
Infected: browser redirect, svchost.exe, cmd.exe ...


  • This topic is locked
17 replies to this topic

#1 thebeefychief

thebeefychief

  • Members
  • 18 posts
  • Gender:Male
  • Location:Canada

Posted 13 July 2010 - 12:38 PM

Good afternoon,

I am in serious need of assistance regarding my computer. Any advice would be greatly appreciated. I have already attempted using the following programs in and out of safe mode: trend micro house call, spybot search and destroy, lavasoft ad-aware, hitman pro 3.5. I used the aforementioned program before discovering this site. Here are the symptoms my computer is experiencing:

1. My internet browsers are being redirected. All search engines redirect when I click on a search result. Also, random tabs and/or windows pop up with similar redirect locations.

2. Various .exe files appear with odd and seemingly random names in task manager. One or more are directly related to an icon (a red shield with an 'x' in the centre) that is present in my system tray. Also, my regular icons are missing from the system tray. However, their corresponding process is present in task manager.

3. Overall system performance is lacking. Loading times are greater, computer will freeze and won't allow any programs to open. Upon shut down computer will not always go past the 'saving settings' screen even when left for extended periods of time.

4. svchost.exe is using an abnormally large portion of system resources, upwards of 50 to 60 percent, even when no tasks are being performed.

5. On occasion a file called cmd.exe opens hundreds of times in task manager and is visible on the task bar. This causes the computer to become unusable for regular tasks.

Symptoms are becoming more and more apparent and overall functionality of my system is getting worse. I realize that this is most likely a pain in the ass to figure out, as well as being completely my fault for not paying enough attention to system security. Please help me; any suggestions for future preventative measures would also be appreciated.

Thank you in advance,
Geoff C.

PS. Here is the 'dds.txt' file you requested as well as the attached 'attach.txt'. Unfortunately gmer would not allow me to save. After taking copious amounts of time to scan, the program would freeze and not allow me to save the completed scan. I hope this isn't too much of an inconvenience.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Geoff at 11:38:35.39 on 13/07/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1006.479 [GMT -4:00]

AV: AVG 7.5.441 *On-access scanning disabled* (Outdated) {41564737-3200-1071-989B-0000E87B4FB1}
AV: avast! antivirus 4.8.1229 [VPS 080820-0] *On-access scanning disabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Avast4\aswUpdSv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\eHome\ehRecvr.exe
svchost.exe "C:\WINDOWS\system32\adsldpcd.exe"
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\vVX3000.exe
C:\Program Files\Razer\Habu\razerhid.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Razer\Habu\razertra.exe
C:\Program Files\Razer\Habu\razerofa.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Geoff\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com
mSearchAssistant = hxxp://www.google.com
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: ZoneAlarm Spy Blocker: {f0d4b239-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\zonealarmsb\bar\1.bin\SPYBLOCK.DLL
uRun: [PowerBar]
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
mRun: [VX3000] c:\windows\vVX3000.exe
mRun: [Habu] c:\program files\razer\habu\razerhid.exe
mRun: [avast!] c:\progra~1\avast4\ashDisp.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [C-Media Mixer] Mixer.exe /startup
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [HitmanPro35] "c:\program files\hitman pro 3.5\HitmanPro35.exe" /scan:boot
mRun: [rrevnjyw] c:\documents and settings\networkservice\local settings\application data\axqthifio\xtrepvytssd.exe
mRun: [vvnrbecd] c:\documents and settings\networkservice\local settings\application data\pioobnhon\hkykbiltssd.exe
mRun: [fvdqgjsc] c:\documents and settings\geoff\local settings\application data\vxfxrbrmi\tfvtllitssd.exe
mRun: [qcjpigaa] c:\documents and settings\networkservice\local settings\application data\dvfyriibk\pppmomdtssd.exe
mRun: [dwwfbhwt] c:\documents and settings\networkservice\local settings\application data\qtyuwpsdd\cklkifttssd.exe
mRun: [djtbgefj] c:\documents and settings\networkservice\local settings\application data\hwggyqrma\efnpaabtssd.exe
mRun: [nonep] c:\windows\temp\D.tmp
mRun: [nfodsflh] c:\documents and settings\networkservice\local settings\application data\oowttbpwf\pogfwdrtssd.exe
dRun: [AVG7_Run] c:\progra~1\grisoft\avgfre~1\avgw.exe /RUNONCE
dRun: [rrevnjyw] c:\documents and settings\networkservice\local settings\application data\axqthifio\xtrepvytssd.exe
dRun: [vvnrbecd] c:\documents and settings\networkservice\local settings\application data\pioobnhon\hkykbiltssd.exe
dRun: [fvdqgjsc] c:\documents and settings\geoff\local settings\application data\vxfxrbrmi\tfvtllitssd.exe
dRun: [qcjpigaa] c:\documents and settings\networkservice\local settings\application data\dvfyriibk\pppmomdtssd.exe
dRun: [dwwfbhwt] c:\documents and settings\networkservice\local settings\application data\qtyuwpsdd\cklkifttssd.exe
dRun: [djtbgefj] c:\documents and settings\networkservice\local settings\application data\hwggyqrma\efnpaabtssd.exe
dRun: [nfodsflh] c:\documents and settings\networkservice\local settings\application data\oowttbpwf\pogfwdrtssd.exe
StartupFolder: c:\documents and settings\geoff\start menu\programs\startup\wwwxbv32.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1208733307671
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
TCP: NameServer = 208.67.220.220,208.67.222.222
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\puresp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: chkapp - {2634C132-BF37-871C-861F-007D13D55A15} - c:\program files\coyqhyf\chkapp.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\geoff\applic~1\mozilla\firefox\profiles\nerhyu0h.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/firefox?client=firefox-a&rlz=1R0GGGL_en
FF - plugin: c:\program files\mozilla firefox\plugins\NPZoneSB.dll
FF - plugin: c:\windows\system32\c2mp\npdivx32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Internal security: No Registry Reference - c:\program files\mozilla firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-8-20 78416]
R1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys [2006-12-31 4224]
R1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys [2006-12-31 3968]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-8-22 394952]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-8-20 20560]
R2 Avg7Alrt;AVG7 Alert Manager Server;c:\progra~1\grisoft\avgfre~1\avgamsvr.exe [2006-12-31 353792]
R2 Avg7UpdSvc;AVG7 Update Service;c:\progra~1\grisoft\avgfre~1\avgupsvc.exe [2006-12-31 49664]
R2 AVGEMS;AVG E-mail Scanner;c:\progra~1\grisoft\avgfre~1\avgemc.exe [2006-12-31 324096]
R2 AvgTdi;AVG Network Redirector;c:\windows\system32\drivers\avgtdi.sys [2006-12-31 4960]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2006-12-31 839936]
S1 Avg7RsXP;AVG7 Resident Driver XP;c:\windows\system32\drivers\avg7rsxp.sys [2006-12-31 27776]
S2 avast! Antivirus;avast! Antivirus;c:\program files\avast4\ashServ.exe [2008-8-20 147640]
S2 ehRecvrALG;Media Center Receiver Service ehRecvrALG;c:\windows\system32\adsldpcd.exe srv --> c:\windows\system32\adsldpcd.exe srv [?]
S2 HTTPFilterlanmanserver;HTTP SSL HTTPFilterlanmanserver;c:\windows\system32\1054z.exe srv --> c:\windows\system32\1054z.exe srv [?]
S2 nmserviceNtmsSvc;Pure Networks Network Magic Service nmserviceNtmsSvc;c:\windows\system32\a3dw.exe srv --> c:\windows\system32\a3dw.exe srv [?]
S2 WmdmPmSNdmserver;Portable Media Serial Number Service WmdmPmSNdmserver;c:\windows\system32\1037h.exe srv --> c:\windows\system32\1037h.exe srv [?]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\avast4\ashMaiSv.exe [2008-8-20 250040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\avast4\ashWebSv.exe [2008-8-20 348344]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [2010-6-10 16968]
S3 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2008-8-22 127768]

=============== Created Last 30 ================

2010-07-13 03:42:04 0 ----a-w- c:\windows\vnlfw30fblb73n0z23xkflkr.ini
2010-07-13 01:51:08 1648 ----a-w- c:\windows\system32\d3d8caps.dat
2010-07-13 01:01:58 11264 ----a-w- c:\windows\DCEBoot.exe
2010-07-13 00:54:33 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-07-13 00:36:19 0 d-sh--w- c:\windows\system32\lowsec
2010-07-12 23:59:57 100 --s-a-w- c:\windows\system32\3466367831.dat
2010-07-12 23:59:38 4 ----a-w- c:\docume~1\geoff\applic~1\avdrn.dat
2010-06-24 23:19:29 20 ----a-w- c:\documents and settings\geoff\defogger_reenable
2010-06-18 17:44:09 910 ----a-w- c:\windows\system32\.crusader
2010-06-15 23:03:05 32768 ----a-w- c:\windows\system32\hgtd.ruy
2010-06-15 23:03:04 65024 ----a-w- c:\windows\system32\h7t.wt
2010-06-15 23:03:03 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll
2010-06-15 23:03:00 156160 ----a-w- c:\windows\system32\cooper.mine

==================== Find3M ====================

2010-07-13 15:25:48 1984 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-24 22:58:59 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-06-15 23:03:02 578560 ----a-w- c:\windows\system32\user32.DLL
2010-06-10 14:28:31 9 ----a-w- C:\confin.sys
2010-05-12 15:21:16 221568 ------w- c:\windows\system32\MpSigStub.exe
2004-03-11 21:27:22 40960 ----a-w- c:\program files\Uninstall_CDS.exe
2010-03-13 16:52:20 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012010031320100314\index.dat
2008-09-30 04:37:55 8996896 --sha-w- c:\windows\system32\drivers\fidbox.dat

============= FINISH: 11:40:02.09 ===============

Merged posts removing redundant content. ~ OB

Attached Files


Edited by Orange Blossom, 13 July 2010 - 09:20 PM.
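The DDS log above contains several classic persistence indicators that a helper reads by eye: a second entry appended to the Winlogon Userinit value (sdra64.exe), randomly named mRun/dRun values launching from the NetworkService profile's Local Settings\Application Data, a bare executable dropped into the user's Startup folder, and services whose display name is a legitimate name with the internal service name glued on, pointing at an unverified short-named .exe directly in system32 (the trailing "[?]" means DDS could not verify the file). The script below is an added example, not part of this thread and not a DDS feature: it parses lines in the shape of the Pseudo HJT Report and SERVICES / DRIVERS sections and flags those patterns. The sample lines are copied from the log above; the heuristics (which paths, which name shapes count as suspicious) are this example's own assumptions, meant as triage hints for a reviewer, not a verdict.

```python
import re

# Constructed sample: lines copied from the DDS "Pseudo HJT Report" and
# "SERVICES / DRIVERS" sections posted above, clean and suspicious ones mixed.
SAMPLE_LINES = [
    r"mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,",
    r"uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe",
    r"mRun: [avast!] c:\progra~1\avast4\ashDisp.exe",
    r"mRun: [rrevnjyw] c:\documents and settings\networkservice\local settings\application data\axqthifio\xtrepvytssd.exe",
    r"mRun: [nonep] c:\windows\temp\D.tmp",
    r"dRun: [AVG7_Run] c:\progra~1\grisoft\avgfre~1\avgw.exe /RUNONCE",
    r"StartupFolder: c:\documents and settings\geoff\start menu\programs\startup\wwwxbv32.exe",
    r"StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe",
    r"R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]",
    r"R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]",
    r"S2 HTTPFilterlanmanserver;HTTP SSL HTTPFilterlanmanserver;c:\windows\system32\1054z.exe srv --> c:\windows\system32\1054z.exe srv [?]",
]

# Line shapes used by the DDS report sections shown in the thread.
USERINIT_RE = re.compile(r"^mWinlogon: Userinit=(.*)$", re.I)
RUN_RE = re.compile(r"^[umd]Run: \[([^\]]*)\] ?(.*)$")
STARTUP_RE = re.compile(r"^StartupFolder: (.*)$")
SERVICE_RE = re.compile(r"^[RS]\d (?P<name>[^;]+);(?P<display>[^;]+);(?P<image>.*)$")

# Heuristics below are this example's own assumptions, not DDS rules.
SERVICE_PROFILE_RE = re.compile(r"\\(networkservice|localservice)\\local settings\\application data\\", re.I)
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}$")  # eight lowercase letters, like "rrevnjyw"


def userinit_extras(line):
    """Return every Userinit entry other than the stock userinit.exe (there should be none)."""
    m = USERINIT_RE.match(line)
    if not m:
        return []
    entries = [e.strip() for e in m.group(1).split(",") if e.strip()]
    return [e for e in entries if not e.lower().endswith(r"\userinit.exe")]


def run_entry_reason(name, target):
    """Explain why a Run-key value looks suspicious, or None if it does not."""
    t = target.lower()
    if SERVICE_PROFILE_RE.search(t):
        return "autorun launches from a service-account profile directory"
    if "\\temp\\" in t or t.endswith(".tmp"):
        return "autorun launches from a temp directory or a .tmp file"
    if RANDOM_NAME_RE.match(name):
        return "autorun value name looks randomly generated"
    return None


def startup_reason(target):
    """Installers drop .lnk shortcuts ('x.lnk - target'); a bare .exe in Startup is unusual."""
    if " - " not in target and target.lower().endswith(".exe"):
        return "executable placed directly in a Startup folder (no shortcut)"
    return None


def service_reason(name, display, image):
    """Flag name-stuffed display names and unverified images sitting directly in system32."""
    reasons = []
    if display.lower() != name.lower() and display.lower().endswith(name.lower()):
        reasons.append("display name is a legitimate-looking name with the service name appended")
    m = re.match(r"(?P<path>.*?\.exe)", image, re.I)
    if image.rstrip().endswith("[?]") and m:  # "[?]": DDS could not verify the file
        directory, _, filename = m.group("path").lower().rpartition("\\")
        if directory == r"c:\windows\system32":
            reasons.append("unverified image (%s) directly in system32" % filename)
    return "; ".join(reasons) or None


def triage(lines):
    """Return (line, reason) pairs for every line one of the heuristics flags."""
    findings = []
    for line in lines:
        line = line.rstrip()
        extras = userinit_extras(line)
        if extras:
            findings.append((line, "Userinit carries extra entries: " + ", ".join(extras)))
            continue
        m = RUN_RE.match(line)
        if m:
            reason = run_entry_reason(m.group(1), m.group(2))
        elif (m := STARTUP_RE.match(line)):
            reason = startup_reason(m.group(1))
        elif (m := SERVICE_RE.match(line)):
            reason = service_reason(m.group("name"), m.group("display"), m.group("image"))
        else:
            reason = None
        if reason:
            findings.append((line, reason))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LINES):
        print("FLAG:", reason)
        print("     ", line)
```

Run against the sample, the script flags the Userinit line, the rrevnjyw and nonep Run values, the wwwxbv32.exe Startup entry and the HTTPFilterlanmanserver service, and leaves ctfmon, avast!, AVG, the Adobe shortcut, vsmon (unverified but in a vendor subfolder) and Windows Defender alone. A hit is a reason to look closer, not proof by itself; the helper's usual next step, as in the thread, is a fresh log and a rootkit scan.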



#2 MalwareMutilator

MalwareMutilator

  • Members
  • 931 posts
  • Gender:Male

Posted 15 July 2010 - 10:25 AM

Hello thebeefychief, and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, please include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, I will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again as your situation may have changed. Please use the Add Reply and add the new log to this thread.

Thank you, and once again, sorry for the delay.


We need to see some additional information about what is happening in your machine. Please perform the following steps in the order given:

Step #1

DDS:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.

  • Double click on the DDS icon, allow it to run.

  • A small box will open with an explanation about the tool. No input is needed, the scan is running.

  • Notepad will open with the results.

  • Follow the instructions that pop up for posting the results.

  • Close the program window and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

Step #2

DeFogger:

Please download DeFogger to your Desktop.

Double click DeFogger to run the tool.
  • The application window will appear.

  • Click the Disable button to disable any CD Emulation drivers you may have, as these will interfere with the GMER scan we need to run next.

  • Click Yes to continue.

  • A 'Finished!' message will appear.

  • Click OK.

  • DeFogger will now ask to reboot the machine - click OK.
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.

Step #3

Scan with RKUnHooker:
  • Please download Rootkit Unhooker and save it to your desktop.

  • Next, double-click on RKUnhookerLE.exe to run it.

  • Click the Report tab, then click Scan.

  • Check (tick) Drivers > Stealth. Uncheck the rest and then click OK.

  • Wait until the scanner has finished and then click File > Save Report.

  • Save the report somewhere where you can easily find it (your desktop for example). Click Close.

  • Copy the entire contents of the report and paste it in a reply here.
Note: You may receive the warning below when running the scan . . . please ignore it.

Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?


After completing all of the steps outlined above, please copy and paste the new DDS log, and the RKUnHooker log with your next reply.

Regards,

MalwareMutilator

#3 thebeefychief

thebeefychief
  • Topic Starter
  • Members
  • 18 posts
  • Gender:Male
  • Location:Canada

Posted 15 July 2010 - 02:16 PM

Hello,

Thank you for answering my post. My situation has not changed. I will do my best to follow your instructions and respond promptly. Here are the logs you requested. Your assistance is greatly appreciated.

Cheers,

Geoff


DDS (Ver_10-03-17.01) - NTFSx86
Run by Geoff at 14:49:35.67 on 15/07/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1006.524 [GMT -4:00]

AV: AVG 7.5.441 *On-access scanning disabled* (Outdated) {41564737-3200-1071-989B-0000E87B4FB1}
AV: avast! antivirus 4.8.1229 [VPS 080820-0] *On-access scanning disabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Avast4\aswUpdSv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\eHome\ehRecvr.exe
svchost.exe "C:\WINDOWS\system32\adsldpcd.exe"
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\vVX3000.exe
C:\Program Files\Razer\Habu\razerhid.exe
C:\PROGRA~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hitman Pro 3.5\HitmanPro35.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Documents and Settings\NetworkService\Local Settings\Application Data\hwggyqrma\efnpaabtssd.exe
C:\Documents and Settings\NetworkService\Local Settings\Application Data\oowttbpwf\pogfwdrtssd.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Documents and Settings\Geoff\Start Menu\Programs\Startup\wwwxbv32.exe
C:\Program Files\Razer\Habu\razertra.exe
C:\Program Files\Razer\Habu\razerofa.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Documents and Settings\Geoff\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com
mSearchAssistant = hxxp://www.google.com
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: ZoneAlarm Spy Blocker: {f0d4b239-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\zonealarmsb\bar\1.bin\SPYBLOCK.DLL
uRun: [PowerBar]
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
mRun: [VX3000] c:\windows\vVX3000.exe
mRun: [Habu] c:\program files\razer\habu\razerhid.exe
mRun: [avast!] c:\progra~1\avast4\ashDisp.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [C-Media Mixer] Mixer.exe /startup
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [HitmanPro35] "c:\program files\hitman pro 3.5\HitmanPro35.exe" /scan:boot
mRun: [rrevnjyw] c:\documents and settings\networkservice\local settings\application data\axqthifio\xtrepvytssd.exe
mRun: [vvnrbecd] c:\documents and settings\networkservice\local settings\application data\pioobnhon\hkykbiltssd.exe
mRun: [fvdqgjsc] c:\documents and settings\geoff\local settings\application data\vxfxrbrmi\tfvtllitssd.exe
mRun: [qcjpigaa] c:\documents and settings\networkservice\local settings\application data\dvfyriibk\pppmomdtssd.exe
mRun: [dwwfbhwt] c:\documents and settings\networkservice\local settings\application data\qtyuwpsdd\cklkifttssd.exe
mRun: [djtbgefj] c:\documents and settings\networkservice\local settings\application data\hwggyqrma\efnpaabtssd.exe
mRun: [nonep] c:\windows\temp\C.tmp
mRun: [nfodsflh] c:\documents and settings\networkservice\local settings\application data\oowttbpwf\pogfwdrtssd.exe
mRun: [orhqbyfg] c:\documents and settings\networkservice\local settings\application data\jmdoxddmy\uoirbritssd.exe
mRun: [advguhrq] c:\documents and settings\networkservice\local settings\application data\oifmterfo\qhpwiwqtssd.exe
dRun: [AVG7_Run] c:\progra~1\grisoft\avgfre~1\avgw.exe /RUNONCE
dRun: [rrevnjyw] c:\documents and settings\networkservice\local settings\application data\axqthifio\xtrepvytssd.exe
dRun: [vvnrbecd] c:\documents and settings\networkservice\local settings\application data\pioobnhon\hkykbiltssd.exe
dRun: [fvdqgjsc] c:\documents and settings\geoff\local settings\application data\vxfxrbrmi\tfvtllitssd.exe
dRun: [qcjpigaa] c:\documents and settings\networkservice\local settings\application data\dvfyriibk\pppmomdtssd.exe
dRun: [dwwfbhwt] c:\documents and settings\networkservice\local settings\application data\qtyuwpsdd\cklkifttssd.exe
dRun: [djtbgefj] c:\documents and settings\networkservice\local settings\application data\hwggyqrma\efnpaabtssd.exe
dRun: [nfodsflh] c:\documents and settings\networkservice\local settings\application data\oowttbpwf\pogfwdrtssd.exe
dRun: [orhqbyfg] c:\documents and settings\networkservice\local settings\application data\jmdoxddmy\uoirbritssd.exe
dRun: [advguhrq] c:\documents and settings\networkservice\local settings\application data\oifmterfo\qhpwiwqtssd.exe
StartupFolder: c:\documents and settings\geoff\start menu\programs\startup\wwwxbv32.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1208733307671
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
TCP: NameServer = 208.67.220.220,208.67.222.222
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\puresp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: chkapp - {2634C132-BF37-871C-861F-007D13D55A15} - c:\program files\coyqhyf\chkapp.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\geoff\applic~1\mozilla\firefox\profiles\nerhyu0h.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/firefox?client=firefox-a&rlz=1R0GGGL_en
FF - plugin: c:\program files\mozilla firefox\plugins\NPZoneSB.dll
FF - plugin: c:\windows\system32\c2mp\npdivx32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Internal security: No Registry Reference - c:\program files\mozilla firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-8-20 78416]
R1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys [2006-12-31 4224]
R1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys [2006-12-31 3968]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-8-22 394952]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-8-20 20560]
R2 Avg7Alrt;AVG7 Alert Manager Server;c:\progra~1\grisoft\avgfre~1\avgamsvr.exe [2006-12-31 353792]
R2 Avg7UpdSvc;AVG7 Update Service;c:\progra~1\grisoft\avgfre~1\avgupsvc.exe [2006-12-31 49664]
R2 AVGEMS;AVG E-mail Scanner;c:\progra~1\grisoft\avgfre~1\avgemc.exe [2006-12-31 324096]
R2 AvgTdi;AVG Network Redirector;c:\windows\system32\drivers\avgtdi.sys [2006-12-31 4960]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2006-12-31 839936]
S1 Avg7RsXP;AVG7 Resident Driver XP;c:\windows\system32\drivers\avg7rsxp.sys [2006-12-31 27776]
S2 avast! Antivirus;avast! Antivirus;c:\program files\avast4\ashServ.exe [2008-8-20 147640]
S2 ehRecvrALG;Media Center Receiver Service ehRecvrALG;c:\windows\system32\adsldpcd.exe srv --> c:\windows\system32\adsldpcd.exe srv [?]
S2 HTTPFilterlanmanserver;HTTP SSL HTTPFilterlanmanserver;c:\windows\system32\1054z.exe srv --> c:\windows\system32\1054z.exe srv [?]
S2 nmserviceNtmsSvc;Pure Networks Network Magic Service nmserviceNtmsSvc;c:\windows\system32\a3dw.exe srv --> c:\windows\system32\a3dw.exe srv [?]
S2 WmdmPmSNdmserver;Portable Media Serial Number Service WmdmPmSNdmserver;c:\windows\system32\1037h.exe srv --> c:\windows\system32\1037h.exe srv [?]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\avast4\ashMaiSv.exe [2008-8-20 250040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\avast4\ashWebSv.exe [2008-8-20 348344]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [2010-6-10 16968]
S3 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2008-8-22 127768]

=============== Created Last 30 ================

2010-07-13 03:42:04 0 ----a-w- c:\windows\vnlfw30fblb73n0z23xkflkr.ini
2010-07-13 01:51:08 1648 ----a-w- c:\windows\system32\d3d8caps.dat
2010-07-13 01:01:58 11264 ----a-w- c:\windows\DCEBoot.exe
2010-07-13 00:54:33 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-07-13 00:36:19 0 d-sh--w- c:\windows\system32\lowsec
2010-07-12 23:59:57 190 --s-a-w- c:\windows\system32\3466367831.dat
2010-07-12 23:59:38 4 ----a-w- c:\docume~1\geoff\applic~1\avdrn.dat
2010-06-24 23:19:29 20 ----a-w- c:\documents and settings\geoff\defogger_reenable
2010-06-18 17:44:09 910 ----a-w- c:\windows\system32\.crusader
2010-06-15 23:03:05 32768 ----a-w- c:\windows\system32\hgtd.ruy
2010-06-15 23:03:04 65024 ----a-w- c:\windows\system32\h7t.wt
2010-06-15 23:03:03 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll
2010-06-15 23:03:00 156160 ----a-w- c:\windows\system32\cooper.mine

==================== Find3M ====================

2010-07-15 01:21:13 1984 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-24 22:58:59 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-06-15 23:03:02 578560 ----a-w- c:\windows\system32\user32.DLL
2010-06-10 14:28:31 9 ----a-w- C:\confin.sys
2010-05-12 15:21:16 221568 ------w- c:\windows\system32\MpSigStub.exe
2004-03-11 21:27:22 40960 ----a-w- c:\program files\Uninstall_CDS.exe
2010-03-13 16:52:20 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012010031320100314\index.dat
2008-09-30 04:37:55 8996896 --sha-w- c:\windows\system32\drivers\fidbox.dat

============= FINISH: 14:51:06.96 ===============

RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #2
==============================================
>Drivers
==============================================
0xF64A7000 C:\WINDOWS\system32\DRIVERS\ati2mtag.sys 5300224 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Miniport Driver)
0xBF19B000 C:\WINDOWS\System32\ati3duag.dll 4096000 bytes (ATI Technologies Inc. , ati3duag.dll)
0xBF583000 C:\WINDOWS\System32\ativvaxx.dll 2379776 bytes (ATI Technologies Inc. , Radeon Video Acceleration Universal Driver)
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2150400 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2150400 bytes
0x804D7000 RAW 2150400 bytes
0x804D7000 WMIxWDM 2150400 bytes
0xAD0EA000 C:\WINDOWS\system32\DRIVERS\VX3000.sys 1957888 bytes (Microsoft Corporation, Microsoft LifeCam VX3000 Device Driver)
0xBF800000 Win32k 1851392 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1851392 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xAE6CA000 C:\WINDOWS\system32\drivers\sthda.sys 1130496 bytes (SigmaTel, Inc., NDRC)
0xF7227000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xBF062000 C:\WINDOWS\System32\ati2cqag.dll 561152 bytes (ATI Technologies Inc., Central Memory Manager / Queue Server Module)
0xAD396000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xBF0EB000 C:\WINDOWS\System32\atikvmag.dll 446464 bytes (ATI Technologies Inc., Virtual Command And Memory Manager)
0xAD47B000 C:\WINDOWS\System32\vsdatant.sys 393216 bytes (Zone Labs, LLC, TrueVector Device Driver)
0xF625D000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xF63B1000 C:\WINDOWS\system32\drivers\cmaudio.sys 380928 bytes (C-Media Inc, C-Media Audio WDM Driver)
0xAD5C9000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xA78A4000 C:\WINDOWS\system32\DRIVERS\srv.sys 356352 bytes (Microsoft Corporation, Server driver)
0xBF012000 C:\WINDOWS\System32\ati2dvag.dll 327680 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Display Driver)
0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xBF158000 C:\WINDOWS\System32\atiok3x2.dll 274432 bytes (ATI Technologies Inc., Ring 0 x2 component)
0xA7453000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xF645A000 C:\WINDOWS\system32\DRIVERS\e1e5132.sys 233472 bytes (Intel Corporation, Intel® PRO/1000 Adapter NDIS 5.2 deserialized driver)
0xF62BB000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xF736B000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xA7C31000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xF71FA000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xA6A8A000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xAD42E000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xA9F76000 C:\WINDOWS\system32\DRIVERS\atinavt2.sys 172032 bytes (ATI Technologies Inc., ATI T200 Unified AVStream Driver)
0xF640E000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 163840 bytes (Windows ® Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)
0xAD57B000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xF7315000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
0xAD5A3000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xAD087000 C:\WINDOWS\System32\Drivers\Fastfat.SYS 147456 bytes (Microsoft Corporation, Fast FAT File System Driver)
0xF638D000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xF6436000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xF636A000 C:\WINDOWS\system32\drivers\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xA7200000 C:\WINDOWS\System32\Drivers\RDPWD.SYS 143360 bytes (Microsoft Corporation, RDP Terminal Stack Driver (US/Canada Only, Not for Export))
0xAD459000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x806E4000 ACPI_HAL 134400 bytes
0x806E4000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xF72DD000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xF733B000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xF71CC000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xF72FD000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xAD0D3000 C:\WINDOWS\System32\Drivers\aswSP.SYS 94208 bytes (ALWIL Software, avast! self protection module)
0xF72B4000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xF633F000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xA7BF3000 C:\WINDOWS\System32\Drivers\aswMon2.SYS 90112 bytes (ALWIL Software, avast! File System Filter Driver for Windows XP)
0xA71EB000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xF6356000 C:\WINDOWS\system32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)
0xF71E6000 srescan.sys 81920 bytes
0xF6493000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xAD622000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xF72CB000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xF735A000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xF632E000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xAD076000 C:\WINDOWS\System32\Drivers\Udfs.SYS 69632 bytes (Microsoft Corporation, UDF File System Driver)
0xF76AA000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xF76CA000 C:\WINDOWS\system32\DRIVERS\nic1394.sys 65536 bytes (Microsoft Corporation, IEEE1394 Ndis Miniport and Call Manager)
0xF749A000 ohci1394.sys 65536 bytes (Microsoft Corporation, 1394 OpenHCI Port Driver)
0xF76EA000 C:\WINDOWS\system32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
0xF757A000 C:\WINDOWS\system32\DRIVERS\arp1394.sys 61440 bytes (Microsoft Corporation, IP/1394 Arp Client)
0xF76BA000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xACAE2000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xF75DA000 C:\WINDOWS\system32\drivers\usbaudio.sys 61440 bytes (Microsoft Corporation, USB Audio Class Driver)
0xF69C5000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xF74AA000 C:\WINDOWS\system32\DRIVERS\1394BUS.SYS 57344 bytes (Microsoft Corporation, 1394 Bus Device Driver)
0xF74FA000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xF76DA000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xF76FA000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xF75CA000 C:\WINDOWS\system32\DRIVERS\STREAM.SYS 53248 bytes (Microsoft Corporation, WDM CODEC Class Device Driver 2.0)
0xF74DA000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xF6A25000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xF75AA000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xF768A000 C:\WINDOWS\system32\DRIVERS\HECI.sys 45056 bytes (Intel Corporation, Intel® Management Engine Interface)
0xF769A000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xF74CA000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xF6A35000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xF69B5000 C:\WINDOWS\system32\drivers\sfng32.sys 45056 bytes (Sonic Focus, Inc, SFNG32.SYS)
0xF74BA000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xF69F5000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xA790B000 C:\WINDOWS\system32\DRIVERS\secdrv.sys 40960 bytes (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K., Macrovision SECURITY Driver)
0xF6A05000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xF755A000 C:\WINDOWS\System32\Drivers\aswTdi.SYS 36864 bytes (ALWIL Software, avast! TDI Filter Driver)
0xF74EA000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xF75BA000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xF767A000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xF6A15000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xF758A000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xA6D9D000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xF750A000 PxHelp20.sys 36864 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0xF756A000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xACD17000 C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys 32768 bytes (ALWIL Software, avast! File System Access Blocking Driver)
0xF779A000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xF77A2000 C:\WINDOWS\system32\DRIVERS\usbccgp.sys 32768 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
0xF785A000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xF786A000 C:\WINDOWS\system32\DRIVERS\fdc.sys 28672 bytes (Microsoft Corporation, Floppy Disk Controller Driver)
0xF7862000 C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys 28672 bytes (GEAR Software Inc., CD/DVD Class Filter Driver)
0xF77AA000 C:\WINDOWS\system32\drivers\habu.sys 28672 bytes (Razer (Asia-Pacific) Pte Ltd, Diamondback USB Optical Mouse Driver)
0xF7782000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xF771A000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xF7872000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xF789A000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xACBDD000 C:\WINDOWS\system32\DRIVERS\purendis.sys 24576 bytes (Pure Networks, Inc., Pure Networks NDIS protocol driver)
0xABD3C000 C:\WINDOWS\System32\Drivers\TDTCP.SYS 24576 bytes (Microsoft Corporation, TCP Transport Driver)
0xF7852000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xF778A000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xF77BA000 C:\WINDOWS\System32\Drivers\Aavmker4.SYS 20480 bytes (ALWIL Software, avast! Base Kernel-Mode Device Driver for Windows NT/2000/XP)
0xF7772000 C:\WINDOWS\system32\DRIVERS\flpydisk.sys 20480 bytes (Microsoft Corporation, Floppy Driver)
0xF7792000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xF7722000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xF788A000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xF7892000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xF7882000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xF77DA000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xF6E15000 C:\WINDOWS\system32\DRIVERS\kbdhid.sys 16384 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xF7946000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xAA962000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xF6E1D000 C:\WINDOWS\system32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
0xAB0DE000 C:\WINDOWS\system32\DRIVERS\BdaSup.SYS 12288 bytes (Microsoft Corporation, Microsoft BDA Driver Support Library)
0xF78AA000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xF6235000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xF797A000 C:\WINDOWS\system32\DRIVERS\gameenum.sys 12288 bytes (Microsoft Corporation, Game Port Enumerator)
0xF717F000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xF717B000 C:\WINDOWS\system32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xF6E19000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xF7173000 C:\WINDOWS\system32\drivers\pfc.sys 12288 bytes (Padus, Inc., Padus® ASPI Shell)
0xF7996000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xF7187000 C:\WINDOWS\System32\drivers\ws2ifsl.sys 12288 bytes (Microsoft Corporation, Winsock2 IFS Layer)
0xF7A36000 C:\WINDOWS\System32\Drivers\avg7rsw.sys 8192 bytes (GRISOFT, s.r.o., AVG Resident Shield Unload Helper)
0xAA4EB000 C:\WINDOWS\System32\Drivers\avgtdi.sys 8192 bytes (GRISOFT, s.r.o., AVG Network connection watcher)
0xF7A30000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xF799E000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)
0xF7A2E000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xF799A000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xF7A32000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xF7A34000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xF7A28000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xF7A2A000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xF799C000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xF7BF0000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xF7BD8000 C:\WINDOWS\System32\Drivers\avgclean.sys 4096 bytes (GRISOFT, s.r.o., AVG7 Clean Driver)
0xF7BCF000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xF7BD7000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xF7A62000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
!!!!!!!!!!!Hidden driver: 0x86B2FAEA ?_empty_? 1302 bytes
!!!!!!!!!!!Hidden driver: 0x86A91D78 ?_empty_? 0 bytes
==============================================
>Stealth
==============================================
0xF72FD000 WARNING: suspicious driver modification [atapi.sys::0x86B2FAEA]
0x05D20000 Hidden Image-->CLI.Aspect.Radeon3D.Graphics.Wizard.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 102400 bytes
0x06790000 Hidden Image-->CLI.Component.Dashboard.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 1036288 bytes
0x06F90000 Hidden Image-->CLI.Aspect.OverDrive3.Graphics.Dashboard.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 1044480 bytes
0x01040000 Hidden Image-->MOM.Implementation.DLL [ EPROCESS 0x85094020 ] PID: 1444, 118784 bytes
0x03BC0000 Hidden Image-->MOM.Implementation.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 118784 bytes
0x056A0000 Hidden Image-->CLI.Aspect.VPURecover.Graphics.Dashboard.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 118784 bytes
0x069B0000 Hidden Image-->CLI.Aspect.DisplaysOptions.Graphics.Dashboard.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 126976 bytes
0x068D0000 Hidden Image-->CLI.Aspect.Welcome.Graphics.Dashboard.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 143360 bytes
0x05F00000 Hidden Image-->CLI.Aspect.DisplaysManager.Graphics.Wizard.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 1699840 bytes
0x05D60000 Hidden Image-->CLI.Aspect.InfoCentre.Graphics.Wizard.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 217088 bytes
0x06900000 Hidden Image-->CLI.Aspect.InfoCentre.Graphics.Dashboard.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 233472 bytes
0x04CB0000 Hidden Image-->CLI.Caste.Graphics.Runtime.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 274432 bytes
0x01210000 Hidden Image-->MOM.Foundation.DLL [ EPROCESS 0x85094020 ] PID: 1444, 28672 bytes
0x01430000 Hidden Image-->LOG.Foundation.Implementation.Private.DLL [ EPROCESS 0x85094020 ] PID: 1444, 28672 bytes
0x04E00000 Hidden Image-->DEM.Graphics.I0804.dll [ EPROCESS 0x850E3998 ] PID: 2024, 28672 bytes
0x01070000 Hidden Image-->MOM.Foundation.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 28672 bytes
0x010A0000 Hidden Image-->LOG.Foundation.Implementation.Private.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 28672 bytes
0x03C50000 Hidden Image-->LOCALIZATION.Foundation.Private.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 28672 bytes
0x03D20000 Hidden Image-->CLI.Component.Runtime.Shared.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 28672 bytes
0x03FF0000 Hidden Image-->AEM.Server.Shared.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 28672 bytes
0x04000000 Hidden Image-->AEM.Plugin.DPPE.Shared.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 28672 bytes
0x04620000 Hidden Image-->AEM.Plugin.Hotkeys.Shared.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 28672 bytes
0x04650000 Hidden Image-->AEM.Plugin.WinMessages.Shared.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 28672 bytes
0x04810000 Hidden Image-->DEM.Graphics.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 28672 bytes
0x04780000 Hidden Image-->DEM.Foundation.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 28672 bytes
0x04D30000 Hidden Image-->DEM.OS.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 28672 bytes
0x04D20000 Hidden Image-->DEM.OS.I0602.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 28672 bytes
0x04D50000 Hidden Image-->DEM.Graphics.I0709.dll [ EPROCESS 0x850E3998 ] PID: 2024, 28672 bytes
0x04DA0000 Hidden Image-->AEM.Plugin.GD.Shared.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 28672 bytes
0x04D80000 Hidden Image-->AEM.Actions.CCAA.Shared.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 28672 bytes
0x05000000 Hidden Image-->DEM.Graphics.I0805.dll [ EPROCESS 0x850E3998 ] PID: 2024, 28672 bytes
0x04F70000 Hidden Image-->CLI.Aspect.HotkeysHandling.Graphics.Shared.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 28672 bytes
0x04F60000 Hidden Image-->CLI.Aspect.HotkeysHandling.Graphics.Runtime.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 28672 bytes
0x04FA0000 Hidden Image-->CLI.Caste.Graphics.Runtime.Shared.Private.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 28672 bytes
0x05020000 Hidden Image-->DEM.Graphics.I0706.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 28672 bytes
0x051B0000 Hidden Image-->DEM.Graphics.I0712.dll [ EPROCESS 0x850E3998 ] PID: 2024, 28672 bytes
0x05200000 Hidden Image-->CLI.Aspect.VPURecover.Graphics.Shared.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 28672 bytes
0x054A0000 Hidden Image-->APM.Foundation.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 28672 bytes
0x056E0000 Hidden Image-->CLI.Component.Runtime.Extension.EEU.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 28672 bytes
0x05D10000 Hidden Image-->Branding.dll [ EPROCESS 0x850E3998 ] PID: 2024, 28672 bytes
0x05910000 Hidden Image-->AEM.Plugin.EEU.Shared.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 28672 bytes
0x05B50000 Hidden Image-->CLI.Component.Client.Shared.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 28672 bytes
0x05B30000 Hidden Image-->CLI.Component.Wizard.Shared.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 28672 bytes
0x05C80000 Hidden Image-->CLI.Caste.Graphics.Wizard.Shared.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 28672 bytes
0x05DB0000 Hidden Image-->atixclib.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 28672 bytes
0x05EF0000 Hidden Image-->CLI.Component.Dashboard.Shared.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 28672 bytes
0x06500000 Hidden Image-->CLI.Component.Dashboard.Shared.Private.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 28672 bytes
0x06890000 Hidden Image-->CLI.Caste.Graphics.Dashboard.Shared.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 28672 bytes
0x01450000 Hidden Image-->System.Runtime.Remoting.dll [ EPROCESS 0x85094020 ] PID: 1444, 307200 bytes
0x010E0000 Hidden Image-->System.Runtime.Remoting.dll [ EPROCESS 0x850E3998 ] PID: 2024, 307200 bytes
0x06BF0000 Hidden Image-->CLI.Aspect.Radeon3D.Graphics.Dashboard.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 364544 bytes
0x03AF0000 Hidden Image-->CCC.Implementation.DLL [ EPROCESS 0x85094020 ] PID: 1444, 36864 bytes
0x03B20000 Hidden Image-->NEWAEM.Foundation.DLL [ EPROCESS 0x85094020 ] PID: 1444, 36864 bytes
0x051F0000 Hidden Image-->CLI.Aspect.VPURecover.Graphics.Runtime.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 36864 bytes
0x01040000 Hidden Image-->CCC.Implementation.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 36864 bytes
0x03BF0000 Hidden Image-->CLI.Foundation.XManifest.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 36864 bytes
0x03C70000 Hidden Image-->AxInterop.WBOCXLib.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 36864 bytes
0x03E10000 Hidden Image-->Interop.WBOCXLib.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 36864 bytes
0x04010000 Hidden Image-->NEWAEM.Foundation.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 36864 bytes
0x03F90000 Hidden Image-->LOCALIZATION.Foundation.Implementation.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 36864 bytes
0x04D10000 Hidden Image-->ACE.Graphics.DisplaysManager.Shared.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 36864 bytes
0x04FD0000 Hidden Image-->CLI.Aspect.CustomFormats.Graphics.Shared.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 36864 bytes
0x05100000 Hidden Image-->CLI.Aspect.DisplaysOptions.Graphics.Shared.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 36864 bytes
0x050E0000 Hidden Image-->CLI.Aspect.DisplaysColour2.Graphics.Shared.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 36864 bytes
0x05170000 Hidden Image-->CLI.Aspect.DeviceLCD.Graphics.Shared.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 36864 bytes
0x05250000 Hidden Image-->CLI.Aspect.OverDrive3.Graphics.Shared.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 36864 bytes
0x05B70000 Hidden Image-->CLI.Component.Wizard.Shared.Private.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 36864 bytes
0x05E80000 Hidden Image-->CLI.Aspect.DeviceTV.Graphics.Wizard.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 372736 bytes
0x05AC0000 Hidden Image-->CLI.Component.Wizard.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 405504 bytes
0x05E10000 Hidden Image-->CLI.Aspect.MMVideo.Graphics.Wizard.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 413696 bytes
0x04820000 Hidden Image-->ATIDEMGX.dll [ EPROCESS 0x850E3998 ] PID: 2024, 438272 bytes
0x054C0000 Hidden Image-->CLI.Aspect.DeviceCRT.Graphics.Dashboard.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 446464 bytes
0x06940000 Hidden Image-->CLI.Aspect.DisplaysManager.Graphics.Dashboard.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 446464 bytes
0x01070000 Hidden Image-->LOG.Foundation.DLL [ EPROCESS 0x85094020 ] PID: 1444, 45056 bytes
0x010E0000 Hidden Image-->LOG.Foundation.Private.DLL [ EPROCESS 0x85094020 ] PID: 1444, 45056 bytes
0x01060000 Hidden Image-->LOG.Foundation.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 45056 bytes
0x01140000 Hidden Image-->LOG.Foundation.Private.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 45056 bytes
0x03D40000 Hidden Image-->ATICCCom.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 45056 bytes
0x04FE0000 Hidden Image-->CLI.Aspect.DeviceProperty.Graphics.Runtime.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 45056 bytes
0x05030000 Hidden Image-->CLI.Aspect.DeviceProperty.Graphics.Shared.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 45056 bytes
0x050F0000 Hidden Image-->CLI.Aspect.DisplaysOptions.Graphics.Runtime.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 45056 bytes
0x05160000 Hidden Image-->CLI.Aspect.DeviceLCD.Graphics.Runtime.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 45056 bytes
0x06B70000 Hidden Image-->CLI.Aspect.DeviceDFP.Graphics.Dashboard.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 462848 bytes
0x05920000 Hidden Image-->CLI.Component.Systemtray.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 487424 bytes
0x05C90000 Hidden Image-->CLI.Aspect.TransCode.Graphics.Wizard.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 495616 bytes
0x03CA0000 Hidden Image-->CLI.Component.Runtime.Shared.Private.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 53248 bytes
0x03CB0000 Hidden Image-->CLI.Foundation.Private.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 53248 bytes
0x03E00000 Hidden Image-->AEM.Server.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 53248 bytes
0x03FD0000 Hidden Image-->AEM.Plugin.Source.Kit.Server.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 53248 bytes
0x04770000 Hidden Image-->DEM.Graphics.I0601.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 53248 bytes
0x04FC0000 Hidden Image-->CLI.Aspect.DeviceCV.Graphics.Shared.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 53248 bytes
0x05040000 Hidden Image-->CLI.Aspect.DisplaysColour2.Graphics.Runtime.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 53248 bytes
0x05120000 Hidden Image-->CLI.Aspect.DeviceCRT.Graphics.Runtime.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 53248 bytes
0x059A0000 Hidden Image-->CLI.Component.Client.Shared.Private.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 53248 bytes
0x05B60000 Hidden Image-->CLI.Caste.Graphics.Wizard.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 53248 bytes
0x05D40000 Hidden Image-->CLI.Aspect.TransCode.Graphics.Shared.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 53248 bytes
0x06C50000 Hidden Image-->CLI.Aspect.DisplaysColour2.Graphics.Dashboard.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 602112 bytes
0x03BE0000 Hidden Image-->CLI.Component.SkinFactory.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 61440 bytes
0x04D00000 Hidden Image-->CLI.Caste.Graphics.Shared.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 61440 bytes
0x05130000 Hidden Image-->CLI.Aspect.DeviceCRT.Graphics.Shared.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 61440 bytes
0x051A0000 Hidden Image-->CLI.Aspect.DeviceDFP.Graphics.Shared.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 61440 bytes
0x052F0000 Hidden Image-->CLI.Aspect.Radeon3D.Graphics.Shared.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 61440 bytes
0x05350000 Hidden Image-->CLI.Aspect.MMVideo.Graphics.Shared.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 61440 bytes
0x055E0000 Hidden Image-->CLI.Aspect.DeviceCV.Graphics.Dashboard.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 684032 bytes
0x010F0000 Hidden Image-->LOG.Foundation.Implementation.DLL [ EPROCESS 0x85094020 ] PID: 1444, 69632 bytes
0x010B0000 Hidden Image-->LOG.Foundation.Implementation.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 69632 bytes
0x01080000 Hidden Image-->CLI.Foundation.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 69632 bytes
0x05180000 Hidden Image-->CLI.Aspect.DeviceDFP.Graphics.Runtime.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 69632 bytes
0x05230000 Hidden Image-->CLI.Aspect.OverDrive3.Graphics.Runtime.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 69632 bytes
0x052D0000 Hidden Image-->CLI.Aspect.Radeon3D.Graphics.Runtime.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 69632 bytes
0x05480000 Hidden Image-->APM.Server.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 69632 bytes
0x06530000 Hidden Image-->CLI.Aspect.DeviceCV.Graphics.Wizard.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 700416 bytes
0x03C80000 Hidden Image-->CLI.Component.Runtime.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 77824 bytes
0x04DB0000 Hidden Image-->ATIDEMOS.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 77824 bytes
0x04F80000 Hidden Image-->CLI.Aspect.DeviceCV.Graphics.Runtime.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 77824 bytes
0x050A0000 Hidden Image-->CLI.Aspect.DeviceTV.Graphics.Shared.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 77824 bytes
0x06AA0000 Hidden Image-->CLI.Aspect.DeviceTV.Graphics.Dashboard.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 806912 bytes
0x06DC0000 Hidden Image-->CLI.Aspect.MMVideo.Graphics.Dashboard.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 823296 bytes
0x05080000 Hidden Image-->CLI.Aspect.DeviceTV.Graphics.Runtime.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 86016 bytes
0x05330000 Hidden Image-->CLI.Aspect.MMVideo.Graphics.Runtime.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 86016 bytes
0x06510000 Hidden Image-->CLI.Caste.Graphics.Dashboard.DLL [ EPROCESS 0x850E3998 ] PID: 2024, 86016 bytes

Attached Files



#4 MalwareMutilator
  • Members
  • 931 posts
  • Gender:Male

Posted 16 July 2010 - 11:28 AM

Hi, thebeefychief,

I have completed the analysis of your log, and I have now compiled a pending repair for you. Please be advised, however, that I am currently a senior student in training at BC. Therefore, all of my repairs must be scrutinized by an authorized BC instructor prior to my postings. While there may possibly be a slight delay in our correspondences resultant of that, you will ultimately receive the benefit of two sets of eyes reviewing your log.

You will receive further instructions very shortly.

Regards,

MM

#5 thebeefychief
  • Topic Starter
  • Members
  • 18 posts
  • Gender:Male
  • Location:Canada

Posted 16 July 2010 - 12:33 PM

Hi,

My thanks to both of you for your time and expertise. I am eagerly awaiting instruction.

- Geoff

#6 MalwareMutilator
  • Members
  • 931 posts
  • Gender:Male

Posted 16 July 2010 - 03:32 PM

Hello thebeefychief,

My name is MalwareMutilator (MM for short). Welcome to Bleeping Computer.

I will be assisting you with the cleaning of your machine, so listed below is some preliminary information:

Please note that comments are made in green, links are in red, important things are outlined by using the blue color, and the numbered steps I would like you to follow are outlined with orange.

Please also take note of the following:
  • Perform all actions in the order given.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Continue following my instructions until you're given the all clear.
  • Remember, absence of symptoms does not mean the infection is all gone.
  • Don't attempt to clean your computer with any tools other than the ones I ask you to use during the cleanup process.
Now that I have explained the rules, let's begin the cleaning process. I strongly urge you to print out these instructions prior to continuing.


Backdoor Threat!

I'm sorry to say that your computer is infected with one or more backdoor trojans.
  • This means that sensitive information could have been stolen. I would advise changing the passwords for any accounts that you have accessed with the infected computer, using a clean computer, ASAP. If you have used this computer for banking, I would strongly suggest that you report the possibly stolen information. Please do not use the computer for any further transactions, or to enter any other information, if at all possible, until it is declared clean.

  • You may want to read this article on how to handle identity theft.

  • You may also want to read this article regarding preventing identity theft.

  • This computer can still be cleaned, however, I cannot guarantee that it will be 100% safe even after disinfection.

  • Please read When Should I Format, How Should I Reinstall.
I will proceed assuming you wish to disinfect. If you want to do a reinstall, reply back saying so.


Step #1

Remove one Antivirus program:

Your DDS log indicates that you are running both AVG and Avast antivirus programs. I do not recommend that you have more than one antivirus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other antivirus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
  • False Alarms: When the antivirus software tells you that your PC has a virus when it actually doesn't.

  • System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore, please go to Add/Remove in the Control Panel and remove either AVG or Avast.
Step #2

Download and run ComboFix:

Please download ComboFix from this location:
  • Please disable your antivirus protection program and any other AntiVirus and AntiSpyware applications that you may be running. Usually, a right click on the System Tray icon will allow you to do so. Running such protection may otherwise interfere with our tools. Click on this link to see a list of programs that should be disabled. The list is not all inclusive.

  • Double click on Combofix.exe and follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, its strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:/ComboFix.txt in your next reply.

Step #3

Run DDS:
  • Run a new scan with DDS.
  • Save the new DDS log as we will need it along with your next reply.
After completing all of the steps outlined above, please copy and paste the new DDS log, and the ComboFix.txt with your next reply.

Regards,

MalwareMutilator
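The checks a log reader applies by eye to the DDS and ComboFix logs in this thread can be written down and run over a whole log. Two of them stand out here: svchost.exe is only ever legitimately started as "svchost.exe -k <group>", never with another executable as its argument; and a service whose name is two legitimate service names glued together (HTTPFilter + lanmanserver, ehRecvr + ALG) and whose image is a short machine-generated file in system32 is a loader, not a Windows service. The following script is an added example, not part of the thread and not code from DDS or ComboFix. The KNOWN_SERVICES baseline is a hand-picked subset assumed for the example; the sample lines follow the formats of the logs posted in this thread.

```python
"""Triage helpers for DDS-style 'Running Processes' and 'SERVICES / DRIVERS' lines."""
import re

# Assumption: hand-picked subset of legitimate Windows XP service names for the
# example. Real triage would use a complete baseline taken from a clean machine.
KNOWN_SERVICES = sorted({
    "httpfilter", "lanmanserver", "ehrecvr", "alg", "ntmssvc", "dmserver",
    "wmdmpmsn", "nmservice", "windefend", "spooler", "ehsched", "wscsvc",
})

# DDS service line: "<state> <name>;<display name>;<image path> [<date size>]"
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")
# First drive-rooted path to an executable image in the remainder of the line
IMAGE_RE = re.compile(r"([a-z]:\\[^\[\]]*?\.(?:exe|sys|dll))", re.I)
# Running-process line: optional quotes, an image ending in .exe/.scr (or bare
# "svchost" as DDS prints it), then optional arguments
PROCESS_RE = re.compile(r'^"?(.*?(?:\.exe|\.scr|svchost))"?(?:\s+(.*))?$', re.I)
# Short machine-generated names such as 1054z.exe or 1037h.exe
RANDOM_NAME_RE = re.compile(r"^\d{3,5}[a-z]{1,2}\.exe$", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1]


def glued_service_name(name):
    """Return (first, second) when name is two known service names concatenated."""
    lowered = name.lower()
    for first in KNOWN_SERVICES:
        rest = lowered[len(first):]
        if lowered.startswith(first) and rest in KNOWN_SERVICES:
            return first, rest
    return None


def triage_process_line(line):
    """Findings for one 'Running Processes' line (empty list when nothing is odd)."""
    findings = []
    m = PROCESS_RE.match(line.strip())
    if not m:
        return findings
    image = basename(m.group(1)).lower()
    args = (m.group(2) or "").split()
    # svchost.exe hosts DLL services via "-k <group>"; an .exe argument is a loader trick.
    if image in ("svchost", "svchost.exe") and any(
        a.strip('"').lower().endswith(".exe") for a in args
    ):
        findings.append("svchost.exe started with an executable as its argument: " + " ".join(args))
    if RANDOM_NAME_RE.match(image):
        findings.append("random-looking image name: " + image)
    return findings


def triage_service_line(line):
    """Findings for one DDS 'SERVICES / DRIVERS' line."""
    findings = []
    m = SERVICE_RE.match(line.strip())
    if not m:
        return findings
    _state, name, _display, rest = m.groups()
    glued = glued_service_name(name)
    if glued:
        findings.append("service name %r is %r + %r glued together" % (name, glued[0], glued[1]))
    pm = IMAGE_RE.search(rest)
    if pm and RANDOM_NAME_RE.match(basename(pm.group(1))):
        findings.append("random-looking image name: " + basename(pm.group(1)).lower())
    return findings


def triage_log(lines):
    """Apply the matching check to each raw log line; returns [(line, finding), ...]."""
    out = []
    for line in lines:
        line = line.rstrip()
        hits = triage_service_line(line) if SERVICE_RE.match(line) else triage_process_line(line)
        out.extend((line, h) for h in hits)
    return out


# Sample lines in the formats used by the DDS logs posted in this thread.
SAMPLE_LINES = [
    r"C:\WINDOWS\system32\svchost -k DcomLaunch",
    r'svchost.exe "C:\WINDOWS\system32\1054z.exe"',
    r"C:\Program Files\Windows Defender\MsMpEng.exe",
    r"R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]",
    r"S2 HTTPFilterlanmanserver;HTTP SSL HTTPFilterlanmanserver;c:\windows\system32\1054z.exe srv --> c:\windows\system32\1054z.exe srv [?]",
]

if __name__ == "__main__":
    for line, finding in triage_log(SAMPLE_LINES):
        print("%-60.60s  %s" % (line, finding))
```

Run against the five sample lines, the script flags the svchost line that carries 1054z.exe as an argument and the HTTPFilterlanmanserver service twice (glued name, random image name), and stays silent on the DcomLaunch host and on Windows Defender. The name-gluing check is deliberately strict: it only fires when both halves are in the baseline, so a richer baseline catches more without adding noise.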



#7 thebeefychief
  • Topic Starter
  • Members
  • 18 posts
  • Gender:Male
  • Location:Canada

Posted 16 July 2010 - 06:28 PM

Hi MM,

I have completed your instructions and noticed improvement! Here are the logs you requested. Please let me know how to proceed. Thank you once again.

- Geoff


DDS (Ver_10-03-17.01) - NTFSx86
Run by Geoff at 19:09:53.71 on 16/07/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1006.532 [GMT -4:00]

AV: AVG 7.5.441 *On-access scanning disabled* (Outdated) {41564737-3200-1071-989B-0000E87B4FB1}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
svchost.exe "C:\WINDOWS\system32\1054z.exe"
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Razer\Habu\razerhid.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Razer\Habu\razertra.exe
C:\Program Files\Razer\Habu\razerofa.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Geoff\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: ZoneAlarm Spy Blocker: {f0d4b239-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\zonealarmsb\bar\1.bin\SPYBLOCK.DLL
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
mRun: [VX3000] c:\windows\vVX3000.exe
mRun: [Habu] c:\program files\razer\habu\razerhid.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [C-Media Mixer] Mixer.exe /startup
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [HitmanPro35] "c:\program files\hitman pro 3.5\HitmanPro35.exe" /scan:boot
dRun: [AVG7_Run] c:\progra~1\grisoft\avgfre~1\avgw.exe /RUNONCE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1208733307671
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\puresp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\geoff\applic~1\mozilla\firefox\profiles\nerhyu0h.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/firefox?client=firefox-a&rlz=1R0GGGL_en
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys [2006-12-31 4224]
R1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys [2006-12-31 3968]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-8-22 394952]
R2 Avg7Alrt;AVG7 Alert Manager Server;c:\progra~1\grisoft\avgfre~1\avgamsvr.exe [2006-12-31 353792]
R2 Avg7UpdSvc;AVG7 Update Service;c:\progra~1\grisoft\avgfre~1\avgupsvc.exe [2006-12-31 49664]
R2 AVGEMS;AVG E-mail Scanner;c:\progra~1\grisoft\avgfre~1\avgemc.exe [2006-12-31 324096]
R2 AvgTdi;AVG Network Redirector;c:\windows\system32\drivers\avgtdi.sys [2006-12-31 4960]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2006-12-31 839936]
S1 Avg7RsXP;AVG7 Resident Driver XP;c:\windows\system32\drivers\avg7rsxp.sys [2006-12-31 27776]
S2 HTTPFilterlanmanserver;HTTP SSL HTTPFilterlanmanserver;c:\windows\system32\1054z.exe srv --> c:\windows\system32\1054z.exe srv [?]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [2010-6-10 16968]
S3 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2008-8-22 127768]

=============== Created Last 30 ================

2010-07-16 22:56:52 32 ----a-w- c:\windows\system32\3466367831.dat
2010-07-16 22:34:00 0 d-sha-r- C:\cmdcons
2010-07-16 22:29:50 98816 ----a-w- c:\windows\sed.exe
2010-07-16 22:29:50 77312 ----a-w- c:\windows\MBR.exe
2010-07-16 22:29:50 256512 ----a-w- c:\windows\PEV.exe
2010-07-16 22:29:50 161792 ----a-w- c:\windows\SWREG.exe
2010-07-13 03:42:04 0 ----a-w- c:\windows\vnlfw30fblb73n0z23xkflkr.ini
2010-07-13 01:51:08 1648 ----a-w- c:\windows\system32\d3d8caps.dat
2010-07-13 01:01:58 11264 ----a-w- c:\windows\DCEBoot.exe
2010-07-13 00:54:33 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-06-24 23:19:29 20 ----a-w- c:\documents and settings\geoff\defogger_reenable
2010-06-18 17:44:09 910 ----a-w- c:\windows\system32\.crusader

==================== Find3M ====================

2010-07-16 22:49:16 578560 ----a-w- c:\windows\system32\user32.dll
2010-07-15 01:21:13 1984 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-24 22:58:59 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-05-12 15:21:16 221568 ------w- c:\windows\system32\MpSigStub.exe
2004-03-11 21:27:22 40960 ----a-w- c:\program files\Uninstall_CDS.exe
2010-03-13 16:52:20 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012010031320100314\index.dat
2008-09-30 04:37:55 8996896 --sha-w- c:\windows\system32\drivers\fidbox.dat

============= FINISH: 19:10:03.32 ===============



ComboFix 10-07-15.05 - Geoff 16/07/2010 18:41:08.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1006.483 [GMT -4:00]
Running from: c:\documents and settings\Geoff\Desktop\ComboFix.exe
AV: AVG 7.5.441 *On-access scanning disabled* (Outdated) {41564737-3200-1071-989B-0000E87B4FB1}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\confin.sys
c:\documents and settings\All Users\Application Data\sysReserve.ini
c:\documents and settings\Geoff\Application Data\avdrn.dat
c:\documents and settings\Geoff\delself.bat
c:\documents and settings\Geoff\Local Settings\Application Data\vxfxrbrmi
c:\documents and settings\Geoff\Local Settings\Application Data\vxfxrbrmi\tfvtllitssd.exe
c:\documents and settings\Geoff\Start Menu\Programs\Startup\wwwxbv32.exe
c:\documents and settings\NetworkService\Local Settings\Application Data\axqthifio
c:\documents and settings\NetworkService\Local Settings\Application Data\axqthifio\xtrepvytssd.exe
c:\documents and settings\NetworkService\Local Settings\Application Data\dvfyriibk
c:\documents and settings\NetworkService\Local Settings\Application Data\dvfyriibk\pppmomdtssd.exe
c:\documents and settings\NetworkService\Local Settings\Application Data\hwggyqrma
c:\documents and settings\NetworkService\Local Settings\Application Data\hwggyqrma\efnpaabtssd.exe
c:\documents and settings\NetworkService\Local Settings\Application Data\jmdoxddmy
c:\documents and settings\NetworkService\Local Settings\Application Data\jmdoxddmy\uoirbritssd.exe
c:\documents and settings\NetworkService\Local Settings\Application Data\oifmterfo
c:\documents and settings\NetworkService\Local Settings\Application Data\oifmterfo\qhpwiwqtssd.exe
c:\documents and settings\NetworkService\Local Settings\Application Data\oowttbpwf
c:\documents and settings\NetworkService\Local Settings\Application Data\oowttbpwf\pogfwdrtssd.exe
c:\documents and settings\NetworkService\Local Settings\Application Data\pioobnhon
c:\documents and settings\NetworkService\Local Settings\Application Data\pioobnhon\hkykbiltssd.exe
c:\documents and settings\NetworkService\Local Settings\Application Data\qtyuwpsdd
c:\documents and settings\NetworkService\Local Settings\Application Data\qtyuwpsdd\cklkifttssd.exe
c:\program files\Internet Explorer\rasadhlp.dll
c:\program files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}
c:\program files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\chrome.manifest
c:\program files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul
c:\program files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\install.rdf
c:\program files\Mozilla Firefox\rasadhlp.dll
c:\program files\Outlook Express\rasadhlp.dll
c:\windows\inf\vvt.pnf
c:\windows\system32\1037h.exe
c:\windows\system32\a3dw.exe
c:\windows\system32\adsldpcd.exe
c:\windows\system32\akttzn.exe
c:\windows\system32\anticipator.dll
c:\windows\system32\awtoolb.dll
c:\windows\system32\bdn.com
c:\windows\system32\bsva-egihsg52.exe
c:\windows\system32\cooper.mine
c:\windows\system32\dpcproxy.exe
c:\windows\system32\E1N61QXT.exe.a_a
c:\windows\system32\emesx.dll
c:\windows\system32\h7t.wt
c:\windows\system32\hgtd.ruy
c:\windows\system32\hoproxy.dll
c:\windows\system32\hxiwlgpm.dat
c:\windows\system32\hxiwlgpm.exe
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\medup012.dll
c:\windows\system32\msgp.exe
c:\windows\system32\msnbho.dll
c:\windows\system32\mssecu.exe
c:\windows\system32\msvchost.exe
c:\windows\system32\mtr2.exe
c:\windows\system32\mwin32.exe
c:\windows\system32\netode.exe
c:\windows\system32\newsd32.exe
c:\windows\system32\ps1.exe
c:\windows\system32\psof1.exe
c:\windows\system32\psoft1.exe
c:\windows\system32\regc64.dll
c:\windows\system32\regm64.dll
c:\windows\system32\rPcrv5MJ.exe.a_a
c:\windows\system32\Rundl1.exe
c:\windows\system32\sdra64.exe
c:\windows\system32\smp
c:\windows\system32\smp\msrc.exe
c:\windows\system32\sncntr.exe
c:\windows\system32\ssurf022.dll
c:\windows\system32\ssvchost.com
c:\windows\system32\ssvchost.exe
c:\windows\system32\sysreq.exe
c:\windows\system32\taack.dat
c:\windows\system32\taack.exe
c:\windows\system32\temp#01.exe
c:\windows\system32\Thumbs.db
c:\windows\system32\thun.dll
c:\windows\system32\thun32.dll
c:\windows\system32\VBIEWER.OCX
c:\windows\system32\vbsys2.dll
c:\windows\system32\vcatchpi.dll
c:\windows\system32\winlogonpc.exe
c:\windows\system32\winsystem.exe
c:\windows\system32\WINWGPX.EXE
c:\windows\system32\3466367831.dat . . . . failed to delete

Infected copy of c:\windows\system32\drivers\i8042prt.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_EHRECVRALG
-------\Legacy_NMSERVICENTMSSVC
-------\Legacy_WMDMPMSNDMSERVER
-------\Service_ehRecvrALG
-------\Service_nmserviceNtmsSvc
-------\Service_WmdmPmSNdmserver


((((((((((((((((((((((((( Files Created from 2010-06-16 to 2010-07-16 )))))))))))))))))))))))))))))))
.

2010-07-16 22:56 . 2010-07-16 22:56 32 ----a-w- c:\windows\system32\3466367831.dat
2010-07-13 01:51 . 2010-07-13 15:25 1648 ----a-w- c:\windows\system32\d3d8caps.dat
2010-07-13 01:01 . 2010-07-13 01:01 11264 ----a-w- c:\windows\DCEBoot.exe
2010-07-13 00:54 . 2009-05-07 07:04 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-06-17 02:11 . 2010-06-17 02:11 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-16 22:49 . 2004-01-03 01:28 578560 ----a-w- c:\windows\system32\user32.dll
2010-07-16 22:39 . 2008-08-30 16:47 34052242 ----a-w- c:\windows\Internet Logs\tvDebug.zip
2010-07-16 21:58 . 2008-08-20 04:33 -------- d-----w- c:\program files\Avast4
2010-07-16 19:19 . 2007-01-02 04:07 -------- d-----w- c:\program files\Steam
2010-07-15 01:21 . 2009-09-28 05:51 1984 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-13 01:04 . 2010-07-13 01:04 8 ----a-w- c:\documents and settings\LocalService\Application Data\vdnxlf.dat
2010-07-13 00:39 . 2010-07-13 00:40 2313216 ----a-w- c:\windows\Internet Logs\xDB25.tmp
2010-07-12 23:59 . 2010-07-12 23:59 8 ----a-w- c:\windows\system32\config\systemprofile\Application Data\vdnxlf.dat
2010-07-11 01:36 . 2010-07-11 01:38 2309632 ----a-w- c:\windows\Internet Logs\xDB24.tmp
2010-07-11 01:36 . 2010-07-11 01:38 1487872 ----a-w- c:\windows\Internet Logs\xDB23.tmp
2010-06-24 22:58 . 2010-06-24 23:00 23552 ----a-w- c:\windows\Internet Logs\xDB21.tmp
2010-06-24 22:58 . 2010-06-10 18:34 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-06-24 22:58 . 2010-06-24 23:00 2265088 ----a-w- c:\windows\Internet Logs\xDB22.tmp
2010-06-24 22:55 . 2010-06-24 22:56 574976 ----a-w- c:\windows\Internet Logs\xDB1F.tmp
2010-06-24 22:55 . 2010-06-24 22:56 2264576 ----a-w- c:\windows\Internet Logs\xDB20.tmp
2010-06-22 02:28 . 2010-06-22 02:29 2252800 ----a-w- c:\windows\Internet Logs\xDB1E.tmp
2010-06-22 02:28 . 2010-06-22 02:29 2879488 ----a-w- c:\windows\Internet Logs\xDB1D.tmp
2010-06-10 18:40 . 2010-06-10 18:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-06-10 18:33 . 2010-06-10 18:33 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-06-10 18:33 . 2007-01-03 16:35 -------- d-----w- c:\documents and settings\Geoff\Application Data\U3
2010-06-10 18:12 . 2004-01-03 02:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-06-05 19:01 . 2007-01-01 03:57 -------- d-----w- c:\documents and settings\Geoff\Application Data\AVG7
2010-05-20 05:16 . 2010-05-20 11:17 2642432 ----a-w- c:\windows\Internet Logs\xDB1C.tmp
2010-05-12 15:21 . 2010-03-12 11:45 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-04-22 04:43 . 2010-04-22 05:12 2771456 ----a-w- c:\windows\Internet Logs\xDB1B.tmp
2004-03-11 21:27 . 2004-01-03 02:50 40960 ----a-w- c:\program files\Uninstall_CDS.exe
2008-09-30 04:37 . 2008-08-22 04:23 8996896 --sha-w- c:\windows\system32\drivers\fidbox.dat
.
Infected c:\windows\system32\user32.dll hex repaired


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-01-13 275800]
"VX3000"="c:\windows\vVX3000.exe" [2006-12-05 707360]
"Habu"="c:\program files\Razer\Habu\razerhid.exe" [2007-05-11 176128]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-01 61440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-29 136600]
"C-Media Mixer"="Mixer.exe" [2002-10-15 1818624]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-06-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 81920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-25 282624]
"HitmanPro35"="c:\program files\Hitman Pro 3.5\HitmanPro35.exe" [2010-06-24 6110528]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVGFRE~1\avgw.exe" [2007-02-14 145920]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= c:\documents and settings\Geoff\Desktop\KW & TO\Pictures\Campin 2008\IMG_1517.JPG
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
Source= c:\documents and settings\Geoff\Desktop\wp_Final_Fantasy_VII_1024x768.jpg
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
Source= c:\documents and settings\Geoff\My Documents\My Pictures\Armyofanyonedesktop.jpg
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\3]
Source= c:\documents and settings\Geoff\My Documents\My Pictures\dexter2_wall_04_1280x1024.JPG
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\4]
Source= c:\documents and settings\Geoff\My Documents\My Pictures\Killbillwall2.JPG
FriendlyName=

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Geoff^Start Menu^Programs^Startup^Palm Registration.lnk]
path=c:\documents and settings\Geoff\Start Menu\Programs\Startup\Palm Registration.lnk
backup=c:\windows\pss\Palm Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2006-02-19 06:41 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2006-10-30 14:36 256576 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2006-10-25 23:58 282624 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SsAAD.exe]
2006-11-02 18:43 472632 ----a-w- c:\progra~1\Sony\SONICS~1\SSAAD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"=
"c:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"=
"c:\\Program Files\\Steam\\steamapps\\thebeefychief\\counter-strike\\hl.exe"=
"c:\\Program Files\\BitLord\\BitLord.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Steam\\steamapps\\arckanik@hotmail.com\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Steam\\steam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Sierra\\Half-Life\\hlds.exe"=
"c:\\CS-Source_Server\\CS-Source_Server\\srcds.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Steam\\steamapps\\beefychief\\counter-strike source\\hl2.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 8:19 PM 13592]
S2 HTTPFilterlanmanserver;HTTP SSL HTTPFilterlanmanserver;c:\windows\system32\1054z.exe srv --> c:\windows\system32\1054z.exe srv [?]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [10/06/2010 2:34 PM 16968]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [28/04/2008 11:50 AM 717296]
.
Contents of the 'Scheduled Tasks' folder

2010-06-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 22:13]

2010-07-16 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Geoff\Application Data\Mozilla\Firefox\Profiles\nerhyu0h.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/firefox?client=firefox-a&rlz=1R0GGGL_en
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPZoneSB.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
- - - - ORPHANS REMOVED - - - -

Toolbar-SITEguard - (no file)
HKCU-Run-PowerBar - (no file)
HKLM-Run-fvdqgjsc - c:\documents and settings\Geoff\Local Settings\Application Data\vxfxrbrmi\tfvtllitssd.exe
HKU-Default-Run-fvdqgjsc - c:\documents and settings\Geoff\Local Settings\Application Data\vxfxrbrmi\tfvtllitssd.exe
MSConfigStartUp-brastk - c:\windows\system32\brastk.exe
MSConfigStartUp-MsnMsgr - c:\program files\MSN Messenger\MsnMsgr.Exe
MSConfigStartUp-shmoncom - c:\windows\system32\ovglsvyx.exe
AddRemove-Resistance And Liberation - c:\program files\steam\SteamApps\SourceMods\uninst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-16 18:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
PowerBar = ????<???D??sh??????w????h???Z??w(???*??wt?@?l?@???f???????????????????????????2????????????????????w????g??w0??w????*??w???w????D??s??-????????w????l?@????????w????t?@???c?????????l?@?l?@????????w????t?@?????l?@?8?@?l?@?3??s????????????????????8?@?_??s8?@?8?@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(756)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3456)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\progra~1\Grisoft\AVGFRE~1\avgamsvr.exe
c:\progra~1\Grisoft\AVGFRE~1\avgupsvc.exe
c:\progra~1\Grisoft\AVGFRE~1\avgemc.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft LifeCam\MSCamS32.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Pure Networks\Network Magic\nmsrvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\Mixer.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Razer\Habu\razertra.exe
c:\program files\Razer\Habu\razerofa.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
.
**************************************************************************
.
Completion time: 2010-07-16 19:06:03 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-16 23:06

Pre-Run: 5,472,718,848 bytes free
Post-Run: 15,551,889,408 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - 17E03777872FB5A21E63FC62D9143337


#8 MalwareMutilator
  • Members
  • 931 posts
  • Gender:Male
  • Local time:11:45 AM

Posted 17 July 2010 - 10:27 AM

Hi, thebeefychief,

We've made considerable progress to this point, so I ask that you remain patient for just a bit longer. As soon as an authorized BC instructor reviews my current fixes regarding your logs, I will post my next set of instructions.

Regards,

MM

#9 thebeefychief
  • Topic Starter
  • Members
  • 18 posts
  • Gender:Male
  • Location:Canada
  • Local time:12:45 PM

Posted 17 July 2010 - 08:29 PM

Hey MM,

That sounds great! I'll check back for further instructions. You're the man/woman!

- Geoff

#10 MalwareMutilator
  • Members
  • 931 posts
  • Gender:Male
  • Local time:11:45 AM

Posted 18 July 2010 - 06:24 AM

Hello thebeefychief,

ComboFix removed the majority of the infections from your computer; however, we still have some cleaning to do. Please proceed as follows:

Step #1

Update Antivirus:

Your DDS log indicates that your current version of AVG Antivirus is far outdated. Please visit AVG and update your antivirus to the latest version.

Step #2

Download OTL:
  • Please download OTL from here.

  • Save it to your desktop.
Step #3

OTL Custom Scan:

We need to run an OTL Custom Scan.
  • Please reopen on your desktop.

  • Copy and Paste the following code into the textbox. Do not include the word "Code"


    CODE
    :FILES

    c:\windows\Internet Logs\xDB*.tmp
    c:\windows\system32\3466367831.dat
    c:\windows\vnlfw30fblb73n0z23xkflkr.ini
    c:\windows\system32\1054z.exe

    :services

    HTTPFilterlanmanserver

    :Commands
    [EMPTYTEMP]
    [EMPTYFLASH]

  • Push

  • A report will open. Copy and Paste that report in your next reply.
Step #4

Scan with MalwareBytes':

Please download Malwarebytes Anti-Malware (v1.46) and save it to your desktop.

alternate download link:

If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:

    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware

  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.

  • Press the OK button to close that box and continue.

  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and Scan in progress will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say The scan completed successfully. Click 'Show Results' to display all objects found.
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Whether or not you are prompted to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

Step #5

Scan with ESET:

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window: ESET OnlineScan

  • Click the button.

  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on to download the ESET Smart Installer. Save it to your desktop.

    • Double click on the icon on your Desktop.
  • Check

  • Click the button.

  • Accept any security warnings from your browser.

  • Check

  • Push the Start button.

  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.

  • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.

  • Push the button.

  • Push

After you have completed all of the above steps, please furnish the OTL log, the MBAM log, and the ESET log.

Regards,

MM

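As an added example (not part of this thread, and not OTL's or the helper's own code), here is a small Python triage script that parses OTL "SRV -" service lines like the ones in the log posted in this thread and flags the indicators the fix above acts on: a binary with no publisher information in the Windows directory, a service name that borrows a built-in name (HTTPFilterlanmanserver), and a mostly numeric file name (1054z.exe). The sample lines are copied from the thread's OTL log; the list of built-in service names is a constructed, partial one.

```python
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# Constructed sample in the layout OTL prints for services: the first line is the
# "File not found" variant, the other three are copied from the OTL log in this thread.
SAMPLE_OTL_LINES = r"""
SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
SRV - [2010/07/18 14:56:41 | 000,308,136 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgwdsvc.exe -- (avg9wd)
SRV - [2008/04/13 20:12:36 | 000,099,840 | --S- | M] () [Auto | Stopped] -- C:\WINDOWS\System32\1054z.exe -- (HTTPFilterlanmanserver)
SRV - [2006/11/03 20:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend)
""".strip().splitlines()

# One OTL service line is either
#   "SRV - [date | size | attrs | M] (Company) [Start | State] -- path -- (ServiceName)"
# or, for a registered service whose binary is gone,
#   "SRV - File not found [Start | State] -- path -- (ServiceName)".
SRV_RE = re.compile(
    r"^SRV - (?:(?P<missing>File not found)|\[(?P<meta>[^\]]*)\] \((?P<company>.*?)\))"
    r" \[(?P<start>[^\]|]+) \| (?P<state>[^\]]+)\] -- (?P<path>.+?) -- \((?P<name>[^)]+)\)$"
)

# Built-in Windows XP service names that malware likes to borrow (constructed, partial list;
# kept as a tuple so the first match is deterministic).
BUILTIN_SERVICE_NAMES = ("httpfilter", "lanmanserver", "lanmanworkstation",
                         "windefend", "wuauserv", "dhcp", "dnscache")
WINDOWS_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\")


@dataclass
class ServiceEntry:
    name: str
    path: str
    company: str
    start: str
    state: str
    missing: bool
    reasons: list = field(default_factory=list)


def parse_srv_line(line: str):
    """Parse one OTL SRV line into a ServiceEntry, or return None for anything else."""
    m = SRV_RE.match(line.strip())
    if not m:
        return None
    return ServiceEntry(
        name=m["name"], path=m["path"], company=(m["company"] or "").strip(),
        start=m["start"], state=m["state"], missing=m["missing"] is not None,
    )


def borrowed_builtin_name(service_name: str):
    """Return the built-in name this service borrows, or None if the name is exact or unrelated."""
    lowered = service_name.lower()
    if lowered in BUILTIN_SERVICE_NAMES:
        return None  # the genuine built-in service
    return next((b for b in BUILTIN_SERVICE_NAMES if b in lowered), None)


def triage(entry: ServiceEntry) -> ServiceEntry:
    """Attach human-readable reasons why this service line deserves a closer look."""
    path_l = entry.path.lower()
    stem = PureWindowsPath(entry.path).stem
    if entry.missing:
        entry.reasons.append("orphan: service registered but its binary is missing")
        return entry
    if not entry.company and path_l.startswith(WINDOWS_DIRS):
        entry.reasons.append("no publisher/version info on a binary in the Windows directory")
    borrowed = borrowed_builtin_name(entry.name)
    if borrowed:
        entry.reasons.append(f"name borrows built-in service '{borrowed}' but is not that service")
    digits = sum(c.isdigit() for c in stem)
    if stem and digits / len(stem) >= 0.5:
        entry.reasons.append("file name is mostly digits (looks machine-generated)")
    return entry


def triage_log(lines):
    """Parse every SRV line and return the entries that picked up at least one reason."""
    flagged = []
    for line in lines:
        entry = parse_srv_line(line)
        if entry is not None and triage(entry).reasons:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in triage_log(SAMPLE_OTL_LINES):
        print(f"{e.name} [{e.start} | {e.state}]: {e.path}")
        for r in e.reasons:
            print(f"    - {r}")
```

Running it over the sample flags HidServ as an orphan and HTTPFilterlanmanserver with all three reasons, while the AVG and Windows Defender services pass.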


#11 thebeefychief
  • Topic Starter
  • Members
  • 18 posts
  • Gender:Male
  • Location:Canada
  • Local time:12:45 PM

Posted 18 July 2010 - 05:41 PM

Hi MM,

I followed your instructions, but unfortunately I did not see an option to save my log for the ESET scan. Perhaps I missed it or maybe clicked past it, but I don't have a copy. The scan did find 44 infected files and cleaned them all. Here are the logs from the other two scans.

Thanks,

Geoff

OTL logfile created on: 18/07/2010 3:11:43 PM - Run 1
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Documents and Settings\Geoff\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

1,006.00 Mb Total Physical Memory | 365.00 Mb Available Physical Memory | 36.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 77.00% Paging File free
Paging file location(s): C:\pagefile.sys 1512 3024 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 232.88 Gb Total Space | 13.74 Gb Free Space | 5.90% Space Free | Partition Type: NTFS
Drive D: | 7.60 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: THEBEEFYCHIEF
Current User Name: Geoff
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/07/18 15:08:18 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Geoff\Desktop\OTL.exe
PRC - [2010/07/18 14:57:21 | 001,101,152 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgchsvx.exe
PRC - [2010/07/18 14:57:21 | 000,620,896 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgnsx.exe
PRC - [2010/07/18 14:57:20 | 000,515,424 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgrsx.exe
PRC - [2010/07/18 14:57:17 | 000,723,296 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgcsrvx.exe
PRC - [2010/07/18 14:57:04 | 002,065,760 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgtray.exe
PRC - [2010/07/18 14:56:41 | 000,308,136 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe
PRC - [2010/03/30 18:08:39 | 000,307,672 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2008/07/09 09:05:20 | 000,919,016 | ---- | M] (Zone Labs, LLC) -- C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
PRC - [2008/07/09 09:05:18 | 000,075,304 | ---- | M] (Zone Labs, LLC) -- C:\WINDOWS\system32\ZoneLabs\vsmon.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/05/11 12:58:54 | 000,176,128 | ---- | M] () -- C:\Program Files\Razer\Habu\razerhid.exe
PRC - [2007/01/04 18:13:54 | 000,240,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft LifeCam\MSCamS32.exe
PRC - [2006/12/05 19:38:58 | 000,707,360 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\vVX3000.exe
PRC - [2006/08/07 18:00:28 | 000,163,840 | ---- | M] (Razer Inc.) -- C:\Program Files\Razer\Habu\razerofa.exe
PRC - [2006/08/07 18:00:24 | 000,143,360 | ---- | M] () -- C:\Program Files\Razer\Habu\razertra.exe
PRC - [2006/04/11 22:36:27 | 000,239,184 | ---- | M] (Pure Networks, Inc.) -- C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
PRC - [2005/11/22 21:58:48 | 000,069,632 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe
PRC - [2004/06/16 06:03:04 | 000,081,920 | ---- | M] (InstallShield Software Corporation) -- C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
PRC - [2002/10/15 18:00:20 | 001,818,624 | ---- | M] (C-Media Electronic Inc. (www.cmedia.com.tw)) -- C:\WINDOWS\mixer.exe


========== Modules (SafeList) ==========

MOD - [2010/07/18 15:08:18 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Geoff\Desktop\OTL.exe
MOD - [2008/04/13 20:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
SRV - [2010/07/18 14:56:41 | 000,308,136 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgwdsvc.exe -- (avg9wd)
SRV - [2008/07/09 09:05:18 | 000,075,304 | ---- | M] (Zone Labs, LLC) [Auto | Running] -- C:\WINDOWS\System32\ZoneLabs\vsmon.exe -- (vsmon)
SRV - [2008/04/13 20:12:36 | 000,099,840 | --S- | M] () [Auto | Stopped] -- C:\WINDOWS\System32\1054z.exe -- (HTTPFilterlanmanserver)
SRV - [2007/01/04 18:13:54 | 000,240,408 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft LifeCam\MSCamS32.exe -- (MSCamSvc)
SRV - [2006/11/03 20:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend)
SRV - [2006/10/04 19:25:00 | 000,057,344 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe -- (MSCSPTISRV)
SRV - [2006/10/04 19:15:30 | 000,057,344 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe -- (PACSPTISVR)
SRV - [2006/10/04 19:06:58 | 000,069,632 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe -- (SPTISRV)
SRV - [2006/04/11 22:36:27 | 000,239,184 | ---- | M] (Pure Networks, Inc.) [Auto | Running] -- C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe -- (nmservice)
SRV - [2006/01/25 16:59:17 | 000,012,800 | ---- | M] (Pure Networks, Inc.) [On_Demand | Stopped] -- C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe -- (nmraapache)
SRV - [2005/11/22 21:58:48 | 000,069,632 | ---- | M] (HP) [Auto | Running] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007\Sandra.sys -- (SANDRA)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\Geoff\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - [2010/07/18 14:58:14 | 000,243,024 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgtdix.sys -- (AvgTdiX)
DRV - [2010/07/18 14:58:07 | 000,216,400 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgldx86.sys -- (AvgLdx86)
DRV - [2010/07/18 14:58:07 | 000,029,584 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\avgmfx86.sys -- (AvgMfx86)
DRV - [2010/06/24 18:58:59 | 000,016,968 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hitmanpro35.sys -- (hitmanpro35)
DRV - [2008/08/21 00:52:41 | 003,299,840 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2008/07/09 09:05:22 | 000,394,952 | ---- | M] (Zone Labs, LLC) [Kernel | System | Running] -- C:\WINDOWS\system32\vsdatant.sys -- (vsdatant)
DRV - [2008/05/14 21:24:32 | 000,171,520 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\atinavt2.sys -- (ATIAVAIW)
DRV - [2008/04/28 11:50:41 | 000,717,296 | ---- | M] (Duplex Secure Ltd.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)
DRV - [2008/04/13 14:46:22 | 000,015,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mpe.sys -- (MPE)
DRV - [2008/04/13 14:45:29 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2008/04/13 14:45:12 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\usbaudio.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/04/13 12:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008/04/02 18:00:10 | 000,016,694 | ---- | M] (PalmSource, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PalmUSBD.sys -- (PalmUSBD)
DRV - [2008/02/27 03:10:44 | 000,051,176 | ---- | M] (Zone Labs, LLC) [Kernel | Boot | Running] -- C:\WINDOWS\system32\ZoneLabs\srescan.sys -- (srescan)
DRV - [2007/07/19 15:10:28 | 000,127,768 | ---- | M] (Kaspersky Lab) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\klif.sys -- (KLIF)
DRV - [2007/06/18 21:18:26 | 000,023,680 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\motmodem.sys -- (motmodem)
DRV - [2007/04/03 14:59:42 | 000,099,080 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s616unic.sys -- (s616unic) Sony Ericsson Device 616 USB Ethernet Emulation SEMC616 (WDM)
DRV - [2007/04/03 14:59:42 | 000,098,568 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s616obex.sys -- (s616obex)
DRV - [2007/04/03 14:59:42 | 000,023,176 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s616nd5.sys -- (s616nd5) Sony Ericsson Device 616 USB Ethernet Emulation SEMC616 (NDIS)
DRV - [2007/04/03 14:59:40 | 000,100,360 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s616mgmt.sys -- (s616mgmt) Sony Ericsson Device 616 USB WMC Device Management Drivers (WDM)
DRV - [2007/04/03 14:59:38 | 000,108,680 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s616mdm.sys -- (s616mdm)
DRV - [2007/04/03 14:59:36 | 000,015,112 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s616mdfl.sys -- (s616mdfl)
DRV - [2007/04/03 14:59:30 | 000,083,208 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s616bus.sys -- (s616bus) Sony Ericsson Device 616 driver (WDM)
DRV - [2006/12/05 19:39:13 | 001,964,064 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\VX3000.sys -- (VX3000)
DRV - [2006/10/23 13:09:48 | 000,027,776 | ---- | M] (Razer (Asia-Pacific) Pte Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\habu.sys -- (HabuFltr)
DRV - [2006/08/17 14:15:00 | 000,034,064 | ---- | M] (Your Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Invoker.sys -- (Invoker)
DRV - [2006/08/17 14:15:00 | 000,033,148 | ---- | M] (Your Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\FlexBios.sys -- (FlexBios)
DRV - [2006/06/05 09:49:08 | 000,230,400 | R--- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\e1e5132.sys -- (e1express) Intel®
DRV - [2006/06/05 07:39:56 | 000,024,064 | ---- | M] (Intel Corporation ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\iqvw32.sys -- (NAL)
DRV - [2006/06/01 08:43:56 | 000,043,264 | R--- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HECI.sys -- (HECI) Intel®
DRV - [2006/05/26 03:59:12 | 001,177,032 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2006/04/11 23:24:52 | 000,027,088 | ---- | M] (Pure Networks, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\purendis.sys -- (purendis)
DRV - [2005/12/02 13:38:04 | 000,041,728 | ---- | M] (Sonic Focus, Inc) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sfng32.sys -- (sfng32)
DRV - [2003/12/05 05:46:36 | 000,010,368 | ---- | M] (Padus, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pfc.sys -- (pfc)
DRV - [2002/11/18 15:51:40 | 000,377,358 | ---- | M] (C-Media Inc) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\cmaudio.sys -- (cmpci) C-Media PCI Audio Driver (WDM)
DRV - [2002/08/08 16:51:32 | 000,038,951 | ---- | M] (Sony Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\NETMDUSB.sys -- (NETMDUSB)
DRV - [2001/08/23 15:00:00 | 000,022,400 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SbcpHid.sys -- (SbcpHid)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Google"
FF - prefs.js..browser.search.defaulturl: "http://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q="
FF - prefs.js..browser.startup.homepage: "http://www.google.ca/firefox?client=firefox-a&rlz=1R0GGGL_en"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:9.0.0.825


FF - HKLM\software\mozilla\Firefox\extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG9\Firefox [2010/07/18 14:56:32 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.19\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/03/30 23:20:08 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.19\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/03/30 18:08:46 | 000,000,000 | ---D | M]

[2008/08/26 21:10:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Geoff\Application Data\Mozilla\Extensions
[2010/07/18 15:02:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Geoff\Application Data\Mozilla\Firefox\Profiles\nerhyu0h.default\extensions
[2010/03/12 08:08:45 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Geoff\Application Data\Mozilla\Firefox\Profiles\nerhyu0h.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/04/29 01:36:35 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Documents and Settings\Geoff\Application Data\Mozilla\Firefox\Profiles\nerhyu0h.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2007/07/31 22:04:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Geoff\Application Data\Mozilla\Firefox\Profiles\nerhyu0h.default\extensions\TFToolbarX@torrent-finder
[2008/04/28 12:08:50 | 000,002,921 | ---- | M] () -- C:\Documents and Settings\Geoff\Application Data\Mozilla\Firefox\Profiles\nerhyu0h.default\searchplugins\daemon-search.xml
[2010/07/18 15:02:28 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2007/10/28 17:45:11 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Program Files\Mozilla Firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2008/12/30 13:51:52 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\proxy@hide-my-ip.com
[2008/08/22 00:21:52 | 000,024,673 | ---- | M] (Check Point Software Technologies Ltd.) -- C:\Program Files\Mozilla Firefox\plugins\NPZoneSB.dll

O1 HOSTS File: ([2010/07/16 18:57:41 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O3 - HKLM\..\Toolbar: (ZoneAlarm Spy Blocker) - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL (ZoneAlarm)
O4 - HKLM..\Run: [AVG9_TRAY] C:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [C-Media Mixer] C:\WINDOWS\mixer.exe (C-Media Electronic Inc. (www.cmedia.com.tw))
O4 - HKLM..\Run: [Habu] C:\Program Files\Razer\Habu\razerhid.exe ()
O4 - HKLM..\Run: [HitmanPro35] C:\Program Files\Hitman Pro 3.5\HitmanPro35.exe (SurfRight B.V.)
O4 - HKLM..\Run: [ISUSPM Startup] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [ISUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [LifeCam] C:\Program Files\Microsoft LifeCam\LifeExp.exe (Microsoft Corporation)
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [VX3000] C:\WINDOWS\vVX3000.exe (Microsoft Corporation)
O4 - HKLM..\Run: [ZoneAlarm Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe (Zone Labs, LLC)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab (Trend Micro ActiveX Scan Agent 6.6)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} http://download.bitdefender.com/resources/scan8/oscan8.cab (BDSCANONLINE Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/windowsupd...b?1208733307671 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_11)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_01)
O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_11)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\pure-go {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files\Common Files\Pure Networks Shared\puresp.dll (Pure Networks, Inc.)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O24 - Desktop Components:0 () - C:\Documents and Settings\Geoff\Desktop\KW & TO\Pictures\Campin 2008\IMG_1517.JPG
O24 - Desktop Components:1 () - C:\Documents and Settings\Geoff\Desktop\wp_Final_Fantasy_VII_1024x768.jpg
O24 - Desktop Components:2 () - C:\Documents and Settings\Geoff\My Documents\My Pictures\Armyofanyonedesktop.jpg
O24 - Desktop Components:3 () - C:\Documents and Settings\Geoff\My Documents\My Pictures\dexter2_wall_04_1280x1024.JPG
O24 - Desktop Components:4 () - C:\Documents and Settings\Geoff\My Documents\My Pictures\Killbillwall2.JPG
O24 - Desktop Components:5 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/01/02 22:42:49 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/07/18 15:08:19 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Geoff\Desktop\OTL.exe
[2010/07/18 14:58:14 | 000,012,536 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll
[2010/07/18 14:58:12 | 000,243,024 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys
[2010/07/18 14:58:07 | 000,216,400 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgldx86.sys
[2010/07/18 14:58:05 | 000,029,584 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgmfx86.sys
[2010/07/18 14:57:52 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\Avg
[2010/07/18 14:55:13 | 000,000,000 | ---D | C] -- C:\Program Files\AVG
[2010/07/18 14:54:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\avg9
[2010/07/18 14:36:10 | 002,133,536 | ---- | C] (AVG Technologies) -- C:\Documents and Settings\Geoff\Desktop\avg_free_stb_all_9_115_cnet.exe
[2010/07/16 20:13:51 | 000,744,448 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\helpsvc.exe
[2010/07/16 18:34:00 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/07/16 18:29:50 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/07/16 18:29:50 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/07/16 18:29:50 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/07/16 18:29:50 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/07/16 18:29:21 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/07/16 18:14:18 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/07/12 22:45:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2010/07/12 20:54:33 | 000,157,712 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2010/06/24 18:29:28 | 001,869,952 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\Geoff\Desktop\HousecallLauncher(2).exe
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/07/18 15:08:18 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Geoff\Desktop\OTL.exe
[2010/07/18 14:58:16 | 000,012,536 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll
[2010/07/18 14:58:16 | 000,001,507 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\AVG Free 9.0.lnk
[2010/07/18 14:58:14 | 000,243,024 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys
[2010/07/18 14:58:07 | 000,216,400 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgldx86.sys
[2010/07/18 14:58:07 | 000,029,584 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgmfx86.sys
[2010/07/18 14:58:05 | 062,124,664 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2010/07/18 14:58:05 | 000,113,461 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\iavichjw.avm
[2010/07/18 14:47:48 | 000,001,374 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/07/18 14:47:43 | 000,352,918 | ---- | M] () -- C:\WINDOWS\System32\vsconfig.xml
[2010/07/18 14:47:32 | 000,000,032 | --S- | M] () -- C:\WINDOWS\System32\3466367831.dat
[2010/07/18 14:47:23 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/07/18 14:47:13 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/07/18 14:47:11 | 000,044,964 | ---- | M] () -- C:\WINDOWS\System32\ativvaxx.cap
[2010/07/18 14:47:04 | 1054,842,880 | -HS- | M] () -- C:\hiberfil.sys
[2010/07/18 14:45:58 | 029,360,128 | -H-- | M] () -- C:\Documents and Settings\Geoff\NTUSER.DAT
[2010/07/18 14:45:58 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Geoff\ntuser.ini
[2010/07/18 14:36:10 | 002,133,536 | ---- | M] (AVG Technologies) -- C:\Documents and Settings\Geoff\Desktop\avg_free_stb_all_9_115_cnet.exe
[2010/07/18 03:08:26 | 001,578,526 | -H-- | M] () -- C:\Documents and Settings\Geoff\Local Settings\Application Data\IconCache.db
[2010/07/17 10:00:31 | 000,274,168 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/07/17 02:35:01 | 000,000,628 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/07/17 02:33:58 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/07/17 02:27:37 | 000,505,608 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/07/17 02:27:37 | 000,444,358 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/07/17 02:27:37 | 000,072,108 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/07/16 18:57:57 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/07/16 18:57:41 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/07/16 18:49:16 | 000,578,560 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\user32.dll
[2010/07/16 18:34:08 | 000,000,279 | RHS- | M] () -- C:\boot.ini
[2010/07/16 18:05:00 | 003,738,072 | R--- | M] () -- C:\Documents and Settings\Geoff\Desktop\ComboFix.exe
[2010/07/16 17:55:43 | 000,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010/07/15 15:01:26 | 000,133,632 | ---- | M] () -- C:\Documents and Settings\Geoff\Desktop\RKUnhookerLE.EXE
[2010/07/15 11:15:28 | 000,209,408 | ---- | M] () -- C:\Documents and Settings\Geoff\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/07/14 21:21:13 | 000,001,984 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/07/13 13:15:42 | 005,456,989 | ---- | M] () -- C:\Documents and Settings\Geoff\Desktop\slackshot.wmv
[2010/07/13 11:25:47 | 000,001,648 | ---- | M] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/07/12 23:42:04 | 000,000,000 | ---- | M] () -- C:\WINDOWS\vnlfw30fblb73n0z23xkflkr.ini
[2010/07/12 21:01:58 | 000,011,264 | ---- | M] () -- C:\WINDOWS\DCEBoot.exe
[2010/07/10 18:10:52 | 000,000,804 | ---- | M] () -- C:\Documents and Settings\Geoff\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk
[2010/07/10 18:10:39 | 000,001,620 | ---- | M] () -- C:\Documents and Settings\Geoff\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2010/07/06 16:31:10 | 000,022,307 | ---- | M] () -- C:\Documents and Settings\Geoff\Desktop\001.jpg
[2010/07/04 21:15:46 | 000,054,592 | ---- | M] () -- C:\Documents and Settings\Geoff\My Documents\jordyn.jpg
[2010/06/28 21:07:26 | 000,044,544 | ---- | M] () -- C:\Documents and Settings\Geoff\My Documents\Resume.doc
[2010/06/24 19:31:40 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\Geoff\Desktop\gmer.zip
[2010/06/24 19:19:41 | 000,000,020 | ---- | M] () -- C:\Documents and Settings\Geoff\defogger_reenable
[2010/06/24 19:19:01 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Geoff\Desktop\Defogger.exe
[2010/06/24 18:58:59 | 000,016,968 | ---- | M] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2010/06/24 18:29:29 | 001,869,952 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\Geoff\Desktop\HousecallLauncher(2).exe
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/07/18 14:58:16 | 000,001,507 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\AVG Free 9.0.lnk
[2010/07/18 14:58:05 | 000,113,461 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\iavichjw.avm
[2010/07/18 14:57:52 | 062,124,664 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2010/07/16 18:56:52 | 000,000,032 | --S- | C] () -- C:\WINDOWS\System32\3466367831.dat
[2010/07/16 18:34:07 | 000,000,209 | ---- | C] () -- C:\Boot.bak
[2010/07/16 18:34:01 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/07/16 18:29:50 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/07/16 18:29:50 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/07/16 18:29:50 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/07/16 18:29:50 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/07/16 18:29:50 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/07/16 18:05:06 | 003,738,072 | R--- | C] () -- C:\Documents and Settings\Geoff\Desktop\ComboFix.exe
[2010/07/15 15:01:27 | 000,133,632 | ---- | C] () -- C:\Documents and Settings\Geoff\Desktop\RKUnhookerLE.EXE
[2010/07/15 11:15:28 | 005,456,989 | ---- | C] () -- C:\Documents and Settings\Geoff\Desktop\slackshot.wmv
[2010/07/12 23:42:04 | 000,000,000 | ---- | C] () -- C:\WINDOWS\vnlfw30fblb73n0z23xkflkr.ini
[2010/07/12 23:21:37 | 1054,842,880 | -HS- | C] () -- C:\hiberfil.sys
[2010/07/12 21:51:08 | 000,001,648 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/07/12 21:04:17 | 000,000,008 | ---- | C] () -- C:\Documents and Settings\LocalService\Application Data\vdnxlf.dat
[2010/07/12 21:01:58 | 000,011,264 | ---- | C] () -- C:\WINDOWS\DCEBoot.exe
[2010/07/10 18:10:52 | 000,000,804 | ---- | C] () -- C:\Documents and Settings\Geoff\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk
[2010/07/10 18:10:39 | 000,001,620 | ---- | C] () -- C:\Documents and Settings\Geoff\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2010/07/06 16:29:27 | 000,022,307 | ---- | C] () -- C:\Documents and Settings\Geoff\Desktop\001.jpg
[2010/07/04 21:15:46 | 000,054,592 | ---- | C] () -- C:\Documents and Settings\Geoff\My Documents\jordyn.jpg
[2010/07/04 13:07:59 | 001,453,746 | ---- | C] () -- C:\Documents and Settings\Geoff\Desktop\IMG_3621.JPG
[2010/07/04 13:07:29 | 001,444,681 | ---- | C] () -- C:\Documents and Settings\Geoff\Desktop\IMG_3623.JPG
[2010/06/24 19:33:19 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Geoff\Desktop\gmer.exe
[2010/06/24 19:31:54 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\Geoff\Desktop\gmer.zip
[2010/06/24 19:19:29 | 000,000,020 | ---- | C] () -- C:\Documents and Settings\Geoff\defogger_reenable
[2010/06/24 19:19:02 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Geoff\Desktop\Defogger.exe
[2010/06/10 14:34:44 | 000,016,968 | ---- | C] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2010/04/15 00:41:49 | 000,000,118 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2009/10/18 22:43:26 | 000,217,088 | ---- | C] () -- C:\WINDOWS\System32\LPng.dll
[2009/07/07 14:24:58 | 000,000,101 | ---- | C] () -- C:\WINDOWS\CMMIXER.INI
[2009/07/02 17:19:46 | 000,000,025 | ---- | C] () -- C:\WINDOWS\mixerdef.ini
[2009/07/01 18:18:27 | 000,001,480 | ---- | C] () -- C:\WINDOWS\Cmicnfg3.ini.cfg
[2009/07/01 18:18:25 | 000,002,532 | ---- | C] () -- C:\WINDOWS\cmudax3.ini
[2008/12/03 01:14:08 | 000,001,017 | ---- | C] () -- C:\WINDOWS\psmplay.ini
[2008/12/03 01:09:07 | 000,000,070 | ---- | C] () -- C:\WINDOWS\mmpoly.ini
[2008/08/22 00:18:49 | 000,796,048 | ---- | C] () -- C:\WINDOWS\System32\libeay32_0.9.6l.dll
[2008/07/23 12:46:38 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\DivXWMPExtType.dll
[2008/04/20 20:16:31 | 000,000,152 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2008/01/09 15:01:48 | 000,000,453 | ---- | C] () -- C:\WINDOWS\bdoscandellang.ini
[2007/12/28 00:08:16 | 000,015,498 | ---- | C] () -- C:\WINDOWS\VX3000.ini
[2007/07/23 09:03:32 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelTraditionalChinese.dll
[2007/07/23 09:03:32 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSwedish.dll
[2007/07/23 09:03:32 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSpanish.dll
[2007/07/23 09:03:30 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSimplifiedChinese.dll
[2007/07/23 09:03:30 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelPortugese.dll
[2007/07/23 09:03:30 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelKorean.dll
[2007/07/23 09:03:30 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelJapanese.dll
[2007/07/23 09:03:30 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelGerman.dll
[2007/07/23 09:03:30 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelFrench.dll
[2007/05/16 08:32:35 | 000,077,824 | R--- | C] () -- C:\WINDOWS\System32\HPZIDS01.dll
[2007/04/06 14:05:53 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/02/05 12:33:13 | 000,520,192 | ---- | C] () -- C:\WINDOWS\System32\CddbPlaylist2Sony.dll
[2007/01/17 10:45:34 | 000,000,049 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2007/01/11 23:07:17 | 000,021,840 | ---- | C] () -- C:\WINDOWS\System32\SIntfNT.dll
[2007/01/11 23:07:17 | 000,017,212 | ---- | C] () -- C:\WINDOWS\System32\SIntf32.dll
[2007/01/11 23:07:17 | 000,012,067 | ---- | C] () -- C:\WINDOWS\System32\SIntf16.dll
[2006/12/23 10:13:00 | 000,000,056 | ---- | C] () -- C:\WINDOWS\sierra.ini
[2005/10/14 05:56:50 | 000,155,136 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2004/01/04 03:12:15 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2004/01/04 03:03:25 | 000,185,856 | ---- | C] () -- C:\WINDOWS\System32\PsisDecd.dll
[2004/01/02 21:28:49 | 000,000,458 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2001/08/23 15:00:00 | 000,022,400 | ---- | C] () -- C:\WINDOWS\System32\drivers\SbcpHid.sys
[2001/07/07 03:00:00 | 000,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini

========== Custom Scans ==========


< :FILES >

< >

< c:\windows\Internet Logs\xDB*.tmp >
[37 c:\windows\Internet Logs\*.tmp files -> c:\windows\Internet Logs\*.tmp -> ]

< c:\windows\system32\3466367831.dat >
[2010/07/18 14:47:32 | 000,000,032 | --S- | M] () -- C:\WINDOWS\system32\3466367831.dat
[1 c:\windows\system32\*.tmp files -> c:\windows\system32\*.tmp -> ]

< c:\windows\vnlfw30fblb73n0z23xkflkr.ini >
[2010/07/12 23:42:04 | 000,000,000 | ---- | M] () -- c:\WINDOWS\vnlfw30fblb73n0z23xkflkr.ini
[2 c:\windows\*.tmp files -> c:\windows\*.tmp -> ]

< c:\windows\system32\1054z.exe >
[2008/04/13 20:12:36 | 000,099,840 | --S- | M] () -- C:\WINDOWS\system32\1054z.exe
[1 c:\windows\system32\*.tmp files -> c:\windows\system32\*.tmp -> ]

< >

< :services >

< >

< HTTPFilterlanmanserver >

< >

< :Commands >

< [EMPTYTEMP] >

< [EMPTYFLASH] >

========== Alternate Data Streams ==========

@Alternate Data Stream - 229 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:8FF81EB0
< End of report >


OTL Extras logfile created on: 18/07/2010 3:11:43 PM - Run 1
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Documents and Settings\Geoff\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

1,006.00 Mb Total Physical Memory | 365.00 Mb Available Physical Memory | 36.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 77.00% Paging File free
Paging file location(s): C:\pagefile.sys 1512 3024 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 232.88 Gb Total Space | 13.74 Gb Free Space | 5.90% Space Free | Partition Type: NTFS
Drive D: | 7.60 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: THEBEEFYCHIEF
Current User Name: Geoff
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"67:UDP" = 67:UDP:*:Enabled:DHCP Discovery Service

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\MSN Messenger\msncall.exe" = C:\Program Files\MSN Messenger\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone) -- File not found
"C:\Program Files\MSN Messenger\livecall.exe" = C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone) -- File not found
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Steam\steamapps\thebeefychief\counter-strike\hl.exe" = C:\Program Files\Steam\steamapps\thebeefychief\counter-strike\hl.exe:*:Enabled:Half-Life Launcher -- (Valve)
"C:\Program Files\BitLord\BitLord.exe" = C:\Program Files\BitLord\BitLord.exe:*:Enabled:BitLord -- (www.BitLord.com)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Computer, Inc.)
"C:\Program Files\Steam\steamapps\arckanik@hotmail.com\counter-strike source\hl2.exe" = C:\Program Files\Steam\steamapps\arckanik@hotmail.com\counter-strike source\hl2.exe:*:Enabled:hl2 -- ()
"C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe -- (Hewlett-Packard Development Company, L.P.)
"C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe" = C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe -- (Hewlett-Packard Development Company, L.P.)
"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe" = C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe -- (Hewlett-Packard Development Company, L.P.)
"C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe:*:Enabled:hpqcopy.exe -- (Hewlett-Packard Development Company, L.P.)
"C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe" = C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe:*:Enabled:hpfccopy.exe -- (Hewlett-Packard)
"C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe -- (Hewlett-Packard Development Company, L.P.)
"C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe" = C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe:*:Enabled:hpqphunl.exe -- (Hewlett-Packard)
"C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe" = C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe:*:Enabled:hpqdia.exe -- ( )
"C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe -- (Hewlett-Packard Development Company, L.P.)
"C:\Program Files\Steam\steam.exe" = C:\Program Files\Steam\steam.exe:*:Enabled:Steam -- (Valve Corporation)
"C:\Program Files\Microsoft LifeCam\LifeCam.exe" = C:\Program Files\Microsoft LifeCam\LifeCam.exe:*:Enabled:LifeCam.exe -- (Microsoft Corporation)
"C:\Program Files\Microsoft LifeCam\LifeExp.exe" = C:\Program Files\Microsoft LifeCam\LifeExp.exe:*:Enabled:LifeExp.exe -- (Microsoft Corporation)
"C:\WINDOWS\system32\dpvsetup.exe" = C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test -- (Microsoft Corporation)
"C:\Sierra\Half-Life\hlds.exe" = C:\Sierra\Half-Life\hlds.exe:*:Enabled:hlds -- ()
"C:\CS-Source_Server\CS-Source_Server\srcds.exe" = C:\CS-Source_Server\CS-Source_Server\srcds.exe:*:Enabled:srcds -- ()
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Steam\steamapps\beefychief\counter-strike source\hl2.exe" = C:\Program Files\Steam\steamapps\beefychief\counter-strike source\hl2.exe:*:Enabled:Counter-Strike: Source -- ()
"C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe" = C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe:LocalSubNet:Enabled:Pure Networks Network Magic Service -- (Pure Networks, Inc.)
"C:\Program Files\AVG\AVG9\avgupd.exe" = C:\Program Files\AVG\AVG9\avgupd.exe:*:Enabled:avgupd.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG9\avgnsx.exe" = C:\Program Files\AVG\AVG9\avgnsx.exe:*:Enabled:avgnsx.exe -- (AVG Technologies CZ, s.r.o.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0030188A-533E-42EE-9837-E044F10E4369}" = Palm
"{055EE59D-217B-43A7-ABFF-507B966405D8}" = ATI Catalyst Control Center
"{055FEF8E-4B86-400F-A5C6-8FAC0042DCD9}" = NVIDIA ForceWare Multimedia
"{06C32EA0-4A22-4919-979A-8700715865B8}" = Microsoft LifeCam
"{0A0873E1-D9BA-4994-B85D-A0A331EF1F0C}" = Intel® PRO Network Connections
"{0A7FBF0B-F96C-B34F-7627-0F93C9A8FABD}" = Skins
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{1E04F83B-2AB9-4301-9EF7-E86307F79C72}" = Google Earth
"{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = Multimedia Launcher
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{2205E3A5-DCDC-461D-8ED6-D6F2341D3B64}" = Intel Audio Studio 2.0
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{2376813B-2E5A-4641-B7B3-A0D5ADB55229}" = HPPhotoSmartExpress
"{240D4AC7-F7BC-4B51-898E-E4CB86485ECE}" = Intel Audio Studio 2.0
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java™ 6 Update 11
"{3248F0A8-6813-11D6-A77B-00B0D0150110}" = J2SE Runtime Environment 5.0 Update 11
"{3248F0A8-6813-11D6-A77B-00B0D0160010}" = Java™ SE Runtime Environment 6 Update 1
"{32CF189D-52BB-4C1C-8F93-97E8F3CDDC95}" = Razer Habu Config
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{363790D2-DA98-41DD-9C9F-69FA36B169DE}" = PanoStandAlone
"{36CDA33B-909B-4719-97D1-C4B99309BDC7}" = ATI Parental Control & Encoder
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{3D79DB6E-73DA-46C9-B8FA-DAE52108246F}" = OpenMG Secure Module 4.6.01
"{446DBFFA-4088-48E3-8932-74316BA4CAE4}" = iTunes
"{45235788-142C-44BE-8A4D-DDE9A84492E5}" = AGEIA PhysX v7.09.13
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{45B8A76B-57EC-4242-B019-066400CD8428}" = BufferChm
"{4EA684E9-5C81-4033-A696-3019EC57AC3A}" = HPProductAssistant
"{50D8FFDD-90CD-4859-841F-AA1961C7767A}" = QuickTime
"{554E0167-0B53-B866-9512-44B766FABAAF}" = ccc-utility
"{55574205-0833-A7A2-FD0D-D1520E5469DD}" = CCC Help English
"{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}" = Skype™ 3.6
"{66910000-8B30-4973-A159-6371345AFFA5}" = WebReg
"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{68763C27-235D-4165-A961-FDEA228CE504}" = AiOSoftwareNPI
"{6909F917-5499-482e-9AA1-FAD06A99F231}" = Toolbox
"{6994491D-D491-48F1-AE1F-E179C1FFFC2F}" = HP Photosmart Essential
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{6A4C13C8-39F5-305C-44DE-CD26E1DE0DD6}" = Catalyst Control Center Graphics Full New
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{736C803C-DD3B-4015-BC51-AFB9E67B9076}" = Readme
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{789289CA-F73A-4A16-A331-54D498CE069F}" = Ventrilo Client
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{7E7B7865-6C80-4373-8BC1-C2EB9431F9DE}" = ProductContextNPI
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{82E760D8-F344-3DE4-134D-2D782E31AACF}" = Catalyst Control Center Core Implementation
"{8331C3EA-0C91-43AA-A4D4-27221C631139}" = Status
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{87E2B986-07E8-477a-93DC-AF0B6758B192}" = DocProcQFolder
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A4CE7FD-9657-4B06-9943-E1819F3D5D67}" = DocProc
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}" = Unload
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{91BFB889-7BDE-E3BB-A622-068DB5202B0F}" = Catalyst Control Center Graphics Previews Common
"{935B7D79-D6BB-4603-9ABD-45B62F37E707}" = Phanku eTaxCanada 2009
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{996512CF-F35B-48DE-9291-557FA5316967}" = ScannerCopy
"{9A2AF890-B0CD-43DC-85F6-AA0B51024DFF}" = ATI MCE Transcode
"{9D622363-9235-E8F0-380C-D9114D77FB52}" = ccc-core-static
"{9FC8D8F8-AF3A-4488-98AF-51C6DEC732F2}" = c3100_Help
"{A06275F4-324B-4E85-95E6-87B2CD729401}" = Windows Defender
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = SigmaTel Audio
"{A50C25D7-62E9-4511-AD70-8E2DA5E79B7D}" = Apple Software Update
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{A9F5421F-DA70-4C77-BB97-8D77EC33ED5E}" = HP Photosmart and Deskjet 7.0.A
"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
"{AC76BA86-7AD7-1033-7B44-A70000000000}" = Adobe Reader 7.0
"{AF19F291-F22F-4798-9662-525305AE9E48}" = WordPerfect Office 12
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B525BB2C-9338-11D4-8B84-00B0D03E6A83}" = Palm Conduit Support for COM
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{B7A0CE06-068E-11D6-97FD-0050BACBF861}" = PowerProducer
"{B97CF5C3-0487-11D8-A36E-0050BAE317E1}" = DVD Solution
"{BB85ED9C-AFC9-43BD-B8DC-258C3C7DF72E}" = HP Software Update
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C7F54CF8-D6FB-4E0A-93A3-E68AE0D6C476}" = SolutionCenter
"{C8753E28-2680-49BF-BD48-DD38FD086EFE}" = AiO_Scan_CDA
"{C941F1F1-25B3-4DF5-83E6-888C51A1AAB6}" = AVIVO Codecs
"{C9DD3547-2B8B-B451-F479-30F8B05ED6D6}" = Catalyst Control Center Graphics Full Existing
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D6DBDC2A-E72C-4284-B6AD-6B3B61B4DABC}" = Far Cry
"{D6E00160-F372-F959-A54C-ABDE5E03B170}" = ccc-core-preinstall
"{DBC20735-34E6-4E97-A9E5-2066B66B243D}" = TrayApp
"{E5D3E730-1EF6-7876-358A-41C0E61475F5}" = Catalyst Control Center Graphics Light
"{EB8C9964-09AC-48bf-8B98-027609C78251}" = C3100
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F157460F-720E-482f-8625-AD7843891E5F}" = InstantShareDevicesMFC
"{F3760724-B29D-465B-BC53-E5D72095BCC4}" = Scan
"{F6076EF9-08E1-442F-B6A2-BFB61B295A14}" = Fax_CDA
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{FA3A247D-437A-455E-A88F-7EB6E5F9E799}" = Catalyst Control Center - Branding
"{FB15E224-67C3-491F-9F5C-F257BC418412}" = Destinations
"{FBB980B0-63F8-4B48-8D65-90F1D9F81D9F}" = NewCopy_CDA
"{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}" = HighMAT Extension to Microsoft Windows XP CD Writing Wizard
"0D91165CEEB2095316E8A04A59CDF0AE4B957C61" = Windows Driver Package - MOTOROLA (uisp) USB (09/08/2006 1.2.0.0)
"AC3Filter" = AC3Filter (remove only)
"Acoustica Beatcraft" = Acoustica Beatcraft
"Acoustica Effects Pack" = Acoustica Effects Pack
"Ad-Aware SE Personal" = Ad-Aware SE Personal
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"All ATI Software" = ATI - Software Uninstall Utility
"ATI Display Driver" = ATI Display Driver
"Audacity_is1" = Audacity 1.2.6
"AVG9Uninstall" = AVG Free 9.0
"BitLord" = BitLord 1.1
"BSPlayer1" = BSPlayer
"C248DC5465E4500BAAAE52DF5A4C1714C1714ABE" = Windows Driver Package - Razer (HidUsb) HIDClass (01/10/2007 1.00)
"Click to Convert 6.1" = Click to Convert 6.1
"C-Media PCI Sound" = C-Media PCI Audio Device
"CompTracker 4.5" = CompTracker 4.5
"CompTracker 4.7" = CompTracker 4.7
"Guitar Pro 5_is1" = Guitar Pro 5.0
"Half-Life" = Half-Life
"HECI" = Intel® Active Client Manager 2.0 HECI Driver
"HitmanPro35" = Hitman Pro 3.5
"HP Imaging Device Functions" = HP Imaging Device Functions 7.0
"HP Solution Center & Imaging Support Tools" = HP Solution Center 7.0
"HPOCR" = OCR Software by I.R.I.S 7.0
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InstallShield_{3D79DB6E-73DA-46C9-B8FA-DAE52108246F}" = OpenMG Secure Module 4.6.01
"InstallShield_{D6DBDC2A-E72C-4284-B6AD-6B3B61B4DABC}" = Far Cry
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mobile Music Polyphonic" = Mobile Music Polyphonic
"Mozilla Firefox (3.0.19)" = Mozilla Firefox (3.0.19)
"MPE" = MyPhoneExplorer
"MSNINST" = MSN
"Nero - Burning Rom!UninstallKey" = Nero OEM
"Network Magic" = Pure Networks Network Magic
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"PCI Audio Driver" = PCI Audio Driver
"Sony-Ericsson Ringtone Convertor_is1" = Sony-Ericsson Ringtone Convertor Version 1.0 Beta
"SopCast" = SopCast 3.0.3
"Spybot - Search & Destroy_is1" = Spybot - Search & Destroy 1.4
"Steam" = Steam
"Steam App 215" = Source SDK Base
"Steam App 380" = Half-Life 2: Episode One
"VLC media player" = VideoLAN VLC media player 0.8.6f
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 10
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"ZoneAlarm" = ZoneAlarm
"ZoneAlarmSB Uninstall" = ZoneAlarm Spy Blocker

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Steam App 240" = Counter-Strike: Source
"Steam App 6530" = Lost Planet: Extreme Conditions Demo

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 16/07/2010 2:41:43 PM | Computer Name = THEBEEFYCHIEF | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 16/07/2010 2:41:43 PM | Computer Name = THEBEEFYCHIEF | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The connection with the server was terminated abnormally

Error - 16/07/2010 2:41:43 PM | Computer Name = THEBEEFYCHIEF | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 16/07/2010 2:41:43 PM | Computer Name = THEBEEFYCHIEF | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 16/07/2010 6:12:03 PM | Computer Name = THEBEEFYCHIEF | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 16/07/2010 6:12:03 PM | Computer Name = THEBEEFYCHIEF | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 16/07/2010 6:12:03 PM | Computer Name = THEBEEFYCHIEF | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The connection with the server was terminated abnormally

Error - 16/07/2010 6:12:04 PM | Computer Name = THEBEEFYCHIEF | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 16/07/2010 6:12:04 PM | Computer Name = THEBEEFYCHIEF | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 17/07/2010 9:13:32 PM | Computer Name = THEBEEFYCHIEF | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.5512, faulting
module user32.dll, version 5.1.2600.5512, fault address 0x000187aa.

[ System Events ]
Error - 16/07/2010 7:00:00 PM | Computer Name = THEBEEFYCHIEF | Source = Schedule | ID = 7901
Description = The At20.job command failed to start due to the following error: %%2147942402

Error - 16/07/2010 7:00:00 PM | Computer Name = THEBEEFYCHIEF | Source = Schedule | ID = 7901
Description = The At44.job command failed to start due to the following error: %%2147942402

Error - 16/07/2010 7:15:46 PM | Computer Name = THEBEEFYCHIEF | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Avg7Core Avg7RsXP

Error - 16/07/2010 8:55:13 PM | Computer Name = THEBEEFYCHIEF | Source = Service Control Manager | ID = 7034
Description = The Pure Networks Network Magic Service service terminated unexpectedly.
It has done this 1 time(s).

Error - 17/07/2010 10:01:38 AM | Computer Name = THEBEEFYCHIEF | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Avg7Core Avg7RsXP

Error - 17/07/2010 6:26:18 PM | Computer Name = THEBEEFYCHIEF | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Avg7Core Avg7RsXP

Error - 17/07/2010 6:48:36 PM | Computer Name = THEBEEFYCHIEF | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Avg7Core Avg7RsXP

Error - 17/07/2010 9:14:25 PM | Computer Name = THEBEEFYCHIEF | Source = Service Control Manager | ID = 7034
Description = The Pure Networks Network Magic Service service terminated unexpectedly.
It has done this 1 time(s).

Error - 17/07/2010 9:20:32 PM | Computer Name = THEBEEFYCHIEF | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Avg7Core Avg7RsXP

Error - 18/07/2010 9:06:54 AM | Computer Name = THEBEEFYCHIEF | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Avg7Core Avg7RsXP


< End of report >


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4324

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

18/07/2010 3:56:19 PM
mbam-log-2010-07-18 (15-56-19).txt

Scan type: Quick scan
Objects scanned: 139688
Time elapsed: 10 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 11
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{892b2785-b0d0-4aa2-ae6a-0ed60b00a979} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{e81cf86b-f683-422a-b742-3f2427ea9d6a} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3f5a62e2-51f2-11d3-a075-cc7364cae42a} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


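The "Last 10 Event Log Errors" block in the OTL report above is worth reading with a small script rather than by eye: the `%%2147942402` in the Schedule errors is a decimal HRESULT, the `At20.job`/`At44.job` names are AT-scheduler jobs in `C:\WINDOWS\Tasks` that a cleanup should account for, and the crypt32 validity-period failures usually point at a wrong system clock. The following is an added example, not part of the thread or of OTL; the sample text is constructed in the shape of the log posted above, and the rules for what to flag (and the small HRESULT name table) are this example's own assumptions.

```python
"""Triage the "Last 10 Event Log Errors" section of an OTL log (added example)."""
import re

# Constructed sample, shaped like the section OTL prints; not a real capture.
SAMPLE = """\
[ Application Events ]
Error - 16/07/2010 2:41:43 PM | Computer Name = THEBEEFYCHIEF | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 17/07/2010 9:13:32 PM | Computer Name = THEBEEFYCHIEF | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.5512, faulting
module user32.dll, version 5.1.2600.5512, fault address 0x000187aa.

[ System Events ]
Error - 16/07/2010 7:00:00 PM | Computer Name = THEBEEFYCHIEF | Source = Schedule | ID = 7901
Description = The At20.job command failed to start due to the following error: %%2147942402

Error - 16/07/2010 7:15:46 PM | Computer Name = THEBEEFYCHIEF | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Avg7Core Avg7RsXP
"""

HEADER = re.compile(
    r"^Error - (?P<when>.+?) \| Computer Name = (?P<host>.+?) \| "
    r"Source = (?P<source>.+?) \| ID = (?P<id>\d+)$"
)
WIN32_ERROR = re.compile(r"%%(\d+)")          # decimal HRESULT as the event log prints it
AT_JOB = re.compile(r"\b(At\d+\.job)\b")       # AT-scheduler job names
FAULT_MODULE = re.compile(r"faulting module (\S+),")

# Assumption: a tiny name table is enough for triage; extend as needed.
HRESULT_NAMES = {0x80070002: "ERROR_FILE_NOT_FOUND", 0x80070003: "ERROR_PATH_NOT_FOUND"}


def parse_events(text):
    """Split the section into dicts with log, when, host, source, id, description."""
    events, log_name, current = [], None, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[ ") and line.endswith(" ]"):
            log_name = line[2:-2]            # "[ System Events ]" -> "System Events"
            continue
        m = HEADER.match(line)
        if m:
            current = dict(m.groupdict(), log=log_name, description="")
            current["id"] = int(current["id"])
            events.append(current)
        elif current is not None and line:
            if line.startswith("Description = "):
                line = line[len("Description = "):]
            current["description"] = (current["description"] + " " + line).strip()
    return events


def decode_win32(code):
    """Render the decimal %%NNNN value as a hex HRESULT with a name when known."""
    return "0x%08X (%s)" % (code, HRESULT_NAMES.get(code, "unknown"))


def triage(events):
    """Return (severity, note) findings for the event types worth a second look."""
    findings = []
    for ev in events:
        src, eid, desc = ev["source"], ev["id"], ev["description"]
        if src == "Schedule" and eid == 7901:
            job = AT_JOB.search(desc)
            err = WIN32_ERROR.search(desc)
            findings.append(("check", "AT job %s failed to start with %s; review C:\\WINDOWS\\Tasks"
                             % (job.group(1) if job else "?",
                                decode_win32(int(err.group(1))) if err else "?")))
        elif src == "crypt32" and eid == 131083 and "validity period" in desc:
            findings.append(("check", "root-list update rejected on certificate validity; verify the system clock"))
        elif src == "Application Error" and eid == 1000 and "svchost.exe" in desc:
            mod = FAULT_MODULE.search(desc)
            findings.append(("check", "svchost.exe crashed in %s" % (mod.group(1) if mod else "?")))
        elif src == "Service Control Manager" and eid == 7026:
            drivers = desc.split(":")[-1].split()
            findings.append(("info", "boot/system drivers failed to load: " + ", ".join(drivers)))
    return findings


if __name__ == "__main__":
    for severity, note in triage(parse_events(SAMPLE)):
        print(severity, note)
```

The Schedule entries are the ones to act on: `0x80070002` is ERROR_FILE_NOT_FOUND, so the job's target binary is already gone but the `At*.job` file itself is still firing.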

#12 MalwareMutilator

MalwareMutilator

  • Members
  • 931 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:45 AM

Posted 20 July 2010 - 10:28 AM

Hello thebeefychief, smile.gif

Your new logs are looking much better. Just a few more steps and we have this beat.

Please proceed as follows:

Step #1

Run OTL custom fix:

We need to run an OTL Fix:
  • Please reopen OTL on your desktop.

  • Copy and Paste the following code into the textbox. Do not include the word "Code"


    CODE
    :OTL

    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.

    :FILES

    c:\windows\Internet Logs\xDB*.tmp
    c:\windows\system32\3466367831.dat
    c:\windows\vnlfw30fblb73n0z23xkflkr.ini
    c:\windows\system32\1054z.exe

    :services

    HTTPFilterlanmanserver

    :Commands
    [EMPTYTEMP]
    [EMPTYFLASH]

  • Push

  • OTL may ask to reboot the machine. Please do so if asked.

  • Click .

  • A report will open. Copy and Paste that report in your next reply.
Step #2

Update Java:

Your Java is out of date.

Older versions of Java have vulnerabilities that malicious sites can use to exploit and infect your system. Therefore, please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 21.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u21-windows-i586.exe to install the newest version.
NOTE: If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it. The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.

Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

Step #3

Update Adobe Reader:

Recently, there have been vulnerabilities detected in older versions of the Adobe Reader. It is strongly suggested that you update to the current version. You can download the newest version of the Adobe Reader (9.3.3) from here.
  • After installing the latest Adobe Reader, uninstall all previous versions.

  • If you don't like Adobe Reader, you can download Foxit PDF Reader (3.5MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

  • Note: If installing FoxitReader, be careful not to install anything to do with AskBar.
After completing all of the steps outlined above, please furnish the new OTL log with your next reply. In addition, please inform me how your computer is running now. Any other problems you are experiencing?

Regards, thumbup2.gif

MM

#13 thebeefychief

thebeefychief
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Canada
  • Local time:12:45 PM

Posted 20 July 2010 - 12:54 PM

Hey MM,

I have updated both adobe and java programs. OTL appeared to be successful with its actions. I'm having a problem with AVG however. avgcsrvx.exe , avgrsx.exe , and csrss.exe are taking up all of my CPU, each taking up between 20-40%. Is this normal if AVG is trying to perpetually scan my system for threats? When I stop both of the avg processes in task manager, the problem goes away. I've tried to disable AVG from scanning without being prompted. Otherwise my computer appears to be running well, thank you for all the help so far. Here's the most recent OTL Log.

Thanks again,

Geoff

All processes killed
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
========== FILES ==========
c:\windows\Internet Logs\xDB1.tmp moved successfully.
c:\windows\Internet Logs\xDB10.tmp moved successfully.
c:\windows\Internet Logs\xDB11.tmp moved successfully.
c:\windows\Internet Logs\xDB12.tmp moved successfully.
c:\windows\Internet Logs\xDB13.tmp moved successfully.
c:\windows\Internet Logs\xDB14.tmp moved successfully.
c:\windows\Internet Logs\xDB15.tmp moved successfully.
c:\windows\Internet Logs\xDB16.tmp moved successfully.
c:\windows\Internet Logs\xDB17.tmp moved successfully.
c:\windows\Internet Logs\xDB18.tmp moved successfully.
c:\windows\Internet Logs\xDB19.tmp moved successfully.
c:\windows\Internet Logs\xDB1A.tmp moved successfully.
c:\windows\Internet Logs\xDB1B.tmp moved successfully.
c:\windows\Internet Logs\xDB1C.tmp moved successfully.
c:\windows\Internet Logs\xDB1D.tmp moved successfully.
c:\windows\Internet Logs\xDB1E.tmp moved successfully.
c:\windows\Internet Logs\xDB1F.tmp moved successfully.
c:\windows\Internet Logs\xDB2.tmp moved successfully.
c:\windows\Internet Logs\xDB20.tmp moved successfully.
c:\windows\Internet Logs\xDB21.tmp moved successfully.
c:\windows\Internet Logs\xDB22.tmp moved successfully.
c:\windows\Internet Logs\xDB23.tmp moved successfully.
c:\windows\Internet Logs\xDB24.tmp moved successfully.
c:\windows\Internet Logs\xDB25.tmp moved successfully.
c:\windows\Internet Logs\xDB3.tmp moved successfully.
c:\windows\Internet Logs\xDB4.tmp moved successfully.
c:\windows\Internet Logs\xDB5.tmp moved successfully.
c:\windows\Internet Logs\xDB6.tmp moved successfully.
c:\windows\Internet Logs\xDB7.tmp moved successfully.
c:\windows\Internet Logs\xDB8.tmp moved successfully.
c:\windows\Internet Logs\xDB9.tmp moved successfully.
c:\windows\Internet Logs\xDBA.tmp moved successfully.
c:\windows\Internet Logs\xDBB.tmp moved successfully.
c:\windows\Internet Logs\xDBC.tmp moved successfully.
c:\windows\Internet Logs\xDBD.tmp moved successfully.
c:\windows\Internet Logs\xDBE.tmp moved successfully.
c:\windows\Internet Logs\xDBF.tmp moved successfully.
File move failed. c:\windows\system32\3466367831.dat scheduled to be moved on reboot.
c:\windows\vnlfw30fblb73n0z23xkflkr.ini moved successfully.
File move failed. c:\windows\system32\1054z.exe scheduled to be moved on reboot.
========== SERVICES/DRIVERS ==========
Service HTTPFilterlanmanserver stopped successfully!
Service HTTPFilterlanmanserver deleted successfully!
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 49360 bytes
->Temporary Internet Files folder emptied: 2169466 bytes
->Java cache emptied: 5732 bytes
->Flash cache emptied: 523 bytes

User: All Users

User: Default User
->Temp folder emptied: 49152 bytes
->Temporary Internet Files folder emptied: 119265 bytes
->FireFox cache emptied: 4589750 bytes
->Flash cache emptied: 564 bytes

User: Geoff
->Temp folder emptied: 103827912 bytes
->Temporary Internet Files folder emptied: 1812647 bytes
->Java cache emptied: 142897393 bytes
->FireFox cache emptied: 68566533 bytes
->Flash cache emptied: 10939 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 131206 bytes
->Flash cache emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 3584 bytes
->Temporary Internet Files folder emptied: 111826 bytes
->Java cache emptied: 277 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 19569 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 4518292 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 40772636 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 36614 bytes
RecycleBin emptied: 45380 bytes

Total Files Cleaned = 353.00 mb


[EMPTYFLASH]

User: Administrator
->Flash cache emptied: 0 bytes

User: All Users

User: Default User
->Flash cache emptied: 0 bytes

User: Geoff
->Flash cache emptied: 0 bytes

User: LocalService
->Flash cache emptied: 0 bytes

User: NetworkService
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.9.1 log created on 07202010_125138

Files\Folders moved on Reboot...
c:\windows\system32\3466367831.dat moved successfully.
c:\windows\system32\1054z.exe moved successfully.
File\Folder C:\WINDOWS\temp\ZLT05981.TMP not found!
File\Folder C:\WINDOWS\temp\ZLT05984.TMP not found!

Registry entries deleted on Reboot...

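The fix script in post #12 and the log in post #13 are two halves of one check: every `:FILES` entry should end up either "moved successfully", "scheduled to be moved on reboot" and then confirmed under "Files\Folders moved on Reboot...", or reported "not found"; every `:services` entry should be stopped and deleted. The following added example (not part of the thread or of OTL) reconciles the two. The script and log fragments are constructed in the shape of the ones posted above, with one difference on purpose: the sample log schedules `1054z.exe` for a reboot move but never confirms it, which is the case a practitioner wants flagged. The status names are this example's own.

```python
"""Reconcile an OTL fix script against the log OTL writes after running it (added example)."""
import fnmatch
import re

# Constructed sample script, shaped like the one in post #12.
FIX_SCRIPT = """\
:OTL
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
:FILES
c:\\windows\\Internet Logs\\xDB*.tmp
c:\\windows\\system32\\3466367831.dat
c:\\windows\\vnlfw30fblb73n0z23xkflkr.ini
c:\\windows\\system32\\1054z.exe
:services
HTTPFilterlanmanserver
:Commands
[EMPTYTEMP]
"""

# Constructed sample log; 1054z.exe is deliberately never confirmed after reboot.
FIX_LOG = """\
========== FILES ==========
c:\\windows\\Internet Logs\\xDB1.tmp moved successfully.
c:\\windows\\Internet Logs\\xDB2.tmp moved successfully.
File move failed. c:\\windows\\system32\\3466367831.dat scheduled to be moved on reboot.
c:\\windows\\vnlfw30fblb73n0z23xkflkr.ini moved successfully.
File move failed. c:\\windows\\system32\\1054z.exe scheduled to be moved on reboot.
========== SERVICES/DRIVERS ==========
Service HTTPFilterlanmanserver stopped successfully!
Service HTTPFilterlanmanserver deleted successfully!
========== COMMANDS ==========
Files\\Folders moved on Reboot...
c:\\windows\\system32\\3466367831.dat moved successfully.
File\\Folder C:\\WINDOWS\\temp\\ZLT05981.TMP not found!
"""

MOVED = re.compile(r"^(?P<path>.+?) moved successfully\.$")
SCHEDULED = re.compile(r"^File move failed\. (?P<path>.+?) scheduled to be moved on reboot\.$")
NOT_FOUND = re.compile(r"^File\\Folder (?P<path>.+?) not found!$")
SERVICE = re.compile(r"^Service (?P<name>\S+) (?P<action>stopped|deleted) successfully!$")


def parse_fix_script(text):
    """Map each ':section' name (lower-cased) to the lines under it."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith(":"):
            current = line[1:].lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_fix_log(text):
    """Collect lower-cased paths by outcome, keeping reboot-time moves separate."""
    log = {k: set() for k in ("moved", "scheduled", "moved_on_reboot", "not_found", "services_deleted")}
    in_reboot = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Files\\Folders moved on Reboot"):
            in_reboot = True
            continue
        if line.startswith("Registry entries deleted on Reboot"):
            in_reboot = False
            continue
        for regex, bucket in ((SCHEDULED, "scheduled"), (NOT_FOUND, "not_found"), (MOVED, None)):
            m = regex.match(line)
            if m:
                bucket = bucket or ("moved_on_reboot" if in_reboot else "moved")
                log[bucket].add(m.group("path").lower())
                break
        else:
            m = SERVICE.match(line)
            if m and m.group("action") == "deleted":
                log["services_deleted"].add(m.group("name"))
    return log


def reconcile(script, log):
    """Return {script entry: status}; wildcards in :FILES are matched with fnmatch."""
    report = {}
    all_paths = log["moved"] | log["scheduled"] | log["moved_on_reboot"] | log["not_found"]
    unconfirmed = log["scheduled"] - log["moved_on_reboot"]
    for pattern in script.get("files", []):
        matches = {p for p in all_paths if fnmatch.fnmatchcase(p, pattern.lower())}
        if not matches:
            report[pattern] = "no_log_entry"
        elif matches & unconfirmed:
            report[pattern] = "pending_reboot"      # scheduled, never confirmed after reboot
        elif matches & log["moved_on_reboot"]:
            report[pattern] = "moved_on_reboot"
        elif matches & log["moved"]:
            report[pattern] = "moved"
        else:
            report[pattern] = "not_found"
    for name in script.get("services", []):
        report[name] = "deleted" if name in log["services_deleted"] else "still_present"
    return report


def pending(report):
    """Entries that still need follow-up (a second reboot, a rerun, or a manual look)."""
    return sorted(k for k, v in report.items() if v in ("pending_reboot", "no_log_entry", "still_present"))


if __name__ == "__main__":
    result = reconcile(parse_fix_script(FIX_SCRIPT), parse_fix_log(FIX_LOG))
    for entry, status in result.items():
        print(status.ljust(16), entry)
    print("follow-up:", pending(result))
```

Run against the real log in post #13, both scheduled files appear again under "Files\Folders moved on Reboot...", so nothing would be pending; the sample here shows what the report looks like when a locked file survives the reboot.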

#14 MalwareMutilator

MalwareMutilator

  • Members
  • 931 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:45 AM

Posted 21 July 2010 - 10:21 AM

Hi, thebeefychief, smile.gif

I've researched your problem pertaining to AVG, and I believe that I may have found a plausible answer for you. I've submitted my thoughts to an authorized BC instructor for review, so I will return ASAP.

Regards, thumbup2.gif

MM

#15 MalwareMutilator

MalwareMutilator

  • Members
  • 931 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:45 AM

Posted 22 July 2010 - 11:06 AM

Hi, thebeefychief, smile.gif

There is a help forum at AVG that relates to the problem you are experiencing with AVG 9. You may find an answer there, or you could seek additional help right here at the BC site from the AntiVirus, Firewall and Privacy Products and Protection Methods forum. I would also suggest that you refer to the two links listed below to gain a bit more insight regarding your problem:

http://forums.avg.com/gb-en/avg-free-forum...1695#post_21695

http://forums.cnet.com/5208-19703_102-0.html?threadID=367963

Also, please be aware that Antivirus programs do consume large amounts of resources, especially while scanning.

If you find that you are ultimately unable to resolve the issue, I can only suggest that you uninstall AVG, and install another Antivirus program. Two free Antivirus programs with good reputations are Avira and Avast. If you do choose to install a different Antivirus program, be certain to uninstall AVG 9 prior to doing so.

On the bright side . . . your computer now appears to be clean! Congratulations! clapping.gif

Next, we will cleanup the tools we have used, and I will then offer my suggestions to minimize your chances of being re-infected. Please proceed as follows:

Restore emulation drivers:
  • To re-enable your emulation drivers, double click DeFogger to run the tool.

  • The application window will appear.

  • Click the Re-enable button to re-enable your CD emulation drivers.

  • Click Yes to continue.

  • A Finished message will appear.

  • Click OK.

  • DeFogger will now ask to reboot the machine - click OK.

  • Your emulation drivers are now re-enabled.
Uninstall ComboFix:
  • Push the "Windows key" + "R" (between the "Ctrl" button and "Alt" Button).

  • Please copy and paste the following into the box: ComboFix /Uninstall
  • Click OK.

  • Note the space between the X and the /Uninstall, it needs to be there.



Download and Run OTC:

We will now remove the tools we used during this fix using OTC:
  • Download OTC by OldTimer and save it to your desktop.

  • Double click the icon to start the program.

  • Click the big button.

  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.

  • Restart your computer when prompted.
Recommendations

Below are some recommendations to lower your chances of (re)infection.
  • Install an Anti-Spyware program, and update it regularly. Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.

    SUPERAntiSpyware is another good scanner with high detection and removal rates. Both programs are free for non commercial home use but provide a resident and do not nag if you purchase the paid versions.

  • Prevention article : To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections please read the Prevention article by Miekiemoes.

  • Keep Windows (and your other Microsoft software) up to date!
    I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.


    Windows XP

  • Visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install.

  • Keep your other software up to date as well. Software does not need to be made by Microsoft to be insecure. Download Secunia Software Inspector to keep all your software up to date.

  • Consider Firefox as your primary browser. It's safer, fast and secure.

  • Install WOT. Never inadvertently surf to a dangerous website again.

  • Consider running your browser Sandboxed with Sandboxie. You decide what actually gets into your OS.

  • Install NoScript. Pre-emptively blocks malicious scripts and allows JavaScript, Java and other potentially dangerous content only from sites you trust.

  • Stay up to date!

    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.
Follow this list and your potential for being infected again will reduce dramatically.

Glad I was able to help. thumbup2.gif

Regards,

MM

Edited by MalwareMutilator, 22 July 2010 - 11:17 AM.
