Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Security Suite Malware/Virus on Win XP


  • This topic is locked This topic is locked
23 replies to this topic

#1 nyclad

nyclad

  • Members
  • 44 posts
  • OFFLINE
  •  
  • Local time:09:51 PM

Posted 07 September 2010 - 02:35 PM

Hello,

School just started and my kid's school friends were "studying" on the living room desktop PC, and as of yesterday it started having the "Security Suite" virus/malware. It's running Windows XP SP3 Build 2600(?) The kids said they didn't know what happened (porno surfing on malicious sites?)

When I initially turned it on, it was extremely slow in loading the Windows desktop, then had a warning box labeled RUNDLL "Error loading c:\windows\kbecligs.dll The specified file could not be found" and another error box labeled RTL "Unable to start driver for hppapml0.exe (hppapml0.exe)"

There's a little box by the lower right hand corner "Windows Security Alert" with text asking me to click on the box to activate the antivirus. Plus other windows doing the same.

Most all applications and internet connectivity have been disabled. If the applications aren't disabled, the Security Suite Virus turns it off a splity second after it starts up. I manually disconnected the LAN cable anyways as a safeguard.

I rebooted in Safe Mode and followed the directions on this site. Luckily I have my work laptop to help me out, but I still need my family's computer up and running.

Here is the DDS report:


DDS (Ver_10-03-17.01) - NTFSx86 NETWORK
Run by Steve at 8:49:21.62 on Tue 09/07/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1717 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\AVG\AVG9\avgchsvx.exe
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Documents and Settings\Steve\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyServer = http=127.0.0.1:6092
uInternet Settings,ProxyOverride = <local>
uURLSearchHooks: FCToolbarURLSearchHook Class: {da879c19-9088-418b-a63a-2e6fb294eaf0} - c:\program files\aadvantage eshoppingsm toolbar\Helper.dll
uURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Freecause Toolbar BHO: {5712a6bb-b6c8-4e52-a152-1ba741c9a6a2} - c:\program files\aadvantage eshoppingsm toolbar\Toolbar.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: DCA BHO: {b49699fc-1665-4414-a1cb-c4a2a4a13eec} - c:\program files\consumer input\dca-bho.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: AAdvantage eShoppingSM Toolbar: {85741f1d-ed47-4dcf-9109-07d10213c4d0} - c:\program files\aadvantage eshoppingsm toolbar\Toolbar.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messen~1\YahooMessenger.exe" -quiet
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Consumer Input Update] c:\program files\consumer input\dca-ua.exe
uRun: [SRS WOW HD for ViewSonic] "c:\program files\srs labs\wow hd for viewsonic\SRSViewSonic_Win32.exe" /hideme
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\acrobat\AdobeUpdateManager.exe" AcPro7_1_0 -reboot 1
uRun: [Dmezabihebaj] rundll32.exe "c:\windows\kbecligs.dll",Startup
uRun: [YXE7DXCQ37] c:\docume~1\steve\locals~1\temp\Clb.exe
uRun: [OTGV1DNWQQ] c:\docume~1\steve\locals~1\temp\Cln.exe
uRun: [pbrxiuqf] c:\documents and settings\steve\local settings\application data\ljwwqslwg\jqveqhcuqiw.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [HDAudDeck] c:\program files\via\viaudioi\hdadeck\HDeck.exe 1
mRun: [NWEReboot]
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [HP SchedIndexer] c:\program files\hewlett-packard\laserjet all-in-one\hppschedindexer.exe
mRun: [HP AutoIndexer] c:\program files\hewlett-packard\laserjet all-in-one\hppautoindexer.exe
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [DMXLauncher] "c:\program files\roxio\media experience\DMXLauncher.exe"
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [American Airlines DealFinder] "c:\program files\american airlines dealfinder\American_Airlines_DealFinder.exe"
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [<NO NAME>]
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [ewrgetuj] c:\docume~1\steve\locals~1\temp\geurge.exe
mRun: [pbrxiuqf] c:\documents and settings\steve\local settings\application data\ljwwqslwg\jqveqhcuqiw.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hplase~1.lnk - c:\program files\hewlett-packard\laserjet all-in-one\hppdirector.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.8.3/GarminAxControl.CAB
DPF: Web-Based Email Tools - hxxp://email06.secureserver.net/Download.CAB
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {32C3FEAE-0877-4767-8C20-62A5829A0945} - hxxp://static.ak.facebook.com/fbplugin/win32/axfbootloader.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {45830FF9-D9E6-4F41-86ED-B266933D8E90} - hxxp://sheratonbostonipcams.hostacam.com:24762/RtspVaPgDec.cab
DPF: {474F00F5-3853-492C-AC3A-476512BBC336} - hxxp://picasaweb.google.com/s/v/55.16/uploader2.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1250963696515
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {83A4D5A6-E2C1-4EDD-AD48-1A1C50BD06EF} - hxxp://www.epropertysites.com/ImageUploader6.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {8F6E7FB2-E56B-4F66-A4E1-9765D2565280} - hxxp://www.worldwinner.com/games/launcher/ie/v2.22.01.0/iewwload.cab
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://aolsvc.aol.com/onlinegames/ghbabeldeluxe/zylomplayer.cab
DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-31-0.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://aolsvc.aol.com/onlinegames/bejeweled2/popcaploader_v10.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E4BBF5F2-453C-4D24-8547-A717DD7592B9} - hxxps://valuemanager.iasreo.com/BPO/ImageUploader6.cab
DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} - hxxps://www.assetlinklp.com/AssetLinkPortal/XUpload.ocx
DPF: {F375116A-793C-11D2-BFE1-444553540001} - hxxp://realist2.firstamres.com/mapviewer/mapviewer.cab
TCP: NameServer = 93.188.162.238,93.188.161.238
TCP: {DCA09EC9-527B-4F97-A2B5-A5E1C4914D57} = 93.188.162.238,93.188.161.238
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: ddcyVnOE - ddcyVnOE.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

============= SERVICES / DRIVERS ===============

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-8-22 243024]
R3 mpfilt;mpfilt;c:\windows\system32\drivers\mpfilt.sys [2010-1-30 10588]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-8-22 216400]
S1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-8-22 29584]
S2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-15 308136]
S2 gupdate1ca2759550ee9b6;Google Update Service (gupdate1ca2759550ee9b6);c:\program files\google\update\GoogleUpdate.exe [2009-8-27 133104]
S2 MotoConnect Service;MotoConnect Service;c:\program files\motorola\motoconnectservice\MotoConnectService.exe [2010-8-11 91456]
S3 ATICXCAP;ATI TV Wonder Pro A/V Capture;c:\windows\system32\drivers\aticxcap.sys [2005-3-30 173824]
S3 ATICXTUN;ATI TV Wonder Pro Tuner (Philips 1236 MK3);c:\windows\system32\drivers\aticxtun.sys [2005-3-30 29184]
S3 ATICXXBR;ATI TV Wonder Pro A/V Crossbar;c:\windows\system32\drivers\aticxxbr.sys [2005-3-30 9088]
S3 HPUATA;HP CD Writer Plus Controller Driver;c:\windows\system32\drivers\HPUATA.sys [2001-9-24 75776]
S3 Normandy;Normandy SR2; [x]
S3 SRS_ViewSonic;SRS Labs WOW HD ViewSonic;c:\windows\system32\drivers\SRS_ViewSonic_i386.sys [2010-7-6 37504]
S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2009-8-22 845184]

=============== Created Last 30 ================

2010-09-07 00:03:21 20 ----a-w- c:\documents and settings\steve\defogger_reenable
2010-09-06 20:44:09 185856 ----a-w- c:\windows\Cdapig.exe
2010-09-06 20:42:22 185856 ----a-w- c:\windows\Cdapif.exe
2010-09-06 20:33:27 185856 ----a-w- c:\windows\Cdapie.exe
2010-09-06 19:31:57 185856 ----a-w- c:\windows\Cdapid.exe
2010-09-06 19:20:41 2843 ----a-w- c:\windows\epuyuyeb.dll
2010-09-06 19:15:49 185856 ----a-w- c:\windows\Cdapic.exe
2010-09-06 19:07:44 185856 ----a-w- c:\windows\Cdapib.exe
2010-09-06 19:04:53 782848 ----a-w- c:\windows\system32\drivers\dgoeuqq.sys
2010-09-06 19:02:33 185856 ----a-w- c:\windows\Cdapia.exe
2010-09-06 19:01:49 547734 ----a-w- C:\file.exe
2010-09-06 18:56:55 0 d-----w- c:\program files\WMR14
2010-09-03 21:52:45 0 d-----w- c:\program files\common files\Macrovision Shared
2010-09-03 21:51:17 46928 ----a-w- c:\windows\system32\AdobePDF.dll
2010-09-03 21:51:17 22872 ----a-r- c:\windows\system32\AdobePDFUI.dll
2010-08-22 00:36:34 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2010-08-22 00:36:34 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2010-08-18 04:10:46 0 d-----w- c:\program files\Jagged Alliance 2 Gold
2010-08-12 04:47:02 0 d-----w- c:\program files\Motorola
2010-08-12 04:47:02 0 d-----w- c:\program files\common files\Motorola Shared
2010-08-10 12:15:58 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-08-10 12:15:58 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-08-08 23:26:02 0 d-----w- c:\program files\DAEMON Tools Lite

==================== Find3M ====================

2010-07-17 12:00:04 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-15 18:36:48 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-15 18:36:47 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-15 18:36:23 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 07:41:45 1172480 ----a-w- c:\windows\system32\msxml3.dll

============= FINISH: 8:50:28.21 ===============




Thanks!
Steve busy.gif

Attached Files



BC AdBot (Login to Remove)

 


#2 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:07:51 AM

Posted 13 September 2010 - 12:53 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. In the custom scan box paste the following:
    CODE
    msconfig
    safebootminimal
    activex
    drivers32
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    nvraid.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /90
  6. Push the button.
  7. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt<--Will be minimized

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#3 nyclad

nyclad
  • Topic Starter

  • Members
  • 44 posts
  • OFFLINE
  •  
  • Local time:09:51 PM

Posted 14 September 2010 - 12:07 AM

Hi Myrti,

Thanks for responding to my problem.

I forgot to add that I have 2 antiviruses, AVG free edition, and Malwarebytes' Anti-Malware, also the free edition. The resident shield is activeon AVG, and Malwarebytes' doesn't come with any resident sheild type protection on the free edition.

Here is the OTL.TXT:

OTL logfile created on: 9/13/2010 9:32:09 PM - Run 1
OTL by OldTimer - Version 3.2.12.0 Folder = C:\Documents and Settings\Steve\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 85.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 97.00% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 931.50 Gb Total Space | 502.93 Gb Free Space | 53.99% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
Drive H: | 3.99 Gb Total Space | 3.99 Gb Free Space | 100.00% Space Free | Partition Type: FAT32
I: Drive not present or media not loaded

Computer Name: STEVEDESKTOP
Current User Name: Steve
Logged in as Administrator.

Current Boot Mode: SafeMode with Networking
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/09/13 21:19:54 | 000,576,000 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Steve\Desktop\OTL.exe
PRC - [2010/07/15 11:36:22 | 001,101,152 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgchsvx.exe
PRC - [2008/04/13 17:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (SafeList) ==========

MOD - [2010/09/13 21:19:54 | 000,576,000 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Steve\Desktop\OTL.exe
MOD - [2008/04/13 17:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx
MOD - [2006/05/03 23:53:54 | 000,174,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\framedyn.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- C:\WINDOWS\System32\appmgmts.dll -- (AppMgmt)
SRV - [2010/09/03 14:52:45 | 000,651,720 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2010/07/15 11:36:46 | 000,308,136 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Stopped] -- C:\Program Files\AVG\AVG9\avgwdsvc.exe -- (avg9wd)
SRV - [2010/06/24 14:34:52 | 000,091,456 | ---- | M] () [Auto | Stopped] -- C:\Program Files\Motorola\MotoConnectService\MotoConnectService.exe -- (MotoConnect Service)
SRV - [2009/11/06 17:03:18 | 000,145,504 | ---- | M] (B.H.A Corporation) [Auto | Stopped] -- C:\WINDOWS\System32\bgsvcgen.exe -- (bgsvcgen)
SRV - [2006/08/10 04:11:14 | 000,057,344 | ---- | M] (Sonic Solutions) [On_Demand | Stopped] -- C:\Program Files\Common Files\Sonic Shared\RoxioUPnPRenderer9.exe -- (Roxio UPnP Renderer 9)
SRV - [2006/08/10 04:10:50 | 000,294,912 | ---- | M] (Sonic Solutions) [Auto | Stopped] -- C:\Program Files\Common Files\Sonic Shared\RoxioUpnpService9.exe -- (Roxio Upnp Server 9)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\InCDRm.sys -- (InCDRm)
DRV - File not found [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\InCDPass.sys -- (InCDPass)
DRV - File not found [File_System | Disabled | Stopped] -- C:\WINDOWS\System32\drivers\InCDFs.sys -- (InCDFs)
DRV - [2010/07/15 11:36:48 | 000,243,024 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgtdix.sys -- (AvgTdiX)
DRV - [2010/07/15 11:36:23 | 000,216,400 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Stopped] -- C:\WINDOWS\System32\Drivers\avgldx86.sys -- (AvgLdx86)
DRV - [2010/06/02 09:51:01 | 000,029,584 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Stopped] -- C:\WINDOWS\System32\Drivers\avgmfx86.sys -- (AvgMfx86)
DRV - [2010/03/13 21:51:37 | 000,691,696 | ---- | M] (Duplex Secure Ltd.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)
DRV - [2009/11/06 17:03:18 | 000,013,567 | ---- | M] (B.H.A Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\CDRBSDRV.SYS -- (cdrbsdrv)
DRV - [2009/09/15 12:44:05 | 000,047,616 | ---- | M] (Aladdin Knowledge Systems) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\Haspnt.sys -- (Haspnt)
DRV - [2009/08/05 06:16:44 | 000,039,424 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\l1e51x86.sys -- (L1e)
DRV - [2009/03/02 16:20:18 | 000,049,904 | R--- | M] (Avanquest Software) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BVRPMPR5.SYS -- (BVRPMPR5)
DRV - [2008/07/25 05:09:24 | 000,845,184 | R--- | M] (VIA Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\viahduaa.sys -- (VIAHdAudAddService)
DRV - [2008/04/25 12:45:38 | 000,010,588 | R--- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mpfilt.sys -- (mpfilt)
DRV - [2008/04/13 09:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008/03/24 14:24:44 | 000,037,504 | R--- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SRS_ViewSonic_i386.sys -- (SRS_ViewSonic)
DRV - [2008/03/16 17:45:50 | 005,955,872 | R--- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\igxpmp32.sys -- (ialm)
DRV - [2008/02/13 23:12:00 | 001,389,056 | R--- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\monfilt.sys -- (monfilt)
DRV - [2006/08/09 04:30:42 | 000,050,688 | ---- | M] (Sonic Solutions) [File_System | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\RxFilter.sys -- (RxFilter)
DRV - [2006/08/04 08:37:28 | 000,099,208 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\drvmcdb.sys -- (drvmcdb)
DRV - [2006/07/24 17:05:00 | 000,005,632 | ---- | M] () [File_System | System | Stopped] -- C:\WINDOWS\System32\drivers\StarOpen.sys -- (StarOpen)
DRV - [2004/08/13 03:56:20 | 000,005,810 | R--- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ASACPI.sys -- (MTsensor)
DRV - [2004/07/14 12:54:42 | 000,676,864 | ---- | M] (Aladdin Knowledge Systems) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\hardlock.sys -- (Hardlock)
DRV - [2001/09/24 03:36:28 | 000,075,776 | ---- | M] (SCM Microsystems Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HPUATA.sys -- (HPUATA)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1060284298-115176313-839522115-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKU\S-1-5-21-1060284298-115176313-839522115-1004\..\URLSearchHook: - Reg Error: Key error. File not found
IE - HKU\S-1-5-21-1060284298-115176313-839522115-1004\..\URLSearchHook: {da879c19-9088-418b-a63a-2e6fb294eaf0} - C:\Program Files\AAdvantage eShoppingSM Toolbar\Helper.dll ()
IE - HKU\S-1-5-21-1060284298-115176313-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\S-1-5-21-1060284298-115176313-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\S-1-5-21-1060284298-115176313-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6092



O1 HOSTS File: ([2010/09/03 14:38:48 | 000,000,794 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 activate.adobe.com
O1 - Hosts: 127.0.0.1 practivate.adobe.com
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Freecause Toolbar BHO) - {5712A6BB-B6C8-4E52-A152-1BA741C9A6A2} - C:\Program Files\AAdvantage eShoppingSM Toolbar\Toolbar.dll ()
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll (Google Inc.)
O2 - BHO: (DCA BHO) - {B49699FC-1665-4414-A1CB-C4A2A4A13EEC} - C:\Program Files\Consumer Input\dca-bho.dll (Compete, Inc.)
O2 - BHO: (SmartSelect Class) - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (AAdvantage eShoppingSM Toolbar) - {85741F1D-ED47-4DCF-9109-07D10213C4D0} - C:\Program Files\AAdvantage eShoppingSM Toolbar\Toolbar.dll ()
O3 - HKU\S-1-5-21-1060284298-115176313-839522115-1004\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\S-1-5-21-1060284298-115176313-839522115-1004\..\Toolbar\WebBrowser: (AAdvantage eShoppingSM Toolbar) - {85741F1D-ED47-4DCF-9109-07D10213C4D0} - C:\Program Files\AAdvantage eShoppingSM Toolbar\Toolbar.dll ()
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Acrobat Assistant 8.0] C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [Adobe Acrobat Speed Launcher] C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [American Airlines DealFinder] C:\Program Files\American Airlines DealFinder\American_Airlines_DealFinder.exe (Skinkers Communications)
O4 - HKLM..\Run: [AVG9_TRAY] C:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [DMXLauncher] C:\Program Files\Roxio\Media Experience\DMXLauncher.exe ()
O4 - HKLM..\Run: [ewrgetuj] C:\Documents and Settings\Steve\Local Settings\Temp\geurge.exe ( )
O4 - HKLM..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe (Google)
O4 - HKLM..\Run: [HP AutoIndexer] C:\Program Files\Hewlett-Packard\LaserJet All-in-one\hppautoindexer.exe (Hewlett-Packard)
O4 - HKLM..\Run: [HP SchedIndexer] C:\Program Files\Hewlett-Packard\LaserJet All-in-one\hppschedindexer.exe (Hewlett-Packard)
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [NWEReboot] File not found
O4 - HKLM..\Run: [pbrxiuqf] C:\Documents and Settings\Steve\Local Settings\Application Data\ljwwqslwg\jqveqhcuqiw.exe (Security Suites Corporation)
O4 - HKLM..\Run: [RoxWatchTray] C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe (Sonic Solutions)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [UserFaultCheck] File not found
O4 - HKU\S-1-5-21-1060284298-115176313-839522115-1004..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe (Nero AG)
O4 - HKU\S-1-5-21-1060284298-115176313-839522115-1004..\Run: [Consumer Input Update] C:\Program Files\Consumer Input\dca-ua.exe (Compete, Inc.)
O4 - HKU\S-1-5-21-1060284298-115176313-839522115-1004..\Run: [Dmezabihebaj] C:\WINDOWS\kbecligs.DLL File not found
O4 - HKU\S-1-5-21-1060284298-115176313-839522115-1004..\Run: [Messenger (Yahoo!)] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O4 - HKU\S-1-5-21-1060284298-115176313-839522115-1004..\Run: [OTGV1DNWQQ] C:\Documents and Settings\Steve\Local Settings\Temp\Cln.exe (Daniel Pistelli)
O4 - HKU\S-1-5-21-1060284298-115176313-839522115-1004..\Run: [pbrxiuqf] C:\Documents and Settings\Steve\Local Settings\Application Data\ljwwqslwg\jqveqhcuqiw.exe (Security Suites Corporation)
O4 - HKU\S-1-5-21-1060284298-115176313-839522115-1004..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - HKU\S-1-5-21-1060284298-115176313-839522115-1004..\Run: [SRS WOW HD for ViewSonic] C:\Program Files\SRS Labs\WOW HD for ViewSonic\SRSViewSonic_Win32.exe (SRS Labs, Inc.)
O4 - HKU\S-1-5-21-1060284298-115176313-839522115-1004..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe File not found
O4 - HKU\S-1-5-21-1060284298-115176313-839522115-1004..\Run: [YXE7DXCQ37] C:\Documents and Settings\Steve\Local Settings\Temp\Clb.exe (Daniel Pistelli)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP LaserJet Director.lnk = C:\Program Files\Hewlett-Packard\LaserJet All-in-one\hppdirector.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1060284298-115176313-839522115-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O8 - Extra context menu item: Append Link Target to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Append to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert Link Target to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/sites/production/ieawsdc32.cab (Microsoft Office Template and Media Control)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {32C3FEAE-0877-4767-8C20-62A5829A0945} http://static.ak.facebook.com/fbplugin/win...fbootloader.cab (Reg Error: Key error.)
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB (Reg Error: Key error.)
O16 - DPF: {45830FF9-D9E6-4F41-86ED-B266933D8E90} http://sheratonbostonipcams.hostacam.com:2...RtspVaPgDec.cab (RtspVaPgCtrlNew Class)
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} http://picasaweb.google.com/s/v/55.16/uploader2.cab (UploadListView Class)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/...b?1250963696515 (WUWebControl Class)
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} http://h20270.www2.hp.com/ediags/gmn2/inst...tDetection2.cab (GMNRev Class)
O16 - DPF: {83A4D5A6-E2C1-4EDD-AD48-1A1C50BD06EF} http://www.epropertysites.com/ImageUploader6.cab (Image Uploader Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {8F6E7FB2-E56B-4F66-A4E1-9765D2565280} http://www.worldwinner.com/games/launcher/....0/iewwload.cab (WorldWinner ActiveX Launcher Control)
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} http://aolsvc.aol.com/onlinegames/ghbabeld...zylomplayer.cab (Zylom Games Player)
O16 - DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-31-0.cab (EPUImageControl Class)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} http://aolsvc.aol.com/onlinegames/bejewele...ploader_v10.cab (PopCapLoader Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {E4BBF5F2-453C-4D24-8547-A717DD7592B9} https://valuemanager.iasreo.com/BPO/ImageUploader6.cab (IAS Image Uploader Control)
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} https://www.assetlinklp.com/AssetLinkPortal/XUpload.ocx (Persits Software XUpload)
O16 - DPF: {F375116A-793C-11D2-BFE1-444553540001} http://realist2.firstamres.com/mapviewer/mapviewer.cab (First American Res MapActiveX Control)
O16 - DPF: Garmin Communicator Plug-In https://my.garmin.com/static/m/cab/2.8.3/GarminAxControl.CAB (Reg Error: Key error.)
O16 - DPF: Web-Based Email Tools http://email06.secureserver.net/Download.CAB (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.162.238,93.188.161.238
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O20 - Winlogon\Notify\ddcyVnOE: DllName - ddcyVnOE.dll - File not found
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/08/22 10:09:52 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{c0d6809a-8fab-11de-b5d3-0026180f18ec}\Shell\AutoRun\command - "" = D:\REGSVR32.EXE -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*


SafeBootMin: AppMgmt - C:\WINDOWS\System32\appmgmts.dll File not found
SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vds - Service
SafeBootMin: vga.sys - Driver
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2A3320D6-C805-4280-B423-B665BDE33D8F} - Microsoft .NET Framework 1.1 Security Update (KB979906)
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {411EDCF7-755D-414E-A74B-3DCD6583F589} - Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.6
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7131646D-CD3C-40F4-97B9-CD9E4E6262EF} - .NET Framework
ActiveX: {73FA19D0-2D75-11D2-995D-00C04F98BBC9} - Web Folders
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\WINDOWS\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - c:\WINDOWS\system32\Rundll32.exe c:\WINDOWS\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F} - .NET Framework
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} - .NET Framework
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Adobe Flash Player
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E3465216-CD39-2987-E547-C22571AF05C8} - Browser Customizations
ActiveX: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - Reg Error: Value error.
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\WINDOWS\system32\ieudinit.exe
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

Drivers32: msacm.ac3acm - C:\WINDOWS\System32\ac3acm.acm (fccHandler)
Drivers32: msacm.divxa32 - C:\WINDOWS\System32\DivXa32.acm (Kristal StudioDFileDescription)
Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.l3codec - C:\WINDOWS\System32\l3codecp.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.lameacm - C:\WINDOWS\System32\lameACM.acm (http://www.mp3dev.org/)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: MSVideo8 - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.DIVX - C:\WINDOWS\System32\DivX.dll (DivXNetworks, Inc.)
Drivers32: VIDC.FFDS - C:\Program Files\Combined Community Codec Pack\Filters\FFDShow\ff_vfw.dll ()
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Drivers32: vidc.MP42 - C:\WINDOWS\System32\Mpg4c32.dll (Microsoft Corporation)
Drivers32: vidc.MP43 - C:\WINDOWS\System32\Mpg4c32.dll (Microsoft Corporation)
Drivers32: vidc.MPG4 - C:\WINDOWS\System32\Mpg4c32.dll (Microsoft Corporation)
Drivers32: VIDC.WMV3 - C:\WINDOWS\System32\wmv9vcm.dll (Microsoft Corporation)
Drivers32: VIDC.XVID - C:\WINDOWS\System32\xvidvfw.dll ()
Drivers32: VIDC.YV12 - C:\WINDOWS\System32\DivX.dll (DivXNetworks, Inc.)

NetSvcs: 6to4 - File not found
NetSvcs: AppMgmt - C:\WINDOWS\System32\appmgmts.dll File not found
NetSvcs: HidServ - C:\WINDOWS\System32\hidserv.dll File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found

========== Files/Folders - Created Within 30 Days ==========

[2010/09/06 13:44:09 | 000,185,856 | ---- | C] (Daniel Pistelli) -- C:\WINDOWS\Cdapig.exe
[2010/09/06 13:42:22 | 000,185,856 | ---- | C] (Daniel Pistelli) -- C:\WINDOWS\Cdapif.exe
[2010/09/06 13:38:41 | 000,576,000 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Steve\Desktop\OTL.exe
[2010/09/06 13:33:27 | 000,185,856 | ---- | C] (Daniel Pistelli) -- C:\WINDOWS\Cdapie.exe
[2010/09/06 12:31:57 | 000,185,856 | ---- | C] (Daniel Pistelli) -- C:\WINDOWS\Cdapid.exe
[2010/09/06 12:15:49 | 000,185,856 | ---- | C] (Daniel Pistelli) -- C:\WINDOWS\Cdapic.exe
[2010/09/06 12:07:44 | 000,185,856 | ---- | C] (Daniel Pistelli) -- C:\WINDOWS\Cdapib.exe
[2010/09/06 12:03:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Steve\Local Settings\Application Data\ljwwqslwg
[2010/09/06 12:02:33 | 000,185,856 | ---- | C] (Daniel Pistelli) -- C:\WINDOWS\Cdapia.exe
[2010/09/06 12:01:49 | 000,547,734 | ---- | C] (Microsoft Corporation) -- C:\file.exe
[2010/09/06 11:56:55 | 000,000,000 | ---D | C] -- C:\Program Files\WMR14
[2010/09/03 15:04:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\FLEXnet
[2010/09/03 14:52:45 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Macrovision Shared
[2010/09/03 14:51:17 | 000,046,928 | ---- | C] (Adobe Systems Inc) -- C:\WINDOWS\System32\AdobePDF.dll
[2010/09/03 14:51:17 | 000,022,872 | R--- | C] (Adobe Systems Inc.) -- C:\WINDOWS\System32\AdobePDFUI.dll
[2010/08/21 17:36:34 | 000,032,128 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\usbccgp.sys
[2010/08/20 15:37:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Apple Computer
[2010/08/20 13:49:01 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010/08/20 13:48:51 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/08/20 13:48:51 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/08/20 13:48:51 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/08/17 21:10:46 | 000,000,000 | ---D | C] -- C:\Program Files\Jagged Alliance 2 Gold
[2006/07/11 14:29:00 | 000,028,672 | R--- | C] ( ) -- C:\WINDOWS\System32\DivXGraphBuilderCallback.dll
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/09/13 21:32:44 | 000,782,848 | ---- | M] () -- C:\WINDOWS\System32\drivers\dgoeuqq.sys
[2010/09/13 21:19:54 | 000,576,000 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Steve\Desktop\OTL.exe
[2010/09/13 21:13:43 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/09/13 21:13:39 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/09/08 21:38:23 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Steve\ntuser.ini
[2010/09/08 21:38:22 | 012,582,912 | -H-- | M] () -- C:\Documents and Settings\Steve\NTUSER.DAT
[2010/09/08 21:38:19 | 001,568,656 | -H-- | M] () -- C:\Documents and Settings\Steve\Local Settings\Application Data\IconCache.db
[2010/09/08 19:41:19 | 000,002,539 | ---- | M] () -- C:\Documents and Settings\Steve\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Outlook 2007 (2).lnk
[2010/09/07 21:49:19 | 000,035,328 | ---- | M] () -- C:\Documents and Settings\Steve\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/09/07 12:25:21 | 000,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2010/09/07 12:20:37 | 000,000,282 | -H-- | M] () -- C:\WINDOWS\tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
[2010/09/07 12:20:37 | 000,000,282 | -H-- | M] () -- C:\WINDOWS\tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job
[2010/09/07 12:20:36 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/09/07 12:20:36 | 000,000,278 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-1060284298-115176313-839522115-1004.job
[2010/09/07 12:20:08 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/09/06 17:03:34 | 000,000,020 | ---- | M] () -- C:\Documents and Settings\Steve\defogger_reenable
[2010/09/06 13:35:16 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\Steve\Desktop\wmy2l2lg.exe
[2010/09/06 13:32:20 | 000,133,632 | ---- | M] () -- C:\Documents and Settings\Steve\Desktop\RKUnhookerLE.EXE
[2010/09/06 12:20:41 | 000,002,843 | ---- | M] () -- C:\WINDOWS\epuyuyeb.dll
[2010/09/06 12:05:17 | 000,547,734 | ---- | M] (Microsoft Corporation) -- C:\file.exe
[2010/09/06 12:03:52 | 000,185,856 | ---- | M] (Daniel Pistelli) -- C:\WINDOWS\Cdapib.exe
[2010/09/06 12:03:20 | 000,185,856 | ---- | M] (Daniel Pistelli) -- C:\WINDOWS\Cdapig.exe
[2010/09/06 12:03:20 | 000,185,856 | ---- | M] (Daniel Pistelli) -- C:\WINDOWS\Cdapif.exe
[2010/09/06 12:03:20 | 000,185,856 | ---- | M] (Daniel Pistelli) -- C:\WINDOWS\Cdapie.exe
[2010/09/06 12:03:20 | 000,185,856 | ---- | M] (Daniel Pistelli) -- C:\WINDOWS\Cdapid.exe
[2010/09/06 12:03:20 | 000,185,856 | ---- | M] (Daniel Pistelli) -- C:\WINDOWS\Cdapic.exe
[2010/09/06 12:02:27 | 000,185,856 | ---- | M] (Daniel Pistelli) -- C:\WINDOWS\Cdapia.exe
[2010/09/06 11:31:01 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/09/06 08:10:27 | 064,355,736 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2010/09/06 08:08:31 | 000,000,180 | ---- | M] () -- C:\WINDOWS\hpbafd.ini
[2010/09/03 15:20:36 | 000,201,840 | ---- | M] () -- C:\Documents and Settings\Steve\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/09/03 15:04:31 | 000,001,736 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Acrobat 9 Pro.lnk
[2010/09/03 14:54:51 | 000,685,704 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/08/31 11:45:30 | 000,000,090 | ---- | M] () -- C:\Documents and Settings\Steve\default.pls
[2010/08/31 11:45:26 | 000,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2010/08/31 11:43:59 | 000,000,286 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-1060284298-115176313-839522115-1004.job
[2010/08/17 21:36:17 | 000,000,669 | ---- | M] () -- C:\Documents and Settings\Steve\Desktop\Jagged Alliance 2 v1.13 (EN).lnk
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/09/06 17:03:21 | 000,000,020 | ---- | C] () -- C:\Documents and Settings\Steve\defogger_reenable
[2010/09/06 13:38:41 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Steve\Desktop\wmy2l2lg.exe
[2010/09/06 13:38:41 | 000,133,632 | ---- | C] () -- C:\Documents and Settings\Steve\Desktop\RKUnhookerLE.EXE
[2010/09/06 12:20:41 | 000,002,843 | ---- | C] () -- C:\WINDOWS\epuyuyeb.dll
[2010/09/06 12:04:53 | 000,782,848 | ---- | C] () -- C:\WINDOWS\System32\drivers\dgoeuqq.sys
[2010/09/06 12:02:42 | 000,000,282 | -H-- | C] () -- C:\WINDOWS\tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job
[2010/09/06 12:02:29 | 000,000,282 | -H-- | C] () -- C:\WINDOWS\tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
[2010/09/03 14:50:42 | 000,001,736 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Acrobat 9 Pro.lnk
[2010/08/17 21:36:17 | 000,000,669 | ---- | C] () -- C:\Documents and Settings\Steve\Desktop\Jagged Alliance 2 v1.13 (EN).lnk
[2010/07/13 11:40:08 | 000,000,021 | ---- | C] () -- C:\WINDOWS\asfbin.ini
[2010/07/06 12:28:41 | 000,037,504 | R--- | C] () -- C:\WINDOWS\System32\drivers\SRS_ViewSonic_i386.sys
[2010/07/06 12:28:41 | 000,019,712 | R--- | C] () -- C:\WINDOWS\System32\drivers\GraphicEQ_opt_kern_i386.sys
[2010/07/06 12:18:53 | 000,000,101 | ---- | C] () -- C:\WINDOWS\VSWizard.ini
[2010/05/29 23:09:57 | 000,000,090 | ---- | C] () -- C:\WINDOWS\graphedt.INI
[2010/02/12 19:09:05 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\LauncherAccess.dt
[2010/02/12 19:07:36 | 000,005,632 | ---- | C] () -- C:\WINDOWS\System32\drivers\StarOpen.sys
[2010/02/12 18:42:59 | 000,002,528 | ---- | C] () -- C:\Documents and Settings\Steve\Application Data\$_hpcst$.hpc
[2010/01/30 19:01:26 | 000,010,588 | R--- | C] () -- C:\WINDOWS\System32\drivers\mpfilt.sys
[2009/11/05 19:13:56 | 000,000,091 | ---- | C] () -- C:\WINDOWS\iPlayer.INI
[2009/09/20 14:27:22 | 000,327,680 | R--- | C] () -- C:\WINDOWS\System32\psctsnmp.dll
[2009/09/15 12:44:05 | 000,000,383 | ---- | C] () -- C:\WINDOWS\System32\haspdos.sys
[2009/09/05 09:30:19 | 001,037,744 | ---- | C] () -- C:\Documents and Settings\Steve\Local Settings\Application Data\rx_image.Cache
[2009/09/05 09:18:45 | 000,000,005 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\DragToDiscUserNameE.txt
[2009/09/05 09:16:36 | 000,000,166 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2009/09/01 12:30:53 | 000,000,038 | ---- | C] () -- C:\WINDOWS\avisplitter.ini
[2009/09/01 12:30:52 | 000,881,664 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2009/09/01 12:30:52 | 000,205,824 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2009/09/01 12:30:51 | 000,085,504 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2009/09/01 12:30:51 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2009/08/30 07:52:12 | 000,000,659 | ---- | C] () -- C:\WINDOWS\FMTMSAM.INI
[2009/08/30 07:51:55 | 000,000,180 | ---- | C] () -- C:\WINDOWS\hpbafd.ini
[2009/08/30 07:51:24 | 000,023,040 | ---- | C] () -- C:\WINDOWS\System32\irisco32.dll
[2009/08/30 07:50:47 | 000,343,040 | ---- | C] () -- C:\WINDOWS\System32\lffpx7.dll
[2009/08/30 07:50:47 | 000,116,736 | ---- | C] () -- C:\WINDOWS\System32\lfkodak.dll
[2009/08/25 09:47:21 | 000,035,328 | ---- | C] () -- C:\Documents and Settings\Steve\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/08/24 08:54:59 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2009/08/23 18:26:03 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/08/22 13:09:47 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\Zlib.dll
[2009/08/22 13:09:39 | 000,041,984 | ---- | C] () -- C:\WINDOWS\System32\ZFExt.dll
[2009/08/22 10:18:59 | 000,147,456 | R--- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4935.dll
[2009/08/22 10:16:23 | 000,020,161 | ---- | C] () -- C:\WINDOWS\Ascd_log.ini
[2009/08/22 10:16:18 | 000,005,810 | R--- | C] () -- C:\WINDOWS\System32\drivers\ASACPI.sys
[2009/08/22 10:16:13 | 000,019,844 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2009/08/22 10:16:13 | 000,010,296 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2008/11/02 11:11:04 | 000,002,045 | -H-- | C] () -- C:\WINDOWS\System32\whlpda32e.dll
[2006/08/16 05:47:38 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2006/08/09 04:19:50 | 000,520,192 | ---- | C] () -- C:\WINDOWS\System32\CddbPlaylist2Roxio.dll
[2006/08/09 04:19:50 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\CddbFileTaggerRoxio.dll
[2006/08/09 01:00:00 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\besched.dll
[2005/07/15 11:35:56 | 000,831,488 | ---- | C] () -- C:\WINDOWS\System32\libeay32.dll
[2005/07/15 11:35:56 | 000,159,744 | ---- | C] () -- C:\WINDOWS\System32\ssleay32.dll
[2005/07/15 11:35:24 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2003/10/02 01:00:00 | 000,208,896 | ---- | C] () -- C:\WINDOWS\System32\lockout.dll
[2003/10/02 01:00:00 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\lockres.dll
[2002/05/15 16:38:40 | 000,091,136 | ---- | C] () -- C:\WINDOWS\System32\mp4fil32.dll
[2002/05/04 06:19:00 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\avisynthEx.dll
[2002/04/21 11:30:14 | 000,151,552 | ---- | C] () -- C:\WINDOWS\System32\OggDS.dll
[2002/04/19 07:23:26 | 000,106,137 | ---- | C] () -- C:\WINDOWS\System32\libpostproc.dll
[2002/04/19 06:51:04 | 000,211,760 | ---- | C] () -- C:\WINDOWS\System32\libavcodec.dll
[2002/04/01 15:16:30 | 000,454,656 | ---- | C] () -- C:\WINDOWS\System32\VorbisEnc.dll
[2002/04/01 15:16:14 | 000,118,784 | ---- | C] () -- C:\WINDOWS\System32\vorbis.dll
[2002/04/01 15:15:40 | 000,011,264 | ---- | C] () -- C:\WINDOWS\System32\ogg.dll
[2002/02/21 09:41:20 | 000,157,184 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2001/06/22 04:06:02 | 000,167,936 | ---- | C] () -- C:\WINDOWS\System32\MPEG2DEC.dll

========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >
[2010/09/06 12:05:17 | 000,547,734 | ---- | M] (Microsoft Corporation) -- C:\file.exe
[2007/05/03 08:32:29 | 000,000,385 | ---- | M] () -- C:\Iexplore201s.exe


< MD5 for: AGP440.SYS >
[2004/08/04 05:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2009/08/22 12:33:09 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2009/08/22 12:33:09 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 11:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 11:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

< MD5 for: ATAPI.SYS >
[2004/08/04 05:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2009/08/22 12:33:09 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2009/08/22 12:33:09 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 11:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 11:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/03 22:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2004/08/04 05:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0004\DriverFiles\i386\atapi.sys
[2004/08/03 22:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0005\DriverFiles\i386\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 17:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 17:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/04 05:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/13 17:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 17:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2004/08/04 05:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/04 05:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 17:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 17:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >
[2010/09/13 21:38:49 | 000,782,848 | ---- | M] () Unable to obtain MD5 -- C:\WINDOWS\system32\drivers\dgoeuqq.sys

< %systemroot%\System32\config\*.sav >
[2009/08/22 02:54:24 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2009/08/22 02:54:24 | 000,634,880 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2009/08/22 02:54:24 | 000,897,024 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\system32\drivers\*.sys /90 >
[2010/07/15 11:36:23 | 000,216,400 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\system32\drivers\avgldx86.sys
[2010/07/15 11:36:48 | 000,243,024 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\system32\drivers\avgtdix.sys
[2010/09/13 21:38:49 | 000,782,848 | ---- | M] () -- C:\WINDOWS\system32\drivers\dgoeuqq.sys
[2010/06/21 08:27:11 | 000,354,304 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\srv.sys
< End of report >



Here is the EXTRA.TXT:


OTL Extras logfile created on: 9/13/2010 9:32:09 PM - Run 1
OTL by OldTimer - Version 3.2.12.0 Folder = C:\Documents and Settings\Steve\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 85.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 97.00% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 931.50 Gb Total Space | 502.93 Gb Free Space | 53.99% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
Drive H: | 3.99 Gb Total Space | 3.99 Gb Free Space | 100.00% Space Free | Partition Type: FAT32
I: Drive not present or media not loaded

Computer Name: STEVEDESKTOP
Current User Name: Steve
Logged in as Administrator.

Current Boot Mode: SafeMode with Networking
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~2\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableSR" = 1

========== Firewall Settings ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\American Airlines DealFinder\American_Airlines_DealFinder.exe" = C:\Program Files\American Airlines DealFinder\American_Airlines_DealFinder.exe -- (Skinkers Communications)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\AVG\AVG8\avgemc.exe" = C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe -- File not found
"C:\Program Files\AVG\AVG8\avgupd.exe" = C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe -- File not found
"C:\Program Files\AVG\AVG8\avgnsx.exe" = C:\Program Files\AVG\AVG8\avgnsx.exe:*:Enabled:avgnsx.exe -- File not found
"C:\Program Files\NewsBin\nbpro.exe" = C:\Program Files\NewsBin\nbpro.exe:*:Enabled:NewsBin Pro -- (CMCEI)
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- (Yahoo! Inc.)
"C:\Program Files\Google\Google Talk\googletalk.exe" = C:\Program Files\Google\Google Talk\googletalk.exe:*:Enabled:Google Talk -- (Google)
"C:\Program Files\AIM\aim.exe" = C:\Program Files\AIM\aim.exe:*:Enabled:AIM -- (AOL LLC)
"C:\Program Files\AVG\AVG9\avgupd.exe" = C:\Program Files\AVG\AVG9\avgupd.exe:*:Enabled:avgupd.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG9\avgnsx.exe" = C:\Program Files\AVG\AVG9\avgnsx.exe:*:Enabled:avgnsx.exe -- (AVG Technologies CZ, s.r.o.)
"C:\WINDOWS\system32\ftp.exe" = C:\WINDOWS\system32\ftp.exe:*:Enabled:File Transfer Program -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE" = C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE" = C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote -- (Microsoft Corporation)
"C:\Program Files\American Airlines DealFinder\American_Airlines_DealFinder.exe" = C:\Program Files\American Airlines DealFinder\American_Airlines_DealFinder.exe -- (Skinkers Communications)
"C:\Program Files\AAdvantage eShoppingSM Toolbar\TroubleShooter.exe" = C:\Program Files\AAdvantage eShoppingSM Toolbar\TroubleShooter.exe:*:Enabled:AAdvantage eShoppingSM Toolbar (Helper) -- (FreeCause Inc.)
"C:\Program Files\AAdvantage eShoppingSM Toolbar\ToolbarUpdate.exe" = C:\Program Files\AAdvantage eShoppingSM Toolbar\ToolbarUpdate.exe:*:Enabled:AAdvantage eShoppingSM Toolbar (Update) -- (FreeCause Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0E0DF90C-D0BA-4C89-9262-AD78D1A3DE51}" = HP USB Disk Storage Format Tool
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{20D4A895-748C-4D88-871C-FDB1695B0169}" = Platform
"{226b64e8-dc75-4eea-a6c8-abcb496320f2}-Google Talk" = Google Talk (remove only)
"{236BB7C4-4419-42FD-0409-1E257A25E34D}" = Adobe Photoshop CS2
"{26A24AE4-039D-4CA4-87B4-2F83216019FF}" = Java™ 6 Update 21
"{3108C217-BE83-42E4-AE9E-A56A2A92E549}" = Atheros Communications Inc.® AR8121/AR8113/AR8114 Gigabit/Fast Ethernet Driver
"{31A57C3E-30DD-421F-B5C7-974DACB0D05F}" = Canon Camera WIA Driver
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{4781569D-5404-1F26-4B2B-6DF444441031}" = Nero 7 Ultra Edition
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{53454A1C-26F6-4599-A410-847B6AAD0009}" = Motorola Driver Installation 4.6.5
"{65F9E1F3-A2C1-4AA9-9F33-A3AEB0255F0E}" = Garmin USB Drivers
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{73090A5A-E0C0-4E0B-A320-E183877061A5}" = ALLDATA Repair
"{786C5747-1033-0000-B58E-000000000001}" = Adobe Stock Photos 1.0
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISE_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{938B1CD7-7C60-491E-AA90-1F1888168240}" = Roxio Easy Media Creator 9 Suite
"{A1A70631-29A5-4CEB-B93B-035C49652E6B}" = TMPGEnc 4.0 XPress
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A93944F2-D2D4-4750-BFE7-9A288FEAF2CF}" = Apple Application Support
"{ABB18BC9-AAAE-44F0-852C-8BA0A7A15A86}" = SRS WOW HD for ViewSonic
"{AC76BA86-1033-F400-7760-000000000004}" = Adobe Acrobat 9 Pro - English, Franšais, Deutsch
"{AC76BA86-1033-F400-7760-000000000004}_934" = Adobe Acrobat 9.3.4 - CPSID_83708
"{AC76BA86-1033-F400-7760-000000000004}{AC76BA86-1033-F400-7760-000000000004}" = Adobe Acrobat 9 Pro - English, Franšais, Deutsch
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B4FEA924-630D-11D4-B78E-005004566E4D}" = ViewSonic Monitor Drivers
"{B74D4E10-1033-0000-0000-000000000001}" = Adobe Bridge 1.0
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C26AE123-1628-4A1C-9893-613EC8B2BB94}" = TMPGEnc Authoring Works 4
"{C4124E95-5061-4776-8D5D-E3D931C778E1}" = Microsoft VC9 runtime libraries
"{CAE7D1D9-3794-4169-B4DD-964ADBC534EE}" = HP Product Detection
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CD95F661-A5C4-44F5-A6AA-ECDD91C240BB}" = WinZip 14.0
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D17111CB-C992-42A9-9D56-C19395102AAA}" = Garmin WebUpdater
"{E4DC4718-90DD-48CC-A2DE-1C65BDDFBB8A}" = BlueWare
"{E9787678-1033-0000-8E67-000000000001}" = Adobe Help Center 1.0
"{EB900AF8-CC61-4E15-871B-98D1EA3E8025}" = QuickTime
"{F4F4F84E-804F-4E9A-84D7-C34283F0088F}" = RealUpgrade 1.0
"{F7B0939E-58DF-11DF-B3A6-005056806466}" = Google Earth
"49CF605F02C7954F4E139D18828DE298CD59217C" = Windows Driver Package - Garmin (grmnusb) GARMIN Devices (06/03/2009 2.3.0.0)
"9657EE3B-8192-467a-8292-976253F38749_is1" = Jagged Alliance 2 v1.13 (EN) [1.0.0.2085]
"AAdvantage eShoppingSM Toolbar" = AAdvantage eShoppingSM Toolbar
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Photoshop CS2 - {236BB7C4-4419-42FD-0409-1E257A25E34D}" = Adobe Photoshop CS2
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"AIM_7" = AIM 7
"American Airlines DealFinder" = American Airlines DealFinder (remove only)
"American Airlines TravelDesk_is1" = American Airlines TravelDesk
"AVG9Uninstall" = AVG Free 9.0
"Combined Community Codec Pack_is1" = Combined Community Codec Pack 2009-09-09
"Coupon Printer for Windows4.0" = Coupon Printer for Windows
"Coupon Printer for Windows5.0.0.0" = Coupon Printer for Windows
"DAEMON Tools Toolbar" = DAEMON Tools Toolbar
"DVD Shrink_is1" = DVD Shrink 3.2
"ENTERPRISE" = Microsoft Office Enterprise 2007
"Google Updater" = Google Updater
"HDMI" = Intel® Graphics Media Accelerator Driver
"HP Drive Key Boot Utility" = HP Drive Key Boot Utility
"HP LaserJet 3200 Uninstaller" = HP LaserJet 3200 Uninstaller
"ie8" = Windows Internet Explorer 8
"ImgBurn" = ImgBurn
"InstallShield_{20D4A895-748C-4D88-871C-FDB1695B0169}" = VIA Platform Device Manager
"InstallShield_{31A57C3E-30DD-421F-B5C7-974DACB0D05F}" = Canon EOS Kiss REBEL 300D WIA Driver
"Jagged Alliance 2 Gold" = Jagged Alliance 2 Gold
"KLiteCodecPack_is1" = K-Lite Codec Pack 5.0.5 (Full)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NewsBin5" = NewsBin Pro
"NimoCorp" = Nimo Codecs Pack v5.0 (Remove Only)
"Picasa 3" = Picasa 3
"Postage $aver Pro with Smart Barcoder" = Postage $aver Pro with Smart Barcoder
"Postage $aver Update" = Postage $aver Update
"QuickPar" = QuickPar 0.9
"RealPlayer 12.0" = RealPlayer
"Risk" = Risk (remove only)
"SAMSUNG CDMA Modem" = SAMSUNG CDMA Modem Driver Set
"Samsung Mobile phone USB driver" = Samsung Mobile phone USB driver Software
"SAMSUNG Mobile USB Modem" = SAMSUNG Mobile USB Modem Software
"SightSpeed" = SightSpeed (remove only)
"SoftwareUpdUtility" = Download Updater (AOL LLC)
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WINForms Desktop" = WINForms Desktop
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Xerox Phaser 8200" = Xerox Phaser 8200
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0
"Yahoo! Messenger" = Yahoo! Messenger
"zipForm6" = zipForm6

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1060284298-115176313-839522115-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Consumer Input Software" = Consumer Input Software (remove only)
"Facebook Plug-In" = Facebook Plug-In

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 8/23/2010 9:45:34 PM | Computer Name = STEVEDESKTOP | Source = Microsoft Office 12 | ID = 1000
Description = Faulting application outlook.exe, version 12.0.6504.5000, stamp 49e7f47e,
faulting module unknown, version 0.0.0.0, stamp 00000000, debug? 0, fault address
0x0046006f.

Error - 8/24/2010 2:43:37 AM | Computer Name = STEVEDESKTOP | Source = Application Hang | ID = 1002
Description = Hanging application wmplayer.exe, version 11.0.5721.5145, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 8/24/2010 7:36:19 AM | Computer Name = STEVEDESKTOP | Source = Microsoft Office 12 | ID = 1000
Description = Faulting application outlook.exe, version 12.0.6504.5000, stamp 49e7f47e,
faulting module outlook.exe, version 12.0.6504.5000, stamp 49e7f47e, debug? 0,
fault address 0x001c1581.

Error - 8/30/2010 4:31:14 PM | Computer Name = STEVEDESKTOP | Source = Google Update | ID = 20
Description =

Error - 8/31/2010 2:27:54 PM | Computer Name = STEVEDESKTOP | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 9/6/2010 9:56:43 AM | Computer Name = STEVEDESKTOP | Source = Microsoft Office 12 | ID = 1000
Description = Faulting application outlook.exe, version 12.0.6504.5000, stamp 49e7f47e,
faulting module unknown, version 0.0.0.0, stamp 00000000, debug? 0, fault address
0x003601bd.

Error - 9/6/2010 3:04:26 PM | Computer Name = STEVEDESKTOP | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.5512, faulting
module , version 0.0.0.0, fault address 0x00000000.

Error - 9/6/2010 3:13:05 PM | Computer Name = STEVEDESKTOP | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.5512, faulting
module kbecligs.dll, version 6.0.1.1536, fault address 0x00002f17.

Error - 9/6/2010 3:13:30 PM | Computer Name = STEVEDESKTOP | Source = Application Error | ID = 1000
Description = Faulting application , version 0.0.0.0, faulting module unknown, version
0.0.0.0, fault address 0x00000000.

Error - 9/6/2010 3:19:56 PM | Computer Name = STEVEDESKTOP | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.5512, faulting
module , version 0.0.0.0, fault address 0x00000000.

[ Application Events ]
Error - 8/23/2010 9:45:34 PM | Computer Name = STEVEDESKTOP | Source = Microsoft Office 12 | ID = 1000
Description = Faulting application outlook.exe, version 12.0.6504.5000, stamp 49e7f47e,
faulting module unknown, version 0.0.0.0, stamp 00000000, debug? 0, fault address
0x0046006f.

Error - 8/24/2010 2:43:37 AM | Computer Name = STEVEDESKTOP | Source = Application Hang | ID = 1002
Description = Hanging application wmplayer.exe, version 11.0.5721.5145, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 8/24/2010 7:36:19 AM | Computer Name = STEVEDESKTOP | Source = Microsoft Office 12 | ID = 1000
Description = Faulting application outlook.exe, version 12.0.6504.5000, stamp 49e7f47e,
faulting module outlook.exe, version 12.0.6504.5000, stamp 49e7f47e, debug? 0,
fault address 0x001c1581.

Error - 8/30/2010 4:31:14 PM | Computer Name = STEVEDESKTOP | Source = Google Update | ID = 20
Description =

Error - 8/31/2010 2:27:54 PM | Computer Name = STEVEDESKTOP | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 9/6/2010 9:56:43 AM | Computer Name = STEVEDESKTOP | Source = Microsoft Office 12 | ID = 1000
Description = Faulting application outlook.exe, version 12.0.6504.5000, stamp 49e7f47e,
faulting module unknown, version 0.0.0.0, stamp 00000000, debug? 0, fault address
0x003601bd.

Error - 9/6/2010 3:04:26 PM | Computer Name = STEVEDESKTOP | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.5512, faulting
module , version 0.0.0.0, fault address 0x00000000.

Error - 9/6/2010 3:13:05 PM | Computer Name = STEVEDESKTOP | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.5512, faulting
module kbecligs.dll, version 6.0.1.1536, fault address 0x00002f17.

Error - 9/6/2010 3:13:30 PM | Computer Name = STEVEDESKTOP | Source = Application Error | ID = 1000
Description = Faulting application , version 0.0.0.0, faulting module unknown, version
0.0.0.0, fault address 0x00000000.

Error - 9/6/2010 3:19:56 PM | Computer Name = STEVEDESKTOP | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.5512, faulting
module , version 0.0.0.0, fault address 0x00000000.

[ OSession Events ]
Error - 5/5/2010 6:41:47 PM | Computer Name = STEVEDESKTOP | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6514.5001. This session lasted 22165
seconds with 300 seconds of active time. This session ended with a crash.

Error - 5/7/2010 1:14:33 PM | Computer Name = STEVEDESKTOP | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6514.5001. This session lasted 8347
seconds with 720 seconds of active time. This session ended with a crash.

Error - 5/28/2010 12:38:45 AM | Computer Name = STEVEDESKTOP | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6514.5001. This session lasted 6
seconds with 0 seconds of active time. This session ended with a crash.

Error - 6/2/2010 1:25:05 AM | Computer Name = STEVEDESKTOP | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6514.5001. This session lasted 27162
seconds with 960 seconds of active time. This session ended with a crash.

Error - 6/7/2010 8:01:11 AM | Computer Name = STEVEDESKTOP | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6514.5001. This session lasted 1503
seconds with 480 seconds of active time. This session ended with a crash.

Error - 6/24/2010 1:42:28 PM | Computer Name = STEVEDESKTOP | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6514.5001. This session lasted 2851
seconds with 180 seconds of active time. This session ended with a crash.

Error - 8/14/2010 12:31:43 AM | Computer Name = STEVEDESKTOP | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6514.5001. This session lasted 22576
seconds with 600 seconds of active time. This session ended with a crash.

Error - 8/23/2010 9:45:27 PM | Computer Name = STEVEDESKTOP | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6514.5001. This session lasted 30078
seconds with 1920 seconds of active time. This session ended with a crash.

Error - 8/24/2010 7:36:15 AM | Computer Name = STEVEDESKTOP | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6514.5001. This session lasted 12
seconds with 0 seconds of active time. This session ended with a crash.

Error - 9/6/2010 9:56:40 AM | Computer Name = STEVEDESKTOP | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6514.5001. This session lasted 178
seconds with 0 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 9/8/2010 4:08:25 PM | Computer Name = STEVEDESKTOP | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 9/8/2010 9:04:14 PM | Computer Name = STEVEDESKTOP | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 9/9/2010 12:38:21 AM | Computer Name = STEVEDESKTOP | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 9/14/2010 12:14:03 AM | Computer Name = STEVEDESKTOP | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 9/14/2010 12:14:03 AM | Computer Name = STEVEDESKTOP | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 9/14/2010 12:14:15 AM | Computer Name = STEVEDESKTOP | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 9/14/2010 12:15:23 AM | Computer Name = STEVEDESKTOP | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 9/14/2010 12:15:24 AM | Computer Name = STEVEDESKTOP | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
AvgLdx86 AvgMfx86 Fips intelppm StarOpen

Error - 9/14/2010 12:30:15 AM | Computer Name = STEVEDESKTOP | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 9/14/2010 12:30:16 AM | Computer Name = STEVEDESKTOP | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}


< End of report >



Thanks,
Steve

#4 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:07:51 AM

Posted 14 September 2010 - 03:24 PM

Hi,
please run a scan with Rootkit Unhooker next:

Please download Rootkit Unhooker and save it to your Desktop
  • Double-click on RKUnhookerLE to run it
  • Click the Report tab, then click Scan
  • Check Drivers, Stealth, and uncheck the rest
  • Click OK
  • Wait until it's finished and then go to File > Save Report
  • Save the report to your Desktop
Copy the entire contents of the report and paste it in a reply here.

Note** you may get this warning it is ok, just ignore

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#5 nyclad

nyclad
  • Topic Starter

  • Members
  • 44 posts
  • OFFLINE
  •  
  • Local time:09:51 PM

Posted 14 September 2010 - 03:38 PM

Hi Myrti,

Thanks again for your help.


I downloaded RKUnhookerLE.exe to the desktop. When I double click on it, it does the "Rootkit Unhooker has detected parasite..." stuff like you said, so I clicked OK.

Upon clicking OK, another window says "Parasite removed, continue loading" to which I also click OK.

However immedaitely after that, I get an ERROR popup window that says "Error loading/opening driver."
There is another window behind it that says: "Please wait few seconds" and a blank progress bar, and "Initalizing@" below that. When I click on OK to the "Error loading/opening driver," everything disappears and nothing is running. Double clicking on the RKUnhookerLE again does the same thing, gets the "Error loading/opening driver" and the program closes once I click OK.

I tried re-downloading RKUnhookerLE again, as well as restarting the infected computer, but the results are the same. Please advise.

The infected computer is on Windows safe mode with networking, if that is relevant.


Just for reference if needed, the first Rootkit Unhooker warning says:

Parasite type: Unknown remote thread
Thread ID: 284
Priority: 8
Thread start address: 0x77DF848A
Module: advapi32.dll


Thanks,
Steve

#6 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:07:51 AM

Posted 14 September 2010 - 04:43 PM

Hi,

the parasite is AVG, please disable your anti virus program and try to launch rootkit unhooker once more.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#7 nyclad

nyclad
  • Topic Starter

  • Members
  • 44 posts
  • OFFLINE
  •  
  • Local time:09:51 PM

Posted 14 September 2010 - 10:08 PM

QUOTE(myrti @ Sep 14 2010, 02:43 PM) View Post
Hi,

the parasite is AVG, please disable your anti virus program and try to launch rootkit unhooker once more.

regards myrti



Hi Myrti,


I booted up in Safe Mode, and the only instances I can find of AVG are 3 mentions of it in the Windows Task Manager Processes. I ended those processes, but the same result. RKUnhookerLE still has an ERROR window with "Error loading/opening driver" pop up and when I click on Okay, it kills RKUnhooker. I've tried it a fee times in Windows Safe Mode, Safe w/ Command Prompt and Safe w/ Networking.



Should I be trying to do this in standard Windows mode or some other mode? Any ideas? Thanks a lot.


Steve

#8 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:07:51 AM

Posted 15 September 2010 - 04:32 AM

Hi,

yes, standard windows mode, would be best. Is there anything keeping you from doing this?

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#9 nyclad

nyclad
  • Topic Starter

  • Members
  • 44 posts
  • OFFLINE
  •  
  • Local time:09:51 PM

Posted 15 September 2010 - 12:18 PM

Hi Myrti,


I booted my infected computer up in standard mode and successfully ran the RKUnhookerLE. I was under the impression that the virus would pop back up and disable any programs. Oddly enough, there was no visible indication of the virus, except that it still took twice as long for Windows XP to load. I do have my computer unhooked from the internet since I found the infection, and I've been using my work laptop since.



Here is the RKUnhooker LE report.txt


RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #2
==============================================
>Drivers
==============================================
0xB9742000 C:\WINDOWS\system32\DRIVERS\igxpmp32.sys 5959680 bytes (Intel Corporation, Intel Graphics Miniport Driver)
0xBF26A000 C:\WINDOWS\System32\igxpdx32.DLL 3235840 bytes (Intel Corporation, DirectDraw® Driver for Intel® Graphics Technology)
0xBF04F000 C:\WINDOWS\System32\igxpdv32.DLL 2207744 bytes (Intel Corporation, Component GHAL Driver)
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2150400 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2150400 bytes
0x804D7000 RAW 2150400 bytes
0x804D7000 WMIxWDM 2150400 bytes
0xBF800000 Win32k 1855488 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1855488 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xA91EB000 C:\WINDOWS\system32\drivers\monfilt.sys 1392640 bytes (Creative Technology Ltd., Creative WDM Audio Driver (32-bit))
0xA9363000 C:\WINDOWS\system32\drivers\viahduaa.sys 847872 bytes (VIA Technologies, Inc., VIA High Definition Audio Function Driver)
0xB9EA3000 dgoeuqq.sys 806912 bytes
0xA7224000 C:\WINDOWS\system32\drivers\hardlock.sys 679936 bytes (Aladdin Knowledge Systems, Hardlock Device Driver for Windows NT)
0xB9D80000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xA7EEA000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xB9532000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xA8057000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xA6FC8000 C:\WINDOWS\system32\DRIVERS\srv.sys 356352 bytes (Microsoft Corporation, Server driver)
0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xA673F000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xA7FF5000 C:\WINDOWS\System32\Drivers\avgtdix.sys 237568 bytes (AVG Technologies CZ, s.r.o., AVG Network connection watcher)
0xA7EB6000 C:\WINDOWS\System32\Drivers\avgldx86.sys 212992 bytes (AVG Technologies CZ, s.r.o., AVG AVI Loader Driver)
0xB9F79000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xA78FC000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xB9D53000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xB96B7000 C:\WINDOWS\system32\drivers\aticxcap.sys 176128 bytes (ATI Technologies, Inc., ATI TV Wonder Pro A/V Capture Driver)
0xBF024000 C:\WINDOWS\System32\igxpgd32.dll 176128 bytes (Intel Corporation, Intel Graphics 2D Driver)
0xA6444000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xA7F5A000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xB9706000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 163840 bytes (Windows ® Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)
0xA7FA7000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xA7FCF000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xA7488000 C:\WINDOWS\System32\Drivers\Fastfat.SYS 147456 bytes (Microsoft Corporation, Fast FAT File System Driver)
0xA933F000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xB96E2000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xB9694000 C:\WINDOWS\system32\drivers\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xA7F85000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x806E4000 ACPI_HAL 134400 bytes
0x806E4000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xB9E4C000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xB9E84000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xB9D39000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xB9E6C000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xB9E0D000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xB95C9000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xB9E24000 drvmcdb.sys 90112 bytes (Sonic Solutions, Device Driver)
0xA7929000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xB9680000 C:\WINDOWS\system32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)
0xB972E000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xA80B0000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xBF012000 C:\WINDOWS\System32\igxprd32.dll 73728 bytes (Intel Corporation, Intel Graphics 2D Rotation Driver)
0xB9E3A000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xB9F68000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xB9590000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xBA308000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xBA1C8000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xBA1A8000 C:\WINDOWS\system32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
0xBA298000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xBA1D8000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xB9600000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xBA2A8000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xBA178000 C:\WINDOWS\system32\DRIVERS\l1e51x86.sys 57344 bytes (Atheros Communications, Inc., Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller ndis miniport driver)
0xBA0E8000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xBA198000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xBA218000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xBA188000 C:\WINDOWS\system32\drivers\STREAM.SYS 53248 bytes (Microsoft Corporation, WDM CODEC Class Device Driver 2.0)
0xBA0C8000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xA7E3E000 C:\WINDOWS\system32\drivers\Haspnt.sys 49152 bytes (Aladdin Knowledge Systems, HASP Kernel Device Driver for Windows NT)
0xBA238000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xBA2D8000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xBA1B8000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xBA0B8000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xBA228000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xBA0A8000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xBA278000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xBA1F8000 C:\WINDOWS\system32\drivers\srs_ViewSonic_i386.sys 40960 bytes (-, SRS WOW HD, TSXT, CSII, Mobile HD Standalone driver)
0xBA258000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xBA208000 C:\WINDOWS\system32\drivers\wowhd_kern_i386.sys 40960 bytes (SRS Labs, Inc., WOW HD kernel mode DLL for Windows)
0xBA0D8000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xBA2F8000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xBA168000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xBA248000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xBA2C8000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xA648F000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xBA0F8000 PxHelp20.sys 36864 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0xBA2E8000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xBA458000 C:\WINDOWS\system32\drivers\aticxtun.sys 32768 bytes (ATI Technologies, Inc., ATI TV Wonder Pro Tuner Driver)
0xBA4A8000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xBA378000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xBA390000 C:\WINDOWS\system32\DRIVERS\fdc.sys 28672 bytes (Microsoft Corporation, Floppy Disk Controller Driver)
0xBA3B8000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xBA328000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xBA380000 C:\WINDOWS\System32\Drivers\avgmfx86.sys 24576 bytes (AVG Technologies CZ, s.r.o., AVG Resident Shield Minifilter Driver)
0xBA3A0000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xBA3A8000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xBA3E0000 C:\WINDOWS\System32\Drivers\StarOpen.SYS 24576 bytes
0xBA370000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xBA488000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xBA468000 C:\WINDOWS\system32\DRIVERS\flpydisk.sys 20480 bytes (Microsoft Corporation, Floppy Driver)
0xBA3C8000 C:\WINDOWS\system32\drivers\graphiceq_opt_kern_i386.sys 20480 bytes (-, SRS Labs Graphic EQ Kernel DLL)
0xBA498000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xBA330000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xBA3F8000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xBA408000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xBA3E8000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xBA410000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xBA570000 C:\WINDOWS\System32\Drivers\cdrbsdrv.SYS 16384 bytes (B.H.A Corporation, CD-ROM Filter Driver for Windows2000/xp)
0xBA58C000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xB9D0D000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xBA564000 C:\WINDOWS\system32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
0xBA548000 C:\WINDOWS\system32\drivers\aticxxbr.sys 12288 bytes (ATI Technologies, Inc., ATI TV Wonder Pro A/V Crossbar Driver)
0xBA4B8000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xBA56C000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xB95A1000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xBA594000 C:\WINDOWS\system32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xBA578000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xBA560000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xBA5B2000 C:\WINDOWS\system32\DRIVERS\ASACPI.sys 8192 bytes (-, ATK0110 ACPI Utility)
0xBA5D0000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xBA5CC000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xBA5A8000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xBA5D4000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xBA5AE000 C:\WINDOWS\system32\drivers\mpfilt.sys 8192 bytes
0xBA5C6000 C:\WINDOWS\System32\Drivers\ParVdm.SYS 8192 bytes (Microsoft Corporation, VDM Parallel Driver)
0xBA5D8000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xBA5C0000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xBA5C8000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xBA5AA000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xBA78E000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xBA7F4000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xBA7D7000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xBA670000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
0x89C0B190 unknown_irp_handler 3696 bytes
0x8A7B2480 unknown_irp_handler 2944 bytes
!!!!!!!!!!!Hidden driver: 0x8A537AEA ?_empty_? 1302 bytes
!!!!!!!!!!!Hidden driver: 0x8A7587A8 ?_empty_? 0 bytes
==============================================
>Stealth
==============================================
0xB9E6C000 WARNING: suspicious driver modification [atapi.sys::0x8A537AEA]
WARNING: File locked for read access [C:\WINDOWS\system32\drivers\dgoeuqq.sys]
0xBA1C8000 WARNING: Virus alike driver modification [cdrom.sys], 65536 bytes

Thanks again!
Steve

#10 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:07:51 AM

Posted 15 September 2010 - 02:50 PM

Hi,

you have been infected by a nasty rootkit. It is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.


If you decide to clean, then please run ComboFix and post the log in your next reply:

Please download ComboFix from one of these locations:

Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Temporarily disable isable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools
    Usually this can be done via a right click on the System Tray icon, check this tutorial for disabling the most common security programs: Link

  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#11 nyclad

nyclad
  • Topic Starter

  • Members
  • 44 posts
  • OFFLINE
  •  
  • Local time:09:51 PM

Posted 15 September 2010 - 04:32 PM

Hi Myrti,


I'm trying the ComboFix, but when I click on it, it gets blocked (I'm assuming it's being blocked.)
Just out of curiosity, I opened the Windows Task Manager, and it does show an additional task when I double click on ComboFix, but it goes back to the original number after a brief second, so that's where I think I'm getting blocked.

My AVG free antivirus does have the resident shield turned off per the ComboFix how-to's.

I tried rebooting and returning to standard Windows XP mode, and same results.

Should I try rebooting and doing this via Safe Mode?


Thanks,
Steve

#12 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:07:51 AM

Posted 15 September 2010 - 05:15 PM

Hi,

please try renaming combofix to fun.com first and run it. IF that doesn't work, please try safe mode.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#13 nyclad

nyclad
  • Topic Starter

  • Members
  • 44 posts
  • OFFLINE
  •  
  • Local time:09:51 PM

Posted 15 September 2010 - 06:16 PM

Hi Myrti,


Renaming the ComboFix worked. Here's log.txt from ComboFix.


ComboFix 10-09-14.05 - Steve 09/15/2010 15:39:05.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1553 [GMT -7:00]
Running from: c:\documents and settings\Steve\Desktop\fun.com
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Steve\Local Settings\Application Data\ljwwqslwg
c:\documents and settings\Steve\Local Settings\Application Data\ljwwqslwg\jqveqhcuqiw.exe
C:\file.exe
C:\Thumbs.db
c:\windows\Downloaded Program Files\popcaploader.dll
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\epuyuyeb.dll
c:\windows\system32\drivers\dgoeuqq.sys
c:\windows\system32\spool\prtprocs\w32x86\5oCE5.dll
c:\windows\system32\spool\prtprocs\w32x86\aAA17e3.dll
c:\windows\system32\spool\prtprocs\w32x86\c31uOCEI9.dll
c:\windows\system32\spool\prtprocs\w32x86\gM5g5.dll
c:\windows\system32\spool\prtprocs\w32x86\yW9uO7.dll
c:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job

Infected copy of c:\windows\system32\drivers\cdrom.sys was found and disinfected
Restored copy from - Kitty had a snack tongue.gif
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_dgoeuqq
-------\Service_dgoeuqq


((((((((((((((((((((((((( Files Created from 2010-08-15 to 2010-09-15 )))))))))))))))))))))))))))))))
.

2010-09-15 22:38 . 2010-09-06 19:03 185856 ----a-w- c:\windows\Cdapih.exe
2010-09-15 22:30 . 2010-09-15 22:30 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-09-15 22:30 . 2010-09-15 22:30 -------- d-----w- c:\windows\system32\%APPDATA%
2010-09-06 20:44 . 2010-09-06 19:03 185856 ----a-w- c:\windows\Cdapig.exe
2010-09-06 20:42 . 2010-09-06 19:03 185856 ----a-w- c:\windows\Cdapif.exe
2010-09-06 20:33 . 2010-09-06 19:03 185856 ----a-w- c:\windows\Cdapie.exe
2010-09-06 19:31 . 2010-09-06 19:03 185856 ----a-w- c:\windows\Cdapid.exe
2010-09-06 19:15 . 2010-09-06 19:03 185856 ----a-w- c:\windows\Cdapic.exe
2010-09-06 19:07 . 2010-09-06 19:03 185856 ----a-w- c:\windows\Cdapib.exe
2010-09-06 19:02 . 2010-09-06 19:02 185856 ----a-w- c:\windows\Cdapia.exe
2010-09-06 18:56 . 2010-09-06 19:03 -------- d-----w- c:\program files\WMR14
2010-09-03 22:04 . 2010-09-03 22:04 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2010-09-03 21:52 . 2010-09-03 21:52 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2010-09-03 21:51 . 2009-08-20 06:50 22872 ----a-r- c:\windows\system32\AdobePDFUI.dll
2010-09-03 21:51 . 2009-08-20 06:50 46928 ----a-w- c:\windows\system32\AdobePDF.dll
2010-08-22 00:36 . 2008-04-13 18:45 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2010-08-22 00:36 . 2008-04-13 18:45 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2010-08-20 22:37 . 2010-08-20 22:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-08-20 20:49 . 2010-08-20 20:49 -------- d-----w- c:\program files\Common Files\Java
2010-08-18 04:10 . 2010-08-18 04:36 -------- d-----w- c:\program files\Jagged Alliance 2 Gold

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-14 18:20 . 2009-09-04 00:02 201840 ----a-w- c:\documents and settings\Steve\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-09-06 14:35 . 2010-05-15 22:20 -------- d-----w- c:\documents and settings\Steve\Application Data\American Airlines DealFinder
2010-09-03 21:52 . 2009-08-23 00:06 -------- d-----w- c:\program files\Common Files\Adobe
2010-09-01 22:30 . 2009-09-03 18:25 -------- d-----w- c:\documents and settings\Steve\Application Data\Canon
2010-08-20 22:38 . 2010-08-12 11:41 -------- d-----w- c:\program files\QuickTime
2010-08-20 20:48 . 2010-04-10 00:52 -------- d-----w- c:\program files\Java
2010-08-17 05:40 . 2009-11-22 23:21 -------- d-----w- c:\program files\DOSBox-0.72
2010-08-12 11:41 . 2010-08-12 11:41 -------- d-----w- c:\program files\Common Files\Apple
2010-08-12 11:41 . 2010-08-12 11:41 -------- d-----w- c:\program files\Apple Software Update
2010-08-12 11:41 . 2010-08-12 11:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-08-12 04:47 . 2010-08-12 04:47 -------- d-----w- c:\program files\Motorola
2010-08-12 04:47 . 2010-08-12 04:47 -------- d-----w- c:\program files\Common Files\Motorola Shared
2010-08-09 15:03 . 2010-08-08 23:26 -------- d-----w- c:\program files\DAEMON Tools Lite
2010-08-03 17:16 . 2010-08-03 17:16 -------- d-----w- c:\documents and settings\Steve\Application Data\Yahoo!
2010-07-24 00:09 . 2010-04-25 22:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-07-23 23:47 . 2010-05-15 22:22 -------- d-----w- c:\program files\American Airlines TravelDesk
2010-07-22 18:31 . 2010-07-22 18:31 -------- d-----w- c:\documents and settings\Steve\Application Data\Media Player Classic
2010-07-18 00:28 . 2009-08-23 00:17 -------- d-----w- c:\documents and settings\Steve\Application Data\AdobeUM
2010-07-17 12:00 . 2010-04-22 11:55 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-15 18:36 . 2009-08-22 17:41 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-15 18:36 . 2010-07-15 18:36 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-15 18:36 . 2009-08-22 17:41 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-06-30 12:31 . 2004-08-04 12:00 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44 . 2004-08-04 12:00 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2004-08-04 12:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{da879c19-9088-418b-a63a-2e6fb294eaf0}"= "c:\program files\AAdvantage eShoppingSM Toolbar\Helper.dll" [2010-05-26 243200]

[HKEY_CLASSES_ROOT\clsid\{da879c19-9088-418b-a63a-2e6fb294eaf0}]
[HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook.1]
[HKEY_CLASSES_ROOT\TypeLib\{26582F40-76E8-4A2A-B30C-26832801B787}]
[HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5712A6BB-B6C8-4E52-A152-1BA741C9A6A2}]
2010-05-26 15:50 1558528 ----a-w- c:\program files\AAdvantage eShoppingSM Toolbar\Toolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{85741F1D-ED47-4DCF-9109-07D10213C4D0}"= "c:\program files\AAdvantage eShoppingSM Toolbar\Toolbar.dll" [2010-05-26 1558528]

[HKEY_CLASSES_ROOT\clsid\{85741f1d-ed47-4dcf-9109-07d10213c4d0}]
[HKEY_CLASSES_ROOT\FCTB000062125.IEToolbar.3]
[HKEY_CLASSES_ROOT\TypeLib\{5E8947F8-3769-4215-877F-BEA00225DC12}]
[HKEY_CLASSES_ROOT\FCTB000062125.IEToolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{85741F1D-ED47-4DCF-9109-07D10213C4D0}"= "c:\program files\AAdvantage eShoppingSM Toolbar\Toolbar.dll" [2010-05-26 1558528]

[HKEY_CLASSES_ROOT\clsid\{85741f1d-ed47-4dcf-9109-07d10213c4d0}]
[HKEY_CLASSES_ROOT\FCTB000062125.IEToolbar.3]
[HKEY_CLASSES_ROOT\TypeLib\{5E8947F8-3769-4215-877F-BEA00225DC12}]
[HKEY_CLASSES_ROOT\FCTB000062125.IEToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2010-06-01 5252408]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-09-08 94208]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-06 2260480]
"Consumer Input Update"="c:\program files\Consumer Input\dca-ua.exe" [2010-05-14 179896]
"SRS WOW HD for ViewSonic"="c:\program files\SRS Labs\WOW HD for ViewSonic\SRSViewSonic_Win32.exe" [2009-02-04 1914096]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-03-21 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-03-21 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-03-21 137752]
"HDAudDeck"="c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe" [2008-08-15 30003200]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"HP SchedIndexer"="c:\program files\Hewlett-Packard\LaserJet All-in-one\hppschedindexer.exe" [2000-08-10 81920]
"HP AutoIndexer"="c:\program files\Hewlett-Packard\LaserJet All-in-one\hppautoindexer.exe" [2000-08-10 77824]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-08-10 221184]
"DMXLauncher"="c:\program files\Roxio\Media Experience\DMXLauncher.exe" [2006-08-14 102400]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-15 2065760]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-24 202256]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"American Airlines DealFinder"="c:\program files\American Airlines DealFinder\American_Airlines_DealFinder.exe" [2009-03-17 759728]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-08-10 421888]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2010-06-20 38840]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2010-06-19 640440]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP LaserJet Director.lnk - c:\program files\Hewlett-Packard\LaserJet All-in-one\hppdirector.exe [2009-8-30 159744]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-15 18:36 12536 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\NewsBin\\nbpro.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\program files\American Airlines DealFinder\American_Airlines_DealFinder.exe"= c:\program files\American Airlines DealFinder\American_Airlines_DealFinder.exe
"c:\\Program Files\\AAdvantage eShoppingSM Toolbar\\TroubleShooter.exe"=
"c:\\Program Files\\AAdvantage eShoppingSM Toolbar\\ToolbarUpdate.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [8/22/2009 10:41 AM 216400]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [8/22/2009 10:41 AM 243024]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [7/15/2010 11:36 AM 308136]
R2 MotoConnect Service;MotoConnect Service;c:\program files\Motorola\MotoConnectService\MotoConnectService.exe [8/11/2010 9:47 PM 91456]
R3 ATICXCAP;ATI TV Wonder Pro A/V Capture;c:\windows\system32\drivers\aticxcap.sys [3/30/2005 11:22 AM 173824]
R3 ATICXTUN;ATI TV Wonder Pro Tuner (Philips 1236 MK3);c:\windows\system32\drivers\aticxtun.sys [3/30/2005 11:22 AM 29184]
R3 ATICXXBR;ATI TV Wonder Pro A/V Crossbar;c:\windows\system32\drivers\aticxxbr.sys [3/30/2005 11:22 AM 9088]
R3 mpfilt;mpfilt;c:\windows\system32\drivers\mpfilt.sys [1/30/2010 7:01 PM 10588]
R3 SRS_ViewSonic;SRS Labs WOW HD ViewSonic;c:\windows\system32\drivers\SRS_ViewSonic_i386.sys [7/6/2010 12:28 PM 37504]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [8/22/2009 10:22 AM 845184]
S2 gupdate1ca2759550ee9b6;Google Update Service (gupdate1ca2759550ee9b6);c:\program files\Google\Update\GoogleUpdate.exe [8/27/2009 1:59 PM 133104]
S3 HPUATA;HP CD Writer Plus Controller Driver;c:\windows\system32\drivers\HPUATA.sys [9/24/2001 3:36 AM 75776]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [8/24/2009 8:38 AM 691696]
.
Contents of the 'Scheduled Tasks' folder

2010-09-15 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-08-27 20:58]

2010-09-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-27 20:59]

2010-09-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-27 20:59]

2010-09-15 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1060284298-115176313-839522115-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]

2010-08-31 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1060284298-115176313-839522115-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyServer = http=127.0.0.1:6092
uInternet Settings,ProxyOverride = <local>
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.8.3/GarminAxControl.CAB
DPF: Web-Based Email Tools - hxxp://email06.secureserver.net/Download.CAB
DPF: {32C3FEAE-0877-4767-8C20-62A5829A0945} - hxxp://static.ak.facebook.com/fbplugin/win32/axfbootloader.cab
DPF: {45830FF9-D9E6-4F41-86ED-B266933D8E90} - hxxp://sheratonbostonipcams.hostacam.com:24762/RtspVaPgDec.cab
DPF: {83A4D5A6-E2C1-4EDD-AD48-1A1C50BD06EF} - hxxp://www.epropertysites.com/ImageUploader6.cab
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://aolsvc.aol.com/onlinegames/ghbabeldeluxe/zylomplayer.cab
DPF: {E4BBF5F2-453C-4D24-8547-A717DD7592B9} - hxxps://valuemanager.iasreo.com/BPO/ImageUploader6.cab
DPF: {F375116A-793C-11D2-BFE1-444553540001} - hxxp://realist2.firstamres.com/mapviewer/mapviewer.cab
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe
HKCU-Run-Dmezabihebaj - c:\windows\kbecligs.dll
HKCU-Run-pbrxiuqf - c:\documents and settings\Steve\Local Settings\Application Data\ljwwqslwg\jqveqhcuqiw.exe
HKLM-Run-NWEReboot - (no file)
HKLM-Run-pbrxiuqf - c:\documents and settings\Steve\Local Settings\Application Data\ljwwqslwg\jqveqhcuqiw.exe
Notify-ddcyVnOE - ddcyVnOE.dll
AddRemove-DAEMON Tools Toolbar - c:\program files\DAEMON Tools Toolbar\uninst.exe
AddRemove-SAMSUNG CDMA Modem - c:\windows\system32\Samsung_USB_Drivers\3\SSCDUninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-15 15:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HDAudDeck = c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe 1????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1232)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\bgsvcgen.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Motorola\MotoConnectService\MotoConnect.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
.
**************************************************************************
.
Completion time: 2010-09-15 16:01:38 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-15 23:01

Pre-Run: 539,919,204,352 bytes free
Post-Run: 540,164,870,144 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

Current=2 Default=2 Failed=3 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 7A7A773B3D1996F4BE09B039A4FE2D79





Thanks,
Steve

#14 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:07:51 AM

Posted 16 September 2010 - 06:41 AM

Hi,

this looks quite promissing. How is the PC doing?

Please upload the following file to virustotal:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the browse button and navigate to the files listed below in bold, then click Submit. You will only be able to have one file scanned at a time.

c:\windows\Cdapig.exe

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#15 nyclad

nyclad
  • Topic Starter

  • Members
  • 44 posts
  • OFFLINE
  •  
  • Local time:09:51 PM

Posted 16 September 2010 - 12:49 PM

Hi Myrti,


Well, this is the first time since the infection that I've hooked the computer up to the internet (I've been using my laptop and transferring files via USB drive) and it still seems to load windows a bit slow. The obvious signs of the virus (pop-ups with the virus warnings) are gone.

I did the Jotti and here are the results (I just did a highlight, cut and paste from the website.)




Jotti's malware scan
Filename: Cdapig.exe
Status: Scan finished. 14 out of 19 scanners reported malware.
Scan taken on: Thu 16 Sep 2010 19:39:37 (CET) Permalink



--------------------------------------------------------------------------------
Additional info
File size: 185856 bytes
Filetype: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5: 596e7c4908bffc7cc4307c4148396a3c
SHA1: 5ea9798f6c82b6127250b92cf1fe7ec799d66de9







Scanners
2010-09-16 Heur.W32 2010-09-16 Gen:Variant.Kazy.192
2010-09-16 Win32:MalOb-BX 2010-09-16 Found nothing
2010-09-16 Generic19.IAV 2010-09-16 Packed.Win32.Katusha.n
2010-09-16 TR/PCK.Katusha.N.3899 2010-09-16 Win32/TrojanDownloader.FakeAlert.AQI
2010-09-16 Gen:Variant.Kazy.192 2010-09-15 Found nothing
2010-09-16 Found nothing 2010-09-16 Found nothing
2010-09-16 Found nothing 2010-09-16 Mal/FakeAV-CX
2010-09-16 Trojan.DownLoader1.17982 2010-09-16 Malware-Cryptor.Win32.Gron.2
2010-09-16 W32/Renos.A!Generic 2010-09-16 Trojan.Codecpack.Gen.10
2010-09-16 Gen:Variant.Kazy.192



Thanks,
Steve




1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users