
Pesky browser hijacker!


  • This topic is locked
51 replies to this topic

#1 Micheal B

  • Members
  • 28 posts

Posted 29 December 2010 - 06:08 PM

I'm not entirely sure when I caught the infection, but the problems with it started on Christmas, or the day after.

Here are the problems I'm having:

When I do a Google search for anything and click any link that was returned, there is a roughly 80-90% chance that the shift to that page will be rapidly redirected to a long series of sites, most of which seem random and go by too quickly to memorize, but one called brawsing-check dot com, or something to that effect, keeps coming up. The site at the end of the line either attempts to download ActiveX controls but fails because I don't hit Allow, offers some manner of advertisement, or, assuming I don't hit Back or close the tab right away (and I usually do), I start seeing odd files appear and quickly disappear in Task Manager before I get a name. If I copy and paste the link into my browser, this problem does not occur.

However, a page similar to this will sporadically pop up on its own, with no user input whatsoever.

This happens consistently with FF. I don't use IE.

After my computer has been on for about an hour, I will be informed that Generic Host Processes for Win32 has encountered an error and needs to close. Regardless of whether I choose to send error information to Microsoft, hit Close, or do nothing, a few seconds later the quality of my task bar and of the menus of any programs I run degrades, looking low quality, almost like what happens when you run a program in Safe Mode. In addition, while in this state my computer is incapable of playing most, but not all, sounds or of recognizing that there is a disk in a working disk drive, and it seems largely hit or miss whether other programs will function or not. Sometimes my taskbar and menus will revert to their usual appearance after a few minutes, but the other problems remain.

Occasionally, computer performance will degrade to the point of near freezing. This doesn't seem tied to any particular user action. Just sometimes it will decide to run at about 1 frame per minute for a while.

Restarting the computer corrects these problems, but does not stop them from occurring again.

Solutions I have tried thus far:

Spyware Search and Destroy - the first thing I tried. I don't remember what it found.

Malwarebytes' Anti-Malware - the second thing I tried. It detected Trojan.Vundo and removed it. On a much later scan it found PUP.FunWebProducts and removed it.

Clearing cache and history in FF. Multiple times.

Uninstalling and reinstalling FF. Multiple times.

Microsoft Security Essentials - detected two java exploits: Java/CVE-2010-0840.L and Java/CVE-2010-0840.W. It removed both.

AdAware - detected SpyBuddy and removed it on a quick scan. I am unable to run a full scan, as it always seems to hang after a while. It is detecting anywhere from 2 to 14 threats before it freezes though.

I have also tried running some of these programs in Safe Mode. AdAware does not seem to want to load in Safe Mode. S&D and Malwarebytes run, but detect nothing new.

I have also, with the help of careful research and those programs, attempted to remove certain registry entries and autorun entries. There were quite a few, and I don't remember them all.

And despite all the threats I have found, and supposedly removed by doing all of these things, the problem still persists, just as bad as ever.

Here is a HijackThis log as well:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 3:02:06 PM, on 12/29/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\CyberPower PowerPanel Personal Edition\ppped.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\AVG\AVG10\avgemcx.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\CyberPower PowerPanel Personal Edition\pppeuser.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\owner\My Documents\Downloads\HijackThis.exe

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKCU\..\Run: [PowerPanel Personal Edition User Interaction] "C:\Program Files\CyberPower PowerPanel Personal Edition\pppeuser.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1257465432296
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG10\avgpp.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Security Toolbar Service - Unknown owner - C:\Program Files\AVG\AVG10\Toolbar\ToolbarBroker.exe
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\avgwdsvc.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: McAfee Security Scan Component Host Service (McComponentHostService) - McAfee, Inc. - C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe
O23 - Service: PowerPanel Personal Edition Service (ppped) - Unknown owner - C:\Program Files\CyberPower PowerPanel Personal Edition\ppped.exe

--
End of file - 4093 bytes

I'm about out of ideas, so I welcome any you have. I'm computer literate, but not an expert.

Edit: Forgot to mention that I also ran VundoFix and CWShredder. They did not detect anything on any of the attempts, some of which were made in Safe Mode.

Edit2: Oops, wrong forum. Sorry about that.

Edited by Micheal B, 29 December 2010 - 06:34 PM.
Moved from XP forum to Malware Removal Logs ~ Hamluis.
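A small triage script for logs of the shape posted above, added here as an example; it is not part of the original post and not HijackThis's own code. It parses the O-numbered lines, pulls out the file path or URL each entry points at, and flags the entries a malware-removal helper reads first: O23 services with no vendor string, autostart binaries outside the Windows and Program Files trees, and O16 ActiveX downloads from non-Microsoft hosts. The sample log is six lines copied from the log above plus one constructed O4 line (the Application Data\svchost.exe entry) that does not come from the poster's machine; the trusted-directory list and the flag wording are assumptions of this example.

```python
"""Triage a HijackThis log: parse O-entries, extract the path/URL each one points at,
and flag the ones worth a closer look.  Flags are prompts to check, not verdicts."""
import re
import urllib.parse
from dataclasses import dataclass, field
from typing import List

# Constructed sample: six lines copied from the posted log plus one made-up O4 line
# (the Application Data\svchost.exe entry), which is NOT from the poster's machine.
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1257465432296
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\avgwdsvc.exe
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\owner\Application Data\svchost.exe
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# A drive-letter path ending in an executable/library extension; stops at the first match.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|sys|cpl|ocx)\b', re.IGNORECASE)
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# Assumed "normal" homes for autostart binaries on an XP box (lower-cased prefixes).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")

FLAG_NO_VENDOR = "no vendor string on service binary"
FLAG_ODD_DIR = "autostart binary outside Windows / Program Files"
FLAG_ODD_DPF = "ActiveX download from a non-Microsoft host"


@dataclass
class Entry:
    kind: str                 # "O4", "O23", ...
    text: str                 # everything after "O4 - "
    path: str = ""            # file path or URL the entry points at, if any
    flags: List[str] = field(default_factory=list)


def parse(log: str) -> List[Entry]:
    """Turn each 'Onn - ...' line into an Entry; non-entry lines are ignored."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        kind, text = m.groups()
        pm = PATH_RE.search(text)
        um = URL_RE.search(text)
        entries.append(Entry(kind, text, pm.group(0) if pm else (um.group(0) if um else "")))
    return entries


def triage(entries: List[Entry]) -> List[Entry]:
    """Attach flags and return only the entries that got at least one."""
    for e in entries:
        low = e.path.lower()
        if e.kind == "O23" and " - Unknown owner - " in e.text:
            e.flags.append(FLAG_NO_VENDOR)
        if e.kind in ("O2", "O4", "O22", "O23") and low and not low.startswith(TRUSTED_DIRS):
            e.flags.append(FLAG_ODD_DIR)
        if e.kind == "O16" and e.path:
            host = urllib.parse.urlsplit(e.path).hostname or ""
            if not (host == "microsoft.com" or host.endswith(".microsoft.com")):
                e.flags.append(FLAG_ODD_DPF)
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in triage(parse(SAMPLE_LOG)):
        print(e.kind, e.path, "->", "; ".join(e.flags))
```

Run against the sample it reports two entries: the ATI Smart service (no vendor string; ati2sgag.exe is a legitimate ATI component, so this flag only says "verify the file", not "malware") and the constructed svchost.exe autorun living under Application Data, which is the pattern a helper would act on. A clean-looking log, as here, does not mean a clean machine: HijackThis only lists user-mode hooks, which is why the helper's next step in the thread is a rootkit scan.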



#2 Blade

    Strong in the Bleepforce

  • Site Admin
  • 12,704 posts

Posted 06 January 2011 - 03:50 AM

Hello, and welcome to the Malware Removal forum! My online alias is Blade Zephon, or Blade for short, and I will be assisting you with your malware issues!

If you have since resolved the original problem you were having, we would appreciate you letting us know.

In the upper right hand corner of the topic you will see a button called Watch Topic. By clicking this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Before we begin cleaning your machine, I'd like to lay out some guidelines for us to follow while we are working together.
  • I will be assisting you with your malware issues. This may or may not resolve other problems you are having with your computer. If you are still having problems after your machine has been determined clean, I will be glad to direct you to the proper forum for assistance.
  • Even if things appear better, that does not mean we are finished. Please continue to follow my instructions until I give you the all clean. Absence of symptoms does not mean that all the malware has been removed. If a piece of the infection is left, it can regenerate and reinfect your machine.
  • Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • I ask that you please refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. If you act independently it will cause changes to your system that I will not be aware of, which will make the process of cleaning the machine a much slower and more difficult process. Additionally, some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you are unsure or confused about any instructions I give you, you should ask me to clarify before doing anything. Additionally, if you run into any problems while carrying out instructions, you should STOP and reply back here explaining what happened.
  • After 5 days if a topic is not replied to we assume it has been abandoned and it is closed. If you need additional time, that is perfectly alright; you just need to let us know beforehand. :)

  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Check the boxes beside LOP Check and Purity Check.
  • Under the "Custom Scans/Fixes" section paste in the text below


    netsvc
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav

  • Push the Run Scan button.
  • When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and paste them into the body of your next reply.

***************************************************

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (e.g. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO, then use the following settings for a more complete scan.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.log" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and copy/paste its contents in your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try unchecking the Devices box in addition to the others previously requested. Also, try running GMER in Safe Mode.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries


~Blade


In your next reply, please include the following:
OTL.txt
Extras.txt
Gmer.log


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+
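The /md5start ... /md5stop part of the OTL script above makes OTL hash every copy of the listed boot drivers and logon DLLs so the helper can spot one that has been patched on disk. The script below, added here as an example and not OTL's own code, does the same check by hand: it walks a Windows tree, hashes every copy of each listed name, and reports names whose copies disagree, the classic case being a live system32\drivers\atapi.sys that no longer matches its system32\dllcache backup. The file names are taken from the OTL script above; the directory fixture in demo() is constructed for the example and is not a real Windows installation.

```python
"""Hash every copy of the boot drivers / logon DLLs OTL's /md5start block lists and
report names whose copies under the Windows tree do not share one digest."""
import hashlib
import os
import tempfile
from collections import defaultdict
from typing import Dict, List, Tuple

# Names exactly as listed between /md5start and /md5stop in the OTL script above.
DRIVER_NAMES = [
    "eventlog.dll", "scecli.dll", "netlogon.dll", "cngaudit.dll", "sceclt.dll",
    "ntelogon.dll", "logevent.dll", "iaStor.sys", "nvstor.sys", "atapi.sys",
    "IdeChnDr.sys", "viasraid.sys", "AGP440.sys", "vaxscsi.sys", "nvatabus.sys",
    "viamraid.sys", "nvata.sys", "nvgts.sys", "iastorv.sys", "ViPrt.sys",
    "eNetHook.dll", "ahcix86.sys", "KR10N.sys", "nvstor32.sys", "ahcix86s.sys",
    "nvrd32.sys", "symmpi.sys", "adp3132.sys", "mv61xx.sys",
]

Copies = Dict[str, List[Tuple[str, str]]]   # name.lower() -> [(path, digest), ...]


def file_digest(path: str, algo: str = "md5") -> str:
    """Stream-hash one file.  md5 matches what OTL prints; pass 'sha256' for a stronger one."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_copies(root: str, names: List[str], algo: str = "md5") -> Copies:
    """Walk `root` and collect every copy of each wanted name (drivers\, dllcache\,
    ServicePackFiles\ ...).  A copy the OS refuses to let us read is recorded with an
    'unreadable:' pseudo-digest so it surfaces as a mismatch instead of vanishing."""
    wanted = {n.lower() for n in names}
    copies: Copies = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower() in wanted:
                p = os.path.join(dirpath, fn)
                try:
                    copies[fn.lower()].append((p, file_digest(p, algo)))
                except OSError as exc:
                    copies[fn.lower()].append((p, "unreadable: %s" % exc.strerror))
    return dict(copies)


def mismatches(copies: Copies) -> Copies:
    """Names whose copies do not all share one digest."""
    return {n: c for n, c in copies.items() if len({d for _, d in c}) > 1}


def demo() -> Copies:
    """Constructed fixture (not a real Windows tree): the live atapi.sys has had bytes
    appended, as if patched in place, while its dllcache backup is untouched;
    nvstor.sys is identical in both places and must not be reported."""
    root = tempfile.mkdtemp(prefix="fake_windows_")
    pristine = b"MZ\x90\x00 atapi driver body"
    layout = {
        ("system32", "drivers", "atapi.sys"): pristine + b"\xe9\x00\x10\x00\x00",  # "patched"
        ("system32", "dllcache", "atapi.sys"): pristine,
        ("system32", "drivers", "nvstor.sys"): b"MZ nvstor",
        ("system32", "dllcache", "nvstor.sys"): b"MZ nvstor",
    }
    for parts, body in layout.items():
        p = os.path.join(root, *parts)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(body)
    return mismatches(find_copies(root, DRIVER_NAMES))


if __name__ == "__main__":
    # On the real box: mismatches(find_copies(r"C:\WINDOWS", DRIVER_NAMES))
    for name, copies in demo().items():
        print(name)
        for path, digest in copies:
            print("   ", digest, path)
```

Two caveats a helper would keep in mind. First, agreement between copies only proves consistency, not cleanliness: a name with a single copy, or with copies that all match, still has to be checked against a known-good hash for that exact Windows build and service pack. Second, a kernel rootkit can lie to the file API the scan uses, so hashes read from inside the infected OS are not conclusive; that is why this check is paired with GMER here, and why a conclusive version runs the same comparison from a boot CD.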


#3 Micheal B
  • Topic Starter

  • Members
  • 28 posts

Posted 06 January 2011 - 11:22 AM

Hm. I have a full reply typed up and saved. However I am unable to send it. Every time I attempt to the connection to the server is reset while the page is loading. I am able to send this message just fine, so I can only presume that the problem is that my post is excessively long, mostly due to the logs you directed me to copy paste into it. Ideas, here?

Attaching the text document containing my post to this one also does not work. Doesn't matter if I hit create new post or edit this one. It resets the connection on me.

Edit yet again: This probably isn't the way you wanted me to submit the logs but it's the only way I could dodge the connection resetting error.

Anyways.

Yes, the problem is still there, and while several more problems have been detected, fixing them does not fix the problem. I see what you mean about the regeneration thing.

In addition, a few other problems have come up:

Whenever I close Firefox, I get this error message:

The instruction at "0x00000000" referenced memory at "0x00000000". The memory could not be "written".

Click on OK to terminate the program.

This same message also occurs when closing IE, so it is not FF exclusive. It also rarely occurs when opening FF. It does not seem to cause any harm, but it is quite annoying.

This problem did not start until several days after making my original post.

For some reason it does not like me typing windows update dot microsoft dot com. However I am completely unable to connect to that site via either FF or IE.

Lastly, there is a problem with my DVD drive. It is unable to detect DVDs, but works fine reading or writing CDs. I have no idea if this is related to the malware problem or not. I am kind of hoping it is, as the alternative is that the drive is shot. Though this problem has persisted for a while, I did not mention it at first because I believed the problem was simply that the DVD I was using was in poor condition. However the problem also occurs with a brand new DVD that works perfectly within another computer. I obtained this new DVD only recently, so I was not able to determine this problem before. I mainly mention this for the sake of completeness.

Anyways.

The first program you mentioned worked perfectly.

I have not taken any actions regarding the stuff in the first log or the other logs, but two things stood out as odd to me. First, the no name listed entries in my Firefox plugins. Second, the C:\Program Files\xerox folder. It doesn't sound like anything I'd install. And it doesn't contain anything but an empty folder named nwwia. Again, I've taken no actions. Just things that stood out to me.

Important Note: I encountered SEVERE problems attempting to run Gmer. The first time I ran the scan as instructed it closed after 30-60 seconds. There was no error message of any kind. I restarted and tried again. After 30-60 seconds I was informed that [random file name of Gmer] has encountered an error and needs to close. I tried a third time... and my computer restarted the instant I double clicked it. When it had rebooted, an error message popped up informing me that my system had recovered from a serious error and asked if I wanted to report it to Microsoft. The fourth time I tried it, it worked fine.

One more thing. You say to uncheck Show All in Gmer. But it unchecked itself whenever I unchecked IAT/EAT. Dunno if that's intended or not, but all three things you mentioned were unchecked when I ran the scan.

Edited by Blade Zephon, 21 January 2011 - 09:45 AM.


#4 Blade

    Strong in the Bleepforce

  • Site Admin
  • 12,704 posts

Posted 07 January 2011 - 03:44 AM

Hello.

Download Combofix from any of the links below but rename it to renamed.exe before saving it to your desktop.


Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • VERY IMPORTANT: Disable all running antivirus, antimalware and firewall programs as they may interfere with the proper running of ComboFix. Click on this link to see a list of programs that should be disabled. NOTE: This list is not all-inclusive. If yours is not listed and you do not know how to disable it, please ask.
  • Double click on renamed.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot omitted]

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply

A word of warning: Neither I nor sUBs is responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


~Blade


In your next reply, please include the following:
ComboFix log



#5 Micheal B
  • Topic Starter

  • Members
  • 28 posts

Posted 07 January 2011 - 09:45 AM

A couple of things. First, following your directions in order resulted in me downloading the file before turning off my security programs. The first link set off alarms on ZoneAlarm, but the second did not. It claimed the file in the first link modified program behavior so that one program could load another or something to that effect. I know about false positives and all, but the file sizes between the two links were also different. I used the second, safe link but you should probably look into the safety of the first.

Second, while not displayed in the log ComboFix had to reboot because it detected that sptd.sys was a rootkit. Apparently that file is a part of Daemon Tools, which I did have installed at one point but removed.

Third, when ComboFix restarted a second time towards the end it told me not to open any programs. Well I didn't, I didn't even touch my computer but it did automatically load the programs set to run at startup, notably Spybot S&D and ZoneAlarm. This did not seem to interfere with the scan but I mention it anyways.

Anyways, here is my log.

ComboFix 11-01-06.06 - owner 01/07/2011 7:37.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.454 [GMT -6:00]
Running from: c:\documents and settings\owner\Desktop\renamed.exe
FW: ZoneAlarm Extreme Security Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\owner\Application Data\Local
C:\Install.exe
c:\windows\system32\_004621_.tmp.dll

.
((((((((((((((((((((((((( Files Created from 2010-12-07 to 2011-01-07 )))))))))))))))))))))))))))))))
.

2011-01-04 23:46 . 2011-01-04 23:46 -------- d-----w- c:\program files\ACW
2011-01-04 22:01 . 2011-01-04 22:02 -------- d-----w- C:\MyBackup
2011-01-04 21:59 . 2011-01-04 22:15 -------- d-----w- c:\program files\PC Tune-Up
2011-01-04 21:33 . 2011-01-04 21:33 -------- d-----w- c:\documents and settings\owner\Application Data\Canneverbe Limited
2011-01-04 21:33 . 2011-01-04 21:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Canneverbe Limited
2011-01-04 21:28 . 2009-11-12 19:48 7168 ----a-w- c:\windows\system32\drivers\StarOpen.sys
2011-01-04 21:27 . 2011-01-04 21:28 -------- d-----w- c:\program files\CDBurnerXP
2011-01-04 20:58 . 2011-01-04 20:58 -------- d-----w- C:\Softpaq
2011-01-04 17:59 . 2011-01-04 17:59 -------- d-----w- c:\documents and settings\owner\Application Data\ElevatedDiagnostics
2011-01-04 16:59 . 2011-01-07 12:57 -------- d-----w- c:\documents and settings\owner\Application Data\#ISW.FS#
2011-01-02 16:07 . 2011-01-02 16:07 -------- d-----w- c:\documents and settings\owner\Downloads
2011-01-02 13:53 . 2011-01-02 13:53 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Identities
2011-01-01 16:25 . 2011-01-01 16:25 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2010-12-30 15:50 . 2010-12-30 15:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky SDK
2010-12-30 15:49 . 2010-12-30 15:49 -------- d-----w- c:\documents and settings\owner\Application Data\MailFrontier
2010-12-30 15:49 . 2010-12-30 15:49 -------- d-----w- c:\documents and settings\owner\Application Data\CheckPoint
2010-12-30 15:26 . 2010-12-30 15:26 -------- d-----w- c:\program files\CheckPoint
2010-12-30 15:26 . 2010-08-29 08:53 72704 ----a-w- c:\windows\zllsputility.exe
2010-12-30 15:26 . 2009-10-13 00:15 128016 ----a-w- c:\windows\system32\drivers\kl1.sys
2010-12-30 15:20 . 2010-08-29 08:53 103936 ----a-w- c:\windows\system32\zlcommdb.dll
2010-12-30 15:20 . 2010-08-29 08:53 69120 ----a-w- c:\windows\system32\zlcomm.dll
2010-12-30 15:19 . 2010-08-29 08:53 1238528 ----a-w- c:\windows\system32\zpeng25.dll
2010-12-30 15:19 . 2010-12-30 17:04 -------- d-----w- c:\windows\system32\ZoneLabs
2010-12-30 15:19 . 2010-12-30 15:19 -------- d-----w- c:\program files\Zone Labs
2010-12-30 15:13 . 2011-01-07 14:12 -------- d-----w- c:\windows\Internet Logs
2010-12-29 20:25 . 2010-12-29 20:25 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-12-29 15:00 . 2010-12-29 15:00 174 ---ha-w- C:\aaw7boot.cmd
2010-12-29 04:48 . 2010-12-30 21:52 -------- dc----w- c:\windows\system32\DRVSTORE
2010-12-29 04:47 . 2010-12-29 04:47 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-12-29 04:36 . 2010-12-29 04:36 -------- d-----w- c:\documents and settings\owner\Local Settings\Application Data\Sunbelt Software
2010-12-29 04:18 . 2010-12-30 21:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-12-29 03:41 . 2010-10-19 16:41 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-12-29 03:40 . 2010-11-16 18:01 6273872 ------w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F5BC4BE6-4A34-400D-A2BC-9490379EBC8B}\mpengine.dll
2010-12-29 03:20 . 2010-12-30 21:19 -------- d-----w- c:\program files\Microsoft Security Client
2010-12-29 02:48 . 2010-12-29 02:50 -------- d-----w- C:\600aac11e4c1ee9836
2010-12-29 02:44 . 2010-12-29 02:51 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-12-28 22:42 . 2010-12-28 22:43 -------- d-----w- c:\documents and settings\Administrator
2010-12-28 19:36 . 2010-12-28 22:02 -------- d-----w- C:\SpybotBootCD
2010-12-28 19:36 . 2010-12-28 20:32 -------- d-----w- c:\program files\Safer Networking
2010-12-28 00:01 . 2010-12-28 13:02 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-12-28 00:01 . 2010-12-28 12:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-12-27 19:49 . 2010-12-27 19:49 -------- d-----w- C:\VundoFix Backups
2010-12-27 13:57 . 2010-12-27 13:57 -------- d-----w- c:\documents and settings\owner\Application Data\Malwarebytes
2010-12-27 13:56 . 2010-12-27 13:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-12-27 12:51 . 2010-12-27 12:51 -------- d-----w- c:\program files\Common Files\Java
2010-12-27 12:50 . 2010-11-13 00:53 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-12-27 12:50 . 2010-11-13 00:53 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2010-12-17 15:50 . 2010-12-17 15:50 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-12-17 15:45 . 2007-01-02 02:03 40960 ----a-r- c:\windows\system32\psfind.dll
2010-12-17 15:45 . 2006-07-12 00:43 1060864 ----a-w- c:\windows\system32\mfc71.dll
2010-12-17 15:45 . 2006-07-12 00:35 503808 ----a-w- c:\windows\system32\MSVCP71.dll
2010-12-17 15:25 . 2005-11-14 05:19 5632 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\DotNetInstaller.exe
2010-12-17 14:07 . 2010-12-17 20:07 682232 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-12-16 21:08 . 2010-12-16 21:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2010-12-16 16:32 . 2010-12-16 16:32 -------- d-----w- c:\documents and settings\owner\Local Settings\Application Data\TQVault
2010-12-16 16:03 . 2010-12-16 16:03 -------- d-----w- c:\program files\Soul's Software
2010-12-16 16:03 . 2010-12-16 16:03 -------- d-----w- c:\program files\bman654
2010-12-16 14:34 . 2010-12-17 16:21 -------- d-----w- c:\program files\THQ
2010-12-15 04:22 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2010-12-15 04:19 . 2010-10-11 14:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-17 20:07 . 2010-12-17 20:07 682232 ----a-w- c:\windows\system32\drivers\sptd.svs
2010-11-18 18:12 . 2009-11-04 21:11 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-12 00:44 . 2010-11-12 00:44 94208 ----a-w- c:\windows\system32\dpl100.dll
2010-11-10 04:20 . 2010-11-10 04:20 299984 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-11-08 22:57 . 2010-11-08 22:57 353592 ----a-w- c:\windows\system32\DivXControlPanelApplet.cpl
2010-11-06 00:26 . 2006-03-15 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2006-03-15 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2006-03-15 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25 . 2006-03-15 12:00 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2006-03-15 12:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2006-03-15 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2006-03-15 12:00 1853312 ----a-w- c:\windows\system32\win32k.sys
2010-10-25 03:25 . 2010-10-25 03:25 165264 ----a-w- c:\windows\system32\drivers\MpFilter.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PowerPanel Personal Edition User Interaction"="c:\program files\CyberPower PowerPanel Personal Edition\pppeuser.exe" [2005-05-09 262144]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-17 3872080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-08-29 1039360]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-18 339968]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-12-09 1226608]
"DivX Download Manager"="c:\program files\DivX\DivX Plus Web Player\DDmService.exe" [2010-12-08 63360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
backup=c:\windows\pss\McAfee Security Scan Plus.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HydraMouse]
c:\program files\HydraMouse\HydraMouse [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2005-03-18 03:05 339968 ----a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2010-02-11 04:32 61440 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" /background
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
"ehTray"=c:\windows\ehome\ehtray.exe
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"SoundMan"=SOUNDMAN.EXE
"WinampAgent"="c:\program files\Winamp\winampa.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\SecondLife\\SLVoice.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Turbine\\Dungeons & Dragons Online - Stormreach\\dndclient.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Documents and Settings\\owner\\My Documents\\Downloads\\Crafting(2)\\Crafting\\ShroudUpdate.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12/17/2010 8:07 AM 682232]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [9/7/2010 2:48 AM 249424]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [11/9/2010 10:20 PM 299984]
R2 ISWKL;ZoneAlarm ForceField ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [8/27/2010 3:33 AM 26352]
R2 IswSvc;ZoneAlarm ForceField IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [8/27/2010 3:34 AM 493032]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [8/19/2010 8:42 PM 123472]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [8/19/2010 8:42 PM 30288]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [8/19/2010 8:42 PM 26192]
S0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx86.sys --> c:\windows\system32\DRIVERS\avgrkx86.sys [?]
S2 AVGIDSAgent;AVGIDSAgent;"c:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe" --> c:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [?]
S2 avgwd;AVG WatchDog;"c:\program files\AVG\AVG10\avgwdsvc.exe" --> c:\program files\AVG\AVG10\avgwdsvc.exe [?]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG10\Toolbar\ToolbarBroker.exe --> c:\program files\AVG\AVG10\Toolbar\ToolbarBroker.exe [?]
S3 icsak;icsak;c:\program files\CheckPoint\ZAForceField\AK\icsak.sys [8/27/2010 3:33 AM 35568]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]
S4 AVGIDSEH;AVGIDSEH;c:\windows\system32\DRIVERS\AVGIDSEH.Sys --> c:\windows\system32\DRIVERS\AVGIDSEH.Sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\documents and settings\owner\Application Data\Mozilla\Firefox\Profiles\yjoqefw8.default\
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Resurrect Pages: {0c8fbd76-bdeb-4c52-9b24-d587ce7b9dc3} - %profile%\extensions\{0c8fbd76-bdeb-4c52-9b24-d587ce7b9dc3}
FF - Ext: NoRedirect: {c1970c0d-dbe6-4d91-804f-c9c0de643a57} - %profile%\extensions\{c1970c0d-dbe6-4d91-804f-c9c0de643a57}
FF - Ext: ForceField Toolbar: {FFB96CC1-7EB3-449D-B827-DB661701C6BB} - c:\program files\CheckPoint\ZAForceField\TrustChecker
FF - Ext: DivX Plus Web Player HTML5 <video>: {23fcfd51-4958-4f00-80a3-ae97e717ed8b} - c:\program files\DivX\DivX Plus Web Player\firefox\html5video
FF - Ext: DivX HiQ: {6904342A-8307-11DF-A508-4AE2DFD72085} - c:\program files\DivX\DivX Plus Web Player\firefox\wpa
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(yahoo.ytff.general.dontshowhpoffer, true
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-ATNSOFT Key Remapper - c:\program files\ATNSOFT Key Remapper\keyremapper.exe
MSConfigStartUp-AVG_TRAY - c:\program files\AVG\AVG10\avgtray.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-07 08:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1614895754-515967899-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{173B17C1-9108-4065-9705-F0EB5969F21C}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iacgdiacbonaeoegmg"=hex:6a,61,6f,61,67,61,70,68,6b,62,6c,6a,6a,68,6a,6f,6d,66,
68,6d,00,eb
"haaijlmfpjggpjfj"=hex:6a,61,6f,61,64,61,65,69,6a,62,69,64,6b,64,63,66,6c,63,
68,63,00,00

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
@=""
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
@=""
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
@=""
"Installed"="1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(768)
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\program files\CheckPoint\ZAForceField\AK\icsak.dll

- - - - - - - > 'lsass.exe'(832)
c:\windows\system32\WININET.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\program files\CheckPoint\ZAForceField\AK\icsak.dll

- - - - - - - > 'explorer.exe'(3356)
c:\windows\system32\WININET.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\program files\CheckPoint\ZAForceField\AK\icsak.dll
c:\progra~1\ZONELA~1\ZONEAL~1\MAILFR~1\mlfhook.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll

- - - - - - - > 'csrss.exe'(740)
c:\program files\CheckPoint\ZAForceField\AK\akconsole.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\program files\CyberPower PowerPanel Personal Edition\ppped.exe
c:\windows\ehome\mcrdsvc.exe
c:\progra~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
.
**************************************************************************
.
Completion time: 2011-01-07 08:20:28 - machine was rebooted
ComboFix-quarantined-files.txt 2011-01-07 14:20

Pre-Run: 188,904,583,168 bytes free
Post-Run: 190,267,072,512 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
[spybotsd]
timeout.old=30

- - End Of File - - F7877AC4C22CFFF35A139CC429D19F97

Important Note: I also Googled the three additional things it said it deleted. The third links to a bunch of pages of people complaining of a similar problem to my own. I clicked random Google links and did not suffer any further redirects, so I certainly suspect that to be related. However, I will continue to follow this thread and the directions therein, particularly since, as I was typing the word "however", a random search page came up regarding "c:\windows\system32\_004621_.tmp.dll" without any input from me. And not too long after that the exact problem started again.

Oh and forgot to mention: When I completed the scan, IE appeared on my desktop. Is this normal?

Edited by Micheal B, 07 January 2011 - 11:58 AM.


#6 Micheal B
  • Topic Starter
  • Members
  • 28 posts

Posted 08 January 2011 - 03:38 PM

Apologies for the double post, but I suspect that I fixed the problem. I remembered that ComboFix mentioned a TDL3 rootkit. It did not fix it (though it tried to), however Googling that name brought up a series of links, and the first was an article on this forum to remove that rootkit. I downloaded the tool and followed the instructions and it found this:

2011/01/08 13:24:58.0625 Detected object count: 2
2011/01/08 13:25:51.0265 Locked file(sptd) - User select action: Skip
2011/01/08 13:25:51.0312 \HardDisk0 - will be cured after reboot
2011/01/08 13:25:51.0312 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2011/01/08 13:25:57.0203 Deinitialize success

The problem did not go away at first, but when I scanned again and directed it to delete the aforementioned locked file instead of skipping it, it seems to have corrected my problem.

For example, before I was unable to say the words "windowsupdate" without putting a space in between them (if I tried, it refused to allow me to submit the post, instead resetting the server during the attempt or something to that effect), and was unable to connect to windowsupdate.microsoft.com as it acted as if the site was down. Now I can.

I will continue to follow this thread to ensure it's really gone, but I think I got it this time.

Edited by Micheal B, 08 January 2011 - 03:40 PM.
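The post above ends with a TDSSKiller excerpt in which one object was cured and a locked file was skipped, and the redirects only stopped once the skipped file was dealt with on a second run. The parser below is an added example for this thread, not part of TDSSKiller or of any post here: it pulls the declared object count and every "User select action" line out of log text shaped like that excerpt and flags anything the user skipped, so a follow-up scan is not forgotten. The sample lines are constructed from the excerpt, and the function and field names are this example's own.

```python
"""Summarise TDSSKiller-style log lines: what was detected, what was cured,
and what was skipped. Added example for this thread; it is not TDSSKiller
code and not code from any post. Sample input is constructed from the
excerpt posted above."""
import re
from dataclasses import dataclass

# Constructed sample, shaped like the excerpt in the post above.
SAMPLE_LOG = """\
2011/01/08 13:24:58.0625 Detected object count: 2
2011/01/08 13:25:51.0265 Locked file(sptd) - User select action: Skip
2011/01/08 13:25:51.0312 \\HardDisk0 - will be cured after reboot
2011/01/08 13:25:51.0312 Rootkit.Win32.TDSS.tdl4(\\HardDisk0) - User select action: Cure
2011/01/08 13:25:57.0203 Deinitialize success
"""

# "<timestamp> <kind>(<object>) - User select action: <Action>"
ACTION_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+) "
    r"(?P<kind>[^(]+)\((?P<obj>[^)]+)\) - User select action: (?P<action>\w+)$"
)
COUNT_RE = re.compile(r"Detected object count: (?P<n>\d+)$")


@dataclass(frozen=True)
class Finding:
    timestamp: str
    kind: str    # e.g. "Locked file" or "Rootkit.Win32.TDSS.tdl4"
    obj: str     # e.g. "sptd" or "\\HardDisk0"
    action: str  # "Skip", "Cure", "Delete", ...


def parse_findings(text):
    """Return one Finding per 'User select action' line, in log order."""
    findings = []
    for line in text.splitlines():
        m = ACTION_RE.match(line.strip())
        if m:
            findings.append(Finding(m["ts"], m["kind"].strip(), m["obj"], m["action"]))
    return findings


def detected_count(text):
    """The object count the tool declared, or None if the line is absent."""
    for line in text.splitlines():
        m = COUNT_RE.search(line)
        if m:
            return int(m["n"])
    return None


def unresolved(findings):
    """Findings the user chose to skip: these still need a decision."""
    return [f for f in findings if f.action == "Skip"]


def summarize(text):
    """Roll the log up into a dict a helper can read at a glance.

    'complete' is True only when every declared object has an action line
    and none of those actions was Skip."""
    findings = parse_findings(text)
    count = detected_count(text)
    skipped = unresolved(findings)
    return {
        "declared": count,
        "parsed": len(findings),
        "cured": [f.obj for f in findings if f.action == "Cure"],
        "skipped": [f.obj for f in skipped],
        "complete": count is not None and count == len(findings) and not skipped,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the sample, `summarize` reports two declared and two parsed objects, `\HardDisk0` cured, `sptd` skipped, and `complete` False; only once the locked file's action is no longer Skip does the summary read as complete, which is the state the post describes reaching on the second scan.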


#7 Blade
  • Strong in the Bleepforce
  • Site Admin
  • 12,704 posts
  • Location:US

Posted 09 January 2011 - 12:42 AM

Glad things appear to be working better. You ran TDSSKiller, correct?


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#8 Micheal B
  • Topic Starter
  • Members
  • 28 posts

Posted 09 January 2011 - 08:22 AM

Glad things appear to be working better. You ran TDSSKiller, correct?


Yes. I also followed up with MalwareBytes as per the guide. It found one thing, a wirelesskeyview.exe. But it was already in the recycler, so I don't know how much difference it was making; it removed it and then came out clean afterwards.

However, there are a few things I still noticed.

While I can now type windowsupdate, connect to it, and download updates, I cannot actually install those updates. No matter which I actually pick, I am told that the installation failed.

My DVD drive is still unable to read DVDs, but reads and writes CDs fine. I cannot test it with writing DVDs, or with a bootable DVD, because I don't have any, and the DVD game in question (TQ: Gold Box) works perfectly in another drive within another computer. While I suspect it could be that the DVD part of the drive has failed, or that the DVD laser needs to be cleaned, I also suspect that it could be a related software problem, as sptd.sys showed up as a component of Daemon Tools when I checked, and I did have that program on my hard drive for a short time, so it could have interfered with some setting regarding reading DVDs. I have already tried updating the firmware (which is how I know the drive still writes CDs), Autofix.exe from Microsoft, and mats_dvd.exe from Microsoft, with no success. Interestingly, while the latter program ran before and found a problem (but didn't tell me what it was and could not fix it), now when I run that program I am told it is not designed for my system or something.

So not sure if I'm really all clear. At the very least there seems to be some damage left behind.

#9 Blade
  • Strong in the Bleepforce
  • Site Admin
  • 12,704 posts
  • Location:US

Posted 10 January 2011 - 04:09 AM

Hello.

Alright... The thing with Windows Updates you mention could be related to malware, but could be unrelated. We'll look into this.

The issue with the DVD drive is not malware. I will need to refer you to one of our other forums for assistance with that issue once we're done here.

***************************************************

Please generate a fresh OTL log for me.

  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • When the scan completes, it will open a notepad window. Please copy/paste its contents into your next reply.

~Blade


In your next reply, please include the following:
OTL log



#10 Micheal B
  • Topic Starter
  • Members
  • 28 posts

Posted 10 January 2011 - 07:56 AM

Ok.

OTL logfile created on: 1/10/2011 6:34:50 AM - Run 2
OTL by OldTimer - Version 3.2.20.1 Folder = C:\Documents and Settings\owner\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

894.00 Mb Total Physical Memory | 280.00 Mb Available Physical Memory | 31.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 57.00% Paging File free
Paging file location(s): C:\pagefile.sys 1344 2688 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 232.88 Gb Total Space | 176.88 Gb Free Space | 75.96% Space Free | Partition Type: NTFS

Computer Name: OWNER-E2B0B1643 | User Name: owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/01/06 08:13:41 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\owner\Desktop\OTL.exe
PRC - [2010/12/03 13:35:08 | 000,912,344 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/12/03 13:35:08 | 000,016,856 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\plugin-container.exe
PRC - [2010/08/29 02:54:52 | 002,434,568 | ---- | M] (Check Point Software Technologies LTD) -- C:\WINDOWS\system32\ZoneLabs\vsmon.exe
PRC - [2010/08/29 02:53:14 | 001,039,360 | ---- | M] (Check Point Software Technologies LTD) -- C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
PRC - [2010/08/27 03:34:02 | 000,493,032 | ---- | M] (Check Point Software Technologies) -- C:\Program Files\CheckPoint\ZAForceField\ISWSVC.exe
PRC - [2010/08/27 03:34:00 | 000,730,600 | ---- | M] (Check Point Software Technologies) -- C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
PRC - [2010/04/29 15:59:14 | 005,248,312 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
PRC - [2009/12/22 01:57:30 | 000,349,616 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe
PRC - [2009/09/10 11:15:42 | 000,870,672 | ---- | M] (SonicWALL, Inc.) -- C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe
PRC - [2009/03/05 16:07:20 | 002,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2008/04/13 18:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2005/05/06 15:12:22 | 000,466,944 | ---- | M] () -- C:\Program Files\CyberPower PowerPanel Personal Edition\ppped.exe


========== Modules (SafeList) ==========

MOD - [2011/01/06 08:13:41 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\owner\Desktop\OTL.exe
MOD - [2010/08/27 03:34:08 | 000,640,488 | ---- | M] (Check Point Software Technologies) -- C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
MOD - [2010/08/27 03:33:58 | 000,562,664 | ---- | M] (Check Point Software Technologies) -- C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll
MOD - [2010/08/23 10:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
MOD - [2009/09/10 11:15:48 | 000,013,072 | ---- | M] () -- C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\MlfHook.dll
MOD - [2009/07/12 01:12:06 | 000,632,656 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcr80.dll
MOD - [2009/07/12 01:09:20 | 000,554,832 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcp80.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
SRV - File not found [Auto | Stopped] -- C:\Program Files\AVG\AVG10\avgwdsvc.exe -- (avgwd)
SRV - File not found [Auto | Stopped] -- C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe -- (AVGIDSAgent)
SRV - File not found [On_Demand | Stopped] -- C:\Program Files\AVG\AVG10\Toolbar\ToolbarBroker.exe -- (AVG Security Toolbar Service)
SRV - [2010/11/11 12:26:40 | 000,011,736 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)
SRV - [2010/08/29 02:54:52 | 002,434,568 | ---- | M] (Check Point Software Technologies LTD) [Auto | Running] -- C:\WINDOWS\System32\ZoneLabs\vsmon.exe -- (vsmon)
SRV - [2010/08/27 03:34:02 | 000,493,032 | ---- | M] (Check Point Software Technologies) [Auto | Running] -- C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe -- (IswSvc)
SRV - [2009/09/23 16:37:30 | 000,051,168 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper.dll -- (getPlusHelper) getPlus®
SRV - [2005/05/06 15:12:22 | 000,466,944 | ---- | M] () [Auto | Running] -- C:\Program Files\CyberPower PowerPanel Personal Edition\ppped.exe -- (ppped)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\mcdbus.sys -- (mcdbus)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Program Files\Lavasoft\Ad-Aware\KernExplorer.sys -- (Lavasoft Kernexplorer)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\renamed\catchme.sys -- (catchme)
DRV - File not found [File_System | Boot | Stopped] -- C:\WINDOWS\System32\DRIVERS\avgrkx86.sys -- (Avgrkx86)
DRV - File not found [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\AVGIDSEH.Sys -- (AVGIDSEH)
DRV - [2010/12/20 18:09:00 | 000,038,224 | ---- | M] (Malwarebytes Corporation) [Kernel | Disabled | Stop_Pending] -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
DRV - [2010/11/09 22:20:58 | 000,299,984 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgtdix.sys -- (Avgtdix)
DRV - [2010/09/07 02:48:56 | 000,034,384 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\avgmfx86.sys -- (Avgmfx86)
DRV - [2010/09/07 02:48:54 | 000,249,424 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgldx86.sys -- (Avgldx86)
DRV - [2010/08/27 03:33:54 | 000,035,568 | ---- | M] (Check Point Software Technologies) [Kernel | On_Demand | Running] -- C:\Program Files\CheckPoint\ZAForceField\AK\icsak.sys -- (icsak)
DRV - [2010/08/27 03:33:54 | 000,026,352 | ---- | M] (Check Point Software Technologies) [Kernel | Auto | Running] -- C:\Program Files\CheckPoint\ZAForceField\ISWKL.sys -- (ISWKL)
DRV - [2010/08/19 20:42:38 | 000,030,288 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AVGIDSFilter.sys -- (AVGIDSFilter)
DRV - [2010/08/19 20:42:36 | 000,123,472 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AVGIDSDriver.sys -- (AVGIDSDriver)
DRV - [2010/08/19 20:42:34 | 000,026,192 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AVGIDSShim.sys -- (AVGIDSShim)
DRV - [2010/06/09 19:16:12 | 000,528,128 | ---- | M] (Check Point Software Technologies LTD) [Kernel | System | Running] -- C:\WINDOWS\system32\vsdatant.sys -- (vsdatant)
DRV - [2009/10/12 18:15:30 | 000,317,072 | ---- | M] (Kaspersky Lab) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\klif.sys -- (KLIF)
DRV - [2009/10/12 18:15:26 | 000,128,016 | ---- | M] (Kaspersky Lab) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\kl1.sys -- (kl1)
DRV - [2009/03/25 06:29:52 | 000,130,432 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtnicxp.sys -- (RTL8023xp)
DRV - [2007/04/16 21:46:00 | 000,033,792 | ---- | M] (Advanced Micro Devices) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AmdPPM.sys -- (AmdPPM)
DRV - [2005/07/22 11:02:12 | 001,035,008 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2005/07/22 11:01:10 | 000,231,168 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys -- (HSFHWBS2)
DRV - [2005/07/22 11:01:00 | 000,717,952 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2005/03/14 17:54:00 | 001,032,192 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2004/11/17 22:05:38 | 002,297,664 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2004/08/03 16:31:34 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.google.com/
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/


IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - Reg Error: Key error. File not found
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - Reg Error: Key error. File not found
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1614895754-515967899-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "AVG Secure Search"
FF - prefs.js..browser.search.selectedEngine: "AVG Secure Search"
FF - prefs.js..browser.search.update: false
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.3.3
FF - prefs.js..extensions.enabledItems: {0c8fbd76-bdeb-4c52-9b24-d587ce7b9dc3}:2.0.5
FF - prefs.js..extensions.enabledItems: {FFB96CC1-7EB3-449D-B827-DB661701C6BB}:1.5.152.14
FF - prefs.js..extensions.enabledItems: {c1970c0d-dbe6-4d91-804f-c9c0de643a57}:1.2.4
FF - prefs.js..extensions.enabledItems: {23fcfd51-4958-4f00-80a3-ae97e717ed8b}:2.1.0.900
FF - prefs.js..extensions.enabledItems: {6904342A-8307-11DF-A508-4AE2DFD72085}:2.1.0.900


FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG10\Firefox\
FF - HKLM\software\mozilla\Firefox\Extensions\\{FFB96CC1-7EB3-449D-B827-DB661701C6BB}: C:\Program Files\CheckPoint\ZAForceField\TrustChecker [2010/12/30 09:53:29 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\avg@igeared: C:\Program Files\AVG\AVG10\Toolbar\Firefox\avg@igeared
FF - HKLM\software\mozilla\Firefox\Extensions\\{23fcfd51-4958-4f00-80a3-ae97e717ed8b}: C:\Program Files\DivX\DivX Plus Web Player\firefox\html5video [2011/01/05 15:14:43 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{6904342A-8307-11DF-A508-4AE2DFD72085}: C:\Program Files\DivX\DivX Plus Web Player\firefox\wpa [2011/01/05 15:14:43 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/01/08 14:09:10 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/01/08 14:09:09 | 000,000,000 | ---D | M]

[2009/11/05 16:53:37 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\owner\Application Data\Mozilla\Extensions
[2011/01/08 17:47:55 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\yjoqefw8.default\extensions
[2010/11/04 07:46:34 | 000,000,000 | ---D | M] (Resurrect Pages) -- C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\yjoqefw8.default\extensions\{0c8fbd76-bdeb-4c52-9b24-d587ce7b9dc3}
[2011/01/05 11:58:32 | 000,000,000 | ---D | M] (NoRedirect) -- C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\yjoqefw8.default\extensions\{c1970c0d-dbe6-4d91-804f-c9c0de643a57}
[2010/12/25 09:43:59 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\yjoqefw8.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2011/01/08 14:09:10 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/12/30 09:53:29 | 000,000,000 | ---D | M] (ForceField Toolbar) -- C:\PROGRAM FILES\CHECKPOINT\ZAFORCEFIELD\TRUSTCHECKER
[2011/01/05 15:14:43 | 000,000,000 | ---D | M] (DivX Plus Web Player HTML5 <video>) -- C:\PROGRAM FILES\DIVX\DIVX PLUS WEB PLAYER\FIREFOX\HTML5VIDEO
[2011/01/05 15:14:43 | 000,000,000 | ---D | M] (DivX HiQ) -- C:\PROGRAM FILES\DIVX\DIVX PLUS WEB PLAYER\FIREFOX\WPA
[2010/11/12 18:53:06 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2011/01/08 12:55:35 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (ZoneAlarm Toolbar Registrar) - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O3 - HKLM\..\Toolbar: (ZoneAlarm Toolbar) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O3 - HKU\S-1-5-21-1614895754-515967899-725345543-1003\..\Toolbar\WebBrowser: (ZoneAlarm Toolbar) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O4 - HKLM..\Run: [ZoneAlarm Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe (Check Point Software Technologies LTD)
O4 - HKU\S-1-5-21-1614895754-515967899-725345543-1003..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108855
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1614895754-515967899-725345543-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1614895754-515967899-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1614895754-515967899-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108855
O7 - HKU\S-1-5-21-1614895754-515967899-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1257465432296 (MUWebControl Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\avgsecuritytoolbar {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - Reg Error: Key error. File not found
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - Reg Error: Key error. File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O20 - Winlogon\Notify\crypt32chain: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O20 - Winlogon\Notify\cryptnet: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O20 - Winlogon\Notify\cscdll: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O20 - Winlogon\Notify\dimsntfy: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O20 - Winlogon\Notify\ScCertProp: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O20 - Winlogon\Notify\Schedule: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O20 - Winlogon\Notify\sclgntfy: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O20 - Winlogon\Notify\SensLogn: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O20 - Winlogon\Notify\termsrv: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O20 - Winlogon\Notify\wlballoon: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O24 - Desktop WallPaper: C:\Documents and Settings\owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 0
O32 - AutoRun File - [2009/11/04 15:14:24 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG10\avgchsvx.exe /sync) - C:\PROGRA~1\AVG\AVG10\avgchsvx.exe File not found
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG10\avgrsx.exe /sync /restart) - C:\PROGRA~1\AVG\AVG10\avgrsx.exe File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/01/08 15:02:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/01/08 15:02:49 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/01/08 15:02:43 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/01/08 15:02:43 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/01/08 15:00:20 | 007,734,208 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\owner\Desktop\mbam-setup-1.50.1.1100.exe
[2011/01/08 14:06:33 | 008,582,536 | ---- | C] (Mozilla) -- C:\Documents and Settings\owner\Desktop\Firefox Setup 3.6.13.exe
[2011/01/08 13:36:31 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
[2011/01/08 13:21:20 | 001,345,624 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\owner\Desktop\3585845.com
[2011/01/08 13:12:04 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2011/01/08 12:24:09 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2011/01/07 10:44:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\owner\Desktop\PHB2_Errata
[2011/01/07 10:44:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\owner\Desktop\SharnErrata02062006
[2011/01/07 10:44:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\owner\Desktop\SpellComp_Errata
[2011/01/07 07:04:27 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/01/07 07:04:27 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/01/07 07:04:27 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/01/07 07:04:27 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/01/07 07:04:08 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2011/01/07 07:02:52 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/01/06 08:13:41 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\owner\Desktop\OTL.exe
[2011/01/05 09:39:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\owner\My Documents\VGA_ATI_v.6.14.10.6525_XPx86
[2011/01/04 17:46:51 | 000,000,000 | ---D | C] -- C:\Program Files\ACW
[2011/01/04 17:39:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\owner\Desktop\CDTest
[2011/01/04 16:01:15 | 000,000,000 | ---D | C] -- C:\MyBackup
[2011/01/04 15:59:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\owner\Start Menu\Programs\PC Tune-Up
[2011/01/04 15:59:46 | 000,000,000 | ---D | C] -- C:\Program Files\PC Tune-Up
[2011/01/04 15:33:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\owner\Application Data\Canneverbe Limited
[2011/01/04 15:33:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Canneverbe Limited
[2011/01/04 14:58:06 | 000,000,000 | ---D | C] -- C:\Softpaq
[2011/01/04 11:59:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\owner\Application Data\ElevatedDiagnostics
[2011/01/04 11:41:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Windows PowerShell 1.0
[2011/01/04 11:41:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\windowspowershell
[2011/01/04 10:59:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\owner\Application Data\#ISW.FS#
[2011/01/02 10:07:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\owner\Downloads
[2011/01/02 07:53:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Identities
[2011/01/02 07:53:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Identities
[2011/01/01 10:25:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar
[2010/12/30 09:50:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Kaspersky SDK
[2010/12/30 09:49:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\owner\My Documents\ForceField Shared Files
[2010/12/30 09:49:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\owner\Application Data\MailFrontier
[2010/12/30 09:49:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\owner\Application Data\CheckPoint
[2010/12/30 09:26:55 | 000,000,000 | ---D | C] -- C:\Program Files\CheckPoint
[2010/12/30 09:26:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\ZoneAlarm
[2010/12/30 09:26:34 | 000,072,704 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\zllsputility.exe
[2010/12/30 09:26:25 | 000,128,016 | ---- | C] (Kaspersky Lab) -- C:\WINDOWS\System32\drivers\kl1.sys
[2010/12/30 09:22:20 | 000,317,072 | ---- | C] (Kaspersky Lab) -- C:\WINDOWS\System32\drivers\klif.sys
[2010/12/30 09:20:59 | 000,058,368 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\vsregexp.dll
[2010/12/30 09:20:40 | 000,103,936 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\zlcommdb.dll
[2010/12/30 09:20:39 | 000,069,120 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\zlcomm.dll
[2010/12/30 09:20:20 | 000,043,520 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\vswmi.dll
[2010/12/30 09:19:57 | 001,238,528 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\zpeng25.dll
[2010/12/30 09:19:56 | 000,110,080 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\vsxml.dll
[2010/12/30 09:19:54 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\ZoneLabs
[2010/12/30 09:19:53 | 000,300,544 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\vspubapi.dll
[2010/12/30 09:19:49 | 000,107,520 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\vsmonapi.dll
[2010/12/30 09:19:42 | 000,528,128 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\vsdatant.sys
[2010/12/30 09:19:35 | 000,000,000 | ---D | C] -- C:\Program Files\Zone Labs
[2010/12/30 09:13:03 | 000,000,000 | ---D | C] -- C:\WINDOWS\Internet Logs
[2010/12/30 09:12:48 | 000,112,128 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\vsdata.dll
[2010/12/30 09:12:45 | 000,229,376 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\vsinit.dll
[2010/12/30 09:12:43 | 000,686,592 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\vsutil.dll
[2010/12/29 14:25:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple Computer
[2010/12/28 22:48:12 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\DRVSTORE
[2010/12/28 22:47:37 | 000,098,392 | ---- | C] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
[2010/12/28 22:36:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\owner\Local Settings\Application Data\Sunbelt Software
[2010/12/28 22:18:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Lavasoft
[2010/12/28 21:41:54 | 000,222,080 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe
[2010/12/28 21:20:36 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Client
[2010/12/28 20:48:46 | 000,000,000 | ---D | C] -- C:\600aac11e4c1ee9836
[2010/12/28 20:44:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2010/12/28 14:32:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Safer Networking
[2010/12/28 13:36:57 | 000,000,000 | ---D | C] -- C:\SpybotBootCD
[2010/12/28 13:36:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Spybot-S&D Boot CD creator
[2010/12/28 13:36:00 | 000,000,000 | ---D | C] -- C:\Program Files\Safer Networking
[2010/12/28 09:19:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox
[2010/12/28 07:14:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2010/12/27 18:01:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Spybot - Search & Destroy
[2010/12/27 18:01:03 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2010/12/27 18:01:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2010/12/27 13:49:18 | 000,000,000 | ---D | C] -- C:\VundoFix Backups
[2010/12/27 07:57:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\owner\Application Data\Malwarebytes
[2010/12/27 07:56:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/12/27 06:51:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/12/27 06:51:13 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010/12/27 06:50:55 | 000,472,808 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010/12/26 18:01:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2010/12/26 18:01:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2010/12/26 15:34:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/12/26 15:34:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/12/17 14:07:34 | 000,682,232 | ---- | C] (Duplex Secure Ltd.) -- C:\WINDOWS\System32\drivers\sptd.svs
[2010/12/17 09:50:33 | 000,098,304 | ---- | C] (Sony DADC Austria AG.) -- C:\WINDOWS\System32\CmdLineExt.dll
[2010/12/17 09:46:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\THQ
[2010/12/17 09:45:07 | 001,060,864 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mfc71.dll
[2010/12/16 15:08:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Nero
[2010/12/16 10:32:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\owner\Local Settings\Application Data\TQVault
[2010/12/16 10:32:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\owner\My Documents\My Games
[2010/12/16 10:03:58 | 000,000,000 | ---D | C] -- C:\Program Files\Soul's Software
[2010/12/16 10:03:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Soul's Software
[2010/12/16 10:03:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\TQVault
[2010/12/16 10:03:18 | 000,000,000 | ---D | C] -- C:\Program Files\bman654
[2010/12/16 08:34:52 | 000,000,000 | ---D | C] -- C:\Program Files\THQ
[2010/12/14 22:22:18 | 000,040,960 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ndproxy.sys
[2010/12/14 22:19:51 | 000,045,568 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wab.exe
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/01/10 04:50:49 | 000,004,212 | -H-- | M] () -- C:\WINDOWS\System32\zllictbl.dat
[2011/01/08 16:35:45 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/01/08 16:33:45 | 000,000,144 | ---- | M] () -- C:\WINDOWS\System32\pdfl.dat
[2011/01/08 16:31:31 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/01/08 16:31:21 | 938,004,480 | -HS- | M] () -- C:\hiberfil.sys
[2011/01/08 15:02:50 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/01/08 15:01:25 | 007,734,208 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\owner\Desktop\mbam-setup-1.50.1.1100.exe
[2011/01/08 14:09:14 | 000,001,620 | ---- | M] () -- C:\Documents and Settings\owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2011/01/08 14:09:14 | 000,001,602 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2011/01/08 14:08:08 | 008,582,536 | ---- | M] (Mozilla) -- C:\Documents and Settings\owner\Desktop\Firefox Setup 3.6.13.exe
[2011/01/08 13:21:20 | 001,345,624 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\owner\Desktop\3585845.com
[2011/01/08 12:55:35 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/01/08 12:24:16 | 000,000,353 | RHS- | M] () -- C:\boot.ini
[2011/01/08 12:19:23 | 004,150,119 | R--- | M] () -- C:\Documents and Settings\owner\Desktop\renamed.exe
[2011/01/07 10:42:52 | 000,006,803 | ---- | M] () -- C:\Documents and Settings\owner\Desktop\SharnErrata02062006.zip
[2011/01/07 10:42:48 | 000,010,548 | ---- | M] () -- C:\Documents and Settings\owner\Desktop\SpellComp_Errata.zip
[2011/01/07 10:42:42 | 000,049,585 | ---- | M] () -- C:\Documents and Settings\owner\Desktop\PHB2_Errata.zip
[2011/01/07 08:31:23 | 000,000,296 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20110108-103223.backup
[2011/01/07 07:26:51 | 000,000,353 | ---- | M] () -- C:\Boot.bak
[2011/01/06 14:12:51 | 000,235,302 | ---- | M] () -- C:\Documents and Settings\owner\Desktop\New Bitmap Image (10).bmp
[2011/01/06 09:55:35 | 003,932,214 | ---- | M] () -- C:\Documents and Settings\owner\Desktop\New Bitmap Image (8).bmp
[2011/01/06 08:15:18 | 000,296,448 | ---- | M] () -- C:\Documents and Settings\owner\Desktop\94q4iuej.exe
[2011/01/06 08:13:41 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\owner\Desktop\OTL.exe
[2011/01/05 15:14:58 | 000,001,469 | ---- | M] () -- C:\Documents and Settings\owner\Desktop\DivX Movies.lnk
[2011/01/05 12:58:12 | 000,001,977 | ---- | M] () -- C:\Documents and Settings\owner\Desktop\ProtectionId (Safe Mode).lnk
[2011/01/05 12:58:12 | 000,001,965 | ---- | M] () -- C:\Documents and Settings\owner\Desktop\ProtectionId.lnk
[2011/01/05 09:27:06 | 000,554,526 | ---- | M] () -- C:\Documents and Settings\owner\Desktop\Hardware ID.bmp
[2011/01/04 15:59:59 | 000,000,714 | ---- | M] () -- C:\Documents and Settings\owner\Desktop\PC Tune-Up.lnk
[2011/01/02 16:01:11 | 001,076,893 | ---- | M] () -- C:\Documents and Settings\owner\Desktop\1262899625957.png
[2011/01/01 10:04:38 | 103,190,490 | ---- | M] () -- C:\WINDOWS\System32\drivers\AVG\incavi.avm
[2010/12/30 15:29:45 | 000,002,121 | ---- | M] () -- C:\WINDOWS\epplauncher.mif
[2010/12/30 09:35:38 | 000,425,725 | ---- | M] () -- C:\WINDOWS\System32\vsconfig.xml
[2010/12/30 09:27:11 | 000,000,144 | ---- | M] () -- C:\WINDOWS\System32\lkfl.dat
[2010/12/30 09:27:10 | 000,000,080 | ---- | M] () -- C:\WINDOWS\System32\ibfl.dat
[2010/12/30 09:26:38 | 000,000,731 | ---- | M] () -- C:\Documents and Settings\owner\Desktop\ZoneAlarm Security.lnk
[2010/12/29 09:00:53 | 000,000,174 | -H-- | M] () -- C:\aaw7boot.cmd
[2010/12/29 08:07:28 | 000,454,170 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/12/29 08:07:28 | 000,074,628 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/12/28 22:47:37 | 000,098,392 | ---- | M] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
[2010/12/28 20:45:02 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/12/28 17:43:44 | 000,428,313 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.bak
[2010/12/28 17:39:41 | 000,428,313 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20101228-174343.backup
[2010/12/28 08:52:08 | 000,000,388 | ---- | M] () -- C:\WINDOWS\tasks\AVG PC Tuneup 2011 Integrator Start On Windows Logon.job.bak
[2010/12/28 08:32:55 | 000,428,313 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20101228-173941.backup
[2010/12/27 18:01:25 | 000,000,951 | ---- | M] () -- C:\Documents and Settings\owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2010/12/27 18:01:25 | 000,000,933 | ---- | M] () -- C:\Documents and Settings\owner\Desktop\Spybot - Search & Destroy.lnk
[2010/12/27 13:17:06 | 000,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/12/20 18:09:00 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/12/20 18:08:40 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/12/17 20:07:36 | 000,682,232 | ---- | M] (Duplex Secure Ltd.) -- C:\WINDOWS\System32\drivers\sptd.svs
[2010/12/17 10:27:00 | 000,001,763 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Titan Quest - Immortal Throne.lnk
[2010/12/17 09:50:33 | 000,098,304 | ---- | M] (Sony DADC Austria AG.) -- C:\WINDOWS\System32\CmdLineExt.dll
[2010/12/17 09:46:22 | 000,001,672 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Titan Quest.lnk
[2010/12/16 15:04:35 | 000,120,544 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/12/16 10:03:59 | 000,001,930 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\TQ Defiler.NET.lnk
[2010/12/16 10:03:19 | 000,001,900 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\TQVault.lnk
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/01/08 15:02:50 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/01/07 10:42:52 | 000,006,803 | ---- | C] () -- C:\Documents and Settings\owner\Desktop\SharnErrata02062006.zip
[2011/01/07 10:42:47 | 000,010,548 | ---- | C] () -- C:\Documents and Settings\owner\Desktop\SpellComp_Errata.zip
[2011/01/07 10:42:42 | 000,049,585 | ---- | C] () -- C:\Documents and Settings\owner\Desktop\PHB2_Errata.zip
[2011/01/07 07:26:51 | 000,000,353 | ---- | C] () -- C:\Boot.bak
[2011/01/07 07:26:47 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2011/01/07 07:04:27 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/01/07 07:04:27 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/01/07 07:04:27 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/01/07 07:04:27 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/01/07 07:04:27 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/01/07 06:56:10 | 004,150,119 | R--- | C] () -- C:\Documents and Settings\owner\Desktop\renamed.exe
[2011/01/06 14:12:09 | 000,235,302 | ---- | C] () -- C:\Documents and Settings\owner\Desktop\New Bitmap Image (10).bmp
[2011/01/06 09:46:31 | 003,932,214 | ---- | C] () -- C:\Documents and Settings\owner\Desktop\New Bitmap Image (8).bmp
[2011/01/06 08:15:18 | 000,296,448 | ---- | C] () -- C:\Documents and Settings\owner\Desktop\94q4iuej.exe
[2011/01/05 15:14:58 | 000,001,469 | ---- | C] () -- C:\Documents and Settings\owner\Desktop\DivX Movies.lnk
[2011/01/05 12:54:50 | 000,001,977 | ---- | C] () -- C:\Documents and Settings\owner\Desktop\ProtectionId (Safe Mode).lnk
[2011/01/05 12:54:50 | 000,001,965 | ---- | C] () -- C:\Documents and Settings\owner\Desktop\ProtectionId.lnk
[2011/01/05 09:24:46 | 000,554,526 | ---- | C] () -- C:\Documents and Settings\owner\Desktop\Hardware ID.bmp
[2011/01/04 15:59:59 | 000,000,714 | ---- | C] () -- C:\Documents and Settings\owner\Desktop\PC Tune-Up.lnk
[2011/01/02 16:00:53 | 001,076,893 | ---- | C] () -- C:\Documents and Settings\owner\Desktop\1262899625957.png
[2010/12/30 09:27:10 | 000,000,144 | ---- | C] () -- C:\WINDOWS\System32\pdfl.dat
[2010/12/30 09:27:10 | 000,000,144 | ---- | C] () -- C:\WINDOWS\System32\lkfl.dat
[2010/12/30 09:27:10 | 000,000,080 | ---- | C] () -- C:\WINDOWS\System32\ibfl.dat
[2010/12/30 09:26:39 | 000,004,212 | -H-- | C] () -- C:\WINDOWS\System32\zllictbl.dat
[2010/12/30 09:26:38 | 000,000,731 | ---- | C] () -- C:\Documents and Settings\owner\Desktop\ZoneAlarm Security.lnk
[2010/12/30 09:19:42 | 000,425,725 | ---- | C] () -- C:\WINDOWS\System32\vsconfig.xml
[2010/12/29 14:13:35 | 938,004,480 | -HS- | C] () -- C:\hiberfil.sys
[2010/12/29 09:00:53 | 000,000,174 | -H-- | C] () -- C:\aaw7boot.cmd
[2010/12/28 21:26:21 | 000,002,121 | ---- | C] () -- C:\WINDOWS\epplauncher.mif
[2010/12/28 09:19:43 | 000,001,620 | ---- | C] () -- C:\Documents and Settings\owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2010/12/28 09:19:43 | 000,001,602 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2010/12/27 18:01:25 | 000,000,951 | ---- | C] () -- C:\Documents and Settings\owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2010/12/27 18:01:25 | 000,000,933 | ---- | C] () -- C:\Documents and Settings\owner\Desktop\Spybot - Search & Destroy.lnk
[2010/12/20 07:54:05 | 000,000,388 | ---- | C] () -- C:\WINDOWS\tasks\AVG PC Tuneup 2011 Integrator Start On Windows Logon.job.bak
[2010/12/17 10:26:59 | 000,001,763 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Titan Quest - Immortal Throne.lnk
[2010/12/17 09:46:22 | 000,001,672 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Titan Quest.lnk
[2010/12/17 09:45:07 | 000,040,960 | R--- | C] () -- C:\WINDOWS\System32\psfind.dll
[2010/12/16 10:03:59 | 000,001,930 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\TQ Defiler.NET.lnk
[2010/12/16 10:03:19 | 000,001,900 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\TQVault.lnk
[2010/04/08 06:07:39 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\owner\Local Settings\Application Data\housecall.guid.cache
[2010/02/10 15:46:37 | 000,009,216 | ---- | C] () -- C:\Documents and Settings\owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/11/10 14:16:00 | 000,000,128 | ---- | C] () -- C:\Documents and Settings\owner\Local Settings\Application Data\fusioncache.dat
[2009/11/04 17:32:14 | 000,156,672 | ---- | C] () -- C:\WINDOWS\System32\RTLCPAPI.dll
[2009/11/04 08:40:42 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2009/03/03 12:18:04 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\RtNicProp32.dll
[2007/09/27 10:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 10:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 10:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2005/08/05 14:01:54 | 000,235,008 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 124 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0B4227B4

< End of report >
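Two things in the report above are easier to read with a few lines of code than by eye: the AutoRun policy values in the O6/O7 lines (NoDriveTypeAutoRun is a bitmask of drive types, NoDriveAutoRun a bitmask of drive letters, a set bit meaning AutoRun is disabled there), and the autostart entries whose target OTL marks "File not found". The script below is an added example by the editor, not part of Micheal B's post and not OTL's own code. It decodes the policy bits using their documented meanings, and lists orphaned entries while skipping two renderings that OTL produces on a clean XP box as well: the BootExecute `autocheck autochk *` line (no path, so OTL never resolves it) and the stock XP Winlogon notify packages. That allowlist, and the function names, are the editor's assumptions; `SAMPLE_LINES` is copied verbatim from the log.

```python
"""Triage helpers for an OTL log: decode the AutoRun policies and list orphaned
autostart entries.  Editor's example, not part of the original post or of OTL."""
import re

# Bit meanings of NoDriveTypeAutoRun (1 << GetDriveType() code); a set bit disables
# AutoRun for that drive type.  0x80 is reserved; nothing above 0xFF is defined.
DRIVE_TYPE_BITS = {
    0x01: "unknown",
    0x02: "no root dir",
    0x04: "removable",
    0x08: "fixed",
    0x10: "remote",
    0x20: "CD-ROM",
    0x40: "RAM disk",
    0x80: "reserved",
}

# Stock Windows XP Winlogon notification packages.  OTL prints them as
# "Reg Error: Value error ... File not found" on XP, so they are treated as
# noise here (editor's allowlist, not an OTL feature).
XP_NOTIFY_PACKAGES = {
    "crypt32chain", "cryptnet", "cscdll", "dimsntfy", "sccertprop",
    "schedule", "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

OTL_LINE = re.compile(r"^(O\d+) - (.*)$")
POLICY_RE = re.compile(
    r"^O[67] - (.+?)\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\Explorer: "
    r"(NoDriveTypeAutoRun|NoDriveAutoRun) = (\d+)$",
    re.IGNORECASE,
)
NOTIFY_RE = re.compile(r"^Winlogon\\Notify\\([^:]+):")


def decode_no_drive_type_autorun(value: int) -> list:
    """Drive types on which AutoRun is disabled by this NoDriveTypeAutoRun value."""
    names = [name for bit, name in DRIVE_TYPE_BITS.items() if value & bit]
    undefined = value & ~0xFF
    if undefined:
        names.append("undefined bits 0x%X" % undefined)
    return names


def decode_no_drive_autorun(value: int) -> list:
    """NoDriveAutoRun is a 26-bit mask, bit 0 = A:, set = AutoRun disabled.
    Returns the drive letters that are NOT masked, i.e. still allow AutoRun."""
    return [chr(ord("A") + i) for i in range(26) if not value & (1 << i)]


def autorun_policies(lines) -> dict:
    """(hive, policy name) -> decoded meaning, for every O6/O7 AutoRun policy line."""
    decoded = {}
    for raw in lines:
        m = POLICY_RE.match(raw.strip())
        if not m:
            continue
        hive, name, value = m.group(1), m.group(2), int(m.group(3))
        if name.lower() == "nodrivetypeautorun":
            decoded[(hive, name)] = decode_no_drive_type_autorun(value)
        else:
            decoded[(hive, name)] = decode_no_drive_autorun(value)
    return decoded


def find_orphans(lines) -> list:
    """(section, text) for autostart entries whose target OTL could not find,
    minus the two known-benign renderings described in XP_NOTIFY_PACKAGES
    and the pathless BootExecute autochk entry."""
    orphans = []
    for raw in lines:
        m = OTL_LINE.match(raw.strip())
        if not m or "File not found" not in m.group(2):
            continue
        section, body = m.group(1), m.group(2)
        if section == "O34" and body.startswith("HKLM BootExecute: (autocheck autochk *)"):
            continue
        n = NOTIFY_RE.match(body)
        if section == "O20" and n and n.group(1).lower() in XP_NOTIFY_PACKAGES:
            continue
        orphans.append((section, body))
    return orphans


# Lines copied from the OTL report above; the whole log can be fed in the same way.
SAMPLE_LINES = [
    r"O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323",
    r"O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108855",
    r"O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145",
    r"O18 - Protocol\Handler\avgsecuritytoolbar {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - Reg Error: Key error. File not found",
    r"O20 - Winlogon\Notify\AtiExtEvent: DllName - Reg Error: Value error. - Reg Error: Value error. File not found",
    r"O20 - Winlogon\Notify\crypt32chain: DllName - Reg Error: Value error. - Reg Error: Value error. File not found",
    r"O34 - HKLM BootExecute: (autocheck autochk *) - File not found",
    r"O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG10\avgchsvx.exe /sync) - C:\PROGRA~1\AVG\AVG10\avgchsvx.exe File not found",
]

if __name__ == "__main__":
    for key, meaning in autorun_policies(SAMPLE_LINES).items():
        print("%-16s %-20s %s" % (key[0], key[1], ", ".join(meaning) or "(none)"))
    for section, body in find_orphans(SAMPLE_LINES):
        print(section, "orphan:", body)
```

On the sample lines this reports that the HKLM value 323 (0x143) only covers the "unknown", "no root dir" and "RAM disk" types plus an undefined bit, whereas 145 (0x91) is the usual XP default, and that NoDriveAutoRun = 67108855 masks every drive letter except D:. Read together with the `O32 - HKLM CDRom: AutoRun - 0` line in the same log, that is why AutoRun was not the vector to chase here. The orphan list comes back with the AVG protocol handlers, the AVG BootExecute entries and the `AtiExtEvent` notify package: leftovers of uninstalled software rather than active malware, but BootExecute entries run from smss at every boot and are worth removing once the files are confirmed gone.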

#11 Blade

    Strong in the Bleepforce

  • Site Admin
  • 12,704 posts
  • Gender:Male
  • Location:US

Posted 10 January 2011 - 09:21 AM

Hello.

We're going to try repairing Windows Update.

  • Please download Dial-A-Fix from one of the following mirrors:
  • Extract the zip file to your desktop.
  • Double click Dial-a-Fix.exe to start the program.
  • Press the green double checkmark box.
  • Uncheck "Empty Temp Folders", as well as "Adjust Time/Date" in the prep section.
  • Then press the GO button at the bottom of the window.
  • Exit/Close Dial-A-Fix

Do Windows Updates install correctly now?

~Blade


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#12 Micheal B (Topic Starter)

Posted 10 January 2011 - 01:41 PM

There is a problem running that tool. When I first load it, it says it is unable to determine my version of IE and that it would skip some DLLs, or something to that effect. Then when I run it, it gets to Empty System32/Catroot2, where it is attempting to stop CRYPTSVC, and then hangs. It advanced through all the other steps very quickly but stayed at this one for over 5 minutes. I then reloaded it and it did the exact same thing.

#13 Blade (Site Admin)

Posted 11 January 2011 - 02:07 AM

Hello.

Do you have a Windows XP disk available? The next thing to attempt is a repair installation as some files may have been corrupted.



#14 Micheal B (Topic Starter)

Posted 11 January 2011 - 10:13 AM

> Hello.
>
> Do you have a Windows XP disk available? The next thing to attempt is a repair installation as some files may have been corrupted.


No I don't. This is one of those computers that didn't come with any software discs, even OEM discs. Instead it just gave you some blank CDs and said make your own backups. Except that I didn't realize they did that until it was far too late because I did not RTFM. It screwed me over once when the hard drive failed and I had to pay more to have software reinstalled. Thing is, the backup utility is only added at the factory, so they couldn't put that back.

#15 Blade (Site Admin)

Posted 12 January 2011 - 05:47 PM

Hello.

> No I don't. This is one of those computers that didn't come with any software discs, even OEM discs. Instead it just gave you some blank CDs and said make your own backups. Except that I didn't realize they did that until it was far too late because I did not RTFM. It screwed me over once when the hard drive failed and I had to pay more to have software reinstalled. Thing is, the backup utility is only added at the factory, so they couldn't put that back.


It probably goes without saying, but this doesn't leave you in a very good situation. You may be able to obtain a set of disks by contacting the manufacturer of the machine, but there's no guarantee, since the recovery partition is no longer present on the drive.

We will try to find a solution though. Please try following the steps here. http://support.microsoft.com/kb/971058

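The posts above walk through one procedure twice: Dial-A-Fix in #11 (which hung while stopping CRYPTSVC, per #12) and the KB971058 steps in #15, both of which stop the update services, clear catroot2 and SoftwareDistribution, re-register the Windows Update DLLs and start the services again. The script below is an added example by the editor, not Dial-A-Fix, not Microsoft's Fix-it and not anything Blade posted, written to show the one thing the hang in #12 calls for: a bounded wait on each service stop, so a service stuck in STOP_PENDING is reported instead of blocking the tool forever. The order of steps follows the manual part of KB971058; `WU_DLLS` is a subset of that article's list; `stop_service`, `plan_reset`, `reset_windows_update` and the `SAMPLE_SC_QUERY` text are the editor's (the sample is constructed, not captured from this machine). `sc.exe` and `regsvr32 /s` are the real Windows tools. It must run from an elevated prompt on Windows; the parsing and planning functions are pure and run anywhere.

```python
"""Windows Update component reset with a bounded service stop.  Editor's example,
not Dial-A-Fix, not the KB971058 Fix-it and not Blade's.  Order of steps follows
the manual part of KB971058; WU_DLLS is a subset of the article's list."""
import ntpath
import os
import re
import subprocess
import sys
import time

SERVICES = ["wuauserv", "bits", "cryptsvc"]
WU_DLLS = ["wuapi.dll", "wuaueng.dll", "wucltui.dll", "wups.dll", "wups2.dll", "wuweb.dll",
           "qmgr.dll", "qmgrprxy.dll", "softpub.dll", "wintrust.dll", "initpki.dll", "cryptdlg.dll"]

# Matches "STATE              : 3  STOP_PENDING" inside `sc query <name>` output.
STATE_RE = re.compile(r"^\s*STATE\s*:\s*(\d+)\s+([A-Z_]+)", re.MULTILINE)

# Constructed sample of what `sc query cryptsvc` prints while a stop hangs
# (the situation reported for Dial-A-Fix in #12); not captured from the thread's machine.
SAMPLE_SC_QUERY = """SERVICE_NAME: cryptsvc
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 3  STOP_PENDING
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
"""


def parse_sc_state(sc_query_output: str):
    """(code, name) from `sc query` text, e.g. (3, 'STOP_PENDING'); None if no STATE line."""
    m = STATE_RE.search(sc_query_output)
    return (int(m.group(1)), m.group(2)) if m else None


def sc(*args) -> str:
    """Run sc.exe; it reports everything, errors included, on stdout."""
    return subprocess.run(["sc", *args], capture_output=True, text=True).stdout


def stop_service(name: str, timeout_s: float = 60.0) -> str:
    """Request a stop and poll until STOPPED or the timeout; return the final state name.
    A service stuck in STOP_PENDING is reported, not waited on forever."""
    sc("stop", name)
    deadline = time.monotonic() + timeout_s
    state = parse_sc_state(sc("query", name))
    while state and state[1] != "STOPPED" and time.monotonic() < deadline:
        time.sleep(1)
        state = parse_sc_state(sc("query", name))
    return state[1] if state else "UNKNOWN"


def plan_reset(systemroot: str = r"C:\WINDOWS") -> list:
    """The filesystem and regsvr32 steps as (kind, path) tuples, in order.
    Pure function: review or test it before anything touches the box."""
    sys32 = ntpath.join(systemroot, "System32")
    steps = [("rename", ntpath.join(systemroot, "SoftwareDistribution")),
             ("rename", ntpath.join(sys32, "catroot2"))]
    steps += [("regsvr32", ntpath.join(sys32, dll)) for dll in WU_DLLS]
    return steps


def reset_windows_update(systemroot: str = None) -> None:
    """Stop the services, rename the caches, re-register the DLLs, restart the services."""
    systemroot = systemroot or os.environ.get("SystemRoot", r"C:\WINDOWS")
    for svc in SERVICES:
        final = stop_service(svc)
        if final != "STOPPED":
            # Do not rename catroot2 while cryptsvc still has it open.  `sc queryex <svc>`
            # gives the hosting PID; decide by hand, because killing a shared svchost
            # takes every other service in that process down with it.
            sys.exit("%s did not stop (state %s); check 'sc queryex %s' before continuing"
                     % (svc, final, svc))
    for kind, path in plan_reset(systemroot):
        if kind == "rename":
            if os.path.isdir(path):
                if os.path.exists(path + ".old"):
                    sys.exit("%s.old already exists; move it aside first" % path)
                os.rename(path, path + ".old")
        else:
            subprocess.run(["regsvr32", "/s", path], check=False)  # /s: no dialog per DLL
    for svc in SERVICES:
        sc("start", svc)


if __name__ == "__main__":
    if os.name != "nt":
        sys.exit("Windows only")
    reset_windows_update()
```

The point of `stop_service` returning a state name rather than blocking is the failure mode in #12: if cryptsvc never leaves STOP_PENDING, the script exits with the service name and state, and the operator can look at `sc queryex cryptsvc` for the hosting PID before deciding whether a reboot or a repair install is the next step, which is what the thread itself went on to.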




