
Computer is getting out of control


This topic is locked
20 replies to this topic

#1 caappold

caappold

  • Members
  • 33 posts
  • OFFLINE
  • Local time:04:30 PM

Posted 29 August 2010 - 10:41 PM

My computer has been acting pretty weird as of late and I cannot find the problem. It has slowed down a lot, we are getting a lot of pop ups even when not using the internet, a few programs do not want to run at all, and my windows explorer crashes every time I try to use it. I have run Ad-aware, Malwarebytes, and AVG scans and they aren't finding the issues. HijackThis is also having an error anytime that I run it. It still finishes, but asks me to report the error every time. Here is my log. Thanks for any and all help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:39:46 PM, on 8/29/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Acer\Acer eConsole\MediaServerService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Orbitdownloader\orbitdm.exe
C:\Program Files\Orbitdownloader\orbitnet.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TivoTransfer] "C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" /service /registry /auto:TivoTransfer
O4 - HKCU\..\Run: [TivoNotify] "C:\Program Files\TiVo\Desktop\TiVoNotify.exe" /service /registry /auto:TivoNotify
O4 - HKCU\..\Run: [TivoServer] "C:\Program Files\TiVo\Desktop\TiVoServer.exe" /service /registry /auto:TivoServer
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [SWHelper] "C:\WINDOWS\system32\Macromed\Shockwave 10\PostUpdate.exe" 1013018 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Orbit.lnk
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://oldnavy.gap.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1278797593018
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {BAC761D3-DFFD-4DB4-A01D-173346E090A7} (CPlayFirstzenerchiControl Object) - http://clubgames.pogo.com/online2/pogo/zen...eb.1.0.0.10.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/Facebo...Uploader4_5.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Acer Media Server - Acer Inc. - C:\Program Files\Acer\Acer eConsole\MediaServerService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Pinnacle Systems - c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
O23 - Service: Pml Driver HPZ12 - Unknown owner - C:\WINDOWS\system32\HPZipm12.exe (file missing)
O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe

--
End of file - 6725 bytes

Edit: My computer has SVCHOST running at 99 when bringing the computer off the screen saver or from sleeping. Also the pop ups are mostly google work from home type or something similar to what I was actually looking for, i.e. looking at Bleepingcomputer.com and virus removal stuff comes up.

Here is the updated log from the new HijackThis.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:23:33 AM, on 8/30/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Acer\Acer eConsole\MediaServerService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Orbitdownloader\orbitdm.exe
C:\Program Files\Orbitdownloader\orbitnet.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TivoTransfer] "C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" /service /registry /auto:TivoTransfer
O4 - HKCU\..\Run: [TivoNotify] "C:\Program Files\TiVo\Desktop\TiVoNotify.exe" /service /registry /auto:TivoNotify
O4 - HKCU\..\Run: [TivoServer] "C:\Program Files\TiVo\Desktop\TiVoServer.exe" /service /registry /auto:TivoServer
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [SWHelper] "C:\WINDOWS\system32\Macromed\Shockwave 10\PostUpdate.exe" 1013018 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Orbit.lnk
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://oldnavy.gap.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1278797593018
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {BAC761D3-DFFD-4DB4-A01D-173346E090A7} (CPlayFirstzenerchiControl Object) - http://clubgames.pogo.com/online2/pogo/zen...eb.1.0.0.10.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/Facebo...Uploader4_5.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Acer Media Server - Acer Inc. - C:\Program Files\Acer\Acer eConsole\MediaServerService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Pinnacle Systems - c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
O23 - Service: Pml Driver HPZ12 - Unknown owner - C:\WINDOWS\system32\HPZipm12.exe (file missing)
O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe

--
End of file - 7081 bytes

EDIT: Posts merged ~BP

Edited by Budapest, 30 August 2010 - 04:15 PM.
Moved from XP ~BP
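The two HijackThis logs above share one line shape per section ("O23 - Service: ... - path"), and a handful of those lines are the ones a helper looks at first: entries whose file is reported missing, O15 Trusted Zone additions, and O16 ActiveX (DPF) entries with no descriptive name. As an added example that is not code from this thread or from Trend Micro's HijackThis, the Python below parses that line shape and groups and flags entries. The flag names and heuristics are my own (not HijackThis terminology), the sample lines are copied from the logs above, and the user-profile startup check is a generalisation beyond what this particular log contains.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# HijackThis section lines look like "<code> - <body>", e.g.
# "O23 - Service: Pml Driver HPZ12 - Unknown owner - C:\WINDOWS\system32\HPZipm12.exe (file missing)".
LINE_RE = re.compile(r"^(?P<code>[RO]\d{1,2}) - (?P<body>.+)$")
# Registry-style {CLSID} used by BHO, toolbar, O9 and O16 entries.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# First Windows path (drive letter or %VAR% prefix) ending in a binary/archive extension.
PATH_RE = re.compile(r'(?:[A-Za-z]:\\|%\w+%\\)[^"]*?\.(?:exe|dll|sys|cab|lnk)\b', re.IGNORECASE)


@dataclass
class Entry:
    code: str
    body: str
    clsid: Optional[str]
    path: Optional[str]
    flags: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Parse one log line; returns None for header/blank lines that are not section entries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    clsid_m = CLSID_RE.search(body)
    path_m = PATH_RE.search(body)
    entry = Entry(code, body, clsid_m.group(0) if clsid_m else None,
                  path_m.group(0) if path_m else None)
    # Heuristic flags (my naming): things a reviewer would want surfaced first.
    if code == "O15":
        entry.flags.append("trusted-zone")          # site added to IE's Trusted Zone
    if code == "O16" and ") - " not in body:
        entry.flags.append("unnamed-dpf")           # ActiveX control with no friendly name
    if "(file missing)" in body:
        entry.flags.append("file-missing")          # registered component whose file is gone
    if code == "O4" and entry.path and re.search(r"\\Documents and Settings\\|\\Users\\", entry.path, re.I):
        entry.flags.append("startup-from-user-profile")  # autorun living under a user profile
    return entry


def triage(log_text: str) -> Dict[str, List[Entry]]:
    """Group every parsed entry by its section code (O2, O4, O16, ...)."""
    by_code: Dict[str, List[Entry]] = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry:
            by_code[entry.code].append(entry)
    return dict(by_code)


def flagged(log_text: str) -> List[Tuple[str, str, str]]:
    """Flat list of (code, flag, body) for every flagged entry, in log order."""
    return [(e.code, f, e.body)
            for entries in triage(log_text).values()
            for e in entries
            for f in e.flags]


# Constructed excerpt: lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.4
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O15 - Trusted Zone: http://oldnavy.gap.com
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O23 - Service: Pml Driver HPZ12 - Unknown owner - C:\WINDOWS\system32\HPZipm12.exe (file missing)
"""

if __name__ == "__main__":
    for code, entries in triage(SAMPLE_LOG).items():
        print(f"{code}: {len(entries)} entries")
    for code, flag, body in flagged(SAMPLE_LOG):
        print(f"[{flag}] {code} - {body}")
```

The flags are prompts for a human reviewer, not verdicts: a Trusted Zone entry or a missing file is often benign (the O20 line above is AVG's own notifier, and the O23 line is an orphaned HP printer service), but these are the lines worth explaining first when reading someone else's log.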



#2 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:09:30 PM

Posted 04 September 2010 - 06:39 AM

Hello caappold, my name is Syler and I will be helping you to solve your malware issues. Sorry for the delay in replying, we are very busy at the moment.

Please note, because we are very busy, if I don't hear from you within 5 days the topic will be closed. If you have since resolved your issues I would appreciate it if you would let me know so I can close this topic.



Scan With RKUnHooker
  • Please download Rootkit Unhooker and save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check all of the boxes, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note: you may get this warning; it is OK, just ignore it:

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"




We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
    Under the Custom Scans/Fixes box at the bottom, paste in the following bold text.
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\*. /mp /s
    %SYSTEMDRIVE%\*.exe
    netsvcs
    msconfig
    drivers32
    CREATERESTOREPOINT

  5. Push the button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized


Then please post back here with the following logs:
  • RKUnHooker report
  • OTL.txt
  • Extra.txt

Thanks



#3 caappold

caappold
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  • Local time:04:30 PM

Posted 04 September 2010 - 08:48 AM

Thanks again for all of your help. I have one other thing that could be completely unrelated, but my wife's Facebook got hacked and my "active desktop" is not working. Not a huge deal but hopefully this will all clear that up too.

Here are the logs:

RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #1
==============================================
>SSDT State
==============================================
ntkrnlpa.exe-->NtCreateKey, Type: Address change 0x8061A312-->F766087E [Lbd.sys]
ntkrnlpa.exe-->NtSetValueKey, Type: Address change 0x80618898-->F7660BFE [Lbd.sys]
==============================================
>Shadow
==============================================
==============================================
>Processes
==============================================
0x861C6A00 [4] System
0x852A05C0 [232] C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe (TiVo Inc., TiVo Beacon Service Process)
0x852C2AB0 [300] C:\WINDOWS\System32\CTFMON.EXE (Microsoft Corporation, CTF Loader)
0x8529C948 [348] C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe (TiVo Inc., TiVo Transfer Service Process)
0x852AA500 [372] C:\Program Files\TiVo\Desktop\TiVoNotify.exe (TiVo Inc., TiVo Notify Service Process)
0x852769E0 [468] C:\Program Files\TiVo\Desktop\TiVoServer.exe (TiVo Inc., TiVo Server Service Process)
0x857F2788 [588] C:\Program Files\Acer\Acer eConsole\MediaServerService.exe (Acer Inc., Acer UPnP Media Server Service)
0x861063C0 [628] C:\WINDOWS\System32\SMSS.EXE (Microsoft Corporation, Windows NT Session Manager)
0x85254BE8 [676] C:\Program Files\Pinnacle\Shared Files\Programs\MediaServer\PMSHost.exe (Pinnacle Systems, Media Server Host)
0x857DB788 [684] C:\Program Files\AVG\AVG8\AVGWDSVC.EXE (AVG Technologies CZ, s.r.o., AVG Watchdog Service)
0x856896E8 [704] C:\WINDOWS\System32\CSRSS.EXE (Microsoft Corporation, Client Server Runtime Process)
0x856856E8 [728] C:\WINDOWS\System32\WINLOGON.EXE (Microsoft Corporation, Windows NT Logon Application)
0x85063020 [752] C:\Documents and Settings\Owner\Desktop\RKUnhookerLE.EXE (UG North, RKULE, SR2 Normandy)
0x8567D6E8 [776] C:\WINDOWS\System32\SERVICES.EXE (Microsoft Corporation, Services and Controller app)
0x8567C6E8 [788] C:\WINDOWS\System32\LSASS.EXE (Microsoft Corporation, LSA Shell (Export Version))
0x857D4788 [916] C:\WINDOWS\EXPLORER.EXE (Microsoft Corporation, Windows Explorer)
0x85992788 [948] C:\WINDOWS\System32\SVCHOST.EXE (Microsoft Corporation, Generic Host Process for Win32 Services)
0x858066C8 [984] C:\Program Files\Orbitdownloader\orbitnet.exe (Orbitdownloader.com, P2P service of Orbit Downloader)
0x85994788 [1008] C:\WINDOWS\System32\SVCHOST.EXE (Microsoft Corporation, Generic Host Process for Win32 Services)
0x851DD800 [1080] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe (Lavasoft, Ad-Aware Tray Application)
0x85349DA0 [1136] C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\SQLSERVR.EXE (Microsoft Corporation, SQL Server Windows NT)
0x8596E788 [1152] C:\WINDOWS\System32\SVCHOST.EXE (Microsoft Corporation, Generic Host Process for Win32 Services)
0x85929788 [1280] C:\WINDOWS\System32\SVCHOST.EXE (Microsoft Corporation, Generic Host Process for Win32 Services)
0x8530E448 [1316] C:\WINDOWS\System32\NVSVC32.EXE (NVIDIA Corporation, NVIDIA Driver Helper Service, Version 81.95)
0x858F0788 [1452] C:\WINDOWS\System32\SVCHOST.EXE (Microsoft Corporation, Generic Host Process for Win32 Services)
0x85351458 [1560] C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation, Internet Explorer)
0x85887788 [1708] C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft, Ad-Aware Service Application)
0x85824788 [1800] C:\WINDOWS\System32\SPOOLSV.EXE (Microsoft Corporation, Spooler SubSystem App)
0x85243020 [1928] C:\Program Files\Orbitdownloader\orbitdm.exe (Orbitdownloader.com, Orbit Downloader)
0x852BF440 [1932] C:\Program Files\AVG\AVG8\AVGTRAY.EXE (AVG Technologies CZ, s.r.o., AVG Tray Monitor)
0x852ECA08 [1952] C:\WINDOWS\System32\SVCHOST.EXE (Microsoft Corporation, Generic Host Process for Win32 Services)
0x85362588 [2452] C:\Program Files\AVG\AVG8\AVGRSX.EXE (AVG Technologies CZ, s.r.o., AVG Resident Shield Service)
0x853D8550 [2848] C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation, Internet Explorer)
0x85233620 [3380] C:\WINDOWS\System32\WBEM\unsecapp.exe (Microsoft Corporation, WMI)
0x853CFDA0 [3592] C:\WINDOWS\System32\WBEM\wmiprvse.exe (Microsoft Corporation, WMI)
0x860ECDA0 [3656] C:\WINDOWS\System32\alg.exe (Microsoft Corporation, Application Layer Gateway Service)
==============================================
>Drivers
==============================================
0xBE012000 C:\WINDOWS\System32\nv4_disp.dll 3928064 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Display driver, Version 81.95 )
0xF6AA4000 C:\WINDOWS\system32\drivers\ALCXWDM.SYS 3731456 bytes (Realtek Semiconductor Corp., Realtek AC'97 Audio Driver (WDM))
0xF6FC4000 C:\WINDOWS\system32\DRIVERS\nv4_mini.sys 3534848 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Miniport Driver, Version 81.95 )
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2066048 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2066048 bytes
0x804D7000 RAW 2066048 bytes
0x804D7000 WMIxWDM 2066048 bytes
0xBF800000 Win32k 1847296 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1847296 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xF6E33000 C:\WINDOWS\system32\DRIVERS\AGRSM.sys 1269760 bytes (Agere Systems, SoftModem Device Driver)
0xF3F68000 C:\WINDOWS\System32\Drivers\Ntfs.SYS 577536 bytes (Microsoft Corporation, NT File System Driver)
0xF40BC000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xF689D000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xF4269000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xB9065000 C:\WINDOWS\system32\DRIVERS\srv.sys 335872 bytes (Microsoft Corporation, Server driver)
0xF4045000 C:\WINDOWS\System32\Drivers\avgldx86.sys 331776 bytes (AVG Technologies CZ, s.r.o., AVG AVI Loader Driver)
0xF6A36000 C:\WINDOWS\system32\DRIVERS\NVNRM.SYS 303104 bytes (NVIDIA Corporation, NVIDIA Network Resource Manager.)
0xB891C000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xF69FF000 C:\WINDOWS\system32\DRIVERS\NVSNPU.SYS 225280 bytes (NVIDIA Corporation, NVIDIA Networking Soft-NPU Driver.)
0xF74C1000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xB91E0000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xF73DF000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xB6470000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xF4154000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xF4241000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xF4096000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xF7423000 Fastfat.sys 147456 bytes (Microsoft Corporation, Fast FAT File System Driver)
0xF6A80000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xF6F8C000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xF6F69000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xF421F000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x806D0000 ACPI_HAL 131840 bytes
0x806D0000 C:\WINDOWS\system32\hal.dll 131840 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xF7459000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xF7491000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xF73C5000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xF7479000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xF740C000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xF69AC000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xB95BA000 C:\WINDOWS\system32\DRIVERS\irda.sys 90112 bytes (Microsoft Corporation, IRDA Protocol Driver)
0xB9375000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xF69C3000 C:\WINDOWS\system32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)
0xF6FB0000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xF42C2000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xBE000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xF7447000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xB90DF000 C:\Acer\Empowering Technology\eRecovery\int15.sys 69632 bytes
0xF74B0000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xF68FB000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xF695C000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xF76C0000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xF76E0000 C:\WINDOWS\system32\DRIVERS\nic1394.sys 65536 bytes (Microsoft Corporation, IEEE1394 Ndis Miniport and Call Manager)
0xF7600000 ohci1394.sys 65536 bytes (Microsoft Corporation, 1394 OpenHCI Port Driver)
0xF7700000 C:\WINDOWS\system32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
0xF7810000 C:\WINDOWS\system32\DRIVERS\arp1394.sys 61440 bytes (Microsoft Corporation, IP/1394 Arp Client)
0xF76F0000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xF7660000 Lbd.sys 61440 bytes (Lavasoft AB, Boot Driver)
0xF76D0000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xB94E2000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xF77A0000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xF7610000 C:\WINDOWS\system32\DRIVERS\1394BUS.SYS 57344 bytes (Microsoft Corporation, 1394 Bus Device Driver)
0xF76A0000 C:\WINDOWS\system32\DRIVERS\AmdK8.sys 57344 bytes (Advanced Micro Devices, AMD Processor Driver)
0xF7650000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xF7710000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xF7720000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xF7630000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xF7760000 C:\WINDOWS\System32\Drivers\Pcouffin.sys 49152 bytes (VSO Software, Patin-Couffin low level access layer for CD devices)
0xF7740000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xF77F0000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xF76B0000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xF7620000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xF7730000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xF75F0000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xF7790000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xF7770000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xF7640000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xF7750000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xF77D0000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xB8B15000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xF77C0000 C:\WINDOWS\system32\DRIVERS\NVENETFD.sys 36864 bytes (NVIDIA Corporation, NVIDIA Networking Function Driver.)
0xF7670000 PxHelp20.sys 36864 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0xF7800000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xF78D8000 C:\WINDOWS\system32\drivers\Afc.sys 32768 bytes (Arcsoft, Inc., Arcsoft® ASPI Shell)
0xF78D0000 C:\WINDOWS\system32\drivers\ASAPIW2k.sys 32768 bytes (Pinnacle Systems GmbH, ASAPI)
0xF78E8000 C:\WINDOWS\System32\Drivers\Modem.SYS 32768 bytes (Microsoft Corporation, Modem Device Driver)
0xF7948000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xF78C0000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xF78F0000 C:\WINDOWS\system32\DRIVERS\fdc.sys 28672 bytes (Microsoft Corporation, Floppy Disk Controller Driver)
0xF78E0000 C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys 28672 bytes (GEAR Software Inc., CD/DVD Class Filter Driver)
0xF7870000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xF79C0000 C:\WINDOWS\system32\DRIVERS\usbprint.sys 28672 bytes (Microsoft Corporation, USB Printer driver)
0xF79A8000 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 28672 bytes (Microsoft Corporation, USB Mass Storage Class Driver)
0xF78C8000 C:\WINDOWS\System32\Drivers\AnyDVD.sys 24576 bytes (SlySoft, Inc., Watch & copy any DVD!)
0xF7950000 C:\WINDOWS\System32\Drivers\avgmfx86.sys 24576 bytes (AVG Technologies CZ, s.r.o., AVG Resident Shield Minifilter Driver)
0xF7900000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xF78F8000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xF7938000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xF7940000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xF7878000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xF7918000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xF7908000 C:\WINDOWS\system32\DRIVERS\rasirda.sys 20480 bytes (Microsoft Corporation, IrDA WAN Miniport Driver)
0xF7920000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xF7910000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xF78B8000 C:\WINDOWS\system32\DRIVERS\usbohci.sys 20480 bytes (Microsoft Corporation, OHCI USB Miniport Driver)
0xF79E8000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xF7AD8000 C:\WINDOWS\system32\drivers\MODEMCSA.sys 16384 bytes (Microsoft Corporation, Unimodem CSA Filter)
0xF7AB4000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xB96D0000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xF7A9C000 C:\WINDOWS\system32\DRIVERS\nvnetbus.sys 16384 bytes (NVIDIA Corporation, NVIDIA Networking Bus Driver.)
0xF738D000 C:\WINDOWS\system32\drivers\pclepci.sys 16384 bytes (Pinnacle Systems GmbH, PCLEPCI)
0xF7AA0000 C:\WINDOWS\system32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
0xF7A90000 C:\WINDOWS\System32\Drivers\UBHelper.SYS 16384 bytes
0xF7A00000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xF69E3000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xB9231000 C:\WINDOWS\System32\Drivers\ElbyCDIO.sys 12288 bytes (Elaborate Bytes AG, ElbyCD Windows NT/2000/XP I/O driver)
0xF7AA8000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xF7AEC000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xF7AFE000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xF7AFC000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xF7AF0000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xF7B00000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xF7AF6000 C:\WINDOWS\system32\DRIVERS\NTIDrvr.sys 8192 bytes (NewTech Infosystems, Inc., NTI CD-ROM Filter Driver)
0xF7B02000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xF7AF8000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xF7AFA000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xF7AF2000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xF7C62000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xF7CBF000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xF7C57000 C:\WINDOWS\System32\Drivers\ElbyDelay.sys 4096 bytes (Elaborate Bytes, Elby Delay Lower Filter Driver)
0xF7CA3000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xF7BB8000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
!!!!!!!!!!!Hidden driver: 0x85D0CAEA ?_empty_? 1302 bytes
!!!!!!!!!!!Hidden driver: 0x85F5A2E0 ?_empty_? 0 bytes
==============================================
>Stealth
==============================================
0xF7479000 WARNING: suspicious driver modification [atapi.sys::0x85D0CAEA]
0xF76C0000 WARNING: Virus alike driver modification [cdrom.sys], 65536 bytes
==============================================
>Files
==============================================
!-->[Hidden] C:\Documents and Settings\NetworkService\Cookies\system@adbrite[1].txt
!-->[Hidden] C:\Documents and Settings\NetworkService\Cookies\system@adxpose[1].txt
!-->[Hidden] C:\Documents and Settings\NetworkService\Cookies\system@amgdgt[1].txt
!-->[Hidden] C:\Documents and Settings\NetworkService\Cookies\system@meviomusic.mevio[1].txt
!-->[Hidden] C:\Documents and Settings\NetworkService\Cookies\system@mevio[2].txt
!-->[Hidden] C:\Documents and Settings\NetworkService\Cookies\system@mmismm[1].txt
!-->[Hidden] C:\Documents and Settings\NetworkService\Cookies\system@qlkrs[1].txt
!-->[Hidden] C:\Documents and Settings\NetworkService\Cookies\system@realmedia[2].txt
!-->[Hidden] C:\Documents and Settings\NetworkService\Cookies\system@rubiconproject[3].txt
!-->[Hidden] C:\Documents and Settings\NetworkService\Cookies\system@yumenetworks[2].txt
!-->[Hidden] C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\9UNCAX41\1565661433@x15[1]
!-->[Hidden] C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\9UNCAX41\afr[1].php
!-->[Hidden] C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\9UNCAX41\hairbangersball-247177-09-03-2010[1].flv
!-->[Hidden] C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\JIWKALDL\1283438295[1].swf
!-->[Hidden] C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\K1Q12MD8\pixel[1].gif
!-->[Hidden] C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\WZVWLQ0B\1283438295[1]
!-->[Hidden] C:\WINDOWS\Temp\fla7F.tmp
==============================================
>Hooks
==============================================
ntkrnlpa.exe+0x0002AC40, Type: Inline - RelativeJump 0x80501C40-->80501C4E [ntkrnlpa.exe]
ntkrnlpa.exe+0x0006AA6A, Type: Inline - RelativeJump 0x80541A6A-->80541A71 [ntkrnlpa.exe]
[1152]SVCHOST.EXE-->mswsock.dll+0x00004057, Type: Inline - RelativeJump 0x71A54057-->00000000 [unknown_code_page]
[1152]SVCHOST.EXE-->mswsock.dll+0x0000433A, Type: Inline - RelativeJump 0x71A5433A-->00000000 [unknown_code_page]
[1152]SVCHOST.EXE-->mswsock.dll+0x00005847, Type: Inline - RelativeJump 0x71A55847-->00000000 [unknown_code_page]
[1152]SVCHOST.EXE-->ntdll.dll-->KiUserExceptionDispatcher, Type: Inline - RelativeJump 0x7C90E45C-->00000000 [unknown_code_page]
[1152]SVCHOST.EXE-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x7C90D6D0-->00000000 [unknown_code_page]
[1152]SVCHOST.EXE-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - RelativeJump 0x7C90DF90-->00000000 [unknown_code_page]
[1152]SVCHOST.EXE-->user32.dll-->GetCursorPos, Type: Inline - RelativeJump 0x7E41BD76-->00000000 [unknown_code_page]
[1560]IEXPLORE.EXE-->mswsock.dll+0x00004057, Type: Inline - RelativeJump 0x71A54057-->00000000 [unknown_code_page]
[1560]IEXPLORE.EXE-->mswsock.dll+0x0000433A, Type: Inline - RelativeJump 0x71A5433A-->00000000 [unknown_code_page]
[1560]IEXPLORE.EXE-->mswsock.dll+0x00005847, Type: Inline - RelativeJump 0x71A55847-->00000000 [unknown_code_page]
[1560]IEXPLORE.EXE-->ntdll.dll-->KiUserExceptionDispatcher, Type: Inline - RelativeJump 0x7C90E45C-->00000000 [unknown_code_page]
[1560]IEXPLORE.EXE-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x7C90D6D0-->00000000 [unknown_code_page]
[1560]IEXPLORE.EXE-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - RelativeJump 0x7C90DF90-->00000000 [unknown_code_page]
[1560]IEXPLORE.EXE-->user32.dll-->CreateWindowExW, Type: Inline - RelativeJump 0x7E41FC25-->00000000 [ieframe.dll]
[1560]IEXPLORE.EXE-->user32.dll-->DialogBoxIndirectParamA, Type: Inline - RelativeJump 0x7E456B50-->00000000 [ieframe.dll]
[1560]IEXPLORE.EXE-->user32.dll-->DialogBoxIndirectParamW, Type: Inline - RelativeJump 0x7E432032-->00000000 [ieframe.dll]
[1560]IEXPLORE.EXE-->user32.dll-->DialogBoxParamA, Type: Inline - RelativeJump 0x7E43B10C-->00000000 [ieframe.dll]
[1560]IEXPLORE.EXE-->user32.dll-->DialogBoxParamW, Type: Inline - RelativeJump 0x7E42555F-->00000000 [ieframe.dll]
[1560]IEXPLORE.EXE-->user32.dll-->MessageBoxExA, Type: Inline - RelativeJump 0x7E4505FC-->00000000 [ieframe.dll]
[1560]IEXPLORE.EXE-->user32.dll-->MessageBoxExW, Type: Inline - RelativeJump 0x7E4505D8-->00000000 [ieframe.dll]
[1560]IEXPLORE.EXE-->user32.dll-->MessageBoxIndirectA, Type: Inline - RelativeJump 0x7E43A04A-->00000000 [ieframe.dll]
[1560]IEXPLORE.EXE-->user32.dll-->MessageBoxIndirectW, Type: Inline - RelativeJump 0x7E4662AB-->00000000 [ieframe.dll]
[2848]IEXPLORE.EXE-->mswsock.dll+0x00004057, Type: Inline - RelativeJump 0x71A54057-->00000000 [unknown_code_page]
[2848]IEXPLORE.EXE-->mswsock.dll+0x0000433A, Type: Inline - RelativeJump 0x71A5433A-->00000000 [unknown_code_page]
[2848]IEXPLORE.EXE-->mswsock.dll+0x00005847, Type: Inline - RelativeJump 0x71A55847-->00000000 [unknown_code_page]
[2848]IEXPLORE.EXE-->ntdll.dll-->KiUserExceptionDispatcher, Type: Inline - RelativeJump 0x7C90E45C-->00000000 [unknown_code_page]
[2848]IEXPLORE.EXE-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x7C90D6D0-->00000000 [unknown_code_page]
[2848]IEXPLORE.EXE-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - RelativeJump 0x7C90DF90-->00000000 [unknown_code_page]
[2848]IEXPLORE.EXE-->user32.dll-->CallNextHookEx, Type: Inline - RelativeJump 0x7E41F85B-->00000000 [ieframe.dll]
[2848]IEXPLORE.EXE-->user32.dll-->CreateWindowExW, Type: Inline - RelativeJump 0x7E41FC25-->00000000 [ieframe.dll]
[2848]IEXPLORE.EXE-->user32.dll-->DialogBoxIndirectParamA, Type: Inline - RelativeJump 0x7E456B50-->00000000 [ieframe.dll]
[2848]IEXPLORE.EXE-->user32.dll-->DialogBoxIndirectParamW, Type: Inline - RelativeJump 0x7E432032-->00000000 [ieframe.dll]
[2848]IEXPLORE.EXE-->user32.dll-->DialogBoxParamA, Type: Inline - RelativeJump 0x7E43B10C-->00000000 [ieframe.dll]
[2848]IEXPLORE.EXE-->user32.dll-->DialogBoxParamW, Type: Inline - RelativeJump 0x7E42555F-->00000000 [ieframe.dll]
[2848]IEXPLORE.EXE-->user32.dll-->MessageBoxExA, Type: Inline - RelativeJump 0x7E4505FC-->00000000 [ieframe.dll]
[2848]IEXPLORE.EXE-->user32.dll-->MessageBoxExW, Type: Inline - RelativeJump 0x7E4505D8-->00000000 [ieframe.dll]
[2848]IEXPLORE.EXE-->user32.dll-->MessageBoxIndirectA, Type: Inline - RelativeJump 0x7E43A04A-->00000000 [ieframe.dll]
[2848]IEXPLORE.EXE-->user32.dll-->MessageBoxIndirectW, Type: Inline - RelativeJump 0x7E4662AB-->00000000 [ieframe.dll]
[2848]IEXPLORE.EXE-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x7E42DDB5-->00000000 [ieframe.dll]
[2848]IEXPLORE.EXE-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x7E41F21E-->00000000 [ieframe.dll]
[916]EXPLORER.EXE-->mswsock.dll+0x00004057, Type: Inline - RelativeJump 0x71A54057-->00000000 [unknown_code_page]
[916]EXPLORER.EXE-->mswsock.dll+0x0000433A, Type: Inline - RelativeJump 0x71A5433A-->00000000 [unknown_code_page]
[916]EXPLORER.EXE-->mswsock.dll+0x00005847, Type: Inline - RelativeJump 0x71A55847-->00000000 [unknown_code_page]
[916]EXPLORER.EXE-->ntdll.dll-->KiUserExceptionDispatcher, Type: Inline - RelativeJump 0x7C90E45C-->00000000 [unknown_code_page]
[916]EXPLORER.EXE-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x7C90D6D0-->00000000 [unknown_code_page]
[916]EXPLORER.EXE-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - RelativeJump 0x7C90DF90-->00000000 [unknown_code_page]

OTL logfile created on: 9/4/2010 9:38:26 AM - Run 1
OTL by OldTimer - Version 3.2.11.0 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

958.00 Mb Total Physical Memory | 261.00 Mb Available Physical Memory | 27.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 40.00% Paging File free
Paging file location(s): C:\pagefile.sys 1440 2880 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 71.82 Gb Total Space | 9.74 Gb Free Space | 13.56% Space Free | Partition Type: FAT32
Drive D: | 72.33 Gb Total Space | 49.18 Gb Free Space | 68.00% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ACER-55C1D4102C
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/09/04 09:14:30 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
PRC - [2010/09/02 10:33:58 | 001,355,928 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
PRC - [2010/09/02 10:33:58 | 000,864,624 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
PRC - [2010/07/09 08:31:28 | 002,048,352 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgtray.exe
PRC - [2009/08/24 23:15:20 | 000,486,680 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgrsx.exe
PRC - [2009/08/24 23:15:00 | 000,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe
PRC - [2008/11/24 13:38:30 | 001,690,824 | ---- | M] (Orbitdownloader.com) -- C:\Program Files\Orbitdownloader\orbitdm.exe
PRC - [2008/11/19 12:22:24 | 000,356,352 | ---- | M] (Orbitdownloader.com) -- C:\Program Files\Orbitdownloader\orbitnet.exe
PRC - [2008/07/09 15:15:50 | 001,931,264 | ---- | M] (TiVo Inc.) -- C:\Program Files\TiVo\Desktop\TiVoServer.exe
PRC - [2008/07/09 15:14:24 | 000,394,240 | ---- | M] (TiVo Inc.) -- C:\Program Files\TiVo\Desktop\TiVoNotify.exe
PRC - [2008/07/09 15:13:58 | 001,189,376 | ---- | M] (TiVo Inc.) -- C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe
PRC - [2008/07/09 15:13:20 | 000,868,864 | ---- | M] (TiVo Inc.) -- C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
PRC - [2007/06/13 06:23:08 | 001,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2005/10/26 09:34:20 | 000,049,152 | ---- | M] (Pinnacle Systems) -- c:\Program Files\Pinnacle\Shared Files\Programs\MediaServer\PMSHost.exe
PRC - [2005/09/21 13:46:56 | 000,438,272 | ---- | M] (Acer Inc.) -- C:\Program Files\Acer\Acer eConsole\MediaServerService.exe
PRC - [2002/12/17 17:26:22 | 007,520,337 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe


========== Modules (SafeList) ==========

MOD - [2010/09/04 09:14:30 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
MOD - [2008/04/13 20:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- C:\WINDOWS\System32\HPZipm12.exe -- (Pml Driver HPZ12)
SRV - File not found [On_Demand | Stopped] -- C:\WINDOWS\System32\appmgmts.dll -- (AppMgmt)
SRV - [2010/09/02 10:33:58 | 001,355,928 | ---- | M] (Lavasoft) [Auto | Running] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2009/08/24 23:15:00 | 000,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG8\avgwdsvc.exe -- (avg8wd)
SRV - [2008/07/09 15:13:20 | 000,868,864 | ---- | M] (TiVo Inc.) [Auto | Running] -- C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe -- (TivoBeacon2)
SRV - [2005/10/26 09:34:20 | 000,049,152 | ---- | M] (Pinnacle Systems) [Auto | Running] -- c:\Program Files\Pinnacle\Shared Files\Programs\MediaServer\PMSHost.exe -- (PinnacleSys.MediaServer)
SRV - [2005/09/21 13:46:56 | 000,438,272 | ---- | M] (Acer Inc.) [Auto | Running] -- C:\Program Files\Acer\Acer eConsole\MediaServerService.exe -- (Acer Media Server)
SRV - [2002/12/17 17:26:22 | 007,520,337 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe -- (MSSQL$PINNACLESYS)
SRV - [2002/12/17 17:23:30 | 000,311,872 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlagent.EXE -- (SQLAgent$PINNACLESYS)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\Owner\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - [2010/08/16 10:39:32 | 000,015,008 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\Lavasoft\Ad-Aware\kernexplorer.sys -- (Lavasoft Kernexplorer)
DRV - [2010/08/04 14:35:58 | 000,050,704 | ---- | M] (CACE Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\npf.sys -- (NPF) WinPcap Packet Driver (NPF)
DRV - [2010/07/12 04:55:40 | 000,064,288 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\Lbd.sys -- (Lbd)
DRV - [2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
DRV - [2009/08/24 23:15:20 | 000,335,240 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgldx86.sys -- (AvgLdx86)
DRV - [2009/08/24 23:15:20 | 000,027,784 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\System32\Drivers\avgmfx86.sys -- (AvgMfx86)
DRV - [2008/04/13 14:45:12 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbaudio.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2007/06/05 10:56:40 | 000,044,928 | ---- | M] (Panda Software) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SDTHOOK.SYS -- (SDTHOOK)
DRV - [2005/11/11 04:47:00 | 003,532,928 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2005/09/22 16:34:00 | 003,727,680 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\alcxwdm.sys -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2005/07/29 17:11:04 | 000,012,928 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus)
DRV - [2005/07/29 17:11:02 | 000,034,048 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD)
DRV - [2005/03/30 12:41:26 | 000,011,264 | ---- | M] (Pinnacle Systems GmbH) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\asapiW2k.sys -- (ASAPIW2k)
DRV - [2005/03/09 15:53:00 | 000,036,352 | ---- | M] (Advanced Micro Devices) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AmdK8.sys -- (AmdK8)
DRV - [2005/02/23 14:58:56 | 000,011,776 | ---- | M] (Arcsoft, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\afc.sys -- (Afc)
DRV - [2005/01/13 14:46:16 | 000,069,632 | ---- | M] () [Kernel | Auto | Running] -- C:\Acer\Empowering Technology\eRecovery\int15.sys -- (int15.sys)
DRV - [2005/01/03 08:05:22 | 000,006,144 | ---- | M] (NewTech Infosystems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NTIDrvr.sys -- (NTIDrvr)
DRV - [2004/12/17 17:14:44 | 000,013,952 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\UBHelper.sys -- (UBHelper)
DRV - [2004/07/16 16:47:14 | 000,014,165 | ---- | M] (Pinnacle Systems GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\Pclepci.sys -- (PCLEPCI)
DRV - [2004/06/29 09:07:18 | 001,268,204 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2004/05/05 13:40:38 | 000,019,584 | R--- | M] (Pinnacle Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\emAudio.sys -- (emAudio)
DRV - [2004/04/06 14:08:06 | 000,100,957 | R--- | M] (eMPIA Technology, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\emDevice.sys -- (DCamUSBEMPIA)
DRV - [2004/04/06 14:07:58 | 000,005,245 | R--- | M] (eMPIA Technology, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\emFilter.sys -- (FiltUSBEMPIA)
DRV - [2004/04/06 14:07:54 | 000,004,493 | R--- | M] (eMPIA Technology, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\emScan.sys -- (ScanUSBEMPIA)
DRV - [2004/01/27 15:13:46 | 000,003,840 | ---- | M] (Elaborate Bytes) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ElbyDelay.sys -- (ElbyDelay)
DRV - [2003/09/29 15:33:00 | 000,022,912 | ---- | M] (SlySoft, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AnyDVD.sys -- (AnyDVD)
DRV - [2003/09/20 14:23:06 | 000,009,728 | ---- | M] (Elaborate Bytes AG) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\ElbyCDIO.sys -- (ElbyCDIO)
DRV - [2001/08/17 13:57:38 | 000,016,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\MODEMCSA.sys -- (MODEMCSA)
DRV - [2001/08/17 13:51:32 | 000,018,688 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\irsir.sys -- (irsir)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-3903405293-2884909451-3221281461-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-3903405293-2884909451-3221281461-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-3903405293-2884909451-3221281461-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\Extensions\\{D6901B81-BB0E-484D-A5AC-54BCA3ECCCC5}: C:\Documents and Settings\Owner\Local Settings\Application Data\{D6901B81-BB0E-484D-A5AC-54BCA3ECCCC5} [2010/02/08 22:41:58 | 000,000,000 | ---D | M]


Hosts file not found
O2 - BHO: (Octh Class) - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll (Orbitdownloader.com)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.)
O3 - HKLM\..\Toolbar: (Grab Pro) - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll ()
O3 - HKU\S-1-5-21-3903405293-2884909451-3221281461-1003\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-21-3903405293-2884909451-3221281461-1003\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
O3 - HKU\S-1-5-21-3903405293-2884909451-3221281461-1003\..\Toolbar\WebBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
O3 - HKU\S-1-5-21-3903405293-2884909451-3221281461-1003\..\Toolbar\WebBrowser: (no name) - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - No CLSID value found.
O3 - HKU\S-1-5-21-3903405293-2884909451-3221281461-1003\..\Toolbar\WebBrowser: (no name) - {724D43A0-0D85-11D4-9908-00400523E39A} - No CLSID value found.
O3 - HKU\S-1-5-21-3903405293-2884909451-3221281461-1003\..\Toolbar\WebBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
O3 - HKU\S-1-5-21-3903405293-2884909451-3221281461-1003\..\Toolbar\WebBrowser: (Grab Pro) - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll ()
O4 - HKLM..\Run: [AVG8_TRAY] C:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKU\S-1-5-21-3903405293-2884909451-3221281461-1003..\Run: [TivoNotify] C:\Program Files\TiVo\Desktop\TiVoNotify.exe (TiVo Inc.)
O4 - HKU\S-1-5-21-3903405293-2884909451-3221281461-1003..\Run: [TivoServer] C:\Program Files\TiVo\Desktop\TiVoServer.exe (TiVo Inc.)
O4 - HKU\S-1-5-21-3903405293-2884909451-3221281461-1003..\Run: [TivoTransfer] C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe (TiVo Inc.)
O4 - HKU\.DEFAULT..\RunOnce: [RunNarrator] C:\WINDOWS\System32\narrator.exe (Microsoft Corporation)
O4 - HKU\.DEFAULT..\RunOnce: [SWHelper] C:\WINDOWS\System32\Macromed\Shockwave 10\PostUpdate.exe ()
O4 - HKU\S-1-5-18..\RunOnce: [RunNarrator] C:\WINDOWS\System32\narrator.exe (Microsoft Corporation)
O4 - HKU\S-1-5-18..\RunOnce: [SWHelper] C:\WINDOWS\System32\Macromed\Shockwave 10\PostUpdate.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Orbit.lnk = File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3903405293-2884909451-3221281461-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3903405293-2884909451-3221281461-1003\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-21-3903405293-2884909451-3221281461-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3903405293-2884909451-3221281461-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: DriveConfiguration = [Binary data over 100 bytes]
O7 - HKU\S-1-5-21-3903405293-2884909451-3221281461-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LegacyDrive = [Binary data over 100 bytes]
O8 - Extra context menu item: &Download by Orbit - C:\Program Files\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O8 - Extra context menu item: &Grab video by Orbit - C:\Program Files\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O8 - Extra context menu item: Do&wnload selected by Orbit - C:\Program Files\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O8 - Extra context menu item: Down&load all by Orbit - C:\Program Files\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O15 - HKU\S-1-5-21-3903405293-2884909451-3221281461-1003\..Trusted Domains: gap.com ([oldnavy] http in Trusted sites)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/templates/ieawsdc.cab (Microsoft Office Template and Media Control)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} http://upload.facebook.com/controls/Facebo...toUploader3.cab (Reg Error: Key error.)
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} http://upload.facebook.com/controls/Facebo...otoUploader.cab (Facebook Photo Uploader Control)
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} https://webdl.symantec.com/activex/symdlmgr.cab (Symantec Download Manager)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftu...b?1278797593018 (MUWebControl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {BAC761D3-DFFD-4DB4-A01D-173346E090A7} http://clubgames.pogo.com/online2/pogo/zen...eb.1.0.0.10.cab (CPlayFirstzenerchiControl Object)
O16 - DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_05)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} http://upload.facebook.com/controls/Facebo...Uploader4_5.cab (Facebook Photo Uploader 4)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 24.247.15.53 24.247.24.53 68.115.71.53
O18 - Protocol\Handler\cetihpz {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll (Hewlett-Packard Company)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O20 - Winlogon\Notify\WgaLogon: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O24 - Desktop WallPaper: C:\Documents and Settings\Owner\My Documents\My Pictures\untitled.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Owner\My Documents\My Pictures\untitled.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/01/03 08:06:04 | 000,000,050 | ---- | M] () - C:\AUTOEXEC.BAT -- [ FAT32 ]
O33 - MountPoints2\{1c85f104-7c76-11de-a60b-001558261098}\Shell - "" = AutoRun
O33 - MountPoints2\{1c85f104-7c76-11de-a60b-001558261098}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{1c85f104-7c76-11de-a60b-001558261098}\Shell\AutoRun\command - "" = F:\Connect.exe -- File not found
O33 - MountPoints2\{22883889-8379-11df-a636-001558261098}\Shell\AutoRun\command - "" = F:\setup.exe -- File not found
O33 - MountPoints2\{2f27417a-4863-11dc-a5b3-001558261098}\Shell - "" = AutoRun
O33 - MountPoints2\{2f27417a-4863-11dc-a5b3-001558261098}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{2f27417a-4863-11dc-a5b3-001558261098}\Shell\AutoRun\command - "" = F:\Connect.exe -- File not found
O33 - MountPoints2\{6fc5d154-25a1-11db-a579-001558261098}\Shell - "" = AutoRun
O33 - MountPoints2\{6fc5d154-25a1-11db-a579-001558261098}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{6fc5d154-25a1-11db-a579-001558261098}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- File not found
O33 - MountPoints2\{6fc5d155-25a1-11db-a579-001558261098}\Shell\AutoRun\command - "" = L:\setupSNK.exe -- File not found
O33 - MountPoints2\{ddc0daa6-86fd-11dc-a5bb-001558261098}\Shell - "" = AutoRun
O33 - MountPoints2\{ddc0daa6-86fd-11dc-a5bb-001558261098}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{ddc0daa6-86fd-11dc-a5bb-001558261098}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O36 - AppCertDlls: rsmuadow - (C:\WINDOWS\system32\edlirsvp.dll) - C:\WINDOWS\System32\edlirsvp.dll File not found
O36 - AppCertDlls: xcopdl32 - (C:\WINDOWS\fastuirt.dll) - C:\WINDOWS\fastuirt.dll File not found
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: AppMgmt - C:\WINDOWS\System32\appmgmts.dll File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found

MsConfig - StartUpFolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe - (Adobe Systems, Inc.)
MsConfig - StartUpFolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe - (Adobe Systems Incorporated)
MsConfig - StartUpFolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe - (Hewlett-Packard Development Company, L.P.)
MsConfig - StartUpFolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe - (Hewlett-Packard Co.)
MsConfig - StartUpFolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE - (Microsoft Corporation)
MsConfig - StartUpReg: AGRSMMSG - hkey= - key= - C:\WINDOWS\AGRSMMSG.exe (Agere Systems)
MsConfig - StartUpReg: Aim6 - hkey= - key= - C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe File not found
MsConfig - StartUpReg: AnyDVD - hkey= - key= - C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe (SlySoft, Inc.)
MsConfig - StartUpReg: AspireService - hkey= - key= - C:\Program Files\Acer\Acer eMode Management\AspireService.exe (Acer Inc.)
MsConfig - StartUpReg: ccApp - hkey= - key= - C:\Program Files\Common Files\Symantec Shared\ccApp.exe File not found
MsConfig - StartUpReg: ElbyCheckAnyDVD - hkey= - key= - C:\Program Files\SlySoft\AnyDVD\ElbyCheck.exe (Elaborate Bytes AG)
MsConfig - StartUpReg: eRecoveryService - hkey= - key= - C:\Acer\Empowering Technology\eRecovery\Monitor.exe (acer Inc.)
MsConfig - StartUpReg: HostManager - hkey= - key= - C:\Program Files\Common Files\AOL\1154916856\ee\aolsoftware.exe (America Online, Inc.)
MsConfig - StartUpReg: HP Component Manager - hkey= - key= - C:\Program Files\HP\hpcoretech\hpcmpmgr.exe (Hewlett-Packard Company)
MsConfig - StartUpReg: HP Software Update - hkey= - key= - C:\Program Files\HP\HP Software Update\hpwuSchd2.exe (Hewlett-Packard Development Company, L.P.)
MsConfig - StartUpReg: IMJPMIG8.1 - hkey= - key= - C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
MsConfig - StartUpReg: IPHSend - hkey= - key= - C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe (America Online, Inc.)
MsConfig - StartUpReg: KernelFaultCheck - hkey= - key= - File not found
MsConfig - StartUpReg: LaunchApp - hkey= - key= - C:\WINDOWS\Alaunch.exe (Acer Inc.)
MsConfig - StartUpReg: MediaSync - hkey= - key= - C:\Program Files\Acer\Acer eConsole\MediaSync.exe (Acer Inc.)
MsConfig - StartUpReg: MSMSGS - hkey= - key= - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
MsConfig - StartUpReg: MSPY2002 - hkey= - key= - File not found
MsConfig - StartUpReg: ntiMUI - hkey= - key= - C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe ()
MsConfig - StartUpReg: NvCplDaemon - hkey= - key= - File not found
MsConfig - StartUpReg: NvMediaCenter - hkey= - key= - File not found
MsConfig - StartUpReg: nwiz - hkey= - key= - File not found
MsConfig - StartUpReg: PHIME2002A - hkey= - key= - File not found
MsConfig - StartUpReg: PHIME2002ASync - hkey= - key= - File not found
MsConfig - StartUpReg: PinnacleDriverCheck - hkey= - key= - File not found
MsConfig - StartUpReg: PMCRemote - hkey= - key= - C:\Program Files\Pinnacle\Shared Files\Programs\Remote\remoterm.exe (Pinnacle Systems)
MsConfig - StartUpReg: PMCS - hkey= - key= - C:\Program Files\Pinnacle\Shared Files\Programs\MediaCenterService\PMC.Service.Main.exe (Pinnacle Systems)
MsConfig - StartUpReg: QuickTime Task - hkey= - key= - C:\Program Files\QuickTime\qttask.exe (Apple Computer, Inc.)
MsConfig - StartUpReg: RemoteControl - hkey= - key= - C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe (Cyberlink Corp.)
MsConfig - StartUpReg: SoundMan - hkey= - key= - C:\WINDOWS\soundman.exe (Realtek Semiconductor Corp.)
MsConfig - StartUpReg: SpySweeper - hkey= - key= - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe (Webroot Software, Inc.)
MsConfig - StartUpReg: SunJavaUpdateSched - hkey= - key= - C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe (Sun Microsystems, Inc.)
MsConfig - StartUpReg: TivoNotify - hkey= - key= - C:\Program Files\TiVo\Desktop\TiVoNotify.exe (TiVo Inc.)
MsConfig - StartUpReg: TivoServer - hkey= - key= - C:\Program Files\TiVo\Desktop\TiVoServer.exe (TiVo Inc.)
MsConfig - StartUpReg: TivoTransfer - hkey= - key= - C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe (TiVo Inc.)
MsConfig - StartUpReg: updateMgr - hkey= - key= - C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe (Adobe Systems Incorporated)
MsConfig - StartUpReg: ViewMgr - hkey= - key= - C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe (Viewpoint Corporation)
MsConfig - State: "system.ini" - 0
MsConfig - State: "win.ini" - 0
MsConfig - State: "bootini" - 0
MsConfig - State: "services" - 0
MsConfig - State: "startup" - 1

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: msacm.vorbis - C:\WINDOWS\System32\vorbis.acm (HMS http://hp.vector.co.jp/authors/VA012897/)
Drivers32: MSVideo8 - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.DIVX - C:\WINDOWS\System32\DivX.dll (DivXNetworks)
Drivers32: VIDC.I420 - C:\WINDOWS\System32\i420vfw.dll (www.helixcommunity.org)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Drivers32: vidc.LEAD - LCODCCMP.DLL File not found
Drivers32: VIDC.MJPG - C:\WINDOWS\System32\pvmjpg21.dll (Pegasus Imaging Corporation)
Drivers32: VIDC.PIM1 - C:\WINDOWS\System32\pclepim1.dll (Pinnacle Systems)
Drivers32: vidc.yv12 - C:\WINDOWS\System32\yv12vfw.dll (www.helixcommunity.org)
Drivers32: wave1 - C:\WINDOWS\System32\serwvdrv.dll (Microsoft Corporation)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (68130555115339776)

========== Files/Folders - Created Within 30 Days ==========

[2010/09/04 09:14:20 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2010/08/28 12:50:10 | 000,159,232 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ptpusd.dll
[2010/08/28 12:50:10 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ptpusb.dll
[2010/08/25 14:20:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\AdobeUM
[2010/08/17 09:51:12 | 000,000,000 | -HSD | C] -- C:\FOUND.012
[2010/08/16 02:20:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\AdobeUM
[2010/08/09 10:30:09 | 000,064,288 | ---- | C] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys
[2010/08/09 10:30:08 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\DRVSTORE
[2010/08/09 10:29:47 | 000,095,024 | ---- | C] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
[2010/08/09 10:27:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\Sunbelt Software
[2010/08/09 10:27:23 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}
[2010/08/09 10:26:46 | 000,000,000 | ---D | C] -- C:\Program Files\Lavasoft
[2010/08/09 09:46:01 | 128,750,008 | ---- | C] (Lavasoft ) -- C:\Documents and Settings\Owner\Desktop\Ad-AwareInstall.exe
[2010/08/09 02:33:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe
[2010/08/08 22:07:20 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Owner\Recent
[2010/08/08 10:05:58 | 000,000,000 | -HSD | C] -- C:\FOUND.011
[2010/08/08 00:19:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2010/08/07 14:03:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\Unused Desktop Shortcuts
[92 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]
[614 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/09/04 09:14:30 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2010/09/04 09:13:52 | 000,133,632 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\RKUnhookerLE.EXE
[2010/09/04 09:11:48 | 000,000,480 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Scan (s).job
[2010/09/04 09:11:48 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/09/03 19:40:00 | 000,049,152 | ---- | M] ( ) -- C:\WINDOWS\System32\CompiledAdapter
[2010/09/03 19:39:20 | 000,041,237 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2010/09/03 19:38:54 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/09/03 19:38:50 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/09/03 19:38:48 | 1005,113,344 | -HS- | M] () -- C:\hiberfil.sys
[2010/09/02 00:46:34 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/08/31 22:28:52 | 005,505,024 | -H-- | M] () -- C:\Documents and Settings\Owner\NTUSER.DAT
[2010/08/31 22:28:52 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Owner\ntuser.ini
[2010/08/30 10:23:00 | 000,002,447 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\HiJackThis.lnk
[2010/08/09 21:36:44 | 000,232,186 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\J and Mel.skp
[2010/08/09 17:00:58 | 006,429,930 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\pw_pocket_shop_reference.pdf
[2010/08/09 10:29:48 | 000,095,024 | ---- | M] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
[2010/08/09 10:27:22 | 000,000,775 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[2010/08/09 09:46:00 | 128,750,008 | ---- | M] (Lavasoft ) -- C:\Documents and Settings\Owner\Desktop\Ad-AwareInstall.exe
[2010/08/08 22:13:24 | 000,639,842 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\cc_20100808_2212.reg
[2010/08/08 13:48:18 | 000,107,008 | ---- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/08/08 13:47:50 | 000,000,349 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\PCLECHAL.INI
[2010/08/06 00:14:18 | 000,661,615 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Picture 219-tiltshift[1].JPG
[2010/08/06 00:11:24 | 000,535,912 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Picture 205-tiltshift[1].JPG
[2010/08/06 00:07:18 | 000,789,938 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Picture 025-tiltshift[1].JPG
[92 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]
[614 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/09/04 09:13:50 | 000,133,632 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\RKUnhookerLE.EXE
[2010/09/03 00:44:54 | 000,000,480 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Scan (s).job
[2010/08/30 10:21:56 | 000,002,447 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\HiJackThis.lnk
[2010/08/09 21:36:43 | 000,232,186 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\J and Mel.skp
[2010/08/09 17:00:55 | 006,429,930 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\pw_pocket_shop_reference.pdf
[2010/08/09 11:01:30 | 000,015,880 | ---- | C] () -- C:\WINDOWS\System32\lsdelete.exe
[2010/08/09 10:30:14 | 000,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/08/09 10:27:20 | 000,000,775 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[2010/08/08 22:12:35 | 000,639,842 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\cc_20100808_2212.reg
[2010/08/06 00:14:15 | 000,661,615 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Picture 219-tiltshift[1].JPG
[2010/08/06 00:11:21 | 000,535,912 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Picture 205-tiltshift[1].JPG
[2010/08/06 00:07:15 | 000,789,938 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Picture 025-tiltshift[1].JPG
[2010/02/09 18:21:12 | 000,000,024 | ---- | C] () -- C:\Documents and Settings\LocalService\Application Data\sgcpom.dat
[2010/02/08 22:37:57 | 000,000,020 | ---- | C] () -- C:\Documents and Settings\NetworkService\Application Data\sgcpom.dat
[2009/08/31 18:37:38 | 000,016,384 | ---- | C] () -- C:\WINDOWS\System32\msdrve.dll
[2009/08/31 18:37:36 | 000,010,816 | ---- | C] () -- C:\WINDOWS\vmoptver.dll
[2009/06/30 02:20:05 | 001,970,176 | ---- | C] () -- C:\WINDOWS\System32\d3dx9.dll
[2009/01/31 13:35:20 | 000,027,648 | ---- | C] () -- C:\WINDOWS\System32\AVSredirect.dll
[2008/12/05 14:27:39 | 000,000,146 | -H-- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\Thumbs.db
[2008/11/23 00:34:14 | 000,030,976 | ---- | C] () -- C:\WINDOWS\rascntrl.dll
[2008/11/23 00:34:14 | 000,023,104 | ---- | C] () -- C:\WINDOWS\System32\svcprmpt.dll
[2008/11/07 11:00:45 | 000,019,987 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\osikibux.scr
[2008/11/07 11:00:45 | 000,018,013 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\nyletaw.dll
[2008/11/07 11:00:45 | 000,017,010 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\mugemeqe.bat
[2008/11/07 11:00:45 | 000,013,680 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\ynasow.scr
[2008/11/07 11:00:45 | 000,012,995 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\ykobo.inf
[2008/11/07 11:00:45 | 000,011,308 | ---- | C] () -- C:\Program Files\Common Files\sevyluho.db
[2008/11/07 11:00:45 | 000,011,151 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\cetys.dll
[2008/11/07 11:00:45 | 000,010,226 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\ufyzu.dll
[2008/11/07 11:00:44 | 000,019,129 | ---- | C] () -- C:\Program Files\Common Files\fahopybeq.exe
[2008/11/07 11:00:44 | 000,018,326 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\pabutofali.exe
[2008/11/07 11:00:44 | 000,016,597 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\amytita.sys
[2008/11/07 11:00:44 | 000,016,250 | ---- | C] () -- C:\Program Files\Common Files\nafimy.bin
[2008/11/07 11:00:44 | 000,016,061 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\yhekunakuq.exe
[2008/11/07 11:00:44 | 000,014,445 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\abyz.bat
[2008/11/07 11:00:44 | 000,013,538 | ---- | C] () -- C:\Program Files\Common Files\xazevuwy.dll
[2008/11/07 11:00:44 | 000,010,437 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\otifo.bin
[2008/06/03 21:15:54 | 000,077,824 | R--- | C] () -- C:\WINDOWS\System32\hpzids01.dll
[2006/12/11 19:38:18 | 000,007,309 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\Cabos.plist
[2006/10/07 19:44:07 | 000,107,008 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006/10/06 06:43:35 | 000,000,029 | ---- | C] () -- C:\WINDOWS\CDMKR32.INI
[2006/10/03 18:44:28 | 000,000,156 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2006/09/10 23:19:42 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/08/14 21:41:38 | 000,196,096 | ---- | C] () -- C:\WINDOWS\System32\MACD32.DLL
[2006/08/14 21:41:38 | 000,138,752 | ---- | C] () -- C:\WINDOWS\System32\MASE32.DLL
[2006/08/14 21:41:38 | 000,136,192 | ---- | C] () -- C:\WINDOWS\System32\MAMC32.DLL
[2006/08/14 21:41:38 | 000,057,856 | ---- | C] () -- C:\WINDOWS\System32\MASD32.DLL
[2006/08/14 21:41:38 | 000,027,648 | ---- | C] () -- C:\WINDOWS\System32\MA32.DLL
[2006/08/14 21:40:33 | 000,166,912 | ---- | C] () -- C:\WINDOWS\System32\lame_enc.dll
[2006/08/11 08:47:12 | 000,000,215 | ---- | C] () -- C:\WINDOWS\Jcmkr32.INI
[2006/08/09 20:27:07 | 000,000,123 | ---- | C] () -- C:\WINDOWS\KPCMS.INI
[2006/08/08 20:21:46 | 000,005,516 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\GdiplusUpgrade_MSIApproach_Wrapper.log
[2006/08/08 20:21:46 | 000,000,206 | ---- | C] () -- C:\WINDOWS\HPGdiPlus.ini
[2006/08/07 06:09:29 | 000,000,097 | ---- | C] () -- C:\WINDOWS\System32\PICSDK.ini
[2006/08/07 06:07:55 | 000,000,058 | ---- | C] () -- C:\WINDOWS\System32\EAL32.INI
[2006/08/07 06:07:46 | 000,000,044 | ---- | C] () -- C:\WINDOWS\EPR220.ini
[2006/08/07 05:38:34 | 000,116,224 | ---- | C] () -- C:\WINDOWS\System32\pdfcmnnt.dll
[2006/08/06 19:12:10 | 000,000,029 | ---- | C] () -- C:\WINDOWS\atid.ini
[2006/08/06 18:20:24 | 000,000,128 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\fusioncache.dat
[2006/08/06 16:44:48 | 000,001,152 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2006/07/31 09:08:40 | 000,000,725 | ---- | C] () -- C:\WINDOWS\System32\eRLog.ini
[2006/07/31 09:02:59 | 000,000,294 | ---- | C] () -- C:\WINDOWS\PowerOption.ini
[2006/06/02 02:08:50 | 001,466,368 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2006/06/02 02:08:50 | 000,573,440 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2006/06/02 02:08:50 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2006/06/02 02:08:50 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll
[2005/09/18 08:32:00 | 001,662,976 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2005/09/18 08:32:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2005/09/18 08:32:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2005/09/16 14:14:00 | 000,157,184 | ---- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2005/08/09 17:13:31 | 000,831,488 | ---- | C] () -- C:\WINDOWS\System32\libeay32.dll
[2005/08/09 17:13:31 | 000,159,744 | ---- | C] () -- C:\WINDOWS\System32\ssleay32.dll
[2005/08/09 17:12:28 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2005/02/04 02:11:40 | 000,008,073 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2005/01/03 08:09:08 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2005/01/03 08:06:30 | 000,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTIBUN4.dll
[2005/01/03 08:05:24 | 000,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTIMPEG2.dll
[2005/01/03 08:05:24 | 000,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTIMP3.dll
[2005/01/03 08:05:24 | 000,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTIFCD3.dll
[2005/01/03 08:05:24 | 000,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTICDMK7.dll
[2005/01/02 19:18:26 | 000,000,083 | ---- | C] () -- C:\WINDOWS\ALaunch.ini
[2004/12/17 17:14:44 | 000,013,952 | ---- | C] () -- C:\WINDOWS\System32\drivers\UBHelper.sys
[2004/09/16 16:24:26 | 003,375,104 | ---- | C] () -- C:\WINDOWS\System32\qt-mt331.dll
[2004/08/04 05:00:00 | 000,249,270 | ---- | C] () -- C:\WINDOWS\System32\_004373_.tmp.dll
[2004/08/04 05:00:00 | 000,022,040 | ---- | C] () -- C:\WINDOWS\System32\_004341_.tmp.dll
[2004/08/04 05:00:00 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2004/03/18 07:44:29 | 001,663,068 | ---- | C] () -- C:\WINDOWS\System32\libmmd.dll
[2001/12/26 16:12:30 | 000,065,536 | R--- | C] () -- C:\WINDOWS\System32\multiplex_vcd.dll
[2001/09/03 23:46:38 | 000,110,592 | R--- | C] () -- C:\WINDOWS\System32\Hmpg12.dll
[2001/07/30 16:33:56 | 000,118,784 | R--- | C] () -- C:\WINDOWS\System32\HMPV2_ENC.dll
[2001/07/23 22:04:36 | 000,118,784 | R--- | C] () -- C:\WINDOWS\System32\HMPV2_ENC_MMX.dll
[2001/07/06 16:30:00 | 000,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini
[2001/07/06 00:19:00 | 000,000,164 | ---- | C] () -- C:\WINDOWS\avrack.ini

========== Custom Scans ==========


< %systemroot%\system32\*.dll /lockedfiles >
[2009/03/08 04:31:44 | 000,348,160 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtmsft.dll
[2009/03/08 04:31:38 | 000,216,064 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtrans.dll
[614 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2005/01/03 07:22:38 | 000,901,120 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav
[2005/01/03 07:22:38 | 000,634,880 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2005/01/03 07:22:38 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav

< %systemroot%\*. /mp /s >

< %SYSTEMDRIVE%\*.exe >
< End of report >


OTL Extras logfile created on: 9/4/2010 9:38:26 AM - Run 1
OTL by OldTimer - Version 3.2.11.0 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

958.00 Mb Total Physical Memory | 261.00 Mb Available Physical Memory | 27.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 40.00% Paging File free
Paging file location(s): C:\pagefile.sys 1440 2880 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 71.82 Gb Total Space | 9.74 Gb Free Space | 13.56% Space Free | Partition Type: FAT32
Drive D: | 72.33 Gb Total Space | 49.18 Gb Free Space | 68.00% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ACER-55C1D4102C
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.js [@ = JSFile] -- C:\Program Files\Macromedia\Dreamweaver MX\Dreamweaver.exe (Macromedia, Inc.)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office10\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office10\msohtmed.exe" /p %1 (Microsoft Corporation)
jsfile [open] -- "C:\Program Files\Macromedia\Dreamweaver MX\Dreamweaver.exe" "%1" (Macromedia, Inc.)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [Winamp.Bookmark] -- "C:\Program Files\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft)
Directory [Winamp.Enqueue] -- "C:\Program Files\Winamp\winamp.exe" /ADD "%1" (Nullsoft)
Directory [Winamp.Play] -- "C:\Program Files\Winamp\winamp.exe" "%1" (Nullsoft)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\TiVo\Desktop\TiVoServer.exe" = C:\Program Files\TiVo\Desktop\TiVoServer.exe:*:Enabled:TiVo Server Service Process -- (TiVo Inc.)
"C:\Program Files\Orbitdownloader\orbitnet.exe" = C:\Program Files\Orbitdownloader\orbitnet.exe:*:Enabled:P2P service of Orbit Downloader -- (Orbitdownloader.com)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0001B4FD-9EA3-4D90-A79E-FD14BA3AB01D}" = PDFCreator
"{028814FB-D05F-495E-81D7-636A87321025}" = CreativeProjectsTemplates
"{0BF5FBE7-3907-4A1F-9E48-8B66E52850D6}" = TrayApp
"{0F40754C-F1FD-43df-B73E-9DA38399CDD6}" = hpf_ProductContext
"{11680998-6792-4DE9-8DE1-D6D041418B26}" = SkinsHP1
"{14A67CE0-4F30-4607-885B-43EE27BAC746}" = Readme
"{1577A05B-EE62-4BBC-9DB7-FE748FA44EC2}" = NTI CD & DVD-Maker
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{1E1F1E70-14D8-4380-8652-BD1A895A7D65}" = Status
"{24BEBF2E-73F3-4599-840B-EDC612CCDD0D}" = Destinations
"{3248F0A8-6813-11D6-A77B-00B0D0150050}" = J2SE Runtime Environment 5.0 Update 5
"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java™ 6 Update 3
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3662AF19-6E4B-4F6D-A61C-F3CB6D67097D}" = QuickProjects
"{385979FE-DC4F-4140-8EAD-A59625000D72}" = NTI Backup NOW! 4
"{3CF78481-FB7B-4B51-99A2-D5E0CD0B3AAF}" = HPSystemDiagnostics
"{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
"{45D3CD3E-7715-4341-8441-A3A6409FCDE4}" = BIAS SoundSoap 2.0
"{460CE8B9-6EC2-458A-90D4-691631ECE9D9}" = Pinnacle MediaServer
"{47786B84-92C1-4706-BDDD-5CFFA6720C18}" = Sony DVD Architect 2.0
"{4A7FDA4D-F4D7-4A49-934A-066D59A43C7E}" = SmartSound Quicktracks Plugin
"{4BE53DB2-C1F2-44D1-A9AB-1630BA7F2AF1}" = SolutionCenter
"{4E05249B-CC02-40E7-85B6-29627BFE9454}" = Scan
"{4E839090-3B68-436A-B3CF-A2A08C38DD26}" = TiVo Desktop 2.6.2
"{5B70C118-2F9F-411E-9C67-80380365CFBA}" = Mega Manager
"{65CDEC30-4BF4-48FB-8059-9FC480E4E94F}" = Acer eMode Management
"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{696C94BC-44BC-4B8E-ABAA-6FFC0F11A6D3}" = PhotoGallery
"{6F5E2F4A-377D-4700-B0E3-8F7F7507EA15}" = CustomerResearchQFolder
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{784DF107-2945-4B65-ADE3-A58ECD6C37A9}" = Sony Vegas 5.0a
"{7ADE9F27-A175-447F-A4B4-B05FA82735E1}" = HP Deskjet 6900 series
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX
"{7DB9BF65-46AC-4803-82AA-14EFCA927789}" = HP Scanjet 4070
"{827ECAB7-3F8E-4A66-A663-67A8F678536C}" = CreativeProjects
"{8777AC6D-89F9-4793-8266-DE406F343E89}" = QFolder
"{87F59A07-55EE-415E-A966-31F3D8B6B7AD}" = LP6940_Help
"{8B4AB829-DFD3-436D-B808-D9733D76C590}" = Macromedia Dreamweaver MX
"{8DC6CA16-9B4E-4C10-95EE-2BD91EB0290C}" = LP6940Trb
"{90190409-6000-11D3-8CFE-0050048383C9}" = Microsoft Publisher 2002
"{90260409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Web Components
"{90280409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional with FrontPage
"{A5BA14E0-7384-11D4-BAE7-00409631A2C8}" = Macromedia Extension Manager
"{AAA11090-6E99-4655-AAF5-57EB5F677D0C}" = MarketResearch
"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
"{AC76BA86-7AD7-1033-7B44-A70000000000}" = Adobe Reader 7.0
"{B8A6F713-D72D-47AD-A92D-B5C0E13F98C1}" = NTI HomeVideo-Maker
"{BEF106F8-2689-4530-925A-E1117836E8CD}" = Google SketchUp 7
"{C151CE54-E7EA-4804-854B-F515368B0798}" = Athlon 64 Processor Driver
"{C3502B86-FAC7-43AA-82D8-AB30EC51596A}" = PrintScreen
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{D7CAE58E-26DE-49B7-A75D-EAEDF76726BE}" = HP Photosmart Essential
"{DEBB2986-15B0-4D28-95FA-5C966A396589}" = HPProductAssistant
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{E09B48B5-E141-427A-AB0C-D3605127224A}" = Microsoft SQL Server Desktop Engine (PINNACLESYS)
"{EC028E6B-F3F1-4192-B63E-A7C97302ED5A}" = Acer eConsole
"{EC2715CE-C182-483C-84CC-81D7D914CF14}" = WebReg
"{ECFDD6BD-E0C0-41CC-A171-E6D6AF4C0E93}" = HP Software Update
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F38ADCA4-AF7C-4C73-9021-6F1EA15D15EA}" = Pinnacle MediaCenter
"{FB08F381-6533-4108-B7DD-039E11FBC27E}" = Realtek AC'97 Audio
"{FF477885-5EA8-40D0-ADF3-D4C1B86FAEA4}" = EPSON Print CD
"Ad-Aware" = Ad-Aware
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe PageMaker 6.5K" = Adobe PageMaker 6.5K
"Adobe Photoshop 7.0" = Adobe Photoshop 7.0
"Adobe Shockwave Player" = Adobe Shockwave Player
"Agere Systems Soft Modem" = Agere Systems PCI Soft Modem
"Any Video Converter_is1" = Any Video Converter 1.0
"AP1 Loader 1.84.0" = AP1 Loader 1.84.0
"Audacity_is1" = Audacity 1.2.4
"AVG8Uninstall" = AVG Free 8.5
"BitZipper_is1" = BitZipper 2009
"Cheat Engine 5.5_is1" = Cheat Engine 5.5
"DVD Shrink_is1" = DVD Shrink 3.2
"DVDBuilder_is1" = DVDBuilder 2.7
"DVDStyler_is1" = DVDStyler v1.4
"EPSON Printer and Utilities" = EPSON Printer Software
"FL Studio 8" = FL Studio 8
"FLV Player" = FLV Player 2.0, build 24
"Free Sound Recorder" = Free Sound Recorder
"HP Imaging Device Functions" = HP Imaging Device Functions 6.0
"HP Photo & Imaging" = HP Image Zone 4.0
"HP Solution Center & Imaging Support Tools" = HP Solution Center and Imaging Support Tools 6.0
"HPExtendedCapabilities" = HP Extended Capabilities 6.0
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"IL Download Manager" = IL Download Manager
"InstallShield_{1577A05B-EE62-4BBC-9DB7-FE748FA44EC2}" = NTI CD & DVD-Maker
"InstallShield_{385979FE-DC4F-4140-8EAD-A59625000D72}" = NTI Backup NOW! 4
"InstallShield_{4A7FDA4D-F4D7-4A49-934A-066D59A43C7E}" = SmartSound Quicktracks Plugin
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"MP3MyMP3 2.0_is1" = MP3MyMP3 2.0
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"Orbit_is1" = Orbit Downloader
"plusdeck23.25c" = plusdeck2
"QuickTime" = QuickTime
"Replay Music3.5" = Replay Music
"Ricochet Lost Worlds" = Ricochet Lost Worlds
"Silent Package Run-Time Sample" = EPSON ESPR220 Reference Guide
"SpySweeper" = Spy Sweeper
"VideoReDo-Plus_is1" = VideoReDo/Plus Version 2.5.6.512
"Viewpoint Manager" = Viewpoint Manager (Remove Only)
"ViewpointMediaPlayer" = Viewpoint Media Player
"Winamp" = Winamp
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinMX Music" = WinMX Music
"WinZip Self-Extractor" = WinZip Self-Extractor
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-3903405293-2884909451-3221281461-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Move Media Player" = Move Media Player

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 7/29/2009 2:21:16 PM | Computer Name = ACER-55C1D4102C | Source = ESENT | ID = 455
Description = wuaueng.dll (492) SUS20ClientDataStore: Error -1032 (0xfffffbf8) occurred
while opening logfile C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log.

Error - 7/29/2009 3:29:30 PM | Computer Name = ACER-55C1D4102C | Source = Application Error | ID = 1000
Description = Faulting application flvplayer.exe, version 0.0.0.0, faulting module
flashplayer.3.1.1e.ocx, version 9.0.115.0, fault address 0x000c1dc3.

Error - 7/30/2009 11:11:59 PM | Computer Name = ACER-55C1D4102C | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.6000.16791, faulting
module flash10b.ocx, version 10.0.22.87, fault address 0x002d5072.

Error - 8/3/2009 1:03:22 AM | Computer Name = ACER-55C1D4102C | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.6000.16791, faulting
module avgssie.dll, version 8.5.0.392, fault address 0x000290df.

Error - 8/3/2009 1:03:32 AM | Computer Name = ACER-55C1D4102C | Source = Application Error | ID = 1001
Description = Fault bucket 1368311579.

Error - 8/4/2009 10:42:49 AM | Computer Name = ACER-55C1D4102C | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.6000.16791, faulting
module grabpro.dll, version 1.0.0.4, fault address 0x0002edb6.

Error - 8/9/2009 2:36:38 PM | Computer Name = ACER-55C1D4102C | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.6000.16791, faulting
module mshtml.dll, version 7.0.6000.16809, fault address 0x0003c1b5.

Error - 8/9/2009 2:36:47 PM | Computer Name = ACER-55C1D4102C | Source = Application Error | ID = 1001
Description = Fault bucket 1138094346.

Error - 8/26/2009 3:10:42 PM | Computer Name = ACER-55C1D4102C | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.3156, faulting
module unknown, version 0.0.0.0, fault address 0x05388710.

Error - 8/31/2009 10:20:51 AM | Computer Name = ACER-55C1D4102C | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.3156, faulting
module unknown, version 0.0.0.0, fault address 0x02de6710.

[ System Events ]
Error - 9/1/2010 6:06:32 PM | Computer Name = ACER-55C1D4102C | Source = Service Control Manager | ID = 7034
Description = The Automatic Updates service terminated unexpectedly. It has done
this 1 time(s).

Error - 9/1/2010 6:06:32 PM | Computer Name = ACER-55C1D4102C | Source = Service Control Manager | ID = 7034
Description = The Wireless Zero Configuration service terminated unexpectedly.
It has done this 1 time(s).

Error - 9/1/2010 10:50:06 PM | Computer Name = ACER-55C1D4102C | Source = Disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk2\D.

Error - 9/2/2010 12:00:05 AM | Computer Name = ACER-55C1D4102C | Source = Disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk2\D.

Error - 9/2/2010 12:32:14 AM | Computer Name = ACER-55C1D4102C | Source = Disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk2\D.

Error - 9/3/2010 12:00:08 AM | Computer Name = ACER-55C1D4102C | Source = Disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk2\D.

Error - 9/3/2010 7:39:12 PM | Computer Name = ACER-55C1D4102C | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 9/3/2010 7:39:13 PM | Computer Name = ACER-55C1D4102C | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 9/3/2010 7:39:37 PM | Computer Name = ACER-55C1D4102C | Source = Service Control Manager | ID = 7000
Description = The Pml Driver HPZ12 service failed to start due to the following
error: %%2

Error - 9/3/2010 7:41:15 PM | Computer Name = ACER-55C1D4102C | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.


< End of report >


#4 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:09:30 PM

Posted 04 September 2010 - 09:03 AM

If your wife has used this computer to log into facebook, then that will be how the account got compromised.

One or more of the identified infections is a backdoor trojan/Rootkit.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you decide you want to proceed with trying to clean your machine please follow these next steps.



Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed, click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix



#5 caappold

caappold
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  • Local time:04:30 PM

Posted 04 September 2010 - 07:36 PM

I tried to run combofix but I hit some barriers. It says that it cannot run while anti-virus type software is running so I tried to close everything out. AVG doesn't seem to want to stop running. I clicked on it in the system tray and clicked exit. The program appears closed. I tried running combofix and it says AVG is still running. I bring up the task manager and try to end process. It either won't go away or comes back very quickly. I tried to just let combofix do its thing anyway. It found root activity and rebooted. When it came back it ran and then rebooted again. Then it came up with a DOS window saying "please wait" and it sat there for about an hour before I closed it. It didn't create a log for me to post so I was hoping for a little more direction before proceeding.

Thanks again.


#6 caappold

caappold
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  • Local time:04:30 PM

Posted 04 September 2010 - 07:43 PM

I still want to kill this virus, but will stop using this computer for important information. Plus I would like to avoid a reformat. I have some questions though. Can I transfer photos, music, doc, etc. to a different PC without worrying about affecting that PC? If I do not reformat, can I still use this computer as the computer that is connected to the net for my wireless? Do I need to worry about my Wii, Tivo, or other non-computer items that are on the wireless? If I do reformat does that mean that I am going to lose all of my documents and programs?

Sorry for all of the questions, I just want to make the best decision.

Thanks again,

#7 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:09:30 PM

Posted 05 September 2010 - 07:01 AM

You can back up your photos, music, doc, etc and I suggest you do so, either burn them to a disc, or you can copy
them over to a flash\external drive. If you are going to do that I would suggest you run the following program first
as a precaution.

Download and Run FlashDisinfector
  • Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden file named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.


QUOTE
If I do not reformat, can I still use this computer as the computer that is connected to the net for my wireless?


If we get your computer cleaned up, you can use the computer for whatever you want.

QUOTE
Do I need to worry about my Wii, Tivo, or other non-computer items that are on the wireless?


I don't believe that you need to worry about these, this would require specific malware written for these platforms and
if there are any, I don't think they are very common.

QUOTE
If I do reformat does that mean that I am going to lose all of my documents and programs?


You will still be able to back up any photos, music, doc, etc beforehand, so you wouldn't lose these. You would however
lose any programs you have installed or settings you have put in place, as the whole drive\partition will be wiped.


If you want to go on please try running combofix again, in safe mode this time.

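Syler's note above explains why Flash_Disinfector leaves a placeholder autorun.inf on every drive: autorun-spreading malware plants its own autorun.inf to get launched when the drive is opened, and an existing entry it cannot replace blocks that. The Python below is an added example, not code from this thread or from Flash_Disinfector, showing how a defender can tell an inert placeholder from an autorun.inf that would launch a program. The sample file contents and the file names inside them are constructed for illustration; the exact content the tool writes is not on the page and is not assumed here.

```python
"""Classify autorun.inf contents found on removable media (added example).

An inert placeholder (a directory, or a file with only cosmetic keys such
as label= or icon=) cannot launch anything. A hostile autorun.inf points
Windows at an executable through open=, shellexecute= or a
shell\\<verb>\\command= entry under [autorun].
"""
import os
import re

# Keys under [autorun] whose value is executed when the drive is opened.
EXEC_KEYS = ("open", "shellexecute")
# Keys of the form shell\<verb>\command (verb names are arbitrary).
SHELL_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)


def parse_autorun(text):
    """Parse INI-style autorun.inf text into {section: {key: value}}.

    Section and key names are lower-cased because Windows treats them
    case-insensitively; comment lines (; or #) and blanks are skipped.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def classify_autorun(text):
    """Return ("inert", []) or ("launches", [command, ...]) for the text."""
    autorun = parse_autorun(text).get("autorun", {})
    targets = [
        value for key, value in autorun.items()
        if key in EXEC_KEYS or SHELL_CMD_RE.match(key)
    ]
    return ("launches" if targets else "inert"), targets


def assess_entry(path):
    """Classify an autorun.inf present on a drive by path.

    A directory named autorun.inf cannot be parsed by Windows at all, so
    it is reported as a placeholder; a file is read and classified.
    """
    if os.path.isdir(path):
        return ("placeholder-directory", [])
    with open(path, "r", errors="replace") as fh:
        return classify_autorun(fh.read())


# Constructed sample contents for the demonstration (not from the thread).
PLACEHOLDER_SAMPLE = "; inert placeholder, cosmetic keys only\n[autorun]\nlabel=My USB\n"
HOSTILE_SAMPLE = (
    "[autorun]\n"
    "open=setup.exe\n"
    "shell\\open\\command=setup.exe\n"
    "icon=setup.exe,0\n"
    "label=Photos\n"
)
MIXED_CASE_SAMPLE = "[AutoRun]\nShellExecute=launcher.exe /s\n"

if __name__ == "__main__":
    for name, sample in [("placeholder", PLACEHOLDER_SAMPLE),
                         ("hostile", HOSTILE_SAMPLE),
                         ("mixed-case", MIXED_CASE_SAMPLE)]:
        verdict, targets = classify_autorun(sample)
        print(f"{name}: {verdict} {targets}")
```

The classification is deliberately conservative: anything that resolves to a command under `[autorun]` is reported as launching, regardless of whether the named file exists, because the decision a responder wants is "would opening this drive run something", not whether the payload is still present.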


#8 caappold

caappold
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  • Local time:04:30 PM

Posted 05 September 2010 - 08:52 AM

QUOTE
If I do not reformat, can I still use this computer as the computer that is connected to the net for my wireless?
I think that I need to clarify this. Can I do this without worrying about infecting the other computers? If I use my laptop through the wireless and the infected computer is the wireless hub, do I have to worry about the information on my laptop? What if another computer is hardwired into the network?

I re-ran combofix in safe mode and still got that message about AVG. Only difference is now I cannot find the program running in the task manager. I still cannot uninstall it. Combofix did complete this time though. Here's the log:

ComboFix 10-09-03.02 - Owner 09/05/2010 9:39.2.1 - FAT32x86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.958.735 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\Owner\Local Settings\Application Data\{D6901B81-BB0E-484D-A5AC-54BCA3ECCCC5}
c:\documents and settings\Owner\Local Settings\Application Data\{D6901B81-BB0E-484D-A5AC-54BCA3ECCCC5}\chrome.manifest
c:\documents and settings\Owner\Local Settings\Application Data\{D6901B81-BB0E-484D-A5AC-54BCA3ECCCC5}\chrome\content\_cfg.js
c:\documents and settings\Owner\Local Settings\Application Data\{D6901B81-BB0E-484D-A5AC-54BCA3ECCCC5}\chrome\content\overlay.xul
c:\documents and settings\Owner\Local Settings\Application Data\{D6901B81-BB0E-484D-A5AC-54BCA3ECCCC5}\install.rdf
c:\program files\Internet Explorer\SET116.tmp
c:\program files\Internet Explorer\SET117.tmp
c:\program files\Internet Explorer\SET118.tmp
c:\program files\Internet Explorer\SETB2.tmp
c:\program files\Internet Explorer\SETB3.tmp
c:\program files\Internet Explorer\SETB5.tmp
c:\windows\SET2DF7.tmp
c:\windows\system32\_004330_.tmp.dll
c:\windows\system32\_004331_.tmp.dll
c:\windows\system32\_004332_.tmp.dll
c:\windows\system32\_004333_.tmp.dll
c:\windows\system32\_004340_.tmp.dll
c:\windows\system32\_004341_.tmp.dll
c:\windows\system32\_004342_.tmp.dll
c:\windows\system32\_004343_.tmp.dll
c:\windows\system32\_004345_.tmp.dll
c:\windows\system32\_004346_.tmp.dll
c:\windows\system32\_004349_.tmp.dll
c:\windows\system32\_004350_.tmp.dll
c:\windows\system32\_004352_.tmp.dll
c:\windows\system32\_004353_.tmp.dll
c:\windows\system32\_004354_.tmp.dll
c:\windows\system32\_004356_.tmp.dll
c:\windows\system32\_004359_.tmp.dll
c:\windows\system32\_004360_.tmp.dll
c:\windows\system32\_004364_.tmp.dll
c:\windows\system32\_004365_.tmp.dll
c:\windows\system32\_004367_.tmp.dll
c:\windows\system32\_004369_.tmp.dll
c:\windows\system32\_004370_.tmp.dll
c:\windows\system32\_004372_.tmp.dll
c:\windows\system32\_004373_.tmp.dll
c:\windows\system32\_004374_.tmp.dll
c:\windows\system32\_004375_.tmp.dll
c:\windows\system32\_004376_.tmp.dll
c:\windows\system32\_004379_.tmp.dll
c:\windows\system32\_004380_.tmp.dll
c:\windows\system32\_004381_.tmp.dll
c:\windows\system32\_004382_.tmp.dll
c:\windows\system32\_004383_.tmp.dll
c:\windows\system32\_004388_.tmp.dll
c:\windows\system32\_004390_.tmp.dll
c:\windows\system32\drivers\fkrnbiywetjw.sys
c:\windows\system32\drivers\npf.sys
c:\windows\system32\nGpxx18
c:\windows\system32\Packet.dll
c:\windows\system32\wpcap.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_NPF
-------\Legacy_fkrnbiywetjw
-------\Service_fkrnbiywetjw


((((((((((((((((((((((((( Files Created from 2010-08-05 to 2010-09-05 )))))))))))))))))))))))))))))))
.

2010-08-30 14:21 . 2010-08-30 14:21 388096 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-08-28 16:50 . 2008-04-14 00:12 159232 ----a-w- c:\windows\system32\ptpusd.dll
2010-08-28 16:50 . 2001-08-18 02:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2010-08-25 18:20 . 2010-08-25 18:20 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-08-17 13:51 . 2010-08-17 13:51 -------- d-----w- C:\FOUND.012
2010-08-16 06:20 . 2010-08-16 06:20 -------- d-----w- c:\documents and settings\LocalService\Application Data\AdobeUM
2010-08-09 15:01 . 2010-07-12 08:55 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-08-09 14:30 . 2010-07-12 08:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-08-09 14:30 . 2010-08-09 14:30 -------- d-----w- c:\windows\system32\DRVSTORE
2010-08-09 14:29 . 2010-08-09 14:29 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-08-09 14:27 . 2010-08-09 14:27 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Sunbelt Software
2010-08-09 14:27 . 2010-08-09 14:27 -------- d--h--w- c:\documents and settings\All Users\Application Data\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}
2010-08-09 14:27 . 2010-07-12 08:56 2979280 ----a-w- c:\documents and settings\All Users\Application Data\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}\Ad-AwareInstall.exe
2010-08-09 14:26 . 2010-08-09 14:26 -------- d-----w- c:\program files\Lavasoft
2010-08-09 06:33 . 2010-08-09 06:33 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-08-08 14:05 . 2010-08-08 14:05 -------- d-----w- C:\FOUND.011
2010-08-08 04:19 . 2010-08-08 04:19 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-05 07:37 . 2006-08-16 13:51 664 ----a-w- c:\windows\system32\d3d9caps.dat
2008-11-07 15:00 . 2008-11-07 15:00 11308 ----a-w- c:\program files\Common Files\sevyluho.db
2008-11-07 15:00 . 2008-11-07 15:00 19129 ----a-w- c:\program files\Common Files\fahopybeq.exe
2008-11-07 15:00 . 2008-11-07 15:00 16250 ----a-w- c:\program files\Common Files\nafimy.bin
2008-11-07 15:00 . 2008-11-07 15:00 13538 ----a-w- c:\program files\Common Files\xazevuwy.dll
.

------- Sigcheck -------

[7] 2008-04-14 . 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE . 198144 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\netman.dll
[-] 2005-08-22 . 36739B39267914BA69AD0610A0299732 . 197632 . . [5.1.2600.2743] . . c:\windows\system32\netman.dll
[-] 2005-08-22 . 36739B39267914BA69AD0610A0299732 . 197632 . . [5.1.2600.2743] . . c:\windows\$NtServicePackUninstall$\netman.dll
[-] 2005-08-22 . 3516D8A18B36784B1005B950B84232E1 . 197632 . . [5.1.2600.2743] . . c:\windows\$hf_mig$\KB905414\SP2QFE\netman.dll
[7] 2004-08-04 . DAB9E6C7105D2EF49876FE92C524F565 . 198144 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB905414$\netman.dll

[7] 2008-04-14 . 2589FE6015A316C0F5D5112B4DA7B509 . 399360 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\rpcss.dll
[-] 2005-07-26 . CE94A2BD25E3E9F4D46A7373FF455C6D . 397824 . . [5.1.2600.2726] . . c:\windows\system32\rpcss.dll
[-] 2005-07-26 . CE94A2BD25E3E9F4D46A7373FF455C6D . 397824 . . [5.1.2600.2726] . . c:\windows\$NtServicePackUninstall$\rpcss.dll
[-] 2005-07-26 . C369DF215D352B6F3A0B8C3469AA34F8 . 398336 . . [5.1.2600.2726] . . c:\windows\$hf_mig$\KB902400\SP2QFE\rpcss.dll
[-] 2005-04-28 . C8061F289E000703E7672916B7FE1571 . 395776 . . [5.1.2600.2665] . . c:\windows\$NtUninstallKB902400$\rpcss.dll
[-] 2005-04-28 . DA383FB39A6F1C445F3AFC94B3EB1248 . 396288 . . [5.1.2600.2665] . . c:\windows\$hf_mig$\KB894391\SP2QFE\rpcss.dll
[-] 2005-01-14 . 419899803CA479B73B02390318C787C0 . 395776 . . [5.1.2600.2595] . . c:\windows\$NtUninstallKB894391$\rpcss.dll
[-] 2005-01-14 . 94456045BEB4545B5EBE1DCC85951AFA . 395776 . . [5.1.2600.2595] . . c:\windows\$hf_mig$\KB873333\SP2QFE\rpcss.dll
[7] 2004-08-04 . 5C83A4408604F737717AB96371201680 . 395776 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB873333$\rpcss.dll

[7] 2008-04-14 . D8E14A61ACC1D4A6CD0D38AEBAC7FA3B . 57856 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\spoolsv.exe
[-] 2005-06-10 . AD3D9D191AEA7B5445FE1D82FFBB4788 . 57856 . . [5.1.2600.2696] . . c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
[-] 2005-06-10 . DA81EC57ACD4CDC3D4C51CF3D409AF9F . 57856 . . [5.1.2600.2696] . . c:\windows\system32\spoolsv.exe
[-] 2005-06-10 . DA81EC57ACD4CDC3D4C51CF3D409AF9F . 57856 . . [5.1.2600.2696] . . c:\windows\$NtServicePackUninstall$\spoolsv.exe
[7] 2004-08-04 . 7435B108B935E42EA92CA94F59C8E717 . 57856 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB896423$\spoolsv.exe

[7] 2008-04-14 . 2DC5A8019E2387987905F77C664E4BE2 . 19968 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\linkinfo.dll
[-] 2005-08-31 . 648BF0B4DDE4F7A1156DAE7174D36EFA . 19968 . . [5.1.2600.2751] . . c:\windows\$hf_mig$\KB900725\SP2QFE\linkinfo.dll
[-] 2005-08-31 . A1A688EE56CF3BBD24EDEB815D48E9BA . 19968 . . [5.1.2600.2751] . . c:\windows\system32\linkinfo.dll
[-] 2005-08-31 . A1A688EE56CF3BBD24EDEB815D48E9BA . 19968 . . [5.1.2600.2751] . . c:\windows\$NtServicePackUninstall$\linkinfo.dll
[7] 2004-08-04 . C2BBD044C741EA4292016C36F718D2E4 . 18944 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB900725$\linkinfo.dll

[7] 2008-04-14 . 3CB78C17BB664637787C9A1C98F79C38 . 249856 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tapisrv.dll
[-] 2005-07-08 . 1418A3A6E76E5A2E3F5E43866E793A8B . 249344 . . [5.1.2600.2716] . . c:\windows\$hf_mig$\KB893756\SP2QFE\tapisrv.dll
[-] 2005-07-08 . FB78839B36025AA286A51289ED28B73E . 249344 . . [5.1.2600.2716] . . c:\windows\system32\tapisrv.dll
[-] 2005-07-08 . FB78839B36025AA286A51289ED28B73E . 249344 . . [5.1.2600.2716] . . c:\windows\$NtServicePackUninstall$\tapisrv.dll
[7] 2004-08-04 . EB4A4187D74A8EFDCBEA3EA2CB1BDFBD . 246272 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB893756$\tapisrv.dll

[7] 2008-04-14 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\user32.dll
[-] 2007-03-08 . 7AA4F6C00405DFC4B70ED4214E7D687B . 578048 . . [5.1.2600.3099] . . c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
[-] 2007-03-08 . B409909F6E2E8A7067076ED748ABF1E7 . 577536 . . [5.1.2600.3099] . . c:\windows\system32\user32.dll
[-] 2007-03-08 . B409909F6E2E8A7067076ED748ABF1E7 . 577536 . . [5.1.2600.3099] . . c:\windows\$NtServicePackUninstall$\user32.dll
[-] 2005-03-02 . 1800F293BCCC8EDE8A70E12B88D80036 . 577024 . . [5.1.2600.2622] . . c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll
[-] 2005-03-02 . DE2DB164BBB35DB061AF0997E4499054 . 577024 . . [5.1.2600.2622] . . c:\windows\$NtUninstallKB925902$\user32.dll
[7] 2004-08-04 . C72661F8552ACE7C5C85E16A3CF505C4 . 577024 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB890859$\user32.dll

[7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe
[-] 2007-06-13 . 7712DF0CDDE3A5AC89843E61CD5B3658 . 1033216 . . [6.00.2900.3156] . . c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[-] 2007-06-13 . 97BD6515465659FF8F3B7BE375B2EA87 . 1033216 . . [6.00.2900.3156] . . c:\windows\explorer.exe
[-] 2007-06-13 . 97BD6515465659FF8F3B7BE375B2EA87 . 1033216 . . [6.00.2900.3156] . . c:\windows\$NtServicePackUninstall$\explorer.exe
[7] 2004-08-04 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\$NtUninstallKB938828$\explorer.exe

[7] 2008-04-14 . ECCE74BC6168375016450A86A164D976 . 1287168 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ole32.dll
[-] 2005-07-26 . AB8231D13692AC5088EB9C226B0C0576 . 1285120 . . [5.1.2600.2726] . . c:\windows\system32\ole32.dll
[-] 2005-07-26 . AB8231D13692AC5088EB9C226B0C0576 . 1285120 . . [5.1.2600.2726] . . c:\windows\$NtServicePackUninstall$\ole32.dll
[-] 2005-07-26 . A2F755E237FA2CDD748A80BFBE6657F3 . 1285632 . . [5.1.2600.2726] . . c:\windows\$hf_mig$\KB902400\SP2QFE\ole32.dll
[-] 2005-04-28 . 5950E4F28FDA9D147576BF6798937397 . 1285120 . . [5.1.2600.2665] . . c:\windows\$NtUninstallKB902400$\ole32.dll
[-] 2005-04-28 . 7440D29F257B7E44329343F944F2142C . 1286144 . . [5.1.2600.2665] . . c:\windows\$hf_mig$\KB894391\SP2QFE\ole32.dll
[-] 2005-01-14 . ABDEF60CED7C04AB35A415EFB6B96D81 . 1285120 . . [5.1.2600.2595] . . c:\windows\$NtUninstallKB894391$\ole32.dll
[-] 2005-01-14 . 2E752611C9A9AE1B6BFD0DA03CF7F17E . 1284608 . . [5.1.2600.2595] . . c:\windows\$hf_mig$\KB873333\SP2QFE\ole32.dll
[7] 2004-08-04 . 4FE9D9FA62D020E35E0AC6D1AEEB96F0 . 1281536 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB873333$\ole32.dll

[7] 2008-04-14 . 1926899BF9FFE2602B63074971700412 . 135168 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\shsvcs.dll
[-] 2006-12-19 . 6815DEF9B810AEFAC107EEAF72DA6F82 . 134656 . . [6.00.2900.3051] . . c:\windows\system32\shsvcs.dll
[-] 2006-12-19 . 6815DEF9B810AEFAC107EEAF72DA6F82 . 134656 . . [6.00.2900.3051] . . c:\windows\$NtServicePackUninstall$\shsvcs.dll
[-] 2006-12-19 . 53D9184A21C5CBF600D918E51EF3A7E5 . 135168 . . [6.00.2900.3051] . . c:\windows\$hf_mig$\KB928255\SP2QFE\shsvcs.dll
[7] 2004-08-04 . E7518DC542D3EBDCB80EDD98462C7821 . 134656 . . [6.00.2900.2180] . . c:\windows\$NtUninstallKB928255$\shsvcs.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TivoTransfer"="c:\program files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" [2008-07-09 1189376]
"TivoNotify"="c:\program files\TiVo\Desktop\TiVoNotify.exe" [2008-07-09 394240]
"TivoServer"="c:\program files\TiVo\Desktop\TiVoServer.exe" [2008-07-09 1931264]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-07-09 2048352]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-08-06 98304]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-11-11 7311360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
"SWHelper"="c:\windows\system32\Macromed\Shockwave 10\PostUpdate.exe" [2010-09-03 53248]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"LegacyDrive"= 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

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-25 03:15 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LaunchApp]
Alaunch [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
2004-06-29 13:06 88363 ----a-w- c:\windows\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
2003-09-29 19:17 175616 ----a-w- c:\program files\SlySoft\AnyDVD\AnyDVD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AspireService]
2006-01-19 13:46 110592 ----a-w- c:\program files\Acer\Acer eMode Management\AspireService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ElbyCheckAnyDVD]
2003-09-20 18:23 45056 ----a-w- c:\program files\SlySoft\AnyDVD\ElbyCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eRecoveryService]
2005-11-16 21:00 397312 ----a-w- c:\acer\Empowering Technology\eRecovery\Monitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2006-04-20 14:10 50792 ----a-w- c:\program files\Common Files\AOL\1154916856\ee\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2003-12-22 12:38 241664 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-09-24 04:08 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2004-08-04 09:00 208952 ----a-w- c:\windows\ime\imjp8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
2006-02-17 13:59 124520 ----a-w- c:\program files\Common Files\AOL\IPHSend\IPHSend.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MediaSync]
2005-09-21 17:48 425984 ----a-w- c:\program files\Acer\Acer eConsole\MediaSync.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
2004-08-04 09:00 59392 ----a-w- c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ntiMUI]
2005-05-11 22:15 45056 ----a-w- c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2005-11-11 08:47 7311360 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2005-11-11 08:47 86016 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2005-11-11 08:47 1519616 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
2004-08-04 09:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
2004-08-04 09:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PinnacleDriverCheck]
2004-03-10 19:26 406016 ----a-w- c:\windows\system32\PSDrvCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PMCRemote]
2006-04-27 19:45 94208 ------w- c:\program files\Pinnacle\Shared Files\Programs\Remote\remoterm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PMCS]
2006-04-27 19:47 65536 ------w- c:\program files\Pinnacle\Shared Files\Programs\MediaCenterService\PMC.Service.Main.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2006-08-06 22:15 98304 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2004-11-03 00:24 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2005-09-22 20:42 90112 ----a-w- c:\windows\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
2004-02-25 15:48 665088 ----a-w- c:\program files\Webroot\Spy Sweeper\SpySweeper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2005-11-10 17:03 36975 ----a-w- c:\program files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TivoNotify]
2008-07-09 19:14 394240 ----a-w- c:\program files\TiVo\Desktop\TiVoNotify.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TivoServer]
2008-07-09 19:15 1931264 ----a-w- c:\program files\TiVo\Desktop\TiVoServer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TivoTransfer]
2008-07-09 19:13 1189376 ----a-w- c:\program files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
2004-11-22 12:18 307200 ----a-r- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
2004-11-11 04:15 111816 ----a-w- c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\TiVo\\Desktop\\TiVoServer.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [8/9/2010 10:30 AM 64288]
S0 neexuhbq;neexuhbq; [x]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/10/2008 3:22 PM 335240]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [11/10/2008 3:22 PM 297752]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/12/2010 4:55 AM 1355928]
S2 TivoBeacon2;TiVo Beacon;c:\program files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe [7/9/2008 3:13 PM 868864]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [8/16/2010 10:39 AM 15008]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2/8/2010 10:49 PM 38224]
S3 SDTHOOK;SDTHOOK;c:\windows\system32\drivers\SDTHOOK.SYS [2/14/2008 3:41 PM 44928]
.
Contents of the 'Scheduled Tasks' folder

2010-09-05 c:\windows\Tasks\Ad-Aware Scan (s).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-07-12 14:34]

2010-09-05 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-07-12 14:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
Trusted Zone: gap.com\oldnavy
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - (no file)
Notify-WgaLogon - (no file)
MSConfigStartUp-Aim6 - c:\program files\Common Files\AOL\Launch\AOLLaunch.exe
MSConfigStartUp-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe
AddRemove-{F38ADCA4-AF7C-4C73-9021-6F1EA15D15EA} - c:\program files\InstallShield Installation Information\{F38ADCA4-AF7C-4C73-9021-6F1EA15D15EA}\Setup.exeUNINSTALL



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-05 09:43
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(584)
c:\windows\system32\vorbis.acm

- - - - - - - > 'explorer.exe'(1720)
c:\windows\system32\ieframe.dll
c:\program files\Microsoft Office\Office10\msohev.dll
.
Completion time: 2010-09-05 09:45:11
ComboFix-quarantined-files.txt 2010-09-05 13:45
ComboFix2.txt 2008-02-18 02:24

Pre-Run: 13,246,169,088 bytes free
Post-Run: 13,612,777,472 bytes free

- - End Of File - - EAFDA048777F081050FF6A8C90F08855


#9 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 05 September 2010 - 09:19 AM

Some malware can spread through networks, so for now you should keep the infected machine separate from the network. Once you are clean you can set it up again.

Please post the contents of the following file.

C:\QooBox\ComboFix-quarantined-files.txt

unite.jpg


#10 caappold

caappold
  • Topic Starter

  • Members
  • 33 posts

Posted 06 September 2010 - 08:14 AM

2010-09-05 13:44:51 . 2010-09-05 13:44:52 1,700 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-{F38ADCA4-AF7C-4C73-9021-6F1EA15D15EA}.reg.dat
2010-09-05 13:44:43 . 2010-09-05 13:44:44 616 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-ccApp.reg.dat
2010-09-05 13:44:42 . 2010-09-05 13:44:44 684 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-Aim6.reg.dat
2010-09-05 13:44:41 . 2010-09-05 13:44:42 332 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Notify-WgaLogon.reg.dat
2010-09-05 13:44:34 . 2010-09-05 13:44:36 171 ----a-w- C:\Qoobox\Quarantine\Registry_backups\WebBrowser-{FD2FD708-1F6F-4B68-B141-C5778F0C19BB}.reg.dat
2010-09-04 19:24:46 . 2010-09-04 19:24:48 1,180 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_fkrnbiywetjw.reg.dat
2010-09-04 19:24:46 . 2010-09-04 19:24:48 838 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Legacy_fkrnbiywetjw.reg.dat
2010-09-04 19:22:50 . 2010-09-04 19:22:50 2,414 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_NPF.reg.dat
2010-09-04 19:22:49 . 2010-09-04 19:22:50 1,208 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Legacy_NPF.reg.dat
2010-09-04 19:22:34 . 2010-09-05 13:42:50 6,957 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2010-08-04 18:35:57 . 2010-08-04 18:35:58 100,880 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\Packet.dll.vir
2010-08-04 18:35:57 . 2010-08-04 18:35:58 281,104 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\wpcap.dll.vir
2010-08-04 18:35:57 . 2010-08-04 18:35:58 50,704 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\npf.sys.vir
2010-02-09 02:41:58 . 2010-02-09 02:42:00 6,778 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Local Settings\Application Data\{D6901B81-BB0E-484D-A5AC-54BCA3ECCCC5}\chrome\content\overlay.xul.vir
2010-02-09 02:41:58 . 2010-02-09 02:42:00 2,016 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Local Settings\Application Data\{D6901B81-BB0E-484D-A5AC-54BCA3ECCCC5}\chrome\content\_cfg.js.vir
2010-02-09 02:41:57 . 2010-02-09 02:42:00 764 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Local Settings\Application Data\{D6901B81-BB0E-484D-A5AC-54BCA3ECCCC5}\install.rdf.vir
2010-02-09 02:41:57 . 2010-02-09 02:41:58 122 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Local Settings\Application Data\{D6901B81-BB0E-484D-A5AC-54BCA3ECCCC5}\chrome.manifest.vir
2008-02-18 02:19:22 . 2010-09-05 13:38:48 725 ----a-w- C:\Qoobox\Quarantine\catchme.log
2008-02-14 19:40:49 . 2007-06-08 13:44:36 8,576 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\fkrnbiywetjw.sys.vir
2008-02-12 19:55:27 . 2008-02-14 17:48:12 2,179 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\cookies.ini.vir
2008-02-06 13:33:44 . 2008-02-18 02:17:04 19,128 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\egrrimyt.dllbox.vir
2008-02-06 13:27:25 . 2008-02-18 02:19:24 27,136 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\byxyvuu.dll.vir
2007-08-16 07:02:40 . 2004-08-04 09:00:00 1,032,192 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\SET2DF7.tmp.vir
2007-04-08 15:21:28 . 2004-08-04 09:00:00 93,184 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Internet Explorer\SET118.tmp.vir
2007-04-08 15:21:28 . 2007-01-04 10:03:40 18,432 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Internet Explorer\SET117.tmp.vir
2007-04-08 15:21:28 . 2004-08-04 09:00:00 38,912 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Internet Explorer\SET116.tmp.vir
2006-10-17 16:04:50 . 2006-10-17 16:04:50 69,120 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Internet Explorer\SETB3.tmp.vir
2006-10-17 16:04:40 . 2006-10-17 16:04:40 622,080 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Internet Explorer\SETB5.tmp.vir
2006-10-17 15:44:36 . 2006-10-17 15:44:36 60,416 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Internet Explorer\SETB2.tmp.vir
2006-08-09 01:49:24 . 2008-09-15 11:57:42 1,846,016 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004333_.tmp.dll.vir
2006-08-09 01:48:23 . 2005-07-26 01:39:50 37,888 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004359_.tmp.dll.vir
2006-08-09 01:48:15 . 2006-05-19 09:59:42 111,616 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004379_.tmp.dll.vir
2005-04-28 15:31:12 . 2005-04-28 15:31:12 37,888 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_000026_.tmp.dll.vir
2005-03-01 21:06:58 . 2005-03-01 21:06:58 1,836,288 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_000006_.tmp.dll.vir
2004-12-07 15:32:34 . 2004-12-07 15:32:34 96,768 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004340_.tmp.dll.vir
2004-10-27 21:21:02 . 2007-11-07 08:26:56 721,920 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004370_.tmp.dll.vir
2004-08-04 09:00:00 . 2004-08-04 09:00:00 611,328 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_000007_.tmp.dll.vir
2004-08-04 09:00:00 . 2004-08-04 09:00:00 553,472 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_000005_.tmp.dll.vir
2004-08-04 09:00:00 . 2004-08-04 09:00:00 111,104 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_000008_.tmp.dll.vir
2004-08-04 09:00:00 . 2006-08-17 11:28:28 132,096 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004330_.tmp.dll.vir
2004-08-04 09:00:00 . 2004-08-04 09:00:00 146,432 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004331_.tmp.dll.vir
2004-08-04 09:00:00 . 2004-08-04 09:00:00 101,888 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004332_.tmp.dll.vir
2004-08-04 09:00:00 . 2004-08-04 09:00:00 22,040 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004341_.tmp.dll.vir
2004-08-04 09:00:00 . 2004-08-04 09:00:00 50,688 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004342_.tmp.dll.vir
2004-08-04 09:00:00 . 2004-08-04 09:00:00 983,552 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004343_.tmp.dll.vir
2004-08-04 09:00:00 . 2004-08-04 09:00:00 108,032 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004345_.tmp.dll.vir
2004-08-04 09:00:00 . 2007-04-25 14:21:16 144,896 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004346_.tmp.dll.vir
2004-08-04 09:00:00 . 2004-08-04 09:00:00 415,744 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004349_.tmp.dll.vir
2004-08-04 09:00:00 . 2004-08-04 09:00:00 64,000 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004350_.tmp.dll.vir
2004-08-04 09:00:00 . 2004-08-04 09:00:00 58,880 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004352_.tmp.dll.vir
2004-08-04 09:00:00 . 2004-08-04 09:00:00 61,440 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004353_.tmp.dll.vir
2004-08-04 09:00:00 . 2004-08-04 09:00:00 657,920 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004354_.tmp.dll.vir
2004-08-04 09:00:00 . 2004-08-04 09:00:00 236,544 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004356_.tmp.dll.vir
2004-08-04 09:00:00 . 2007-12-04 17:38:14 550,912 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004360_.tmp.dll.vir
2004-08-04 09:00:00 . 2004-08-04 09:00:00 8,192 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004364_.tmp.dll.vir
2004-08-04 09:00:00 . 2004-08-04 09:00:00 708,096 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004365_.tmp.dll.vir
2004-08-04 09:00:00 . 2004-08-04 09:00:00 129,536 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004367_.tmp.dll.vir
2004-08-04 09:00:00 . 2004-08-04 09:00:00 14,848 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004369_.tmp.dll.vir
2004-08-04 09:00:00 . 2004-08-04 09:00:00 341,504 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004372_.tmp.dll.vir
2004-08-04 09:00:00 . 2004-08-04 09:00:00 249,270 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004373_.tmp.dll.vir
2004-08-04 09:00:00 . 2004-08-04 09:00:00 13,824 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004374_.tmp.dll.vir
2004-08-04 09:00:00 . 2007-04-16 15:52:54 984,576 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004375_.tmp.dll.vir
2004-08-04 09:00:00 . 2004-08-04 09:00:00 144,384 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004376_.tmp.dll.vir
2004-08-04 09:00:00 . 2004-08-04 09:00:00 135,168 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004380_.tmp.dll.vir
2004-08-04 09:00:00 . 2004-08-04 09:00:00 32,768 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004381_.tmp.dll.vir
2004-08-04 09:00:00 . 2004-08-04 09:00:00 276,992 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004382_.tmp.dll.vir
2004-08-04 09:00:00 . 2006-08-25 15:45:58 617,472 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004383_.tmp.dll.vir
2004-08-04 09:00:00 . 2004-08-04 09:00:00 616,960 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004388_.tmp.dll.vir
2004-08-04 09:00:00 . 2004-08-04 09:00:00 2,897,920 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_004390_.tmp.dll.vir
2004-08-04 09:00:00 . 2008-04-13 18:40:46 62,976 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\cdrom.sys.vir


#11 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 06 September 2010 - 11:32 AM

Can you tell me how the computer is running now and if you are still having any problems?


1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

CODE
http://www.bleepingcomputer.com/forums/index.php?showtopic=343861

Collect::
c:\program files\Common Files\sevyluho.db
c:\program files\Common Files\fahopybeq.exe
c:\program files\Common Files\nafimy.bin
c:\program files\Common Files\xazevuwy.dll
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LaunchApp]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000000
Driver::
neexuhbq


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

unite.jpg
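
The two things syler's CFScript corrects, the Security Center override values set to 1 and the S0 service entry that has no file behind it, can be picked out of a ComboFix log automatically. The Python below is an added example written for this page; it is not part of the thread, of ComboFix, or of any BleepingComputer tool. It runs over a few lines copied from the log posted earlier in the thread (a constructed sample embedded inline), reports what it finds, and renders the findings in the same Registry::/Driver:: layout syler used. The function names, the regular expressions and the assumption that a service line with an empty path and a `[x]` marker means the file is missing are my own, based only on the lines visible in this thread.

```python
"""Flag Security Center overrides and pathless services in a ComboFix log.

Added example for this thread, not ComboFix code. Only the two value
names seen in the posted log are treated as overrides; a real triage tool
would carry a fuller list.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: lines copied from the ComboFix log posted in this
# thread, plus two ordinary driver lines (Lbd, AvgLdx86) for contrast.
SAMPLE_LOG = """\
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring]
"DisableMonitoring"=dword:00000001

R0 Lbd;Lbd;c:\\windows\\system32\\drivers\\Lbd.sys [8/9/2010 10:30 AM 64288]
S0 neexuhbq;neexuhbq; [x]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\\windows\\system32\\drivers\\avgldx86.sys [11/10/2008 3:22 PM 335240]
"""

# Security Center values that, when non-zero, silence the "no antivirus"
# and monitoring warnings. Both appear in the posted log set to 1, and the
# CFScript above resets them to 0.
SECURITY_CENTER_OVERRIDES = {"antivirusoverride", "disablemonitoring"}

KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')
# ComboFix service lines: <R|S><start> <name>;<display name>;<image path> [<details>]
SERVICE_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.*?)\s*\[(.*)\]$")


def scan_combofix_log(text: str) -> Dict[str, List]:
    """Return Security Center overrides that are set and services with no image path."""
    overrides: List[Tuple[str, str, int]] = []  # (registry key, value name, dword)
    pathless: List[Tuple[str, str]] = []         # (service name, start type)
    current_key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)   # section header such as [HKEY_LOCAL_MACHINE\...]
            continue
        m = DWORD_RE.match(line)
        if m:
            name, value = m.group(1), int(m.group(2), 16)
            if ("security center" in current_key.lower()
                    and name.lower() in SECURITY_CENTER_OVERRIDES and value != 0):
                overrides.append((current_key, name, value))
            continue
        m = SERVICE_RE.match(line)
        if m:
            svc_type, start, name, _display, path, details = m.groups()
            # Empty image path plus ComboFix's [x] marker: a registered driver or
            # service whose file is gone, which is what the CFScript's Driver::
            # section removes.
            if not path and details.strip().lower() == "x":
                pathless.append((name, f"{svc_type}{start}"))
    return {"overrides": overrides, "pathless_services": pathless}


def build_cfscript(findings: Dict[str, List]) -> str:
    """Render findings in the Registry::/Driver:: layout used in the thread."""
    lines: List[str] = []
    if findings["overrides"]:
        lines.append("Registry::")
        for key, name, _value in findings["overrides"]:
            lines.append(f"[{key}]")
            lines.append(f'"{name}"=dword:00000000')
    if findings["pathless_services"]:
        lines.append("Driver::")
        for name, _start in findings["pathless_services"]:
            lines.append(name)
    return "\n".join(lines)


if __name__ == "__main__":
    result = scan_combofix_log(SAMPLE_LOG)
    for key, name, value in result["overrides"]:
        print(f"Security Center override set: {key}\\{name} = {value}")
    for name, start in result["pathless_services"]:
        print(f"Service with no image file: {name} (start type {start})")
    print(build_cfscript(result))
```

On the sample above the scan reports both override values and the `neexuhbq` S0 entry, and the rendered script matches the Registry:: and Driver:: sections syler posted. The override check is deliberately narrow: it flags only value names it knows, so a log with the values absent (the default state) produces no finding.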


#12 caappold

caappold
  • Topic Starter

  • Members
  • 33 posts

Posted 09 September 2010 - 04:44 PM

Computer is much better. No more redirects from google, and as far as I can tell no more pop-ups. Speed is improved. So far, so good. Here's the log.

ComboFix 10-09-08.03 - Owner 09/09/2010 17:14:49.3.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.958.539 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

file zipped: c:\program files\Common Files\fahopybeq.exe
file zipped: c:\program files\Common Files\nafimy.bin
file zipped: c:\program files\Common Files\sevyluho.db
file zipped: c:\program files\Common Files\xazevuwy.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Common Files\fahopybeq.exe
c:\program files\Common Files\nafimy.bin
c:\program files\Common Files\sevyluho.db
c:\program files\Common Files\xazevuwy.dll
c:\windows\system32\SET323.tmp
c:\windows\system32\SET41C.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_neexuhbq


((((((((((((((((((((((((( Files Created from 2010-08-09 to 2010-09-09 )))))))))))))))))))))))))))))))
.

2010-08-30 14:21 . 2010-08-30 14:21 388096 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-08-28 16:50 . 2008-04-14 00:12 159232 ----a-w- c:\windows\system32\ptpusd.dll
2010-08-28 16:50 . 2001-08-18 02:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2010-08-25 18:20 . 2010-08-25 18:20 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-08-17 13:51 . 2010-08-17 13:51 -------- d-----w- C:\FOUND.012
2010-08-16 06:20 . 2010-08-16 06:20 -------- d-----w- c:\documents and settings\LocalService\Application Data\AdobeUM

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-05 20:02 . 2006-08-16 13:51 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-09 14:29 . 2010-08-09 14:29 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-08-09 14:27 . 2010-08-09 14:27 -------- d--h--w- c:\documents and settings\All Users\Application Data\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}
2010-08-09 14:26 . 2010-08-09 14:26 -------- d-----w- c:\program files\Lavasoft
2010-07-12 08:56 . 2010-08-09 14:27 2979280 ----a-w- c:\documents and settings\All Users\Application Data\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}\Ad-AwareInstall.exe
2010-07-12 08:55 . 2010-08-09 15:01 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-07-12 08:55 . 2010-08-09 14:30 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
.

------- Sigcheck -------

[7] 2008-04-14 . 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE . 198144 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\netman.dll
[-] 2005-08-22 . 36739B39267914BA69AD0610A0299732 . 197632 . . [5.1.2600.2743] . . c:\windows\system32\netman.dll
[-] 2005-08-22 . 36739B39267914BA69AD0610A0299732 . 197632 . . [5.1.2600.2743] . . c:\windows\$NtServicePackUninstall$\netman.dll
[-] 2005-08-22 . 3516D8A18B36784B1005B950B84232E1 . 197632 . . [5.1.2600.2743] . . c:\windows\$hf_mig$\KB905414\SP2QFE\netman.dll
[7] 2004-08-04 . DAB9E6C7105D2EF49876FE92C524F565 . 198144 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB905414$\netman.dll

[7] 2008-04-14 . 2589FE6015A316C0F5D5112B4DA7B509 . 399360 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\rpcss.dll
[-] 2005-07-26 . CE94A2BD25E3E9F4D46A7373FF455C6D . 397824 . . [5.1.2600.2726] . . c:\windows\system32\rpcss.dll
[-] 2005-07-26 . CE94A2BD25E3E9F4D46A7373FF455C6D . 397824 . . [5.1.2600.2726] . . c:\windows\$NtServicePackUninstall$\rpcss.dll
[-] 2005-07-26 . C369DF215D352B6F3A0B8C3469AA34F8 . 398336 . . [5.1.2600.2726] . . c:\windows\$hf_mig$\KB902400\SP2QFE\rpcss.dll
[-] 2005-04-28 . C8061F289E000703E7672916B7FE1571 . 395776 . . [5.1.2600.2665] . . c:\windows\$NtUninstallKB902400$\rpcss.dll
[-] 2005-04-28 . DA383FB39A6F1C445F3AFC94B3EB1248 . 396288 . . [5.1.2600.2665] . . c:\windows\$hf_mig$\KB894391\SP2QFE\rpcss.dll
[-] 2005-01-14 . 419899803CA479B73B02390318C787C0 . 395776 . . [5.1.2600.2595] . . c:\windows\$NtUninstallKB894391$\rpcss.dll
[-] 2005-01-14 . 94456045BEB4545B5EBE1DCC85951AFA . 395776 . . [5.1.2600.2595] . . c:\windows\$hf_mig$\KB873333\SP2QFE\rpcss.dll
[7] 2004-08-04 . 5C83A4408604F737717AB96371201680 . 395776 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB873333$\rpcss.dll

[7] 2008-04-14 . D8E14A61ACC1D4A6CD0D38AEBAC7FA3B . 57856 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\spoolsv.exe
[-] 2005-06-10 . AD3D9D191AEA7B5445FE1D82FFBB4788 . 57856 . . [5.1.2600.2696] . . c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
[-] 2005-06-10 . DA81EC57ACD4CDC3D4C51CF3D409AF9F . 57856 . . [5.1.2600.2696] . . c:\windows\system32\spoolsv.exe
[-] 2005-06-10 . DA81EC57ACD4CDC3D4C51CF3D409AF9F . 57856 . . [5.1.2600.2696] . . c:\windows\$NtServicePackUninstall$\spoolsv.exe
[7] 2004-08-04 . 7435B108B935E42EA92CA94F59C8E717 . 57856 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB896423$\spoolsv.exe

[7] 2008-04-14 . 2DC5A8019E2387987905F77C664E4BE2 . 19968 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\linkinfo.dll
[-] 2005-08-31 . 648BF0B4DDE4F7A1156DAE7174D36EFA . 19968 . . [5.1.2600.2751] . . c:\windows\$hf_mig$\KB900725\SP2QFE\linkinfo.dll
[-] 2005-08-31 . A1A688EE56CF3BBD24EDEB815D48E9BA . 19968 . . [5.1.2600.2751] . . c:\windows\system32\linkinfo.dll
[-] 2005-08-31 . A1A688EE56CF3BBD24EDEB815D48E9BA . 19968 . . [5.1.2600.2751] . . c:\windows\$NtServicePackUninstall$\linkinfo.dll
[7] 2004-08-04 . C2BBD044C741EA4292016C36F718D2E4 . 18944 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB900725$\linkinfo.dll

[7] 2008-04-14 . 3CB78C17BB664637787C9A1C98F79C38 . 249856 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tapisrv.dll
[-] 2005-07-08 . 1418A3A6E76E5A2E3F5E43866E793A8B . 249344 . . [5.1.2600.2716] . . c:\windows\$hf_mig$\KB893756\SP2QFE\tapisrv.dll
[-] 2005-07-08 . FB78839B36025AA286A51289ED28B73E . 249344 . . [5.1.2600.2716] . . c:\windows\system32\tapisrv.dll
[-] 2005-07-08 . FB78839B36025AA286A51289ED28B73E . 249344 . . [5.1.2600.2716] . . c:\windows\$NtServicePackUninstall$\tapisrv.dll
[7] 2004-08-04 . EB4A4187D74A8EFDCBEA3EA2CB1BDFBD . 246272 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB893756$\tapisrv.dll

[7] 2008-04-14 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\user32.dll
[-] 2007-03-08 . 7AA4F6C00405DFC4B70ED4214E7D687B . 578048 . . [5.1.2600.3099] . . c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
[-] 2007-03-08 . B409909F6E2E8A7067076ED748ABF1E7 . 577536 . . [5.1.2600.3099] . . c:\windows\system32\user32.dll
[-] 2007-03-08 . B409909F6E2E8A7067076ED748ABF1E7 . 577536 . . [5.1.2600.3099] . . c:\windows\$NtServicePackUninstall$\user32.dll
[-] 2005-03-02 . 1800F293BCCC8EDE8A70E12B88D80036 . 577024 . . [5.1.2600.2622] . . c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll
[-] 2005-03-02 . DE2DB164BBB35DB061AF0997E4499054 . 577024 . . [5.1.2600.2622] . . c:\windows\$NtUninstallKB925902$\user32.dll
[7] 2004-08-04 . C72661F8552ACE7C5C85E16A3CF505C4 . 577024 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB890859$\user32.dll

[7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe
[-] 2007-06-13 . 7712DF0CDDE3A5AC89843E61CD5B3658 . 1033216 . . [6.00.2900.3156] . . c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[-] 2007-06-13 . 97BD6515465659FF8F3B7BE375B2EA87 . 1033216 . . [6.00.2900.3156] . . c:\windows\explorer.exe
[-] 2007-06-13 . 97BD6515465659FF8F3B7BE375B2EA87 . 1033216 . . [6.00.2900.3156] . . c:\windows\$NtServicePackUninstall$\explorer.exe
[7] 2004-08-04 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\$NtUninstallKB938828$\explorer.exe

[7] 2008-04-14 . ECCE74BC6168375016450A86A164D976 . 1287168 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ole32.dll
[-] 2005-07-26 . AB8231D13692AC5088EB9C226B0C0576 . 1285120 . . [5.1.2600.2726] . . c:\windows\system32\ole32.dll
[-] 2005-07-26 . AB8231D13692AC5088EB9C226B0C0576 . 1285120 . . [5.1.2600.2726] . . c:\windows\$NtServicePackUninstall$\ole32.dll
[-] 2005-07-26 . A2F755E237FA2CDD748A80BFBE6657F3 . 1285632 . . [5.1.2600.2726] . . c:\windows\$hf_mig$\KB902400\SP2QFE\ole32.dll
[-] 2005-04-28 . 5950E4F28FDA9D147576BF6798937397 . 1285120 . . [5.1.2600.2665] . . c:\windows\$NtUninstallKB902400$\ole32.dll
[-] 2005-04-28 . 7440D29F257B7E44329343F944F2142C . 1286144 . . [5.1.2600.2665] . . c:\windows\$hf_mig$\KB894391\SP2QFE\ole32.dll
[-] 2005-01-14 . ABDEF60CED7C04AB35A415EFB6B96D81 . 1285120 . . [5.1.2600.2595] . . c:\windows\$NtUninstallKB894391$\ole32.dll
[-] 2005-01-14 . 2E752611C9A9AE1B6BFD0DA03CF7F17E . 1284608 . . [5.1.2600.2595] . . c:\windows\$hf_mig$\KB873333\SP2QFE\ole32.dll
[7] 2004-08-04 . 4FE9D9FA62D020E35E0AC6D1AEEB96F0 . 1281536 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB873333$\ole32.dll

[7] 2008-04-14 . 1926899BF9FFE2602B63074971700412 . 135168 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\shsvcs.dll
[-] 2006-12-19 . 6815DEF9B810AEFAC107EEAF72DA6F82 . 134656 . . [6.00.2900.3051] . . c:\windows\system32\shsvcs.dll
[-] 2006-12-19 . 6815DEF9B810AEFAC107EEAF72DA6F82 . 134656 . . [6.00.2900.3051] . . c:\windows\$NtServicePackUninstall$\shsvcs.dll
[-] 2006-12-19 . 53D9184A21C5CBF600D918E51EF3A7E5 . 135168 . . [6.00.2900.3051] . . c:\windows\$hf_mig$\KB928255\SP2QFE\shsvcs.dll
[7] 2004-08-04 . E7518DC542D3EBDCB80EDD98462C7821 . 134656 . . [6.00.2900.2180] . . c:\windows\$NtUninstallKB928255$\shsvcs.dll
.
((((((((((((((((((((((((((((( SnapShot@2010-09-05_13.43.56 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-09-09 21:22 . 2010-09-09 21:22 16384 c:\windows\temp\Perflib_Perfdata_f4.dat
+ 2010-02-09 23:36 . 2010-09-09 21:21 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2010-02-09 23:36 . 2010-08-12 17:58 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2010-02-09 23:36 . 2010-09-09 21:21 16384 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2010-02-09 23:36 . 2010-08-12 17:58 16384 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2010-09-09 21:22 . 2010-09-09 21:21 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2010-02-09 23:36 . 2010-08-12 17:58 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TivoTransfer"="c:\program files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" [2008-07-09 1189376]
"TivoNotify"="c:\program files\TiVo\Desktop\TiVoNotify.exe" [2008-07-09 394240]
"TivoServer"="c:\program files\TiVo\Desktop\TiVoServer.exe" [2008-07-09 1931264]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-08-06 98304]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-11-11 7311360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
"SWHelper"="c:\windows\system32\Macromed\Shockwave 10\PostUpdate.exe" [2010-09-03 53248]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"LegacyDrive"=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-25 03:15 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
2004-06-29 13:06 88363 ----a-w- c:\windows\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
2003-09-29 19:17 175616 ----a-w- c:\program files\SlySoft\AnyDVD\AnyDVD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AspireService]
2006-01-19 13:46 110592 ----a-w- c:\program files\Acer\Acer eMode Management\AspireService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ElbyCheckAnyDVD]
2003-09-20 18:23 45056 ----a-w- c:\program files\SlySoft\AnyDVD\ElbyCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eRecoveryService]
2005-11-16 21:00 397312 ----a-w- c:\acer\Empowering Technology\eRecovery\Monitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2006-04-20 14:10 50792 ----a-w- c:\program files\Common Files\AOL\1154916856\ee\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2003-12-22 12:38 241664 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-09-24 04:08 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2004-08-04 09:00 208952 ----a-w- c:\windows\ime\imjp8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
2006-02-17 13:59 124520 ----a-w- c:\program files\Common Files\AOL\IPHSend\IPHSend.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MediaSync]
2005-09-21 17:48 425984 ----a-w- c:\program files\Acer\Acer eConsole\MediaSync.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
2004-08-04 09:00 59392 ----a-w- c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ntiMUI]
2005-05-11 22:15 45056 ----a-w- c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2005-11-11 08:47 7311360 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2005-11-11 08:47 86016 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2005-11-11 08:47 1519616 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
2004-08-04 09:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
2004-08-04 09:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PinnacleDriverCheck]
2004-03-10 19:26 406016 ----a-w- c:\windows\system32\PSDrvCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PMCRemote]
2006-04-27 19:45 94208 ------w- c:\program files\Pinnacle\Shared Files\Programs\Remote\remoterm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PMCS]
2006-04-27 19:47 65536 ------w- c:\program files\Pinnacle\Shared Files\Programs\MediaCenterService\PMC.Service.Main.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2006-08-06 22:15 98304 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2004-11-03 00:24 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2005-09-22 20:42 90112 ----a-w- c:\windows\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
2004-02-25 15:48 665088 ----a-w- c:\program files\Webroot\Spy Sweeper\SpySweeper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2005-11-10 17:03 36975 ----a-w- c:\program files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TivoNotify]
2008-07-09 19:14 394240 ----a-w- c:\program files\TiVo\Desktop\TiVoNotify.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TivoServer]
2008-07-09 19:15 1931264 ----a-w- c:\program files\TiVo\Desktop\TiVoServer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TivoTransfer]
2008-07-09 19:13 1189376 ----a-w- c:\program files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
2004-11-22 12:18 307200 ----a-r- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
2004-11-11 04:15 111816 ----a-w- c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\TiVo\\Desktop\\TiVoServer.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [8/9/2010 10:30 AM 64288]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/10/2008 3:22 PM 335240]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [11/10/2008 3:22 PM 297752]
R2 TivoBeacon2;TiVo Beacon;c:\program files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe [7/9/2008 3:13 PM 868864]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/12/2010 4:55 AM 1355928]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [8/16/2010 10:39 AM 15008]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2/8/2010 10:49 PM 38224]
S3 SDTHOOK;SDTHOOK;c:\windows\system32\drivers\SDTHOOK.SYS [2/14/2008 3:41 PM 44928]
.
Contents of the 'Scheduled Tasks' folder

2010-09-08 c:\windows\Tasks\Ad-Aware Scan (s).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-07-12 14:34]

2010-09-09 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-07-12 14:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
Trusted Zone: gap.com\oldnavy
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-09 17:37
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3552)
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
c:\windows\system32\msls31.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Acer\Acer eConsole\MediaServerService.exe
c:\program files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
c:\windows\system32\wscntfy.exe
c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2010-09-09 17:40:29 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-09 21:40
ComboFix2.txt 2010-09-05 13:45
ComboFix3.txt 2008-02-18 02:24

Pre-Run: 11,709,448,192 bytes free
Post-Run: 12,355,993,600 bytes free

- - End Of File - - 13EEA1865B8E00792BA03BB71A738E17
Upload was successful


#13 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:09:30 PM

Posted 09 September 2010 - 06:26 PM

That's looking better, still a bit more to clean up though.


Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This changed from what we knew in 2006; read this article:

http://www.clickz.com/clickz/news/1714488/viewpoint-plunge-into-adware

I suggest you remove the program now. Click on Start > Run, then paste the following into the "Open" field: appwiz.cpl and press OK. From within Add or Remove Programs, uninstall the following if they exist: Viewpoint, Viewpoint Manager, Viewpoint Media Player.



Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    CODE
    :OTL
    SRV - File not found [Auto | Stopped] -- C:\WINDOWS\System32\HPZipm12.exe -- (Pml Driver HPZ12)
    O3 - HKU\S-1-5-21-3903405293-2884909451-3221281461-1003\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
    O3 - HKU\S-1-5-21-3903405293-2884909451-3221281461-1003\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
    O3 - HKU\S-1-5-21-3903405293-2884909451-3221281461-1003\..\Toolbar\WebBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
    O3 - HKU\S-1-5-21-3903405293-2884909451-3221281461-1003\..\Toolbar\WebBrowser: (no name) - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - No CLSID value found.
    O3 - HKU\S-1-5-21-3903405293-2884909451-3221281461-1003\..\Toolbar\WebBrowser: (no name) - {724D43A0-0D85-11D4-9908-00400523E39A} - No CLSID value found.
    O3 - HKU\S-1-5-21-3903405293-2884909451-3221281461-1003\..\Toolbar\WebBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Orbit.lnk = File not found
    O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} http://upload.facebook.com/controls/Facebo...toUploader3.cab (Reg Error: Key error.)
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.)
    O33 - MountPoints2\{1c85f104-7c76-11de-a60b-001558261098}\Shell - "" = AutoRun
    O33 - MountPoints2\{1c85f104-7c76-11de-a60b-001558261098}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{1c85f104-7c76-11de-a60b-001558261098}\Shell\AutoRun\command - "" = F:\Connect.exe -- File not found
    O33 - MountPoints2\{22883889-8379-11df-a636-001558261098}\Shell\AutoRun\command - "" = F:\setup.exe -- File not found
    O33 - MountPoints2\{2f27417a-4863-11dc-a5b3-001558261098}\Shell - "" = AutoRun
    O33 - MountPoints2\{2f27417a-4863-11dc-a5b3-001558261098}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{2f27417a-4863-11dc-a5b3-001558261098}\Shell\AutoRun\command - "" = F:\Connect.exe -- File not found
    O36 - AppCertDlls: rsmuadow - (C:\WINDOWS\system32\edlirsvp.dll) - C:\WINDOWS\System32\edlirsvp.dll File not found
    O36 - AppCertDlls: xcopdl32 - (C:\WINDOWS\fastuirt.dll) - C:\WINDOWS\fastuirt.dll File not found
    MsConfig - StartUpReg: KernelFaultCheck - hkey= - key= - File not found
    MsConfig - StartUpReg: MSPY2002 - hkey= - key= - File not found
    MsConfig - StartUpReg: NvCplDaemon - hkey= - key= - File not found
    MsConfig - StartUpReg: NvMediaCenter - hkey= - key= - File not found
    MsConfig - StartUpReg: nwiz - hkey= - key= - File not found
    MsConfig - StartUpReg: PHIME2002A - hkey= - key= - File not found
    MsConfig - StartUpReg: PHIME2002ASync - hkey= - key= - File not found
    MsConfig - StartUpReg: PinnacleDriverCheck - hkey= - key= - File not found
    MsConfig - StartUpReg: ViewMgr - hkey= - key= - C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe (Viewpoint Corporation)
    Drivers32: vidc.LEAD - LCODCCMP.DLL File not found
    [92 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]
    [2008/11/07 11:00:45 | 000,019,987 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\osikibux.scr
    [2008/11/07 11:00:45 | 000,018,013 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\nyletaw.dll
    [2008/11/07 11:00:45 | 000,017,010 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\mugemeqe.bat
    [2008/11/07 11:00:45 | 000,013,680 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\ynasow.scr
    [2008/11/07 11:00:45 | 000,012,995 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\ykobo.inf
    [2008/11/07 11:00:45 | 000,011,151 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\cetys.dll
    [2008/11/07 11:00:45 | 000,010,226 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\ufyzu.dll
    [2008/11/07 11:00:44 | 000,018,326 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\pabutofali.exe
    [2008/11/07 11:00:44 | 000,016,597 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\amytita.sys
    [2008/11/07 11:00:44 | 000,016,061 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\yhekunakuq.exe
    [2008/11/07 11:00:44 | 000,014,445 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\abyz.bat
    [2008/11/07 11:00:44 | 000,010,437 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\otifo.bin
    :Commands
    [emptytemp]
    [emptyflash]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • You will get a log that shows the results of the fix. Please post it.
  • Then also run a new OTL scan by clicking Run Scan and post the new OTL log.

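The OTL fix in the post above is made up of orphaned autostart entries: a service, toolbar registrations, removable-media AutoRun commands and AppCertDlls entries whose target files no longer exist. As an added example (not part of the thread and not OTL's own code), here is a small Python parser for that `:OTL` line format that extracts each entry's type and path and flags the orphans; the sample input is constructed from lines taken from the fix script.

```python
import re

# Constructed sample: one line of each type, copied from the OTL fix script in the post.
SAMPLE_OTL_FIX = r"""
:OTL
SRV - File not found [Auto | Stopped] -- C:\WINDOWS\System32\HPZipm12.exe -- (Pml Driver HPZ12)
O3 - HKU\S-1-5-21-3903405293-2884909451-3221281461-1003\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
O33 - MountPoints2\{1c85f104-7c76-11de-a60b-001558261098}\Shell\AutoRun\command - "" = F:\Connect.exe -- File not found
O36 - AppCertDlls: rsmuadow - (C:\WINDOWS\system32\edlirsvp.dll) - C:\WINDOWS\System32\edlirsvp.dll File not found
MsConfig - StartUpReg: ViewMgr - hkey= - key= - C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe (Viewpoint Corporation)
:Commands
[emptytemp]
[emptyflash]
"""

# A Windows path up to its file extension, ending at whitespace, ')' or end of line.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"()]+?\.[A-Za-z0-9]{2,4}(?=\s|\)|$)')

# What each OTL line class means when its target file is missing.
KIND_NOTES = {
    "SRV": "service whose binary is missing",
    "O3": "toolbar registration with no CLSID behind it",
    "O33": "removable-media AutoRun command pointing at a missing file",
    "O36": "AppCertDlls entry: the DLL would be loaded into every new process",
    "MsConfig": "msconfig-disabled startup entry",
}


def parse_otl_fix(text: str) -> list:
    """Turn the :OTL section into records of (kind, path, orphan, note); skip :Commands."""
    records, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):            # ':OTL' or ':Commands' section header
            section = line[1:].lower()
            continue
        if section != "otl":                 # [emptytemp] etc. are commands, not entries
            continue
        kind = line.split(" - ", 1)[0]       # 'SRV', 'O3', 'O33', 'O36', 'MsConfig', ...
        m = PATH_RE.search(line)
        orphan = "File not found" in line or "No CLSID value found" in line
        records.append({"kind": kind, "path": m.group(0) if m else None,
                        "orphan": orphan, "note": KIND_NOTES.get(kind, "other entry")})
    return records


def orphan_paths(text: str) -> list:
    """Paths referenced by entries whose target no longer exists."""
    return [r["path"] for r in parse_otl_fix(text) if r["orphan"] and r["path"]]


if __name__ == "__main__":
    for r in parse_otl_fix(SAMPLE_OTL_FIX):
        print(f"{r['kind']:<9}{'ORPHAN' if r['orphan'] else 'present':<8}{r['path']}  ({r['note']})")
```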


#14 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:09:30 PM

Posted 15 September 2010 - 06:15 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



#15 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:09:30 PM

Posted 15 September 2010 - 05:54 PM

Topic reopened at OP request.
