Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

AVG 2011 and Antivirus 2011 Removal


  • This topic is locked This topic is locked
21 replies to this topic

#1 texamaggie

texamaggie

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:10:32 PM

Posted 27 March 2011 - 12:08 PM

I am trying to complete the removal of AVG 2011 and Antivirus 2011. I am probably 80% complete but now I am unsure of two issues. The following line appears in the HJT log file:

O4 - HKLM\..\Run: [setup2ksetup2k] c:\program files\installshield installation information\{40fef622-6e0f-46b6-824b-a40c178fd4cd}\setup2ksetup2k12.0.exe

Spybot Search and Destroy continues to bring up a dialog box indicating a registry change is being made and should I all or deny. I have continued to answer "deny". The prompt continues to pop-up every few minutes.

I completed the RKill process (eXplore.exe for AVG 2011) found on the bleeping computer website. Ran in safe mode with networking.

If I need to upload the complete HJT log file, pleaselet me know. Thanks.

Here is the HiJackThis Log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:33:22 AM, on 3/27/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17091)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Acronis\OnlineBackupStandalone\TrueImageMonitor.exe
C:\Program Files\Acer Display\eDisplay Management\DTHtml.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\FarStone\RestoreIT_XP\VBPTASK.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Portrait Displays\Plugins\AM\dtsslsrv.exe
C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Portrait Displays\Pivot Software\floater.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Portrait Displays\Drivers\pdisrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Portrait Displays\Drivers\pdiSdkHelper.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe"
O4 - HKLM\..\Run: [DT ACR] C:\Program Files\Common Files\Portrait Displays\Shared\DT_startup.exe -ACR
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SAOB Monitor] C:\Program Files\Acronis\OnlineBackupStandalone\TrueImageMonitor.exe
O4 - HKLM\..\Run: [TrueImageMonitor.exe] "C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [RestoreIT!] "C:\Program Files\FarStone\RestoreIT_XP\VBPTASK.EXE" VBStart
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [setup2ksetup2k] c:\program files\installshield installation information\{40fef622-6e0f-46b6-824b-a40c178fd4cd}\setup2ksetup2k12.0.exe
O4 - HKLM\..\Run: [NVIDIAnvMoblS6.14.11.9621] c:\program files\nvidia corporation\display\mobilevideo.exe
O4 - HKLM\..\Run: [ContactSyncgoogle] C:\program files\common files\apple\mobile device support\syncservices\clients\com.google.contactsync\isregisteredgoogle3.2.0.0.exe
O4 - HKLM\..\Run: [iTunesiTunesMiniPlayerLocalizediTunes] c:\program files\itunes\itunesminiplayer.resources\en_gb.lproj\itunesminiplayerlocalizeditunes.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.google.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1269352910656
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Acronis Nonstop Backup service (afcdpsrv) - Acronis - C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Asset Management Daemon - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Plugins\AM\dtsslsrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Canon Inkjet Printer/Scanner/Fax Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel® Management and Security Application Local Management Service (LMS) - Intel Corporation - C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Portrait Displays SDK Service (PdiService) - Portrait Displays, Inc. - C:\Program Files\Common Files\Portrait Displays\Drivers\pdisrvc.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - c:\program files\idt\intelxpv_v103\wdm\STacSV.exe
O23 - Service: Intel® Management & Security Application User Notification Service (UNS) - Intel Corporation - C:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe

--
End of file - 9872 bytes

Please advise if I need to create this in a different forum. I am stuck and cannot move forward with the fix.

EDIT: Please be patient. There are over 210 unanswered topics in this forum at present and the current average wait time to receive help is 6 days. ~BP

Posting DDS log.


.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Owner at 20:38:56.54 on Tue 03/29/2011
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3253.2442 [GMT -5:00]
.
AV: ESET Smart Security 4.2 *Enabled/Outdated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Acronis\OnlineBackupStandalone\TrueImageMonitor.exe
C:\Program Files\Acer Display\eDisplay Management\DTHtml.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\FarStone\RestoreIT_XP\VBPTASK.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Portrait Displays\Plugins\AM\dtsslsrv.exe
C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Portrait Displays\Pivot Software\floater.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Portrait Displays\Drivers\pdisrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Portrait Displays\Drivers\pdiSdkHelper.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\PROGRA~1\MICROS~3\OFFICE11\OUTLOOK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [PivotSoftware] "c:\program files\portrait displays\pivot software\wpctrl.exe"
mRun: [DT ACR] c:\program files\common files\portrait displays\shared\DT_startup.exe -ACR
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
mRun: [SAOB Monitor] c:\program files\acronis\onlinebackupstandalone\TrueImageMonitor.exe
mRun: [TrueImageMonitor.exe] "c:\program files\acronis\trueimagehome\TrueImageMonitor.exe"
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [RestoreIT!] "c:\program files\farstone\restoreit_xp\VBPTASK.EXE" VBStart
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [farstone]
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [setup2ksetup2k] c:\program files\installshield installation information\{40fef622-6e0f-46b6-824b-a40c178fd4cd}\setup2ksetup2k12.0.exe
mRun: [NVIDIAnvMoblS6.14.11.9621] c:\program files\nvidia corporation\display\mobilevideo.exe
mRun: [ContactSyncgoogle] c:\program files\common files\apple\mobile device support\syncservices\clients\com.google.contactsync\isregisteredgoogle3.2.0.0.exe
mRun: [iTunesiTunesMiniPlayerLocalizediTunes] c:\program files\itunes\itunesminiplayer.resources\en_gb.lproj\itunesminiplayerlocalizeditunes.exe
mPolicies-system: EnableLinkedConnections = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1269352910656
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\9fhdcjko.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\nos\bin\np_gp.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
============= SERVICES / DRIVERS ===============
.
R0 aarsi3x;aarsi3x;c:\windows\system32\drivers\aarsi3x.sys [2004-11-11 197120]
R0 tdrpman273;Acronis Try&Decide and Restore Points filter (build 273);c:\windows\system32\drivers\tdrpm273.sys [2010-11-6 752128]
R0 VVBackd5;VVBackd5;c:\windows\system32\drivers\VVBackd5.sys [2010-11-10 180074]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2010-7-29 115008]
R2 afcdpsrv;Acronis Nonstop Backup service;c:\program files\common files\acronis\cdp\afcdpsrv.exe [2010-11-6 3975088]
R2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2010-8-12 810144]
R2 PdiService;Portrait Displays SDK Service;c:\program files\common files\portrait displays\drivers\pdisrvc.exe [2010-11-5 109168]
R2 UNS;Intel® Management & Security Application User Notification Service;c:\program files\intel\intel® management engine components\uns\UNS.exe [2010-3-23 2320920]
R3 afcdp;afcdp;c:\windows\system32\drivers\afcdp.sys [2010-11-6 163232]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [2009-12-10 167080]
R3 IntcDAud;Intel® Display Audio;c:\windows\system32\drivers\IntcDAud.sys [2010-3-23 215040]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-11-30 136176]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-7-7 1684736]
S3 cpuz129;cpuz129;\??\c:\docume~1\owner\locals~1\temp\cpuz_x32.sys --> c:\docume~1\owner\locals~1\temp\cpuz_x32.sys [?]
S3 EfiInvoker;Efi Invoker Service;c:\windows\system32\drivers\invoker.sys [2009-7-8 5632]
S3 EfiVariable;Efi Variable Service;c:\windows\system32\drivers\variable.sys [2009-7-8 7680]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2009-7-7 14336]
S3 RTL819xp;Realtek RTL8190\RTL8192E 802.11n Wireless LAN (Mini-)PCI NIC NT Driver;c:\windows\system32\drivers\rtl819xp.sys [2010-1-30 528544]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2009-7-7 14336]
.
=============== Created Last 30 ================
.
2011-03-27 16:13:49 54016 ----a-w- c:\windows\system32\drivers\uxtuq.sys
2011-03-27 15:19:20 54016 ----a-w- c:\windows\system32\drivers\qiiup.sys
2011-03-25 19:39:52 54016 ----a-w- c:\windows\system32\drivers\gdfwgcd.sys
2011-03-24 10:10:05 -------- d-----w- c:\docume~1\owner\locals~1\applic~1\PCHealth
2011-03-23 16:26:13 -------- d-----w- c:\docume~1\owner\applic~1\AntiVirus AntiSpyware 2011
2011-03-22 14:50:38 -------- d-sh--r- c:\docume~1\owner\applic~1\J-93219-1923-12901
2011-03-22 14:50:30 142848 ----a-w- c:\docume~1\owner\applic~1\winimg32.exe
2011-02-28 09:06:47 -------- d-----w- c:\docume~1\alluse~1\applic~1\cLaGlBc06511
.
==================== Find3M ====================
.
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST3500418AS rev.CC38 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-7
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8B652AB8]
3 CLASSPNP[0xBA108FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\0000006c[0x8B6599E8]
5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Ide\IdeDeviceP2T0L0-7[0x8B658940]
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1a; MOV DI, 0x61a; PUSH DI; MOV CX, 0x1e6; REP MOVSB ; RET ; MOV SI, 0x7ae; MOV CL, 0x5; CMP BYTE [SI+0x4], 0x77; JZ 0x2c; ADD SI, 0x10; }
user != kernel MBR !!!
copy of MBR has been found in sector 1 !
.
============= FINISH: 20:39:11.92 ===============

EDIT: Posts merged ~BP

Attached Files


Edited by Budapest, 30 March 2011 - 03:55 PM.


BC AdBot (Login to Remove)

 


#2 rigacci

rigacci

    Fiorentino


  • Members
  • 2,604 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:32 PM

Posted 02 April 2011 - 07:55 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review your topic an do their best to resolve your issues.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Thanks.

DR

#3 texamaggie

texamaggie
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:10:32 PM

Posted 02 April 2011 - 09:12 AM

Hello,

Yes I am still having the problem. I have been waiting before I continue with any fixes. I ran DDS and posted the results in my original post. Nothing has changed since that time as I have left the computer in the same state it was immediately after completing DDS and GMER. I attached the files to that post.

Please advise if I need to re-attach. Thank you for your assistance.

#4 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:10:32 AM

Posted 03 April 2011 - 06:37 AM

Hello and welcome to Bleeping Computer. :)

*Please enable topic reply notification, follow step # 4 -> Here.

*It is important not to make any further changes or run any other tools/updates unless instructed to. This may hinder the cleaning process of your machine.

*Please do not attach logs unless instructed.

*You must reply within 5 days otherwise this topic will be closed.


=================================


1. Download TDSSKiller.zip from Kaspersky and save it to your Desktop.
  • Extract the zip file to its own folder.
  • Double click TDSSKiller.exe to run the program (Run as Administrator for Vista/Windows 7).
  • Click Start scan to start scanning.
  • If infection is detected, the default setting for "action" is Cure (Please click on it and change it to skip).
  • Click on Report to generate a log.
  • Please post that log when you reply.



2. We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#5 texamaggie

texamaggie
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:10:32 PM

Posted 04 April 2011 - 07:44 PM

Here are the files as requested:



2011/04/04 19:25:24.0221 0736 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28
2011/04/04 19:25:24.0439 0736 ================================================================================
2011/04/04 19:25:24.0439 0736 SystemInfo:
2011/04/04 19:25:24.0439 0736
2011/04/04 19:25:24.0439 0736 OS Version: 5.1.2600 ServicePack: 3.0
2011/04/04 19:25:24.0439 0736 Product type: Workstation
2011/04/04 19:25:24.0439 0736 ComputerName: LOWTHER
2011/04/04 19:25:24.0439 0736 UserName: Owner
2011/04/04 19:25:24.0439 0736 Windows directory: C:\WINDOWS
2011/04/04 19:25:24.0439 0736 System windows directory: C:\WINDOWS
2011/04/04 19:25:24.0439 0736 Processor architecture: Intel x86
2011/04/04 19:25:24.0439 0736 Number of processors: 4
2011/04/04 19:25:24.0439 0736 Page size: 0x1000
2011/04/04 19:25:24.0439 0736 Boot type: Normal boot
2011/04/04 19:25:24.0439 0736 ================================================================================
2011/04/04 19:25:24.0674 0736 Initialize success
2011/04/04 19:25:53.0283 1648 ================================================================================
2011/04/04 19:25:53.0283 1648 Scan started
2011/04/04 19:25:53.0283 1648 Mode: Manual;
2011/04/04 19:25:53.0283 1648 ================================================================================
2011/04/04 19:25:53.0924 1648 aarsi3x (b3e94f6babb3c27b9f33316009994016) C:\WINDOWS\system32\DRIVERS\aarsi3x.sys
2011/04/04 19:25:53.0955 1648 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/04/04 19:25:53.0971 1648 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/04/04 19:25:54.0002 1648 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/04/04 19:25:54.0017 1648 afcdp (927cf84b23fcac998193563bd465fd58) C:\WINDOWS\system32\DRIVERS\afcdp.sys
2011/04/04 19:25:54.0033 1648 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2011/04/04 19:25:54.0111 1648 Ambfilt (f6af59d6eee5e1c304f7f73706ad11d8) C:\WINDOWS\system32\drivers\Ambfilt.sys
2011/04/04 19:25:54.0158 1648 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2011/04/04 19:25:54.0267 1648 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/04/04 19:25:54.0283 1648 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/04/04 19:25:54.0314 1648 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/04/04 19:25:54.0330 1648 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/04/04 19:25:54.0361 1648 BANTExt (5d7be7b19e827125e016325334e58ff1) C:\WINDOWS\System32\Drivers\BANTExt.sys
2011/04/04 19:25:54.0392 1648 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/04/04 19:25:54.0424 1648 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/04/04 19:25:54.0439 1648 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/04/04 19:25:54.0439 1648 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/04/04 19:25:54.0471 1648 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/04/04 19:25:54.0642 1648 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/04/04 19:25:54.0674 1648 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/04/04 19:25:54.0721 1648 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/04/04 19:25:54.0721 1648 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/04/04 19:25:54.0752 1648 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/04/04 19:25:54.0783 1648 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/04/04 19:25:54.0814 1648 e1kexpress (9f7ae949202f0ef6b17dd3cc5c117ad3) C:\WINDOWS\system32\DRIVERS\e1k5132.sys
2011/04/04 19:25:54.0830 1648 eamon (1ceb779239965000b8f6adee17d4515b) C:\WINDOWS\system32\DRIVERS\eamon.sys
2011/04/04 19:25:54.0846 1648 EfiInvoker (fd8f4067854b6e6379bf89f0209be61b) C:\WINDOWS\System32\Drivers\invoker.sys
2011/04/04 19:25:54.0877 1648 EfiVariable (c4bc7cbe17975d120f2c769deb40bb47) C:\WINDOWS\System32\Drivers\variable.sys
2011/04/04 19:25:54.0892 1648 ehdrv (7d300a43a7bd8769e0f901bf9e1ae367) C:\WINDOWS\system32\DRIVERS\ehdrv.sys
2011/04/04 19:25:54.0908 1648 epfw (15bfe00f030ea20955117bb0677e9668) C:\WINDOWS\system32\DRIVERS\epfw.sys
2011/04/04 19:25:54.0924 1648 Epfwndis (52310e0e603d7da79ecca7d764937a91) C:\WINDOWS\system32\DRIVERS\Epfwndis.sys
2011/04/04 19:25:54.0939 1648 epfwtdi (bdde7dd8fcdb1de7e879bb320b0605c0) C:\WINDOWS\system32\DRIVERS\epfwtdi.sys
2011/04/04 19:25:55.0002 1648 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/04/04 19:25:55.0017 1648 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
2011/04/04 19:25:55.0033 1648 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/04/04 19:25:55.0049 1648 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2011/04/04 19:25:55.0064 1648 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2011/04/04 19:25:55.0080 1648 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/04/04 19:25:55.0111 1648 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/04/04 19:25:55.0127 1648 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2011/04/04 19:25:55.0158 1648 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/04/04 19:25:55.0174 1648 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/04/04 19:25:55.0205 1648 HECI (a88485dc6a7136c10d9a6c7e38fdfe3c) C:\WINDOWS\system32\DRIVERS\HECI.sys
2011/04/04 19:25:55.0236 1648 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/04/04 19:25:55.0267 1648 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/04/04 19:25:55.0330 1648 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/04/04 19:25:55.0361 1648 ialm (ecb41539f07192e9d43487a51d9905be) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
2011/04/04 19:25:55.0439 1648 iaStor (d483687eace0c065ee772481a96e05f5) C:\WINDOWS\system32\DRIVERS\iaStor.sys
2011/04/04 19:25:55.0455 1648 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/04/04 19:25:55.0596 1648 IntcAzAudAddService (9037c8bd3e896d7f2803a171fdeaeef4) C:\WINDOWS\system32\drivers\RtkHDAud.sys
2011/04/04 19:25:55.0642 1648 IntcDAud (6fc3b9c53f1a8e19fc1761a8022da8eb) C:\WINDOWS\system32\DRIVERS\IntcDAud.sys
2011/04/04 19:25:55.0658 1648 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/04/04 19:25:55.0674 1648 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
2011/04/04 19:25:55.0689 1648 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/04/04 19:25:55.0705 1648 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/04/04 19:25:55.0721 1648 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/04/04 19:25:55.0752 1648 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/04/04 19:25:55.0783 1648 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/04/04 19:25:55.0799 1648 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/04/04 19:25:55.0830 1648 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/04/04 19:25:55.0846 1648 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/04/04 19:25:55.0877 1648 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/04/04 19:25:55.0908 1648 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/04/04 19:25:55.0955 1648 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/04/04 19:25:55.0986 1648 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/04/04 19:25:56.0033 1648 Monfilt (9fa7207d1b1adead88ae8eed9cdbbaa5) C:\WINDOWS\system32\drivers\Monfilt.sys
2011/04/04 19:25:56.0064 1648 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/04/04 19:25:56.0096 1648 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/04/04 19:25:56.0142 1648 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/04/04 19:25:56.0189 1648 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/04/04 19:25:56.0221 1648 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/04/04 19:25:56.0252 1648 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/04/04 19:25:56.0267 1648 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/04/04 19:25:56.0267 1648 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/04/04 19:25:56.0283 1648 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/04/04 19:25:56.0299 1648 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/04/04 19:25:56.0346 1648 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/04/04 19:25:56.0392 1648 NAL (7f16ee8322ebdf3c3b2d1a69f8030fd4) C:\WINDOWS\system32\Drivers\iqvw32.sys
2011/04/04 19:25:56.0408 1648 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/04/04 19:25:56.0424 1648 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/04/04 19:25:56.0471 1648 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/04/04 19:25:56.0502 1648 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/04/04 19:25:56.0533 1648 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/04/04 19:25:56.0564 1648 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/04/04 19:25:56.0580 1648 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/04/04 19:25:56.0596 1648 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2011/04/04 19:25:56.0658 1648 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/04/04 19:25:56.0689 1648 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/04/04 19:25:56.0705 1648 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/04/04 19:25:56.0767 1648 nv (dc6129d7e93e4bd101d4debe9c85350b) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2011/04/04 19:25:56.0877 1648 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\nv4_mini.sys. Real md5: dc6129d7e93e4bd101d4debe9c85350b, Fake md5: cb0ce8de9f66a297cd86eb98921b8e58
2011/04/04 19:25:56.0892 1648 nv - detected Forged file (1)
2011/04/04 19:25:56.0924 1648 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/04/04 19:25:56.0924 1648 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/04/04 19:25:56.0955 1648 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2011/04/04 19:25:56.0971 1648 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/04/04 19:25:56.0986 1648 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/04/04 19:25:57.0002 1648 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/04/04 19:25:57.0033 1648 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/04/04 19:25:57.0049 1648 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/04/04 19:25:57.0096 1648 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/04/04 19:25:57.0142 1648 PdiPorts (3b2f443b8e23d17d46f0e43e2fc42cfe) C:\WINDOWS\system32\Drivers\PdiPorts.sys
2011/04/04 19:25:57.0252 1648 pfc (da86016f0672ada925f589ede715f185) C:\WINDOWS\system32\drivers\pfc.sys
2011/04/04 19:25:57.0267 1648 Pivot (943f840611d33832308ec5310b616b57) C:\WINDOWS\system32\drivers\pivot.sys
2011/04/04 19:25:57.0299 1648 pivotmou (998c58295288eedfbfe95e7f6cc94df4) C:\WINDOWS\system32\drivers\pivotmou.sys
2011/04/04 19:25:57.0314 1648 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/04/04 19:25:57.0330 1648 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/04/04 19:25:57.0330 1648 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/04/04 19:25:57.0392 1648 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/04/04 19:25:57.0408 1648 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/04/04 19:25:57.0408 1648 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/04/04 19:25:57.0424 1648 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/04/04 19:25:57.0455 1648 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/04/04 19:25:57.0471 1648 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/04/04 19:25:57.0502 1648 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/04/04 19:25:57.0533 1648 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/04/04 19:25:57.0549 1648 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/04/04 19:25:57.0580 1648 RTL819xp (ee2e23cd5700c1f92f5be099b93a5d04) C:\WINDOWS\system32\DRIVERS\rtl819xp.sys
2011/04/04 19:25:57.0611 1648 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/04/04 19:25:57.0642 1648 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/04/04 19:25:57.0658 1648 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/04/04 19:25:57.0689 1648 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/04/04 19:25:57.0736 1648 snapman (85bada660d57bc5aef52b11cabd6d8f9) C:\WINDOWS\system32\DRIVERS\snapman.sys
2011/04/04 19:25:57.0783 1648 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/04/04 19:25:57.0799 1648 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/04/04 19:25:57.0814 1648 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/04/04 19:25:57.0861 1648 STHDA (228519217a88c2f6b0cf8c022e6d669c) C:\WINDOWS\system32\drivers\sthda.sys
2011/04/04 19:25:57.0908 1648 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/04/04 19:25:57.0924 1648 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/04/04 19:25:57.0986 1648 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/04/04 19:25:58.0017 1648 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/04/04 19:25:58.0049 1648 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/04/04 19:25:58.0080 1648 tdrpman273 (431801fcc97034e04a6eff81136578d7) C:\WINDOWS\system32\DRIVERS\tdrpm273.sys
2011/04/04 19:25:58.0096 1648 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/04/04 19:25:58.0127 1648 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/04/04 19:25:58.0142 1648 timounter (a34d7024bb7140ec785c86bc065d4f60) C:\WINDOWS\system32\DRIVERS\timntr.sys
2011/04/04 19:25:58.0189 1648 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/04/04 19:25:58.0221 1648 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/04/04 19:25:58.0252 1648 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/04/04 19:25:58.0252 1648 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/04/04 19:25:58.0267 1648 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/04/04 19:25:58.0299 1648 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/04/04 19:25:58.0330 1648 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/04/04 19:25:58.0377 1648 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/04/04 19:25:58.0392 1648 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/04/04 19:25:58.0424 1648 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/04/04 19:25:58.0455 1648 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/04/04 19:25:58.0533 1648 VVBackd5 (acaccdbb768b778f36fc3614c4980b46) C:\WINDOWS\system32\drivers\VVBackd5.sys
2011/04/04 19:25:58.0549 1648 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/04/04 19:25:58.0580 1648 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/04/04 19:25:58.0627 1648 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/04/04 19:25:58.0642 1648 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/04/04 19:25:58.0721 1648 ================================================================================
2011/04/04 19:25:58.0721 1648 Scan finished
2011/04/04 19:25:58.0721 1648 ================================================================================
2011/04/04 19:25:58.0736 2952 Detected object count: 1
2011/04/04 19:27:22.0346 2952 Forged file(nv) - User select action: Skip












OTL logfile created on: 4/4/2011 7:34:01 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 74.00% Memory free
5.00 Gb Paging File | 4.00 Gb Available in Paging File | 87.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 236.26 Gb Total Space | 225.04 Gb Free Space | 95.25% Space Free | Partition Type: NTFS
Drive D: | 465.76 Gb Total Space | 10.34 Gb Free Space | 2.22% Space Free | Partition Type: NTFS

Computer Name: LOWTHER | User Name: Owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/04/04 19:31:55 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
PRC - [2011/01/30 16:27:10 | 000,107,008 | ---- | M] () -- C:\Program Files\VideoLAN\VLC\vlc.exe
PRC - [2010/11/06 22:51:48 | 003,975,088 | ---- | M] (Acronis) -- C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe
PRC - [2010/09/08 02:21:06 | 000,390,736 | ---- | M] (Acronis) -- C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
PRC - [2010/09/08 02:21:00 | 000,779,960 | ---- | M] (Acronis) -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
PRC - [2010/09/08 02:19:12 | 005,479,424 | ---- | M] (Acronis) -- C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
PRC - [2010/09/02 16:35:52 | 002,536,440 | ---- | M] (Acronis) -- C:\Program Files\Acronis\OnlineBackupStandalone\TrueImageMonitor.exe
PRC - [2010/08/12 13:16:26 | 000,810,144 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET Smart Security\ekrn.exe
PRC - [2010/08/12 13:16:12 | 002,215,064 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET Smart Security\egui.exe
PRC - [2009/12/09 15:50:00 | 002,320,920 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe
PRC - [2009/12/09 15:49:58 | 000,268,824 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe
PRC - [2009/08/24 15:17:34 | 000,114,688 | ---- | M] () -- C:\Program Files\Common Files\Portrait Displays\Plugins\AM\dtsslsrv.exe
PRC - [2009/08/24 15:17:12 | 000,327,168 | ---- | M] (Portrait Displays, Inc) -- C:\Program Files\Acer Display\eDisplay Management\dthtml.exe
PRC - [2009/08/24 15:14:58 | 000,069,632 | ---- | M] () -- C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
PRC - [2009/08/24 15:14:48 | 000,114,688 | ---- | M] (Portrait Displays Inc.) -- C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe
PRC - [2009/07/15 12:43:48 | 000,203,376 | ---- | M] (Portrait Displays, Inc.) -- C:\Program Files\Common Files\Portrait Displays\Drivers\pdiSDKHelper.exe
PRC - [2009/07/15 12:43:46 | 000,109,168 | ---- | M] (Portrait Displays, Inc.) -- C:\Program Files\Common Files\Portrait Displays\Drivers\pdisrvc.exe
PRC - [2008/10/09 09:07:56 | 000,107,912 | ---- | M] () -- C:\Program Files\Canon\IJPLM\ijplmsvc.exe
PRC - [2008/04/14 07:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/03/17 20:06:00 | 001,848,648 | ---- | M] (CANON INC.) -- C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
PRC - [2007/02/09 11:17:30 | 000,694,008 | ---- | M] () -- C:\Program Files\Portrait Displays\Pivot Software\Floater.exe
PRC - [2007/02/09 11:17:26 | 000,694,008 | ---- | M] () -- C:\Program Files\Portrait Displays\Pivot Software\wpCtrl.exe
PRC - [2003/07/18 11:05:30 | 000,237,568 | ---- | M] (FarStone Tech. Inc.) -- C:\Program Files\FarStone\RestoreIT_XP\vbptask.exe


========== Modules (SafeList) ==========

MOD - [2011/04/04 19:31:55 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
MOD - [2010/08/23 11:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
MOD - [2007/02/09 11:16:08 | 000,245,760 | ---- | M] () -- C:\Program Files\Portrait Displays\Pivot Software\Winphook.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/11/29 11:41:26 | 000,058,944 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper_3004.dll -- (nosGetPlusHelper) getPlus®
SRV - [2010/11/06 22:51:48 | 003,975,088 | ---- | M] (Acronis) [Auto | Running] -- C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe -- (afcdpsrv)
SRV - [2010/09/08 02:21:00 | 000,779,960 | ---- | M] (Acronis) [Auto | Running] -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe -- (AcrSch2Svc)
SRV - [2010/08/12 13:18:40 | 000,033,584 | ---- | M] (ESET) [On_Demand | Stopped] -- C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe -- (EhttpSrv)
SRV - [2010/08/12 13:16:26 | 000,810,144 | ---- | M] (ESET) [Auto | Running] -- C:\Program Files\ESET\ESET Smart Security\ekrn.exe -- (ekrn)
SRV - [2009/12/09 15:50:00 | 002,320,920 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe -- (UNS) Intel®
SRV - [2009/12/09 15:49:58 | 000,268,824 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe -- (LMS) Intel®
SRV - [2009/08/24 15:17:34 | 000,114,688 | ---- | M] () [Auto | Running] -- C:\Program Files\Common Files\Portrait Displays\Plugins\AM\dtsslsrv.exe -- (Asset Management Daemon)
SRV - [2009/08/24 15:14:58 | 000,069,632 | ---- | M] () [Auto | Running] -- C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe -- (DTSRVC)
SRV - [2009/07/15 12:43:46 | 000,109,168 | ---- | M] (Portrait Displays, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Portrait Displays\Drivers\pdisrvc.exe -- (PdiService)
SRV - [2009/03/12 11:53:46 | 000,254,036 | ---- | M] (IDT, Inc.) [Auto | Stopped] -- c:\Program Files\IDT\IntelXPV_v103\WDM\stacsv.exe -- (STacSV)
SRV - [2008/10/09 09:07:56 | 000,107,912 | ---- | M] () [Auto | Running] -- C:\Program Files\Canon\IJPLM\ijplmsvc.exe -- (IJPLMSVC)


========== Driver Services (SafeList) ==========

DRV - [2010/11/06 22:51:52 | 000,163,232 | ---- | M] (Acronis) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\afcdp.sys -- (afcdp)
DRV - [2010/11/06 22:51:45 | 000,752,128 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\tdrpm273.sys -- (tdrpman273) Acronis Try&Decide and Restore Points filter (build 273)
DRV - [2010/11/06 22:51:43 | 000,600,928 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\timntr.sys -- (timounter)
DRV - [2010/11/06 22:51:35 | 000,170,464 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\snapman.sys -- (snapman)
DRV - [2010/08/04 10:50:36 | 000,140,752 | ---- | M] (ESET) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\eamon.sys -- (eamon)
DRV - [2010/08/03 12:28:36 | 000,055,256 | ---- | M] (ESET) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\epfwtdi.sys -- (epfwtdi)
DRV - [2010/07/29 12:31:26 | 000,134,512 | ---- | M] (ESET) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\epfw.sys -- (epfw)
DRV - [2010/07/29 12:31:26 | 000,115,008 | ---- | M] (ESET) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ehdrv.sys -- (ehdrv)
DRV - [2010/07/29 12:31:26 | 000,032,608 | ---- | M] (ESET) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\epfwndis.sys -- (Epfwndis)
DRV - [2010/01/30 02:32:56 | 000,528,544 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\rtl819xp.sys -- (RTL819xp) Realtek RTL8190\RTL8192E 802.11n Wireless LAN (Mini-)
DRV - [2010/01/12 15:24:00 | 000,030,880 | ---- | M] (Intel Corporation ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\iqvw32.sys -- (NAL)
DRV - [2009/12/10 08:33:34 | 000,167,080 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\e1k5132.sys -- (e1kexpress) Intel®
DRV - [2009/11/27 20:16:48 | 000,215,040 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\IntcDAud.sys -- (IntcDAud) Intel®
DRV - [2009/09/17 11:54:14 | 000,041,088 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HECI.sys -- (HECI) Intel®
DRV - [2009/07/15 12:43:32 | 000,017,136 | ---- | M] (Portrait Displays, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\PdiPorts.sys -- (PdiPorts)
DRV - [2009/07/08 10:26:30 | 000,007,680 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\variable.sys -- (EfiVariable)
DRV - [2009/07/08 10:26:30 | 000,005,632 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\invoker.sys -- (EfiInvoker)
DRV - [2009/04/27 18:26:00 | 005,074,944 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2009/03/12 11:53:46 | 001,550,613 | ---- | M] (IDT, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2008/08/05 19:10:00 | 001,684,736 | ---- | M] (Creative) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Ambfilt.sys -- (Ambfilt)
DRV - [2008/02/27 12:49:00 | 000,003,840 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\BANTExt.sys -- (BANTExt)
DRV - [2007/02/09 11:17:18 | 000,017,465 | ---- | M] (Portrait Displays, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\pivot.sys -- (Pivot)
DRV - [2007/02/09 11:17:16 | 000,011,323 | ---- | M] (Portrait Displays, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pivotmou.sys -- (pivotmou)
DRV - [2006/01/04 14:41:00 | 001,389,056 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Monfilt.sys -- (Monfilt)
DRV - [2004/11/11 18:09:06 | 000,197,120 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\aarsi3x.sys -- (aarsi3x)
DRV - [2004/08/17 08:46:44 | 000,009,856 | ---- | M] (Padus, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pfc.sys -- (pfc)
DRV - [2003/03/04 12:30:34 | 000,180,074 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\VVBackd5.sys -- (VVBackd5)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1780426037-1517342991-793028906-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-1780426037-1517342991-793028906-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/11/06 15:31:30 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/12/10 16:50:52 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Thunderbird\Extensions\\eplgTb@eset.com: C:\Program Files\ESET\ESET Smart Security\Mozilla Thunderbird [2010/11/06 22:13:16 | 000,000,000 | ---D | M]

[2010/11/05 17:02:54 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions
[2011/04/04 03:39:48 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\9fhdcjko.default\extensions
[2010/11/05 18:07:15 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\9fhdcjko.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/04/04 03:39:48 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2009/07/07 15:53:10 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF

O1 HOSTS File: ([2010/11/10 18:58:31 | 000,424,689 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 14637 more lines...
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O4 - HKLM..\Run: [Acronis Scheduler2 Service] C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe (Acronis)
O4 - HKLM..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe (CANON INC.)
O4 - HKLM..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe (CANON INC.)
O4 - HKLM..\Run: [ContactSyncgoogle] File not found
O4 - HKLM..\Run: [DT ACR] C:\Program Files\Common Files\Portrait Displays\Shared\DT_startup.exe ()
O4 - HKLM..\Run: [egui] C:\Program Files\ESET\ESET Smart Security\egui.exe (ESET)
O4 - HKLM..\Run: [farstone] File not found
O4 - HKLM..\Run: [iTunesiTunesMiniPlayerLocalizediTunes] File not found
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NVIDIAnvMoblS6.14.11.9621] File not found
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [PivotSoftware] C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe ()
O4 - HKLM..\Run: [RestoreIT!] C:\Program Files\FarStone\RestoreIT_XP\VBPTASK.EXE (FarStone Tech. Inc.)
O4 - HKLM..\Run: [SAOB Monitor] C:\Program Files\Acronis\OnlineBackupStandalone\TrueImageMonitor.exe (Acronis)
O4 - HKLM..\Run: [setup2ksetup2k] File not found
O4 - HKLM..\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray.exe (IDT, Inc.)
O4 - HKLM..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe (Acronis)
O4 - HKU\S-1-5-21-1780426037-1517342991-793028906-1004..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLinkedConnections = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1780426037-1517342991-793028906-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1269352910656 (MUWebControl Class)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (get_atlcom Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 209.18.47.61 209.18.47.62
O18 - Protocol\Handler\belarc {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/07/07 15:42:53 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2010/11/10 18:30:39 | 000,002,789 | ---- | M] () - C:\AutoSetup.log -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/04/04 19:31:55 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2011/04/04 19:23:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\tdsskiller
[2011/04/04 11:38:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\vlc
[2011/04/04 11:38:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\VideoLAN
[2011/04/04 11:38:23 | 000,000,000 | ---D | C] -- C:\Program Files\VideoLAN
[2011/04/04 11:35:08 | 002,307,704 | ---- | C] (W3i, LLC) -- C:\Documents and Settings\Owner\Desktop\VLC.exe
[2011/04/03 03:47:56 | 000,000,000 | ---D | C] -- C:\WINDOWS\Sun
[2011/03/29 20:59:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\gmer
[2011/03/27 11:30:17 | 000,388,608 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\Owner\Desktop\HijackThis.exe
[2011/03/26 17:31:47 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Owner\Recent
[2011/03/24 05:10:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\PCHealth
[2011/03/23 11:26:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\AntiVirus AntiSpyware 2011
[2011/03/22 09:50:38 | 000,000,000 | RHSD | C] -- C:\Documents and Settings\Owner\Application Data\J-93219-1923-12901
[2010/03/23 08:22:13 | 000,004,096 | ---- | C] ( ) -- C:\WINDOWS\System32\IGFXDEVLib.dll
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/04/04 19:31:55 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2011/04/04 19:22:36 | 001,263,721 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\tdsskiller.zip
[2011/04/04 18:59:00 | 000,000,884 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/04/04 17:59:00 | 000,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/04/04 11:38:49 | 000,000,725 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\VLC media player.lnk
[2011/04/04 11:35:20 | 002,307,704 | ---- | M] (W3i, LLC) -- C:\Documents and Settings\Owner\Desktop\VLC.exe
[2011/03/29 20:57:55 | 000,293,019 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\gmer.zip
[2011/03/29 20:37:39 | 000,625,664 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\dds.scr
[2011/03/27 11:30:17 | 000,388,608 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\Owner\Desktop\HijackThis.exe
[2011/03/27 11:16:56 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/03/27 11:13:49 | 000,054,016 | ---- | M] () -- C:\WINDOWS\System32\drivers\uxtuq.sys
[2011/03/27 10:19:20 | 000,054,016 | ---- | M] () -- C:\WINDOWS\System32\drivers\qiiup.sys
[2011/03/27 09:46:34 | 001,006,778 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\iExplore.exe
[2011/03/26 17:38:03 | 000,000,608 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\cc_20110326_173721.reg
[2011/03/26 17:34:28 | 000,077,776 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\cc_20110326_173353.reg
[2011/03/25 14:39:52 | 000,054,016 | ---- | M] () -- C:\WINDOWS\System32\drivers\gdfwgcd.sys
[2011/03/25 14:14:43 | 000,000,209 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Vision Support.url
[2011/03/25 14:12:21 | 000,011,910 | -HS- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\k746u30jl60ljh380p6
[2011/03/25 14:12:21 | 000,011,910 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\k746u30jl60ljh380p6
[2011/03/25 14:10:34 | 000,012,598 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/03/22 09:50:31 | 000,142,848 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\winimg32.exe
[2011/03/22 09:50:28 | 000,065,536 | -H-- | M] () -- C:\Documents and Settings\Owner\Desktop\Version
[2011/03/21 04:46:04 | 000,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2011/03/17 05:19:55 | 000,443,918 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/03/17 05:19:55 | 000,072,050 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/03/15 02:07:53 | 000,012,986 | -HS- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\2122746114
[2011/03/15 02:07:53 | 000,012,986 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\2122746114
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/04/04 19:22:36 | 001,263,721 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\tdsskiller.zip
[2011/04/04 11:38:49 | 000,000,725 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\VLC media player.lnk
[2011/03/29 20:57:55 | 000,293,019 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\gmer.zip
[2011/03/29 20:37:39 | 000,625,664 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\dds.scr
[2011/03/27 11:13:49 | 000,054,016 | ---- | C] () -- C:\WINDOWS\System32\drivers\uxtuq.sys
[2011/03/27 10:19:20 | 000,054,016 | ---- | C] () -- C:\WINDOWS\System32\drivers\qiiup.sys
[2011/03/27 09:46:34 | 001,006,778 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\iExplore.exe
[2011/03/26 17:37:27 | 000,000,608 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\cc_20110326_173721.reg
[2011/03/26 17:34:12 | 000,077,776 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\cc_20110326_173353.reg
[2011/03/25 14:39:52 | 000,054,016 | ---- | C] () -- C:\WINDOWS\System32\drivers\gdfwgcd.sys
[2011/03/25 05:26:11 | 000,011,910 | -HS- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\k746u30jl60ljh380p6
[2011/03/25 05:26:11 | 000,011,910 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\k746u30jl60ljh380p6
[2011/03/22 09:50:30 | 000,142,848 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\winimg32.exe
[2011/03/22 09:50:28 | 000,065,536 | -H-- | C] () -- C:\Documents and Settings\Owner\Desktop\Version
[2011/03/21 04:46:04 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2011/03/15 02:05:45 | 000,012,986 | -HS- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\2122746114
[2011/03/15 02:05:45 | 000,012,986 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\2122746114
[2011/02/07 17:02:44 | 000,661,465 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\igxpdv32.dat
[2011/02/07 11:03:54 | 000,054,016 | ---- | C] () -- C:\WINDOWS\System32\drivers\htlhjeqm.sys
[2010/11/10 18:30:38 | 000,180,074 | ---- | C] () -- C:\WINDOWS\System32\drivers\VVBackd5.sys
[2010/11/06 15:43:40 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2010/11/06 15:18:46 | 000,064,200 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/11/05 17:19:46 | 000,002,304 | ---- | C] () -- C:\WINDOWS\System32\Machnm32.sys
[2010/11/05 17:02:54 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2010/10/16 02:29:37 | 000,000,406 | ---- | C] () -- C:\WINDOWS\vbface.INI
[2010/10/16 02:16:27 | 000,000,832 | ---- | C] () -- C:\WINDOWS\System32\staPoMsg.dat
[2010/03/23 10:31:56 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2010/03/23 08:22:14 | 000,127,896 | ---- | C] () -- C:\WINDOWS\System32\igcompkrng575.bin
[2010/03/23 08:22:13 | 000,874,032 | ---- | C] () -- C:\WINDOWS\System32\igkrng575.bin
[2010/03/23 08:22:12 | 000,000,151 | ---- | C] () -- C:\WINDOWS\System32\GfxUI.exe.config
[2010/01/12 11:03:34 | 002,283,526 | ---- | C] () -- C:\WINDOWS\System32\nvdata.bin
[2009/07/07 19:22:48 | 001,724,416 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2009/07/07 19:22:48 | 001,657,376 | ---- | C] () -- C:\WINDOWS\System32\nwiz.exe
[2009/07/07 19:22:48 | 001,101,824 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2009/07/07 19:22:48 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2009/07/07 19:22:47 | 001,507,328 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2009/07/07 19:22:47 | 001,346,080 | ---- | C] () -- C:\WINDOWS\System32\nvdspsch.exe
[2009/07/07 19:22:46 | 000,449,056 | ---- | C] () -- C:\WINDOWS\System32\nvappbar.exe
[2009/07/07 19:22:45 | 000,436,768 | ---- | C] () -- C:\WINDOWS\System32\keystone.exe
[2009/07/07 19:22:03 | 000,000,838 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2009/07/07 19:19:12 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2009/07/07 19:19:06 | 000,443,918 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2009/07/07 19:19:06 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2009/07/07 19:19:06 | 000,072,050 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2009/07/07 19:19:06 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2009/07/07 19:19:04 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2009/07/07 19:19:04 | 000,004,461 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2009/07/07 19:19:01 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2009/07/07 19:18:52 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2009/07/07 19:18:52 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2009/07/07 19:18:34 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2009/07/07 19:18:29 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2009/07/07 15:53:36 | 000,003,840 | ---- | C] () -- C:\WINDOWS\System32\drivers\BANTExt.sys
[2009/07/07 15:45:59 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2009/07/07 15:41:01 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2009/07/07 11:35:12 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2009/07/07 11:34:36 | 000,243,128 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2008/10/07 04:13:30 | 000,197,912 | ---- | C] () -- C:\WINDOWS\System32\physxcudart_20.dll
[2008/10/07 04:13:22 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelTraditionalChinese.dll
[2008/10/07 04:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSwedish.dll
[2008/10/07 04:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSpanish.dll
[2008/10/07 04:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSimplifiedChinese.dll
[2008/10/07 04:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelPortugese.dll
[2008/10/07 04:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelKorean.dll
[2008/10/07 04:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelJapanese.dll
[2008/10/07 04:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelGerman.dll
[2008/10/07 04:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelFrench.dll
[2003/01/07 14:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

< End of report >









OTL Extras logfile created on: 4/4/2011 7:34:01 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 74.00% Memory free
5.00 Gb Paging File | 4.00 Gb Available in Paging File | 87.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 236.26 Gb Total Space | 225.04 Gb Free Space | 95.25% Space Free | Partition Type: NTFS
Drive D: | 465.76 Gb Total Space | 10.34 Gb Free Space | 2.22% Space Free | Partition Type: NTFS

Computer Name: LOWTHER | User Name: Owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

[HKEY_USERS\S-1-5-21-1780426037-1517342991-793028906-1004\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"5985:TCP" = 5985:TCP:*:Disabled:Windows Remote Management
"80:TCP" = 80:TCP:*:Disabled:Windows Remote Management - Compatibility Mode (HTTP-In)
"3389:TCP" = 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Documents and Settings\Owner\Application Data\J-93219-1923-12901\mobile32.exe" = C:\Documents and Settings\Owner\Application Data\J-93219-1923-12901\mobile32.exe:*:Enabled:Mobile Device Service -- ()


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0217E1D1-BCEF-4A61-AF6D-F7740F65A066}" = Pivot Software
"{04A3A6B0-8E19-49BB-82FF-65C5A55F917D}" = Acronis True Image Home 2011
"{055FEF8E-4B86-400F-A5C6-8FAC0042DCD9}" = NVIDIA nStant Media
"{0BBBA9A9-02E8-467D-BE57-4797A50F7861}" = Intel® Network Connections 15.1.29.0
"{0DEA342C-15CB-4F52-97B6-06A9C4B9C06F}" = SDK
"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MX330_series" = Canon MX330 series MP Drivers
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java™ 6 Update 13
"{2CE5A2E7-3437-4CE7-BCF4-85ED6EEFF9E4}" = iTunes
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{64FDE32B-72F5-445D-939B-8D3CD01CB388}" = ESET Smart Security
"{65153EA5-8B6E-43B6-857B-C6E4FC25798A}" = Intel® Management Engine Components
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{91E30409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A586DC50-B18D-48FB-B7CC-A598200457C2}" = Acer eDisplay Management
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-A91000000001}" = Adobe Reader 9.1
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C41300B9-185D-475E-BFEC-39EF732F19B1}" = Apple Software Update
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CCA1EEA3-555E-4D05-AC46-4B49C6C5D887}" = Apple Mobile Device Support
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{DAEAFD68-BB4A-4507-A241-C8804D2EA66D}" = Apple Application Support
"{DD1865F0-AD73-40FB-B23E-1822E02396FF}" = NVIDIA PhysX
"{E2883E8F-472F-4fb0-9522-AC9BF37916A7}" = Adobe Download Manager
"{E3A5A8AB-58F6-45FF-AFCB-C9AE18C05001}" = IDT Audio
"{E7004147-2CCA-431C-AA05-2AB166B9785D}" = QuickTime
"{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}" = Intel® Graphics Media Accelerator Driver
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{FF1C31AE-0CDC-40CE-AB85-406F8B70D643}" = Bonjour
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Belarc Advisor" = Belarc Advisor 7.2
"Canon MX330 series User Registration" = Canon MX330 series User Registration
"CANONIJPLM100" = Canon Inkjet Printer/Scanner/Fax Extended Survey Program
"CanonMyPrinter" = Canon Utilities My Printer
"CanonSolutionMenu" = Canon Utilities Solution Menu
"CCleaner" = CCleaner
"Easy-PhotoPrint EX" = Canon Utilities Easy-PhotoPrint EX
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.6.12)" = Mozilla Firefox (3.6.12)
"MP Navigator EX 2.1" = Canon MP Navigator EX 2.1
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MSNINST" = MSN
"Nero - Burning Rom!UninstallKey" = Nero OEM
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"NVIDIA nView Desktop Manager" = NVIDIA nView Desktop Manager
"RestoreIT!" = RestoreIT!
"Spell Checker For OE 2.1" = Spell Checker For OE 2.1
"VLC media player" = VLC media player 1.1.7
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 4/2/2011 1:26:52 AM | Computer Name = LOWTHER | Source = Microsoft Office 11 | ID = 2000
Description = Accepted Safe Mode action : Microsoft Office Outlook.

Error - 4/2/2011 1:27:08 AM | Computer Name = LOWTHER | Source = Microsoft Office 11 | ID = 1000
Description = Faulting application outlook.exe, version 11.0.8217.0, stamp 480f95d9,
faulting module mso.dll, version 11.0.8221.0, stamp 483c699a, debug? 0, fault address
0x00038270.

Error - 4/2/2011 1:27:40 AM | Computer Name = LOWTHER | Source = Microsoft Office 11 | ID = 1000
Description = Faulting application outlook.exe, version 11.0.8217.0, stamp 480f95d9,
faulting module mso.dll, version 11.0.8221.0, stamp 483c699a, debug? 0, fault address
0x00038270.

Error - 4/2/2011 1:27:45 AM | Computer Name = LOWTHER | Source = Microsoft Office 11 | ID = 1000
Description = Faulting application outlook.exe, version 11.0.8217.0, stamp 480f95d9,
faulting module mso.dll, version 11.0.8221.0, stamp 483c699a, debug? 0, fault address
0x0001ffa9.

Error - 4/2/2011 1:27:51 AM | Computer Name = LOWTHER | Source = Microsoft Office 11 | ID = 2000
Description = Accepted Safe Mode action : Microsoft Office Outlook.

Error - 4/2/2011 1:28:02 AM | Computer Name = LOWTHER | Source = Microsoft Office 11 | ID = 2000
Description = Accepted Safe Mode action : Microsoft Office Outlook.

Error - 4/4/2011 11:55:31 AM | Computer Name = LOWTHER | Source = Microsoft Office 11 | ID = 1000
Description = Faulting application outlook.exe, version 11.0.8217.0, stamp 480f95d9,
faulting module mso.dll, version 11.0.8221.0, stamp 483c699a, debug? 0, fault address
0x00038270.

Error - 4/4/2011 11:55:50 AM | Computer Name = LOWTHER | Source = Microsoft Office 11 | ID = 1000
Description = Faulting application outlook.exe, version 11.0.8217.0, stamp 480f95d9,
faulting module outllib.dll, version 11.0.8217.0, stamp 480f94f8, debug? 0, fault
address 0x00011cee.

Error - 4/4/2011 11:55:57 AM | Computer Name = LOWTHER | Source = Microsoft Office 11 | ID = 1000
Description = Faulting application outlook.exe, version 11.0.8217.0, stamp 480f95d9,
faulting module mso.dll, version 11.0.8221.0, stamp 483c699a, debug? 0, fault address
0x0001ffa9.

Error - 4/4/2011 11:56:05 AM | Computer Name = LOWTHER | Source = Microsoft Office 11 | ID = 2000
Description = Accepted Safe Mode action : Microsoft Office Outlook.

[ System Events ]
Error - 2/28/2011 9:26:49 PM | Computer Name = LOWTHER | Source = Service Control Manager | ID = 7034
Description = The Java Quick Starter service terminated unexpectedly. It has done
this 1 time(s).

Error - 2/28/2011 9:26:49 PM | Computer Name = LOWTHER | Source = Service Control Manager | ID = 7034
Description = The Google Update Service (gupdate) service terminated unexpectedly.
It has done this 1 time(s).

Error - 2/28/2011 9:26:49 PM | Computer Name = LOWTHER | Source = Service Control Manager | ID = 7034
Description = The Acronis Nonstop Backup service service terminated unexpectedly.
It has done this 1 time(s).

Error - 2/28/2011 9:26:49 PM | Computer Name = LOWTHER | Source = Service Control Manager | ID = 7034
Description = The Acronis Scheduler2 Service service terminated unexpectedly. It
has done this 1 time(s).

Error - 2/28/2011 9:26:49 PM | Computer Name = LOWTHER | Source = Service Control Manager | ID = 7034
Description = The Portrait Displays SDK Service service terminated unexpectedly.
It has done this 1 time(s).

Error - 2/28/2011 9:26:49 PM | Computer Name = LOWTHER | Source = Service Control Manager | ID = 7034
Description = The Machine Debug Manager service terminated unexpectedly. It has
done this 1 time(s).

Error - 2/28/2011 9:26:51 PM | Computer Name = LOWTHER | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM
Service service to connect.

Error - 2/28/2011 9:26:51 PM | Computer Name = LOWTHER | Source = Service Control Manager | ID = 7000
Description = The IMAPI CD-Burning COM Service service failed to start due to the
following error: %%1053

Error - 2/28/2011 9:26:54 PM | Computer Name = LOWTHER | Source = Service Control Manager | ID = 7034
Description = The Machine Debug Manager service terminated unexpectedly. It has
done this 2 time(s).

Error - 2/28/2011 9:27:46 PM | Computer Name = LOWTHER | Source = Service Control Manager | ID = 7031
Description = The Apple Mobile Device service terminated unexpectedly. It has done
this 2 time(s). The following corrective action will be taken in 60000 milliseconds:
Restart the service.


< End of report >

#6 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:10:32 AM

Posted 05 April 2011 - 09:04 AM

Hi,

Let's begin removing malwares, during the process I will be giving instructions and If your unsure on how to do it... please stop and ask me first for clarification.


1. Please go to http://virscan.org/
  • Navigate the following file path into the "Suspicious files to scan" box on the top of the page:

    C:\WINDOWS\system32\DRIVERS\nv4_mini.sys

  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.



2. Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Custom Scan/Fixes text box.

    :OTL
    O4 - HKLM..\Run: [ContactSyncgoogle] File not found
    O4 - HKLM..\Run: [farstone] File not found
    O4 - HKLM..\Run: [iTunesiTunesMiniPlayerLocalizediTunes] File not found
    O4 - HKLM..\Run: [NVIDIAnvMoblS6.14.11.9621] File not found
    O4 - HKLM..\Run: [setup2ksetup2k] File not found
    [2011/03/23 11:26:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\AntiVirus AntiSpyware 2011
    [2011/03/25 14:12:21 | 000,011,910 | -HS- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\k746u30jl60ljh380p6
    [2011/03/25 14:12:21 | 000,011,910 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\k746u30jl60ljh380p6
    
    :Reg
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
    "DisableNotifications"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "DisableNotifications"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "C:\Documents and Settings\Owner\Application Data\J-93219-1923-12901\mobile32.exe"=-
    
    :Files
    C:\Documents and Settings\Owner\Application Data\J-93219-1923-12901
    
    :Commands
    [EMPTYTEMP] 
    [CREATERESTOREPOINT] 
    
  • Push the Run Fix button.
  • OTL may ask to reboot the machine. Please do so if asked.
  • A massage box "Fix complete! Click OK to open the fix log." will pop-up.
  • Click the OK button and a report will open.
  • Copy and Paste that report in your next reply.

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#7 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:10:32 AM

Posted 09 April 2011 - 08:42 AM

Do you still need help?

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#8 texamaggie

texamaggie
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:10:32 PM

Posted 09 April 2011 - 08:39 PM

Yes I do...I have been away from the computer for a few days. I am working through the steps on your last reply now. I will post results shortly. Thank you.

#9 texamaggie

texamaggie
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:10:32 PM

Posted 09 April 2011 - 08:55 PM

I am not able to get http://virscan.org/ to open. I have tried from 2 separate computers and the Website will not open. The server does not seem to be responding. I have also confirmed from an uninfected laptop and get the same result.

It appears that the link is misspelled.

Edited by texamaggie, 09 April 2011 - 09:00 PM.


#10 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:10:32 AM

Posted 10 April 2011 - 12:34 AM

Hi,

You can use virustotal or jotti instead.

Virustotal -> http://www.virustotal.com/
Jotti -> http://virusscan.jotti.org/en

Edited by sempai, 10 April 2011 - 12:37 AM.

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#11 texamaggie

texamaggie
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:10:32 PM

Posted 11 April 2011 - 09:43 AM

Here is the 1st report:

0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.
File name: nv4_mini.sys
Submission date: 2011-04-11 13:54:54 (UTC)
Current status: finished
Result: 0/ 42 (0.0%)
VT Community

not reviewed
Safety score: -
Compact
Print results
Antivirus Version Last Update Result
AhnLab-V3 2011.04.11.03 2011.04.11 -
AntiVir 7.11.6.49 2011.04.11 -
Antiy-AVL 2.0.3.7 2011.04.11 -
Avast 4.8.1351.0 2011.04.11 -
Avast5 5.0.677.0 2011.04.11 -
AVG 10.0.0.1190 2011.04.11 -
BitDefender 7.2 2011.04.11 -
CAT-QuickHeal 11.00 2011.04.11 -
ClamAV 0.97.0.0 2011.04.11 -
Commtouch 5.2.11.5 2011.04.06 -
Comodo 8303 2011.04.11 -
DrWeb 5.0.2.03300 2011.04.11 -
Emsisoft 5.1.0.5 2011.04.11 -
eSafe 7.0.17.0 2011.04.10 -
eTrust-Vet 36.1.8265 2011.04.11 -
F-Prot 4.6.2.117 2011.04.11 -
F-Secure 9.0.16440.0 2011.04.11 -
Fortinet 4.2.254.0 2011.04.09 -
GData 22 2011.04.11 -
Ikarus T3.1.1.103.0 2011.04.11 -
Jiangmin 13.0.900 2011.04.09 -
K7AntiVirus 9.96.4347 2011.04.09 -
Kaspersky 7.0.0.125 2011.04.11 -
McAfee 5.400.0.1158 2011.04.11 -
McAfee-GW-Edition 2010.1C 2011.04.11 -
Microsoft 1.6702 2011.04.11 -
NOD32 6033 2011.04.11 -
Norman 6.07.07 2011.04.10 -
Panda 10.0.3.5 2011.04.10 -
PCTools 7.0.3.5 2011.04.11 -
Prevx 3.0 2011.04.11 -
Rising 23.53.00.05 2011.04.11 -
Sophos 4.64.0 2011.04.11 -
SUPERAntiSpyware 4.40.0.1006 2011.04.10 -
Symantec 20101.3.2.89 2011.04.11 -
TheHacker 6.7.0.1.171 2011.04.10 -
TrendMicro 9.200.0.1012 2011.04.11 -
TrendMicro-HouseCall 9.200.0.1012 2011.04.11 -
VBA32 3.12.14.3 2011.04.11 -
VIPRE 8986 2011.04.11 -
ViRobot 2011.4.11.4404 2011.04.11 -
VirusBuster 13.6.299.0 2011.04.11 -
Additional informationShow all
MD5 : cb0ce8de9f66a297cd86eb98921b8e58
SHA1 : 9cdda5b311e87c1391e2c377a50db3d32514a487
SHA256: 171a23ddbcb33e5327009e9b75d7726ecee62152ef30c438cc12d6d009f91a36





Here is the OTL Report:



All processes killed
========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ContactSyncgoogle deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\farstone deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\iTunesiTunesMiniPlayerLocalizediTunes deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\NVIDIAnvMoblS6.14.11.9621 deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\setup2ksetup2k deleted successfully.
C:\Documents and Settings\Owner\Application Data\AntiVirus AntiSpyware 2011 folder moved successfully.
C:\Documents and Settings\Owner\Local Settings\Application Data\k746u30jl60ljh380p6 moved successfully.
C:\Documents and Settings\All Users\Application Data\k746u30jl60ljh380p6 moved successfully.
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\\"DisableNotifications"|dword:00000000 /E : value set successfully!
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\\"DisableNotifications"|dword:00000000 /E : value set successfully!
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Documents and Settings\Owner\Application Data\J-93219-1923-12901\mobile32.exe deleted successfully.
========== FILES ==========
C:\Documents and Settings\Owner\Application Data\J-93219-1923-12901 folder moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 13425356 bytes
->Flash cache emptied: 405 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 13425356 bytes
->Flash cache emptied: 405 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 34512 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Owner
->Temp folder emptied: 4483259 bytes
->Temporary Internet Files folder emptied: 37726983 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 48480593 bytes
->Flash cache emptied: 3133 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 82400 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 143360 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 112.00 mb

Restore point Set: OTL Restore Point (0)

OTL by OldTimer - Version 3.2.22.3 log created on 04112011_092940

Files\Folders moved on Reboot...
File\Folder C:\Documents and Settings\Owner\Local Settings\Temp\~DF6B34.tmp not found!
File\Folder C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.Word\~WRS0001.tmp not found!
File\Folder C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\MWQ3ME2Y\page__p__2184227__fromsearch__1[2].htm not found!

Registry entries deleted on Reboot...

#12 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:10:32 AM

Posted 11 April 2011 - 09:56 AM

Download Combofix (by Subs) from any of the links below, make sure that you save it to your desktop.

Link 1
Link 2

  • It's important to temporary disable your anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. See HERE
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

*It's strongly recommended to have this pre-installed on your machine before doing any malware removal.
*The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
*This allows us to more easily help you should your computer have a problem after an attempted removal of malware.

  • If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures. If you did not have it installed, you will see the prompt below. Choose YES.

Posted Image


  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Important notes:

  • Leave your computer alone while ComboFix is running.
  • ComboFix will restart your computer if malware is found; allow it to do so.
  • ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  • Please do not mouseclick combofix's window while its running because it may call it to stall.
  • ComboFix SHOULD NOT be used unless requested by a forum helper. See HERE.


~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#13 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:10:32 AM

Posted 15 April 2011 - 10:40 AM

Due to the lack of feedback, this topic is now closed.In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#14 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:10:32 AM

Posted 16 April 2011 - 10:26 AM

This topic has been re-opened at the request of the person who originally posted.

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#15 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:10:32 AM

Posted 16 April 2011 - 10:28 AM

How's the computer running?

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users