Fake Alerts and Search Engine Redirects


  • This topic is locked
15 replies to this topic

#1 richie_22

  • Members
  • 13 posts

Posted 11 July 2010 - 03:35 AM

I have a major problem eating my computer that I think is called sysguard or relates to it. It redirects my search results to bad pages, and every once in a while fake AVG alerts pop up. I think my computer should be running better in general. I uninstalled Firefox and installed Opera only to have the same issue.

Here are various logs.
ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2010/07/11 03:17
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEF15A000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

SSDT
-------------------
#: 257 Function Name: NtTerminateProcess
Status: Hooked by "szkgfs.sys" at address 0xf7540710

==EOF==
........................................................................................................

OTL logfile created on: 11/07/2010 3:10:26 AM - Run 1
OTL by OldTimer - Version 3.2.9.0 Folder = C:\Documents and Settings\Ann\My Documents
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

446.00 Mb Total Physical Memory | 39.00 Mb Available Physical Memory | 9.00% Memory free
1.00 Gb Paging File | 0.00 Gb Available in Paging File | 9.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.05 Gb Total Space | 95.58 Gb Free Space | 64.13% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: SOMAS
Current User Name: Ann
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Ann\My Documents\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\STOPzilla!\STOPzilla.exe (iS3, Inc.)
PRC - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe (iS3, Inc.)
PRC - C:\Program Files\Opera\opera.exe (Opera Software)
PRC - C:\Program Files\WinZip\WZQKPICK.EXE (WinZip Computing, S.L.)
PRC - C:\Program Files\AVG\AVG8\avgrsx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG8\avgnsx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG8\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
PRC - C:\Program Files\Windows NT\Accessories\wordpad.exe (Microsoft Corporation)
PRC - C:\Program Files\D-Link\D-Link Wireless N DWA-130\AirNCFG.exe (D-Link)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe (Wireless Service)
PRC - C:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe (The Privoxy team - www.privoxy.org)
PRC - C:\WINDOWS\system32\slserv.exe ( )
PRC - C:\Program Files\Eraser\eraser.exe (-)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Ann\My Documents\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll (Microsoft Corporation)
MOD - C:\WINDOWS\system32\msscript.ocx (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (LXCYCustomerConnect) -- File not found
SRV - (AppMgmt) -- C:\WINDOWS\System32\appmgmts.dll File not found
SRV - (szserver) -- C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe (iS3, Inc.)
SRV - (avg8emc) -- C:\Program Files\AVG\AVG8\avgemc.exe (AVG Technologies CZ, s.r.o.)
SRV - (avg8wd) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
SRV - (PCPitstop Scheduling) -- C:\Program Files\PCPitstop\PCPitstopScheduleService.exe (PC Pitstop LLC)
SRV - (ANIWZCSdService) -- C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe (Wireless Service)
SRV - (IDriverT) -- C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe (Macrovision Corporation)
SRV - (WMConnectCDS) -- C:\Program Files\Windows Media Connect 2\wmccds.exe (Microsoft Corporation)
SRV - (SLService) -- C:\WINDOWS\System32\slserv.exe ( )

========== Driver Services (SafeList) ==========

DRV - (szkgfs) -- C:\WINDOWS\system32\drivers\szkgfs.sys (iS3, Inc.)
DRV - (szkg5) -- C:\WINDOWS\system32\DRIVERS\szkg.sys (iS3 Inc.)
DRV - (is3srv) -- C:\WINDOWS\system32\drivers\is3srv.sys (iS3 Inc.)
DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)
DRV - (AvgLdx86) -- C:\WINDOWS\System32\Drivers\avgldx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (AvgMfx86) -- C:\WINDOWS\System32\Drivers\avgmfx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (AvgTdiX) -- C:\WINDOWS\System32\Drivers\avgtdix.sys (AVG Technologies CZ, s.r.o.)
DRV - (Ambfilt) -- C:\WINDOWS\system32\drivers\Ambfilt.sys (Creative)
DRV - (rt2870) -- C:\WINDOWS\system32\drivers\rt2870.sys (Ralink Technology, Corp.)
DRV - (ANIO) -- C:\WINDOWS\system32\ANIO.sys (Alpha Networks Inc.)
DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)
DRV - (Monfilt) -- C:\WINDOWS\system32\drivers\Monfilt.sys (Creative Technology Ltd.)
DRV - (nv) -- C:\WINDOWS\system32\drivers\nv4_mini.sys (NVIDIA Corporation)
DRV - (RTL8023xp) -- C:\WINDOWS\system32\drivers\Rtnicxp.sys (Realtek Semiconductor Corporation )
DRV - (Slntamr) -- C:\WINDOWS\system32\drivers\slntamr.sys ( )
DRV - (SlNtHal) -- C:\WINDOWS\system32\drivers\slnthal.sys ( )
DRV - (SlWdmSup) -- C:\WINDOWS\system32\drivers\slwdmsup.sys ( )
DRV - (Mtlstrm) -- C:\WINDOWS\system32\drivers\mtlstrm.sys ( )
DRV - (Mtlmnt5) -- C:\WINDOWS\system32\drivers\mtlmnt5.sys ( )
DRV - (RecAgent) -- C:\WINDOWS\system32\DRIVERS\RecAgent.sys ( )
DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\Hdaudbus.sys (Windows Server 2003 DDK provider)
DRV - (MRENDIS5) -- C:\Program Files\Common Files\Motive\MRENDIS5.sys (Motive, Inc.)
DRV - (MREMPR5) -- C:\Program Files\Common Files\Motive\MREMPR5.sys (Motive, Inc.)
DRV - (NtMtlFax) -- C:\WINDOWS\system32\drivers\ntmtlfax.sys (Smart Link)
DRV - (MODEMCSA) -- C:\WINDOWS\system32\drivers\MODEMCSA.sys (Microsoft Corporation)

========== Standard Registry (All) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ca.rd.yahoo.com/customize/ie/defaul...earch.yahoo.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://ca.rd.yahoo.com/customize/ie/defaul...earch.yahoo.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant =

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page =
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.orbitdownloader.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\..\URLSearchHook: *{00000000-6E41-4FD3-8538-502F5495E5FC} - Reg Error: Key error. File not found
IE - HKCU\..\URLSearchHook: *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Reg Error: Key error. File not found
IE - HKCU\..\URLSearchHook: *{E312764E-7706-43F1-8DAB-FCDD2B1E416D} - Reg Error: Key error. File not found
IE - HKCU\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1

FF - HKLM\software\mozilla\Firefox\Extensions\avg@igeared: C:\Program Files\AVG\AVG8\Toolbar\Firefox\avg@igeared
FF - HKLM\software\mozilla\Firefox\Extensions\{20a82645-c095-46ed-80e3-08825760534b}: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2009/09/02 03:01:02 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\{0329E7D6-6F54-462D-93F6-F5C3118BADF2}: C:\Program Files\SpeedBit Video Downloader\SPFireFox

[2010/07/09 19:49:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ann\Application Data\Mozilla\Extensions
[2009/04/27 18:09:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ann\Application Data\Mozilla\Extensions\mozswing@mozswing.org

O1 HOSTS File: ([2010/07/10 20:08:15 | 000,411,446 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 14221 more lines...
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - No CLSID value found.
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Windows Live Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (AVG Security Toolbar BHO) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
O2 - BHO: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
O2 - BHO: (STOPzilla Browser Helper Object) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll (iS3, Inc.)
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
O3 - HKLM\..\Toolbar: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
O3 - HKCU\..\Toolbar\ShellBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\ShellBrowser: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
O3 - HKCU\..\Toolbar\ShellBrowser: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
O3 - HKCU\..\Toolbar\WebBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (&Links) - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
O4 - HKLM..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe (Wireless Service)
O4 - HKLM..\Run: [AVG8_TRAY] C:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [D-Link D-Link Wireless N DWA-130] C:\Program Files\D-Link\D-Link Wireless N DWA-130\AirNCFG.exe (D-Link)
O4 - HKLM..\Run: [RTHDCPL] C:\WINDOWS\RTHDCPL.EXE (Realtek Semiconductor Corp.)
O4 - HKCU..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe (Adobe Systems Incorporated)
O4 - HKCU..\Run: [DUTools] C:\Program Files\NamiRobot\DUTool.exe File not found
O4 - HKCU..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe (-)
O4 - HKCU..\Run: [Google Update] C:\Documents and Settings\Ann\Local Settings\Application Data\Google\Update\GoogleUpdate.exe (Google Inc.)
O4 - HKCU..\Run: [RocketDock] C:\Program Files\RocketDock\RocketDock.exe File not found
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Privoxy.lnk = C:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe (The Privoxy team - www.privoxy.org)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE (WinZip Computing, S.L.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetActiveDesktop = 0
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll (Sun Microsystems, Inc.)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\WINDOWS\system32\winrnr.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O16 - DPF: {00000161-0000-0010-8000-00AA00389B71} http://codecs.microsoft.com/codecs/i386/msaudio.cab (Reg Error: Key error.)
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {A3256902-51FA-45A0-8A97-FC1143C169D9} http://support.microsoft.com/mats/DiagWebControl.cab (Diagnostics ActiveX WebControl)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} http://utilities.pcpitstop.com/da2/PCPitStop2.cab (PCPitstop Exam)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\gopher {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\intu-qt2007 {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} - Reg Error: Value error. File not found
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll (Microsoft Corporation)
O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\sysimage {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\wia {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\Class Install Handler {32B533BB-EDAE-11d0-BD5A-00AA00B92AF1} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\deflate {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\gzip {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\lzdhtml {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/webviewhtml {733AC4CB-F1A4-11d0-B951-00A0C90312E1} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\SYSTEM32\Userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UIHost - (logonui.exe) - C:\WINDOWS\System32\logonui.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (rundll32 shell32) - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") - C:\WINDOWS\System32\sysdm.cpl (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O20 - Winlogon\Notify\crypt32chain: DllName - crypt32.dll - C:\WINDOWS\System32\crypt32.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cryptnet: DllName - cryptnet.dll - C:\WINDOWS\System32\cryptnet.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cscdll: DllName - cscdll.dll - C:\WINDOWS\System32\cscdll.dll (Microsoft Corporation)
O20 - Winlogon\Notify\ScCertProp: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\Schedule: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\sclgntfy: DllName - sclgntfy.dll - C:\WINDOWS\System32\sclgntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\SensLogn: DllName - WlNotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\termsrv: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\WgaLogon: DllName - WgaLogon.dll - C:\WINDOWS\System32\WgaLogon.dll (Microsoft Corporation)
O20 - Winlogon\Notify\wlballoon: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O21 - SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\system32\stobject.dll (Microsoft Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\system32\webcheck.dll (Microsoft Corporation)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {98E1DEB2-6573-43B1-A2E3-92ED46FA3A86} - QuangustCew - Reg Error: Key error. File not found
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msapsspc.dll) - C:\WINDOWS\System32\msapsspc.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (schannel.dll) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (digest.dll) - C:\WINDOWS\System32\digest.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msnsspc.dll) - C:\WINDOWS\System32\msnsspc.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (kerberos) - C:\WINDOWS\System32\kerberos.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (schannel) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (wdigest) - C:\WINDOWS\System32\wdigest.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/04/13 19:15:32 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..\comfile [open] -- "%1" %*
O35 - HKLM\..\exefile [open] -- "%1" %*
O37 - HKLM\...\com [@ = comfile] -- "%1" %*
O37 - HKLM\...\exe [@ = exefile] -- "%1" %*
O37 - HKCU\...\exe [@ = exefile] -- Reg Error: Key error. File not found

========== Files/Folders - Created Within 30 Days ==========

[2010/07/11 03:07:34 | 000,472,064 | ---- | C] ( ) -- C:\Documents and Settings\Ann\My Documents\RootRepeal.exe
[2010/07/11 03:07:19 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Ann\My Documents\OTL.exe
[2010/07/10 20:21:52 | 000,000,000 | ---D | C] -- C:\Program Files\Safer Networking
[2010/07/10 19:52:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SITEguard
[2010/07/10 19:48:39 | 000,000,000 | ---D | C] -- C:\Program Files\STOPzilla!
[2010/07/10 19:48:38 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\iS3
[2010/07/10 19:48:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\STOPzilla!
[2010/07/10 19:39:11 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Ann\My Documents\My Videos
[2010/07/10 17:52:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ann\Application Data\Acapela Group
[2010/07/10 17:51:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ann\Local Settings\Application Data\Xtranormal
[2010/07/10 17:45:02 | 000,000,000 | ---D | C] -- C:\Program Files\Xtranormal
[2010/07/10 17:43:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ann\Application Data\Xtranormal
[2010/07/10 06:23:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\fmtgvfnrx
[2010/07/10 02:41:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ann\My Documents\trend
[2010/07/10 01:59:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ann\My Documents\gegl-0.0
[2010/07/09 18:51:50 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/07/09 18:51:24 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/07/03 23:15:30 | 000,000,000 | RH-D | C] -- C:\MSOCache
[2010/07/03 23:04:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ann\Application Data\Scalabium
[2010/07/02 08:11:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2010/07/02 08:11:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2010/06/24 09:09:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2010/06/18 15:22:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/06/18 15:22:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/06/17 23:30:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ann\Local Settings\Application Data\gwlaac
[2010/06/17 00:43:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ann\My Documents\New Folder
[2010/04/25 15:43:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ann\My Documents\Downloads
[2010/04/18 00:37:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ann\My Documents\DivX Movies
[2010/04/12 18:16:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ann\My Documents\Wintersleep
[2006/04/22 10:25:49 | 000,014,976 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\winddx.sys
[2006/04/22 09:13:27 | 001,396,048 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\mtlstrm.sys
[2006/04/22 09:13:27 | 000,653,960 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\slntamr.sys
[2006/04/22 09:13:27 | 000,229,720 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\mtlmnt5.sys
[2006/04/22 09:13:27 | 000,014,520 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\RecAgent.sys
[2006/04/22 09:13:27 | 000,013,216 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\slwdmsup.sys
[2006/04/22 09:13:26 | 000,100,176 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\slnthal.sys
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/07/11 03:16:00 | 000,000,896 | ---- | M] () -- C:\WINDOWS\System32\drivers\kgpcpy.cfg
[2010/07/11 03:15:27 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Ann\Desktop\settings.dat
[2010/07/11 03:07:37 | 000,472,064 | ---- | M] ( ) -- C:\Documents and Settings\Ann\My Documents\RootRepeal.exe
[2010/07/11 03:07:20 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Ann\My Documents\OTL.exe
[2010/07/11 03:01:01 | 000,000,230 | ---- | M] () -- C:\WINDOWS\tasks\Scheduled Update for Ask Toolbar.job
[2010/07/11 02:42:02 | 000,000,970 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-3596485175-1860854867-228222517-1006UA.job
[2010/07/10 23:50:11 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/07/10 23:46:54 | 000,000,004 | ---- | M] () -- C:\WINDOWS\System32\ANIWZCSUSERNAME{6E857B43-48A4-47D2-A95A-9ABA6B854ACC}
[2010/07/10 23:46:37 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/07/10 23:46:16 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/07/10 23:46:10 | 468,242,432 | -HS- | M] () -- C:\hiberfil.sys
[2010/07/10 23:40:33 | 011,272,192 | ---- | M] () -- C:\Documents and Settings\Ann\ntuser.dat
[2010/07/10 23:40:03 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Ann\ntuser.ini
[2010/07/10 22:08:39 | 000,137,216 | ---- | M] () -- C:\Documents and Settings\Ann\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/07/10 20:40:14 | 000,001,980 | ---- | M] () -- C:\Documents and Settings\Ann\Desktop\HiJackThis.lnk
[2010/07/10 20:38:49 | 001,402,880 | ---- | M] () -- C:\Documents and Settings\Ann\My Documents\HiJackThis.msi
[2010/07/10 20:23:33 | 000,000,245 | RHS- | M] () -- C:\boot.ini
[2010/07/10 20:08:15 | 000,411,446 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/07/10 17:45:20 | 000,000,773 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\State.lnk
[2010/07/10 17:39:45 | 131,788,800 | ---- | M] () -- C:\Documents and Settings\Ann\My Documents\StatePackage.exe
[2010/07/10 14:54:36 | 000,000,007 | ---- | M] () -- C:\WINDOWS\System32\ANIWZCSUSERNAME
[2010/07/10 14:46:29 | 005,808,612 | ---- | M] () -- C:\Documents and Settings\Ann\My Documents\Joy_Division_-_Atmosphere_(iamxl_remix).mp3
[2010/07/10 14:46:29 | 003,447,297 | ---- | M] () -- C:\Documents and Settings\Ann\My Documents\audio3.mp3
[2010/07/10 14:41:13 | 009,750,860 | ---- | M] () -- C:\Documents and Settings\Ann\My Documents\06 - how soon is now-.mp3
[2010/07/10 14:29:21 | 005,685,248 | ---- | M] () -- C:\Documents and Settings\Ann\My Documents\Franz_Ferdinand-Take_Me_Out.mp3
[2010/07/10 13:48:04 | 000,000,169 | ---- | M] () -- C:\Documents and Settings\Ann\My Documents\index.html
[2010/07/10 13:45:15 | 000,003,626 | ---- | M] () -- C:\Documents and Settings\Ann\My Documents\.htaccess
[2010/07/10 09:31:54 | 061,821,997 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2010/07/10 06:21:12 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/07/10 02:37:38 | 000,008,277 | ---- | M] () -- C:\Documents and Settings\Ann\.recently-used.xbel
[2010/07/10 02:37:38 | 000,005,200 | ---- | M] () -- C:\Documents and Settings\Ann\My Documents\Untitled.png
[2010/07/10 02:01:29 | 000,004,313 | ---- | M] () -- C:\Documents and Settings\Ann\My Documents\screen.css
[2010/07/10 01:33:55 | 000,004,366 | ---- | M] () -- C:\Documents and Settings\Ann\My Documents\systems.html
[2010/07/09 23:42:01 | 000,000,918 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-3596485175-1860854867-228222517-1006Core.job
[2010/07/09 18:52:56 | 000,000,706 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/07/05 19:29:01 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/07/04 05:03:20 | 000,000,754 | ---- | M] () -- C:\WINDOWS\WORDPAD.INI
[2010/07/04 04:10:19 | 000,001,891 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/07/02 07:47:45 | 000,003,284 | ---- | M] () -- C:\WINDOWS\System32\ANIWZCS{6E857B43-48A4-47D2-A95A-9ABA6B854ACC}
[2010/06/27 01:11:59 | 000,001,771 | ---- | M] () -- C:\Documents and Settings\Ann\Desktop\Google Pagerank Check Tool.lnk
[2010/06/24 09:10:08 | 000,000,552 | ---- | M] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/06/19 03:32:16 | 000,395,292 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100710-181132.backup
[2010/06/09 04:03:59 | 000,309,192 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/06/09 03:14:04 | 000,501,054 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/06/09 03:14:04 | 000,441,124 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/06/09 03:14:04 | 000,071,060 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/05/29 16:49:44 | 000,000,800 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\GIMP 2.lnk
[2010/05/17 02:53:27 | 000,027,146 | ---- | M] () -- C:\Documents and Settings\Ann\Desktop\erev.rtf
[2010/05/14 22:01:21 | 000,000,171 | ---- | M] () -- C:\Documents and Settings\Ann\Desktop\@ points to.rtf
[2010/05/14 20:19:09 | 000,000,777 | ---- | M] () -- C:\Documents and Settings\Ann\Desktop\tags.rtf
[2010/05/09 02:20:03 | 000,026,703 | ---- | M] () -- C:\Documents and Settings\Ann\Desktop\index.rtf
[2010/05/09 01:01:37 | 000,000,165 | ---- | M] () -- C:\Documents and Settings\Ann\My Documents\cblg.rtf
[2010/05/07 20:37:21 | 000,023,392 | ---- | M] () -- C:\WINDOWS\System32\nscompat.tlb
[2010/05/07 20:37:21 | 000,016,832 | ---- | M] () -- C:\WINDOWS\System32\amcompat.tlb
[2010/05/03 00:53:55 | 000,024,071 | ---- | M] () -- C:\Documents and Settings\Ann\Desktop\fap2-120z60.gif
[2010/05/02 02:56:34 | 001,850,880 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\win32k.sys
[2010/05/02 02:56:34 | 001,850,880 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\win32k.sys
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/24 01:09:05 | 000,737,280 | ---- | M] (Indigo Rose Corporation) -- C:\WINDOWS\iun6002.exe
[2010/04/20 02:51:20 | 000,285,696 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\dllcache\atmfd.dll
[2010/04/20 02:51:20 | 000,285,696 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\atmfd.dll
[2010/04/16 12:20:24 | 000,668,672 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wininet.dll
[2010/04/16 12:20:23 | 000,628,224 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\urlmon.dll
[2010/04/16 12:20:23 | 000,474,112 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\shlwapi.dll
[2010/04/16 12:20:23 | 000,061,952 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\tdc.ocx
[2010/04/16 12:20:22 | 001,509,888 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\shdocvw.dll
[2010/04/16 12:20:21 | 000,532,480 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\mstime.dll
[2010/04/16 12:20:21 | 000,532,480 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mstime.dll
[2010/04/16 12:20:21 | 000,449,024 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mshtmled.dll
[2010/04/16 12:20:21 | 000,146,432 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\msrating.dll
[2010/04/16 12:20:21 | 000,146,432 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msrating.dll
[2010/04/16 12:20:21 | 000,039,424 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\pngfilt.dll
[2010/04/16 12:20:21 | 000,039,424 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\pngfilt.dll
[2010/04/16 12:20:20 | 003,073,024 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mshtml.dll
[2010/04/16 12:20:18 | 000,357,888 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dxtmsft.dll
[2010/04/16 12:20:18 | 000,357,888 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\dxtmsft.dll
[2010/04/16 12:20:18 | 000,251,904 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\iepeers.dll
[2010/04/16 12:20:18 | 000,251,904 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iepeers.dll
[2010/04/16 12:20:18 | 000,205,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dxtrans.dll
[2010/04/16 12:20:18 | 000,205,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\dxtrans.dll
[2010/04/16 12:20:18 | 000,096,256 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\inseng.dll
[2010/04/16 12:20:18 | 000,096,256 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\inseng.dll
[2010/04/16 12:20:18 | 000,081,920 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\ieencode.dll
[2010/04/16 12:20:18 | 000,081,920 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ieencode.dll
[2010/04/16 12:20:18 | 000,055,808 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\extmgr.dll
[2010/04/16 12:20:18 | 000,016,384 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\jsproxy.dll
[2010/04/16 12:20:18 | 000,016,384 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\jsproxy.dll
[2010/04/16 12:20:17 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\danim.dll
[2010/04/16 12:20:17 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\danim.dll
[2010/04/16 12:20:16 | 001,024,000 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\browseui.dll
[2010/04/16 12:20:16 | 000,151,040 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cdfview.dll
[2010/04/16 10:40:07 | 000,369,664 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\html.iec
[2010/04/16 10:29:31 | 000,018,432 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iedw.exe
[2010/04/16 10:21:14 | 000,352,768 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\xpsp3res.dll
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/07/11 03:15:27 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Ann\Desktop\settings.dat
[2010/07/10 23:51:16 | 000,000,896 | ---- | C] () -- C:\WINDOWS\System32\drivers\kgpcpy.cfg
[2010/07/10 20:40:14 | 000,001,980 | ---- | C] () -- C:\Documents and Settings\Ann\Desktop\HiJackThis.lnk
[2010/07/10 20:38:49 | 001,402,880 | ---- | C] () -- C:\Documents and Settings\Ann\My Documents\HiJackThis.msi
[2010/07/10 17:45:19 | 000,000,773 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\State.lnk
[2010/07/10 17:34:11 | 131,788,800 | ---- | C] () -- C:\Documents and Settings\Ann\My Documents\StatePackage.exe
[2010/07/10 14:45:12 | 005,808,612 | ---- | C] () -- C:\Documents and Settings\Ann\My Documents\Joy_Division_-_Atmosphere_(iamxl_remix).mp3
[2010/07/10 14:43:56 | 003,447,297 | ---- | C] () -- C:\Documents and Settings\Ann\My Documents\audio3.mp3
[2010/07/10 14:40:46 | 009,750,860 | ---- | C] () -- C:\Documents and Settings\Ann\My Documents\06 - how soon is now-.mp3
[2010/07/10 14:29:12 | 005,685,248 | ---- | C] () -- C:\Documents and Settings\Ann\My Documents\Franz_Ferdinand-Take_Me_Out.mp3
[2010/07/10 03:46:30 | 000,056,713 | ---- | C] () -- C:\Documents and Settings\Ann\My Documents\3456945277_b6921d1f50_b.jpg
[2010/07/10 03:45:50 | 000,042,961 | ---- | C] () -- C:\Documents and Settings\Ann\My Documents\P4270066s.jpg
[2010/07/10 03:45:41 | 000,032,721 | ---- | C] () -- C:\Documents and Settings\Ann\My Documents\l_1f1b23ab7102443b90f3fc4eb1b09b02.jpg
[2010/07/10 03:45:35 | 000,030,916 | ---- | C] () -- C:\Documents and Settings\Ann\My Documents\l_1da57306db3ccda6f1882587ceaf8a38.jpg
[2010/07/10 03:45:30 | 000,029,927 | ---- | C] () -- C:\Documents and Settings\Ann\My Documents\l_2d85122848b63c2866f30828177a94af.jpg
[2010/07/10 03:45:18 | 000,124,532 | ---- | C] () -- C:\Documents and Settings\Ann\My Documents\phpThumb_generated_thumbnailjpg.jpg
[2010/07/10 02:37:38 | 000,008,277 | ---- | C] () -- C:\Documents and Settings\Ann\.recently-used.xbel
[2010/07/10 01:59:59 | 000,005,200 | ---- | C] () -- C:\Documents and Settings\Ann\My Documents\Untitled.png
[2010/07/10 01:33:54 | 000,004,366 | ---- | C] () -- C:\Documents and Settings\Ann\My Documents\systems.html
[2010/07/09 18:52:56 | 000,000,706 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/07/09 01:56:15 | 000,003,626 | ---- | C] () -- C:\Documents and Settings\Ann\My Documents\.htaccess
[2010/07/08 19:04:55 | 000,000,169 | ---- | C] () -- C:\Documents and Settings\Ann\My Documents\index.html
[2010/07/06 23:01:36 | 000,004,313 | ---- | C] () -- C:\Documents and Settings\Ann\My Documents\screen.css
[2010/06/27 01:11:58 | 000,001,771 | ---- | C] () -- C:\Documents and Settings\Ann\Desktop\Google Pagerank Check Tool.lnk
[2010/06/24 09:10:08 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/05/29 16:49:44 | 000,000,800 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\GIMP 2.lnk
[2010/05/17 02:53:24 | 000,027,146 | ---- | C] () -- C:\Documents and Settings\Ann\Desktop\erev.rtf
[2010/05/14 22:01:21 | 000,000,171 | ---- | C] () -- C:\Documents and Settings\Ann\Desktop\@ points to.rtf
[2010/05/14 20:19:08 | 000,000,777 | ---- | C] () -- C:\Documents and Settings\Ann\Desktop\tags.rtf
[2010/05/09 02:16:08 | 000,026,703 | ---- | C] () -- C:\Documents and Settings\Ann\Desktop\index.rtf
[2010/05/09 01:01:33 | 000,000,165 | ---- | C] () -- C:\Documents and Settings\Ann\My Documents\cblg.rtf
[2010/05/03 00:53:49 | 000,024,071 | ---- | C] () -- C:\Documents and Settings\Ann\Desktop\fap2-120z60.gif
[2008/11/15 15:02:26 | 001,866,670 | ---- | C] () -- C:\WINDOWS\System32\libfftw3f-3.dll
[2008/11/09 18:14:08 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2008/10/19 01:51:28 | 000,164,352 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2008/10/19 01:51:27 | 000,000,038 | ---- | C] () -- C:\WINDOWS\avisplitter.ini
[2008/10/18 15:40:00 | 000,245,760 | ---- | C] () -- C:\WINDOWS\System32\WlanApp.dll
[2008/10/18 15:40:00 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\JJAKEn.dll
[2008/10/14 18:44:21 | 000,000,412 | ---- | C] () -- C:\WINDOWS\MAXLINK.INI
[2008/10/12 15:27:34 | 000,000,010 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2008/04/05 17:53:24 | 000,140,288 | ---- | C] () -- C:\WINDOWS\System32\avsfilter.dll
[2007/09/15 10:30:17 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2006/07/27 22:30:47 | 000,006,048 | ---- | C] () -- C:\WINDOWS\System32\MCC16.dll
[2006/04/22 10:25:49 | 000,540,672 | ---- | C] () -- C:\WINDOWS\System32\SLLights.dll
[2006/04/22 10:25:49 | 000,221,184 | ---- | C] () -- C:\WINDOWS\System32\amr_cpl.dll
[2006/04/22 10:25:49 | 000,151,552 | ---- | C] () -- C:\WINDOWS\System32\SLMOHServ.dll
[2006/04/22 09:18:55 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/04/22 09:13:27 | 000,212,992 | ---- | C] () -- C:\WINDOWS\System32\slextspk.dll
[2006/04/22 09:13:25 | 000,180,224 | ---- | C] () -- C:\WINDOWS\System32\SLGen.dll
[2006/04/21 19:37:44 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/04/17 12:30:53 | 000,033,792 | ---- | C] () -- C:\WINDOWS\System32\cknkfpi.dll
[2006/04/17 12:30:53 | 000,021,506 | ---- | C] () -- C:\WINDOWS\System32\bdyhwai.dll
[2006/03/22 19:15:55 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\coinst.dll
[2006/03/03 20:32:22 | 001,662,976 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2006/03/03 20:32:22 | 001,466,368 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2006/03/03 20:32:22 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2006/03/03 20:32:22 | 000,573,440 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2006/03/03 20:32:22 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2006/03/03 20:32:22 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2006/03/03 20:32:20 | 000,110,592 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll
[2005/11/04 19:11:48 | 000,001,292 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2005/09/13 03:09:34 | 000,004,608 | ---- | C] () -- C:\WINDOWS\System32\AvsRecursion.dll
[2005/08/31 12:43:32 | 000,098,304 | ---- | C] () -- C:\WINDOWS\System32\resourceGeneric.dll
[2004/01/24 02:35:44 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\avisynth_c.dll
[2002/09/10 12:10:05 | 000,495,616 | ---- | C] () -- C:\WINDOWS\System32\xvid.dll
[2001/03/30 12:18:48 | 000,032,768 | RHS- | C] () -- C:\WINDOWS\System32\zsoftas.dll
[1998/06/19 00:00:00 | 001,701,648 | ---- | C] () -- C:\WINDOWS\System32\VBA6.DLL

========== LOP Check ==========

[2010/07/02 07:22:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar
[2006/10/29 12:27:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Broderbund Software
[2010/03/27 13:29:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Canneverbe Limited
[2009/07/09 08:29:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Grid
[2009/09/15 15:45:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PCPitstop
[2008/10/14 18:44:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ScanSoft
[2010/07/10 19:52:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SITEguard
[2010/05/02 03:46:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SpeedBit
[2010/07/11 03:25:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\STOPzilla!
[2010/02/05 01:51:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009/10/31 01:51:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZip
[2008/12/17 19:07:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\YAHOO
[2010/07/10 17:52:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ann\Application Data\Acapela Group
[2009/05/16 02:44:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ann\Application Data\AVGTOOLBAR
[2010/03/27 13:29:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ann\Application Data\Canneverbe Limited
[2009/10/30 16:27:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ann\Application Data\CoreFTP
[2010/03/27 12:55:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ann\Application Data\ElevatedDiagnostics
[2010/07/10 14:02:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ann\Application Data\FileZilla
[2010/06/04 22:44:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ann\Application Data\FrostWire
[2010/05/02 01:00:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ann\Application Data\GrabPro
[2010/07/10 02:37:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ann\Application Data\gtk-2.0
[2008/01/20 16:33:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ann\Application Data\Leadertech
[2009/07/24 19:58:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ann\Application Data\LimeWire
[2008/11/04 19:04:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ann\Application Data\Microgaming
[2010/05/01 19:27:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ann\Application Data\OneSwarm
[2010/03/19 00:33:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ann\Application Data\Opera
[2010/05/02 03:38:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ann\Application Data\Orbit
[2010/07/03 23:04:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ann\Application Data\Scalabium
[2008/10/14 18:44:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ann\Application Data\ScanSoft
[2009/01/25 18:36:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ann\Application Data\Search Settings
[2006/10/15 15:59:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ann\Application Data\Template
[2010/05/02 03:46:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ann\Application Data\Toolbar4
[2009/01/29 20:34:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ann\Application Data\uniblue
[2008/12/14 02:24:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ann\Application Data\Xilisoft Corporation
[2010/07/10 17:53:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ann\Application Data\Xtranormal
[2010/07/05 19:29:01 | 000,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job
[2010/07/11 03:01:01 | 000,000,230 | ---- | M] () -- C:\WINDOWS\Tasks\Scheduled Update for Ask Toolbar.job

========== Purity Check ==========

========== Alternate Data Streams ==========

@Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
@Alternate Data Stream - 103 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
< End of report >
.................................................................................................................................................................................
End of file - 8747 bytes


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 4:31:12 AM, on 11/07/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\D-Link\D-Link Wireless N DWA-130\AirNCFG.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Eraser\eraser.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\Documents and Settings\Ann\My Documents\OTL.exe
C:\Documents and Settings\Ann\My Documents\RootRepeal.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Opera\Opera.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.orbitdownloader.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ca.rd.yahoo.com/customize/ie/defaul...earch.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ca.rd.yahoo.com/customize/ie/defaul...earch.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ca.rd.yahoo.com/customize/ie/defaul...earch.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - *{E312764E-7706-43F1-8DAB-FCDD2B1E416D} - (no file)
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{00000000-6E41-4FD3-8538-502F5495E5FC} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [D-Link D-Link Wireless N DWA-130] C:\Program Files\D-Link\D-Link Wireless N DWA-130\AirNCFG.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [DUTools] C:\Program Files\NamiRobot\DUTool.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Ann\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Privoxy.lnk = C:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Purple Lounge - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\shdocvw.dll (HKCU)
O16 - DPF: {A3256902-51FA-45A0-8A97-FC1143C169D9} (Diagnostics ActiveX WebControl) - http://support.microsoft.com/mats/DiagWebControl.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/da2/PCPitStop2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6E857B43-48A4-47D2-A95A-9ABA6B854ACC}: NameServer = 192.168.0.1,192.168.0.2
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - (no file)
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: QuangustCew - {98E1DEB2-6573-43B1-A2E3-92ED46FA3A86} - (no file)
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Wireless Service - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
--
End of file - 8747 bytes

Edited by hamluis, 11 July 2010 - 09:14 AM.
Consolidated log input, moved from XP to Malware Removal Logs forum ~ Hamluis.



#2 richie_22 (Topic Starter, Members, 13 posts)

Posted 12 July 2010 - 06:32 PM

Hello. Would it be safe to run ComboFix? Is there anything I should do, or need to do? Sorry for the bump, but I mean a lot of things are going wrong here. And my pagefile goes as high as 1.40 GB.

EDIT: Please be patient. There are over 190 unanswered topics in this forum at present and the current average wait time to receive help is 4 days. Don't run ComboFix yet. ~BP

Edited by Budapest, 12 July 2010 - 10:21 PM.


#3 m0le (Malware Response Team, 34,527 posts, London, UK)

Posted 14 July 2010 - 06:57 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#4 richie_22 (Topic Starter, Members, 13 posts)

Posted 15 July 2010 - 03:10 PM

Hello. Thank you kindly. I have returned. I have also used the Malwarebytes software since the above post, before I read your remarks about not running any scans. At first it detected the issue, but it wasn't able to successfully remove it; it came right back.

Edited by richie_22, 15 July 2010 - 05:17 PM.


#5 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:08:47 PM

Posted 15 July 2010 - 07:18 PM

Can you find the log showing the malware from MBAM and post it?

Also please run Gmer (if it fails then please check only the SECTIONS option and rerun).

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
m0le is a proud member of UNITE

#6 richie_22

richie_22
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:03:47 PM

Posted 16 July 2010 - 03:30 PM

Okay. I have completed step one. I also attempted a full scan, just because I thought the first one seemed a little quick, but my computer froze up a bit so I didn't complete it; it did, however, start bringing up other things. I disabled the resident shield of AVG, as they said it was the core element and the best way to temporarily disable it; I unplugged the wireless adapter, exited TeaTimer/Spybot, and the firewall/updates are both disabled. With regards to the full scan, I was mainly worried that this was not the proper scan to post, but when I tried it again and saved the log right away I realized it was the quick scan, so here it is:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-07-16 17:04:28
Windows 5.1.2600 Service Pack 2
Running: 7buvj89z.exe; Driver: C:\DOCUME~1\Ann\LOCALS~1\Temp\fftdypow.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device -> \Driver\atapi \Device\Harddisk0\DR0 849EAEC5

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----




Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4298

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

12/07/2010 10:16:57 PM
mbam-log-2010-07-12 (22-16-57).txt

Scan type: Quick scan
Objects scanned: 155142
Time elapsed: 27 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Administrator.SEANIX-CC1AD55C\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Security 2010.lnk (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ann\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Security 2010.lnk (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator.SEANIX-CC1AD55C\Start Menu\Internet Security 2010.lnk (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.

Edited by richie_22, 16 July 2010 - 03:39 PM.
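Added example, not code from Malwarebytes, BleepingComputer or anyone in this thread: a Python parser for the Malwarebytes' Anti-Malware 1.x log format posted above. It reads the summary counters and each detection line, checks the counters against what is actually listed (a truncated paste shows up as a mismatch), separates the registry policy hijacks (the "Bad: (1) Good: (0)" entries that lock the desktop settings) and lists anything MBAM reported but did not quarantine, which is the case described in post #4 where the rogue came straight back. The embedded sample is constructed from the posted log, shortened, with the third "Internet Security 2010.lnk" line changed to "No action taken." to show the unresolved case; the function and field names are this example's own.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log into structured detections.
Added example, not Malwarebytes' code; the names below are this example's own."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample, trimmed from the log posted in this thread; the last file
# line is altered to "No action taken." to exercise the unresolved case.
SAMPLE_MBAM_LOG = r"""
Malwarebytes' Anti-Malware 1.46
Scan type: Quick scan

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Ann\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Security 2010.lnk (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ann\Start Menu\Internet Security 2010.lnk (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ann\Desktop\Internet Security 2010.lnk (Rogue.InternetSecurity2010) -> No action taken.
"""


@dataclass
class Detection:
    category: str               # e.g. "Registry Keys Infected"
    item: str                   # registry key/value or file path
    threat: str                 # MBAM's threat name, e.g. Rogue.AntivirusSuite
    action: str                 # what MBAM did, without the trailing period
    bad: Optional[str] = None   # value found (registry data items only)
    good: Optional[str] = None  # value MBAM restored


COUNTER_RE = re.compile(r"^(?P<cat>[A-Za-z ]+ Infected): (?P<n>\d+)$")
SECTION_RE = re.compile(r"^(?P<cat>[A-Za-z ]+ Infected):$")
DETECT_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<rest>.+)$")
BADGOOD_RE = re.compile(r"Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\)")


def parse_mbam_log(text: str) -> Tuple[Dict[str, int], List[Detection]]:
    """Return (summary counters, detections) from an MBAM 1.x log body."""
    counters: Dict[str, int] = {}
    detections: List[Detection] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            section = None          # a blank line closes the current section
            continue
        m = COUNTER_RE.match(line)
        if m:
            counters[m["cat"]] = int(m["n"])
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m["cat"]
            continue
        if section is None or line.startswith("(No malicious"):
            continue
        m = DETECT_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised line in {section}: {line}")
        rest = m["rest"]
        bg = BADGOOD_RE.search(rest)
        detections.append(Detection(section, m["item"], m["threat"],
                                    rest.rsplit("-> ", 1)[-1].rstrip("."),
                                    bg["bad"] if bg else None,
                                    bg["good"] if bg else None))
    return counters, detections


def counter_mismatches(counters, detections) -> Dict[str, Tuple[int, int]]:
    """Categories whose summary count differs from the lines actually listed,
    mapped to (claimed, listed); a sign of a truncated or edited paste."""
    listed: Dict[str, int] = {}
    for d in detections:
        listed[d.category] = listed.get(d.category, 0) + 1
    return {c: (n, listed.get(c, 0)) for c, n in counters.items()
            if listed.get(c, 0) != n}


def policy_hijacks(detections) -> List[Detection]:
    """Policy values the rogue set to lock the user out of display settings."""
    return [d for d in detections
            if d.category == "Registry Data Items Infected" and "\\Policies\\" in d.item]


def unresolved(detections) -> List[Detection]:
    """Detections MBAM reported but did not quarantine; these need a second pass."""
    return [d for d in detections if not d.action.startswith("Quarantined")]


if __name__ == "__main__":
    counts, found = parse_mbam_log(SAMPLE_MBAM_LOG)
    print("counter mismatches:", counter_mismatches(counts, found))
    for d in policy_hijacks(found):
        name = d.item.rsplit("\\", 1)[-1]
        print(f"hijacked policy {name}: was {d.bad}, restored to {d.good}")
    for d in unresolved(found):
        print("NOT removed:", d.item, "->", d.action)
```

The parser deliberately raises on a line it cannot classify inside a detection section rather than skipping it, so a log that has been mangled in pasting is noticed instead of silently under-counted.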


#7 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:08:47 PM

Posted 16 July 2010 - 06:49 PM

There's some nasty infections here. The main one must be removed to allow the others to be killed.

Please run Combofix

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
m0le is a proud member of UNITE

#8 richie_22

richie_22
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:03:47 PM

Posted 16 July 2010 - 07:56 PM

Okay, this looks ugly just from my own knowledge. I do have a problem though: my API icon, a little orange box in the system tray which used to appear every startup, has yet to return; it vanished not long ago. I'm not sure if that's normal; perhaps the virus caused it to pop up in the first place. Anyway, I suspect I may not be out of the water. This is also a second-hand computer and on a shared network. An IE desktop icon returned as well, my icons look a little different, and my browser screen looks somehow a little different as well, like the text and stuff.

ComboFix 10-07-15.05 - Ann 16/07/2010 21:24:31.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.2.1033.18.446.68 [GMT -3:00]
Running from: c:\documents and settings\Ann\My Documents\comfix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator.SEANIX-CC1AD55C\Desktop\Internet Security 2010.lnk
c:\documents and settings\Ann\miniupnpc.dll
c:\documents and settings\Ann\upnpc-shared.exe
c:\documents and settings\Ann\upnpc-static.exe
c:\program files\Search Settings
c:\program files\Search Settings\kb127\SearchSettingsRes409.dll
c:\program files\Search Settings\SearchSettings.exe
c:\windows\system32\19351.exe
c:\windows\system32\26500.exe
c:\windows\system32\4088.exe
c:\windows\system32\Thumbs.db

Infected copy of c:\windows\system32\drivers\intelppm.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-06-17 to 2010-07-17 )))))))))))))))))))))))))))))))
.

2010-07-11 19:08 . 2010-07-11 20:11 -------- d-----w- c:\documents and settings\Ann\Application Data\PaRaMeter
2010-07-11 19:06 . 2010-07-11 19:07 -------- d-----w- c:\program files\PaRaMeter
2010-07-10 23:40 . 2010-07-10 23:40 388096 ----a-r- c:\documents and settings\Ann\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-07-10 23:21 . 2010-07-10 23:21 -------- d-----w- c:\program files\Safer Networking
2010-07-10 22:52 . 2010-07-10 22:52 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2010-07-10 22:48 . 2010-07-10 22:48 -------- d-----w- c:\program files\Common Files\iS3
2010-07-10 22:48 . 2010-07-11 06:25 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-07-10 20:52 . 2010-07-10 20:52 -------- d-----w- c:\documents and settings\Ann\Application Data\Acapela Group
2010-07-10 20:51 . 2010-07-10 20:51 -------- d-----w- c:\documents and settings\Ann\Local Settings\Application Data\Xtranormal
2010-07-10 20:45 . 2010-07-10 20:45 -------- d-----w- c:\program files\Xtranormal
2010-07-10 20:43 . 2010-07-10 20:53 -------- d-----w- c:\documents and settings\Ann\Application Data\Xtranormal
2010-07-10 09:23 . 2010-07-10 17:53 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\fmtgvfnrx
2010-07-09 21:51 . 2010-04-29 18:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-09 21:51 . 2010-04-29 18:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-04 02:15 . 2010-07-04 02:15 -------- d-----r- C:\MSOCache
2010-07-04 02:04 . 2010-07-04 02:04 -------- d-----w- c:\documents and settings\Ann\Application Data\Scalabium
2010-07-02 11:13 . 2010-07-02 11:13 -------- d-s---w- c:\documents and settings\LocalService\UserData
2010-06-24 12:10 . 2010-06-24 12:10 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-06-24 12:09 . 2010-06-24 12:10 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-06-18 18:23 . 2010-06-18 18:23 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-06-18 02:30 . 2010-06-19 15:04 -------- d-----w- c:\documents and settings\Ann\Local Settings\Application Data\gwlaac

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-17 00:22 . 2010-04-03 03:50 -------- d-----w- c:\program files\Eraser
2010-07-15 04:05 . 2008-10-22 21:17 -------- d-----w- c:\documents and settings\Ann\Application Data\FileZilla
2010-07-11 08:21 . 2009-05-16 07:00 -------- d-----w- c:\documents and settings\Ann\Application Data\tor
2010-07-11 08:12 . 2009-05-16 06:55 -------- d-----w- c:\documents and settings\Ann\Application Data\Vidalia
2010-07-11 06:16 . 2010-07-11 02:51 896 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-07-10 17:55 . 2008-10-25 17:57 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2010-07-10 09:21 . 2008-10-12 17:21 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-10 05:37 . 2010-02-28 03:15 -------- d-----w- c:\documents and settings\Ann\Application Data\gtk-2.0
2010-07-09 21:53 . 2010-01-18 02:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-02 10:22 . 2009-06-12 11:23 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2010-07-02 04:08 . 2008-10-14 21:43 -------- d-----w- c:\program files\ScanSoft
2010-06-20 01:32 . 2010-05-19 19:14 -------- d-----w- c:\program files\FileZilla FTP Client
2010-06-05 01:44 . 2009-07-25 00:14 -------- d-----w- c:\documents and settings\Ann\Application Data\FrostWire
2010-06-05 01:00 . 2010-01-12 23:21 -------- d-----w- c:\program files\Incomplete
2010-06-04 17:54 . 2010-01-13 03:20 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-02 05:56 . 2004-08-04 12:00 1850880 ----a-w- c:\windows\system32\win32k.sys
2010-04-24 04:09 . 2010-04-03 02:59 737280 ----a-w- c:\windows\iun6002.exe
2010-04-20 05:51 . 2004-08-04 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2001-03-30 15:18 . 2001-03-30 15:18 32768 --sha-r- c:\windows\system32\zsoftas.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 17:01 1230080 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-02-04 19:50 1197448 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-11-09 2356088]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Eraser"="c:\program files\Eraser\eraser.exe" [2003-07-25 536576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2007-01-19 49152]
"D-Link D-Link Wireless N DWA-130"="c:\program files\D-Link\D-Link Wireless N DWA-130\AirNCFG.exe" [2008-03-20 1675264]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-07-09 2048352]
"RTHDCPL"="RTHDCPL.EXE" [2009-09-11 18717696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Privoxy.lnk - c:\program files\Vidalia Bundle\Privoxy\privoxy.exe [2006-11-20 250368]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-10-13 495432]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-18 11:18 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-01-12 01:16 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
2007-02-04 15:02 79400 ----a-w- c:\program files\ScanSoft\OmniPageSE4\OpWareSE4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2005-01-12 10:01 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2006-10-25 12:03 210472 ----a-w- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Vidalia Bundle\\Tor\\tor.exe"=
"c:\\Program Files\\GridService\\peer.exe"=
"c:\\Program Files\\FileZilla FTP Client\\filezilla.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Port Detective\\PBDClient.exe"=
"c:\\Program Files\\Real Alternative\\Media Player Classic\\mplayerc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6669:TCP"= 6669:TCP:emule
"35641:UDP"= 35641:UDP:emule
"3728:TCP"= 3728:TCP:192.168.0.114/255.255.255.255:Enabled:GigaTribe

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [25/10/2008 2:57 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [25/10/2008 2:57 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [25/10/2008 2:57 PM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [25/10/2008 2:57 PM 297752]
S2 LXCYCustomerConnect;LXCYCustomerConnect; [x]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [15/09/2009 3:58 PM 1684736]
S4 PCPitstop Scheduling;PCPitstop Scheduling;c:\program files\PCPitstop\PCPitstopScheduleService.exe [15/09/2009 3:41 PM 85504]
.
Contents of the 'Scheduled Tasks' folder

2010-07-17 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-02-04 19:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.orbitdownloader.com
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://ca.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://ca.search.yahoo.com
IE: &U?????????
IE: &U????????? - c:\program files\NamiRobot\Data\du.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
TCP: {6E857B43-48A4-47D2-A95A-9ABA6B854ACC} = 192.168.0.1,192.168.0.2
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
.
------- File Associations -------
.
txtfile=c:\windows\notepad.exe %1
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-*{00000000-6E41-4FD3-8538-502F5495E5FC} - (no file)
HKCU-Run-RocketDock - c:\program files\RocketDock\RocketDock.exe
HKCU-Run-DUTools - c:\program files\NamiRobot\DUTool.exe
SharedTaskScheduler-{98E1DEB2-6573-43B1-A2E3-92ED46FA3A86} - (no file)
AddRemove-Google Pagerank Check Tool 1.00 - c:\program files\Google Pagerank Check Tool\Uninstall.exe
AddRemove-K free Find Files N Replace_is1 - c:\program files\k-free ffnr\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-16 21:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(904)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-07-16 21:39:37
ComboFix-quarantined-files.txt 2010-07-17 00:39

Pre-Run: 104,192,843,776 bytes free
Post-Run: 105,588,400,128 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
[spybotsd]
timeout.old=30

- - End Of File - - 2141BEC22BCE9EB278F60785376FBF30

Edited by richie_22, 16 July 2010 - 08:05 PM.
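Added example, not code from ComboFix, BleepingComputer or anyone in this thread: a Python audit of the "Reg Loading Points" section of the ComboFix log above. Two items there are worth a second look once the rogue is gone: EnableFirewall is 0 for the standard profile, and GloballyOpenPorts lists eMule and GigaTribe rules, the eMule ones with no source scope shown; a Run entry such as RTHDCPL that gives only a file name, not a directory, is also reported so the file that actually loads can be confirmed. The embedded sample is a constructed, shortened copy of lines from that log; treating the short port form as an enabled rule open to any source is this example's assumption, and the function names are its own.

```python
"""Audit the 'Reg Loading Points' part of a ComboFix log for exposure that
removing the rogue does not fix by itself. Added example, not ComboFix's code."""
import re
from typing import Dict, List

# Constructed sample: lines copied from the ComboFix log in this thread,
# values as posted, lists shortened.
SAMPLE_COMBOFIX_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-07-09 2048352]
"RTHDCPL"="RTHDCPL.EXE" [2009-09-11 18717696]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Vidalia Bundle\\Tor\\tor.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6669:TCP"= 6669:TCP:emule
"35641:UDP"= 35641:UDP:emule
"3728:TCP"= 3728:TCP:192.168.0.114/255.255.255.255:Enabled:GigaTribe
"""

RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"(?: \[(?P<meta>[^\]]*)\])?$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<data>.*)$')


def parse_sections(text: str) -> Dict[str, List[str]]:
    """Group the REGEDIT4-style lines under their [key] header (keys lower-cased)."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def autoruns(sections) -> List[Dict[str, str]]:
    """Every entry under a ...\\CurrentVersion\\Run key (HKCU, HKLM, HKU\\.DEFAULT)."""
    found = []
    for key, lines in sections.items():
        if key.endswith(r"\currentversion\run"):
            for m in filter(None, map(RUN_RE.match, lines)):
                found.append({"key": key, "name": m["name"], "cmd": m["cmd"]})
    return found


def pathless_autoruns(sections) -> List[Dict[str, str]]:
    """Run entries naming a bare file instead of a full path; these resolve through
    the loader's search order, so confirm which file is actually started."""
    return [a for a in autoruns(sections) if "\\" not in a["cmd"]]


def parse_port(data: str) -> Dict[str, object]:
    """Decode a GloballyOpenPorts value: either the full form
    '3728:TCP:192.168.0.114/255.255.255.255:Enabled:GigaTribe' or the short
    'port:proto:name' form. Assumption of this example: the short form is an
    enabled rule with scope '*' (any source)."""
    f = data.split(":")
    full = len(f) >= 5
    return {"port": int(f[0]), "proto": f[1].upper(),
            "scope": f[2] if full else "*",
            "enabled": (f[3] == "Enabled") if full else True,
            "name": f[-1]}


def firewall_profile(sections, profile: str = "standardprofile") -> Dict[str, object]:
    """EnableFirewall state, authorised programs and open ports for one profile."""
    enabled = None
    apps: List[str] = []
    ports: List[Dict[str, object]] = []
    for key, lines in sections.items():
        if key.endswith("firewallpolicy\\" + profile):
            for m in filter(None, map(VALUE_RE.match, lines)):
                if m["name"].lower() == "enablefirewall":
                    value = m["data"].split()          # "0 (0x0)" -> ["0", "(0x0)"]
                    enabled = bool(value) and value[0] != "0"
        elif key.endswith(profile + "\\authorizedapplications\\list"):
            # the log doubles backslashes in these names, as regedit exports do
            apps += [m["name"].replace("\\\\", "\\") for m in filter(None, map(VALUE_RE.match, lines))]
        elif key.endswith(profile + "\\globallyopenports\\list"):
            ports += [parse_port(m["data"]) for m in filter(None, map(VALUE_RE.match, lines))]
    return {"enabled": enabled, "apps": apps, "ports": ports}


def findings(text: str) -> List[str]:
    """Human-readable findings; an empty list means nothing to raise."""
    sections = parse_sections(text)
    fw = firewall_profile(sections)
    out = []
    if fw["enabled"] is False:
        out.append("Windows Firewall is off for the standard profile (EnableFirewall=0)")
    for p in fw["ports"]:
        if p["enabled"] and p["scope"] == "*":
            out.append(f"port {p['port']}/{p['proto']} is open to any source ({p['name']})")
    for a in pathless_autoruns(sections):
        out.append(f"autorun '{a['name']}' starts {a['cmd']} without a full path")
    return out


if __name__ == "__main__":
    for line in findings(SAMPLE_COMBOFIX_LOG):
        print("-", line)
```

On the posted log this reports the disabled firewall, the two eMule ports and the RTHDCPL entry; the GigaTribe rule is scoped to a single LAN address and is not reported. The firewall state is the first thing to restore after the cleanup, since the tools in this thread remove the rogue but leave that policy as they found it.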


#9 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:08:47 PM

Posted 17 July 2010 - 03:36 AM

The Combofix program sets defaults, one of which is adding the IE icon and making IE your default browser. The log itself looks far from ugly as Combofix has removed the rogue.


Here's some info on the Ask toolbar

The Ask toolbar is not recommended. This toolbar enhances internet browsing and provides a direct link to the "ask.com" search engine. This program is not known to be bundled with spyware - The company strongly denies the toolbar as being malware.

Please read why it might be good to remove it here.

If you choose to remove it then follow the instructions below.

Click "start" on the taskbar and then click on the "Control Panel" icon.
Please double-click (or right-click, if you are using Vista) the "Add or Remove Programs" icon.
A list of installed programs will be "populated"; this may take a bit of time.
If they exist, uninstall the following by clicking on the following entries and selecting "remove":



Ask.com



Additional instructions can be found here if needed.


Now please rerun Combofix so that we can clear up what's left


1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the box below into it:

File::
c:\windows\system32\drivers\kgpcpy.cfg
c:\windows\iun6002.exe

Folder::
c:\documents and settings\Ann\Local Settings\Application Data\gwlaac


Save this as CFScript.txt, in the same location as Comfix.exe (called ComboFix.exe in the below graphic)




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
m0le is a proud member of UNITE

#10 richie_22

richie_22
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:03:47 PM

Posted 17 July 2010 - 10:27 AM

I just meant some of the stuff it removed, for example the intelppm infection and those .exe files. To be honest I'm not really concerned about the toolbar, but I prefer just the Google bar; I can't remember how it got there, so I will likely remove it down the line. I have been browsing on Opera lately and I'm unhappy with it since I'm so used to Firefox; I will be switching back today. My computer has improved with regards to random lagging and stuff.

ComboFix 10-07-15.05 - Ann 17/07/2010 11:40:04.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.2.1033.18.446.165 [GMT -3:00]
Running from: c:\documents and settings\Ann\My Documents\comfix.exe
Command switches used :: c:\documents and settings\Ann\My Documents\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\windows\iun6002.exe"
"c:\windows\system32\drivers\kgpcpy.cfg"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Ann\Local Settings\Application Data\gwlaac
c:\windows\iun6002.exe
c:\windows\system32\drivers\kgpcpy.cfg

.
((((((((((((((((((((((((( Files Created from 2010-06-17 to 2010-07-17 )))))))))))))))))))))))))))))))
.

2010-07-11 19:08 . 2010-07-11 20:11 -------- d-----w- c:\documents and settings\Ann\Application Data\PaRaMeter
2010-07-11 19:06 . 2010-07-11 19:07 -------- d-----w- c:\program files\PaRaMeter
2010-07-10 23:40 . 2010-07-10 23:40 388096 ----a-r- c:\documents and settings\Ann\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-07-10 23:21 . 2010-07-10 23:21 -------- d-----w- c:\program files\Safer Networking
2010-07-10 22:52 . 2010-07-10 22:52 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2010-07-10 22:48 . 2010-07-10 22:48 -------- d-----w- c:\program files\Common Files\iS3
2010-07-10 22:48 . 2010-07-11 06:25 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-07-10 20:52 . 2010-07-10 20:52 -------- d-----w- c:\documents and settings\Ann\Application Data\Acapela Group
2010-07-10 20:51 . 2010-07-10 20:51 -------- d-----w- c:\documents and settings\Ann\Local Settings\Application Data\Xtranormal
2010-07-10 20:45 . 2010-07-10 20:45 -------- d-----w- c:\program files\Xtranormal
2010-07-10 20:43 . 2010-07-10 20:53 -------- d-----w- c:\documents and settings\Ann\Application Data\Xtranormal
2010-07-10 09:23 . 2010-07-10 17:53 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\fmtgvfnrx
2010-07-09 21:51 . 2010-04-29 18:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-09 21:51 . 2010-04-29 18:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-04 02:15 . 2010-07-04 02:15 -------- d-----r- C:\MSOCache
2010-07-04 02:04 . 2010-07-04 02:04 -------- d-----w- c:\documents and settings\Ann\Application Data\Scalabium
2010-07-02 11:13 . 2010-07-02 11:13 -------- d-s---w- c:\documents and settings\LocalService\UserData
2010-06-24 12:10 . 2010-06-24 12:10 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-06-24 12:09 . 2010-06-24 12:10 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-06-18 18:23 . 2010-06-18 18:23 -------- d-s---w- c:\documents and settings\NetworkService\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-17 06:20 . 2008-10-22 21:17 -------- d-----w- c:\documents and settings\Ann\Application Data\FileZilla
2010-07-17 03:41 . 2010-04-03 03:50 -------- d-----w- c:\program files\Eraser
2010-07-11 08:21 . 2009-05-16 07:00 -------- d-----w- c:\documents and settings\Ann\Application Data\tor
2010-07-11 08:12 . 2009-05-16 06:55 -------- d-----w- c:\documents and settings\Ann\Application Data\Vidalia
2010-07-10 17:55 . 2008-10-25 17:57 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2010-07-10 09:21 . 2008-10-12 17:21 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-10 05:37 . 2010-02-28 03:15 -------- d-----w- c:\documents and settings\Ann\Application Data\gtk-2.0
2010-07-09 21:53 . 2010-01-18 02:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-02 10:22 . 2009-06-12 11:23 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2010-07-02 04:08 . 2008-10-14 21:43 -------- d-----w- c:\program files\ScanSoft
2010-06-20 01:32 . 2010-05-19 19:14 -------- d-----w- c:\program files\FileZilla FTP Client
2010-06-05 01:44 . 2009-07-25 00:14 -------- d-----w- c:\documents and settings\Ann\Application Data\FrostWire
2010-06-05 01:00 . 2010-01-12 23:21 -------- d-----w- c:\program files\Incomplete
2010-06-04 17:54 . 2010-01-13 03:20 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-02 05:56 . 2004-08-04 12:00 1850880 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:51 . 2004-08-04 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2001-03-30 15:18 . 2001-03-30 15:18 32768 --sha-r- c:\windows\system32\zsoftas.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 17:01 1230080 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-02-04 19:50 1197448 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-11-09 2356088]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Eraser"="c:\program files\Eraser\eraser.exe" [2003-07-25 536576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2007-01-19 49152]
"D-Link D-Link Wireless N DWA-130"="c:\program files\D-Link\D-Link Wireless N DWA-130\AirNCFG.exe" [2008-03-20 1675264]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-07-09 2048352]
"RTHDCPL"="RTHDCPL.EXE" [2009-09-11 18717696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Privoxy.lnk - c:\program files\Vidalia Bundle\Privoxy\privoxy.exe [2006-11-20 250368]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-10-13 495432]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-18 11:18 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-01-12 01:16 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
2007-02-04 15:02 79400 ----a-w- c:\program files\ScanSoft\OmniPageSE4\OpWareSE4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2005-01-12 10:01 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2006-10-25 12:03 210472 ----a-w- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Vidalia Bundle\\Tor\\tor.exe"=
"c:\\Program Files\\GridService\\peer.exe"=
"c:\\Program Files\\FileZilla FTP Client\\filezilla.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Port Detective\\PBDClient.exe"=
"c:\\Program Files\\Real Alternative\\Media Player Classic\\mplayerc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6669:TCP"= 6669:TCP:emule
"35641:UDP"= 35641:UDP:emule
"3728:TCP"= 3728:TCP:192.168.0.114/255.255.255.255:Enabled:GigaTribe

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [25/10/2008 2:57 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [25/10/2008 2:57 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [25/10/2008 2:57 PM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [25/10/2008 2:57 PM 297752]
S2 LXCYCustomerConnect;LXCYCustomerConnect; [x]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [15/09/2009 3:58 PM 1684736]
S4 PCPitstop Scheduling;PCPitstop Scheduling;c:\program files\PCPitstop\PCPitstopScheduleService.exe [15/09/2009 3:41 PM 85504]
.
Contents of the 'Scheduled Tasks' folder

2010-07-17 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-02-04 19:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.orbitdownloader.com
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://ca.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://ca.search.yahoo.com
IE: &U?????????
IE: &U????????? - c:\program files\NamiRobot\Data\du.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
TCP: {6E857B43-48A4-47D2-A95A-9ABA6B854ACC} = 192.168.0.1,192.168.0.2
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-17 11:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(904)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-07-17 11:51:00
ComboFix-quarantined-files.txt 2010-07-17 14:50
ComboFix2.txt 2010-07-17 00:39

Pre-Run: 137,806,143,488 bytes free
Post-Run: 137,794,105,344 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
[spybotsd]
timeout.old=30

- - End Of File - - 2A85640084B326E6FE43B277960E5D41


Some of the AVG network connection entries still came up in a Gmer quick scan shortly after the first ComboFix scan last night, but I assume that is relevant and not an issue.

Edited by richie_22, 17 July 2010 - 10:39 AM.
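The ComboFix log above lists autostart entries, the firewall policy and the browser start page in a fixed text shape. As an added example (not part of this thread and not a ComboFix or BleepingComputer tool), the Python below parses a constructed log in that shape and flags the settings an analyst would check first: the firewall disabled for the standard profile, globally open ports, Run entries that name a bare executable rather than a full path, a start page outside an expected list, and a ProxyOverride. The sample log, the hostname `search.example-hijack.test` and the `EXPECTED_START_HOSTS` list are constructed assumptions; a hit is a prompt to verify, not proof of infection, since legitimate software (like the AVG entries in the log) also shows up in such listings.

```python
"""Triage a ComboFix-style log for settings that weaken host defences or
point at a browser hijack.  Added example, not a ComboFix feature; the
sample log below is constructed to mirror the format of the thread's log."""
import re

# Constructed sample in ComboFix's layout (registry sections, then the
# "Supplementary Scan" key = value lines).  Raw string keeps the backslashes.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-07-09 2048352]
"RTHDCPL"="RTHDCPL.EXE" [2009-09-11 18717696]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6669:TCP"= 6669:TCP:emule

------- Supplementary Scan -------
uStart Page = hxxp://search.example-hijack.test
uInternet Settings,ProxyOverride = 127.0.0.1
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
URL_HOST_RE = re.compile(r"hxxps?://([^/\s]+)", re.IGNORECASE)  # logs defang http as hxxp

# Assumed list of start pages the analyst would consider unremarkable.
EXPECTED_START_HOSTS = {"www.google.com", "www.bing.com", "about:blank"}


def parse_sections(text):
    """Return {section_name_lowercased: [(name, value), ...]} for bracketed
    registry blocks, plus a 'supplementary' key for the Supplementary Scan."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("------- Supplementary Scan"):
            current = "supplementary"
            sections[current] = []
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()
            sections[current] = []
            continue
        if current is None:
            continue
        if current == "supplementary":
            if " = " in line:
                k, v = line.split(" = ", 1)
                sections[current].append((k.strip(), v.strip()))
            continue
        m = VALUE_RE.match(line)
        if m:
            sections[current].append((m.group(1), m.group(2).strip()))
    return sections


def triage(text):
    """Return human-readable findings that deserve a second look."""
    findings = []
    sections = parse_sections(text)
    for name, entries in sections.items():
        if name.endswith(r"firewallpolicy\standardprofile"):
            for k, v in entries:
                if k == "EnableFirewall" and v.startswith("0"):
                    findings.append("Windows Firewall disabled for the standard profile")
        elif name.endswith(r"globallyopenports\list"):
            for _, v in entries:
                findings.append(f"globally open port {v}")
        elif name.endswith(r"\run"):
            for k, v in entries:
                # Value is '"<path>" [date size]'; a path without a directory
                # component is resolved by search order, so check which file runs.
                path = v.split('"')[1] if v.startswith('"') else v.split()[0]
                if "\\" not in path:
                    findings.append(f"Run entry {k!r} uses bare name {path!r}; verify which file actually runs")
    for k, v in sections.get("supplementary", []):
        if k == "uStart Page":
            m = URL_HOST_RE.search(v)
            host = m.group(1).lower() if m else v.lower()
            if host not in EXPECTED_START_HOSTS:
                findings.append(f"start page set to {host}; confirm the user chose it")
        elif k.endswith("ProxyOverride"):
            findings.append(f"ProxyOverride present ({v}); check for a configured proxy")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print("-", finding)
```

Each finding names the setting and what to verify; extending `EXPECTED_START_HOSTS` or adding a vendor-path allowlist for the Run section is how you would cut noise from known-good software on a given machine.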


#11 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:08:47 PM

Posted 17 July 2010 - 04:37 PM

Gmer will pick up any modifications, and that includes legitimate ones, so don't worry about that.


Please run ESET's online scanner next
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Leave the top box checked and then check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
m0le is a proud member of UNITE

#12 richie_22

richie_22
  • Topic Starter

  • Members
  • 13 posts
  • Local time:03:47 PM

Posted 17 July 2010 - 07:14 PM

I'm not sure what the first one is from, but the three below it are .mp3 files I can identify and remove.


C:\Documents and Settings\Ann\Application Data\Sun\Java\Deployment\cache\6.0\26\4c72c81a-72dc661d a variant of Java/TrojanDownloader.Agent.NAN trojan
C:\Documents and Settings\Ann\My Documents\Music\california waiting (instrumental version).mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan
C:\Documents and Settings\Ann\My Documents\Music\day old blues kings of leon live at private party.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan
C:\Documents and Settings\Ann\My Documents\Music\the rolling stones - Ruby Tuesday.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan


#13 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:08:47 PM

Posted 18 July 2010 - 04:57 AM

The top one is a copy of the infection cached in your Java folder. It isn't as dangerous there but it should be removed.

You can delete the last three items manually but to remove the cache please do this:

To Clear the Java Runtime Environment (JRE) cache, do this:
  • Click Start > Settings > Control Panel.
  • Double-click the Java icon. If you don't see it, go to Other options in the left panel or change to Classic View
    -The Java Control Panel appears.
  • Click "Settings" under Temporary Internet Files.
    -The Temporary Files Settings dialog box appears.
  • Click "Delete Files".
    -The Delete Temporary Files dialog box appears.
    -There are three options on this window to clear the cache.
    • Delete Files
    • Applications and applets
    • Trace and log files
  • Click "OK" on Delete Temporary Files window.
    -Note: This deletes all the Downloaded Applications and Applets from the cache.
  • Click "OK" on Temporary Files Settings window.
  • Close the Java Control Panel.
You can also view these instructions along with screenshots here.

How is the PC running now?
m0le is a proud member of UNITE

#14 richie_22

richie_22
  • Topic Starter

  • Members
  • 13 posts
  • Local time:03:47 PM

Posted 18 July 2010 - 02:52 PM

My PC is running much better. As I indicated above, my virtual memory would get really high, which would cause page file issues and lagging. It was nothing for it to be up to 1.40 GB. Now that the computer is working better I'm doing more on it and running more tabs and windows, and it is staying put, hovering around the 650-700 MB mark; it also stays at a good level during heavy activity like scans and stuff.

So yeah, my browser is functioning well too; pages load faster and I can do more without freezing.

I really appreciate you helping me; you're the closest thing to a real doctor I've spoken to in years. I think it may have been there a little too long and I didn't do anything about it. Thanks for your support.

Just let me know if you want me to scan anything else or have any more instructions. I will come back later on or tomorrow.

#15 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:08:47 PM

Posted 18 July 2010 - 03:29 PM

Glad to hear that it's gone back to normal. Don't leave it so long 'til your check-up next time!

Please complete the fix (yes, complete) using the instructions below:


You're clean. Good stuff!

Let's do some clearing up

Uninstall ComboFix

Remove Combofix now that we're done with it.
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
    (For Vista/Windows 7 please click Start -> All Programs -> Accessories -> Run)
  • Now type Combofix /Uninstall in the Run box and click OK. (Notice the space between "Combofix" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
This will uninstall Combofix and anything associated with it.


Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double click icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.

------------------------------------------------------------------------------------------------------------------------

Here's some advice on how you can keep your PC clean


Use and update your AntiVirus Software

You must have a good antivirus. There are plenty to choose from but I personally recommend the free options of Avast and Avira Antivir. If you want to purchase a security program then I recommend any of the following: AVG, Norton, McAfee, Kaspersky and ESET Nod32.

It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the program's virus definitions.


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.


Install an AntiSpyware Program

A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version or the Pro version for a 15 day trial period.

Installing this or another recommended program will provide spyware and hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis, just as you would with antivirus software.


Finally, here's a treasure trove of antivirus, antimalware and antispyware resources


That's it richie_22, happy surfing!

Cheers.

m0le
m0le is a proud member of UNITE



