Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with: Trojan Horse Crypt.ANVH and Exploit Phoenix Exploit Kit (Type 769)


  • This topic is locked This topic is locked
27 replies to this topic

#1 Eckabeb

Eckabeb

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:03:28 AM

Posted 26 January 2012 - 10:09 PM

Hi. For the past week I've been having redirecting issues on Google links and as of today it takes multiple reloads before I can get to the Google site/applications. I scanned my PC with AVG Free 2012 and I'm told I have Trojan Horse Crypt.ANVH, which is whitelisted by AVG. Late last night I started getting messages about Exploit Phoenix Exploit Kit (Type 769) which was located in svc.host. SVC.HOST randomly goes from 90k mem usage to 500k- 1million usage. I'm also getting tons of random cookies (which I think the trojan is the cause?) just from being connected to the internet, though I won't have any applications open at the time. :( When I ran Gmer like the Welcome Guide said to, the application kept freezing in the middle of scanning, so I had to download the .EXE file instead of the .ZIP, but that didn't work either (1st try: froze computer. 2nd try: computer froze then randomly rebooted). I am currently rerunning Gmer under the name iexplorer.exe, but I want to get this post up as soon as possible to get this fixed. I'll post the data, if I can get it, from Gmer when it pops up down below. One last thing -phew- My windows firewall, when I double-click to activate it, gives me a message "Windows Firewall settings cannot be displayed because the associated service is not running. Do you want to start the Windows Firewall/Internet Connection Sharing (ICS) service?". When I click yes, I then get the message "Windows cannot start the Windows Firewall/ ICS service." If I click No, nothing happens. And that's it I believe. :( I hope y'all can help (if you can get through my wall of text first)!

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_26
Run by Ecky at 15:22:35 on 2012-01-26
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.586 [GMT -6:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\Program Files\DeviceVM\Browser Configuration Utility\BCUService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\DeviceVM\Browser Configuration Utility\BCU.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\AVG Secure Search\vprot.exe
C:\WINDOWS\system32\WTClient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Logitech\LWS\Webcam Software\LWS.exe
C:\Program Files\Steam\steam.exe
C:\Documents and Settings\Ecky\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\VERIZONDM\bin\sprtsvc.exe
C:\Program Files\Ventrilo\Ventrilo.exe
c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG2012\avgnsx.exe
C:\Program Files\AVG\AVG2012\avgemcx.exe
C:\Program Files\Logitech\LWS\Webcam Software\CameraHelperShell.exe
C:\Program Files\VERIZONDM\bin\tgsrvc.exe
C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\10.0.6\ToolbarUpdater.exe
C:\WINDOWS\System32\Drivers\WTSRV.EXE
C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Ecky\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.ask.com/?o=13170&l=dis
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
uURLSearchHooks: SearchHook Class: {bc86e1ab-eda5-4059-938f-ce307b0c6f0a} - c:\program files\devicevm\browser configuration utility\AddressBarSearch.dll
mURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
BHO: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\10.0.0.7\AVG Secure Search_toolbar.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\10.0.0.7\AVG Secure Search_toolbar.dll
{e7df6bff-55a5-4eb7-a673-4ed3e9456d39}
uRun: [Steam] "c:\program files\steam\steam.exe" -silent
uRun: [Google Update] "c:\documents and settings\ecky\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [PlayNC Launcher]
mRun: [BCU] "c:\program files\devicevm\browser configuration utility\BCU.exe"
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [LogMeIn Hamachi Ui] "c:\program files\logmein hamachi\hamachi-2-ui.exe" --auto-start
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [vProt] "c:\program files\avg secure search\vprot.exe"
mRun: [WTClient] WTClient.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [LWS] c:\program files\logitech\lws\webcam software\LWS.exe -hide
mRun: [ROC_roc_dec12] "c:\program files\avg secure search\ROC_roc_dec12.exe" /PROMPT /CMPID=roc_dec12
dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{DE7B0285-2CA2-4652-BC39-997B340764A3} : DhcpNameServer = 192.168.1.254
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\common files\avg secure search\viprotocolinstaller\10.0.6\ViProtocol.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 94.63.240.131 www.google.com
Hosts: 94.63.240.132 www.bing.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\ecky\application data\mozilla\firefox\profiles\3v9eamco.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4dd1c4d4&v=7.008.031.001&i=23&tp=ab&iy=&ychte=us&lng=en-US&q=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 50370
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\avg\avg10\firefox4\components\avgssff4.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\documents and settings\ecky\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\ecky\application data\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\ecky\local settings\application data\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60310.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
.
---- FIREFOX POLICIES ----
FF - user.js: extentions.y2layers.installId - e2f01f55-4826-42dc-8aa5-cff118b37b1c
FF - user.js: extentions.y2layers.defaultEnableAppsList - BestVideoDownloader,BestVideoDownloader,
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-10-9 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-10-9 32592]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-3-14 64512]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-10-9 230608]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-10-9 34896]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-10-9 297168]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\AVGIDSAgent.exe [2011-10-12 4433248]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]
R2 BCUService;Browser Configuration Utility Service;c:\program files\devicevm\browser configuration utility\BCUService.exe [2010-3-23 219360]
R2 GEST Service;GEST Service for program management.;c:\program files\gigabyte\energysaver\GSvr.exe [2010-3-23 68136]
R2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files\logmein hamachi\hamachi-2.exe [2011-8-15 1361288]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-3-14 2152152]
R2 sprtsvc_verizondm;SupportSoft Sprocket Service (verizondm);c:\program files\verizondm\bin\sprtsvc.exe [2010-9-29 206120]
R2 tgsrvc_verizondm;SupportSoft Repair Service (verizondm);c:\program files\verizondm\bin\tgsrvc.exe [2010-9-29 185640]
R2 UMVPFSrv;UMVPFSrv;c:\program files\common files\logishrd\lvmvfm\UMVPFSrv.exe [2011-3-31 450848]
R2 vToolbarUpdater;vToolbarUpdater;c:\program files\common files\avg secure search\vtoolbarupdater\10.0.6\ToolbarUpdater.exe [2012-1-19 909152]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-10-9 134480]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-10-9 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-10-9 16720]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-3-23 1684736]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2011-5-12 1025352]
S3 BCMH43XX;Broadcom 802.11 USB Network Adapter Driver;c:\windows\system32\drivers\bcmwlhigh5.sys --> c:\windows\system32\drivers\bcmwlhigh5.sys [?]
S3 cpuz135;cpuz135;\??\c:\docume~1\ecky\locals~1\temp\cpuz135\cpuz135_x32.sys --> c:\docume~1\ecky\locals~1\temp\cpuz135\cpuz135_x32.sys [?]
S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\eaglexnt.sys --> c:\windows\system32\drivers\EagleXNt.sys [?]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2011-3-14 15232]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 NPF;Netgroup Packet Filter;c:\windows\system32\drivers\npf.sys --> c:\windows\system32\drivers\npf.sys [?]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-01-25 08:54:53 -------- d-----w- c:\program files\CCleaner
2012-01-24 06:14:26 -------- dc-h--w- c:\documents and settings\all users\application data\{83C3B2FD-37EA-4C06-A228-E9B5E32FF0B1}
2012-01-22 19:15:45 -------- d-----w- C:\cmdcons
2012-01-22 19:13:08 98816 ----a-w- c:\windows\sed.exe
2012-01-22 19:13:08 518144 ----a-w- c:\windows\SWREG.exe
2012-01-22 19:13:08 256000 ----a-w- c:\windows\PEV.exe
2012-01-22 19:13:08 208896 ----a-w- c:\windows\MBR.exe
2012-01-22 19:12:56 -------- d-s---w- C:\ComboFix
2012-01-21 20:49:31 626688 ----a-w- c:\program files\mozilla firefox\msvcr80.dll
2012-01-21 20:49:31 548864 ----a-w- c:\program files\mozilla firefox\msvcp80.dll
2012-01-21 20:49:31 479232 ----a-w- c:\program files\mozilla firefox\msvcm80.dll
2012-01-21 20:49:31 43992 ----a-w- c:\program files\mozilla firefox\mozutils.dll
2012-01-07 01:20:51 -------- d-----w- c:\program files\Ventrilo
2012-01-06 01:17:22 -------- d-----w- c:\documents and settings\all users\application data\Valve
2012-01-04 06:23:43 -------- d-----w- c:\documents and settings\ecky\local settings\application data\Logitech® Webcam Software
2012-01-04 06:16:28 -------- d-----w- C:\My Games
2012-01-04 06:15:45 -------- d-----w- c:\program files\NVIDIA Corporation
2012-01-03 01:37:18 -------- d-----w- c:\documents and settings\ecky\application data\Doublefine
2011-12-29 17:46:05 -------- d-----w- c:\program files\iPod
2011-12-29 17:46:03 -------- d-----w- c:\program files\iTunes
.
==================== Find3M ====================
.
2012-01-26 18:54:18 17488 ----a-w- c:\windows\gdrv.sys
2011-12-21 04:06:43 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-10 21:24:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-21 08:25:56 6908648 ----a-w- c:\windows\system32\SpoonUninstall.exe
2006-05-03 09:06:54 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 10:47:16 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 12:30:52 216064 --sh--r- c:\windows\system32\nbDX.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST3750528AS rev.CC38 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-9
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A4EF49F]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a4f6738]; MOV EAX, [0x8a4f68ac]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF196] -> \Device\Harddisk0\DR0[0x8A680030]
3 CLASSPNP[0xBA108FD7] -> ntkrnlpa!IofCallDriver[0x804EF196] -> \Device\00000075[0x8A5B14C0]
5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EF196] -> [0x8A5AC940]
\Driver\atapi[0x8A607ED8] -> IRP_MJ_CREATE -> 0x8A4EF49F
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A4EF2C6
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 15:23:39.98 ===============

Edited by Eckabeb, 26 January 2012 - 10:12 PM.


BC AdBot (Login to Remove)

 


#2 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Antarctica
  • Local time:04:28 AM

Posted 27 January 2012 - 09:26 AM

Hello and welcome to the forums!

My secret agent name on the forums is SweetTech (you can call me Agent ST for short), it's a pleasure to meet you. :)

I would be glad to take a look at your log and help you with solving any malware problems.

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed.

If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:


  • Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
  • Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
  • In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
  • If I instruct you to download a specific tool in which you already have, please delete the copy that you have and re-download the tool. The reason I ask you to do this is because these tools are updated fairly regularly.
  • Do not do things I do not ask for, such as running a spyware scan on your computer. The one thing that you should always do, is to make sure sure that your anti-virus definitions are up-to-date!
  • Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post.
  • I am going to stick with you until ALL malware is gone from your system. I would appreciate it if you would do the same. From this point, we're in this together ;)
    Because of this, you must reply within three days
    failure to reply will result in the topic being closed!
  • Lastly, I am no magician. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to resort to reformatting and reinstalling your operating system.
    Don't worry, this only happens in severe cases, but it sadly does happen. Be prepared to back up your data. Have means of backing up your data available.

____________________________________________________

It appears you're infected with an infection known as ZeroAccess.

ZeroAccess (Max++) Rootkit (aka: Sirefef) is a sophisticated rootkit that uses advanced technology to hide its presence in a system and can infect both x86 and x64 platforms. ZeroAccess is similar to the TDSS rootkit but has more self-protection mechanisms that can be used to disable anti-virus software resulting in "Access Denied" messages whenever you run a security application. For more specific information about this infection, please refer to:


NEXT:



Posted Image One or more of the identified infections is a backdoor trojan and password stealer.

This type of infection allows hackers to access and remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.
If you do any banking or other financial transactions on the PC or if it contains any other sensitive information, then from a clean computer, change all passwords where applicable.
It would also be wise to contact those same financial institutions to appraise them of your situation.


I highly suggest you take a look at the two links provided below:
1. How Do I Handle Possible Identify Theft, Internet Fraud, and CC Fraud?
2. When should I re-format? How should I reinstall?


We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.



NEXT:



Running TDSSKiller

Download the latest version of TDSSKiller from here and save it to your Desktop.


  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.

    Posted Image
  • Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

    Posted Image
  • Click the Start Scan button.

    Posted Image
  • If a suspicious object is detected, the default action will be Skip, click on Continue.

    Posted Image
  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Ensure SKIP is selected, then click Continue => Reboot now to finish the cleaning process.

    Posted Image
  • Note: Do not choose Cure or Delete unless instructed.

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.


NEXT:



Farbar Service Scanner

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


NEXT:



Running OTL

We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extras.txt <-- Will be minimized


NEXT:



Please make sure you include the following items in your next post:

1. Any comments or questions you may have that you'd like for me to answer in my next post to you.
2. TDSSKiller log.
3. Farbar Service Scanner log.
4. OTL.txt & Extras.txt logs.
5. An update on how your computer is currently running.

It would be helpful if you could answer each question in the order asked, as well as numbering your answers.


Please let me know how the above scans go.

Kindest Regards,
Agent ST.

Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#3 Eckabeb

Eckabeb
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:03:28 AM

Posted 27 January 2012 - 03:31 PM

1. Thanks for replying so quickly, Agent ST! Haha. I ran TDSSkiller and chose skip for everything, but it never told me to reboot. I got the message "There are unprocessed malware objects" instead. I did not reboot.

2. TDSkiller log
14:02:02.0859 4584 TDSS rootkit removing tool 2.7.7.0 Jan 24 2012 16:44:27
14:02:03.0390 4584 ============================================================
14:02:03.0390 4584 Current date / time: 2012/01/27 14:02:03.0390
14:02:03.0390 4584 SystemInfo:
14:02:03.0390 4584
14:02:03.0390 4584 OS Version: 5.1.2600 ServicePack: 3.0
14:02:03.0390 4584 Product type: Workstation
14:02:03.0390 4584 ComputerName: ECKABEB
14:02:03.0390 4584 UserName: Ecky
14:02:03.0390 4584 Windows directory: C:\WINDOWS
14:02:03.0390 4584 System windows directory: C:\WINDOWS
14:02:03.0390 4584 Processor architecture: Intel x86
14:02:03.0390 4584 Number of processors: 2
14:02:03.0390 4584 Page size: 0x1000
14:02:03.0390 4584 Boot type: Normal boot
14:02:03.0390 4584 ============================================================
14:02:22.0171 4584 Drive \Device\Harddisk0\DR0 - Size: 0xAEA88D5E00 (698.63 Gb), SectorSize: 0x200, Cylinders: 0x16440, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
14:02:23.0968 4584 Initialize success
14:02:55.0312 0820 ============================================================
14:02:55.0312 0820 Scan started
14:02:55.0312 0820 Mode: Manual; SigCheck; TDLFS;
14:02:55.0312 0820 ============================================================
14:02:58.0984 0820 Abiosdsk - ok
14:02:59.0187 0820 abp480n5 - ok
14:02:59.0640 0820 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
14:03:17.0734 0820 ACPI - ok
14:03:18.0687 0820 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
14:03:19.0109 0820 ACPIEC - ok
14:03:19.0671 0820 adpu160m - ok
14:03:21.0421 0820 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
14:03:21.0781 0820 aec - ok
14:03:22.0640 0820 AFD (322d0e36693d6e24a2398bee62a268cd) C:\WINDOWS\System32\drivers\afd.sys
14:03:23.0171 0820 AFD - ok
14:03:23.0765 0820 Aha154x - ok
14:03:24.0765 0820 aic78u2 - ok
14:03:25.0609 0820 aic78xx - ok
14:03:26.0578 0820 AliIde - ok
14:03:28.0890 0820 Ambfilt (f6af59d6eee5e1c304f7f73706ad11d8) C:\WINDOWS\system32\drivers\Ambfilt.sys
14:03:31.0578 0820 Ambfilt - ok
14:03:31.0796 0820 amsint - ok
14:03:32.0343 0820 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
14:03:32.0531 0820 Arp1394 - ok
14:03:32.0718 0820 asc - ok
14:03:33.0031 0820 asc3350p - ok
14:03:33.0203 0820 asc3550 - ok
14:03:33.0531 0820 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
14:03:33.0656 0820 AsyncMac - ok
14:03:33.0890 0820 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
14:03:34.0140 0820 atapi - ok
14:03:34.0359 0820 Atdisk - ok
14:03:37.0156 0820 ati2mtag (0a8b257db810be78ac9fd1860b4ba22b) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
14:03:42.0765 0820 ati2mtag - ok
14:03:43.0156 0820 AtiHdmiService (fac04a8e09c8d70594382656d99772a3) C:\WINDOWS\system32\drivers\AtiHdmi.sys
14:03:43.0328 0820 AtiHdmiService - ok
14:03:43.0578 0820 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
14:03:43.0765 0820 Atmarpc - ok
14:03:44.0156 0820 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
14:03:44.0281 0820 audstub - ok
14:03:44.0531 0820 AVGIDSDriver (2d18221aab3db2d408d6c55c0f23090a) C:\WINDOWS\system32\DRIVERS\AVGIDSDriver.Sys
14:03:44.0593 0820 AVGIDSDriver - ok
14:03:44.0828 0820 AVGIDSEH (1af676db3f3d4cc709cfab2571cf5fc3) C:\WINDOWS\system32\DRIVERS\AVGIDSEH.Sys
14:03:44.0843 0820 AVGIDSEH - ok
14:03:45.0156 0820 AVGIDSFilter (4c51e233c87f9ec7598551de554bc99d) C:\WINDOWS\system32\DRIVERS\AVGIDSFilter.Sys
14:03:45.0171 0820 AVGIDSFilter - ok
14:03:45.0421 0820 AVGIDSShim (1e01c2166b5599802bcd61b9691f7476) C:\WINDOWS\system32\DRIVERS\AVGIDSShim.Sys
14:03:45.0437 0820 AVGIDSShim - ok
14:03:45.0734 0820 Avgldx86 (bf8118cd5e2255387b715b534d64acd1) C:\WINDOWS\system32\DRIVERS\avgldx86.sys
14:03:45.0859 0820 Avgldx86 - ok
14:03:46.0203 0820 Avgmfx86 (5639de66b37d02bd22df4cf3155fba60) C:\WINDOWS\system32\DRIVERS\avgmfx86.sys
14:03:46.0234 0820 Avgmfx86 - ok
14:03:46.0437 0820 Avgrkx86 (d1baf652eda0ae70896276a1fb32c2d4) C:\WINDOWS\system32\DRIVERS\avgrkx86.sys
14:03:46.0500 0820 Avgrkx86 - ok
14:03:46.0859 0820 Avgtdix (aaf0ebcad95f2164cffb544e00392498) C:\WINDOWS\system32\DRIVERS\avgtdix.sys
14:03:47.0109 0820 Avgtdix - ok
14:03:47.0343 0820 BCMH43XX - ok
14:03:47.0578 0820 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
14:03:47.0718 0820 Beep - ok
14:03:48.0093 0820 Bridge (f934d1b230f84e1d19dd00ac5a7a83ed) C:\WINDOWS\system32\DRIVERS\bridge.sys
14:03:48.0218 0820 Bridge - ok
14:03:48.0250 0820 BridgeMP (f934d1b230f84e1d19dd00ac5a7a83ed) C:\WINDOWS\system32\DRIVERS\bridge.sys
14:03:48.0312 0820 BridgeMP - ok
14:03:48.0640 0820 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
14:03:48.0812 0820 cbidf2k - ok
14:03:49.0250 0820 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
14:03:49.0437 0820 CCDECODE - ok
14:03:49.0640 0820 cd20xrnt - ok
14:03:49.0906 0820 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
14:03:50.0187 0820 Cdaudio - ok
14:03:50.0484 0820 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
14:03:50.0656 0820 Cdfs - ok
14:03:50.0875 0820 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
14:03:51.0187 0820 Cdrom - ok
14:03:51.0406 0820 Changer - ok
14:03:51.0625 0820 CmdIde - ok
14:03:51.0812 0820 Cpqarray - ok
14:03:52.0093 0820 cpuz135 - ok
14:03:52.0281 0820 dac2w2k - ok
14:03:52.0484 0820 dac960nt - ok
14:03:52.0750 0820 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
14:03:53.0031 0820 Disk - ok
14:03:53.0546 0820 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
14:03:54.0218 0820 dmboot - ok
14:03:54.0468 0820 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
14:03:54.0671 0820 dmio - ok
14:03:55.0078 0820 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
14:03:55.0234 0820 dmload - ok
14:03:55.0531 0820 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
14:03:55.0781 0820 DMusic - ok
14:03:56.0125 0820 dpti2o - ok
14:03:56.0312 0820 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
14:03:56.0437 0820 drmkaud - ok
14:03:56.0656 0820 EagleXNt - ok
14:03:56.0984 0820 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
14:03:57.0234 0820 Fastfat - ok
14:03:57.0453 0820 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
14:03:57.0625 0820 Fdc - ok
14:03:57.0906 0820 FilterService (b73ec688c29f81f9da0fcf63682b3ecb) C:\WINDOWS\system32\DRIVERS\lvuvcflt.sys
14:03:58.0015 0820 FilterService - ok
14:03:58.0281 0820 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
14:03:58.0484 0820 Fips - ok
14:03:58.0781 0820 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
14:03:59.0000 0820 Flpydisk - ok
14:03:59.0375 0820 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
14:03:59.0609 0820 FltMgr - ok
14:03:59.0812 0820 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
14:04:00.0015 0820 Fs_Rec - ok
14:04:00.0281 0820 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
14:04:00.0484 0820 Ftdisk - ok
14:04:00.0546 0820 gdrv (d556cb79967e92b5cc69686d16c1d846) C:\WINDOWS\gdrv.sys
14:04:00.0593 0820 gdrv - ok
14:04:00.0843 0820 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
14:04:00.0937 0820 GEARAspiWDM - ok
14:04:01.0296 0820 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
14:04:01.0468 0820 Gpc - ok
14:04:01.0703 0820 hamachi (833051c6c6c42117191935f734cfbd97) C:\WINDOWS\system32\DRIVERS\hamachi.sys
14:04:01.0750 0820 hamachi - ok
14:04:02.0125 0820 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
14:04:02.0359 0820 HDAudBus - ok
14:04:02.0671 0820 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
14:04:02.0828 0820 hidusb - ok
14:04:03.0156 0820 hpn - ok
14:04:03.0500 0820 HTTP (f6aacf5bce2893e0c1754afeb672e5c9) C:\WINDOWS\system32\Drivers\HTTP.sys
14:04:03.0750 0820 HTTP - ok
14:04:03.0953 0820 i2omgmt - ok
14:04:04.0296 0820 i2omp - ok
14:04:04.0546 0820 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
14:04:04.0718 0820 i8042prt - ok
14:04:05.0187 0820 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
14:04:05.0328 0820 Imapi - ok
14:04:05.0531 0820 ini910u - ok
14:04:07.0843 0820 IntcAzAudAddService (512cc914475348d774d1bb9f866396a5) C:\WINDOWS\system32\drivers\RtkHDAud.sys
14:04:13.0156 0820 IntcAzAudAddService - ok
14:04:13.0375 0820 IntelIde - ok
14:04:13.0656 0820 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
14:04:13.0828 0820 intelppm - ok
14:04:14.0109 0820 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
14:04:14.0250 0820 Ip6Fw - ok
14:04:14.0484 0820 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
14:04:14.0640 0820 IpFilterDriver - ok
14:04:14.0843 0820 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
14:04:15.0062 0820 IpInIp - ok
14:04:15.0312 0820 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
14:04:15.0500 0820 IpNat - ok
14:04:15.0734 0820 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
14:04:16.0046 0820 IPSec - ok
14:04:16.0328 0820 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
14:04:16.0406 0820 IRENUM - ok
14:04:16.0609 0820 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
14:04:16.0796 0820 isapnp - ok
14:04:17.0156 0820 JRAID (a324485106f133e751f4b7f47c4be3ea) C:\WINDOWS\system32\DRIVERS\jraid.sys
14:04:17.0328 0820 JRAID - ok
14:04:17.0578 0820 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
14:04:17.0703 0820 Kbdclass - ok
14:04:17.0937 0820 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
14:04:18.0187 0820 kbdhid - ok
14:04:18.0546 0820 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
14:04:18.0796 0820 kmixer - ok
14:04:19.0250 0820 KSecDD (1705745d900dabf2d89f90ebaddc7517) C:\WINDOWS\system32\drivers\KSecDD.sys
14:04:19.0421 0820 KSecDD - ok
14:04:19.0593 0820 Lavasoft Kernexplorer (6c4a3804510ad8e0f0c07b5be3d44ddb) C:\Program Files\Lavasoft\Ad-Aware\KernExplorer.sys
14:04:19.0671 0820 Lavasoft Kernexplorer - ok
14:04:19.0921 0820 Lbd (336abe8721cbc3110f1c6426da633417) C:\WINDOWS\system32\DRIVERS\Lbd.sys
14:04:20.0171 0820 Lbd - ok
14:04:20.0359 0820 lbrtfdc - ok
14:04:20.0609 0820 lvpopflt (9fb982de1c8dd769f8ed681dd878b12f) C:\WINDOWS\system32\DRIVERS\lvpopflt.sys
14:04:20.0656 0820 lvpopflt - ok
14:04:20.0953 0820 LVPr2Mon (8be71d7edb8c7494913722059f760dd0) C:\WINDOWS\system32\Drivers\LVPr2Mon.sys
14:04:21.0093 0820 LVPr2Mon - ok
14:04:21.0468 0820 LVRS (7521c0c58ee91be90b6cc33e792d10c7) C:\WINDOWS\system32\DRIVERS\lvrs.sys
14:04:21.0656 0820 LVRS - ok
14:04:23.0531 0820 LVUVC (37e57c48af530df01cdd4e8a2ad77b51) C:\WINDOWS\system32\DRIVERS\lvuvc.sys
14:04:27.0078 0820 LVUVC - ok
14:04:27.0328 0820 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
14:04:27.0500 0820 mnmdd - ok
14:04:27.0781 0820 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
14:04:27.0921 0820 Modem - ok
14:04:28.0859 0820 Monfilt (9fa7207d1b1adead88ae8eed9cdbbaa5) C:\WINDOWS\system32\drivers\Monfilt.sys
14:04:30.0156 0820 Monfilt - ok
14:04:30.0390 0820 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
14:04:30.0515 0820 Mouclass - ok
14:04:30.0765 0820 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
14:04:30.0890 0820 mouhid - ok
14:04:31.0406 0820 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
14:04:31.0671 0820 MountMgr - ok
14:04:31.0921 0820 mraid35x - ok
14:04:32.0968 0820 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
14:04:33.0375 0820 MRxDAV - ok
14:04:34.0625 0820 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
14:04:34.0843 0820 Msfs - ok
14:04:35.0625 0820 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
14:04:35.0828 0820 MSKSSRV - ok
14:04:36.0515 0820 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
14:04:36.0656 0820 MSPCLOCK - ok
14:04:36.0828 0820 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
14:04:37.0078 0820 MSPQM - ok
14:04:37.0546 0820 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
14:04:37.0718 0820 mssmbios - ok
14:04:38.0609 0820 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
14:04:38.0734 0820 MSTEE - ok
14:04:38.0968 0820 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
14:04:39.0312 0820 Mup - ok
14:04:39.0703 0820 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
14:04:39.0921 0820 NABTSFEC - ok
14:04:40.0453 0820 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
14:04:40.0656 0820 NDIS - ok
14:04:40.0859 0820 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
14:04:41.0000 0820 NdisIP - ok
14:04:41.0531 0820 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
14:04:41.0656 0820 NdisTapi - ok
14:04:41.0906 0820 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
14:04:42.0031 0820 Ndisuio - ok
14:04:42.0234 0820 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
14:04:42.0390 0820 NdisWan - ok
14:04:42.0640 0820 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
14:04:42.0812 0820 NDProxy - ok
14:04:43.0250 0820 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
14:04:43.0390 0820 NetBIOS - ok
14:04:43.0812 0820 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
14:04:44.0250 0820 NetBT - ok
14:04:44.0531 0820 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
14:04:44.0671 0820 NIC1394 - ok
14:04:44.0906 0820 NPF - ok
14:04:45.0312 0820 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
14:04:45.0468 0820 Npfs - ok
14:04:45.0828 0820 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
14:04:46.0359 0820 Ntfs - ok
14:04:46.0593 0820 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
14:04:46.0718 0820 Null - ok
14:04:46.0906 0820 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
14:04:47.0078 0820 NwlnkFlt - ok
14:04:47.0296 0820 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
14:04:47.0437 0820 NwlnkFwd - ok
14:04:47.0640 0820 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
14:04:47.0812 0820 ohci1394 - ok
14:04:48.0265 0820 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
14:04:48.0421 0820 Parport - ok
14:04:48.0671 0820 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
14:04:48.0812 0820 PartMgr - ok
14:04:49.0250 0820 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
14:04:49.0375 0820 ParVdm - ok
14:04:49.0640 0820 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
14:04:49.0796 0820 PCI - ok
14:04:49.0968 0820 PCIDump - ok
14:04:50.0312 0820 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
14:04:50.0421 0820 PCIIde - ok
14:04:50.0671 0820 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
14:04:50.0859 0820 Pcmcia - ok
14:04:51.0218 0820 PDCOMP - ok
14:04:51.0515 0820 PDFRAME - ok
14:04:51.0703 0820 PDRELI - ok
14:04:51.0921 0820 PDRFRAME - ok
14:04:52.0234 0820 perc2 - ok
14:04:52.0421 0820 perc2hib - ok
14:04:52.0640 0820 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
14:04:52.0765 0820 PptpMiniport - ok
14:04:53.0125 0820 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
14:04:53.0296 0820 PSched - ok
14:04:53.0500 0820 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
14:04:53.0656 0820 Ptilink - ok
14:04:53.0812 0820 ql1080 - ok
14:04:54.0078 0820 Ql10wnt - ok
14:04:54.0250 0820 ql12160 - ok
14:04:54.0406 0820 ql1240 - ok
14:04:54.0593 0820 ql1280 - ok
14:04:54.0781 0820 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
14:04:54.0906 0820 RasAcd - ok
14:04:55.0328 0820 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
14:04:55.0453 0820 Rasl2tp - ok
14:04:55.0671 0820 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
14:04:55.0890 0820 RasPppoe - ok
14:04:56.0187 0820 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
14:04:56.0296 0820 Raspti - ok
14:04:56.0578 0820 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
14:04:56.0843 0820 Rdbss - ok
14:04:57.0390 0820 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
14:04:57.0546 0820 RDPCDD - ok
14:04:57.0828 0820 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
14:04:58.0125 0820 rdpdr - ok
14:04:58.0468 0820 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
14:04:58.0656 0820 RDPWD - ok
14:04:58.0921 0820 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
14:04:59.0125 0820 redbook - ok
14:04:59.0328 0820 ROOTMODEM (d8b0b4ade32574b2d9c5cc34dc0dbbe7) C:\WINDOWS\system32\Drivers\RootMdm.sys
14:04:59.0421 0820 ROOTMODEM - ok
14:04:59.0703 0820 RTLE8023xp (79b4fe884c18dd82d5449f6b6026d092) C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys
14:04:59.0875 0820 RTLE8023xp - ok
14:05:00.0296 0820 SCDEmu (20b2751cd4c8f3fd989739ca661b9f30) C:\WINDOWS\system32\drivers\SCDEmu.sys
14:05:00.0375 0820 SCDEmu ( UnsignedFile.Multi.Generic ) - warning
14:05:00.0375 0820 SCDEmu - detected UnsignedFile.Multi.Generic (1)
14:05:00.0609 0820 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
14:05:00.0687 0820 Secdrv - ok
14:05:00.0875 0820 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
14:05:01.0062 0820 serenum - ok
14:05:01.0406 0820 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
14:05:01.0562 0820 Serial - ok
14:05:01.0828 0820 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
14:05:01.0953 0820 Sfloppy - ok
14:05:02.0203 0820 Simbad - ok
14:05:02.0406 0820 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
14:05:02.0562 0820 SLIP - ok
14:05:02.0734 0820 Sparrow - ok
14:05:02.0968 0820 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
14:05:03.0171 0820 splitter - ok
14:05:03.0468 0820 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
14:05:03.0546 0820 sr - ok
14:05:03.0843 0820 Srv (5252605079810904e31c332e241cd59b) C:\WINDOWS\system32\DRIVERS\srv.sys
14:05:04.0437 0820 Srv - ok
14:05:04.0703 0820 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
14:05:04.0875 0820 streamip - ok
14:05:05.0234 0820 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
14:05:05.0343 0820 swenum - ok
14:05:05.0546 0820 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
14:05:05.0703 0820 swmidi - ok
14:05:05.0937 0820 symc810 - ok
14:05:06.0218 0820 symc8xx - ok
14:05:06.0390 0820 sym_hi - ok
14:05:06.0656 0820 sym_u3 - ok
14:05:06.0875 0820 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
14:05:07.0046 0820 sysaudio - ok
14:05:07.0046 0820 Tablet2k - ok
14:05:07.0359 0820 TClass2k (9b10f2be724d8e978e21a5da498ff5c1) C:\WINDOWS\system32\DRIVERS\TClass2k.sys
14:05:07.0468 0820 TClass2k - ok
14:05:07.0796 0820 Tcpip (68f06fe0021b01e670af37b8c5964fdf) C:\WINDOWS\system32\DRIVERS\tcpip.sys
14:05:08.0109 0820 Tcpip ( UnsignedFile.Multi.Generic ) - warning
14:05:08.0109 0820 Tcpip - detected UnsignedFile.Multi.Generic (1)
14:05:08.0390 0820 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
14:05:08.0562 0820 TDPIPE - ok
14:05:08.0812 0820 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
14:05:09.0062 0820 TDTCP - ok
14:05:09.0296 0820 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
14:05:09.0437 0820 TermDD - ok
14:05:09.0656 0820 TosIde - ok
14:05:10.0000 0820 UCTblHid (915a53a87cf9b3bc27359846ecd6a547) C:\WINDOWS\system32\DRIVERS\UCTblHid.sys
14:05:10.0156 0820 UCTblHid - ok
14:05:10.0437 0820 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
14:05:10.0593 0820 Udfs - ok
14:05:10.0765 0820 ultra - ok
14:05:11.0125 0820 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
14:05:11.0500 0820 Update - ok
14:05:11.0812 0820 USBAAPL (83cafcb53201bbac04d822f32438e244) C:\WINDOWS\system32\Drivers\usbaapl.sys
14:05:11.0906 0820 USBAAPL - ok
14:05:12.0234 0820 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
14:05:12.0421 0820 usbaudio - ok
14:05:12.0734 0820 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
14:05:12.0890 0820 usbccgp - ok
14:05:13.0343 0820 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
14:05:13.0453 0820 usbehci - ok
14:05:13.0656 0820 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
14:05:13.0781 0820 usbhub - ok
14:05:14.0046 0820 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
14:05:14.0250 0820 usbscan - ok
14:05:14.0484 0820 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
14:05:14.0625 0820 USBSTOR - ok
14:05:14.0812 0820 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
14:05:14.0937 0820 usbuhci - ok
14:05:15.0343 0820 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
14:05:15.0515 0820 usbvideo - ok
14:05:15.0781 0820 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
14:05:15.0906 0820 VgaSave - ok
14:05:16.0109 0820 ViaIde - ok
14:05:16.0296 0820 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
14:05:16.0468 0820 VolSnap - ok
14:05:16.0921 0820 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
14:05:17.0140 0820 Wanarp - ok
14:05:17.0312 0820 WDICA - ok
14:05:17.0546 0820 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
14:05:17.0687 0820 wdmaud - ok
14:05:17.0921 0820 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
14:05:18.0109 0820 WS2IFSL - ok
14:05:18.0328 0820 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
14:05:18.0453 0820 WSTCODEC - ok
14:05:18.0656 0820 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
14:05:18.0734 0820 WudfPf - ok
14:05:18.0921 0820 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
14:05:18.0968 0820 WudfRd - ok
14:05:19.0125 0820 MBR (0x1B8) (1f753b395539269a3484aecd505b79bd) \Device\Harddisk0\DR0
14:05:19.0156 0820 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - infected
14:05:19.0156 0820 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.b (0)
14:05:19.0281 0820 \Device\Harddisk0\DR0 ( TDSS File System ) - warning
14:05:19.0281 0820 \Device\Harddisk0\DR0 - detected TDSS File System (1)
14:05:19.0281 0820 Boot (0x1200) (e2d6fae486cfce9f30b336d60cb49926) \Device\Harddisk0\DR0\Partition0
14:05:19.0281 0820 \Device\Harddisk0\DR0\Partition0 - ok
14:05:19.0281 0820 ============================================================
14:05:19.0281 0820 Scan finished
14:05:19.0281 0820 ============================================================
14:05:19.0406 4556 Detected object count: 4
14:05:19.0406 4556 Actual detected object count: 4
14:06:41.0875 4556 SCDEmu ( UnsignedFile.Multi.Generic ) - skipped by user
14:06:41.0875 4556 SCDEmu ( UnsignedFile.Multi.Generic ) - User select action: Skip
14:06:41.0890 4556 Tcpip ( UnsignedFile.Multi.Generic ) - skipped by user
14:06:41.0890 4556 Tcpip ( UnsignedFile.Multi.Generic ) - User select action: Skip
14:06:41.0890 4556 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - skipped by user
14:06:41.0890 4556 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - User select action: Skip
14:06:41.0906 4556 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user
14:06:41.0906 4556 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip


3. FSS
Farbar Service Scanner Version: 18-01-2012 01
Ran by Ecky (administrator) on 27-01-2012 at 14:09:48
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.


Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is OK.
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.

netman Service is not running. Checking service configuration:
The start type of netman service is OK.
The ImagePath of netman service is OK.
The ServiceDll of netman service is OK.


Firewall Disabled Policy:
==================


System Restore:
============
Srservice Service is not running. Checking service configuration:
The start type of Srservice service is OK.
The ImagePath of Srservice service is OK.
The ServiceDll of Srservice service is OK.


System Restore Disabled Policy:
========================


Security Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.
Checking LEGACY_wscsvc: Attention! Unable to open LEGACY_wscsvc\0000 registry key. The key does not exist.


Windows Update:
===========
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv: "C:\WINDOWS\system32\wuauserv.dll".


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys
[2009-09-20 09:41] - [2009-09-20 09:41] - 0361344 ____A (Microsoft Corporation) 68F06FE0021B01E670AF37B8C5964FDF

C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll
[2008-04-14 06:00] - [2008-04-14 06:00] - 0246272 ____A (Microsoft Corporation) 19A799805B24990867B00C120D300C3A

C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Avgtdix(8) Bridge(10) BridgeMP(9) Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3)
0x0A0000000400000001000000020000000300000008000000050000000600000007000000090000000A000000
IpSec Tag value is correct.

**** End of log ****

4. OTL
OTL logfile created on: 1/27/2012 2:15:59 PM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Ecky\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.15 Gb Available Physical Memory | 57.73% Memory free
3.85 Gb Paging File | 2.84 Gb Available in Paging File | 73.83% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 698.62 Gb Total Space | 362.61 Gb Free Space | 51.90% Space Free | Partition Type: NTFS

Computer Name: ECKABEB | User Name: Ecky | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/01/27 14:15:01 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Ecky\Desktop\OTL.exe
PRC - [2012/01/21 14:49:32 | 000,924,632 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2012/01/19 17:02:37 | 000,909,152 | ---- | M] () -- C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\10.0.6\ToolbarUpdater.exe
PRC - [2012/01/19 17:02:33 | 000,939,872 | ---- | M] () -- C:\Program Files\AVG Secure Search\vprot.exe
PRC - [2011/12/03 01:22:12 | 002,415,456 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgtray.exe
PRC - [2011/11/28 01:19:04 | 001,229,664 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgnsx.exe
PRC - [2011/10/12 06:25:22 | 004,433,248 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
PRC - [2011/10/10 06:23:34 | 000,973,664 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgemcx.exe
PRC - [2011/09/08 19:53:26 | 000,743,264 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgrsx.exe
PRC - [2011/09/02 07:29:30 | 002,152,152 | ---- | M] (Lavasoft Limited) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
PRC - [2011/08/19 03:26:50 | 000,450,848 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\LogiShrd\LVMVFM\UMVPFSrv.exe
PRC - [2011/08/15 16:18:10 | 001,361,288 | ---- | M] (LogMeIn Inc.) -- C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
PRC - [2011/08/15 07:49:50 | 001,191,216 | ---- | M] (Lavasoft Limited) -- C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
PRC - [2011/08/15 05:21:40 | 000,337,760 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgcsrvx.exe
PRC - [2011/08/12 12:19:40 | 000,680,984 | ---- | M] () -- C:\Program Files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
PRC - [2011/08/12 12:18:42 | 000,205,336 | ---- | M] (Logitech Inc.) -- C:\Program Files\Logitech\LWS\Webcam Software\LWS.exe
PRC - [2011/08/12 12:18:30 | 000,265,240 | ---- | M] () -- C:\Program Files\Logitech\LWS\Webcam Software\CameraHelperShell.exe
PRC - [2011/08/02 05:09:08 | 000,192,776 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgwdsvc.exe
PRC - [2010/09/29 06:00:24 | 000,185,640 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\VERIZONDM\bin\tgsrvc.exe
PRC - [2010/09/29 06:00:16 | 000,206,120 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\VERIZONDM\bin\sprtsvc.exe
PRC - [2009/10/30 04:19:22 | 000,032,768 | ---- | M] (Tablet Driver) -- C:\WINDOWS\system32\WTClient.exe
PRC - [2009/10/30 03:43:30 | 000,073,728 | ---- | M] (Tablet Driver) -- C:\WINDOWS\system32\drivers\WTSrv.exe
PRC - [2009/08/04 17:29:54 | 000,219,360 | ---- | M] (DeviceVM, Inc.) -- C:\Program Files\DeviceVM\Browser Configuration Utility\BCUService.exe
PRC - [2009/08/04 17:29:52 | 000,346,320 | ---- | M] (DeviceVM, Inc.) -- C:\Program Files\DeviceVM\Browser Configuration Utility\BCU.exe
PRC - [2009/07/30 17:51:02 | 000,068,136 | ---- | M] () -- C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
PRC - [2008/04/14 06:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (No Company Name) ==========

MOD - [2012/01/21 14:49:31 | 002,124,760 | ---- | M] () -- C:\Program Files\Mozilla Firefox\mozjs.dll
MOD - [2012/01/19 17:02:37 | 000,909,152 | ---- | M] () -- C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\10.0.6\ToolbarUpdater.exe
MOD - [2012/01/19 17:02:33 | 000,939,872 | ---- | M] () -- C:\Program Files\AVG Secure Search\vprot.exe
MOD - [2011/12/20 22:06:43 | 008,527,008 | ---- | M] () -- C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
MOD - [2011/12/05 12:55:56 | 000,193,904 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Defs\Extended\libMachoUniv.dll
MOD - [2011/12/05 12:54:51 | 000,210,288 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Defs\Extended\libBase64.dll
MOD - [2011/09/27 07:23:00 | 000,087,912 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2011/09/27 07:22:40 | 001,242,472 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
MOD - [2011/09/08 12:20:28 | 000,270,336 | ---- | M] () -- c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLI.Aspect.CrossDisplay.Graphics.Dashboard.dll
MOD - [2011/08/22 15:47:44 | 000,336,408 | ---- | M] () -- C:\Program Files\Common Files\LogiShrd\LWSPlugins\LWS\Applets\CameraHelper\DevManagerCore.dll
MOD - [2011/08/12 12:19:40 | 000,680,984 | ---- | M] () -- C:\Program Files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
MOD - [2011/08/12 12:18:30 | 000,265,240 | ---- | M] () -- C:\Program Files\Logitech\LWS\Webcam Software\CameraHelperShell.exe
MOD - [2011/06/28 05:19:50 | 000,430,568 | ---- | M] () -- C:\Program Files\Lavasoft\Ad-Aware\VipreBridge.dll
MOD - [2011/06/28 05:19:49 | 000,589,184 | ---- | M] () -- C:\Program Files\Lavasoft\Ad-Aware\RPAPI.dll
MOD - [2011/06/16 09:32:06 | 000,308,560 | ---- | M] () -- C:\Program Files\Lavasoft\Ad-Aware\Vipre.dll
MOD - [2011/06/07 03:44:50 | 000,508,776 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Defs\thorax.aaw
MOD - [2010/05/07 18:37:40 | 000,126,808 | ---- | M] () -- C:\Program Files\Logitech\LWS\Webcam Software\ImageFormats\QJpeg4.dll
MOD - [2010/05/07 18:37:40 | 000,027,480 | ---- | M] () -- C:\Program Files\Logitech\LWS\Webcam Software\ImageFormats\QGif4.dll
MOD - [2010/05/07 18:36:54 | 000,340,824 | ---- | M] () -- C:\Program Files\Logitech\LWS\Webcam Software\QTXml4.dll
MOD - [2010/05/07 18:35:56 | 007,954,776 | ---- | M] () -- C:\Program Files\Logitech\LWS\Webcam Software\QTGui4.dll
MOD - [2010/05/07 18:35:44 | 002,143,576 | ---- | M] () -- C:\Program Files\Logitech\LWS\Webcam Software\QTCore4.dll
MOD - [2010/03/29 21:25:10 | 011,791,360 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web\50ea744ffc3cb7f09b027fd6c5c93b2b\System.Web.ni.dll
MOD - [2010/03/29 21:24:53 | 000,970,752 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Configuration\cb4cb21d14767292e079366a5d3d76cd\System.Configuration.ni.dll
MOD - [2010/03/29 21:24:43 | 000,025,600 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Accessibility\c2af7cfbb47c077029a2645930b4eeac\Accessibility.ni.dll
MOD - [2010/03/29 21:05:27 | 005,449,728 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Xml\36f3953f24d4f0b767bf172331ad6f3e\System.Xml.ni.dll
MOD - [2010/03/29 21:05:21 | 012,428,800 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\9a254c455892c02355ab0ab0f0727c5b\System.Windows.Forms.ni.dll
MOD - [2010/03/29 21:05:11 | 001,587,200 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Drawing\6978f2e90f13bc720d57fa6895c911e2\System.Drawing.ni.dll
MOD - [2010/03/24 01:43:07 | 007,867,392 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\aa7926460a336408c8041330ad90929d\System.ni.dll
MOD - [2010/03/24 01:42:48 | 011,485,184 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\9adb89fa22fd5b4ce433b5aca7fb1b07\mscorlib.ni.dll
MOD - [2010/03/24 01:41:10 | 000,303,104 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
MOD - [2010/03/16 11:22:12 | 000,014,848 | ---- | M] () -- c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\AxInterop.WBOCXLib.dll
MOD - [2010/03/15 10:28:22 | 000,141,824 | ---- | M] () -- C:\Program Files\WinRAR\RarExt.dll
MOD - [2009/10/30 04:11:50 | 000,204,800 | ---- | M] () -- C:\WINDOWS\system32\WinTab32.dll
MOD - [2009/07/30 18:15:32 | 000,503,202 | ---- | M] () -- C:\Program Files\DeviceVM\Browser Configuration Utility\sqlite3.dll
MOD - [2009/07/30 17:51:02 | 000,068,136 | ---- | M] () -- C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
MOD - [2009/03/13 11:30:44 | 000,109,096 | ---- | M] () -- C:\Program Files\GIGABYTE\EnergySaver\ycc.dll
MOD - [2008/03/29 00:42:20 | 000,159,744 | ---- | M] () -- C:\Program Files\Essentials Codec Pack\Haali\mmfinfo.dll
MOD - [2008/03/29 00:41:52 | 000,023,552 | ---- | M] () -- C:\Program Files\Essentials Codec Pack\Haali\mkunicode.dll


========== Win32 Services (SafeList) ==========

SRV - [2012/01/19 17:02:37 | 000,909,152 | ---- | M] () [Auto | Running] -- C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\10.0.6\ToolbarUpdater.exe -- (vToolbarUpdater)
SRV - [2011/10/12 06:25:22 | 004,433,248 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe -- (AVGIDSAgent)
SRV - [2011/09/02 07:29:30 | 002,152,152 | ---- | M] (Lavasoft Limited) [Auto | Running] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2011/08/19 03:26:50 | 000,450,848 | ---- | M] (Logitech Inc.) [Auto | Running] -- C:\Program Files\Common Files\LogiShrd\LVMVFM\UMVPFSrv.exe -- (UMVPFSrv)
SRV - [2011/08/15 16:18:10 | 001,361,288 | ---- | M] (LogMeIn Inc.) [Auto | Running] -- C:\Program Files\LogMeIn Hamachi\hamachi-2.exe -- (Hamachi2Svc)
SRV - [2011/08/02 05:09:08 | 000,192,776 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG2012\avgwdsvc.exe -- (avgwd)
SRV - [2011/05/30 10:33:54 | 001,025,352 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\AVG\AVG10\Toolbar\ToolbarBroker.exe -- (AVG Security Toolbar Service)
SRV - [2010/09/29 06:00:24 | 000,185,640 | ---- | M] (SupportSoft, Inc.) [Auto | Running] -- C:\Program Files\VERIZONDM\bin\tgsrvc.exe -- (tgsrvc_verizondm) SupportSoft Repair Service (verizondm)
SRV - [2010/09/29 06:00:16 | 000,206,120 | ---- | M] (SupportSoft, Inc.) [Auto | Running] -- C:\Program Files\VERIZONDM\bin\sprtsvc.exe -- (sprtsvc_verizondm) SupportSoft Sprocket Service (verizondm)
SRV - [2010/02/19 13:37:14 | 000,517,096 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe -- (SwitchBoard)
SRV - [2010/01/15 06:49:20 | 000,227,232 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe -- (McComponentHostService)
SRV - [2009/10/30 03:43:30 | 000,073,728 | ---- | M] (Tablet Driver) [Auto | Running] -- C:\WINDOWS\System32\Drivers\WTSRV.EXE -- (WinTabService)
SRV - [2009/08/04 17:29:54 | 000,219,360 | ---- | M] (DeviceVM, Inc.) [Auto | Running] -- C:\Program Files\DeviceVM\Browser Configuration Utility\BCUService.exe -- (BCUService)
SRV - [2009/07/30 17:51:02 | 000,068,136 | ---- | M] () [Auto | Running] -- C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe -- (GEST Service)


========== Driver Services (SafeList) ==========

DRV - [2012/01/27 01:36:35 | 000,017,488 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\gdrv.sys -- (gdrv)
DRV - [2011/10/18 23:05:51 | 007,180,800 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2011/10/07 06:23:48 | 000,230,608 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgldx86.sys -- (Avgldx86)
DRV - [2011/10/04 06:21:42 | 000,016,720 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AVGIDSShim.sys -- (AVGIDSShim)
DRV - [2011/08/19 03:26:50 | 004,334,624 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\lvuvc.sys -- (LVUVC) Logitech Webcam 250(UVC)
DRV - [2011/08/19 03:26:46 | 000,315,808 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\lvrs.sys -- (LVRS)
DRV - [2011/05/27 18:05:44 | 000,134,480 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AVGIDSDriver.sys -- (AVGIDSDriver)
DRV - [2011/04/04 23:59:56 | 000,297,168 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgtdix.sys -- (Avgtdix)
DRV - [2011/03/16 15:03:20 | 000,032,592 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\avgrkx86.sys -- (Avgrkx86)
DRV - [2011/03/14 02:02:01 | 000,064,512 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\Lbd.sys -- (Lbd)
DRV - [2011/03/14 02:02:00 | 000,015,232 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\Lavasoft\Ad-Aware\kernexplorer.sys -- (Lavasoft Kernexplorer)
DRV - [2011/03/01 13:25:18 | 000,034,896 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\avgmfx86.sys -- (Avgmfx86)
DRV - [2011/02/22 07:13:02 | 000,022,992 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\AVGIDSEH.Sys -- (AVGIDSEH)
DRV - [2011/02/10 06:53:52 | 000,024,144 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AVGIDSFilter.sys -- (AVGIDSFilter)
DRV - [2010/05/07 18:43:30 | 000,025,824 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LVPr2Mon.sys -- (LVPr2Mon)
DRV - [2010/04/12 02:44:34 | 000,059,388 | ---- | M] (PowerISO Computing, Inc.) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\scdemu.sys -- (SCDEmu)
DRV - [2009/10/07 02:49:50 | 000,023,832 | R--- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lvuvcflt.sys -- (FilterService)
DRV - [2009/10/07 02:46:12 | 000,114,712 | R--- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lvpopflt.sys -- (lvpopflt)
DRV - [2009/08/19 06:05:56 | 000,100,368 | ---- | M] (ATI Research Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AtiHdmi.sys -- (AtiHdmiService)
DRV - [2009/06/29 05:59:14 | 000,142,592 | R--- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtenicxp.sys -- (RTLE8023xp)
DRV - [2009/06/25 00:07:44 | 005,095,936 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2009/06/25 00:07:40 | 001,684,736 | ---- | M] (Creative) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Ambfilt.sys -- (Ambfilt)
DRV - [2009/06/25 00:07:40 | 001,389,056 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Monfilt.sys -- (Monfilt)
DRV - [2009/06/22 03:58:48 | 000,019,624 | ---- | M] (Tablet Driver) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\UCTblHid.sys -- (UCTblHid)
DRV - [2009/06/22 03:58:38 | 000,023,208 | ---- | M] (Tablet Driver) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\TClass2k.sys -- (TClass2k)
DRV - [2009/03/18 16:35:40 | 000,026,176 | -H-- | M] (LogMeIn, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hamachi.sys -- (hamachi)
DRV - [2008/11/04 12:21:04 | 000,083,296 | R--- | M] (JMicron Technology Corp.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\jraid.sys -- (JRAID)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/

IE - HKU\S-1-5-21-602162358-162531612-1417001333-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/?o=13170&l=dis
IE - HKU\S-1-5-21-602162358-162531612-1417001333-1003\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
IE - HKU\S-1-5-21-602162358-162531612-1417001333-1003\..\URLSearchHook: {BC86E1AB-EDA5-4059-938F-CE307B0C6F0A} - C:\Program Files\DeviceVM\Browser Configuration Utility\AddressBarSearch.dll (DeviceVM, Inc.)
IE - HKU\S-1-5-21-602162358-162531612-1417001333-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-602162358-162531612-1417001333-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultengine: "Ask.com"
FF - prefs.js..browser.search.defaultenginename: "AVG Secure Search"
FF - prefs.js..browser.search.order.1: "Ask.com"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "www.yahoo.com"
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
FF - prefs.js..extensions.enabledItems: avg@igeared:6.103.018.001
FF - prefs.js..extensions.enabledItems: gencrawler@some.com:2.0
FF - prefs.js..extensions.enabledItems: {1E73965B-8B48-48be-9C8D-68B920ABC1C4}:10.0.0.1209
FF - prefs.js..keyword.URL: "http://search.avg.com/route/?d=4dd1c4d4&v=7.008.031.001&i=23&tp=ab&iy=&ychte=us&lng=en-US&q="
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 50370
FF - prefs.js..network.proxy.type: 4


FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@gamersfirst.com/LiveLauncher: C:\Program Files\GamersFirst\LIVE!\nplivelauncher.dll File not found
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60310.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
FF - HKCU\Software\MozillaPlugins\@talk.google.com/GoogleTalkPlugin: C:\Documents and Settings\Ecky\Application Data\Mozilla\plugins\npgoogletalk.dll (Google)
FF - HKCU\Software\MozillaPlugins\@talk.google.com/O3DPlugin: C:\Documents and Settings\Ecky\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll ()
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Documents and Settings\Ecky\Local Settings\Application Data\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Documents and Settings\Ecky\Local Settings\Application Data\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\pandonetworks.com/PandoWebPlugin: C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{6F9AE03E-BCF9-4C12-9A77-3849C5EFA02C}: C:\Documents and Settings\Ecky\Local Settings\Application Data\{6F9AE03E-BCF9-4C12-9A77-3849C5EFA02C} [2011/03/02 22:45:15 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{1E73965B-8B48-48be-9C8D-68B920ABC1C4}: C:\Program Files\AVG\AVG2012\Firefox4\ [2011/12/22 13:51:57 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\avg@toolbar: C:\Documents and Settings\All Users\Application Data\AVG Secure Search\10.0.0.7\ [2012/01/19 17:02:49 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 9.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/01/21 14:49:33 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 9.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/11/19 02:53:18 | 000,000,000 | ---D | M]

[2010/03/22 22:01:49 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Ecky\Application Data\Mozilla\Extensions
[2011/12/10 11:57:33 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Ecky\Application Data\Mozilla\Firefox\Profiles\3v9eamco.default\extensions
[2010/11/01 21:45:05 | 000,000,000 | ---D | M] (ActiveGS) -- C:\Documents and Settings\Ecky\Application Data\Mozilla\Firefox\Profiles\3v9eamco.default\extensions\activegs@freetoolsassociation.com
[2011/12/10 11:57:34 | 000,000,000 | ---D | M] (Yontoo) -- C:\Documents and Settings\Ecky\Application Data\Mozilla\Firefox\Profiles\3v9eamco.default\extensions\plugin@yontoo.com
[2011/03/08 11:55:10 | 000,002,567 | ---- | M] () -- C:\Documents and Settings\Ecky\Application Data\Mozilla\Firefox\Profiles\3v9eamco.default\searchplugins\askcom.xml
[2012/01/26 13:01:19 | 000,002,526 | ---- | M] () -- C:\Documents and Settings\Ecky\Application Data\Mozilla\Firefox\Profiles\3v9eamco.default\searchplugins\mangafox.xml
[2011/12/20 22:03:50 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/07/16 22:57:03 | 000,000,000 | ---D | M] (Skype extension) -- C:\Program Files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
[2011/03/14 13:44:13 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}-trash
[2011/12/22 13:51:57 | 000,000,000 | ---D | M] (AVG Safe Search) -- C:\PROGRAM FILES\AVG\AVG2012\FIREFOX4
[2010/07/20 02:10:07 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2012/01/21 14:49:32 | 000,121,816 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011/05/04 03:52:23 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2012/01/19 17:02:32 | 000,003,766 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\avg-secure-search.xml
[2012/01/21 14:49:29 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/01/21 14:49:29 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?client=chrome&hl={language}&q={searchTerms}
CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files\Google\Chrome\Application\10.0.648.151\gcswf32.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll
CHR - plugin: Java Deployment Toolkit 6.0.240.7 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll
CHR - plugin: Java™ Platform SE 6 U24 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: Adobe Acrobat (Disabled) = C:\Program Files\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll
CHR - plugin: Windows Media Player Plug-in Dynamic Link Library (Enabled) = C:\Program Files\Windows Media Player\npdsplay.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files\Google\Chrome\Application\10.0.648.151\pdf.dll
CHR - plugin: Google Gears 0.5.33.0 (Enabled) = C:\Program Files\Google\Chrome\Application\10.0.648.151\gears.dll
CHR - plugin: Google Talk Plugin (Enabled) = C:\Documents and Settings\Ecky\Application Data\Mozilla\plugins\npgoogletalk.dll
CHR - plugin: Google Talk Plugin Video Accelerator (Enabled) = C:\Documents and Settings\Ecky\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npdrmv2.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npwmsdrm.dll
CHR - plugin: Google Update (Enabled) = C:\Documents and Settings\Ecky\Local Settings\Application Data\Google\Update\1.2.183.39\npGoogleOneClick8.dll
CHR - plugin: Unity Player (Enabled) = C:\Documents and Settings\Ecky\Local Settings\Application Data\Unity\WebPlayer\loader\npUnity3D32.dll
CHR - plugin: iTunes Application Detector (Enabled) = C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
CHR - plugin: Windows Presentation Foundation (Enabled) = C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin
CHR - Extension: Entanglement = C:\Documents and Settings\Ecky\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\aciahcmjmecflokailenpkdchphgkefd\2.1.1_0\
CHR - Extension: AT_KojiNishida = C:\Documents and Settings\Ecky\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\mbdhmimpfmefmegcdgmbohplkcbpgpjb\2_0\
CHR - Extension: Poppit = C:\Documents and Settings\Ecky\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\mcbkbpnkkkipelfledbfocopglifcfmi\2.2_0\
CHR - Extension: General Crawler = C:\Documents and Settings\Ecky\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\ohpafaiacidobgbmohmgaglajcipekpk\2.0_0\

O1 HOSTS File: ([2012/01/20 07:51:44 | 000,000,884 | RH-- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 94.63.240.131 www.google.com
O1 - Hosts: 94.63.240.132 www.bing.com
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG2012\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (AVG Security Toolbar) - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG Secure Search\10.0.0.7\AVG Secure Search_toolbar.dll ()
O2 - BHO: (Skype Browser Helper) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG Secure Search\10.0.0.7\AVG Secure Search_toolbar.dll ()
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKU\S-1-5-21-602162358-162531612-1417001333-1003\..\Toolbar\ShellBrowser: (no name) - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No CLSID value found.
O3 - HKU\S-1-5-21-602162358-162531612-1417001333-1003\..\Toolbar\WebBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKU\S-1-5-21-602162358-162531612-1417001333-1003\..\Toolbar\WebBrowser: (no name) - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No CLSID value found.
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG2012\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [BCU] C:\Program Files\DeviceVM\Browser Configuration Utility\BCU.exe (DeviceVM, Inc.)
O4 - HKLM..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe (Google)
O4 - HKLM..\Run: [LogMeIn Hamachi Ui] C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe (LogMeIn Inc.)
O4 - HKLM..\Run: [LWS] C:\Program Files\Logitech\LWS\Webcam Software\LWS.exe (Logitech Inc.)
O4 - HKLM..\Run: [ROC_roc_dec12] C:\Program Files\AVG Secure Search\ROC_roc_dec12.exe ()
O4 - HKLM..\Run: [StartCCC] c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [vProt] C:\Program Files\AVG Secure Search\vprot.exe ()
O4 - HKLM..\Run: [WTClient] C:\WINDOWS\System32\WTClient.exe (Tablet Driver)
O4 - HKU\S-1-5-21-602162358-162531612-1417001333-1003..\Run: [PlayNC Launcher] File not found
O4 - HKU\S-1-5-21-602162358-162531612-1417001333-1003..\Run: [Steam] C:\Program Files\Steam\steam.exe (Valve Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-602162358-162531612-1417001333-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-602162358-162531612-1417001333-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O9 - Extra Button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000020 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000021 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000022 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000023 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{DE7B0285-2CA2-4652-BC39-997B340764A3}: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O18 - Protocol\Handler\viprotocol {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files\Common Files\AVG Secure Search\ViProtocolInstaller\10.0.6\ViProtocol.dll ()
O20 - HKLM Winlogon: Shell - (explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - (Ati2evxx.dll) - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\Ecky\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Ecky\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/03/23 10:46:57 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{c1518a9e-2b88-11e1-910d-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{c1518a9e-2b88-11e1-910d-806d6172696f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{c1518a9e-2b88-11e1-910d-806d6172696f}\Shell\AutoRun\command - "" = D:\setup.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (lsdelete)
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG2012\avgrsx.exe /sync /restart)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/01/27 14:15:00 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Ecky\Desktop\OTL.exe
[2012/01/27 14:00:22 | 002,058,032 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Ecky\Desktop\tdsskiller.exe
[2012/01/26 15:20:46 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\Ecky\Desktop\dds.scr
[2012/01/26 12:59:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Mozilla
[2012/01/26 12:59:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Mozilla
[2012/01/26 00:18:29 | 000,000,000 | R--D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Games
[2012/01/25 03:40:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple Computer
[2012/01/25 02:55:31 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Ecky\Recent
[2012/01/25 02:54:53 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2012/01/25 02:54:07 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Ecky\Start Menu\Programs\Administrative Tools
[2012/01/24 15:44:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Sun
[2012/01/24 15:44:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2012/01/24 00:14:26 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\{83C3B2FD-37EA-4C06-A228-E9B5E32FF0B1}
[2012/01/22 13:15:45 | 000,000,000 | ---D | C] -- C:\cmdcons
[2012/01/22 13:13:08 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2012/01/22 13:13:08 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2012/01/22 13:13:08 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2012/01/22 13:13:08 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2012/01/22 13:12:58 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2012/01/22 13:12:56 | 000,000,000 | --SD | C] -- C:\ComboFix
[2012/01/22 13:12:21 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/01/22 03:20:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2012/01/22 03:18:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2012/01/21 16:22:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2012/01/21 14:24:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2012/01/21 14:24:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2012/01/19 21:52:01 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2012/01/14 22:27:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Google Talk
[2012/01/06 19:20:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Ventrilo
[2012/01/06 19:20:51 | 000,000,000 | ---D | C] -- C:\Program Files\Ventrilo
[2012/01/05 19:17:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Valve
[2012/01/04 00:23:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ecky\Local Settings\Application Data\Logitech® Webcam Software
[2012/01/04 00:16:28 | 000,000,000 | ---D | C] -- C:\My Games
[2012/01/04 00:15:45 | 000,000,000 | ---D | C] -- C:\Program Files\NVIDIA Corporation
[2012/01/03 17:31:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ecky\My Documents\DIgital Games Factory
[2012/01/02 19:37:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ecky\Application Data\Doublefine
[2011/12/29 11:47:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\iTunes
[2011/12/29 11:46:05 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2011/12/29 11:46:03 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes

========== Files - Modified Within 30 Days ==========

[2012/01/27 14:15:01 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Ecky\Desktop\OTL.exe
[2012/01/27 14:08:20 | 000,334,429 | ---- | M] () -- C:\Documents and Settings\Ecky\Desktop\FSS.exe
[2012/01/27 14:05:40 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/01/27 14:01:02 | 002,058,032 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Ecky\Desktop\tdsskiller.exe
[2012/01/27 13:59:00 | 000,000,974 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-602162358-162531612-1417001333-1003UA.job
[2012/01/27 13:09:02 | 087,583,141 | ---- | M] () -- C:\WINDOWS\System32\drivers\AVG\incavi.avm
[2012/01/27 12:51:55 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\drivers\lvuvc.hs
[2012/01/27 02:00:00 | 000,000,340 | ---- | M] () -- C:\WINDOWS\tasks\AdobeAAMUpdater-1.0-HEATHER-Ecky.job
[2012/01/27 01:37:39 | 000,000,486 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2012/01/27 01:36:35 | 000,017,488 | ---- | M] (Windows ® 2000 DDK provider) -- C:\WINDOWS\gdrv.sys
[2012/01/27 01:36:31 | 000,000,308 | -HS- | M] () -- C:\WINDOWS\tasks\OJFQS.job
[2012/01/27 01:36:25 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/01/26 20:59:00 | 000,000,922 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-602162358-162531612-1417001333-1003Core.job
[2012/01/26 19:55:50 | 000,302,592 | ---- | M] () -- C:\Documents and Settings\Ecky\Desktop\iexplore.exe.exe
[2012/01/26 15:20:46 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\Ecky\Desktop\dds.scr
[2012/01/26 15:18:21 | 001,529,478 | ---- | M] () -- C:\Documents and Settings\Ecky\Desktop\trojan exploit firewall.bmp
[2012/01/26 15:15:31 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Ecky\defogger_reenable
[2012/01/26 15:15:03 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Ecky\Desktop\Defogger.exe
[2012/01/26 11:21:00 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2012/01/26 00:21:43 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/01/26 00:18:40 | 000,493,384 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/01/26 00:18:40 | 000,083,802 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/01/24 18:55:02 | 000,093,339 | ---- | M] () -- C:\WINDOWS\System32\drivers\AVG\iavichjg.avm
[2012/01/24 15:53:53 | 000,000,064 | ---- | M] () -- C:\WINDOWS\System32\rp_stats.dat
[2012/01/24 15:53:53 | 000,000,044 | ---- | M] () -- C:\WINDOWS\System32\rp_rules.dat
[2012/01/24 00:51:51 | 000,033,806 | ---- | M] () -- C:\Documents and Settings\Ecky\Desktop\backup changes to reggistry.reg
[2012/01/23 19:55:24 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/01/22 13:26:48 | 000,026,112 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\userinit.exe
[2012/01/22 13:15:57 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2012/01/20 07:51:44 | 000,000,884 | RH-- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2012/01/19 17:20:55 | 000,000,630 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Ventrilo.lnk
[2012/01/08 15:49:02 | 000,000,641 | ---- | M] () -- C:\Documents and Settings\Ecky\Desktop\Ruin Recruiting stuff.rtf

========== Files Created - No Company Name ==========

[2012/01/27 14:08:20 | 000,334,429 | ---- | C] () -- C:\Documents and Settings\Ecky\Desktop\FSS.exe
[2012/01/26 19:55:50 | 000,302,592 | ---- | C] () -- C:\Documents and Settings\Ecky\Desktop\iexplore.exe.exe
[2012/01/26 15:28:53 | 000,302,592 | ---- | C] () -- C:\Documents and Settings\Ecky\Desktop\gmer.exe
[2012/01/26 15:18:21 | 001,529,478 | ---- | C] () -- C:\Documents and Settings\Ecky\Desktop\trojan exploit firewall.bmp
[2012/01/26 15:15:31 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Ecky\defogger_reenable
[2012/01/26 15:15:03 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Ecky\Desktop\Defogger.exe
[2012/01/24 00:50:57 | 000,033,806 | ---- | C] () -- C:\Documents and Settings\Ecky\Desktop\backup changes to reggistry.reg
[2012/01/23 19:55:24 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/01/22 13:15:57 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2012/01/22 13:15:49 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2012/01/22 13:13:08 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2012/01/22 13:13:08 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2012/01/22 13:13:08 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2012/01/22 13:13:08 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2012/01/22 13:13:08 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2012/01/08 00:53:13 | 000,000,641 | ---- | C] () -- C:\Documents and Settings\Ecky\Desktop\Ruin Recruiting stuff.rtf
[2012/01/06 19:20:59 | 000,000,630 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Ventrilo.lnk
[2011/12/09 01:15:28 | 000,004,096 | ---- | C] () -- C:\WINDOWS\d3dx.dat
[2011/11/21 02:26:37 | 006,908,648 | ---- | C] () -- C:\WINDOWS\System32\SpoonUninstall.exe
[2011/11/21 02:26:37 | 000,017,680 | ---- | C] () -- C:\WINDOWS\System32\SpoonUninstall-dBpoweramp Music Converter.dat
[2011/10/25 16:01:28 | 000,016,432 | ---- | C] () -- C:\WINDOWS\System32\lsdelete.exe
[2011/10/15 14:32:29 | 000,138,056 | ---- | C] () -- C:\WINDOWS\System32\drivers\PnkBstrK.sys
[2011/10/15 14:32:11 | 000,189,248 | ---- | C] () -- C:\WINDOWS\System32\PnkBstrB.exe
[2011/10/15 14:32:09 | 000,075,136 | ---- | C] () -- C:\WINDOWS\System32\PnkBstrA.exe
[2011/09/14 10:47:40 | 000,053,760 | ---- | C] () -- C:\WINDOWS\System32\OVDecode.dll
[2011/08/24 23:56:40 | 000,000,096 | -H-- | C] () -- C:\WINDOWS\System32\HsInfo.dat
[2011/08/12 12:20:14 | 000,015,896 | ---- | C] () -- C:\WINDOWS\System32\drivers\iKeyLFT2.dll
[2011/07/06 16:35:13 | 000,000,025 | ---- | C] () -- C:\WINDOWS\popcinfot.dat
[2011/05/30 12:52:31 | 000,138,056 | ---- | C] () -- C:\Documents and Settings\Ecky\Application Data\PnkBstrK.sys
[2011/05/21 13:07:33 | 000,000,020 | ---- | C] () -- C:\WINDOWS\System32\KBDCZ6.DLL
[2011/04/25 21:53:24 | 000,000,064 | ---- | C] () -- C:\WINDOWS\System32\rp_stats.dat
[2011/04/25 21:53:24 | 000,000,044 | ---- | C] () -- C:\WINDOWS\System32\rp_rules.dat
[2011/03/11 15:30:44 | 000,102,400 | ---- | C] () -- C:\WINDOWS\RegBootClean.exe
[2011/03/11 12:10:00 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\Ecky\Local Settings\Application Data\housecall.guid.cache
[2011/03/07 14:01:05 | 000,050,168 | ---- | C] () -- C:\WINDOWS\System32\lnasqishcnsor.exe
[2011/03/02 22:45:17 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Tmabadodexadape.dat
[2011/03/02 22:45:17 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Yjuhi.bin
[2011/02/09 15:28:02 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/02/01 12:55:23 | 000,089,600 | ---- | C] () -- C:\Documents and Settings\Ecky\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/12/16 17:17:07 | 000,028,418 | ---- | C] () -- C:\WINDOWS\System32\lvcoinst.ini
[2010/11/15 19:23:34 | 000,118,784 | ---- | C] () -- C:\WINDOWS\ShowBmp.exe
[2010/11/15 19:23:34 | 000,014,385 | ---- | C] () -- C:\WINDOWS\Tw561a.ini
[2010/11/15 19:23:34 | 000,000,180 | ---- | C] () -- C:\WINDOWS\ap561.ini
[2010/11/15 19:23:34 | 000,000,081 | ---- | C] () -- C:\WINDOWS\Setup8a.ini
[2010/11/09 20:45:32 | 000,104,472 | ---- | C] () -- C:\WINDOWS\System32\LogiDPPApp.exe
[2010/11/09 20:45:30 | 010,898,456 | ---- | C] () -- C:\WINDOWS\System32\LogiDPP.dll
[2010/11/09 20:45:20 | 000,336,408 | ---- | C] () -- C:\WINDOWS\System32\DevManagerCore.dll
[2010/10/24 13:31:46 | 000,548,464 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/09/12 01:19:31 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2010/07/24 01:59:39 | 000,027,648 | ---- | C] () -- C:\WINDOWS\System32\AVSredirect.dll
[2010/07/24 01:31:50 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2010/07/06 16:13:39 | 000,011,204 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2010/05/13 09:03:42 | 000,232,960 | ---- | C] () -- C:\WINDOWS\System32\MyDrawLineWindowDll.dll
[2010/05/07 18:43:30 | 000,025,824 | ---- | C] () -- C:\WINDOWS\System32\drivers\LVPr2Mon.sys
[2010/04/30 12:39:36 | 000,043,520 | ---- | C] () -- C:\WINDOWS\System32\CmdLineExt03.dll
[2010/03/23 11:49:28 | 000,073,728 | R--- | C] () -- C:\WINDOWS\System32\RtNicProp32.dll
[2010/03/23 11:43:26 | 000,207,400 | R--- | C] () -- C:\WINDOWS\GSetup.exe
[2010/03/23 11:43:26 | 000,000,010 | ---- | C] () -- C:\WINDOWS\GSetup.ini
[2010/03/23 11:41:03 | 000,000,000 | ---- | C] () -- C:\WINDOWS\ativpsrm.bin
[2010/03/23 11:40:05 | 000,887,724 | ---- | C] () -- C:\WINDOWS\System32\ativva6x.dat
[2010/03/23 11:40:05 | 000,239,869 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.dat
[2010/03/23 11:40:05 | 000,000,003 | ---- | C] () -- C:\WINDOWS\System32\ativva5x.dat
[2010/03/23 10:51:17 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2010/03/23 10:43:35 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2010/03/23 04:33:25 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2010/03/23 04:21:27 | 003,407,888 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/03/22 22:01:44 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2009/10/30 04:11:50 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\WinTab32.dll
[2009/08/22 07:51:16 | 000,047,104 | ---- | C] () -- C:\WINDOWS\System32\UCMfg.exe
[2008/04/14 06:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2008/04/14 06:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2008/04/14 06:00:00 | 000,493,384 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2008/04/14 06:00:00 | 000,456,576 | ---- | C] () -- C:\WINDOWS\System32\drivers\mrxsmb.sys
[2008/04/14 06:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2008/04/14 06:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2008/04/14 06:00:00 | 000,083,802 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2008/04/14 06:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2008/04/14 06:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2008/04/14 06:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2008/04/14 06:00:00 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2008/04/14 06:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2008/04/14 06:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2007/04/24 13:31:12 | 000,010,240 | ---- | C] () -- C:\WINDOWS\System32\ucinst32.dll
[2004/05/10 09:33:46 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\lhtool.exe
[2002/10/29 13:53:26 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\PcHook.DLL

========== Alternate Data Streams ==========

@Alternate Data Stream - 146 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0B4227B4

< End of report >

OTL Extras
OTL Extras logfile created on: 1/27/2012 2:15:59 PM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Ecky\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.15 Gb Available Physical Memory | 57.73% Memory free
3.85 Gb Paging File | 2.84 Gb Available in Paging File | 73.83% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 698.62 Gb Total Space | 362.61 Gb Free Space | 51.90% Space Free | Partition Type: NTFS

Computer Name: ECKABEB | User Name: Ecky | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
.url [@ = InternetShortcut] -- rundll32.exe shdocvw.dll,OpenURL %l

[HKEY_USERS\S-1-5-21-602162358-162531612-1417001333-1003\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
http [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
InternetShortcut [open] -- rundll32.exe shdocvw.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [Bridge] -- C:\Program Files\Adobe\Adobe Bridge CS5\Bridge.exe "%L" (Adobe Systems, Inc.)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"57695:TCP" = 57695:TCP:*:Enabled:Pando Media Booster
"57695:UDP" = 57695:UDP:*:Enabled:Pando Media Booster
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009
"57695:TCP" = 57695:TCP:*:Enabled:Pando Media Booster
"57695:UDP" = 57695:UDP:*:Enabled:Pando Media Booster
"4530:TCP" = 4530:TCP:*:Enabled:Akamai NetSession Interface
"5000:UDP" = 5000:UDP:LocalSubNet:Enabled:Akamai NetSession Interface

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Pando Networks\Media Booster\PMB.exe" = C:\Program Files\Pando Networks\Media Booster\PMB.exe:*:Enabled:Pando Media Booster -- ()
"C:\Program Files\Electronic Arts\BioWare\Star Wars - The Old Republic\swtor\retailclient\swtor.exe" = C:\Program Files\Electronic Arts\BioWare\Star Wars - The Old Republic\swtor\retailclient\swtor.exe:*:Enabled:Star Wars - The Old Republic -- (BioWare, A Division of Electronic Arts)
"C:\Program Files\Electronic Arts\BioWare\Star Wars - The Old Republic\launcher.exe" = C:\Program Files\Electronic Arts\BioWare\Star Wars - The Old Republic\launcher.exe:*:Enabled:Star Wars - The Old Republic -- (BioWare)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\WINDOWS\system32\usmt\migwiz.exe" = C:\WINDOWS\system32\usmt\migwiz.exe:*:Enabled:Files and Settings Transfer Wizard -- (Microsoft Corporation)
"C:\Program Files\Google\Google Talk\googletalk.exe" = C:\Program Files\Google\Google Talk\googletalk.exe:*:Enabled:Google Talk -- (Google)
"C:\Program Files\BitTorrent\bittorrent.exe" = C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent -- (BitTorrent, Inc.)
"C:\Documents and Settings\Ecky\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.dll" = C:\Documents and Settings\Ecky\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.dll:*:Enabled:Google Talk Plugin -- (Google)
"C:\Documents and Settings\Ecky\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe" = C:\Documents and Settings\Ecky\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe:*:Enabled:Google Talk Plugin -- (Google)
"C:\Program Files\Steam\Steam.exe" = C:\Program Files\Steam\Steam.exe:*:Enabled:Steam -- (Valve Corporation)
"C:\Program Files\Skype\Plugin Manager\skypePM.exe" = C:\Program Files\Skype\Plugin Manager\skypePM.exe:*:Enabled:Skype Extras Manager
"C:\Documents and Settings\Ecky\Desktop\Folder for Folders\World of Warcraft\Launcher.exe" = C:\Documents and Settings\Ecky\Desktop\Folder for Folders\World of Warcraft\Launcher.exe:*:Enabled:Blizzard Launcher -- (Blizzard Entertainment)
"C:\WINDOWS\system32\java.exe" = C:\WINDOWS\system32\java.exe:*:Enabled:Java™ Platform SE binary -- (Sun Microsystems, Inc.)
"C:\Program Files\Java\jre6\bin\javaw.exe" = C:\Program Files\Java\jre6\bin\javaw.exe:*:Enabled:Java™ Platform SE binary -- (Sun Microsystems, Inc.)
"C:\Program Files\Steam\steamapps\eckabeb\team fortress 2\hl2.exe" = C:\Program Files\Steam\steamapps\eckabeb\team fortress 2\hl2.exe:*:Disabled:hl2 -- ()
"C:\Documents and Settings\Ecky\Desktop\Folder for Folders\World of Warcraft\BackgroundDownloader.exe" = C:\Documents and Settings\Ecky\Desktop\Folder for Folders\World of Warcraft\BackgroundDownloader.exe:*:Enabled:Blizzard Downloader -- (Blizzard Entertainment)
"C:\Program Files\CCP\EVE\bin\ExeFile.exe" = C:\Program Files\CCP\EVE\bin\ExeFile.exe:*:Enabled:CCP ExeFile -- (CCP hf.)
"C:\Program Files\AVG\AVG10\avgmfapx.exe" = C:\Program Files\AVG\AVG10\avgmfapx.exe:*:Enabled:AVG Installer
"C:\Program Files\Pando Networks\Media Booster\PMB.exe" = C:\Program Files\Pando Networks\Media Booster\PMB.exe:*:Enabled:Pando Media Booster -- ()
"C:\Program Files\Steam\steamapps\common\terraria\TerrariaServer.exe" = C:\Program Files\Steam\steamapps\common\terraria\TerrariaServer.exe:*:Enabled:Terraria -- (Re-Logic)
"C:\Documents and Settings\Ecky\Desktop\Folder for Folders\World of Warcraft\Launcher.patch.exe" = C:\Documents and Settings\Ecky\Desktop\Folder for Folders\World of Warcraft\Launcher.patch.exe:*:Enabled:Blizzard Launcher
"C:\Program Files\Steam\steamapps\common\crimecraft\Binaries\CrimeCraft.exe" = C:\Program Files\Steam\steamapps\common\crimecraft\Binaries\CrimeCraft.exe:*:Enabled:CrimeCraft -- ()
"C:\Program Files\Steam\steamapps\common\plants vs zombies\PlantsVsZombies.exe" = C:\Program Files\Steam\steamapps\common\plants vs zombies\PlantsVsZombies.exe:*:Enabled:Plants vs. Zombies: Game of the Year -- ()
"C:\Program Files\Steam\steamapps\common\crimecraft\SteamLauncher.exe" = C:\Program Files\Steam\steamapps\common\crimecraft\SteamLauncher.exe:*:Enabled:Crimecraft: BLEEDOUT -- (Vogster Entertainment)
"C:\Program Files\Steam\steamapps\common\spiral knights\java_vm\bin\javaw.exe" = C:\Program Files\Steam\steamapps\common\spiral knights\java_vm\bin\javaw.exe:*:Enabled:Spiral Knights -- (Sun Microsystems, Inc.)
"C:\Program Files\Steam\steamapps\common\sega classics\SEGAGenesisClassics.exe" = C:\Program Files\Steam\steamapps\common\sega classics\SEGAGenesisClassics.exe:*:Enabled:SEGA Genesis & Mega Drive Classics -- ()
"C:\Program Files\Steam\steamapps\common\left 4 dead\left4dead.exe" = C:\Program Files\Steam\steamapps\common\left 4 dead\left4dead.exe:*:Enabled:Left 4 Dead -- ()
"C:\Program Files\AVG\AVG2012\avgmfapx.exe" = C:\Program Files\AVG\AVG2012\avgmfapx.exe:*:Enabled:AVG Installer -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\GamersFirst\APB Reloaded\Binaries\APB.exe" = C:\Program Files\GamersFirst\APB Reloaded\Binaries\APB.exe:*:Enabled:APB: APB.exe -- (K2 Network, Inc.)
"C:\Program Files\GamersFirst\APB Reloaded\Binaries\VivoxVoiceService.exe" = C:\Program Files\GamersFirst\APB Reloaded\Binaries\VivoxVoiceService.exe:*:Enabled:APB: VivoxVoiceService.exe -- (Vivox Inc.)
"C:\Program Files\Steam\steamapps\common\kaptain brawe\brawe.exe" = C:\Program Files\Steam\steamapps\common\kaptain brawe\brawe.exe:*:Enabled:Kaptain Brawe -- ()
"C:\Program Files\Steam\steamapps\common\amd driver updater, xp, 32 bit\Setup.exe" = C:\Program Files\Steam\steamapps\common\amd driver updater, xp, 32 bit\Setup.exe:*:Enabled:AMD Driver Updater, XP, 32 bit -- (Advanced Micro Devices, Inc.)
"C:\Program Files\Logitech\Vid HD\Vid.exe" = C:\Program Files\Logitech\Vid HD\Vid.exe:*:Enabled:Logitech Vid HD -- (Logitech Inc.)
"C:\Program Files\Steam\steamapps\common\world of goo\WorldOfGoo.exe" = C:\Program Files\Steam\steamapps\common\world of goo\WorldOfGoo.exe:*:Enabled:World of Goo -- ()
"C:\Program Files\Electronic Arts\BioWare\Star Wars - The Old Republic\swtor\retailclient\swtor.exe" = C:\Program Files\Electronic Arts\BioWare\Star Wars - The Old Republic\swtor\retailclient\swtor.exe:*:Enabled:Star Wars - The Old Republic -- (BioWare, A Division of Electronic Arts)
"C:\Program Files\Electronic Arts\BioWare\Star Wars - The Old Republic\launcher.exe" = C:\Program Files\Electronic Arts\BioWare\Star Wars - The Old Republic\launcher.exe:*:Enabled:Star Wars - The Old Republic -- (BioWare)
"C:\Program Files\AVG\AVG2012\avgnsx.exe" = C:\Program Files\AVG\AVG2012\avgnsx.exe:*:Enabled:Online Shield -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG2012\avgdiagex.exe" = C:\Program Files\AVG\AVG2012\avgdiagex.exe:*:Enabled:AVG Diagnostics 2012 -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG2012\avgemcx.exe" = C:\Program Files\AVG\AVG2012\avgemcx.exe:*:Enabled:Personal E-mail Scanner -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\Steam\steamapps\common\worms reloaded\WormsReloaded.exe" = C:\Program Files\Steam\steamapps\common\worms reloaded\WormsReloaded.exe:*:Enabled:Worms Reloaded -- (Team17 Software Ltd.)
"C:\Program Files\Steam\steamapps\common\portal 2\portal2.exe" = C:\Program Files\Steam\steamapps\common\portal 2\portal2.exe:*:Enabled:Portal 2 -- ()
"C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe" = C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe:*:Enabled:WebKit -- (Apple Inc.)
"C:\Program Files\Steam\steamapps\common\the binding of isaac\Isaac.exe" = C:\Program Files\Steam\steamapps\common\the binding of isaac\Isaac.exe:*:Enabled:The Binding Of Isaac -- (Edmund Mcmillen & Florian Himsl )
"C:\Program Files\Steam\steamapps\common\machinarium\machinarium.exe" = C:\Program Files\Steam\steamapps\common\machinarium\machinarium.exe:*:Enabled:Machinarium -- (Adobe Systems, Inc.)
"C:\Program Files\Steam\steamapps\common\toki tori\tokitori.exe" = C:\Program Files\Steam\steamapps\common\toki tori\tokitori.exe:*:Enabled:Toki Tori -- (Two Tribes B.V.)
"C:\Program Files\Steam\steamapps\common\dungeon defenders\Binaries\Win32\DungeonDefenders.exe" = C:\Program Files\Steam\steamapps\common\dungeon defenders\Binaries\Win32\DungeonDefenders.exe:*:Enabled:Dungeon Defenders -- (Trendy Entertainment LLC)
"C:\Program Files\Steam\steamapps\common\Assassins Creed\AssassinsCreed_Game.exe" = C:\Program Files\Steam\steamapps\common\Assassins Creed\AssassinsCreed_Game.exe:*:Enabled:Assassin's Creed -- (Ubisoft)
"C:\Program Files\Steam\steamapps\common\monday night combat\Binaries\Win32\mnc.exe" = C:\Program Files\Steam\steamapps\common\monday night combat\Binaries\Win32\mnc.exe:*:Enabled:Monday Night Combat -- (Epic Games, Inc.)
"C:\Program Files\Steam\steamapps\common\pc gamer digital edition\Freakshow.exe" = C:\Program Files\Steam\steamapps\common\pc gamer digital edition\Freakshow.exe:*:Enabled:PC Gamer -- ()
"C:\Program Files\Steam\steamapps\common\lumines\lumines.exe" = C:\Program Files\Steam\steamapps\common\lumines\lumines.exe:*:Enabled:Lumines: Advanced Pack -- ()
"C:\Program Files\Ventrilo\Ventrilo.exe" = C:\Program Files\Ventrilo\Ventrilo.exe:*:Enabled:Ventrilo.exe -- (Flagship Industries, Inc.)
"C:\Program Files\Steam\steamapps\common\costume quest\Cq.exe" = C:\Program Files\Steam\steamapps\common\costume quest\Cq.exe:*:Enabled:Costume Quest -- (Double Fine Productions)
"C:\Program Files\Steam\steamapps\common\dungeon defenders\Binaries\Win32\DunDefGame.exe" = C:\Program Files\Steam\steamapps\common\dungeon defenders\Binaries\Win32\DunDefGame.exe:*:Enabled:DunDefGame -- (Trendy Entertainment LLC)
"C:\Program Files\Steam\steamapps\common\left 4 dead 2\left4dead2.exe" = C:\Program Files\Steam\steamapps\common\left 4 dead 2\left4dead2.exe:*:Enabled:Left 4 Dead 2 -- ()


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{033E378E-6AD3-4AD5-BDEB-CBD69B31046C}" = Microsoft_VC90_ATL_x86
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{08610298-29AE-445B-B37D-EFBE05802967}" = LWS Pictures And Video
"{08D2E121-7F6A-43EB-97FD-629B44903403}" = Microsoft_VC90_CRT_x86
"{0A0CADCF-78DA-33C4-A350-CD51849B9702}" = Microsoft .NET Framework 4 Extended
"{0D2DBE8A-43D0-7830-7AE7-CA6C99A832E7}" = Adobe Community Help
"{0F3647F8-E51D-4FCC-8862-9A8D0C5ACF25}" = Microsoft_VC80_ATL_x86
"{10A1D1C4-F0B0-4341-B49A-A9ED8FBDBF9D}" = Livestream Procaster
"{138A4072-9E64-46BD-B5F9-DB2BB395391F}" = LWS VideoEffects
"{140B5BC3-E263-397D-B1BB-C4095364FB6F}" = Catalyst Control Center InstallProxy
"{15634701-BACE-4449-8B25-1567DA8C9FD3}" = CameraHelperMsi
"{15FEDA5F-141C-4127-8D7E-B962D1742728}" = Adobe Photoshop CS5
"{1651216E-E7AD-4250-92A1-FB8ED61391C9}" = LWS Help_main
"{174A3B31-4C43-43DD-866F-73C9DB887B48}" = LWS Twitter
"{19A492A0-888F-44A0-9B21-D91700763F62}" = Catalyst Control Center - Branding
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{21DF0294-6B9D-4741-AB6F-B2ABFBD2387E}" = LWS YouTube Plugin
"{226b64e8-dc75-4eea-a6c8-abcb496320f2}-Google Talk" = Google Talk (remove only)
"{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java™ 6 Update 26
"{2BFC7AA0-544C-4E3A-8796-67F3BE655BE9}" = Microsoft XNA Framework Redistributable 4.0
"{343666E2-A059-48AC-AD67-230BF74E2DB2}" = Apple Application Support
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3686B63F-72CD-C0FB-1348-34DB78ADFC9C}" = CCC Help English
"{3A1B5D40-41E9-43FA-8C7B-A8667F5586EF}" = Gigabyte Raid Configurer
"{3B11D799-48E0-48ED-BFD7-EA655676D8BB}" = Star Wars: The Old Republic
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}" = erLT
"{3F5C371F-8EA2-4F25-9D3D-D0B4526E3AEA}" = NVIDIA PhysX
"{40AE01BE-A290-4FFB-8DAB-C624C17DC87E}" = Vegas Movie Studio HD Platinum 10.0
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{50316C0A-CC2A-460A-9EA5-F486E54AC17D}_is1" = AVG PC Tuneup 2011
"{58288FBC-C7E8-FE33-3009-199C219D3363}" = Catalyst Control Center Graphics Previews Common
"{5B363E1D-8C36-4458-BAE4-D5081999E094}" = Browser Configuration Utility
"{5F8E2CBB-949D-4175-AC98-5ADE7F6C9697}" = NCsoft Launcher
"{635FED5B-2C6D-49BE-87E6-7A6FCD22BC5A}" = Microsoft_VC90_MFC_x86
"{6F76EC3C-34B1-436E-97FB-48C58D7BEDCD}" = LWS Gallery
"{71E66D3F-A009-44AB-8784-75E2819BA4BA}" = LWS Motion Detection
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{789289CA-F73A-4A16-A331-54D498CE069F}" = Ventrilo Client
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{79155F2B-9895-49D7-8612-D92580E0DE5B}" = Bonjour
"{7BE15435-2D3E-4B58-867F-9C75BED0208C}" = QuickTime
"{7ED169D4-5053-4166-93DF-53B12AE6C539}" = Energy Saver Advance B9.0730.1
"{8153ED9A-C94A-426E-9880-5E6775C08B62}" = Apple Mobile Device Support
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{8398852A-7B61-4808-8F58-D0A40D1B2CB6}" = AVG 2012
"{83BEEFB4-8C28-4F4F-8A9D-E0D1ADCE335B}" = The Sims Medieval
"{83C8FA3C-F4EA-46C4-8392-D3CE353738D6}" = LWS Launcher
"{8937D274-C281-42E4-8CDB-A0B2DF979189}" = LWS Webcam Software
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8BBB5E4C-3F5E-4C07-BFBE-33B34600783A}" = LogMeIn Hamachi
"{8C0B406B-DF08-49EF-8702-FA45752C135F}" = Verizon Download Manager
"{92482FB3-C05B-41C6-89E7-75D985602A6E}" = System Requirements Lab
"{92606477-9366-4D3B-8AE3-6BE4B29727AB}" = League of Legends
"{92D58719-BBC1-4CC3-A08B-56C9E884CC2C}" = Microsoft_VC80_CRT_x86
"{980A182F-E0A2-4A40-94C1-AE0C1235902E}" = Pando Media Booster
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9DAEA76B-E50F-4272-A595-0124E826553D}" = LWS WLM Plugin
"{A25FF1C0-80B6-4B8B-A551-DC525697A408}" = AMD APP SDK Runtime
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A78FE97A-C0C8-49CE-89D0-EDD524A17392}" = PDF Settings CS5
"{A85AD707-781F-2B73-E134-38084AACB5D5}" = ATI AVIVO Codecs
"{AC76BA86-7AD7-1033-7B44-A94000000001}" = Adobe Reader 9.4.2
"{B6CF2967-C81E-40C0-9815-C05774FEF120}" = Skype Toolbars
"{B7DBF6E8-0D17-4BE4-853B-ACD6EFBD4A1F}" = iTunes
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C9BED750-1211-4480-B1A5-718A3BE15525}" = REALTEK GbE & FE Ethernet PCI-E NIC Driver
"{CCF13D13-A87B-34E8-B689-1896D0C2DBA2}" = Google Talk Plugin
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D0EC7B14-C363-8FCF-728E-A94144B31518}" = AMD Catalyst Install Manager
"{D1A19B02-817E-4296-A45B-07853FD74D57}" = Microsoft_VC80_MFC_x86
"{D40EB009-0499-459c-A8AF-C9C110766215}" = Logitech Webcam Software
"{D6F879CC-59D6-4D4B-AE9B-D761E48D25ED}" = Skype™ 5.3
"{D86F3EA6-93A3-D020-0D77-204AB1696067}" = ATI Problem Report Wizard
"{D92BBB52-82FF-42ED-8A3C-4E062F944AB7}" = Microsoft_VC80_MFCLOC_x86
"{D9E52CD1-9DF1-4A8A-9BDC-1E5E53982F2B}" = Black & White® 2
"{DE3A9DC5-9A5D-6485-9662-347162C7E4CA}" = Adobe Media Player
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{E171F5DA-6F17-472D-A223-92468142C5E8}" = AVG 2012
"{E3E71D07-CD27-46CB-8448-16D4FB29AA13}" = Microsoft WSE 3.0 Runtime
"{EED027B7-0DB6-404B-8F45-6DFEE34A0441}" = LWS Video Mask Maker
"{EFF5ECCC-20B9-68CE-A95A-A1500E4E0FF8}" = ccc-utility
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F48C6EA5-3B43-11D6-86A6-0050BA0259A2}" = ICatch (VI) PC Camera
"{F8131A35-47FD-27AD-116D-0E79AF5DE5EE}" = Acrobat.com
"{F85E4782-5B90-4845-9D7D-D11DE2F5EA5E}" = HydraVision
"{FA798C4A-FE41-AE67-932F-F00CDAAA7723}" = Catalyst Control Center
"{FF167195-9EE4-46C0-8CD7-FBA3457E88AB}" = LWS Facebook
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"Ad-Aware" = Ad-Aware
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"APB Reloaded" = APB Reloaded
"AVG" = AVG 2012
"BitTorrent" = BitTorrent
"CCleaner" = CCleaner
"chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Adobe Community Help
"com.adobe.amp.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Adobe Media Player
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"Combined Community Codec Pack_is1" = Combined Community Codec Pack 2009-09-09
"dBpoweramp Music Converter" = dBpoweramp Music Converter
"EVE" = EVE Online (remove only)
"Fallout New Vegas_is1" = Fallout New Vegas
"GamersFirst LIVE!" = GamersFirst LIVE!
"lnasqishcnsor" = Advanced Performance Platform Revenuestreaming.
"Logitech Vid" = Logitech Vid HD
"LogMeIn Hamachi" = LogMeIn Hamachi
"lvdrivers_12.10" = Logitech Webcam Software Driver Package
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.60.0.1800
"McAfee Security Scan" = McAfee Security Scan Plus
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
"Mozilla Firefox 9.0.1 (x86 en-US)" = Mozilla Firefox 9.0.1 (x86 en-US)
"Octodad" = Octodad
"PowerISO" = PowerISO
"PunkBusterSvc" = PunkBuster Services
"Speccy" = Speccy
"Steam App 105600" = Terraria
"Steam App 113200" = The Binding Of Isaac
"Steam App 115100" = Costume Quest
"Steam App 11900" = Lumines
"Steam App 11920" = Lumines: Advanced Pack
"Steam App 15100" = Assassin's Creed
"Steam App 200130" = Puzzler World 2
"Steam App 22000" = World of Goo
"Steam App 22600" = Worms Reloaded
"Steam App 34270" = SEGA Genesis & Mega Drive Classics
"Steam App 3590" = Plants vs. Zombies: Game of the Year
"Steam App 38700" = Toki Tori
"Steam App 38830" = Crimecraft: BLEEDOUT
"Steam App 400" = Portal
"Steam App 40700" = Machinarium
"Steam App 440" = Team Fortress 2
"Steam App 500" = Left 4 Dead
"Steam App 520" = Team Fortress 2 Beta
"Steam App 550" = Left 4 Dead 2
"Steam App 620" = Portal 2
"Steam App 63200" = Monday Night Combat
"Steam App 65080" = Kaptain Brawe
"Steam App 65800" = Dungeon Defenders
"Steam App 92500" = PC Gamer
"Steam App 99900" = Spiral Knights
"SUPER ©" = SUPER © Version 2010.bld.38 (May 2, 2010)
"Verizon High Speed Internet_is1" = Verizon High Speed Internet
"Warhammer Online - Age of Reckoning" = Warhammer Online - Age of Reckoning
"Windows Essentials Media Codec Pack" = Windows Essentials Media Codec Pack 2.2
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"World of Warcraft" = World of Warcraft
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-602162358-162531612-1417001333-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"NCsoft-Aion" = Aion

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 1/27/2012 2:52:51 PM | Computer Name = ECKABEB | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 35678468

Error - 1/27/2012 2:52:54 PM | Computer Name = ECKABEB | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 1/27/2012 2:52:54 PM | Computer Name = ECKABEB | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 35680562

Error - 1/27/2012 2:52:54 PM | Computer Name = ECKABEB | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 35680562

Error - 1/27/2012 2:52:56 PM | Computer Name = ECKABEB | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 1/27/2012 2:52:56 PM | Computer Name = ECKABEB | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 35682703

Error - 1/27/2012 2:52:56 PM | Computer Name = ECKABEB | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 35682703

Error - 1/27/2012 2:52:58 PM | Computer Name = ECKABEB | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 1/27/2012 2:52:58 PM | Computer Name = ECKABEB | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 35684796

Error - 1/27/2012 2:52:58 PM | Computer Name = ECKABEB | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 35684796

[ System Events ]
Error - 1/27/2012 3:38:51 AM | Computer Name = ECKABEB | Source = Service Control Manager | ID = 7024
Description = The Workstation service terminated with service-specific error 2250
(0x8CA).

Error - 1/27/2012 3:38:51 AM | Computer Name = ECKABEB | Source = Service Control Manager | ID = 7001
Description = The Computer Browser service depends on the Workstation service which
failed to start because of the following error: %%1066

Error - 1/27/2012 3:40:05 AM | Computer Name = ECKABEB | Source = Workstation | ID = 5727
Description = Could not load RDR device driver.

Error - 1/27/2012 3:40:05 AM | Computer Name = ECKABEB | Source = Service Control Manager | ID = 7024
Description = The Workstation service terminated with service-specific error 2250
(0x8CA).

Error - 1/27/2012 3:40:05 AM | Computer Name = ECKABEB | Source = Service Control Manager | ID = 7001
Description = The Computer Browser service depends on the Workstation service which
failed to start because of the following error: %%1066

Error - 1/27/2012 4:14:27 AM | Computer Name = ECKABEB | Source = Service Control Manager | ID = 7034
Description = The Windows Audio service terminated unexpectedly. It has done this
1 time(s).

Error - 1/27/2012 4:15:10 AM | Computer Name = ECKABEB | Source = Service Control Manager | ID = 7032
Description = The Service Control Manager tried to take a corrective action (Restart
the service) after the unexpected termination of the Windows Management Instrumentation
service, but this action failed with the following error: %%1056

Error - 1/27/2012 2:52:31 PM | Computer Name = ECKABEB | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the stisvc service.

Error - 1/27/2012 3:34:37 PM | Computer Name = ECKABEB | Source = Service Control Manager | ID = 7032
Description = The Service Control Manager tried to take a corrective action (Restart
the service) after the unexpected termination of the Windows Management Instrumentation
service, but this action failed with the following error: %%1056

Error - 1/27/2012 4:12:08 PM | Computer Name = ECKABEB | Source = Service Control Manager | ID = 7032
Description = The Service Control Manager tried to take a corrective action (Restart
the service) after the unexpected termination of the Windows Management Instrumentation
service, but this action failed with the following error: %%1056


< End of report >

5. My computer is not running any differently thus far. Still have cookie warnings popping up and google sites take triple-loading to work, then their links get redirected. Hope all this helps!

#4 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Antarctica
  • Local time:04:28 AM

Posted 28 January 2012 - 02:28 AM

Hi Eckabeb!

Not a problem! Glad to be able to help you out!!

It looks like TDSSKiller did find a threat, and I'd like to have you remove that now.

Please re-open TDSSKiller and run a scan.

I'd like to have you cure this item below:

14:06:41.0890 4556 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - skipped by user
14:06:41.0890 4556 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - User select action: Skip

Please only cure the threat that's detected as Rootkit.Boot.Pihar.b and leave the other threats at SKIP.

OTL Fix

We need to run an OTL Fix

Note: If you have Malwarebytes 1.6 or higher installed please disable it for the duration of this fix as it may interfere with the successfully execution of the script below.

  • Please reopen Posted Image on your desktop.
  • Copy and Paste the following code into the Posted Image textbox.
    :Services
    :Processes
    :OTL
    IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
    IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
    IE - HKU\S-1-5-21-602162358-162531612-1417001333-1003\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
    FF - prefs.js..network.proxy.http: "127.0.0.1"
    FF - prefs.js..network.proxy.http_port: 50370
    FF - prefs.js..network.proxy.type: 4
    O1 - Hosts: 94.63.240.131	www.google.com
    O1 - Hosts: 94.63.240.132	www.bing.com
    O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
    O3 - HKU\S-1-5-21-602162358-162531612-1417001333-1003\..\Toolbar\ShellBrowser: (no name) - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No CLSID value found.
    O3 - HKU\S-1-5-21-602162358-162531612-1417001333-1003\..\Toolbar\WebBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
    O3 - HKU\S-1-5-21-602162358-162531612-1417001333-1003\..\Toolbar\WebBrowser: (no name) - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No CLSID value found.
    O4 - HKU\S-1-5-21-602162358-162531612-1417001333-1003..\Run: [PlayNC Launcher] File not found
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
    O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    O33 - MountPoints2\{c1518a9e-2b88-11e1-910d-806d6172696f}\Shell - "" = AutoRun
    O33 - MountPoints2\{c1518a9e-2b88-11e1-910d-806d6172696f}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{c1518a9e-2b88-11e1-910d-806d6172696f}\Shell\AutoRun\command - "" = D:\setup.exe
    [2012/01/27 01:36:31 | 000,000,308 | -HS- | M] () -- C:\WINDOWS\tasks\OJFQS.job
    [2011/03/07 14:01:05 | 000,050,168 | ---- | C] () -- C:\WINDOWS\System32\lnasqishcnsor.exe
    [2011/03/02 22:45:17 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Tmabadodexadape.dat
    [2011/03/02 22:45:17 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Yjuhi.bin
    @Alternate Data Stream - 146 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0B4227B4
    
    :Reg
    
    :Files
    net start Dhcp /c
    net start sharedaccess /c
    net start netman /c
    net start wscsvc /c
    echo,Y|cacls "%WinDir%\system32\drivers\etc\hosts" /G everyone:f /c
    ipconfig /flushdns /c
    :Commands
    [purity]
    [resethosts]
    [CreateRestorePoint]
    [emptytemp]
    [EMPTYFLASH]
    [EMPTYJAVA]
    
  • Push Posted Image
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click the OK button.
  • A report will open. Copy and Paste that report in your next reply.
  • If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.


NEXT:



Running ComboFix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon.
They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks
    Posted Image
    Posted Image
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please make sure you include the ComboFix log in your next reply as well as describe how your computer is running now


NEXT:



Please provide me with an update on how things are running in your next reply.

Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#5 Eckabeb

Eckabeb
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:03:28 AM

Posted 28 January 2012 - 08:31 PM

TDSSkiller had me restart. OTL had me restart and the notepad info came up on it's own. :D ComboFix had me restart; before that it gave me the message "You are infected with Rootkit.ZeroAccess! It has inserted itself into the tcp/ip stack. This is a particularly difficult infection.", but I think we knew that already about the rootkit?


OTL Fix

All processes killed
========== SERVICES/DRIVERS ==========
========== PROCESSES ==========
========== OTL ==========
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\URLSearchHooks\\{A3BC75A2-1F87-4686-AA43-5347D756017C} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A3BC75A2-1F87-4686-AA43-5347D756017C}\ not found.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\URLSearchHooks\\{A3BC75A2-1F87-4686-AA43-5347D756017C} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A3BC75A2-1F87-4686-AA43-5347D756017C}\ not found.
Registry value HKEY_USERS\S-1-5-21-602162358-162531612-1417001333-1003\Software\Microsoft\Internet Explorer\URLSearchHooks\\{A3BC75A2-1F87-4686-AA43-5347D756017C} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A3BC75A2-1F87-4686-AA43-5347D756017C}\ not found.
Prefs.js: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20 removed from extensions.enabledItems
Prefs.js: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24 removed from extensions.enabledItems
Prefs.js: "127.0.0.1" removed from network.proxy.http
Prefs.js: 50370 removed from network.proxy.http_port
Prefs.js: 4 removed from network.proxy.type
94.63.240.131 www.google.com removed from HOSTS file successfully
94.63.240.132 www.bing.com removed from HOSTS file successfully
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{CCC7A320-B3CA-4199-B1A6-9F516DD69829} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}\ not found.
Registry value HKEY_USERS\S-1-5-21-602162358-162531612-1417001333-1003\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}\ deleted successfully.
Registry value HKEY_USERS\S-1-5-21-602162358-162531612-1417001333-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{CCC7A320-B3CA-4199-B1A6-9F516DD69829} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}\ not found.
Registry value HKEY_USERS\S-1-5-21-602162358-162531612-1417001333-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}\ not found.
Registry value HKEY_USERS\S-1-5-21-602162358-162531612-1417001333-1003\Software\Microsoft\Windows\CurrentVersion\Run\\PlayNC Launcher deleted successfully.
Starting removal of ActiveX control {8AD9C840-044E-11D1-B3E9-00805F499D93}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
C:\WINDOWS\Downloaded Program Files\gp.inf not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c1518a9e-2b88-11e1-910d-806d6172696f}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c1518a9e-2b88-11e1-910d-806d6172696f}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c1518a9e-2b88-11e1-910d-806d6172696f}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c1518a9e-2b88-11e1-910d-806d6172696f}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c1518a9e-2b88-11e1-910d-806d6172696f}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c1518a9e-2b88-11e1-910d-806d6172696f}\ not found.
File D:\setup.exe not found.
C:\WINDOWS\tasks\OJFQS.job moved successfully.
C:\WINDOWS\system32\lnasqishcnsor.exe moved successfully.
C:\WINDOWS\Tmabadodexadape.dat moved successfully.
C:\WINDOWS\Yjuhi.bin moved successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:0B4227B4 deleted successfully.
========== REGISTRY ==========
========== FILES ==========
< net start Dhcp /c >
C:\Documents and Settings\Ecky\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Ecky\Desktop\cmd.txt deleted successfully.
< net start sharedaccess /c >
C:\Documents and Settings\Ecky\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Ecky\Desktop\cmd.txt deleted successfully.
< net start netman /c >
C:\Documents and Settings\Ecky\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Ecky\Desktop\cmd.txt deleted successfully.
< net start wscsvc /c >
C:\Documents and Settings\Ecky\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Ecky\Desktop\cmd.txt deleted successfully.
< echo,Y|cacls "%WinDir%\system32\drivers\etc\hosts" /G everyone:f /c >
Are you sure (Y/N)?processed file: C:\WINDOWS\system32\drivers\etc\hosts
C:\Documents and Settings\Ecky\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Ecky\Desktop\cmd.txt deleted successfully.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\Ecky\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Ecky\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
Restore point Set: OTL Restore Point (0)

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Ecky
->Temp folder emptied: 29222037 bytes
->Temporary Internet Files folder emptied: 533875 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 107622760 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 3669 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 13838383 bytes
->Java cache emptied: 26 bytes
->Flash cache emptied: 18174 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 30715901 bytes
->Java cache emptied: 62 bytes
->FireFox cache emptied: 43751846 bytes
->Flash cache emptied: 14888 bytes

User: unlock

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 384878643 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 582.00 mb


[EMPTYFLASH]

User: Administrator
->Flash cache emptied: 0 bytes

User: All Users

User: Default User
->Flash cache emptied: 0 bytes

User: Ecky
->Flash cache emptied: 0 bytes

User: LocalService
->Flash cache emptied: 0 bytes

User: NetworkService
->Flash cache emptied: 0 bytes

User: unlock

Total Flash Files Cleaned = 0.00 mb


[EMPTYJAVA]

User: Administrator

User: All Users

User: Default User

User: Ecky
->Java cache emptied: 0 bytes

User: LocalService
->Java cache emptied: 0 bytes

User: NetworkService
->Java cache emptied: 0 bytes

User: unlock

Total Java Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.31.0 log created on 01282012_173040

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

COMBOFIX LOG

CombFix had me restart (as I stated above), but I can't find the log for the scan for the life of me. D:

My computer seems to be opening webpages at normal speed again. Also, I can now use Google sites/applications and click on the links Google provides without being redirected. Also, the SVC.HOST that was giving me problems before is finally back at a stable 66k. :D This is definitely a step up. :D

Edited by Eckabeb, 28 January 2012 - 10:25 PM.


#6 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Antarctica
  • Local time:04:28 AM

Posted 29 January 2012 - 04:52 AM

Hi!

but I think we knew that already about the rootkit?

hehe. Yes, we did know that! :)

Can you try and see if the ComboFix log is located in your C:\ drive with the name ComboFix.txt

If not, please re-run ComboFix and see if you can post that log file for me.

Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#7 Eckabeb

Eckabeb
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:03:28 AM

Posted 29 January 2012 - 10:10 PM

M'kay, a couple of restarts later while running ComboFix and I have your log. :) I think I didn't have the log before because my AVG would run again on the restarts. Un-installed AVG for now.

COMBOFIX.TXT

ComboFix 12-01-29.02 - Ecky 01/29/2012 20:37:41.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1613 [GMT -6:00]
Running from: c:\documents and settings\Ecky\Desktop\ComboFix.exe
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\Tarma Installer
c:\documents and settings\All Users\Application Data\Tarma Installer\{2E1037EA-038A-425F-86B9-6CD19B8497E9}\_Setup.dll
c:\documents and settings\All Users\Application Data\Tarma Installer\{2E1037EA-038A-425F-86B9-6CD19B8497E9}\_Setupx.dll
c:\documents and settings\All Users\Application Data\Tarma Installer\{2E1037EA-038A-425F-86B9-6CD19B8497E9}\Setup.dat
c:\documents and settings\All Users\Application Data\Tarma Installer\{2E1037EA-038A-425F-86B9-6CD19B8497E9}\Setup.exe
c:\documents and settings\All Users\Application Data\Tarma Installer\{2E1037EA-038A-425F-86B9-6CD19B8497E9}\Setup.ico
c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setup.dll
c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.dat
c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.exe
c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.ico
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Ecky\Local Settings\Application Data\.#
c:\documents and settings\Ecky\Local Settings\Application Data\.#\MBX@834@383E98.###
c:\documents and settings\Ecky\Local Settings\Application Data\assembly\tmp
c:\documents and settings\unlock\wrar380.exe
C:\install.exe
c:\windows\system32\Cache
c:\windows\system32\Cache\272512937d9e61a4.fb
c:\windows\system32\Cache\287204568329e189.fb
c:\windows\system32\Cache\28bc8f716fd76a47.fb
c:\windows\system32\Cache\2c53092c95605355.fb
c:\windows\system32\Cache\3917078cb68ec657.fb
c:\windows\system32\Cache\3a0e83a17bf637eb.fb
c:\windows\system32\Cache\590ba23ce359fd0c.fb
c:\windows\system32\Cache\610289e025a3ee9a.fb
c:\windows\system32\Cache\651c5d3cdbfb8bd1.fb
c:\windows\system32\Cache\6c59ac5e7e7a3ad0.fb
c:\windows\system32\Cache\828f5d5a5843e3f3.fb
c:\windows\system32\Cache\a8556537add6dfc5.fb
c:\windows\system32\Cache\ad10a52aff5e038d.fb
c:\windows\system32\Cache\c4d28dca2e7648be.fb
c:\windows\system32\Cache\d201ef9910cd39de.fb
c:\windows\system32\Cache\d2e94710a5708128.fb
c:\windows\system32\Cache\d79b9dfe81484ec4.fb
c:\windows\system32\Cache\e0de16f883bea794.fb
c:\windows\system32\drivers\etc\hosts.ics
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_NPF
.
.
((((((((((((((((((((((((( Files Created from 2011-12-28 to 2012-01-30 )))))))))))))))))))))))))))))))
.
.
2012-01-28 23:30 . 2012-01-28 23:30 -------- d-----w- C:\_OTL
2012-01-26 18:59 . 2012-01-26 18:59 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Mozilla
2012-01-25 09:40 . 2012-01-25 09:40 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2012-01-25 08:54 . 2012-01-25 08:54 -------- d-----w- c:\program files\CCleaner
2012-01-24 06:14 . 2012-01-26 06:21 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{83C3B2FD-37EA-4C06-A228-E9B5E32FF0B1}
2012-01-22 09:25 . 2012-01-22 09:25 -------- d-s---w- c:\documents and settings\LocalService\UserData
2012-01-22 09:20 . 2012-01-22 09:20 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2012-01-21 20:49 . 2012-01-21 20:49 626688 ----a-w- c:\program files\Mozilla Firefox\msvcr80.dll
2012-01-21 20:49 . 2012-01-21 20:49 548864 ----a-w- c:\program files\Mozilla Firefox\msvcp80.dll
2012-01-21 20:49 . 2012-01-21 20:49 479232 ----a-w- c:\program files\Mozilla Firefox\msvcm80.dll
2012-01-21 20:49 . 2012-01-21 20:49 43992 ----a-w- c:\program files\Mozilla Firefox\mozutils.dll
2012-01-21 20:26 . 2012-01-21 20:26 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2012-01-07 01:20 . 2012-01-07 01:20 -------- d-----w- c:\program files\Ventrilo
2012-01-06 01:17 . 2012-01-06 01:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Valve
2012-01-04 06:23 . 2012-01-04 06:23 -------- d-----w- c:\documents and settings\Ecky\Local Settings\Application Data\Logitech® Webcam Software
2012-01-04 06:16 . 2012-01-04 06:16 -------- d-----w- C:\My Games
2012-01-04 06:15 . 2012-01-04 06:15 -------- d-----w- c:\program files\NVIDIA Corporation
2012-01-03 01:37 . 2012-01-03 01:37 -------- d-----w- c:\documents and settings\Ecky\Application Data\Doublefine
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-30 02:55 . 2010-03-23 03:56 17488 ----a-w- c:\windows\gdrv.sys
2011-12-21 04:06 . 2011-05-22 03:57 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-10 21:24 . 2011-03-14 19:41 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-21 08:25 . 2011-11-21 08:26 6908648 ----a-w- c:\windows\system32\SpoonUninstall.exe
2012-01-21 20:49 . 2011-05-07 17:05 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2006-05-03 09:06 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 10:47 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 12:30 216064 --sh--r- c:\windows\system32\nbDX.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2009-09-20 . 68F06FE0021B01E670AF37B8C5964FDF . 361344 . . [5.1.2600.5512] . . c:\windows\system32\drivers\tcpip.sys
.
[-] 2009-09-20 . AB9E8F44D2F80A8060BEFB29192F4249 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\Steam\steam.exe" [2011-08-02 1242448]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCU"="c:\program files\DeviceVM\Browser Configuration Utility\BCU.exe" [2009-08-04 346320]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-09-08 98304]
"LogMeIn Hamachi Ui"="c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe" [2011-08-15 1955208]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
"WTClient"="WTClient.exe" [2009-10-30 32768]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-08 421736]
"LWS"="c:\program files\Logitech\LWS\Webcam Software\LWS.exe" [2011-08-12 205336]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2008-04-14 99840]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
backup=c:\windows\pss\McAfee Security Scan Plus.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\36X Raid Configurer]
2007-11-19 19:28 1966080 ------r- c:\windows\system32\xRaidSetup.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-03 07:37 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-01-31 08:44 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeAAMUpdater-1.0]
2010-03-06 09:44 500208 ------w- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS5ServiceManager]
2010-02-22 10:57 406992 ----a-w- c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCU]
2009-08-04 23:29 346320 ----a-w- c:\program files\DeviceVM\Browser Configuration Utility\BCU.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2011-05-27 19:32 136176 ----atw- c:\documents and settings\Ecky\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2007-01-01 21:22 3739648 ----a-w- c:\program files\Google\Google Talk\googletalk.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-12-08 07:36 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JMB36X IDE Setup]
2007-03-20 22:36 36864 ------r- c:\windows\RaidTool\xInsIDE.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Vid]
2011-01-13 02:01 6129496 ----a-w- c:\program files\Logitech\Vid HD\Vid.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn Hamachi Ui]
2011-08-15 22:18 1955208 ----a-w- c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LWS]
2011-08-12 18:18 205336 ----a-w- c:\program files\Logitech\LWS\Webcam Software\LWS.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Media Codec Update Service]
2009-01-25 18:17 196608 ----a-w- c:\program files\Essentials Codec Pack\WECPUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-10-24 20:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2009-06-25 06:07 17887232 ----a-w- c:\windows\RTHDCPL.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2011-06-15 20:02 15141768 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2011-09-08 18:12 98304 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-04-08 17:59 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SwitchBoard]
2010-02-19 19:37 517096 ----a-w- c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VERIZONDM]
2010-09-29 11:59 206120 ----a-w- c:\program files\VERIZONDM\bin\sprtcmd.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Documents and Settings\\Ecky\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Ecky\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Documents and Settings\\Ecky\\Desktop\\Folder for Folders\\World of Warcraft\\Launcher.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Steam\\steamapps\\eckabeb\\team fortress 2\\hl2.exe"=
"c:\\Documents and Settings\\Ecky\\Desktop\\Folder for Folders\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\CCP\\EVE\\bin\\ExeFile.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\terraria\\TerrariaServer.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\crimecraft\\Binaries\\CrimeCraft.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\plants vs zombies\\PlantsVsZombies.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\crimecraft\\SteamLauncher.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\spiral knights\\java_vm\\bin\\javaw.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\sega classics\\SEGAGenesisClassics.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\GamersFirst\\APB Reloaded\\Binaries\\APB.exe"=
"c:\\Program Files\\GamersFirst\\APB Reloaded\\Binaries\\VivoxVoiceService.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\kaptain brawe\\brawe.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\amd driver updater, xp, 32 bit\\Setup.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Logitech\\Vid HD\\Vid.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\world of goo\\WorldOfGoo.exe"=
"c:\\Program Files\\Electronic Arts\\BioWare\\Star Wars - The Old Republic\\swtor\\retailclient\\swtor.exe"=
"c:\\Program Files\\Electronic Arts\\BioWare\\Star Wars - The Old Republic\\launcher.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\worms reloaded\\WormsReloaded.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\portal 2\\portal2.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\the binding of isaac\\Isaac.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\machinarium\\machinarium.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\toki tori\\tokitori.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\dungeon defenders\\Binaries\\Win32\\DungeonDefenders.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\Assassins Creed\\AssassinsCreed_Game.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\monday night combat\\Binaries\\Win32\\mnc.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\pc gamer digital edition\\Freakshow.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\lumines\\lumines.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\costume quest\\Cq.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\dungeon defenders\\Binaries\\Win32\\DunDefGame.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead 2\\left4dead2.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"57695:TCP"= 57695:TCP:Pando Media Booster
"57695:UDP"= 57695:UDP:Pando Media Booster
"4530:TCP"= 4530:TCP:Akamai NetSession Interface
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/14/2011 3:30 PM 64512]
R2 BCUService;Browser Configuration Utility Service;c:\program files\DeviceVM\Browser Configuration Utility\BCUService.exe [3/23/2010 11:44 AM 219360]
R2 GEST Service;GEST Service for program management.;c:\program files\GIGABYTE\EnergySaver\GSvr.exe [3/23/2010 11:44 AM 68136]
R2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [8/15/2011 4:18 PM 1361288]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/14/2011 2:01 AM 2152152]
R2 sprtsvc_verizondm;SupportSoft Sprocket Service (verizondm);c:\program files\VERIZONDM\bin\sprtsvc.exe [9/29/2010 6:00 AM 206120]
R2 tgsrvc_verizondm;SupportSoft Repair Service (verizondm);c:\program files\VERIZONDM\bin\tgsrvc.exe [9/29/2010 6:00 AM 185640]
R2 UMVPFSrv;UMVPFSrv;c:\program files\Common Files\LogiShrd\LVMVFM\UMVPFSrv.exe [3/31/2011 11:11 PM 450848]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [3/23/2010 11:47 AM 1684736]
S3 BCMH43XX;Broadcom 802.11 USB Network Adapter Driver;c:\windows\system32\DRIVERS\bcmwlhigh5.sys --> c:\windows\system32\DRIVERS\bcmwlhigh5.sys [?]
S3 cpuz135;cpuz135;\??\c:\docume~1\Ecky\LOCALS~1\Temp\cpuz135\cpuz135_x32.sys --> c:\docume~1\Ecky\LOCALS~1\Temp\cpuz135\cpuz135_x32.sys [?]
S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\EagleXNt.sys --> c:\windows\system32\drivers\EagleXNt.sys [?]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 6:49 AM 227232]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 1:37 PM 517096]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-30 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-03-14 07:40]
.
2012-01-28 c:\windows\Tasks\AdobeAAMUpdater-1.0-HEATHER-Ecky.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2010-11-16 09:44]
.
2012-01-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2012-01-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-602162358-162531612-1417001333-1003Core.job
- c:\documents and settings\Ecky\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-28 19:32]
.
2012-01-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-602162358-162531612-1417001333-1003UA.job
- c:\documents and settings\Ecky\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-28 19:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com/?o=13170&l=dis
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\Ecky\Application Data\Mozilla\Firefox\Profiles\3v9eamco.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - user.js: extentions.y2layers.installId - e2f01f55-4826-42dc-8aa5-cff118b37b1c
FF - user.js: extentions.y2layers.defaultEnableAppsList - BestVideoDownloader,BestVideoDownloader,
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-ROC_roc_dec12 - c:\program files\AVG Secure Search\ROC_roc_dec12.exe
MSConfigStartUp-AVG_TRAY - c:\program files\AVG\AVG10\avgtray.exe
AddRemove-lnasqishcnsor - c:\windows\system32\lnasqishcnsor.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-29 20:56
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1232)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
c:\windows\System32\dimsntfy.dll
.
- - - - - - - > 'explorer.exe'(404)
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\windows\System32\Drivers\WTSRV.EXE
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
c:\windows\system32\WTClient.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Logitech\LWS\Webcam Software\CameraHelperShell.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2012-01-29 21:04:58 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-30 03:04
.
Pre-Run: 390,103,134,208 bytes free
Post-Run: 389,995,380,736 bytes free
.
- - End Of File - - 23B19E5D2B0930023551573C6E5FA1D2

#8 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Antarctica
  • Local time:04:28 AM

Posted 30 January 2012 - 05:10 AM

Hi Eckabeb!

M'kay, a couple of restarts later while running ComboFix and I have your log. I think I didn't have the log before because my AVG would run again on the restarts. Un-installed AVG for now.

Okay.

I apologize if I've asked you this already, but do you happen to have your Windows XP disc? We may need to utilize it to grab a few files from it.

ComboFix Script
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

KillAll::
File::
ClearJavaCache::
DirLook::
c:\documents and settings\NetworkService\UserData

SRPeek::
c:\windows\system32\drivers\tcpip.sys
c:\windows\system32\sfcfiles.dll

Firefox::
FF - ProfilePath - c:\documents and settings\Ecky\Application Data\Mozilla\Firefox\Profiles\3v9eamco.default\
FF - user.js: extentions.y2layers.installId - e2f01f55-4826-42dc-8aa5-cff118b37b1c
FF - user.js: extentions.y2layers.defaultEnableAppsList - BestVideoDownloader,BestVideoDownloader,

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"


Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. If ComboFix prompts you to update to the newest version, please allow it to do so. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#9 Eckabeb

Eckabeb
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:03:28 AM

Posted 30 January 2012 - 02:03 PM

ComboFix restarted my pc twice before giving the log. Also, when I opened Firefox, a new tab opened to http://www.yontoo.com/InstallYontooSuccess.aspx?App=Yontoo&Source=Y2-FF-THIN&FFGuid=56527B25-4DC4-7039-C6E4-C74E5F5DF17F. I don't know what this is, but it says it installed "Yontoo"? I never noticed anything installing though. :( Also, I do not have my Windows XP cd still (maybe in the attic), but I can get my hands on one if we really need to. One more thing, how's Antartica? ;p

New ComboFix Log

ComboFix 12-01-30.02 - Ecky 01/30/2012 12:33:27.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1617 [GMT -6:00]
Running from: c:\documents and settings\Ecky\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ecky\Desktop\CFScript.txt
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
.
((((((((((((((((((((((((( Files Created from 2011-12-28 to 2012-01-30 )))))))))))))))))))))))))))))))
.
.
2012-01-28 23:30 . 2012-01-28 23:30 -------- d-----w- C:\_OTL
2012-01-26 18:59 . 2012-01-26 18:59 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Mozilla
2012-01-25 09:40 . 2012-01-25 09:40 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2012-01-25 08:54 . 2012-01-25 08:54 -------- d-----w- c:\program files\CCleaner
2012-01-24 06:14 . 2012-01-26 06:21 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{83C3B2FD-37EA-4C06-A228-E9B5E32FF0B1}
2012-01-22 09:25 . 2012-01-22 09:25 -------- d-s---w- c:\documents and settings\LocalService\UserData
2012-01-22 09:20 . 2012-01-22 09:20 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2012-01-21 20:49 . 2012-01-21 20:49 626688 ----a-w- c:\program files\Mozilla Firefox\msvcr80.dll
2012-01-21 20:49 . 2012-01-21 20:49 548864 ----a-w- c:\program files\Mozilla Firefox\msvcp80.dll
2012-01-21 20:49 . 2012-01-21 20:49 479232 ----a-w- c:\program files\Mozilla Firefox\msvcm80.dll
2012-01-21 20:49 . 2012-01-21 20:49 43992 ----a-w- c:\program files\Mozilla Firefox\mozutils.dll
2012-01-21 20:26 . 2012-01-21 20:26 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2012-01-07 01:20 . 2012-01-07 01:20 -------- d-----w- c:\program files\Ventrilo
2012-01-06 01:17 . 2012-01-06 01:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Valve
2012-01-04 06:23 . 2012-01-04 06:23 -------- d-----w- c:\documents and settings\Ecky\Local Settings\Application Data\Logitech® Webcam Software
2012-01-04 06:16 . 2012-01-04 06:16 -------- d-----w- C:\My Games
2012-01-04 06:15 . 2012-01-04 06:15 -------- d-----w- c:\program files\NVIDIA Corporation
2012-01-03 01:37 . 2012-01-03 01:37 -------- d-----w- c:\documents and settings\Ecky\Application Data\Doublefine
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-30 18:48 . 2010-03-23 03:56 17488 ----a-w- c:\windows\gdrv.sys
2011-12-21 04:06 . 2011-05-22 03:57 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-10 21:24 . 2011-03-14 19:41 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-21 08:25 . 2011-11-21 08:26 6908648 ----a-w- c:\windows\system32\SpoonUninstall.exe
2012-01-21 20:49 . 2011-05-07 17:05 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2006-05-03 09:06 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 10:47 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 12:30 216064 --sh--r- c:\windows\system32\nbDX.dll
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\NetworkService\UserData ----
.
2012-01-28 05:29 . 2012-01-28 05:30 2214 ----a-w- c:\documents and settings\NetworkService\UserData\HANH9Q8M\meebo[10].xml
2012-01-28 05:28 . 2012-01-28 05:28 90 ----a-w- c:\documents and settings\NetworkService\UserData\H5SQCR9R\meebo[3].xml
2012-01-27 08:06 . 2012-01-27 08:06 1786 ----a-w- c:\documents and settings\NetworkService\UserData\HANH9Q8M\meebo[11].xml
2012-01-27 07:44 . 2012-01-27 07:45 814 ----a-w- c:\documents and settings\NetworkService\UserData\FUHKX7V7\meebo[10].xml
2012-01-27 07:43 . 2012-01-27 07:45 808 ----a-w- c:\documents and settings\NetworkService\UserData\FUHKX7V7\meebo[11].xml
2012-01-26 19:27 . 2012-01-26 19:27 62 ----a-w- c:\documents and settings\NetworkService\UserData\H5SQCR9R\oXMLStore[1].xml
2012-01-26 19:11 . 2012-01-26 19:12 90 ----a-w- c:\documents and settings\NetworkService\UserData\U6ZPLBXF\meebo[9].xml
2012-01-26 19:11 . 2012-01-26 19:11 90 ----a-w- c:\documents and settings\NetworkService\UserData\H5SQCR9R\meebo[1].xml
2012-01-25 09:51 . 2012-01-25 09:52 808 ----a-w- c:\documents and settings\NetworkService\UserData\HANH9Q8M\meebo[6].xml
2012-01-25 09:50 . 2012-01-25 09:51 808 ----a-w- c:\documents and settings\NetworkService\UserData\FUHKX7V7\meebo[4].xml
2012-01-25 09:18 . 2012-01-25 09:18 808 ----a-w- c:\documents and settings\NetworkService\UserData\U6ZPLBXF\meebo[4].xml
2012-01-25 09:08 . 2012-01-25 09:08 90 ----a-w- c:\documents and settings\NetworkService\UserData\FUHKX7V7\meebo[5].xml
2012-01-25 09:07 . 2012-01-25 09:07 90 ----a-w- c:\documents and settings\NetworkService\UserData\FUHKX7V7\meebo[1].xml
2012-01-24 23:19 . 2012-01-24 23:19 90 ----a-w- c:\documents and settings\NetworkService\UserData\FUHKX7V7\meebo[9].xml
2012-01-24 23:15 . 2012-01-24 23:15 90 ----a-w- c:\documents and settings\NetworkService\UserData\U6ZPLBXF\meebo[8].xml
2012-01-24 22:06 . 2012-01-24 22:06 90 ----a-w- c:\documents and settings\NetworkService\UserData\H5SQCR9R\meebo[8].xml
2012-01-24 21:42 . 2012-01-24 21:42 90 ----a-w- c:\documents and settings\NetworkService\UserData\HANH9Q8M\meebo[9].xml
2012-01-24 21:40 . 2012-01-24 21:41 90 ----a-w- c:\documents and settings\NetworkService\UserData\HANH9Q8M\meebo[8].xml
2012-01-24 19:28 . 2012-01-24 19:28 90 ----a-w- c:\documents and settings\NetworkService\UserData\HANH9Q8M\meebo[7].xml
2012-01-24 19:26 . 2012-01-24 19:27 1976 ----a-w- c:\documents and settings\NetworkService\UserData\FUHKX7V7\meebo[8].xml
2012-01-24 19:24 . 2012-01-24 19:24 1966 ----a-w- c:\documents and settings\NetworkService\UserData\U6ZPLBXF\meebo[2].xml
2012-01-24 19:23 . 2012-01-24 19:26 96 ----a-w- c:\documents and settings\NetworkService\UserData\HANH9Q8M\meebo[4].xml
2012-01-24 06:51 . 2012-01-24 06:51 808 ----a-w- c:\documents and settings\NetworkService\UserData\H5SQCR9R\meebo[6].xml
2012-01-24 06:51 . 2012-01-24 06:51 808 ----a-w- c:\documents and settings\NetworkService\UserData\U6ZPLBXF\meebo[7].xml
2012-01-24 06:49 . 2012-01-24 06:49 808 ----a-w- c:\documents and settings\NetworkService\UserData\U6ZPLBXF\meebo[6].xml
2012-01-24 06:48 . 2012-01-24 06:48 808 ----a-w- c:\documents and settings\NetworkService\UserData\H5SQCR9R\meebo[5].xml
2012-01-24 06:44 . 2012-01-24 06:44 808 ----a-w- c:\documents and settings\NetworkService\UserData\H5SQCR9R\meebo[7].xml
2012-01-24 06:01 . 2012-01-24 06:01 90 ----a-w- c:\documents and settings\NetworkService\UserData\U6ZPLBXF\meebo[5].xml
2012-01-24 05:49 . 2012-01-24 05:49 808 ----a-w- c:\documents and settings\NetworkService\UserData\FUHKX7V7\meebo[7].xml
2012-01-24 05:32 . 2012-01-24 05:32 808 ----a-w- c:\documents and settings\NetworkService\UserData\H5SQCR9R\meebo[4].xml
2012-01-22 18:34 . 2012-01-22 18:35 90 ----a-w- c:\documents and settings\NetworkService\UserData\H5SQCR9R\meebo[2].xml
2012-01-22 18:33 . 2012-01-22 18:33 90 ----a-w- c:\documents and settings\NetworkService\UserData\FUHKX7V7\meebo[6].xml
2012-01-22 18:32 . 2012-01-22 18:32 90 ----a-w- c:\documents and settings\NetworkService\UserData\HANH9Q8M\meebo[5].xml
2012-01-22 08:19 . 2012-01-22 08:19 808 ----a-w- c:\documents and settings\NetworkService\UserData\HANH9Q8M\meebo[3].xml
2012-01-22 07:48 . 2012-01-22 07:49 808 ----a-w- c:\documents and settings\NetworkService\UserData\U6ZPLBXF\meebo[3].xml
2012-01-21 23:37 . 2012-01-21 23:37 90 ----a-w- c:\documents and settings\NetworkService\UserData\FUHKX7V7\meebo[3].xml
2012-01-21 23:36 . 2012-01-21 23:36 90 ----a-w- c:\documents and settings\NetworkService\UserData\HANH9Q8M\meebo[2].xml
2012-01-21 22:57 . 2012-01-21 22:57 90 ----a-w- c:\documents and settings\NetworkService\UserData\FUHKX7V7\meebo[2].xml
2012-01-21 22:42 . 2012-01-21 22:43 808 ----a-w- c:\documents and settings\NetworkService\UserData\HANH9Q8M\meebo[1].xml
2012-01-21 22:39 . 2012-01-21 22:39 808 ----a-w- c:\documents and settings\NetworkService\UserData\U6ZPLBXF\meebo[1].xml
2012-01-21 20:26 . 2012-01-28 05:26 32768 ----a-w- c:\documents and settings\NetworkService\UserData\index.dat
.
.
(((((((((((((((((((((((((((((((((((((((((( SR_Search ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2009-09-20 . 68F06FE0021B01E670AF37B8C5964FDF . 361344 . . [5.1.2600.5512] . . c:\windows\system32\drivers\tcpip.sys
.
[-] 2009-09-20 . AB9E8F44D2F80A8060BEFB29192F4249 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot@2012-01-30_02.56.18 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-01-30 18:48 . 2012-01-30 18:48 16384 c:\windows\temp\Perflib_Perfdata_290.dat
+ 2012-01-30 18:48 . 2012-01-30 18:48 16384 c:\windows\temp\Perflib_Perfdata_104.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\Steam\steam.exe" [2011-08-02 1242448]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCU"="c:\program files\DeviceVM\Browser Configuration Utility\BCU.exe" [2009-08-04 346320]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-09-08 98304]
"LogMeIn Hamachi Ui"="c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe" [2011-08-15 1955208]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
"WTClient"="WTClient.exe" [2009-10-30 32768]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-08 421736]
"LWS"="c:\program files\Logitech\LWS\Webcam Software\LWS.exe" [2011-08-12 205336]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2008-04-14 99840]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
backup=c:\windows\pss\McAfee Security Scan Plus.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\36X Raid Configurer]
2007-11-19 19:28 1966080 ------r- c:\windows\system32\xRaidSetup.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-03 07:37 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-01-31 08:44 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeAAMUpdater-1.0]
2010-03-06 09:44 500208 ------w- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS5ServiceManager]
2010-02-22 10:57 406992 ----a-w- c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCU]
2009-08-04 23:29 346320 ----a-w- c:\program files\DeviceVM\Browser Configuration Utility\BCU.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2011-05-27 19:32 136176 ----atw- c:\documents and settings\Ecky\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2007-01-01 21:22 3739648 ----a-w- c:\program files\Google\Google Talk\googletalk.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-12-08 07:36 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JMB36X IDE Setup]
2007-03-20 22:36 36864 ------r- c:\windows\RaidTool\xInsIDE.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Vid]
2011-01-13 02:01 6129496 ----a-w- c:\program files\Logitech\Vid HD\Vid.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn Hamachi Ui]
2011-08-15 22:18 1955208 ----a-w- c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LWS]
2011-08-12 18:18 205336 ----a-w- c:\program files\Logitech\LWS\Webcam Software\LWS.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Media Codec Update Service]
2009-01-25 18:17 196608 ----a-w- c:\program files\Essentials Codec Pack\WECPUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-10-24 20:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2009-06-25 06:07 17887232 ----a-w- c:\windows\RTHDCPL.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2011-06-15 20:02 15141768 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2011-09-08 18:12 98304 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-04-08 17:59 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SwitchBoard]
2010-02-19 19:37 517096 ----a-w- c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VERIZONDM]
2010-09-29 11:59 206120 ----a-w- c:\program files\VERIZONDM\bin\sprtcmd.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Documents and Settings\\Ecky\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Ecky\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Documents and Settings\\Ecky\\Desktop\\Folder for Folders\\World of Warcraft\\Launcher.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Steam\\steamapps\\eckabeb\\team fortress 2\\hl2.exe"=
"c:\\Documents and Settings\\Ecky\\Desktop\\Folder for Folders\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\CCP\\EVE\\bin\\ExeFile.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\terraria\\TerrariaServer.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\crimecraft\\Binaries\\CrimeCraft.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\plants vs zombies\\PlantsVsZombies.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\crimecraft\\SteamLauncher.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\spiral knights\\java_vm\\bin\\javaw.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\sega classics\\SEGAGenesisClassics.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\GamersFirst\\APB Reloaded\\Binaries\\APB.exe"=
"c:\\Program Files\\GamersFirst\\APB Reloaded\\Binaries\\VivoxVoiceService.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\kaptain brawe\\brawe.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\amd driver updater, xp, 32 bit\\Setup.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Logitech\\Vid HD\\Vid.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\world of goo\\WorldOfGoo.exe"=
"c:\\Program Files\\Electronic Arts\\BioWare\\Star Wars - The Old Republic\\swtor\\retailclient\\swtor.exe"=
"c:\\Program Files\\Electronic Arts\\BioWare\\Star Wars - The Old Republic\\launcher.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\worms reloaded\\WormsReloaded.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\portal 2\\portal2.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\the binding of isaac\\Isaac.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\machinarium\\machinarium.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\toki tori\\tokitori.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\dungeon defenders\\Binaries\\Win32\\DungeonDefenders.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\Assassins Creed\\AssassinsCreed_Game.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\monday night combat\\Binaries\\Win32\\mnc.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\pc gamer digital edition\\Freakshow.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\lumines\\lumines.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\costume quest\\Cq.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\dungeon defenders\\Binaries\\Win32\\DunDefGame.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead 2\\left4dead2.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"57695:TCP"= 57695:TCP:Pando Media Booster
"57695:UDP"= 57695:UDP:Pando Media Booster
"4530:TCP"= 4530:TCP:Akamai NetSession Interface
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/14/2011 3:30 PM 64512]
R2 BCUService;Browser Configuration Utility Service;c:\program files\DeviceVM\Browser Configuration Utility\BCUService.exe [3/23/2010 11:44 AM 219360]
R2 GEST Service;GEST Service for program management.;c:\program files\GIGABYTE\EnergySaver\GSvr.exe [3/23/2010 11:44 AM 68136]
R2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [8/15/2011 4:18 PM 1361288]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/14/2011 2:01 AM 2152152]
R2 sprtsvc_verizondm;SupportSoft Sprocket Service (verizondm);c:\program files\VERIZONDM\bin\sprtsvc.exe [9/29/2010 6:00 AM 206120]
R2 tgsrvc_verizondm;SupportSoft Repair Service (verizondm);c:\program files\VERIZONDM\bin\tgsrvc.exe [9/29/2010 6:00 AM 185640]
R2 UMVPFSrv;UMVPFSrv;c:\program files\Common Files\LogiShrd\LVMVFM\UMVPFSrv.exe [3/31/2011 11:11 PM 450848]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [3/23/2010 11:47 AM 1684736]
S3 BCMH43XX;Broadcom 802.11 USB Network Adapter Driver;c:\windows\system32\DRIVERS\bcmwlhigh5.sys --> c:\windows\system32\DRIVERS\bcmwlhigh5.sys [?]
S3 cpuz135;cpuz135;\??\c:\docume~1\Ecky\LOCALS~1\Temp\cpuz135\cpuz135_x32.sys --> c:\docume~1\Ecky\LOCALS~1\Temp\cpuz135\cpuz135_x32.sys [?]
S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\EagleXNt.sys --> c:\windows\system32\drivers\EagleXNt.sys [?]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 6:49 AM 227232]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 1:37 PM 517096]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-30 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-03-14 07:40]
.
2012-01-30 c:\windows\Tasks\AdobeAAMUpdater-1.0-HEATHER-Ecky.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2010-11-16 09:44]
.
2012-01-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2012-01-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-602162358-162531612-1417001333-1003Core.job
- c:\documents and settings\Ecky\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-28 19:32]
.
2012-01-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-602162358-162531612-1417001333-1003UA.job
- c:\documents and settings\Ecky\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-28 19:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com/?o=13170&l=dis
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\Ecky\Application Data\Mozilla\Firefox\Profiles\3v9eamco.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.yahoo.com
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-30 12:49
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1220)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
.
- - - - - - - > 'explorer.exe'(3256)
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\windows\System32\Drivers\WTSRV.EXE
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
c:\windows\system32\WTClient.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Logitech\LWS\Webcam Software\CameraHelperShell.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
.
**************************************************************************
.
Completion time: 2012-01-30 12:56:21 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-30 18:56
ComboFix2.txt 2012-01-30 03:05
.
Pre-Run: 389,990,912,000 bytes free
Post-Run: 389,982,736,384 bytes free
.
- - End Of File - - 38AEC716F84CD42942384E826FEA1CD0

#10 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Antarctica
  • Local time:04:28 AM

Posted 31 January 2012 - 01:46 AM

Hi Eckabeb!

Antarctica is very cold!! :)

Also, when I opened Firefox, a new tab opened to http://www.yontoo.com/InstallYontooSuccess.aspx?App=Yontoo&Source=Y2-FF-THIN&FFGuid=56527B25-4DC4-7039-C6E4-C74E5F5DF17F. I don't know what this is, but it says it installed "Yontoo"?

Can you open up your Extensions list in Firefox and see if there is an extension listed for Yontoo and if there is go ahead and Uninstall it/Remove it from Firefox.

We may need to utilize the Windows disc later.

Lets see what these scans find, and see where we stand then.

Malwarebytes' Anti-Malware

I see that you have Malwarebytes' Anti-Malware installed on your computer could you please do a scan using these settings:

  • Open Malwarebytes' Anti-Malware
  • Select the Update tab
  • Click Check for Updates
  • After the update have been completed, Select the Scanner tab.
  • Select Perform quick scan, then click on Scan
  • Leave the default options as it is and click on Start Scan
  • When done, you will be prompted. Click OK, then click on Show Results
  • Checked (ticked) all items and click on Remove Selected
  • After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom most log is the latest
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.



NEXT:



ESET Online Scanner
I'd like us to scan your machine with ESET Online Scan

Note: It is recommended to disable on-board anti-virus program and anti-spyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your anti-virus along with your anti-spyware programs.



  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Make sure that the option "Remove found threats" is Unchecked
  • When the Computer scan settings display shows, click the Advanced option, the place a check next to the following (if it is not already checked):
    • Enable Anti-Stealth technology
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin
    scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as
    ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


NEXT:



Security Check
Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#11 Eckabeb

Eckabeb
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:03:28 AM

Posted 31 January 2012 - 03:49 AM

It looks like Mbam found the FSS I had downloaded. :P Mbam did have me restart to remove it. I am running the ESET Scanner right now; it has currently been running for an hour and a half and for the past 50 minutes ESET has been "stuck" on Application\AVG\Rescue..., which I assume is the leftover tidbits of AVG after un-installing it. I'm posting now just to update and because I don't know if ESET is supposed to take as long as it is currently; I'll check on it tomorrow (leaving ESET to run all night), and if Eset is still stuck on that file, I'll close the program and rerun it and give you the new log. I'll begin the Security Check once Eset finshes. See you sometime tomorrow, Agent ST! And have a good night! :D

MBAM Log
Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.01.31.03

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 6.0.2900.5512
Ecky :: ECKABEB [administrator]

1/31/2012 12:51:34 AM
mbam-log-2012-01-31 (00-51-34).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 188130
Time elapsed: 9 minute(s), 41 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Documents and Settings\Ecky\Desktop\FSS.exe (Trojan.AutoIT) -> Quarantined and deleted successfully.

(end)

Edited by Eckabeb, 31 January 2012 - 03:50 AM.


#12 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Antarctica
  • Local time:04:28 AM

Posted 31 January 2012 - 04:27 AM

Hi Eckabeb!

Thanks for the update, and thanks for that MBAM log. I'm going to have to look into that and see what's going on with that detection of FSS.exe.

I look forward to your reply. :)

Kindest Regards,
Agent ST.

Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#13 Eckabeb

Eckabeb
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:03:28 AM

Posted 31 January 2012 - 01:41 PM

Eset took forever~. Haha. Goodness, you're up late. Well, here's the yummy logs! :3

Eset Log

C:\Documents and Settings\Ecky\Application Data\AVG\Rescue\PC Tuneup 2011\110706185116263.rsc multiple threats
C:\Documents and Settings\unlock\programs.rar multiple threats
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Tarma Installer\{2E1037EA-038A-425F-86B9-6CD19B8497E9}\_Setupx.dll.vir a variant of Win32/Adware.Yontoo.B application
C:\WINDOWS\system32\drivers\mrxsmb.sys Win32/Sirefef.DA trojan
C:\_OTL\MovedFiles\01282012_173040\C_WINDOWS\system32\lnasqishcnsor.exe Win32/Adware.RON.FSV application

Security Check log

Results of screen317's Security Check version 0.99.30
Windows XP Service Pack 3 x86
Internet Explorer 6 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
AVG PC Tuneup 2011
ESET Online Scanner v3
McAfee Security Scan Plus
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:

Ad-Aware
AVG PC Tuneup 2011
CCleaner
Java™ 6 Update 26
Java version out of date!
Adobe Flash Player 11.1.102.55
Adobe Reader 9 Adobe Reader out of date!
Mozilla Firefox (9.0.1)
````````````````````````````````
Process Check:
objlist.exe by Laurent

Ad-Aware AAWService.exe
Ad-Aware AAWTray.exe
``````````End of Log````````````

#14 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Antarctica
  • Local time:04:28 AM

Posted 01 February 2012 - 12:31 AM

Good Evening Eckabeb!

Eset took forever~. Haha. Goodness, you're up late. Well, here's the yummy logs! :3

Yes, I was up late. :)

It looks like ESET found a serious threat that we need to address right now.

OTL Custom Scan

We need to create a new OTL Report
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Click on the NONE button at the top.
  • In the custom scan box paste the following:
    "%WinDir%\$NtUninstallKB*$." /30
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\system32\drivers\*.sys /90
    %SYSTEMDRIVE%\*.exe
    /md5start
    volsnap.sys
    atapi.sys
    explorer.exe
    winlogon.exe
    wininit.exe
    mrxsmb.sys
    /md5stop
    
  • Push the Posted Image button.
  • One report will open, copy and paste it in a reply here:
  • OTL.txt <-- Will be opened

Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#15 Eckabeb

Eckabeb
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:03:28 AM

Posted 01 February 2012 - 02:57 AM

Evening Agent ST! Here's your OTL log!

OTL Custom Scan Log

OTL logfile created on: 2/1/2012 1:40:06 AM - Run 2
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Ecky\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.08 Gb Available Physical Memory | 54.10% Memory free
3.85 Gb Paging File | 3.11 Gb Available in Paging File | 80.94% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 698.62 Gb Total Space | 361.81 Gb Free Space | 51.79% Space Free | Partition Type: NTFS

Computer Name: ECKABEB | User Name: Ecky | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: Off | File Age = 30 Days

========== Custom Scans ==========


< "%WinDir%\$NtUninstallKB*$." /30 >

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\system32\drivers\*.sys /90 >
[2011/12/05 21:42:18 | 007,490,560 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\drivers\ati2mtag.sys
[2011/12/20 01:39:28 | 000,100,368 | ---- | M] (Advanced Micro Devices) -- C:\WINDOWS\system32\drivers\AtihdXP3.sys
[2011/12/10 15:24:06 | 000,020,464 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\system32\drivers\mbam.sys

< %SYSTEMDRIVE%\*.exe >


< MD5 for: ATAPI.SYS >
[2008/04/14 06:00:00 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008/04/14 00:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2008/04/14 00:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2008/04/14 00:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2008/04/14 06:00:00 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\i386\atapi.sys
[2008/04/14 00:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\ReinstallBackups\0003\DriverFiles\i386\atapi.sys

< MD5 for: EXPLORER.EXE >
[2008/04/14 06:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\ERDNT\cache\explorer.exe
[2008/04/14 06:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\explorer.exe
[2008/04/14 06:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\system32\dllcache\explorer.exe

< MD5 for: MRXSMB.SYS >
[2008/04/14 06:00:00 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:mrxsmb.sys
[2008/04/14 06:00:00 | 000,456,576 | ---- | M] () MD5=144C61F26FDDF7461B5990410533934B -- C:\WINDOWS\system32\drivers\mrxsmb.sys

< MD5 for: VOLSNAP.SYS >
[2008/04/14 06:00:00 | 000,052,352 | ---- | M] (Microsoft Corporation) MD5=4C8FCB5CC53AAB716D810740FE59D025 -- C:\WINDOWS\system32\dllcache\volsnap.sys
[2008/04/14 06:00:00 | 000,052,352 | ---- | M] (Microsoft Corporation) MD5=4C8FCB5CC53AAB716D810740FE59D025 -- C:\WINDOWS\system32\drivers\volsnap.sys

< MD5 for: WINLOGON.EXE >
[2012/01/13 14:53:20 | 000,182,856 | ---- | M] () MD5=63EEC8A8B221AB79045E776E5F592868 -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe
[2008/04/14 06:00:00 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\ERDNT\cache\winlogon.exe
[2008/04/14 06:00:00 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\system32\dllcache\winlogon.exe
[2008/04/14 06:00:00 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\system32\winlogon.exe

< End of report >




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users