Infected with multiple viruses


  • This topic is locked
15 replies to this topic

#1 hYlAnDeR~TFC

  • Members
  • 257 posts

Posted 12 February 2011 - 01:53 PM

My computer runs extremely slow. I have the free version of Malwarebytes, but it never found anything wrong. I also have SpyZooka, and that too never found anything wrong. When I navigate on either Firefox or IE, my computer hangs up, or goes to webpages other than what I Googled, or locks up. I get unwarranted pop ups. I also occasionally lose internet connectivity.

Below is a list of viruses that StopZilla has detected recently on my system:

Gen Malware Detection 0.0
Google Redirector
System Tool 2011 Rogue
System Defragmenter Trojan
System Policies Disable Registry Hijacker
DriveCleaner Rogue
Smart Defragmentor Spyware
Usbuhcii Trojan
GASF Trojan
Search Hijacker.H
Ms-counter Trojan
AntiVirus.Net spyware
Cognac
Ipv4mons Spyware
Swreg Adware
Vundo.A7
InternetSecurity Spyware
MalPak.D Spyware

I have completed all the steps in the Preparation Guide before asking for help, up to step #7. At step #7, when I attempted to activate the DDS program from my desktop, the anti-spyware program "StopZilla" popped up and indicated that I had a virus, and then the DDS program never finished scanning. I attempted it again after disabling StopZilla and it started to scan, but again it never finished and I never received any Attach.txt or DDS.txt information from Notepad. The DDS seems to just hang up and not work.

I have no DDS.txt or attach.txt to paste or attach to this message due to the aforementioned problems. However, I was able to successfully complete step #8 and run the Gmer program and will attach the results accordingly.

Thank you very much in advance for your help and I look forward to hearing back from you when you get a chance.

Warm Regards and Thanks.

Attached File: ark.txt (10.61KB)

Edited by hYlAnDeR~TFC, 12 February 2011 - 02:18 PM.

hYlAnDeR~TFC~
[OF/FA] Orion Faction-Retired
Game Squad Fleet Admiral~Retired

#2 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 12 February 2011 - 05:56 PM

Hello hYlAnDeR~TFC,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer, including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • Finally, please reply using the reply button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.


1.
    1. Please download OTL from one of the following mirrors:
       This is THE Mirror
    2. Save it to your desktop.
    3. Double click on the OTL icon on your desktop.
    4. Under the Custom Scan box paste this in:
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT

    5. Push the Quick Scan button.
    6. Two reports will open, copy and paste them in a reply here:
       OTL.txt <-- Will be opened
       Extra.txt <-- Will be minimized


2.
Download Bootkit Remover to your desktop

1. Extract the file to your desktop.
2. Double click Remover.exe to run it (Right click and run as Administrator for Vista).
3. It will show a Black screen with some data on it.
4. Right click on the screen and choose Select All.
5. Press Control+C (to copy the data).
6. Open a notepad, Click on Edit tab > paste.
7. Exit the Remover.exe window.
8. Please post the contents of the notepad when you reply.

3.
Please download MBRCheck to your desktop.

1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
2. It will open a black window, please do not fix anything (if it gives you an option).
3. Exit that window and it will produce a log (MBRCheck_date_time).
4. Please post that log when you reply.

Things to include in your next reply:
OTL.txt
Attach.txt
BootKit Remover log
MBRCheck log
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



If I have helped you, consider making a donation to help me continue the fight against Malware! Just click the donate button.
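The OTL scan requested above produces a long report whose lines follow a fixed format (the "IE -", "FF -", "SRV -" and "O2 -"/"O6 -" prefixes seen in the log posted later in this thread). As an added example, not part of this thread, of OTL, or of the helper's procedure, here is a small Python triage script that surfaces the line types a responder looks at first: a browser proxy pointed at a loopback port, an auto-start service whose binary is missing, orphaned BHO registrations, Firefox proxy and address-bar search changes, and IE policy restrictions. The sample report is a constructed subset in OTL's format (values illustrative); the rules and severities are my own and only flag lines for a human to review, they are not verdicts.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the OTL report format used in this thread; a subset of
# line types with illustrative values, not a real log.
SAMPLE_OTL = r"""
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:61939
FF - prefs.js..network.proxy.type: 4
FF - prefs.js..keyword.URL: "http://www.bing.com/search?pc=ZUGO&form=ZGAADF&q="
SRV - File not found [Auto | Stopped] -- -- (wuauserv)
SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - No CLSID value found.
O2 - BHO: (STOPzilla Browser Helper Object) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - c:\Program Files\STOPzilla!\SZIEBHO.dll (iS3, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\restrictions present
O1 - Hosts: 127.0.0.1 localhost
"""

LOOPBACK = ("127.0.0.1", "localhost", "::1")


@dataclass
class Finding:
    severity: str  # "high" = look at this first, "review" = confirm it is intended
    reason: str
    line: str


def _proxy_hosts(value: str) -> list:
    """Split an IE ProxyServer value such as 'http=127.0.0.1:61939;https=host:443'
    into its host names (the scheme= prefix and :port are stripped)."""
    hosts = []
    for part in value.split(";"):
        hostport = part.split("=", 1)[-1]
        hosts.append(hostport.rsplit(":", 1)[0])
    return hosts


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for one OTL report line, or None if the line is not of interest."""
    line = line.rstrip()
    m = re.search(r'"ProxyServer"\s*=\s*(\S+)', line)
    if m:
        # A proxy on a local port means something on the machine sits between the
        # browser and the network; note it even when ProxyEnable = 0 on a nearby line.
        if any(h in LOOPBACK for h in _proxy_hosts(m.group(1))):
            return Finding("high", "IE proxy points at a loopback port", line)
        return Finding("review", "IE proxy configured; confirm it is intended", line)
    m = re.search(r"network\.proxy\.type:\s*(\d+)", line)
    if m and m.group(1) != "0":
        return Finding("review", "Firefox proxy mode is not 'no proxy' (4 = auto-detect via WPAD)", line)
    if "keyword.URL:" in line:
        return Finding("review", "Firefox address-bar search target was changed; confirm the provider", line)
    if line.startswith("SRV - File not found") and "[Auto" in line:
        return Finding("high", "auto-start service registered but its binary is missing", line)
    if line.startswith("O2 - BHO: (no name)") and "No CLSID value found" in line:
        return Finding("review", "orphaned BHO registration (no name, no CLSID)", line)
    if re.match(r"O[67] - .*Internet Explorer\\(Restrictions|Control Panel) present", line, re.I):
        return Finding("review", "IE policy restrictions set; verify they were applied intentionally", line)
    return None


def triage(report: str) -> list:
    """Run triage_line over every line of an OTL report and collect the findings."""
    return [f for f in (triage_line(l) for l in report.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_OTL):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

Run against a real OTL.txt, the output is a short list of lines to read closely rather than the whole report. A loopback proxy entry should be read together with the ProxyEnable flag on the adjacent line and with what the other requested logs (Bootkit Remover, MBRCheck) show, since a stale setting and an active redirector produce the same OTL line.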


#3 hYlAnDeR~TFC
  • Topic Starter

  • Members
  • 257 posts

Posted 13 February 2011 - 05:46 PM

Per your request, here are the attached scans. By the way, I actually have 2 hard drives running as a single RAID drive on my system, in case you were wondering why it was reading C and D drives. Thanks.



STEP 1A
OTL.txt

OTL logfile created on: 2/13/2011 1:57:20 PM - Run 1
OTL by OldTimer - Version 3.2.20.6 Folder = C:\Documents and Settings\WILLIAM NIELSEN\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,023.00 Mb Total Physical Memory | 348.00 Mb Available Physical Memory | 34.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 79.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINNT | %ProgramFiles% = C:\Program Files
Drive C: | 149.05 Gb Total Space | 64.12 Gb Free Space | 43.02% Space Free | Partition Type: NTFS
Drive D: | 413.46 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: HYLANDER | User Name: WILLIAM NIELSEN | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/02/13 13:53:56 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\WILLIAM NIELSEN\Desktop\OTL.exe
PRC - [2011/02/03 18:11:00 | 000,177,616 | R--- | M] (iS3, Inc.) -- c:\Program Files\STOPzilla!\STOPzilla.exe
PRC - [2011/02/03 18:10:56 | 000,062,928 | R--- | M] (iS3, Inc.) -- c:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
PRC - [2010/12/25 08:43:51 | 000,274,608 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Real\realplayer\Update\realsched.exe
PRC - [2009/12/27 13:34:48 | 000,786,424 | ---- | M] (BluePenguin Software Inc.) -- C:\Program Files\SpyZooka\spyzooka.exe
PRC - [2009/12/08 21:29:44 | 000,240,992 | ---- | M] (Microsoft Corp.) -- C:\Program Files\MSN Toolbar\Platform\4.0.0379.0\mswinext.exe
PRC - [2009/11/12 20:03:00 | 000,323,392 | ---- | M] (BitTorrent, Inc.) -- C:\Program Files\DNA\btdna.exe
PRC - [2009/08/07 17:15:06 | 000,242,048 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
PRC - [2009/03/05 16:07:20 | 002,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2008/09/30 14:06:50 | 000,485,208 | ---- | M] (Nikon Corporation) -- C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
PRC - [2008/04/13 16:12:28 | 000,060,416 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Outlook Express\msimn.exe
PRC - [2008/04/13 16:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINNT\explorer.exe
PRC - [2005/03/09 19:51:37 | 000,039,936 | ---- | M] (C-Dilla Ltd) -- C:\WINNT\system32\drivers\CDAC11BA.EXE
PRC - [2004/04/12 11:14:24 | 001,695,830 | ---- | M] (ABIT Computer Corporation) -- C:\Program Files\ABIT\ABIT uGuru\uGuru.exe
PRC - [2004/04/08 12:19:32 | 000,229,376 | ---- | M] (AIBT Computer Corp.) -- C:\Program Files\ABIT\ABIT uGuru\uGuru_Event_Receiver.exe


========== Modules (SafeList) ==========

MOD - [2011/02/13 13:53:56 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\WILLIAM NIELSEN\Desktop\OTL.exe
MOD - [2010/12/25 08:44:05 | 000,040,448 | ---- | M] (RealNetworks, Inc.) -- C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
MOD - [2008/07/29 08:05:08 | 000,655,872 | ---- | M] (Microsoft Corporation) -- C:\WINNT\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcr90.dll
MOD - [2008/07/29 08:05:08 | 000,572,928 | ---- | M] (Microsoft Corporation) -- C:\WINNT\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcp90.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (wuauserv)
SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - File not found [Auto | Stopped] -- -- (CLTNetCnService)
SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - [2011/02/03 18:10:56 | 000,062,928 | R--- | M] (iS3, Inc.) [Auto | Running] -- c:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe -- (szserver)
SRV - [2010/06/02 08:02:00 | 003,578,120 | ---- | M] (INCA Internet Co., Ltd.) [On_Demand | Stopped] -- C:\WINNT\System32\GameMon.des -- (npggsvc)
SRV - [2009/08/07 17:15:06 | 000,242,048 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort)
SRV - [2007/01/31 12:11:41 | 002,975,352 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_2.EXE -- (LiveUpdate)
SRV - [2005/03/09 19:51:37 | 000,039,936 | ---- | M] (C-Dilla Ltd) [Auto | Running] -- C:\WINNT\system32\drivers\CDAC11BA.EXE -- (C-DillaCdaC11BA)


========== Driver Services (SafeList) ==========

DRV - [2011/02/12 16:22:38 | 000,138,520 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\PnkBstrK.sys -- (PnkBstrK)
DRV - [2010/05/12 17:01:06 | 000,059,280 | R--- | M] (iS3, Inc.) [Kernel | Boot | Running] -- C:\WINNT\system32\drivers\szkgfs.sys -- (szkgfs)
DRV - [2009/12/07 16:59:32 | 000,061,328 | R--- | M] (iS3 Inc.) [Kernel | Boot | Running] -- C:\WINNT\system32\DRIVERS\szkg.sys -- (szkg5)
DRV - [2009/12/07 16:59:32 | 000,061,328 | R--- | M] (iS3 Inc.) [Kernel | Boot | Stopped] -- C:\WINNT\system32\drivers\is3srv.sys -- (is3srv)
DRV - [2007/08/20 00:00:00 | 000,865,904 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20070820.048\NAVEX15.SYS -- (NAVEX15)
DRV - [2007/08/20 00:00:00 | 000,395,312 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2007/08/20 00:00:00 | 000,081,232 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20070820.048\NAVENG.SYS -- (NAVENG)
DRV - [2007/03/21 14:37:04 | 000,276,792 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\srtspl.sys -- (SRTSPL)
DRV - [2007/03/21 14:37:04 | 000,247,608 | ---- | M] (Symantec Corporation) [File_System | System | Running] -- C:\WINNT\system32\drivers\srtsp.sys -- (SRTSP)
DRV - [2007/03/21 14:37:04 | 000,025,400 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINNT\system32\drivers\srtspx.sys -- (SRTSPX)
DRV - [2007/03/14 17:57:15 | 001,986,560 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2007/02/11 21:00:43 | 000,271,360 | ---- | M] () [Kernel | Auto | Running] -- C:\WINNT\system32\drivers\atksgt.sys -- (atksgt)
DRV - [2007/02/11 21:00:43 | 000,018,048 | ---- | M] () [Kernel | Auto | Running] -- C:\WINNT\system32\drivers\lirsgt.sys -- (lirsgt)
DRV - [2005/08/10 04:44:04 | 000,050,688 | ---- | M] (Protection Technology) [Kernel | Boot | Running] -- C:\WINNT\System32\drivers\sfdrv01.sys -- (sfdrv01) StarForce Protection Environment Driver (version 1.x)
DRV - [2005/05/16 05:20:39 | 000,006,656 | ---- | M] (Protection Technology) [Kernel | Boot | Running] -- C:\WINNT\System32\drivers\sfhlp02.sys -- (sfhlp02) StarForce Protection Helper Driver (version 2.x)
DRV - [2005/03/09 19:51:37 | 000,008,864 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\CDAC15BA.SYS -- (CdaC15BA)
DRV - [2004/06/23 12:08:48 | 000,610,988 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2004/06/23 12:08:48 | 000,391,424 | ---- | M] (Sensaura Ltd) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\ALCXSENS.SYS -- (ALCXSENS)
DRV - [2004/05/02 00:47:08 | 000,023,040 | R--- | M] () [Kernel | Auto | Running] -- C:\WINNT\System32\drivers\GVCplDrv.sys -- (GVCplDrv)
DRV - [2004/03/23 04:13:58 | 000,467,200 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\WINNT\system32\drivers\iaStor.sys -- (iaStor)
DRV - [2004/02/26 17:52:22 | 000,010,752 | ---- | M] (ABIT Computer Corporation) [Kernel | Boot | Running] -- C:\WINNT\system32\Drivers\uGuru.sys -- (uGuru)
DRV - [2003/08/12 16:27:22 | 000,065,280 | R--- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\Rtlnic51.sys -- (RTL8023)
DRV - [2003/01/16 12:48:46 | 000,245,120 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\sndp202.sys -- (SNDP202) Dual Mode Camera (8008 VGA)
DRV - [2002/10/01 09:22:32 | 000,009,856 | ---- | M] (Padus, Inc.) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\pfc.sys -- (pfc)
DRV - [2002/09/17 12:55:06 | 000,003,548 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\ABIT\ABIT uGuru\WinFlash.sys -- (Winflash)
DRV - [2001/11/29 19:49:56 | 000,004,047 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\ABIT\ABIT uGuru\MEMCTL.SYS -- (Memctl)
DRV - [2001/08/17 14:02:50 | 000,002,688 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\HIDSwvd.sys -- (HIDSwvd)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Search Assistant = http://www.google.com/ie
IE - HKLM\..\URLSearchHook: {D3F669EB-57CE-4f45-8FBD-E245CBB46366} - c:\Program Files\STOPzilla!\Toolbar\SZIESearchHook.dll (iS3 Inc.)

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page =
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,Customize Search =
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:61939

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Bing"
FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
FF - prefs.js..extensions.enabledItems: {92C6B92D-23E6-49DE-8CA7-EE13BC244F7E}:1.0
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:7
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..extensions.enabledItems: {ABDE892B-13A8-4d1b-88E6-365A6E755758}:14.0.1
FF - prefs.js..extensions.enabledItems: searchtoolbar@zugo.com:1.2
FF - prefs.js..keyword.URL: "http://www.bing.com/search?pc=ZUGO&form=ZGAADF&q="
FF - prefs.js..network.proxy.type: 4

FF - HKLM\software\mozilla\Firefox\Extensions\\{92C6B92D-23E6-49DE-8CA7-EE13BC244F7E}: C:\WINNT\system32\config\systemprofile\Local Settings\Application Data\{92C6B92D-23E6-49DE-8CA7-EE13BC244F7E}\ [2009/01/07 17:54:50 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{780044d1-e8c0-488f-8059-4522ddbfc2ea}: c:\Program Files\Stopzilla!\Toolbar\Extension [2010/01/24 15:14:35 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{27182e60-b5f3-411c-b545-b44205977502}: C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension\ [2010/01/27 06:36:17 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2010/12/25 08:44:06 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/12/25 08:44:00 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/02/10 12:58:52 | 000,000,000 | ---D | M]

[2010/08/17 04:48:23 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\WILLIAM NIELSEN\Application Data\Mozilla\Extensions
[2011/02/11 08:58:16 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\WILLIAM NIELSEN\Application Data\Mozilla\Firefox\Profiles\1fox774n.default\extensions
[2010/12/30 18:30:19 | 000,000,000 | ---D | M] (Search Toolbar) -- C:\Documents and Settings\WILLIAM NIELSEN\Application Data\Mozilla\Firefox\Profiles\1fox774n.default\extensions\searchtoolbar@zugo.com
[2010/12/30 18:30:20 | 000,001,919 | ---- | M] () -- C:\Documents and Settings\WILLIAM NIELSEN\Application Data\Mozilla\Firefox\Profiles\1fox774n.default\searchplugins\bing-zugo.xml
[2011/02/11 08:58:16 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/10/17 00:54:01 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2010/12/16 13:51:47 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
[2010/12/25 08:44:06 | 000,000,000 | ---D | M] (RealPlayer Browser Record Plugin) -- C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\REAL\REALPLAYER\BROWSERRECORDPLUGIN\FIREFOX\EXT
[2009/11/08 06:57:10 | 000,000,000 | ---D | M] (Move Media Player) -- C:\DOCUMENTS AND SETTINGS\WILLIAM NIELSEN\APPLICATION DATA\MOVE NETWORKS
[2010/04/18 18:26:22 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2009/01/07 17:54:50 | 000,000,000 | ---D | M] (XUL Cache) -- C:\WINNT\SYSTEM32\CONFIG\SYSTEMPROFILE\LOCAL SETTINGS\APPLICATION DATA\{92C6B92D-23E6-49DE-8CA7-EE13BC244F7E}
[2010/11/12 18:53:06 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2011/02/03 22:25:11 | 000,000,027 | ---- | M]) - C:\WINNT\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (ZILLAbar Browser Helper Object) - {1827766B-9F49-4854-8034-F6EE26FCB1EC} - c:\Program Files\STOPzilla!\Toolbar\SZSG.dll (iS3, Inc)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - No CLSID value found.
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - No CLSID value found.
O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - No CLSID value found.
O2 - BHO: (no name) - {CAFD2FAA-548C-4306-B02E-8C1CA227917B} - No CLSID value found.
O2 - BHO: (no name) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - No CLSID value found.
O2 - BHO: (STOPzilla Browser Helper Object) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - c:\Program Files\STOPzilla!\SZIEBHO.dll (iS3, Inc.)
O2 - BHO: (no name) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - No CLSID value found.
O3 - HKLM\..\Toolbar: (STOPzilla) - {98828DED-A591-462F-83BA-D2F62A68B8B8} - c:\Program Files\STOPzilla!\Toolbar\SZSG.dll (iS3, Inc)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {B4B3001E-0F56-4E51-8250-BDE11547EC55} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [ABIT uGuru] C:\Program Files\ABIT\ABIT uGuru\uGuru.exe (ABIT Computer Corporation)
O4 - HKLM..\Run: [Microsoft Default Manager] C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe (Microsoft Corporation)
O4 - HKLM..\Run: [MSN Toolbar] C:\Program Files\MSN Toolbar\Platform\4.0.0379.0\mswinext.exe (Microsoft Corp.)
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [Nikon Transfer Monitor] C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe (Nikon Corporation)
O4 - HKLM..\Run: [TkBellExe] C:\program files\real\realplayer\update\realsched.exe (RealNetworks, Inc.)
O4 - HKCU..\Run: [BitTorrent DNA] C:\Program Files\DNA\btdna.exe (BitTorrent, Inc.)
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - HKCU..\Run: [SpyZooka] C:\Program Files\SpyZooka\SpyZookaLdr.exe (BluePenguin Software Inc.)
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.EXE ()
O9 - Extra 'Tools' menuitem : ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.EXE ()
O9 - Extra Button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (America Online, Inc.)
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - Reg Error: Key error. File not found
O16 - DPF: {41564D57-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab (Reg Error: Key error.)
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} http://www.acclaim.com/cabs/acclaim_v5.cab (GameLauncher Control)
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class)
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} https://webdl.symantec.com/activex/symdlmgr.cab (Symantec Download Manager)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\WINNT\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\WILLIAM NIELSEN\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\WILLIAM NIELSEN\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/03/07 11:31:53 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [1999/02/05 11:38:36 | 000,217,088 | R--- | M] (Dynamix, Inc) - D:\Autorun.exe -- [ CDFS ]
O32 - AutoRun File - [1999/02/16 04:03:58 | 000,000,049 | R--- | M] () - D:\autorun.inf -- [ CDFS ]
O32 - AutoRun File - [1999/02/05 11:32:58 | 000,221,313 | R--- | M] () - D:\autorun.tbv -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (MACHINE BootExecut) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKCU\...exe [@ = exefile] -- Reg Error: Key error. File not found

NetSvcs: 6to4 - File not found
NetSvcs: AppMgmt - File not found
NetSvcs: HidServ - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found
NetSvcs: wuauserv - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16902109354000384)

========== Files/Folders - Created Within 30 Days ==========

[2011/02/13 13:53:54 | 000,602,624 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\WILLIAM NIELSEN\Desktop\OTL.exe
[2011/02/12 16:49:37 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\WILLIAM NIELSEN\Recent
[2011/02/04 13:42:09 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2011/02/03 22:27:03 | 000,000,000 | ---D | C] -- C:\WINNT\temp
[2011/02/03 22:18:59 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINNT\SWREG.exe
[2011/02/03 19:45:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\STOPzilla
[2011/02/03 18:10:50 | 000,132,560 | R--- | C] (iS3, Inc.) -- C:\WINNT\System32\IS3HTUI5.dll
[2011/02/03 18:10:50 | 000,022,992 | R--- | C] (iS3, Inc.) -- C:\WINNT\System32\SZIO5.dll
[2011/02/03 18:10:48 | 000,546,256 | R--- | C] (iS3, Inc.) -- C:\WINNT\System32\SZComp5.dll
[2011/02/03 18:10:48 | 000,452,048 | R--- | C] (iS3, Inc.) -- C:\WINNT\System32\SZBase5.dll
[2011/02/03 18:10:48 | 000,398,800 | R--- | C] (iS3, Inc.) -- C:\WINNT\System32\IS3DBA5.dll
[2011/02/03 18:10:48 | 000,099,792 | R--- | C] (iS3, Inc.) -- C:\WINNT\System32\IS3Svc5.dll
[2011/02/03 18:10:48 | 000,067,024 | R--- | C] (iS3, Inc.) -- C:\WINNT\System32\IS3Hks5.dll
[2011/02/03 18:10:48 | 000,028,624 | R--- | C] (iS3, Inc.) -- C:\WINNT\System32\IS3XDat5.dll
[2011/02/03 18:10:46 | 000,738,768 | R--- | C] (iS3, Inc.) -- C:\WINNT\System32\IS3Base5.dll
[2011/02/03 18:10:46 | 000,390,608 | R--- | C] (iS3, Inc.) -- C:\WINNT\System32\IS3UI5.dll
[2011/02/03 18:10:46 | 000,230,864 | R--- | C] (iS3, Inc.) -- C:\WINNT\System32\IS3Win325.dll
[2011/02/03 18:10:46 | 000,099,792 | R--- | C] (iS3, Inc.) -- C:\WINNT\System32\IS3Inet5.dll
[2011/01/31 18:30:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\ICS
[2011/01/30 01:51:16 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner

========== Files - Modified Within 30 Days ==========

[2011/02/13 13:53:56 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\WILLIAM NIELSEN\Desktop\OTL.exe
[2011/02/13 13:51:14 | 000,001,144 | ---- | M] () -- C:\WINNT\System32\drivers\kgpcpy.cfg
[2011/02/13 13:50:50 | 000,000,300 | ---- | M] () -- C:\WINNT\tasks\RealUpgradeLogonTaskS-1-5-21-3153008980-3137500025-2304659736-1006.job
[2011/02/13 13:50:48 | 000,000,308 | ---- | M] () -- C:\WINNT\tasks\RealUpgradeScheduledTaskS-1-5-21-3153008980-3137500025-2304659736-1006.job
[2011/02/13 13:50:30 | 000,000,882 | ---- | M] () -- C:\WINNT\tasks\GoogleUpdateTaskMachineCore.job
[2011/02/13 13:50:24 | 000,002,048 | --S- | M] () -- C:\WINNT\bootstat.dat
[2011/02/12 16:38:03 | 000,000,886 | ---- | M] () -- C:\WINNT\tasks\GoogleUpdateTaskMachineUA.job
[2011/02/12 16:22:38 | 000,138,520 | ---- | M] () -- C:\WINNT\System32\drivers\PnkBstrK.sys
[2011/02/12 16:22:25 | 000,234,536 | ---- | M] () -- C:\WINNT\System32\PnkBstrB.xtr
[2011/02/12 11:13:23 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\WILLIAM NIELSEN\defogger_reenable
[2011/02/11 14:41:06 | 000,006,121 | ---- | M] () -- C:\Documents and Settings\WILLIAM NIELSEN\Application Data\EB7A.244
[2011/02/11 13:31:37 | 000,000,049 | ---- | M] () -- C:\WINNT\NeroDigital.ini
[2011/02/11 13:27:32 | 000,109,568 | ---- | M] () -- C:\Documents and Settings\WILLIAM NIELSEN\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/02/11 09:56:47 | 000,054,156 | -H-- | M] () -- C:\WINNT\QTFont.qfn
[2011/02/10 12:58:53 | 000,001,725 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2011/02/10 08:30:28 | 000,012,648 | ---- | M] () -- C:\WINNT\System32\wpa.dbl
[2011/02/04 14:12:37 | 000,288,107 | ---- | M] () -- C:\Documents and Settings\WILLIAM NIELSEN\Desktop\gmer.zip
[2011/02/04 14:11:20 | 000,624,128 | ---- | M] () -- C:\Documents and Settings\WILLIAM NIELSEN\Desktop\dds.scr
[2011/02/04 13:50:50 | 000,000,323 | RHS- | M] () -- C:\boot.ini
[2011/02/03 22:25:11 | 000,000,027 | ---- | M] () -- C:\WINNT\System32\drivers\etc\hosts
[2011/02/03 18:10:50 | 000,132,560 | R--- | M] (iS3, Inc.) -- C:\WINNT\System32\IS3HTUI5.dll
[2011/02/03 18:10:50 | 000,022,992 | R--- | M] (iS3, Inc.) -- C:\WINNT\System32\SZIO5.dll
[2011/02/03 18:10:48 | 000,546,256 | R--- | M] (iS3, Inc.) -- C:\WINNT\System32\SZComp5.dll
[2011/02/03 18:10:48 | 000,452,048 | R--- | M] (iS3, Inc.) -- C:\WINNT\System32\SZBase5.dll
[2011/02/03 18:10:48 | 000,398,800 | R--- | M] (iS3, Inc.) -- C:\WINNT\System32\IS3DBA5.dll
[2011/02/03 18:10:48 | 000,099,792 | R--- | M] (iS3, Inc.) -- C:\WINNT\System32\IS3Svc5.dll
[2011/02/03 18:10:48 | 000,067,024 | R--- | M] (iS3, Inc.) -- C:\WINNT\System32\IS3Hks5.dll
[2011/02/03 18:10:48 | 000,028,624 | R--- | M] (iS3, Inc.) -- C:\WINNT\System32\IS3XDat5.dll
[2011/02/03 18:10:46 | 000,738,768 | R--- | M] (iS3, Inc.) -- C:\WINNT\System32\IS3Base5.dll
[2011/02/03 18:10:46 | 000,390,608 | R--- | M] (iS3, Inc.) -- C:\WINNT\System32\IS3UI5.dll
[2011/02/03 18:10:46 | 000,230,864 | R--- | M] (iS3, Inc.) -- C:\WINNT\System32\IS3Win325.dll
[2011/02/03 18:10:46 | 000,099,792 | R--- | M] (iS3, Inc.) -- C:\WINNT\System32\IS3Inet5.dll
[2011/02/01 18:47:24 | 000,558,155 | ---- | M] () -- C:\Documents and Settings\WILLIAM NIELSEN\My Documents\bookmark.htm
[2011/01/30 01:59:22 | 000,200,090 | ---- | M] () -- C:\Documents and Settings\WILLIAM NIELSEN\My Documents\cc_20110130_015903.reg

========== Files Created - No Company Name ==========

[2011/02/13 13:51:11 | 000,001,144 | ---- | C] () -- C:\WINNT\System32\drivers\kgpcpy.cfg
[2011/02/12 11:13:23 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\WILLIAM NIELSEN\defogger_reenable
[2011/02/11 14:34:08 | 000,006,121 | ---- | C] () -- C:\Documents and Settings\WILLIAM NIELSEN\Application Data\EB7A.244
[2011/02/04 14:12:34 | 000,288,107 | ---- | C] () -- C:\Documents and Settings\WILLIAM NIELSEN\Desktop\gmer.zip
[2011/02/04 14:11:18 | 000,624,128 | ---- | C] () -- C:\Documents and Settings\WILLIAM NIELSEN\Desktop\dds.scr
[2011/02/03 22:18:59 | 000,256,512 | ---- | C] () -- C:\WINNT\PEV.exe
[2011/02/01 18:47:08 | 000,558,155 | ---- | C] () -- C:\Documents and Settings\WILLIAM NIELSEN\My Documents\bookmark.htm
[2011/01/30 01:59:09 | 000,200,090 | ---- | C] () -- C:\Documents and Settings\WILLIAM NIELSEN\My Documents\cc_20110130_015903.reg
[2009/11/07 18:16:14 | 000,000,268 | RH-- | C] () -- C:\Documents and Settings\All Users\Application Data\Dance Kit
[2009/11/07 18:16:14 | 000,000,268 | RH-- | C] () -- C:\Documents and Settings\WILLIAM NIELSEN\Application Data\Contextual Menu Items
[2009/11/07 18:16:14 | 000,000,020 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\PKP_DLdu.DAT
[2009/01/04 01:17:46 | 000,002,882 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\LUUnInstall.LiveUpdate
[2009/01/03 04:36:54 | 000,005,184 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\N360BUOptions.ini
[2008/04/11 20:52:06 | 000,000,324 | ---- | C] () -- C:\WINNT\game.ini
[2008/01/15 04:31:00 | 000,000,530 | ---- | C] () -- C:\WINNT\System32\tx14_ic.ini
[2007/09/16 16:13:13 | 000,138,520 | ---- | C] () -- C:\WINNT\System32\drivers\PnkBstrK.sys
[2007/02/11 21:00:43 | 000,271,360 | ---- | C] () -- C:\WINNT\System32\drivers\atksgt.sys
[2007/02/11 21:00:43 | 000,018,048 | ---- | C] () -- C:\WINNT\System32\drivers\lirsgt.sys
[2006/08/20 20:10:59 | 000,000,010 | ---- | C] () -- C:\WINNT\WININIT.INI
[2006/06/12 11:43:22 | 000,045,056 | ---- | C] () -- C:\WINNT\System32\AgCPanelTraditionalChinese.dll
[2006/06/12 11:43:22 | 000,045,056 | ---- | C] () -- C:\WINNT\System32\AgCPanelSwedish.dll
[2006/06/12 11:43:22 | 000,045,056 | ---- | C] () -- C:\WINNT\System32\AgCPanelSpanish.dll
[2006/06/12 11:43:22 | 000,045,056 | ---- | C] () -- C:\WINNT\System32\AgCPanelSimplifiedChinese.dll
[2006/06/12 11:43:22 | 000,045,056 | ---- | C] () -- C:\WINNT\System32\AgCPanelPortugese.dll
[2006/06/12 11:43:22 | 000,045,056 | ---- | C] () -- C:\WINNT\System32\AgCPanelKorean.dll
[2006/06/12 11:43:22 | 000,045,056 | ---- | C] () -- C:\WINNT\System32\AgCPanelJapanese.dll
[2006/06/12 11:43:22 | 000,045,056 | ---- | C] () -- C:\WINNT\System32\AgCPanelGerman.dll
[2006/06/12 11:43:22 | 000,045,056 | ---- | C] () -- C:\WINNT\System32\AgCPanelFrench.dll
[2006/05/14 17:32:09 | 000,000,075 | ---- | C] () -- C:\WINNT\cdplayer.ini
[2006/03/23 20:31:16 | 000,000,028 | ---- | C] () -- C:\WINNT\atid.ini
[2005/11/16 15:04:31 | 000,215,552 | ---- | C] () -- C:\WINNT\System32\Webupdate2.dll
[2005/11/16 15:04:31 | 000,002,309 | ---- | C] () -- C:\WINNT\System32\french.ini
[2005/11/16 15:04:31 | 000,001,673 | ---- | C] () -- C:\WINNT\System32\english.ini
[2005/11/16 15:04:30 | 000,002,194 | ---- | C] () -- C:\WINNT\System32\spanish.ini
[2005/10/22 13:50:08 | 000,000,819 | ---- | C] () -- C:\WINNT\CoDUO.INI
[2005/10/22 13:27:46 | 000,000,766 | ---- | C] () -- C:\WINNT\CoD.INI
[2005/06/29 18:23:33 | 000,307,200 | ---- | C] () -- C:\WINNT\System32\sndp2023.dll
[2005/06/29 18:23:33 | 000,286,720 | ---- | C] () -- C:\WINNT\System32\sndp2022.dll
[2005/06/29 18:23:33 | 000,245,120 | ---- | C] () -- C:\WINNT\System32\drivers\sndp202.sys
[2005/06/29 18:23:33 | 000,045,056 | ---- | C] () -- C:\WINNT\System32\dsndp202.dll
[2005/06/29 18:23:33 | 000,015,522 | ---- | C] () -- C:\WINNT\sndp202.ini
[2005/06/29 18:23:27 | 000,036,864 | ---- | C] () -- C:\WINNT\System32\vsndp202.dll
[2005/06/29 18:21:20 | 000,028,747 | ---- | C] () -- C:\WINNT\System32\KMemoryMMX.dll
[2005/06/29 18:21:20 | 000,024,653 | ---- | C] () -- C:\WINNT\System32\KMemoryPIII.dll
[2005/06/29 18:21:20 | 000,024,632 | ---- | C] () -- C:\WINNT\System32\KMemory.dll
[2005/06/29 18:21:20 | 000,020,546 | ---- | C] () -- C:\WINNT\System32\KMemoryC.dll
[2005/06/29 18:21:00 | 000,000,002 | ---- | C] () -- C:\WINNT\PhotoSuite.ini
[2005/06/29 18:20:54 | 000,122,880 | ---- | C] () -- C:\WINNT\System32\EnrouteStitch.dll
[2005/06/29 18:20:53 | 000,458,752 | ---- | C] () -- C:\WINNT\System32\Fpl.dll
[2005/06/29 18:20:53 | 000,332,800 | ---- | C] () -- C:\WINNT\System32\FPXLIB.DLL
[2005/06/29 18:20:53 | 000,122,880 | ---- | C] () -- C:\WINNT\System32\JPEGLIB.DLL
[2005/06/29 18:20:53 | 000,019,968 | ---- | C] () -- C:\WINNT\System32\CPUINF32.DLL
[2005/04/23 00:00:43 | 000,000,169 | ---- | C] () -- C:\WINNT\RtlRack.ini
[2005/04/21 19:36:11 | 000,000,754 | ---- | C] () -- C:\WINNT\WORDPAD.INI
[2005/04/16 07:51:19 | 000,021,840 | ---- | C] () -- C:\WINNT\System32\SIntfNT.dll
[2005/04/16 07:51:19 | 000,017,212 | ---- | C] () -- C:\WINNT\System32\SIntf32.dll
[2005/04/16 07:51:19 | 000,012,067 | ---- | C] () -- C:\WINNT\System32\SIntf16.dll
[2005/03/30 18:26:59 | 000,003,972 | ---- | C] () -- C:\WINNT\System32\drivers\PciBus.sys
[2005/03/18 21:29:28 | 000,017,920 | ---- | C] () -- C:\WINNT\System32\astro32.dll
[2005/03/14 20:13:23 | 000,023,040 | R--- | C] () -- C:\WINNT\System32\drivers\GVCplDrv.sys
[2005/03/13 12:30:09 | 000,000,000 | ---- | C] () -- C:\WINNT\OpPrintServer.INI
[2005/03/12 00:10:55 | 000,109,568 | ---- | C] () -- C:\Documents and Settings\WILLIAM NIELSEN\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2005/03/09 22:25:13 | 000,018,606 | ---- | C] () -- C:\WINNT\System32\FlashMenu.sys
[2005/03/09 22:25:13 | 000,010,414 | ---- | C] () -- C:\WINNT\System32\drivers\FlashMenu.sys
[2005/03/09 22:25:13 | 000,005,018 | ---- | C] () -- C:\WINNT\System32\drivers\HWIOCTL.SYS
[2005/03/09 22:25:13 | 000,004,047 | ---- | C] () -- C:\WINNT\System32\drivers\MEMCTL.SYS
[2005/03/09 22:25:13 | 000,003,548 | ---- | C] () -- C:\WINNT\System32\drivers\WINFLASH.SYS
[2005/03/09 22:25:13 | 000,002,721 | ---- | C] () -- C:\WINNT\System32\drivers\AMINTSYS.SYS
[2005/03/09 21:07:24 | 000,000,379 | ---- | C] () -- C:\WINNT\MARIS.INI
[2005/03/09 21:06:53 | 000,000,000 | ---- | C] () -- C:\WINNT\SETUP32.INI
[2005/03/09 20:52:39 | 000,000,724 | ---- | C] () -- C:\WINNT\BZII.INI
[2005/03/09 19:51:37 | 000,008,864 | ---- | C] () -- C:\WINNT\System32\drivers\CDAC15BA.SYS
[2005/03/09 19:39:07 | 000,000,049 | ---- | C] () -- C:\WINNT\NeroDigital.ini
[2005/03/09 19:03:05 | 000,000,695 | ---- | C] () -- C:\WINNT\SIERRA.INI
[2005/03/07 18:37:49 | 000,000,061 | ---- | C] () -- C:\WINNT\smscfg.ini
[2005/03/07 11:58:43 | 000,000,164 | ---- | C] () -- C:\WINNT\avrack.ini
[2005/03/07 11:58:42 | 000,155,648 | ---- | C] () -- C:\WINNT\System32\RTLCPAPI.dll
[2005/03/07 03:26:48 | 000,004,073 | ---- | C] () -- C:\WINNT\ODBCINST.INI

========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2004/08/03 17:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINNT\Driver Cache\i386\sp2.cab:AGP440.sys
[2008/09/01 09:05:26 | 023,852,652 | ---- | M] () .cab file -- C:\WINNT\Driver Cache\i386\sp3.cab:AGP440.sys
[2008/09/01 09:05:26 | 023,852,652 | ---- | M] () .cab file -- C:\WINNT\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 10:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINNT\ERDNT\cache\agp440.sys
[2008/04/13 10:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINNT\ServicePackFiles\i386\agp440.sys
[2008/04/13 10:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINNT\system32\drivers\agp440.sys

< MD5 for: ATAPI.SYS >
[2004/08/03 17:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINNT\Driver Cache\i386\sp2.cab:atapi.sys
[2008/09/01 09:05:26 | 023,852,652 | ---- | M] () .cab file -- C:\WINNT\Driver Cache\i386\sp3.cab:atapi.sys
[2008/09/01 09:05:26 | 023,852,652 | ---- | M] () .cab file -- C:\WINNT\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 10:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINNT\ERDNT\cache\atapi.sys
[2008/04/13 10:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINNT\ServicePackFiles\i386\atapi.sys
[2008/04/13 10:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINNT\system32\drivers\atapi.sys
[2004/08/03 22:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINNT\$NtServicePackUninstall$\atapi.sys
[2004/08/03 14:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINNT\system32\ReinstallBackups\0010\DriverFiles\i386\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 16:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINNT\ERDNT\cache\eventlog.dll
[2008/04/13 16:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINNT\ServicePackFiles\i386\eventlog.dll
[2008/04/13 16:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINNT\system32\eventlog.dll
[2004/08/03 16:56:44 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINNT\$NtServicePackUninstall$\eventlog.dll

< MD5 for: IASTOR.SYS >
[2004/03/23 04:13:58 | 000,467,200 | ---- | M] (Intel Corporation) MD5=F26BFD48B1C314E0F23BF77ACFA75940 -- C:\WINNT\OemDir\iaStor.sys
[2004/03/23 04:13:58 | 000,467,200 | ---- | M] (Intel Corporation) MD5=F26BFD48B1C314E0F23BF77ACFA75940 -- C:\WINNT\system32\drivers\iaStor.sys

< MD5 for: NETLOGON.DLL >
[2008/04/13 16:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINNT\ERDNT\cache\netlogon.dll
[2008/04/13 16:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINNT\ServicePackFiles\i386\netlogon.dll
[2008/04/13 16:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINNT\system32\netlogon.dll
[2004/08/03 16:56:46 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINNT\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/03 16:56:46 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINNT\$NtServicePackUninstall$\scecli.dll
[2008/04/13 16:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINNT\ERDNT\cache\scecli.dll
[2008/04/13 16:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINNT\ServicePackFiles\i386\scecli.dll
[2008/04/13 16:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINNT\system32\scecli.dll

< %systemroot%\*. /mp /s >

========== Alternate Data Streams ==========

@Alternate Data Stream - 110 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:CB0AACC9
@Alternate Data Stream - 104 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2

< End of report >


STEP 1B
Extras.Txt


OTL Extras logfile created on: 2/13/2011 1:57:20 PM - Run 1
OTL by OldTimer - Version 3.2.20.6 Folder = C:\Documents and Settings\WILLIAM NIELSEN\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,023.00 Mb Total Physical Memory | 348.00 Mb Available Physical Memory | 34.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 79.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINNT | %ProgramFiles% = C:\Program Files
Drive C: | 149.05 Gb Total Space | 64.12 Gb Free Space | 43.02% Space Free | Partition Type: NTFS
Drive D: | 413.46 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: HYLANDER | User Name: WILLIAM NIELSEN | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.exe [@ = exefile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"56977:TCP" = 56977:TCP:*:Enabled:Pando Media Booster
"56977:UDP" = 56977:UDP:*:Enabled:Pando Media Booster

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008
"56977:TCP" = 56977:TCP:*:Enabled:Pando Media Booster
"56977:UDP" = 56977:UDP:*:Enabled:Pando Media Booster

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Pando Networks\Media Booster\PMB.exe" = C:\Program Files\Pando Networks\Media Booster\PMB.exe:*:Enabled:Pando Media Booster -- ()

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Dynamix\Starsiege\Starsiege.exe" = C:\Dynamix\Starsiege\Starsiege.exe:*:Enabled:Starsiege -- ()
"C:\Program Files\Microsoft Games\MechWarrior Vengeance\MW4.ICD" = C:\Program Files\Microsoft Games\MechWarrior Vengeance\MW4.ICD:*:Enabled:MechWarrior IV -- (Microsoft Corp.)
"C:\Program Files\EA GAMES\Battlefield 1942\BF1942.exe" = C:\Program Files\EA GAMES\Battlefield 1942\BF1942.exe:*:Enabled:BF1942 -- ()
"C:\Program Files\ICQ\Icq.exe" = C:\Program Files\ICQ\Icq.exe:*:Enabled:ICQ -- ()
"C:\Program Files\Microsoft Games\MechWarrior Vengeance\mw4x\MW4x.exe" = C:\Program Files\Microsoft Games\MechWarrior Vengeance\mw4x\MW4x.exe:*:Enabled:MechWarrior IV -- (Microsoft Corp.)
"C:\Program Files\GigaByte\VGA Utility Manager\gvupdate.exe" = C:\Program Files\GigaByte\VGA Utility Manager\gvupdate.exe:*:Enabled:gvupdate -- (GIGABYTE)
"C:\Program Files\GigaByte\VGA Utility Manager\G-vga.exe" = C:\Program Files\GigaByte\VGA Utility Manager\G-vga.exe:*:Enabled:Menu -- ()
"C:\Program Files\EA GAMES\Battlefield 2\BF2.exe" = C:\Program Files\EA GAMES\Battlefield 2\BF2.exe:*:Enabled:Battlefield 2 -- ()
"C:\Program Files\EA GAMES\MOHAA\MOHAA.exe" = C:\Program Files\EA GAMES\MOHAA\MOHAA.exe:*:Enabled:Medal of Honor Allied Assault™ -- (Electronic Arts Inc.)
"C:\Program Files\Starsiege 2845 Alpha Tech Release\SS2845\ss2845.exe" = C:\Program Files\Starsiege 2845 Alpha Tech Release\SS2845\ss2845.exe:*:Enabled:ss2845 -- ()
"C:\Program Files\DNA\btdna.exe" = C:\Program Files\DNA\btdna.exe:*:Enabled:DNA -- (BitTorrent, Inc.)
"C:\Program Files\Pando Networks\Media Booster\PMB.exe" = C:\Program Files\Pando Networks\Media Booster\PMB.exe:*:Enabled:Pando Media Booster -- ()


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{04858915-9F49-4B2A-AED4-DC49A7DE6A7B}" = Battlefield 2: Deluxe Edition
"{08234a0d-cf39-4dca-99f0-0c5cb496da81}" = MSN Toolbar
"{0840B4D6-7DD1-4187-8523-E6FC0007EFB7}" = Windows Live ID Sign-in Assistant
"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel
"{0D499481-22C6-4B25-8AC2-6D3F6C885FB9}" = OpenOffice.org Installer 1.0
"{0DEA94ED-915A-4834-A87E-388D012C8E02}" = Medal of Honor Allied Assault
"{141E4A1C-4D02-4B72-96D6-D2AC08D6DA59}" = Rappelz Epic3
"{14FB1C47-B0F2-4DB6-B9C0-1A817862F9A3}" = ArcSoft Camera Suite 2.1
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{237CD223-1B9D-47E8-A76C-E478B83CCEA2}" = File Uploader
"{2656D0AB-9EA4-4C58-A117-635F3CED8B93}" = Microsoft UI Engine
"{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java™ 6 Update 23
"{26BDE7D8-93F0-4A07-AD47-1707DB417941}" = Camera Support Core Library
"{287ECFA4-719A-2143-A09B-D6A12DE54E40}" = Acrobat.com
"{28C2DED6-325B-4CC7-983A-1777C8F7FBAB}" = RealUpgrade 1.1
"{2DF7B278-D3B6-40A4-B25C-0E7149F439EA}" = 3DMark05
"{3248F0A8-6813-11D6-A77B-00B0D0150020}" = J2SE Runtime Environment 5.0 Update 2
"{3248F0A8-6813-11D6-A77B-00B0D0150040}" = J2SE Runtime Environment 5.0 Update 4
"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6
"{3248F0A8-6813-11D6-A77B-00B0D0150090}" = J2SE Runtime Environment 5.0 Update 9
"{3248F0A8-6813-11D6-A77B-00B0D0160010}" = Java™ SE Runtime Environment 6 Update 1
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}" = Google Earth
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4BDFD2CE-6329-42E4-9801-9B3D1F10D79B}" = Adobe® Photoshop® Album Starter Edition 3.0
"{61BEA823-ECAF-49F1-8378-A59B3B8AD247}" = Microsoft Default Manager
"{67880EA3-63C2-4143-88F4-51A21B516CBE}" = e-Sword
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{68E7E8BD-2233-49BE-81D6-1A1FAF1B5196}" = RAW Image Task 1.1
"{698D7E61-E4BF-4CA6-8A09-CF6BDBFDEF65}" = Battlefield 1942
"{6FE4AA77-DF4C-48E9-A3E8-494926D163A4}" = SpyZooka
"{7029D123-6CF0-4414-A3B2-4B3B99B21E59}" = e-Sword
"{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}" = Microsoft .NET Framework 2.0
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{73CB01A1-A9D0-41CA-B490-348880975F48}" = STOPzilla
"{7770E71B-2D43-4800-9CB3-5B6CAAEBEBEA}" = RealNetworks - Microsoft Visual C++ 2008 Runtime
"{7914BE1E-F186-4790-B8F4-9F63C52A41C1}" = Medal of Honor Allied Assault™ Spearhead
"{823A68CC-3049-4A6B-8F63-7DC85E4BB1C9}" = Medal of Honor Allied Assault™ Breakthrough
"{89B0C771-F81E-4A3C-B501-6F86897344ED}" = Rappelz
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{980A182F-E0A2-4A40-94C1-AE0C1235902E}" = Pando Media Booster
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A360B9F7-7424-4D0D-A9BD-8AEEB08DC537}" = Jetboat Superchamps 2
"{A5653E98-C00B-421B-86A2-E7DA75BFD97A}" = STOPzilla Toolbar
"{A5CC2A09-E9D3-49EC-923D-03874BBD4C2C}" = Windows Defender Signatures
"{A65F7CF8-6F76-40CE-B44D-D5A89D9881C7}" = MSN Toolbar Platform
"{A662E280-64A8-4CF5-8407-13D0808602B3}" = Call of Duty - United Offensive
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-A94000000001}" = Adobe Reader 9.4.2
"{B34BE30D-A759-4EC2-B58F-19FE2DEBF651}" = Camera Window
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B73B4A99-4173-4747-BBEC-0F05E966F9D2}" = Battlefield 1942: Secret Weapons of WWII
"{BEF56F2D-56ED-4176-BF72-7B68D4A3B98D}" = Canon PhotoRecord
"{C1D76D7A-F3BB-47EA-A746-5B1E2FFC1DF2}" = Canon Utilities ZoomBrowser EX
"{CB84F0F2-927B-458D-9DC5-87832E3DC653}" = GearDrvs
"{CF2C1A86-5A98-4862-A3AE-9992E3A6427D}" = RemoteCapture Task 1.0.3
"{D057AA08-8CBF-42E3-9EAB-23B8FED1C279}" = Battlefield 1942: The Road To Rome
"{D0795B21-0CDA-4a92-AB9E-6E92D8111E44}" = SAMSUNG USB Driver for Mobile Phones
"{D2FCC1AE-6311-47C5-8130-C6C66D77DD71}" = Nikon Message Center
"{D45E8C45-B601-4A80-AFD8-E16338744DE1}" = ArcSoft Panorama Maker 4
"{D4C9692E-4EFA-4DA0-8B7F-9439466D9E31}" = Full Tilt Poker
"{D5068583-D569-468B-9755-5FBF5848F46F}" = Sony Picture Utility
"{D6E6FA4A-5445-4850-8365-CF216C1CBB7A}" = Symantec Real Time Storage Protection Component
"{DBA4DB9D-EE51-4944-A419-98AB1F1249C8}" = LiveUpdate Notice (Symantec Corporation)
"{DE286975-ACF1-45B8-9EF7-34E162B2C817}" = MovieEdit Task
"{E144A786-D2DD-428B-9C1A-0EE3FA3515EA}" = Rappelz_USA
"{E85397AD-D60E-4141-82E6-FAA312A09271}" = Dual Mode Camera (8008 VGA)
"{E9757890-7EC5-46C8-99AB-B00F07B6525C}" = Nikon Transfer
"{EAD475E8-14E5-4854-8AF5-CE6B4024237C}_is1" = Rappelz_US
"{EF4C7EB0-D71B-43A3-9552-8053DE4B0401}" = PhotoStitch
"{EFE6E3B6-8CA9-4837-B292-5F11A80339A9}" = PunkBuster for Joint Operations: Typhoon Rising
"{F7A467A0-CE76-4D2B-8390-5300876D7632}" = AdwareAlert
"{F8A3C1B6-D2E0-4CE1-80A2-555D6F71C639}" = Microsoft Search Enhancement Pack
"{FB08F381-6533-4108-B7DD-039E11FBC27E}" = Realtek AC'97 Audio
"{FF8500E6-EA0D-11D7-8755-0080C8F92A32}" = ABIT uGuru
"Adobe Acrobat 5.0" = Adobe Acrobat 5.0
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"AGEIA PhysX v2.4.4" = AGEIA PhysX v2.4.4
"All ATI Software" = ATI - Software Uninstall Utility
"AOL Instant Messenger" = AOL Instant Messenger
"Astronomer's Control Panel" = Astronomer's Control Panel
"Astronomy: RedShift Deluxe" = Astronomy: RedShift Deluxe
"ATI Display Driver" = ATI Display Driver
"Bibles and Religion" = Bibles and Religion
"Bookshop Classics" = Bookshop Classics
"Call of Duty" = Call of Duty
"CCleaner" = CCleaner
"Chessmaster 8000" = Chessmaster 8000
"Diablo" = Diablo
"Diablo II" = Diablo II
"Exterminate It!" = Exterminate It!
"GameSpy Arcade" = GameSpy Arcade
"GameSpy Software" = GameSpy Software
"GIGABYTE VGA Utility Manager" = GIGABYTE VGA Utility Manager
"Google Chrome" = Google Chrome
"ie8" = Windows Internet Explorer 8
"InstallShield_{26BDE7D8-93F0-4A07-AD47-1707DB417941}" = Canon Camera Support Core Library
"InstallShield_{68E7E8BD-2233-49BE-81D6-1A1FAF1B5196}" = Canon RAW Image Task for ZoomBrowser EX
"InstallShield_{A662E280-64A8-4CF5-8407-13D0808602B3}" = Call of Duty - United Offensive
"InstallShield_{B34BE30D-A759-4EC2-B58F-19FE2DEBF651}" = Canon Camera Window for ZoomBrowser EX
"InstallShield_{CF2C1A86-5A98-4862-A3AE-9992E3A6427D}" = Canon RemoteCapture Task for ZoomBrowser EX
"InstallShield_{DE286975-ACF1-45B8-9EF7-34E162B2C817}" = Canon MovieEdit Task for ZoomBrowser EX
"InstallShield_{EF4C7EB0-D71B-43A3-9552-8053DE4B0401}" = Canon Utilities PhotoStitch 3.1
"LiveUpdate" = LiveUpdate 3.2 (Symantec Corporation)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"MechWarrior 3" = MechWarrior 3
"MechWarrior Black Knight" = MechWarrior Black Knight
"MechWarrior Clan Pak" = Clan 'Mech Pak
"MechWarrior IS Pak" = Inner Sphere 'Mech Pak
"MechWarrior Mercenaries" = MechWarrior 4 Mercenaries
"MechWarrior Vengeance" = MechWarrior Vengeance
"MercenariesDeinstKey" = Mercenaries
"Microsoft .NET Framework 2.0" = Microsoft .NET Framework 2.0
"Mozilla Firefox (3.6.13)" = Mozilla Firefox (3.6.13)
"MSCSR" = Microsoft Speech Recognition Engine 4.0 (English)
"Need For Speed III" = Need For Speed III
"Nero - Burning Rom!UninstallKey" = Nero OEM
"NET Bible for e-Sword (version 9.x)2.0" = NET Bible for e-Sword (version 9.x)
"NET_Bible_Html_Help_1.0" = NET Bible First Edition 1.0
"Netscape Browser" = Netscape Browser (remove only)
"Paint Shop Pro 5.01" = Paint Shop Pro 5.01
"QuickTime" = QuickTime
"RealPlayer 12.0" = RealPlayer
"ROXIO_PRISM_V4_0" = PhotoSuite 4 (Remove Only)
"Sierra Utilities" = Sierra Utilities
"SpywareBlaster_is1" = SpywareBlaster v3.3
"Starry Night Bundle Edition" = Starry Night Bundle Edition
"Starsiege" = Starsiege
"Starsiege 2845 Alpha Tech Release1.0" = Starsiege 2845 Alpha Tech Release
"tv_enua" = Lernout & Hauspie TruVoice American English TTS Engine
"UnrealTournament" = Unreal Tournament
"Viper Racing" = Viper Racing
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows Media Player" = Windows Media Player 10
"Windows XP Service Pack" = Windows XP Service Pack 3
"WindowsScriptHost" = Microsoft Windows Script Host
"Xfire" = Xfire (remove only)
"Yahoo! Companion" = Yahoo! Toolbar
"Yahoo! Toolbar" = Yahoo! Toolbar

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"BitTorrent DNA" = DNA
"Move Media Player" = Move Media Player

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 1/30/2011 5:28:04 AM | Computer Name = HYLANDER | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 1/30/2011 5:28:04 AM | Computer Name = HYLANDER | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 1/30/2011 5:28:04 AM | Computer Name = HYLANDER | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 1/31/2011 10:30:44 PM | Computer Name = HYLANDER | Source = EventSystem | ID = 4609
Description = The COM+ Event System detected a bad return code during its internal
processing. HRESULT was 8007043C from line 44 of d:\comxp_sp3\com\com1x\src\events\tier1\eventsystemobj.cpp.
Please contact Microsoft Product Support Services to report this erro

Error - 2/4/2011 5:01:13 PM | Computer Name = HYLANDER | Source = Application Error | ID = 1000
Description = Faulting application wmplayer.exe, version 10.0.0.3802, faulting module
nevideo.ax, version 2.0.0.17, fault address 0x00034836.

Error - 2/10/2011 1:04:09 PM | Computer Name = HYLANDER | Source = Application Error | ID = 1000
Description = Faulting application wmplayer.exe, version 10.0.0.3802, faulting module
quicktime.qts, version 4.0.1.9, fault address 0x002718ff.

Error - 2/10/2011 4:07:58 PM | Computer Name = HYLANDER | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.2.3989, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 2/10/2011 4:23:07 PM | Computer Name = HYLANDER | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.2.3989, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 2/11/2011 4:26:07 PM | Computer Name = HYLANDER | Source = Application Error | ID = 1000
Description = Faulting application recordingmanager.exe, version 12.0.1.609, faulting
module rjm4pln.dll, version 12.0.1.609, fault address 0x00005876.

Error - 2/12/2011 2:30:03 PM | Computer Name = HYLANDER | Source = Application Hang | ID = 1002
Description = Hanging application gmer.exe, version 1.0.15.15530, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 2/12/2011 5:57:21 PM | Computer Name = HYLANDER | Source = Service Control Manager | ID = 7023
Description = The Automatic Updates service terminated with the following error:
%%126

Error - 2/12/2011 5:57:21 PM | Computer Name = HYLANDER | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
IntelIde SABKUTIL

Error - 2/13/2011 5:50:41 PM | Computer Name = HYLANDER | Source = Service Control Manager | ID = 7023
Description = The Automatic Updates service terminated with the following error:
%%126

Error - 2/13/2011 5:50:43 PM | Computer Name = HYLANDER | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
IntelIde SABKUTIL

Error - 2/13/2011 5:51:01 PM | Computer Name = HYLANDER | Source = SideBySide | ID = 16842784
Description = Dependent Assembly Microsoft.VC90.DebugCRT could not be found and
Last Error was The referenced assembly is not installed on your system.

Error - 2/13/2011 5:51:01 PM | Computer Name = HYLANDER | Source = SideBySide | ID = 16842811
Description = Resolve Partial Assembly failed for Microsoft.VC90.DebugCRT. Reference
error message: The referenced assembly is not installed on your system. .

Error - 2/13/2011 5:51:01 PM | Computer Name = HYLANDER | Source = SideBySide | ID = 16842811
Description = Generate Activation Context failed for c:\program files\real\realplayer\plugins\rmxrend.dll.
Reference
error message: The operation completed successfully. .

Error - 2/13/2011 5:56:55 PM | Computer Name = HYLANDER | Source = SideBySide | ID = 16842784
Description = Dependent Assembly Microsoft.VC90.DebugCRT could not be found and
Last Error was The referenced assembly is not installed on your system.

Error - 2/13/2011 5:56:55 PM | Computer Name = HYLANDER | Source = SideBySide | ID = 16842811
Description = Resolve Partial Assembly failed for Microsoft.VC90.DebugCRT. Reference
error message: The referenced assembly is not installed on your system. .

Error - 2/13/2011 5:56:55 PM | Computer Name = HYLANDER | Source = SideBySide | ID = 16842811
Description = Generate Activation Context failed for c:\program files\real\realplayer\plugins\rmxrend.dll.
Reference
error message: The operation completed successfully. .


< End of report >

*********************
Step #2
I attempted several times to download the BootKit Remover file using both Firefox and IE. The file downloads but does not execute: the Remover screen pops up for about half a second, then disappears, reloads and repeats the file download cycle ("Do you want to open or save the file?", open/save/cancel, etc.). And now, even as I am typing this, my computer is running very slow. Each keystroke takes almost 1 to 2 seconds to register on my monitor. So I have to skip Step #2 since I have no information to post. Sorry, I don't have Windows Vista; I still have Windows XP Home Edition. Also, I disabled StopZilla while attempting to do this.

**********************

Step #3
MBRCheck Log

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000000d

Kernel Drivers (total 132):
0x804D7000 \WINNT\system32\ntkrnlpa.exe
0x806E4000 \WINNT\system32\hal.dll
0xF7A1B000 \WINNT\system32\KDCOM.DLL
0xF792B000 \WINNT\system32\BOOTVID.dll
0xF751B000 szkg.sys
0xF752B000 szkgfs.sys
0xF73EC000 ACPI.sys
0xF7A1D000 \WINNT\system32\DRIVERS\WMILIB.SYS
0xF73DB000 pci.sys
0xF754B000 isapnp.sys
0xF755B000 ohci1394.sys
0xF756B000 \WINNT\system32\DRIVERS\1394BUS.SYS
0xF7AE3000 pciide.sys
0xF779B000 \WINNT\system32\DRIVERS\PCIIDEX.SYS
0xF757B000 MountMgr.sys
0xF73BC000 ftdisk.sys
0xF77A3000 PartMgr.sys
0xF758B000 VolSnap.sys
0xF73A4000 atapi.sys
0xF7331000 iaStor.sys
0xF759B000 disk.sys
0xF75AB000 \WINNT\system32\DRIVERS\CLASSPNP.SYS
0xF7311000 fltmgr.sys
0xF72FF000 sr.sys
0xF75BB000 PxHelp20.sys
0xF72E8000 KSecDD.sys
0xF725B000 Ntfs.sys
0xF722E000 NDIS.sys
0xF77AB000 uGuru.sys
0xF77B3000 sfhlp02.sys
0xF721C000 sfdrv01.sys
0xF7202000 Mup.sys
0xF763B000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF462E000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
0xF461A000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF7913000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF45F6000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF791B000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF765B000 \SystemRoot\system32\DRIVERS\Rtlnic51.sys
0xF766B000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xF4563000 \SystemRoot\system32\drivers\ALCXWDM.SYS
0xF453F000 \SystemRoot\system32\drivers\portcls.sys
0xF767B000 \SystemRoot\system32\drivers\drmk.sys
0xF451C000 \SystemRoot\system32\drivers\ks.sys
0xF44BC000 \SystemRoot\system32\drivers\ALCXSENS.SYS
0xF7923000 \SystemRoot\system32\DRIVERS\fdc.sys
0xF768B000 \SystemRoot\system32\DRIVERS\serial.sys
0xF7A07000 \SystemRoot\system32\DRIVERS\serenum.sys
0xF44A8000 \SystemRoot\system32\DRIVERS\parport.sys
0xF769B000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF77C3000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF77E3000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF76AB000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF7A0B000 \SystemRoot\system32\drivers\pfc.sys
0xF48D4000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF48C4000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF7A0F000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
0xF7BD7000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF48B4000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF7A17000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF4491000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF48A4000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF4894000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF77EB000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF4480000 \SystemRoot\system32\DRIVERS\psched.sys
0xF4884000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF77F3000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF77FB000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF4874000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF7AB7000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF4422000 \SystemRoot\system32\DRIVERS\update.sys
0xF71CE000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF37FF000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF37CF000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF7A3F000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xAE525000 \SystemRoot\system32\DRIVERS\flpydisk.sys
0xAA6BB000 \SystemRoot\System32\Drivers\SRTSP.SYS
0xAA6AA000 \SystemRoot\System32\Drivers\SRTSPX.SYS
0xAA5D8000 \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20070820.048\NAVEX15.SYS
0xAA5C5000 \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20070820.048\NAVENG.SYS
0xAF64F000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xA6E0E000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xA6D4F000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xADFAC000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xAD275000 \SystemRoot\System32\Drivers\Null.SYS
0xADFAA000 \SystemRoot\System32\Drivers\Beep.SYS
0xA6DFE000 \SystemRoot\system32\DRIVERS\GcKernel.sys
0xA6D47000 \SystemRoot\System32\drivers\vga.sys
0xA77AA000 \SystemRoot\system32\DRIVERS\HIDSwvd.sys
0xADFA8000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xA9756000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xAD80F000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xA64E1000 \SystemRoot\System32\Drivers\Msfs.SYS
0xA64D9000 \SystemRoot\System32\Drivers\Npfs.SYS
0xA71A6000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xA4E29000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xA4DD0000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xA4DA8000 \SystemRoot\system32\DRIVERS\netbt.sys
0xA4D82000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xA6330000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xA4D60000 \SystemRoot\System32\drivers\afd.sys
0xA6320000 \SystemRoot\system32\DRIVERS\arp1394.sys
0xA6310000 \SystemRoot\system32\DRIVERS\netbios.sys
0xA4D35000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xA4CC5000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xA6300000 \SystemRoot\System32\Drivers\Fips.SYS
0xA4C62000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
0xF2E5A000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xA1284000 \SystemRoot\System32\Drivers\dump_iaStor.sys
0xBF800000 \SystemRoot\System32\win32k.sys
0xA4E60000 \SystemRoot\System32\drivers\Dxapi.sys
0xF2DB2000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xA1F3C000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\ati2dvag.dll
0xBF057000 \SystemRoot\System32\ati2cqag.dll
0xBF0AE000 \SystemRoot\System32\atikvmag.dll
0xBF0FD000 \SystemRoot\System32\ati3duag.dll
0xBF3AE000 \SystemRoot\System32\ativvaxx.dll
0xF3583000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x9F047000 \SystemRoot\system32\drivers\wdmaud.sys
0xF76DB000 \SystemRoot\system32\drivers\sysaudio.sys
0x9EEDC000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xB0ED3000 \SystemRoot\System32\Drivers\ParVdm.SYS
0x9EDD1000 \SystemRoot\system32\DRIVERS\atksgt.sys
0x9EEBC000 \SystemRoot\System32\Drivers\GVCplDrv.SYS
0xF2DDA000 \SystemRoot\system32\DRIVERS\lirsgt.sys
0x9ED2A000 \SystemRoot\system32\DRIVERS\srv.sys
0xF2E8A000 \SystemRoot\system32\DRIVERS\secdrv.sys
0x9E929000 \SystemRoot\System32\Drivers\HTTP.sys
0x9E256000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINNT\system32\ntdll.dll

Processes (total 48):
0 System Idle Process
4 System
608 C:\WINNT\system32\smss.exe
664 csrss.exe
696 C:\WINNT\system32\winlogon.exe
744 C:\WINNT\system32\services.exe
756 C:\WINNT\system32\lsass.exe
916 C:\WINNT\system32\ati2evxx.exe
936 C:\WINNT\system32\svchost.exe
992 C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
1052 svchost.exe
1168 C:\WINNT\system32\svchost.exe
1320 svchost.exe
1416 svchost.exe
1520 C:\WINNT\system32\spoolsv.exe
1804 C:\WINNT\explorer.exe
1992 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
2008 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
2016 C:\Program Files\ABIT\ABIT uGuru\uGuru.exe
2024 C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
2040 C:\Program Files\MSN Toolbar\Platform\4.0.0379.0\mswinext.exe
144 C:\Program Files\Common Files\Java\Java Update\jusched.exe
208 C:\Program Files\Real\realplayer\Update\realsched.exe
256 C:\Program Files\ABIT\ABIT uGuru\uGuru_Event_Receiver.exe
276 C:\Program Files\DNA\btdna.exe
320 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
328 C:\WINNT\system32\ctfmon.exe
344 C:\Program Files\Messenger\msmsgs.exe
416 C:\Program Files\SpyZooka\spyzooka.exe
132 svchost.exe
964 C:\WINNT\system32\drivers\CDAC11BA.EXE
1160 C:\Program Files\Java\jre6\bin\jqs.exe
1348 C:\WINNT\system32\PnkBstrA.exe
1588 C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
1744 C:\WINNT\system32\svchost.exe
1828 wdfmgr.exe
1968 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
2676 alg.exe
3576 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
3704 C:\WINNT\system32\svchost.exe
2616 C:\Program Files\Outlook Express\msimn.exe
3912 C:\Program Files\Internet Explorer\iexplore.exe
3976 C:\Program Files\Internet Explorer\iexplore.exe
2840 C:\WINNT\notepad.exe
3056 C:\Program Files\Internet Explorer\iexplore.exe
3756 C:\Program Files\Mozilla Firefox\firefox.exe
1380 C:\Program Files\Mozilla Firefox\plugin-container.exe
2388 C:\Documents and Settings\WILLIAM NIELSEN\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: IntelRaid 0 Volume, Rev: 0.1.

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!

Computer is still running very poorly. Based on the fact that I cannot run the Bootkit Removal file, it is evident that something is seriously blocking or resisting my system being fixed. Every time I boot up my computer, StopZilla keeps identifying dozens of viruses which it says it cleans but does not. Malwarebytes does not identify any problems to fix, but I am only using the free version.
hYlAnDeR~TFC~
[OF/FA] Orion Faction-Retired
Game Squad Fleet Admiral~Retired

#4 fireman4it
Bleepin' Fireman, Malware Response Team (13,505 posts, Greenup, Ill USA)

Posted 13 February 2011 - 08:50 PM

Hello,


First off, please uninstall StopZilla for now so it won't interfere with our fix.


1.
We need to disable Spybot S&D's "TeaTimer".
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half-finished fix, we need to disable TeaTimer. We can re-enable it when we're done if you like.
  • Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  • If prompted with a legal dialog, accept the warning.
  • Click Posted Image and then on "Advanced Mode"
    Posted Image
  • You may be presented with a warning dialog. If so, press Posted Image
  • Click on Posted Image
  • Click on Posted Image
  • Uncheck this checkbox:
    Posted Image
  • Close/Exit Spybot Search and Destroy

2.
Uninstalling a program through Add/Remove

Click "Start" on the taskbar and then click on the "Control Panel" icon.
Please double-click the "Add or Remove Programs" icon.
A list of installed programs will be populated; this may take a bit of time.
If they exist, uninstall the following by clicking on the following entries and selecting "Remove":

SpyZooka

Additional instructions can be found here if needed.
This is known to give false positives and is not very reliable.


3.
Download and Run RKill
  • Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

    Link 1
    Link 2
    Link 3
    Link 4
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply

4.
Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Posted Image
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note:The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you
should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Posted Image
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.


Things to include in your next reply::
Combofix.txt
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-

If I have helped you, consider making a donation to help me continue the fight against Malware!

#5 hYlAnDeR~TFC
Topic Starter, Members (257 posts)

Posted 13 February 2011 - 11:15 PM

I removed/uninstalled both StopZilla and SpyZooka. I feel a bit naked, so to speak, since now I have no anti-virus, anti-spyware or anti-malware on my computer as of right now. Spybot S&D TeaTimer et al. was disabled. RKill ran successfully. And ComboFix evidently ran successfully as well. However, it must not have found anything because ComboFix did not reboot my computer nor was I prompted to do so. Anyway, below is the requested ComboFix.txt:

ComboFix 11-02-13.01 - WILLIAM NIELSEN 02/13/2011 19:48:02.15.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.545 [GMT -8:00]
Running from: c:\documents and settings\WILLIAM NIELSEN\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2011-01-14 to 2011-02-14 )))))))))))))))))))))))))))))))
.

2011-02-01 02:30 . 2011-02-01 02:30 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ICS
2011-01-30 22:57 . 2011-01-30 22:57 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2011-01-30 22:57 . 2011-01-30 22:57 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2011-01-30 09:51 . 2011-01-30 09:51 -------- d-----w- c:\program files\CCleaner
2011-01-30 08:12 . 2011-01-30 08:12 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2011-01-24 02:13 . 2011-01-24 02:13 -------- d-sh--w- c:\documents and settings\William\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-13 00:22 . 2007-09-17 00:13 138520 ----a-w- c:\winnt\system32\drivers\PnkBstrK.sys
2011-02-13 00:22 . 2009-08-16 23:41 234536 ----a-w- c:\winnt\system32\PnkBstrB.xtr
2011-02-13 00:22 . 2007-09-17 00:12 234536 ----a-w- c:\winnt\system32\PnkBstrB.exe
2010-12-26 20:05 . 2010-12-26 20:05 1409 ----a-w- c:\winnt\QTFont.for
2010-12-25 16:43 . 2003-02-21 11:42 348160 ----a-w- c:\winnt\system32\msvcr71.dll
2010-12-21 02:09 . 2010-10-04 12:49 38224 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
2010-12-21 02:08 . 2010-10-04 12:49 20952 ----a-w- c:\winnt\system32\drivers\mbam.sys
.

((((((((((((((((((((((((((((( SnapShot_2011-01-19_22.44.03 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-02-13 21:50 . 2011-02-13 21:50 16384 c:\winnt\temp\Perflib_Perfdata_488.dat
+ 2010-09-23 11:47 . 2010-09-23 11:47 35760 c:\winnt\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\reader_sl.exe
+ 2010-09-23 10:03 . 2010-09-23 10:03 99776 c:\winnt\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\eula.exe
+ 2010-09-23 09:52 . 2010-09-23 09:52 27048 c:\winnt\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\acrotextextractor.exe
+ 2010-09-23 01:12 . 2010-09-23 01:12 15800 c:\winnt\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\AcroRd32Info.exe
+ 2010-09-11 01:17 . 2010-09-11 01:17 684032 c:\winnt\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\JP2KLib.dll
+ 2010-09-23 03:41 . 2010-09-23 03:41 542168 c:\winnt\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\AdobeCollabSync.exe
+ 2010-09-23 11:47 . 2010-09-23 11:47 349616 c:\winnt\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\AcroRd32.exe
+ 2010-09-23 01:04 . 2010-09-23 01:04 660912 c:\winnt\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\AcroPDF.dll
+ 2010-09-23 02:39 . 2010-09-23 02:39 280024 c:\winnt\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\acrobroker.exe
+ 2010-09-23 01:50 . 2010-09-23 01:50 251296 c:\winnt\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\a3dutility.exe
+ 2010-09-23 01:05 . 2010-09-23 01:05 2405784 c:\winnt\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\rt3d.dll
+ 2010-06-20 00:51 . 2010-06-20 00:51 5713920 c:\winnt\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\AGM.dll
+ 2011-01-31 10:45 . 2011-01-31 10:45 11135488 c:\winnt\Installer\f61278.msp
+ 2010-09-23 10:03 . 2010-09-23 10:03 20460984 c:\winnt\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\AcroRd32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-01 68856]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-11-13 323392]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-12-01 344064]
"NeroFilterCheck"="c:\winnt\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]
"ABIT uGuru"="c:\program files\ABIT\ABIT uGuru\uGuru.exe" [2004-04-12 1695830]
"Nikon Transfer Monitor"="c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe" [2008-09-30 485208]
"MSN Toolbar"="c:\program files\MSN Toolbar\Platform\4.0.0379.0\mswinext.exe" [2009-12-09 240992]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-07-17 288080]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2010-12-25 274608]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Dynamix\\Starsiege\\Starsiege.exe"=
"c:\\Program Files\\Microsoft Games\\MechWarrior Vengeance\\MW4.ICD"=
"c:\\Program Files\\EA GAMES\\Battlefield 1942\\BF1942.exe"=
"c:\\Program Files\\ICQ\\Icq.exe"=
"c:\\Program Files\\Microsoft Games\\MechWarrior Vengeance\\mw4x\\MW4x.exe"=
"c:\\Program Files\\GigaByte\\VGA Utility Manager\\gvupdate.exe"=
"c:\\Program Files\\GigaByte\\VGA Utility Manager\\G-vga.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\EA GAMES\\MOHAA\\MOHAA.exe"=
"c:\\Program Files\\Starsiege 2845 Alpha Tech Release\\SS2845\\ss2845.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56977:TCP"= 56977:TCP:Pando Media Booster
"56977:UDP"= 56977:UDP:Pando Media Booster

R0 uGuru;uGuru;c:\winnt\system32\drivers\uGuru.SYS [3/9/2005 10:25 PM 10752]
S0 AC2003;AC2003; [x]
S1 SABKUTIL;SABKUTIL;\??\c:\program files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys --> c:\program files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys [?]
S2 gupdate1ca2cf34490dd20;Google Update Service (gupdate1ca2cf34490dd20);c:\program files\Google\Update\GoogleUpdate.exe [9/3/2009 4:04 PM 133104]
S3 GAGPDrv;GAGPDrv; [x]
S3 npggsvc;nProtect GameGuard Service;c:\winnt\system32\GameMon.des -service --> c:\winnt\system32\GameMon.des -service [?]
S3 SNDP202;Dual Mode Camera (8008 VGA);c:\winnt\system32\drivers\sndp202.sys [6/29/2005 6:23 PM 245120]
S3 XDva007;XDva007;\??\c:\winnt\system32\XDva007.sys --> c:\winnt\system32\XDva007.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2011-02-14 c:\winnt\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-04 00:04]

2011-02-14 c:\winnt\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-04 00:04]

2011-02-13 c:\winnt\Tasks\RealUpgradeLogonTaskS-1-5-21-3153008980-3137500025-2304659736-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 19:33]

2011-02-13 c:\winnt\Tasks\RealUpgradeScheduledTaskS-1-5-21-3153008980-3137500025-2304659736-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 19:33]
.
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=127.0.0.1:61939
FF - ProfilePath - c:\documents and settings\WILLIAM NIELSEN\Application Data\Mozilla\Firefox\Profiles\1fox774n.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=ZUGO&form=ZGAADF&q=
FF - prefs.js: network.proxy.type - 4
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: XUL Cache: {92C6B92D-23E6-49DE-8CA7-EE13BC244F7E} - c:\winnt\system32\config\systemprofile\Local Settings\Application Data\{92C6B92D-23E6-49DE-8CA7-EE13BC244F7E}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\WILLIAM NIELSEN\Application Data\Move Networks
FF - Ext: Search Toolbar: searchtoolbar@zugo.com - %profile%\extensions\searchtoolbar@zugo.com
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-13 19:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\npggsvc]
"ImagePath"="c:\winnt\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINNT\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINNT\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3228)
c:\winnt\system32\WININET.dll
c:\winnt\system32\ieframe.dll
c:\winnt\system32\webcheck.dll
.
Completion time: 2011-02-13 19:56:26
ComboFix-quarantined-files.txt 2011-02-14 03:56

Pre-Run: 68,739,428,352 bytes free
Post-Run: 68,776,144,896 bytes free

Current=5 Default=5 Failed=4 LastKnownGood=6 Sets=1,2,3,4,5,6
- - End Of File - - 0447D735BF56965F17E72A3273A9A4AD

I cannot tell whether my system is running better or not at the moment. One thing I do notice, however, is that my keystrokes are simultaneous on the monitor compared to the 1 to 2 second delay when responding while on the forum. I will reboot my system now and navigate around to sites I am positive are safe. I will try some online gaming for a bit and see if the performance has improved or not.

Once, or if, this is all cleared up, I would like to make a donation. But I am afraid of sending money via the internet. As a result of my computer virus and my computer getting hacked, I also had my PayPal account hacked, and that is what started the whole mess. So, if I can send a check, please give me the address so I can donate via U.S. Mail. Also, if you can steer me in the right direction regarding a firewall and better anti-virus/spyware protection, I would be eternally grateful. I was considering purchasing the full version of Malwarebytes. At any rate, we can cross that bridge when we get to it, since I am not sure how many more things we may have to fix here.

Thanks again for your help and look forward to the next steps.

William
hYlAnDeR~TFC~
[OF/FA] Orion Faction-Retired
Game Squad Fleet Admiral~Retired
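
The ComboFix log in the post above contains the kinds of entries a responder checks by hand before writing a fix script: Security Center values set to 1 (these silence Windows' own "no antivirus / firewall" warnings), an Internet Settings ProxyServer pointing at 127.0.0.1:61939 (a proxy on the loopback interface is a classic way for malware to sit between the browser and the network), service entries ComboFix lists with [x] or [?] (read here as "no file found at the registered path"), and Firefox prefs that redirect address-bar searches. The Python script below is an editor's example, not part of this thread, of ComboFix or of any tool named in it; it pulls those indicators out of a log in this format. The sample log embedded in it is constructed from a few lines of the log above, and the high/medium/info labels are the editor's, not ComboFix's.

```python
"""Pull common hijack indicators out of a ComboFix-style log (editor's example)."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass


@dataclass
class Indicator:
    severity: str  # "high", "medium" or "info" (editor's labels, not ComboFix's)
    tag: str
    line: str


# Values under HKLM\SOFTWARE\Microsoft\Security Center that, when non-zero,
# stop Windows from warning that antivirus/firewall/updates are off.
SECURITY_CENTER_FLAG = re.compile(
    r'^"(AntiVirusOverride|FirewallOverride|DisableMonitoring|'
    r'AntiVirusDisableNotify|FirewallDisableNotify|UpdatesDisableNotify)"'
    r'=dword:0*[1-9a-f][0-9a-f]*$', re.I)

# "uInternet Settings,ProxyServer = http=127.0.0.1:61939"
LOOPBACK_PROXY = re.compile(
    r'ProxyServer\s*=\s*(?:\w+=)?(127\.\d+\.\d+\.\d+|localhost):(\d+)', re.I)

# ComboFix service/driver line: "<R|S><0-4> name;display name;image path [status]"
SERVICE_LINE = re.compile(r'^([RS])([0-4])\s+([^;]+);([^;]*);(.*)$')

# Firefox prefs.js lines as ComboFix prints them
FF_KEYWORD_URL = re.compile(r'keyword\.URL\s*-\s*h(?:xx|tt)ps?://([^/\s]+)', re.I)
FF_PROXY_TYPE = re.compile(r'network\.proxy\.type\s*-\s*(\d)')
FF_PROXY_MEANING = {1: "manual", 2: "PAC script", 4: "auto-detect (WPAD)"}


def scan_combofix_log(text: str) -> list[Indicator]:
    """Return one Indicator per suspicious line, in log order."""
    found: list[Indicator] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if SECURITY_CENTER_FLAG.match(line):
            found.append(Indicator("high", "security_center_suppressed", line))
            continue
        m = LOOPBACK_PROXY.search(line)
        if m:
            found.append(Indicator("high", f"loopback_proxy:{m.group(1)}:{m.group(2)}", line))
            continue
        m = SERVICE_LINE.match(line)
        if m:
            # Editor's reading of the markers: ComboFix appends [x] when the
            # registered binary is absent and [?] when the file at that path
            # could not be verified. Either one deserves a look.
            status = m.group(5).strip()
            if status.endswith("[x]") or status.endswith("[?]"):
                found.append(Indicator("medium", f"service_binary_missing:{m.group(3)}", line))
            continue
        m = FF_KEYWORD_URL.search(line)
        if m:
            # keyword.URL rewrites address-bar searches; a non-default host is a hijack sign.
            found.append(Indicator("info", f"firefox_keyword_url:{m.group(1)}", line))
            continue
        m = FF_PROXY_TYPE.search(line)
        if m and int(m.group(1)) in FF_PROXY_MEANING:
            kind = int(m.group(1))
            # A manual or PAC proxy in a home profile is worth a look; WPAD
            # auto-detect is common enough to report as information only.
            severity = "medium" if kind in (1, 2) else "info"
            found.append(Indicator(severity, f"firefox_proxy:{FF_PROXY_MEANING[kind]}", line))
    return found


def summarize(indicators: list[Indicator]) -> dict[str, int]:
    """Count indicators per severity, e.g. {'high': 3, 'medium': 2, 'info': 2}."""
    return dict(Counter(i.severity for i in indicators))


# Constructed sample: a handful of lines copied from the log format above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
R0 uGuru;uGuru;c:\winnt\system32\drivers\uGuru.SYS [3/9/2005 10:25 PM 10752]
S0 AC2003;AC2003; [x]
S1 SABKUTIL;SABKUTIL;\??\c:\program files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys --> c:\program files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys [?]
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:61939
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=ZUGO&form=ZGAADF&q=
FF - prefs.js: network.proxy.type - 4
"""

if __name__ == "__main__":
    hits = scan_combofix_log(SAMPLE_LOG)
    for h in hits:
        print(f"[{h.severity:6}] {h.tag:40} {h.line}")
    print(summarize(hits))
```

Run it against a saved C:\ComboFix.txt by passing the file contents to scan_combofix_log; the regexes only look at the line shapes ComboFix prints, so the uGuru driver line, which has a real file behind it, is matched as a service but not reported. A match is a prompt to look, not a verdict: the Security Center overrides, for instance, are also what some legitimate suites set while they are installed.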

#6 fireman4it
Bleepin' Fireman, Malware Response Team (13,505 posts, Greenup, Ill USA)

Posted 13 February 2011 - 11:48 PM

Hello,

I think that the combination of StopZilla, SpyZooka and Spybot all running at the same time was lagging your system down. StopZilla is known to be a resource hog. Once we know you're all clean I will give you a link to some good free antivirus and firewalls along with antispyware. Most antivirus products have built-in antispyware nowadays. There are signs of a previous infection in your logs. We will clean up those leftovers and do some more checking just to be sure.

1.
We need to run a CFScript.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

Firefox::
FF - ProfilePath - c:\documents and settings\WILLIAM NIELSEN\Application Data\Mozilla\Firefox\Profiles\1fox774n.default\
FF - Ext: Search Toolbar: searchtoolbar@zugo.com - %profile%\extensions\searchtoolbar@zugo.com

DDS::
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=127.0.0.1:61939

Driver::
AC2003
SABKUTIL
GAGPDrv
npggsvc
XDva007

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
[-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

Reglockdel::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]


Save this as CFScript.txt, in the same location as ComboFix.exe



Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

2.
Please download Malwarebytes' Anti-Malware (v1.50) and save it to your desktop.
Download Link 1
Download Link 2
Malwarebytes' may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet and double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to this Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes' when done.
Note: If Malwarebytes' encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes' from removing all the malware.

3.
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
Note for Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.
You can refer to this short video by: neomage
**Note**
To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.

4.
Spybot S&D or Ad-Aware are no longer recommended
  • mvps.org is no longer recommending Spybot S&D or Ad-Aware due to poor testing results. See here - (scroll down and read under Freeware Antispyware Products)
  • Further, most people don't understand Spybot's TeaTimer or how to use it and that feature can cause more problems than it's worth. TeaTimer monitors changes to certain critical keys in Windows registry but does not indicate if the change is normal or a modification made by a malware infection. The user must have an understanding of the registry and how TeaTimer works in order to make informed decisions to allow or deny the detected changes. Additionally, TeaTimer may conflict with other security tools which do a much better job of protecting your computer and even prevent disinfection of malware by those tools.
  • More effective alternatives are Malwarebytes Anti-Malware and SUPERAntiSpyware Free.


Things to include in your next reply:
Combofix.txt
MBAm log
Eset log
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!
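The CFScript above resets an Internet Settings proxy that points back at the machine itself and removes a Firefox search-toolbar extension; whether those entries are really gone is only visible in the ComboFix log posted afterwards. As an added example that is not part of this thread or of the DDS/ComboFix tools, the Python helper below flags those indicators in DDS/ComboFix "Supplementary Scan" lines and then diffs a pre-fix log against a post-fix log so that anything the script did not clear stands out. The sample lines are constructed from the CFScript and the log in this thread; the extension watch list and the severity labels are assumptions of the example.

```python
"""Before/after triage of DDS and ComboFix 'Supplementary Scan' lines.

Added example, not part of the BleepingComputer thread or of the DDS/ComboFix
tools. Indicators covered: a proxy pinned to the loopback interface, a Firefox
proxy mode other than direct/system, a redirected Firefox keyword.URL, and
Firefox extensions on a watch list (here the id named in the CFScript).
"""
import re
from typing import Dict, List, Sequence, Tuple

# Firefox network.proxy.type meanings (Mozilla preference documentation).
FF_PROXY_TYPES = {"0": "direct", "1": "manual", "2": "PAC URL",
                  "4": "auto-detect (WPAD)", "5": "system"}

# Matches '... ProxyServer = http=127.0.0.1:61939' or '... = 127.0.0.1:61939'.
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?:[a-z]+=)?([^:;\s]+):(\d+)", re.I)
FF_PREF_RE = re.compile(r"^FF - prefs\.js: (\S+) - (.*)$")
FF_EXT_RE = re.compile(r"^FF - Ext: (.+?): (\S+) - (.+)$")

# Extension ids to report when present (assumption: the id the CFScript removes).
EXT_WATCHLIST = {"searchtoolbar@zugo.com"}

Finding = Tuple[str, str, str]  # (severity, key, detail); key is stable across logs


def is_loopback(host: str) -> bool:
    return host.lower() == "localhost" or host.startswith("127.")


def triage(lines: Sequence[str]) -> List[Finding]:
    """Scan log lines and return findings. The 'key' names the indicator
    independently of formatting so pre- and post-fix logs can be compared."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        m = PROXY_RE.search(line)
        if m and is_loopback(m.group(1)):
            findings.append(("high", "proxy:loopback",
                             f"browser traffic routed through {m.group(1)}:{m.group(2)} "
                             "on this host, typical of a local redirector"))
            continue
        m = FF_PREF_RE.match(line)
        if m:
            pref, value = m.groups()
            # DDS/ComboFix only print non-default prefs, so presence alone is notable.
            if pref == "network.proxy.type" and value not in ("0", "5"):
                findings.append(("medium", "ff:proxy.type",
                                 f"Firefox proxy mode {value} "
                                 f"({FF_PROXY_TYPES.get(value, 'unknown')})"))
            elif pref == "keyword.URL":
                findings.append(("medium", "ff:keyword.URL",
                                 f"address-bar searches sent to {value}"))
            continue
        m = FF_EXT_RE.match(line)
        if m and m.group(2) in EXT_WATCHLIST:
            findings.append(("medium", f"ff:ext:{m.group(2)}",
                             f"watch-listed extension '{m.group(1)}' at {m.group(3)}"))
    return findings


def compare(before: Sequence[str], after: Sequence[str]) -> Dict[str, List[str]]:
    """Classify indicator keys as resolved (gone after the fix), persisted
    (still present) or new (only seen in the post-fix log)."""
    b = {key for _, key, _ in triage(before)}
    a = {key for _, key, _ in triage(after)}
    return {"resolved": sorted(b - a), "persisted": sorted(b & a), "new": sorted(a - b)}


# Constructed sample: pre-fix lines are the DDS:: and Firefox:: entries of the
# CFScript; post-fix lines are taken from the ComboFix log posted afterwards.
BEFORE = [
    "uInternet Connection Wizard,ShellNext = iexplore",
    "uInternet Settings,ProxyServer = http=127.0.0.1:61939",
    "FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=ZUGO&form=ZGAADF&q=",
    "FF - Ext: Search Toolbar: searchtoolbar@zugo.com - %profile%\\extensions\\searchtoolbar@zugo.com",
]
AFTER = [
    "uStart Page = hxxp://www.google.com/",
    "FF - prefs.js: browser.search.selectedEngine - Bing",
    "FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=ZUGO&form=ZGAADF&q=",
    "FF - prefs.js: network.proxy.type - 4",
    "FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - "
    "c:\\program files\\Mozilla Firefox\\extensions\\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}",
    "FF - Ext: Search Toolbar: searchtoolbar@zugo.com - %profile%\\extensions\\searchtoolbar@zugo.com",
]

if __name__ == "__main__":
    for severity, key, detail in triage(BEFORE):
        print(f"[{severity}] {key}: {detail}")
    # The loopback proxy is gone, but the ZUGO search entries survived the fix.
    print(compare(BEFORE, AFTER))
```

Run against the two logs in the thread, the diff shows the loopback proxy resolved while the keyword.URL and the Search Toolbar extension persisted, which is exactly the kind of leftover a second pass should target.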


#7 hYlAnDeR~TFC

  • Topic Starter
  • Members
  • 257 posts

Posted 14 February 2011 - 06:20 AM

Fireman,

Here ya go!

Combofix.txt

ComboFix 11-02-13.01 - WILLIAM NIELSEN 02/13/2011 21:32:53.16.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.612 [GMT -8:00]
Running from: c:\documents and settings\WILLIAM NIELSEN\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\WILLIAM NIELSEN\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SABKUTIL
-------\Legacy_XDVA007
-------\Service_AC2003
-------\Service_GAGPDrv
-------\Service_npggsvc
-------\Service_SABKUTIL
-------\Service_XDva007


((((((((((((((((((((((((( Files Created from 2011-01-14 to 2011-02-14 )))))))))))))))))))))))))))))))
.

2011-02-01 02:30 . 2011-02-01 02:30 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ICS
2011-01-30 22:57 . 2011-01-30 22:57 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2011-01-30 22:57 . 2011-01-30 22:57 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2011-01-30 09:51 . 2011-01-30 09:51 -------- d-----w- c:\program files\CCleaner
2011-01-30 08:12 . 2011-01-30 08:12 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2011-01-24 02:13 . 2011-01-24 02:13 -------- d-sh--w- c:\documents and settings\William\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-13 00:22 . 2007-09-17 00:13 138520 ----a-w- c:\winnt\system32\drivers\PnkBstrK.sys
2011-02-13 00:22 . 2009-08-16 23:41 234536 ----a-w- c:\winnt\system32\PnkBstrB.xtr
2011-02-13 00:22 . 2007-09-17 00:12 234536 ----a-w- c:\winnt\system32\PnkBstrB.exe
2010-12-26 20:05 . 2010-12-26 20:05 1409 ----a-w- c:\winnt\QTFont.for
2010-12-25 16:43 . 2003-02-21 11:42 348160 ----a-w- c:\winnt\system32\msvcr71.dll
2010-12-21 02:09 . 2010-10-04 12:49 38224 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
2010-12-21 02:08 . 2010-10-04 12:49 20952 ----a-w- c:\winnt\system32\drivers\mbam.sys
.

((((((((((((((((((((((((((((( SnapShot_2011-01-19_22.44.03 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-02-14 05:42 . 2011-02-14 05:42 16384 c:\winnt\temp\Perflib_Perfdata_f0.dat
+ 2010-09-23 11:47 . 2010-09-23 11:47 35760 c:\winnt\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\reader_sl.exe
+ 2010-09-23 10:03 . 2010-09-23 10:03 99776 c:\winnt\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\eula.exe
+ 2010-09-23 09:52 . 2010-09-23 09:52 27048 c:\winnt\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\acrotextextractor.exe
+ 2010-09-23 01:12 . 2010-09-23 01:12 15800 c:\winnt\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\AcroRd32Info.exe
+ 2010-09-11 01:17 . 2010-09-11 01:17 684032 c:\winnt\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\JP2KLib.dll
+ 2010-09-23 03:41 . 2010-09-23 03:41 542168 c:\winnt\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\AdobeCollabSync.exe
+ 2010-09-23 11:47 . 2010-09-23 11:47 349616 c:\winnt\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\AcroRd32.exe
+ 2010-09-23 01:04 . 2010-09-23 01:04 660912 c:\winnt\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\AcroPDF.dll
+ 2010-09-23 02:39 . 2010-09-23 02:39 280024 c:\winnt\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\acrobroker.exe
+ 2010-09-23 01:50 . 2010-09-23 01:50 251296 c:\winnt\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\a3dutility.exe
+ 2010-09-23 01:05 . 2010-09-23 01:05 2405784 c:\winnt\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\rt3d.dll
+ 2010-06-20 00:51 . 2010-06-20 00:51 5713920 c:\winnt\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\AGM.dll
+ 2011-01-31 10:45 . 2011-01-31 10:45 11135488 c:\winnt\Installer\f61278.msp
+ 2010-09-23 10:03 . 2010-09-23 10:03 20460984 c:\winnt\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\AcroRd32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-01 68856]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-11-13 323392]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-12-01 344064]
"NeroFilterCheck"="c:\winnt\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]
"ABIT uGuru"="c:\program files\ABIT\ABIT uGuru\uGuru.exe" [2004-04-12 1695830]
"Nikon Transfer Monitor"="c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe" [2008-09-30 485208]
"MSN Toolbar"="c:\program files\MSN Toolbar\Platform\4.0.0379.0\mswinext.exe" [2009-12-09 240992]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-07-17 288080]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2010-12-25 274608]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Dynamix\\Starsiege\\Starsiege.exe"=
"c:\\Program Files\\Microsoft Games\\MechWarrior Vengeance\\MW4.ICD"=
"c:\\Program Files\\EA GAMES\\Battlefield 1942\\BF1942.exe"=
"c:\\Program Files\\ICQ\\Icq.exe"=
"c:\\Program Files\\Microsoft Games\\MechWarrior Vengeance\\mw4x\\MW4x.exe"=
"c:\\Program Files\\GigaByte\\VGA Utility Manager\\gvupdate.exe"=
"c:\\Program Files\\GigaByte\\VGA Utility Manager\\G-vga.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\EA GAMES\\MOHAA\\MOHAA.exe"=
"c:\\Program Files\\Starsiege 2845 Alpha Tech Release\\SS2845\\ss2845.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56977:TCP"= 56977:TCP:Pando Media Booster
"56977:UDP"= 56977:UDP:Pando Media Booster

R0 uGuru;uGuru;c:\winnt\system32\drivers\uGuru.SYS [3/9/2005 10:25 PM 10752]
S2 gupdate1ca2cf34490dd20;Google Update Service (gupdate1ca2cf34490dd20);c:\program files\Google\Update\GoogleUpdate.exe [9/3/2009 4:04 PM 133104]
S3 SNDP202;Dual Mode Camera (8008 VGA);c:\winnt\system32\drivers\sndp202.sys [6/29/2005 6:23 PM 245120]
.
Contents of the 'Scheduled Tasks' folder

2011-02-14 c:\winnt\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-04 00:04]

2011-02-14 c:\winnt\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-04 00:04]

2011-02-14 c:\winnt\Tasks\RealUpgradeLogonTaskS-1-5-21-3153008980-3137500025-2304659736-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 19:33]

2011-02-14 c:\winnt\Tasks\RealUpgradeScheduledTaskS-1-5-21-3153008980-3137500025-2304659736-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 19:33]
.
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
FF - ProfilePath - c:\documents and settings\WILLIAM NIELSEN\Application Data\Mozilla\Firefox\Profiles\1fox774n.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=ZUGO&form=ZGAADF&q=
FF - prefs.js: network.proxy.type - 4
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: XUL Cache: {92C6B92D-23E6-49DE-8CA7-EE13BC244F7E} - c:\winnt\system32\config\systemprofile\Local Settings\Application Data\{92C6B92D-23E6-49DE-8CA7-EE13BC244F7E}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\WILLIAM NIELSEN\Application Data\Move Networks
FF - Ext: Search Toolbar: searchtoolbar@zugo.com - %profile%\extensions\searchtoolbar@zugo.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-13 21:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1772)
c:\winnt\system32\WININET.dll
c:\winnt\system32\ieframe.dll
c:\winnt\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\winnt\system32\Ati2evxx.exe
c:\winnt\system32\drivers\CDAC11BA.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\winnt\system32\PnkBstrA.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\winnt\system32\wdfmgr.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\winnt\system32\wscntfy.exe
c:\program files\ABIT\ABIT uGuru\uGuru_Event_Receiver.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
.
**************************************************************************
.
Completion time: 2011-02-13 21:45:50 - machine was rebooted
ComboFix-quarantined-files.txt 2011-02-14 05:45
ComboFix2.txt 2011-02-14 03:56
ComboFix3.txt 2011-02-14 05:27

Pre-Run: 68,800,225,280 bytes free
Post-Run: 68,784,549,888 bytes free

Current=5 Default=5 Failed=4 LastKnownGood=6 Sets=1,2,4,5,6
- - End Of File - - DB69A5BC7392F83EB297466884C29131


MBAm Log

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5743

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2/13/2011 9:51:14 PM
mbam-log-2011-02-13 (21-51-14).txt

Scan type: Quick scan
Objects scanned: 153002
Time elapsed: 3 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



Eset Log

C:\Documents and Settings\WILLIAM NIELSEN\Desktop\spywareIEmonster removal\SpyHunter-Scanner-Install.exe probably a variant of Win32/TrojanDownloader.Agent.CKPTBCX trojan cleaned by deleting - quarantined
C:\Documents and Settings\WILLIAM NIELSEN\Desktop\spywareIEmonster removal\JAN2011HELPS\SmitfraudFix.exe multiple threats deleted - quarantined
C:\Documents and Settings\WILLIAM NIELSEN\Desktop\spywareIEmonster removal\JAN2011HELPS\VirtumundoBeGone.exe Win32/PrcView application deleted - quarantined
C:\Documents and Settings\WILLIAM NIELSEN\Desktop\spywareIEmonster removal\JAN2011HELPS\SmitfraudFix\Process.exe Win32/PrcView application cleaned by deleting - quarantined
C:\Documents and Settings\WILLIAM NIELSEN\Desktop\spywareIEmonster removal\JAN2011HELPS\SmitfraudFix\restart.exe Win32/Shutdown.NAA application cleaned by deleting - quarantined
C:\Documents and Settings\WILLIAM NIELSEN\My Documents\downloaded demos\nfs_carbon_demo_eu.exe Win32/TrojanDownloader.Horst.BC trojan deleted - quarantined
C:\Qoobox\Quarantine\C\WINNT\system32\Process.exe.vir Win32/PrcView application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINNT\system32\pyatwpke.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINNT\system32\tafrqanf.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\System Volume Information\_restore{02BBDF72-5D0E-4625-BBC0-8D62913B28C8}\RP1602\A0171901.exe Win32/PrcView application cleaned by deleting - quarantined
C:\System Volume Information\_restore{02BBDF72-5D0E-4625-BBC0-8D62913B28C8}\RP1602\A0171904.exe Win32/Shutdown.NAA application cleaned by deleting - quarantined
C:\System Volume Information\_restore{02BBDF72-5D0E-4625-BBC0-8D62913B28C8}\RP1605\A0172659.exe Win32/PrcView application deleted - quarantined
C:\System Volume Information\_restore{02BBDF72-5D0E-4625-BBC0-8D62913B28C8}\RP1618\A0174562.exe probably a variant of Win32/TrojanDownloader.Agent.CKPTBCX trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{02BBDF72-5D0E-4625-BBC0-8D62913B28C8}\RP1618\A0174563.exe multiple threats deleted - quarantined
C:\System Volume Information\_restore{02BBDF72-5D0E-4625-BBC0-8D62913B28C8}\RP1618\A0174564.exe Win32/PrcView application deleted - quarantined
C:\System Volume Information\_restore{02BBDF72-5D0E-4625-BBC0-8D62913B28C8}\RP1618\A0174565.exe Win32/PrcView application cleaned by deleting - quarantined
C:\System Volume Information\_restore{02BBDF72-5D0E-4625-BBC0-8D62913B28C8}\RP1618\A0174566.exe Win32/Shutdown.NAA application cleaned by deleting - quarantined


Hope this helps out. I don't know about computer performance yet as it is just past 3 AM PST. I just got up to check my glucose, so I'm back off to bed. I'll check that after work and reply in our next session.

Thanks again!

#8 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 14 February 2011 - 12:45 PM

Hello,

We need to get rid of some old java that could lead to getting you infected again.

Uninstalling A Program Through "add/remove"

Click "start" on the taskbar and then click on the "Control Panel" icon.
Please double-click the "Add or Remove Programs" icon.
A list of installed programs will be "populated"; this may take a bit of time.
If they exist, uninstall the following by clicking on the following entries and selecting "remove":

J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 4
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Java™ SE Runtime Environment 6 Update 1
Java™ 6 Update 7


Additional instructions can be found here if needed.


Let's get an antivirus and firewall on your machine now.
For a nice list of freeware programmes in all categories, please have a look at this thread with freeware products that are regarded as useful by the users of this forum: Commonly Used Freeware Replacements.

Note: Install only one antivirus and one firewall. Having more than one could cause performance along with other issues.

How is your machine running now?


#9 hYlAnDeR~TFC

  • Topic Starter
  • Members
  • 257 posts

Posted 14 February 2011 - 10:28 PM

Fireman,

Happy Valentine's Day!

Well, I just got back from a nice Mexican Restaurant with the Mrs., totally overate, so will have to take some extra insulin to compensate for the eventual glucose overload.

Anyways, I uninstalled the requested J2SE proggies per your recommendation. I decided to utilize Spyware Blaster as my primary and only anti-spyware/virus/trojan detector and scanner. It seems to be something easy enough yet powerful enough to provide the protection I need. Unless, of course, you recommend a better one or have another suggestion. They all appear to be pretty comparable. I also decided on ZoneAlarm for my firewall. I heard about it from someone else some time ago. I am not too familiar with the other ones on the list, but ZoneAlarm appears to be something that will also provide good protection. I saved the link for ESETScan to periodically run once a month or so, and I also kept the free version of Malwarebytes, which of course does not run actively, but can be used for scanning and finding things from time to time if needed. I may eventually purchase the full version of Malwarebytes and swap it for Spyware Blaster because I have heard many good things about them as a company; unless you think I'm set up pretty well for now. I called StopZilla and got a refund from them. I will also be calling SpyZooka and requesting a refund from them as well.

My system appears to be running very smoothly now. Granted, ZoneAlarm is still migrating itself into my system and it will take a few boots to feel the full effectiveness from it. But I can honestly say that both my internet browsing and online gaming have greatly improved. I also feel a lot safer now and am almost ready to perhaps use my PayPal account once again with the special security key code card that they just sent me.

Are there any further steps, scans or removals we need to complete at this point, or do you think you can give my system a clean bill of health?

Also, what exactly were the types of viruses that invaded my machine and how serious or dangerous were they? Just curious. I simply cannot recall exactly what happened or what I could have downloaded or opened in email that could have caused such havoc.

At any rate, I am truly grateful for all the help you have done and would again like to make a donation to the cause. Could you please provide me a physical mailing address where I can send it? Thanks.

Also, I would like to know where or to whom I can forward my appreciation for the outstanding customer service and expert advice you have given me to help me with my system.

Thanks again and warmest regards,

William

#10 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 14 February 2011 - 10:42 PM

Hello,

Also, what exactly were the types of viruses that invaded my machine and how serious or dangerous were they? Just curious. I simply cannot recall exactly what happened or what I could have downloaded or opened in email that could have caused such havoc.


They can come in many different ways: emails, a site you may have browsed, something you downloaded could have been loaded with it, and of course even known good sites like Facebook and Yahoo sometimes get hacked and can infect you; nothing is impregnable. The type of infection you had was moderately powerful but easy to remove.

At any rate, I am truly grateful for all the help you have done and would again like to make a donation to the cause. Could you please provide me a physical mailing address where I can send it? Thanks.


Send me a PM and I can tell you.

Also, I would like to know where or to whom I can forward my appreciation for the outstanding customer service and expert advice you have given me to help me with my system.


Grinler is the site's owner and admin.


1.
Uninstall Combofix
  • Make sure that Combofix.exe that you downloaded is on your Desktop but Do not run it!
    o *If it is not on your Desktop, the below will not work.
  • Click on Posted Image then Run....
  • Now copy & paste the green bolded text in the run-box and click OK.

    ComboFix /Uninstall


    <Notice the space between the "x" and "/".> <--- It needs to be there
    Windows Vista users: Press the Windows Key + R to bring the Run... Command and then from there you can add in the Combofix /Uninstall

  • Please advise if this step is missed for any reason as it performs some important actions:
    "This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.
    It also makes a clean Restore Point and flushes all the old restore points in order to prevent possible reinfection from an old one through system restore."

2.
Congratulations! You now appear clean! :cool:

Are things running okay? Do you have any more questions?

System Still Slow?
You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve performance.
If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware.

We Need to Clean Up Our Mess
  • Download OTC by OldTimer and save it to your desktop.
  • Double click Posted Image icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big Posted Image button.
  • You will get a prompt saying "Being Cleanup Process". Please select Yes.
  • Restart your computer when prompted.



Recommendations
Below are some recommendations to lower your chances of (re)infection.
  • Install and maintain an outbound firewall
  • Install Spyware Blaster and update it regularly
    If you wish, the commercial version provides automatic updating.
  • Install the MVPs hosts file, and update it regularly
    You can use the HostMan host file manager to do this automatically if you wish.
    For more information on the hosts file, and what it can do for you, you can view the Tutorial on the Hosts file
  • Install an Anti-Spyware program, and update it regularly
    Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
    SUPERAntiSpyware is another good scanner with high detection and removal rates.
    Both programs are free for non-commercial home use; the paid versions provide a resident scanner and do not nag.
  • Keep Windows (and your other Microsoft software) up to date!
    I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

    If you are using Windows XP or earlier
    Visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

    If you are using Windows Vista
    • Click the "Start Menu" (or Windows Orb)
    • Click "All Programs"
    • Click "Windows Update"
    • On the left, choose "Change Settings"
    • Ensure that the checkbox "Use Microsoft Update" at the bottom of the window is checked.
    • Press OK and accept the UAC prompt.
      Note: You shouldn't need to check this checkbox every single time you update, only the first time.
    • Click "Check for Updates" in the upper left corner.
    • Follow the instructions to install the latest updates.
    • Reboot and repeat the "Check for Updates" until there are no more critical updates to install
  • Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.
  • Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing :(.

"Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



If I have helped you, consider making a donation to help me continue the fight against Malware!
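The "reboot and repeat Check for Updates until nothing is left" advice above can be verified from a console instead of the Control Panel. The following PowerShell script is an added example, not code from this post or from any of the tools it names: it asks the Windows Update Agent (the standard Microsoft.Update.Session COM object) which updates are still pending, whether a reboot is outstanding, and which installs succeeded or failed in the last 30 days. The 30-day window and the source-list formatting are choices of this example, not something the thread specifies.

```powershell
# Added example, not from the thread: check Windows Update state through the
# Windows Update Agent COM API so the "repeat until no more updates" loop can
# be confirmed to have actually finished.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()

# 1. Updates that are still pending: not installed and not hidden by the user.
$pending = $searcher.Search("IsInstalled=0 and IsHidden=0").Updates
Write-Host ("Pending updates: {0}" -f $pending.Count)
foreach ($u in $pending) {
    # MsrcSeverity is empty for non-security updates; Critical/Important are the
    # ones that close the kind of holes the post is talking about.
    Write-Host ("  [{0,-9}] {1}" -f $u.MsrcSeverity, $u.Title)
}

# 2. A pending reboot means the last batch is not yet in effect.
$sysInfo = New-Object -ComObject Microsoft.Update.SystemInfo
Write-Host ("Reboot required: {0}" -f $sysInfo.RebootRequired)

# 3. Recent install history (30-day look-back is an assumption of this example).
$since = (Get-Date).AddDays(-30)
$total = $searcher.GetTotalHistoryCount()
if ($total -gt 0) {
    $history = $searcher.QueryHistory(0, $total) |
        Where-Object { $_.Date -gt $since } |
        Sort-Object Date -Descending
    Write-Host ("Updates attempted since {0:yyyy-MM-dd}: {1}" -f $since, @($history).Count)
    foreach ($h in $history) {
        # ResultCode follows the WUA OperationResultCode enum:
        # 2 = Succeeded, 3 = Succeeded with errors, 4 = Failed, 5 = Aborted.
        $state = switch ($h.ResultCode) {
            2 { "OK" } 3 { "OK (errors)" } 4 { "FAILED" } 5 { "ABORTED" }
            default { "code $_" }
        }
        Write-Host ("  {0:yyyy-MM-dd}  {1,-12} {2}" -f $h.Date, $state, $h.Title)
    }
}
```

A machine is "done" only when the pending count is zero, RebootRequired is false, and no FAILED entries remain in the recent history; a failed entry is the case where one more reboot-and-retry pass is still needed.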


#11 hYlAnDeR~TFC (Topic Starter, Members, 257 posts)

Posted 14 February 2011 - 11:09 PM

I get an error message when trying to Start > Run > "Combofix /Uninstall"; the error message states "Windows cannot find 'combofix'." The name is typed correctly. Not sure what to do to get it recognized or to fix this?
hYlAnDeR~TFC~
[OF/FA] Orion Faction-Retired
Game Squad Fleet Admiral~Retired

#12 fireman4it (Bleepin' Fireman, Malware Response Team, 13,505 posts, Greenup, Ill USA)

Posted 14 February 2011 - 11:17 PM

Hello,

Download this Combofix Uninstaller and run it.



#13 hYlAnDeR~TFC (Topic Starter, Members, 257 posts)

Posted 14 February 2011 - 11:51 PM

Okay,

Uninstall of Combofix successful. Updated software, drivers and Windows XP updates are installing as I type. Ran OTC and rebooted. Zone Alarm and Spyware Blaster on line and working.

It is incredible how fast my computer is now working, especially the boot up and reboot. Navigating web pages with ease now, and working between various applications is quick and smooth!

I did have an additional question that is outside the current topic, and that is, is there any chance that the viruses I acquired caused any damage to my hard drive or Windows software? The reason I ask is because last week, when I was attempting to get assistance from StopZilla via remote access to my computer, they ran "eventvwr" and under the System and Application tabs there were literally hundreds of warnings and errors listed. The StopZilla tech was telling me that my computer was seriously damaged and that they were unable to assist me in removing the spyware that their product guaranteed to protect me from, and subsequently they advised me that the infections, viruses and damage to my system could only be fixed by paying them a certain amount of money for them and a Certified Microsoft technician to do the job. I am not saying this necessarily to speak negatively about StopZilla, but it is a bit concerning to me that the free support that I thought I had purchased with their product was really for naught, and they left me with the impression that my system was basically beyond help. So, if there is any "real" damage caused to my system hard drive and/or Windows software, how would I go about finding this out? If this is another topic for another forum, please let me know so I can address my concerns there, but if you can help me with that, that would be great too!

Thanks again for all your help, I will PM you for the donation addy and will forward additional appreciation and thanks to the webmaster!

Best Regards,

William

#14 fireman4it (Bleepin' Fireman, Malware Response Team, 13,505 posts, Greenup, Ill USA)

Posted 15 February 2011 - 12:13 AM

Hello,


There was no damage done to your hard disk. I haven't seen any signs that it has affected any software. Those errors you were receiving were due to all the stuff you had running, along with the malware preventing certain things from running.

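The question in post #13 ("how would I go about finding this out?") has a concrete answer that the reply above only states as a conclusion: separate the System log entries that come from the disk and filesystem drivers from the service-start noise that a malware infection leaves behind. The PowerShell below is an added example, not code from this thread or from any tool it mentions; the 14-day window and the list of storage-related event sources are assumptions of the example and should be adjusted to the drivers actually present on the machine.

```powershell
# Added example, not from the thread: triage the System event log the way a
# responder would after a cleanup, so that "hundreds of errors in eventvwr"
# can be split into disk/filesystem trouble versus leftover service failures.
$since  = (Get-Date).AddDays(-14)   # look-back window, an assumption of this example
$events = Get-EventLog -LogName System -EntryType Error, Warning -After $since

# Event sources that point at the disk or filesystem itself. This is an assumed
# list of common Windows storage drivers, not something the thread specifies.
$storageSources = '^(disk|ntfs|atapi|iastor|volsnap|ftdisk|nvata)$'
$storage = @($events | Where-Object { $_.Source -match    $storageSources })
$other   = @($events | Where-Object { $_.Source -notmatch $storageSources })

Write-Host ("Storage-related errors/warnings since {0:yyyy-MM-dd}: {1}" -f $since, $storage.Count)
if ($storage.Count -gt 0) {
    # Bad blocks, controller timeouts and NTFS corruption all surface here;
    # repeated entries from the same source are the signal to investigate.
    $storage | Sort-Object TimeGenerated -Descending |
        Select-Object TimeGenerated, Source, EventID, EntryType |
        Format-Table -AutoSize
}

Write-Host ("Other errors/warnings: {0}. Top sources by count:" -f $other.Count)
# After an infection this list is normally dominated by Service Control Manager
# entries for services the malware kept from starting; they stop once the
# machine is clean and rebooted, which is what the reply above describes.
$other | Group-Object Source | Sort-Object Count -Descending |
    Select-Object Count, Name -First 15 | Format-Table -AutoSize
```

If the storage section stays empty across a few days of normal use, the "hundreds of errors" were software noise and nothing more; if it keeps filling, a read-only filesystem check (`chkdsk C:` without `/f`) and the drive vendor's SMART diagnostics are the next steps, which is a general practice rather than anything the thread prescribes.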


#15 hYlAnDeR~TFC (Topic Starter, Members, 257 posts)

Posted 15 February 2011 - 12:37 AM

Whew! That is great to hear. Just got back online, that last Windows update took a very long time to reboot.

Anyways, thanks again!

I guess we can go ahead and close this ticket.