svchost blocked by Avast, browser opens unknown ads


  • This topic is locked
28 replies to this topic

#1 skyvvalker

skyvvalker

  • Members
  • 21 posts
  • OFFLINE
  • Local time:05:54 PM

Posted 12 August 2010 - 04:59 AM

Hello. Earlier this year, I was attacked by AV Security Suite. I downloaded malwarebytes and it removed it. I'm not sure if this is related, but I am now getting ads opening up browser windows on their own. Also, Avast has been blocking svchost occasionally. Malwarebytes scans come up with nothing. Avast and Spybot the same.

Here is my DDS, Hijackthis and GMER (attachment) info...


DDS (Ver_10-03-17.01) - NTFSx86
Run by RICK at 19:06:03.56 on Wed 08/11/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1279.607 [GMT -4:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\RICK\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uDefault_Page_URL = hxxp://www.dellnet.com
uSearch Bar = hxxp://home.peoplepc.com/search/
uInternet Connection Wizard,ShellNext = hxxp://www.dellnet.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride = <local>
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {243b17de-77c7-46bf-b94b-0b5f309a0e64} - c:\program files\microsoft money\system\mnyside.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: {3EBBD0F6-1F1F-48A0-89DC-C7505D56E92A} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No File
BHO: {AA58ED58-01DD-4d91-8333-CF10577473F7} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: {5BED3930-2E9E-76D8-BACC-80DF2188D455} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\bounce~1.lnk - c:\program files\cms peripherals\bounceback express\BBLauncher.exe
IE: &Google Search
IE: Backward Links
IE: Cached Snapshot of Page
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Free YouTube to Mp3 Converter - c:\documents and settings\rick\application data\dvdvideosoftiehelpers\youtubetomp3.htm
IE: Similar Pages
IE: Translate into English
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {DD6687B5-CB43-4211-BFC9-2942CCBDCB3E} - c:\program files\microsoft money\system\mnyside.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} - hxxp://www.stonyfield.com/coupons/scriptX/smsx.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
DPF: {41F17733-B041-4099-A042-B518BB6A408C} - hxxp://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - hxxp://mediaplayer.walmart.com/installer/install.cab
DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - hxxp://www.nick.com/common/groove/gx/GrooveAX25.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {94B82441-A413-4E43-8422-D49930E69764} - hxxps://rtc3.webresponse.one.microsoft.com/media/xp/TLIEFlash.CAB
DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - hxxp://a19.g.akamai.net/7/19/7125/4018/ftp.coupons.com/v3123/cpbrkpie.cab
DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} - hxxp://www.microsoft.com/security/controls/SassCln.CAB
DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
DPF: {CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-150-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} - hxxps://disney.go.com/games/downloads/gamemanager/DIGGameManager.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} - hxxp://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} - hxxp://www.disneyphotopass.com/software/ImageUploader4.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} -
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-7-6 165456]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-7-6 17744]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-6 40384]
R2 portD;CMS PortIO Service;c:\windows\system32\drivers\portd2k.sys [2005-11-26 14976]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-1-10 24652]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-6 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-6 40384]
S2 JVDTPYND;JVDTPYND;\??\c:\windows\system32\jvdtpynd.kux --> c:\windows\system32\jvdtpynd.kux [?]

=============== Created Last 30 ================

2010-08-11 23:00:19 0 ----a-w- c:\documents and settings\rick\defogger_reenable
2010-08-04 22:49:43 0 d-----w- C:\caches
2010-08-02 22:51:00 0 d-----w- c:\program files\iPod

==================== Find3M ====================

2010-06-28 20:57:33 38848 ----a-w- c:\windows\avastSS.scr
2010-06-26 21:55:43 148304 ---ha-w- c:\windows\system32\mlfcache.dat
2010-05-31 02:33:04 1547677 ----a-w- c:\windows\fonts\HDZB_35.TTF
2010-05-18 20:35:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 20:35:16 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-05-18 20:35:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
2001-08-22 18:15:48 245760 -c----w- c:\windows\inf\i386\viceo.dll
2001-08-22 18:13:38 32768 -c----w- c:\windows\inf\i386\Pmicro.dll
2001-08-22 18:13:30 61440 -c----w- c:\windows\inf\i386\gl.dll
2001-08-03 23:29:18 13824 -c----w- c:\windows\inf\i386\Usbscan.sys
2004-08-04 04:56:58 73728 -csh--w- c:\windows\registeredpackages\{dd90d410-1823-43eb-9a16-a2331bf08799}$backup$\system\wmplayer.exe

============= FINISH: 19:08:24.64 ===============





Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 5:45:59 AM, on 8/12/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Hijackthis\HijackThis.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\RICK\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5577
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll (file missing)
O2 - BHO: (no name) - {3EBBD0F6-1F1F-48A0-89DC-C7505D56E92A} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: AutorunsDisabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Free YouTube to Mp3 Converter - C:\Documents and Settings\RICK\Application Data\DVDVideoSoftIEHelpers\youtubetomp3.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - http://www.stonyfield.com/coupons/scriptX/smsx.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...tDetection2.cab
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX25.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://rtc3.webresponse.one.microsoft.com/...p/TLIEFlash.CAB
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/4018/ftp...23/cpbrkpie.cab
O16 - DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} (DDRevision Class) - http://h20264.www2.hp.com/ediags/dd/instal...nosticsxp2k.cab
O16 - DPF: {CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA} (Java Plug-in 1.3.1_02) -
O16 - DPF: {CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA} (Java Plug-in 1.4.2_04) -
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.com/games/downloads/gamem...GameManager.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
O16 - DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} (Image Uploader Control) - http://www.disneyphotopass.com/software/ImageUploader4.cab
O20 - Winlogon Notify: !SASWinLogon - Invalid registry found
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 10730 bytes

Attached Files


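The entries in logs like these that a malware-removal helper reads first can be pulled out mechanically. The following is an added example, not code from this thread or from DDS, HijackThis or OTL: a small Python triage script whose rules and sample lines are constructed from the DDS and HijackThis output posted above (the loopback proxy setting, the S2 service with a random-looking name and a non-standard file extension, the BHO entries with no file, the O6 IE policy lines and the O20 Winlogon entry). The rule names, severities and wording are assumptions of this example, not output of any of the tools.

```python
"""Triage helper for DDS "Pseudo HJT" and HijackThis log lines.

Added example: not code from the thread or from DDS, HijackThis or OTL.
It scans pasted log lines for the entries a malware-removal helper usually
reviews first and returns them as a prioritised list.
"""
import os
import re
from collections import Counter

# Constructed sample: lines copied from the OP's DDS and HijackThis logs,
# plus a few clean lines for contrast.
SAMPLE_LOG = r"""
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride = <local>
BHO: {3EBBD0F6-1F1F-48A0-89DC-C7505D56E92A} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
S2 JVDTPYND;JVDTPYND;\??\c:\windows\system32\jvdtpynd.kux --> c:\windows\system32\jvdtpynd.kux [?]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-7-6 17744]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5577
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (file missing)
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O20 - Winlogon Notify: !SASWinLogon - Invalid registry found
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
""".strip()

# IE proxy pointing at the local machine (DDS "uInternet Settings" and HJT R1 lines).
LOOPBACK_PROXY = re.compile(r"ProxyServer\s*=\s*(?:\w+=)?(?:127\.0\.0\.1|localhost):(\d+)", re.I)
# DDS service/driver line: "<R|S><n> <name>;<display>;<path> [<date size>]".
DDS_SERVICE = re.compile(
    r"^[RS]\d\s+(?P<name>[^;]+);[^;]*;.*?(?P<path>[a-z]:\\.*?)(?=\s+\[|\s+-->|$)", re.I)
# Entries whose file is gone: harmless clutter, but they show what used to be installed.
ORPHAN_ENTRY = re.compile(r"no file|file missing", re.I)
# HJT O6 (IE policy restrictions) and O20 (Winlogon Notify entry that cannot be resolved).
IE_POLICY = re.compile(
    r"^O6 - HK(?:CU|LM)\\Software\\Policies\\Microsoft\\Internet Explorer\\(.+?) present$", re.I)
WINLOGON_INVALID = re.compile(r"^O20 - Winlogon Notify: (\S+) - Invalid registry found", re.I)

# Extensions a legitimate service or driver image is expected to have.
IMAGE_EXTENSIONS = {".sys", ".exe", ".dll"}


def _finding(severity, rule, detail, line):
    return {"severity": severity, "rule": rule, "detail": detail, "line": line}


def triage(log_text):
    """Return one finding per suspicious line, in log order (hypothetical rule set)."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = LOOPBACK_PROXY.search(line)
        if m:
            findings.append(_finding("high", "loopback_proxy",
                f"IE proxy points at the local machine on port {m.group(1)}: browser traffic "
                "passes through a local program; unless the user installed a filtering proxy, "
                "find out what listens there", line))

        m = DDS_SERVICE.match(line)
        if m:
            path = m.group("path")
            ext = os.path.splitext(path)[1].lower()
            if ext not in IMAGE_EXTENSIONS:
                findings.append(_finding("high", "odd_service_image",
                    f"service {m.group('name')} loads {path} (extension {ext or 'none'} "
                    "is not .sys/.exe/.dll); verify that file before anything else", line))

        if ORPHAN_ENTRY.search(line):
            findings.append(_finding("info", "orphan_entry",
                "registry entry points at a file that no longer exists; cleanup candidate", line))

        m = IE_POLICY.match(line)
        if m:
            findings.append(_finding("medium", "ie_policy",
                f"IE '{m.group(1)}' policy is set; often left behind by rogue security "
                "software, so confirm the user did not set it", line))

        m = WINLOGON_INVALID.match(line)
        if m:
            findings.append(_finding("medium", "winlogon_notify",
                f"Winlogon Notify entry {m.group(1)} cannot be resolved; this key runs code "
                "at logon, so confirm it is a leftover of an uninstalled tool", line))
    return findings


def summarize(findings):
    """Count findings per severity."""
    return Counter(f["severity"] for f in findings)


if __name__ == "__main__":
    order = ("high", "medium", "info")
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: order.index(f["severity"])):
        print(f"[{f['severity']:6}] {f['rule']:18} {f['detail']}")
        print(f"         {f['line']}")
    print(dict(summarize(triage(SAMPLE_LOG))))
```

Severity here is a triage priority, not a verdict: each hit still needs a hand check (what listens on the proxy port, what the service file actually is, whether the user set the policy). Run the file directly to print the findings for the embedded sample, or call triage() on the text of a pasted log.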



#2 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,774 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:11:54 PM

Posted 19 August 2010 - 06:37 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. In the custom scan box paste the following:
    CODE
    msconfig
    safebootminimal
    activex
    drivers32
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    nvraid.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /90
  6. Push the button.
  7. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#3 skyvvalker

skyvvalker
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:05:54 PM

Posted 20 August 2010 - 08:24 AM

Thank you for your help! As I said previously, I was attacked by AV Security Suite a while back. Malwarebytes seemed to have removed it. This problem I'm having now may be related or may not be related. I don't know. Now I am getting random redirects to webpages that appear to be advertisements. I immediately close these windows of course. I ran Avast, Malwarebytes, Spybot and they came up clean. Also, the computer seems to be slower than it was before I started getting these webpage redirects. Also, sometimes Avast stops Svchost.exe from running, which I take to mean that it stopped some sort of attack.


OTL logfile created on: 8/20/2010 8:56:42 AM - Run 1
OTL by OldTimer - Version 3.2.10.0 Folder = C:\Documents and Settings\RICK\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 60.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 77.00% Paging File free
Paging file location(s): C:\pagefile.sys 384 768 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 38.24 Gb Total Space | 11.44 Gb Free Space | 29.92% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
Drive G: | 1397.26 Gb Total Space | 1259.71 Gb Free Space | 90.16% Space Free | Partition Type: NTFS
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: R2D2
Current User Name: RICK
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/08/20 08:54:04 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\RICK\Desktop\OTL.exe
PRC - [2010/06/28 16:57:18 | 002,837,864 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastUI.exe
PRC - [2010/06/28 16:57:15 | 000,040,384 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
PRC - [2010/06/10 21:03:08 | 000,144,176 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
PRC - [2009/03/05 16:07:20 | 002,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2007/06/13 06:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/01/04 17:38:18 | 000,112,336 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
PRC - [2007/01/04 17:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe
PRC - [2005/09/09 03:24:30 | 000,102,400 | ---- | M] () -- C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
PRC - [2005/05/15 22:03:18 | 000,126,976 | ---- | M] () -- C:\WINDOWS\SYSTEM32\UAService7.exe


========== Modules (SafeList) ==========

MOD - [2010/08/20 08:54:04 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\RICK\Desktop\OTL.exe
MOD - [2006/08/25 11:45:55 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll
MOD - [2004/08/03 23:01:18 | 000,102,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\SYSTEM32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\appmgmts.dll -- (AppMgmt)
SRV - [2010/06/28 16:57:15 | 000,040,384 | ---- | M] (AVAST Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Web Scanner)
SRV - [2010/06/28 16:57:15 | 000,040,384 | ---- | M] (AVAST Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Mail Scanner)
SRV - [2010/06/28 16:57:15 | 000,040,384 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
SRV - [2010/06/10 21:03:08 | 000,144,176 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2007/01/04 17:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) [Auto | Running] -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service)
SRV - [2005/09/09 03:24:30 | 000,102,400 | ---- | M] () [Auto | Running] -- C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe -- (AdobeActiveFileMonitor4.0)
SRV - [2005/05/15 22:03:18 | 000,126,976 | ---- | M] () [Auto | Running] -- C:\WINDOWS\SYSTEM32\UAService7.exe -- (UserAccess7) SecuROM User Access Service (V7)
SRV - [2003/03/03 14:33:40 | 000,143,360 | ---- | M] (Intel® Corporation) [On_Demand | Stopped] -- C:\Program Files\Intel\NCS\Sync\NetSvc.exe -- (NetSvc)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\wanatw4.sys -- (wanatw) WAN Miniport (ATW)
DRV - File not found [Kernel | Auto | Stopped] -- C:\WINDOWS\System32\jvdtpynd.kux -- (JVDTPYND)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\wATV03nt.sys -- (iAimTV2)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\RICK\LOCALS~1\Temp\cportclm.sys -- (cportclm)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Program Files\America Online 8.0\ATWPKT2.SYS -- (ATWPKT2)
DRV - [2010/06/28 16:37:52 | 000,046,672 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2010/06/28 16:37:30 | 000,165,456 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2010/06/28 16:33:13 | 000,023,376 | ---- | M] (ALWIL Software) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2010/06/28 16:32:45 | 000,100,176 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2010/06/28 16:32:33 | 000,017,744 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2010/06/28 16:32:16 | 000,028,880 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2006/12/06 19:52:58 | 000,002,432 | ---- | M] (Sonic Solutions) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\cdr4_xp.sys -- (Cdr4_xp)
DRV - [2006/12/06 19:52:43 | 000,002,560 | ---- | M] (Sonic Solutions) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\cdralw2k.sys -- (Cdralw2k)
DRV - [2006/11/16 10:54:08 | 000,513,152 | ---- | M] (Windows ® 2000/XP) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\SndTDriverV32.sys -- (SndTDriverV32)
DRV - [2006/01/26 14:21:04 | 000,034,686 | ---- | M] (Service & Quality Technology.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\Capt905c.sys -- (SQTECH905C)
DRV - [2004/11/10 21:54:52 | 000,151,066 | ---- | M] (Roxio) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\pwd_2K.sys -- (pwd_2k)
DRV - [2004/11/10 21:54:52 | 000,030,694 | ---- | M] (Roxio) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\Mmc_2k.sys -- (mmc_2K)
DRV - [2004/11/10 21:54:52 | 000,025,962 | ---- | M] (Roxio) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\Dvd_2k.sys -- (dvd_2K)
DRV - [2004/08/03 23:10:12 | 000,048,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\61883.sys -- (61883)
DRV - [2004/08/03 23:10:12 | 000,038,912 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\avc.sys -- (Avc)
DRV - [2004/08/03 23:10:00 | 000,051,328 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\msdv.sys -- (MSDV)
DRV - [2004/08/03 23:07:44 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2004/08/03 23:07:44 | 000,041,088 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2004/08/03 22:29:50 | 000,019,455 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wvchntxx.sys -- (iAimFP4)
DRV - [2004/08/03 22:29:48 | 000,012,063 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wsiintxx.sys -- (iAimFP3)
DRV - [2004/08/03 22:29:46 | 000,023,615 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wch7xxnt.sys -- (iAimTV4)
DRV - [2004/08/03 22:29:44 | 000,033,599 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\watv04nt.sys -- (iAimTV3)
DRV - [2004/08/03 22:29:44 | 000,019,551 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\watv02nt.sys -- (iAimTV1)
DRV - [2004/08/03 22:29:42 | 000,029,311 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\watv01nt.sys -- (iAimTV0)
DRV - [2004/08/03 22:29:38 | 000,161,020 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\i81xnt5.sys -- (i81x)
DRV - [2004/08/03 22:29:38 | 000,012,415 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv01nt.sys -- (iAimFP0)
DRV - [2004/08/03 22:29:38 | 000,012,127 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv02nt.sys -- (iAimFP1)
DRV - [2004/08/03 22:29:38 | 000,011,775 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv05nt.sys -- (iAimFP2)
DRV - [2004/02/23 10:40:38 | 000,014,976 | ---- | M] (CMS Peripherals, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\portd2k.sys -- (portD)
DRV - [2003/10/06 15:16:00 | 001,550,043 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\nv4_mini.sys -- (nv)
DRV - [2003/08/27 15:19:07 | 000,206,464 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\udfreadr_xp.sys -- (UdfReadr_xp)
DRV - [2002/12/17 13:27:32 | 000,241,152 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\cdudf_xp.sys -- (cdudf_xp)
DRV - [2002/11/08 14:45:06 | 000,017,217 | ---- | M] (Dell Computer Corporation) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\omci.sys -- (omci)
DRV - [2002/10/29 17:38:10 | 000,170,499 | ---- | M] (Conexant Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\HSFHWBS2.sys -- (HSFHWBS2)
DRV - [2002/10/29 17:37:36 | 001,175,536 | ---- | M] (Conexant Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\HSF_DP.sys -- (HSF_DP)
DRV - [2002/10/29 17:31:28 | 000,604,240 | ---- | M] (Conexant Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\HSF_CNXT.sys -- (winachsf)
DRV - [2002/07/17 10:05:10 | 000,016,512 | ---- | M] (Adaptec) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\ASPI32.SYS -- (Aspi32)
DRV - [2002/01/24 11:23:40 | 000,013,545 | ---- | M] (SCM Microsystems Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\System32\drivers\STLTRK2K.sys -- (Stltrk2k)
DRV - [2001/08/17 15:07:44 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2001/08/17 15:07:42 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001/08/17 15:07:40 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001/08/17 15:07:36 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001/08/17 15:07:34 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001/08/17 14:52:22 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001/08/17 14:52:20 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2001/08/17 14:52:20 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2001/08/17 14:52:18 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2001/08/17 14:52:16 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2001/08/17 14:52:12 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2001/08/17 14:52:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\asc.sys -- (asc)
DRV - [2001/08/17 14:51:58 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2001/08/17 14:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/17 14:51:54 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\cmdide.sys -- (CmdIde)
DRV - [2001/08/17 13:11:06 | 000,066,591 | ---- | M] (3Com Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\EL90XBC5.SYS -- (EL90XBC)
DRV - [2000/12/01 01:02:10 | 000,005,992 | ---- | M] (Elaborate Bytes) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\ElbyCDIO.sys -- (ElbyCDIO)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dellnet.com
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dellnet.com
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-3316014324-2100270655-3420894276-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
IE - HKU\S-1-5-21-3316014324-2100270655-3420894276-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\S-1-5-21-3316014324-2100270655-3420894276-1007\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-3316014324-2100270655-3420894276-1007\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\S-1-5-21-3316014324-2100270655-3420894276-1007\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5577



O1 HOSTS File: ([2010/06/03 01:48:12 | 000,608,415 | ---- | M]) - C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 fr.a2dfp.net
O1 - Hosts: 127.0.0.1 m.fr.a2dfp.net
O1 - Hosts: 127.0.0.1 ad.a8.net
O1 - Hosts: 127.0.0.1 asy.a8ww.net
O1 - Hosts: 127.0.0.1 adserver.abv.bg
O1 - Hosts: 127.0.0.1 adv.abv.bg
O1 - Hosts: 127.0.0.1 bimg.abv.bg
O1 - Hosts: 127.0.0.1 www2.a-counter.kiev.ua
O1 - Hosts: 127.0.0.1 track.acclaimnetwork.com
O1 - Hosts: 127.0.0.1 accuserveadsystem.com
O1 - Hosts: 127.0.0.1 www.accuserveadsystem.com
O1 - Hosts: 127.0.0.1 achmedia.com
O1 - Hosts: 127.0.0.1 aconti.net
O1 - Hosts: 127.0.0.1 secure.aconti.net
O1 - Hosts: 127.0.0.1 www.aconti.net #[Dialer.Aconti]
O1 - Hosts: 127.0.0.1 ads.active.com
O1 - Hosts: 127.0.0.1 am1.activemeter.com
O1 - Hosts: 127.0.0.1 www.activemeter.com #[Tracking.Cookie]
O1 - Hosts: 127.0.0.1 ads.activepower.net
O1 - Hosts: 127.0.0.1 stat.active24stats.nl #[Tracking.Cookie]
O1 - Hosts: 127.0.0.1 ad2games.com
O1 - Hosts: 127.0.0.1 cms.ad2click.nl
O1 - Hosts: 127.0.0.1 ads.ad2games.com
O1 - Hosts: 127.0.0.1 content.ad20.net
O1 - Hosts: 16056 more lines...
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll File not found
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\MNYSIDE.DLL (Microsoft Corporation)
O2 - BHO: (PC Tools Browser Guard BHO) - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll File not found
O2 - BHO: (no name) - {3EBBD0F6-1F1F-48A0-89DC-C7505D56E92A} - No CLSID value found.
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No CLSID value found.
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - No CLSID value found.
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No CLSID value found.
O3 - HKLM\..\Toolbar: (PC Tools Browser Guard) - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll File not found
O3 - HKU\S-1-5-21-3316014324-2100270655-3420894276-1007\..\Toolbar\ShellBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-3316014324-2100270655-3420894276-1007\..\Toolbar\WebBrowser: (PC Tools Browser Guard) - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll File not found
O3 - HKU\S-1-5-21-3316014324-2100270655-3420894276-1007\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll File not found
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\AvastUI.exe (AVAST Software)
O4 - HKLM..\Run: [IMEKRMIG6.1] C:\WINDOWS\IME\IMKR6_1\imekrmig.exe (Microsoft Corporation)
O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [UserFaultCheck] File not found
O4 - HKU\S-1-5-21-3316014324-2100270655-3420894276-1007..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled [2010/06/04 19:46:35 | 000,000,000 | -H-D | M]
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3316014324-2100270655-3420894276-1007\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3316014324-2100270655-3420894276-1007\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-21-3316014324-2100270655-3420894276-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O7 - HKU\S-1-5-21-3316014324-2100270655-3420894276-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: _NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Free YouTube to Mp3 Converter - C:\Documents and Settings\RICK\Application Data\DVDVideoSoftIEHelpers\youtubetomp3.htm ()
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O9 - Extra Button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\MNYSIDE.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKU\S-1-5-21-3316014324-2100270655-3420894276-1007\..Trusted Domains: ([]msn in My Computer)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/2008.1...toUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} http://www.stonyfield.com/coupons/scriptX/smsx.cab (MeadCo ScriptX)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://fpdownload.macromedia.com/get/shock...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB (Reg Error: Key error.)
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab (FilePlanet Download Control Class)
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe (Reg Error: Key error.)
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} http://h20270.www2.hp.com/ediags/gmn2/inst...tDetection2.cab (GMNRev Class)
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} http://mediaplayer.walmart.com/installer/install.cab (Reg Error: Key error.)
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} http://www.nick.com/common/groove/gx/GrooveAX25.cab (Reg Error: Key error.)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.0...oUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} https://rtc3.webresponse.one.microsoft.com/...p/TLIEFlash.CAB (TLIEFlashObj Class)
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} http://a19.g.akamai.net/7/19/7125/4018/ftp...23/cpbrkpie.cab (Reg Error: Key error.)
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} http://www.microsoft.com/security/controls/SassCln.CAB (SassCln Object)
O16 - DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} http://h20264.www2.hp.com/ediags/dd/instal...nosticsxp2k.cab (DDRevision Class)
O16 - DPF: {CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA} Reg Error: Value error. (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA} Reg Error: Value error. (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} https://disney.go.com/games/downloads/gamem...GameManager.cab (CGameManagerCtrl Object)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab (EPSImageControl Class)
O16 - DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} http://www.disneyphotopass.com/software/ImageUploader4.cab (Image Uploader Control)
O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.113.1
O18 - Protocol\Handler\cdo {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O20 - Winlogon\Notify\dimsntfy: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O24 - Desktop WallPaper: C:\Documents and Settings\RICK\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\RICK\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2002/09/03 09:59:58 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2010/01/20 22:48:49 | 000,000,000 | RH-D | M] - G:\autorun -- [ NTFS ]
O32 - AutoRun File - [2002/10/16 22:56:50 | 000,000,036 | RH-- | M] () - G:\autorun.inf -- [ NTFS ]
O33 - MountPoints2\{65051bb7-97dd-11de-8f29-0007e9645c8f}\Shell - "" = AutoRun
O33 - MountPoints2\{65051bb7-97dd-11de-8f29-0007e9645c8f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{65051bb7-97dd-11de-8f29-0007e9645c8f}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- File not found
O33 - MountPoints2\{b6bb937b-498d-11de-8eae-0007e9645c8f}\Shell\AutoRun\command - "" = G:\DPF_V211.exe -- File not found
O33 - MountPoints2\F\Shell - "" = AutoRun
O33 - MountPoints2\F\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

MsConfig - State: "system.ini" - 0
MsConfig - State: "win.ini" - 0
MsConfig - State: "bootini" - 0
MsConfig - State: "services" - 0
MsConfig - State: "startup" - 0

SafeBootMin: AppMgmt - C:\WINDOWS\System32\appmgmts.dll File not found
SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vds - Service
SafeBootMin: vga.sys - Driver
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

ActiveX: {057997dd-71e4-43cc-b161-3f8180691a9e} - Q824145
ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Microsoft VM
ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608555} - Internet Explorer Classes for Java
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {166B1BCA-3F9C-11CF-8075-444553540000} - Macromedia Shockwave Director 10.1
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {2298d453-bcae-4519-bf33-1cbf3faf1524} - Q867801
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {233C1507-6A77-46A4-9443-F871F945D258} - Adobe Shockwave Director 10.1.4
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2A202491-F00D-11cf-87CC-0020AFEECF20} - Adobe Shockwave Director 10.1.4
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {2cc9d512-6db6-4f1c-8979-9a41fae88de0} - Q837009
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {411EDCF7-755D-414E-A74B-3DCD6583F589} - Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA851-CC51-11CF-AAFA-00AA00B6015C} - rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\wpie4x86.inf,PerUserStub
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015C} - Microsoft DirectX
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.6
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5f3c70b3-ac2f-432c-8f9c-1624df61f54f} - Microsoft Data Access Components KB870669
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7131646D-CD3C-40F4-97B9-CD9E4E6262EF} - .NET Framework
ActiveX: {73FA19D0-2D75-11D2-995D-00C04F98BBC9} - Web Folders
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {795d0712-722c-43ec-906a-fc5e678eada9} - Q831167
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\WINDOWS\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - c:\WINDOWS\system32\Rundll32.exe c:\WINDOWS\system32\mscories.dll,Install
ActiveX: {8b15971b-5355-4c82-8c07-7e181ea07608} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.UnInstall.PerUser
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {94de52c8-2d59-4f1b-883e-79663d2d9a8c} - rundll32.exe C:\WINDOWS\system32\Setup\FxsOcm.dll,XP_UninstallProvider
ActiveX: {96543d59-497a-4801-a1f3-5936aacaf7b1} - Q828750
ActiveX: {B84AD69F-8358-F496-D993-4D356E35BFEB} - NetShow
ActiveX: {C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F} - .NET Framework
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} - .NET Framework
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11CF-96B8-444553540000} - Adobe Flash Player
ActiveX: {DAA94A2A-2A8D-4D3B-9DB8-56FBECED082D} - Microsoft .NET Framework 1.1 Security Update (KB953297)
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: {eddbec60-89cb-44ef-8291-0850fd28ff6a} - Q832894
ActiveX: {EF289A85-8E57-408d-BE47-73B55609861A} - RootsUpdate
ActiveX: {f5173cf0-1dfb-4978-8e50-a90169ee7ca9} - Q823353
ActiveX: {F5776D81-AE53-4935-8E84-B0B283D8BCEF} - Q330994
ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\WINDOWS\system32\ieudinit.exe
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

Drivers32: msacm.ac3acm - C:\WINDOWS\System32\AC3ACM.acm (fccHandler)
Drivers32: msacm.alf2cd - C:\WINDOWS\System32\alf2cd.acm (NCT Company)
Drivers32: MSACM.CEGSM - C:\WINDOWS\System32\mobileV.acm ()
Drivers32: Msacm.dvacm - C:\PROGRA~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm File not found
Drivers32: msacm.iac2 - C:\WINDOWS\System32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\SYSTEM32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.mpegacm - mpegacm.acm File not found
Drivers32: msacm.scg726 - C:\WINDOWS\System32\Scg726.acm (SHARP Corporation)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\TSSOFT32.ACM (DSP GROUP, INC.)
Drivers32: msacm.ulmp3acm - ulmp3acm.acm File not found
Drivers32: msacm.voxacm160 - C:\WINDOWS\System32\vct3216.acm (Voxware, Inc.)
Drivers32: MSVideo8 - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.DIVX - C:\WINDOWS\System32\DivX.dll (DivXNetworks, Inc.)
Drivers32: vidc.dvsd - C:\WINDOWS\System32\mcdvd_32.dll (MainConcept)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\IR32_32.DLL ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\IR32_32.DLL ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Drivers32: vidc.mp42 - C:\WINDOWS\System32\mpg4c32.dll (Microsoft Corporation)
Drivers32: vidc.mp43 - C:\WINDOWS\System32\mpg4c32.dll (Microsoft Corporation)
Drivers32: vidc.mpg4 - C:\WINDOWS\System32\mpg4c32.dll (Microsoft Corporation)
Drivers32: VIDC.WMV3 - C:\WINDOWS\System32\wmv9vcm.dll (Microsoft Corporation)
Drivers32: vidc.xvid - C:\WINDOWS\System32\xvidvfw.dll ()

NetSvcs: 6to4 - File not found
NetSvcs: AppMgmt - C:\WINDOWS\System32\appmgmts.dll File not found
NetSvcs: HidServ - C:\WINDOWS\System32\hidserv.dll File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found

========== Files/Folders - Created Within 30 Days ==========

File not found -- C:\Documents and Settings\RICK\My Documents\CAM3KTG9.
File not found -- C:\Documents and Settings\RICK\My Documents\CAE74T65.
File not found -- C:\Documents and Settings\RICK\My Documents\CAAN8XEB.
[2010/08/20 08:54:03 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\RICK\Desktop\OTL.exe
[2010/08/12 06:20:00 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2010/08/11 19:09:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\RICK\Desktop\gmer
[2010/08/11 18:46:42 | 000,743,424 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iedvtool.dll
[2010/08/04 18:49:43 | 000,000,000 | ---D | C] -- C:\caches
[2010/08/02 18:51:00 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2010/07/27 18:56:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2010/07/27 18:55:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2008/08/11 17:35:08 | 000,047,360 | ---- | C] (VSO Software) -- C:\Documents and Settings\RICK\Application Data\pcouffin.sys
[8 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[7 C:\WINDOWS\Fonts\*.tmp files -> C:\WINDOWS\Fonts\*.tmp -> ]
[222 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

File not found -- C:\Documents and Settings\RICK\My Documents\CAM3KTG9.
File not found -- C:\Documents and Settings\RICK\My Documents\CAE74T65.
File not found -- C:\Documents and Settings\RICK\My Documents\CAAN8XEB.
[2010/08/20 08:54:04 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\RICK\Desktop\OTL.exe
[2010/08/20 08:49:19 | 000,001,170 | ---- | M] () -- C:\WINDOWS\System32\WPA.DBL
[2010/08/20 08:47:57 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/08/20 08:46:41 | 000,002,048 | --S- | M] () -- C:\WINDOWS\BOOTSTAT.DAT
[2010/08/20 08:46:34 | 000,653,864 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/08/20 08:46:33 | 1341,198,336 | -HS- | M] () -- C:\hiberfil.sys
[2010/08/18 21:35:32 | 011,796,480 | -H-- | M] () -- C:\Documents and Settings\RICK\NTUSER.DAT
[2010/08/18 21:35:32 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\RICK\NTUSER.INI
[2010/08/18 19:49:26 | 000,224,160 | ---- | M] () -- C:\Documents and Settings\RICK\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/08/16 21:05:05 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/08/16 20:44:55 | 000,002,399 | ---- | M] () -- C:\Documents and Settings\RICK\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Money 2003.lnk
[2010/08/15 15:29:45 | 000,557,568 | ---- | M] () -- C:\Documents and Settings\RICK\My Documents\PaLady Cache Experience Tag Publication1d.pub
[2010/08/15 14:26:33 | 000,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/08/13 08:59:08 | 000,000,532 | ---- | M] () -- C:\hpfr5550.xml
[2010/08/12 06:22:29 | 000,507,136 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/08/12 06:22:29 | 000,445,370 | ---- | M] () -- C:\WINDOWS\System32\PERFH009.DAT
[2010/08/12 06:22:29 | 000,072,576 | ---- | M] () -- C:\WINDOWS\System32\PERFC009.DAT
[2010/08/12 06:16:08 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/08/11 19:02:28 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\RICK\Desktop\gmer.zip
[2010/08/11 19:01:12 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\RICK\Desktop\dds.scr
[2010/08/11 19:00:19 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\RICK\defogger_reenable
[2010/08/11 18:59:07 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\RICK\Desktop\Defogger.exe
[2010/08/10 22:14:32 | 000,000,981 | ---- | M] () -- C:\Documents and Settings\RICK\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2010/08/10 22:14:32 | 000,000,963 | ---- | M] () -- C:\Documents and Settings\RICK\Desktop\Spybot - Search & Destroy.lnk
[8 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[222 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/08/15 15:29:45 | 000,557,568 | ---- | C] () -- C:\Documents and Settings\RICK\My Documents\PaLady Cache Experience Tag Publication1d.pub
[2010/08/11 19:02:27 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\RICK\Desktop\gmer.zip
[2010/08/11 19:01:11 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\RICK\Desktop\dds.scr
[2010/08/11 19:00:19 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\RICK\defogger_reenable
[2010/08/11 18:59:22 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\RICK\Desktop\Defogger.exe
[2010/08/02 18:53:35 | 000,002,137 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/06/30 18:44:48 | 000,763,832 | ---- | C] () -- C:\WINDOWS\BDTSupport.dll.old
[2009/01/10 21:29:25 | 000,000,028 | ---- | C] () -- C:\WINDOWS\pdf995.ini
[2008/08/11 17:35:19 | 000,000,034 | ---- | C] () -- C:\Documents and Settings\RICK\Application Data\pcouffin.log
[2008/08/11 17:35:08 | 000,087,608 | ---- | C] () -- C:\Documents and Settings\RICK\Application Data\inst.exe
[2008/08/11 17:35:08 | 000,007,887 | ---- | C] () -- C:\Documents and Settings\RICK\Application Data\pcouffin.cat
[2008/08/11 17:35:08 | 000,001,144 | ---- | C] () -- C:\Documents and Settings\RICK\Application Data\pcouffin.inf
[2008/08/03 10:17:34 | 000,000,486 | ---- | C] () -- C:\WINDOWS\ka.ini
[2008/07/29 16:55:01 | 000,000,286 | ---- | C] () -- C:\WINDOWS\TLCAPPS.INI
[2008/02/13 22:19:49 | 000,000,305 | ---- | C] () -- C:\WINDOWS\game.ini
[2007/02/13 21:33:31 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\gl.dll
[2007/02/13 21:33:31 | 000,006,138 | ---- | C] () -- C:\WINDOWS\System32\e1.ini
[2007/01/19 21:16:18 | 000,000,142 | ---- | C] () -- C:\WINDOWS\wpd99.drv
[2007/01/19 21:16:07 | 000,051,716 | ---- | C] () -- C:\WINDOWS\System32\pdf995mon.dll
[2006/12/30 20:27:19 | 000,000,024 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2006/12/30 20:26:52 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2006/12/04 18:28:19 | 000,000,072 | ---- | C] () -- C:\WINDOWS\promp3recorder.ini
[2006/07/29 22:02:37 | 000,002,934 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2006/06/25 11:27:42 | 000,000,014 | ---- | C] () -- C:\WINDOWS\dswplug.ini
[2006/06/25 11:11:30 | 000,524,288 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2006/06/25 11:11:30 | 000,139,264 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2006/05/02 19:57:41 | 000,000,078 | ---- | C] () -- C:\WINDOWS\System32\EDMKGRP.INI
[2005/10/23 09:59:11 | 000,000,000 | ---- | C] () -- C:\WINDOWS\pcfriend.INI
[2005/07/22 18:58:23 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2005/07/11 20:36:26 | 000,043,520 | ---- | C] () -- C:\WINDOWS\System32\CmdLineExt03.dll
[2005/05/15 22:03:18 | 000,090,112 | ---- | C] () -- C:\WINDOWS\System32\CmdLineExt.dll
[2005/04/10 18:33:49 | 000,002,353 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2005/01/31 17:52:29 | 000,000,065 | ---- | C] () -- C:\WINDOWS\tcwin.INI
[2005/01/31 17:52:27 | 000,000,000 | ---- | C] () -- C:\WINDOWS\TCWINMI.INI
[2005/01/23 16:52:32 | 000,000,632 | ---- | C] () -- C:\WINDOWS\CoD.INI
[2004/11/16 22:05:41 | 000,010,022 | ---- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2004/09/22 22:06:46 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2004/09/22 22:06:10 | 000,249,270 | ---- | C] () -- C:\WINDOWS\System32\_006580_.tmp.dll
[2004/09/22 22:06:06 | 000,022,040 | ---- | C] () -- C:\WINDOWS\System32\_006548_.tmp.dll
[2004/09/22 20:31:52 | 000,000,000 | ---- | C] () -- C:\WINDOWS\~tmp.INI
[2004/07/12 17:07:21 | 003,375,104 | ---- | C] () -- C:\WINDOWS\System32\qt-mt331.dll
[2004/06/18 16:56:43 | 000,000,041 | ---- | C] () -- C:\WINDOWS\MSREGUSR.INI
[2004/05/08 20:18:39 | 000,302,592 | ---- | C] () -- C:\WINDOWS\System32\pgp.dll
[2004/05/08 20:18:39 | 000,093,184 | ---- | C] () -- C:\WINDOWS\System32\keydb.dll
[2004/05/08 20:18:39 | 000,070,656 | ---- | C] () -- C:\WINDOWS\System32\simple.dll
[2004/05/08 20:18:39 | 000,065,024 | ---- | C] () -- C:\WINDOWS\System32\bn.dll
[2004/05/08 20:18:38 | 000,306,688 | ---- | C] () -- C:\WINDOWS\System32\LFFPX7.DLL
[2004/05/08 20:18:38 | 000,095,232 | ---- | C] () -- C:\WINDOWS\System32\LFKODAK.DLL
[2004/02/14 11:01:30 | 000,000,037 | ---- | C] () -- C:\WINDOWS\Viewer.ini
[2004/01/31 11:45:56 | 000,000,000 | ---- | C] () -- C:\WINDOWS\SETUP32.INI
[2004/01/08 20:05:14 | 000,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI
[2003/12/06 16:09:25 | 000,010,240 | ---- | C] () -- C:\WINDOWS\System32\vidx16.dll
[2003/12/06 16:09:09 | 000,000,009 | ---- | C] () -- C:\WINDOWS\sierra.ini
[2003/11/13 16:49:28 | 000,000,163 | ---- | C] () -- C:\WINDOWS\encore_launcher.ini
[2003/11/08 10:26:10 | 000,002,183 | ---- | C] () -- C:\WINDOWS\hegames.ini
[2003/10/23 18:57:49 | 000,001,383 | ---- | C] () -- C:\WINDOWS\Disney.ini
[2003/10/23 11:31:38 | 000,000,027 | ---- | C] () -- C:\WINDOWS\UP9ASP.INI
[2003/10/06 15:16:00 | 000,027,136 | ---- | C] () -- C:\WINDOWS\System32\nvcod.dll
[2003/10/05 17:52:11 | 000,051,200 | ---- | C] () -- C:\Documents and Settings\RICK\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2003/08/27 15:21:01 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2003/08/27 15:10:08 | 000,000,780 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2003/08/27 14:35:04 | 000,000,549 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2003/03/27 17:28:44 | 000,004,955 | ---- | C] () -- C:\WINDOWS\System32\DProg.ini
[2003/01/07 16:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/09/30 06:10:58 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2002/03/16 20:00:00 | 000,007,420 | ---- | C] () -- C:\WINDOWS\UA000019.DLL
[1998/10/11 00:07:38 | 000,088,576 | ---- | C] () -- C:\WINDOWS\System32\Iticheck.dll
[1980/01/01 01:00:00 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\e100bmsg.dll

========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2004/08/04 01:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\I386\sp2.cab:AGP440.sys
[2004/08/04 01:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:AGP440.sys
[2004/09/22 22:05:13 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\SoftwareDistribution\Download\9ded4ee34a35fced0033d3e152a36e0e\sp2.cab:AGP440.sys
[2008/08/27 17:16:02 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\sp3.cab:AGP440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\agp440.sys
[2004/08/04 00:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2004/08/04 02:07:41 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\SoftwareDistribution\Download\9ded4ee34a35fced0033d3e152a36e0e\agp440.sys
[2004/08/04 00:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\SYSTEM32\DLLCACHE\agp440.sys
[2004/08/04 00:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\SYSTEM32\DRIVERS\agp440.sys
[2004/08/03 23:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\SYSTEM32\ReinstallBackups\0008\DriverFiles\i386\AGP440.SYS
[2001/08/17 14:58:00 | 000,025,472 | ---- | M] (Microsoft Corporation) MD5=65880045C51AA36184841CEE915A61DF -- C:\I386\AGP440.SYS

< MD5 for: ATAPI.SYS >
[2002/08/29 06:00:00 | 010,158,890 | ---- | M] () .cab file -- C:\I386\sp1.cab:atapi.sys
[2002/08/29 06:00:00 | 010,158,890 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\I386\sp1.cab:atapi.sys
[2004/08/04 01:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\I386\sp2.cab:atapi.sys
[2004/08/04 01:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:atapi.sys
[2004/09/22 22:05:13 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\SoftwareDistribution\Download\9ded4ee34a35fced0033d3e152a36e0e\sp2.cab:atapi.sys
[2008/08/27 17:16:02 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\sp3.cab:atapi.sys
[2003/01/31 16:43:30 | 000,087,040 | ---- | M] (Microsoft Corporation) MD5=3C33F5479520844A186C2D43ECFFD477 -- C:\I386\atapi.sys
[2003/01/31 16:43:30 | 000,087,040 | ---- | M] (Microsoft Corporation) MD5=3C33F5479520844A186C2D43ECFFD477 -- C:\WINDOWS\SYSTEM32\ReinstallBackups\0001\DriverFiles\i386\atapi.sys
[2002/08/29 02:27:50 | 000,086,912 | ---- | M] (Microsoft Corporation) MD5=95B858761A00E1D4F81F79A0DA019ACA -- C:\WINDOWS\SYSTEM32\ReinstallBackups\0006\DriverFiles\i386\atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\atapi.sys
[2004/08/03 23:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2004/08/04 01:59:42 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\SoftwareDistribution\Download\9ded4ee34a35fced0033d3e152a36e0e\atapi.sys
[2004/08/03 23:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\SYSTEM32\DLLCACHE\atapi.sys
[2004/08/03 23:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\SYSTEM32\DRIVERS\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 20:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\eventlog.dll
[2004/08/04 00:56:44 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2004/08/04 03:56:42 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\SoftwareDistribution\Download\9ded4ee34a35fced0033d3e152a36e0e\eventlog.dll
[2004/08/04 00:56:44 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\SYSTEM32\eventlog.dll
[2002/08/29 06:00:00 | 000,049,152 | ---- | M] (Microsoft Corporation) MD5=BF3C8CF53C77B48206B39910B6D6CBCC -- C:\I386\EVENTLOG.DLL

< MD5 for: NETLOGON.DLL >
[2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\netlogon.dll
[2002/08/29 06:00:00 | 000,399,360 | ---- | M] (Microsoft Corporation) MD5=3ADD563ED7A1C66E6F5E0F7A661AA96D -- C:\I386\NETLOGON.DLL
[2009/02/06 14:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB968389\SP2QFE\netlogon.dll
[2009/02/06 14:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB975467\SP2QFE\netlogon.dll
[2004/08/04 00:56:46 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2004/08/04 03:56:44 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\SoftwareDistribution\Download\9ded4ee34a35fced0033d3e152a36e0e\netlogon.dll
[2004/08/04 00:56:46 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\SYSTEM32\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/04 00:56:46 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2004/08/04 03:56:44 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\SoftwareDistribution\Download\9ded4ee34a35fced0033d3e152a36e0e\scecli.dll
[2004/08/04 00:56:46 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\SYSTEM32\scecli.dll
[2002/08/29 06:00:00 | 000,174,592 | ---- | M] (Microsoft Corporation) MD5=97418A5C642A5C748A28BD7CF6860B57 -- C:\I386\SCECLI.DLL
[2008/04/13 20:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[222 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2002/09/03 09:47:18 | 000,094,208 | ---- | M] () -- C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.SAV
[2002/09/03 09:47:18 | 000,602,112 | ---- | M] () -- C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.SAV
[2002/09/03 09:47:18 | 000,380,928 | ---- | M] () -- C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.SAV

< %systemroot%\system32\drivers\*.sys /90 >
[2010/06/28 16:32:16 | 000,028,880 | ---- | M] (ALWIL Software) -- C:\WINDOWS\SYSTEM32\DRIVERS\aavmker4.sys
[2010/06/28 16:32:33 | 000,017,744 | ---- | M] (ALWIL Software) -- C:\WINDOWS\SYSTEM32\DRIVERS\aswFsBlk.sys
[2010/06/28 16:32:42 | 000,094,544 | ---- | M] (ALWIL Software) -- C:\WINDOWS\SYSTEM32\DRIVERS\aswmon.sys
[2010/06/28 16:32:45 | 000,100,176 | ---- | M] (ALWIL Software) -- C:\WINDOWS\SYSTEM32\DRIVERS\aswmon2.sys
[2010/06/28 16:33:13 | 000,023,376 | ---- | M] (ALWIL Software) -- C:\WINDOWS\SYSTEM32\DRIVERS\aswRdr.sys
[2010/06/28 16:37:30 | 000,165,456 | ---- | M] (ALWIL Software) -- C:\WINDOWS\SYSTEM32\DRIVERS\aswSP.sys
[2010/06/28 16:37:52 | 000,046,672 | ---- | M] (ALWIL Software) -- C:\WINDOWS\SYSTEM32\DRIVERS\aswTdi.sys

========== Alternate Data Streams ==========

@Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
@Alternate Data Stream - 105 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:430C6D84
< End of report >

OTL Extras logfile created on: 8/20/2010 8:56:42 AM - Run 1
OTL by OldTimer - Version 3.2.10.0 Folder = C:\Documents and Settings\RICK\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 60.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 77.00% Paging File free
Paging file location(s): C:\pagefile.sys 384 768 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 38.24 Gb Total Space | 11.44 Gb Free Space | 29.92% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
Drive G: | 1397.26 Gb Total Space | 1259.71 Gb Free Space | 90.16% Space Free | Partition Type: NTFS
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: R2D2
Current User Name: RICK
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [!ezcddaxc] -- "C:\Program Files\Easy CD-DA Extractor 10\burn2.exe" "%1" File not found
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe" = C:\Program Files\Microsoft ActiveSync\wcescomm.exe:*:Enabled:Connection Manager -- File not found
"C:\Program Files\LucasArts\Star Wars Battlefront\GameData\Battlefront.exe" = C:\Program Files\LucasArts\Star Wars Battlefront\GameData\Battlefront.exe:*:Enabled:Battlefront -- File not found
"C:\Program Files\Sony\Station\Launchpad\LaunchPad.exe" = C:\Program Files\Sony\Station\Launchpad\LaunchPad.exe:*:Enabled:LaunchPad -- File not found
"C:\Program Files\Sony\Station\Launchpad\_aunchPad.exe" = C:\Program Files\Sony\Station\Launchpad\_aunchPad.exe:*:Enabled:_aunchPad -- File not found
"C:\Program Files\BitTorrent\btdownloadgui.exe" = C:\Program Files\BitTorrent\btdownloadgui.exe:*:Enabled:btdownloadgui -- File not found
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{01F9D88C-3C86-4E82-840A-101A3221F67A}" = Microsoft Money 2003
"{02B42D23-10F2-4862-ADA4-3DF1EA0021B2}" = Microsoft Money 2003 System Pack
"{0456ebd7-5f67-4ab6-852e-63781e3f389c}" = Macromedia Flash Player
"{0CB9668D-F979-4F31-B8B8-67FE90F929F8}" = Bonjour
"{0F6A7971-0F11-4A79-A0E9-133D0963A570}" = ISO Recorder
"{11F1920A-56A2-4642-B6E0-3B31A12C9288}" = Dell Solution Center
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{1B626AE0-EE88-4412-AAC0-FB21995A0C57}" = H&R Block Michigan 2009
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{209DF55F-5E5C-48A3-BC3D-A7CB1224458C}" = HP Print Diagnostic Utility
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java™ 6 Update 17
"{287ECFA4-719A-2143-A09B-D6A12DE54E40}" = Acrobat.com
"{2E471285-BADB-45D2-8762-A29E93E83157}" = Disney Mix Central
"{3248F0A8-6813-11D6-A77B-00B0D0150100}" = J2SE Runtime Environment 5.0 Update 10
"{3248F0A8-6813-11D6-A77B-00B0D0150110}" = J2SE Runtime Environment 5.0 Update 11
"{3248F0A8-6813-11D6-A77B-00B0D0160010}" = Java™ SE Runtime Environment 6 Update 1
"{3248F0A8-6813-11D6-A77B-00B0D0160020}" = Java™ 6 Update 2
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java™ 6 Update 3
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java™ 6 Update 5
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{369B36BE-3D64-4641-9AEA-808D436FE132}" = Microsoft Picture It! Photo 7.0
"{3AC54383-31D1-4907-961B-B12CBB1D0AE8}" = MobileMe Control Panel
"{3D9892BB-A751-4E48-ADC8-E4289956CE1D}" = QuickTime
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = NetWaiting
"{42FE04ED-8E4C-11D5-BA72-0048546FEA44}" = Reading Basics
"{43FCA273-9534-40DB-B7C5-D7758875616A}" = Dell Support
"{4B9F45E8-E3CE-40B4-9463-80A9B3481DEF}" = Banctec Service Agreement
"{4CCC7F68-A437-4559-A840-F5E010934951}" = HP Driver Diagnostics
"{4EF69D40-4DC9-485E-95D3-B1C22F218FC8}" = upapp
"{53A19323-917A-4822-B27E-A57D1EF6E9FC}" = H&R Block Deluxe + Efile + State 2009
"{5E3CFCA6-C95A-47CB-A822-7FA80D423AF2}" = MapSource
"{609F7AC8-C510-11D4-A788-009027ABA5D0}" = Easy CD Creator 5 Basic
"{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}" = Windows Genuine Advantage v1.3.0254.0
"{64116298-93C5-401D-B06C-39D8E3338508}" = DAO
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{68D60342-7686-45C9-B8EB-40EF843D0460}" = Dell Networking Guide
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}" = Microsoft Works 7.0
"{766E4715-B801-46B3-9D91-12288AB88428}" = DB CIF Cam
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX
"{7EE9DE0D-9228-4C33-B80E-FDD1773600DF}" = Microsoft Works Suite Add-in for Microsoft Word
"{7F142D56-3326-11D5-B229-002078017FBF}" = Modem Helper
"{80D8662E-1EAD-4036-844B-0374F39E4C81}" = TaxCut Michigan 2007
"{83d96ed0-98aa-4515-8ddc-816f3efdd104}" = DB CIF Cam
"{85991ED2-010C-4930-96FA-52F43C2CE98A}" = Apple Mobile Device Support
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8FFC924C-ED06-44CB-8867-3CA778ECE903}" = Adobe Help Center 2.0
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90280409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional with FrontPage
"{90D55A3F-1D99-4C94-A77E-46DC14F0BF08}" = Help and Support Customization
"{91F7F3F3-CE80-48C3-8327-7D24A0A5716A}" = iTunes
"{95632566-071E-4A02-92C1-4BD907065736}" = BounceBack Express
"{98DF85D9-96C0-4F57-A92E-C3539477EF5E}" = DVDSentry
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A0F584A7-B0C2-4D90-9580-15456B9CF63C}" = MapSource - Trip & Waypoint Manager v2
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A53AB160-8DC1-11D6-B494-008048C29C40}" = USB CF
"{A790BEB1-BCCF-4EC6-807B-5708B36E8A79}" = Intel® PROSet
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.3
"{B2D328BE-45AD-4D92-96F9-2151490A203E}" = Apple Application Support
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B57A7B53-0662-4AC0-9352-2AE2D8212A9F}" = Garmin Communicator Plugin
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CAE7D1D9-3794-4169-B4DD-964ADBC534EE}" = HP Product Detection
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CF9A795B-2E4A-42D3-A4C4-333D5BF39350}" = TaxCut Premium + State + Efile 2007
"{D3EE034D-5B92-4A55-AA02-2E6D0A6A96EE}" = Windows Resource Kit Tools - SubInAcl.exe
"{D64DCF1C-7A95-49A4-BAFA-C42B5CF6B8B6}" = Works Suite OS Pack
"{D81FBA6E-5492-4C46-BAE3-3A9242C27210}" = TaxCut Basic + Efile 2008
"{E646DCF0-5A68-11D5-B229-002078017FBF}" = Digital Line Detect
"{EBB7C1C1-D439-4D9B-9FDC-954C10F266B0}" = Adobe Photoshop Elements 4.0
"{FC4ED75D-916C-4A8C-BB67-3C6F6E06D62B}" = Banctec Service Agreement
"{FD95ACB4-E09F-4B5A-B976-C7F6FDD2A6F9}" = Mix Central Update
"3rdAdv32.exe" = Third Grade Adventures
"42 Bit Scanner" = 42 Bit Scanner
"4G_1.0" = JumpStart 4th Grade v1.0
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Photoshop Elements 4" = Adobe Photoshop Elements 4.0
"Adobe Shockwave Player" = Adobe Shockwave Player
"Amazon MP3 Downloader" = Amazon MP3 Downloader 1.0.3
"Auto Update" = Auto Update
"avast5" = avast! Free Antivirus
"AviSynth" = AviSynth 2.5
"CloneCD" = CloneCD
"CNXT_MODEM_PCI_VEN_14F1&DEV_2702" = Conexant SmartHSFi V92 56K DF PCI Modem
"ComcastHSI" = Comcast High-Speed Internet Install Wizard
"Coupon Printer for Windows4.0" = Coupon Printer for Windows
"CreataCard Gold 2" = CreataCard Gold 2
"DVD Decrypter" = DVD Decrypter (Remove Only)
"DVD Shrink_is1" = DVD Shrink 3.2
"DVDFab (Platinum/Gold/HD Decrypter) (Option: Mobile) 5_is1" = DVDFab (Platinum/Gold/HD Decrypter) (Option: Mobile) 5.0.7.6
"DVDFab 6_is1" = DVDFab 6.2.2.0 Beta (7/1/2010)
"EasyGPS_is1" = EasyGPS
"ExtractNow_is1" = ExtractNow
"Free Audio CD Burner_is1" = Free Audio CD Burner version 1.2
"Free YouTube to MP3 Converter_is1" = Free YouTube to MP3 Converter version 3.3
"HijackThis" = HijackThis 1.99.1
"hp deskjet 5550 series" = hp deskjet 5550 series (Remove only)
"hp deskjet 5550 series_Driver" = hp deskjet 5550 series
"hp instant support" = hp instant support
"hp print screen utility" = hp print screen utility
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{A0F584A7-B0C2-4D90-9580-15456B9CF63C}" = MapSource - Trip & Waypoint Manager v2
"InterActual Player" = InterActual Player
"JumpStart Advanced 3rd Grade" = JumpStart Advanced 3rd Grade
"LiveUpdate" = LiveUpdate 1.80 (Symantec Corporation)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Monopoly Star Wars" = Monopoly Star Wars
"Move Networks Player_is1" = Move Networks Player for Internet Explorer
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NeroMultiInstaller!UninstallKey" = Nero Suite
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVEContent!UninstallKey" = NeroVision Express Content
"NVIDIA" = NVIDIA Windows 2000/XP Display Drivers
"NVIDIA Display Driver" = NVIDIA Display Driver
"PCFriendly" = PCFriendly
"Pdf995" = Pdf995 (installed by TaxCut)
"PdfEdit995" = PdfEdit995 (installed by TaxCut)
"PROSet" = Intel® PRO Network Adapters and Drivers
"RealPlayer 6.0" = RealPlayer
"Shockwave" = Shockwave
"Spybot - Search & Destroy_is1" = Spybot - Search & Destroy 1.4
"TaxCut Premium 2006" = TaxCut Premium 2006
"tcfm32.exe" = The ClueFinders' Math Ages 9-12
"Uninstall_is1" = Uninstall 1.0.0.1
"Vector Magic" = Vector Magic
"Viewpoint Manager" = Viewpoint Manager (Remove Only)
"WebPost" = Microsoft Web Publishing Wizard 1.52
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WinGimp-2.0_is1" = GIMP 2.6.6
"WinZip" = WinZip
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Works2003Setup" = Microsoft Works 2003 Setup Launcher
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-3316014324-2100270655-3420894276-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"61240c64869513c2" = Napster Download Manager

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 8/12/2010 5:16:42 AM | Computer Name = R2D2 | Source = ESENT | ID = 455
Description = wuaueng.dll (3672) SUS20ClientDataStore: Error -1032 (0xfffffbf8)
occurred while opening logfile C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log.

Error - 8/12/2010 5:16:59 AM | Computer Name = R2D2 | Source = ESENT | ID = 489
Description = wuauclt (3740) An attempt to open the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log"
for read only access failed with system error 32 (0x00000020): "The process cannot
access the file because it is being used by another process. ". The open file
operation will fail with error -1032 (0xfffffbf8).

Error - 8/12/2010 5:16:59 AM | Computer Name = R2D2 | Source = ESENT | ID = 455
Description = wuaueng.dll (3740) SUS20ClientDataStore: Error -1032 (0xfffffbf8)
occurred while opening logfile C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log.

Error - 8/12/2010 5:17:09 AM | Computer Name = R2D2 | Source = ESENT | ID = 489
Description = wuauclt (3740) An attempt to open the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log"
for read only access failed with system error 32 (0x00000020): "The process cannot
access the file because it is being used by another process. ". The open file
operation will fail with error -1032 (0xfffffbf8).

Error - 8/12/2010 5:17:09 AM | Computer Name = R2D2 | Source = ESENT | ID = 455
Description = wuaueng.dll (3740) SUS20ClientDataStore: Error -1032 (0xfffffbf8)
occurred while opening logfile C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log.

Error - 8/12/2010 5:17:28 AM | Computer Name = R2D2 | Source = ESENT | ID = 489
Description = wuauclt (1256) An attempt to open the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log"
for read only access failed with system error 32 (0x00000020): "The process cannot
access the file because it is being used by another process. ". The open file
operation will fail with error -1032 (0xfffffbf8).

Error - 8/12/2010 5:17:28 AM | Computer Name = R2D2 | Source = ESENT | ID = 455
Description = wuaueng.dll (1256) SUS20ClientDataStore: Error -1032 (0xfffffbf8)
occurred while opening logfile C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log.

Error - 8/12/2010 5:17:38 AM | Computer Name = R2D2 | Source = ESENT | ID = 489
Description = wuauclt (1256) An attempt to open the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log"
for read only access failed with system error 32 (0x00000020): "The process cannot
access the file because it is being used by another process. ". The open file
operation will fail with error -1032 (0xfffffbf8).

Error - 8/12/2010 5:17:38 AM | Computer Name = R2D2 | Source = ESENT | ID = 455
Description = wuaueng.dll (1256) SUS20ClientDataStore: Error -1032 (0xfffffbf8)
occurred while opening logfile C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log.

Error - 8/20/2010 8:54:18 AM | Computer Name = R2D2 | Source = Ci | ID = 4128
Description = Error 3221225529 detected in content index on c:\system volume information\catalog.wci.

[ System Events ]
Error - 8/15/2010 7:04:03 PM | Computer Name = R2D2 | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort1, did not respond within the timeout
period.

Error - 8/16/2010 8:06:56 PM | Computer Name = R2D2 | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 8/16/2010 8:06:56 PM | Computer Name = R2D2 | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 8/16/2010 8:08:14 PM | Computer Name = R2D2 | Source = Service Control Manager | ID = 7000
Description = The Upload Manager service failed to start due to the following error:
%%1079

Error - 8/18/2010 7:13:24 PM | Computer Name = R2D2 | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 8/18/2010 7:13:24 PM | Computer Name = R2D2 | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 8/18/2010 7:14:32 PM | Computer Name = R2D2 | Source = Service Control Manager | ID = 7000
Description = The Upload Manager service failed to start due to the following error:
%%1079

Error - 8/20/2010 8:47:01 AM | Computer Name = R2D2 | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 8/20/2010 8:47:01 AM | Computer Name = R2D2 | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 8/20/2010 8:49:00 AM | Computer Name = R2D2 | Source = Service Control Manager | ID = 7000
Description = The Upload Manager service failed to start due to the following error:
%%1079


< End of report >


#4 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,774 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:11:54 PM

Posted 20 August 2010 - 09:36 AM

Hi,

can you please rerun a gmer scan:
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#5 skyvvalker

skyvvalker
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:05:54 PM

Posted 21 August 2010 - 09:10 AM

Ok, this is very frustrating. I disabled avast and my firewall after disconnecting from internet. Ran GMER and it took over 8hrs to scan. The file scan was taking forever. I ended up going to bed before it finished, and when I woke up this morning I clicked on save and the computer froze up. So I did a hard reboot and ran the scan again, but with files unchecked. I clicked save and the computer was VERY slow and never saved the log file. I checked windows manager and saw that lsass.exe was taking up 50% of the processor. I did another hard reboot, ran the scan again and clicked copy. Again comp was slow but got message that txt was copied to clipboard. I opened notepad... comp VERY slow... pasted text, then tried to save. Comp is now frozen again. I'm posting this via a different computer. What now?

#6 skyvvalker

skyvvalker
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:05:54 PM

Posted 21 August 2010 - 09:18 AM

BTW, I just realized that I didn't post the log file from GMER that I ran back on 8/12/2010. It was run w/ file scanning enabled but realtime protection and firewall were enabled. Not sure why it ran ok on the 12th, but doesn't now. Only difference really is the disabled protection. Anyway, here it is... hopefully it will help. Thanks!



GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-08-12 05:11:50
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\RICK\LOCALS~1\Temp\pxtdrpob.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xB89E8CD2]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xB89E8B8E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteKey [0xB89E9142]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xB89E906C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xB89E8764]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xB89E8C68]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xB89E86A4]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xB89E8708]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xB89E8D88]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRenameKey [0xB89E9210]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xB89E8D48]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xB89E8EC8]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0xB89F5B9C]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0xB89F59C0]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0xB89F5AFA]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntoskrnl.exe!ObInsertObject 8056CBBF 5 Bytes JMP B89F2F6C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntoskrnl.exe!NtCreateSection 8056CE25 7 Bytes JMP B89F59C4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntoskrnl.exe!ZwCreateProcessEx 8058AB6C 7 Bytes JMP B89F5BA0 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntoskrnl.exe!ObMakeTemporaryObject 805A80B6 5 Bytes JMP B89F15B4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntoskrnl.exe!ZwLoadDriver 805B9849 7 Bytes JMP B89F5AFE \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
.text C:\WINDOWS\System32\DRIVERS\nv4_mini.sys section is writeable [0xBA18D340, 0x121A5F, 0xF8000020]
.text C:\WINDOWS\System32\nv4_disp.dll section is writeable [0xBF9D6380, 0x25BA81, 0xF8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1164] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 007E000A
.text C:\WINDOWS\System32\svchost.exe[1164] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 007F000A
.text C:\WINDOWS\System32\svchost.exe[1164] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 007D000C
.text C:\WINDOWS\System32\svchost.exe[1164] USER32.dll!GetCursorPos 7E41BD76 5 Bytes JMP 0078000A
.text C:\WINDOWS\System32\svchost.exe[1164] ole32.dll!CoCreateInstance 774FFAC3 5 Bytes JMP 00D6000A
.text C:\WINDOWS\Explorer.EXE[2872] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C8000A
.text C:\WINDOWS\Explorer.EXE[2872] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00D2000A
.text C:\WINDOWS\Explorer.EXE[2872] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00C7000C
.text C:\WINDOWS\system32\wuauclt.exe[4000] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C3000A
.text C:\WINDOWS\system32\wuauclt.exe[4000] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C4000A
.text C:\WINDOWS\system32\wuauclt.exe[4000] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00C2000C

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device A mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device A B4D12C8A

AttachedDevice A fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\Aurigma.ImageUploaderEx.4@ Image Uploader Control
Reg HKLM\SOFTWARE\Classes\Aurigma.ImageUploaderEx.4\CLSID
Reg HKLM\SOFTWARE\Classes\Aurigma.ImageUploaderEx.4\CLSID@ {EDFCB7CB-942C-4822-AF14-F0B687409848}
Reg HKLM\SOFTWARE\Classes\Aurigma.ImageUploaderEx.4\CurVer
Reg HKLM\SOFTWARE\Classes\Aurigma.ImageUploaderEx.4\CurVer@ Aurigma.ImageUploaderEx.4.1
Reg HKLM\SOFTWARE\Classes\Aurigma.ImageUploaderEx.4.1@ Image Uploader Control
Reg HKLM\SOFTWARE\Classes\Aurigma.ImageUploaderEx.4.1\CLSID
Reg HKLM\SOFTWARE\Classes\Aurigma.ImageUploaderEx.4.1\CLSID@ {EDFCB7CB-942C-4822-AF14-F0B687409848}
Reg HKLM\SOFTWARE\Classes\Aurigma.ImageUploaderEx.4.1\Insertable
Reg HKLM\SOFTWARE\Classes\Aurigma.ShellComboEx.4@ Image Uploader ShellCombo Control
Reg HKLM\SOFTWARE\Classes\Aurigma.ShellComboEx.4\CLSID
Reg HKLM\SOFTWARE\Classes\Aurigma.ShellComboEx.4\CLSID@ {8F8F07AD-96BF-4997-9D60-48BA378BD7B0}
Reg HKLM\SOFTWARE\Classes\Aurigma.ShellComboEx.4\CurVer
Reg HKLM\SOFTWARE\Classes\Aurigma.ShellComboEx.4\CurVer@ Aurigma.ShellComboEx.4.1
Reg HKLM\SOFTWARE\Classes\Aurigma.ShellComboEx.4.1@ Image Uploader ShellCombo Control
Reg HKLM\SOFTWARE\Classes\Aurigma.ShellComboEx.4.1\CLSID
Reg HKLM\SOFTWARE\Classes\Aurigma.ShellComboEx.4.1\CLSID@ {8F8F07AD-96BF-4997-9D60-48BA378BD7B0}
Reg HKLM\SOFTWARE\Classes\Aurigma.ThumbnailEx.4@ Image Uploader Thumbnail Control
Reg HKLM\SOFTWARE\Classes\Aurigma.ThumbnailEx.4\CLSID
Reg HKLM\SOFTWARE\Classes\Aurigma.ThumbnailEx.4\CLSID@ {557E20E3-82B9-4B2D-AE7B-BE0910922DA6}
Reg HKLM\SOFTWARE\Classes\Aurigma.ThumbnailEx.4\CurVer
Reg HKLM\SOFTWARE\Classes\Aurigma.ThumbnailEx.4\CurVer@ Aurigma.ThumbnailEx.4.1
Reg HKLM\SOFTWARE\Classes\Aurigma.ThumbnailEx.4.1@ Image Uploader Thumbnail Control
Reg HKLM\SOFTWARE\Classes\Aurigma.ThumbnailEx.4.1\CLSID
Reg HKLM\SOFTWARE\Classes\Aurigma.ThumbnailEx.4.1\CLSID@ {557E20E3-82B9-4B2D-AE7B-BE0910922DA6}
Reg HKLM\SOFTWARE\Classes\Aurigma.UploadPaneEx.4@ Image Uploader Upload Pane Control
Reg HKLM\SOFTWARE\Classes\Aurigma.UploadPaneEx.4\CLSID
Reg HKLM\SOFTWARE\Classes\Aurigma.UploadPaneEx.4\CLSID@ {D0E4C324-8EC3-4D2E-8506-73EC124EA9E5}
Reg HKLM\SOFTWARE\Classes\Aurigma.UploadPaneEx.4\CurVer
Reg HKLM\SOFTWARE\Classes\Aurigma.UploadPaneEx.4\CurVer@ Aurigma.UploadPaneEx.4.1
Reg HKLM\SOFTWARE\Classes\Aurigma.UploadPaneEx.4.1@ Image Uploader Upload Pane Control
Reg HKLM\SOFTWARE\Classes\Aurigma.UploadPaneEx.4.1\CLSID
Reg HKLM\SOFTWARE\Classes\Aurigma.UploadPaneEx.4.1\CLSID@ {D0E4C324-8EC3-4D2E-8506-73EC124EA9E5}
Reg HKLM\SOFTWARE\Classes\HPDeviceDetection2.Device@ Device Class
Reg HKLM\SOFTWARE\Classes\HPDeviceDetection2.Device\CLSID
Reg HKLM\SOFTWARE\Classes\HPDeviceDetection2.Device\CLSID@ {96C42B95-9B5A-4A2F-B1B4-B053AC661851}
Reg HKLM\SOFTWARE\Classes\HPDeviceDetection2.Device\CurVer
Reg HKLM\SOFTWARE\Classes\HPDeviceDetection2.Device\CurVer@ HPDeviceDetection2.Device.1
Reg HKLM\SOFTWARE\Classes\HPDeviceDetection2.Device.1@ Device Class
Reg HKLM\SOFTWARE\Classes\HPDeviceDetection2.Device.1\CLSID
Reg HKLM\SOFTWARE\Classes\HPDeviceDetection2.Device.1\CLSID@ {96C42B95-9B5A-4A2F-B1B4-B053AC661851}
Reg HKLM\SOFTWARE\Classes\HPDeviceDetection2.DeviceCollection@ DeviceCollection Class
Reg HKLM\SOFTWARE\Classes\HPDeviceDetection2.DeviceCollection\CLSID
Reg HKLM\SOFTWARE\Classes\HPDeviceDetection2.DeviceCollection\CLSID@ {1F84CA74-66D3-4C96-A85D-9D79993102D0}
Reg HKLM\SOFTWARE\Classes\HPDeviceDetection2.DeviceCollection\CurVer
Reg HKLM\SOFTWARE\Classes\HPDeviceDetection2.DeviceCollection\CurVer@ HPDeviceDetection2.DeviceCollection.1
Reg HKLM\SOFTWARE\Classes\HPDeviceDetection2.DeviceCollection.1@ DeviceCollection Class
Reg HKLM\SOFTWARE\Classes\HPDeviceDetection2.DeviceCollection.1\CLSID
Reg HKLM\SOFTWARE\Classes\HPDeviceDetection2.DeviceCollection.1\CLSID@ {1F84CA74-66D3-4C96-A85D-9D79993102D0}
Reg HKLM\SOFTWARE\Classes\HPDeviceDetection2.DeviceDetection@ DeviceDetection Class
Reg HKLM\SOFTWARE\Classes\HPDeviceDetection2.DeviceDetection\CLSID
Reg HKLM\SOFTWARE\Classes\HPDeviceDetection2.DeviceDetection\CLSID@ {35464AB0-7C53-4D87-837A-4633CDBF8A7F}
Reg HKLM\SOFTWARE\Classes\HPDeviceDetection2.DeviceDetection\CurVer
Reg HKLM\SOFTWARE\Classes\HPDeviceDetection2.DeviceDetection\CurVer@ HPDeviceDetection2.DeviceDetection.1
Reg HKLM\SOFTWARE\Classes\HPDeviceDetection2.DeviceDetection.1@ DeviceDetection Class
Reg HKLM\SOFTWARE\Classes\HPDeviceDetection2.DeviceDetection.1\CLSID
Reg HKLM\SOFTWARE\Classes\HPDeviceDetection2.DeviceDetection.1\CLSID@ {35464AB0-7C53-4D87-837A-4633CDBF8A7F}
Reg HKLM\SOFTWARE\Classes\HPGMNRev.GMNRev@ GMNRev Class
Reg HKLM\SOFTWARE\Classes\HPGMNRev.GMNRev\CLSID
Reg HKLM\SOFTWARE\Classes\HPGMNRev.GMNRev\CLSID@ {73ECB3AA-4717-450C-A2AB-D00DAD9EE203}
Reg HKLM\SOFTWARE\Classes\HPGMNRev.GMNRev\CurVer
Reg HKLM\SOFTWARE\Classes\HPGMNRev.GMNRev\CurVer@ HPGMNRev.GMNRev.92
Reg HKLM\SOFTWARE\Classes\HPGMNRev.GMNRev.92@ GMNRev Class
Reg HKLM\SOFTWARE\Classes\HPGMNRev.GMNRev.92\CLSID
Reg HKLM\SOFTWARE\Classes\HPGMNRev.GMNRev.92\CLSID@ {73ECB3AA-4717-450C-A2AB-D00DAD9EE203}

---- EOF - GMER 1.0.15 ----


#7 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,774 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:11:54 PM

Posted 25 August 2010 - 02:46 AM

Hi,

that log is looking clean. Are you connecting to the internet through a router? Are there other PCs on the network?

Can you please provide an example of the warning Avast is giving you?

regards myrti



#8 skyvvalker

skyvvalker
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:05:54 PM

Posted 25 August 2010 - 05:33 PM

Ok, so I have not really been using this computer since my attempt to scan over the weekend using GMER. I have been using a laptop (Vista) and another desktop (WinXP), and neither of them are having issues. I just plugged it back into my router today and used google to do a search for bleeping computer. Then, as I was typing this note, a browser window popped up, flashed the following in the address line, and then went to the google homepage: hxxp://cityofsalem.com/key/?qs=74db9a40bc1a5fb4a90b263d738bb703ba5bc04dc2ca90b0cdf342642c89802c774436c7a815e21a04ce69fec72bcba5&t=bleeping+computer

Avast didn't pop up anything when this happened. I had to go into the browser history to get the url listed above. Regarding Avast, here are the recent realtime reports for file system and webshield:

*
* avast! Real-time Shield Scan Report
* This file is generated automatically
*
* Started on: Tuesday, July 06, 2010 4:38:27 PM
*

*
* avast! Real-time Shield Scan Report
* This file is generated automatically
*
* Started on: Tuesday, July 06, 2010 9:34:27 PM
*

*
* avast! Real-time Shield Scan Report
* This file is generated automatically
*
* Started on: Tuesday, July 06, 2010 10:38:17 PM
*

*
* avast! Real-time Shield Scan Report
* This file is generated automatically
*
* Started on: Wednesday, July 07, 2010 8:54:12 AM
*

7/7/2010 9:37:57 AM C:\Documents and Settings\RICK\Local Settings\Temp\EiJD.exe [L] Win32:Trojan-gen (0)
File was successfully moved to chest...
*
* avast! Real-time Shield Scan Report
* This file is generated automatically
*
* Started on: Friday, July 09, 2010 9:31:02 AM
*

*
* avast! Real-time Shield Scan Report
* This file is generated automatically
*
* Started on: Saturday, July 10, 2010 8:34:11 PM
*

*
* avast! Real-time Shield Scan Report
* This file is generated automatically
*
* Started on: Sunday, July 11, 2010 3:57:03 PM
*

*
* avast! Real-time Shield Scan Report
* This file is generated automatically
*
* Started on: Monday, July 12, 2010 5:55:21 PM
*

*
* avast! Real-time Shield Scan Report
* This file is generated automatically
*
* Started on: Tuesday, July 13, 2010 6:43:24 PM
*

*
* avast! Real-time Shield Scan Report
* This file is generated automatically
*
* Started on: Sunday, July 18, 2010 8:17:19 PM
*

*
* avast! Real-time Shield Scan Report
* This file is generated automatically
*
* Started on: Tuesday, July 20, 2010 6:54:05 PM
*

*
* avast! Real-time Shield Scan Report
* This file is generated automatically
*
* Started on: Thursday, July 22, 2010 6:54:55 PM
*

*
* avast! Real-time Shield Scan Report
* This file is generated automatically
*
* Started on: Saturday, July 24, 2010 12:01:47 PM
*

*
* avast! Real-time Shield Scan Report
* This file is generated automatically
*
* Started on: Saturday, July 24, 2010 5:04:17 PM
*

*
* avast! Real-time Shield Scan Report
* This file is generated automatically
*
* Started on: Sunday, July 25, 2010 7:50:27 PM
*

*
* avast! Real-time Shield Scan Report
* This file is generated automatically
*
* Started on: Monday, July 26, 2010 8:30:27 PM
*

*
* avast! Real-time Shield Scan Report
* This file is generated automatically
*
* Started on: Tuesday, July 27, 2010 6:41:30 PM
*

7/27/2010 6:55:11 PM C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\TP42386E\ht[1].htm [L] JS:FakeAV-CH [Trj] (0)
While moving file to chest, error occurred: The process cannot access the file because it is being used by another process
During the file delete, error occurred: The process cannot access the file because it is being used by another process
*
* avast! Real-time Shield Scan Report
* This file is generated automatically
*
* Started on: Friday, July 30, 2010 8:29:30 AM
*

*
* avast! Real-time Shield Scan Report
* This file is generated automatically
*
* Started on: Sunday, August 01, 2010 4:39:02 PM
*

*
* avast! Real-time Shield Scan Report
* This file is generated automatically
*
* Started on: Monday, August 02, 2010 6:35:18 PM
*

*
* avast! Real-time Shield Scan Report
* This file is generated automatically
*
* Started on: Monday, August 02, 2010 7:01:36 PM
*

*
* avast! Real-time Shield Scan Report
* This file is generated automatically
*
* Started on: Tuesday, August 03, 2010 7:08:46 PM
*

*
* avast! Real-time Shield Scan Report
* This file is generated automatically
*
* Started on: Wednesday, August 04, 2010 6:43:26 PM
*

*
* avast! Real-time Shield Scan Report
* This file is generated automatically
*
* Started on: Sunday, August 08, 2010 4:46:24 PM
*

8/8/2010 10:03:51 PM C:\WINDOWS\exe.js [L] VBS:Agent-EP [Trj] (0)
File was successfully moved to chest...
8/9/2010 12:20:18 AM C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\YZ1OY0KU\exemple[1].htm [L] HTML:Downloader-F [Trj] (0)
While moving file to chest, error occurred: The process cannot access the file because it is being used by another process
During the file delete, error occurred: The process cannot access the file because it is being used by another process
*
* avast! Real-time Shield Scan Report
* This file is generated automatically
*
* Started on: Monday, August 09, 2010 12:37:09 PM
*

*
* avast! Real-time Shield Scan Report
* This file is generated automatically
*
* Started on: Tuesday, August 10, 2010 5:31:31 PM
*

8/10/2010 9:55:05 PM C:\Documents and Settings\RICK\Local Settings\Temporary Internet Files\Content.IE5\UYRJUCG1\update[1].exe [L] Win32:SuspBehav-D [Heur] (0)
File was successfully moved to chest...
8/10/2010 9:55:14 PM C:\DOCUME~1\RICK\LOCALS~1\Temp\exe.exe [L] Win32:SuspBehav-D [Heur] (0)
File was successfully moved to chest...
*
* avast! Real-time Shield Scan Report
* This file is generated automatically
*
* Started on: Wednesday, August 11, 2010 5:26:03 PM
*

8/12/2010 1:31:56 AM C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\YZ1OY0KU\exemple[1].htm [L] HTML:Downloader-F [Trj] (0)
While moving file to chest, error occurred: The process cannot access the file because it is being used by another process
During the file delete, error occurred: The process cannot access the file because it is being used by another process
*
* avast! Real-time Shield Scan Report
* This file is generated automatically
*
* Started on: Thursday, August 12, 2010 5:36:16 AM
*

*
* avast! Real-time Shield Scan Report
* This file is generated automatically
*
* Started on: Thursday, August 12, 2010 7:33:13 PM
*

*
* avast! Real-time Shield Scan Report
* This file is generated automatically
*
* Started on: Friday, August 13, 2010 8:29:38 AM
*

*
* avast! Real-time Shield Scan Report
* This file is generated automatically
*
* Started on: Sunday, August 15, 2010 2:22:50 PM
*

*
* avast! Real-time Shield Scan Report
* This file is generated automatically
*
* Started on: Monday, August 16, 2010 8:07:51 PM
*

*
* avast! Real-time Shield Scan Report
* This file is generated automatically
*
* Started on: Wednesday, August 18, 2010 7:13:25 PM
*

*
* avast! Real-time Shield Scan Report
* This file is generated automatically
*
* Started on: Friday, August 20, 2010 8:47:56 AM
*

*
* avast! Real-time Shield Scan Report
* This file is generated automatically
*
* Started on: Friday, August 20, 2010 1:52:19 PM
*


*
* Shield stopped: Friday, August 20, 2010 1:57:33 PM
* Run-time was 5 minute(s), 14 second(s)
*

*
* avast! Real-time Shield Scan Report
* This file is generated automatically
*
* Started on: Monday, August 23, 2010 8:11:45 PM
*

8/10/2010 9:51:28 PM http://lilumy3wxt.com/in.cgi?20&parameter=bank...ned1|>{gzip} [L] HTML:RedirME-inf [Trj] (0)
===================================================================

Also, the Virus Chest has the following files in it:
EiJD.exe transferred on 7/7/2010
exe.exe transferred on 8/10/2010
eze.js transferred on 8/8/2010
update[1].exe transferred on 8/10/2010

====================================================================


Does any of that help?

Edited by myrti, 26 August 2010 - 02:22 AM.
disabled link


#9 skyvvalker

  • Topic Starter
  • Members
  • 21 posts

Posted 25 August 2010 - 06:22 PM

One more thing... before I did the GMER scan this past weekend, I disabled all of my realtime and firewall protections. I noticed that Spybot Teatimer isn't coming up anymore, even though it is enabled in Spybot to run on startup. Any ideas why that might be?

#10 myrti

    Sillyberry
  • Malware Study Hall Admin
  • 33,774 posts

Posted 26 August 2010 - 02:24 AM

Hi,

To re-enable Spybot TeaTimer, please check this:
  1. Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  2. If prompted with a legal dialog, accept the warning.
  3. Click on
  4. Click on
  5. Check this checkbox:
  6. Close/Exit Spybot Search and Destroy

But to be honest, I would think you are better off without it.

Since you explicitly mention your router: do the popups also happen when you connect directly to the internet without the router?

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!


#11 skyvvalker

  • Topic Starter
  • Members
  • 21 posts

Posted 26 August 2010 - 04:55 AM

Well that was the weird thing... I had checked to see if the TeaTimer checkbox was enabled and it was/is. However, if you are not recommending its use, then I guess I won't worry about it.

I haven't tried connecting without the router. I'm curious to know why connecting to the net without the router might mitigate these browser popup/redirects!? Wouldn't that make me more vulnerable?

#12 myrti

    Sillyberry
  • Malware Study Hall Admin
  • 33,774 posts

Posted 26 August 2010 - 05:10 AM

Hi,

I just want to exclude the possibility of your router having been infected and being the one rerouting you to advertisements.

EDIT: The TeaTimer is a registry surveillance tool; it will block all modifications to the registry and prompt you for permission or silently restore the previous setting. This means that once your PC has been infected, TeaTimer will go to a lot of trouble to restore the malicious registry entries over and over again.
It will also go to a lot of trouble to undo the malicious changes normally, but once it has been fooled it is working for the malware. To me it is somewhat of a loose cannon, and it assumes that you will know for all registry entries whether they need to be created or not. That is why I don't recommend using it.

regards myrti

Edited by myrti, 26 August 2010 - 05:13 AM.



#13 skyvvalker

  • Topic Starter
  • Members
  • 21 posts

Posted 26 August 2010 - 05:47 PM

I tried surfing without my router connected, and I was getting many more redirects. So I did some research and found that the hosts file can sometimes be hacked and cause redirects. Below (split into 3 posts) is my hosts file (it is 596kb in size). Does it look normal? What should I do next?

# This MVPS HOSTS file is a free download from: #
# http://www.mvps.org/winhelp2002/ #
# #
# Notes: The Operating System does not read the "#" symbol #
# You can create your own notes, after the # symbol #
# This *must* be the first line: 127.0.0.1 localhost #
# *********************************************************#
# ---------------- Updated: June-03-2010 ------------------#
# *********************************************************#
# #
# Entries with comments are all searchable via Google. #
# #
# Disclaimer: this file is free to use for personal use #
# only. Furthermore it is NOT permitted to copy any of the #
# contents or host on any other site without permission or #
# meeting the full criteria of the below license terms. #
# #
# This work is licensed under the Creative Commons #
# Attribution-NonCommercial-ShareAlike License. #
# http://creativecommons.org/licenses/by-nc-sa/3.0/ #

127.0.0.1 localhost

#start of lines added by WinHelp2002
# [Misc A - Z]

deleted rest of post 8/26/2010 7pm EST

I just realized that this large hosts file is a good thing, as it prevents bad site redirects by sending the page request back to my PC (local host).

So now what!?! Any suggestions? :-)

Edited by skyvvalker, 26 August 2010 - 06:04 PM.
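The question in the post above (is a 596 KB hosts file normal, or has it been hijacked?) can be answered mechanically. The following Python triage script is an added example, not code from the thread or from the MVPS project: a blocklist-style hosts file such as the MVPS one only ever points names at the local machine or at the unspecified address, so any entry that sends a name to some other address is a genuine redirection worth reviewing. The sample hosts text, the RFC 5737 documentation address 198.51.100.23 and the .test hostnames are constructed for the example.

```python
import ipaddress
from typing import NamedTuple

class HostsEntry(NamedTuple):
    line_no: int
    address: str
    hostnames: tuple

# Addresses a blocklist-style hosts file (such as the MVPS file quoted in the
# thread) points names at; anything else is a real redirection of that name.
SINKHOLE = {"127.0.0.1", "0.0.0.0", "::1", "::"}

# Constructed sample input: MVPS-style lines plus one hypothetical hijack line
# (RFC 5737 documentation address, .test names) to show what gets flagged.
SAMPLE_HOSTS = """\
# This MVPS HOSTS file is a free download from: #
127.0.0.1 localhost

#start of lines added by WinHelp2002
127.0.0.1 fr.a2dfp.net
127.0.0.1 ad.a8.net
0.0.0.0 ads.active.com
127.0.0.1 www.aconti.net #[Dialer.Aconti]
198.51.100.23 www.example-bank.test update.example-antivirus.test
"""

def parse_hosts(text: str) -> list:
    """Parse hosts-file text into entries; comments and blank lines are skipped."""
    entries = []
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # the OS ignores text after '#'
        fields = line.split()
        if len(fields) < 2:
            continue  # blank, comment-only, or an address with no hostname
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address; do not guess
        entries.append(HostsEntry(n, fields[0], tuple(h.lower() for h in fields[1:])))
    return entries

def triage(text: str) -> dict:
    """Separate harmless sinkhole entries from entries that redirect a name elsewhere."""
    entries = parse_hosts(text)
    redirects = [e for e in entries if e.address not in SINKHOLE]
    first_ok = bool(entries) and (entries[0].address, entries[0].hostnames) == ("127.0.0.1", ("localhost",))
    return {"entries": len(entries), "sinkholed": len(entries) - len(redirects),
            "redirects": redirects, "localhost_first": first_ok}
```

On Windows XP the file to feed in is C:\WINDOWS\system32\drivers\etc\hosts; for an unmodified MVPS install the redirects list comes back empty and localhost_first is true.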


#14 skyvvalker

  • Topic Starter
  • Members
  • 21 posts

Posted 26 August 2010 - 05:49 PM

deleted post 8/26/2010 7pm EST

Edited by skyvvalker, 26 August 2010 - 06:00 PM.


#15 skyvvalker

  • Topic Starter
  • Members
  • 21 posts

Posted 26 August 2010 - 05:51 PM

deleted post 8/26/2010 7pm EST

Edited by skyvvalker, 26 August 2010 - 06:00 PM.




