
Rootkit infection



#1 RMislander


Posted 13 March 2011 - 04:10 AM

Hi, I am new to this site and came here because I was looking for assistance on how to remove a rootkit from my computer.

I ran AVG and Malwarebytes. The latter detected the rootkit, but seems unable to remove it. I ran combofix on advice from another site before I came here and read that I shouldn't run it unless told to do so. Anyway, it's already been run and a log was generated. What should I do next? Any help would be greatly appreciated!




Edit: after running Combofix, I ran Malwarebytes again and it detected no malicious items, when before there was one malicious item. Does this mean that Combofix took care of the problem?

Edited by RMislander, 13 March 2011 - 06:28 AM.



#2 ken545

    Malware Response Team

Posted 16 March 2011 - 07:03 PM

Hi, Welcome to Bleeping Computer,

Combofix is a very powerful tool, and what it can fix on one system it can damage on another. This forum and sUbs will not be responsible if you ran CF on your own and it damaged your system.

Let's do this.

C:\ComboFix.txt <--You can find the log from Combofix here, post it please



Then run this program


Download DDS from one of the links below to your desktop

Link 1
Link 2

  • Double click the tool to run it.
  • A black screen will open, just read the contents and do nothing.
  • When the tool finishes, it will open 2 reports, DDS.txt and attach.txt
  • Copy/Paste the contents of 'DDS.txt' into your post.
  • 'attach.txt' should be zipped using Windows native zip utility and attached to your post. Compress and uncompress files (zip files)



#3 RMislander


Posted 17 March 2011 - 10:20 AM

Yes of course, if my computer is damaged in some way because of Combofix, that's my own fault, but hopefully this isn't the case.

Attached are the Combofix log and the other two logs from the program you suggested.

ComboFix 11-03-12.01 - Rich 03/13/2011 17:27:18.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.894.238 [GMT 9:00]
Running from: d:\data downloads\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Rich\AppData\Roaming\install
c:\users\Rich\AppData\Roaming\scgdfgasfbh.bat
c:\windows\system32\drivers\str.sys
c:\windows\system32\JRSKD24.SYS
c:\windows\system32\shimg.dll
c:\windows\system32\swt-win32-3232.dll
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_JRSKD24
-------\Service_JRSKD24
.
.
((((((((((((((((((((((((( Files Created from 2011-02-13 to 2011-03-13 )))))))))))))))))))))))))))))))
.
.
2011-03-13 08:37 . 2011-03-13 08:42 -------- d-----w- c:\users\Rich\AppData\Local\temp
2011-03-13 08:37 . 2011-03-13 08:37 -------- d-----w- c:\users\Friend\AppData\Local\temp
2011-03-13 08:37 . 2011-03-13 08:37 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-03-13 08:21 . 2011-03-13 08:22 -------- d-----w- C:\32788R22FWJFW
2011-03-11 17:36 . 2011-02-11 06:54 5943120 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{55D82813-1A2E-486D-80C3-47B01379A06E}\mpengine.dll
2011-02-28 22:44 . 2011-02-28 22:44 -------- d-----w- c:\program files\Common Files\Skype
2011-02-17 16:57 . 2011-02-17 16:57 -------- d-----w- c:\program files\Amazon
2011-02-16 12:23 . 2006-01-04 10:16 290816 ----a-w- c:\windows\system32\WINHTTP5.DLL
2011-02-16 12:23 . 2011-02-16 12:23 -------- d-----w- c:\users\Rich\AppData\Roaming\nprotect
2011-02-16 12:23 . 2011-02-16 12:23 -------- d-----w- c:\program files\Common Files\INCA Shared
2011-02-16 12:22 . 2011-02-16 12:22 -------- d-----w- c:\users\Rich\AppData\Roaming\ClientKeeper
2011-02-16 12:22 . 2011-02-16 12:22 137128 ----a-r- c:\windows\system32\CKAgent.exe
2011-02-16 12:22 . 2011-02-16 12:22 126048 ----a-w- c:\windows\system32\kcrtx86.sys
2011-02-16 12:22 . 2011-02-16 12:22 19496 ----a-r- c:\windows\system32\JRSUKD25.SYS
2011-02-16 12:22 . 2010-11-11 02:14 214952 ----a-w- c:\windows\system32\npKeyPro.dll
2011-02-16 12:22 . 2009-11-26 08:01 434428 ----a-w- c:\windows\system32\CKCSP.dll
2011-02-16 12:22 . 2010-11-11 02:14 529920 ----a-w- c:\windows\system32\XecureCK.dll
2011-02-16 12:22 . 2010-11-11 02:13 149416 ----a-w- c:\windows\system32\JRSoftcp.dll
2011-02-16 12:22 . 2010-11-11 02:13 173992 ----a-w- c:\windows\system32\CKApp.dll
2011-02-16 12:18 . 2011-02-16 12:18 -------- d-----w- c:\program files\NPKI
2011-02-16 12:18 . 2011-02-16 12:18 -------- d--h--w- c:\windows\yessign
2011-02-16 12:18 . 2011-02-16 12:18 -------- d-----w- C:\XecureSSL
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-02 08:11 . 2009-10-04 15:13 222080 ------w- c:\windows\system32\MpSigStub.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]
.
[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-02-04 07:50 1197448 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\users\Rich\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\users\Rich\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\users\Rich\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
"Google Update"="c:\users\Rich\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-02-11 133104]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-13 149280]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
.
c:\users\Rich\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Rich\AppData\Roaming\Dropbox\bin\Dropbox.exe [2010-2-26 21979992]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"EnableLUA"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 02:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=c:\windows\pss\Adobe Gamma Loader.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Empowering Technology Launcher.lnk]
backup=c:\windows\pss\Empowering Technology Launcher.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
backup=c:\windows\pss\Kodak EasyShare software.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^Rich^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Dropbox.lnk]
backup=c:\windows\pss\Dropbox.lnk.Startup
backupExtension=.Startup
path=c:\users\Rich\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\?????????]
??????????????e [?]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cafwc
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\capfasem
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eDataSecurity Loader
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QOELOADER
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Task List
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
%ProgramFiles%\Windows Defender\MSASCui.exe -hide [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Assist Launcher]
2006-12-04 21:05 1261568 ----a-w- c:\program files\Acer Assist\launcher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Product Registration]
2006-12-13 18:55 3166208 ----a-w- c:\program files\Acer Registration\ACE1.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
2006-07-12 01:12 90112 ----a-w- c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-02-11 11:11 133104 ----atw- c:\users\Rich\AppData\Local\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 02:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeCam]
2007-01-12 08:48 275800 ----a-w- c:\program files\Microsoft LifeCam\LifeExp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager]
2006-12-08 08:24 614400 ----a-w- c:\progra~1\LAUNCH~1\LManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2006-12-01 05:37 4186112 ----a-w- c:\windows\RtHDVCpl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\supertintin_skype]
2008-08-04 06:57 757760 ----a-w- c:\program files\Supertintin for Skype\supertintin_skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec PIF AlertEng]
2007-03-12 23:30 517768 ----a-w- c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2006-10-23 03:00 815104 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VeohPlugin]
2010-02-22 22:52 2633976 ----a-w- c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VX1000]
2006-12-05 06:38 707360 ----a-w- c:\windows\vVX1000.exe
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"????r"=
"Aim6"=
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R2 jeohuwziab;jeohuwziab;c:\users\Rich\AppData\Local\Temp\DAT7D0C.tmp.exe [x]
R3 kcrtx86;kcrtx86;c:\windows\system32\kcrtx86.sys [2011-02-16 126048]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-02-17 7408]
R3 SMSCIRDA;SMSC Infrared Device Driver;c:\windows\system32\DRIVERS\SMSCirda.sys [2006-10-18 31232]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-04-03 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-02-17 55024]
S2 libusbd;LibUsb-Win32 - Daemon, Version 0.1.10.1;c:\windows\system32\libusbd-nt.exe [2005-03-09 18944]
S2 nPStarterSVC;nProtect Starter;c:\windows\system32\nPStarterSVC.exe [2009-02-17 250145]
S2 SBKUPNT;SBKUPNT;c:\windows\system32\Drivers\SBKUPNT.SYS [2001-07-13 14976]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [2005-03-09 33792]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1664092079-4046628799-4227632575-1000Core.job
- c:\users\Rich\AppData\Local\Google\Update\GoogleUpdate.exe [2009-02-11 11:11]
.
2011-03-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1664092079-4046628799-4227632575-1000UA.job
- c:\users\Rich\AppData\Local\Google\Update\GoogleUpdate.exe [2009-02-11 11:11]
.
2011-03-07 c:\windows\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2011-01-20 09:08]
.
2011-03-13 c:\windows\Tasks\User_Feed_Synchronization-{83D01C09-653A-4451-A4EA-B99D06229C61}.job
- c:\windows\system32\msfeedssync.exe [2006-11-02 09:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com?o=15003&l=dis
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.us.acer.yahoo.com
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {51B1D5ED-67DC-43F0-A3F8-8502F1A5E404} - hxxp://update.nprotect.net/nprotect2007/kiup/ie80/npstarter_0707017.cab
DPF: {6CE20149-ABE3-462E-A1B4-5B549971AA38} - hxxp://ck.softforum.co.kr/CKKeyPro/ibk/CKKeyPro3026_32k.cab
FF - ProfilePath - c:\users\Rich\AppData\Roaming\Mozilla\Firefox\Profiles\lq22b17p.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - Ext: StumbleUpon: {AE93811A-5C9A-4d34-8462-F7B864FC4696} - %profile%\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}
FF - Ext: United States English Spellchecker: en-US@dictionaries.addons.mozilla.org - %profile%\extensions\en-US@dictionaries.addons.mozilla.org
FF - Ext: FaviconizeTab: faviconizetab@espion.just-size.jp - %profile%\extensions\faviconizetab@espion.just-size.jp
FF - Ext: Move Media Player: moveplayer@movenetworks.com - %profile%\extensions\moveplayer@movenetworks.com
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Download Statusbar: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} - %profile%\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: IE Tab Plus: ietab@ip.cn - %profile%\extensions\ietab@ip.cn
FF - Ext: Flashblock: {3d7eb24f-2740-49df-8937-200b1cc08f8a} - %profile%\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKLM-Run-AVG8_TRAY - c:\progra~1\AVG\AVG8\avgtray.exe
MSConfigStartUp-RAM Idle Professional - c:\program files\RAM Idle LE\RAM_XP.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-13 17:41
Windows 6.0.6000 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\users\Rich\AppData\Local\Temp\catchme.dll 53248 bytes executable
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\acer\Mobility Center\MobilityService.exe
c:\program files\Microsoft LifeCam\MSCamS32.exe
c:\windows\system32\npnj5Agent.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\acer\Empowering Technology\eRecovery\eRecoveryService.exe
c:\program files\Windows Media Player\wmpnscfg.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\conime.exe
c:\windows\System32\wsqmcons.exe
.
**************************************************************************
.
Completion time: 2011-03-13 17:51:17 - machine was rebooted
ComboFix-quarantined-files.txt 2011-03-13 08:51
.
Pre-Run: 20,404,092,928 bytes free
Post-Run: 21,162,393,600 bytes free
.
Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - D68068105F9733544B97F0FFBC0EFFDB




.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Rich at 22:47:43.09 on Thu 03/17/2011
Internet Explorer: 7.0.6000.17037 BrowserJavaVersion: 1.6.0_17
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\Ati2evxx.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Windows\system32\libusbd-nt.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Windows\Explorer.EXE
C:\Acer\Mobility Center\MobilityService.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Users\Rich\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\conime.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Java\jre6\bin\javaw.exe
C:\Users\Rich\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe
C:\Windows\system32\taskeng.exe
D:\Data downloads\dds.scr
C:\Windows\system32\conime.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.ask.com?o=15003&l=dis
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.us.acer.yahoo.com
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files\ask.com\GenericAskToolbar.dll
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
mURLSearchHooks: H - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Sopcast Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: Sopcast Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Google Update] "c:\users\rich\appdata\local\google\update\GoogleUpdate.exe" /c
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {51B1D5ED-67DC-43F0-A3F8-8502F1A5E404} - hxxp://update.nprotect.net/nprotect2007/kiup/ie80/npstarter_0707017.cab
DPF: {6CE20149-ABE3-462E-A1B4-5B549971AA38} - hxxp://ck.softforum.co.kr/CKKeyPro/ibk/CKKeyPro3026_32k.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\rich\appdata\roaming\mozilla\firefox\profiles\lq22b17p.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - component: c:\program files\avg\avg10\firefox\components\avgssff.dll
FF - plugin: c:\program files\softforum\xecureweb\activex\npxwebplugin.dll
FF - plugin: c:\program files\softforum\xecureweb\activex\npxwebplugin_file.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\users\rich\appdata\local\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\users\rich\appdata\roaming\mozilla\firefox\profiles\lq22b17p.default\extensions\ietab@ip.cn\plugins\npCoralIETab.dll
FF - plugin: c:\users\rich\appdata\roaming\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\users\rich\appdata\roaming\mozilla\plugins\npgtpo3dautoplugin.dll
FF - Ext: StumbleUpon: {AE93811A-5C9A-4d34-8462-F7B864FC4696} - %profile%\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}
FF - Ext: United States English Spellchecker: en-US@dictionaries.addons.mozilla.org - %profile%\extensions\en-US@dictionaries.addons.mozilla.org
FF - Ext: FaviconizeTab: faviconizetab@espion.just-size.jp - %profile%\extensions\faviconizetab@espion.just-size.jp
FF - Ext: Move Media Player: moveplayer@movenetworks.com - %profile%\extensions\moveplayer@movenetworks.com
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Download Statusbar: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} - %profile%\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: IE Tab Plus: ietab@ip.cn - %profile%\extensions\ietab@ip.cn
FF - Ext: Flashblock: {3d7eb24f-2740-49df-8937-200b1cc08f8a} - %profile%\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: AVG Safe Search: {3f963a5b-e555-4543-90e2-c3908898db71} - c:\program files\avg\avg10\Firefox
.
============= SERVICES / DRIVERS ===============
.
R? jeohuwziab;jeohuwziab
R? kcrtx86;kcrtx86
R? SASENUM;SASENUM
R? SBSDWSCService;SBSD Security Center Service
R? SMSCIRDA;SMSC Infrared Device Driver
S? AVGIDSAgent;AVGIDSAgent
S? AVGIDSDriver;AVGIDSDriver
S? AVGIDSEH;AVGIDSEH
S? AVGIDSFilter;AVGIDSFilter
S? AVGIDSShim;AVGIDSShim
S? Avgldx86;AVG AVI Loader Driver
S? Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield
S? Avgrkx86;AVG Anti-Rootkit Driver
S? Avgtdix;AVG TDI Driver
S? avgwd;AVG WatchDog
S? libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1
S? libusbd;LibUsb-Win32 - Daemon, Version 0.1.10.1
S? SASDIFSV;SASDIFSV
S? SASKUTIL;SASKUTIL
S? SBKUPNT;SBKUPNT
.
=============== Created Last 30 ================
.
2011-03-15 03:54:54 -------- d--h--w- C:\$AVG
2011-03-13 13:56:37 -------- d-----w- c:\users\rich\appdata\roaming\AVG10
2011-03-13 13:51:21 -------- d--h--w- c:\progra~2\Common Files
2011-03-13 13:39:43 -------- d-----w- c:\windows\system32\drivers\AVG
2011-03-13 13:39:43 -------- d-----w- c:\progra~2\AVG10
2011-03-13 13:23:50 -------- d-----w- c:\progra~2\MFAData
2011-03-13 13:13:01 -------- d-----w- c:\users\rich\appdata\roaming\PMS
2011-03-13 08:51:23 -------- d-----w- c:\users\rich\appdata\local\temp
2011-03-13 08:42:10 -------- d-sh--w- C:\$RECYCLE.BIN
2011-03-13 08:22:43 98816 ----a-w- c:\windows\sed.exe
2011-03-13 08:22:43 89088 ----a-w- c:\windows\MBR.exe
2011-03-13 08:22:43 256512 ----a-w- c:\windows\PEV.exe
2011-03-13 08:22:43 161792 ----a-w- c:\windows\SWREG.exe
2011-03-13 08:22:35 -------- d-----w- C:\ComboFix
2011-03-11 17:36:42 5943120 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{55d82813-1a2e-486d-80c3-47b01379a06e}\mpengine.dll
2011-02-17 16:57:02 -------- d-----w- c:\program files\Amazon
2011-02-16 12:23:28 290816 ----a-w- c:\windows\system32\WINHTTP5.DLL
2011-02-16 12:23:21 -------- d-----w- c:\users\rich\appdata\roaming\nprotect
2011-02-16 12:23:12 -------- d-----w- c:\program files\common files\INCA Shared
2011-02-16 12:22:33 -------- d-----w- c:\users\rich\appdata\roaming\ClientKeeper
2011-02-16 12:22:26 137128 ----a-r- c:\windows\system32\CKAgent.exe
2011-02-16 12:22:06 126048 ----a-w- c:\windows\system32\kcrtx86.sys
2011-02-16 12:22:05 434428 ----a-w- c:\windows\system32\CKCSP.dll
2011-02-16 12:22:05 19496 ----a-r- c:\windows\system32\JRSUKD25.SYS
2011-02-16 12:18:35 -------- d--h--w- c:\windows\yessign
2011-02-16 12:18:35 -------- d-----w- C:\XecureSSL
2011-02-16 12:18:35 -------- d-----w- c:\program files\NPKI
.
==================== Find3M ====================
.
2011-02-02 08:11:20 222080 ------w- c:\windows\system32\MpSigStub.exe
.
============= FINISH: 22:52:10.40 ===============

Attached File: Logs.zip (11.47 KB)

Edited by ken545, 17 March 2011 - 10:43 AM.


#4 ken545 (Malware Response Team)

Posted 17 March 2011 - 10:52 AM

Hi,

That was just a standard warning about running Combofix. I am surprised it ran, as you have AVG installed and there were some problems running CF with it installed.

Heads up on this

AskToolbar.dll
* It promotes its toolbars on sites targeted at kids.
* It promotes its toolbars through ads that appear to be part of other companies' sites.
* It promotes its toolbars through other companies' spyware.
* It is installed without any disclosure whatsoever and without any consent from the user whatsoever.
* It solicits installations via "deceptive door openers" that do not accurately describe the offer; failing to affirmatively show a license agreement; linking to a EULA via an off-screen link.
* It makes confusing changes to user's browsers - increasing Ask's revenues while taking users to pages they didn't intend to visit.

uTorrent.exe

File sharing is not recommended, as you're downloading that file from an unknown source; malware writers are aware of this and are using it as one of the latest methods to infect you.

You can uninstall both those programs via Programs and Features in the Control Panel

Please just copy and paste any future logs into the thread in lieu of attaching them; it's easier for us to analyze.

I am looking over your logs and will be back soon

Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

Please consider a donation to help me keep up my fight against malware.

Just a reminder that threads will be closed if no response in 3 days


#5 ken545 (Malware Response Team)

Posted 17 March 2011 - 11:05 AM

While I am looking over your logs, let's run this rootkit scanner.

Scan With RootKitUnHooker

  • Please choose one link and download Rootkit Unhooker and save it to your desktop.
    Link 1
    Link 2
    Link 3
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers and Stealth
  • Uncheck the rest, then click OK
  • When prompted to Select Disks for Scan, make sure C:\ is checked and click OK
  • Wait till the scanner has finished and then click File > Save Report.
  • Save the report somewhere where you can find it. Click Close.
  • Copy the entire contents of the report and paste it in your next reply.

Note: you may get the following warning; just click OK and continue.

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"



#6 RMislander (Topic Starter)

Posted 17 March 2011 - 01:38 PM

Sorry about the logs. I wasn't sure what info from my computer was being posted, and whether I should be concerned about what was being posted for public viewing.

Also:

1) I did not find the asktoolbar program under Programs and Features as you had recommended.
2) When I first tried to run Combofix, it would not allow me even after I had shut off AVG, so I uninstalled AVG, ran Combofix, then reinstalled AVG. So you're right, Combofix wouldn't run unless AVG was gone.


The report is pasted below:


RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows Vista
Version 6.0.6000
Number of processors #2
==============================================
>Drivers
==============================================
0x8C0CF000 C:\Windows\system32\DRIVERS\atikmdag.sys 7540736 bytes (ATI Technologies Inc., ATI Radeon Kernel Mode Driver)
0x82000000 C:\Windows\system32\ntkrnlpa.exe 3805184 bytes (Microsoft Corporation, NT Kernel & System)
0x82000000 PnpManager 3805184 bytes
0x82000000 RAW 3805184 bytes
0x82000000 WMIxWDM 3805184 bytes
0x94E00000 Win32k 2097152 bytes
0x94E00000 C:\Windows\System32\win32k.sys 2097152 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0x8CE6D000 C:\Windows\system32\drivers\RTKVHDA.sys 1650688 bytes (Realtek Semiconductor Corp., Realtek® High Definition Audio Function Driver)
0x84EF8000 C:\Windows\System32\Drivers\Ntfs.sys 1081344 bytes (Microsoft Corporation, NT File System Driver)
0x81E68000 C:\Windows\system32\drivers\ndis.sys 1064960 bytes (Microsoft Corporation, NDIS 6.0 wrapper driver)
0x8D0FD000 C:\Windows\system32\DRIVERS\HSX_DPV.sys 1060864 bytes (Conexant Systems, Inc., HSF_DP driver)
0x8071F000 C:\Windows\system32\CI.dll 921600 bytes (Microsoft Corporation, Code Integrity Module)
0x9AB22000 C:\Windows\system32\drivers\peauth.sys 909312 bytes (Microsoft Corporation, Protected Environment Authentication and Authorization Export Driver)
0x8D46B000 C:\Windows\System32\drivers\tcpip.sys 872448 bytes (Microsoft Corporation, TCP/IP Driver)
0x8D049000 C:\Windows\system32\DRIVERS\HSX_CNXT.sys 737280 bytes (Conexant Systems, Inc., HSF_CNXT driver)
0x8C032000 C:\Windows\System32\drivers\dxgkrnl.sys 643072 bytes (Microsoft Corporation, DirectX Graphics Kernel)
0x97172000 C:\Windows\system32\drivers\spsys.sys 581632 bytes (Microsoft Corporation, security processor)
0x8C931000 C:\Windows\system32\DRIVERS\athr.sys 528384 bytes (Atheros Communications, Inc., Atheros Extensible Wireless LAN device driver)
0x806A4000 C:\Windows\system32\drivers\Wdf01000.sys 503808 bytes (Microsoft Corporation, WDF Dynamic)
0x84E8E000 C:\Windows\System32\Drivers\ksecdd.sys 434176 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0x97797000 C:\Windows\system32\drivers\HTTP.sys 430080 bytes (Microsoft Corporation, HTTP Protocol Stack)
0x97BAF000 C:\Windows\System32\DRIVERS\srv.sys 331776 bytes (Microsoft Corporation, Server driver)
0x81FB6000 C:\Windows\System32\drivers\volmgrx.sys 303104 bytes (Microsoft Corporation, Volume Manager Extension Driver)
0x8D423000 C:\Windows\system32\DRIVERS\avgtdix.sys 294912 bytes (AVG Technologies CZ, s.r.o., AVG Network connection watcher)
0x8D707000 C:\Windows\system32\drivers\afd.sys 290816 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x8042A000 C:\Windows\system32\drivers\acpi.sys 274432 bytes (Microsoft Corporation, ACPI Driver for NT)
0x8C89B000 C:\Windows\system32\DRIVERS\storport.sys 262144 bytes (Microsoft Corporation, Microsoft Storage Port Driver)
0x8CA74000 C:\Windows\system32\DRIVERS\HSXHWAZL.sys 249856 bytes (Conexant Systems, Inc., HSF_HWAZL WDM driver)
0x8C9C3000 C:\Windows\system32\DRIVERS\USBPORT.SYS 249856 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0x8D637000 C:\Windows\system32\DRIVERS\avgldx86.sys 245760 bytes (AVG Technologies CZ, s.r.o., AVG AVI Loader Driver)
0x8047A000 C:\Windows\system32\CLFS.SYS 241664 bytes (Microsoft Corporation, Common Log File System Driver)
0x8D68A000 C:\Windows\system32\DRIVERS\rdbss.sys 241664 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0x976E0000 C:\Windows\system32\DRIVERS\mrxsmb10.sys 233472 bytes (Microsoft Corporation, Longhorn SMB Downlevel SubRdr)
0x81E04000 C:\Windows\system32\drivers\NETIO.SYS 233472 bytes (Microsoft Corporation, Network I/O Subsystem)
0x84E58000 C:\Windows\system32\drivers\volsnap.sys 221184 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0x823A1000 ACPI_HAL 212992 bytes
0x823A1000 C:\Windows\system32\hal.dll 212992 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0x8CBCC000 C:\Windows\system32\DRIVERS\usbhub.sys 212992 bytes (Microsoft Corporation, Default Hub Driver for USB)
0x8D74E000 C:\Windows\System32\DRIVERS\netbt.sys 204800 bytes (Microsoft Corporation, MBT Transport driver)
0x81F85000 C:\Windows\system32\drivers\fltmgr.sys 200704 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0x9AC0E000 C:\Windows\System32\Drivers\RDPWD.SYS 188416 bytes (Microsoft Corporation, RDP Terminal Stack Driver)
0x8CAD6000 C:\Windows\system32\drivers\portcls.sys 184320 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0x8C8DB000 C:\Windows\system32\DRIVERS\msiscsi.sys 176128 bytes (Microsoft Corporation, Microsoft iSCSI Initiator Driver)
0x81E3D000 C:\Windows\system32\drivers\msrpc.sys 176128 bytes (Microsoft Corporation, Kernel Remote Procedure Call Provider)
0x96225000 C:\Windows\system32\DRIVERS\nwifi.sys 176128 bytes (Microsoft Corporation, NativeWiFi Miniport Driver)
0x8C007000 C:\Windows\system32\DRIVERS\SynTP.sys 176128 bytes (Synaptics, Inc., Synaptics Touchpad Driver)
0x8C824000 C:\Windows\system32\DRIVERS\ks.sys 172032 bytes (Microsoft Corporation, Kernel CSA Library)
0x8062D000 C:\Windows\system32\DRIVERS\pcmcia.sys 172032 bytes (Microsoft Corporation, PCMCIA Bus Driver)
0x9ACFC000 C:\Windows\system32\DRIVERS\AVGIDSDriver.Sys 163840 bytes (AVG Technologies CZ, s.r.o. , IDS Application Activity Monitor Driver.)
0x8E1D8000 C:\Windows\System32\Drivers\fastfat.SYS 163840 bytes (Microsoft Corporation, Fast FAT File System Driver)
0x8CAB1000 C:\Windows\system32\drivers\drmk.sys 151552 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0x84E0D000 C:\Windows\System32\drivers\ecache.sys 151552 bytes (Microsoft Corporation, Special Memory Device Cache)
0x8067F000 C:\Windows\system32\drivers\pci.sys 151552 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0x976AA000 C:\Windows\System32\DRIVERS\srv2.sys 147456 bytes (Microsoft Corporation, Smb 2.0 Server driver)
0x8C861000 C:\Windows\system32\DRIVERS\ndiswan.sys 143360 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0x851CE000 C:\Windows\system32\drivers\CLASSPNP.SYS 135168 bytes (Microsoft Corporation, SCSI Class System Dll)
0x8D6C5000 C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys 135168 bytes (SUPERAdBlocker.com and SUPERAntiSpyware.com, SASKUTIL.SYS)
0x8CE4C000 C:\Windows\System32\drivers\VIDEOPRT.SYS 135168 bytes (Microsoft Corporation, Video Port Driver)
0x97737000 C:\Windows\system32\drivers\mrxdav.sys 131072 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0x80607000 C:\Windows\system32\drivers\ataport.SYS 122880 bytes (Microsoft Corporation, ATAPI Driver Extension)
0x95FA2000 C:\Windows\system32\DRIVERS\irda.sys 122880 bytes (Microsoft Corporation, IRDA Protocol Driver)
0x97719000 C:\Windows\system32\DRIVERS\mrxsmb.sys 122880 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0x95F45000 C:\Windows\system32\drivers\luafv.sys 110592 bytes (Microsoft Corporation, LUA File Virtualization Filter Driver)
0x97004000 C:\Windows\System32\DRIVERS\srvnet.sys 110592 bytes (Microsoft Corporation, Server Network driver)
0x97625000 C:\Windows\system32\DRIVERS\bowser.sys 102400 bytes (Microsoft Corporation, NT Lan Manager Datagram Receiver Driver)
0x8CE13000 C:\Windows\System32\drivers\fwpkclnt.sys 102400 bytes (Microsoft Corporation, FWP/IPsec Kernel-Mode API)
0x8CA0F000 C:\Windows\system32\DRIVERS\cdrom.sys 98304 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0x8C919000 C:\Windows\system32\DRIVERS\sdbus.sys 98304 bytes (Microsoft Corporation, SecureDigital Bus Driver)
0x8D673000 C:\Windows\System32\Drivers\dfsc.sys 94208 bytes (Microsoft Corporation, DFS Client MUP Surrogate Driver)
0x8C884000 C:\Windows\system32\DRIVERS\rasl2tp.sys 94208 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0x8D40D000 C:\Windows\system32\DRIVERS\pacer.sys 90112 bytes (Microsoft Corporation, QoS Packet Scheduler)
0x8D034000 C:\Windows\system32\DRIVERS\tdx.sys 86016 bytes (Microsoft Corporation, TDI Translation Driver)
0x8CB77000 C:\Windows\system32\DRIVERS\WUDFRd.sys 86016 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Reflector)
0x97611000 C:\Windows\System32\drivers\mpsdrv.sys 81920 bytes (Microsoft Corporation, Microsoft Protection Service Driver)
0x8D010000 C:\Windows\system32\DRIVERS\smb.sys 81920 bytes (Microsoft Corporation, SMB Transport driver)
0x8C906000 C:\Windows\system32\DRIVERS\ESM7SK.sys 77824 bytes (ENE Technology Inc., ENE PCI SmartMedia / XD Card Reader Driver)
0x8920B000 C:\Windows\system32\DRIVERS\i8042prt.sys 77824 bytes (Microsoft Corporation, i8042 Port Driver)
0x8C84E000 C:\Windows\system32\DRIVERS\raspptp.sys 77824 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0x9701F000 C:\Windows\system32\DRIVERS\rspndr.sys 77824 bytes (Microsoft Corporation, Link-Layer Topology Responder Driver for NDIS 6)
0x8D6F4000 C:\Windows\system32\DRIVERS\wanarp.sys 77824 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0x8921E000 C:\Windows\system32\DRIVERS\HDAudBus.sys 73728 bytes (Microsoft Corporation, High Definition Audio Bus Driver)
0x976CE000 C:\Windows\system32\DRIVERS\mrxsmb20.sys 73728 bytes (Microsoft Corporation, Longhorn SMB 2.0 Redirector)
0x8D614000 C:\Windows\system32\DRIVERS\USBSTOR.SYS 73728 bytes (Microsoft Corporation, USB Mass Storage Class Driver)
0x8E1AD000 C:\Windows\system32\DRIVERS\WUDFPf.sys 73728 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Platform Driver)
0x851EF000 C:\Windows\system32\drivers\disk.sys 69632 bytes (Microsoft Corporation, PnP Disk Driver)
0x97600000 C:\Acer\Empowering Technology\eRecovery\int15.sys 69632 bytes
0x8C9B2000 C:\Windows\system32\DRIVERS\Rtnicxp.sys 69632 bytes (Realtek Semiconductor Corporation , Realtek 10/100 NDIS 5.1 Driver )
0x85B14000 C:\Windows\system32\DRIVERS\EMS7SK.sys 65536 bytes (ENE Technology Inc., ENE PCI Memory Stick Card Reader Driver)
0x81F75000 C:\Windows\system32\drivers\fileinfo.sys 65536 bytes (Microsoft Corporation, FileInfo Filter Driver)
0x85B54000 C:\Windows\system32\DRIVERS\HIDCLASS.SYS 65536 bytes (Microsoft Corporation, Hid Class Library)
0x85AB4000 C:\Windows\system32\DRIVERS\lltdio.sys 65536 bytes (Microsoft Corporation, Link-Layer Topology Mapper I/O Driver)
0x80665000 C:\Windows\System32\drivers\mountmgr.sys 65536 bytes (Microsoft Corporation, Mount Point Manager)
0x85B34000 C:\Windows\System32\Drivers\NDProxy.SYS 65536 bytes (Microsoft Corporation, NDIS Proxy)
0x85086000 C:\Windows\system32\DRIVERS\amdk8.sys 61440 bytes (Microsoft Corporation, Processor Device Driver)
0x8926C000 C:\Windows\system32\DRIVERS\monitor.sys 61440 bytes (Microsoft Corporation, Monitor Driver)
0x84E32000 C:\Windows\System32\Drivers\mup.sys 61440 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0x84E41000 C:\Windows\System32\drivers\partmgr.sys 61440 bytes (Microsoft Corporation, Partition Management Driver)
0x89230000 C:\Windows\system32\DRIVERS\raspppoe.sys 61440 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0x8923F000 C:\Windows\system32\DRIVERS\termdd.sys 61440 bytes (Microsoft Corporation, Terminal Server Driver)
0x8040A000 C:\Windows\system32\drivers\volmgr.sys 61440 bytes (Microsoft Corporation, Volume Manager Driver)
0x95810000 C:\Windows\System32\cdd.dll 57344 bytes (Microsoft Corporation, Canonical Display Driver)
0x8C806000 C:\Windows\system32\drivers\libusb0.sys 57344 bytes
0x8D002000 C:\Windows\system32\DRIVERS\netbios.sys 57344 bytes (Microsoft Corporation, NetBIOS interface driver)
0x8CA01000 C:\Windows\System32\Drivers\Npfs.SYS 57344 bytes (Microsoft Corporation, NPFS Driver)
0x80657000 C:\Windows\system32\drivers\PCIIDEX.SYS 57344 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0x8800D000 C:\Windows\system32\DRIVERS\usbehci.sys 57344 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0x8DE84000 C:\Windows\System32\Drivers\crashdmp.sys 53248 bytes (Microsoft Corporation, Crash Dump Driver)
0x8CA67000 C:\Windows\system32\drivers\modem.sys 53248 bytes (Microsoft Corporation, Modem Device Driver)
0x88000000 C:\Windows\system32\DRIVERS\umbus.sys 53248 bytes (Microsoft Corporation, User-Mode Bus Enumerator)
0x8801B000 C:\Windows\System32\drivers\watchdog.sys 53248 bytes (Microsoft Corporation, Watchdog Driver)
0x8046D000 C:\Windows\system32\drivers\WDFLDR.SYS 53248 bytes (Microsoft Corporation, WDFLDR)
0x85A56000 C:\Windows\system32\DRIVERS\avgmfx86.sys 49152 bytes (AVG Technologies CZ, s.r.o., AVG Resident Shield Minifilter Driver)
0x8D5F4000 C:\Windows\System32\DRIVERS\tssecsrv.sys 49152 bytes (Microsoft Corporation, TS Security Filter Driver)
0x8D540000 C:\Windows\System32\drivers\vga.sys 49152 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0x8816C000 C:\Windows\system32\DRIVERS\AVGIDSShim.Sys 45056 bytes (AVG Technologies CZ, s.r.o. , IDS Application Activity Monitor Loader Driver.)
0x88156000 C:\Windows\System32\Drivers\dump_dumpata.sys 45056 bytes
0x880F3000 C:\Windows\system32\DRIVERS\ESD7SK.sys 45056 bytes (ENE Technology Inc., ENE PCI Secure Digital / MMC Card Reader Driver)
0x880DD000 C:\Windows\system32\DRIVERS\kbdclass.sys 45056 bytes (Microsoft Corporation, Keyboard Class Driver)
0x880E8000 C:\Windows\system32\DRIVERS\mouclass.sys 45056 bytes (Microsoft Corporation, Mouse Class Driver)
0x88114000 C:\Windows\System32\Drivers\Msfs.SYS 45056 bytes (Microsoft Corporation, Mailslot driver)
0x88109000 C:\Windows\system32\DRIVERS\ndistapi.sys 45056 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0x88135000 C:\Windows\System32\drivers\tcpipreg.sys 45056 bytes (Microsoft Corporation, TCP/IP Registry Compatibility Driver)
0x880FE000 C:\Windows\system32\DRIVERS\TDI.SYS 45056 bytes (Microsoft Corporation, TDI Wrapper)
0x88161000 C:\Windows\system32\drivers\tdtcp.sys 45056 bytes (Microsoft Corporation, TCP Transport Driver)
0x880D2000 C:\Windows\system32\DRIVERS\tunnel.sys 45056 bytes (Microsoft Corporation, Microsoft Tunnel Interface Driver)
0x893F6000 C:\Windows\system32\DRIVERS\AVGIDSFilter.Sys 40960 bytes (AVG Technologies CZ, s.r.o. , IDS Application Activity Monitor Filter Driver.)
0x80675000 C:\Windows\system32\DRIVERS\BATTC.SYS 40960 bytes (Microsoft Corporation, Battery Class Driver)
0x89374000 C:\Windows\system32\DRIVERS\DKbFltr.sys 40960 bytes (Dritek System Inc., Dritek PS2 Keyboard Filter Driver)
0x88038000 C:\Windows\System32\drivers\Dxapi.sys 40960 bytes (Microsoft Corporation, DirectX API Driver)
0x8937E000 C:\Windows\system32\DRIVERS\mssmbios.sys 40960 bytes (Microsoft Corporation, System Management BIOS Driver)
0x8939C000 C:\Windows\system32\DRIVERS\ndisuio.sys 40960 bytes (Microsoft Corporation, NDIS User mode I/O driver)
0x89392000 C:\Windows\system32\drivers\nsiproxy.sys 40960 bytes (Microsoft Corporation, NSI Proxy)
0x893E2000 C:\Windows\System32\Drivers\secdrv.SYS 40960 bytes (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K., Macrovision SECURITY Driver)
0x8936A000 C:\Windows\system32\DRIVERS\usbohci.sys 40960 bytes (Microsoft Corporation, OHCI USB Miniport Driver)
0x851C5000 C:\Windows\system32\DRIVERS\AVGIDSEH.Sys 36864 bytes (AVG Technologies CZ, s.r.o. , IDS Application Activity Monitor Helper Driver.)
0x84E04000 C:\Windows\system32\drivers\crcdisk.sys 36864 bytes (Microsoft Corporation, Disk Block Verification Filter Driver)
0x88054000 C:\Windows\System32\Drivers\Fs_Rec.SYS 36864 bytes (Microsoft Corporation, File System Recognizer Driver)
0x88042000 C:\Windows\system32\DRIVERS\hidusb.sys 36864 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xA2EF2000 C:\Windows\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0x804BD000 C:\Windows\system32\PSHED.dll 36864 bytes (Microsoft Corporation, Platform Specific Hardware Error Driver)
0x81F6C000 C:\Windows\System32\Drivers\PxHelp20.sys 36864 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0x88066000 C:\Windows\System32\DRIVERS\rasacd.sys 36864 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0x95800000 C:\Windows\System32\TSDDD.dll 36864 bytes (Microsoft Corporation, Framebuffer Display Driver)
0x88093000 C:\Windows\system32\DRIVERS\tunmp.sys 36864 bytes (Microsoft Corporation, Microsoft Tunnel Interface Driver)
0x8809C000 C:\Windows\system32\DRIVERS\wmiacpi.sys 36864 bytes (Microsoft Corporation, Windows Management Interface for ACPI)
0x80421000 C:\Windows\system32\drivers\WMILIB.SYS 36864 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0x80625000 C:\Windows\system32\drivers\atapi.sys 32768 bytes (Microsoft Corporation, ATAPI IDE Miniport Driver)
0x804B5000 C:\Windows\system32\BOOTVID.dll 32768 bytes (Microsoft Corporation, VGA Boot Driver)
0x8D7C8000 C:\Windows\System32\Drivers\dump_atapi.sys 32768 bytes
0x804C6000 C:\Windows\system32\kdcom.dll 32768 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0x8D790000 C:\Windows\system32\DRIVERS\mouhid.sys 32768 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0x80419000 C:\Windows\system32\drivers\msisadrv.sys 32768 bytes (Microsoft Corporation, ISA Driver)
0x85E77000 C:\Windows\System32\DRIVERS\RDPCDD.sys 32768 bytes (Microsoft Corporation, RDP Miniport)
0x85E7F000 C:\Windows\system32\drivers\rdpencdd.sys 32768 bytes (Microsoft Corporation, RDP Miniport)
0x84E50000 C:\Windows\System32\Drivers\spldr.sys 32768 bytes (Microsoft Corporation, loader for security processor)
0x85E97000 C:\Windows\system32\DRIVERS\xaudio.sys 32768 bytes (Conexant Systems, Inc., Modem Audio Device Driver)
0x85E2A000 C:\Windows\System32\Drivers\Beep.SYS 28672 bytes (Microsoft Corporation, BEEP Driver)
0x85E31000 C:\Windows\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0x85E07000 C:\Users\Rich\AppData\Local\Temp\mbr.sys 28672 bytes
0x85E23000 C:\Windows\System32\Drivers\Null.SYS 28672 bytes (Microsoft Corporation, NULL Driver)
0x80400000 C:\Windows\system32\drivers\pciide.sys 28672 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
0x881A0000 C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS 24576 bytes (SUPERAdBlocker.com and SUPERAntiSpyware.com, SASDIFSV.SYS)
0x80602000 C:\Windows\system32\DRIVERS\avgrkx86.sys 20480 bytes (AVG Technologies CZ, s.r.o., AVG Anti-Rootkit Driver)
0x8CA57000 C:\Windows\System32\Drivers\ASPI32.SYS 16384 bytes (Adaptec, ASPI for WIN32 Kernel Driver)
0x8935C000 C:\Windows\system32\DRIVERS\CmBatt.sys 16384 bytes (Microsoft Corporation, Control Method Battery Driver)
0x85F1F000 C:\PROGRA~1\LAUNCH~1\DPortIO.sys 16384 bytes (Dritek System Inc., General Port I/O)
0x98414000 C:\Windows\system32\DRIVERS\mdmxsdk.sys 16384 bytes (Conexant, Diagnostic Interface x86 Driver)
0x9AAEA000 C:\Windows\system32\Drivers\SBKUPNT.SYS 16384 bytes
0x80407000 C:\Windows\system32\DRIVERS\compbatt.sys 12288 bytes (Microsoft Corporation, Composite Battery Driver)
0x9768C000 C:\Program Files\321Studios\Shared\CDRPDACC.SYS 8192 bytes (Arrowkey, CD Device Access)
0x85F98000 C:\Windows\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0x85FA2000 C:\Windows\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0x8CB0B000 C:\Windows\System32\Drivers\PQNTDrv.SYS 4096 bytes (PowerQuest Corporation, PowerQuest Boot Mode Driver.)
==============================================
>Stealth
==============================================
0x009C0000 Hidden Image-->IERYETF.dll [ EPROCESS 0x8E9E9AD8 ] PID: 2744, 28672 bytes
0x009B0000 Hidden Image-->ServiceInterface.dll [ EPROCESS 0x8E9E9AD8 ] PID: 2744, 28672 bytes
0x008C0000 Hidden Image-->MobilityInterface.dll [ EPROCESS 0x96FD6020 ] PID: 2100, 45056 bytes
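
The RkU report above is the raw material a responder reads by eye; the script below, added here as an example and not part of the thread or of RootKit Unhooker itself, does that first pass mechanically. It parses the >Drivers and >Stealth sections, flags kernel modules that carry no vendor string or are loaded from outside the Windows directory (with user-writable locations such as Temp ranked first), and groups the Stealth hits by PID. The sample report embedded in the script is a handful of lines taken from the report above; the path heuristics are this example's own assumptions, not RkU's.

```python
"""Triage helper for a RootKit Unhooker (RkU LE) report.

Added example for this thread: not part of RkU and not code posted by either
participant. The path heuristics below are this example's own assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# One driver line:  <base> <path> <size> bytes [(vendor, description)]
DRIVER_RE = re.compile(
    r"^(?P<base>0x[0-9A-Fa-f]+)\s+(?P<path>.+?)\s+(?P<size>\d+) bytes"
    r"(?:\s+\((?P<vendor>.*)\))?\s*$"
)
# One stealth line: <base> Hidden Image--><image> [ EPROCESS <addr> ] PID: <pid>, <size> bytes
STEALTH_RE = re.compile(
    r"^(?P<base>0x[0-9A-Fa-f]+)\s+Hidden Image-->(?P<image>\S+)\s+"
    r"\[ EPROCESS (?P<eproc>0x[0-9A-Fa-f]+) \] PID: (?P<pid>\d+), (?P<size>\d+) bytes$"
)
# Assumption: a legitimately installed driver never loads from these places.
USER_WRITABLE = ("\\temp\\", "\\users\\", "\\appdata\\", "\\documents and settings\\")


@dataclass
class Finding:
    base: str
    path: str
    size: int
    vendor: str | None
    reasons: list[str] = field(default_factory=list)


def parse_sections(report: str) -> dict[str, list[str]]:
    """Split the report into its '>Name' sections, dropping blank and '====' rule lines."""
    sections: dict[str, list[str]] = {}
    current = None
    for raw in report.splitlines():
        line = raw.strip()
        if not line or set(line) == {"="}:
            continue
        if line.startswith(">"):
            current = line[1:]
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def triage_drivers(lines: list[str]) -> list[Finding]:
    """Flag modules with no vendor string or an unusual load path.
    Entries without a drive letter (PnpManager, RAW, WMIxWDM) are kernel
    pseudo-objects rather than files on disk, so the path checks skip them."""
    findings: list[Finding] = []
    for line in lines:
        m = DRIVER_RE.match(line)
        if not m:
            continue
        f = Finding(m["base"], m["path"], int(m["size"]), m["vendor"])
        low = f.path.lower()
        on_disk = ":\\" in low
        if on_disk and any(tag in low for tag in USER_WRITABLE):
            f.reasons.append("loaded from a user-writable location")
        elif on_disk and not low.startswith("c:\\windows\\"):
            f.reasons.append("loaded from outside %SystemRoot%")
        if on_disk and not f.vendor:
            f.reasons.append("no vendor/description string")
        if f.reasons:
            findings.append(f)
    # Worst first: a driver loaded from Temp or a user profile outranks the rest.
    findings.sort(key=lambda f: 0 if "user-writable" in " ".join(f.reasons) else 1)
    return findings


def hidden_images(lines: list[str]) -> dict[int, list[tuple[str, int]]]:
    """Group Stealth hits (images unlinked from a process's module list) by PID."""
    by_pid: dict[int, list[tuple[str, int]]] = {}
    for line in lines:
        m = STEALTH_RE.match(line)
        if m:
            by_pid.setdefault(int(m["pid"]), []).append((m["image"], int(m["size"])))
    return by_pid


def triage(report: str) -> dict:
    sections = parse_sections(report)
    return {"drivers": triage_drivers(sections.get("Drivers", [])),
            "hidden": hidden_images(sections.get("Stealth", []))}


# Constructed sample: a subset of the lines from the report posted in this thread.
SAMPLE_REPORT = r"""
>Drivers
==============================================
0x8C0CF000 C:\Windows\system32\DRIVERS\atikmdag.sys 7540736 bytes (ATI Technologies Inc., ATI Radeon Kernel Mode Driver)
0x82000000 PnpManager 3805184 bytes
0x8D6C5000 C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys 135168 bytes (SUPERAdBlocker.com and SUPERAntiSpyware.com, SASKUTIL.SYS)
0x97600000 C:\Acer\Empowering Technology\eRecovery\int15.sys 69632 bytes
0x8C806000 C:\Windows\system32\drivers\libusb0.sys 57344 bytes
0xA2EF2000 C:\Windows\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0x85E07000 C:\Users\Rich\AppData\Local\Temp\mbr.sys 28672 bytes
0x9768C000 C:\Program Files\321Studios\Shared\CDRPDACC.SYS 8192 bytes (Arrowkey, CD Device Access)
==============================================
>Stealth
==============================================
0x009C0000 Hidden Image-->IERYETF.dll [ EPROCESS 0x8E9E9AD8 ] PID: 2744, 28672 bytes
0x009B0000 Hidden Image-->ServiceInterface.dll [ EPROCESS 0x8E9E9AD8 ] PID: 2744, 28672 bytes
0x008C0000 Hidden Image-->MobilityInterface.dll [ EPROCESS 0x96FD6020 ] PID: 2100, 45056 bytes
"""

if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for f in result["drivers"]:
        print(f"{f.base} {f.path}: {'; '.join(f.reasons)}")
    for pid, images in sorted(result["hidden"].items()):
        print(f"PID {pid}: {', '.join(name for name, _ in images)}")
```

Read the output the way the tool intends: a flag is a reason to check, not a verdict. On this report the entry that tops the list is mbr.sys loading from the user's Temp folder with no vendor string; the ComboFix log earlier in the thread shows an MBR.exe being dropped into C:\Windows at the time ComboFix ran, which is the obvious candidate source, and confirming that is exactly the step the flag exists to force. Likewise the Stealth hits are images RkU could not find in the owning process's module list, which is how injected code looks but is also how some vendor hooks look, so each one is matched to its process before anything is called a rootkit.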

#7 ken545 (Malware Response Team)

Posted 17 March 2011 - 05:02 PM

Hi,

When you post logs they can be viewed by members of this forum and by the public if they're just browsing around. Unless this computer is a work computer that belongs to a corporation, there really is not much that anyone can use.

No rootkit, but let me ask you this as your logs are a bit complicated.

What can you tell me about ClientKeeper Pro? It looks like CF removed things related to this. Did you knowingly install this program, and do you use it? I'm just trying to determine if it's good or bad.


Please download ATF Cleaner by Atribune to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
Your system may start up slower after running ATF Cleaner; this is expected, but it will be back to normal after the first or second boot up.
Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized your password and other personal information, as removing cookies will temporarily disable the auto-login facility.

Please download Malwarebytes from Here or Here

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected .
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
  • Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report please

OTL by OldTimer
  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Click the "Scan All Users" checkbox.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt.
    Note: These logs can be located in the OTL folder on your C:\ drive if they fail to open automatically.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them both in.



#8 RMislander (Topic Starter)

Posted 18 March 2011 - 08:33 AM

Ok here are the logs:

Malwarebytes:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6093

Windows 6.0.6000
Internet Explorer 7.0.6000.17037

3/18/2011 12:05:21 PM
mbam-log-2011-03-18 (12-05-21).txt

Scan type: Quick scan
Objects scanned: 154624
Time elapsed: 7 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



Extras:

OTL Extras logfile created on: 3/18/2011 12:14:26 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = D:\Data downloads
Windows Vista Home Premium Edition (Version = 6.0.6000) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6000.17037)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

894.00 Mb Total Physical Memory | 358.00 Mb Available Physical Memory | 40.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 33.00% Paging File free
Paging file location(s): c:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 52.14 Gb Total Space | 19.81 Gb Free Space | 38.00% Space Free | Partition Type: NTFS
Drive D: | 51.84 Gb Total Space | 35.13 Gb Free Space | 67.76% Space Free | Partition Type: NTFS
Drive E: | 465.65 Gb Total Space | 235.30 Gb Free Space | 50.53% Space Free | Partition Type: FAT32
Drive F: | 955.23 Mb Total Space | 95.31 Mb Free Space | 9.98% Space Free | Partition Type: FAT

Computer Name: RICH-PC | User Name: Rich | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

[HKEY_USERS\S-1-5-21-1664092079-4046628799-4227632575-1000\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\BitTorrent\bittorrent.exe" = C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0A0D8875-955C-4B79-8B29-8414EBAEE804}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{3FA2BD43-95E0-41D9-9EA9-171E39AEC509}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe |
"{86E64BE0-FD5A-479C-8269-940F3233D759}" = lport=3702 | protocol=17 | dir=in | svc=fdrespub | app=%systemroot%\system32\svchost.exe |
"{89A9EC69-53E1-49F7-AF42-139267EE130D}" = lport=2869 | protocol=6 | dir=in | app=system |
"{8F3DF854-EFEA-4F14-9E09-3CC5EA5659F7}" = lport=6004 | protocol=17 | dir=in | app=c:\program files\microsoft office\office12\outlook.exe |
"{9488C187-F9F3-4905-9066-96744C15FB76}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=c:\windows\system32\svchost.exe |
"{A3A2A887-CDA3-4208-8A4F-226F4D8C799B}" = rport=3702 | protocol=17 | dir=out | svc=fdrespub | app=%systemroot%\system32\svchost.exe |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{02C8D5BF-22EF-4CDC-9918-3C386EBC227A}" = protocol=17 | dir=in | app=c:\program files\microsoft lifecam\lifeexp.exe |
"{087C6233-10E3-4382-AE5A-3568F1191CA7}" = protocol=6 | dir=in | app=c:\program files\common files\aol\loader\aolload.exe |
"{0AA66A80-760C-4FEE-809D-EE832E3E9599}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{0ABDDBC1-FA6B-42BF-A8B8-E064F1F74E6B}" = protocol=17 | dir=in | app=c:\program files\aim6\aim6.exe |
"{0B0CB2E5-ADD1-4AA2-8C8A-85023EA21BCB}" = protocol=17 | dir=in | app=c:\program files\limewire\limewire.exe |
"{0BC1B1F0-AD02-449A-8020-47A3895F16E9}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{0DBA6623-5A21-40AD-8ED9-28646B490CB2}" = protocol=6 | dir=in | app=c:\users\rich\appdata\local\google\google talk plugin\googletalkplugin.dll |
"{14D836D1-45EF-4F22-91C8-C841E0C892BD}" = protocol=6 | dir=in | app=c:\program files\avg\avg10\avgmfapx.exe |
"{1DB164F1-225E-42C3-BD97-1E3C9343B240}" = protocol=17 | dir=in | app=c:\program files\avg\avg10\avgemcx.exe |
"{1E48ADC4-E35F-4804-A18F-18658A22BD80}" = protocol=6 | dir=in | app=c:\users\rich\appdata\local\google\google talk plugin\googletalkplugin.exe |
"{1F738D1C-04AF-40B0-BB8F-07110C93989B}" = protocol=17 | dir=in | app=c:\program files\common files\aol\loader\aolload.exe |
"{224D7C5A-5B44-49A1-B816-A5F3B0D1D929}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{23F4D38A-2BAC-4B17-A23A-4E04029CC120}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{34968731-0B84-4AC0-A7A4-A281E3707DC0}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\groove.exe |
"{437E073B-0C8F-47BC-85C2-3D5AE45051B3}" = dir=in | app=c:\program files\skype\plugin manager\skypepm.exe |
"{43D93BB6-C0A7-464E-88E8-13FF2FEAF64C}" = protocol=6 | dir=in | app=c:\program files\avg\avg10\avgemcx.exe |
"{49D6BE38-83B2-4AFA-ABBD-EFBF620BF0F2}" = protocol=6 | dir=in | app=c:\program files\aim6\aim6.exe |
"{4A6AEEAA-8E90-4E57-9FF4-783F8BE3285B}" = protocol=6 | dir=in | app=c:\program files\veoh networks\veohwebplayer\veohwebplayer.exe |
"{4D30BBE8-3978-486B-BB6D-4BABB56A4AF7}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{4D4EC56E-C15D-4EC3-A683-80A5B6496C19}" = protocol=17 | dir=in | app=c:\program files\utorrent\utorrent.exe |
"{51AB7515-9F63-456A-BF22-08EC3E5E3520}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{52CA356F-349B-418C-A0F7-03615F28D517}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{5B1F98FA-DF2C-49FB-8889-8074BDC10A42}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{5EAD75CB-7305-45F7-8202-55AD6E8ADDF7}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{660617B9-3A67-40D4-8F38-8407B12EEC15}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\groove.exe |
"{69ED6AB9-B004-4F2E-AEB2-D78AC359785F}" = protocol=17 | dir=in | app=c:\users\rich\appdata\local\google\google talk plugin\googletalkplugin.exe |
"{6AFA85B8-7256-4587-B3C5-1455BAB4E9E5}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{6E951CE8-A0A9-4A04-BEEE-754E8FB52BD5}" = protocol=17 | dir=in | app=c:\users\rich\appdata\local\google\google talk plugin\googletalkplugin.exe |
"{7375F174-0AAF-4C52-BC6A-7B13F330A88C}" = dir=in | app=c:\program files\msn messenger\livecall.exe |
"{784174ED-06BD-40A2-B557-4AE52CDD33C3}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{7E8991D6-6D4B-45C3-A139-4445355DA809}" = protocol=6 | dir=in | app=c:\program files\limewire\limewire.exe |
"{7E98EAAC-899F-4B7C-A7FA-548E61BDE9D8}" = protocol=17 | dir=in | app=c:\program files\avg\avg10\avgmfapx.exe |
"{85F06963-6C2E-4DFB-8907-9431AD1D0926}" = protocol=17 | dir=in | app=c:\program files\acer arcade deluxe\acer arcade deluxe\mce deluxe suite.exe |
"{8691DE3A-F0CF-4F70-9C05-C900FD1F4679}" = protocol=6 | dir=in | app=c:\users\rich\appdata\roaming\dropbox\bin\dropbox.exe |
"{8B195179-BEFB-412B-9E65-3BC11D9D6834}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{8E5290A2-1D35-4EAB-AE78-B689A527B43F}" = protocol=6 | dir=in | app=c:\program files\avg\avg10\avgnsx.exe |
"{91D0AFF1-F0EC-421E-AF34-97C20631AAD0}" = dir=in | app=c:\program files\msn messenger\msnmsgr.exe |
"{927248FD-E49B-4655-A7C9-99CFC38C9A01}" = protocol=6 | dir=in | app=c:\program files\acer arcade deluxe\acer arcade deluxe\mce deluxe suite.exe |
"{9CF61C96-5F18-45A1-AC52-2E2EC081062F}" = protocol=6 | dir=in | app=c:\program files\utorrent\utorrent.exe |
"{9D6C18D6-7739-45BB-AB56-906FE577468C}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{A0B1B379-B49C-4BA6-8428-F97C88E988B0}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{A1E6CDE9-394B-45E3-B795-E63AAE736B34}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{A6E5D8AD-D798-4A33-AC5F-28B954AA50CB}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{A7DD02FF-8436-4659-A524-FB42077D4789}" = protocol=17 | dir=in | app=c:\program files\veoh networks\veohwebplayer\veohwebplayer.exe |
"{AB5DACDB-90D6-4F3F-9BF1-B4BBCBBBD9E1}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{AF1BB234-3555-4DF9-84A9-40B76085E4A8}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{AF6293C7-8E2D-445C-AFF3-F4DD5403DE8A}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{B02CDFCF-88A2-44DC-89B0-D705465E60F5}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{B0C8302B-BD77-44D0-B5C7-5C90086E9348}" = protocol=6 | dir=in | app=c:\program files\microsoft lifecam\lifeexp.exe |
"{B3E8C1E8-84AD-4028-91CB-210F0EDF59F4}" = protocol=17 | dir=in | app=c:\users\rich\appdata\local\google\google talk plugin\googletalkplugin.dll |
"{B73211AD-D95F-48CF-BFD6-5E7A8A2671AF}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{B798D9D1-EAC4-4231-B502-91D2E0270059}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{B8E82E21-FB73-4F3F-AC18-251E299B4439}" = protocol=17 | dir=in | app=c:\program files\utorrent\utorrent.exe |
"{BAB7F9EC-1F86-4F24-814A-3D45C916D8AF}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{C095D859-F05F-4A00-BECD-189DBD3284DC}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{C21D8BCA-B0CA-4473-849B-0F2764719E60}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{C8684A98-4ECF-4F7F-8DD6-76F7D300C7BD}" = protocol=17 | dir=in | app=c:\users\rich\appdata\local\google\google talk plugin\googletalkplugin.dll |
"{CA420B67-6974-48C9-AF5C-912FCA4FF7C1}" = protocol=6 | dir=in | app=c:\program files\utorrent\utorrent.exe |
"{CE3CDF76-AA89-4899-9405-62C612504942}" = protocol=6 | dir=in | app=c:\users\rich\appdata\local\google\google talk plugin\googletalkplugin.exe |
"{CED83BA6-5A5B-4D08-B78C-5CB82F12DF0A}" = protocol=17 | dir=in | app=c:\program files\avg\avg10\avgnsx.exe |
"{D138401D-C16A-4CBD-92E5-9EF9D5FFF958}" = protocol=6 | dir=in | app=c:\users\rich\appdata\local\google\google talk plugin\googletalkplugin.dll |
"{E36A1DA8-4C15-43DA-9966-6FB2E7CC475A}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{E4BC5090-B940-4536-962F-A2C830C2395F}" = protocol=6 | dir=in | app=c:\program files\utorrent\utorrent.exe |
"{E66A6A23-C7EC-4895-8A45-D1D081BE0808}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{E873AE8F-E7C4-4C13-A401-52C18F281CBD}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{EA9A23FB-78BC-448B-961B-52F0D2CA8247}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{EAF61A77-7E75-4B6F-9A2A-95AFFD1F1C07}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{EEA54EA2-4E41-44B5-9E10-668003CD1E8F}" = protocol=17 | dir=in | app=c:\users\rich\appdata\roaming\dropbox\bin\dropbox.exe |
"{F1226031-24DD-4004-B668-50D8BD460089}" = protocol=17 | dir=in | app=c:\program files\microsoft lifecam\lifecam.exe |
"{F4B28DE8-BA84-4C75-9FCC-D9F1177E80D5}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{F5B8C377-F75F-4AD8-AA83-BAF7583E6CD8}" = protocol=17 | dir=in | app=c:\program files\skype\phone\skype.exe |
"{F769A91E-DFB5-48CD-BBBC-6742834A2EA3}" = protocol=17 | dir=in | app=c:\program files\utorrent\utorrent.exe |
"{F9509BF7-007D-4B1F-9434-35F3D47DEBED}" = protocol=6 | dir=in | app=c:\program files\microsoft lifecam\lifecam.exe |
"TCP Query User{00090499-287A-46FA-8055-A784F99AC876}C:\program files\sopcast\adv\sopadver.exe" = protocol=6 | dir=in | app=c:\program files\sopcast\adv\sopadver.exe |
"TCP Query User{4F6C68F5-98F8-41EA-A765-58120CC7D221}C:\program files\corel\dvd9\windvd.exe" = protocol=6 | dir=in | app=c:\program files\corel\dvd9\windvd.exe |
"TCP Query User{6FE54E95-8859-4F6A-BF7B-267E4ADAECCE}C:\program files\veoh networks\veohwebplayer\veohwebplayer.exe" = protocol=6 | dir=in | app=c:\program files\veoh networks\veohwebplayer\veohwebplayer.exe |
"TCP Query User{A4BB70AE-D001-40D6-A220-45EB9094B722}C:\program files\sopcast\sopcast.exe" = protocol=6 | dir=in | app=c:\program files\sopcast\sopcast.exe |
"TCP Query User{A9E513DD-19C5-44D0-BB94-47ACD82AF8E5}C:\program files\mozilla firefox\firefox.exe" = protocol=6 | dir=in | app=c:\program files\mozilla firefox\firefox.exe |
"TCP Query User{CFC74275-2D44-4F0B-9898-BF8F6FD4C6FD}D:\program files\mirc\mirc.exe" = protocol=6 | dir=in | app=d:\program files\mirc\mirc.exe |
"UDP Query User{5597C35D-B27B-498C-8D5E-9A1C7C293F3C}C:\program files\sopcast\adv\sopadver.exe" = protocol=17 | dir=in | app=c:\program files\sopcast\adv\sopadver.exe |
"UDP Query User{59E587B1-65A4-471E-8D54-9FC083EAC032}C:\program files\corel\dvd9\windvd.exe" = protocol=17 | dir=in | app=c:\program files\corel\dvd9\windvd.exe |
"UDP Query User{5AC360F3-D2DF-4F2F-B82A-A0598C29EF35}C:\program files\sopcast\sopcast.exe" = protocol=17 | dir=in | app=c:\program files\sopcast\sopcast.exe |
"UDP Query User{65B7A43F-1650-45C8-B510-6A3D5BE4BC64}C:\program files\veoh networks\veohwebplayer\veohwebplayer.exe" = protocol=17 | dir=in | app=c:\program files\veoh networks\veohwebplayer\veohwebplayer.exe |
"UDP Query User{9B94077C-0BCC-4EC2-A727-135707790FF9}C:\program files\mozilla firefox\firefox.exe" = protocol=17 | dir=in | app=c:\program files\mozilla firefox\firefox.exe |
"UDP Query User{AD961F49-2E81-4514-BD95-68F239569F57}D:\program files\mirc\mirc.exe" = protocol=17 | dir=in | app=d:\program files\mirc\mirc.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{005F78AF-110D-398A-8430-BE98950A1E22}" = Google Talk Plugin
"{02FDBC93-87BE-4339-8048-77B8389DE16B}" =
"{06C32EA0-4A22-4919-979A-8700715865B8}" = Microsoft LifeCam
"{11316260-6666-467B-AC34-183FCB5D4335}" = Acer Mobility Center Plug-In
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{26A24AE4-039D-4CA4-87B4-2F83216017FF}" = Java™ 6 Update 17
"{330DAC67-5B62-452A-A0E4-6B4A5923940F}_is1" = MotioninJoy ds3 driver version 0.4.0002
"{4160DC5B-4C56-D0C3-C5FD-F5BDAD3C882B}" = ATI Catalyst Install Manager
"{67ADE9AF-5CD9-4089-8825-55DE4B366799}" = NTI Backup NOW! 4.7
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{6BE2A4A4-99FB-48ED-AE1E-4E850389F804}" = PartitionMagic
"{6DCED63C-9502-431F-BED0-4A86353C6755}" = Default
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{79DD56FC-DB8B-47F5-9C80-78B62E05F9BC}" = Acer ScreenSaver
"{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek 8169 PCI, 8168 and 8101E PCIe Ethernet Network Card Driver for Windows Vista
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISE_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{94389919-B0AA-4882-9BE8-9F0B004ECA35}" = Acer Tour
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A276502A-8979-44FB-8090-90CF72F22ABC}" = AVG 2011
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D5855C09-9CBA-B631-0905-9B39647CC862}" = ATI Catalyst Control Center Ex
"{DBA4DB9D-EE51-4944-A419-98AB1F1249C8}" = LiveUpdate Notice (Symantec Corporation)
"{E1180142-3B31-4DCC-9D27-7AC2D37662BF}" = LightScribe 1.4.124.1
"{E35AF511-B618-4D02-B559-0F2147341D3B}" = AVG 2011
"{E633D396-5188-4E9D-8F6B-BFB8BF3467E8}" = Skype 5.1
"{EFBDC2B0-FAA8-4B78-8DE1-AEBE7958FA37}" = Acer Arcade Deluxe
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"÷" = ÷
"Ace Utilities_is1" = Ace Utilities
"Acer Assist" = Acer Assist
"Acer Registration" = Acer Registration
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player
"AIM_6" = AIM 6
"AVG" = AVG 2011
"CCleaner" = CCleaner
"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFAOR2C06_118" = HDAUDIO Soft Data Fax Modem with SmartCP
"CompuApps SwissKnife V3" = CompuApps SwissKnife V3
"DVD X Rescue" = DVD X Rescue
"ENTERPRISE" = Microsoft Office Enterprise 2007
"InstallShield_{6BE2A4A4-99FB-48ED-AE1E-4E850389F804}" = PowerQuest PartitionMagic 8.0 Demo
"LiveUpdate" = LiveUpdate 3.2 (Symantec Corporation)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"mIRC" =
"Mozilla Firefox (3.6.15)" = Mozilla Firefox (3.6.15)
"PS3 Media Server" = PS3 Media Server
"ShockwaveFlash" = Adobe Flash Player 9 ActiveX
"Smart Defrag_is1" = Smart Defrag
"SmartUndelete_is1" = SmartUndelete
"Supertintin for Skype_is1" = Supertintin 1.1.0.0804
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"uTorrent" = Torrent
"ViewpointMediaPlayer" = Viewpoint Media Player
"VLC media player" = VLC media player 1.1.5
"WinRAR archiver" = WinRAR archiver
"XecureWeb Control" = XecureWeb Control
"XP Codec Pack" = XP Codec Pack
"XPayMPI" = XPayMPI 2.0.2.2

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1664092079-4046628799-4227632575-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Dropbox" = Dropbox
"Google Chrome" = Google Chrome
"uTorrent" = Torrent

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 11/17/2008 7:48:59 PM | Computer Name = Rich-PC | Source = Automatic LiveUpdate Scheduler | ID = 101
Description = Information Level: error Initialization of the COM subsystem failed.
Error code: 0x8007041D

Error - 11/17/2008 11:33:49 PM | Computer Name = Rich-PC | Source = Automatic LiveUpdate Scheduler | ID = 101
Description = Information Level: error Initialization of the COM subsystem failed.
Error code: 0x8007041D

Error - 11/18/2008 10:51:20 AM | Computer Name = Rich-PC | Source = UmxAgent | ID = 108
Description =

Error - 11/20/2008 10:49:19 AM | Computer Name = Rich-PC | Source = UmxAgent | ID = 108
Description =

Error - 11/21/2008 7:21:36 PM | Computer Name = Rich-PC | Source = Automatic LiveUpdate Scheduler | ID = 101
Description = Information Level: error Initialization of the COM subsystem failed.
Error code: 0x8007041D

Error - 11/23/2008 10:23:02 PM | Computer Name = Rich-PC | Source = SideBySide | ID = 16842814
Description = Activation context generation failed for "C:\Program Files\Apple Software
Update\Plugins\EXEInstallPlugin.dll.Manifest".Error in manifest or policy file
"C:\Program Files\Apple Software Update\Plugins\EXEInstallPlugin.dll.Manifest" on
line 2. The required attribute version is missing from element assemblyIdentity.

Error - 11/23/2008 10:23:02 PM | Computer Name = Rich-PC | Source = SideBySide | ID = 16842814
Description = Activation context generation failed for "C:\Program Files\Apple Software
Update\Plugins\MSIInstallPlugin.dll.Manifest".Error in manifest or policy file
"C:\Program Files\Apple Software Update\Plugins\MSIInstallPlugin.dll.Manifest" on
line 2. The required attribute version is missing from element assemblyIdentity.

Error - 11/25/2008 7:34:59 PM | Computer Name = Rich-PC | Source = Automatic LiveUpdate Scheduler | ID = 101
Description = Information Level: error Initialization of the COM subsystem failed.
Error code: 0x8007041D

Error - 11/26/2008 12:18:27 PM | Computer Name = Rich-PC | Source = Application Error | ID = 1000
Description = Faulting application mirc.exe, version 6.3.0.0, time stamp 0x46c4bd97,
faulting module winevent.dll_unloaded, version 0.0.0.0, time stamp 0x4421d4a6,
exception code 0xc0000005, fault offset 0x6f9c11d0, process id 0x5b0, application
start time 0x01c94fe109fe39d6.

Error - 11/27/2008 5:58:53 AM | Computer Name = Rich-PC | Source = Automatic LiveUpdate Scheduler | ID = 101
Description = Information Level: error Initialization of the COM subsystem failed.
Error code: 0x8007041D

[ OSession Events ]
Error - 2/11/2010 12:25:45 AM | Computer Name = Rich-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6514.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 17432
seconds with 60 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 3/13/2011 10:09:23 AM | Computer Name = Rich-PC | Source = Service Control Manager | ID = 7009
Description =

Error - 3/13/2011 10:09:23 AM | Computer Name = Rich-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 3/13/2011 9:44:45 PM | Computer Name = Rich-PC | Source = Service Control Manager | ID = 7011
Description =

Error - 3/16/2011 10:42:46 PM | Computer Name = Rich-PC | Source = Service Control Manager | ID = 7011
Description =

Error - 3/17/2011 10:10:24 PM | Computer Name = Rich-PC | Source = Service Control Manager | ID = 7011
Description =

Error - 3/17/2011 10:17:19 PM | Computer Name = Rich-PC | Source = ACPI | ID = 327686
Description = IRQARB: ACPI BIOS does not contain an IRQ for the device in PCI slot
4, function 0. Please contact your system vendor for technical assistance.

Error - 3/17/2011 10:17:19 PM | Computer Name = Rich-PC | Source = ACPI | ID = 327686
Description = IRQARB: ACPI BIOS does not contain an IRQ for the device in PCI slot
5, function 0. Please contact your system vendor for technical assistance.

Error - 3/17/2011 10:18:08 PM | Computer Name = Rich-PC | Source = volmgr | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 3/17/2011 10:18:14 PM | Computer Name = Rich-PC | Source = R300 | ID = 43015
Description = I2c return failed

Error - 3/17/2011 10:18:14 PM | Computer Name = Rich-PC | Source = R300 | ID = 43015
Description = I2c return failed


< End of report >


OTL


OTL logfile created on: 3/18/2011 12:14:26 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = D:\Data downloads
Windows Vista Home Premium Edition (Version = 6.0.6000) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6000.17037)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

894.00 Mb Total Physical Memory | 358.00 Mb Available Physical Memory | 40.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 33.00% Paging File free
Paging file location(s): c:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 52.14 Gb Total Space | 19.81 Gb Free Space | 38.00% Space Free | Partition Type: NTFS
Drive D: | 51.84 Gb Total Space | 35.13 Gb Free Space | 67.76% Space Free | Partition Type: NTFS
Drive E: | 465.65 Gb Total Space | 235.30 Gb Free Space | 50.53% Space Free | Partition Type: FAT32
Drive F: | 955.23 Mb Total Space | 95.31 Mb Free Space | 9.98% Space Free | Partition Type: FAT

Computer Name: RICH-PC | User Name: Rich | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - D:\Data downloads\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Program Files\AVG\AVG10\avgtray.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG10\avgnsx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSMonitor.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG10\avgrsx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG10\avgchsvx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG10\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG10\avgcsrvx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Users\Rich\AppData\Roaming\Dropbox\bin\Dropbox.exe ()
PRC - C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited)
PRC - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe (Safer Networking Ltd.)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe (Symantec Corporation)
PRC - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe (Symantec Corporation)
PRC - C:\Program Files\Microsoft LifeCam\MSCamS32.exe (Microsoft Corporation)
PRC - C:\Acer\Mobility Center\MobilityService.exe ()
PRC - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe (Acer Inc.)
PRC - C:\Windows\System32\libusbd-nt.exe (http://libusb-win32.sourceforge.net)


========== Modules (SafeList) ==========

MOD - D:\Data downloads\OTL.exe (OldTimer Tools)
MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6000.16386_none_5d07289e07e1d100\comctl32.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (LiveUpdate Notice Ex) -- File not found
SRV - (jeohuwziab) -- File not found
SRV - (CLTNetCnService) -- File not found
SRV - (AVGIDSAgent) -- C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe (AVG Technologies CZ, s.r.o.)
SRV - (avgwd) -- C:\Program Files\AVG\AVG10\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
SRV - (SBSDWSCService) -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe (Safer Networking Ltd.)
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (LiveUpdate Notice Service) -- C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe (Symantec Corporation)
SRV - (LiveUpdate) -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_2.EXE (Symantec Corporation)
SRV - (Automatic LiveUpdate Scheduler) -- C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (Symantec Corporation)
SRV - (MSCamSvc) -- C:\Program Files\Microsoft LifeCam\MSCamS32.exe (Microsoft Corporation)
SRV - (MobilityService) -- C:\Acer\Mobility Center\MobilityService.exe ()
SRV - (eRecoveryService) -- C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe (Acer Inc.)
SRV - (libusbd) -- C:\Windows\System32\libusbd-nt.exe (http://libusb-win32.sourceforge.net)


========== Driver Services (SafeList) ==========

DRV - (kcrtx86) -- C:\Windows\System32\kcrtx86.sys (Kings Information & Network)
DRV - (Avgldx86) -- C:\Windows\System32\drivers\avgldx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (Avgtdix) -- C:\Windows\System32\drivers\avgtdix.sys (AVG Technologies CZ, s.r.o.)
DRV - (AVGIDSEH) -- C:\Windows\system32\DRIVERS\AVGIDSEH.Sys (AVG Technologies CZ, s.r.o. )
DRV - (Avgmfx86) -- C:\Windows\System32\drivers\avgmfx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (Avgrkx86) -- C:\Windows\system32\DRIVERS\avgrkx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (AVGIDSShim) -- C:\Windows\System32\drivers\AVGIDSShim.sys (AVG Technologies CZ, s.r.o. )
DRV - (AVGIDSDriver) -- C:\Windows\System32\drivers\AVGIDSDriver.sys (AVG Technologies CZ, s.r.o. )
DRV - (AVGIDSFilter) -- C:\Windows\System32\drivers\AVGIDSFilter.sys (AVG Technologies CZ, s.r.o. )
DRV - (taphss) -- C:\Windows\System32\drivers\taphss.sys (AnchorFree Inc)
DRV - (SASDIFSV) -- C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (SASENUM) -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS ( SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (SASKUTIL) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (RTL8023xp) -- C:\Windows\System32\drivers\Rtnicxp.sys (Realtek Semiconductor Corporation )
DRV - (R300) -- C:\Windows\System32\drivers\atikmdag.sys (ATI Technologies Inc.)
DRV - (VX1000) -- C:\Windows\System32\drivers\VX1000.sys (Microsoft Corporation)
DRV - (athr) -- C:\Windows\System32\drivers\athr.sys (Atheros Communications, Inc.)
DRV - (DritekPortIO) -- C:\Program Files\Launch Manager\DPortIO.sys (Dritek System Inc.)
DRV - (irsir) -- C:\Windows\System32\drivers\irsir.sys (Microsoft Corporation)
DRV - (ESDCR) -- C:\Windows\System32\drivers\ESD7SK.sys (ENE Technology Inc.)
DRV - (ESMCR) -- C:\Windows\System32\drivers\ESM7SK.sys (ENE Technology Inc.)
DRV - (EMSCR) -- C:\Windows\System32\drivers\EMS7SK.sys (ENE Technology Inc.)
DRV - (SMSCIRDA) -- C:\Windows\System32\drivers\smscirda.sys (SMSC)
DRV - (XAudio) -- C:\Windows\System32\drivers\XAudio.sys (Conexant Systems, Inc.)
DRV - (libusb0) -- C:\Windows\System32\drivers\libusb0.sys ()
DRV - (int15) -- C:\Acer\Empowering Technology\eRecovery\int15.sys ()
DRV - (CDRPDACC) -- C:\Program Files\321Studios\Shared\CDRPDACC.SYS (Arrowkey)
DRV - (PQNTDrv) -- C:\Windows\System32\drivers\PQNTDRV.sys (PowerQuest Corporation)
DRV - (SBKUPNT) -- C:\Windows\System32\drivers\SBKUPNT.SYS ()
DRV - (ASPI32) -- C:\Windows\System32\drivers\ASPI32.SYS (Adaptec)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com


IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - Reg Error: Key error. File not found
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - Reg Error: Key error. File not found
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1664092079-4046628799-4227632575-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = http://global.acer.com [binary data]
IE - HKU\S-1-5-21-1664092079-4046628799-4227632575-1000\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Yahoo! Search
IE - HKU\S-1-5-21-1664092079-4046628799-4227632575-1000\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
IE - HKU\S-1-5-21-1664092079-4046628799-4227632575-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com?o=15003&l=dis
IE - HKU\S-1-5-21-1664092079-4046628799-4227632575-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-1664092079-4046628799-4227632575-1000\..\URLSearchHook: {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
IE - HKU\S-1-5-21-1664092079-4046628799-4227632575-1000\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
IE - HKU\S-1-5-21-1664092079-4046628799-4227632575-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultengine: "Ask.com"
FF - prefs.js..browser.search.defaultenginename: "Ask.com"
FF - prefs.js..browser.search.order.1: "Ask.com"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "www.google.com"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.3.3
FF - prefs.js..extensions.enabledItems: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}:0.9.7.2
FF - prefs.js..extensions.enabledItems: faviconizetab@espion.just-size.jp:1.0.1
FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:1.0.0.07103010
FF - prefs.js..extensions.enabledItems: {AE93811A-5C9A-4d34-8462-F7B864FC4696}:3.76
FF - prefs.js..extensions.enabledItems: en-US@dictionaries.addons.mozilla.org:5.0.1
FF - prefs.js..extensions.enabledItems: ietab@ip.cn:1.95.20100930
FF - prefs.js..extensions.enabledItems: {3d7eb24f-2740-49df-8937-200b1cc08f8a}:1.5.14.2
FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:10.0.0.1178
FF - prefs.js..keyword.URL: "http://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q="

FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG10\Firefox\ [2011/03/13 22:41:45 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.15\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/03/10 10:29:51 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.15\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/03/10 10:29:51 | 000,000,000 | ---D | M]

[2009/03/05 00:03:30 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Rich\AppData\Roaming\Mozilla\Extensions
[2011/03/18 11:38:12 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Rich\AppData\Roaming\Mozilla\Firefox\Profiles\lq22b17p.default\extensions
[2010/07/13 22:47:41 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Rich\AppData\Roaming\Mozilla\Firefox\Profiles\lq22b17p.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/11/09 01:13:43 | 000,000,000 | ---D | M] (Flashblock) -- C:\Users\Rich\AppData\Roaming\Mozilla\Firefox\Profiles\lq22b17p.default\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}
[2010/11/09 01:14:10 | 000,000,000 | ---D | M] ("StumbleUpon") -- C:\Users\Rich\AppData\Roaming\Mozilla\Firefox\Profiles\lq22b17p.default\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}
[2010/12/29 14:44:40 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Users\Rich\AppData\Roaming\Mozilla\Firefox\Profiles\lq22b17p.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010/11/09 01:14:04 | 000,000,000 | ---D | M] (Download Statusbar) -- C:\Users\Rich\AppData\Roaming\Mozilla\Firefox\Profiles\lq22b17p.default\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
[2010/11/09 01:14:08 | 000,000,000 | ---D | M] (United States English Spellchecker) -- C:\Users\Rich\AppData\Roaming\Mozilla\Firefox\Profiles\lq22b17p.default\extensions\en-US@dictionaries.addons.mozilla.org
[2010/01/11 01:05:41 | 000,000,000 | ---D | M] (FaviconizeTab) -- C:\Users\Rich\AppData\Roaming\Mozilla\Firefox\Profiles\lq22b17p.default\extensions\faviconizetab@espion.just-size.jp
[2011/03/18 12:09:44 | 000,000,000 | ---D | M] (IE Tab Plus) -- C:\Users\Rich\AppData\Roaming\Mozilla\Firefox\Profiles\lq22b17p.default\extensions\ietab@ip.cn
[2008/08/08 20:17:16 | 000,000,000 | ---D | M] (Move Media Player) -- C:\Users\Rich\AppData\Roaming\Mozilla\Firefox\Profiles\lq22b17p.default\extensions\moveplayer@movenetworks.com
[2009/03/05 00:15:49 | 000,001,591 | ---- | M] () -- C:\Users\Rich\AppData\Roaming\Mozilla\Firefox\Profiles\lq22b17p.default\searchplugins\dictionary.xml
[2008/07/02 22:55:21 | 000,001,108 | ---- | M] () -- C:\Users\Rich\AppData\Roaming\Mozilla\Firefox\Profiles\lq22b17p.default\searchplugins\wikipedia-en.xml
[2011/03/16 01:28:21 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/03/13 22:41:45 | 000,000,000 | ---D | M] (AVG Safe Search) -- C:\PROGRAM FILES\AVG\AVG10\FIREFOX
[2007/04/17 02:07:12 | 000,180,293 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npViewpoint.dll

O1 HOSTS File: ([2011/03/13 17:41:33 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG10\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Sopcast Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
O3 - HKLM\..\Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
O3 - HKLM\..\Toolbar: (Sopcast Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
O3 - HKU\S-1-5-21-1664092079-4046628799-4227632575-1000\..\Toolbar\ShellBrowser: (no name) - {5CBE3B7C-1E47-477E-A7DD-396DB0476E29} - No CLSID value found.
O3 - HKU\S-1-5-21-1664092079-4046628799-4227632575-1000\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
O3 - HKU\S-1-5-21-1664092079-4046628799-4227632575-1000\..\Toolbar\WebBrowser: (Sopcast Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
O4 - HKLM..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKU\S-1-5-21-1664092079-4046628799-4227632575-1000..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited)
O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - Startup: C:\Users\Rich\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk = C:\Users\Rich\AppData\Roaming\Dropbox\bin\Dropbox.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1664092079-4046628799-4227632575-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1664092079-4046628799-4227632575-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1664092079-4046628799-4227632575-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-1664092079-4046628799-4227632575-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: LogonHoursAction = 2
O7 - HKU\S-1-5-21-1664092079-4046628799-4227632575-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DontDisplayLogonHoursWarnings = 1
O9 - Extra Button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - Reg Error: Value error. File not found
O9 - Extra 'Tools' menuitem : PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - Reg Error: Value error. File not found
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O16 - DPF: {51B1D5ED-67DC-43F0-A3F8-8502F1A5E404} http://update.nprotect.net/nprotect2007/kiup/ie80/npstarter_0707017.cab (Reg Error: Key error.)
O16 - DPF: {6CE20149-ABE3-462E-A1B4-5B549971AA38} http://ck.softforum.co.kr/CKKeyPro/ibk/CKKeyPro3026_32k.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 168.126.63.1 168.126.63.2
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG10\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O24 - Desktop WallPaper: C:\Users\Rich\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O24 - Desktop BackupWallPaper: C:\Users\Rich\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG10\avgchsvx.exe /sync) - C:\Program Files\AVG\AVG10\avgchsvx.exe (AVG Technologies CZ, s.r.o.)
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG10\avgrsx.exe /sync /restart) - C:\Program Files\AVG\AVG10\avgrsx.exe (AVG Technologies CZ, s.r.o.)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/03/15 12:54:54 | 000,000,000 | -H-D | C] -- C:\$AVG
[2011/03/13 22:56:37 | 000,000,000 | ---D | C] -- C:\Users\Rich\AppData\Roaming\AVG10
[2011/03/13 22:51:21 | 000,000,000 | -H-D | C] -- C:\ProgramData\Common Files
[2011/03/13 22:50:06 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG 2011
[2011/03/13 22:39:43 | 000,000,000 | ---D | C] -- C:\ProgramData\AVG10
[2011/03/13 22:39:43 | 000,000,000 | ---D | C] -- C:\Windows\System32\drivers\AVG
[2011/03/13 22:23:50 | 000,000,000 | ---D | C] -- C:\ProgramData\MFAData
[2011/03/13 22:13:01 | 000,000,000 | ---D | C] -- C:\Users\Rich\AppData\Roaming\PMS
[2011/03/13 17:51:23 | 000,000,000 | ---D | C] -- C:\Users\Rich\AppData\Local\temp
[2011/03/13 17:42:10 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2011/03/13 17:37:28 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2011/03/13 17:22:43 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
[2011/03/13 17:22:43 | 000,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2011/03/13 17:22:43 | 000,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2011/03/13 17:22:43 | 000,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2011/03/13 17:22:35 | 000,000,000 | ---D | C] -- C:\ComboFix
[2011/03/13 17:21:54 | 000,000,000 | ---D | C] -- C:\32788R22FWJFW
[2011/03/13 17:21:00 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2011/03/13 16:21:16 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/03/01 07:44:15 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Skype
[2011/02/18 01:57:03 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Amazon
[2011/02/18 01:57:02 | 000,000,000 | ---D | C] -- C:\Program Files\Amazon
[2011/02/16 21:23:28 | 000,290,816 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\WINHTTP5.DLL
[2011/02/16 21:23:21 | 000,000,000 | ---D | C] -- C:\Users\Rich\AppData\Roaming\nprotect
[2011/02/16 21:23:12 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\INCA Shared
[2011/02/16 21:22:33 | 000,000,000 | ---D | C] -- C:\Users\Rich\AppData\Roaming\ClientKeeper
[2011/02/16 21:22:26 | 000,137,128 | R--- | C] (SoftForum Co., Ltd.) -- C:\Windows\System32\CKAgent.exe
[2011/02/16 21:22:06 | 000,126,048 | ---- | C] (Kings Information & Network) -- C:\Windows\System32\kcrtx86.sys
[2011/02/16 21:22:05 | 000,434,428 | ---- | C] (SoftForum Corporation) -- C:\Windows\System32\CKCSP.dll
[2011/02/16 21:22:05 | 000,019,496 | R--- | C] (Soft Security Corporation) -- C:\Windows\System32\JRSUKD25.SYS
[2011/02/16 21:18:35 | 000,000,000 | -H-D | C] -- C:\Windows\yessign
[2011/02/16 21:18:35 | 000,000,000 | ---D | C] -- C:\XecureSSL
[2011/02/16 21:18:35 | 000,000,000 | ---D | C] -- C:\Program Files\NPKI
[2007/04/19 23:59:04 | 000,016,384 | ---- | C] ( ) -- C:\Windows\System32\ClearEvent.exe
[2004/11/25 04:25:52 | 000,335,872 | ---- | C] ( ) -- C:\Windows\System32\drvc.dll

========== Files - Modified Within 30 Days ==========

[2011/03/18 12:16:02 | 000,000,904 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1664092079-4046628799-4227632575-1000UA.job
[2011/03/18 12:15:17 | 000,000,416 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{83D01C09-653A-4451-A4EA-B99D06229C61}.job
[2011/03/18 11:18:28 | 000,003,072 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2011/03/18 11:18:28 | 000,003,072 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2011/03/18 11:18:19 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/03/18 11:16:25 | 000,000,012 | ---- | M] () -- C:\Windows\bthservsdp.dat
[2011/03/18 11:15:06 | 000,000,852 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1664092079-4046628799-4227632575-1000Core.job
[2011/03/18 03:39:40 | 000,008,192 | ---- | M] () -- C:\Users\Rich\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/03/18 00:10:14 | 000,011,750 | ---- | M] () -- C:\Users\Rich\Desktop\Logs.zip
[2011/03/17 11:44:44 | 000,634,752 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/03/17 11:44:44 | 000,109,470 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011/03/17 11:08:18 | 000,002,003 | ---- | M] () -- C:\Users\Rich\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2011/03/17 11:08:17 | 000,002,041 | ---- | M] () -- C:\Users\Rich\Desktop\Google Chrome.lnk
[2011/03/17 09:41:16 | 108,891,276 | ---- | M] () -- C:\Windows\System32\drivers\AVG\incavi.avm
[2011/03/13 23:09:25 | 000,000,034 | ---- | M] () -- C:\Windows\System32\npconf.md5
[2011/03/13 22:50:25 | 000,000,834 | ---- | M] () -- C:\Users\Public\Desktop\AVG 2011.lnk
[2011/03/13 22:13:03 | 000,000,833 | ---- | M] () -- C:\Users\Public\Desktop\PS3 Media Server.lnk
[2011/03/13 17:41:33 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2011/02/16 21:22:26 | 000,137,128 | R--- | M] (SoftForum Co., Ltd.) -- C:\Windows\System32\CKAgent.exe
[2011/02/16 21:22:06 | 000,126,048 | ---- | M] (Kings Information & Network) -- C:\Windows\System32\kcrtx86.sys
[2011/02/16 21:22:05 | 000,019,496 | R--- | M] (Soft Security Corporation) -- C:\Windows\System32\JRSUKD25.SYS

========== Files Created - No Company Name ==========

[2011/03/18 00:10:14 | 000,011,750 | ---- | C] () -- C:\Users\Rich\Desktop\Logs.zip
[2011/03/17 09:41:16 | 108,891,276 | ---- | C] () -- C:\Windows\System32\drivers\AVG\incavi.avm
[2011/03/13 22:50:25 | 000,000,834 | ---- | C] () -- C:\Users\Public\Desktop\AVG 2011.lnk
[2011/03/13 22:13:03 | 000,000,833 | ---- | C] () -- C:\Users\Public\Desktop\PS3 Media Server.lnk
[2011/03/13 17:22:43 | 000,256,512 | ---- | C] () -- C:\Windows\PEV.exe
[2011/03/13 17:22:43 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2011/03/13 17:22:43 | 000,089,088 | ---- | C] () -- C:\Windows\MBR.exe
[2011/03/13 17:22:43 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2011/03/13 17:22:43 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2011/02/16 21:23:23 | 000,000,034 | ---- | C] () -- C:\Windows\System32\npconf.md5
[2010/02/21 20:12:36 | 000,040,960 | ---- | C] () -- C:\Windows\System32\ps3sixaxis_en.exe
[2009/05/22 13:57:58 | 000,014,976 | ---- | C] () -- C:\Windows\System32\drivers\SBKUPNT.SYS
[2009/05/22 13:57:58 | 000,013,312 | ---- | C] () -- C:\Windows\System32\DEVLOAD.EXE
[2009/05/22 13:57:56 | 000,000,543 | ---- | C] () -- C:\Windows\SWISV3.INI
[2009/05/22 13:57:54 | 000,000,287 | ---- | C] () -- C:\Windows\SKNIFE.INI
[2009/05/22 13:57:36 | 000,002,799 | ---- | C] () -- C:\Windows\SKLANG.INI
[2009/04/30 01:57:20 | 000,000,088 | RHS- | C] () -- C:\ProgramData\832860F1E3.sys
[2009/04/30 01:57:19 | 000,002,828 | -HS- | C] () -- C:\ProgramData\KGyGaAvL.sys
[2009/03/05 12:25:19 | 000,000,056 | -H-- | C] () -- C:\Windows\System32\ezsidmv.dat
[2009/02/12 10:47:43 | 000,000,965 | ---- | C] () -- C:\Users\Rich\AppData\Roaming\WizzTonesnewinst.ini
[2009/01/24 18:18:11 | 000,033,792 | ---- | C] () -- C:\Windows\System32\drivers\libusb0.sys
[2008/07/15 03:09:11 | 000,000,681 | ---- | C] () -- C:\Windows\mozver.dat
[2008/06/27 11:22:48 | 000,651,264 | ---- | C] () -- C:\Windows\System32\ISPPopUpDlg.exe
[2008/04/14 12:11:44 | 000,233,472 | ---- | C] () -- C:\Windows\System32\KvpUpCom.dll
[2008/02/27 13:45:46 | 000,000,032 | ---- | C] () -- C:\ProgramData\ezsid.dat
[2008/02/20 11:09:26 | 000,172,032 | ---- | C] () -- C:\Windows\System32\ggCUD2R.dll
[2008/02/16 23:35:00 | 000,348,160 | ---- | C] () -- C:\Windows\System32\ggDllMathR.dll
[2008/02/16 23:33:00 | 000,024,576 | ---- | C] () -- C:\Windows\System32\ggCUDNR.dll
[2008/02/16 23:32:00 | 000,102,400 | ---- | C] () -- C:\Windows\System32\ggCUDR.dll
[2008/02/13 15:45:00 | 000,028,672 | ---- | C] () -- C:\Windows\System32\gValidR.dll
[2007/12/26 11:51:00 | 000,040,960 | ---- | C] () -- C:\Windows\System32\FileGTR.dll
[2007/08/29 13:01:58 | 000,000,038 | ---- | C] () -- C:\Windows\AviSplitter.INI
[2007/08/20 14:24:25 | 000,000,172 | ---- | C] () -- C:\Users\Rich\AppData\Local\RAExpertHistory.xml
[2007/08/20 14:18:30 | 000,000,172 | ---- | C] () -- C:\Users\Rich\AppData\Local\rahistory.xml
[2007/07/29 02:33:34 | 000,008,194 | ---- | C] () -- C:\ProgramData\LUUnInstall.LiveUpdate
[2007/07/01 20:12:14 | 003,145,728 | ---- | C] () -- C:\Windows\System32\libavcodec.dll
[2007/07/01 19:59:22 | 000,517,632 | ---- | C] () -- C:\Windows\System32\ff_x264.dll
[2007/06/17 20:43:56 | 000,405,504 | ---- | C] () -- C:\Windows\System32\libmplayer.dll
[2007/06/12 20:21:26 | 000,208,896 | ---- | C] () -- C:\Windows\System32\ff_theora.dll
[2007/06/08 04:10:48 | 000,020,480 | ---- | C] () -- C:\Windows\System32\ac3config.exe
[2007/05/23 10:32:48 | 000,000,120 | ---- | C] () -- C:\Users\Rich\AppData\Roaming\FixVTS.ini
[2007/05/18 17:43:32 | 000,020,480 | ---- | C] () -- C:\Windows\System32\KVPSetupEx.exe
[2007/05/10 08:15:34 | 000,028,672 | ---- | C] () -- C:\Windows\System32\ISP_crgen.dll
[2007/05/01 23:58:31 | 000,008,192 | ---- | C] () -- C:\Users\Rich\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/04/20 03:29:10 | 000,000,176 | ---- | C] () -- C:\Windows\System32\drivers\RTHDAEQ0.DAT
[2007/04/20 01:06:37 | 000,000,335 | ---- | C] () -- C:\Windows\nsreg.dat
[2007/04/19 23:59:04 | 000,016,384 | ---- | C] () -- C:\Windows\System32\LauncheRyAgentUser.exe
[2007/04/19 23:58:22 | 000,069,632 | ---- | C] () -- C:\Windows\System32\drivers\int15.sys
[2007/04/19 23:58:22 | 000,015,656 | ---- | C] () -- C:\Windows\System32\drivers\int15_64.sys
[2007/04/19 23:47:54 | 000,000,037 | ---- | C] () -- C:\Windows\Acer.ini
[2007/02/07 12:57:20 | 000,086,016 | ---- | C] () -- C:\Windows\System32\MSNSpook.dll
[2007/01/24 17:57:18 | 000,159,744 | ---- | C] () -- C:\Windows\System32\atitmmxx.dll
[2007/01/24 17:56:53 | 000,000,092 | ---- | C] () -- C:\Windows\CLEANUP.INI
[2007/01/10 02:05:50 | 000,026,112 | ---- | C] () -- C:\Windows\System32\ff_wmv9.dll
[2006/11/15 00:03:01 | 000,323,584 | ---- | C] () -- C:\Windows\AEITAddInRdr.dll
[2006/11/15 00:03:01 | 000,001,730 | ---- | C] () -- C:\Windows\Abcpy.ini
[2006/11/14 23:59:23 | 000,198,144 | ---- | C] () -- C:\Windows\System32\_psisdecd.dll
[2006/11/14 23:57:30 | 000,001,024 | RH-- | C] () -- C:\Windows\System32\NTIBUN4.dll
[2006/11/14 23:49:22 | 000,319,488 | ---- | C] () -- C:\Windows\System32\SysMonitor.exe
[2006/11/14 23:39:33 | 000,000,012 | ---- | C] () -- C:\Windows\bthservsdp.dat
[2006/11/14 23:38:29 | 000,005,495 | R--- | C] () -- C:\Windows\0x0409.ini
[2006/11/14 23:38:06 | 000,356,352 | ---- | C] () -- C:\Windows\EMCRI.dll
[2006/11/14 21:39:51 | 000,000,101 | ---- | C] () -- C:\Windows\Alaunch.ini
[2006/11/14 21:39:50 | 003,107,788 | ---- | C] () -- C:\Windows\System32\atiumdva.dat
[2006/11/14 21:39:50 | 000,138,101 | ---- | C] () -- C:\Windows\System32\atiicdxx.dat
[2006/11/14 21:39:37 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll
[2006/11/03 01:10:16 | 000,080,912 | ---- | C] () -- C:\Windows\System32\sherlock2.exe
[2006/11/02 21:57:28 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006/11/02 21:47:37 | 000,374,080 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2006/11/02 21:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 19:33:01 | 000,634,752 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2006/11/02 19:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2006/11/02 19:33:01 | 000,109,470 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2006/11/02 19:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2006/11/02 19:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2006/11/02 17:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2006/11/02 17:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2006/11/02 16:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/11/02 16:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2006/11/02 16:22:43 | 000,099,999 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2006/11/02 16:22:43 | 000,018,271 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2006/04/19 15:14:32 | 000,015,498 | ---- | C] () -- C:\Windows\VX1000.ini
[2006/03/18 22:16:04 | 000,540,178 | ---- | C] () -- C:\Windows\System32\x264vfw.dll
[2005/06/29 18:45:44 | 000,708,096 | ---- | C] () -- C:\Windows\System32\INIcrypto20.dll
[2004/10/04 02:50:54 | 000,129,024 | ---- | C] () -- C:\Windows\System32\ff_mpeg2enc.dll
[2001/12/27 08:12:30 | 000,065,536 | ---- | C] () -- C:\Windows\System32\multiplex_vcd.dll
[2001/09/14 14:35:00 | 000,077,824 | ---- | C] () -- C:\Windows\System32\zipdll.dll
[2001/09/04 15:46:38 | 000,110,592 | ---- | C] () -- C:\Windows\System32\Hmpg12.dll
[2001/07/31 08:33:56 | 000,118,784 | ---- | C] () -- C:\Windows\System32\HMPV2_ENC.dll
[2001/07/24 14:04:36 | 000,118,784 | ---- | C] () -- C:\Windows\System32\HMPV2_ENC_MMX.dll

========== LOP Check ==========

[2007/04/20 01:08:18 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\acccore
[2007/04/20 00:04:16 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\Acer
[2011/03/13 22:56:37 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\AVG10
[2010/10/10 00:49:48 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\avidemux
[2007/07/16 11:22:42 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\BitTorrent
[2011/02/16 21:22:33 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\ClientKeeper
[2011/03/18 11:23:26 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\Dropbox
[2011/01/20 21:03:20 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\IObit
[2007/04/20 00:04:07 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\Leadertech
[2010/02/21 19:44:05 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\MotioninJoy
[2010/02/02 14:04:53 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\Neverball
[2011/02/16 21:23:21 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\nprotect
[2011/03/13 22:13:01 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\PMS
[2007/05/26 09:33:06 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\RipIt4Me
[2010/02/21 18:19:59 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\smc
[2011/03/18 03:24:55 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\uTorrent
[2009/02/12 19:32:39 | 000,000,000 | ---D | M] -- C:\Users\Rich\AppData\Roaming\WizzTones
[2011/03/18 11:16:28 | 000,032,612 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2011/03/18 12:15:17 | 000,000,416 | -H-- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{83D01C09-653A-4451-A4EA-B99D06229C61}.job

========== Purity Check ==========



========== Files - Unicode (All) ==========
[2011/03/07 09:17:44 | 000,016,958 | ---- | M] ()(C:\Users\Rich\AppData\Roaming\????.ico) -- C:\Users\Rich\AppData\Roaming\미니약관.ico
[2011/03/07 09:15:59 | 000,016,958 | ---- | C] ()(C:\Users\Rich\AppData\Roaming\????.ico) -- C:\Users\Rich\AppData\Roaming\미니약관.ico

========== Alternate Data Streams ==========

@Alternate Data Stream - 126 bytes -> C:\ProgramData\TEMP:E965A533

< End of report >
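
The OTL log above is raw tool output; deciding which of its hundreds of lines actually matter is the reviewer's job. As an added illustration that is not part of this thread and not an OTL feature, the Python script below runs a handful of triage rules over lines copied from the log above, plus two constructed lines (marked as such) showing what a hijacked hosts entry and a hijacked .exe association would look like. It flags the two policy values that switch UAC off (EnableLUA = 0 and ConsentPromptBehaviorAdmin = 0), the Ask.com search and start-page hooks, registry entries whose target file no longer exists, an autorun entry with no publisher string, and the alternate data stream listed at the end of the report. The severity labels are this example's own rough ranking, not anything OTL emits.

```python
import re
from collections import Counter

# Lines copied verbatim from the OTL log posted above in this thread.
OTL_LINES = r"""
IE - HKU\S-1-5-21-1664092079-4046628799-4227632575-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com?o=15003&l=dis
IE - HKU\S-1-5-21-1664092079-4046628799-4227632575-1000\..\URLSearchHook: {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
IE - HKU\S-1-5-21-1664092079-4046628799-4227632575-1000\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Sopcast Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
O4 - HKLM..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - Startup: C:\Users\Rich\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk = C:\Users\Rich\AppData\Roaming\Dropbox\bin\Dropbox.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O35 - HKLM\..exefile [open] -- "%1" %*
@Alternate Data Stream - 126 bytes -> C:\ProgramData\TEMP:E965A533
"""

# Two CONSTRUCTED lines (not from the thread) in OTL's format, showing what a
# hijacked hosts entry and a hijacked .exe association would look like.
CONSTRUCTED_LINES = r"""
O1 - Hosts: 127.0.0.1 update.example-av.test
O35 - HKLM\..exefile [open] -- "C:\Users\Rich\AppData\Local\hijack.exe" "%1" %*
"""

# Stock Windows "open" command for .exe/.com; anything else means the
# association has been redirected through another program.
DEFAULT_OPEN = '"%1" %*'

# (severity, label, pattern). Severities are this example's own ranking.
PATTERN_RULES = [
    ("high", "UAC disabled (EnableLUA = 0)",
     re.compile(r"^O[67] .*policies\\System: EnableLUA = 0$")),
    ("medium", "Administrators elevate without a consent prompt",
     re.compile(r"^O[67] .*ConsentPromptBehaviorAdmin = 0$")),
    ("medium", "Ask.com search/start-page hook",
     re.compile(r"^(IE|FF|O2|O3) .*ask\.com", re.IGNORECASE)),
    ("low", "Registry entry whose target file is missing",
     re.compile(r"Reg Error: .*File not found$")),
    ("low", "Autorun entry with no publisher string",
     re.compile(r"^O4 .*\(\)$")),
    ("medium", "Alternate data stream on disk",
     re.compile(r"^@Alternate Data Stream")),
]
HOSTS_RE = re.compile(r"^O1 - Hosts: (\S+) (\S+)$")
ASSOC_RE = re.compile(r"^O3[57] - .*\[(?:open|@ = \w+)\] -- (.+)$")


def triage(log_text):
    """Return (severity, label, line) for every log line that trips a rule."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for severity, label, pattern in PATTERN_RULES:
            if pattern.search(line):
                findings.append((severity, label, line))
        # hosts entries: the only benign mapping in a stock file is localhost
        m = HOSTS_RE.match(line)
        if m and m.group(2).lower() != "localhost":
            findings.append(("high", "Hosts file pins %s to %s" % (m.group(2), m.group(1)), line))
        # .exe/.com association: anything but the stock command is a hijack
        m = ASSOC_RE.match(line)
        if m and m.group(1).strip() != DEFAULT_OPEN:
            findings.append(("high", "Executable file association is not the stock command", line))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'high': 1, 'medium': 5, 'low': 3}."""
    return dict(Counter(severity for severity, _, _ in findings))


if __name__ == "__main__":
    for severity, label, line in triage(OTL_LINES + CONSTRUCTED_LINES):
        print(f"[{severity:>6}] {label}: {line[:70]}")
    print(summarize(triage(OTL_LINES)))
```

Against the thread's own lines the script reports one high finding (UAC off), five medium and three low; the hosts and file-association checks only fire on the constructed lines, because the hosts file and exefile command in the log are the stock values, which is itself a useful negative result when looking for a rootkit's persistence.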

#9 RMislander

RMislander
  • Topic Starter

  • Members
  • 7 posts

Posted 18 March 2011 - 08:40 AM

The logs above are for Malwarebytes and OTL.

As for Clientkeeper Pro, I don't know what that is. I never installed it (not intentionally at least), and I couldn't locate it in the Programs and Features sections, along with the Ask Toolbar.

I'm glad there's no rootkit either like before; I guess Combofix took care of that.


By the way, I didn't mention this before, but I really do appreciate your help and assistance; it's been a great relief ensuring that everything's cleared up on my computer.

#10 ken545

ken545

  • Malware Response Team
  • 1,685 posts
  • Gender:Male
  • Location:The Space Coast of Florida

Posted 18 March 2011 - 10:31 AM

Client Keeper Pro appears legit. Did you buy this computer used? Maybe someone else installed it.



You need to enable Windows to show all files and folders; instructions Here.

Go to VirusTotal and submit these files for analysis. Just use the BROWSE feature and then Send File; you will get a report back. Post the report into this thread for me to see. If the site says this file has already been checked, have them check it again.

c:\windows\system32\CKAgent.exe
c:\windows\system32\JRSUKD25.SYS
c:\windows\system32\kcrtx86.sys


If the site is busy you can try this one
http://virusscan.jotti.org/en

Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

Please consider a donation to help me keep up my fight against malware.

Just a reminder that threads will be closed if no response in 3 days


#11 RMislander

RMislander
  • Topic Starter

  • Members
  • 7 posts

Posted 18 March 2011 - 11:32 AM

I ran the files you suggested on both of the virus sites you posted.

All of them showed no problems except for http://virusscan.jotti.org/en, which showed that c:\windows\system32\CKAgent.exe is a trojan.

And no, it was a brand new computer, though others have used it in the past, so maybe it was installed then.

#12 ken545

ken545

  • Malware Response Team
  • 1,685 posts
  • Gender:Male
  • Location:The Space Coast of Florida

Posted 18 March 2011 - 11:41 AM

This is strange, as that program appears to be OK. Go to C:\Program Files and look for it and see if there is an uninstall option.



#13 RMislander

RMislander
  • Topic Starter

  • Members
  • 7 posts

Posted 18 March 2011 - 11:53 AM

No, there is not.


"Arcavirus" determined that it was a trojan, while every other program on that site cleared it, as well as every program on VirusTotal. Could it be a mistake?

Edited by RMislander, 18 March 2011 - 11:55 AM.
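
Post #10 asks for three files to be submitted to VirusTotal and Jotti, and post #13 comes back with one detection out of many engines and asks whether that can be a mistake. As an added example that is not part of the thread (and not VirusTotal's or Jotti's code), the Python below does the two things a practitioner would want at this point: it hashes the files in place so the digest can be looked up and compared instead of re-uploading the bytes, and it turns a multi-engine result into a confidence level, treating a lone generic-named detection as a probable false positive and broad agreement across engines as strong evidence. The engine names, detection labels and thresholds in the samples are constructed for illustration; only the three file paths come from the thread.

```python
import hashlib
import os

# The three files named in post #10 of this thread.
SUSPECT_FILES = [
    r"C:\Windows\System32\CKAgent.exe",
    r"C:\Windows\System32\JRSUKD25.SYS",
    r"C:\Windows\System32\kcrtx86.sys",
]

# Substrings that mark a heuristic/generic detection name rather than a
# specific, named family (this example's own list).
GENERIC_MARKERS = ("generic", "heur", "suspicious", "gen:", "packed", "unsafe")


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large drivers need not be read at once.
    Look the digest up on the scanning service instead of re-uploading; it
    also proves the scanned bytes are the ones the log listed."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def assess(verdicts):
    """verdicts maps engine name -> detection name, or None when the engine
    cleared the file. Returns a summary dict with a confidence level.

    Rule of thumb encoded here: one engine firing with a generic name while
    every other engine clears the file is weak evidence (probable false
    positive until publisher, signature and hash are checked); agreement
    across many engines is strong evidence."""
    hits = {engine: name for engine, name in verdicts.items() if name}
    total = len(verdicts)
    ratio = len(hits) / total if total else 0.0
    generic = [n for n in hits.values() if any(m in n.lower() for m in GENERIC_MARKERS)]
    if not hits:
        level = "clean"
    elif len(hits) == 1 or ratio < 0.10:
        level = "probable false positive" if len(generic) == len(hits) else "low confidence"
    elif ratio < 0.50:
        level = "suspicious"
    else:
        level = "likely malicious"
    return {"engines": total, "hits": len(hits), "ratio": round(ratio, 3),
            "generic_names": len(generic), "level": level, "detections": hits}


# CONSTRUCTED verdict tables for illustration. Engine names are placeholders;
# the single "Arcavirus" entry mirrors the thread, but its detection label is
# made up, not anything that site reported.
SAMPLE_CKAGENT = {f"engine{i:02d}": None for i in range(19)}
SAMPLE_CKAGENT["Arcavirus"] = "Trojan.Generic"

SAMPLE_DROPPER = {f"engine{i:02d}": ("Trojan.Dropper.Agent" if i < 14 else None)
                  for i in range(20)}


if __name__ == "__main__":
    for path in SUSPECT_FILES:
        if os.path.exists(path):
            print(sha256_file(path), path)
    for label, table in (("CKAgent.exe (constructed verdicts)", SAMPLE_CKAGENT),
                         ("constructed dropper", SAMPLE_DROPPER)):
        result = assess(table)
        print(f"{label}: {result['hits']}/{result['engines']} -> {result['level']}")
```

Run on the affected machine, the printed SHA-256 values are what to search for on the scanning sites; the confidence levels shown come from the constructed tables, so substitute the real engine-by-engine results from the report. The point of the thresholds is the one the thread circles around: a 1-of-20 generic hit is not by itself a reason to delete a file, but it is a reason to verify who published it and why it is there.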


#14 ken545

ken545

  • Malware Response Team
  • 1,685 posts
  • Gender:Male
  • Location:The Space Coast of Florida

Posted 18 March 2011 - 01:09 PM

Hi,

I am looking at AVG installed along with some markers for Symantec. Did you try to uninstall Symantec at one time? You should only have one; more than one AV is overkill and can severely hamper system performance.

In general, how is your computer running? Any redirects or unwanted pop-up windows?

This should get rid of ASK.


Backup Your Registry with ERUNT:
  • Download erunt.zip to your Desktop from here:
    http://aumha.org/downloads/erunt.zip
  • Right-click erunt.zip, select Extract All... and follow the prompts to extract ERUNT to a new folder on your Desktop
  • Inside the new folder, double-click ERUNT.exe to start the program
  • OK all the prompts to back up your registry to the default location.
Note: to restore your registry, go to the backup folder and start ERDNT.exe
Open OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

    
    :processes
    killallprocesses
    
    :OTL
    SRV - (jeohuwziab) -- File not found
    SRV - (CLTNetCnService) -- File not found
    IE - HKU\S-1-5-21-1664092079-4046628799-4227632575-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com?o=15003&l=dis
    IE - HKU\S-1-5-21-1664092079-4046628799-4227632575-1000\..\URLSearchHook: {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
    FF - prefs.js..browser.search.defaultengine: "Ask.com"
    FF - prefs.js..browser.search.defaultenginename: "Ask.com"
    FF - prefs.js..browser.search.order.1: "Ask.com"
    O2 - BHO: (Sopcast Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
    O3 - HKLM\..\Toolbar: (Sopcast Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
    O3 - HKU\S-1-5-21-1664092079-4046628799-4227632575-1000\..\Toolbar\WebBrowser: (Sopcast Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
    [2011/03/13 17:22:35 | 000,000,000 | ---D | C] -- C:\ComboFix
    [2011/03/13 17:21:54 | 000,000,000 | ---D | C] -- C:\32788R22FWJFW
    
    
    :Services
    
    :Reg
    
    :Files
    
    
    
    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Then click the Run Fix button at the top. <-- Not Run Scan
  • Let the program run unhindered, reboot when it is done
  • Then post the results of the log it produces.
  • Then run a new scan and post a new OTL log (don't check the boxes beside LOP Check or Purity this time)

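An OTL fix script like the one in the post above is run blind unless the person reads it first. The following is an added Python example, not part of the post and not OTL's own code, that parses the script's ":section" blocks and reduces each entry to the service, registry value, Firefox preference, COM object or file it will touch, so the fix can be reviewed before Run Fix is clicked. The sample script is a constructed fragment of the fix above.

```python
import re
# Constructed sample: a fragment of the OTL fix script posted above.
SAMPLE_FIX = r"""
:processes
killallprocesses
:OTL
SRV - (jeohuwziab) -- File not found
IE - HKU\S-1-5-21-1664092079-4046628799-4227632575-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com?o=15003&l=dis
FF - prefs.js..browser.search.defaultengine: "Ask.com"
O2 - BHO: (Sopcast Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
[2011/03/13 17:22:35 | 000,000,000 | ---D | C] -- C:\ComboFix
:Commands
[purity]
[Reboot]
"""
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")  # COM class id (BHO / toolbar)
FILE_RE = re.compile(r"^\[.*?\] -- (.+)$")      # OTL file or folder entry


def parse_otl_fix(text):
    """Split the script into its ':section' blocks, keyed by lowercased name."""
    sections, current = {}, None
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith(":"):
            current = line[1:].lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def describe_otl_line(line):
    """Reduce one :OTL entry to (category, target) so a reader sees what is touched."""
    m = FILE_RE.match(line)
    if m:
        return ("file", m.group(1))
    tag, _, rest = line.partition(" - ")
    if tag == "SRV":                # service: name is in parentheses
        return ("service", rest.split("(", 1)[1].split(")", 1)[0])
    if tag == "IE":                 # IE registry value being reset
        return ("ie-setting", rest.split(" = ", 1)[0])
    if tag == "FF":                 # Firefox prefs.js key being removed
        return ("firefox-pref", rest.split("prefs.js..", 1)[1].split(":", 1)[0])
    if tag in ("O2", "O3"):         # BHO / toolbar, identified by its CLSID
        c = CLSID_RE.search(rest)
        return ("com-object", c.group(0) if c else rest)
    return ("other", line)


def review_plan(text):  # every action the script would take, in script order
    s = parse_otl_fix(text)
    plan = [("process", p) for p in s.get("processes", [])]
    plan += [describe_otl_line(l) for l in s.get("otl", [])]
    plan += [("command", c.strip("[]")) for c in s.get("commands", [])]
    return plan
```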


#15 ken545

ken545

    Malware Response Team


  • Malware Response Team
  • 1,685 posts
  • OFFLINE
  • Gender:Male
  • Location:The Space Coast of Florida
  • Local time:02:10 PM

Posted 26 March 2011 - 06:24 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.
