Virus in Windows: crcdisk.sys, ID: Win32/Patched.DX


  • This topic is locked
2 replies to this topic

#1 ralphus
Posted 18 November 2010 - 06:28 PM

Greetings;

My first sign of trouble was that Windows Media Player wouldn't play any songs--I get a circled red "X" and message that "WMP encountered a problem while playing the file..." then I started noticing seemingly random re-directs to phone directories etc, especially when I clicked on links to particular categories of sites like Microsoft and AVG. In general, diagnostics like AVG and Malware pick up nothing, but at one point after repeated attempts I did find the following:

C:\Windows\System32\drivers\crcdisk.sys
Virus identified Win32/Patched.DX
Object is white-listed (critical\system file that should not be removed)

This came through AVG; it would not take action. Also, I have gotten one message from windows stating that there is a corrupted file and I should run chkdsk, which I did, but it did not correct the problem.

Sometimes upon booting, the computer won't load the desktop; this is corrected on re-boot.

I sometimes get the following message:

Host Process For Windows Services Has Stopped Working

(The link provided with this warning takes you online to Windows Update, which I used to install Service Pack 2).

I have observed the warning not to run Combofix, but will post here the results of OTL and GMER scans (I did not see evidence of a minimized extra.txt report--will run OTL again if needed).

Early on I did two things, I installed Windows Service Pack 2 and I also deleted some programs which freed up a good 30 GB of hard drive space. I have seen your warnings about backdoors and will have to decide whether to try to fix this or wipe clean and start again. If there is a chance of continued infection I would probably opt for the latter... Thanks so much,

Ralphus

OTL logfile created on: 11/18/2010 11:19:53 AM - Run 2
OTL by OldTimer - Version 3.2.17.3 Folder = C:\Users\chuckie\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18975)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 56.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 79.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 174.56 Gb Total Space | 114.64 Gb Free Space | 65.68% Space Free | Partition Type: NTFS
Drive D: | 11.75 Gb Total Space | 1.61 Gb Free Space | 13.73% Space Free | Partition Type: NTFS
Unable to calculate disk information.

Computer Name: PODPRN | User Name: chuckie | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2010/11/17 16:50:35 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Users\chuckie\Desktop\OTL.exe
PRC - [2010/10/11 11:58:12 | 006,104,656 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
PRC - [2010/10/11 11:58:12 | 000,725,072 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSMonitor.exe
PRC - [2010/10/06 16:24:38 | 000,652,640 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgrsx.exe
PRC - [2010/10/06 16:24:36 | 001,065,824 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgnsx.exe
PRC - [2010/10/06 16:24:08 | 000,845,664 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgcsrvx.exe
PRC - [2010/10/06 16:24:08 | 000,647,008 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgchsvx.exe
PRC - [2010/09/15 04:29:10 | 002,745,696 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgtray.exe
PRC - [2010/09/10 00:45:22 | 000,265,400 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgwdsvc.exe
PRC - [2010/09/07 02:50:22 | 001,047,392 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgemcx.exe
PRC - [2010/01/26 19:58:38 | 000,256,280 | R--- | M] (Adobe Systems, Inc.) -- C:\Windows\System32\Macromed\Flash\FlashUtil10e.exe
PRC - [2009/04/11 01:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009/04/11 01:27:20 | 000,088,576 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\audiodg.exe
PRC - [2008/07/21 10:59:10 | 001,069,056 | ---- | M] (Audiovox Electronics Corp.) -- C:\Users\chuckie\Documents\RCA Detective\RCADetective.exe
PRC - [2008/01/20 21:23:43 | 000,056,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wermgr.exe
PRC - [2007/07/12 06:00:36 | 000,132,496 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
PRC - [2006/11/02 19:40:12 | 000,174,656 | ---- | M] () -- C:\Windows\System32\PSIService.exe


========== Modules (SafeList) ==========

MOD - [2010/11/17 16:50:35 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Users\chuckie\Desktop\OTL.exe
MOD - [2010/08/31 10:43:52 | 001,686,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18305_none_5cb72f2a088b0ed3\comctl32.dll
MOD - [2008/01/20 21:24:11 | 001,386,496 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msvbvm60.dll
MOD - [2006/11/02 07:34:30 | 000,136,192 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\dinput.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/10/11 11:58:12 | 006,104,656 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe -- (AVGIDSAgent)
SRV - [2010/10/06 10:31:48 | 000,517,448 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\AVG\AVG10\Toolbar\ToolbarBroker.exe -- (AVG Security Toolbar Service)
SRV - [2010/09/10 00:45:22 | 000,265,400 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG10\avgwdsvc.exe -- (avgwd)
SRV - [2008/01/20 21:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007/03/05 12:30:06 | 000,110,592 | ---- | M] (Hewlett-Packard Development Company, L.P.) [On_Demand | Stopped] -- C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe -- (Com4Qlb)
SRV - [2006/11/02 19:40:12 | 000,174,656 | ---- | M] () [Auto | Running] -- C:\Windows\System32\PSIService.exe -- (ProtexisLicensing)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\SymIM.sys -- (SymIMMP)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\SymIM.sys -- (SymIM)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - [2010/09/13 15:27:40 | 000,025,680 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\AVGIDSEH.Sys -- (AVGIDSEH)
DRV - [2010/09/07 02:49:00 | 000,298,448 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\System32\drivers\avgtdix.sys -- (Avgtdix)
DRV - [2010/09/07 02:48:56 | 000,034,384 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\Windows\System32\drivers\avgmfx86.sys -- (Avgmfx86)
DRV - [2010/09/07 02:48:54 | 000,249,424 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\System32\drivers\avgldx86.sys -- (Avgldx86)
DRV - [2010/09/07 02:48:50 | 000,026,064 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\Windows\system32\DRIVERS\avgrkx86.sys -- (Avgrkx86)
DRV - [2010/08/19 20:42:38 | 000,123,472 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AVGIDSDriver.sys -- (AVGIDSDriver)
DRV - [2010/08/19 20:42:38 | 000,027,216 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AVGIDSShim.sys -- (AVGIDSShim)
DRV - [2010/08/19 20:42:36 | 000,030,288 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AVGIDSFilter.sys -- (AVGIDSFilter)
DRV - [2008/12/04 02:42:00 | 007,606,688 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2008/01/20 21:23:27 | 000,386,616 | ---- | M] (LSI Corporation, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\megasr.sys -- (MegaSR)
DRV - [2008/01/20 21:23:27 | 000,149,560 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu320.sys -- (adpu320)
DRV - [2008/01/20 21:23:27 | 000,031,288 | ---- | M] (LSI Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\megasas.sys -- (megasas)
DRV - [2008/01/20 21:23:26 | 000,101,432 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu160m.sys -- (adpu160m)
DRV - [2008/01/20 21:23:26 | 000,074,808 | ---- | M] (Silicon Integrated Systems) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sisraid4.sys -- (SiSRaid4)
DRV - [2008/01/20 21:23:26 | 000,040,504 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\hpcisss.sys -- (HpCISSs)
DRV - [2008/01/20 21:23:25 | 000,300,600 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpahci.sys -- (adpahci)
DRV - [2008/01/20 21:23:25 | 000,089,656 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_sas.sys -- (LSI_SAS)
DRV - [2008/01/20 21:23:24 | 001,122,360 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql2300.sys -- (ql2300)
DRV - [2008/01/20 21:23:24 | 000,118,784 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\E1G60I32.sys -- (E1G60) Intel®
DRV - [2008/01/20 21:23:24 | 000,079,928 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arcsas.sys -- (arcsas)
DRV - [2008/01/20 21:23:23 | 000,235,064 | ---- | M] (Intel Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iastorv.sys -- (iaStorV)
DRV - [2008/01/20 21:23:23 | 000,130,616 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\vsmraid.sys -- (vsmraid)
DRV - [2008/01/20 21:23:23 | 000,115,816 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata2.sys -- (ulsata2)
DRV - [2008/01/20 21:23:23 | 000,096,312 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_scsi.sys -- (LSI_SCSI)
DRV - [2008/01/20 21:23:23 | 000,096,312 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_fc.sys -- (LSI_FC)
DRV - [2008/01/20 21:23:23 | 000,079,416 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arc.sys -- (arc)
DRV - [2008/01/20 21:23:22 | 000,342,584 | ---- | M] (Emulex) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\elxstor.sys -- (elxstor)
DRV - [2008/01/20 21:23:22 | 000,200,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\VSTAZL3.SYS -- (HSFHWAZL)
DRV - [2008/01/20 21:23:21 | 000,422,968 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adp94xx.sys -- (adp94xx)
DRV - [2008/01/20 21:23:21 | 000,102,968 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvraid.sys -- (nvraid)
DRV - [2008/01/20 21:23:21 | 000,045,112 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvstor.sys -- (nvstor)
DRV - [2008/01/20 21:23:20 | 000,238,648 | ---- | M] (ULi Electronics Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\uliahci.sys -- (uliahci)
DRV - [2008/01/20 21:23:00 | 000,020,024 | ---- | M] (VIA Technologies, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\viaide.sys -- (viaide)
DRV - [2008/01/20 21:23:00 | 000,019,000 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\cmdide.sys -- (cmdide)
DRV - [2008/01/20 21:23:00 | 000,017,464 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\aliide.sys -- (aliide)
DRV - [2008/01/18 06:31:26 | 000,196,784 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\SynTP.sys -- (SynTP)
DRV - [2007/12/06 15:40:14 | 000,761,856 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\athr.sys -- (athr)
DRV - [2007/09/09 17:12:28 | 000,176,640 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\CHDART.sys -- (HdAudAddService)
DRV - [2007/07/11 12:30:22 | 000,007,168 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HpqRemHid.sys -- (HpqRemHid)
DRV - [2007/07/10 09:27:56 | 000,008,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\XAudio.sys -- (XAudio)
DRV - [2007/06/20 06:29:56 | 000,984,064 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSX_DPV.sys -- (HSF_DPV)
DRV - [2007/06/20 06:28:34 | 000,208,896 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSXHWAZL.sys -- (HSXHWAZL)
DRV - [2007/06/20 06:28:22 | 000,660,480 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSX_CNXT.sys -- (winachsf)
DRV - [2007/06/18 19:12:04 | 000,016,768 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HpqKbFiltr.sys -- (HpqKbFiltr)
DRV - [2007/03/22 00:02:04 | 000,037,376 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rixdptsk.sys -- (rismxdp)
DRV - [2007/03/06 21:15:58 | 001,059,112 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvmfdx32.sys -- (NVENETFD)
DRV - [2007/02/24 16:42:22 | 000,039,936 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rimmptsk.sys -- (rimmptsk)
DRV - [2007/02/16 16:50:32 | 000,012,032 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvsmu.sys -- (nvsmu)
DRV - [2007/01/23 18:40:20 | 000,042,496 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rimsptsk.sys -- (rimsptsk)
DRV - [2006/11/02 04:50:35 | 000,106,088 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql40xx.sys -- (ql40xx)
DRV - [2006/11/02 04:50:35 | 000,098,408 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata.sys -- (UlSata)
DRV - [2006/11/02 04:50:19 | 000,045,160 | ---- | M] (IBM Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nfrd960.sys -- (nfrd960)
DRV - [2006/11/02 04:50:17 | 000,041,576 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iirsp.sys -- (iirsp)
DRV - [2006/11/02 04:50:11 | 000,071,272 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\djsvs.sys -- (aic78xx)
DRV - [2006/11/02 04:50:09 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteraid.sys -- (iteraid)
DRV - [2006/11/02 04:50:07 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteatapi.sys -- (iteatapi)
DRV - [2006/11/02 04:50:05 | 000,035,944 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\symc8xx.sys -- (Symc8xx)
DRV - [2006/11/02 04:50:03 | 000,034,920 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_u3.sys -- (Sym_u3)
DRV - [2006/11/02 04:49:59 | 000,033,384 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\mraid35x.sys -- (Mraid35x)
DRV - [2006/11/02 04:49:56 | 000,031,848 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_hi.sys -- (Sym_hi)
DRV - [2006/11/02 03:25:24 | 000,071,808 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)
DRV - [2006/11/02 03:24:47 | 000,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brusbser.sys -- (BrUsbSer)
DRV - [2006/11/02 03:24:46 | 000,005,248 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltup.sys -- (BrFiltUp)
DRV - [2006/11/02 03:24:45 | 000,013,568 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltlo.sys -- (BrFiltLo)
DRV - [2006/11/02 03:24:44 | 000,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserwdm.sys -- (BrSerWdm)
DRV - [2006/11/02 03:24:44 | 000,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brusbmdm.sys -- (BrUsbMdm)
DRV - [2006/11/02 02:36:50 | 000,020,608 | ---- | M] (N-trig Innovative Technologies) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ntrigdigi.sys -- (ntrigdigi)
DRV - [2006/11/02 02:30:53 | 000,464,384 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\BCMWL6.SYS -- (BCM43XV)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop


IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll ()
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll ()
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-3789250962-4004923041-391265789-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
IE - HKU\S-1-5-21-3789250962-4004923041-391265789-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = [Binary data over 100 bytes]
IE - HKU\S-1-5-21-3789250962-4004923041-391265789-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
IE - HKU\S-1-5-21-3789250962-4004923041-391265789-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-3789250962-4004923041-391265789-1000\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
IE - HKU\S-1-5-21-3789250962-4004923041-391265789-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn2 [2008/11/11 19:56:46 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG10\Firefox\ [2010/11/01 12:12:08 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.24\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2010/04/05 18:08:06 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.24\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins

[2009/10/22 21:23:05 | 000,000,000 | ---D | M] -- C:\Users\chuckie\AppData\Roaming\Mozilla\Extensions
[2009/10/22 21:23:05 | 000,000,000 | ---D | M] -- C:\Users\chuckie\AppData\Roaming\Mozilla\Extensions\mozswing@mozswing.org
[2010/06/23 12:20:50 | 000,000,000 | ---D | M] -- C:\Users\chuckie\AppData\Roaming\Mozilla\Firefox\extensions
[2010/06/23 12:20:50 | 000,000,000 | ---D | M] (No name found) -- C:\Users\chuckie\AppData\Roaming\Mozilla\Firefox\extensions\{E9A1DEE0-C623-4439-8932-001E7D17607D}

O1 HOSTS File: ([2006/09/18 16:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (AskBar BHO) - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (Ask.com)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG10\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (no name) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No CLSID value found.
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (AVG Security Toolbar BHO) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll ()
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll (Google Inc.)
O2 - BHO: (HP Smart BHO Class) - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll (Hewlett-Packard Co.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Ask Toolbar) - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (Ask.com)
O3 - HKLM\..\Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll ()
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKU\S-1-5-21-3789250962-4004923041-391265789-1000\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKU\S-1-5-21-3789250962-4004923041-391265789-1000\..\Toolbar\WebBrowser: (Ask Toolbar) - {3041D03E-FD4B-44E0-B742-2D9B88305F98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (Ask.com)
O3 - HKU\S-1-5-21-3789250962-4004923041-391265789-1000\..\Toolbar\WebBrowser: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll ()
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [Corel Photo Downloader] C:\Program Files\CVS\CVS Photo Editor Plus\Corel Photo Downloader.exe (Corel, Inc.)
O4 - HKLM..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe (Hewlett-Packard)
O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\Windows\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-21-3789250962-4004923041-391265789-1000..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - HKU\S-1-5-21-3789250962-4004923041-391265789-1000..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe File not found
O4 - Startup: C:\Users\chuckie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RCA Detective.lnk = C:\Users\chuckie\Documents\RCA Detective\RCADetective.exe (Audiovox Electronics Corp.)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll (Sun Microsystems, Inc.)
O9 - Extra Button: HP Smart Select - {58ECB495-38F0-49cb-A538-10282ABF65E7} - Reg Error: Value error. File not found
O9 - Extra Button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll (Hewlett-Packard Co.)
O13 - gopher Prefix: missing
O15 - HKU\.DEFAULT\..Trusted Ranges: Range1 ([http] in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Ranges: Range1 ([http] in Local intranet)
O15 - HKU\S-1-5-21-3789250962-4004923041-391265789-1000\..Trusted Ranges: Range1 ([http] in Local intranet)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab (Java Plug-in 1.6.0_02)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab (Java Plug-in 1.6.0_02)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.254.251
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.164.35,93.188.160.105
O18 - Protocol\Handler\avgsecuritytoolbar {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll ()
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG10\avgpp.dll (AVG Technologies CZ, s.r.o.)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\chuckie\AppData\Roaming\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp
O24 - Desktop BackupWallPaper: C:\Users\chuckie\AppData\Roaming\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/04/24 21:23:11 | 000,000,074 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2005/09/11 10:18:54 | 000,000,340 | -HS- | M] () - D:\AUTOMODE -- [ NTFS ]
O33 - MountPoints2\{4b899c69-5b6a-11de-a3c4-e65a65e837e0}\Shell - "" = AutoRun
O33 - MountPoints2\{4b899c69-5b6a-11de-a3c4-e65a65e837e0}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- File not found
O33 - MountPoints2\{88e045dc-4b33-11de-a01d-b2577aab3e7c}\Shell\AutoRun\command - "" = F:\rcaDVM_setup.exe -- File not found
O33 - MountPoints2\{88e045dc-4b33-11de-a01d-b2577aab3e7c}\Shell\install\command - "" = F:\rcaDVM_setup.exe -- File not found
O33 - MountPoints2\{dfce3bf8-79b0-11df-9f13-d5d37a14b72e}\Shell\AutoRun\command - "" = F:\rcaDVM_setup.exe -- File not found
O33 - MountPoints2\{dfce3bf8-79b0-11df-9f13-d5d37a14b72e}\Shell\install\command - "" = F:\rcaDVM_setup.exe -- File not found
O33 - MountPoints2\{e0b2718b-5490-11de-8c11-debb2bb8ba32}\Shell\AutoRun\command - "" = F:\rcaDVM_setup.exe -- File not found
O33 - MountPoints2\{e0b2718b-5490-11de-8c11-debb2bb8ba32}\Shell\install\command - "" = F:\rcaDVM_setup.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG10\avgchsvx.exe /sync) - C:\Program Files\AVG\AVG10\avgchsvx.exe (AVG Technologies CZ, s.r.o.)
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG10\avgrsx.exe /sync /restart) - C:\Program Files\AVG\AVG10\avgrsx.exe (AVG Technologies CZ, s.r.o.)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/11/17 16:50:32 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Users\chuckie\Desktop\OTL.exe
[2010/11/15 14:33:25 | 000,000,000 | ---D | C] -- C:\Windows\System32\vi-VN
[2010/11/15 14:33:25 | 000,000,000 | ---D | C] -- C:\Windows\System32\eu-ES
[2010/11/15 14:33:25 | 000,000,000 | ---D | C] -- C:\Windows\System32\ca-ES
[2010/11/04 13:59:26 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft
[2010/11/04 13:59:09 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Silverlight
[2010/11/04 13:58:23 | 000,000,000 | ---D | C] -- C:\ProgramData\HP Photo Creations
[2010/11/04 13:58:23 | 000,000,000 | ---D | C] -- C:\Program Files\HP Photo Creations
[2010/11/04 13:58:17 | 000,000,000 | ---D | C] -- C:\Program Files\Coupons
[2010/11/04 13:57:45 | 000,000,000 | ---D | C] -- C:\Users\chuckie\AppData\Roaming\HpUpdate
[2010/11/01 13:19:28 | 000,000,000 | ---D | C] -- C:\Users\chuckie\AppData\Roaming\AVG10
[2010/11/01 12:13:54 | 000,000,000 | -H-D | C] -- C:\ProgramData\Common Files
[2010/11/01 12:13:43 | 000,000,000 | ---D | C] -- C:\ProgramData\AVG Security Toolbar
[2010/11/01 12:11:11 | 000,000,000 | ---D | C] -- C:\ProgramData\AVG10
[2010/11/01 12:11:11 | 000,000,000 | ---D | C] -- C:\Windows\System32\drivers\AVG
[2010/10/29 13:47:02 | 000,000,000 | ---D | C] -- C:\Program Files\SimpleOCR
[4 C:\Users\chuckie\Desktop\*.tmp files -> C:\Users\chuckie\Desktop\*.tmp -> ]
[1 C:\Users\chuckie\Documents\*.tmp files -> C:\Users\chuckie\Documents\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/11/18 11:17:18 | 000,069,839 | ---- | M] () -- C:\ProgramData\nvModes.dat
[2010/11/18 11:17:18 | 000,069,839 | ---- | M] () -- C:\ProgramData\nvModes.001
[2010/11/18 11:16:18 | 000,036,273 | ---- | M] () -- C:\Users\chuckie\Desktop\Virus Info 2010.docx
[2010/11/18 11:12:06 | 000,076,200 | ---- | M] () -- C:\Users\chuckie\Desktop\index 2008.xlsx
[2010/11/18 10:46:09 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010/11/18 10:46:09 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010/11/18 10:35:06 | 000,002,585 | ---- | M] () -- C:\Users\chuckie\Desktop\Microsoft Office Excel 2007.lnk
[2010/11/18 10:20:29 | 000,595,684 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/11/18 10:20:29 | 000,101,350 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/11/17 22:49:35 | 000,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2010/11/17 22:47:28 | 000,000,396 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{D1E80A1C-06A2-4985-B28F-E73977C6D143}.job
[2010/11/17 22:47:26 | 000,000,258 | ---- | M] () -- C:\Users\Public\Documents\hpqp.ini
[2010/11/17 22:45:56 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/11/17 22:45:44 | 3152,883,712 | -HS- | M] () -- C:\hiberfil.sys
[2010/11/17 21:22:26 | 000,000,886 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2010/11/17 19:54:42 | 000,022,525 | ---- | M] () -- C:\Users\chuckie\Desktop\OTL logfile created on.docx
[2010/11/17 19:54:17 | 000,002,627 | ---- | M] () -- C:\Users\chuckie\Desktop\Microsoft Office Word 2007.lnk
[2010/11/17 17:38:32 | 099,442,188 | ---- | M] () -- C:\Windows\System32\drivers\AVG\incavi.avm
[2010/11/17 16:50:35 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Users\chuckie\Desktop\OTL.exe
[2010/11/16 23:44:31 | 000,000,162 | -H-- | M] () -- C:\Users\chuckie\Desktop\~$rus Info 2010.docx
[2010/11/16 16:04:17 | 000,099,464 | ---- | M] () -- C:\Users\chuckie\Desktop\FIX CHKDSK Try booting from your install CD.docx
[2010/11/16 15:43:42 | 000,000,162 | -H-- | M] () -- C:\Users\chuckie\Desktop\~$X CHKDSK Try booting from your install CD.docx
[2010/11/15 18:32:16 | 000,379,096 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2010/11/15 14:43:14 | 186,447,948 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2010/11/13 10:57:53 | 000,173,438 | ---- | M] () -- C:\Users\chuckie\Desktop\BROMIDE DOMINANCE.docx
[2010/11/12 15:07:19 | 000,025,936 | ---- | M] () -- C:\Users\chuckie\Desktop\flight christmas 2010.docx
[2010/11/12 14:57:17 | 000,010,299 | ---- | M] () -- C:\Users\chuckie\Desktop\Divorce--Custody--Synopsis.docx
[2010/11/08 19:44:32 | 000,406,714 | ---- | M] () -- C:\Users\chuckie\Desktop\Mrs S.docx
[2010/11/07 19:26:32 | 000,048,440 | ---- | M] () -- C:\Users\chuckie\Desktop\Deflazacort DRUG REVIEW Article.docx
[2010/11/07 19:26:32 | 000,000,162 | -H-- | M] () -- C:\Users\chuckie\Desktop\~$flazacort DRUG REVIEW Article.docx
[2010/11/05 11:13:06 | 000,000,666 | ---- | M] () -- C:\Windows\tasks\hpwebreg_CN08525HY605D2.job
[2010/11/04 14:05:49 | 000,002,828 | -HS- | M] () -- C:\Windows\System32\KGyGaAvL.sys
[2010/11/04 13:58:23 | 000,000,894 | ---- | M] () -- C:\Users\Public\Desktop\HP Photo Creations.lnk
[2010/11/04 13:57:02 | 000,002,139 | ---- | M] () -- C:\Users\Public\Desktop\HP Deskjet 1000 J110 series.lnk
[2010/11/01 12:13:25 | 000,000,830 | ---- | M] () -- C:\Users\Public\Desktop\AVG 2011.lnk
[2010/10/30 17:43:55 | 000,000,165 | -H-- | M] () -- C:\Users\chuckie\Desktop\~$yDoc 1 PPT.pptx
[2010/10/29 13:47:40 | 000,000,142 | ---- | M] () -- C:\Windows\SoftWriting.ini
[2010/10/29 13:47:04 | 000,000,840 | ---- | M] () -- C:\Users\chuckie\Desktop\SimpleOCR.lnk
[2010/10/28 14:04:33 | 001,742,607 | ---- | M] () -- C:\Users\chuckie\Documents\Anthropos Demo.wma
[2010/10/21 20:13:41 | 004,843,965 | ---- | M] () -- C:\Users\chuckie\Desktop\Doc1.docx
[2010/10/21 08:15:07 | 000,000,165 | -H-- | M] () -- C:\Users\chuckie\Desktop\~$Doc 1 PPT.pptx
[2010/10/19 22:12:01 | 000,000,162 | -H-- | M] () -- C:\Users\chuckie\Desktop\~$Doc1.docx
[2010/10/19 20:55:57 | 000,013,577 | ---- | M] () -- C:\Users\chuckie\Desktop\BEHAVIORAL ABERRATIONS--MODEL.docx
[4 C:\Users\chuckie\Desktop\*.tmp files -> C:\Users\chuckie\Desktop\*.tmp -> ]
[1 C:\Users\chuckie\Documents\*.tmp files -> C:\Users\chuckie\Documents\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/11/17 22:47:28 | 000,000,396 | -H-- | C] () -- C:\Windows\tasks\User_Feed_Synchronization-{D1E80A1C-06A2-4985-B28F-E73977C6D143}.job
[2010/11/17 19:54:42 | 000,022,525 | ---- | C] () -- C:\Users\chuckie\Desktop\OTL logfile created on.docx
[2010/11/17 17:38:32 | 099,442,188 | ---- | C] () -- C:\Windows\System32\drivers\AVG\incavi.avm
[2010/11/16 23:44:31 | 000,000,162 | -H-- | C] () -- C:\Users\chuckie\Desktop\~$rus Info 2010.docx
[2010/11/16 19:24:47 | 000,036,273 | ---- | C] () -- C:\Users\chuckie\Desktop\Virus Info 2010.docx
[2010/11/16 15:43:42 | 000,000,162 | -H-- | C] () -- C:\Users\chuckie\Desktop\~$X CHKDSK Try booting from your install CD.docx
[2010/11/15 17:28:02 | 000,099,464 | ---- | C] () -- C:\Users\chuckie\Desktop\FIX CHKDSK Try booting from your install CD.docx
[2010/11/13 10:57:52 | 000,173,438 | ---- | C] () -- C:\Users\chuckie\Desktop\BROMIDE DOMINANCE.docx
[2010/11/12 14:51:55 | 000,025,936 | ---- | C] () -- C:\Users\chuckie\Desktop\flight to tampa christmas 2010.docx
[2010/11/11 10:33:44 | 000,010,299 | ---- | C] () -- C:\Users\chuckie\Desktop\--Synopsis.docx
[2010/11/07 19:26:32 | 000,000,162 | -H-- | C] () -- C:\Users\chuckie\Desktop\~$flazacort DRUG REVIEW Article.docx
[2010/11/07 19:26:30 | 000,048,440 | ---- | C] () -- C:\Users\chuckie\Desktop\Deflazacort DRUG REVIEW Article.docx
[2010/11/04 14:04:50 | 000,000,666 | ---- | C] () -- C:\Windows\tasks\hpwebreg_CN08525HY605D2.job
[2010/11/04 13:58:23 | 000,000,894 | ---- | C] () -- C:\Users\Public\Desktop\HP Photo Creations.lnk
[2010/11/04 13:57:02 | 000,002,139 | ---- | C] () -- C:\Users\Public\Desktop\HP Deskjet 1000 J110 series.lnk
[2010/11/01 12:13:25 | 000,000,830 | ---- | C] () -- C:\Users\Public\Desktop\AVG 2011.lnk
[2010/10/30 17:43:55 | 000,000,165 | -H-- | C] () -- C:\Users\chuckie\Desktop\~$yDoc 1 PPT.pptx
[2010/10/29 13:47:04 | 000,000,840 | ---- | C] () -- C:\Users\chuckie\Desktop\SimpleOCR.lnk
[2010/10/29 13:47:04 | 000,000,142 | ---- | C] () -- C:\Windows\SoftWriting.ini
[2010/10/21 08:15:07 | 000,000,165 | -H-- | C] () -- C:\Users\chuckie\Desktop\~$Doc 1 PPT.pptx
[2010/10/20 10:56:39 | 000,000,162 | -H-- | C] () -- C:\Users\chuckie\Desktop\~$s S.docx
[2010/10/19 22:12:01 | 000,000,162 | -H-- | C] () -- C:\Users\chuckie\Desktop\~$Doc1.docx
[2010/10/19 14:35:11 | 000,013,577 | ---- | C] () -- C:\Users\chuckie\Desktop\BEHAVIORAL ABERRATIONS--MODEL.docx
[2010/07/15 10:37:05 | 000,000,262 | ---- | C] () -- C:\Windows\ka.ini
[2010/03/26 03:13:04 | 000,000,008 | RHS- | C] () -- C:\Windows\System32\3DEAC7A050.sys
[2010/03/26 03:13:03 | 000,002,828 | -HS- | C] () -- C:\Windows\System32\KGyGaAvL.sys
[2010/03/26 03:11:25 | 001,300,048 | ---- | C] () -- C:\ProgramData\pswi_preloaded.exe
[2009/09/22 15:28:30 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009/08/03 14:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2009/06/04 18:50:24 | 000,003,584 | ---- | C] () -- C:\Users\chuckie\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/03/02 20:18:40 | 000,000,452 | ---- | C] () -- C:\Windows\TB50.INI
[2009/03/02 20:18:28 | 000,000,138 | ---- | C] () -- C:\Windows\asym.ini
[2009/02/17 18:35:24 | 000,069,839 | ---- | C] () -- C:\ProgramData\nvModes.001
[2009/02/17 18:35:18 | 000,069,839 | ---- | C] () -- C:\ProgramData\nvModes.dat
[2008/10/07 12:42:02 | 000,002,128 | ---- | C] () -- C:\Users\chuckie\AppData\Roaming\wklnhst.dat
[2008/08/30 15:36:54 | 000,000,680 | ---- | C] () -- C:\Users\chuckie\AppData\Local\d3d9caps.dat
[2008/08/20 23:17:19 | 000,027,525 | ---- | C] () -- C:\Users\chuckie\AppData\Roaming\nvModes.001
[2008/08/19 22:27:29 | 000,027,525 | ---- | C] () -- C:\Users\chuckie\AppData\Roaming\nvModes.dat
[2008/08/16 22:59:11 | 000,000,000 | ---- | C] () -- C:\Users\chuckie\AppData\Local\QSwitch.txt
[2008/08/16 22:59:11 | 000,000,000 | ---- | C] () -- C:\Users\chuckie\AppData\Local\DSwitch.txt
[2008/08/16 22:59:11 | 000,000,000 | ---- | C] () -- C:\Users\chuckie\AppData\Local\AtStart.txt
[2008/07/27 04:16:35 | 000,016,480 | ---- | C] () -- C:\Windows\System32\rixdicon.dll
[2008/04/24 21:38:18 | 000,000,735 | ---- | C] () -- C:\ProgramData\hpzinstall.log
[2006/11/02 07:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 02:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/03/09 04:58:00 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll

< End of report >




GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-11-18 13:18:08
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdePort2 ST9200827AS rev.3.BHA
Running: 6hy2u6n3.exe; Driver: C:\Users\chuckie\AppData\Local\Temp\kxldapoc.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0x9E2E4780]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0x9E2E4830]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0x9E2E48D0]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0x9E2E4970]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 3F1 820F9B54 4 Bytes [80, 47, 2E, 9E] {ADD BYTE [EDI+0x2e], 0x9e}
.text ntkrnlpa.exe!KeSetEvent + 621 820F9D84 8 Bytes [30, 48, 2E, 9E, D0, 48, 2E, ...] {XOR [EAX+0x2e], CL; SAHF ; ROR BYTE [EAX+0x2e], 0x1; SAHF }
.text ntkrnlpa.exe!KeSetEvent + 681 820F9DE4 4 Bytes [70, 49, 2E, 9E]
.rsrc C:\Windows\system32\drivers\crcdisk.sys entry point in ".rsrc" section [0x8A1C9014]
.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8E203340, 0x3FA057, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Microsoft Office\Office12\WINWORD.EXE[3040] kernel32.dll!SetUnhandledExceptionFilter 7656A84F 5 Bytes JMP 622654C1 C:\Program Files\Common Files\Microsoft Shared\office12\mso.dll (2007 Microsoft Office component/Microsoft Corporation)
.text C:\Program Files\Microsoft Office\Office12\WINWORD.EXE[3040] ole32.dll!OleLoadFromStream 76831E80 4 Bytes JMP 62D1D62A C:\Program Files\Common Files\Microsoft Shared\office12\mso.dll (2007 Microsoft Office component/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T0L0-0 861E3AEA
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 861E3AEA
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 861E3AEA
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 861E3AEA
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 861E3AEA

AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Device\Ide\IdeDeviceP2T0L0-2 -> \??\IDE#DiskST9200827AS_____________________________3.BHA___#5&f552377&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sectors 390721712 (+254): rootkit-like behavior;

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\crcdisk.sys suspicious modification; TDL3 <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----

Edited by Budapest, 18 November 2010 - 06:32 PM.
Moved from AII ~BP
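The OTL "Files/Folders - Created" and "Files - Modified" sections above are long, and the handful of entries worth a second look (hidden or system-attributed files under System32 with no company name, `.sys` files sitting in System32 rather than System32\drivers) are easy to miss by eye. The following is an added triage helper, not part of OTL and not posted by anyone in the thread; the sample lines are copied from the log above, and the two heuristics are assumptions of this example. A flag is a prompt to look, not a verdict: Windows licensing and activation artifacts also live in System32 as hidden files without a company name.

```python
"""Parse OTL file entries and flag ones a responder would want to look at.

Added example (not OTL's own code).  Line format, as seen in the log:
  [YYYY/MM/DD HH:MM:SS | size | RHSD | C|M] (Company) -- path
Attribute flags: R=read-only, H=hidden, S=system, D=directory.  Directory
entries carry no "(Company)" field, so that field is optional.
"""
import re

OTL_FILE_LINE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[RHSD-]{4}) \| (?P<kind>[CM])\] "
    r"(?:\((?P<company>[^)]*)\) )?-- (?P<path>.+)$"
)

# Constructed sample: lines copied verbatim from the OTL log in this thread.
SAMPLE_LOG = r"""
[2010/11/17 16:50:32 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Users\chuckie\Desktop\OTL.exe
[2010/11/01 12:13:54 | 000,000,000 | -H-D | C] -- C:\ProgramData\Common Files
[2010/11/18 10:46:09 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010/11/17 22:45:56 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/11/17 22:45:44 | 3152,883,712 | -HS- | M] () -- C:\hiberfil.sys
[2010/11/17 17:38:32 | 099,442,188 | ---- | C] () -- C:\Windows\System32\drivers\AVG\incavi.avm
[2010/11/04 14:05:49 | 000,002,828 | -HS- | M] () -- C:\Windows\System32\KGyGaAvL.sys
[2010/03/26 03:13:04 | 000,000,008 | RHS- | C] () -- C:\Windows\System32\3DEAC7A050.sys
"""


def parse_otl_line(line):
    """Return a dict for a file/folder entry, or None for any other line."""
    m = OTL_FILE_LINE.match(line.strip())
    if not m:
        return None  # section headers, "[4 ... *.tmp files -> ...]" summaries, blanks
    d = m.groupdict()
    d["size"] = int(d["size"].replace(",", ""))
    d["company"] = (d["company"] or "").strip()
    return d


def triage_reasons(entry):
    """Heuristics (assumptions of this example) for why an entry merits a look."""
    p = entry["path"].lower()
    attrs = entry["attrs"]
    reasons = []
    if "D" in attrs:
        return reasons  # directories are not judged here
    in_system32 = "\\windows\\system32\\" in p
    if in_system32 and ("H" in attrs or "S" in attrs) and not entry["company"]:
        reasons.append("hidden/system file under System32 with no company name")
    if in_system32 and p.endswith(".sys") and "\\drivers\\" not in p:
        reasons.append(".sys file outside System32\\drivers")
    return reasons


def triage_log(text):
    """Return [(path, [reason, ...]), ...] for every flagged entry in an OTL log."""
    flagged = []
    for line in text.splitlines():
        entry = parse_otl_line(line)
        if entry is None:
            continue
        reasons = triage_reasons(entry)
        if reasons:
            flagged.append((entry["path"], reasons))
    return flagged


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for path, reasons in triage_log(text):
        print(path)
        for r in reasons:
            print("    -", r)
```

Run it against a saved OTL.txt to get the short list; on the sample lines it flags the two `.sys` files in the System32 root and the hidden GUID-named file, and leaves OTL.exe, bootstat.dat, hiberfil.sys and the AVG update file alone.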

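The two GMER lines that matter in the log above are the `.rsrc ... crcdisk.sys entry point in ".rsrc" section` entry and the `File C:\Windows\system32\drivers\crcdisk.sys suspicious modification; TDL3` verdict. They describe the same static symptom: a legitimate Microsoft driver whose `AddressOfEntryPoint` no longer points into its code section but into the resource section, which is where a TDL3-style infector appends its loader. The check below is an added example, not GMER's code and not anything posted in the thread; it parses the PE headers by hand so it needs nothing beyond the standard library, and the two "driver" images it tests are constructed in memory with header tables only (no real code), so the section layout and RVAs are assumptions of the example.

```python
"""Flag a PE image whose entry point lies in a non-executable section.

Added example (not GMER's or Microsoft's code).  Parses only the DOS header,
COFF header, the AddressOfEntryPoint field and the section table; that is
all the check needs.  The sample images are constructed header-only PE32 files.
"""
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000


def parse_pe(data):
    """Return (entry_rva, [(name, vaddr, size, characteristics), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4                                  # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                      # IMAGE_OPTIONAL_HEADER
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # same offset in PE32 and PE32+
    table = opt + size_opt                               # section table follows the optional header
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rawsize = struct.unpack_from("<III", data, off + 8)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append((name, vaddr, max(vsize, rawsize), chars))
    return entry_rva, sections


def section_for_rva(rva, sections):
    """Return the section tuple containing rva, or None if it maps nowhere."""
    for sec in sections:
        _, vaddr, size, _ = sec
        if vaddr <= rva < vaddr + size:
            return sec
    return None


def check_entry_point(data):
    """Return (entry_rva, section_name_or_None, verdict)."""
    entry, sections = parse_pe(data)
    sec = section_for_rva(entry, sections)
    if sec is None:
        return entry, None, "SUSPICIOUS: entry point maps to no section"
    name, _, _, chars = sec
    if name.lower() == ".rsrc" or not chars & IMAGE_SCN_MEM_EXECUTE:
        return entry, name, "SUSPICIOUS: entry point in non-code section " + name
    return entry, name, "ok"


def build_sample_pe(entry_rva, sections):
    """Constructed minimal PE32 (headers only), sufficient for parse_pe."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)   # exactly 0x40 bytes
    opt = bytearray(224)                                  # PE32 optional header incl. data directories
    struct.pack_into("<H", opt, 0, 0x10B)                 # Magic = PE32
    struct.pack_into("<I", opt, 16, entry_rva)            # AddressOfEntryPoint
    # Machine, NumberOfSections, TimeDateStamp, PtrSymbols, NumSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)
    table = b"".join(
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, 0, 0, 0, 0, Characteristics
        struct.pack("<8sIIIIIIHHI", name, size, vaddr, size, 0, 0, 0, 0, 0, chars)
        for name, vaddr, size, chars in sections
    )
    return dos + b"PE\0\0" + coff + bytes(opt) + table


# Assumed layout for a small driver: code, data, resources.
SECTIONS = [
    (b".text", 0x1000, 0x2000, 0x60000020),   # CNT_CODE | MEM_EXECUTE | MEM_READ
    (b".data", 0x3000, 0x1000, 0xC0000040),   # CNT_INITIALIZED_DATA | MEM_READ | MEM_WRITE
    (b".rsrc", 0x4000, 0x1000, 0x40000040),   # CNT_INITIALIZED_DATA | MEM_READ
]
CLEAN_DRIVER = build_sample_pe(0x1200, SECTIONS)     # entry inside .text
PATCHED_DRIVER = build_sample_pe(0x4380, SECTIONS)   # TDL3-style: entry redirected into .rsrc


if __name__ == "__main__":
    import sys
    for label, image in (("clean sample", CLEAN_DRIVER), ("patched sample", PATCHED_DRIVER)):
        print(label, check_entry_point(image))
    for path in sys.argv[1:]:                 # e.g. a copy of crcdisk.sys taken offline
        with open(path, "rb") as fh:
            print(path, check_entry_point(fh.read()))
```

One caveat that the rest of the GMER log makes concrete: the same report shows `\Driver\atapi -> DriverStartIo` redirected for every IDE port and "rootkit-like behavior" in the last sectors of the disk. A rootkit that hooks the disk driver's start-I/O routine can serve the original, unmodified bytes of crcdisk.sys to any reader on the live system, so a check like this is only trustworthy when the file is read from offline media (the machine booted from a rescue disc, or the drive attached to another host), not from the infected OS itself.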



#2 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male
  • Local time:08:10 PM

Posted 28 November 2010 - 09:53 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process. Please also continue to work with me until I give you the all clear. Even if your computer appears to act better, you may still be infected.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

Once we start working together, please reply back within 3 days or this thread may be closed so we can help others who are waiting.

We need to create an OTL report,
  • Please download OTL from this link.
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in:

    netsvcs
    msconfig
    drivers32 /all
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\system32\*.sys /90
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\*. /mp /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    CREATERESTOREPOINT

  • Click the Quick Scan button.
  • The scan should take a few minutes.
  • Please copy and paste both logs in your reply.


In your reply, please post both OTL logs.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators


#3 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male
  • Local time:08:10 PM

Posted 03 December 2010 - 07:46 PM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators




