Recurring malware/trojan

  • This topic is locked
20 replies to this topic

#1 sh0ckker

  • Members
  • 19 posts
  • OFFLINE
  • Local time:09:07 PM

Posted 14 September 2010 - 07:41 AM

Hi there,

Thanks in advance for any assistance you can offer. I went to The Pirate Bay on Saturday and was warned in Google Chrome that there was suspicious activity on the site, but having been there before without problems, I continued on. Long story short, I have been infected. I ran Spybot, AVG, Ad-Aware, Malwarebytes and, more recently, HouseCall. They all seemed to remove various nasties, and I thought I had got rid of it. TuneUp Utilities was helpful as well with regards to stopping the problem-causer starting up 70-odd new programs at computer startup. One thing that kept happening was Windows Explorer kept "encountering a problem and needs to close..."

However, last night a screen came up as a black box with red writing to the effect of "spyware detected, run spyware remover etc.". I shut down the laptop and ran HouseCall in Windows Safe Mode, which 10 hours later came back saying it had found PE TDSS.A and TROJ BURNIX.SMEP, and I wrote down usrini~1.exe but can't remember which one it related to.
Later on I ran Malwarebytes, which also found 2 problems. I have cleaned/quarantined/deleted them out of each program when asked. The computer is running better now, but I would really appreciate some help making sure there aren't any remnants I have missed, as I thought I had got rid of everything earlier as well! Sorry for the long story and thanks again. Logs attached, as well as a HijackThis log if it's any help.

PS: should I be wary of anything "attacking" an external hard drive I connected, after everything above, to back up before posting this?

DDS LOG



DDS (Ver_10-03-17.01) - NTFSx86
Run by at 22:27:36.07 on Tue 14/09/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.1022.355 [GMT 10:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Altiris\AClient\AClient.exe
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\AVG\AVG9\avgfws9.exe
C:\WINDOWS\system32\ccsrvc.exe
C:\Program Files\Altiris\Carbon Copy\shellker.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\PROGRA~1\Altiris\CARBON~1\client.exe
C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Altiris\AClient\AClntUsr.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\dllhost.exe
C:\Documents and Settings\Guy Shelton\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Guy Shelton\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Guy Shelton\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Guy Shelton\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Guy Shelton\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Guy Shelton\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.google.com.au/
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyServer = http=127.0.0.1:6092
uInternet Settings,ProxyOverride = <local>
mSearchAssistant = hxxp://www.google.com/ie
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\guy shelton\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [AClntUsr] c:\program files\altiris\aclient\AClntUsr.EXE
dRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
dRunOnce: [FFTI] c:\documents and settings\guy shelton\application data\mozilla\firefox\profiles\xctgjxne.default\extensions\{b13721c7-f507-4982-b2e5-502a71474fed}\unins000.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART
IE: &Search - ?p=ZUfox000
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {03A13D5D-2C8E-4C1A-970D-D6D07A4FE3D0} - hxxps://atlas.atlassolutions.com/dl/AtlasCtrl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1197345027643
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 208.67.220.220,208.67.222.222
TCP: {07B6AF3F-504D-42CF-B4AB-D59F68B35340} = 208.67.220.220,208.67.222.222
TCP: {44E4CF45-E603-4E15-9DFD-BF9C7056B202} = 208.67.220.220,208.67.222.222
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\guyshe~1\applic~1\mozilla\firefox\profiles\xctgjxne.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/
FF - prefs.js: network.proxy.type - 0
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - plugin: c:\documents and settings\guy shelton\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npvlc.dll
FF - plugin: c:\utilities\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\utilities\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\utilities\picasa3\npPicasa3.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {90E9F5EB-4C2D-4932-9CD5-B8D17147612E} - c:\documents and settings\guy shelton\local settings\application data\{90E9F5EB-4C2D-4932-9CD5-B8D17147612E}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [2010-1-17 25168]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2010-1-17 52872]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-1-17 216400]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-1-17 29584]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-1-17 243024]
R1 CCDevice;CCDevice;c:\windows\system32\drivers\CCDevice.sys [2007-5-29 9216]
R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [2008-6-19 55520]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [2008-6-19 42048]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-7-7 611664]
R2 avg9emc;AVG E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-7-16 921952]
R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-16 308136]
R2 avgfws9;AVG Firewall;c:\program files\avg\avg9\avgfws9.exe [2010-7-16 2331032]
R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\tuneup utilities 2010\TuneUpUtilitiesService32.exe [2010-7-6 1051968]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2010-1-17 30104]
R3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSDriver.sys [2010-1-17 122448]
R3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSFilter.sys [2010-1-17 30288]
R3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSShim.sys [2010-1-17 26192]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\tuneup utilities 2010\TuneUpUtilitiesDriver32.sys [2009-10-14 10064]
S2 AVGIDSAgent;AVG9IDSAgent;c:\program files\avg\avg9\identity protection\agent\bin\AVGIDSAgent.exe [2010-7-16 5897808]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2010-1-17 30104]
S3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\drivers\ivusb.sys --> c:\windows\system32\drivers\ivusb.sys [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]

=============== Created Last 30 ================


==================== Find3M ====================

2010-09-14 05:56:42 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2010-09-09 20:08:54 0 -c--a-w- c:\windows\system32\drivers\lvuvc.hs
2010-09-09 20:08:52 0 -c--a-w- c:\windows\system32\drivers\logiflt.iad
2010-07-15 23:39:36 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-06 11:57:50 30528 ----a-w- c:\windows\system32\TURegOpt.exe
2010-07-06 11:52:04 30016 ----a-w- c:\windows\system32\uxtuneup.dll
2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2005-11-15 05:32:22 3638 -c--a-r- c:\program files\common files\Altiris_Icon.ico
2008-06-24 00:25:58 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008062420080625\index.dat

============= FINISH: 22:28:21.87 ===============





HIJACKTHIS LOG

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:36:26 PM, on 14/09/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Altiris\AClient\AClient.exe
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\AVG\AVG9\avgfws9.exe
C:\WINDOWS\system32\ccsrvc.exe
C:\Program Files\Altiris\Carbon Copy\shellker.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\PROGRA~1\Altiris\CARBON~1\client.exe
C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Altiris\AClient\AClntUsr.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\dllhost.exe
C:\Documents and Settings\Guy Shelton\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Guy Shelton\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Guy Shelton\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Guy Shelton\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Guy Shelton\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Utilities\HijackThis.exe
C:\Documents and Settings\Guy Shelton\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6092
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [AClntUsr] C:\Program Files\Altiris\AClient\AClntUsr.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Guy Shelton\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [FFTI] C:\Documents and Settings\Guy Shelton\Application Data\Mozilla\Firefox\Profiles\xctgjxne.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\unins000.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [FFTI] C:\Documents and Settings\Guy Shelton\Application Data\Mozilla\Firefox\Profiles\xctgjxne.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\unins000.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART (User 'Default user')
O8 - Extra context menu item: &Search - ?p=ZUfox000
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {03A13D5D-2C8E-4C1A-970D-D6D07A4FE3D0} (FileMgr Class) - https://atlas.atlassolutions.com/dl/AtlasCtrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1197345027643
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{07B6AF3F-504D-42CF-B4AB-D59F68B35340}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{44E4CF45-E603-4E15-9DFD-BF9C7056B202}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{07B6AF3F-504D-42CF-B4AB-D59F68B35340}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - C:\Program Files\Altiris\AClient\AClient.exe
O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: AVG Firewall (avgfws9) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgfws9.exe
O23 - Service: AVG9IDSAgent (AVGIDSAgent) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Altiris Carbon Copy (CarbonCopy32) - Altiris - C:\WINDOWS\system32\ccsrvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\Program Files\TuneUp Utilities 2010\TuneUpDefragService.exe
O23 - Service: TuneUp Utilities Service (TuneUp.UtilitiesSvc) - TuneUp Software - C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe

--
End of file - 9407 bytes

Sorry, I also remember that last night the "program" Antivirus 2010 was on the computer as well, telling me all the problems I had and that it could fix them etc., which I just ignored. I never downloaded that either; I have only ever had AVG for antivirus.

Edited by sh0ckker, 14 September 2010 - 07:43 AM.

#2 Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:07:07 AM

Posted 20 September 2010 - 02:24 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Shannon

#3 sh0ckker (Topic Starter, Members, 19 posts)

Posted 21 September 2010 - 06:25 AM

Hi there and thanks for getting back to me.

Below is the dds log asked for.

i have another question regarding my computers security, is it safe to login to say email, ebay, internet banking, skype-anything that requires a password while I may still be infected with whatever i may have?

I think I covered most of what I had already done to remove the majority of the problems in my first post but please let me know if you would like more information.

In the week or so since posting I have run spybot s+d and malwarebytes, spybot came up with a microsoft.windows.disablefirewall (or something to that effect) and microsoft.windows.disablesystemrestore (or something to that effect).

I have tried 3 times to get a log from gmer but the first time it simply crashed the computer, 2nd time came back to find the computer hanging on just the desktop image with no icons and 3rd time went to save the log after it scanned for about an hour, then it just hung with the save box (the time on the computer kept up to date but I could not do anything else, tried ctrl+alt+del but no luck).

Thanks and regards.



DDS (Ver_10-03-17.01) - NTFSx86
Run by Guy Shelton at 12:28:26.14 on Tue 21/09/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.1022.498 [GMT 10:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Altiris\AClient\AClient.exe
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\AVG\AVG9\avgfws9.exe
C:\WINDOWS\system32\ccsrvc.exe
C:\Program Files\Altiris\Carbon Copy\shellker.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\PROGRA~1\Altiris\CARBON~1\client.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Altiris\AClient\AClntUsr.exe
C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe
C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe
C:\Documents and Settings\Guy Shelton\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.google.com.au/
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyServer = http=127.0.0.1:6092
uInternet Settings,ProxyOverride = <local>
mSearchAssistant = hxxp://www.google.com/ie
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\guy shelton\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [AClntUsr] c:\program files\altiris\aclient\AClntUsr.EXE
dRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
dRunOnce: [FFTI] c:\documents and settings\guy shelton\application data\mozilla\firefox\profiles\xctgjxne.default\extensions\{b13721c7-f507-4982-b2e5-502a71474fed}\unins000.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART
StartupFolder: c:\docume~1\guyshe~1\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi.exe
IE: &Search - ?p=ZUfox000
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {03A13D5D-2C8E-4C1A-970D-D6D07A4FE3D0} - hxxps://atlas.atlassolutions.com/dl/AtlasCtrl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1197345027643
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 208.67.220.220,208.67.222.222
TCP: {07B6AF3F-504D-42CF-B4AB-D59F68B35340} = 208.67.220.220,208.67.222.222
TCP: {44E4CF45-E603-4E15-9DFD-BF9C7056B202} = 208.67.220.220,208.67.222.222
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\guyshe~1\applic~1\mozilla\firefox\profiles\xctgjxne.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/
FF - prefs.js: network.proxy.type - 0
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - plugin: c:\documents and settings\guy shelton\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npvlc.dll
FF - plugin: c:\utilities\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\utilities\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\utilities\picasa3\npPicasa3.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {90E9F5EB-4C2D-4932-9CD5-B8D17147612E} - c:\documents and settings\guy shelton\local settings\application data\{90E9F5EB-4C2D-4932-9CD5-B8D17147612E}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [2010-1-17 25168]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2010-1-17 52872]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-1-17 216400]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-1-17 29584]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-1-17 243024]
R1 CCDevice;CCDevice;c:\windows\system32\drivers\CCDevice.sys [2007-5-29 9216]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-18 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-11 67656]
R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [2008-6-19 55520]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [2008-6-19 42048]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-7-7 611664]
R2 avg9emc;AVG E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-7-16 921952]
R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-16 308136]
R2 avgfws9;AVG Firewall;c:\program files\avg\avg9\avgfws9.exe [2010-7-16 2331032]
R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\tuneup utilities 2010\TuneUpUtilitiesService32.exe [2010-8-27 1051968]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2010-1-17 30104]
R3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSDriver.sys [2010-1-17 122448]
R3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSFilter.sys [2010-1-17 30288]
R3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSShim.sys [2010-1-17 26192]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\tuneup utilities 2010\TuneUpUtilitiesDriver32.sys [2009-10-14 10064]
S2 AVGIDSAgent;AVG9IDSAgent;c:\program files\avg\avg9\identity protection\agent\bin\AVGIDSAgent.exe [2010-7-16 5897808]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2010-1-17 30104]
S3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\drivers\ivusb.sys --> c:\windows\system32\drivers\ivusb.sys [?]
S3 pbfilter;pbfilter;c:\program files\peerblock\pbfilter.sys [2010-9-20 14424]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-7-8 14904]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]

=============== Created Last 30 ================

2010-09-20 12:11:50 0 d-----w- c:\program files\Secunia
2010-09-20 11:58:19 0 d-----w- c:\program files\PeerBlock
2010-09-18 11:12:00 0 d-----w- c:\docume~1\guyshe~1\applic~1\SUPERAntiSpyware.com
2010-09-18 11:12:00 0 d-----w- c:\docume~1\alluse~1.win\applic~1\SUPERAntiSpyware.com
2010-09-18 11:11:47 0 d-----w- c:\program files\SUPERAntiSpyware
2010-09-16 09:54:35 3255 ----a-w- c:\windows\system32\wbem\Outlook_01cb55852b2890e2.mof
2010-09-14 21:08:03 0 ----a-w- c:\documents and settings\guy shelton\defogger_reenable
2010-09-13 12:36:34 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-09-10 22:47:41 0 ----a-w- c:\windows\Yzeninaqaf.bin
2010-09-10 22:47:40 120 ----a-w- c:\windows\Rnolasaxogapog.dat
2010-09-10 22:46:41 0 d-sh--w- c:\documents and settings\guy shelton\.COMMgr
2010-09-10 22:44:38 0 d-----w- c:\docume~1\guyshe~1\applic~1\5B6DDA162E75C9D0D55A3C4B0EB53ABC

==================== Find3M ====================

2010-09-09 20:08:54 0 -c--a-w- c:\windows\system32\drivers\lvuvc.hs
2010-09-09 20:08:52 0 -c--a-w- c:\windows\system32\drivers\logiflt.iad
2010-08-27 13:02:10 30528 ----a-w- c:\windows\system32\TURegOpt.exe
2010-08-27 12:56:30 30016 ----a-w- c:\windows\system32\uxtuneup.dll
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-07-22 15:49:15 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57:20 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-07-15 23:39:36 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-06 11:52:04 30016 ----a-w- c:\windows\system32\uxt8D9.tmp
2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys
2005-11-15 05:32:22 3638 -c--a-r- c:\program files\common files\Altiris_Icon.ico
2008-06-24 00:25:58 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008062420080625\index.dat

============= FINISH: 12:29:11.94 ===============

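A small triage script for the DDS sections posted above, added here as an example (it is not part of the thread and not part of the DDS tool). It runs over constructed lines modelled on the log and flags the indicators a helper looks at first: the proxy pointing at the loopback address, files with random-looking names dropped directly under C:\WINDOWS, and the hidden system directory and hex-named folder created in the user profile, then reports how tightly those creations cluster in time.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the "Pseudo HJT Report" and "Created Last 30"
# entries in the DDS log above (not a verbatim copy of the log).
SAMPLE_LOG = r"""
uStart Page = hxxp://www.google.com.au/
uInternet Settings,ProxyServer = http=127.0.0.1:6092
uInternet Settings,ProxyOverride = <local>
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
TCP: NameServer = 208.67.220.220,208.67.222.222
2010-09-20 12:11:50 0 d-----w- c:\program files\Secunia
2010-09-13 12:36:34 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-09-10 22:47:41 0 ----a-w- c:\windows\Yzeninaqaf.bin
2010-09-10 22:47:40 120 ----a-w- c:\windows\Rnolasaxogapog.dat
2010-09-10 22:46:41 0 d-sh--w- c:\documents and settings\guy shelton\.COMMgr
2010-09-10 22:44:38 0 d-----w- c:\docume~1\guyshe~1\applic~1\5B6DDA162E75C9D0D55A3C4B0EB53ABC
"""

# A proxy on 127.0.0.1/localhost means browser traffic is routed through a
# local process; legitimate software rarely configures this system-wide.
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?:\w+=)?(127\.0\.0\.1|localhost):(\d+)", re.I)
# DDS "Created" lines: timestamp, size, 8-character attribute string, path.
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+(\S{8})\s+(.+)$")
HEX_NAME_RE = re.compile(r"^[0-9a-f]{32}$", re.I)
PAYLOAD_EXT = {".bin", ".dat", ".exe", ".dll", ".sys", ".tmp"}
PROFILE_ROOTS = ("c:\\documents and settings\\", "c:\\docume~1\\")


def check_proxy(line):
    """Flag a system proxy that points back at the local machine."""
    if PROXY_RE.search(line):
        return ("high", "loopback_proxy", line.strip())
    return None


def check_created(line):
    """Flag suspicious entries from the 'Created Last 30' section."""
    m = CREATED_RE.match(line)
    if not m:
        return None
    _ts, _size, attr, path = m.groups()
    low = path.lower()
    parent, _, name = low.rpartition("\\")
    is_dir = attr[0] == "d"
    hidden_system = attr[2] == "s" and attr[3] == "h"   # 'd-sh--w-' style
    ext = name[name.rfind("."):] if "." in name else ""
    # Files dropped straight into the Windows root are unusual for updates.
    if not is_dir and parent == "c:\\windows" and ext in PAYLOAD_EXT:
        return ("high", "root_windows_file", line.strip())
    # A new hidden+system directory inside a user profile hides a payload.
    if is_dir and hidden_system and low.startswith(PROFILE_ROOTS):
        return ("medium", "hidden_system_dir", line.strip())
    # Folders named with a 32-hex-digit string are a common dropper habit.
    if is_dir and HEX_NAME_RE.match(name):
        return ("medium", "hex_named_dir", line.strip())
    return None


def triage(log_text):
    """Return (severity, indicator, line) for every flagged log line."""
    findings = []
    for line in log_text.splitlines():
        for check in (check_proxy, check_created):
            hit = check(line)
            if hit:
                findings.append(hit)
                break
    return findings


def creation_window(findings):
    """Earliest and latest timestamp among flagged 'Created' entries, so the
    analyst can see whether they cluster around one moment (the infection)."""
    stamps = []
    for _sev, _ind, line in findings:
        m = CREATED_RE.match(line)
        if m:
            stamps.append(datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"))
    if not stamps:
        return None
    return min(stamps), max(stamps)


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for sev, ind, line in hits:
        print(f"[{sev:6}] {ind:18} {line}")
    lo, hi = creation_window(hits)
    print(f"flagged creations span {lo} .. {hi} ({(hi - lo).total_seconds():.0f} s)")
```

The heuristics are deliberately narrow; a clean machine produces no hits on these rules, and a hit is a reason to look closer, not a verdict.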



#4 Shannon2012 (Security Colleague, 3,657 posts, Gender: Male, Location: North Carolina, USA)

Posted 22 September 2010 - 01:51 PM

Hi-

Thank you for the logs. In answer to your question, "is it safe to login to say email, ebay, internet banking, skype-anything that requires a password while I may still be infected with whatever i may have?": you have at least one backdoor trojan and you should not log into anything while a backdoor trojan is on your system. A backdoor trojan allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you decide to continue -
  • Please download Rootkit Unhooker and save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers, Stealth. Uncheck the rest. then Click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.

  • Copy the entire contents of the report and paste it in your reply.
Note: you may get this warning; it is OK, just ignore it:
"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


Next, we need to create an OTL Report
  • Please download OTL from here:
  • Main Mirror
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Change the "Extra Registry" option to "Use SafeList"
  • Under the Custom Scan box paste in the contents of the CODE box.
    CODE
    netsvcs
    %SYSTEMDRIVE%\*.exe
    %ALLUSERSPROFILE%\Application Data\*.exe /s
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
  • Push the button.
  • Two reports will open, copy and paste them into your reply:
  • OTL.txt <-- Will be opened
  • Extra.txt <-- Will be minimized

In your reply, please copy in the RKU report and the two OTL reports.
Shannon

#5 sh0ckker (Topic Starter, Members, 19 posts)

Posted 23 September 2010 - 07:29 AM

Hi,

When I ran rootkit unhooker it came up with an info pane(?) saying the kernel module wasn't the same as the one it should be or something like that (sorry to be vague). Anyway the report is below.

Will this malware/trojan affect an external hard drive and if so what is the course of action to take? Will I need to format that and lose all info on it (it's 1 TB) or can I scan it?

I haven't logged into anything password based for fear of something like this happening, just wanted an expert opinion to be certain.

With regards to re-formatting the computer, I suppose I would just like as much help to clean it and your opinion at the end of what we are doing as to how well it has gone; however I am open to the option if there is still a significant risk. Better to be sure it's gone than an empty bank account (not that they'd get much!!)
But if reformatting, how safe are any files I require from the computer (such as music or movies or programs) to then backup and then re-install after renewing windows? Do those sort of files get infected or mainly system files deep in the computer? Sorry for 20 questions, might as well pick your brain while I have the opportunity! Thanks again for all of your help and advice, you guys do a great service.

Another thing, not sure if it helps: I was just looking through the OTL log and noticed on the 11th September these two entries at the time the computer was "attacked":

[2010/09/11 08:47:41 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Yzeninaqaf.bin
[2010/09/11 08:47:40 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Rnolasaxogapog.dat

And I noticed in my startup manager in tuneup utilities on the same date these programs assigned themselves to start automatically

jmajipej (.exe i think)
qlubovitgolop (also .exe)

Just some more pieces for the puzzle that might help


RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #2
==============================================
>Drivers
==============================================
0xAD37C000 C:\WINDOWS\system32\drivers\RtkHDAud.sys 4800512 bytes (Realtek Semiconductor Corp., Realtek® High Definition Audio Function Driver)
0xBF16C000 C:\WINDOWS\System32\ati3duag.dll 3137536 bytes (ATI Technologies Inc. , ati3duag.dll)
0xB9CCF000 C:\WINDOWS\system32\DRIVERS\ati2mtag.sys 2854912 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Miniport Driver)
0x804D7000 PnpManager 2400256 bytes
0x804D7000 RAW 2400256 bytes
0x804D7000 C:\WINDOWS\system32\TUKERNEL.EXE 2400256 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 WMIxWDM 2400256 bytes
0xB9A33000 C:\WINDOWS\system32\DRIVERS\NETw4x32.sys 2236416 bytes (Intel Corporation, Intel® Wireless WiFi Link Driver)
0xBF800000 Win32k 1855488 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1855488 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xBF46A000 C:\WINDOWS\System32\ativvaxx.dll 1605632 bytes (ATI Technologies Inc. , Radeon Video Acceleration Universal Driver)
0xF76B7000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xBF057000 C:\WINDOWS\System32\ati2cqag.dll 499712 bytes (ATI Technologies Inc., Central Memory Manager / Queue Server Module)
0xAD02D000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xBF0D1000 C:\WINDOWS\System32\atikvmag.dll 442368 bytes (ATI Technologies Inc., Virtual Command And Memory Manager)
0xB98E1000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xAD25C000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xA9FFE000 C:\WINDOWS\system32\DRIVERS\srv.sys 356352 bytes (Microsoft Corporation, Server driver)
0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xBF012000 C:\WINDOWS\System32\ati2dvag.dll 282624 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Display Driver)
0xAA285000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xB9C55000 C:\WINDOWS\system32\DRIVERS\e1e5132.sys 253952 bytes (Intel Corporation, Intel® PRO/1000 Adapter NDIS 5.2 deserialized driver)
0xAD222000 C:\WINDOWS\System32\Drivers\avgtdix.sys 237568 bytes (AVG Technologies CZ, s.r.o., AVG Network connection watcher)
0xACFF9000 C:\WINDOWS\System32\Drivers\avgldx86.sys 212992 bytes (AVG Technologies CZ, s.r.o., AVG AVI Loader Driver)
0xB993F000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xBF13D000 C:\WINDOWS\System32\atiok3x2.dll 192512 bytes (ATI Technologies Inc., Ring 0 x2 component)
0xF7807000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xF768A000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xA8C14000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xAD09D000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xAA713000 C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSDriver.sys 163840 bytes (AVG Technologies CZ, s.r.o. , IDS Application Activity Monitor Driver.)
0xB9C93000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 163840 bytes (Windows ® Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)
0xAD10C000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xF7793000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
0xAD1FC000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xA8C3F000 C:\WINDOWS\System32\Drivers\Fastfat.SYS 147456 bytes (Microsoft Corporation, Fast FAT File System Driver)
0xAD358000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xB9A0F000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xB99C4000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xAD0EA000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0xAD0C8000 C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS 139264 bytes (SUPERAdBlocker.com and SUPERAntiSpyware.com, SASKUTIL.SYS)
0x80721000 ACPI_HAL 134400 bytes
0x80721000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xF775B000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xF77B9000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xF77D8000 pcmcia.sys 122880 bytes (Microsoft Corporation, PCMCIA Bus Driver)
0xF7670000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xF777B000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xACFE1000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xF7744000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xB9980000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xAAB73000 C:\WINDOWS\system32\DRIVERS\irda.sys 90112 bytes (Microsoft Corporation, IRDA Protocol Driver)
0xAA60E000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xB99E7000 C:\WINDOWS\system32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)
0xB99FB000 C:\WINDOWS\system32\DRIVERS\sdbus.sys 81920 bytes (Microsoft Corporation, SecureDigital Bus Driver)
0xB9CBB000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xAD2B5000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xF77F6000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xB996F000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xF7996000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xA9695000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xB9FA8000 C:\WINDOWS\system32\DRIVERS\nic1394.sys 65536 bytes (Microsoft Corporation, IEEE1394 Ndis Miniport and Call Manager)
0xF7866000 ohci1394.sys 65536 bytes (Microsoft Corporation, 1394 OpenHCI Port Driver)
0xB9F98000 C:\WINDOWS\system32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
0xF78F6000 C:\WINDOWS\system32\DRIVERS\arp1394.sys 61440 bytes (Microsoft Corporation, IP/1394 Arp Client)
0xF7A56000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xA96B5000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xAA79B000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xF7A66000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xF7876000 C:\WINDOWS\system32\DRIVERS\1394BUS.SYS 57344 bytes (Microsoft Corporation, 1394 Bus Device Driver)
0xF78B6000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xF7906000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xF79A6000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xF7896000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xF78D6000 avgrkx86.sys 49152 bytes (AVG Technologies CZ, s.r.o., AVG Anti-Rootkit Driver)
0xF79C6000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xB9FF8000 C:\WINDOWS\system32\DRIVERS\VBoxDrv.sys 49152 bytes
0xB9FE8000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xA9F4E000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xF7886000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xF79B6000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xF79F6000 C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSFilter.sys 40960 bytes (AVG Technologies CZ, s.r.o. , IDS Application Activity Monitor Filter Driver.)
0xAAA8B000 C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys 40960 bytes (AVG Technologies CZ, s.r.o. , IDS Application Activity Monitor Loader Driver.)
0xF7856000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xF7A16000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xF79E6000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xF78E6000 AVGIDSxx.sys 36864 bytes (AVG Technologies CZ, s.r.o. , IDS Application Activity Monitor Helper Driver.)
0xF78A6000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xF7946000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xB9FB8000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xF79D6000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xBA018000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xA95C5000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xF78C6000 PxHelp20.sys 36864 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0xB9F88000 C:\WINDOWS\system32\DRIVERS\smcirda.sys 36864 bytes (SMC, SMC IrCC NDIS 5.0 IrDA FIR Device Driver)
0xB9FD8000 C:\WINDOWS\System32\Drivers\tcusb.sys 36864 bytes (UPEK Inc., TouchChip USB Kernel Driver)
0xBA008000 C:\WINDOWS\system32\DRIVERS\VBoxUSBMon.sys 36864 bytes (Sun Microsystems, Inc., VirtualBox USB Monitor Driver)
0xF7AC6000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xF7C4E000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xF7B0E000 C:\WINDOWS\system32\DRIVERS\usbccgp.sys 32768 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
0xF7BC6000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xF7BDE000 C:\WINDOWS\system32\DRIVERS\avgfwdx.sys 28672 bytes (AVG Technologies CZ, s.r.o., AVG Firewall intermediate miniport driver)
0xF7C5E000 C:\WINDOWS\System32\Drivers\CCDevice.SYS 28672 bytes (Altiris, Carbon Copy Kernel mode Driver)
0xF7C36000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xF7AD6000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xF7AEE000 C:\WINDOWS\System32\Drivers\avgmfx86.sys 24576 bytes (AVG Technologies CZ, s.r.o., AVG Resident Shield Minifilter Driver)
0xF7BCE000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xF7BD6000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xF7C56000 C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS 24576 bytes (SUPERAdBlocker.com and SUPERAntiSpyware.com, SASDIFSV.SYS)
0xF7BBE000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xF7C3E000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xF7B46000 C:\WINDOWS\system32\Drivers\LVPr2Mon.sys 20480 bytes (-, -)
0xF7C46000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xF7ADE000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xF7BFE000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xF7BEE000 C:\WINDOWS\system32\DRIVERS\rasirda.sys 20480 bytes (Microsoft Corporation, IrDA WAN Miniport Driver)
0xF7C06000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xF7BF6000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xF7B3E000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xF7C6E000 C:\WINDOWS\system32\DRIVERS\BATTC.SYS 16384 bytes (Microsoft Corporation, Battery Class Driver)
0xF7D42000 C:\WINDOWS\system32\DRIVERS\CmBatt.sys 16384 bytes (Microsoft Corporation, Control Method Battery Driver)
0xBA36C000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xAACA9000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xF7D46000 C:\WINDOWS\system32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
0xF7C72000 ACPIEC.sys 12288 bytes (Microsoft Corporation, ACPI Embedded Controller Driver)
0xF7C66000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xF7C6A000 compbatt.sys 12288 bytes (Microsoft Corporation, Composite Battery Driver)
0xAD2F0000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xAD354000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xF7D4A000 C:\WINDOWS\system32\DRIVERS\irenum.sys 12288 bytes (Microsoft Corporation, Infra-Red Bus Enumerator)
0xAD350000 C:\WINDOWS\system32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xF7638000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xF7648000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xF7DD2000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xF7D5A000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)
0xF7DEE000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xF7DD0000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xF7D98000 C:\WINDOWS\System32\Drivers\hiber_WMILIB.SYS 8192 bytes
0xF7D56000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xF7DD4000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xF7DE0000 C:\WINDOWS\System32\Drivers\ParVdm.SYS 8192 bytes (Microsoft Corporation, VDM Parallel Driver)
0xF7D6C000 C:\WINDOWS\system32\DRIVERS\psi_mf.sys 8192 bytes (Secunia, Secunia PSI Driver)
0xF7DD6000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xF7D9C000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xF7DBC000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xF7D58000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xF7F36000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xF7EBD000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xF7F8B000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xF7E1F000 C:\WINDOWS\system32\DRIVERS\OPRGHDLR.SYS 4096 bytes (Microsoft Corporation, ACPI Operation Registration Driver)
0xF7E1E000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
0xF7ECC000 C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys 4096 bytes (TuneUp Software, TuneUp Utilities Driver)
==============================================
>Stealth
==============================================
0x05430000 Hidden Image-->CLI.Aspect.Radeon3D.Graphics.Wizard.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 102400 bytes
0x00CC0000 Hidden Image-->MOM.Implementation.DLL [ EPROCESS 0x84E42DA0 ] PID: 3212, 110592 bytes
0x03880000 Hidden Image-->MOM.Implementation.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 110592 bytes
0x066E0000 Hidden Image-->CLI.Aspect.VPURecover.Graphics.Dashboard.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 110592 bytes
0x06750000 Hidden Image-->CLI.Aspect.Grid.HydraVision.Dashboard.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 118784 bytes
0x06260000 Hidden Image-->CLI.Aspect.DisplaysOptions.Graphics.Dashboard.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 126976 bytes
0x06180000 Hidden Image-->CLI.Aspect.Welcome.Graphics.Dashboard.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 143360 bytes
0x05EE0000 Hidden Image-->CLI.Component.Dashboard.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 1519616 bytes
0x05B70000 Hidden Image-->CLI.Aspect.DisplaysManager.Graphics.Wizard.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 1683456 bytes
0x066A0000 Hidden Image-->CLI.Aspect.PowerPlay3.Graphics.Dashboard.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 176128 bytes
0x05AF0000 Hidden Image-->CLI.Aspect.InfoCentre.Graphics.Wizard.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 208896 bytes
0x061B0000 Hidden Image-->CLI.Aspect.InfoCentre.Graphics.Dashboard.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 225280 bytes
0x04880000 Hidden Image-->CLI.Caste.Graphics.Runtime.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 258048 bytes
0x00E90000 Hidden Image-->MOM.Foundation.DLL [ EPROCESS 0x84E42DA0 ] PID: 3212, 28672 bytes
0x01110000 Hidden Image-->LOG.Foundation.Implementation.Private.DLL [ EPROCESS 0x84E42DA0 ] PID: 3212, 28672 bytes
0x048E0000 Hidden Image-->DEM.OS.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 28672 bytes
0x00D40000 Hidden Image-->MOM.Foundation.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 28672 bytes
0x00D60000 Hidden Image-->LOG.Foundation.Implementation.Private.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 28672 bytes
0x03A50000 Hidden Image-->CLI.Component.Runtime.Shared.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 28672 bytes
0x03AA0000 Hidden Image-->CLI.Component.Runtime.Extension.EEU.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 28672 bytes
0x03AE0000 Hidden Image-->AEM.Plugin.EEU.Shared.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 28672 bytes
0x03BF0000 Hidden Image-->AEM.Server.Shared.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 28672 bytes
0x03C30000 Hidden Image-->AEM.Plugin.DPPE.Shared.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 28672 bytes
0x03C50000 Hidden Image-->AEM.Plugin.Hotkeys.Shared.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 28672 bytes
0x03C90000 Hidden Image-->DEM.Graphics.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 28672 bytes
0x03C80000 Hidden Image-->DEM.Foundation.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 28672 bytes
0x04810000 Hidden Image-->CLI.Caste.HydraVision.Shared.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 28672 bytes
0x04840000 Hidden Image-->AEM.Actions.CCAA.Shared.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 28672 bytes
0x048D0000 Hidden Image-->DEM.OS.I0602.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 28672 bytes
0x04910000 Hidden Image-->AEM.Plugin.GD.Shared.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 28672 bytes
0x04D90000 Hidden Image-->CLI.Aspect.HotkeysHandling.Graphics.Runtime.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 28672 bytes
0x04DA0000 Hidden Image-->CLI.Aspect.HotkeysHandling.Graphics.Shared.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 28672 bytes
0x04EF0000 Hidden Image-->CLI.Caste.Graphics.Runtime.Shared.Private.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 28672 bytes
0x04F40000 Hidden Image-->DEM.Graphics.I0706.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 28672 bytes
0x050E0000 Hidden Image-->CLI.Aspect.VPURecover.Graphics.Shared.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 28672 bytes
0x05310000 Hidden Image-->APM.Foundation.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 28672 bytes
0x05380000 Hidden Image-->CLI.Caste.Graphics.Wizard.Shared.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 28672 bytes
0x05530000 Hidden Image-->CLI.Component.Dashboard.Shared.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 28672 bytes
0x05540000 Hidden Image-->CLI.Component.Dashboard.Shared.Private.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 28672 bytes
0x05550000 Hidden Image-->CLI.Caste.Graphics.Dashboard.Shared.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 28672 bytes
0x05890000 Hidden Image-->LOCALIZATION.Foundation.Private.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 28672 bytes
0x058A0000 Hidden Image-->CLI.Component.Client.Shared.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 28672 bytes
0x059C0000 Hidden Image-->CLI.Component.Wizard.Shared.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 28672 bytes
0x05E70000 Hidden Image-->atixclib.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 28672 bytes
0x06720000 Hidden Image-->CLI.Caste.HydraVision.Dashboard.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 28672 bytes
0x01130000 Hidden Image-->System.Runtime.Remoting.dll [ EPROCESS 0x84E42DA0 ] PID: 3212, 307200 bytes
0x00DA0000 Hidden Image-->System.Runtime.Remoting.dll [ EPROCESS 0x84FC5020 ] PID: 1608, 307200 bytes
0x054E0000 Hidden Image-->CLI.Aspect.DeviceLCD.Graphics.Wizard.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 315392 bytes
0x06460000 Hidden Image-->CLI.Aspect.DeviceDFP.Graphics.Dashboard.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 339968 bytes
0x064C0000 Hidden Image-->CLI.Aspect.Radeon3D.Graphics.Dashboard.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 364544 bytes
0x01230000 Hidden Image-->NEWAEM.Foundation.DLL [ EPROCESS 0x84E42DA0 ] PID: 3212, 36864 bytes
0x038A0000 Hidden Image-->CLI.Foundation.XManifest.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 36864 bytes
0x03AB0000 Hidden Image-->AEM.Foundation.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 36864 bytes
0x03A80000 Hidden Image-->NEWAEM.Foundation.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 36864 bytes
0x047F0000 Hidden Image-->CLI.Caste.HydraVision.Runtime.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 36864 bytes
0x048C0000 Hidden Image-->ACE.Graphics.DisplaysManager.Shared.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 36864 bytes
0x04F10000 Hidden Image-->CLI.Aspect.CustomFormats.Graphics.Shared.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 36864 bytes
0x05080000 Hidden Image-->CLI.Aspect.DeviceLCD.Graphics.Shared.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 36864 bytes
0x05010000 Hidden Image-->CLI.Aspect.DisplaysOptions.Graphics.Shared.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 36864 bytes
0x04FE0000 Hidden Image-->CLI.Aspect.DisplaysColour2.Graphics.Shared.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 36864 bytes
0x050D0000 Hidden Image-->CLI.Aspect.VPURecover.Graphics.Runtime.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 36864 bytes
0x051C0000 Hidden Image-->CLI.Aspect.PowerPlay3.Graphics.Shared.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 36864 bytes
0x05370000 Hidden Image-->CLI.Component.Wizard.Shared.Private.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 36864 bytes
0x059D0000 Hidden Image-->LOCALIZATION.Foundation.Implementation.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 36864 bytes
0x03CB0000 Hidden Image-->ATIDEMGX.dll [ EPROCESS 0x84FC5020 ] PID: 1608, 372736 bytes
0x05E80000 Hidden Image-->CLI.Aspect.DeviceTV.Graphics.Wizard.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 372736 bytes
0x03D20000 Hidden Image-->System.Management.dll [ EPROCESS 0x84FC5020 ] PID: 1608, 380928 bytes
0x05460000 Hidden Image-->CLI.Aspect.MMVideo.Graphics.Wizard.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 413696 bytes
0x06300000 Hidden Image-->CLI.Aspect.DeviceLCD.Graphics.Dashboard.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 413696 bytes
0x061F0000 Hidden Image-->CLI.Aspect.DisplaysManager.Graphics.Dashboard.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 446464 bytes
0x00CF0000 Hidden Image-->LOG.Foundation.DLL [ EPROCESS 0x84E42DA0 ] PID: 3212, 45056 bytes
0x00D60000 Hidden Image-->LOG.Foundation.Private.DLL [ EPROCESS 0x84E42DA0 ] PID: 3212, 45056 bytes
0x00D10000 Hidden Image-->CCC.Implementation.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 45056 bytes
0x00D30000 Hidden Image-->LOG.Foundation.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 45056 bytes
0x00E00000 Hidden Image-->LOG.Foundation.Private.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 45056 bytes
0x03A60000 Hidden Image-->ATICCCom.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 45056 bytes
0x04F50000 Hidden Image-->CLI.Aspect.DeviceProperty.Graphics.Shared.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 45056 bytes
0x04F20000 Hidden Image-->CLI.Aspect.DeviceProperty.Graphics.Runtime.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 45056 bytes
0x05000000 Hidden Image-->CLI.Aspect.DisplaysOptions.Graphics.Runtime.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 45056 bytes
0x05070000 Hidden Image-->CLI.Aspect.DeviceLCD.Graphics.Runtime.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 45056 bytes
0x05660000 Hidden Image-->CLI.Component.Systemtray.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 471040 bytes
0x057F0000 Hidden Image-->CLI.Component.Wizard.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 479232 bytes
0x06280000 Hidden Image-->CLI.Aspect.DeviceCRT.Graphics.Dashboard.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 487424 bytes
0x053B0000 Hidden Image-->CLI.Aspect.TransCode.Graphics.Wizard.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 495616 bytes
0x01210000 Hidden Image-->AEM.Server.DLL [ EPROCESS 0x84E42DA0 ] PID: 3212, 53248 bytes
0x03920000 Hidden Image-->CLI.Component.Runtime.Shared.Private.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 53248 bytes
0x03930000 Hidden Image-->CLI.Foundation.Private.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 53248 bytes
0x03A70000 Hidden Image-->AEM.Server.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 53248 bytes
0x03C10000 Hidden Image-->AEM.Plugin.Source.Kit.Server.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 53248 bytes
0x03C70000 Hidden Image-->DEM.Graphics.I0601.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 53248 bytes
0x04FD0000 Hidden Image-->CLI.Aspect.DisplaysColour2.Graphics.Runtime.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 53248 bytes
0x04F00000 Hidden Image-->CLI.Aspect.DeviceCV.Graphics.Shared.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 53248 bytes
0x05020000 Hidden Image-->CLI.Aspect.DeviceCRT.Graphics.Runtime.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 53248 bytes
0x050B0000 Hidden Image-->CLI.Aspect.DeviceDFP.Graphics.Shared.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 53248 bytes
0x05190000 Hidden Image-->CLI.Aspect.MMVideo.Graphics.Shared.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 53248 bytes
0x05360000 Hidden Image-->CLI.Caste.Graphics.Wizard.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 53248 bytes
0x056E0000 Hidden Image-->CLI.Component.Client.Shared.Private.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 53248 bytes
0x05B50000 Hidden Image-->CLI.Aspect.TransCode.Graphics.Shared.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 53248 bytes
0xF793C090 Unknown thread object [ ETHREAD 0x8723C020 ] , 600 bytes
0x06530000 Hidden Image-->CLI.Aspect.DisplaysColour2.Graphics.Dashboard.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 602112 bytes
0x05300000 Hidden Image-->APM.Server.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 61440 bytes
0x00D50000 Hidden Image-->CLI.Foundation.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 61440 bytes
0x05030000 Hidden Image-->CLI.Aspect.DeviceCRT.Graphics.Shared.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 61440 bytes
0x050F0000 Hidden Image-->CLI.Aspect.Radeon3D.Graphics.Shared.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 61440 bytes
0x051B0000 Hidden Image-->CLI.Aspect.PowerPlay3.Graphics.Runtime.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 61440 bytes
0x00D70000 Hidden Image-->LOG.Foundation.Implementation.DLL [ EPROCESS 0x84E42DA0 ] PID: 3212, 69632 bytes
0x00D70000 Hidden Image-->LOG.Foundation.Implementation.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 69632 bytes
0x04860000 Hidden Image-->CLI.Caste.Graphics.Shared.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 69632 bytes
0x05090000 Hidden Image-->CLI.Aspect.DeviceDFP.Graphics.Runtime.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 69632 bytes
0x05110000 Hidden Image-->CLI.Aspect.Radeon3D.Graphics.Runtime.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 69632 bytes
0x04920000 Hidden Image-->ATIDEMOS.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 77824 bytes
0x04ED0000 Hidden Image-->CLI.Aspect.DeviceCV.Graphics.Runtime.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 77824 bytes
0x04F90000 Hidden Image-->CLI.Aspect.DeviceTV.Graphics.Shared.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 77824 bytes
0x05160000 Hidden Image-->CLI.Aspect.MMVideo.Graphics.Runtime.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 77824 bytes
0x065D0000 Hidden Image-->CLI.Aspect.MMVideo.Graphics.Dashboard.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 806912 bytes
0x03900000 Hidden Image-->CLI.Component.Runtime.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 86016 bytes
0x04F60000 Hidden Image-->CLI.Aspect.DeviceTV.Graphics.Runtime.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 86016 bytes
0x06160000 Hidden Image-->CLI.Caste.Graphics.Dashboard.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 86016 bytes
0x06370000 Hidden Image-->CLI.Aspect.DeviceTV.Graphics.Dashboard.DLL [ EPROCESS 0x84FC5020 ] PID: 1608, 913408 bytes


!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)

+++++++++++================+++++++++++++++++++====================++++++++++++++++++

OTL logfile created on: 23/09/2010 9:33:06 PM - Run 1
OTL by OldTimer - Version 3.2.14.1 Folder = C:\Documents and Settings\Guy Shelton\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000C09 | Country: Australia | Language: ENA | Date Format: d/MM/yyyy

1,022.00 Mb Total Physical Memory | 358.00 Mb Available Physical Memory | 35.00% Memory free
3.00 Gb Paging File | 2.00 Gb Available in Paging File | 72.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 87.62 Gb Total Space | 32.28 Gb Free Space | 36.85% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: EMITCH-0B853313
Current User Name: Guy Shelton
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/09/23 21:27:14 | 002,065,760 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgtray.exe
PRC - [2010/09/23 21:22:12 | 000,621,920 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgnsx.exe
PRC - [2010/09/23 21:20:18 | 002,331,544 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgfws9.exe
PRC - [2010/09/23 21:16:54 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Guy Shelton\Desktop\OTL.exe
PRC - [2010/09/21 21:14:47 | 000,184,320 | ---- | M] () -- C:\Program Files\Altiris\AClient\AClntUsr.EXE
PRC - [2010/09/17 09:01:42 | 000,975,928 | ---- | M] (Google Inc.) -- C:\Documents and Settings\Guy Shelton\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
PRC - [2010/09/11 02:20:20 | 002,424,560 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
PRC - [2010/08/27 23:01:24 | 000,743,232 | ---- | M] (TuneUp Software) -- C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe
PRC - [2010/08/27 22:59:38 | 001,051,968 | ---- | M] (TuneUp Software) -- C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe
PRC - [2010/07/21 21:43:54 | 000,965,176 | ---- | M] (Secunia) -- C:\Program Files\Secunia\PSI\psi.exe
PRC - [2010/07/21 09:40:19 | 000,921,952 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgemc.exe
PRC - [2010/07/16 09:39:36 | 000,515,424 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgrsx.exe
PRC - [2010/07/16 09:39:31 | 000,308,136 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe
PRC - [2010/07/16 09:38:04 | 000,723,296 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgcsrvx.exe
PRC - [2010/07/16 09:38:02 | 001,101,152 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgchsvx.exe
PRC - [2010/06/30 11:35:16 | 000,286,720 | ---- | M] () -- C:\Program Files\Orb Networks\Orb\bin\OrbjetManager.exe
PRC - [2010/06/30 11:34:50 | 000,198,144 | ---- | M] (Orb Networks, Inc.) -- C:\Program Files\Orb Networks\Orb\bin\Orb.exe
PRC - [2009/10/07 01:47:34 | 000,154,136 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
PRC - [2008/07/07 08:15:18 | 000,611,664 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
PRC - [2008/04/19 01:09:00 | 005,169,228 | ---- | M] (Altiris, Inc.) -- C:\Program Files\Altiris\AClient\ACLIENT.EXE
PRC - [2008/04/14 10:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/01/31 13:09:29 | 001,277,952 | ---- | M] (Altiris, Inc.) -- C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
PRC - [2007/05/29 19:13:16 | 001,437,696 | ---- | M] (Altiris) -- C:\Program Files\Altiris\Carbon Copy\Client.exe
PRC - [2007/05/29 19:13:16 | 000,724,992 | ---- | M] (Altiris) -- C:\Program Files\Altiris\Carbon Copy\ShellKer.exe
PRC - [2007/05/29 18:52:10 | 000,049,152 | ---- | M] (Altiris) -- C:\WINDOWS\system32\CCSRVC.exe
PRC - [2007/01/31 13:55:42 | 000,096,370 | ---- | M] (Canon Inc.) -- C:\Program Files\Canon\CAL\CALMAIN.exe
PRC - [2002/04/11 23:00:00 | 000,057,344 | ---- | M] (brother Industries Ltd) -- C:\WINDOWS\system32\brsvc01a.exe
PRC - [2001/12/12 23:01:00 | 000,045,056 | ---- | M] (brother Industries Ltd) -- C:\WINDOWS\system32\brss01a.exe


========== Modules (SafeList) ==========

MOD - [2010/09/23 21:16:54 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Guy Shelton\Desktop\OTL.exe
MOD - [2008/04/14 10:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - [2010/09/23 21:20:18 | 002,331,544 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgfws9.exe -- (avgfws9)
SRV - [2010/09/20 22:05:46 | 000,435,008 | ---- | M] (TuneUp Software) [On_Demand | Stopped] -- C:\Program Files\TuneUp Utilities 2010\TuneUpDefragService.exe -- (TuneUp.Defrag)
SRV - [2010/08/27 22:59:38 | 001,051,968 | ---- | M] (TuneUp Software) [Auto | Running] -- C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe -- (TuneUp.UtilitiesSvc)
SRV - [2010/08/27 22:56:30 | 000,030,016 | ---- | M] (TuneUp Software) [Auto | Running] -- C:\WINDOWS\system32\uxtuneup.dll -- (UxTuneUp)
SRV - [2010/07/21 09:40:19 | 000,921,952 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgemc.exe -- (avg9emc)
SRV - [2010/07/16 09:39:31 | 000,308,136 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgwdsvc.exe -- (avg9wd)
SRV - [2010/07/16 09:39:19 | 005,897,808 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Stopped] -- C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe -- (AVGIDSAgent)
SRV - [2009/10/07 01:47:34 | 000,154,136 | ---- | M] (Logitech Inc.) [Auto | Running] -- C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe -- (LVPrcSrv)
SRV - [2008/07/07 08:15:18 | 000,611,664 | ---- | M] (Lavasoft) [Auto | Running] -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe -- (aawservice)
SRV - [2008/04/19 01:09:00 | 005,169,228 | ---- | M] (Altiris, Inc.) [Auto | Running] -- C:\Program Files\Altiris\AClient\AClient.exe -- (AClient)
SRV - [2008/01/31 13:09:29 | 001,277,952 | ---- | M] (Altiris, Inc.) [Auto | Running] -- C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe -- (AeXNSClient)
SRV - [2007/10/25 14:27:54 | 000,266,240 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe -- (WLSetupSvc)
SRV - [2007/05/29 18:52:10 | 000,049,152 | ---- | M] (Altiris) [Auto | Running] -- C:\WINDOWS\system32\CCSRVC.exe -- (CarbonCopy32)
SRV - [2007/01/31 13:55:42 | 000,096,370 | ---- | M] (Canon Inc.) [Auto | Running] -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8)
SRV - [2002/04/11 23:00:00 | 000,057,344 | ---- | M] (brother Industries Ltd) [Auto | Running] -- C:\WINDOWS\system32\brsvc01a.exe -- (Brother XP spl Service)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\ivusb.sys -- (ivusb)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\ewusbmdm.sys -- (hwdatacard)
DRV - [2010/07/16 09:39:40 | 000,243,024 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgtdix.sys -- (AvgTdiX)
DRV - [2010/07/16 09:39:23 | 000,030,288 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSFilter.sys -- (AVGIDSFilterxpx)
DRV - [2010/07/16 09:39:23 | 000,026,192 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys -- (AVGIDSShimxpx)
DRV - [2010/07/16 09:39:23 | 000,025,168 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\AVGIDSxx.sys -- (AVGIDSErHrxpx)
DRV - [2010/07/16 09:39:22 | 000,122,448 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSDriver.sys -- (AVGIDSDriverxpx)
DRV - [2010/07/16 09:38:04 | 000,216,400 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgldx86.sys -- (AvgLdx86)
DRV - [2010/07/08 00:05:32 | 000,014,904 | ---- | M] (Secunia) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\psi_mf.sys -- (PSI)
DRV - [2010/06/06 21:54:15 | 000,029,584 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\System32\Drivers\avgmfx86.sys -- (AvgMfx86)
DRV - [2010/05/11 04:41:30 | 000,067,656 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010/03/17 07:25:34 | 000,052,872 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\WINDOWS\System32\Drivers\avgrkx86.sys -- (AvgRkx86)
DRV - [2010/02/18 04:25:48 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2010/01/17 21:55:13 | 000,030,104 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\avgfwdx.sys -- (Avgfwfd)
DRV - [2010/01/17 21:55:13 | 000,030,104 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\avgfwdx.sys -- (Avgfwdx)
DRV - [2010/01/03 20:36:28 | 000,002,401 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\AlKernel.sys -- (AlKernel)
DRV - [2009/10/14 06:24:44 | 000,010,064 | ---- | M] (TuneUp Software) [Kernel | On_Demand | Running] -- C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys -- (TuneUpUtilitiesDrv)
DRV - [2009/10/07 18:49:50 | 000,023,832 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lvuvcflt.sys -- (FilterService)
DRV - [2009/10/07 18:49:38 | 006,756,632 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lvuvc.sys -- (LVUVC) Logitech QuickCam Pro 9000(UVC)
DRV - [2009/10/07 18:47:54 | 000,266,008 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lvrs.sys -- (LVRS)
DRV - [2009/10/07 01:46:36 | 000,025,752 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LVPr2Mon.sys -- (LVPr2Mon)
DRV - [2009/09/28 02:02:44 | 000,014,424 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\PeerBlock\pbfilter.sys -- (pbfilter)
DRV - [2009/05/09 00:14:20 | 000,014,736 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nuidfltr.sys -- (NuidFltr)
DRV - [2008/07/27 01:26:20 | 000,041,752 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LVUSBSta.sys -- (LVUSBSta)
DRV - [2008/05/31 01:42:54 | 000,042,048 | ---- | M] (Sun Microsystems, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\VBoxUSBMon.sys -- (VBoxUSBMon)
DRV - [2008/05/31 01:42:46 | 000,055,520 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\VBoxDrv.sys -- (VBoxDrv)
DRV - [2008/05/06 16:06:00 | 000,011,520 | ---- | M] (Western Digital Technologies) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wdcsam.sys -- (WDC_SAM)
DRV - [2008/04/14 04:45:12 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/04/14 02:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2007/12/20 14:32:52 | 002,236,032 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NETw4x32.sys -- (NETw4x32) Intel®
DRV - [2007/11/14 16:14:02 | 004,625,408 | R--- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2007/11/02 15:52:04 | 002,644,480 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2007/10/12 11:59:12 | 001,920,920 | R--- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lvpopflt.sys -- (lvpopflt)
DRV - [2007/09/10 11:34:40 | 000,030,816 | ---- | M] (Intel Corporation ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\iqvw32.sys -- (NAL)
DRV - [2007/08/30 11:07:22 | 000,242,320 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\e1e5132.sys -- (e1express) Intel®
DRV - [2007/05/29 18:55:50 | 000,009,216 | ---- | M] (Altiris) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\CCDevice.sys -- (CCDevice)
DRV - [2007/03/08 17:41:42 | 000,040,848 | ---- | M] (UPEK Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tcusb.sys -- (TcUsb)
DRV - [2007/02/04 04:27:55 | 000,490,784 | R--- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LV561AV.SYS -- (PID_0928) Logitech QuickCam Express(PID_0928)
DRV - [2004/10/15 12:50:20 | 000,015,295 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BrScnUsb.sys -- (BrScnUsb)
DRV - [2001/08/17 22:10:28 | 000,035,913 | ---- | M] (SMC) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\smcirda.sys -- (SMCIRDA)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1547161642-2139871995-725345543-1009\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-1547161642-2139871995-725345543-1009\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com.au/
IE - HKU\S-1-5-21-1547161642-2139871995-725345543-1009\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1547161642-2139871995-725345543-1009\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\S-1-5-21-1547161642-2139871995-725345543-1009\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6092

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.com.au/"
FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:9.0.0.845
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {66E978CD-981F-47DF-AC42-E3CF417C1467}:0.4.2
FF - prefs.js..extensions.enabledItems: {73a6fe31-595d-460b-a920-fcc0f8843232}:2.0.3
FF - prefs.js..extensions.enabledItems: {AB2CE124-6272-4b12-94A9-7303C7397BD1}:4.2.0.5198
FF - prefs.js..extensions.enabledItems: {90E9F5EB-4C2D-4932-9CD5-B8D17147612E}:1.9.1
FF - prefs.js..network.proxy.type: 0


FF - HKLM\software\mozilla\Firefox\extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG9\Firefox [2010/09/23 21:23:03 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{90E9F5EB-4C2D-4932-9CD5-B8D17147612E}: C:\Documents and Settings\Guy Shelton\Local Settings\Application Data\{90E9F5EB-4C2D-4932-9CD5-B8D17147612E} [2010/09/11 08:47:32 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/09/12 19:48:56 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/09/12 19:48:56 | 000,000,000 | ---D | M]

[2008/08/13 21:04:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Guy Shelton\Application Data\Mozilla\Extensions
[2010/09/20 22:26:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Guy Shelton\Application Data\Mozilla\Firefox\Profiles\xctgjxne.default\extensions
[2010/09/20 22:26:41 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Guy Shelton\Application Data\Mozilla\Firefox\Profiles\xctgjxne.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/01/21 19:57:56 | 000,000,000 | ---D | M] (New Tab Homepage) -- C:\Documents and Settings\Guy Shelton\Application Data\Mozilla\Firefox\Profiles\xctgjxne.default\extensions\{66E978CD-981F-47DF-AC42-E3CF417C1467}
[2010/09/20 22:26:41 | 000,000,000 | ---D | M] (NoScript) -- C:\Documents and Settings\Guy Shelton\Application Data\Mozilla\Firefox\Profiles\xctgjxne.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
[2010/09/20 22:26:52 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/04/29 17:23:46 | 000,000,000 | ---D | M] (Skype extension for Firefox) -- C:\Program Files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
[2005/06/26 01:08:08 | 006,153,728 | ---- | M] (VideoLAN Team) -- C:\Program Files\Mozilla Firefox\plugins\npvlc.dll
[2010/09/12 19:48:49 | 000,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml
[2010/09/12 19:48:49 | 000,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml
[2010/09/12 19:48:49 | 000,000,769 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml
[2010/09/12 19:48:49 | 000,001,135 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2001/08/23 22:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [AVG9_TRAY] C:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe ()
O4 - HKU\S-1-5-21-1547161642-2139871995-725345543-1009..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O4 - HKU\.DEFAULT..\RunOnce: [FFTI] C:\Documents and Settings\Guy Shelton\Application Data\Mozilla\Firefox\Profiles\xctgjxne.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\unins000.exe File not found
O4 - HKU\S-1-5-18..\RunOnce: [FFTI] C:\Documents and Settings\Guy Shelton\Application Data\Mozilla\Firefox\Profiles\xctgjxne.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\unins000.exe File not found
O4 - Startup: C:\Documents and Settings\Guy Shelton\Start Menu\Programs\Startup\Secunia PSI.lnk = C:\Program Files\Secunia\PSI\psi.exe (Secunia)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1547161642-2139871995-725345543-1009\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O12 - Plugin for: .spop - C:\Program Files\Internet Explorer\PLUGINS\NPDocBox.dll (InterTrust Technologies Corporation, Inc.)
O16 - DPF: {03A13D5D-2C8E-4C1A-970D-D6D07A4FE3D0} https://atlas.atlassolutions.com/dl/AtlasCtrl.cab (FileMgr Class)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/...b?1197345027643 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O24 - Desktop WallPaper: C:\Documents and Settings\Guy Shelton\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Guy Shelton\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/12/11 11:24:11 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{449f6cd2-6016-11df-8c68-0019d2611bca}\Shell - "" = AutoRun
O33 - MountPoints2\{449f6cd2-6016-11df-8c68-0019d2611bca}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{449f6cd2-6016-11df-8c68-0019d2611bca}\Shell\AutoRun\command - "" = E:\WD SmartWare.exe -- File not found
O33 - MountPoints2\{554a87fb-5008-11df-8c5d-0019d2611bca}\Shell - "" = AutoRun
O33 - MountPoints2\{554a87fb-5008-11df-8c5d-0019d2611bca}\Shell\1\Command - "" = F:\Recycled.exe -- File not found
O33 - MountPoints2\{554a87fb-5008-11df-8c5d-0019d2611bca}\Shell\2\Command - "" = F:\Recycled.exe -- File not found
O33 - MountPoints2\{554a87fb-5008-11df-8c5d-0019d2611bca}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{7da84a02-5fc5-11df-8c67-0019d2611bca}\Shell - "" = AutoRun
O33 - MountPoints2\{7da84a02-5fc5-11df-8c67-0019d2611bca}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{7da84a02-5fc5-11df-8c67-0019d2611bca}\Shell\AutoRun\command - "" = E:\WD SmartWare.exe -- File not found
O33 - MountPoints2\{fcb43223-fa97-11dd-8bfc-0019d2611bca}\Shell\AutoRun\command - "" = E:\wd_windows_tools\setup.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: UxTuneUp - C:\WINDOWS\system32\uxtuneup.dll (TuneUp Software)
NetSvcs: WmdmPmSp - File not found
Unable to start service SrService!

========== Files/Folders - Created Within 30 Days ==========

[2010/09/23 21:16:47 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Guy Shelton\Desktop\OTL.exe
[2010/09/20 22:11:50 | 000,000,000 | ---D | C] -- C:\Program Files\Secunia
[2010/09/20 22:04:39 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2010/09/20 21:58:19 | 000,000,000 | ---D | C] -- C:\Program Files\PeerBlock
[2010/09/18 21:12:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Guy Shelton\Application Data\SUPERAntiSpyware.com
[2010/09/18 21:12:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\SUPERAntiSpyware.com
[2010/09/18 21:11:47 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010/09/13 22:36:34 | 000,157,712 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2010/09/12 19:43:28 | 001,913,032 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\Guy Shelton\My Documents\HousecallLauncher.exe
[2010/09/11 08:47:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Guy Shelton\Local Settings\Application Data\{90E9F5EB-4C2D-4932-9CD5-B8D17147612E}
[2010/09/11 08:46:41 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Guy Shelton\.COMMgr
[2010/09/11 08:45:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Guy Shelton\Local Settings\Application Data\hxovdhldq
[2010/09/11 08:45:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Guy Shelton\Local Settings\Application Data\qwivdpkln
[2010/09/11 08:44:41 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users.WINDOWS\Documents\Server
[2010/09/11 08:44:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Guy Shelton\Application Data\5B6DDA162E75C9D0D55A3C4B0EB53ABC
[6 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/09/23 21:31:15 | 000,059,558 | ---- | M] () -- C:\Documents and Settings\Guy Shelton\My Documents\rootkit remove report
[2010/09/23 21:25:25 | 000,001,002 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1547161642-2139871995-725345543-1009UA.job
[2010/09/23 21:24:27 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Guy Shelton\Local Settings\Application Data\prvlcl.dat
[2010/09/23 21:22:01 | 065,173,360 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2010/09/23 21:16:54 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Guy Shelton\Desktop\OTL.exe
[2010/09/23 21:16:26 | 000,133,632 | ---- | M] () -- C:\Documents and Settings\Guy Shelton\Desktop\RKUnhookerLE.EXE
[2010/09/23 10:02:55 | 000,168,448 | ---- | M] () -- C:\Documents and Settings\Guy Shelton\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/09/23 10:02:48 | 009,175,040 | -H-- | M] () -- C:\Documents and Settings\Guy Shelton\NTUSER.DAT
[2010/09/23 07:25:00 | 000,000,950 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1547161642-2139871995-725345543-1009Core.job
[2010/09/23 06:36:27 | 000,000,310 | ---- | M] () -- C:\WINDOWS\tasks\Orb Index when idle.job
[2010/09/21 21:14:46 | 000,001,390 | ---- | M] () -- C:\AClient.cfg
[2010/09/21 21:14:41 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/09/21 21:13:12 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/09/21 21:12:51 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/09/21 21:12:48 | 1071,697,920 | -HS- | M] () -- C:\hiberfil.sys
[2010/09/21 17:27:54 | 001,061,376 | ---- | M] () -- C:\Documents and Settings\Guy Shelton\My Documents\BleepingComputerhowto.doc
[2010/09/21 09:34:45 | 000,621,192 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\iavifw.avm
[2010/09/20 22:12:26 | 000,000,720 | ---- | M] () -- C:\Documents and Settings\Guy Shelton\Start Menu\Programs\Startup\Secunia PSI.lnk
[2010/09/20 22:05:46 | 000,001,731 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\TuneUp 1-Click Maintenance.lnk
[2010/09/20 22:05:46 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\TuneUp Utilities.lnk
[2010/09/18 21:11:52 | 000,001,678 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/09/18 15:45:08 | 000,026,624 | ---- | M] () -- C:\Documents and Settings\Guy Shelton\My Documents\auction letter.doc
[2010/09/18 15:45:05 | 000,024,064 | ---- | M] () -- C:\Documents and Settings\Guy Shelton\My Documents\1st Impressions envelope.doc
[2010/09/16 22:15:35 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Guy Shelton\ntuser.ini
[2010/09/16 19:54:40 | 000,000,792 | ---- | M] () -- C:\Documents and Settings\Guy Shelton\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Microsoft Office Outlook.lnk
[2010/09/16 19:54:35 | 000,510,282 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/09/16 19:54:35 | 000,435,594 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/09/16 19:54:35 | 000,068,490 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/09/16 19:06:37 | 000,000,603 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/09/16 19:06:13 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/09/15 07:08:03 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Guy Shelton\defogger_reenable
[2010/09/15 07:07:04 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Guy Shelton\Desktop\Defogger.exe
[2010/09/13 22:08:53 | 000,018,421 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Application Data\.wtav
[2010/09/12 19:43:43 | 001,913,032 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\Guy Shelton\My Documents\HousecallLauncher.exe
[2010/09/12 19:34:21 | 000,000,036 | ---- | M] () -- C:\Documents and Settings\Guy Shelton\Local Settings\Application Data\housecall.guid.cache
[2010/09/12 15:16:14 | 004,959,888 | -H-- | M] () -- C:\Documents and Settings\Guy Shelton\Local Settings\Application Data\IconCache.db
[2010/09/11 08:47:41 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Rnolasaxogapog.dat
[2010/09/11 08:47:41 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Yzeninaqaf.bin
[2010/09/10 17:34:38 | 000,002,283 | ---- | M] () -- C:\Documents and Settings\Guy Shelton\Application Data\Microsoft\Internet Explorer\Quick Launch\Skype.lnk
[2010/09/10 06:08:54 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\drivers\lvuvc.hs
[2010/09/10 06:08:52 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\drivers\logiflt.iad
[2010/08/27 23:02:10 | 000,030,528 | ---- | M] (TuneUp Software) -- C:\WINDOWS\System32\TURegOpt.exe
[2010/08/27 22:56:30 | 000,030,016 | ---- | M] (TuneUp Software) -- C:\WINDOWS\System32\uxtuneup.dll
[6 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/09/23 21:31:15 | 000,059,558 | ---- | C] () -- C:\Documents and Settings\Guy Shelton\My Documents\rootkit remove report
[2010/09/23 21:16:24 | 000,133,632 | ---- | C] () -- C:\Documents and Settings\Guy Shelton\Desktop\RKUnhookerLE.EXE
[2010/09/21 17:27:53 | 001,061,376 | ---- | C] () -- C:\Documents and Settings\Guy Shelton\My Documents\BleepingComputerhowto.doc
[2010/09/20 22:12:26 | 000,000,720 | ---- | C] () -- C:\Documents and Settings\Guy Shelton\Start Menu\Programs\Startup\Secunia PSI.lnk
[2010/09/20 22:05:46 | 000,001,729 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\TuneUp Utilities.lnk
[2010/09/18 21:11:52 | 000,001,678 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/09/18 15:45:05 | 000,024,064 | ---- | C] () -- C:\Documents and Settings\Guy Shelton\My Documents\1st Impressions envelope.doc
[2010/09/16 20:07:02 | 000,026,624 | ---- | C] () -- C:\Documents and Settings\Guy Shelton\My Documents\auction letter.doc
[2010/09/15 07:08:03 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Guy Shelton\defogger_reenable
[2010/09/15 07:07:02 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Guy Shelton\Desktop\Defogger.exe
[2010/09/14 19:54:02 | 1071,697,920 | -HS- | C] () -- C:\hiberfil.sys
[2010/09/13 21:32:54 | 000,018,421 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Application Data\.wtav
[2010/09/12 19:34:21 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\Guy Shelton\Local Settings\Application Data\housecall.guid.cache
[2010/09/11 11:01:55 | 000,002,293 | ---- | C] () -- C:\Documents and Settings\Guy Shelton\avgrep.txt
[2010/09/11 08:47:41 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Yzeninaqaf.bin
[2010/09/11 08:47:40 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Rnolasaxogapog.dat
[2010/06/17 15:14:41 | 000,000,210 | ---- | C] () -- C:\WINDOWS\Brpfx04a.ini
[2010/06/17 15:14:41 | 000,000,093 | ---- | C] () -- C:\WINDOWS\brpcfx.ini
[2010/06/17 15:13:24 | 000,106,496 | ---- | C] () -- C:\WINDOWS\System32\BrMuSNMP.dll
[2010/06/17 15:10:31 | 000,027,019 | ---- | C] () -- C:\WINDOWS\maxlink.ini
[2010/02/01 07:50:17 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Guy Shelton\Local Settings\Application Data\prvlcl.dat
[2010/01/16 08:41:48 | 000,000,180 | ---- | C] () -- C:\Documents and Settings\Guy Shelton\Application Data\setup.log
[2010/01/16 08:41:39 | 000,000,760 | ---- | C] () -- C:\Documents and Settings\Guy Shelton\Application Data\setup_ldm.iss
[2010/01/15 15:59:04 | 000,000,462 | ---- | C] () -- C:\WINDOWS\BRWMARK.INI
[2010/01/15 15:59:04 | 000,000,030 | ---- | C] () -- C:\WINDOWS\System32\brss01a.ini
[2010/01/15 15:59:04 | 000,000,027 | ---- | C] () -- C:\WINDOWS\BRPP2KA.INI
[2009/10/07 01:46:36 | 000,025,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\LVPr2Mon.sys
[2009/10/07 01:23:08 | 000,013,584 | ---- | C] () -- C:\WINDOWS\System32\drivers\iKeyLFT2.dll
[2009/04/19 16:14:22 | 000,157,696 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2009/04/19 16:14:20 | 000,056,832 | ---- | C] () -- C:\WINDOWS\System32\Iyvu9_32.dll
[2009/04/19 16:14:19 | 000,856,064 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2009/04/19 16:14:19 | 000,568,850 | ---- | C] () -- C:\WINDOWS\System32\x264vfw.dll
[2009/04/19 16:14:19 | 000,217,088 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2009/04/19 16:14:17 | 000,005,120 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2009/04/19 16:14:17 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2008/10/08 21:04:32 | 000,000,464 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2008/09/20 07:57:34 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2008/09/20 07:55:10 | 000,000,416 | ---- | C] () -- C:\WINDOWS\System32\dtu100.dll.manifest
[2008/09/20 07:55:10 | 000,000,416 | ---- | C] () -- C:\WINDOWS\System32\dpl100.dll.manifest
[2008/09/01 11:32:40 | 000,000,082 | ---- | C] () -- C:\WINDOWS\Eltm.ini
[2008/09/01 10:22:04 | 000,000,115 | ---- | C] () -- C:\WINDOWS\Fsas.ini
[2008/08/27 20:04:48 | 000,210,944 | ---- | C] () -- C:\WINDOWS\System32\MSVCRT10.DLL
[2008/08/27 20:04:47 | 000,000,149 | ---- | C] () -- C:\WINDOWS\KPCMS.INI
[2008/08/16 16:44:02 | 000,082,289 | ---- | C] () -- C:\WINDOWS\System32\lvcoinst.ini
[2008/08/11 20:20:52 | 000,168,448 | ---- | C] () -- C:\Documents and Settings\Guy Shelton\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/07/11 17:52:57 | 000,000,000 | ---- | C] () -- C:\WINDOWS\client.INI
[2008/07/11 14:27:23 | 000,002,401 | ---- | C] () -- C:\WINDOWS\System32\drivers\AlKernel.sys
[2008/06/19 12:16:44 | 000,055,520 | ---- | C] () -- C:\WINDOWS\System32\drivers\VBoxDrv.sys
[2008/04/23 14:09:51 | 000,000,035 | ---- | C] () -- C:\WINDOWS\Blink.ini
[2007/12/12 08:12:38 | 000,000,488 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/12/11 15:00:34 | 000,000,175 | ---- | C] () -- C:\WINDOWS\hpbafd.ini
[2005/11/15 15:32:22 | 000,003,638 | R--- | C] () -- C:\Program Files\Common Files\Altiris_Icon.ico
[2004/08/04 00:56:38 | 000,533,568 | ---- | C] () -- C:\WINDOWS\System32\msmqutuy.dll
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/03/04 10:16:34 | 000,110,592 | R--- | C] () -- C:\WINDOWS\System32\Jpeg32.dll

========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >

< %ALLUSERSPROFILE%\Application Data\*.exe /s >
[2010/09/23 21:27:20 | 001,278,304 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Application Data\avg9\update\backup\avgfrw.exe
[2010/09/23 21:22:59 | 002,331,032 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Documents and Settings\All Users.WINDOWS\Application Data\avg9\update\backup\avgfws9.exe
[2010/09/23 21:23:03 | 000,620,896 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Documents and Settings\All Users.WINDOWS\Application Data\avg9\update\backup\avgnsx.exe
[2010/09/23 21:27:21 | 002,065,760 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Documents and Settings\All Users.WINDOWS\Application Data\avg9\update\backup\avgtray.exe
[2010/09/23 21:27:21 | 004,100,960 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Documents and Settings\All Users.WINDOWS\Application Data\avg9\update\backup\avgui.exe
[2010/09/23 21:23:04 | 003,586,912 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Documents and Settings\All Users.WINDOWS\Application Data\avg9\update\backup\setup.exe
[2010/08/18 10:35:38 | 006,944,624 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Lavasoft\Ad-Aware\Update\aaw2008_upd.exe
[2010/05/01 19:47:36 | 006,153,352 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
[2009/07/31 18:40:08 | 001,962,544 | ---- | M] (Adobe Systems Incorporated) -- C:\Documents and Settings\All Users.WINDOWS\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe


< MD5 for: AGP440.SYS >
[2004/08/04 01:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2008/06/24 10:00:07 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2008/06/24 10:00:07 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/14 04:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/14 04:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

< MD5 for: ATAPI.SYS >
[2004/08/04 01:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008/06/24 10:00:07 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008/06/24 10:00:07 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/14 04:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/14 04:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/03 21:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2004/08/03 22:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0006\DriverFiles\i386\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/14 10:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/14 10:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/04 00:56:44 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: IASTOR.SYS >
[2007/02/12 14:36:54 | 000,277,784 | ---- | M] (Intel Corporation) MD5=FD7F9D74C2B35DBDA400804A3F5ED5D8 -- C:\drivers\hdd\intel\iastor.sys

< MD5 for: NETLOGON.DLL >
[2008/04/14 10:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/14 10:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2004/08/04 00:56:46 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/04 00:56:46 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/14 10:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/14 10:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2007/11/02 14:10:06 | 000,364,544 | ---- | M] (Advanced Micro Devices, Inc.) Unable to obtain MD5 -- C:\WINDOWS\system32\ATIDEMGX.dll
[2009/03/08 04:31:44 | 000,348,160 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtmsft.dll
[2009/03/08 04:31:38 | 000,216,064 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtrans.dll
[6 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >
< End of report >


===========+++++++++==============++++++++++++++++====================+++++++++++++++++


OTL Extras logfile created on: 23/09/2010 9:33:06 PM - Run 1
OTL by OldTimer - Version 3.2.14.1 Folder = C:\Documents and Settings\Guy Shelton\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000C09 | Country: Australia | Language: ENA | Date Format: d/MM/yyyy

1,022.00 Mb Total Physical Memory | 358.00 Mb Available Physical Memory | 35.00% Memory free
3.00 Gb Paging File | 2.00 Gb Available in Paging File | 72.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 87.62 Gb Total Space | 32.28 Gb Free Space | 36.85% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: EMITCH-0B853313
Current User Name: Guy Shelton
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_USERS\S-1-5-21-1547161642-2139871995-725345543-1009\SOFTWARE\Classes\<extension>]
.html [@ = ChromeHTML] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [MediaMonkey.1Play] -- "C:\Program Files\MediaMonkey\MediaMonkey.exe" "%1" (Ventis Media Inc.)
Directory [MediaMonkey.2PlayNext] -- "C:\Program Files\MediaMonkey\MediaMonkey.exe" /NEXT "%1" (Ventis Media Inc.)
Directory [MediaMonkey.3Enqueue] -- "C:\Program Files\MediaMonkey\MediaMonkey.exe" /ADD "%1" (Ventis Media Inc.)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"3389:TCP" = 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"3389:TCP" = 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"41952:TCP" = 41952:TCP:*:Enabled:Xbox
"41952:UDP" = 41952:UDP:*:Enabled:Xbox1
"10243:TCP" = 10243:TCP:*:Enabled:Windows Media Player Network Sharing Service
"10280:UDP" = 10280:UDP:*:Enabled:Windows Media Player Network Sharing Service
"10281:UDP" = 10281:UDP:*:Enabled:Windows Media Player Network Sharing Service
"10282:UDP" = 10282:UDP:*:Enabled:Windows Media Player Network Sharing Service
"10283:UDP" = 10283:UDP:*:Enabled:Windows Media Player Network Sharing Service
"10284:UDP" = 10284:UDP:*:Enabled:Windows Media Player Network Sharing Service
"80:TCP" = 80:TCP:*:Enabled:Orbport
"81:TCP" = 81:TCP:*:Enabled:Orbport2

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- File not found
"C:\WINDOWS\system32\dpvsetup.exe" = C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test -- (Microsoft Corporation)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- File not found
"C:\Program Files\Altiris\AClient\AClntUsr.EXE" = C:\Program Files\Altiris\AClient\AClntUsr.EXE:*:Enabled:AClntUsr - AClient Interactive User Service -- ()
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe" = C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger -- File not found
"C:\Program Files\Windows Live\Messenger\livecall.exe" = C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone) -- File not found

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Altiris\AClient\AClntUsr.EXE" = C:\Program Files\Altiris\AClient\AClntUsr.EXE:*:Enabled:AClntUsr - AClient Interactive User Service -- ()
"C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)
"C:\Program Files\AVG\AVG9\avgam.exe" = C:\Program Files\AVG\AVG9\avgam.exe:*:Enabled:avgam.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG9\avgdiagex.exe" = C:\Program Files\AVG\AVG9\avgdiagex.exe:*:Enabled:avgdiagex.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG9\avgemc.exe" = C:\Program Files\AVG\AVG9\avgemc.exe:*:Enabled:avgemc.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG9\avgupd.exe" = C:\Program Files\AVG\AVG9\avgupd.exe:*:Enabled:avgupd.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG9\avgnsx.exe" = C:\Program Files\AVG\AVG9\avgnsx.exe:*:Enabled:avgnsx.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox -- (Mozilla Corporation)
"C:\Program Files\SopCast\adv\SopAdver.exe" = C:\Program Files\SopCast\adv\SopAdver.exe:*:Enabled:SopCast Adver -- (www.sopcast.com)
"C:\Program Files\SopCast\SopCast.exe" = C:\Program Files\SopCast\SopCast.exe:*:Enabled:SopCast Main Application -- (www.sopcast.com)
"C:\Program Files\Orb Networks\Orb\bin\OrbjetManager.exe" = C:\Program Files\Orb Networks\Orb\bin\OrbjetManager.exe:*:Enabled:Orb -- ()
"C:\Program Files\Orb Networks\Orb\bin\OrbSetupWizard.exe" = C:\Program Files\Orb Networks\Orb\bin\OrbSetupWizard.exe:*:Enabled:OrbSetupWizard -- ()
"C:\Program Files\Orb Networks\Orb\bin\Orb.exe" = C:\Program Files\Orb Networks\Orb\bin\Orb.exe:*:Enabled:Orb -- (Orb Networks, Inc.)
"C:\Program Files\Orb Networks\Orb\bin\OrbStreamerClient.exe" = C:\Program Files\Orb Networks\Orb\bin\OrbStreamerClient.exe:*:Enabled:Orb Stream Client -- ()
"C:\Program Files\Orb Networks\Orb\bin\OrbControlPanel.exe" = C:\Program Files\Orb Networks\Orb\bin\OrbControlPanel.exe:*:Enabled:OrbControlPanel -- ()
"C:\Program Files\Orb Networks\Orb\bin\OrbLauncher.exe" = C:\Program Files\Orb Networks\Orb\bin\OrbLauncher.exe:*:Enabled:OrbLauncher -- (Orb Networks)
"C:\Program Files\TVersity\Media Server\MediaServer.exe" = C:\Program Files\TVersity\Media Server\MediaServer.exe:*:Disabled:TVersity Media Server -- ()


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{015C5B35-B678-451C-9AEE-821E8D69621C}_is1" = PeerBlock 1.0.0 (r181)
"{055EE59D-217B-43A7-ABFF-507B966405D8}" = ATI Catalyst Control Center
"{11FBBEEE-4F17-D27F-299E-73C3F823D9D7}" = Catalyst Control Center Graphics Previews Common
"{1D14373E-7970-4F2F-A467-ACA4F0EA21E3}" = Google Earth
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{1F7B8AFF-0E53-8F7A-9134-C4BBE25E295A}" = ccc-utility
"{2133CB3F-F891-4081-8681-FEE2B2419FF4}" = Orb Runtime libraries
"{26A24AE4-039D-4CA4-87B4-2F83216010FF}" = Java™ 6 Update 17
"{2851123E-5786-41BE-A3F1-A9B21E499EEB}" = Altiris Task Synchronization Agent
"{295B5F60-3C54-DA2F-4260-600FA00E7AF4}" = Antivirus 2010
"{2B193F00-E9B0-43B4-A2BB-58FD886E65F9}" = Learn To Multiply
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java™ 6 Update 3
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java™ 6 Update 5
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{332454D8-73B0-4b4a-954C-D96089CD898A}" = Altiris Carbon Copy Solution Agent
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3956DD06-7A44-C9E6-EEF4-F56C507485FB}" = ccc-core-static
"{39DAAC18-49A1-1E67-5286-F142A7D2332E}" = Catalyst Control Center Graphics Full Existing
"{51729BDF-5ED6-41ED-9CC6-5BFC7F4A4C18}" = Better Homes and Gardens Landscaping and Deck Designer 7.0
"{53735ECE-E461-4FD0-B742-23A352436D3A}" = Logitech Updater
"{597E70FF-7C46-4EED-8092-91B7C2E0529D}" = Google SketchUp 7
"{5A9D5486-6755-4FD5-BCB2-1379EF3024BA}" = World of Goo Demo
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{6E22BE0F-DDB0-4D85-8829-0F30CED8062D}" = Altiris Service Control Task Agent
"{721FEDC0-456E-3E8B-C4AF-3C3DC8196DB4}" = ccc-core-preinstall
"{75B61CF0-B8A8-46E2-8709-C4A79898AC1D}" = Data Lifeguard Diagnostic for Windows
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7AABF28C-E8DC-9859-D016-FCEED1183753}" = Catalyst Control Center Core Implementation
"{7F9C75FD-4057-C67F-54DD-84F00CEEC07A}" = Skins
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{85BE9445-EFE2-4FE8-8883-F30DB489225F}" = Altiris Script Task Agent
"{885F858E-E0C0-42FD-A622-0B040F562AA7}" = Altiris Client Task Agent
"{89BC7626-A4B4-0466-1624-B3D44DB47B8B}" = CCC Help English
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{981029E0-7FC9-4CF3-AB39-6F133621921A}" = Skype Toolbars
"{9A1BC55F-C69F-43C8-9BB6-2488597F5C46}" = Google AdWords Editor
"{A0A1EB01-A6FD-423A-8480-364055A7C961}" = Altiris Software Delivery Solution Agent
"{A17EABB6-D0C6-44E5-820C-72DC7F495064}" = PaperPort
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A7DB362E-16DC-4E29-8A34-E74381E00B5B}" = Adobe Shockwave Player
"{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}" = Windows Live installer
"{AC76BA86-7AD7-1033-7B44-A82000000003}" = Adobe Reader 8.2.4
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B194272D-1F92-46DF-99EB-8D5CE91CB4EC}" = Adobe AIR
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{BB9AC6BF-71B6-42A4-9689-C17D9F44E79A}" = Brother MFL-Pro Suite
"{BD8D12CE-31BC-482E-A0BB-CD5F780BB8B5}" = Fun & Spooky Adding & Subtracting
"{C031202D-36D2-42FF-875F-09299AE3B7EF}" = Altiris Power Management Agent
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C27BC2A2-30DD-4014-B22E-63EB0DB572F9}" = Logitech Webcam Software
"{CD704325-6572-7653-B5B2-08FD243E5D46}" = Catalyst Control Center Graphics Light
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.2
"{D3742F82-1C1A-4DCC-ABBD-0E7C3C0185CC}" = TuneUp Utilities
"{DDD0A758-F44C-47D3-8E88-692FFF775127}" = Intel® PRO Network Connections 12.3.31.0
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{E2EA0C33-43B3-48A4-87CA-2BDA2F8ABF68}" = Sun xVM VirtualBox
"{E5D720C6-67A3-DD48-30E0-7B5EAE4DDA13}" = Catalyst Control Center Graphics Full New
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F7B0E599-C114-4493-BC4D-D8FC7CBBABBB}" = 32 Bit HP CIO Components Installer
"{FE3997D3-6B56-4AC4-A99C-9DDFC45359BF}" = TuneUp Utilities Language Pack (en-US)
"0BF49E9448DA0DFB69DB9D673379652AB9087171" = Windows Driver Package - Intel net (09/26/2007 11.5.0.32)
"54C387968987D0308E3C2F0A5D723BC3CB8926B9" = Windows Driver Package - 2Wire (2WIREPCP) Net (09/18/2002 1.4.0.5)
"5D81FBED6E61194F43FF1556F43BD8309BA44634" = Windows Driver Package - Intel (NETw4x32) net (09/26/2007 11.5.0.32)
"Adobe Acrobat 5.0" = Adobe Acrobat 5.0
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Photoshop 5.0 Limited Edition" = Adobe Photoshop 5.0 Limited Edition
"All ATI Software" = ATI - Software Uninstall Utility
"Altiris Carbon Copy Solution Agent " = Altiris Carbon Copy Solution Agent 6.2
"ATI Display Driver" = ATI Display Driver
"AVG9Uninstall" = AVG 9.0
"CAL" = Canon Camera Access Library
"CameraWindowDC" = Canon Utilities CameraWindow DC
"CameraWindowDVC5" = Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX
"CameraWindowDVC6" = Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
"CameraWindowLauncher" = Canon Utilities CameraWindow
"Canon G.726 WMP-Decoder" = Canon G.726 WMP-Decoder
"CSCLIB" = Canon Camera Support Core Library
"DirectVobSub" = DirectVobSub (remove only)
"EFD65E7CD7A28D00217941F33C5CA55964F96136" = Windows Driver Package - Intel (w29n51) net (07/25/2007 9.0.4.37)
"EOS Utility" = Canon Utilities EOS Utility
"Fotosizer" = Fotosizer 1.27
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"KLiteCodecPack_is1" = K-Lite Mega Codec Pack 1.53
"legacyqcam_10.51" = Logitech Legacy USB Camera Driver Package
"lvdrivers_12.10" = Logitech Webcam Software Driver Package
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"MediaMonkey_is1" = MediaMonkey 3.2
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MovieEditTask" = Canon MovieEdit Task for ZoomBrowser EX
"Mozilla Firefox (3.6.8)" = Mozilla Firefox (3.6.8)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MyCamera" = Canon Utilities MyCamera
"MyCameraDC" = Canon Utilities MyCamera DC
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Orb" = Orb
"PeerGuardian_is1" = PeerGuardian 2.0
"PhotoStitch" = Canon Utilities PhotoStitch
"Picasa 3" = Picasa 3
"Power Data Recovery_is1" = Power Data Recovery 4.1.1
"RAW Image Task" = Canon RAW Image Task for ZoomBrowser EX
"RemoteCaptureDC" = Canon Utilities RemoteCapture DC
"RemoteCaptureTask" = Canon Utilities RemoteCapture Task for ZoomBrowser EX
"Secunia PSI" = Secunia PSI
"SopCast" = SopCast 3.2.9
"The Blocklist Manager_is1" = BLM 2.7.7
"Timber Solutions" = Timber Solutions
"TuneUp Utilities" = TuneUp Utilities
"uTorrent" = µTorrent
"VLC media player" = VideoLAN VLC media player 0.8.2
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"WinAce Archiver" = WinAce Archiver
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"ZoomBrowser EX" = Canon Utilities ZoomBrowser EX
"ZoomBrowser EX Memory Card Utility" = Canon ZoomBrowser EX Memory Card Utility

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1547161642-2139871995-725345543-1009\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"07140e809c2bb6df" = IPFilter Updater
"Google Chrome" = Google Chrome

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 22/09/2010 9:25:06 PM | Computer Name = EMITCH-0B853313 | Source = Google Update | ID = 20
Description =

Error - 22/09/2010 10:25:06 PM | Computer Name = EMITCH-0B853313 | Source = Google Update | ID = 20
Description =

Error - 22/09/2010 11:25:06 PM | Computer Name = EMITCH-0B853313 | Source = Google Update | ID = 20
Description =

Error - 23/09/2010 12:25:05 AM | Computer Name = EMITCH-0B853313 | Source = Google Update | ID = 20
Description =

Error - 23/09/2010 1:25:05 AM | Computer Name = EMITCH-0B853313 | Source = Google Update | ID = 20
Description =

Error - 23/09/2010 2:25:05 AM | Computer Name = EMITCH-0B853313 | Source = Google Update | ID = 20
Description =

Error - 23/09/2010 3:25:06 AM | Computer Name = EMITCH-0B853313 | Source = Google Update | ID = 20
Description =

Error - 23/09/2010 4:25:06 AM | Computer Name = EMITCH-0B853313 | Source = Google Update | ID = 20
Description =

Error - 23/09/2010 5:25:07 AM | Computer Name = EMITCH-0B853313 | Source = Google Update | ID = 20
Description =

Error - 23/09/2010 6:25:05 AM | Computer Name = EMITCH-0B853313 | Source = Google Update | ID = 20
Description =

[ System Events ]
Error - 21/09/2010 3:16:20 AM | Computer Name = EMITCH-0B853313 | Source = SRService | ID = 104
Description = The System Restore initialization process failed.

Error - 21/09/2010 3:17:18 AM | Computer Name = EMITCH-0B853313 | Source = Service Control Manager | ID = 7023
Description = The System Restore Service service terminated with the following error:
%%2

Error - 21/09/2010 7:13:09 AM | Computer Name = EMITCH-0B853313 | Source = Cdrom | ID = 262155
Description = The driver detected a controller error on \Device\CdRom0.

Error - 21/09/2010 7:13:54 AM | Computer Name = EMITCH-0B853313 | Source = SRService | ID = 104
Description = The System Restore initialization process failed.

Error - 21/09/2010 7:14:31 AM | Computer Name = EMITCH-0B853313 | Source = Service Control Manager | ID = 7023
Description = The System Restore Service service terminated with the following error:
%%2

Error - 22/09/2010 3:15:32 AM | Computer Name = EMITCH-0B853313 | Source = PlugPlayManager | ID = 12
Description = The device 'MQTSHYTQ DVD=RQM0UZ-850S0' (IDE\CdRomMQTSHYTQ_DVD=RQM0UZ-850S0_______________1>90____\5&195506ac&0&0.0.0)
disappeared from the system without first being prepared for removal.

Error - 22/09/2010 4:37:26 PM | Computer Name = EMITCH-0B853313 | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the avg9wd service.

Error - 23/09/2010 7:24:00 AM | Computer Name = EMITCH-0B853313 | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the avg9wd service.

Error - 23/09/2010 7:33:55 AM | Computer Name = EMITCH-0B853313 | Source = SRService | ID = 104
Description = The System Restore initialization process failed.

Error - 23/09/2010 7:33:55 AM | Computer Name = EMITCH-0B853313 | Source = Service Control Manager | ID = 7023
Description = The System Restore Service service terminated with the following error:
%%2

[ TuneUp Events ]
Error - 6/04/2010 8:44:42 PM | Computer Name = EMITCH-0B853313 | Source = TuneUp.UtilitiesSvc | ID = 300
Description =

Error - 20/07/2010 1:07:03 AM | Computer Name = EMITCH-0B853313 | Source = TuneUp.UtilitiesSvc | ID = 300
Description =

Error - 9/08/2010 11:48:29 PM | Computer Name = EMITCH-0B853313 | Source = TuneUp.UtilitiesSvc | ID = 300
Description =


< End of report >
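The `< MD5 for: ... >` section of the OTL log above lists every copy of a few core system files that OTL found (the live copy under system32, the Service Pack cache under ServicePackFiles\i386, the pre-SP3 backup under $NtServicePackUninstall$, and the driver .cab members) together with its MD5, so a helper can see at a glance whether the live copy still matches the known-good cached copy. The ComboFix report later in this thread restores winlogon.exe and explorer.exe from that same ServicePackFiles copy. The following Python is an added example, not part of the original post and not OTL's or ComboFix's code: it parses those blocks and reports, for each live file, whether its hash matches the Service Pack cache copy, matches only an older backup copy, or matches neither. The sample input reuses the ATAPI.SYS block from the log and adds a constructed EXAMPLE.SYS block whose live copy carries a made-up hash, so that a mismatch is shown.

```python
import re
from collections import defaultdict

# One "< MD5 for: NAME >" block in an OTL log lists every copy of NAME that OTL found,
# each with timestamp, size, company and (where readable) MD5.
HEADER_RE = re.compile(r"^<\s*MD5 for:\s*(?P<name>.+?)\s*>$")
ENTRY_RE = re.compile(
    r"^\[(?P<stamp>[^|]+?)\s*\|\s*(?P<size>[\d,]+)\s*\|[^\]]*\]\s*"    # [date | size | attrs | M]
    r"\((?P<company>[^)]*)\)\s*"                                         # (Company) or ()
    r"(?:MD5=(?P<md5>[0-9A-Fa-f]{32})|Unable to obtain MD5|\.cab file)"  # hash, or why there is none
    r"\s*--\s*(?P<path>.+?)\s*$"
)

# Where Windows XP keeps known-good copies (Service Pack cache) versus pre-SP backups.
REFERENCE_DIRS = ("\\servicepackfiles\\i386\\",)
BACKUP_DIRS = ("\\$ntservicepackuninstall$\\", "\\reinstallbackups\\", "\\driver cache\\")


def classify(path):
    """Label a path as the live copy, a reference copy, a backup copy, or a .cab member."""
    p = path.lower()
    if ".cab:" in p:
        return "cab"
    if any(d in p for d in REFERENCE_DIRS):
        return "reference"
    if any(d in p for d in BACKUP_DIRS):
        return "backup"
    return "live"


def parse_md5_blocks(text):
    """Return {filename: [entry, ...]} for every MD5 block in the log text."""
    blocks = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            current = header.group("name").lower()
            continue
        if current is None or not line.startswith("["):
            continue  # blank line or unrelated section
        m = ENTRY_RE.match(line)
        if m:
            blocks[current].append({
                "path": m.group("path"),
                "md5": m.group("md5").upper() if m.group("md5") else None,
                "size": int(m.group("size").replace(",", "")),
                "company": m.group("company"),
                "kind": classify(m.group("path")),
            })
    return blocks


def check_block(name, entries):
    """Compare each live copy against the Service Pack cache copy of the same file."""
    refs = {e["md5"] for e in entries if e["kind"] == "reference" and e["md5"]}
    backups = {e["md5"] for e in entries if e["kind"] == "backup" and e["md5"]}
    findings = []
    for e in entries:
        if e["kind"] != "live" or not e["md5"]:
            continue
        if not refs:
            verdict = "no-reference"      # nothing cached to compare against (e.g. OEM drivers)
        elif e["md5"] in refs:
            verdict = "ok"
        elif e["md5"] in backups:
            verdict = "older-version"     # still a Microsoft build, just pre-service-pack
        else:
            verdict = "MISMATCH"          # matches neither cached nor backup copy: investigate/restore
        findings.append((name, e["path"], verdict))
    return findings


def audit(text):
    return [f for name, entries in parse_md5_blocks(text).items()
            for f in check_block(name, entries)]


# Sample input: the ATAPI.SYS block copied from the OTL log above, plus a constructed
# EXAMPLE.SYS block whose live copy carries a made-up hash to show a mismatch.
SAMPLE_LOG = r"""
< MD5 for: ATAPI.SYS >
[2004/08/04 01:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008/04/14 04:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/14 04:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/03 21:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

< MD5 for: EXAMPLE.SYS >
[2008/04/14 04:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\example.sys
[2010/09/11 03:12:00 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=00112233445566778899AABBCCDDEEFF -- C:\WINDOWS\system32\drivers\example.sys
"""

if __name__ == "__main__":
    for name, path, verdict in audit(SAMPLE_LOG):
        print(f"{verdict:14} {name:12} {path}")
```

A live copy that matches only the $NtServicePackUninstall$ copy is reported separately from a true mismatch, because a pre-service-pack Microsoft build is a patching problem rather than an infection; only a hash that matches no Microsoft copy at all is the case that calls for a restore of the kind ComboFix performed.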


#6 Shannon2012

  • Security Colleague
  • 3,657 posts
  • Gender:Male
  • Location:North Carolina, USA

Posted 24 September 2010 - 07:35 AM

Hi-

QUOTE
Will this malware/trojan affect an external hard drive and if so
what is the course of action to take? Will I need to format that and lose all info on it
(its 1 Tb) or can I scan it?

if reformatting, how safe are any files I require from the computer (such as music or
movies or programs) to then backup and then re-install after renewing windows? Do those
sort of files get infected or mainly system files deep in the computer?

Yes, your external hard drive as well as any external flash storage drives can get infected and in turn infect your internal hard drive. The file types that normally transmit infections are:
.exe
.scr
.htm
.html
.xml
.zip
.rar
.asp
.php

If all of your files on the external drive are data, photo, and music type files then you are probably ok, but, if you have file types like those listed above out there, they could be infected. Later, we will scan the external drive for infections.

To lessen the chance of spreading the infections between your removable and fixed drives, please run Flash_Disinfector. Flash_Disinfector is a specialized fix tool created by sUBs to remove infections that load an autorun.inf file on removable media. Flash_Disinfector will create a hidden "dummy" autorun folder/file with special permissions in each partition and every external drive that was connected when the tool was run. This folder helps to keep the malicious autorun.inf file from being installed on the root drive and running other malicious files which will infect the computer.
Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

First, let's clean off some of your infections.

Download Combofix from either of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: how-to-use-combofix

Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
How to Temporarily Disable your Anti-virus

To disable the AVG 9 Resident Shield, please:
  • Open AVG User Interface.
  • Double-click on the Resident Shield.
  • Un-tick the option Resident Shield active.
  • Save the changes.
    For more Information
Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please copy the "C:\ComboFix.txt" into your reply.
Note:
Do not mouse-click ComboFix's window while it's running; that may cause it to stall.


Next, do a new OTL scan.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the button.
  • A report will open, copy and paste it into your reply:
  • OTL.txt <-- Will be the opened report

In your reply, please copy in the ComboFix report and the OTL scan report.

Thanks,


Shannon
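Shannon's description of what Flash_Disinfector does (a folder named autorun.inf planted at each drive root, so that a worm cannot drop a file of that name there) can be checked and reproduced in a few lines. The following is an added example, not Flash_Disinfector's code and not anything posted in this thread: it inspects a drive root, parses any autorun.inf it finds with a tolerant parser (some worms pad the file with junk lines to break strict INI readers, while Windows itself skips them), flags the directives that launch a program when the drive is opened, and can replace the file with the protective folder. Assumptions: the drive root is passed as a path string (in `demo()` a temporary directory stands in for it), the sample autorun.inf content is constructed rather than captured, and only the hidden and system attributes are set on the folder on Windows; the "special permissions" the post mentions (an ACL on the folder) are not reproduced here.

```python
import ctypes
import os
import stat
import tempfile
from dataclasses import dataclass, field

# [autorun] directives that make Windows run something when the drive is opened or
# double-clicked; these are what USB worms point at their dropped executable.
EXEC_KEYS = ("open", "shellexecute", "shell\\open\\command", "shell\\explore\\command")
EXEC_EXTS = (".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".vbs")


@dataclass
class AutorunVerdict:
    state: str                   # "absent", "protected" (folder present) or "file"
    launches: list = field(default_factory=list)
    suspicious: bool = False


def parse_autorun(text):
    """Tolerant autorun.inf parser: keeps key=value lines inside [autorun], ignores the rest.

    Strict INI readers choke on the junk lines some worms pad the file with; Windows
    itself simply skips them, so the parser must too or it misses the real directives."""
    entries, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip().lower()] = value.strip()
    return entries


def inspect_drive_root(root):
    """Report what sits at <root>\\autorun.inf and whether it would launch a program."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.lexists(path):
        return AutorunVerdict("absent")
    if os.path.isdir(path):
        return AutorunVerdict("protected")   # the dummy folder: no file can be created over it
    with open(path, "r", errors="replace") as fh:
        entries = parse_autorun(fh.read())
    launches = [entries[k] for k in EXEC_KEYS if k in entries]
    suspicious = any(t.lower().endswith(EXEC_EXTS) or "recycler" in t.lower() for t in launches)
    return AutorunVerdict("file", launches, suspicious)


def protect_drive_root(root, replace_file=False):
    """Plant a folder named autorun.inf at the drive root so no file of that name can be dropped.

    Only the hidden+system attributes are set here (Windows only); the ACL hardening the
    post refers to as 'special permissions' is not reproduced in this example."""
    path = os.path.join(root, "autorun.inf")
    if os.path.isfile(path):
        if not replace_file:
            raise FileExistsError(f"{path} is a file; pass replace_file=True to replace it")
        os.chmod(path, stat.S_IWRITE)        # clear read-only before deleting
        os.remove(path)
    os.makedirs(path, exist_ok=True)
    if os.name == "nt":
        FILE_ATTRIBUTE_HIDDEN, FILE_ATTRIBUTE_SYSTEM = 0x2, 0x4
        ctypes.windll.kernel32.SetFileAttributesW(path, FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM)
    return path


# Constructed sample in the style of an autorun.inf dropped by a USB worm (not a real capture).
SAMPLE_AUTORUN = r"""
[autorun]
; the junk line below is the kind of padding used to break strict INI parsers
qwertyuiopasdfghjkl
open=RECYCLER\setup.exe
icon=%SystemRoot%\system32\shell32.dll,4
action=Open folder to view files
shell\open\command=RECYCLER\setup.exe
shell\explore\command=RECYCLER\setup.exe
"""


def demo():
    """Walk-through on a temporary directory standing in for a removable drive's root."""
    with tempfile.TemporaryDirectory() as root:
        before = inspect_drive_root(root).state
        with open(os.path.join(root, "autorun.inf"), "w") as fh:
            fh.write(SAMPLE_AUTORUN)
        infected = inspect_drive_root(root)
        protect_drive_root(root, replace_file=True)
        after = inspect_drive_root(root).state
    return before, infected.state, infected.suspicious, after


if __name__ == "__main__":
    print(demo())   # ('absent', 'file', True, 'protected')
```

Running `inspect_drive_root` against a real drive letter (for example `inspect_drive_root("E:\\")` on Windows) before plugging a suspect drive into a clean machine is the manual equivalent of the Shift-key advice in the post: it tells you what the drive would have launched without letting it launch. The folder trick works because NTFS and FAT will not allow a file and a directory of the same name in the same directory, so the worm's attempt to write its autorun.inf fails.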

#7 sh0ckker

  • Topic Starter
  • Members
  • 19 posts

Posted 26 September 2010 - 04:11 AM

Hi,
Apologies for the delay in getting back to you sooner. Thanks for the info about the external hard drive; it is mainly movies and music. I will run the Flash Disinfector as soon as I have sent this on. For the moment the logs from ComboFix and OTL are below...


ComboFix 10-09-25.06 - Guy Shelton 26/09/2010 18:32:21.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.1022.562 [GMT 10:00]
Running from: c:\documents and settings\Guy Shelton\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users.WINDOWS\Application Data\.wtav
c:\documents and settings\All Users.WINDOWS\Documents\Server\admin.txt
c:\documents and settings\All Users.WINDOWS\Documents\Server\server.dat
c:\documents and settings\Guy Shelton\.COMMgr
c:\documents and settings\Guy Shelton\Local Settings\Application Data\{90E9F5EB-4C2D-4932-9CD5-B8D17147612E}
c:\documents and settings\Guy Shelton\Local Settings\Application Data\{90E9F5EB-4C2D-4932-9CD5-B8D17147612E}\chrome.manifest
c:\documents and settings\Guy Shelton\Local Settings\Application Data\{90E9F5EB-4C2D-4932-9CD5-B8D17147612E}\chrome\content\_cfg.js
c:\documents and settings\Guy Shelton\Local Settings\Application Data\{90E9F5EB-4C2D-4932-9CD5-B8D17147612E}\chrome\content\overlay.xul
c:\documents and settings\Guy Shelton\Local Settings\Application Data\{90E9F5EB-4C2D-4932-9CD5-B8D17147612E}\install.rdf
c:\windows\Client.ini

Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe

Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\explorer.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_USERINIT


((((((((((((((((((((((((( Files Created from 2010-08-26 to 2010-09-26 )))))))))))))))))))))))))))))))
.

2010-09-23 11:27 . 2010-09-23 11:27 4100960 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\avg9\update\backup\avgui.exe
2010-09-23 11:27 . 2010-09-23 11:27 3951968 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\avg9\update\backup\avguires.dll
2010-09-23 11:27 . 2010-09-23 11:27 2448224 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\avg9\update\backup\avguiadv.dll
2010-09-23 11:27 . 2010-09-23 11:27 2065760 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\avg9\update\backup\avgtray.exe
2010-09-23 11:27 . 2010-09-23 11:27 1278304 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\avg9\update\backup\avgfrw.exe
2010-09-23 11:27 . 2010-09-23 11:27 1247584 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\avg9\update\backup\avgabout.dll
2010-09-23 11:23 . 2010-09-23 11:23 3586912 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\avg9\update\backup\setup.exe
2010-09-23 11:23 . 2010-09-23 11:23 620896 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\avg9\update\backup\avgnsx.exe
2010-09-23 11:23 . 2010-09-23 11:23 1619296 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\avg9\update\backup\avgssie.dll
2010-09-23 11:23 . 2010-09-23 11:23 1377632 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\avg9\update\backup\avgssff.dll
2010-09-23 11:22 . 2010-09-23 11:22 942432 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\avg9\update\backup\avgcfgx.dll
2010-09-23 11:22 . 2010-09-23 11:22 598368 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\avg9\update\backup\avgsrmx.dll
2010-09-23 11:22 . 2010-09-23 11:22 4371296 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\avg9\update\backup\avgcorex.dll
2010-09-23 11:22 . 2010-09-23 11:22 2331032 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\avg9\update\backup\avgfws9.exe
2010-09-23 11:22 . 2010-09-23 11:22 5649320 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\avg9\update\backup\winspamcatcher.dll
2010-09-23 11:22 . 2010-09-23 11:22 300896 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\avg9\update\backup\avgchclx.dll
2010-09-23 11:17 . 2010-09-23 11:17 1690952 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\avg9\update\backup\avgupd.dll
2010-09-20 12:11 . 2010-09-20 12:11 -------- d-----w- c:\program files\Secunia
2010-09-20 11:58 . 2010-09-21 02:26 -------- d-----w- c:\program files\PeerBlock
2010-09-18 11:13 . 2010-09-18 11:13 63488 ----a-w- c:\documents and settings\Guy Shelton\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-09-18 11:13 . 2010-09-18 11:13 52224 ----a-w- c:\documents and settings\Guy Shelton\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-09-18 11:13 . 2010-09-18 11:13 117760 ----a-w- c:\documents and settings\Guy Shelton\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-09-18 11:12 . 2010-09-18 11:12 -------- d-----w- c:\documents and settings\Guy Shelton\Application Data\SUPERAntiSpyware.com
2010-09-18 11:12 . 2010-09-18 11:12 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\SUPERAntiSpyware.com
2010-09-18 11:11 . 2010-09-18 11:12 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-09-13 12:36 . 2009-05-07 07:04 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-09-10 22:47 . 2010-09-10 22:47 0 ----a-w- c:\windows\Yzeninaqaf.bin
2010-09-10 22:47 . 2010-09-10 22:47 120 ----a-w- c:\windows\Rnolasaxogapog.dat
2010-09-10 22:45 . 2010-09-12 07:35 -------- d-----w- c:\documents and settings\Guy Shelton\Local Settings\Application Data\hxovdhldq
2010-09-10 22:45 . 2010-09-12 07:35 -------- d-----w- c:\documents and settings\Guy Shelton\Local Settings\Application Data\qwivdpkln
2010-09-10 22:44 . 2010-09-12 06:01 -------- d-----w- c:\documents and settings\Guy Shelton\Application Data\5B6DDA162E75C9D0D55A3C4B0EB53ABC

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-26 05:38 . 2010-01-31 21:50 0 ----a-w- c:\documents and settings\Guy Shelton\Local Settings\Application Data\prvlcl.dat
2010-09-22 21:10 . 2010-01-13 11:31 -------- d-----w- c:\documents and settings\Guy Shelton\Application Data\uTorrent
2010-09-20 12:05 . 2010-03-20 03:45 -------- d-----w- c:\program files\TuneUp Utilities 2010
2010-09-20 11:50 . 2010-01-31 09:09 -------- d-----w- c:\program files\PeerGuardian2
2010-09-10 22:29 . 2008-08-11 10:56 -------- d-----w- c:\documents and settings\Guy Shelton\Application Data\Skype
2010-09-10 07:34 . 2010-01-31 22:44 -------- d-----w- c:\documents and settings\Guy Shelton\Application Data\skypePM
2010-09-09 20:08 . 2008-12-18 11:39 0 -c--a-w- c:\windows\system32\drivers\lvuvc.hs
2010-09-09 20:08 . 2008-12-18 11:38 0 -c--a-w- c:\windows\system32\drivers\logiflt.iad
2010-08-31 22:35 . 2010-01-16 06:48 -------- d-----w- c:\program files\uTorrent
2010-08-27 13:02 . 2010-03-20 03:46 30528 ----a-w- c:\windows\system32\TURegOpt.exe
2010-08-27 12:56 . 2010-07-12 22:05 30016 ----a-w- c:\windows\system32\uxtuneup.dll
2010-08-18 01:03 . 2008-08-11 11:02 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-08-18 00:40 . 2008-08-11 11:31 -------- d-----w- c:\program files\Lavasoft
2010-08-18 00:37 . 2008-07-11 04:27 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-08-18 00:35 . 2008-08-11 11:31 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Lavasoft
2010-08-17 13:17 . 2004-08-03 14:56 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-09 23:02 . 2008-08-11 10:35 -------- d-----w- c:\documents and settings\Guy Shelton\Application Data\U3
2010-08-04 04:46 . 2009-09-25 09:39 -------- d-----w- c:\documents and settings\Guy Shelton\Application Data\dvdcss
2010-07-31 06:06 . 2010-07-31 06:06 89784 ----a-w- c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-07-31 03:00 . 2010-07-31 02:54 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\OrbNetworks
2010-07-31 02:54 . 2010-07-31 02:54 -------- d-----w- c:\program files\Orb Networks
2010-07-31 02:51 . 2010-07-31 02:51 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\MediaMonkey
2010-07-29 03:35 . 2010-07-29 03:35 -------- d-----w- c:\program files\TVersity
2010-07-22 15:49 . 2004-08-03 14:56 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57 . 2009-04-17 08:28 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-07-15 23:39 . 2010-01-17 11:56 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-15 23:39 . 2010-07-15 23:39 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-15 23:39 . 2010-01-17 11:56 25168 ----a-w- c:\windows\system32\drivers\AVGIDSxx.sys
2010-07-15 23:38 . 2010-01-17 11:56 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-07-07 14:05 . 2010-07-07 14:05 14904 ----a-w- c:\windows\system32\drivers\psi_mf.sys
2010-07-06 21:45 . 2010-07-06 21:46 53632 ----a-w- c:\documents and settings\Guy Shelton\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-07-06 21:45 . 2010-07-06 21:46 53632 ----a-w- c:\documents and settings\Default User.WINDOWS\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-06-30 12:31 . 2004-08-03 14:56 149504 ----a-w- c:\windows\system32\schannel.dll
2005-11-15 05:32 . 2005-11-15 05:32 3638 -c--a-r- c:\program files\Common Files\Altiris_Icon.ico
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Guy Shelton\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-01-31 135664]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-09-10 2424560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"RTHDCPL"="RTHDCPL.EXE" [2007-11-05 16855552]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-09-23 2065760]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
"AClntUsr"="c:\program files\Altiris\AClient\AClntUsr.EXE" [2010-09-26 184320]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

c:\documents and settings\Guy Shelton\Start Menu\Programs\Startup\
Secunia PSI.lnk - c:\program files\Secunia\PSI\psi.exe [2010-7-21 965176]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-15 23:39 12536 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1957994488-1715567821-839522115-3238\Scripts\Logon\0\0]
"Script"=\\emitch.com.au\SysVol\emitch.com.au\scripts\LOGON-syd2.BAT

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1957994488-1715567821-839522115-3253\Scripts\Logon\0\0]
"Script"=\\emitch.com.au\SysVol\emitch.com.au\scripts\LOGON-syd2.BAT

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1957994488-1715567821-839522115-3390\Scripts\Logon\0\0]
"Script"=\\emitch.com.au\SysVol\emitch.com.au\scripts\LOGON-syd2.BAT

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-546423565-1359028110-635785055-11120\Scripts\Logoff\0\0]
"Script"=\\mitch.mitchells.com.au\netlogon\user.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-546423565-1359028110-635785055-11120\Scripts\Logon\0\0]
"Script"=\\mitch.mitchells.com.au\netlogon\user.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"WMPNSCFG"=c:\program files\Windows Media Player\WMPNSCFG.exe
"PeerGuardian"=c:\program files\PeerGuardian2\pg2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" /hide
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"ControlCenter2.0"=c:\program files\Brother\ControlCenter2\brctrcen.exe /autorun
"PaperPort PTD"=c:\program files\ScanSoft\PaperPort\pptd40nt.exe
"IndexSearch"=c:\program files\ScanSoft\PaperPort\IndexSearch.exe
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
"SetDefPrt"=c:\program files\Brother\Brmfl05a\BrStDvPt.exe
"AClntUsr"=c:\program files\Altiris\AClient\AClntUsr.EXE
"Synchronization Manager"=%SystemRoot%\system32\mobsync.exe /logon

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Altiris\\AClient\\AClntUsr.EXE"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\OrbjetManager.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\OrbSetupWizard.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\Orb.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\OrbStreamerClient.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\OrbControlPanel.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\OrbLauncher.exe"=
"c:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"41952:TCP"= 41952:TCP:Xbox
"41952:UDP"= 41952:UDP:Xbox1
"10243:TCP"= 10243:TCP:Windows Media Player Network Sharing Service
"10280:UDP"= 10280:UDP:Windows Media Player Network Sharing Service
"10281:UDP"= 10281:UDP:Windows Media Player Network Sharing Service
"10282:UDP"= 10282:UDP:Windows Media Player Network Sharing Service
"10283:UDP"= 10283:UDP:Windows Media Player Network Sharing Service
"10284:UDP"= 10284:UDP:Windows Media Player Network Sharing Service
"81:TCP"= 81:TCP:Orbport2

R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [17/01/2010 9:56 PM 25168]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [17/01/2010 9:56 PM 52872]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [17/01/2010 9:56 PM 216400]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [17/01/2010 9:56 PM 243024]
R1 CCDevice;CCDevice;c:\windows\system32\drivers\CCDevice.sys [29/05/2007 6:55 PM 9216]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [18/02/2010 4:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/05/2010 4:41 AM 67656]
R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [19/06/2008 12:16 PM 55520]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [19/06/2008 12:16 PM 42048]
R2 avg9emc;AVG E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [16/07/2010 9:38 AM 921952]
R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [16/07/2010 9:39 AM 308136]
R2 avgfws9;AVG Firewall;c:\program files\AVG\AVG9\avgfws9.exe [16/07/2010 9:38 AM 2331544]
R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe [27/08/2010 10:59 PM 1051968]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [17/01/2010 9:55 PM 30104]
R3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSDriver.sys [17/01/2010 9:55 PM 122448]
R3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSFilter.sys [17/01/2010 9:55 PM 30288]
R3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys [17/01/2010 9:55 PM 26192]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys [14/10/2009 6:24 AM 10064]
S2 AVGIDSAgent;AVG9IDSAgent;c:\program files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe [16/07/2010 9:39 AM 5897808]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [17/01/2010 9:55 PM 30104]
S3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\DRIVERS\ivusb.sys --> c:\windows\system32\DRIVERS\ivusb.sys [?]
S3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [20/09/2010 9:58 PM 14424]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [8/07/2010 12:05 AM 14904]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [6/05/2008 4:06 PM 11520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2010-09-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1547161642-2139871995-725345543-1009Core.job
- c:\documents and settings\Guy Shelton\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-01-31 21:57]

2010-09-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1547161642-2139871995-725345543-1009UA.job
- c:\documents and settings\Guy Shelton\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-01-31 21:57]

2010-09-26 c:\windows\Tasks\Orb Index when idle.job
- c:\program files\Orb Networks\Orb\bin\OrbLauncher.exe [2010-06-30 01:35]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/
uInternet Settings,ProxyServer = http=127.0.0.1:6092
uInternet Settings,ProxyOverride = <local>
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {07B6AF3F-504D-42CF-B4AB-D59F68B35340} = 208.67.220.220,208.67.222.222
TCP: {44E4CF45-E603-4E15-9DFD-BF9C7056B202} = 208.67.220.220,208.67.222.222
DPF: {03A13D5D-2C8E-4C1A-970D-D6D07A4FE3D0} - hxxps://atlas.atlassolutions.com/dl/AtlasCtrl.cab
FF - ProfilePath - c:\documents and settings\Guy Shelton\Application Data\Mozilla\Firefox\Profiles\xctgjxne.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/
FF - prefs.js: network.proxy.type - 0
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - plugin: c:\documents and settings\Guy Shelton\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npvlc.dll
FF - plugin: c:\utilities\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\utilities\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\utilities\Picasa3\npPicasa3.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-RunOnce-FFTI - c:\documents and settings\Guy Shelton\Application Data\Mozilla\Firefox\Profiles\xctgjxne.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-26 18:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(644)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(6980)
c:\windows\system32\WININET.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\RTHDCPL.EXE
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
c:\windows\system32\Macromed\Flash\FlashUtil10h_ActiveX.exe
c:\windows\system32\brss01a.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\program files\Altiris\AClient\AClient.exe
c:\program files\Altiris\Altiris Agent\AeXNSAgent.exe
c:\windows\system32\ccsrvc.exe
c:\program files\Altiris\Carbon Copy\shellker.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\progra~1\Altiris\CARBON~1\client.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-09-26 18:47:54 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-26 08:47

Pre-Run: 35,420,921,856 bytes free
Post-Run: 35,447,996,416 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /TUTag=WV3K8Q /Kernel=TUKernel.exe
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional (TuneUp Backup)" /noexecute=optin /fastdetect /TUTag=WV3K8Q-BAK

- - End Of File - - 85D76B1C27DCAB7F4A1D905D234EC706



+++++++++++===========+++++++++++++++=============+++++++++++++=============+++++++++++++=========



OTL logfile created on: 26/09/2010 6:55:35 PM - Run 2
OTL by OldTimer - Version 3.2.14.1 Folder = C:\Documents and Settings\Guy Shelton\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000C09 | Country: Australia | Language: ENA | Date Format: d/MM/yyyy

1,022.00 Mb Total Physical Memory | 485.00 Mb Available Physical Memory | 47.00% Memory free
3.00 Gb Paging File | 2.00 Gb Available in Paging File | 80.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 87.62 Gb Total Space | 33.03 Gb Free Space | 37.70% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: EMITCH-0B853313
Current User Name: Guy Shelton
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/09/26 18:43:20 | 000,184,320 | ---- | M] () -- C:\Program Files\Altiris\AClient\AClntUsr.EXE
PRC - [2010/09/23 21:27:14 | 002,065,760 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgtray.exe
PRC - [2010/09/23 21:22:12 | 000,621,920 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgnsx.exe
PRC - [2010/09/23 21:20:18 | 002,331,544 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgfws9.exe
PRC - [2010/09/23 21:16:54 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Guy Shelton\Desktop\OTL.exe
PRC - [2010/09/11 02:20:20 | 002,424,560 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
PRC - [2010/08/27 23:01:24 | 000,743,232 | ---- | M] (TuneUp Software) -- C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe
PRC - [2010/08/27 22:59:38 | 001,051,968 | ---- | M] (TuneUp Software) -- C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe
PRC - [2010/07/21 09:40:19 | 000,921,952 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgemc.exe
PRC - [2010/07/16 09:39:36 | 000,515,424 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgrsx.exe
PRC - [2010/07/16 09:39:31 | 000,308,136 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe
PRC - [2010/07/16 09:38:04 | 000,723,296 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgcsrvx.exe
PRC - [2010/07/16 09:38:02 | 001,101,152 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgchsvx.exe
PRC - [2009/10/07 01:47:34 | 000,154,136 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
PRC - [2008/07/07 08:15:18 | 000,611,664 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
PRC - [2008/04/19 01:09:00 | 005,169,228 | ---- | M] (Altiris, Inc.) -- C:\Program Files\Altiris\AClient\ACLIENT.EXE
PRC - [2008/04/14 10:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/01/31 13:09:29 | 001,277,952 | ---- | M] (Altiris, Inc.) -- C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
PRC - [2007/05/29 19:13:16 | 001,437,696 | ---- | M] (Altiris) -- C:\Program Files\Altiris\Carbon Copy\Client.exe
PRC - [2007/05/29 19:13:16 | 000,724,992 | ---- | M] (Altiris) -- C:\Program Files\Altiris\Carbon Copy\ShellKer.exe
PRC - [2007/05/29 18:52:10 | 000,049,152 | ---- | M] (Altiris) -- C:\WINDOWS\system32\CCSRVC.exe
PRC - [2007/01/31 13:55:42 | 000,096,370 | ---- | M] (Canon Inc.) -- C:\Program Files\Canon\CAL\CALMAIN.exe
PRC - [2001/12/12 23:01:00 | 000,045,056 | ---- | M] (brother Industries Ltd) -- C:\WINDOWS\system32\brss01a.exe


========== Modules (SafeList) ==========

MOD - [2010/09/23 21:16:54 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Guy Shelton\Desktop\OTL.exe
MOD - [2008/04/14 10:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - [2010/09/23 21:20:18 | 002,331,544 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgfws9.exe -- (avgfws9)
SRV - [2010/09/20 22:05:46 | 000,435,008 | ---- | M] (TuneUp Software) [On_Demand | Stopped] -- C:\Program Files\TuneUp Utilities 2010\TuneUpDefragService.exe -- (TuneUp.Defrag)
SRV - [2010/08/27 22:59:38 | 001,051,968 | ---- | M] (TuneUp Software) [Auto | Running] -- C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe -- (TuneUp.UtilitiesSvc)
SRV - [2010/08/27 22:56:30 | 000,030,016 | ---- | M] (TuneUp Software) [Auto | Running] -- C:\WINDOWS\system32\uxtuneup.dll -- (UxTuneUp)
SRV - [2010/07/21 09:40:19 | 000,921,952 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgemc.exe -- (avg9emc)
SRV - [2010/07/16 09:39:31 | 000,308,136 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgwdsvc.exe -- (avg9wd)
SRV - [2010/07/16 09:39:19 | 005,897,808 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Stopped] -- C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe -- (AVGIDSAgent)
SRV - [2009/10/07 01:47:34 | 000,154,136 | ---- | M] (Logitech Inc.) [Auto | Running] -- C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe -- (LVPrcSrv)
SRV - [2008/07/07 08:15:18 | 000,611,664 | ---- | M] (Lavasoft) [Auto | Running] -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe -- (aawservice)
SRV - [2008/04/19 01:09:00 | 005,169,228 | ---- | M] (Altiris, Inc.) [Auto | Running] -- C:\Program Files\Altiris\AClient\AClient.exe -- (AClient)
SRV - [2008/01/31 13:09:29 | 001,277,952 | ---- | M] (Altiris, Inc.) [Auto | Running] -- C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe -- (AeXNSClient)
SRV - [2007/10/25 14:27:54 | 000,266,240 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe -- (WLSetupSvc)
SRV - [2007/05/29 18:52:10 | 000,049,152 | ---- | M] (Altiris) [Auto | Running] -- C:\WINDOWS\system32\CCSRVC.exe -- (CarbonCopy32)
SRV - [2007/01/31 13:55:42 | 000,096,370 | ---- | M] (Canon Inc.) [Auto | Running] -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8)
SRV - [2002/04/11 23:00:00 | 000,057,344 | ---- | M] (brother Industries Ltd) [Auto | Stopped] -- C:\WINDOWS\system32\brsvc01a.exe -- (Brother XP spl Service)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\ivusb.sys -- (ivusb)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\ewusbmdm.sys -- (hwdatacard)
DRV - File not found [Kernel | On_Demand | Running] -- C:\ComboFix\catchme.sys -- (catchme)
DRV - [2010/07/16 09:39:40 | 000,243,024 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgtdix.sys -- (AvgTdiX)
DRV - [2010/07/16 09:39:23 | 000,030,288 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSFilter.sys -- (AVGIDSFilterxpx)
DRV - [2010/07/16 09:39:23 | 000,026,192 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys -- (AVGIDSShimxpx)
DRV - [2010/07/16 09:39:23 | 000,025,168 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\AVGIDSxx.sys -- (AVGIDSErHrxpx)
DRV - [2010/07/16 09:39:22 | 000,122,448 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSDriver.sys -- (AVGIDSDriverxpx)
DRV - [2010/07/16 09:38:04 | 000,216,400 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgldx86.sys -- (AvgLdx86)
DRV - [2010/07/08 00:05:32 | 000,014,904 | ---- | M] (Secunia) [File_System | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\psi_mf.sys -- (PSI)
DRV - [2010/06/06 21:54:15 | 000,029,584 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\System32\Drivers\avgmfx86.sys -- (AvgMfx86)
DRV - [2010/05/11 04:41:30 | 000,067,656 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010/03/17 07:25:34 | 000,052,872 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\WINDOWS\System32\Drivers\avgrkx86.sys -- (AvgRkx86)
DRV - [2010/02/18 04:25:48 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2010/01/17 21:55:13 | 000,030,104 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\avgfwdx.sys -- (Avgfwfd)
DRV - [2010/01/17 21:55:13 | 000,030,104 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\avgfwdx.sys -- (Avgfwdx)
DRV - [2010/01/03 20:36:28 | 000,002,401 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\AlKernel.sys -- (AlKernel)
DRV - [2009/10/14 06:24:44 | 000,010,064 | ---- | M] (TuneUp Software) [Kernel | On_Demand | Running] -- C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys -- (TuneUpUtilitiesDrv)
DRV - [2009/10/07 18:49:50 | 000,023,832 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lvuvcflt.sys -- (FilterService)
DRV - [2009/10/07 18:49:38 | 006,756,632 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lvuvc.sys -- (LVUVC) Logitech QuickCam Pro 9000(UVC)
DRV - [2009/10/07 18:47:54 | 000,266,008 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lvrs.sys -- (LVRS)
DRV - [2009/10/07 01:46:36 | 000,025,752 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LVPr2Mon.sys -- (LVPr2Mon)
DRV - [2009/09/28 02:02:44 | 000,014,424 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\PeerBlock\pbfilter.sys -- (pbfilter)
DRV - [2009/05/09 00:14:20 | 000,014,736 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nuidfltr.sys -- (NuidFltr)
DRV - [2008/07/27 01:26:20 | 000,041,752 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LVUSBSta.sys -- (LVUSBSta)
DRV - [2008/05/31 01:42:54 | 000,042,048 | ---- | M] (Sun Microsystems, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\VBoxUSBMon.sys -- (VBoxUSBMon)
DRV - [2008/05/31 01:42:46 | 000,055,520 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\VBoxDrv.sys -- (VBoxDrv)
DRV - [2008/05/06 16:06:00 | 000,011,520 | ---- | M] (Western Digital Technologies) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wdcsam.sys -- (WDC_SAM)
DRV - [2008/04/14 04:45:12 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/04/14 02:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2007/12/20 14:32:52 | 002,236,032 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NETw4x32.sys -- (NETw4x32) Intel®
DRV - [2007/11/14 16:14:02 | 004,625,408 | R--- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2007/11/02 15:52:04 | 002,644,480 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2007/10/12 11:59:12 | 001,920,920 | R--- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lvpopflt.sys -- (lvpopflt)
DRV - [2007/09/10 11:34:40 | 000,030,816 | ---- | M] (Intel Corporation ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\iqvw32.sys -- (NAL)
DRV - [2007/08/30 11:07:22 | 000,242,320 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\e1e5132.sys -- (e1express) Intel®
DRV - [2007/05/29 18:55:50 | 000,009,216 | ---- | M] (Altiris) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\CCDevice.sys -- (CCDevice)
DRV - [2007/03/08 17:41:42 | 000,040,848 | ---- | M] (UPEK Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tcusb.sys -- (TcUsb)
DRV - [2007/02/04 04:27:55 | 000,490,784 | R--- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LV561AV.SYS -- (PID_0928) Logitech QuickCam Express(PID_0928)
DRV - [2004/10/15 12:50:20 | 000,015,295 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BrScnUsb.sys -- (BrScnUsb)
DRV - [2001/08/17 22:10:28 | 000,035,913 | ---- | M] (SMC) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\smcirda.sys -- (SMCIRDA)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1547161642-2139871995-725345543-1009\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com.au/
IE - HKU\S-1-5-21-1547161642-2139871995-725345543-1009\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1547161642-2139871995-725345543-1009\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\S-1-5-21-1547161642-2139871995-725345543-1009\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6092

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.com.au/"
FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:9.0.0.845
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {66E978CD-981F-47DF-AC42-E3CF417C1467}:0.4.2
FF - prefs.js..extensions.enabledItems: {73a6fe31-595d-460b-a920-fcc0f8843232}:2.0.3
FF - prefs.js..extensions.enabledItems: {AB2CE124-6272-4b12-94A9-7303C7397BD1}:4.2.0.5198
FF - prefs.js..extensions.enabledItems: {90E9F5EB-4C2D-4932-9CD5-B8D17147612E}:1.9.1
FF - prefs.js..network.proxy.type: 0


FF - HKLM\software\mozilla\Firefox\extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG9\Firefox [2010/09/23 21:24:57 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/09/12 19:48:56 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/09/12 19:48:56 | 000,000,000 | ---D | M]

[2008/08/13 21:04:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Guy Shelton\Application Data\Mozilla\Extensions
[2010/09/20 22:26:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Guy Shelton\Application Data\Mozilla\Firefox\Profiles\xctgjxne.default\extensions
[2010/09/20 22:26:41 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Guy Shelton\Application Data\Mozilla\Firefox\Profiles\xctgjxne.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/01/21 19:57:56 | 000,000,000 | ---D | M] (New Tab Homepage) -- C:\Documents and Settings\Guy Shelton\Application Data\Mozilla\Firefox\Profiles\xctgjxne.default\extensions\{66E978CD-981F-47DF-AC42-E3CF417C1467}
[2010/09/20 22:26:41 | 000,000,000 | ---D | M] (NoScript) -- C:\Documents and Settings\Guy Shelton\Application Data\Mozilla\Firefox\Profiles\xctgjxne.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
[2010/09/20 22:26:52 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/04/29 17:23:46 | 000,000,000 | ---D | M] (Skype extension for Firefox) -- C:\Program Files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
[2005/06/26 01:08:08 | 006,153,728 | ---- | M] (VideoLAN Team) -- C:\Program Files\Mozilla Firefox\plugins\npvlc.dll
[2010/09/12 19:48:49 | 000,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml
[2010/09/12 19:48:49 | 000,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml
[2010/09/12 19:48:49 | 000,000,769 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml
[2010/09/12 19:48:49 | 000,001,135 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2010/09/26 18:41:03 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM..\Run: [AClntUsr] C:\Program Files\Altiris\AClient\AClntUsr.EXE ()
O4 - HKLM..\Run: [AVG9_TRAY] C:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe ()
O4 - HKU\S-1-5-21-1547161642-2139871995-725345543-1009..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O4 - Startup: C:\Documents and Settings\Guy Shelton\Start Menu\Programs\Startup\Secunia PSI.lnk = C:\Program Files\Secunia\PSI\psi.exe (Secunia)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1547161642-2139871995-725345543-1009\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1547161642-2139871995-725345543-1009\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1547161642-2139871995-725345543-1009\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1547161642-2139871995-725345543-1009\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O12 - Plugin for: .spop - C:\Program Files\Internet Explorer\PLUGINS\NPDocBox.dll (InterTrust Technologies Corporation, Inc.)
O16 - DPF: {03A13D5D-2C8E-4C1A-970D-D6D07A4FE3D0} https://atlas.atlassolutions.com/dl/AtlasCtrl.cab (FileMgr Class)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/...b?1197345027643 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O24 - Desktop WallPaper: C:\Documents and Settings\Guy Shelton\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Guy Shelton\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/12/11 11:24:11 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/09/26 18:30:58 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/09/26 18:27:59 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/09/26 18:27:59 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/09/26 18:27:58 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/09/26 18:27:58 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/09/26 18:27:48 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/09/26 18:27:25 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/09/23 21:16:47 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Guy Shelton\Desktop\OTL.exe
[2010/09/20 22:11:50 | 000,000,000 | ---D | C] -- C:\Program Files\Secunia
[2010/09/20 22:04:39 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2010/09/20 21:58:19 | 000,000,000 | ---D | C] -- C:\Program Files\PeerBlock
[2010/09/18 21:12:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Guy Shelton\Application Data\SUPERAntiSpyware.com
[2010/09/18 21:12:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\SUPERAntiSpyware.com
[2010/09/18 21:11:47 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010/09/13 22:36:34 | 000,157,712 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2010/09/12 19:43:28 | 001,913,032 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\Guy Shelton\My Documents\HousecallLauncher.exe
[2010/09/11 08:45:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Guy Shelton\Local Settings\Application Data\hxovdhldq
[2010/09/11 08:45:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Guy Shelton\Local Settings\Application Data\qwivdpkln
[2010/09/11 08:44:41 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users.WINDOWS\Documents\Server
[2010/09/11 08:44:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Guy Shelton\Application Data\5B6DDA162E75C9D0D55A3C4B0EB53ABC
[6 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/09/26 18:43:18 | 000,001,390 | ---- | M] () -- C:\AClient.cfg
[2010/09/26 18:43:06 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/09/26 18:41:22 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/09/26 18:41:13 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/09/26 18:41:03 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/09/26 18:40:50 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/09/26 18:40:48 | 1071,697,920 | -HS- | M] () -- C:\hiberfil.sys
[2010/09/26 18:39:48 | 009,175,040 | -H-- | M] () -- C:\Documents and Settings\Guy Shelton\NTUSER.DAT
[2010/09/26 18:31:03 | 000,000,506 | RHS- | M] () -- C:\boot.ini
[2010/09/26 18:25:07 | 000,001,002 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1547161642-2139871995-725345543-1009UA.job
[2010/09/26 17:55:57 | 003,854,099 | R--- | M] () -- C:\Documents and Settings\Guy Shelton\Desktop\ComboFix.exe
[2010/09/26 15:38:38 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Guy Shelton\Local Settings\Application Data\prvlcl.dat
[2010/09/26 15:21:33 | 000,623,062 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\iavifw.avm
[2010/09/26 15:21:31 | 065,288,245 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2010/09/26 15:18:27 | 000,132,597 | ---- | M] () -- C:\Documents and Settings\Guy Shelton\Desktop\Flash_Disinfector.exe
[2010/09/26 15:16:31 | 000,000,310 | ---- | M] () -- C:\WINDOWS\tasks\Orb Index when idle.job
[2010/09/26 07:25:01 | 000,000,950 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1547161642-2139871995-725345543-1009Core.job
[2010/09/24 22:09:08 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Guy Shelton\ntuser.ini
[2010/09/24 13:25:56 | 000,168,448 | ---- | M] () -- C:\Documents and Settings\Guy Shelton\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/09/23 21:31:15 | 000,059,558 | ---- | M] () -- C:\Documents and Settings\Guy Shelton\My Documents\rootkit remove report
[2010/09/23 21:16:54 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Guy Shelton\Desktop\OTL.exe
[2010/09/23 21:16:26 | 000,133,632 | ---- | M] () -- C:\Documents and Settings\Guy Shelton\Desktop\RKUnhookerLE.EXE
[2010/09/21 17:27:54 | 001,061,376 | ---- | M] () -- C:\Documents and Settings\Guy Shelton\My Documents\BleepingComputerhowto.doc
[2010/09/20 22:12:26 | 000,000,720 | ---- | M] () -- C:\Documents and Settings\Guy Shelton\Start Menu\Programs\Startup\Secunia PSI.lnk
[2010/09/20 22:05:46 | 000,001,731 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\TuneUp 1-Click Maintenance.lnk
[2010/09/20 22:05:46 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\TuneUp Utilities.lnk
[2010/09/18 21:11:52 | 000,001,678 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/09/18 15:45:08 | 000,026,624 | ---- | M] () -- C:\Documents and Settings\Guy Shelton\My Documents\auction letter.doc
[2010/09/18 15:45:05 | 000,024,064 | ---- | M] () -- C:\Documents and Settings\Guy Shelton\My Documents\1st Impressions envelope.doc
[2010/09/16 19:54:40 | 000,000,792 | ---- | M] () -- C:\Documents and Settings\Guy Shelton\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Microsoft Office Outlook.lnk
[2010/09/16 19:54:35 | 000,510,282 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/09/16 19:54:35 | 000,435,594 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/09/16 19:54:35 | 000,068,490 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/09/16 19:06:37 | 000,000,603 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/09/16 19:06:13 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/09/15 07:08:03 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Guy Shelton\defogger_reenable
[2010/09/15 07:07:04 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Guy Shelton\Desktop\Defogger.exe
[2010/09/12 19:43:43 | 001,913,032 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\Guy Shelton\My Documents\HousecallLauncher.exe
[2010/09/12 19:34:21 | 000,000,036 | ---- | M] () -- C:\Documents and Settings\Guy Shelton\Local Settings\Application Data\housecall.guid.cache
[2010/09/12 15:16:14 | 004,959,888 | -H-- | M] () -- C:\Documents and Settings\Guy Shelton\Local Settings\Application Data\IconCache.db
[2010/09/11 08:47:41 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Rnolasaxogapog.dat
[2010/09/11 08:47:41 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Yzeninaqaf.bin
[2010/09/10 17:34:38 | 000,002,283 | ---- | M] () -- C:\Documents and Settings\Guy Shelton\Application Data\Microsoft\Internet Explorer\Quick Launch\Skype.lnk
[2010/09/10 06:08:54 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\drivers\lvuvc.hs
[2010/09/10 06:08:52 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\drivers\logiflt.iad
[2010/08/27 23:02:10 | 000,030,528 | ---- | M] (TuneUp Software) -- C:\WINDOWS\System32\TURegOpt.exe
[2010/08/27 22:56:30 | 000,030,016 | ---- | M] (TuneUp Software) -- C:\WINDOWS\System32\uxtuneup.dll
[6 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/09/26 18:31:03 | 000,000,389 | ---- | C] () -- C:\Boot.bak
[2010/09/26 18:31:00 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2010/09/26 18:27:59 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/09/26 18:27:59 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/09/26 18:27:58 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/09/26 18:27:58 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/09/26 18:27:58 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/09/26 17:55:57 | 003,854,099 | R--- | C] () -- C:\Documents and Settings\Guy Shelton\Desktop\ComboFix.exe
[2010/09/26 15:18:24 | 000,132,597 | ---- | C] () -- C:\Documents and Settings\Guy Shelton\Desktop\Flash_Disinfector.exe
[2010/09/23 21:31:15 | 000,059,558 | ---- | C] () -- C:\Documents and Settings\Guy Shelton\My Documents\rootkit remove report
[2010/09/23 21:16:24 | 000,133,632 | ---- | C] () -- C:\Documents and Settings\Guy Shelton\Desktop\RKUnhookerLE.EXE
[2010/09/21 17:27:53 | 001,061,376 | ---- | C] () -- C:\Documents and Settings\Guy Shelton\My Documents\BleepingComputerhowto.doc
[2010/09/20 22:12:26 | 000,000,720 | ---- | C] () -- C:\Documents and Settings\Guy Shelton\Start Menu\Programs\Startup\Secunia PSI.lnk
[2010/09/20 22:05:46 | 000,001,729 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\TuneUp Utilities.lnk
[2010/09/18 21:11:52 | 000,001,678 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/09/18 15:45:05 | 000,024,064 | ---- | C] () -- C:\Documents and Settings\Guy Shelton\My Documents\1st Impressions envelope.doc
[2010/09/16 20:07:02 | 000,026,624 | ---- | C] () -- C:\Documents and Settings\Guy Shelton\My Documents\auction letter.doc
[2010/09/15 07:08:03 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Guy Shelton\defogger_reenable
[2010/09/15 07:07:02 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Guy Shelton\Desktop\Defogger.exe
[2010/09/14 19:54:02 | 1071,697,920 | -HS- | C] () -- C:\hiberfil.sys
[2010/09/12 19:34:21 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\Guy Shelton\Local Settings\Application Data\housecall.guid.cache
[2010/09/11 11:01:55 | 000,002,293 | ---- | C] () -- C:\Documents and Settings\Guy Shelton\avgrep.txt
[2010/09/11 08:47:41 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Yzeninaqaf.bin
[2010/09/11 08:47:40 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Rnolasaxogapog.dat
[2010/06/17 15:14:41 | 000,000,210 | ---- | C] () -- C:\WINDOWS\Brpfx04a.ini
[2010/06/17 15:14:41 | 000,000,093 | ---- | C] () -- C:\WINDOWS\brpcfx.ini
[2010/06/17 15:13:24 | 000,106,496 | ---- | C] () -- C:\WINDOWS\System32\BrMuSNMP.dll
[2010/06/17 15:10:31 | 000,027,019 | ---- | C] () -- C:\WINDOWS\maxlink.ini
[2010/02/01 07:50:17 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Guy Shelton\Local Settings\Application Data\prvlcl.dat
[2010/01/16 08:41:48 | 000,000,180 | ---- | C] () -- C:\Documents and Settings\Guy Shelton\Application Data\setup.log
[2010/01/16 08:41:39 | 000,000,760 | ---- | C] () -- C:\Documents and Settings\Guy Shelton\Application Data\setup_ldm.iss
[2010/01/15 15:59:04 | 000,000,462 | ---- | C] () -- C:\WINDOWS\BRWMARK.INI
[2010/01/15 15:59:04 | 000,000,030 | ---- | C] () -- C:\WINDOWS\System32\brss01a.ini
[2010/01/15 15:59:04 | 000,000,027 | ---- | C] () -- C:\WINDOWS\BRPP2KA.INI
[2009/10/07 01:46:36 | 000,025,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\LVPr2Mon.sys
[2009/10/07 01:23:08 | 000,013,584 | ---- | C] () -- C:\WINDOWS\System32\drivers\iKeyLFT2.dll
[2009/04/19 16:14:22 | 000,157,696 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2009/04/19 16:14:20 | 000,056,832 | ---- | C] () -- C:\WINDOWS\System32\Iyvu9_32.dll
[2009/04/19 16:14:19 | 000,856,064 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2009/04/19 16:14:19 | 000,568,850 | ---- | C] () -- C:\WINDOWS\System32\x264vfw.dll
[2009/04/19 16:14:19 | 000,217,088 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2009/04/19 16:14:17 | 000,005,120 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2009/04/19 16:14:17 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2008/10/08 21:04:32 | 000,000,464 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2008/09/20 07:57:34 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2008/09/20 07:55:10 | 000,000,416 | ---- | C] () -- C:\WINDOWS\System32\dtu100.dll.manifest
[2008/09/20 07:55:10 | 000,000,416 | ---- | C] () -- C:\WINDOWS\System32\dpl100.dll.manifest
[2008/09/01 11:32:40 | 000,000,082 | ---- | C] () -- C:\WINDOWS\Eltm.ini
[2008/09/01 10:22:04 | 000,000,115 | ---- | C] () -- C:\WINDOWS\Fsas.ini
[2008/08/27 20:04:48 | 000,210,944 | ---- | C] () -- C:\WINDOWS\System32\MSVCRT10.DLL
[2008/08/27 20:04:47 | 000,000,149 | ---- | C] () -- C:\WINDOWS\KPCMS.INI
[2008/08/16 16:44:02 | 000,082,289 | ---- | C] () -- C:\WINDOWS\System32\lvcoinst.ini
[2008/08/11 20:20:52 | 000,168,448 | ---- | C] () -- C:\Documents and Settings\Guy Shelton\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/07/11 14:27:23 | 000,002,401 | ---- | C] () -- C:\WINDOWS\System32\drivers\AlKernel.sys
[2008/06/19 12:16:44 | 000,055,520 | ---- | C] () -- C:\WINDOWS\System32\drivers\VBoxDrv.sys
[2008/04/23 14:09:51 | 000,000,035 | ---- | C] () -- C:\WINDOWS\Blink.ini
[2007/12/12 08:12:38 | 000,000,488 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/12/11 15:00:34 | 000,000,175 | ---- | C] () -- C:\WINDOWS\hpbafd.ini
[2005/11/15 15:32:22 | 000,003,638 | R--- | C] () -- C:\Program Files\Common Files\Altiris_Icon.ico
[2004/08/04 00:56:38 | 000,533,568 | ---- | C] () -- C:\WINDOWS\System32\msmqutuy.dll
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/03/04 10:16:34 | 000,110,592 | R--- | C] () -- C:\WINDOWS\System32\Jpeg32.dll
< End of report >
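Two things in the report above drive the clean-up that follows it: an Internet Explorer ProxyServer value pointing at 127.0.0.1, and a handful of folders and files with no company name all created on 11 September between 08:44 and 08:47. The Python below is an added example, not part of this thread, of OTL, or of any BleepingComputer tool: it parses the two OTL line shapes involved and applies exactly those two checks to a constructed sample made of lines copied from the log. The regular expressions, the five-minute window and the burst size of three are assumptions chosen for the example, not OTL rules.

```python
"""Triage checks over OTL (OldTimer's List-It) report lines.

Added example, not code from the thread, from OTL or from BleepingComputer.
Checks: an IE ProxyServer on the loopback interface, and bursts of
unattributed files/folders created within minutes of each other.  The
regexes, the 5-minute window and the burst size of 3 are assumptions.
"""
import re
from collections import namedtuple
from datetime import datetime, timedelta

# [2010/09/11 08:45:42 | 000,000,000 | ---D | C] (Company) -- C:\path
# "(Company)" is absent for directories and "()" for files without a company.
FILE_RE = re.compile(
    r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| ([\d,]+) \| (\S{4}) \| ([CM])\]"
    r"(?: \((.*?)\))? -- (.+)$"
)
# IE - HKU\<sid>\...\Internet Settings: "ProxyServer" = http=127.0.0.1:6092
IE_RE = re.compile(r'^IE - (.+?): "(\w+)" = (.*)$')

Entry = namedtuple("Entry", "ts size attrs kind company path")
LOOPBACK = ("127.", "localhost", "[::1]")


def parse_file_entry(line):
    """Return an Entry for a file/folder line, or None for any other line."""
    m = FILE_RE.match(line)
    if not m:
        return None
    ts, size, attrs, kind, company, path = m.groups()
    return Entry(datetime.strptime(ts, "%Y/%m/%d %H:%M:%S"),
                 int(size.replace(",", "")), attrs, kind, company or "", path)


def parse_ie_setting(line):
    """Return (registry_key, value_name, value) for an 'IE - ...' line."""
    m = IE_RE.match(line)
    return m.groups() if m else None


def loopback_proxies(lines):
    """Every ProxyServer value that routes IE through this machine.

    ProxyServer is "host:port" or "proto=host:port;proto=host:port".  It is
    reported even when ProxyEnable is 0: a trojan that installed a local
    proxy can flip that flag back, which is why the fix removes the value.
    """
    hits = []
    for line in lines:
        parsed = parse_ie_setting(line)
        if not parsed or parsed[1] != "ProxyServer":
            continue
        key, _, value = parsed
        hosts = (p.split("=", 1)[-1].strip().lower() for p in value.split(";"))
        if any(h.startswith(LOOPBACK) for h in hosts):
            hits.append((key, value))
    return hits


def creation_bursts(lines, window=timedelta(minutes=5), min_size=3):
    """Group 'Created' entries with no company name by creation time.

    A dropper writes payload, data folders and config in one go, so
    unattributed items created within `window` of each other deserve a
    look.  Installers and cleanup tools cluster the same way (ComboFix's
    helpers under C:\\WINDOWS, for instance), so each burst still has to be
    matched against what the user actually ran at that time.
    """
    created = {}
    for e in map(parse_file_entry, lines):
        if e and e.kind == "C" and not e.company:
            created.setdefault(e.path, e)   # one path can appear in several sections
    bursts, current = [], []
    for e in sorted(created.values(), key=lambda e: e.ts):
        if current and e.ts - current[0].ts > window:
            if len(current) >= min_size:
                bursts.append(current)
            current = []
        current.append(e)
    if len(current) >= min_size:
        bursts.append(current)
    return bursts


# Constructed sample: lines copied from the report above, trimmed to the
# ones that exercise both checks (including one ComboFix false positive).
SAMPLE_LINES = [
    r'IE - HKU\S-1-5-21-1547161642-2139871995-725345543-1009\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0',
    r'IE - HKU\S-1-5-21-1547161642-2139871995-725345543-1009\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6092',
    r'[2010/09/23 21:16:47 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Guy Shelton\Desktop\OTL.exe',
    r'[2010/09/11 08:45:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Guy Shelton\Local Settings\Application Data\hxovdhldq',
    r'[2010/09/11 08:45:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Guy Shelton\Local Settings\Application Data\qwivdpkln',
    r'[2010/09/11 08:44:41 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users.WINDOWS\Documents\Server',
    r'[2010/09/11 08:44:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Guy Shelton\Application Data\5B6DDA162E75C9D0D55A3C4B0EB53ABC',
    r'[2010/09/11 08:47:41 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Yzeninaqaf.bin',
    r'[2010/09/11 08:47:41 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Yzeninaqaf.bin',
    r'[2010/09/11 08:47:40 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Rnolasaxogapog.dat',
    r'[2010/09/26 18:27:59 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe',
    r'[2010/09/26 18:27:59 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe',
    r'[2010/09/26 18:27:58 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe',
    r'[2010/06/17 15:14:41 | 000,000,210 | ---- | C] () -- C:\WINDOWS\Brpfx04a.ini',
]

if __name__ == "__main__":
    for key, value in loopback_proxies(SAMPLE_LINES):
        print("loopback proxy:", value, "in", key)
    for burst in creation_bursts(SAMPLE_LINES):
        print("burst of %d unattributed items from %s" % (len(burst), burst[0].ts))
        for e in burst:
            print("   ", e.ts.strftime("%Y/%m/%d %H:%M:%S"), e.path)
```

Run against the sample, the proxy check returns the single 127.0.0.1:6092 entry, and the burst check returns two groups: the six 11 September items that the OTL fix later moves, and the three ComboFix helper binaries dropped into C:\WINDOWS on 26 September. The second group is the caveat in practice: a time-cluster heuristic cannot tell a dropper from a tool the user ran deliberately, so the analyst matches each burst against the session history before acting on it.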



#8 Shannon2012

  • Security Colleague
  • 3,657 posts
  • Gender:Male
  • Location:North Carolina, USA

Posted 27 September 2010 - 08:26 AM

Hi-

Thanks for the ComboFix and OTL logs. We need to do more work though to clean your computer.

Your Java runtimes are out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove the older Java components and update:
  • Download the latest version here - Java Runtime Environment (JRE) Version 6
  • Scroll down to where it says "JDK 6 Update 21 (JRE) ...allows end-users to run Java applications".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u21-windows-i586.exe to install the newest version.
Your logs show that you are using peer-to-peer (P2P) or file-sharing programs like uTorrent.
    These programs allow users to share files with each other, as the name suggests. In today's world, cyber crime has grown into an enormous business, and any means is used to infect personal computers and to make use of their stored data or machine power for further propagation of malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

    It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, so they should be used with intense care. Some further reading on this subject: Risks of File-Sharing Technology

    It is pretty much certain that if you continue to use P2P programs, you will get infected again.

    I would recommend that you uninstall uTorrent, however that choice is up to you. If you choose to remove this program, you can do so via Start > Control Panel > Add/Remove Programs.
Next, we need to run an OTL Fix.
  • Please reopen OTL on your desktop.
  • Copy and Paste the following code into the textbox. Do not include the word "Code"
CODE
:OTL
DRV - File not found [Kernel | On_Demand | Running] -- C:\ComboFix\catchme.sys -- (catchme)
IE - HKU\S-1-5-21-1547161642-2139871995-725345543-1009\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\S-1-5-21-1547161642-2139871995-725345543-1009\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6092
[2010/09/11 08:45:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Guy Shelton\Local Settings\Application Data\hxovdhldq
[2010/09/11 08:45:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Guy Shelton\Local Settings\Application Data\qwivdpkln
[2010/09/11 08:44:41 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users.WINDOWS\Documents\Server
[2010/09/11 08:44:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Guy Shelton\Application Data\5B6DDA162E75C9D0D55A3C4B0EB53ABC
[2010/09/11 08:47:41 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Rnolasaxogapog.dat
[2010/09/11 08:47:41 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Yzeninaqaf.bin
FF - prefs.js..extensions.enabledItems: {90E9F5EB-4C2D-4932-9CD5-B8D17147612E}:1.9.1
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
:commands
[EMPTYTEMP]
  • Push
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click .
  • A report will open. Copy and Paste that report in your next reply.
  • If you have to reboot, once back up, open the C:\_OTL\MovedFiles folder and copy the newest log into your next reply.

Please run Malwarebytes' Anti-Malware (MBAM)
  • Click on the Update tab and click the Check for Updates button.
  • When the update is finished, click on the Scanner tab.
  • Select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.

I'd like for you to scan your machine with ESET OnlineScan
  • Hold down Control key and click on the following link to open ESET OnlineScan in a new window.
  • ESET OnlineScan
  • Click the button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip the next two steps)
  • Click on to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the icon on your desktop.
  • Check
  • Click the button.
  • Accept any security warnings from your browser.
  • Check
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push
  • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the button.
  • Push

Scan your external hard drive (G:) with SUPERAntiSpyware (SAS). This could run for awhile depending on how many files are on the drive.
  • On your desktop, double-click on the SUPERAntiSpyware icon.
  • Update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check G:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
In your reply, copy in the OTL Fix, MBAM, ESET (if you get one), and SAS reports. Also, please tell me how your computer is running now and what problems you still have.

Thanks,

Shannon

#9 sh0ckker

sh0ckker
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:09:07 PM

Posted 29 September 2010 - 06:00 AM

Hi,

Regarding the peer to peer software - I have been using utorrent and similar programs for some time, and while aware of the risks, have not had problems using such software.
In what you say, with regards to the problems you have been assisting me correct on my computer, do I now have a computer that is somehow more open to attacks than before I was infected with the various rootkit/malware/spyware that has been (hopefully) removed?

Here are the logs you requested, the scan of my external hard drive took 10 hours (!) and came back with no infections, which was good. During both the malwarebytes and superantispyware scans, AVG resident shield came up with a warning about a load of tracking cookies. I tried to delete them but it wouldn't, so I just closed the window both times. The process name was the spyware program that was running at the time. Should I run spybot s+d or ad aware to get rid of them?

The computer is running fine, a bit hot at times but that could mean I just need to clear the fan with some compressed air. I am more concerned about logging into any password pages like my email or skype, that those will be corrupted/stolen, i.e. it's what I can't see going on which is probably the worry.

One last thing (sorry) is it okay that I have ALL of these programs on the computer (not all running at the same time) or will a few of these programs overlap or interfere with one another and should be removed?

Spybot s+d
Ad aware
AVG 9
superantispyware
secunia psi
eset

And what should I remove regarding the various programs (or which should I remove/leave) that you have asked me to save to the desktop during this process. I normally save any programs to a "utilities" folder so they are all in the one place, should I move these to there or do they require running from the desktop specifically?

Apologies for the 20 questions, thanks again for all your help. Here are the logs, didn't attach the sas one as nothing was found.


++++++++++++++++++++===============+++++++++++++++++++======================+++++++++++++++++++++



All processes killed
Error: Unable to interpret <OTL> in the current context!
Error: Unable to interpret <DRV - File not found [Kernel | On_Demand | Running] -- C:\ComboFix\catchme.sys -- (catchme)> in the current context!
Error: Unable to interpret <IE - HKU\S-1-5-21-1547161642-2139871995-725345543-1009\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>> in the current context!
Error: Unable to interpret <IE - HKU\S-1-5-21-1547161642-2139871995-725345543-1009\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6092> in the current context!
Error: Unable to interpret <[2010/09/11 08:45:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Guy Shelton\Local Settings\Application Data\hxovdhldq> in the current context!
Error: Unable to interpret <[2010/09/11 08:45:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Guy Shelton\Local Settings\Application Data\qwivdpkln> in the current context!
Error: Unable to interpret <[2010/09/11 08:44:41 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users.WINDOWS\Documents\Server> in the current context!
Error: Unable to interpret <[2010/09/11 08:44:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Guy Shelton\Application Data\5B6DDA162E75C9D0D55A3C4B0EB53ABC> in the current context!
Error: Unable to interpret <[2010/09/11 08:47:41 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Rnolasaxogapog.dat> in the current context!
Error: Unable to interpret <[2010/09/11 08:47:41 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Yzeninaqaf.bin> in the current context!
Error: Unable to interpret <FF - prefs.js..extensions.enabledItems: {90E9F5EB-4C2D-4932-9CD5-B8D17147612E}:1.9.1> in the current context!
Error: Unable to interpret <O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)> in the current context!
Error: Unable to interpret <O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)> in the current context!
Error: Unable to interpret <O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)> in the current context!
Error: Unable to interpret <O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)> in the current context!
Error: Unable to interpret <O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)> in the current context!
Error: Unable to interpret <O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)> in the current context!
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Administrator.EMITCH-0B853313
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: All Users

User: All Users.WINDOWS

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Default User.WINDOWS
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 56504 bytes

User: Guy Shelton
->Temp folder emptied: 3888600 bytes
->Temporary Internet Files folder emptied: 8827902 bytes
->Java cache emptied: 55546578 bytes
->FireFox cache emptied: 58308685 bytes
->Google Chrome cache emptied: 272959331 bytes
->Flash cache emptied: 2172596 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: LocalService.NT AUTHORITY
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 402 bytes

User: NetworkService.NT AUTHORITY
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 82054 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2162283 bytes
%systemroot%\System32 .tmp files removed: 4528145 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 143963 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 565944 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 390.00 mb


OTL by OldTimer - Version 3.2.14.1 log created on 09282010_142505

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...



+++++++++++++++++++++++======================+++++++++++++++++++==================



Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4710

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

29/09/2010 12:01:38 AM
mbam-log-2010-09-29 (00-01-38).txt

Scan type: Full scan (C:\|)
Objects scanned: 250571
Time elapsed: 1 hour(s), 29 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


++++++++++++++++++=================+++++++++++++++++========================++++++++++++++++++



C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchLeftovers1.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\WinAgentws.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined




#10 sh0ckker

sh0ckker
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:09:07 PM

Posted 30 September 2010 - 03:50 AM

Hi again, one more thing,

AVG resident shield keeps popping up every time I run a program (was running a spybot search and it came up saying that was the process, went to file and this was where it was coming from - below). It (resident shield) also came up saying the process was c://windows/explorer.exe with the same location

C:\Documents and Settings\Guy Shelton\Application Data\Mozilla\Firefox\Profiles\xctgjxne.default\cookies.sqlite

I did a quick search and found some information on another forum regarding "yoog malware" which seems to embed itself in a similar file location on others' computers. How should I proceed? Uninstalling firefox and/or chrome? I only use Chrome but my GF uses internet explorer. There were suggestions on the other website - via majorgeeks - on how to remove/fix the problem. I won't do anything until I hear back from you in case I ruin all the work we have done so far!

I have attached a screenshot, not sure how to insert it into the post.

thanks again.

Attached Files



#11 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:07:07 AM

Posted 30 September 2010 - 06:27 AM

Hi-

We need to run the OTL fix again. Make sure when you copy the Code window contents that you include the ':OTL'
  • Please reopen on your desktop.
  • Copy and Paste the following code into the textbox. Do not include the word "Code"
CODE
:OTL
DRV - File not found [Kernel | On_Demand | Running] -- C:\ComboFix\catchme.sys -- (catchme)
IE - HKU\S-1-5-21-1547161642-2139871995-725345543-1009\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\S-1-5-21-1547161642-2139871995-725345543-1009\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6092
[2010/09/11 08:45:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Guy Shelton\Local Settings\Application Data\hxovdhldq
[2010/09/11 08:45:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Guy Shelton\Local Settings\Application Data\qwivdpkln
[2010/09/11 08:44:41 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users.WINDOWS\Documents\Server
[2010/09/11 08:44:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Guy Shelton\Application Data\5B6DDA162E75C9D0D55A3C4B0EB53ABC
[2010/09/11 08:47:41 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Rnolasaxogapog.dat
[2010/09/11 08:47:41 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Yzeninaqaf.bin
FF - prefs.js..extensions.enabledItems: {90E9F5EB-4C2D-4932-9CD5-B8D17147612E}:1.9.1
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
  • Push
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click .
  • A report will open. Copy and Paste that report in your next reply.
  • If you have to reboot, once back up, open the C:\_OTL\MovedFiles folder and copy the newest log into your next reply.

In your reply, please copy in the OTL Fix report.

On to your questions -

QUOTE
do I now have a computer that is somehow more open to attacks than before I was infected with the various rootkit/malware/spyware that has been (hopefully) removed?

No, once we clean up your computer, you should not be any more susceptible to malware than you were before.

QUOTE
One last thing (sorry) is it okay that I have ALL of these programs on the computer (not all running at the same time) or will a few of these programs overlap or interfere with one another and should be removed?

Spybot s+d
Ad aware
AVG 9
superantispyware
secunia psi
eset

Secunia PSI checks for the availability of updates to your installed software and does not conflict with any of the others listed. ESET - I don't see where you have it installed - if you are asking about the ESET Online scan, it can be useful and runs only when you ask it to. SUPERAntiSpyware is similar to Malwarebytes' Anti-Malware (MBAM), which you also have installed. Of the two, I prefer MBAM, which I update and run (quick scan) at least once a week. AdAware - I no longer use. Spybot - Search & Destroy - I do use. I update and run a scan every week or so. I use its 'Immunize' function, as well. AVG 9 is, of course, your main software defense against malware and should be active in your computer at all times. None of the others need to be active in the system all the time.

QUOTE
And what should I remove regarding the various programs (or which should I remove/leave) that you have asked me to save to the desktop during this process. I normally save any programs to a "utilities" folder so they are all in the one place, should I move these to there or do they require running from the desktop specifically?

None of the programs that I have had you install should be removed yet. We will remove them when your computer is clean and we no longer need them.


Shannon
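The two points in the reply above, why the first OTL run reported every line as "Unable to interpret <...> in the current context!" (the pasted text lacked the ':OTL' section header) and why the fix resets the per-user IE ProxyServer value (it points at the loopback address, a sign of a hijacking proxy), can be checked mechanically. The script below is an added example written for this thread, not code from OTL or from BleepingComputer; the section names and the line format it parses are assumptions modelled on the fix text quoted above, and the sample scripts are constructed from those lines.

```python
"""Added example: sanity-check an OTL fix script before running it.

Assumptions (not OTL's own code): a fix script is a list of lines grouped
under section headers such as ':OTL' or ':commands'; a line that appears
before any header cannot be interpreted, which mirrors the error text seen
in the thread. IE proxy lines follow the 'IE - <key>: "ProxyServer" = ...'
form that OTL prints in its scan log.
"""
import re
from typing import Dict, List, Tuple

# Section headers OTL-style scripts use (assumed list; ':OTL' and
# ':commands' are the two that appear in the thread).
SECTION_RE = re.compile(r"^:(otl|commands|files|reg|services|processes)$",
                        re.IGNORECASE)

# 'IE - HKU\...\Internet Settings: "ProxyServer" = http=127.0.0.1:6092'
IE_PROXY_RE = re.compile(
    r'^IE - (?P<key>HK[A-Z]+\\[^:]+): "ProxyServer" = (?P<value>\S+)$')


def parse_fix_script(text: str) -> Tuple[Dict[str, List[str]], List[str]]:
    """Group non-blank lines by section.

    Lines seen before any section header are returned as errors, worded the
    way OTL reported them in the thread, so a missing ':OTL' is obvious.
    """
    sections: Dict[str, List[str]] = {}
    errors: List[str] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1).lower()
            sections.setdefault(current, [])
            continue
        if current is None:
            errors.append(f"Unable to interpret <{line}> in the current context!")
        else:
            sections[current].append(line)
    return sections, errors


def proxy_host(value: str) -> str:
    """Extract the host from 'http=127.0.0.1:6092' or '127.0.0.1:6092'."""
    first_entry = value.split(";", 1)[0]          # only the first protocol entry
    host_port = first_entry.split("=", 1)[-1]     # drop an optional 'http=' prefix
    return host_port.split(":", 1)[0]


def suspicious_proxies(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (registry key, value) for ProxyServer lines aimed at loopback.

    A browser proxy on 127.0.0.1 that the user did not configure means some
    local process is sitting between the browser and the network; that is
    why the fix above clears the value.
    """
    hits = []
    for line in lines:
        m = IE_PROXY_RE.match(line)
        if not m:
            continue
        host = proxy_host(m.group("value"))
        if host.startswith("127.") or host.lower() == "localhost":
            hits.append((m.group("key"), m.group("value")))
    return hits


# Constructed from the fix lines quoted in the thread (SID shortened here).
KEY = r'HKU\S-1-5-21-1547161642-2139871995-725345543-1009\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
PROXY_LINE = f'IE - {KEY}: "ProxyServer" = http=127.0.0.1:6092'
OVERRIDE_LINE = f'IE - {KEY}: "ProxyOverride" = <local>'
DRV_LINE = r"DRV - File not found [Kernel | On_Demand | Running] -- C:\ComboFix\catchme.sys -- (catchme)"

# What the first, failed run looked like: 'OTL' pasted without the colon.
WRONG_SCRIPT = "\n".join(["OTL", DRV_LINE, OVERRIDE_LINE, PROXY_LINE,
                          ":commands", "[EMPTYTEMP]"])
# The corrected script with the ':OTL' header present.
RIGHT_SCRIPT = "\n".join([":OTL", DRV_LINE, OVERRIDE_LINE, PROXY_LINE,
                          ":commands", "[EMPTYTEMP]"])

if __name__ == "__main__":
    for name, script in (("wrong", WRONG_SCRIPT), ("right", RIGHT_SCRIPT)):
        sections, errors = parse_fix_script(script)
        print(f"{name}: {len(errors)} uninterpretable line(s), sections={sorted(sections)}")
        for key, value in suspicious_proxies(sections.get("otl", [])):
            print(f"  loopback proxy set in {key}: {value}")
```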

#12 sh0ckker

sh0ckker
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:09:07 PM

Posted 30 September 2010 - 08:05 AM

Here is the OTL report, it did it very quickly and did not need to reboot.

thanks for your answers to my questions - is Ad Aware no longer a useful program or do the other programs offer the same "services" that ad aware does as well? If it is just taking up space, I would rather just uninstall it.
The Eset scanner was the online one you got me to download, the smart installer, it is on my desktop, should I run that weekly as well as the others mentioned?
I also downloaded housecall at the start of this malware problem, if possible, once you are happy with the result, could you advise of any programs I no longer need with regards to security or any you would suggest I get in addition.

Thanks again and here is the OTL log


========== OTL ==========
Service catchme stopped successfully!
Service catchme deleted successfully!
File C:\ComboFix\catchme.sys not found.
HKU\S-1-5-21-1547161642-2139871995-725345543-1009\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyOverride| /E : value set successfully!
HKU\S-1-5-21-1547161642-2139871995-725345543-1009\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
C:\Documents and Settings\Guy Shelton\Local Settings\Application Data\hxovdhldq folder moved successfully.
C:\Documents and Settings\Guy Shelton\Local Settings\Application Data\qwivdpkln folder moved successfully.
C:\Documents and Settings\All Users.WINDOWS\Documents\Server folder moved successfully.
C:\Documents and Settings\Guy Shelton\Application Data\5B6DDA162E75C9D0D55A3C4B0EB53ABC folder moved successfully.
C:\WINDOWS\Rnolasaxogapog.dat moved successfully.
C:\WINDOWS\Yzeninaqaf.bin moved successfully.
Prefs.js: {90E9F5EB-4C2D-4932-9CD5-B8D17147612E}:1.9.1 removed from extensions.enabledItems
Starting removal of ActiveX control {8AD9C840-044E-11D1-B3E9-00805F499D93}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.

OTL by OldTimer - Version 3.2.14.1 log created on 09302010_225607

Edited by sh0ckker, 01 October 2010 - 03:49 AM.


#13 sh0ckker

sh0ckker
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:09:07 PM

Posted 01 October 2010 - 03:57 AM

Hi, this screen came up when I ran SAS again this afternoon, the same screen has come up a few times when running programs, warning me of tracking cookies. Spybot didn't clear any of these after I had run a scan earlier today?

As well, it was suggested in another discussion on majorgeeks that malwarebytes and SUPERAntiSpyware only work "properly" if you buy the product as opposed to only using the free version??

One more thing, while cleaning up recommendations from secunia PSI, I saw the program "Antivirus2010", which was popping up a few weeks back, causing problems. I tried to remove it, thinking it wouldn't be as easy as hitting remove, tried anyway and it came up with the screen shown below. Let me know if it is too hard to read.

Attached Files


Edited by sh0ckker, 01 October 2010 - 07:23 AM.


#14 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:07:07 AM

Posted 01 October 2010 - 02:43 PM

Hi-

Your question -
QUOTE
is Ad Aware no longer a useful program or do the other programs offer the same "services" that ad aware does as well??
AdAware is still a useful program but I don't use it anymore. I use SpyBot S&D to keep adware under control.

For your cookie situation, we will just remove your cookies.

For IE-

Please download ATF Cleaner by Atribune & save it to your desktop. alternate download link
  • Close all open browsers before using.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • Click on Exit

For Firefox-
  • Open Firefox.
  • Click on Tools in the upper menu bar.
  • Click on Options.
  • Click on the Privacy tab
  • Click on the Show Cookies button
  • Click on the Remove All Cookies button
  • Click on the Close button

In your reply, let me know if it appears that the AVG/cookie problem is gone. Also, let me know how your computer is doing. Let me know what is left to be fixed

Thanks.


Shannon

#15 sh0ckker

sh0ckker
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:09:07 PM

Posted 03 October 2010 - 08:12 PM

Okay, I cleared all the cookies from IE, firefox and just to be safe, chrome as well and have not had the alert that was coming up previously.

The folder that kept coming up in the alert is still there

C:\Documents and Settings\Guy Shelton\Application Data\Mozilla\Firefox\Profiles\xctgjxne.default\cookies.sqlite

Is this a required folder or should I remove it, does it have something to do with the yoog malware?

Computer is running "normally" haven't had any virus alerts or similar.

What else, if anything, remains to be done to finish the cleaning process?

Thanks again





