
Infected with Bootkit Whistler


  • This topic is locked
12 replies to this topic

#1 sgomez417

sgomez417

  • Members
  • 9 posts
  • Local time:06:58 AM

Posted 18 July 2010 - 08:02 AM

Hi, this was my initial topic: http://www.bleepingcomputer.com/forums/t/330711/advert-virus/
Gmer ran, but when I press 'save' after the scan's done it freezes. I have the DDS log, though; if the Gmer one's important I'll keep trying.

DDS log:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Me at 21:22:21.63 on Mon 07/12/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2029.1244 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
svchost.exe 4
C:\WINDOWS\system32\spoolsv.exe
svchost.exe 4
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\AppleOSSMgr.exe
C:\WINDOWS\system32\AppleTimeSrv.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Boot Camp\KbdMgr.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Documents and Settings\Me\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = 0.0.0.0:80
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Foxit Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [Apple_KbdMgr] c:\program files\boot camp\KbdMgr.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
IE: &Search
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} - hxxp://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/uno1/GAME_UNO1.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {A8D647C8-65AC-409F-B7B2-3C0FEE1A32F2} - c:\program files\pixiepack codec pack\InstallerHelper.exe

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\me\applic~1\mozilla\firefox\profiles\pa1khzec.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-7-11 165456]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-6-10 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-6-10 29584]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-6-10 242896]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 AppleOSSMgr;Apple OS Switch Manager;c:\windows\system32\AppleOSSMgr.exe [2008-10-13 136496]
R2 AppleTimeSrv;Apple Time Service;c:\windows\system32\AppleTimeSrv.exe [2008-10-13 99632]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-7-11 17744]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-11 40384]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-6-10 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-6-10 308064]
R2 KeyAgent;KeyAgent;c:\windows\system32\drivers\KeyAgent.sys [2008-10-13 5760]
R2 MacHALDriver;Mac HAL;c:\windows\system32\drivers\MacHALDriver.sys [2008-10-13 6784]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-11 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-11 40384]
R3 IRRemoteFlt;IR Receiver Filter Driver;c:\windows\system32\drivers\IRFilter.sys [2010-1-16 16512]
R3 KeyMagic;USB Keyboard HID Filter;c:\windows\system32\drivers\KeyMagic.sys [2010-1-16 22528]
S2 clr_optimization_v4.0.21006_32;Microsoft .NET Framework NGEN v4.0.21006_X86;c:\windows\microsoft.net\framework\v4.0.21006\mscorsvw.exe [2009-10-7 129856]
S3 nvnnio;nvnnio;c:\windows\system32\drivers\nvnnio.sys [2010-2-13 87040]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.21006\wpf\WPFFontCache_v0400.exe [2009-10-7 752984]

=============== Created Last 30 ================

2010-07-12 20:07:58 20 ----a-w- c:\documents and settings\me\defogger_reenable
2010-07-12 17:19:21 0 d-----w- c:\program files\Enigma Software Group
2010-07-12 17:18:48 0 d-----w- c:\windows\4FC9DA9DF608454E8191D7EFFDCC5726.TMP
2010-07-12 17:18:47 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-07-11 17:53:56 77312 ----a-w- C:\mbr.exe
2010-07-11 16:40:52 0 d-----w- c:\docume~1\me\applic~1\SUPERAntiSpyware.com
2010-07-11 16:40:52 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-07-11 16:40:44 0 d-----w- c:\program files\SUPERAntiSpyware
2010-07-11 14:59:30 0 d-----w- c:\program files\Trend Micro
2010-07-11 14:57:43 38848 ----a-w- c:\windows\avastSS.scr
2010-07-11 14:57:38 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-07-11 14:54:40 43904 -c--a-w- c:\windows\system32\dllcache\sbp2port.sys
2010-07-11 14:54:40 43904 ----a-w- c:\windows\system32\drivers\sbp2port.sys
2010-07-11 12:22:49 0 d-----w- c:\docume~1\me\applic~1\Malwarebytes
2010-07-11 12:22:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-11 12:22:38 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-11 12:22:38 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-11 12:22:38 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-07-10 19:34:57 0 d--h--w- c:\windows\PIF
2010-07-05 17:13:58 0 d-----w- c:\program files\Bethesda Softworks
2010-06-28 08:05:32 0 d-----w- c:\windows\system32\madll
2010-06-28 08:05:30 0 d-----w- c:\program files\Abdio
2010-06-28 07:54:17 0 d-----w- c:\docume~1\me\applic~1\OpenCandy

==================== Find3M ====================

2010-06-11 08:47:23 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-06-10 21:26:02 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-06-10 21:25:55 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-04-25 15:53:58 323624 ----a-w- c:\windows\system32\wiaaut.dll

============= FINISH: 21:22:52.29 ===============




#2 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:12:58 PM

Posted 18 July 2010 - 09:35 AM

Hello sgomez417, my name is Syler and I will be helping you to solve your malware issues.

Please note we are very busy, so if I don't hear from you within 5 days the topic will be closed. If you have since resolved your issues, I would appreciate it if you would let me know so I can close this topic.


I do not recommend that you have more than one anti-virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (real-time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti-virus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False alarms: when the anti-virus software tells you that your PC has a virus when it actually doesn't.
2) System performance problems: your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to Add/Remove Programs in the Control Panel and remove either AVG or Avast.



We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
    Under the Custom Scans/Fixes box at the bottom, paste in the following bold text.
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\*. /mp /s
    %SYSTEMDRIVE%\*.exe
    netsvcs
    msconfig
    drivers32
    CREATERESTOREPOINT

  5. Push the button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized



Download and Run MBR Rootkit Scan
  • Please download MBR Rootkit Detector and save it on your desktop.
  • Go to Start >> Run then copy and paste the following line into the run box
    "%userprofile%\desktop\mbr.exe" -t

  • Select Run when you receive a Security Warning.
  • The process is automatic: a black DOS window will appear and disappear suddenly. This is normal.
  • A log file will then be created on your desktop, where you ran mbr.exe from.
  • Copy and paste the contents of mbr.log on your next reply.


Then please post back here with the following logs:
  • OTL.txt
  • Extra.txt
  • mbr.log

Thanks

Edited by syler, 18 July 2010 - 09:36 AM.

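As an added example (not code from the thread, from DDS, or from OTL), here is a small Python triage script that reads DDS-style "Pseudo HJT Report" lines and flags the three things Syler's reply reacts to: two anti-virus products with on-access scanning enabled, a ProxyServer value in the user's Internet Settings, and BHO/toolbar entries that point at "No File". The sample lines are constructed in the DDS format and mirror entries from the log posted above; the regular expressions and the function names `parse_dds` and `triage` are my own assumptions about that line format, not part of the DDS tool.

```python
import re

# Constructed sample in the DDS "Pseudo HJT Report" format. The AV, proxy,
# BHO and TB lines mirror entries from the log posted in this thread.
SAMPLE_DDS = """\
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = 0.0.0.0:80
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\\program files\\avg\\avg9\\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
mRun: [avast5] c:\\progra~1\\alwils~1\\avast5\\avastUI.exe /nogui
"""

# Assumed line shapes (my reading of the format, not a DDS specification):
#   AV: <product name> *<protection state>* (...) {CLSID}
#   uInternet Settings,<Key> = <value>      (u = current user, m = machine)
#   BHO|TB: [<name>: ]{CLSID} - <dll path or "No File">
AV_RE = re.compile(r"^AV: (?P<name>.+?) \*(?P<state>[^*]+)\*")
SETTING_RE = re.compile(r"^[um]Internet Settings,(?P<key>\w+) = (?P<value>.*)$")
ORPHAN_RE = re.compile(r"^(?:BHO|TB): (?:.*?)(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - No File$")


def parse_dds(text):
    """Pull the entries a helper looks at first out of a DDS report."""
    report = {"av_realtime": [], "settings": {}, "orphaned": []}
    for line in text.splitlines():
        line = line.strip()
        m = AV_RE.match(line)
        if m:
            # Only count products whose on-access (real-time) scanner is on.
            if "enabled" in m.group("state").lower():
                report["av_realtime"].append(m.group("name"))
            continue
        m = SETTING_RE.match(line)
        if m:
            report["settings"][m.group("key")] = m.group("value")
            continue
        m = ORPHAN_RE.match(line)
        if m:
            report["orphaned"].append(m.group("clsid"))
    return report


def triage(text):
    """Turn the parsed report into plain-language findings, in a fixed order."""
    report = parse_dds(text)
    findings = []
    if len(report["av_realtime"]) > 1:
        findings.append("multiple real-time AV products: " + ", ".join(report["av_realtime"]))
    proxy = report["settings"].get("ProxyServer")
    if proxy:
        # A proxy the user did not configure is worth confirming before cleanup.
        findings.append(f"browser proxy set to {proxy}; verify it was set on purpose")
    for clsid in report["orphaned"]:
        findings.append(f"orphaned BHO/toolbar entry {clsid} (No File); leftover to remove")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_DDS):
        print("-", finding)
```

Running the script against the sample prints four findings: the AVG/avast! overlap that Syler asks the poster to resolve, the `0.0.0.0:80` proxy entry, and the two CLSIDs whose DLLs are gone. Pointing it at a real DDS log is a matter of reading the file instead of `SAMPLE_DDS`; the parser ignores every line shape it does not recognise, so the process and driver sections pass through harmlessly.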


#3 sgomez417

sgomez417
  • Topic Starter

  • Members
  • 9 posts
  • Local time:06:58 AM

Posted 18 July 2010 - 11:05 AM

OTL:
OTL logfile created on: 7/18/2010 4:49:56 PM - Run 1
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Documents and Settings\Me\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 60.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 80.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 56.89 Gb Total Space | 15.55 Gb Free Space | 27.34% Space Free | Partition Type: NTFS
Drive D: | 4.19 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: CDFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: WINDOWS
Current User Name: Me
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/07/18 16:48:11 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Me\Desktop\OTL.exe
PRC - [2010/07/18 00:19:29 | 000,014,808 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\plugin-container.exe
PRC - [2010/07/18 00:19:27 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/07/17 10:06:08 | 002,065,760 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgtray.exe
PRC - [2010/07/17 10:06:07 | 000,620,896 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgnsx.exe
PRC - [2010/07/17 10:06:07 | 000,515,424 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgrsx.exe
PRC - [2010/07/17 10:06:06 | 000,308,136 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe
PRC - [2010/07/17 10:05:40 | 000,921,440 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgemc.exe
PRC - [2010/07/17 10:05:39 | 001,101,152 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgchsvx.exe
PRC - [2010/07/17 10:05:39 | 000,723,296 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgcsrvx.exe
PRC - [2010/06/29 18:48:45 | 002,403,568 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
PRC - [2010/01/22 15:48:18 | 000,386,872 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jucheck.exe
PRC - [2009/09/30 20:58:42 | 000,026,464 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Contacts\wlcomm.exe
PRC - [2009/09/25 16:51:08 | 000,451,904 | ---- | M] () -- C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
PRC - [2008/10/13 21:14:24 | 000,431,408 | ---- | M] (Apple Inc.) -- C:\Program Files\Boot Camp\KbdMgr.exe
PRC - [2008/10/13 21:14:16 | 000,099,632 | ---- | M] (Apple Inc.) -- C:\WINDOWS\system32\AppleTimeSrv.exe
PRC - [2008/10/13 21:14:14 | 000,136,496 | ---- | M] () -- C:\WINDOWS\system32\AppleOSSMgr.exe
PRC - [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (SafeList) ==========

MOD - [2010/07/18 16:48:11 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Me\Desktop\OTL.exe
MOD - [2008/04/14 05:40:22 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - [2010/07/17 10:06:06 | 000,308,136 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgwdsvc.exe -- (avg9wd)
SRV - [2010/07/17 10:05:40 | 000,921,440 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgemc.exe -- (avg9emc)
SRV - [2009/10/07 05:31:18 | 000,035,144 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\Microsoft.NET\Framework\v4.0.21006\aspnet_state.exe -- (aspnet_state)
SRV - [2009/10/07 02:44:58 | 000,752,984 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\Microsoft.NET\Framework\v4.0.21006\WPF\WPFFontCache_v0400.exe -- (WPFFontCache_v0400)
SRV - [2009/10/07 02:44:58 | 000,129,856 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\WINDOWS\Microsoft.NET\Framework\v4.0.21006\mscorsvw.exe -- (clr_optimization_v4.0.21006_32)
SRV - [2009/10/07 02:44:58 | 000,124,224 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\Microsoft.NET\Framework\v4.0.21006\SMSvcHost.exe -- (NetTcpPortSharing)
SRV - [2009/09/25 16:51:08 | 000,451,904 | ---- | M] () [Auto | Running] -- C:\Program Files\Flip Video\FlipShare\FlipShareService.exe -- (FlipShare Service)
SRV - [2008/10/13 21:14:16 | 000,099,632 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\WINDOWS\system32\AppleTimeSrv.exe -- (AppleTimeSrv)
SRV - [2008/10/13 21:14:14 | 000,136,496 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\AppleOSSMgr.exe -- (AppleOSSMgr)


========== Driver Services (SafeList) ==========

DRV - [2010/07/17 10:06:08 | 000,243,024 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgtdix.sys -- (AvgTdiX)
DRV - [2010/07/17 10:06:07 | 000,029,584 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\avgmfx86.sys -- (AvgMfx86)
DRV - [2010/07/17 10:05:40 | 000,216,400 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgldx86.sys -- (AvgLdx86)
DRV - [2010/05/10 19:41:30 | 000,067,656 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010/03/30 17:34:39 | 000,037,920 | ---- | M] (RapidSolution Software AG) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tbhsd.sys -- (tbhsd)
DRV - [2010/02/17 19:25:48 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2010/01/18 10:39:18 | 000,691,696 | ---- | M] (Duplex Secure Ltd.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)
DRV - [2008/10/13 20:36:01 | 004,878,336 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2008/10/13 20:33:54 | 000,255,232 | ---- | M] (Marvell) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\yk51x86.sys -- (yukonwxp)
DRV - [2008/10/13 20:31:59 | 001,386,624 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2008/10/13 20:30:16 | 000,005,760 | ---- | M] (Apple Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\KeyAgent.sys -- (KeyAgent)
DRV - [2008/10/13 20:30:02 | 000,016,512 | ---- | M] (Apple Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\IRFilter.sys -- (IRRemoteFlt)
DRV - [2008/10/13 20:29:12 | 000,022,528 | ---- | M] (Apple Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\KeyMagic.sys -- (KeyMagic)
DRV - [2008/10/13 20:29:02 | 000,006,784 | ---- | M] (Apple Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\MacHALDriver.sys -- (MacHALDriver)
DRV - [2008/10/13 20:27:44 | 003,006,976 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2008/04/13 22:06:06 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2007/11/16 15:57:40 | 000,087,040 | ---- | M] (Novation Digital Music Systems Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nvnnio.sys -- (nvnnio)
DRV - [2005/03/03 18:53:57 | 000,048,640 | ---- | M] (Protection Technology) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\sfdrv01.sys -- (sfdrv01) StarForce Protection Environment Driver (version 1.x)
DRV - [2005/02/23 16:59:54 | 000,006,656 | ---- | M] (Protection Technology) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\sfhlp02.sys -- (sfhlp02) StarForce Protection Helper Driver (version 2.x)
DRV - [2004/12/03 11:20:41 | 000,020,544 | ---- | M] (Protection Technology) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\sfsync02.sys -- (sfsync02) StarForce Protection Synchronization Driver (version 2.x)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1409082233-1645522239-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1409082233-1645522239-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
IE - HKU\S-1-5-21-1409082233-1645522239-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 0.0.0.0:80

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.co.uk/"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.1.3
FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:9.0.0.812
FF - prefs.js..extensions.enabledItems: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.7.3
FF - prefs.js..extensions.enabledItems: {DDC359D1-844A-42a7-9AA1-88A850A938A8}:1.1.9
FF - prefs.js..extensions.enabledItems: facepad@lazyrussian.com:0.7.2
FF - prefs.js..extensions.enabledItems: {19503e42-ca3c-4c27-b1e2-9cdb2170ee34}:1.2.1.21
FF - prefs.js..extensions.enabledItems: {e4a8a97b-f2ed-450b-b12d-ee082ba24781}:0.8.20100408.6
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {AB2CE124-6272-4b12-94A9-7303C7397BD1}:4.2.0.5198

FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG9\Firefox [2010/06/11 09:47:22 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/07/18 00:19:34 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/07/18 00:19:34 | 000,000,000 | ---D | M]

[2010/02/03 15:37:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Me\Application Data\Mozilla\Extensions
[2010/02/03 15:37:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Me\Application Data\Mozilla\Extensions\mozswing@mozswing.org
[2010/07/18 00:05:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Me\Application Data\Mozilla\Firefox\Profiles\pa1khzec.default\extensions
[2010/04/29 17:51:04 | 000,000,000 | ---D | M] (FlashGot) -- C:\Documents and Settings\Me\Application Data\Mozilla\Firefox\Profiles\pa1khzec.default\extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}
[2010/04/29 17:51:05 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Documents and Settings\Me\Application Data\Mozilla\Firefox\Profiles\pa1khzec.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2010/01/16 05:21:33 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\Me\Application Data\Mozilla\Firefox\Profiles\pa1khzec.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010/04/08 19:41:14 | 000,000,000 | ---D | M] (DownThemAll!) -- C:\Documents and Settings\Me\Application Data\Mozilla\Firefox\Profiles\pa1khzec.default\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
[2010/06/10 22:20:26 | 000,000,000 | ---D | M] (Greasemonkey) -- C:\Documents and Settings\Me\Application Data\Mozilla\Firefox\Profiles\pa1khzec.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
[2010/04/29 17:51:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Me\Application Data\Mozilla\Firefox\Profiles\pa1khzec.default\extensions\facepad@lazyrussian.com
[2010/07/18 00:05:50 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/03/19 22:45:23 | 000,000,000 | ---D | M] (Skype extension for Firefox) -- C:\Program Files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}

O1 HOSTS File: ([2010/07/12 18:19:32 | 000,000,768 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 mpa.one.microsoft.com
O2 - BHO: (AskBar BHO) - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (Ask.com)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O3 - HKLM\..\Toolbar: (Foxit Toolbar) - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (Ask.com)
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKU\S-1-5-21-1409082233-1645522239-682003330-1003\..\Toolbar\WebBrowser: (Foxit Toolbar) - {3041D03E-FD4B-44E0-B742-2D9B88305F98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (Ask.com)
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\ALCMTR.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [Apple_KbdMgr] C:\Program Files\Boot Camp\KbdMgr.exe (Apple Inc.)
O4 - HKLM..\Run: [AVG9_TRAY] C:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKU\S-1-5-21-1409082233-1645522239-682003330-1003..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O4 - HKU\.DEFAULT..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10d.exe (Adobe Systems, Inc.)
O4 - HKU\S-1-5-18..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10d.exe (Adobe Systems, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1409082233-1645522239-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab (Checkers Class)
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab (Solitaire Showdown Class)
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} http://messenger.zone.msn.com/MessengerGam...1/GAME_UNO1.cab (UnoCtrl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab (MessengerStatsClient Class)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O24 - Desktop WallPaper: C:\Documents and Settings\Me\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Me\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/01/16 20:24:36 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2005/11/21 18:26:21 | 000,000,057 | R--- | M] () - D:\autorun.inf -- [ CDFS ]
O33 - MountPoints2\{f63a2fcd-22b5-11df-afc3-001b63965740}\Shell\AutoRun\command - "" = F:\Setup_FlipShare.exe -- File not found
O33 - MountPoints2\{f63a2fcd-22b5-11df-afc3-001b63965740}\Shell\Setup FlipShare\command - "" = F:\Setup_FlipShare.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: wmcmgc - File not found
NetSvcs: 6to4 - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found


Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.siren - C:\WINDOWS\System32\sirenacm.dll (Microsoft Corporation)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: MSVideo8 - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.3IV2 - C:\WINDOWS\System32\3ivxVfWCodec.dll (3ivx Technologies Pty. Ltd.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Drivers32: vidc.VP60 - C:\WINDOWS\system32\vp6vfw.dll (On2.com)
Drivers32: vidc.VP61 - C:\WINDOWS\system32\vp6vfw.dll (On2.com)

CREATERESTOREPOINT
Error starting restore point: System Restore is disabled.
Error closing restore point: System Restore is disabled.

========== Files/Folders - Created Within 30 Days ==========

[2010/07/18 16:48:03 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Me\Desktop\OTL.exe
[2010/07/17 18:13:37 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[2010/07/17 15:53:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Me\Application Data\ImTOO Software Studio
[2010/07/17 15:40:38 | 000,000,000 | ---D | C] -- C:\Program Files\Haali
[2010/07/17 10:06:07 | 000,012,536 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll
[2010/07/15 20:42:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Me\My Documents\My Videos
[2010/07/12 18:19:21 | 000,000,000 | ---D | C] -- C:\Program Files\Enigma Software Group
[2010/07/12 18:18:48 | 000,000,000 | ---D | C] -- C:\WINDOWS\4FC9DA9DF608454E8191D7EFFDCC5726.TMP
[2010/07/12 18:18:47 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2010/07/12 10:06:29 | 000,499,712 | ---- | C] (eSage Lab) -- C:\Documents and Settings\Me\Desktop\remover.exe
[2010/07/11 17:40:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Me\Application Data\SUPERAntiSpyware.com
[2010/07/11 17:40:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2010/07/11 17:40:44 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010/07/11 17:38:09 | 009,070,816 | ---- | C] (SUPERAntiSpyware.com) -- C:\Documents and Settings\Me\Desktop\SUPERAntiSpyware.exe
[2010/07/11 17:37:45 | 000,050,688 | ---- | C] (Atribune.org) -- C:\Documents and Settings\Me\Desktop\ATF-Cleaner.exe
[2010/07/11 17:19:05 | 006,153,352 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Me\Desktop\zztoy.exe.exe
[2010/07/11 15:59:30 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/07/11 15:57:38 | 000,000,000 | ---D | C] -- C:\Program Files\Alwil Software
[2010/07/11 15:57:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2010/07/11 15:54:40 | 000,043,904 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\sbp2port.sys
[2010/07/11 13:22:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Me\Application Data\Malwarebytes
[2010/07/11 13:22:42 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/07/11 13:22:38 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/07/11 13:22:38 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/07/11 13:22:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/07/11 12:18:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2010/07/11 12:18:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2010/07/10 20:34:57 | 000,000,000 | -H-D | C] -- C:\WINDOWS\PIF
[2010/07/05 18:13:58 | 000,000,000 | ---D | C] -- C:\Program Files\Bethesda Softworks
[2010/07/05 18:11:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Me\My Documents\My Games
[2010/06/28 09:05:32 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\madll
[2010/06/28 09:05:30 | 000,000,000 | ---D | C] -- C:\Program Files\Abdio
[2010/06/28 08:54:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Me\Local Settings\Application Data\OpenCandy
[2010/06/28 08:54:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Me\Application Data\OpenCandy
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/07/18 16:48:11 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Me\Desktop\OTL.exe
[2010/07/18 14:10:06 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Me\Local Settings\Application Data\prvlcl.dat
[2010/07/18 13:43:01 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/07/18 13:42:33 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/07/18 13:42:32 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/07/18 13:05:14 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\Me\Desktop\gmer.zip
[2010/07/18 13:04:11 | 009,437,184 | -H-- | M] () -- C:\Documents and Settings\Me\NTUSER.DAT
[2010/07/18 13:03:58 | 000,095,232 | ---- | M] () -- C:\Documents and Settings\Me\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/07/18 11:11:16 | 062,124,664 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2010/07/17 21:11:31 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Me\ntuser.ini
[2010/07/17 21:11:17 | 004,304,576 | -H-- | M] () -- C:\Documents and Settings\Me\Local Settings\Application Data\IconCache.db
[2010/07/17 10:06:08 | 000,243,024 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys
[2010/07/17 10:06:07 | 000,029,584 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgmfx86.sys
[2010/07/17 10:06:07 | 000,012,536 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll
[2010/07/17 10:05:40 | 000,216,400 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgldx86.sys
[2010/07/12 22:23:33 | 000,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010/07/12 21:21:18 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\Me\Desktop\dds.scr
[2010/07/12 21:08:05 | 000,000,020 | ---- | M] () -- C:\Documents and Settings\Me\defogger_reenable
[2010/07/12 21:07:00 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Me\Desktop\Defogger.exe
[2010/07/12 18:19:32 | 000,000,768 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/07/12 10:06:01 | 000,478,504 | ---- | M] () -- C:\Documents and Settings\Me\Desktop\bootkit_remover.rar
[2010/07/11 19:47:20 | 000,004,566 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/07/11 19:47:18 | 000,600,922 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/07/11 19:47:18 | 000,501,712 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/07/11 19:47:18 | 000,087,490 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/07/11 19:43:18 | 000,000,815 | ---- | M] () -- C:\Documents and Settings\Me\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2010/07/11 18:53:57 | 000,077,312 | ---- | M] () -- C:\mbr.exe
[2010/07/11 17:40:47 | 000,001,678 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/07/11 17:39:49 | 009,070,816 | ---- | M] (SUPERAntiSpyware.com) -- C:\Documents and Settings\Me\Desktop\SUPERAntiSpyware.exe
[2010/07/11 17:37:46 | 000,050,688 | ---- | M] (Atribune.org) -- C:\Documents and Settings\Me\Desktop\ATF-Cleaner.exe
[2010/07/11 17:19:16 | 006,153,352 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Me\Desktop\zztoy.exe.exe
[2010/07/11 10:47:23 | 000,000,023 | ---- | M] () -- C:\WINDOWS\BlendSettings.ini
[2010/07/05 18:24:18 | 000,001,805 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Oblivion.lnk
[2010/06/28 09:06:07 | 000,000,603 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/06/24 22:25:48 | 000,000,754 | ---- | M] () -- C:\WINDOWS\WORDPAD.INI
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/07/18 13:06:39 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Me\Desktop\gmer.exe
[2010/07/18 13:05:14 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\Me\Desktop\gmer.zip
[2010/07/12 21:21:12 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\Me\Desktop\dds.scr
[2010/07/12 21:07:58 | 000,000,020 | ---- | C] () -- C:\Documents and Settings\Me\defogger_reenable
[2010/07/12 21:07:00 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Me\Desktop\Defogger.exe
[2010/07/12 10:06:01 | 000,478,504 | ---- | C] () -- C:\Documents and Settings\Me\Desktop\bootkit_remover.rar
[2010/07/11 18:55:21 | 000,000,169 | ---- | C] () -- C:\Documents and Settings\Me\mbr.log
[2010/07/11 18:53:56 | 000,077,312 | ---- | C] () -- C:\mbr.exe
[2010/07/11 17:40:47 | 000,001,678 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/07/05 18:24:18 | 000,001,805 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Oblivion.lnk
[2010/04/28 11:59:55 | 000,000,023 | ---- | C] () -- C:\WINDOWS\BlendSettings.ini
[2010/03/17 23:36:57 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2009/11/25 13:40:50 | 000,085,504 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2009/03/02 11:33:32 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2008/02/19 07:33:34 | 000,446,352 | ---- | C] () -- C:\WINDOWS\System32\OpenQuicktimeLib.dll

========== Custom Scans ==========


< %systemroot%\system32\*.dll /lockedfiles >
[2008/04/14 05:41:52 | 000,033,280 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\cryptdll.dll
[2008/04/14 05:41:56 | 000,094,720 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\iphlpapi.dll
[2008/04/14 05:42:00 | 000,071,680 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\msacm32.dll
[2001/08/23 12:00:00 | 000,146,432 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\msls31.dll
[2008/04/14 00:00:48 | 000,061,440 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\msvcrt40.dll
[2008/04/14 05:42:04 | 000,237,056 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\rasapi32.dll
[2008/04/14 05:42:04 | 000,061,440 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\rasman.dll
[2008/04/14 05:42:06 | 000,433,664 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\riched20.dll
[2008/04/14 05:42:06 | 000,044,032 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\rtutils.dll
[2008/04/14 05:42:06 | 000,007,168 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\sensapi.dll
[2008/04/14 05:42:08 | 000,713,216 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\sxs.dll
[2008/04/14 05:42:08 | 000,181,760 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\tapi32.dll
[2008/04/14 05:42:12 | 000,022,528 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\wsock32.dll
[2008/04/13 23:09:26 | 002,897,920 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\xpsp2res.dll
[4 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2010/01/16 12:13:24 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2010/01/16 12:13:24 | 001,089,536 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2010/01/16 12:13:24 | 000,933,888 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\*. /mp /s >

< %SYSTEMDRIVE%\*.exe >
[2009/09/11 17:22:34 | 000,592,208 | ---- | M] (Microsoft Corporation) -- C:\install.exe
[2010/07/11 18:53:57 | 000,077,312 | ---- | M] () -- C:\mbr.exe

========== Alternate Data Streams ==========

@Alternate Data Stream - 60 bytes -> C:\WINDOWS\System32\xpssvcs.dll:AFP_AfpInfo
@Alternate Data Stream - 60 bytes -> C:\WINDOWS\System32\xpsshhdr.dll:AFP_AfpInfo
@Alternate Data Stream - 60 bytes -> C:\WINDOWS\System32\prntvpt.dll:AFP_AfpInfo
@Alternate Data Stream - 60 bytes -> C:\WINDOWS\System32\dllcache\xpssvcs.dll:AFP_AfpInfo
@Alternate Data Stream - 60 bytes -> C:\WINDOWS\System32\dllcache\xpsshhdr.dll:AFP_AfpInfo
@Alternate Data Stream - 60 bytes -> C:\WINDOWS\System32\dllcache\printfilterpipelinesvc.exe:AFP_AfpInfo
@Alternate Data Stream - 60 bytes -> C:\WINDOWS\System32\dllcache\filterpipelineprintproc.dll:AFP_AfpInfo
< End of report >


Extras:

OTL Extras logfile created on: 7/18/2010 4:49:56 PM - Run 1
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Documents and Settings\Me\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 60.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 80.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 56.89 Gb Total Space | 15.55 Gb Free Space | 27.34% Space Free | Partition Type: NTFS
Drive D: | 4.19 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: CDFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: WINDOWS
Current User Name: Me
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_USERS\S-1-5-21-1409082233-1645522239-682003330-1003\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htafile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"3724:TCP" = 3724:TCP:*:Enabled:Blizzard Downloader: 3724

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe" = C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\WINDOWS\system32\dpvsetup.exe" = C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe" = C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync -- (Microsoft Corporation)
"C:\Program Files\Codemasters\The Lord of the Rings Online\lotroclient.exe" = C:\Program Files\Codemasters\The Lord of the Rings Online\lotroclient.exe:*:Enabled:lotroclient -- File not found
"C:\Program Files\Spotify\spotify.exe" = C:\Program Files\Spotify\spotify.exe:*:Enabled:Spotify -- (Spotify Ltd)
"C:\Documents and Settings\Me\Local Settings\Temp\Blizzard Installer Bootstrap - 0bab6996\Installer.exe" = C:\Documents and Settings\Me\Local Settings\Temp\Blizzard Installer Bootstrap - 0bab6996\Installer.exe:*:Enabled:Blizzard Installer -- File not found
"C:\Program Files\World of Warcraft\Launcher.exe" = C:\Program Files\World of Warcraft\Launcher.exe:*:Enabled:Blizzard Launcher -- File not found
"C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)
"C:\Program Files\AVG\AVG9\avgemc.exe" = C:\Program Files\AVG\AVG9\avgemc.exe:*:Enabled:avgemc.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG9\avgupd.exe" = C:\Program Files\AVG\AVG9\avgupd.exe:*:Enabled:avgupd.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG9\avgnsx.exe" = C:\Program Files\AVG\AVG9\avgnsx.exe:*:Enabled:avgnsx.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Documents and Settings\Me\My Documents\Downloads\utorrent.exe" = C:\Documents and Settings\Me\My Documents\Downloads\utorrent.exe:*:Enabled:µTorrent -- File not found


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
"{155B57B6-FCD8-4852-A02B-5D0F5CAF63B5}_is1" = Novation nio VST Plug-In 1.1
"{178832DE-9DE0-4C87-9F82-9315A9B03985}" = Windows Live Writer
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83216017FF}" = Java™ 6 Update 17
"{2D9F8079-7D50-3EFD-B3BD-ED642E4EE756}" = Microsoft Visual Basic PowerPacks 10.0
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35CB6715-41F8-4F99-8881-6FC75BF054B0}" = Oblivion
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{415EEB9A-4D86-431E-B07E-2A9A2911D4EF}" = FacebookAgentSetup
"{43DCF766-6838-4F9A-8C91-D92DA586DFA8}" = Microsoft Windows Journal Viewer
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{4AB60DF3-DB89-928C-023E-4001C28A49BF}" = FlipShare
"{57EC5BFE-7CB7-3057-8385-C9D72918511C}" = Microsoft .NET Framework 4 Client Profile Beta 2
"{6412CECE-8172-4BE5-935B-6CECACD2CA87}" = Windows Live Mail
"{65DC4C06-95ED-4AD2-98CE-BEB82D47F84C}" = Vidalia 0.2.7
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6E405B40-3879-3C9B-9286-8D5E71258C35}" = Microsoft .NET Framework 4 Extended Beta 2
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{81063354-9060-42B2-A000-1EBE96778AA9}" = iTunes
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}" = Windows Live Sync
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{981029E0-7FC9-4CF3-AB39-6F133621921A}" = Skype Toolbars
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{A8D647C8-65AC-409F-B7B2-3C0FEE1A32F2}" = PixiePack Codec Pack
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.2
"{D6C75F0B-3BC1-4FC9-B8C5-3F7E8ED059CA}" = Windows Live Photo Gallery
"{E2DFE069-083E-4631-9B6C-43C48E991DE5}" = Junk Mail filter update
"{ED00D08A-3C5F-488D-93A0-A04F21F23956}" = Windows Live Communications Platform
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F0E2B312-D7FD-4349-A9B6-E90B36DB1BD0}" = Paint.NET v3.5.5
"{F0E45628-1218-4865-A516-8E8A54272ADC}" = Boot Camp Services
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"18BB9B0552BA675902E31409A34F929D9C9AD56C" = Windows Driver Package - Intel (e1express) Net (04/03/2006 9.3.39.0)
"3ivx MPEG-4 5.0.3" = 3ivx MPEG-4 5.0.3 (remove only)
"4D00971668041EDAD7097C5827D1739F03B9E5D7" = Windows Driver Package - Apple Inc. Apple IR Receiver (02/21/2008 2.0.4.0)
"6AB59209597E0F6B986EC8E976521FDF0A696C9D" = Windows Driver Package - Marvell (yukonwxp) Net (03/23/2007 10.12.7.3)
"7-Zip" = 7-Zip 4.65
"80087CDF19A4CE2FBB535E7DC99A0E50FFA25589" = Windows Driver Package - Intel (E1000) Net (01/06/2006 8.6.17.0)
"82BE89CA9B7493FA05D2D4D32B415CF07EA08B47" = Windows Driver Package - Intel System (07/20/2007 1.2.76.0)
"9324ED54E32F5399037F87E076CA01C6CEB92830" = Windows Driver Package - Apple Inc. Apple Built-in iSight (10/25/2007 2.0.1.0)
"992615C0D0002C27AA3BB336C66D1E7764047A51" = Windows Driver Package - Apple Inc. Apple Trackpad (10/09/2007 2.0.1.5)
"9A38D5642E3C7E0E4801C4C2C2B36C18C98A7FAC" = Windows Driver Package - Broadcom (BCM43XX) Net (09/10/2008 5.10.38.14)
"Abdio Free MOV Player (Free)" = Abdio Free MOV Player (Free)
"AD3493E108434977125BBF78F47699626F8AF64B" = Windows Driver Package - Apple Inc. (AppleUSBEthernet) Net (01/11/2008 3.4.3.18)
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Ask Toolbar_is1" = Foxit Toolbar
"ATI Display Driver" = ATI Display Driver
"Audacity_is1" = Audacity 1.2.6
"AVG9Uninstall" = AVG Free 9.0
"B4AC4F962DDC0DD6B71FCF20B8F2F694214FAE69" = Windows Driver Package - Apple Inc. Apple ODD (01/17/2008 2.0.2.2)
"BE5EA125D85C1DA16871E1E6BC4671CD650147E1" = Windows Driver Package - Apple Inc. (applebt) Bluetooth (09/15/2008 2.1.2.0)
"CE031DF97C704035E8B6E570362ABD337ACA4BA5" = Windows Driver Package - Atheros (AR5211) Net (04/05/2007 5.3.0.35)
"D1E46C4F35C591B14E31349A9EDA8227C5F0E966" = Windows Driver Package - Apple Inc. Apple Trackpad Enabler (10/09/2007 2.0.1.5)
"D3BCC671821E117ACD653C1AA146540791143F25" = Windows Driver Package - Apple Inc. Apple Display (12/19/2007 2.0.2.0)
"D66D0ACEFE4E32CCDF30362ACBB3EAEFB97E9FDE" = Windows Driver Package - Atheros (AR5416) Net (06/26/2007 6.0.3.94)
"F24CB85E5983448F6319803791DEACED91E6565B" = Windows Driver Package - Apple Inc. System (08/22/2008 2.1.1.1)
"FE6C13AFE350660993DCE88716B777EF0BCB2C91" = Windows Driver Package - Apple Inc. Apple Keyboard (09/15/2008 2.1.2.0)
"FileSplitter_is1" = File Splitter v1.0
"HijackThis" = HijackThis 2.0.2
"jujuedit" = JujuEdit 1.44
"LAME for Audacity_is1" = LAME v3.98.2 for Audacity
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile Beta 2" = Microsoft .NET Framework 4 Client Profile Beta 2
"Microsoft .NET Framework 4 Extended Beta 2" = Microsoft .NET Framework 4 Extended Beta 2
"Mozilla Firefox (3.6.6)" = Mozilla Firefox (3.6.6)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"Novation nio_is1" = Novation nio 1.1
"Novation USB Audio Driver_is1" = Novation USB Audio Driver 1.1.7
"NVIDIA Drivers" = NVIDIA Drivers
"Oblivion mod manager_is1" = Oblivion mod manager 1.1.12
"uTorrent" = µTorrent
"VLC media player" = VLC media player 1.0.3
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"World of Warcraft" = World of Warcraft
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1409082233-1645522239-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"b7c0bad11b91039e" = Album Downloader

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 5/21/2010 11:26:30 AM | Computer Name = WINDOWS | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 6.0.2900.5512, faulting
module urlmon.dll, version 6.0.2900.5897, fault address 0x0003e55b.

Error - 5/21/2010 11:43:40 AM | Computer Name = WINDOWS | Source = WindowsLiveMessenger | ID = 15728647
Description =

Error - 5/21/2010 11:43:40 AM | Computer Name = WINDOWS | Source = WindowsLiveMessenger | ID = 15728647
Description =

Error - 5/21/2010 2:07:49 PM | Computer Name = WINDOWS | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 6.0.2900.5512, faulting
module urlmon.dll, version 6.0.2900.5897, fault address 0x0003e55b.

Error - 5/24/2010 9:42:33 AM | Computer Name = WINDOWS | Source = WindowsLiveMessenger | ID = 15728647
Description =

Error - 5/24/2010 9:42:33 AM | Computer Name = WINDOWS | Source = WindowsLiveMessenger | ID = 15728647
Description =

Error - 5/30/2010 6:40:44 PM | Computer Name = WINDOWS | Source = WindowsLiveMessenger | ID = 15728647
Description =

Error - 5/30/2010 6:40:44 PM | Computer Name = WINDOWS | Source = WindowsLiveMessenger | ID = 15728647
Description =

Error - 5/31/2010 7:24:57 AM | Computer Name = WINDOWS | Source = WindowsLiveMessenger | ID = 15728647
Description =

Error - 5/31/2010 7:24:57 AM | Computer Name = WINDOWS | Source = WindowsLiveMessenger | ID = 15728647
Description =

[ System Events ]
Error - 7/12/2010 7:53:58 PM | Computer Name = WINDOWS | Source = Service Control Manager | ID = 7034
Description = The FlipShare Service service terminated unexpectedly. It has done
this 1 time(s).

Error - 7/13/2010 9:36:37 AM | Computer Name = WINDOWS | Source = Service Control Manager | ID = 7034
Description = The iPod Service service terminated unexpectedly. It has done this
1 time(s).

Error - 7/13/2010 9:36:37 AM | Computer Name = WINDOWS | Source = Service Control Manager | ID = 7034
Description = The FlipShare Service service terminated unexpectedly. It has done
this 1 time(s).

Error - 7/14/2010 6:34:27 AM | Computer Name = WINDOWS | Source = BROWSER | ID = 8032
Description = The browser service has failed to retrieve the backup list too many
times on transport \Device\NetBT_Tcpip_{C70DCEB1-CF93-4FD7-B827-B925DB6D14BF}. The
backup browser is stopping.

Error - 7/15/2010 8:15:42 AM | Computer Name = WINDOWS | Source = Service Control Manager | ID = 7034
Description = The WebClient service terminated unexpectedly. It has done this 1
time(s).

Error - 7/17/2010 8:49:50 PM | Computer Name = WINDOWS | Source = Service Control Manager | ID = 7034
Description = The FlipShare Service service terminated unexpectedly. It has done
this 1 time(s).

Error - 7/18/2010 8:35:15 AM | Computer Name = WINDOWS | Source = DCOM | ID = 10010
Description = The server {B2B3C70A-B20F-40B7-90C5-EA7E946C16E0} did not register
with DCOM within the required timeout.

Error - 7/18/2010 8:37:15 AM | Computer Name = WINDOWS | Source = DCOM | ID = 10010
Description = The server {B2B3C70A-B20F-40B7-90C5-EA7E946C16E0} did not register
with DCOM within the required timeout.

Error - 7/18/2010 11:50:09 AM | Computer Name = WINDOWS | Source = SRService | ID = 104
Description = The System Restore initialization process failed.

Error - 7/18/2010 11:50:09 AM | Computer Name = WINDOWS | Source = Service Control Manager | ID = 7023
Description = The System Restore Service service terminated with the following error:
%%2


< End of report >

MBR:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: error reading MBR
kernel: MBR read successfully


#4 syler
  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 18 July 2010 - 04:57 PM

Please download MBRCheck and save it to your computer.
  • Double click on MBRCheck.exe to run it.
  • When it's done press enter to exit.
  • Then please post the log it produced MBRCheck_(time+date).txt



#5 sgomez417
  • Topic Starter
  • Members
  • 9 posts

Posted 18 July 2010 - 05:13 PM

Hi Syler, thanks for the responses.


MBRCheck, version 1.1.1
© 2010, AD

\\.\C: --> \\.\PhysicalDrive0

Size    Device Name          MBR Status
--------------------------------------------
298 GB  \\.\PhysicalDrive0   Known-bad MBR code detected (Whistler / Black Internet)!

Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.

Enter your choice:
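The following is an added example (my own code, not MBRCheck's and not posted in the thread) of the check behind the verdict above and of what option [2] does. It takes a 512-byte MBR image such as option [1] dumps, verifies the 55AA boot signature, parses the four partition entries, compares the 440-byte boot-code region against a reference image, and, for repair, rebuilds the image with the reference boot code while keeping the disk signature and partition table. The reference and sample images are constructed stand-ins, not real Windows XP boot code, the partition values are made up, and nothing is ever written to a disk. One caveat a practitioner should keep in mind: the comparison is only as trustworthy as the dump, and the earlier mbr.exe output on this machine shows the user-mode read of the MBR failing while the kernel read succeeded, so where possible take the dump from a clean boot environment rather than from the live system.

```python
"""Inspect a raw 512-byte MBR image and compare its boot code with a reference.

Added example for this thread; it is not MBRCheck's code. The reference and
sample MBR bytes are constructed for the demo and are not real Windows XP
boot code.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

MBR_SIZE = 512
BOOT_CODE_LEN = 440         # offsets 0..439 hold the boot code (classic layout)
PART_TABLE_OFF = 446        # four 16-byte partition entries start here
BOOT_SIG = b"\x55\xAA"      # required at offsets 510..511
ENTRY_FMT = "<BBBBBBBBII"   # status, CHS start(3), type, CHS end(3), LBA start, sectors


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int


def parse_partitions(mbr: bytes) -> List[Partition]:
    """Return the non-empty entries of the partition table."""
    parts = []
    for i in range(4):
        fields = struct.unpack_from(ENTRY_FMT, mbr, PART_TABLE_OFF + 16 * i)
        status, ptype, lba, count = fields[0], fields[4], fields[8], fields[9]
        if ptype != 0:                       # type 0 marks an unused slot
            parts.append(Partition(i, status == 0x80, ptype, lba, count))
    return parts


def first_difference(a: bytes, b: bytes) -> Optional[int]:
    """Offset of the first byte where two boot-code regions differ, or None."""
    for off, (x, y) in enumerate(zip(a[:BOOT_CODE_LEN], b[:BOOT_CODE_LEN])):
        if x != y:
            return off
    return None


def check_mbr(mbr: bytes, reference: bytes) -> Dict:
    """Compare an MBR image against known-good boot code, MBRCheck-style.

    Only the boot-code region is compared; the disk signature and partition
    table legitimately differ from machine to machine.
    """
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR image must be exactly 512 bytes")
    findings = []
    if mbr[510:512] != BOOT_SIG:
        findings.append("boot signature 55AA missing")
    diff = first_difference(mbr, reference)
    if diff is not None:
        findings.append(f"boot code differs from reference at offset {diff}")
    parts = parse_partitions(mbr)
    if sum(1 for p in parts if p.bootable) != 1:
        findings.append("expected exactly one active partition")
    return {
        "clean": not findings,
        "findings": findings,
        "first_diff": diff,
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": parts,
    }


def restore_boot_code(mbr: bytes, reference: bytes) -> bytes:
    """Rebuild the image with the reference boot code, keeping the disk
    signature and partition table. This is the in-memory half of a
    'restore standard boot code' repair; writing it back is not done here."""
    return reference[:BOOT_CODE_LEN] + mbr[BOOT_CODE_LEN:]


# ---- constructed sample data (not captured from a real disk) ----
def _entry(bootable: bool, ptype: int, lba: int, count: int) -> bytes:
    chs = (0xFE, 0xFF, 0xFF)                 # CHS fields unused on LBA disks
    return struct.pack(ENTRY_FMT, 0x80 if bootable else 0x00, *chs, ptype, *chs, lba, count)


def _build_mbr(boot_code: bytes, entries: List[bytes]) -> bytes:
    table = b"".join(entries) + b"\x00" * (16 * (4 - len(entries)))
    disk_sig = b"\x12\x34\x56\x78"           # arbitrary NT disk signature
    return boot_code + disk_sig + b"\x00\x00" + table + BOOT_SIG


# Stand-in for clean boot code: a common x86 prologue followed by padding.
REFERENCE_BOOT = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * (BOOT_CODE_LEN - 7)
# Stand-in for a hijacked MBR: the entry point is redirected elsewhere.
HIJACKED_BOOT = b"\xEA\x00\x00\x00\x00" + REFERENCE_BOOT[5:]

SAMPLE_CLEAN = _build_mbr(REFERENCE_BOOT, [_entry(True, 0x07, 63, 119_000_000)])
SAMPLE_INFECTED = _build_mbr(HIJACKED_BOOT, [_entry(True, 0x07, 63, 119_000_000)])

if __name__ == "__main__":
    for name, img in (("clean", SAMPLE_CLEAN), ("infected", SAMPLE_INFECTED)):
        r = check_mbr(img, REFERENCE_BOOT)
        print(name, "OK" if r["clean"] else r["findings"])
    repaired = restore_boot_code(SAMPLE_INFECTED, REFERENCE_BOOT)
    print("repaired", check_mbr(repaired, REFERENCE_BOOT)["clean"])
```

Run as a script it prints the verdict for both constructed images and confirms the repaired image passes. To use it on a real dump, read the file MBRCheck wrote with open(path, "rb").read() and supply as the reference a dump taken from a known-clean disk running the same Windows version; the boot_code_sha256 value is convenient for keeping a small list of such known-good hashes.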

#6 syler
  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 18 July 2010 - 05:20 PM

Hi, and you're welcome :)

That's the bugger we were looking for. Please do the following.
  • Double click on MBRCheck.exe to run it.
  • Type Y then hit enter, to show the options.
  • Type 2 then hit enter, to restore the MBR.
  • When asked for the physical number to fix, type 0 then press enter.
  • When asked to select the MBR to write, type 0 then press enter.
  • Then type yes and press enter to write the new code.

Then reboot your computer, once it's restarted run MBRCheck again as first instructed and post the new log.

Edited by syler, 18 July 2010 - 05:24 PM.



#7 sgomez417
  • Topic Starter
  • Members
  • 9 posts

Posted 18 July 2010 - 05:40 PM

MBRCheck, version 1.1.1
© 2010, AD

\\.\C: --> \\.\PhysicalDrive0

Size    Device Name          MBR Status
--------------------------------------------
298 GB  \\.\PhysicalDrive0   Windows XP MBR code detected



#8 syler
  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 19 July 2010 - 08:30 PM

Hi, sorry for the delay in my reply. Please can you tell me how the computer is running now and if you are having any more problems.


Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    CODE
    :OTL
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
    O4 - HKLM..\Run: [KernelFaultCheck] File not found
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    [2010/07/12 18:18:48 | 000,000,000 | ---D | C] -- C:\WINDOWS\4FC9DA9DF608454E8191D7EFFDCC5726.TMP
    :Reg
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
    "EnableFirewall"=dword:00000001
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall"=dword:00000001
    :Commands
    [Resethosts]
    [emptytemp]
    [emptyflash]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • You will get a log that shows the results of the fix. Please post it.
  • Then also run a new OTL scan without the bold text, and post the new OTL log.



Download and Run Rooter SD

Please download Rooter.exe and save it to your desktop
  • Double-click it to start the tool. If you are using Vista, please right-click and choose Run As Administrator...
  • Allow it to run when you get a Security Warning.
  • At the main control page, please click the green button.
  • It will now begin to scan, please be patient. The scan should not take more than 3 minutes
  • A Notepad file containing the report will open soon. It can also be found at %systemdrive%\Rooter$\Rooter_1.txt
  • Now push the button to close Rooter.
  • Please post the contents of that log file here in your next reply.


Then please post back here with the following logs:
  • OTL results
  • New OTL log
  • Rooter_1.txt

Thanks



#9 sgomez417
  • Topic Starter
  • Members
  • 9 posts

Posted 20 July 2010 - 04:12 PM

Hi, that improved it a lot, thanks. No sound cuts/adverts/Internet Explorer opening.
But there's still something, I think, and I just got a blue screen.

OTL:
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{CCC7A320-B3CA-4199-B1A6-9F516DD69829} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\KernelFaultCheck not found.
Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
C:\WINDOWS\Downloaded Program Files\gp.inf not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
C:\WINDOWS\4FC9DA9DF608454E8191D7EFFDCC5726.TMP folder moved successfully.
Folder EY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]\ not found.
File EY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] not found.
File sethosts] not found.
File ptytemp] not found.
File ptyflash] not found.

New OTL:
OTL logfile created on: 7/20/2010 3:51:21 PM - Run 2
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Documents and Settings\Me\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 60.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 80.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 56.89 Gb Total Space | 15.25 Gb Free Space | 26.80% Space Free | Partition Type: NTFS
Drive D: | 4.19 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: CDFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: WINDOWS
Current User Name: Me
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/07/18 16:48:11 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Me\Desktop\OTL.exe
PRC - [2010/07/18 00:19:29 | 000,014,808 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\plugin-container.exe
PRC - [2010/07/18 00:19:27 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/07/17 10:06:08 | 002,065,760 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgtray.exe
PRC - [2010/07/17 10:06:07 | 000,620,896 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgnsx.exe
PRC - [2010/07/17 10:06:07 | 000,515,424 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgrsx.exe
PRC - [2010/07/17 10:06:06 | 000,308,136 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe
PRC - [2010/07/17 10:05:40 | 000,921,440 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgemc.exe
PRC - [2010/07/17 10:05:39 | 001,101,152 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgchsvx.exe
PRC - [2010/07/17 10:05:39 | 000,723,296 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgcsrvx.exe
PRC - [2010/06/29 18:48:45 | 002,403,568 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
PRC - [2010/01/22 15:48:18 | 000,386,872 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jucheck.exe
PRC - [2009/11/24 12:32:22 | 000,234,792 | ---- | M] (Skype Technologies S.A.) -- C:\Program Files\Skype\Toolbars\Shared\SkypeNames2.exe
PRC - [2009/09/30 20:58:42 | 000,026,464 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Contacts\wlcomm.exe
PRC - [2009/09/25 16:51:08 | 000,451,904 | ---- | M] () -- C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
PRC - [2008/10/13 21:14:24 | 000,431,408 | ---- | M] (Apple Inc.) -- C:\Program Files\Boot Camp\KbdMgr.exe
PRC - [2008/10/13 21:14:16 | 000,099,632 | ---- | M] (Apple Inc.) -- C:\WINDOWS\system32\AppleTimeSrv.exe
PRC - [2008/10/13 21:14:14 | 000,136,496 | ---- | M] () -- C:\WINDOWS\system32\AppleOSSMgr.exe
PRC - [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (SafeList) ==========

MOD - [2010/07/18 16:48:11 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Me\Desktop\OTL.exe
MOD - [2008/04/14 05:40:22 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - [2010/07/17 10:06:06 | 000,308,136 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgwdsvc.exe -- (avg9wd)
SRV - [2010/07/17 10:05:40 | 000,921,440 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgemc.exe -- (avg9emc)
SRV - [2009/10/07 05:31:18 | 000,035,144 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\Microsoft.NET\Framework\v4.0.21006\aspnet_state.exe -- (aspnet_state)
SRV - [2009/10/07 02:44:58 | 000,752,984 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\Microsoft.NET\Framework\v4.0.21006\WPF\WPFFontCache_v0400.exe -- (WPFFontCache_v0400)
SRV - [2009/10/07 02:44:58 | 000,129,856 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\WINDOWS\Microsoft.NET\Framework\v4.0.21006\mscorsvw.exe -- (clr_optimization_v4.0.21006_32)
SRV - [2009/10/07 02:44:58 | 000,124,224 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\Microsoft.NET\Framework\v4.0.21006\SMSvcHost.exe -- (NetTcpPortSharing)
SRV - [2009/09/25 16:51:08 | 000,451,904 | ---- | M] () [Auto | Running] -- C:\Program Files\Flip Video\FlipShare\FlipShareService.exe -- (FlipShare Service)
SRV - [2008/10/13 21:14:16 | 000,099,632 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\WINDOWS\system32\AppleTimeSrv.exe -- (AppleTimeSrv)
SRV - [2008/10/13 21:14:14 | 000,136,496 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\AppleOSSMgr.exe -- (AppleOSSMgr)


========== Driver Services (SafeList) ==========

DRV - [2010/07/17 10:06:08 | 000,243,024 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgtdix.sys -- (AvgTdiX)
DRV - [2010/07/17 10:06:07 | 000,029,584 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\avgmfx86.sys -- (AvgMfx86)
DRV - [2010/07/17 10:05:40 | 000,216,400 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgldx86.sys -- (AvgLdx86)
DRV - [2010/05/10 19:41:30 | 000,067,656 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010/03/30 17:34:39 | 000,037,920 | ---- | M] (RapidSolution Software AG) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tbhsd.sys -- (tbhsd)
DRV - [2010/02/17 19:25:48 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2010/01/18 10:39:18 | 000,691,696 | ---- | M] (Duplex Secure Ltd.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)
DRV - [2008/10/13 20:36:01 | 004,878,336 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2008/10/13 20:33:54 | 000,255,232 | ---- | M] (Marvell) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\yk51x86.sys -- (yukonwxp)
DRV - [2008/10/13 20:31:59 | 001,386,624 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2008/10/13 20:30:16 | 000,005,760 | ---- | M] (Apple Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\KeyAgent.sys -- (KeyAgent)
DRV - [2008/10/13 20:30:02 | 000,016,512 | ---- | M] (Apple Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\IRFilter.sys -- (IRRemoteFlt)
DRV - [2008/10/13 20:29:12 | 000,022,528 | ---- | M] (Apple Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\KeyMagic.sys -- (KeyMagic)
DRV - [2008/10/13 20:29:02 | 000,006,784 | ---- | M] (Apple Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\MacHALDriver.sys -- (MacHALDriver)
DRV - [2008/10/13 20:27:44 | 003,006,976 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2008/04/13 22:06:06 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2007/11/16 15:57:40 | 000,087,040 | ---- | M] (Novation Digital Music Systems Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nvnnio.sys -- (nvnnio)
DRV - [2005/03/03 18:53:57 | 000,048,640 | ---- | M] (Protection Technology) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\sfdrv01.sys -- (sfdrv01) StarForce Protection Environment Driver (version 1.x)
DRV - [2005/02/23 16:59:54 | 000,006,656 | ---- | M] (Protection Technology) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\sfhlp02.sys -- (sfhlp02) StarForce Protection Helper Driver (version 2.x)
DRV - [2004/12/03 11:20:41 | 000,020,544 | ---- | M] (Protection Technology) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\sfsync02.sys -- (sfsync02) StarForce Protection Synchronization Driver (version 2.x)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 0.0.0.0:80

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.co.uk/"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.1.3
FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:9.0.0.812
FF - prefs.js..extensions.enabledItems: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.7.3
FF - prefs.js..extensions.enabledItems: {DDC359D1-844A-42a7-9AA1-88A850A938A8}:1.1.9
FF - prefs.js..extensions.enabledItems: facepad@lazyrussian.com:0.7.2
FF - prefs.js..extensions.enabledItems: {19503e42-ca3c-4c27-b1e2-9cdb2170ee34}:1.2.1.21
FF - prefs.js..extensions.enabledItems: {e4a8a97b-f2ed-450b-b12d-ee082ba24781}:0.8.20100408.6
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {AB2CE124-6272-4b12-94A9-7303C7397BD1}:4.2.0.5198

FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG9\Firefox [2010/06/11 09:47:22 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/07/18 00:19:34 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/07/18 00:19:34 | 000,000,000 | ---D | M]

[2010/02/03 15:37:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Me\Application Data\Mozilla\Extensions
[2010/02/03 15:37:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Me\Application Data\Mozilla\Extensions\mozswing@mozswing.org
[2010/07/20 00:17:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Me\Application Data\Mozilla\Firefox\Profiles\pa1khzec.default\extensions
[2010/04/29 17:51:04 | 000,000,000 | ---D | M] (FlashGot) -- C:\Documents and Settings\Me\Application Data\Mozilla\Firefox\Profiles\pa1khzec.default\extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}
[2010/04/29 17:51:05 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Documents and Settings\Me\Application Data\Mozilla\Firefox\Profiles\pa1khzec.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2010/01/16 05:21:33 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\Me\Application Data\Mozilla\Firefox\Profiles\pa1khzec.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010/04/08 19:41:14 | 000,000,000 | ---D | M] (DownThemAll!) -- C:\Documents and Settings\Me\Application Data\Mozilla\Firefox\Profiles\pa1khzec.default\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
[2010/06/10 22:20:26 | 000,000,000 | ---D | M] (Greasemonkey) -- C:\Documents and Settings\Me\Application Data\Mozilla\Firefox\Profiles\pa1khzec.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
[2010/04/29 17:51:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Me\Application Data\Mozilla\Firefox\Profiles\pa1khzec.default\extensions\facepad@lazyrussian.com
[2010/07/20 00:17:00 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/03/19 22:45:23 | 000,000,000 | ---D | M] (Skype extension for Firefox) -- C:\Program Files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}

O1 HOSTS File: ([2010/07/12 18:19:32 | 000,000,768 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 mpa.one.microsoft.com
O2 - BHO: (AskBar BHO) - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (Ask.com)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
O3 - HKLM\..\Toolbar: (Foxit Toolbar) - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (Ask.com)
O3 - HKCU\..\Toolbar\WebBrowser: (Foxit Toolbar) - {3041D03E-FD4B-44E0-B742-2D9B88305F98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (Ask.com)
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\ALCMTR.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [Apple_KbdMgr] C:\Program Files\Boot Camp\KbdMgr.exe (Apple Inc.)
O4 - HKLM..\Run: [AVG9_TRAY] C:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab (Checkers Class)
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab (Solitaire Showdown Class)
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} http://messenger.zone.msn.com/MessengerGam...1/GAME_UNO1.cab (UnoCtrl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab (MessengerStatsClient Class)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O24 - Desktop WallPaper: C:\Documents and Settings\Me\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Me\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/01/16 20:24:36 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2005/11/21 18:26:21 | 000,000,057 | R--- | M] () - D:\autorun.inf -- [ CDFS ]
O33 - MountPoints2\{f63a2fcd-22b5-11df-afc3-001b63965740}\Shell\AutoRun\command - "" = F:\Setup_FlipShare.exe -- File not found
O33 - MountPoints2\{f63a2fcd-22b5-11df-afc3-001b63965740}\Shell\Setup FlipShare\command - "" = F:\Setup_FlipShare.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/07/20 15:26:37 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/07/18 16:48:03 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Me\Desktop\OTL.exe
[2010/07/17 18:13:37 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[2010/07/17 15:53:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Me\Application Data\ImTOO Software Studio
[2010/07/17 15:40:38 | 000,000,000 | ---D | C] -- C:\Program Files\Haali
[2010/07/17 10:06:07 | 000,012,536 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll
[2010/07/15 20:42:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Me\My Documents\My Videos
[2010/07/12 18:19:21 | 000,000,000 | ---D | C] -- C:\Program Files\Enigma Software Group
[2010/07/12 18:18:47 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2010/07/12 10:06:29 | 000,499,712 | ---- | C] (eSage Lab) -- C:\Documents and Settings\Me\Desktop\remover.exe
[2010/07/11 17:40:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Me\Application Data\SUPERAntiSpyware.com
[2010/07/11 17:40:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2010/07/11 17:40:44 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010/07/11 17:38:09 | 009,070,816 | ---- | C] (SUPERAntiSpyware.com) -- C:\Documents and Settings\Me\Desktop\SUPERAntiSpyware.exe
[2010/07/11 17:37:45 | 000,050,688 | ---- | C] (Atribune.org) -- C:\Documents and Settings\Me\Desktop\ATF-Cleaner.exe
[2010/07/11 17:19:05 | 006,153,352 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Me\Desktop\zztoy.exe.exe
[2010/07/11 15:59:30 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/07/11 15:57:38 | 000,000,000 | ---D | C] -- C:\Program Files\Alwil Software
[2010/07/11 15:57:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2010/07/11 15:54:40 | 000,043,904 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\sbp2port.sys
[2010/07/11 13:22:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Me\Application Data\Malwarebytes
[2010/07/11 13:22:42 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/07/11 13:22:38 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/07/11 13:22:38 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/07/11 13:22:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/07/11 12:18:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2010/07/11 12:18:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2010/07/10 20:34:57 | 000,000,000 | -H-D | C] -- C:\WINDOWS\PIF
[2010/07/05 18:13:58 | 000,000,000 | ---D | C] -- C:\Program Files\Bethesda Softworks
[2010/07/05 18:11:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Me\My Documents\My Games
[2010/06/28 09:05:32 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\madll
[2010/06/28 09:05:30 | 000,000,000 | ---D | C] -- C:\Program Files\Abdio
[2010/06/28 08:54:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Me\Local Settings\Application Data\OpenCandy
[2010/06/28 08:54:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Me\Application Data\OpenCandy
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/07/20 15:28:40 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/07/20 15:27:52 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/07/20 15:27:51 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/07/20 15:26:54 | 009,699,328 | -H-- | M] () -- C:\Documents and Settings\Me\NTUSER.DAT
[2010/07/20 15:26:48 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Me\ntuser.ini
[2010/07/20 15:25:32 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Me\Local Settings\Application Data\prvlcl.dat
[2010/07/20 10:29:21 | 062,233,142 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2010/07/19 23:55:17 | 000,020,359 | ---- | M] () -- C:\Documents and Settings\Me\My Documents\33azzpe.jpg
[2010/07/19 23:50:37 | 000,015,117 | ---- | M] () -- C:\Documents and Settings\Me\My Documents\dldl3.jpg
[2010/07/19 23:01:05 | 000,250,440 | ---- | M] () -- C:\Documents and Settings\Me\My Documents\65263000.jpg
[2010/07/19 23:00:53 | 000,112,361 | ---- | M] () -- C:\Documents and Settings\Me\My Documents\lulzg.jpg
[2010/07/19 22:57:34 | 000,010,462 | ---- | M] () -- C:\Documents and Settings\Me\My Documents\bear.jpg
[2010/07/19 22:42:37 | 000,295,754 | ---- | M] () -- C:\Documents and Settings\Me\My Documents\downloadtemp.png
[2010/07/19 22:11:28 | 000,516,038 | ---- | M] () -- C:\Documents and Settings\Me\My Documents\PB16.jpg
[2010/07/18 23:36:10 | 004,833,394 | -H-- | M] () -- C:\Documents and Settings\Me\Local Settings\Application Data\IconCache.db
[2010/07/18 22:59:26 | 000,055,296 | ---- | M] () -- C:\Documents and Settings\Me\Desktop\MBRCheck.exe
[2010/07/18 16:53:25 | 000,077,312 | ---- | M] () -- C:\Documents and Settings\Me\Desktop\mbr.exe
[2010/07/18 16:48:11 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Me\Desktop\OTL.exe
[2010/07/18 13:05:14 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\Me\Desktop\gmer.zip
[2010/07/18 13:03:58 | 000,095,232 | ---- | M] () -- C:\Documents and Settings\Me\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/07/17 10:06:08 | 000,243,024 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys
[2010/07/17 10:06:07 | 000,029,584 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgmfx86.sys
[2010/07/17 10:06:07 | 000,012,536 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll
[2010/07/17 10:05:40 | 000,216,400 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgldx86.sys
[2010/07/12 22:23:33 | 000,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010/07/12 21:21:18 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\Me\Desktop\dds.scr
[2010/07/12 21:08:05 | 000,000,020 | ---- | M] () -- C:\Documents and Settings\Me\defogger_reenable
[2010/07/12 21:07:00 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Me\Desktop\Defogger.exe
[2010/07/12 18:19:32 | 000,000,768 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/07/12 10:06:01 | 000,478,504 | ---- | M] () -- C:\Documents and Settings\Me\Desktop\bootkit_remover.rar
[2010/07/11 19:47:20 | 000,004,566 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/07/11 19:47:18 | 000,600,922 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/07/11 19:47:18 | 000,501,712 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/07/11 19:47:18 | 000,087,490 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/07/11 19:43:18 | 000,000,815 | ---- | M] () -- C:\Documents and Settings\Me\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2010/07/11 18:53:57 | 000,077,312 | ---- | M] () -- C:\mbr.exe
[2010/07/11 17:40:47 | 000,001,678 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/07/11 17:39:49 | 009,070,816 | ---- | M] (SUPERAntiSpyware.com) -- C:\Documents and Settings\Me\Desktop\SUPERAntiSpyware.exe
[2010/07/11 17:37:46 | 000,050,688 | ---- | M] (Atribune.org) -- C:\Documents and Settings\Me\Desktop\ATF-Cleaner.exe
[2010/07/11 17:19:16 | 006,153,352 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Me\Desktop\zztoy.exe.exe
[2010/07/11 10:47:23 | 000,000,023 | ---- | M] () -- C:\WINDOWS\BlendSettings.ini
[2010/07/05 18:24:18 | 000,001,805 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Oblivion.lnk
[2010/06/28 09:06:07 | 000,000,603 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/06/24 22:25:48 | 000,000,754 | ---- | M] () -- C:\WINDOWS\WORDPAD.INI
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/07/19 23:55:17 | 000,020,359 | ---- | C] () -- C:\Documents and Settings\Me\My Documents\33azzpe.jpg
[2010/07/19 23:50:37 | 000,015,117 | ---- | C] () -- C:\Documents and Settings\Me\My Documents\dldl3.jpg
[2010/07/19 23:01:05 | 000,250,440 | ---- | C] () -- C:\Documents and Settings\Me\My Documents\65263000.jpg
[2010/07/19 23:00:53 | 000,112,361 | ---- | C] () -- C:\Documents and Settings\Me\My Documents\lulzg.jpg
[2010/07/19 22:57:34 | 000,010,462 | ---- | C] () -- C:\Documents and Settings\Me\My Documents\bear.jpg
[2010/07/19 22:42:36 | 000,295,754 | ---- | C] () -- C:\Documents and Settings\Me\My Documents\downloadtemp.png
[2010/07/19 22:11:27 | 000,516,038 | ---- | C] () -- C:\Documents and Settings\Me\My Documents\PB16.jpg
[2010/07/18 22:59:26 | 000,055,296 | ---- | C] () -- C:\Documents and Settings\Me\Desktop\MBRCheck.exe
[2010/07/18 16:53:25 | 000,077,312 | ---- | C] () -- C:\Documents and Settings\Me\Desktop\mbr.exe
[2010/07/18 13:06:39 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Me\Desktop\gmer.exe
[2010/07/18 13:05:14 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\Me\Desktop\gmer.zip
[2010/07/12 21:21:12 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\Me\Desktop\dds.scr
[2010/07/12 21:07:58 | 000,000,020 | ---- | C] () -- C:\Documents and Settings\Me\defogger_reenable
[2010/07/12 21:07:00 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Me\Desktop\Defogger.exe
[2010/07/12 10:06:01 | 000,478,504 | ---- | C] () -- C:\Documents and Settings\Me\Desktop\bootkit_remover.rar
[2010/07/11 18:55:21 | 000,000,169 | ---- | C] () -- C:\Documents and Settings\Me\mbr.log
[2010/07/11 18:53:56 | 000,077,312 | ---- | C] () -- C:\mbr.exe
[2010/07/11 17:40:47 | 000,001,678 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/07/05 18:24:18 | 000,001,805 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Oblivion.lnk
[2010/04/28 11:59:55 | 000,000,023 | ---- | C] () -- C:\WINDOWS\BlendSettings.ini
[2010/03/17 23:36:57 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2009/11/25 13:40:50 | 000,085,504 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2009/03/02 11:33:32 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2008/02/19 07:33:34 | 000,446,352 | ---- | C] () -- C:\WINDOWS\System32\OpenQuicktimeLib.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 60 bytes -> C:\WINDOWS\System32\xpssvcs.dll:AFP_AfpInfo
@Alternate Data Stream - 60 bytes -> C:\WINDOWS\System32\xpsshhdr.dll:AFP_AfpInfo
@Alternate Data Stream - 60 bytes -> C:\WINDOWS\System32\prntvpt.dll:AFP_AfpInfo
@Alternate Data Stream - 60 bytes -> C:\WINDOWS\System32\dllcache\xpssvcs.dll:AFP_AfpInfo
@Alternate Data Stream - 60 bytes -> C:\WINDOWS\System32\dllcache\xpsshhdr.dll:AFP_AfpInfo
@Alternate Data Stream - 60 bytes -> C:\WINDOWS\System32\dllcache\printfilterpipelinesvc.exe:AFP_AfpInfo
@Alternate Data Stream - 60 bytes -> C:\WINDOWS\System32\dllcache\filterpipelineprintproc.dll:AFP_AfpInfo
< End of report >


Rooter_1:
Rooter.exe (v1.0.2) by Eric_71
.
SeDebugPrivilege granted successfully ...
.
Windows XP . (5.1.2600) Service Pack 3
[32_bits] - x86 Family 6 Model 15 Stepping 10, GenuineIntel
.
[wscsvc] (Security Center) RUNNING (state:4)
[SharedAccess] RUNNING (state:4)
Windows Firewall -> Disabled !
.
Internet Explorer 6.0.2900.5512
Mozilla Firefox 3.6.6 (en-US)
.
C:\ [Fixed-NTFS] .. ( Total:56 Go - Free:15 Go )
D:\ [CD_Rom]
.
Scan : 22:06.19
Path : C:\Documents and Settings\Me\Desktop\Rooter.exe
User : Me ( Administrator -> YES )
.
----------------------\\ Processes
.
Locked [System Process] (0)
______ System (4)
______ \SystemRoot\System32\smss.exe (824)
______ \??\C:\WINDOWS\system32\csrss.exe (888)
______ \??\C:\WINDOWS\system32\winlogon.exe (924)
______ C:\WINDOWS\system32\services.exe (968)
______ C:\WINDOWS\system32\savedump.exe (996)
______ C:\WINDOWS\system32\lsass.exe (1004)
______ C:\WINDOWS\system32\Ati2evxx.exe (1156)
______ C:\WINDOWS\system32\svchost.exe (1176)
______ C:\WINDOWS\system32\svchost.exe (1244)
______ C:\WINDOWS\System32\svchost.exe (1296)
______ C:\WINDOWS\system32\svchost.exe (1408)
______ C:\WINDOWS\system32\svchost.exe (1444)
______ C:\WINDOWS\system32\Ati2evxx.exe (1696)
______ C:\Program Files\AVG\AVG9\avgchsvx.exe (1748)
______ C:\WINDOWS\system32\spoolsv.exe (1764)
______ C:\Program Files\AVG\AVG9\avgrsx.exe (1756)
______ C:\Program Files\AVG\AVG9\avgcsrvx.exe (1972)
______ C:\WINDOWS\system32\svchost.exe (788)
______ C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (856)
______ C:\WINDOWS\system32\AppleOSSMgr.exe (884)
______ C:\WINDOWS\system32\AppleTimeSrv.exe (892)
______ C:\Program Files\AVG\AVG9\avgwdsvc.exe (1324)
______ C:\Program Files\Bonjour\mDNSResponder.exe (1380)
______ C:\Program Files\Flip Video\FlipShare\FlipShareService.exe (1528)
______ C:\Program Files\Java\jre6\bin\jqs.exe (1808)
______ C:\WINDOWS\system32\svchost.exe (380)
______ C:\WINDOWS\Explorer.EXE (1032)
______ C:\Program Files\AVG\AVG9\avgemc.exe (2088)
______ C:\WINDOWS\system32\wuauclt.exe (2124)
______ C:\Program Files\AVG\AVG9\avgnsx.exe (2176)
______ C:\WINDOWS\RTHDCPL.EXE (2592)
______ C:\Program Files\Boot Camp\KbdMgr.exe (2612)
______ C:\Program Files\Java\jre6\bin\jusched.exe (2632)
______ C:\Program Files\iTunes\iTunesHelper.exe (2676)
______ C:\PROGRA~1\AVG\AVG9\avgtray.exe (2688)
______ C:\Program Files\AVG\AVG9\avgcsrvx.exe (2720)
______ C:\Program Files\Windows Live\Messenger\msnmsgr.exe (2760)
______ C:\Program Files\Messenger\msmsgs.exe (2784)
______ C:\WINDOWS\system32\ctfmon.exe (2796)
______ C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (2852)
______ C:\WINDOWS\system32\wbem\unsecapp.exe (3256)
______ C:\WINDOWS\System32\alg.exe (3276)
______ C:\WINDOWS\system32\wbem\wmiprvse.exe (3288)
______ C:\Program Files\iPod\bin\iPodService.exe (3888)
______ C:\WINDOWS\system32\wscntfy.exe (4064)
______ C:\WINDOWS\System32\svchost.exe (1456)
______ C:\Program Files\Mozilla Firefox\firefox.exe (3100)
______ C:\Documents and Settings\Me\Desktop\OTL.exe (3876)
______ C:\Program Files\Windows Live\Contacts\wlcomm.exe (3996)
______ C:\Program Files\Mozilla Firefox\plugin-container.exe (3868)
______ C:\WINDOWS\notepad.exe (1500)
______ C:\Documents and Settings\Me\Desktop\Rooter.exe (2664)
.
----------------------\\ Device\Harddisk0\
.
\Device\Harddisk0 [Sectors : 63 x 512 Bytes]
.
\Device\Harddisk0\Partition1 (Start_Offset:512 | Length:209735168)
\Device\Harddisk0\Partition2 (Start_Offset:209735680 | Length:258637561856)
\Device\Harddisk0\Partition3 --[ MBR ]-- (Start_Offset:258982543360 | Length:61090037760)
.
----------------------\\ Scheduled Tasks
.
C:\WINDOWS\Tasks\desktop.ini
C:\WINDOWS\Tasks\SA.DAT
.
----------------------\\ Registry
.
.
----------------------\\ Files & Folders
.
----------------------\\ Scan completed at 22:07.16
.
C:\Rooter$\Rooter_1.txt - (20/07/2010 | 22:07.16)


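The Rooter output above reports each partition as a byte Start_Offset and Length, and the MBRCheck.exe and mbr.exe runs earlier in the thread read the same place: sector 0 of \Device\Harddisk0, whose 16-byte partition entries start at 0x1BE and whose boot code occupies the bytes before them. The following Python example is added here as an illustration and is not code from the thread, from Rooter, or from MBRCheck. It builds a constructed 512-byte MBR whose entries reproduce the three partitions in the log (the status and type codes, and the disk size, are assumptions because Rooter does not print them), decodes the table back into the byte offsets Rooter shows, flags layout inconsistencies a responder would want to see, and hashes the boot-code region so it can be compared against a known-good copy, which is the kind of check an MBR verification tool performs.

```python
import hashlib
import struct

SECTOR_SIZE = 512             # Rooter reports "Sectors : 63 x 512 Bytes"
TABLE_OFFSET = 0x1BE          # partition table: 4 entries of 16 bytes
ENTRY_SIZE = 16
ENTRY_FMT = "<B3sB3sII"       # status, CHS start, type, CHS end, start LBA, sector count
BOOT_SIGNATURE = b"\x55\xAA"  # last two bytes of a valid MBR

# Constructed entries reproducing the three partitions in the Rooter log:
# the byte offsets printed there divided by 512 give these LBA values.
# Status and type codes are ASSUMED (Rooter does not print them); the
# third entry is marked active because Rooter flags it with "[ MBR ]".
LOG_ENTRIES = [
    (0x00, 0xEE, 1,         409639),     # Partition1: offset 512, length 209735168
    (0x00, 0xAF, 409640,    505151488),  # Partition2: offset 209735680, length 258637561856
    (0x80, 0x07, 505825280, 119316480),  # Partition3: offset 258982543360, length 61090037760
]
DISK_SECTORS = 625142448      # ASSUMED disk size (about 320 GB); not in the log


def build_mbr(entries, boot_code=b""):
    """Assemble a 512-byte MBR from (status, type, start_lba, sectors) tuples."""
    if len(boot_code) > TABLE_OFFSET:
        raise ValueError("boot code must fit before the partition table")
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    for i, (status, ptype, lba, count) in enumerate(entries):
        off = TABLE_OFFSET + i * ENTRY_SIZE
        # CHS fields are left zeroed; the LBA fields are what modern tools use
        sector[off:off + ENTRY_SIZE] = struct.pack(
            ENTRY_FMT, status, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    sector[SECTOR_SIZE - 2:] = BOOT_SIGNATURE
    return bytes(sector)


def parse_mbr(sector):
    """Decode the partition table; returns one dict per non-empty entry."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    if sector[SECTOR_SIZE - 2:] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        off = TABLE_OFFSET + i * ENTRY_SIZE
        status, _, ptype, _, lba, count = struct.unpack(
            ENTRY_FMT, sector[off:off + ENTRY_SIZE])
        if ptype == 0 and count == 0:
            continue  # unused slot
        parts.append({
            "index": i + 1,
            "active": status == 0x80,
            "type": ptype,
            "start_lba": lba,
            "sectors": count,
            "start_offset": lba * SECTOR_SIZE,  # what Rooter prints as Start_Offset
            "length": count * SECTOR_SIZE,      # what Rooter prints as Length
        })
    return parts


def check_layout(parts, disk_sectors):
    """Return a list of layout findings a responder would want to review."""
    findings = []
    if sum(p["active"] for p in parts) > 1:
        findings.append("more than one entry carries the active (0x80) flag")
    ordered = sorted(parts, key=lambda p: p["start_lba"])
    for prev, cur in zip(ordered, ordered[1:]):
        if cur["start_lba"] < prev["start_lba"] + prev["sectors"]:
            findings.append(f"partition {cur['index']} overlaps partition {prev['index']}")
    for p in ordered:
        if p["start_lba"] + p["sectors"] > disk_sectors:
            findings.append(f"partition {p['index']} extends past the end of the disk")
    return findings


def boot_code_hash(sector):
    """SHA-256 of bytes 0..0x1BD, the loader code region to compare against a known-good image."""
    return hashlib.sha256(sector[:TABLE_OFFSET]).hexdigest()


if __name__ == "__main__":
    mbr = build_mbr(LOG_ENTRIES)
    parts = parse_mbr(mbr)
    for p in parts:
        flag = " --[ active ]--" if p["active"] else ""
        print(f"Partition{p['index']}{flag} (Start_Offset:{p['start_offset']} | Length:{p['length']})")
    print("layout findings:", check_layout(parts, DISK_SECTORS) or "none")
    print("boot code sha256:", boot_code_hash(mbr))
```

On a live system the 512 bytes would come from reading sector 0 of the physical disk rather than from build_mbr; the hash is only meaningful next to a reference hash of the same OS version's loader, which is why tools of this kind ship a table of known-good values.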


#10 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:12:58 PM

Posted 21 July 2010 - 04:07 PM

The blue screen could be a number of things; it's not necessarily malware. If it happens again, you should note down the
error so that we can find the cause.

Please do a scan with ESET OnlineScan

Note: If you run this in a browser other than IE you will be asked to download and install esetsmartinstaller_enu.exe
  • Click the button.
  • Check
  • Click the button.
  • Accept any security warnings from your browser and allow it to install the ActiveX control.
  • Check
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push
  • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the button.
  • Push



#11 sgomez417

sgomez417
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:06:58 AM

Posted 22 July 2010 - 09:15 AM

C:\Documents and Settings\Me\Application Data\Sun\Java\Deployment\cache\6.0\57\6b535139-28cb3232 Java/TrojanDownloader.Agent.NBB trojan deleted - quarantined
C:\Documents and Settings\Me\Application Data\Sun\Java\Deployment\cache\6.0\63\5b42f9bf-79707c0e a variant of Java/TrojanDownloader.Agent.NAN trojan deleted - quarantined

#12 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:12:58 PM

Posted 22 July 2010 - 11:33 AM

Hi,

TFC(Temp File Cleaner):
  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.


Then please run DDS again, then post back with the new log and let me know if there are any other problems, thanks.



#13 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:12:58 PM

Posted 27 July 2010 - 07:03 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending me a PM
with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.





