Phoenix Kit Exploit Kit, Google Gomeo Redirects, agutekudat.dll .. ThinkPoint related?


15 replies to this topic

#1 Wynder

Wynder

  • Members
  • 8 posts

Posted 12 December 2010 - 08:17 AM

I would like to point out I am by no means an expert with computers; this is all new to me, so please bear with me. I have had my laptop about 3 years and never had an antivirus / firewall etc., as I always in the past found them to block all sorts for no apparent reason. I also never had a problem until about a month ago. I got a fake antivirus ad, "ThinkPoint", one of the ones that tries to sell you something that fixes nothing; it appeared as a legit Windows Defender link, then when I restarted the program kicked in. I am mentioning this as I believe it may be related. I found a link somewhere on how to get rid of this virus; it was simple enough. Afterwards the internet wouldn't load any sites; I fixed this through a change proxy settings option in Google Chrome. After this happened, though, I started to get redirected to random ad sites, e.g. Gomeo.co.uk, from Google searches, finding I had to right click and open the links in a new tab to get around this. If that was the only problem I could live with it, but things started getting worse over the past week. I have re-installed AVG along with a number of other programs: SpyBot - Search & Destroy, Malwarebytes, Ad-Aware, CCleaner. Every time I run a scan or fix with any of them they appear to be fixing something, but the problem persists. A few days ago I started getting an error when I tried to open any programs, or alter/install/uninstall anything:

RunDLL

Error Loading
C:\Windows\system32\config\systemprofile\AppData\Local\agutekudat.dll

Access is denied.

I managed to get rid of this error also through simple AVG / Malwarebytes scans etc., but I now get a similar RunDLL error on start up instead; it doesn't seem to affect anything though. However, since I "fixed" that error I've had 2 blue screens in 24 hours, for no apparent reason both times. I find this odd as I have never had the recurring blue screen problem on my laptop. I also noticed in the system tray something called Server SQL; it seems to be a legit Microsoft thing but I have no idea what it is or does. It has the options play, pause, stop but they're all unresponsive... I decided to post on here as I can't really live with blue screens cutting in every few hours for no apparent reason, and I would like to clean and fix my computer, but a complete restore of Windows is really out of the question except as a very last resort.

DDS log:


DDS (Ver_10-12-12.01) - NTFSx86
Run by Andy at 12:30:53.73 on 12/12/2010
Internet Explorer: 8.0.6001.18975 BrowserJavaVersion: 1.6.0_21
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.3002.1084 [GMT 0:00]

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *Enabled/Updated* {222A897C-5018-402e-943F-7E7AC8560DA7}
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {DAAC1C79-1A96-9DFE-FC4C-6940214C33E6}
AV: AVG Anti-Virus *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Lavasoft Ad-Watch Live! *Enabled/Updated* {61CDFD9D-3CAC-9270-C6FC-52325ACB795B}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\SMINST\BLService.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
"C:\Windows\System32\svchost.exe"
"C:\Windows\System32\svchost.exe"
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Users\Andy\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Andy\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Andy\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Andy\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Andy\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Andy\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Users\Andy\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\notepad.exe
C:\Windows\notepad.exe
C:\Users\Andy\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\system32\SearchProtocolHost.exe
C:\Users\Andy\Downloads\dds.scr
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = www.ultimatebuzz.net/forum
uDefault_Page_URL = hxxp://www.skybroadband.com
uSearch Page =
uSearch Bar =
uWindow Title = Internet Explorer Provided By Sky Broadband
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=83&bd=Pavilion&pf=cnnb
mDefault_Page_URL = hxxp://uk.yahoo.com
mDefault_Search_URL = hxxp://uk.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://uk.search.yahoo.com
uInternet Settings,ProxyServer = http=127.0.0.1:50370
uSearchURL,(Default) = hxxp://uk.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://uk.search.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: IeMonitorBho Class: {bf00e119-21a3-4fd1-b178-3b8537e75c92} - c:\program files\megaupload\mega manager\MegaIEMn.dll
BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\6.3.2322.0\npwinext.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn1\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: @c:\program files\msn toolbar\platform\6.3.2322.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\6.3.2322.0\npwinext.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [Ucapegirifadu] rundll32.exe "c:\windows\system32\config\systemprofile\appdata\local\agutekudat.dll",Startup
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
dRun: [KfKbwniYVL.exe] c:\windows\temp\KfKbwniYVL.exe
dRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Download Link Using Mega Manager... - c:\program files\megaupload\mega manager\mm_file.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: avgrsstx.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2010-12-9 52872]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-12-10 64288]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-12-9 216400]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-12-9 29584]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-12-9 243024]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 avg9emc;AVG E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-12-10 921952]
R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-12-10 308136]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-12-3 1389400]
R2 Recovery Service for Windows;Recovery Service for Windows;c:\windows\sminst\BLService.exe [2008-7-31 361808]
R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2008-7-31 193840]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-6-4 113664]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-12-3 15264]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 ezSharedSvc;Easybits Shared Services for Windows;c:\windows\system32\svchost.exe -k netsvcs [2008-1-21 21504]
S2 kroover;kroover;c:\windows\system32\drivers\kroover.exe --> c:\windows\system32\drivers\kroover.exe [?]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg9\toolbar\ToolbarBroker.exe [2010-12-10 517448]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

=============== File Associations ===============

regfile="regedit.exe" "%1"

=============== Created Last 30 ================

2010-12-12 12:19:59 -------- d-----w- c:\users\andy\appdata\local\MigWiz
2010-12-12 11:38:29 -------- d-----w- C:\_OTL
2010-12-10 20:43:23 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-12-10 20:43:18 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-12-10 20:38:57 -------- d-----w- c:\users\andy\appdata\local\Sunbelt Software
2010-12-10 20:38:17 -------- dc-h--w- c:\progra~2\{2162CCC0-3A5F-4887-B51F-CE5F195B3620}
2010-12-10 20:37:21 -------- d-----w- c:\program files\Lavasoft
2010-12-10 20:27:03 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2010-12-10 20:27:01 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2010-12-10 20:26:59 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2010-12-10 20:26:59 -------- d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)
2010-12-10 20:23:37 -------- d-----w- c:\progra~2\Spybot - Search & Destroy
2010-12-10 20:23:33 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-12-10 20:19:07 -------- d-----w- c:\users\andy\appdata\roaming\SUPERAntiSpyware.com
2010-12-10 20:19:07 -------- d-----w- c:\progra~2\SUPERAntiSpyware.com
2010-12-10 20:18:46 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-12-10 12:57:53 -------- d-----w- c:\program files\VirtualDJ
2010-12-10 01:44:09 -------- d-----w- c:\users\andy\appdata\roaming\AVG9
2010-12-10 00:35:20 5144576 ----a-w- c:\users\andy\appdata\roaming\microsoft\windows\start menu\programs\image-line\fl studio 9\FLEngine.dll
2010-12-10 00:34:06 1554944 ----a-w- c:\windows\system32\vorbis.acm
2010-12-10 00:33:31 -------- d-----w- c:\program files\VstPlugins
2010-12-10 00:24:34 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-12-10 00:17:28 671744 ----a-w- c:\users\andy\appdata\roaming\microsoft\windows\start menu\programs\image-line\toxic biohazard\Toxic Biohazard.dll
2010-12-10 00:17:28 532480 ----a-w- c:\users\andy\appdata\roaming\microsoft\windows\start menu\programs\image-line\sawer\Sawer.dll
2010-12-10 00:17:28 512000 ----a-w- c:\users\andy\appdata\roaming\microsoft\windows\start menu\programs\image-line\hardcore\Hardcore.dll
2010-12-10 00:17:28 495616 ----a-w- c:\users\andy\appdata\roaming\microsoft\windows\start menu\programs\image-line\poizone\PoiZone.dll
2010-12-09 21:50:39 52872 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2010-12-09 21:50:38 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-12-09 21:50:17 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-12-09 21:50:08 -------- d-----w- c:\windows\system32\drivers\Avg
2010-12-09 21:49:57 -------- d-----w- c:\progra~2\AVG Security Toolbar
2010-12-09 21:31:45 -------- d-----w- c:\program files\ESET
2010-12-02 13:40:54 -------- d-----w- C:\Adobe
2010-12-02 13:40:53 45568 ----a-w- c:\windows\system32\test.exe
2010-11-13 19:57:50 -------- d-----w- c:\users\andy\.jmf
2010-11-13 19:57:47 -------- d-----w- c:\users\andy\Mercury
2010-11-13 19:45:51 -------- d-----w- c:\program files\Windows Live SkyDrive

==================== Find3M ====================

2010-11-11 04:34:02 175 ----a-w- c:\users\andy\appdata\roaming\sdtsh.bat
2010-10-19 10:41:44 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-09-16 00:34:41 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-09-13 13:56:41 8147456 ----a-w- c:\windows\system32\wmploc.DLL

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.0.6002 Disk: TOSHIBA_MK2552GSX rev.LV011C -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-0

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86B59446]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x86b5f504]; MOV EAX, [0x86b5f580]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x81E79962] -> \Device\Harddisk0\DR0[0x85EF0A60]
3 CLASSPNP[0x824CA8B3] -> ntkrnlpa!IofCallDriver[0x81E79962] -> [0x865730A0]
\Driver\atapi[0x85ED17F8] -> IRP_MJ_CREATE -> 0x86B59446
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x137; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-0 -> \??\IDE#DiskTOSHIBA_MK2552GSX_______________________LV011C__#5&3b0a2a42&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x86B59292
user != kernel MBR !!!
sectors 488397166 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

============= FINISH: 12:32:40.43 ===============
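As an added illustration (not part of the thread, and not code from the DDS tool), here is a small Python triage pass over lines in the DDS log format shown above. It flags the kinds of entries that stand out in Wynder's log: an IE proxy pointing at loopback, Run-key autoruns launched from temp or SYSTEM-profile paths (including via rundll32), a service whose binary is gone from disk, a hosts-file sinkhole of a security site, and GMER's user/kernel MBR mismatch. The sample lines are constructed from entries in the posted log; the heuristics are this example's own, not anything DDS computes.

```python
import re

# Constructed sample input: a few lines in the format of the DDS log posted above
# (the "Pseudo HJT Report", "SERVICES / DRIVERS" and "ROOTKIT" sections), mixing the
# entries that stood out in that log with two benign ones for contrast.
SAMPLE_DDS_LINES = [
    r"uInternet Settings,ProxyServer = http=127.0.0.1:50370",
    r"mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe",
    r'mRun: [Ucapegirifadu] rundll32.exe "c:\windows\system32\config\systemprofile\appdata\local\agutekudat.dll",Startup',
    r"dRun: [KfKbwniYVL.exe] c:\windows\temp\KfKbwniYVL.exe",
    r"S2 kroover;kroover;c:\windows\system32\drivers\kroover.exe --> c:\windows\system32\drivers\kroover.exe [?]",
    r"R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-12-10 308136]",
    r"Hosts: 127.0.0.1 www.spywareinfo.com",
    r"user != kernel MBR !!!",
]

# Line shapes used by DDS. uRun/mRun/dRun = per-user / machine / default-user Run keys;
# service lines are "<R|S><start type> <name>;<display name>;<path> [<date size>]".
RUN_RE = re.compile(r"^[umd]Run:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
SVC_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<svc>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(?P<value>.+)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)$")

# Locations from which installed software almost never autostarts: temp folders and the
# SYSTEM account's profile (where the thread's agutekudat.dll RunDLL error points).
SUSPICIOUS_DIRS = (
    "\\windows\\temp\\",
    "\\appdata\\local\\temp\\",
    "\\config\\systemprofile\\",
)


def suspicious_path(path):
    """True when the (case-insensitive) path sits under one of SUSPICIOUS_DIRS."""
    low = path.lower()
    return any(d in low for d in SUSPICIOUS_DIRS)


def triage_line(line):
    """Return a short reason string if the DDS line matches a known-bad pattern, else None."""
    line = line.strip()

    m = PROXY_RE.match(line)
    if m:
        value = m.group("value").lower()
        if "127.0.0.1" in value or "localhost" in value:
            return "IE proxy points at loopback: a local process sits between the browser and the network"
        return None

    m = HOSTS_RE.match(line)
    if m:
        if m.group("ip").startswith("127.") or m.group("ip") == "0.0.0.0":
            return "hosts file sinkholes %s (blocks a site; here a security site)" % m.group("host")
        return None

    m = RUN_RE.match(line)
    if m:
        cmd = m.group("cmd")
        if suspicious_path(cmd):
            via = " via rundll32" if cmd.lower().startswith("rundll32") else ""
            return "autorun [%s] launches%s from a temp/SYSTEM-profile path" % (m.group("name"), via)
        return None

    m = SVC_RE.match(line)
    if m:
        # DDS writes "path --> path [?]" when the service's binary no longer exists on disk.
        if m.group("rest").rstrip().endswith("[?]"):
            return "service '%s' is registered but its binary is missing on disk" % m.group("svc")
        return None

    if line.startswith("user != kernel MBR"):
        return "MBR read from user mode differs from the kernel-mode read: disk I/O is being filtered"

    return None


def triage(lines):
    """Run triage_line over a whole log; return [(line, reason), ...] for flagged lines only."""
    findings = []
    for raw in lines:
        reason = triage_line(raw)
        if reason:
            findings.append((raw.strip(), reason))
    return findings


if __name__ == "__main__":
    for flagged, why in triage(SAMPLE_DDS_LINES):
        print("FLAG: %s\n      %s" % (why, flagged))
```

On the sample above the two benign entries (SynTPEnh, avg9wd) pass and the other six are flagged; a real log would be fed in line by line the same way.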


#2 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 20 December 2010 - 02:17 PM

Hello Wynder

Welcome to BleepingComputer :)
==========================
  • Download OTL to your desktop.
  • Double click on OTL to run it.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.
====================
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free; however, if you would like to make a donation to me for the help I have provided, please click here.

#3 Wynder

Wynder
  • Topic Starter

  • Members
  • 8 posts

Posted 21 December 2010 - 05:18 AM

Thanks very much for the reply first off; I was beginning to wonder if I had been overlooked. This seems to be a common virus, and I was wondering if a quick fix had been developed that I was overlooking. I have run OTL as you say.

Unfortunately OTL hasn't loaded the Extras.Txt file; the OTL.Txt file information is as follows:


OTL logfile created on: 21/12/2010 10:11:50 - Run 3
OTL by OldTimer - Version 3.2.17.3 Folder = C:\Users\Andy\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18975)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

3.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 39.00% Memory free
6.00 Gb Paging File | 4.00 Gb Available in Paging File | 64.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 223.53 Gb Total Space | 108.13 Gb Free Space | 48.37% Space Free | Partition Type: NTFS
Drive D: | 9.36 Gb Total Space | 1.63 Gb Free Space | 17.37% Space Free | Partition Type: NTFS
Drive F: | 1.87 Gb Total Space | 0.13 Gb Free Space | 7.11% Space Free | Partition Type: FAT

Computer Name: ANDY-PC | User Name: Andy | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2010/12/16 11:10:11 | 002,424,560 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
PRC - [2010/12/12 11:23:15 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Users\Andy\Desktop\OTL.exe
PRC - [2010/12/10 00:24:39 | 002,069,344 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgtray.exe
PRC - [2010/12/10 00:24:35 | 000,515,424 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgrsx.exe
PRC - [2010/12/10 00:24:34 | 000,621,920 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgnsx.exe
PRC - [2010/12/10 00:24:26 | 000,308,136 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe
PRC - [2010/12/10 00:22:23 | 000,921,952 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgemc.exe
PRC - [2010/12/10 00:22:23 | 000,725,344 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgcsrvx.exe
PRC - [2010/12/10 00:22:22 | 001,101,152 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgchsvx.exe
PRC - [2010/12/10 00:22:21 | 000,842,592 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgam.exe
PRC - [2010/12/08 23:28:23 | 000,991,800 | ---- | M] (Google Inc.) -- C:\Users\Andy\AppData\Local\Google\Chrome\Application\chrome.exe
PRC - [2010/12/03 09:05:32 | 001,389,400 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
PRC - [2010/12/03 09:05:32 | 000,930,032 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
PRC - [2010/09/22 11:03:38 | 000,249,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
PRC - [2009/04/10 22:27:38 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2009/01/26 15:31:16 | 002,144,088 | RHS- | M] (Safer Networking Limited) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2008/11/09 20:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
PRC - [2008/04/26 08:15:26 | 000,361,808 | ---- | M] () -- C:\WINDOWS\SMINST\BLService.exe
PRC - [2002/12/17 17:26:22 | 007,520,337 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe


========== Modules (SafeList) ==========

MOD - [2010/12/12 11:23:15 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Users\Andy\Desktop\OTL.exe
MOD - [2010/12/10 00:24:34 | 000,012,536 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll
MOD - [2010/08/31 15:43:52 | 001,686,016 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18305_none_5cb72f2a088b0ed3\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- C:\Windows\System32\drivers\kroover.exe -- (kroover)
SRV - [2010/12/10 00:24:26 | 000,308,136 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgwdsvc.exe -- (avg9wd)
SRV - [2010/12/10 00:22:23 | 000,921,952 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgemc.exe -- (avg9emc)
SRV - [2010/12/03 09:05:32 | 001,389,400 | ---- | M] (Lavasoft) [Auto | Running] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2010/10/06 11:31:48 | 000,517,448 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\AVG\AVG9\Toolbar\ToolbarBroker.exe -- (AVG Security Toolbar Service)
SRV - [2010/09/22 11:03:38 | 000,249,136 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort)
SRV - [2010/03/18 12:16:28 | 000,753,504 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe -- (WPFFontCache_v0400)
SRV - [2010/03/18 12:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2009/09/25 01:27:04 | 000,793,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\System32\FntCache.dll -- (FontCache)
SRV - [2008/11/09 20:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2008/04/26 08:15:26 | 000,361,808 | ---- | M] () [Auto | Running] -- C:\WINDOWS\SMINST\BLService.exe -- (Recovery Service for Windows)
SRV - [2008/02/03 19:00:00 | 000,129,992 | ---- | M] (EasyBits Sofware AS) [Auto | Stopped] -- C:\WINDOWS\System32\ezsvc7.dll -- (ezSharedSvc)
SRV - [2008/01/21 02:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2002/12/17 17:26:22 | 007,520,337 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe -- (MSSQL$SONY_MEDIAMGR)
SRV - [2002/12/17 17:23:30 | 000,311,872 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE -- (SQLAgent$SONY_MEDIAMGR)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - [2010/12/10 00:24:37 | 000,243,024 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\System32\Drivers\avgtdix.sys -- (AvgTdiX)
DRV - [2010/12/10 00:24:34 | 000,029,584 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\Windows\System32\Drivers\avgmfx86.sys -- (AvgMfx86)
DRV - [2010/12/10 00:22:23 | 000,216,400 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\System32\Drivers\avgldx86.sys -- (AvgLdx86)
DRV - [2010/12/10 00:22:21 | 000,052,872 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\Windows\System32\Drivers\avgrkx86.sys -- (AvgRkx86)
DRV - [2010/12/03 09:05:34 | 000,064,288 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\Windows\system32\DRIVERS\Lbd.sys -- (Lbd)
DRV - [2010/12/03 09:05:33 | 000,015,264 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Program Files\Lavasoft\Ad-Aware\kernexplorer.sys -- (Lavasoft Kernexplorer)
DRV - [2010/07/28 20:02:48 | 009,023,488 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\igdkmd32.sys -- (igfx)
DRV - [2010/05/10 18:41:30 | 000,067,656 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010/02/17 18:25:48 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2009/09/05 15:55:36 | 001,183,744 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\athr.sys -- (athr)
DRV - [2009/04/23 11:33:34 | 000,064,512 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\RTSTOR.sys -- (RTSTOR)
DRV - [2009/01/20 05:49:26 | 000,142,848 | ---- | M] (Realtek Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\Rtlh86.sys -- (RTL8169)
DRV - [2008/10/03 02:39:28 | 000,222,208 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\CHDRT32.sys -- (CnxtHdAudService)
DRV - [2008/06/04 17:54:22 | 000,113,664 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\IntcHdmi.sys -- (IntcHdmiAddService) Intel®
DRV - [2008/03/28 01:06:00 | 000,199,472 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\SynTP.sys -- (SynTP)
DRV - [2008/03/17 10:05:30 | 000,101,632 | R--- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\ewusbmdm.sys -- (hwdatacard)
DRV - [2008/01/21 02:23:27 | 000,386,616 | ---- | M] (LSI Corporation, Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\megasr.sys -- (MegaSR)
DRV - [2008/01/21 02:23:27 | 000,149,560 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\adpu320.sys -- (adpu320)
DRV - [2008/01/21 02:23:27 | 000,031,288 | ---- | M] (LSI Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\megasas.sys -- (megasas)
DRV - [2008/01/21 02:23:26 | 000,101,432 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\adpu160m.sys -- (adpu160m)
DRV - [2008/01/21 02:23:26 | 000,074,808 | ---- | M] (Silicon Integrated Systems) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\sisraid4.sys -- (SiSRaid4)
DRV - [2008/01/21 02:23:26 | 000,040,504 | ---- | M] (Hewlett-Packard Company) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\hpcisss.sys -- (HpCISSs)
DRV - [2008/01/21 02:23:25 | 000,300,600 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\adpahci.sys -- (adpahci)
DRV - [2008/01/21 02:23:25 | 000,089,656 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\lsi_sas.sys -- (LSI_SAS)
DRV - [2008/01/21 02:23:24 | 001,122,360 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\ql2300.sys -- (ql2300)
DRV - [2008/01/21 02:23:24 | 000,118,784 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\E1G60I32.sys -- (E1G60) Intel®
DRV - [2008/01/21 02:23:24 | 000,079,928 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\arcsas.sys -- (arcsas)
DRV - [2008/01/21 02:23:23 | 000,235,064 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\iastorv.sys -- (iaStorV)
DRV - [2008/01/21 02:23:23 | 000,130,616 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\vsmraid.sys -- (vsmraid)
DRV - [2008/01/21 02:23:23 | 000,115,816 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\ulsata2.sys -- (ulsata2)
DRV - [2008/01/21 02:23:23 | 000,096,312 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\lsi_scsi.sys -- (LSI_SCSI)
DRV - [2008/01/21 02:23:23 | 000,096,312 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\lsi_fc.sys -- (LSI_FC)
DRV - [2008/01/21 02:23:23 | 000,079,416 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\arc.sys -- (arc)
DRV - [2008/01/21 02:23:22 | 000,342,584 | ---- | M] (Emulex) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\elxstor.sys -- (elxstor)
DRV - [2008/01/21 02:23:22 | 000,200,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\VSTAZL3.SYS -- (HSFHWAZL)
DRV - [2008/01/21 02:23:21 | 000,422,968 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\adp94xx.sys -- (adp94xx)
DRV - [2008/01/21 02:23:21 | 000,102,968 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\nvraid.sys -- (nvraid)
DRV - [2008/01/21 02:23:21 | 000,073,088 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/01/21 02:23:21 | 000,045,112 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\nvstor.sys -- (nvstor)
DRV - [2008/01/21 02:23:20 | 000,238,648 | ---- | M] (ULi Electronics Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\uliahci.sys -- (uliahci)
DRV - [2008/01/21 02:23:00 | 000,020,024 | ---- | M] (VIA Technologies, Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\viaide.sys -- (viaide)
DRV - [2008/01/21 02:23:00 | 000,019,000 | ---- | M] (CMD Technology, Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\cmdide.sys -- (cmdide)
DRV - [2008/01/21 02:23:00 | 000,017,464 | ---- | M] (Acer Laboratories Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\aliide.sys -- (aliide)
DRV - [2007/11/01 01:51:26 | 000,985,600 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\HSX_DPV.sys -- (HSF_DPV)
DRV - [2007/11/01 01:47:54 | 000,208,896 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\HSXHWAZL.sys -- (HSXHWAZL)
DRV - [2007/11/01 01:47:08 | 000,661,504 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\HSX_CNXT.sys -- (winachsf)
DRV - [2007/10/17 23:36:54 | 000,008,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\System32\drivers\XAudio.sys -- (XAudio)
DRV - [2007/06/19 00:12:04 | 000,016,768 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\HpqKbFiltr.sys -- (HpqKbFiltr)
DRV - [2006/11/02 09:50:35 | 000,106,088 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\ql40xx.sys -- (ql40xx)
DRV - [2006/11/02 09:50:35 | 000,098,408 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\ulsata.sys -- (UlSata)
DRV - [2006/11/02 09:50:19 | 000,045,160 | ---- | M] (IBM Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\nfrd960.sys -- (nfrd960)
DRV - [2006/11/02 09:50:17 | 000,041,576 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\iirsp.sys -- (iirsp)
DRV - [2006/11/02 09:50:11 | 000,071,272 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\djsvs.sys -- (aic78xx)
DRV - [2006/11/02 09:50:09 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\iteraid.sys -- (iteraid)
DRV - [2006/11/02 09:50:07 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\iteatapi.sys -- (iteatapi)
DRV - [2006/11/02 09:50:05 | 000,035,944 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\symc8xx.sys -- (Symc8xx)
DRV - [2006/11/02 09:50:03 | 000,034,920 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\sym_u3.sys -- (Sym_u3)
DRV - [2006/11/02 09:49:59 | 000,033,384 | ---- | M] (LSI Logic Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\mraid35x.sys -- (Mraid35x)
DRV - [2006/11/02 09:49:56 | 000,031,848 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\sym_hi.sys -- (Sym_hi)
DRV - [2006/11/02 08:25:24 | 000,071,808 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)
DRV - [2006/11/02 08:24:47 | 000,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brusbser.sys -- (BrUsbSer)
DRV - [2006/11/02 08:24:46 | 000,005,248 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltup.sys -- (BrFiltUp)
DRV - [2006/11/02 08:24:45 | 000,013,568 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltlo.sys -- (BrFiltLo)
DRV - [2006/11/02 08:24:44 | 000,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brserwdm.sys -- (BrSerWdm)
DRV - [2006/11/02 08:24:44 | 000,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brusbmdm.sys -- (BrUsbMdm)
DRV - [2006/11/02 07:36:50 | 000,020,608 | ---- | M] (N-trig Innovative Technologies) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\ntrigdigi.sys -- (ntrigdigi)
DRV - [2006/11/02 07:30:56 | 000,429,056 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\nvm60x32.sys -- (NVENETFD)
DRV - [2006/11/02 07:30:53 | 000,464,384 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\BCMWL6.SYS -- (BCM43XV)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk.yahoo.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://uk.search.yahoo.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=83&bd=Pavilion&pf=cnnb

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.skybroadband.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page =
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = www.ultimatebuzz.net/forum
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll (Yahoo! Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:50370

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Yahoo! Search"
FF - prefs.js..browser.search.defaultthis.engineName: "MessengerPlusLive UK TB Customized Web Search"
FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT2719324&SearchSource=3&q={searchTerms}"
FF - prefs.js..browser.search.selectedEngine: "MessengerPlusLive UK TB Customized Web Search"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://search.conduit.com/?ctid=CT2719324&SearchSource=13"
FF - prefs.js..extensions.enabledItems: {c2f863cd-0429-48c7-bb54-db756a951760}:5.20.1.1
FF - prefs.js..extensions.enabledItems: {E9A1DEE0-C623-4439-8932-001E7D17607D}:2.1.0.5
FF - prefs.js..extensions.enabledItems: {0b38152b-1b20-484d-a11f-5e04a9b0661f}:5.6.11.2
FF - prefs.js..extensions.enabledItems: {7b13ec3e-999a-4b70-b9cb-2617b8323822}:2.5.6.0
FF - prefs.js..extensions.enabledItems: {AB2CE124-6272-4b12-94A9-7303C7397BD1}:4.2.0.5198
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: {fcf7bd65-beb7-48cd-8d51-268eb6802e56}:2.7.1.3
FF - prefs.js..extensions.enabledItems: m3ffxtbr@mywebsearch.com:1.1
FF - prefs.js..extensions.enabledItems: ffxtlbr@Facemoods.com:1.1.0
FF - prefs.js..extensions.enabledItems: {EEE6C361-6118-11DC-9C72-001320C79847}:1.0.0.10
FF - prefs.js..extensions.enabledItems: {ABDE892B-13A8-4d1b-88E6-365A6E755758}:1.1.5
FF - prefs.js..keyword.URL: "http://search.conduit.com/ResultsExt.aspx?ctid=CT2719324&q="
FF - prefs.js..sweetim.toolbar.previous.keyword.URL: "http://search.conduit.com/ResultsExt.aspx?ctid=CT2719324&q="
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 50370
FF - prefs.js..network.proxy.type: 1


FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2010/09/16 00:35:45 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{581E9271-A272-4DC4-A87B-BE1507426BF8}: C:\Windows\system32\config\systemprofile\AppData\Local\{581E9271-A272-4DC4-A87B-BE1507426BF8}\ [2010/12/10 06:29:40 | 000,000,000 | ---D | M]

[2009/01/04 18:00:13 | 000,000,000 | ---D | M] -- C:\Users\Andy\AppData\Roaming\Mozilla\Extensions
[2010/11/13 19:22:23 | 000,000,000 | ---D | M] -- C:\Users\Andy\AppData\Roaming\Mozilla\Firefox\Profiles\dwpf7g9p.default\extensions
[2009/08/21 19:24:57 | 000,000,000 | ---D | M] (Winamp Toolbar) -- C:\Users\Andy\AppData\Roaming\Mozilla\Firefox\Profiles\dwpf7g9p.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}
[2010/10/01 15:07:12 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Andy\AppData\Roaming\Mozilla\Firefox\Profiles\dwpf7g9p.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/04/16 13:34:54 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Users\Andy\AppData\Roaming\Mozilla\Firefox\Profiles\dwpf7g9p.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2010/02/07 23:37:58 | 000,000,000 | ---D | M] (Zynga Toolbar) -- C:\Users\Andy\AppData\Roaming\Mozilla\Firefox\Profiles\dwpf7g9p.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}
[2009/05/01 03:39:34 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Andy\AppData\Roaming\Mozilla\Firefox\Profiles\dwpf7g9p.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}
[2010/12/11 00:34:13 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Andy\AppData\Roaming\Mozilla\Firefox\Profiles\dwpf7g9p.default\extensions\{EEE6C361-6118-11DC-9C72-001320C79847}
[2010/09/15 11:18:20 | 000,000,000 | ---D | M] (MessengerPlusLive UK TB Toolbar) -- C:\Users\Andy\AppData\Roaming\Mozilla\Firefox\Profiles\dwpf7g9p.default\extensions\{fcf7bd65-beb7-48cd-8d51-268eb6802e56}
[2010/09/15 21:38:45 | 000,000,000 | ---D | M] -- C:\Users\Andy\AppData\Roaming\Mozilla\Firefox\Profiles\dwpf7g9p.default\extensions\ffxtlbr@Facemoods.com
[2010/10/01 15:07:13 | 000,000,000 | ---D | M] -- C:\Users\Andy\AppData\Roaming\Mozilla\Firefox\Profiles\dwpf7g9p.default\extensions\SkipScreen@SkipScreen
[2009/05/01 03:39:37 | 000,001,739 | ---- | M] () -- C:\Users\Andy\AppData\Roaming\Mozilla\Firefox\Profiles\dwpf7g9p.default\searchplugins\aim-search.xml
[2010/07/31 22:45:54 | 000,000,949 | ---- | M] () -- C:\Users\Andy\AppData\Roaming\Mozilla\Firefox\Profiles\dwpf7g9p.default\searchplugins\conduit.xml
[2009/08/21 19:25:11 | 000,001,201 | ---- | M] () -- C:\Users\Andy\AppData\Roaming\Mozilla\Firefox\Profiles\dwpf7g9p.default\searchplugins\winamp-search.xml
[2010/10/04 18:26:57 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/09/06 03:33:37 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2010/07/17 04:00:04 | 000,423,656 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2010/07/12 16:33:56 | 000,012,800 | ---- | M] (Nullsoft, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npwachk.dll

O1 HOSTS File: ([2010/12/11 10:51:00 | 000,426,930 | R--- | M]) - C:\WINDOWS\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O1 - Hosts: 14705 more lines...
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll (Yahoo! Inc.)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (AVG Security Toolbar BHO) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O2 - BHO: (IeMonitorBho Class) - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll (Megaupload Limited)
O2 - BHO: (Bing Bar BHO) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN Toolbar\Platform\6.3.2322.0\npwinext.dll (Microsoft Corporation)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (@C:\Program Files\MSN Toolbar\Platform\6.3.2322.0\npwinext.dll,-100) - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\MSN Toolbar\Platform\6.3.2322.0\npwinext.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O4 - HKLM..\Run: [AVG9_TRAY] C:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe File not found
O4 - HKLM..\Run: [Ucapegirifadu] C:\Windows\System32\config\systemprofile\AppData\Local\agutekudat.DLL (VoLT, 2010)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited)
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE (SUPERAntiSpyware.com)
O4 - Startup: C:\Users\Andy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Trillian.lnk = C:\Program Files\Trillian\trillian.exe (Cerulean Studios)
O8 - Extra context menu item: Download Link Using Mega Manager... - C:\Program Files\Megaupload\Mega Manager\mm_file.htm ()
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - File not found
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O13 - gopher Prefix: missing
O15 - HKCU\..Trusted Ranges: Range1 ([http] in Local intranet)
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab (Checkers Class)
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab (UnoCtrl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab (MessengerStatsClient Class)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\avgsecuritytoolbar {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - AppInit_DLLs: (avgrsstx.dll) - C:\Windows\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\Windows\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Users\Andy\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O24 - Desktop BackupWallPaper: C:\Users\Andy\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/07/31 20:16:21 | 000,000,074 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{1b486477-73c8-11de-92ac-001f164c8afa}\Shell - "" = AutoRun
O33 - MountPoints2\{1b486477-73c8-11de-92ac-001f164c8afa}\Shell\AutoRun\command - "" = F:\AutoRun.exe -- File not found
O33 - MountPoints2\{1b486478-73c8-11de-92ac-001f164c8afa}\Shell - "" = AutoRun
O33 - MountPoints2\{1b486478-73c8-11de-92ac-001f164c8afa}\Shell\AutoRun\command - "" = F:\AutoRun.exe -- File not found
O33 - MountPoints2\{1b48649f-73c8-11de-92ac-001f164c8afa}\Shell - "" = AutoRun
O33 - MountPoints2\{1b48649f-73c8-11de-92ac-001f164c8afa}\Shell\AutoRun\command - "" = F:\AutoRun.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/12/13 20:17:19 | 000,000,000 | ---D | C] -- C:\Users\Andy\Desktop\Mnaola
[2010/12/12 12:19:59 | 000,000,000 | ---D | C] -- C:\Users\Andy\AppData\Local\MigWiz
[2010/12/12 11:38:29 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/12/12 11:23:11 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Users\Andy\Desktop\OTL.exe
[2010/12/10 20:43:23 | 000,064,288 | ---- | C] (Lavasoft AB) -- C:\Windows\System32\drivers\Lbd.sys
[2010/12/10 20:43:18 | 000,098,392 | ---- | C] (Sunbelt Software) -- C:\Windows\System32\drivers\SBREDrv.sys
[2010/12/10 20:38:57 | 000,000,000 | ---D | C] -- C:\Users\Andy\AppData\Local\Sunbelt Software
[2010/12/10 20:38:17 | 000,000,000 | -H-D | C] -- C:\ProgramData\{2162CCC0-3A5F-4887-B51F-CE5F195B3620}
[2010/12/10 20:37:21 | 000,000,000 | ---D | C] -- C:\ProgramData\Lavasoft
[2010/12/10 20:37:21 | 000,000,000 | ---D | C] -- C:\Program Files\Lavasoft
[2010/12/10 20:30:30 | 016,409,960 | ---- | C] (Safer Networking Limited ) -- C:\Users\Andy\Desktop\setup-spybotsd162.exe
[2010/12/10 20:27:03 | 000,000,000 | ---D | C] -- C:\Program Files\Misc. Support Library (Spybot - Search & Destroy)
[2010/12/10 20:27:01 | 000,000,000 | ---D | C] -- C:\Program Files\File Scanner Library (Spybot - Search & Destroy)
[2010/12/10 20:26:59 | 000,000,000 | ---D | C] -- C:\Program Files\TeaTimer (Spybot - Search & Destroy)
[2010/12/10 20:26:59 | 000,000,000 | ---D | C] -- C:\Program Files\SDHelper (Spybot - Search & Destroy)
[2010/12/10 20:23:37 | 000,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
[2010/12/10 20:23:33 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2010/12/10 20:19:07 | 000,000,000 | ---D | C] -- C:\Users\Andy\AppData\Roaming\SUPERAntiSpyware.com
[2010/12/10 20:19:07 | 000,000,000 | ---D | C] -- C:\ProgramData\SUPERAntiSpyware.com
[2010/12/10 20:18:46 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010/12/10 15:23:07 | 000,000,000 | ---D | C] -- C:\Users\Andy\AppData\Roaming\InstallShield
[2010/12/10 12:58:41 | 022,738,669 | ---- | C] (Atomix Productions) -- C:\Users\Andy\Desktop\virtualdj_pro.exe
[2010/12/10 12:57:53 | 000,000,000 | ---D | C] -- C:\Users\Andy\Documents\VirtualDJ
[2010/12/10 12:57:53 | 000,000,000 | ---D | C] -- C:\Program Files\VirtualDJ
[2010/12/10 01:44:09 | 000,000,000 | ---D | C] -- C:\Users\Andy\AppData\Roaming\AVG9
[2010/12/10 00:45:53 | 000,000,000 | ---D | C] -- C:\Users\Andy\Desktop\MUSIC PRODUCTION
[2010/12/10 00:44:01 | 000,000,000 | ---D | C] -- C:\Users\Andy\Desktop\Audios
[2010/12/10 00:42:58 | 000,000,000 | ---D | C] -- C:\Users\Andy\Desktop\Desktoped Pics
[2010/12/10 00:40:07 | 000,000,000 | ---D | C] -- C:\Users\Andy\Desktop\Shortcuts
[2010/12/10 00:36:55 | 000,000,000 | ---D | C] -- C:\Users\Andy\Desktop\Wynder Documents
[2010/12/10 00:36:00 | 000,000,000 | ---D | C] -- C:\Users\Andy\Desktop\WYNDER MIXES
[2010/12/10 00:34:06 | 001,554,944 | ---- | C] (HMS http://hp.vector.co.jp/authors/VA012897/) -- C:\Windows\System32\vorbis.acm
[2010/12/10 00:33:31 | 000,000,000 | ---D | C] -- C:\Program Files\VstPlugins
[2010/12/10 00:24:34 | 000,012,536 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\Windows\System32\avgrsstx.dll
[2010/12/09 21:50:39 | 000,052,872 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\Windows\System32\drivers\avgrkx86.sys
[2010/12/09 21:50:38 | 000,243,024 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\Windows\System32\drivers\avgtdix.sys
[2010/12/09 21:50:17 | 000,216,400 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\Windows\System32\drivers\avgldx86.sys
[2010/12/09 21:50:16 | 000,029,584 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\Windows\System32\drivers\avgmfx86.sys
[2010/12/09 21:50:08 | 000,000,000 | ---D | C] -- C:\Windows\System32\drivers\Avg
[2010/12/09 21:49:57 | 000,000,000 | ---D | C] -- C:\ProgramData\AVG Security Toolbar
[2010/12/09 21:31:45 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2010/12/02 13:40:54 | 000,000,000 | ---D | C] -- C:\Adobe
[2010/12/02 13:40:53 | 000,045,568 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\test.exe
[2010/07/28 19:20:56 | 000,004,096 | ---- | C] ( ) -- C:\Windows\System32\IGFXDEVLib.dll

========== Files - Modified Within 30 Days ==========

[2010/12/21 10:13:47 | 000,758,272 | ---- | M] () -- C:\Windows\System32\drivers\iddlg.sys
[2010/12/21 10:00:29 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010/12/21 10:00:29 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010/12/21 08:25:45 | 069,151,557 | ---- | M] () -- C:\Windows\System32\drivers\Avg\incavi.avm
[2010/12/21 06:55:00 | 000,000,902 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3637053399-770358152-3192921690-1000UA.job
[2010/12/20 16:55:00 | 000,000,850 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3637053399-770358152-3192921690-1000Core.job
[2010/12/20 16:02:11 | 000,000,286 | ---- | M] () -- C:\Users\Public\Documents\hpqp.ini
[2010/12/20 16:00:03 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/12/20 15:59:59 | 3149,078,528 | -HS- | M] () -- C:\hiberfil.sys
[2010/12/20 09:57:29 | 232,286,475 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2010/12/15 21:57:25 | 000,002,037 | ---- | M] () -- C:\Users\Andy\Desktop\Google Chrome.lnk
[2010/12/15 21:57:25 | 000,001,999 | ---- | M] () -- C:\Users\Andy\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2010/12/14 14:21:19 | 003,667,432 | ---- | M] () -- C:\Users\Andy\Desktop\P1000399.JPG
[2010/12/14 10:18:00 | 000,627,026 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/12/14 10:18:00 | 000,125,360 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/12/13 20:46:39 | 000,000,898 | ---- | M] () -- C:\Users\Andy\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk
[2010/12/13 14:45:00 | 004,042,391 | ---- | M] () -- C:\Users\Andy\Desktop\P1000402.JPG
[2010/12/13 14:44:48 | 003,795,847 | ---- | M] () -- C:\Users\Andy\Desktop\P1000401.JPG
[2010/12/13 14:44:38 | 004,397,801 | ---- | M] () -- C:\Users\Andy\Desktop\P1000400.JPG
[2010/12/13 14:44:20 | 003,847,648 | ---- | M] () -- C:\Users\Andy\Desktop\P1000398.JPG
[2010/12/13 14:43:40 | 002,685,243 | ---- | M] () -- C:\Users\Andy\Desktop\P1000397.JPG
[2010/12/12 12:28:46 | 000,000,000 | ---- | M] () -- C:\Users\Andy\defogger_reenable
[2010/12/12 11:23:15 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Users\Andy\Desktop\OTL.exe
[2010/12/11 10:51:00 | 000,426,930 | R--- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2010/12/10 23:18:27 | 000,000,903 | ---- | M] () -- C:\Users\Andy\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2010/12/10 20:43:18 | 000,098,392 | ---- | M] (Sunbelt Software) -- C:\Windows\System32\drivers\SBREDrv.sys
[2010/12/10 20:38:13 | 000,000,991 | ---- | M] () -- C:\Users\Andy\Application Data\Microsoft\Internet Explorer\Quick Launch\Ad-Aware.lnk
[2010/12/10 20:38:12 | 000,000,967 | ---- | M] () -- C:\Users\Public\Desktop\Ad-Aware.lnk
[2010/12/10 20:33:51 | 000,001,039 | ---- | M] () -- C:\Users\Andy\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2010/12/10 20:33:51 | 000,001,015 | ---- | M] () -- C:\Users\Andy\Desktop\Spybot - Search & Destroy.lnk
[2010/12/10 20:31:22 | 016,409,960 | ---- | M] (Safer Networking Limited ) -- C:\Users\Andy\Desktop\setup-spybotsd162.exe
[2010/12/10 20:18:49 | 000,001,760 | ---- | M] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/12/10 15:35:38 | 000,303,344 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2010/12/10 15:16:21 | 000,002,006 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Service Manager.lnk
[2010/12/10 10:38:32 | 000,001,184 | ---- | M] () -- C:\Users\Andy\Documents\cc_20101210_103830.reg
[2010/12/10 10:38:02 | 000,069,454 | ---- | M] () -- C:\Users\Andy\Documents\cc_20101210_103753.reg
[2010/12/10 08:46:38 | 000,016,384 | ---- | M] () -- C:\Users\Andy\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/12/10 01:38:24 | 000,000,200 | ---- | M] () -- C:\sqmnoopt01.sqm
[2010/12/10 00:34:34 | 000,000,892 | ---- | M] () -- C:\Users\Public\Desktop\FL Studio 9.lnk
[2010/12/10 00:24:37 | 000,243,024 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Windows\System32\drivers\avgtdix.sys
[2010/12/10 00:24:34 | 000,029,584 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Windows\System32\drivers\avgmfx86.sys
[2010/12/10 00:24:34 | 000,012,536 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Windows\System32\avgrsstx.dll
[2010/12/10 00:22:23 | 000,216,400 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Windows\System32\drivers\avgldx86.sys
[2010/12/10 00:22:21 | 000,052,872 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Windows\System32\drivers\avgrkx86.sys
[2010/12/09 21:50:16 | 000,113,461 | ---- | M] () -- C:\Windows\System32\drivers\Avg\iavichjw.avm
[2010/12/09 21:50:10 | 000,492,629 | ---- | M] () -- C:\Windows\System32\drivers\Avg\miniavi.avg
[2010/12/09 21:50:10 | 000,142,495 | ---- | M] () -- C:\Windows\System32\drivers\Avg\microavi.avg
[2010/12/09 21:50:09 | 006,061,540 | ---- | M] () -- C:\Windows\System32\drivers\Avg\avi7.avg
[2010/12/09 21:27:07 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2010/12/09 21:27:07 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2010/12/09 10:25:52 | 000,000,296 | ---- | M] () -- C:\sqmnoopt00.sqm
[2010/12/09 10:25:43 | 000,000,288 | ---- | M] () -- C:\Windows\tasks\RealUpgradeScheduledTaskS-1-5-18.job
[2010/12/03 09:05:34 | 000,064,288 | ---- | M] (Lavasoft AB) -- C:\Windows\System32\drivers\Lbd.sys
[2010/11/21 12:06:08 | 000,000,294 | ---- | M] () -- C:\Users\Andy\Documents\Andy - Shortcut.lnk

========== Files Created - No Company Name ==========

[2010/12/21 00:54:22 | 065,046,383 | ---- | C] () -- C:\Users\Andy\Desktop\Wynder - Gets Pissed.mp3
[2010/12/20 09:01:34 | 061,930,863 | ---- | C] () -- C:\Users\Andy\Desktop\kiss mix maybe..mp3
[2010/12/15 22:53:24 | 003,843,589 | ---- | C] () -- C:\Users\Andy\Desktop\WYNDER - LUCKY STAR REMIX 2008.mp3
[2010/12/14 14:18:49 | 004,397,801 | ---- | C] () -- C:\Users\Andy\Desktop\P1000400.JPG
[2010/12/14 14:18:49 | 004,042,391 | ---- | C] () -- C:\Users\Andy\Desktop\P1000402.JPG
[2010/12/14 14:18:49 | 003,847,648 | ---- | C] () -- C:\Users\Andy\Desktop\P1000398.JPG
[2010/12/14 14:18:49 | 003,795,847 | ---- | C] () -- C:\Users\Andy\Desktop\P1000401.JPG
[2010/12/14 14:18:49 | 003,667,432 | ---- | C] () -- C:\Users\Andy\Desktop\P1000399.JPG
[2010/12/14 14:18:49 | 002,685,243 | ---- | C] () -- C:\Users\Andy\Desktop\P1000397.JPG
[2010/12/13 20:37:14 | 022,465,223 | ---- | C] () -- C:\Users\Andy\Desktop\Manola Tempo Accapela.mp3
[2010/12/13 20:17:20 | 007,380,864 | ---- | C] () -- C:\Users\Andy\Desktop\02-tempo_feat._manola-everybody_get_up_(max_extended_mix)-funteek.mp3
[2010/12/13 11:01:16 | 232,286,475 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2010/12/12 12:28:46 | 000,000,000 | ---- | C] () -- C:\Users\Andy\defogger_reenable
[2010/12/12 10:32:20 | 3149,078,528 | -HS- | C] () -- C:\hiberfil.sys
[2010/12/10 23:29:33 | 000,002,037 | ---- | C] () -- C:\Users\Andy\Desktop\Google Chrome.lnk
[2010/12/10 23:29:33 | 000,001,999 | ---- | C] () -- C:\Users\Andy\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2010/12/10 20:38:13 | 000,000,991 | ---- | C] () -- C:\Users\Andy\Application Data\Microsoft\Internet Explorer\Quick Launch\Ad-Aware.lnk
[2010/12/10 20:38:12 | 000,000,967 | ---- | C] () -- C:\Users\Public\Desktop\Ad-Aware.lnk
[2010/12/10 20:33:51 | 000,001,039 | ---- | C] () -- C:\Users\Andy\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2010/12/10 20:23:39 | 000,001,015 | ---- | C] () -- C:\Users\Andy\Desktop\Spybot - Search & Destroy.lnk
[2010/12/10 20:18:49 | 000,001,760 | ---- | C] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/12/10 15:23:39 | 000,000,766 | ---- | C] () -- C:\Windows\System\CRIcon.ico
[2010/12/10 15:16:21 | 000,002,006 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Service Manager.lnk
[2010/12/10 10:38:31 | 000,001,184 | ---- | C] () -- C:\Users\Andy\Documents\cc_20101210_103830.reg
[2010/12/10 10:37:55 | 000,069,454 | ---- | C] () -- C:\Users\Andy\Documents\cc_20101210_103753.reg
[2010/12/10 01:38:24 | 000,000,200 | ---- | C] () -- C:\sqmnoopt01.sqm
[2010/12/10 00:34:34 | 000,000,892 | ---- | C] () -- C:\Users\Public\Desktop\FL Studio 9.lnk
[2010/12/09 21:50:16 | 000,113,461 | ---- | C] () -- C:\Windows\System32\drivers\Avg\iavichjw.avm
[2010/12/09 21:50:10 | 069,151,557 | ---- | C] () -- C:\Windows\System32\drivers\Avg\incavi.avm
[2010/12/09 21:50:10 | 000,492,629 | ---- | C] () -- C:\Windows\System32\drivers\Avg\miniavi.avg
[2010/12/09 21:50:10 | 000,142,495 | ---- | C] () -- C:\Windows\System32\drivers\Avg\microavi.avg
[2010/12/09 21:50:08 | 006,061,540 | ---- | C] () -- C:\Windows\System32\drivers\Avg\avi7.avg
[2010/12/09 21:27:07 | 000,000,000 | RHS- | C] () -- C:\MSDOS.SYS
[2010/12/09 21:27:07 | 000,000,000 | RHS- | C] () -- C:\IO.SYS
[2010/12/09 10:25:52 | 000,000,296 | ---- | C] () -- C:\sqmnoopt00.sqm
[2010/11/21 12:06:08 | 000,000,294 | ---- | C] () -- C:\Users\Andy\Documents\Andy - Shortcut.lnk
[2010/11/21 11:10:34 | 000,000,288 | ---- | C] () -- C:\Windows\tasks\RealUpgradeScheduledTaskS-1-5-18.job
[2010/11/11 13:39:08 | 000,000,006 | ---- | C] () -- C:\Users\Andy\AppData\Roaming\start
[2010/11/11 13:37:44 | 000,000,006 | ---- | C] () -- C:\Users\Andy\AppData\Roaming\completescan
[2010/11/11 11:17:03 | 000,000,010 | ---- | C] () -- C:\Users\Andy\AppData\Roaming\install
[2010/11/11 11:08:45 | 000,758,272 | ---- | C] () -- C:\Windows\System32\drivers\iddlg.sys
[2010/11/11 04:34:02 | 000,000,175 | ---- | C] () -- C:\Users\Andy\AppData\Roaming\sdtsh.bat
[2010/11/11 04:33:08 | 000,000,019 | ---- | C] () -- C:\ProgramData\pluglog.txt
[2010/10/04 21:02:48 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2010/09/16 10:23:56 | 000,000,680 | ---- | C] () -- C:\Users\Andy\AppData\Local\d3d9caps.dat
[2010/07/28 19:14:38 | 000,208,896 | ---- | C] () -- C:\Windows\System32\iglhsip32.dll
[2010/07/28 19:14:38 | 000,143,360 | ---- | C] () -- C:\Windows\System32\iglhcp32.dll
[2009/08/03 14:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2009/04/03 17:08:03 | 000,000,000 | ---- | C] () -- C:\Users\Andy\AppData\Local\FnF4.txt
[2009/01/03 22:03:30 | 000,016,384 | ---- | C] () -- C:\Users\Andy\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/01/03 21:08:18 | 000,000,000 | ---- | C] () -- C:\Users\Andy\AppData\Local\QSwitch.txt
[2009/01/03 21:08:18 | 000,000,000 | ---- | C] () -- C:\Users\Andy\AppData\Local\DSwitch.txt
[2009/01/03 21:08:18 | 000,000,000 | ---- | C] () -- C:\Users\Andy\AppData\Local\AtStart.txt
[2008/06/12 18:59:22 | 000,147,456 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1502.dll
[2008/06/04 17:54:12 | 000,004,608 | ---- | C] () -- C:\Windows\System32\HdmiCoin.dll
[2006/11/02 12:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 07:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/03/09 09:58:00 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll

========== LOP Check ==========

[2009/05/01 03:10:19 | 000,000,000 | ---D | M] -- C:\Users\Andy\AppData\Roaming\acccore
[2010/12/10 01:44:09 | 000,000,000 | ---D | M] -- C:\Users\Andy\AppData\Roaming\AVG9
[2010/11/12 15:32:01 | 000,000,000 | ---D | M] -- C:\Users\Andy\AppData\Roaming\Azureus
[2009/09/21 12:28:20 | 000,000,000 | ---D | M] -- C:\Users\Andy\AppData\Roaming\Camfrog
[2010/11/12 14:23:08 | 000,000,000 | ---D | M] -- C:\Users\Andy\AppData\Roaming\Iphei
[2010/10/30 02:56:46 | 000,000,000 | ---D | M] -- C:\Users\Andy\AppData\Roaming\Iron
[2009/09/14 11:24:59 | 000,000,000 | ---D | M] -- C:\Users\Andy\AppData\Roaming\Leadertech
[2010/11/12 11:33:01 | 000,000,000 | -HSD | M] -- C:\Users\Andy\AppData\Roaming\lowsec
[2010/09/29 13:02:56 | 000,000,000 | ---D | M] -- C:\Users\Andy\AppData\Roaming\Megaupload
[2009/01/08 17:57:06 | 000,000,000 | ---D | M] -- C:\Users\Andy\AppData\Roaming\NetMedia Providers
[2009/01/08 17:57:06 | 000,000,000 | ---D | M] -- C:\Users\Andy\AppData\Roaming\Publish Providers
[2010/10/04 18:13:52 | 000,000,000 | ---D | M] -- C:\Users\Andy\AppData\Roaming\Sony
[2010/10/08 19:16:55 | 000,000,000 | ---D | M] -- C:\Users\Andy\AppData\Roaming\Trillian
[2010/12/21 07:19:12 | 000,032,556 | ---- | M] () -- C:\WINDOWS\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 135 bytes -> C:\ProgramData\TEMP:80ED6380

< End of report >

#4 kahdah
Security Colleague, Florida

Posted 21 December 2010 - 07:08 AM

Quick fixes are not always available.
=======================
Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    :OTL
    O4 - HKLM..\Run: [Ucapegirifadu] C:\Windows\System32\config\systemprofile\AppData\Local\agutekudat.DLL (VoLT, 2010)
    [2010/11/11 13:39:08 | 000,000,006 | ---- | C] () -- C:\Users\Andy\AppData\Roaming\start
    [2010/11/11 13:37:44 | 000,000,006 | ---- | C] () -- C:\Users\Andy\AppData\Roaming\completescan
    [2010/11/11 11:17:03 | 000,000,010 | ---- | C] () -- C:\Users\Andy\AppData\Roaming\install
    [2010/11/11 11:08:45 | 000,758,272 | ---- | C] () -- C:\Windows\System32\drivers\iddlg.sys
    [2010/11/11 04:34:02 | 000,000,175 | ---- | C] () -- C:\Users\Andy\AppData\Roaming\sdtsh.bat
    [2010/11/12 11:33:01 | 000,000,000 | -HSD | M] -- C:\Users\Andy\AppData\Roaming\lowsec
    
    :Commands
    [emptytemp]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • It will produce a log for you on reboot, please post that log in your next reply.
================================Malwarebytes' Anti-Malware=================================
Please update\run Malwarebytes' Anti-Malware.

Double Click the Malwarebytes Anti-Malware icon to run the application.
  • Click on the update tab then click on Check for updates.
  • If an update is found, it will download and install the latest version.
  • Once the update has loaded, go to the Scanner tab and select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
================================Virus scan=================================
Please click here to download Kaspersky Virus Removal Tool.

  • Double click on the file you just downloaded and let it install.
  • It will install to your desktop.
  • After that leave what is selected and put a check next to My Computer.
  • Click on the option that says Threat Detection and change it to Disinfect, delete if disinfection fails.
  • Then click on Start Scan.
  • Before it is done it may prompt for action regardless of the setting so choose delete if prompted.
  • When the scan is done no log will be produced.
  • Click on the bottom where it says Report to open the report.
  • Then highlight all of the items found by using Ctrl + A on your keyboard to select all, or use your mouse to select all, then right click and choose Copy.
  • This will copy the items that it found to the clipboard. You can then open Notepad (go to Start, then Run, then type in notepad) and choose Paste to paste the contents into Notepad.
  • You can save this on the desktop.
  • Post the contents of the document in your next reply.

Note: This tool will self uninstall when you close it so please save the log before closing it.


Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here

#5 Wynder
Topic Starter

Posted 23 December 2010 - 06:30 AM

Hi, thanks for another speedy reply, here are the reports requested.


All processes killed
========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\Ucapegirifadu deleted successfully.
C:\WINDOWS\System32\config\systemprofile\AppData\Local\agutekudat.dll moved successfully.
C:\Users\Andy\AppData\Roaming\start moved successfully.
C:\Users\Andy\AppData\Roaming\completescan moved successfully.
C:\Users\Andy\AppData\Roaming\install moved successfully.
File C:\Windows\System32\drivers\iddlg.sys not found.
C:\Users\Andy\AppData\Roaming\sdtsh.bat moved successfully.
C:\Users\Andy\AppData\Roaming\lowsec folder moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Andy
->Temp folder emptied: 37563449 bytes
->Temporary Internet Files folder emptied: 60510153 bytes
->Java cache emptied: 9695163 bytes
->FireFox cache emptied: 42474777 bytes
->Google Chrome cache emptied: 8130146 bytes
->Flash cache emptied: 9859 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 3764865 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 748872 bytes

Total Files Cleaned = 155.00 mb


OTL by OldTimer - Version 3.2.17.3 log created on 12212010_234655

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...





Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5369

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18975

22/12/2010 08:49:18
mbam-log-2010-12-22 (08-49-09).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 326474
Time elapsed: 2 hour(s), 8 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\brumatkjegrm.brumatkjegrm (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\brumatkjegrm.brumatkjegrm.1.0 (Trojan.BHO) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\$ntuninstallmtf197$\ukwjn.exe (Trojan.Agent) -> No action taken.
c:\windows\system32\drivers\iddlg.sys (Trojan.Bubnix) -> No action taken.




Autoscan: stopped 20 hours ago (events: 7, objects: 971, time: 04:57:14)
22/12/2010 10:25:01 Task started
22/12/2010 10:25:01 Detected: MEM:Rootkit.Win32.TDSS.fa Unknown application
22/12/2010 10:25:01 Cannot be backed up: MEM:Rootkit.Win32.TDSS.fa Unknown application
22/12/2010 10:27:23 Detected: HEUR:Trojan.Win32.Generic C:\WINDOWS\System32\drivers\iddlg.sys
22/12/2010 10:28:38 Will be quarantined on system restart: HEUR:Trojan.Win32.Generic C:\WINDOWS\System32\drivers\iddlg.sys
22/12/2010 10:34:42 Detected: MEM:Rootkit.Win32.TDSS.fa System Memory
22/12/2010 15:22:15 Task stopped
Disinfect active threats: completed 19 hours ago (events: 8, objects: 6176, time: 00:04:41)
22/12/2010 15:22:15 Task started
22/12/2010 15:22:15 Detected: MEM:Rootkit.Win32.TDSS.fa System Memory
22/12/2010 15:22:15 Disinfected: MEM:Rootkit.Win32.TDSS.fa System Memory
22/12/2010 15:22:15 Disinfected: MEM:Rootkit.Win32.TDSS.fa System Memory
22/12/2010 15:26:53 Detected: Rootkit.Win32.TDSS.mbr \Device\Harddisk0\DR0
22/12/2010 15:26:53 Disinfected: Rootkit.Win32.TDSS.mbr \Device\Harddisk0\DR0
22/12/2010 15:26:53 Disinfected: Rootkit.Win32.TDSS.mbr \Device\Harddisk0\DR0
22/12/2010 15:26:56 Task completed




Thankfully they all ran without a hitch.

#6 kahdah
Security Colleague, Florida

Posted 23 December 2010 - 07:12 AM

One or more of the identified infections is a backdoor trojan or rootkit.

This type of infection has the capability to allow a hacker to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and has been killed, because of its backdoor functionality, your PC could have been compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you still want to clean it please do the following


===================
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
========
Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
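The Kaspersky report in the previous reply names Rootkit.Win32.TDSS.mbr on \Device\Harddisk0\DR0, i.e. the object disinfected was the first sector of the physical disk, not a file. That is the reason this reply moves from file-level cleanup to TDSSKiller and the rebuild discussion: an MBR bootkit runs before Windows does, and a file scanner has nothing to delete. As an added example for this page (not code from the thread, and not how TDSSKiller or the Kaspersky tool work internally), the Python below shows the check a responder makes on a disk image: parse the 512-byte MBR, hash the 440 bytes of boot code separately from the disk signature and partition table, and diff against a known-good copy. Both MBR images, the "clean" and the "hijacked" boot code, and the partition layout are constructed for illustration.

```python
"""Parse a 512-byte MBR and diff its boot code against a trusted baseline.

Added example for this thread; it is not how TDSSKiller or the Kaspersky tool
work internally. Both MBR images below are constructed for illustration.
"""
import hashlib
import struct
from typing import Dict, List, Tuple

MBR_SIZE = 512
BOOTCODE_LEN = 440       # x86 boot code; bytes 440-443 hold the disk signature, 444-445 are normally zero
PTABLE_OFFSET = 446      # four 16-byte partition entries
SIGNATURE_OFFSET = 510   # 0x55 0xAA
PART_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count


def parse_partition(entry: bytes) -> Dict[str, int]:
    status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(PART_FMT, entry)
    return {"bootable": status == 0x80, "type": ptype, "lba_start": lba_start, "sectors": sectors}


def parse_mbr(data: bytes) -> Dict[str, object]:
    """Split an MBR into the pieces worth comparing; reject anything that is not one."""
    if len(data) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if struct.unpack_from("<H", data, SIGNATURE_OFFSET)[0] != 0xAA55:
        raise ValueError("missing 0x55AA boot signature")
    table = [
        parse_partition(data[PTABLE_OFFSET + 16 * i : PTABLE_OFFSET + 16 * (i + 1)])
        for i in range(4)
    ]
    return {
        "bootcode_sha256": hashlib.sha256(data[:BOOTCODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", data, BOOTCODE_LEN)[0],
        "partitions": [p for p in table if p["type"] != 0],
    }


def check_against_baseline(captured: bytes, baseline: bytes) -> List[str]:
    """Name what differs between a captured MBR and a known-good one (empty list = clean)."""
    cur, base = parse_mbr(captured), parse_mbr(baseline)
    diffs = []
    if cur["bootcode_sha256"] != base["bootcode_sha256"]:
        diffs.append("boot code changed")
    if cur["disk_signature"] != base["disk_signature"]:
        diffs.append("disk signature changed")
    if cur["partitions"] != base["partitions"]:
        diffs.append("partition table changed")
    return diffs


def build_mbr(bootcode: bytes, disk_signature: int,
              partitions: List[Tuple[int, int, int, int]]) -> bytes:
    """Assemble a test MBR from (status, type, lba_start, sectors) tuples."""
    if len(bootcode) != BOOTCODE_LEN:
        raise ValueError("boot code must be 440 bytes")
    table = b"".join(
        struct.pack(PART_FMT, status, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", lba, sectors)
        for status, ptype, lba, sectors in partitions
    )
    table += b"\x00" * (64 - len(table))
    return bootcode + struct.pack("<IH", disk_signature, 0) + table + struct.pack("<H", 0xAA55)


# Constructed stand-ins: a 'clean' boot code and one whose entry point was overwritten.
# (xor ax,ax / mov ss,ax is how the stock Windows MBR begins; the rest here is NOP padding.)
CLEAN_BOOTCODE = bytes([0x33, 0xC0, 0x8E, 0xD0]) + b"\x90" * (BOOTCODE_LEN - 4)
HIJACKED_BOOTCODE = b"\xEB\xFE" + CLEAN_BOOTCODE[2:]   # jmp $ in place of the real entry

SYSTEM_PARTITION = [(0x80, 0x07, 2048, 1_024_000)]     # one bootable NTFS partition (constructed)
GOOD_MBR = build_mbr(CLEAN_BOOTCODE, 0x1234ABCD, SYSTEM_PARTITION)
TAMPERED_MBR = build_mbr(HIJACKED_BOOTCODE, 0x1234ABCD, SYSTEM_PARTITION)


def read_live_mbr(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read sector 0 of a physical disk (needs admin on Windows). See caveat below."""
    with open(device, "rb") as disk:
        return disk.read(MBR_SIZE)


if __name__ == "__main__":
    print("baseline vs itself:", check_against_baseline(GOOD_MBR, GOOD_MBR))
    print("tampered vs baseline:", check_against_baseline(TAMPERED_MBR, GOOD_MBR))
```

The tampered image keeps the partition table and disk signature intact and still boots the disk, which is exactly why a bootkit is invisible to a file scan and why the comparison has to cover the boot code, not just "does Windows start". One caveat: `read_live_mbr` reads through the running kernel, and a rootkit that filters disk I/O can hand back the original sector while the infected one is what the firmware actually loads. Take both the baseline and the sample from clean boot media or a separate machine, which is also why tools like TDSSKiller exist in the first place.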

#7 Wynder
Topic Starter

Posted 23 December 2010 - 09:01 AM

I use this laptop for all sorts really, so it does need to be sorted, PayPal etc.

If running the fixes isn't going to work then it's starting to look like a re-install is the only option. However, I didn't get any form of backup disk when I got my laptop, so I don't even think I could do that, so what would you suggest? Is there some way I can re-install Windows without the disk?

#8 kahdah
Security Colleague, Florida

Posted 23 December 2010 - 09:05 AM

The fixes will work.

It depends: does the system have a recovery partition?
Or what make and model is the machine?

#9 Wynder
Topic Starter

Posted 24 December 2010 - 04:51 AM

To my knowledge there is no recovery partition

Here is a screen shot taken of the make / model / operating system

Attached file: System Info.jpg

#10 kahdah
Security Colleague, Florida

Posted 24 December 2010 - 07:34 AM

Yes it does :)

Here are instructions on how to do so:
http://h10025.www1.hp.com/ewfrf/wc/document?docname=c00809678&lc=en&dlc=en&cc=us&product=4121178#RestoreWithoutWindows

#11 Wynder
Topic Starter

Posted 24 December 2010 - 03:42 PM

Cheers for that. I know there is a 3 day no-reply thread deletion policy, but as it is Christmas I must announce that I may not be active until after New Year. I hope you understand the time of year and situation and won't lock the thread; thanks in advance.

I have been advised by a relative to partition the drive to keep files and then wipe the computer. Would this work to save files, or cause a break in security?

#12 kahdah
Security Colleague, Florida

Posted 25 December 2010 - 02:59 PM

You can save the files to a flash drive; this will be fine.

#13 Wynder
Topic Starter

Posted 07 January 2011 - 07:42 AM

I don't have a big enough flash drive; I've created the partition, just hope it doesn't get wiped with everything else.

The computer is functioning reasonably normally again, though I'm still restoring to be on the safe side. The reason for the length of time to reply is that our internet provider put our account on hold, as it had been reported our IP had been spamming 1000s of emails, so if that goes down again in a month's time I'll know the problem still exists.

#14 kahdah
Security Colleague, Florida

Posted 07 January 2011 - 07:47 AM

OK, if you have restored the computer then you should be fine; if not then it could happen again.

#15 Wynder
Topic Starter

Posted 08 January 2011 - 07:20 AM

I've restored and have AVG back on. My partition had a trojan within a .rar file, which I promptly deleted; after that the AVG scan only found a few tracking cookies. Will this be sufficient, or are there any other steps you would recommend?
