
Infection with Antispyware Protection


  • This topic is locked
24 replies to this topic

#1 LaChilindrina

LaChilindrina

  • Members
  • 14 posts

Posted 18 March 2011 - 12:51 PM

Hello bleepingcomputer whizzes,

I'm running Windows XP and tonight had something called Antispyware Protection install itself on my PC. Keeps popping up warnings about malicious content, etc... and has disabled all other programs e.g. if I attempt to open anything I get a warning message saying for example "File firefox.exe is infected byW32/Blaster.worm Please activate Spyware Protection to protect your computer"

I followed the steps in this page on your site:

http://www.bleepingcomputer.com/virus-removal/remove-spyware-protection

...and ran a full scan in safe mode with MBAM which identified and removed 48 infections. Rebooted and went back into normal operating mode and found that the problem had not gone away. I still can't open any files or programs in normal mode.

Here is my DDS text log:

a.
DDS (Ver_11-03-05.01) - NTFSx86 NETWORK
Run by Owner at 1:11:37.98 on Sat 19/03/2011
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.511.321 [GMT 10.5:30]
.
AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Owner\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.worldcarousel.com.au/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {2e5a65bb-b055-c0dd-0118-09975f2ee086} - c:\program files\uqbjlwd\procweb.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_11\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
uRun: [ShUiAct] c:\windows\system32\ncbubulq.exe
uRun: [Spyware Protection] c:\documents and settings\owner\application data\defender.exe
mRun: [KillCopy] c:\program files\killsoft\killcopy\kcresume.exe /startup
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [OmniPage] c:\program files\caere\omnipagepro90\opware32.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [DSLSTATEXE] c:\program files\d-link\dsl-200\dslstat.exe icon
mRun: [DSLAGENTEXE] c:\program files\d-link\dsl-200\dslagent.exe
mExplorerRun: [901w4OBFS4] c:\docume~1\owner\locals~1\temp\wJQs.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_11\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - hxxp://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\7cmxlb1l.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://gogolbordello.com/tour/future/
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4d3c2ec9&v=6.010.006.004&i=23&tp=ab&iy=&ychte=au&lng=en-US&q=
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\documents and settings\owner\application data\facebook\npfbplugin_1_0_0.dll
FF - plugin: c:\documents and settings\owner\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJPI150_11.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: AVG Security Toolbar em:version=6.010.006.004 em:displayname=AVG Security Toolbar em:iconURL=chrome://tavgp/skin/logo.ico em:creator=AVG Technologies em:description=AVG Security Toolbar em:homepageURL=http://www.avg.com >: avg@igeared - c:\program files\avg\avg8\toolbar\firefox\avg@igeared
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
============= SERVICES / DRIVERS ===============
.
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-6-21 335240]
S1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-2-19 27784]
S2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-6-25 297752]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg8\toolbar\ToolbarBroker.exe [2011-1-24 517448]
.
=============== Created Last 30 ================
.
2011-03-18 13:33:06 -------- d-----w- c:\docume~1\owner\applic~1\Malwarebytes
2011-03-18 13:33:00 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-18 13:32:59 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-03-18 13:32:56 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-18 13:32:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-18 10:02:00 1409 ----a-w- c:\windows\QTFont.for
2011-03-17 12:15:34 1001984 ----a-w- c:\docume~1\owner\applic~1\defender.exe
2011-03-16 11:16:53 135168 -c----w- c:\windows\system32\dllcache\shsvcs.dll
2011-03-10 12:57:08 186880 -c----w- c:\windows\system32\dllcache\encdec.dll
2011-03-10 12:57:07 270848 -c----w- c:\windows\system32\dllcache\sbe.dll
2011-03-10 12:56:43 677888 -c----w- c:\windows\system32\dllcache\lhmstsc.exe
2011-03-10 12:56:41 2067456 -c----w- c:\windows\system32\dllcache\lhmstscx.dll
.
==================== Find3M ====================
.
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 22:15:52 667136 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 22:15:52 61952 ----a-w- c:\windows\system32\tdc.ocx
2010-12-20 22:15:51 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-12-20 17:26:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 15:30:29 369664 ----a-w- c:\windows\system32\html.iec
.
============= FINISH: 1:12:03.81 ===============


I ran the GMER scan but couldn't save it because the resolution in safe mode was so big I couldn't see the save button. Aaargh, I waited up until 4am for the scan to complete then couldn't use it...I can only run it in safe mode as the virus is preventing me from running it in normal mode.

FYI, I'm registering to your site and posting via a MAC laptop since I can't currently open Firefox (or anything else) on my PC.

I hope this is enough information for you. Thank you so much, your site is really easy to follow and I thought as a result I'd be able to kill this infection pretty fast but it's obviously doing a good job of concealing itself.

All the best,
La Chilindrina
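As an added example (not code from this thread, from DDS, or from BleepingComputer), the following Python script parses the uRun/mRun/mExplorerRun and BHO lines of a DDS "Pseudo HJT Report" like the one above and flags the entries a malware-response helper would look at first: programs starting from user-writable folders, anything in the Explorer\Run policy key, and BHOs registered without a description or pointing at a missing file. The sample input is constructed from lines of the log above plus a few benign lines for contrast; the heuristics and flag wording are this example's own, not DDS output.

```python
"""Triage helper for autorun-style lines in a DDS "Pseudo HJT Report".

Added example, not part of the thread or of DDS itself. It scores the
uRun/mRun/mExplorerRun and BHO lines on a few defender-side heuristics so
a reviewer sees at a glance which entries deserve a closer look.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input constructed for this example: autorun lines copied from the
# DDS log posted in the thread plus benign lines of each type for contrast.
SAMPLE = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [ShUiAct] c:\windows\system32\ncbubulq.exe
uRun: [Spyware Protection] c:\documents and settings\owner\application data\defender.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mExplorerRun: [901w4OBFS4] c:\docume~1\owner\locals~1\temp\wJQs.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {2e5a65bb-b055-c0dd-0118-09975f2ee086} - c:\program files\uqbjlwd\procweb.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
"""

RUN_RE = re.compile(r"^(?P<key>[um]Run|mExplorerRun): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
BHO_RE = re.compile(r"^BHO: (?:(?P<desc>.*?): )?\{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+)$")

# Locations a standard user can write to; legitimate startup entries rarely live here.
USER_WRITABLE = ("\\application data\\", "\\applic~1\\", "\\temp\\", "\\locals~1\\", "\\desktop\\")


@dataclass
class Entry:
    kind: str
    label: str
    image: str
    flags: List[str] = field(default_factory=list)


def extract_image(cmd: str) -> str:
    """Pull the program path out of a Run value (quoted, with args, or rundll32 host)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)].lower()
    m = re.match(r"(.+?\.(?:exe|scr|dll))(?=[\s,]|$)", cmd, re.I)
    image = (m.group(1) if m else cmd).lower()
    if m and image.endswith("rundll32.exe"):
        # rundll32 is only the host; the DLL it loads is the real payload.
        rest = cmd[m.end():].strip()
        image = rest.split(",", 1)[0].strip().lower()
    return image


def triage_line(line: str) -> Optional[Entry]:
    """Parse one report line; return None for lines of other types."""
    m = RUN_RE.match(line)
    if m:
        e = Entry("run", f'{m["key"]} [{m["name"]}]', extract_image(m["cmd"]))
        if m["key"] == "mExplorerRun":
            e.flags.append("Policies\\Explorer\\Run key (rarely used by legitimate software)")
        if any(tag in e.image for tag in USER_WRITABLE):
            e.flags.append("image in a user-writable location")
        return e
    m = BHO_RE.match(line)
    if m:
        e = Entry("bho", m["desc"] or m["clsid"], m["path"].lower())
        if not m["desc"]:
            e.flags.append("BHO registered without a description")
        if e.image == "no file":
            e.flags.append("orphaned BHO (file missing)")
        return e
    return None


def triage(text: str) -> List[Entry]:
    return [e for e in (triage_line(l.strip()) for l in text.splitlines()) if e]


def suspicious(text: str) -> List[str]:
    """Labels of all entries that tripped at least one heuristic."""
    return [e.label for e in triage(text) if e.flags]


if __name__ == "__main__":
    for e in triage(SAMPLE):
        mark = "!!" if e.flags else "  "
        print(f"{mark} {e.label:45} {e.image}")
        for f in e.flags:
            print(f"      - {f}")
```

Run as a script to print the triage table. Note what path heuristics cannot do: the uRun entry pointing at c:\windows\system32\ncbubulq.exe sits in a system directory and passes every check here, so an unfamiliar name in a trusted location still needs a hash or reputation lookup before it can be cleared.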



#2 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 19 March 2011 - 08:06 AM

Hi LaChilindrina and :welcome:



I will be handling your log to help you get cleaned up.
Please give me some time to look it over and I will get back to you as soon as possible.



Regards,
Georgi :hello:



#3 LaChilindrina

LaChilindrina
  • Topic Starter

  • Members
  • 14 posts

Posted 19 March 2011 - 08:36 AM

That's great, thanks so much :cool:

#4 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 20 March 2011 - 09:28 AM

Hello LaChilindrina ! Welcome to BleepingComputer Forums! :welcome:

My name is Georgi and I will be helping you with your computer problems.


Sorry if I wasn't able to reply fast, we are in different timezones.


Before we begin, please note the following:
  • I will be working on your Malware issues, this may or may not solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested ! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something don't hesitate to ask.
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.





STEP 1



Please boot your PC in Normal Mode.


Try to download the already renamed rkill file RKill by Grinler from one of the 3 links below and save it to your desktop.
  • WiNlOgOn.exe
  • uSeRiNiT.exe
  • eXplorer.exe
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on one of the renamed Rkill files on your desktop to run it.
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply.



STEP 2



Run Scan with Malwarebytes



I see you have Malwarebytes' Anti-Malware installed on your computer.
Please start the application by double-clicking on its icon.
Once the program has loaded go to the UPDATE tab and check for updates.
When the update is complete, select the Scanner tab
Select Perform quick scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad.
Please save it to a convenient location and post the results in your next reply.
Exit MBAM when done.

Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.



STEP 3


When you are back in Normal Mode, you may need to execute one of the renamed RKILL files again.
Then please do this:



We need to run an OTL Custom Scan



  • Please download OTL from the link below:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • OTL should now start. Change the following settings:
    - Click on Scan All Users checkbox given at the top.Posted Image
  • Copy and Paste the following code into the Posted Image textbox.
    netsvcs
    
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized



Regards,
Georgi



#5 LaChilindrina

LaChilindrina
  • Topic Starter

  • Members
  • 14 posts

Posted 20 March 2011 - 07:25 PM

Hi Georgi,

Thanks so much for your detailed reply. You rock!

I'm currently at work but will take advantage of us both (I think) being currently awake on opposite sides of the globe to ask you some questions about things in your instructions that may be difficult to do.


STEP 1



Please boot your PC in Normal Mode.

- This I can do but I'm not sure if anything will work in normal mode.


Try to download the already renamed rkill file RKill by Grinler from one of the 3 links below and save it to your desktop.

WiNlOgOn.exe
uSeRiNiT.exe
eXplorer.exe

- I doubt I'll be able to download anything in normal mode but can download it from the laptop to a flash drive so that should be cool.

Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.

- including Malwarebytes I assume?

Double-click on one of the renamed Rkill files on your desktop to run it.

A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.

If nothing happens or if the tool does not run, please let me know in your next reply


Run Scan with Malwarebytes



I see you have Malwarebytes' Anti-Malware installed on your computer.
Please start the application by double-clicking on its icon.
Once the program has loaded go to the UPDATE tab and check for updates.

-this may be difficult as last time I checked I wasn't able to connect to the internet at all. It's an old computer connected to a DSL d-Link modem and I have to open a connection window in order to connect. The virus/malware prevents me from opening that window the same as it prevents me from opening pretty much anything...

When the update is complete, select the Scanner tab
Select Perform quick scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad.
Please save it to a convenient location and post the results in your next reply.
Exit MBAM when done.


So, I could do most of your instructions in safe mode except check for updates to Malwarebytes, predicting how my computer is going to respond when I try all this at home tonight.

What would you advise?

Thanks a million :)

#6 LaChilindrina

LaChilindrina
  • Topic Starter

  • Members
  • 14 posts

Posted 21 March 2011 - 08:32 AM

Hi again Georgi,

OK, I booted the PC in normal mode and I actually can connect to the internet.
However, I cannot open anything in normal mode as I get the warnings like "File firefox.exe is infected byW32/Blaster.worm Please activate Spyware Protection to protect your computer" and the program fails to open. Same goes when I tried to open Malwarebytes.

So....although I could get the Rkill file onto my computer via a flash drive (I haven't done that but it'd be possible), I wouldn't be able to open it at all in normal mode.

That's as far as I've got because I want to follow your instructions closely.

I should be able to open and run programs in safe mode but last time I tried was unable to connect to the internet in safe mode....

How should I proceed? :unsure:


Thanks again!!

#7 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 21 March 2011 - 10:06 AM

Hi LaChilindrina,


Since we are going to use a USB flash drive to transport files and logs back and forth we should disinfect both computers to avoid re-infection.


Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.


Please run it on both computers (the clean and the infected one).



Next please try to boot in Normal Mode and then download and run one of the renamed RKILL files.
If it fails to download either WiNlOgOn.exe or uSeRiNiT.exe or eXplorer.exe you should download it to a clean computer and copy it to the infected one via a USB flash drive.
Before we begin, you should disable any anti-malware software you have installed (yes...including Malwarebytes too).
Once it is downloaded, double-click on the WiNlOgOn.exe icon in order to automatically attempt to stop any processes associated with Spyware Protection and other Rogue programs.
Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next step.
If you get a message that RKill is an infection, do not be concerned. This message is just a fake warning given by Spyware Protection when it terminates programs that may potentially remove it.
If you run into these infections warnings that close RKill, a trick is to leave the warning on the screen and then run RKill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that RKill can terminate Spyware Protection . So, please try running RKill until the malware is no longer running.
Do not reboot your computer after running RKill as the malware programs will start again.


Next please run a scan with Malwarebytes.
Do not forget to update it first.


If that is unsuccessful please boot in Safe Mode with Networking and repeat the steps above.

Finally boot in Normal Mode and run one of the renamed RKILL files again...

Then please run a scan with OTL as I mentioned in my previous post and post the logs.

If OTL.exe fails to download please download it from a clean PC.



Regards,
Georgi



#8 LaChilindrina

LaChilindrina
  • Topic Starter

  • Members
  • 14 posts

Posted 21 March 2011 - 06:06 PM

Thanks Georgi, I'm going to try all of that tonight.

Only problem is I won't be able to update Malwarebytes because I can't connect to the internet in safe mode and in normal mode can't even open the program.

Any suggestions? Can I download it again to the clean computer, update it there and then transfer it to the infected computer?

#9 LaChilindrina

LaChilindrina
  • Topic Starter

  • Members
  • 14 posts

Posted 22 March 2011 - 05:11 AM

Hi again Georgi,

Things are looking better, for now the symptoms have gone....
Rkill successfully stopped the annoying warnings and let me open files again.

I did two scans with Malwarebytes - one in safe mode and then another after I was able to get the updates in normal mode.
Here are the log files:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5363

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 6.0.2900.5512

22/03/2011 6:49:34 PM
mbam-log-2011-03-22 (18-49-34).txt

Scan type: Full scan (C:\|)
Objects scanned: 234428
Time elapsed: 22 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\Owner\Desktop\WiNlOgOn.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.


Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6129

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

22/03/2011 7:18:42 PM
mbam-log-2011-03-22 (19-18-42).txt

Scan type: Quick scan
Objects scanned: 161476
Time elapsed: 14 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Spyware Protection (Rogue.Installer.Gen) -> Value: Spyware Protection -> Quarantined and deleted successfully.





I successfully ran the OTL scan and here are the logs:


OTL logfile created on: 22/03/2011 7:52:25 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000C09 | Country: Australia | Language: ENA | Date Format: d/MM/yyyy

511.00 Mb Total Physical Memory | 210.00 Mb Available Physical Memory | 41.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 67.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.05 Gb Total Space | 103.85 Gb Free Space | 69.68% Space Free | Partition Type: NTFS
Drive F: | 955.73 Mb Total Space | 930.19 Mb Free Space | 97.33% Space Free | Partition Type: FAT

Computer Name: OWNER-63C4CDBD4 | User Name: Owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/03/22 19:51:30 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
PRC - [2011/03/16 22:39:51 | 000,912,344 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/10/25 19:08:25 | 000,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe
PRC - [2010/10/25 19:08:18 | 002,048,352 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgtray.exe
PRC - [2009/09/19 11:15:27 | 000,486,680 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgrsx.exe
PRC - [2008/08/13 15:28:37 | 000,611,664 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
PRC - [2008/04/14 10:42:30 | 000,420,864 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ntvdm.exe
PRC - [2008/04/14 10:42:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/01/31 15:55:42 | 000,096,370 | ---- | M] (Canon Inc.) -- C:\Program Files\Canon\CAL\CALMAIN.exe
PRC - [2004/04/30 21:26:29 | 000,356,352 | ---- | M] (GlobespanVirata, Inc.) -- C:\Program Files\D-Link\DSL-200\DslStat.exe
PRC - [2004/04/30 21:26:29 | 000,016,384 | ---- | M] () -- C:\Program Files\D-Link\DSL-200\dslagent.exe
PRC - [1998/10/12 19:13:46 | 000,044,032 | ---- | M] (Caere Corporation) -- C:\Program Files\Caere\OmniPagePro90\OPware32.exe


========== Modules (SafeList) ==========

MOD - [2011/03/22 19:51:30 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
MOD - [2010/08/24 02:42:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
MOD - [1998/10/12 19:13:40 | 000,140,288 | ---- | M] (Caere Corporation) -- C:\Program Files\Caere\OmniPagePro90\OPHOOK32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (LVPrcSrv)
SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - [2010/10/25 19:08:25 | 000,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG8\avgwdsvc.exe -- (avg8wd)
SRV - [2010/10/06 11:31:48 | 000,517,448 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\AVG\AVG8\Toolbar\ToolbarBroker.exe -- (AVG Security Toolbar Service)
SRV - [2008/08/13 15:28:37 | 000,611,664 | ---- | M] (Lavasoft) [Auto | Running] -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe -- (aawservice)
SRV - [2007/01/31 15:55:42 | 000,096,370 | ---- | M] (Canon Inc.) [Auto | Running] -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8)


========== Driver Services (SafeList) ==========

DRV - [2009/09/19 11:15:27 | 000,335,240 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgldx86.sys -- (AvgLdx86)
DRV - [2009/09/19 11:15:27 | 000,027,784 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\System32\Drivers\avgmfx86.sys -- (AvgMfx86)
DRV - [2008/04/14 05:15:29 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2005/11/25 14:39:06 | 000,203,776 | ---- | M] (VIA Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\vinyl97.sys -- (VIAudio) Vinyl AC'97 Audio Controller (WDM)
DRV - [2005/09/01 11:03:04 | 000,127,488 | ---- | M] (Ahead Software AG) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\imagesrv.sys -- (imagesrv)
DRV - [2005/09/01 11:03:04 | 000,005,888 | ---- | M] (Ahead Software AG) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\imagedrv.sys -- (imagedrv)
DRV - [2004/04/30 21:26:16 | 000,150,369 | ---- | M] (GlobespanVirata Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gwausb.sys -- (wanusb) D-Link DSL-200 USB ADSL Modem(WAN)
DRV - [2002/06/03 11:18:32 | 000,040,832 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\es1371mp.sys -- (es1371) Creative AudioPCI (ES1371,ES1373) (WDM)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,AlwaysUseDefaultPrinter = yes
IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,AlwaysUseDefaultPrinter = yes
IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,AlwaysUseDefaultPrinter = yes
IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,AlwaysUseDefaultPrinter = yes
IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-725345543-413027322-1801674531-1003\SOFTWARE\Microsoft\Internet Explorer\Main,AlwaysUseDefaultPrinter = yes
IE - HKU\S-1-5-21-725345543-413027322-1801674531-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKU\S-1-5-21-725345543-413027322-1801674531-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-725345543-413027322-1801674531-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.worldcarousel.com.au/
IE - HKU\S-1-5-21-725345543-413027322-1801674531-1003\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKU\S-1-5-21-725345543-413027322-1801674531-1003\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-725345543-413027322-1801674531-1003\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
IE - HKU\S-1-5-21-725345543-413027322-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Yahoo! Search"
FF - prefs.js..browser.search.selectedEngine: "Yahoo! Search"
FF - prefs.js..browser.startup.homepage: "http://gogolbordello.com/tour/future/"
FF - prefs.js..extensions.enabledItems: avg@igeared:6.010.006.004
FF - prefs.js..keyword.URL: "http://search.avg.com/route/?d=4d3c2ec9&v=6.010.006.004&i=23&tp=ab&iy=&ychte=au&lng=en-US&q="

FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG8\Firefox [2010/01/10 11:31:25 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\avg@igeared: C:\Program Files\AVG\AVG8\Toolbar\Firefox\avg@igeared [2011/01/24 00:06:03 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.15\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/03/16 22:40:02 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.15\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/03/16 22:40:02 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.9\extensions\\Components: C:\PROGRA~1\Mozilla Thunderbird\components [2008/01/28 13:51:04 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.9\extensions\\Plugins: C:\PROGRA~1\Mozilla Thunderbird\plugins [2008/01/28 13:51:04 | 000,000,000 | ---D | M]

[2009/02/18 22:17:37 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions
[2011/03/18 23:58:03 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\7cmxlb1l.default\extensions
[2011/03/18 20:35:54 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\7cmxlb1l.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/02/18 22:17:39 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/01/24 00:06:03 | 000,000,000 | ---D | M] ("urn:mozilla:install-manifest" em:id="avg@igeared" em:name="AVG Security Toolbar" em:version="6.010.006.004" em:displayname="AVG Security Toolbar" em:iconURL="chrome://tavgp/skin/logo.ico" em:creator="AVG Technologies" em:description="AVG Security Toolbar" em:homepageURL="http://www.avg.com" >) -- C:\PROGRAM FILES\AVG\AVG8\TOOLBAR\FIREFOX\AVG@IGEARED
[2007/03/09 12:35:00 | 000,365,056 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npupd62.dll

O1 HOSTS File: ([2001/08/23 22:30:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {2E5A65BB-B055-C0DD-0118-09975F2EE086} - File not found
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (AVG Security Toolbar BHO) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
O3 - HKU\S-1-5-21-725345543-413027322-1801674531-1003\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
O3 - HKU\S-1-5-21-725345543-413027322-1801674531-1003\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O4 - HKLM..\Run: [AVG8_TRAY] C:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [DSLAGENTEXE] C:\Program Files\D-Link\DSL-200\dslagent.exe ()
O4 - HKLM..\Run: [DSLSTATEXE] C:\Program Files\D-Link\DSL-200\dslstat.exe (GlobespanVirata, Inc.)
O4 - HKLM..\Run: [KillCopy] C:\Program Files\KillSoft\KillCopy\kcresume.exe ()
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [OmniPage] C:\Program Files\Caere\OmniPagePro90\OPware32.exe (Caere Corporation)
O4 - HKU\S-1-5-21-725345543-413027322-1801674531-1003..\Run: [Picasa Media Detector] File not found
O4 - HKU\S-1-5-21-725345543-413027322-1801674531-1003..\Run: [ShUiAct] File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: 901w4OBFS4 = C:\DOCUME~1\Owner\LOCALS~1\Temp\wJQs.exe
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-725345543-413027322-1801674531-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-725345543-413027322-1801674531-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 36
O7 - HKU\S-1-5-21-725345543-413027322-1801674531-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = FF FF FF FF [binary data]
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\NPJPI150_11.dll (Sun Microsystems, Inc.)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\yinsthelper.dll (YInstStarter Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab (Java Plug-in 1.5.0_11)
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab (MsnMessengerSetupDownloadControl Class)
O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab (Java Plug-in 1.5.0_02)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab (Java Plug-in 1.5.0_11)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab (Java Plug-in 1.5.0_11)
O18 - Protocol\Handler\avgsecuritytoolbar {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O24 - Desktop WallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/03/23 09:32:03 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2011/03/22 18:15:50 | 000,000,000 | RHSD | M] - C:\autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2011/03/22 18:15:52 | 000,000,000 | RHSD | M] - F:\autorun.inf -- [ FAT ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: HidServ - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

========== Files/Folders - Created Within 30 Days ==========

[2011/03/22 19:51:29 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2011/03/22 18:22:10 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/03/22 18:22:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/03/22 18:22:07 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/03/22 18:15:50 | 000,000,000 | RHSD | C] -- C:\autorun.inf
[2011/03/19 00:03:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Malwarebytes
[2011/03/19 00:02:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2011/03/19 00:02:56 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/03/18 23:59:25 | 007,734,208 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Owner\Desktop\mbam-setup.exe
[2011/03/18 23:36:03 | 000,000,000 | -HSD | C] -- C:\WINDOWS\CSC
[2011/03/16 21:46:53 | 000,135,168 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\shsvcs.dll
[2011/03/10 23:26:43 | 000,677,888 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\lhmstsc.exe
[2011/03/10 23:26:41 | 002,067,456 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\lhmstscx.dll
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/03/22 19:51:30 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2011/03/22 19:47:08 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/03/22 19:47:01 | 000,000,264 | ---- | M] () -- C:\WINDOWS\tasks\OGALogon.job
[2011/03/22 19:46:35 | 000,043,573 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2011/03/22 19:45:49 | 000,000,260 | ---- | M] () -- C:\WINDOWS\tasks\WGASetup.job
[2011/03/22 19:45:19 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/03/22 19:45:15 | 536,399,872 | -HS- | M] () -- C:\hiberfil.sys
[2011/03/22 19:31:02 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/03/22 18:22:10 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/03/21 23:50:54 | 072,857,291 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm.prepare
[2011/03/19 01:10:58 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Owner\defogger_reenable
[2011/03/18 23:59:21 | 000,000,275 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Shortcut to iExplore.exe.lnk
[2011/03/18 20:32:00 | 000,001,409 | ---- | M] () -- C:\WINDOWS\QTFont.for
[2011/03/18 20:31:59 | 000,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2011/03/16 21:44:56 | 072,547,756 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2011/03/11 01:19:05 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/03/07 19:01:15 | 000,000,202 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2011/03/05 07:10:46 | 000,625,664 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\dds.scr
[2011/03/04 18:17:19 | 000,000,264 | ---- | M] () -- C:\WINDOWS\tasks\OGADaily.job
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/03/22 18:51:55 | 536,399,872 | -HS- | C] () -- C:\hiberfil.sys
[2011/03/22 18:22:10 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/03/22 18:16:28 | 000,132,597 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Flash_Disinfector.exe
[2011/03/19 01:10:58 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Owner\defogger_reenable
[2011/03/19 01:10:36 | 000,625,664 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\dds.scr
[2011/03/19 01:10:34 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Defogger.exe
[2011/03/19 01:10:29 | 000,296,448 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\gmer.exe
[2011/03/18 23:59:21 | 000,000,275 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Shortcut to iExplore.exe.lnk
[2011/03/18 20:32:00 | 000,001,409 | ---- | C] () -- C:\WINDOWS\QTFont.for
[2011/03/18 20:31:59 | 000,054,156 | -H-- | C] () -- C:\WINDOWS\QTFont.qfn
[2011/03/10 23:27:08 | 000,186,880 | ---- | C] () -- C:\WINDOWS\System32\dllcache\encdec.dll
[2011/03/10 23:27:07 | 000,270,848 | ---- | C] () -- C:\WINDOWS\System32\dllcache\sbe.dll
[2010/01/15 00:11:35 | 000,000,118 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2008/12/31 18:04:42 | 000,691,560 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2008/12/31 18:04:42 | 000,528,744 | ---- | C] () -- C:\WINDOWS\System32\OGAVerify.exe
[2008/10/05 23:29:39 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\WINWGPX.EXE
[2008/10/05 23:29:39 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\winsystem.exe
[2008/10/05 23:29:39 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\winlogonpc.exe
[2008/10/05 23:29:39 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\vcatchpi.dll
[2008/10/05 23:29:39 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\thun32.dll
[2008/10/05 23:29:39 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\thun.dll
[2008/10/05 23:29:39 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\temp#01.exe
[2008/10/05 23:29:39 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\taack.exe
[2008/10/05 23:29:39 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\taack.dat
[2008/10/05 23:29:39 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\sysreq.exe
[2008/10/05 23:29:39 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\ssvchost.exe
[2008/10/05 23:29:39 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\ssvchost.com
[2008/10/05 23:29:39 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\ssurf022.dll
[2008/10/05 23:29:39 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\sncntr.exe
[2008/10/05 23:29:39 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\Rundl1.exe
[2008/10/05 23:29:39 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\regm64.dll
[2008/10/05 23:29:39 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\regc64.dll
[2008/10/05 23:29:39 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\psoft1.exe
[2008/10/05 23:29:39 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\psof1.exe
[2008/10/05 23:29:39 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\ps1.exe
[2008/10/05 23:29:39 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\newsd32.exe
[2008/10/05 23:29:39 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\netode.exe
[2008/10/05 23:29:39 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\mwin32.exe
[2008/10/05 23:29:39 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\mtr2.exe
[2008/10/05 23:29:39 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\msvchost.exe
[2008/10/05 23:29:39 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\mssecu.exe
[2008/10/05 23:29:39 | 000,004,096 | ---- | C] () -- C:\WINDOWS\mssecu.exe
[2008/10/05 23:29:39 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\msnbho.dll
[2008/10/05 23:29:39 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\msgp.exe
[2008/10/05 23:29:39 | 000,004,096 | ---- | C] () -- C:\WINDOWS\iTunesMusic.exe
[2008/10/05 23:29:39 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\hxiwlgpm.exe
[2008/10/05 23:29:39 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\hxiwlgpm.dat
[2008/10/05 23:29:39 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\hoproxy.dll
[2008/10/05 23:29:39 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\h@tkeysh@@k.dll
[2008/10/05 23:29:39 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\dpcproxy.exe
[2008/10/05 23:29:39 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\bsva-egihsg52.exe
[2008/10/05 23:29:39 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\bdn.com
[2008/10/05 23:29:39 | 000,004,096 | ---- | C] () -- C:\WINDOWS\bdn.com
[2008/10/05 23:29:39 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\awtoolb.dll
[2008/10/05 23:29:39 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\anticipator.dll
[2008/07/28 13:13:05 | 000,037,376 | ---- | C] () -- C:\WINDOWS\System32\CoInst.dll
[2008/07/28 13:13:03 | 000,017,154 | ---- | C] () -- C:\WINDOWS\wwdslcfg.ini
[2008/07/28 13:12:20 | 000,038,400 | ---- | C] () -- C:\WINDOWS\System32\GsiDi32.dll
[2008/06/19 21:30:50 | 000,000,455 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2008/05/21 18:00:18 | 000,000,000 | ---- | C] () -- C:\WINDOWS\OPPRIN~1.INI
[2008/05/20 17:11:20 | 000,008,575 | ---- | C] () -- C:\WINDOWS\System32\D125UFW.INI
[2008/05/19 16:04:01 | 000,000,021 | ---- | C] () -- C:\WINDOWS\phbase.ini
[2008/05/19 16:03:55 | 000,000,021 | ---- | C] () -- C:\WINDOWS\Ps_setup.ini
[2008/05/18 21:24:08 | 000,086,016 | ---- | C] () -- C:\WINDOWS\OPDIRDEL.exe
[2008/05/18 20:53:03 | 000,000,571 | ---- | C] () -- C:\WINDOWS\maxlink.ini
[2008/05/18 20:52:27 | 000,000,000 | ---- | C] () -- C:\WINDOWS\OP70.INI
[2008/05/16 12:58:04 | 000,012,632 | ---- | C] () -- C:\WINDOWS\System32\lsdelete.exe
[2008/03/01 20:00:58 | 000,050,948 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2008/02/08 15:29:48 | 000,001,755 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2007/10/11 13:18:34 | 000,036,624 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\Comma Separated Values (Windows).ADR
[2006/08/23 17:22:23 | 000,000,055 | ---- | C] () -- C:\WINDOWS\festo.ini
[2006/08/22 20:57:05 | 000,000,327 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2006/07/20 20:01:15 | 000,015,872 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006/05/21 03:02:24 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\PDFreDirectMonNT.dll
[2006/04/19 18:14:17 | 000,000,151 | ---- | C] () -- C:\WINDOWS\PhotoSnapViewer.INI
[2006/03/24 17:15:58 | 000,000,202 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2006/03/24 11:06:56 | 000,160,963 | ---- | C] () -- C:\WINDOWS\System32\drivers\gtipdsp.bin
[2006/03/24 11:03:10 | 000,007,680 | ---- | C] () -- C:\WINDOWS\System32\CNMVS6e.DLL
[2006/03/23 18:01:54 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2006/03/23 17:47:50 | 000,000,204 | ---- | C] () -- C:\WINDOWS\MYOBP.INI
[2006/03/23 17:47:50 | 000,000,121 | ---- | C] () -- C:\WINDOWS\SwDrvs.ini
[2006/03/23 17:47:50 | 000,000,039 | ---- | C] () -- C:\WINDOWS\MYOB.INI
[2006/03/23 17:45:08 | 000,000,000 | ---- | C] () -- C:\WINDOWS\drvxl32.INI
[2006/03/23 17:45:07 | 000,000,000 | ---- | C] () -- C:\WINDOWS\drvwd32.INI
[2006/03/23 16:54:19 | 000,107,132 | ---- | C] () -- C:\WINDOWS\UninstallFirefox.exe
[2006/03/23 16:53:52 | 000,007,106 | ---- | C] () -- C:\WINDOWS\mozver.dat
[2006/03/23 14:05:14 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/03/23 13:27:20 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\UnAudioNT.dll
[2006/03/23 10:05:17 | 000,020,992 | ---- | C] () -- C:\WINDOWS\System32\kc.exe
[2006/03/23 09:35:54 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2006/03/23 09:28:17 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2006/03/23 04:53:33 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2006/03/23 04:50:10 | 000,247,904 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2005/12/10 03:06:00 | 001,662,976 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2005/12/10 03:06:00 | 001,519,616 | ---- | C] () -- C:\WINDOWS\System32\nwiz.exe
[2005/12/10 03:06:00 | 001,466,368 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2005/12/10 03:06:00 | 001,339,392 | ---- | C] () -- C:\WINDOWS\System32\nvdspsch.exe
[2005/12/10 03:06:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2005/12/10 03:06:00 | 000,573,440 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2005/12/10 03:06:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2005/12/10 03:06:00 | 000,442,368 | ---- | C] () -- C:\WINDOWS\System32\nvappbar.exe
[2005/12/10 03:06:00 | 000,425,984 | ---- | C] () -- C:\WINDOWS\System32\keystone.exe
[2005/12/10 03:06:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2005/12/10 03:06:00 | 000,110,592 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll
[2005/06/17 11:41:14 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\vuins32.dll
[2004/08/04 10:37:22 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004/08/02 23:50:40 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2003/01/07 17:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2001/08/23 22:30:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2001/08/23 22:30:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2001/08/23 22:30:00 | 000,444,456 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2001/08/23 22:30:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2001/08/23 22:30:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2001/08/23 22:30:00 | 000,072,332 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2001/08/23 22:30:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2001/08/23 22:30:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2001/08/23 22:30:00 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2001/08/23 22:30:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2000/01/31 08:02:00 | 000,047,104 | ---- | C] () -- C:\WINDOWS\System32\Wh2Robo.dll

< End of report >


OTL Extras logfile created on: 22/03/2011 7:52:25 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000C09 | Country: Australia | Language: ENA | Date Format: d/MM/yyyy

511.00 Mb Total Physical Memory | 210.00 Mb Available Physical Memory | 41.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 67.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.05 Gb Total Space | 103.85 Gb Free Space | 69.68% Space Free | Partition Type: NTFS
Drive F: | 955.73 Mb Total Space | 930.19 Mb Free Space | 97.33% Space Free | Partition Type: FAT

Computer Name: OWNER-63C4CDBD4 | User Name: Owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
.url [@ = InternetShortcut] -- rundll32.exe shdocvw.dll,OpenURL %l

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
http [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
InternetShortcut [open] -- rundll32.exe shdocvw.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Connect
"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Connect
"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Connect
"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Connect
"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Connect
"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Connect

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Connect
"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Connect
"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Connect
"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Connect
"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Connect
"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Connect

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\MSN Messenger\livecall.exe" = C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Gigabyte\BIOS\gwf32.exe" = C:\Program Files\Gigabyte\BIOS\gwf32.exe:*:Enabled:gwflash -- ()
"C:\Program Files\Yahoo!\Messenger\YServer.exe" = C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server
"C:\Program Files\Grisoft\AVG7\avginet.exe" = C:\Program Files\Grisoft\AVG7\avginet.exe:*:Enabled:avginet.exe
"C:\Program Files\Grisoft\AVG7\avgamsvr.exe" = C:\Program Files\Grisoft\AVG7\avgamsvr.exe:*:Enabled:avgamsvr.exe
"C:\Program Files\Grisoft\AVG7\avgcc.exe" = C:\Program Files\Grisoft\AVG7\avgcc.exe:*:Enabled:avgcc.exe
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Disabled:Yahoo! Messenger
"C:\Program Files\MSN Messenger\livecall.exe" = C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)
"C:\WINDOWS\system32\mmc.exe" = C:\WINDOWS\system32\mmc.exe:*:Enabled:Microsoft Management Console -- (Microsoft Corporation)
"C:\Program Files\LimeWire\LimeWire.exe" = C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire
"C:\Program Files\AVG\AVG8\avgupd.exe" = C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe -- (AVG Technologies CZ, s.r.o.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"@BIOS" = @BIOS
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{20D4A895-748C-4D88-871C-FDB1695B0169}" = Platform
"{2245AADD-C4F3-4342-9023-4C8C5C388367}" = MYOB Accounting v14
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{3248F0A8-6813-11D6-A77B-00B0D0150020}" = J2SE Runtime Environment 5.0 Update 2
"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6
"{3248F0A8-6813-11D6-A77B-00B0D0150110}" = J2SE Runtime Environment 5.0 Update 11
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{42CFD768-94A5-4C0D-A49A-88B536BAC551}" = FileNet Desktop eForms
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{5B09BD67-4C99-46A1-8161-B7208CE18121}" = QuickTime
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7CCEBC24-62DB-4280-A8EC-BFA49F167920}" = Software Update for Web Folders
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{AC76BA86-7AD7-1033-7B44-A70900000002}" = Adobe Reader 7.0.9
"{B148AB4B-C8FA-474B-B981-F2943C5B5BCD}" = OGA Notifier 1.7.0105.35.0
"{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}" = Apple Software Update
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{EFB21DE7-8C19-4A88-BB28-A766E16493BC}" = Adobe Photoshop CS
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{FBE569CA-BFEB-4E57-A674-F94D938E1AEF}" = e-tax 2010
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"ArcSoft PhotoBase" = ArcSoft PhotoBase
"AVG8Uninstall" = AVG Free 8.5
"CAL" = Canon Camera Access Library
"CameraWindowDC" = Canon Utilities CameraWindow DC
"CameraWindowDVC5" = Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX
"CameraWindowDVC6" = Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
"CameraWindowLauncher" = Canon Utilities CameraWindow
"Canon G.726 WMP-Decoder" = Canon G.726 WMP-Decoder
"CCleaner" = CCleaner (remove only)
"CSCLIB" = Canon Camera Support Core Library
"D-Link DSL-200 ADSL Modem" = D-Link DSL-200 ADSL Modem
"DVD Decrypter" = DVD Decrypter (Remove Only)
"DVD Shrink_is1" = DVD Shrink 3.2
"Easy-PhotoPrint" = Canon Utilities Easy-PhotoPrint
"EOS Utility" = Canon Utilities EOS Utility
"InstallShield_{20D4A895-748C-4D88-871C-FDB1695B0169}" = VIA Platform Device Manager
"InstallShield_{2245AADD-C4F3-4342-9023-4C8C5C388367}" = MYOB Accounting v14
"IrfanView" = IrfanView (remove only)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MovieEditTask" = Canon MovieEdit Task for ZoomBrowser EX
"Mozilla Firefox (3.6.15)" = Mozilla Firefox (3.6.15)
"Mozilla Thunderbird (2.0.0.9)" = Mozilla Thunderbird (2.0.0.9)
"MSNINST" = MSN
"MyCamera" = Canon Utilities MyCamera
"MyCameraDC" = Canon Utilities MyCamera DC
"NeoAudio_is1" = NeoAudio
"Nero - Burning Rom!UninstallKey" = Nero 6 Ultra Edition
"NeroVision!UninstallKey" = Nero Digital
"NVIDIA Drivers" = NVIDIA Drivers
"OmniPagePro9.0DeinstKey" = OmniPage Pro 9.0
"PDF reDirect" = PDF reDirect (remove only)
"PhotoRecord" = Canon PhotoRecord
"PhotoStitch" = Canon Utilities PhotoStitch
"Picasa 3" = Picasa 3
"RAW Image Task" = Canon RAW Image Task for ZoomBrowser EX
"RemoteCaptureDC" = Canon Utilities RemoteCapture DC
"RemoteCaptureTask" = Canon Utilities RemoteCapture Task for ZoomBrowser EX
"ShockwaveFlash" = Adobe Flash Player 9 ActiveX
"VIA Audio Driver Setup Program" = VIA Audio Driver Setup Program
"VN_VUIns_Rhine_VIA" = VIA Rhine-Family Fast Ethernet Adapter
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinLiveSuite_Wave3" = Windows Live Essentials
"ZoomBrowser EX" = Canon Utilities ZoomBrowser EX
"ZoomBrowser EX Memory Card Utility" = Canon ZoomBrowser EX Memory Card Utility

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-725345543-413027322-1801674531-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Facebook Plug-In" = Facebook Plug-In

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 5/02/2009 8:30:41 AM | Computer Name = OWNER-63C4CDBD4 | Source = Application Hang | ID = 1002
Description = Hanging application Picasa3.exe, version 3.1.70.73, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 16/02/2009 6:10:21 AM | Computer Name = OWNER-63C4CDBD4 | Source = Application Error | ID = 1000
Description = Faulting application firefox.exe, version 1.8.20081.21709, faulting
module unknown, version 0.0.0.0, fault address 0x0000000d.

Error - 16/02/2009 8:47:41 AM | Computer Name = OWNER-63C4CDBD4 | Source = Application Error | ID = 1000
Description = Faulting application firefox.exe, version 1.8.20081.21709, faulting
module unknown, version 0.0.0.0, fault address 0x00000000.

Error - 16/02/2009 8:53:19 AM | Computer Name = OWNER-63C4CDBD4 | Source = Application Error | ID = 1000
Description = Faulting application firefox.exe, version 1.8.20081.21709, faulting
module unknown, version 0.0.0.0, fault address 0x0341ea22.

Error - 16/02/2009 8:53:29 AM | Computer Name = OWNER-63C4CDBD4 | Source = Application Error | ID = 1001
Description = Fault bucket 1146619150.

Error - 8/06/2009 3:55:37 AM | Computer Name = OWNER-63C4CDBD4 | Source = Application Hang | ID = 1002
Description = Hanging application i_view32.exe, version 4.2.0.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 14/09/2009 4:07:42 AM | Computer Name = OWNER-63C4CDBD4 | Source = .NET Runtime Optimization Service | ID = 1101
Description = .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32)
- Failed to compile: C:\Program Files\PC Drivers HeadQuarters\Driver Detective\DriversHQ.DriverDetective.Client.exe
. Error code = 0x80131047

[ System Events ]
Error - 23/05/2010 2:35:41 AM | Computer Name = OWNER-63C4CDBD4 | Source = Service Control Manager | ID = 7000
Description = The Logitech Process Monitor service failed to start due to the following
error: %%2

Error - 12/09/2010 5:32:03 AM | Computer Name = OWNER-63C4CDBD4 | Source = Service Control Manager | ID = 7000
Description = The Logitech Process Monitor service failed to start due to the following
error: %%2

Error - 12/09/2010 5:32:54 AM | Computer Name = OWNER-63C4CDBD4 | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.

Error - 9/10/2010 5:13:33 AM | Computer Name = OWNER-63C4CDBD4 | Source = Service Control Manager | ID = 7000
Description = The Logitech Process Monitor service failed to start due to the following
error: %%2

Error - 25/10/2010 4:21:23 AM | Computer Name = OWNER-63C4CDBD4 | Source = Service Control Manager | ID = 7000
Description = The Logitech Process Monitor service failed to start due to the following
error: %%2

Error - 25/10/2010 4:22:56 AM | Computer Name = OWNER-63C4CDBD4 | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.

Error - 2/11/2010 4:46:04 AM | Computer Name = OWNER-63C4CDBD4 | Source = Service Control Manager | ID = 7000
Description = The Logitech Process Monitor service failed to start due to the following
error: %%2

Error - 9/01/2011 3:10:16 AM | Computer Name = OWNER-63C4CDBD4 | Source = Service Control Manager | ID = 7000
Description = The Logitech Process Monitor service failed to start due to the following
error: %%2

Error - 9/01/2011 7:15:29 AM | Computer Name = OWNER-63C4CDBD4 | Source = Service Control Manager | ID = 7000
Description = The Logitech Process Monitor service failed to start due to the following
error: %%2

Error - 23/01/2011 9:19:53 AM | Computer Name = OWNER-63C4CDBD4 | Source = Service Control Manager | ID = 7000
Description = The Logitech Process Monitor service failed to start due to the following
error: %%2


< End of report >



So, let me know what you find!

Thanks so much for all the help :thumbup2:

#10 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:04:19 PM

Posted 22 March 2011 - 03:05 PM

Hi LaChilindrina, :)



Sorry for the delay...I was swamped with work today.


Very good, finally an improvement! :)
Thanks for the logs.



Could you please check if System Restore is turned on.



  • Click Start, right-click My Computer, and then click Properties.
  • In the System Properties dialog box, click the System Restore tab.
  • Click to clear the Turn off System Restore check box. Or, click the Turn off System Restore on all drives check box.
  • Click Apply and close the windows.



STEP 1



We need to run an OTL Fix
  • Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox. Do not include the word "Code"
    :OTL
    IE - HKU\S-1-5-21-725345543-413027322-1801674531-1003\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
    O2 - BHO: (no name) - {2E5A65BB-B055-C0DD-0118-09975F2EE086} - File not found
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
    O3 - HKU\S-1-5-21-725345543-413027322-1801674531-1003\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
    O3 - HKU\S-1-5-21-725345543-413027322-1801674531-1003\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
    O4 - HKU\S-1-5-21-725345543-413027322-1801674531-1003..\Run: [Picasa Media Detector] File not found
    O4 - HKU\S-1-5-21-725345543-413027322-1801674531-1003..\Run: [ShUiAct] File not found
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: 901w4OBFS4 = C:\DOCUME~1\Owner\LOCALS~1\Temp\wJQs.exe
    [2008/10/05 23:29:39 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\WINWGPX.EXE
    [2008/10/05 23:29:39 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\winsystem.exe
    [2008/10/05 23:29:39 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\winlogonpc.exe
    [2008/10/05 23:29:39 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\vcatchpi.dll
    [2008/10/05 23:29:39 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\thun32.dll
    [2008/10/05 23:29:39 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\thun.dll
    [2008/10/05 23:29:39 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\temp#01.exe
    [2008/10/05 23:29:39 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\taack.exe
    [2008/10/05 23:29:39 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\taack.dat
    [2008/10/05 23:29:39 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\sysreq.exe
    [2008/10/05 23:29:39 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\ssvchost.exe
    [2008/10/05 23:29:39 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\ssvchost.com
    [2008/10/05 23:29:39 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\ssurf022.dll
    [2008/10/05 23:29:39 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\sncntr.exe
    [2008/10/05 23:29:39 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\Rundl1.exe
    [2008/10/05 23:29:39 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\regm64.dll
    [2008/10/05 23:29:39 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\regc64.dll
    [2008/10/05 23:29:39 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\psoft1.exe
    [2008/10/05 23:29:39 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\psof1.exe
    [2008/10/05 23:29:39 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\ps1.exe
    [2008/10/05 23:29:39 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\newsd32.exe
    [2008/10/05 23:29:39 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\netode.exe
    [2008/10/05 23:29:39 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\mwin32.exe
    [2008/10/05 23:29:39 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\mtr2.exe
    [2008/10/05 23:29:39 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\msvchost.exe
    [2008/10/05 23:29:39 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\mssecu.exe
    [2008/10/05 23:29:39 | 000,004,096 | ---- | C] () -- C:\WINDOWS\mssecu.exe
    [2008/10/05 23:29:39 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\msnbho.dll
    [2008/10/05 23:29:39 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\msgp.exe
    [2008/10/05 23:29:39 | 000,004,096 | ---- | C] () -- C:\WINDOWS\iTunesMusic.exe
    [2008/10/05 23:29:39 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\hxiwlgpm.exe
    [2008/10/05 23:29:39 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\hxiwlgpm.dat
    [2008/10/05 23:29:39 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\hoproxy.dll
    [2008/10/05 23:29:39 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\h@tkeysh@@k.dll
    [2008/10/05 23:29:39 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\dpcproxy.exe
    [2008/10/05 23:29:39 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\bsva-egihsg52.exe
    [2008/10/05 23:29:39 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\bdn.com
    [2008/10/05 23:29:39 | 000,004,096 | ---- | C] () -- C:\WINDOWS\bdn.com
    [2008/10/05 23:29:39 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\awtoolb.dll
    [2008/10/05 23:29:39 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\anticipator.dll
    :commands
    [reboot]
    
  • Push Run Fix
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click OK.
  • A report will open. Copy and Paste that report in your next reply.





STEP 2



We need to run an OTL Custom Scan again.
I want to be sure that nothing reappeared.



  • Please reopen OTL on your desktop.
  • OTL should now start. Change the following settings:
  • Click on the Scan All Users checkbox given at the top.
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
  • OTL.txt <-- Will be opened
  • Extra.txt <-- Will be minimized





STEP 3



Please download Rootkit Unhooker from one of the following links and save it to your desktop.
Link 1 (.exe file)
Link 2 (zipped file)
Link 3 (.rar file)

In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracting ZIP and RAR compressed files. If you don't have an extraction program, you can download, install and use the free 7-zip utility.

  • Double-click on RKUnhookerLE.exe to start the program.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • Click the Report tab, then click Scan.
  • Check Drivers, Stealth, and uncheck the rest.
  • Click OK.
  • Wait until it's finished and then go to File > Save Report.
  • Save the report to your Desktop.
  • Copy and paste the contents of the report into your next reply.
-- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".



Regards,
Georgi

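As an added example (not from this thread and not OTL's own code), a small Python triage helper that parses OTL file-listing lines like the ones in the fix above and flags the pattern the fix targets: a batch of publisher-less files of identical size, all created in the same second under C:\WINDOWS, plus file names that imitate core system binaries. The sample listing, the LEGIT_SYSTEM_NAMES list and the thresholds are assumptions chosen for this illustration.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, List, Optional

# One OTL file-listing line looks like this (taken from the fix script above):
#   [2008/10/05 23:29:39 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\taack.exe
# fields: timestamp | size, comma-grouped | attribute flags | C(reated) or M(odified)]
#         (publisher, empty when the file carries no company name) -- full path
OTL_FILE_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\] "
    r"\((?P<publisher>[^)]*)\) -- (?P<path>.+)$"
)

# Windows directories where a publisher-less executable deserves a second look (assumption).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\")
# Core system binaries that rogue software likes to imitate by name (assumed short list).
LEGIT_SYSTEM_NAMES = ("svchost.exe", "winlogon.exe", "rundll32.exe", "explorer.exe")


@dataclass
class OtlFileEntry:
    timestamp: datetime
    size: int
    attrs: str
    kind: str
    publisher: str
    path: str

    @property
    def basename(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()


def parse_otl_file_line(line: str) -> Optional[OtlFileEntry]:
    """Parse one OTL file-listing line; return None for any other line type."""
    m = OTL_FILE_RE.match(line.strip())
    if not m:
        return None
    return OtlFileEntry(
        timestamp=datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
        size=int(m["size"].replace(",", "")),
        attrs=m["attrs"],
        kind=m["kind"],
        publisher=m["publisher"].strip(),
        path=m["path"].strip(),
    )


def parse_otl_listing(lines: Iterable[str]) -> List[OtlFileEntry]:
    return [e for e in (parse_otl_file_line(l) for l in lines) if e is not None]


def flag_decoy_cluster(entries: List[OtlFileEntry], min_cluster: int = 5) -> List[str]:
    """Paths of publisher-less files under the Windows directory that share both
    creation timestamp and size with at least min_cluster-1 others. A genuine
    install leaves files of varying sizes with a company name; a batch of identical
    4 KB stubs created in the same second is how planted decoys look in a listing."""
    candidates = [e for e in entries
                  if not e.publisher and e.path.lower().startswith(SYSTEM_DIRS)]
    counts = Counter((e.timestamp, e.size) for e in candidates)
    return [e.path for e in candidates if counts[(e.timestamp, e.size)] >= min_cluster]


def edit_distance(a: str, b: str) -> int:
    # Plain Levenshtein distance, enough for short file names.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def flag_lookalike_names(entries: List[OtlFileEntry], max_distance: int = 2) -> List[str]:
    """Paths whose file name is within max_distance edits of a core system binary
    without being that binary (ssvchost.exe next to the real svchost.exe)."""
    hits = []
    for e in entries:
        if any(e.basename != legit and edit_distance(e.basename, legit) <= max_distance
               for legit in LEGIT_SYSTEM_NAMES):
            hits.append(e.path)
    return hits


# Constructed sample: six lines from the fix script above plus two benign entries.
SAMPLE_LISTING = r"""
[2011/03/22 19:51:30 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2008/04/14 10:42:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
[2008/10/05 23:29:39 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\winlogonpc.exe
[2008/10/05 23:29:39 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\ssvchost.exe
[2008/10/05 23:29:39 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\msvchost.exe
[2008/10/05 23:29:39 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\taack.exe
[2008/10/05 23:29:39 | 000,004,096 | ---- | C] () -- C:\WINDOWS\mssecu.exe
[2008/10/05 23:29:39 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\awtoolb.dll
""".strip().splitlines()

if __name__ == "__main__":
    entries = parse_otl_listing(SAMPLE_LISTING)
    print("parsed:", len(entries))
    print("decoy cluster:", flag_decoy_cluster(entries))
    print("lookalike names:", flag_lookalike_names(entries))
```

Run against a full OTL.txt the same functions work unchanged on the "Files - Modified"/"Files Created" sections, since those use the same line layout.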


#11 LaChilindrina

LaChilindrina
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:10:49 PM

Posted 22 March 2011 - 06:14 PM

No worries Georgi, will do all of that tonight and post the logs.

The plot thickens!!!
But at least the computer is functioning well enough that I can now do these scans, etc...

Thank you for being so thorough :thumbsup:

#12 LaChilindrina

LaChilindrina
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:10:49 PM

Posted 23 March 2011 - 04:27 AM

OK, here goes.
I hope this is the right log for the OTL Fix. Because the computer rebooted I had to later search for the log...


========== OTL ==========
Registry value HKEY_USERS\S-1-5-21-725345543-413027322-1801674531-1003\Software\Microsoft\Internet Explorer\URLSearchHooks\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2E5A65BB-B055-C0DD-0118-09975F2EE086}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2E5A65BB-B055-C0DD-0118-09975F2EE086}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
Registry value HKEY_USERS\S-1-5-21-725345543-413027322-1801674531-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{A057A204-BACC-4D26-9990-79A187E2698E} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A057A204-BACC-4D26-9990-79A187E2698E}\ not found.
Registry value HKEY_USERS\S-1-5-21-725345543-413027322-1801674531-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\ not found.
Registry value HKEY_USERS\S-1-5-21-725345543-413027322-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Run\\Picasa Media Detector deleted successfully.
Registry value HKEY_USERS\S-1-5-21-725345543-413027322-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Run\\ShUiAct deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\\901w4OBFS4 deleted successfully.
C:\WINDOWS\system32\WINWGPX.EXE moved successfully.
C:\WINDOWS\system32\winsystem.exe moved successfully.
C:\WINDOWS\system32\winlogonpc.exe moved successfully.
C:\WINDOWS\system32\vcatchpi.dll moved successfully.
C:\WINDOWS\system32\thun32.dll moved successfully.
C:\WINDOWS\system32\thun.dll moved successfully.
C:\WINDOWS\system32\temp#01.exe moved successfully.
C:\WINDOWS\system32\taack.exe moved successfully.
C:\WINDOWS\system32\taack.dat moved successfully.
C:\WINDOWS\system32\sysreq.exe moved successfully.
C:\WINDOWS\system32\ssvchost.exe moved successfully.
C:\WINDOWS\system32\ssvchost.com moved successfully.
C:\WINDOWS\system32\ssurf022.dll moved successfully.
C:\WINDOWS\system32\sncntr.exe moved successfully.
C:\WINDOWS\system32\Rundl1.exe moved successfully.
C:\WINDOWS\system32\regm64.dll moved successfully.
C:\WINDOWS\system32\regc64.dll moved successfully.
C:\WINDOWS\system32\psoft1.exe moved successfully.
C:\WINDOWS\system32\psof1.exe moved successfully.
C:\WINDOWS\system32\ps1.exe moved successfully.
C:\WINDOWS\system32\newsd32.exe moved successfully.
C:\WINDOWS\system32\netode.exe moved successfully.
C:\WINDOWS\system32\mwin32.exe moved successfully.
C:\WINDOWS\system32\mtr2.exe moved successfully.
C:\WINDOWS\system32\msvchost.exe moved successfully.
C:\WINDOWS\system32\mssecu.exe moved successfully.
C:\WINDOWS\mssecu.exe moved successfully.
C:\WINDOWS\system32\msnbho.dll moved successfully.
C:\WINDOWS\system32\msgp.exe moved successfully.
C:\WINDOWS\iTunesMusic.exe moved successfully.
C:\WINDOWS\system32\hxiwlgpm.exe moved successfully.
C:\WINDOWS\system32\hxiwlgpm.dat moved successfully.
C:\WINDOWS\system32\hoproxy.dll moved successfully.
C:\WINDOWS\system32\h@tkeysh@@k.dll moved successfully.
C:\WINDOWS\system32\dpcproxy.exe moved successfully.
C:\WINDOWS\system32\bsva-egihsg52.exe moved successfully.
C:\WINDOWS\system32\bdn.com moved successfully.
C:\WINDOWS\bdn.com moved successfully.
C:\WINDOWS\system32\awtoolb.dll moved successfully.
C:\WINDOWS\system32\anticipator.dll moved successfully.
========== COMMANDS ==========

OTL by OldTimer - Version 3.2.22.3 log created on 03232011_190031




Here's the results from the OTL custom scan. I only got one OTL text report, didn't get the Extras text report at all:


OTL logfile created on: 23/03/2011 7:36:03 PM - Run 2
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000C09 | Country: Australia | Language: ENA | Date Format: d/MM/yyyy

511.00 Mb Total Physical Memory | 101.00 Mb Available Physical Memory | 20.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 69.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.05 Gb Total Space | 103.81 Gb Free Space | 69.65% Space Free | Partition Type: NTFS
Drive F: | 955.73 Mb Total Space | 930.19 Mb Free Space | 97.33% Space Free | Partition Type: FAT

Computer Name: OWNER-63C4CDBD4 | User Name: Owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/03/22 19:51:30 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
PRC - [2011/03/16 22:39:51 | 000,912,344 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/10/25 19:08:25 | 000,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe
PRC - [2010/10/25 19:08:18 | 002,048,352 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgtray.exe
PRC - [2009/09/19 11:15:27 | 000,486,680 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgrsx.exe
PRC - [2008/08/13 15:28:37 | 000,611,664 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
PRC - [2008/04/14 10:42:30 | 000,420,864 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ntvdm.exe
PRC - [2008/04/14 10:42:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/01/31 15:55:42 | 000,096,370 | ---- | M] (Canon Inc.) -- C:\Program Files\Canon\CAL\CALMAIN.exe
PRC - [2004/04/30 21:26:29 | 000,356,352 | ---- | M] (GlobespanVirata, Inc.) -- C:\Program Files\D-Link\DSL-200\DslStat.exe
PRC - [2004/04/30 21:26:29 | 000,016,384 | ---- | M] () -- C:\Program Files\D-Link\DSL-200\dslagent.exe
PRC - [1998/10/12 19:13:46 | 000,044,032 | ---- | M] (Caere Corporation) -- C:\Program Files\Caere\OmniPagePro90\OPware32.exe


========== Modules (SafeList) ==========

MOD - [2011/03/22 19:51:30 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
MOD - [2010/08/24 02:42:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
MOD - [1998/10/12 19:13:40 | 000,140,288 | ---- | M] (Caere Corporation) -- C:\Program Files\Caere\OmniPagePro90\OPHOOK32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (LVPrcSrv)
SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - [2010/10/25 19:08:25 | 000,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG8\avgwdsvc.exe -- (avg8wd)
SRV - [2010/10/06 11:31:48 | 000,517,448 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\AVG\AVG8\Toolbar\ToolbarBroker.exe -- (AVG Security Toolbar Service)
SRV - [2008/08/13 15:28:37 | 000,611,664 | ---- | M] (Lavasoft) [Auto | Running] -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe -- (aawservice)
SRV - [2007/01/31 15:55:42 | 000,096,370 | ---- | M] (Canon Inc.) [Auto | Running] -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8)


========== Driver Services (SafeList) ==========

DRV - [2009/09/19 11:15:27 | 000,335,240 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgldx86.sys -- (AvgLdx86)
DRV - [2009/09/19 11:15:27 | 000,027,784 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\System32\Drivers\avgmfx86.sys -- (AvgMfx86)
DRV - [2008/04/14 05:15:29 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2005/11/25 14:39:06 | 000,203,776 | ---- | M] (VIA Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\vinyl97.sys -- (VIAudio) Vinyl AC'97 Audio Controller (WDM)
DRV - [2005/09/01 11:03:04 | 000,127,488 | ---- | M] (Ahead Software AG) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\imagesrv.sys -- (imagesrv)
DRV - [2005/09/01 11:03:04 | 000,005,888 | ---- | M] (Ahead Software AG) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\imagedrv.sys -- (imagedrv)
DRV - [2004/04/30 21:26:16 | 000,150,369 | ---- | M] (GlobespanVirata Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gwausb.sys -- (wanusb) D-Link DSL-200 USB ADSL Modem(WAN)
DRV - [2002/06/03 11:18:32 | 000,040,832 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\es1371mp.sys -- (es1371) Creative AudioPCI (ES1371,ES1373) (WDM)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,AlwaysUseDefaultPrinter = yes
IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,AlwaysUseDefaultPrinter = yes
IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,AlwaysUseDefaultPrinter = yes
IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,AlwaysUseDefaultPrinter = yes
IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-725345543-413027322-1801674531-1003\SOFTWARE\Microsoft\Internet Explorer\Main,AlwaysUseDefaultPrinter = yes
IE - HKU\S-1-5-21-725345543-413027322-1801674531-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKU\S-1-5-21-725345543-413027322-1801674531-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-725345543-413027322-1801674531-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.worldcarousel.com.au/
IE - HKU\S-1-5-21-725345543-413027322-1801674531-1003\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKU\S-1-5-21-725345543-413027322-1801674531-1003\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-725345543-413027322-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Yahoo! Search"
FF - prefs.js..browser.search.selectedEngine: "Yahoo! Search"
FF - prefs.js..browser.startup.homepage: "http://gogolbordello.com/tour/future/"
FF - prefs.js..extensions.enabledItems: avg@igeared:6.010.006.004
FF - prefs.js..keyword.URL: "http://search.avg.com/route/?d=4d3c2ec9&v=6.010.006.004&i=23&tp=ab&iy=&ychte=au&lng=en-US&q="

FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG8\Firefox [2010/01/10 11:31:25 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\avg@igeared: C:\Program Files\AVG\AVG8\Toolbar\Firefox\avg@igeared [2011/01/24 00:06:03 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.15\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/03/16 22:40:02 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.15\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/03/16 22:40:02 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.9\extensions\\Components: C:\PROGRA~1\Mozilla Thunderbird\components [2008/01/28 13:51:04 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.9\extensions\\Plugins: C:\PROGRA~1\Mozilla Thunderbird\plugins [2008/01/28 13:51:04 | 000,000,000 | ---D | M]

[2009/02/18 22:17:37 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions


And here's the Rootkit Unhooker report:




Cheers and awaiting the next chapter!!

#13 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:04:19 PM

Posted 23 March 2011 - 11:43 AM

Hi LaChilindrina, :)



Yes these are the correct logs. Great work.
They look clean to me.
However before I set you free I want to be sure there is no more active malware on your computer.



I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [image] to download the ESET Smart Installer. Save it to your desktop.
    • Double-click on the [image] icon on your desktop.
  • Check [image]
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Check [image]
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push [image]
  • Push [image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the [image] button.
  • Push [image]



And finally we should do some updating tasks to increase your security...so please stay with me. :)



Regards,
Georgi


Edit: typo.

Edited by B-boy/StyLe/, 23 March 2011 - 01:02 PM.



#14 LaChilindrina

LaChilindrina
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:10:49 PM

Posted 24 March 2011 - 04:06 AM

Hi Georgi,

I did the scan and it found just one threat:


C:\old data\WINDOWS\warnhp.html Win32/Oleloa.H trojan cleaned by deleting - quarantined


We are getting there!

#15 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:04:19 PM

Posted 26 March 2011 - 06:11 AM

Hi LaChilindrina,



Sorry for the delay again.

Nicely done. We are almost done here... :thumbsup:



I suggest you uninstall LimeWire as well!



Your log(s) show that you are using so-called peer-to-peer or file-sharing programmes (in your case LimeWire). These programmes allow users to share files between each other, as the name suggests. In today's world cyber crime has reached an enormous dimension, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous amount of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, so they should be used with intense care. Some further readings on this subject, along the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries over the world, and you are putting yourself at risk of being indicted through organisations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."


Also, please take a look here:

How cyber criminals infect victims via P2P with pirated software





Registry Editor / Cleaner Warning !!



The following is referring to CCleaner.
Please be aware that bleepingcomputer staff do not recommend the usage of registry cleaners / tools due to the following facts:
  • Registry tools can cause irreparable damage to your Operating System
  • Registry tools can, as a result of the above, render your PC inoperable.
This is done assuming that the major audience here at this board might be inexperienced users, and is thus a suggested safeguard from our side.
If you feel you have the need for a registry cleaner, then you are just as welcome to keep it. This is what we refer to as an "optional fix" and is up to the user, so just take this as a recommendation from my side.


For more information about why you should avoid using such programs please take a look here => Registry Cleaners and System Tweaking Tools





Let's do some updates here:





Your antivirus software is out of date.
I would highly recommend removing the full AVG Anti-Virus 8.5. Then re-start your computer and install the newest available version.



Click "start" on the taskbar and then click on the "Control Panel" icon.
Please double-click the "Add or Remove Programs" icon.
A list of installed programs will be "populated"; this may take a bit of time.
If they exist, uninstall the following by clicking on the following entries and selecting "remove":

AVG Anti-Virus 8.5

Additional instructions can be found here if needed.


Due to the tight integration of almost all antivirus & security software you may find several issues while uninstalling antivirus software. It's advisable to use the proper uninstall tool provided by the respective antivirus company.

The AVG removal tool will help you to uninstall the AVG program without any trouble ...The utility will remove all parts of an AVG installation on your system, including registry items, installation and user files on your hard disk, etc.

You can download it from here => AVG Remover(32bit) 2011. Simply double-click on its icon and it will open automatically. Follow the prompts.



:exclame: :exclame: :exclame: Restart your computer, then download and install the latest version of AVG from here.





We need to uninstall Adobe Flash Player 9 ActiveX because it's outdated:



Click "start" on the taskbar and then click on the "Control Panel" icon.
Please double-click the "Add or Remove Programs" icon.
A list of installed programs will be "populated"; this may take a bit of time.
If they exist, uninstall the following by clicking on the following entries and selecting "remove":

Adobe Flash Player 9 ActiveX

Additional instructions can be found here if needed.


Next, please download and install the latest version from here: Adobe Flash Player 10.2.152.32 Final for (Internet Explorer)


Extra note: :exclame: :exclame: :exclame: Please make sure that your browser is closed before you proceed with the installation process.





Your Adobe Reader is out of date.
Older versions may have vulnerabilities that malware can use to infect your system.
Please download Adobe Reader X to your PC's desktop.

* Uninstall Adobe Reader 7.0.9 via Start => Control Panel > Add/Remove Programs
* Install the new downloaded updated software.


Note: The McAfee Security Scan is pre-checked. You may wish to uncheck it before downloading.


Note: Adobe Reader X is a large program, and if you prefer a smaller program you can get Foxit Reader 4.x instead.

Foxit Reader 4.x offers 5 levels of security. Click Me for more information.

Note: When installing FoxitReader, be careful not to install anything to do with AskBar.





Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java SE Runtime Environment 6u24 and save it to your desktop.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.

J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 6


  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u24-windows-i586.exe to install the newest version.
  • If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.





You will need to run DDS again to provide a fresh DDS.txt log.
I want to be sure that nothing reappeared.
Copy/paste both the DDS.txt and Attach.txt reports in your next reply.



How are things now ? Any problems left ?



Regards,
Georgi

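As an added example (not from Georgi's post and not a BleepingComputer tool), here is a PowerShell script that reads the same Add/Remove Programs list from the registry and reports whether each Java, Adobe Flash, Adobe Reader and AVG entry named in the post is current or outdated, so the manual check above can be repeated on any machine. It assumes Windows PowerShell 2.0 or later is installed (an optional download on Windows XP SP3). The "current" version patterns in `$watchList` are assumptions pinned to the versions the post links to (Java 6u24, Flash 10.2.152.32, Reader X, AVG 2011) and should be changed to your own baseline. The script only reports; it never uninstalls anything.

```powershell
# Added example, not from the thread: inventory the Add/Remove Programs entries
# the post asks the user to review, read from the registry keys that Add/Remove
# Programs itself lists. Assumes Windows PowerShell 2.0+ (optional install on XP SP3).
# Reports only; nothing is uninstalled.

$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    # Present only on 64-bit Windows; silently skipped on 32-bit XP.
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

# Products named in the post. The 'Current' patterns are assumptions pinned to the
# versions the post links to (Java 6u24, Flash 10.2.152.32, Reader X, AVG 2011);
# adjust them to your own baseline. Each is tested against DisplayName and DisplayVersion.
$watchList = @(
    @{ Product = 'Java';         Match = '^(J2SE Runtime Environment|Java\(TM\))'; Current = 'Java\(TM\) 6 Update 24' },
    @{ Product = 'Adobe Flash';  Match = '^Adobe Flash Player';                   Current = '^10\.2\.152\.32$' },
    @{ Product = 'Adobe Reader'; Match = '^Adobe Reader';                         Current = '^10\.' },
    @{ Product = 'AVG';          Match = '^AVG ';                                 Current = '^AVG 2011' }
)

function Get-InstalledEntries {
    # Emit one object per Add/Remove Programs entry that carries a DisplayName.
    foreach ($root in $uninstallRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem $root) {
            $p = Get-ItemProperty -Path $key.PSPath
            if (-not $p.DisplayName) { continue }
            New-Object PSObject -Property @{
                DisplayName     = $p.DisplayName
                DisplayVersion  = [string]$p.DisplayVersion
                UninstallString = [string]$p.UninstallString
                KeyName         = $key.PSChildName
            }
        }
    }
}

function Test-IsCurrent {
    param($Entry, $Pattern)
    # Current if either the friendly name or the version string matches the baseline pattern.
    return ($Entry.DisplayName -match $Pattern) -or ($Entry.DisplayVersion -match $Pattern)
}

$entries  = @(Get-InstalledEntries)
$outdated = 0

foreach ($w in $watchList) {
    $hits = @($entries | Where-Object { $_.DisplayName -match $w.Match })
    if ($hits.Count -eq 0) {
        Write-Output ("[{0}] not found in Add/Remove Programs" -f $w.Product)
        continue
    }
    foreach ($h in $hits) {
        if (Test-IsCurrent $h $w.Current) {
            $status = 'current'
        } else {
            # Old JREs stay installed side by side, which is why the post says to remove each one.
            $status = 'OUTDATED - remove via Add/Remove Programs, then install the current version'
            $outdated++
        }
        Write-Output ("[{0}] {1} ({2}) -> {3}" -f $w.Product, $h.DisplayName, $h.DisplayVersion, $status)
        Write-Output ("        uninstall key: {0}" -f $h.KeyName)
    }
}

Write-Output ""
Write-Output ("{0} entries checked, {1} outdated." -f $entries.Count, $outdated)
```

Run it from an elevated PowerShell prompt and compare its "OUTDATED" lines with what the Add/Remove Programs window shows; on the machine in this thread it would list the three J2SE 5.0 entries, Flash Player 9 and Reader 7.0.9 as outdated. Keying on the Uninstall registry keys rather than on file paths matters because several JRE updates can coexist, each with its own key, and the Java installer removes only the previous one (as the post notes), so a quick look for "Java" alone can miss the leftovers.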




