All kinds of problems. Redirects, Rootkit, Freezes, Unresponsive Programs, Disabled Internet


This topic is locked
48 replies to this topic

#1 AugustAPC

AugustAPC

  • Members
  • 86 posts
  • OFFLINE
  • Local time:07:03 PM

Posted 23 February 2012 - 02:00 AM

I followed the instructions in the preparation guide, but was only able to extract a small portion of the data requested.
I've been experiencing the following:

- Mozilla Firefox won't work (The proxy server is refusing connections.)
- TDSSKiller finds a rootkit.
- Redirects from Google (In Internet Explorer)
- Many programs freeze before completion (including dds so I could not generate any logs from it.)

As I've said, dds would freeze at 80% so I cannot provide any logs from it.

When these problems all started, this icon showed up on my desktop. [screenshot]

When I tried to run GMER I got this error:
[screenshot]

The program still opened, though many options were greyed out. This is what was available:
[screenshot]

I ran the scan with what was allowed, and will post the document in the attachments.

I should also add that I've tried many anti-virus programs including combofix (I know, I'm sorry.) ComboFix would freeze before the scan actually took place, but said it found a rootkit. There were many problems found and cured by Malwarebytes, which included a hidden desktop.

That's all the information I have, to my knowledge. I'm in some serious need of help here, and any suggestions would be greatly appreciated. Thanks.

Attached Files

  • Attached File  ark.txt   14.23KB   1 downloads

Edited by AugustAPC, 23 February 2012 - 02:01 AM.



#2 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  • Gender:Male
  • Location:Antarctica
  • Local time:08:03 PM

Posted 23 February 2012 - 02:45 AM

Hello AugustAPC! Welcome to the forums!

My secret agent name on the forums is SweetTech (you can call me Agent ST for short), it's a pleasure to meet you. :)

I'll be addressing you by your username, if you'd like me to address you by something else, please let me know!

I would be glad to take a look at your log and help you with solving any malware problems.

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed.

If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:


  • Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
  • Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
  • If I instruct you to download a specific tool that you already have, please delete the copy that you have and re-download the tool. The reason I ask you to do this is because these tools are updated fairly regularly.
  • Do not do things I do not ask for, such as running a spyware scan on your computer. The one thing that you should always do is to make sure that your anti-virus definitions are up-to-date!
  • Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post.
  • I am going to stick with you until ALL malware is gone from your system. I would appreciate it if you would do the same. From this point, we're in this together ;)

    • Because of this, you must reply within 3 days; failure to reply will result in the topic being closed! I like chocolate chip cookies.
  • Lastly, I am no magician. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to resort to reformatting and reinstalling your operating system or even taking your computer into a repair shop.

    • Don't worry, this only happens in severe cases, but it sadly does happen. Be prepared to back up your data and have means of backing up your data available.

____________________________________________________

Could you please post the TDSSKiller log file that you have? It can be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.



NEXT:



Running aswMBR.exe

Download aswMBR.exe (4.5mb) to your desktop.
Double click the aswMBR.exe to run it.
Click the "Scan" button to start the scan.

[screenshot]

On completion of the scan click save log, save it to your desktop and post in your next reply.

[screenshot]



NEXT:


Farbar Service Scanner

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


NEXT:


Running OTL

We need to create a New FULL OTL Report
  • Please download OTL from here if you have not done so already:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Change the "Extra Registry" option to "SafeList"
  • Copy and Paste the following code into the Custom Scans/Fixes textbox.
    msconfig
    safebootminimal
    activex
    drivers32
    netsvcs
    "%WinDir%\$NtUninstallKB*$." /30
    C:\Program Files\Common Files\ComObjects\*.* /s
    %systemroot%\*. /mp /s
    %systemroot%\*. /rp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /90
    %SYSTEMDRIVE%\*.exe
    /md5start
    volsnap.sys
    atapi.sys
    explorer.exe
    winlogon.exe
    wininit.exe
    tdx.sys
    /md5stop
    hklm\software\clients\startmenuinternet|command /rs
    hklm\software\clients\startmenuinternet|command /64 /rs
    
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extras.txt <-- Will be minimized


NEXT:



Please make sure you include the following items in your next post:

1. Any comments or questions you may have that you'd like for me to answer in my next post to you.
2. TDSSKiller log file.
3. aswMBR log file.
4. Farbar Service Scanner log.
5. OTL.txt & Extras.txt logs.
6. An update on how your computer is currently running.

It would be helpful if you could answer each question in the order asked, as well as numbering your answers.


Please let me know how the above scans go.

Kindest Regards,
Agent ST.



The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.
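As an added example (not code from this thread, its helper, or the authors of the tools above), the script below scans text in the formats of the TDSSKiller, aswMBR, Farbar Service Scanner and OTL logs requested in this post and flags the findings a helper reads first: an MBR detection, a hidden active partition, a locked service, a firewall-disabled policy, and a browser proxy pointed at the local host. The sample lines are constructed in those formats; the hash and SID in them are placeholders.

```python
"""Triage of malware-removal tool logs (added example, not the tools' own code).

Scans lines in the TDSSKiller, aswMBR, FSS and OTL log formats and returns
(severity, message) findings. Sample logs are constructed for this example.
"""
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (severity, message)

# (severity, pattern, message template filled from the pattern's named groups)
RULES = [
    ("critical", re.compile(r"(?P<obj>\\\S+\\MBR) - detected (?P<name>\S+)"),
     "TDSSKiller: {name} detected on {obj}"),
    ("warning", re.compile(r"User select action: Skip"),
     "TDSSKiller: detection was skipped, nothing was cured"),
    ("critical", re.compile(r"Disk (?P<disk>\d+) Partition (?P<part>\d+) \*\*INFECTED\*\* (?P<name>.+)$"),
     "aswMBR: disk {disk} partition {part} infected ({name})"),
    ("warning", re.compile(r"Disk (?P<disk>\d+) Partition (?P<part>\d+) 80 \(A\) .*Hidd "),
     "aswMBR: active boot partition {part} on disk {disk} is hidden (bootkit layout)"),
    ("warning", re.compile(r"Disk (?P<disk>\d+) MBR hidden"),
     "aswMBR: MBR of disk {disk} is hidden from the running OS"),
    ("warning", re.compile(r"Service (?P<svc>\S+) .*\*\*LOCKED\*\*"),
     "aswMBR: service {svc} is locked"),
    ("warning", re.compile(r'"EnableFirewall"=DWORD:0'),
     "FSS: Windows Firewall disabled by policy"),
    ("warning", re.compile(r"^IE proxy is enabled\."),
     "FSS: IE proxy is enabled"),
    ("warning", re.compile(r'"ProxyEnable" = 1'),
     "OTL: IE proxy enabled for a user hive"),
    ("warning", re.compile(r'network\.proxy\.http: "(?P<host>127\.0\.0\.1|localhost)"'),
     "OTL: Firefox HTTP proxy points at {host} (local proxy hijack)"),
]

# Constructed sample logs in the four tools' formats (placeholder hash and SID).
SAMPLE_LOGS: Dict[str, str] = {
    "TDSSKiller": r"""
2012/02/23 03:06:46.0890 xusb21 (00000000000000000000000000000000) C:\WINDOWS\system32\DRIVERS\xusb21.sys
2012/02/23 03:06:47.0125 \HardDisk0\MBR - detected Rootkit.Win32.BackBoot.gen (1)
2012/02/23 03:06:49.0234 Rootkit.Win32.BackBoot.gen(\HardDisk0\MBR) - User select action: Skip
""",
    "aswMBR": r"""
03:09:23.531 Disk 0 Windows XP default MBR code
03:09:23.531 Disk 0 MBR hidden
03:09:23.562 Disk 0 Partition 3 80 (A) 17 Hidd HPFS/NTFS NTFS 8 MB offset 156232125
03:09:23.562 Disk 0 Partition 3 **INFECTED** MBR:Alureon-K [Rtk]
03:09:40.296 Service .mrxsmb \? **LOCKED** 123
""",
    "FSS": r"""
Localhost is accessible.
IE proxy is enabled.
Firewall Disabled Policy:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0
""",
    "OTL": r"""
IE - HKU\S-1-5-21-PLACEHOLDER-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 49677
FF - prefs.js..network.proxy.type: 1
""",
}


def triage(log_text: str) -> List[Finding]:
    """Return findings for every line of one log, in log order."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        for severity, pattern, template in RULES:
            match = pattern.search(line)
            if match:
                findings.append((severity, template.format(**match.groupdict())))
    return findings


def triage_all(logs: Dict[str, str] = SAMPLE_LOGS) -> Dict[str, List[Finding]]:
    """Triage each tool's log separately."""
    return {tool: triage(text) for tool, text in logs.items()}


def needs_mbr_repair(findings: List[Finding]) -> bool:
    """True when a tool reported the MBR or boot partition itself as infected."""
    return any(severity == "critical" for severity, _ in findings)


if __name__ == "__main__":
    results = triage_all()
    for tool, findings in results.items():
        for severity, message in findings:
            print(f"[{severity.upper():8}] {message}")
    print("MBR repair needed:", needs_mbr_repair(sum(results.values(), [])))
```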


#3 AugustAPC

AugustAPC
  • Topic Starter

  • Members
  • 86 posts
  • OFFLINE
  • Local time:07:03 PM

Posted 23 February 2012 - 03:51 AM

Such a fast reply! I'm greatly appreciative.

TDSSKiller Log:

2012/02/23 03:06:37.0531 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2012/02/23 03:06:37.0671 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2012/02/23 03:06:37.0828 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2012/02/23 03:06:38.0078 nv (ba1b732c1a70cfea0c1b64f2850bf44f) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2012/02/23 03:06:38.0500 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2012/02/23 03:06:38.0593 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2012/02/23 03:06:38.0703 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2012/02/23 03:06:38.0781 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2012/02/23 03:06:38.0875 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2012/02/23 03:06:39.0125 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2012/02/23 03:06:39.0296 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\drivers\PCIIde.sys
2012/02/23 03:06:39.0406 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2012/02/23 03:06:39.0875 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2012/02/23 03:06:40.0015 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2012/02/23 03:06:40.0109 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2012/02/23 03:06:40.0218 PxHelp20 (e42e3433dbb4cffe8fdd91eab29aea8e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2012/02/23 03:06:40.0625 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2012/02/23 03:06:40.0781 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2012/02/23 03:06:40.0875 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2012/02/23 03:06:40.0968 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2012/02/23 03:06:41.0093 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2012/02/23 03:06:41.0218 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2012/02/23 03:06:41.0343 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2012/02/23 03:06:41.0468 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
2012/02/23 03:06:41.0578 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2012/02/23 03:06:41.0781 SASDIFSV (39763504067962108505bff25f024345) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
2012/02/23 03:06:42.0171 SASKUTIL (77b9fc20084b48408ad3e87570eb4a85) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
2012/02/23 03:06:42.0312 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2012/02/23 03:06:42.0421 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2012/02/23 03:06:42.0515 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2012/02/23 03:06:42.0687 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2012/02/23 03:06:42.0890 smwdm (31fd0707c7dbe715234f2823b27214fe) C:\WINDOWS\system32\drivers\smwdm.sys
2012/02/23 03:06:43.0093 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2012/02/23 03:06:43.0234 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2012/02/23 03:06:43.0343 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
2012/02/23 03:06:43.0515 ssudmdm (6c0cc5868f99064516fb9f82563a02ea) C:\WINDOWS\system32\DRIVERS\ssudmdm.sys
2012/02/23 03:06:43.0593 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2012/02/23 03:06:43.0671 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2012/02/23 03:06:44.0000 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2012/02/23 03:06:44.0156 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2012/02/23 03:06:44.0312 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2012/02/23 03:06:44.0406 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2012/02/23 03:06:44.0546 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2012/02/23 03:06:44.0718 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2012/02/23 03:06:44.0921 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2012/02/23 03:06:45.0125 USBAAPL (83cafcb53201bbac04d822f32438e244) C:\WINDOWS\system32\Drivers\usbaapl.sys
2012/02/23 03:06:45.0250 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2012/02/23 03:06:45.0343 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2012/02/23 03:06:45.0437 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2012/02/23 03:06:45.0546 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2012/02/23 03:06:45.0640 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2012/02/23 03:06:45.0734 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2012/02/23 03:06:45.0875 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2012/02/23 03:06:46.0000 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2012/02/23 03:06:46.0125 Wdf01000 (bbcfeab7e871cddac2d397ee7fa91fdc) C:\WINDOWS\system32\Drivers\wdf01000.sys
2012/02/23 03:06:46.0328 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2012/02/23 03:06:46.0531 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
2012/02/23 03:06:46.0640 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2012/02/23 03:06:46.0781 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2012/02/23 03:06:46.0890 xusb21 (a640c90b007762939507c28a021be3b3) C:\WINDOWS\system32\DRIVERS\xusb21.sys
2012/02/23 03:06:47.0125 \HardDisk0\MBR - detected Rootkit.Win32.BackBoot.gen (1)
2012/02/23 03:06:47.0140 ================================================================================
2012/02/23 03:06:47.0140 Scan finished
2012/02/23 03:06:47.0140 ================================================================================
2012/02/23 03:06:47.0156 Detected object count: 1
2012/02/23 03:06:49.0234 Rootkit.Win32.BackBoot.gen(\HardDisk0\MBR) - User select action: Skip
2012/02/23 03:06:53.0046 Deinitialize success


aswMBR log:

aswMBR version 0.9.9.1649 Copyright© 2011 AVAST Software
Run date: 2012-02-23 03:09:06
-----------------------------
03:09:06.656 OS Version: Windows 5.1.2600 Service Pack 3
03:09:06.656 Number of processors: 1 586 0x209
03:09:06.656 ComputerName: GUSTAFSO-8C30D0 UserName:
03:09:08.031 Initialize success
03:09:08.140 AVAST engine defs: 12022300
03:09:23.515 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
03:09:23.515 Disk 0 Vendor: ST380011A 3.16 Size: 76293MB BusType: 3
03:09:23.531 Disk 0 MBR read successfully
03:09:23.531 Disk 0 MBR scan
03:09:23.531 Disk 0 Windows XP default MBR code
03:09:23.531 Disk 0 MBR hidden
03:09:23.531 Disk 0 Partition 1 00 DE Dell Utility Dell 4.1 31 MB offset 63
03:09:23.546 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 76253 MB offset 64260
03:09:23.562 Disk 0 Partition 3 80 (A) 17 Hidd HPFS/NTFS NTFS 8 MB offset 156232125
03:09:23.562 Disk 0 Partition 3 **INFECTED** MBR:Alureon-K [Rtk]
03:09:23.578 Disk 0 scanning sectors +156249984
03:09:25.734 Disk 0 scanning C:\WINDOWS\system32\drivers
03:09:39.578 Service scanning
03:09:40.296 Service .mrxsmb \? **LOCKED** 123
03:10:05.156 Modules scanning
03:10:19.765 Disk 0 trace - called modules:
03:10:19.796 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x87793fa9]<<
03:10:19.796 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x87745ab8]
03:10:19.796 3 CLASSPNP.SYS[f77e1fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x877a6d98]
03:10:19.796 \Driver\atapi[0x877a0630] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0x87793fa9
03:10:20.250 AVAST engine scan C:\WINDOWS
03:10:25.703 AVAST engine scan C:\WINDOWS\system32
03:14:28.828 AVAST engine scan C:\WINDOWS\system32\drivers
03:14:47.687 AVAST engine scan C:\Documents and Settings\Austin Gustafson
03:23:19.296 AVAST engine scan C:\Documents and Settings\All Users
03:24:22.078 Scan finished successfully
03:24:37.031 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Austin Gustafson\Desktop\MBR.dat"
03:24:37.031 The log file has been saved successfully to "C:\Documents and Settings\Austin Gustafson\Desktop\aswMBR.txt"


Farbar log:

Farbar Service Scanner Version: 22-02-2012
Ran by Austin Gustafson (administrator) on 23-02-2012 at 03:29:33
Running from "C:\Documents and Settings\Austin Gustafson\Desktop"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.
IE proxy is enabled.



Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
aswFW(9) aswTdi(8) Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4)
0x09000000050000000100000002000000030000000400000009000000080000000600000007000000
IpSec Tag value is correct.

**** End of log ****


OTL logfile created on: 2/23/2012 3:35:04 AM - Run 1
OTL by OldTimer - Version 3.2.33.2 Folder = C:\Documents and Settings\Austin Gustafson\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1022.98 Mb Total Physical Memory | 475.50 Mb Available Physical Memory | 46.48% Memory free
2.40 Gb Paging File | 1.95 Gb Available in Paging File | 81.21% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.47 Gb Total Space | 30.38 Gb Free Space | 40.80% Space Free | Partition Type: NTFS

Computer Name: GUSTAFSO-8C30D0 | User Name: Austin Gustafson | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/02/23 03:32:49 | 000,583,680 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Austin Gustafson\Desktop\OTL.exe
PRC - [2012/02/20 21:46:30 | 000,420,352 | ---- | M] () -- C:\Program Files\cacaoweb\cacaoweb.exe
PRC - [2012/01/21 00:30:11 | 000,116,608 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
PRC - [2011/11/28 13:01:24 | 003,744,552 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastUI.exe
PRC - [2011/11/28 13:01:23 | 000,127,192 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\afwServ.exe
PRC - [2011/11/28 13:01:23 | 000,044,768 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe
PRC - [2011/07/28 18:08:12 | 001,259,376 | ---- | M] () -- C:\Program Files\DivX\DivX Update\DivXUpdate.exe
PRC - [2010/01/15 20:46:12 | 007,418,368 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 3\program\soffice.bin
PRC - [2010/01/15 20:46:10 | 007,424,000 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 3\program\soffice.exe
PRC - [2008/04/14 04:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (No Company Name) ==========

MOD - [2012/02/23 02:07:44 | 001,714,688 | ---- | M] () -- C:\Program Files\AVAST Software\Avast\defs\12022300\algo.dll
MOD - [2012/02/22 18:04:16 | 001,714,176 | ---- | M] () -- C:\Program Files\AVAST Software\Avast\defs\12022201\algo.dll
MOD - [2012/02/20 21:46:30 | 000,420,352 | ---- | M] () -- C:\Program Files\cacaoweb\cacaoweb.exe
MOD - [2011/07/28 18:09:42 | 000,096,112 | ---- | M] () -- C:\Program Files\DivX\DivX Update\DivXUpdateCheck.dll
MOD - [2011/07/28 18:08:12 | 001,259,376 | ---- | M] () -- C:\Program Files\DivX\DivX Update\DivXUpdate.exe
MOD - [2011/06/24 21:56:36 | 000,087,328 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2011/06/24 21:56:14 | 001,241,888 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
MOD - [2010/02/10 18:10:10 | 000,141,824 | ---- | M] () -- C:\Program Files\WinRAR\RarExt.dll
MOD - [2010/02/05 12:17:14 | 000,970,752 | ---- | M] () -- C:\Program Files\OpenOffice.org 3\program\libxml2.dll
MOD - [2008/02/03 02:08:12 | 001,722,368 | ---- | M] () -- C:\Program Files\TUGZip\Plugins\TzArchive10.tgp
MOD - [2007/03/13 02:34:20 | 000,162,304 | ---- | M] () -- C:\WINDOWS\system32\ztvunrar36.dll
MOD - [2006/05/14 16:03:54 | 000,655,360 | ---- | M] () -- C:\Program Files\TUGZip\TzShell.dll
MOD - [2005/02/18 02:15:22 | 000,077,824 | ---- | M] () -- C:\Program Files\TUGZip\Plugins\TzImage10.tgp


========== Win32 Services (SafeList) ==========

SRV - [2012/01/21 00:30:11 | 000,116,608 | ---- | M] (SUPERAntiSpyware.com) [Auto | Running] -- C:\Program Files\SUPERAntiSpyware\SASCORE.EXE -- (!SASCORE)
SRV - [2011/11/28 13:01:23 | 000,127,192 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\AVAST Software\Avast\afwServ.exe -- (avast! Firewall)
SRV - [2011/11/28 13:01:23 | 000,044,768 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
SRV - [2010/02/17 13:43:33 | 000,655,624 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)


========== Driver Services (SafeList) ==========

DRV - [2012/01/21 00:30:08 | 000,067,664 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2012/01/21 00:30:08 | 000,012,880 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS -- (SASDIFSV)
DRV - [2011/11/28 12:54:38 | 000,111,320 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswFW.sys -- (aswFW)
DRV - [2011/11/28 12:53:53 | 000,435,032 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\aswSnx.sys -- (aswSnx)
DRV - [2011/11/28 12:53:35 | 000,314,456 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2011/11/28 12:53:22 | 000,195,416 | ---- | M] (AVAST Software) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\aswNdis2.sys -- (aswNdis2)
DRV - [2011/11/28 12:52:19 | 000,034,392 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2011/11/28 12:52:16 | 000,052,952 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2011/11/28 12:52:02 | 000,111,320 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2011/11/28 12:51:50 | 000,020,568 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2011/11/28 12:48:49 | 000,030,808 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2011/08/24 23:43:54 | 000,181,432 | ---- | M] (DEVGURU Co., LTD.(www.devguru.co.kr)) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ssudmdm.sys -- (ssudmdm) SAMSUNG Mobile USB Modem Drivers (DEVGURU Ver.)
DRV - [2011/08/24 23:43:54 | 000,077,624 | ---- | M] (DEVGURU Co., LTD.(www.devguru.co.kr)) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ssudbus.sys -- (dg_ssudbus) SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.)
DRV - [2011/05/10 06:40:58 | 000,012,112 | ---- | M] (ALWIL Software) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\aswNdis.sys -- (aswNdis)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = E5 3A 33 08 0F D5 8A 4F 90 47 84 3C 7A 7F 40 6D [binary data]
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = E5 3A 33 08 0F D5 8A 4F 90 47 84 3C 7A 7F 40 6D [binary data]
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = E5 3A 33 08 0F D5 8A 4F 90 47 84 3C 7A 7F 40 6D [binary data]

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = E5 3A 33 08 0F D5 8A 4F 90 47 84 3C 7A 7F 40 6D [binary data]

IE - HKU\S-1-5-21-1757981266-606747145-1417001333-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/?pc=Z136&install_date=20111022
IE - HKU\S-1-5-21-1757981266-606747145-1417001333-1003\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = E5 3A 33 08 0F D5 8A 4F 90 47 84 3C 7A 7F 40 6D [binary data]
IE - HKU\S-1-5-21-1757981266-606747145-1417001333-1003\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKU\S-1-5-21-1757981266-606747145-1417001333-1003\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-1757981266-606747145-1417001333-1003\..\URLSearchHook: {472734EA-242A-422b-ADF8-83D1E48CC825} - No CLSID value found
IE - HKU\S-1-5-21-1757981266-606747145-1417001333-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\S-1-5-21-1757981266-606747145-1417001333-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://us.mg4.mail.yahoo.com/dc/launch"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..keyword.URL: "http://www.bing.com/search?pc=Z136&form=ZGAADF&install_date=20111022&q="
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 49677
FF - prefs.js..network.proxy.type: 1


FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX VOD Helper,version=1.0.0: C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\esnipsxpi@logia.esnips: C:\Program Files\Logia\eSnipsDownloader\ext
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{3252b9ae-c69a-4eaf-9502-dc9c1f6c009e}: C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DMExtension\ [2010/09/23 18:35:59 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\wrc@avast.com: C:\Program Files\AVAST Software\Avast\WebRep\FF [2011/12/04 04:28:21 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{23fcfd51-4958-4f00-80a3-ae97e717ed8b}: C:\Program Files\DivX\DivX Plus Web Player\firefox\DivXHTML5 [2012/02/14 18:10:02 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 10.0.2\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/02/17 04:46:46 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 10.0.2\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/01/17 17:38:10 | 000,000,000 | ---D | M]

[2010/02/05 13:02:19 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Austin Gustafson\Application Data\Mozilla\Extensions
[2012/01/17 02:50:32 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Austin Gustafson\Application Data\Mozilla\Firefox\Profiles\l2hqcyhh.default\extensions
[2010/06/23 23:51:54 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Austin Gustafson\Application Data\Mozilla\Firefox\Profiles\l2hqcyhh.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/06/12 16:32:57 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Documents and Settings\Austin Gustafson\Application Data\Mozilla\Firefox\Profiles\l2hqcyhh.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2011/09/18 21:52:09 | 000,000,000 | ---D | M] (cacaoweb) -- C:\Documents and Settings\Austin Gustafson\Application Data\Mozilla\Firefox\Profiles\l2hqcyhh.default\extensions\cacaoweb@cacaoweb.org
[2011/11/09 19:28:29 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/12/04 04:28:21 | 000,000,000 | ---D | M] (avast! WebRep) -- C:\PROGRAM FILES\AVAST SOFTWARE\AVAST\WEBREP\FF
[2012/02/14 18:10:02 | 000,000,000 | ---D | M] (DivX Plus Web Player HTML5 <video>) -- C:\PROGRAM FILES\DIVX\DIVX PLUS WEB PLAYER\FIREFOX\DIVXHTML5
[2012/02/17 04:46:44 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2010/09/15 03:50:38 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2012/02/15 18:35:42 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2010/01/01 03:00:00 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml.old
[2010/05/29 05:35:12 | 000,002,029 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\esnips.xml
[2012/02/15 18:35:42 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2011/12/24 11:14:58 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (DivX Plus Web Player HTML5 <video>) - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll (DivX, LLC)
O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O3 - HKU\S-1-5-21-1757981266-606747145-1417001333-1003\..\Toolbar\WebBrowser: (no name) - {35065594-9169-4A34-B167-FC4865038E53} - No CLSID value found.
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [DivXUpdate] C:\Program Files\DivX\DivX Update\DivXUpdate.exe ()
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe (NVIDIA Corporation)
O4 - HKU\S-1-5-21-1757981266-606747145-1417001333-1003..\Run: [cacaoweb] C:\Program Files\cacaoweb\cacaoweb.exe ()
O4 - Startup: C:\Documents and Settings\Austin Gustafson\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\InfoDelivery present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\InfoDelivery present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\InfoDelivery present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\InfoDelivery present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1757981266-606747145-1417001333-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1757981266-606747145-1417001333-1003\Software\Policies\Microsoft\Internet Explorer\InfoDelivery present
O7 - HKU\S-1-5-21-1757981266-606747145-1417001333-1003\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-21-1757981266-606747145-1417001333-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1757981266-606747145-1417001333-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1757981266-606747145-1417001333-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDesktop = 0
O9 - Extra Button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (America Online, Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKU\S-1-5-21-1757981266-606747145-1417001333-1003\..Trusted Domains: microsoft.com ([www.update] http in Trusted sites)
O16 - DPF: {41564D57-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab (Reg Error: Key error.)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1288273749000 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 75.75.75.75 75.75.76.76
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{84427DA0-3E60-4434-A20D-072958FA2AF7}: DhcpNameServer = 75.75.75.75 75.75.76.76
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - (C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL) - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O24 - Desktop WallPaper: C:\Documents and Settings\Austin Gustafson\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Austin Gustafson\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/02/04 14:42:52 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

MsConfig - StartUpReg: AIM - hkey= - key= - C:\Program Files\AIM7\aim.exe (AOL Inc.)
MsConfig - StartUpReg: Malwarebytes' Anti-Malware - hkey= - key= - C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
MsConfig - StartUpReg: SUPERAntiSpyware - hkey= - key= - C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE (SUPERAntiSpyware.com)
MsConfig - State: "system.ini" - 0
MsConfig - State: "win.ini" - 0
MsConfig - State: "bootini" - 0
MsConfig - State: "services" - 0
MsConfig - State: "startup" - 2

SafeBootMin: !SASCORE - C:\Program Files\SUPERAntiSpyware\SASCORE.EXE (SUPERAntiSpyware.com)
SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PEVSystemStart - Service
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: procexp90.Sys - Driver
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vds - Service
SafeBootMin: vga.sys - Driver
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

ActiveX: {0213C6AF-5562-4D09-884C-2ADCFC8C2F35} - Microsoft .NET Framework 1.1 Security Update (KB2656353)
ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Microsoft VM
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {3C3901C5-3455-3E0A-A214-0B093A5070A6} - .NET Framework
ActiveX: {411EDCF7-755D-414E-A74B-3DCD6583F589} - Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.8
ActiveX: {5056b317-8d4c-43ee-8543-b9d1e234b8f4} - Security Update for Windows XP (KB923789)
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\WINDOWS\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - c:\WINDOWS\system32\Rundll32.exe c:\WINDOWS\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F} - .NET Framework
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} - .NET Framework
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Macromedia Shockwave Flash
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: {EF289A85-8E57-408d-BE47-73B55609861A} - RootsUpdate
ActiveX: {F8FC1717-F4C0-64EB-1490-F3892C6F381C} - Internet Explorer
ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\WINDOWS\system32\ieudinit.exe
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
ActiveX: Microsoft Base Smart Card Crypto Provider Package -

Drivers32: msacm.ac3acm - C:\WINDOWS\System32\ac3acm.acm (fccHandler)
Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\System32\l3codecp.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.lameacm - C:\WINDOWS\System32\lameACM.acm (http://www.mp3dev.org/)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.DIVX - C:\WINDOWS\System32\DivX.dll (DivX, Inc.)
Drivers32: VIDC.FFDS - C:\WINDOWS\System32\ff_vfw.dll ()
Drivers32: VIDC.FPS1 - C:\WINDOWS\System32\frapsvid.dll (Beepa P/L)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Drivers32: VIDC.XVID - xvidvfw.dll File not found
Drivers32: vidc.yv12 - C:\WINDOWS\System32\DivX.dll (DivX, Inc.)

NetSvcs: 6to4 - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

========== Files/Folders - Created Within 30 Days ==========

[2012/02/23 03:32:49 | 000,583,680 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Austin Gustafson\Desktop\OTL.exe
[2012/02/23 03:08:33 | 004,730,880 | ---- | C] (AVAST Software) -- C:\Documents and Settings\Austin Gustafson\Desktop\aswMBR.exe
[2012/02/23 00:32:54 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\Austin Gustafson\Desktop\dds.scr
[2012/02/22 22:13:38 | 000,000,000 | --SD | C] -- C:\ComboFix
[2012/02/22 20:55:08 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2012/02/22 20:55:08 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2012/02/22 20:55:08 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2012/02/22 20:08:18 | 004,417,295 | R--- | C] (Swearware) -- C:\Documents and Settings\Austin Gustafson\Desktop\ComboFix.exe
[2012/02/22 16:22:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Austin Gustafson\Application Data\Luebgo
[2012/02/22 16:22:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Austin Gustafson\Application Data\Imiqo
[2012/02/22 02:17:36 | 000,000,000 | ---D | C] -- C:\spoolerlogs
[2012/02/22 02:17:05 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Austin Gustafson\Recent
[2012/02/22 01:39:47 | 000,000,000 | ---D | C] -- C:\Program Files\495B7
[2012/02/22 01:39:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Austin Gustafson\Application Data\40E49
[2012/02/22 01:39:27 | 000,000,000 | ---D | C] -- C:\Program Files\LP
[2012/02/15 16:11:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Austin Gustafson\Local Settings\Application Data\PCHealth
[2012/02/15 16:03:08 | 000,000,000 | ---D | C] -- C:\401e2f68b6a80c2561
[2012/02/14 18:11:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Austin Gustafson\Application Data\DDMSettings
[9 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Documents and Settings\Austin Gustafson\Desktop\*.tmp files -> C:\Documents and Settings\Austin Gustafson\Desktop\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/02/23 03:32:49 | 000,583,680 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Austin Gustafson\Desktop\OTL.exe
[2012/02/23 03:28:26 | 000,337,133 | ---- | M] () -- C:\Documents and Settings\Austin Gustafson\Desktop\FSS.exe
[2012/02/23 03:24:37 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Austin Gustafson\Desktop\MBR.dat
[2012/02/23 03:08:31 | 004,730,880 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Austin Gustafson\Desktop\aswMBR.exe
[2012/02/23 03:03:49 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/02/23 03:03:06 | 000,000,300 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-1757981266-606747145-1417001333-1003.job
[2012/02/23 03:03:00 | 000,088,566 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2012/02/23 03:02:47 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/02/23 03:02:45 | 1072,746,496 | -HS- | M] () -- C:\hiberfil.sys
[2012/02/23 01:31:30 | 000,294,216 | ---- | M] () -- C:\Documents and Settings\Austin Gustafson\Desktop\gmer.zip
[2012/02/23 00:32:55 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\Austin Gustafson\Desktop\dds.scr
[2012/02/23 00:32:10 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Austin Gustafson\defogger_reenable
[2012/02/23 00:31:08 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Austin Gustafson\Desktop\Defogger.exe
[2012/02/22 20:08:22 | 004,417,295 | R--- | M] (Swearware) -- C:\Documents and Settings\Austin Gustafson\Desktop\ComboFix.exe
[2012/02/22 18:42:32 | 000,000,444 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{6BB85787-60F0-4AEF-A0F0-185A1124AF71}.job
[2012/02/22 02:17:49 | 000,000,794 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Internet Security.lnk
[2012/02/21 02:55:00 | 000,000,308 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-1757981266-606747145-1417001333-1003.job
[2012/02/20 14:24:19 | 000,036,087 | ---- | M] () -- C:\Documents and Settings\Austin Gustafson\.recently-used.xbel
[2012/02/18 01:04:18 | 000,119,296 | ---- | M] () -- C:\Documents and Settings\Austin Gustafson\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/02/15 22:56:55 | 000,503,338 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/02/15 22:56:55 | 000,088,758 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/02/15 16:07:36 | 001,996,872 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/02/11 11:41:09 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2012/02/11 00:54:04 | 000,002,625 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2012/02/01 06:36:42 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[9 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Documents and Settings\Austin Gustafson\Desktop\*.tmp files -> C:\Documents and Settings\Austin Gustafson\Desktop\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/02/23 03:28:26 | 000,337,133 | ---- | C] () -- C:\Documents and Settings\Austin Gustafson\Desktop\FSS.exe
[2012/02/23 03:24:37 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Austin Gustafson\Desktop\MBR.dat
[2012/02/23 01:32:15 | 000,302,592 | ---- | C] () -- C:\Documents and Settings\Austin Gustafson\Desktop\gmer.exe
[2012/02/23 01:31:30 | 000,294,216 | ---- | C] () -- C:\Documents and Settings\Austin Gustafson\Desktop\gmer.zip
[2012/02/23 01:28:42 | 1072,746,496 | -HS- | C] () -- C:\hiberfil.sys
[2012/02/23 00:32:10 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Austin Gustafson\defogger_reenable
[2012/02/23 00:31:11 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Austin Gustafson\Desktop\Defogger.exe
[2012/02/22 20:55:09 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2012/02/22 20:55:08 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2012/02/22 20:55:08 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2012/02/22 20:55:08 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2012/02/22 20:55:08 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2012/02/22 02:17:49 | 000,000,794 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Internet Security.lnk
[2012/02/20 14:24:19 | 000,036,087 | ---- | C] () -- C:\Documents and Settings\Austin Gustafson\.recently-used.xbel
[2012/02/15 14:54:14 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2012/02/15 14:54:14 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\dllcache\iacenc.dll
[2012/02/01 06:36:42 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2011/12/24 10:30:34 | 000,005,706 | -HS- | C] () -- C:\Documents and Settings\Austin Gustafson\Local Settings\Application Data\0wlk5xre04d18lg1o0jsco
[2011/12/24 10:30:34 | 000,005,706 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\0wlk5xre04d18lg1o0jsco
[2011/12/21 13:02:29 | 000,014,718 | -HS- | C] () -- C:\Documents and Settings\Austin Gustafson\Local Settings\Application Data\yesvxn3d7poh3shx8ydb3q070q2y
[2011/12/21 13:02:29 | 000,014,718 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\yesvxn3d7poh3shx8ydb3q070q2y
[2011/11/01 16:49:06 | 000,000,004 | ---- | C] () -- C:\Documents and Settings\Austin Gustafson\Application Data\d7b16ab7
[2011/11/01 03:24:04 | 000,000,996 | ---- | C] () -- C:\Documents and Settings\Austin Gustafson\Application Data\c014e2b2
[2011/11/01 03:01:51 | 000,000,004 | ---- | C] () -- C:\Documents and Settings\Austin Gustafson\Application Data\376c9548
[2011/10/24 05:10:32 | 000,097,656 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2011/10/22 00:45:06 | 000,723,294 | ---- | C] () -- C:\WINDOWS\unins000.exe
[2011/10/22 00:45:06 | 000,136,185 | ---- | C] () -- C:\WINDOWS\unins000.dat
[2011/09/16 10:54:44 | 000,974,848 | ---- | C] () -- C:\WINDOWS\System32\cis-2.4.dll
[2011/09/16 10:54:44 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\issacapi_bs-2.3.dll
[2011/09/16 10:54:44 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\issacapi_pe-2.3.dll
[2011/09/16 10:54:44 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\issacapi_se-2.3.dll
[2011/08/26 20:01:40 | 000,023,624 | ---- | C] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2011/08/17 08:02:55 | 000,001,152 | ---- | C] () -- C:\WINDOWS\System32\windrv.sys
[2011/05/08 02:55:37 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Udegaciri.dat
[2011/05/08 02:55:37 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Fpajivolupu.bin
[2011/03/29 21:16:09 | 000,015,458 | -HS- | C] () -- C:\Documents and Settings\Austin Gustafson\Local Settings\Application Data\n7vfa728rt04h57dq4uioig1uffne748l0l
[2011/03/29 21:16:09 | 000,015,458 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\n7vfa728rt04h57dq4uioig1uffne748l0l
[2010/10/28 10:56:57 | 000,000,008 | ---- | C] () -- C:\WINDOWS\System32\nvModes.dat
[2010/10/10 05:57:20 | 000,018,296 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2010/09/28 17:33:03 | 000,778,752 | ---- | C] () -- C:\WINDOWS\System32\RGSS102E.dll
[2010/09/28 17:33:02 | 000,781,312 | ---- | C] () -- C:\WINDOWS\System32\RGSS102J.dll
[2010/09/28 17:33:02 | 000,771,584 | ---- | C] () -- C:\WINDOWS\System32\RGSS100J.dll
[2010/06/10 16:27:28 | 000,000,262 | ---- | C] () -- C:\WINDOWS\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
[2010/06/06 18:28:52 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2010/04/15 22:00:05 | 000,003,634 | -HS- | C] () -- C:\Documents and Settings\Austin Gustafson\Local Settings\Application Data\188FmQ8
[2010/04/15 22:00:05 | 000,003,634 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\188FmQ8
[2010/03/21 10:36:07 | 000,000,139 | ---- | C] () -- C:\Documents and Settings\Austin Gustafson\Local Settings\Application Data\fusioncache.dat
[2010/02/23 22:39:56 | 000,000,056 | ---- | C] () -- C:\WINDOWS\kgt2k.INI
[2010/02/23 17:45:09 | 000,000,063 | ---- | C] () -- C:\WINDOWS\wininit.ini

========== Custom Scans ==========


< "%WinDir%\$NtUninstallKB*$." /30 >

< C:\Program Files\Common Files\ComObjects\*.* /s >

< %systemroot%\*. /mp /s >

< %systemroot%\*. /rp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2010/10/28 01:46:33 | 000,524,288 | ---- | M] () -- C:\WINDOWS\System32\config\default.sav
[2010/10/28 05:04:04 | 000,262,144 | ---- | M] () -- C:\WINDOWS\System32\config\security.sav
[2010/10/28 01:46:33 | 024,903,680 | ---- | M] () -- C:\WINDOWS\System32\config\software.sav
[2010/10/28 01:46:33 | 008,388,608 | ---- | M] () -- C:\WINDOWS\System32\config\system.sav

< %systemroot%\system32\drivers\*.sys /90 >
[2011/11/28 12:48:49 | 000,030,808 | ---- | M] (AVAST Software) -- C:\WINDOWS\system32\drivers\aavmker4.sys
[2011/11/28 12:51:50 | 000,020,568 | ---- | M] (AVAST Software) -- C:\WINDOWS\system32\drivers\aswFsBlk.sys
[2011/11/28 12:54:38 | 000,111,320 | ---- | M] (AVAST Software) -- C:\WINDOWS\system32\drivers\aswFW.sys
[2011/11/28 12:51:59 | 000,105,176 | ---- | M] (AVAST Software) -- C:\WINDOWS\system32\drivers\aswmon.sys
[2011/11/28 12:52:02 | 000,111,320 | ---- | M] (AVAST Software) -- C:\WINDOWS\system32\drivers\aswmon2.sys
[2011/11/28 12:53:22 | 000,195,416 | ---- | M] (AVAST Software) -- C:\WINDOWS\system32\drivers\aswNdis2.sys
[2011/11/28 12:52:19 | 000,034,392 | ---- | M] (AVAST Software) -- C:\WINDOWS\system32\drivers\aswRdr.sys
[2011/11/28 12:53:53 | 000,435,032 | ---- | M] (AVAST Software) -- C:\WINDOWS\system32\drivers\aswSnx.sys
[2011/11/28 12:53:35 | 000,314,456 | ---- | M] (AVAST Software) -- C:\WINDOWS\system32\drivers\aswSP.sys
[2011/11/28 12:52:16 | 000,052,952 | ---- | M] (AVAST Software) -- C:\WINDOWS\system32\drivers\aswTdi.sys
[2011/12/10 15:24:06 | 000,020,464 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\system32\drivers\mbam.sys

< %SYSTEMDRIVE%\*.exe >
[2011/05/08 12:05:25 | 011,079,040 | ---- | M] (SUPERAntiSpyware.com) -- C:\SUPERAntiSpyware.exe
[2010/10/28 08:36:10 | 001,317,464 | ---- | M] (Kaspersky Lab ZAO) -- C:\tdsskiller.exe


< MD5 for: ATAPI.SYS >
[2004/08/04 05:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008/04/14 04:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008/04/14 04:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 18:00:00 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2008/04/13 23:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 23:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/04 05:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

< MD5 for: EXPLORER.EXE >
[2008/04/13 18:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\ERDNT\cache\explorer.exe
[2008/04/14 04:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\explorer.exe
[2008/04/14 04:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\ServicePackFiles\i386\explorer.exe
[2004/08/04 05:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) MD5=A0732187050030AE399B241436565E64 -- C:\WINDOWS\$NtServicePackUninstall$\explorer.exe

< MD5 for: VOLSNAP.SYS >
[2008/04/13 23:11:02 | 000,052,352 | ---- | M] (Microsoft Corporation) MD5=4C8FCB5CC53AAB716D810740FE59D025 -- C:\WINDOWS\ServicePackFiles\i386\volsnap.sys
[2008/04/13 23:11:02 | 000,052,352 | ---- | M] (Microsoft Corporation) MD5=4C8FCB5CC53AAB716D810740FE59D025 -- C:\WINDOWS\system32\drivers\volsnap.sys
[2004/08/04 05:00:00 | 000,052,352 | ---- | M] (Microsoft Corporation) MD5=EE4660083DEBA849FF6C485D944B379B -- C:\WINDOWS\$NtServicePackUninstall$\volsnap.sys

< MD5 for: WINLOGON.EXE >
[2004/08/04 05:00:00 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
[2012/01/13 14:53:20 | 000,182,856 | ---- | M] () MD5=63EEC8A8B221AB79045E776E5F592868 -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe
[2008/04/13 18:00:00 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\ERDNT\cache\winlogon.exe
[2008/04/14 04:42:40 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
[2008/04/14 04:42:40 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\system32\winlogon.exe

< hklm\software\clients\startmenuinternet|command /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\HideIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /HideShortcuts [2012/02/17 04:46:37 | 000,834,840 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ShowIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /ShowShortcuts [2012/02/17 04:46:37 | 000,834,840 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ReinstallCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /SetAsDefaultAppGlobal [2012/02/17 04:46:37 | 000,834,840 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\open\command\\: C:\Program Files\Mozilla Firefox\firefox.exe [2012/02/17 04:46:44 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\properties\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -preferences [2012/02/17 04:46:44 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\safemode\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode [2012/02/17 04:46:44 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\WINDOWS\system32\ie4uinit.exe" -reinstall [2011/12/16 07:23:08 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -hide [2011/12/16 07:23:08 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -show [2011/12/16 07:23:08 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" -extoff [2009/03/08 13:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" [2009/03/08 13:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)

< hklm\software\clients\startmenuinternet|command /64 /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\HideIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /HideShortcuts [2012/02/17 04:46:37 | 000,834,840 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ShowIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /ShowShortcuts [2012/02/17 04:46:37 | 000,834,840 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ReinstallCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /SetAsDefaultAppGlobal [2012/02/17 04:46:37 | 000,834,840 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\open\command\\: C:\Program Files\Mozilla Firefox\firefox.exe [2012/02/17 04:46:44 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\properties\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -preferences [2012/02/17 04:46:44 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\safemode\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode [2012/02/17 04:46:44 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\WINDOWS\system32\ie4uinit.exe" -reinstall [2011/12/16 07:23:08 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -hide [2011/12/16 07:23:08 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -show [2011/12/16 07:23:08 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" -extoff [2009/03/08 13:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" [2009/03/08 13:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)

< >

< >

========== Hard Links - Junction Points - Mount Points - Symbolic Links ==========
[C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a] -> C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790 -> Junction
[C:\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a] -> C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e -> Junction
[C:\WINDOWS\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a] -> C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_4.0.0.0_x-ww_29b51492 -> Junction
[C:\WINDOWS\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Workflow.Compiler\v4.0_4.0.0.0__31bf3856ad364e35] -> C:\WINDOWS\WinSxS\MSIL_Microsoft.Workflow.Compiler_31bf3856ad364e35_4.0.0.0_x-ww_97359ba5 -> Junction

< End of report >


OTL Extras logfile created on: 2/23/2012 3:35:04 AM - Run 1
OTL by OldTimer - Version 3.2.33.2 Folder = C:\Documents and Settings\Austin Gustafson\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1022.98 Mb Total Physical Memory | 475.50 Mb Available Physical Memory | 46.48% Memory free
2.40 Gb Paging File | 1.95 Gb Available in Paging File | 81.21% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.47 Gb Total Space | 30.38 Gb Free Space | 40.80% Space Free | Partition Type: NTFS

Computer Name: GUSTAFSO-8C30D0 | User Name: Austin Gustafson | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.html [@ = ChromeHTML] -- Reg Error: Key error. File not found
.url [@ = InternetShortcut] -- rundll32.exe shdocvw.dll,OpenURL %l

[HKEY_USERS\S-1-5-21-1757981266-606747145-1417001333-1003\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
https [open] -- "C:\Program Files\Google\Chrome\Application\chrome.exe" -- "%1"
InternetShortcut [open] -- rundll32.exe shdocvw.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 1
"FirewallOverride" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\explorer.exe" = %windir%\explorer.exe -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe" = C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe:*:Enabled:WebKit -- (Apple Inc.)
"C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)
"C:\Program Files\cacaoweb\cacaoweb.exe" = C:\Program Files\cacaoweb\cacaoweb.exe:*:Enabled:cacaoweb -- ()
"%windir%\explorer.exe" = %windir%\explorer.exe -- (Microsoft Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{00ADFB20-AE75-46F4-AD2C-F48B15AC3100}" = Adobe Color NA Recommended Settings CS4
"{05308C4E-7285-4066-BAE3-6B50DA6ED755}" = Adobe Update Manager CS4
"{054EFA56-2AC1-48F4-A883-0AB89874B972}" = Adobe Extension Manager CS4
"{0840B4D6-7DD1-4187-8523-E6FC0007EFB7}" = Windows Live ID Sign-in Assistant
"{098727E1-775A-4450-B573-3F441F1CA243}" = kuler
"{0A0CADCF-78DA-33C4-A350-CD51849B9702}" = Microsoft .NET Framework 4 Extended
"{0D6013AB-A0C7-41DC-973C-E93129C9A29F}" = Adobe Color JA Extra Settings CS4
"{0D67A4E4-5BE0-4C9A-8AD8-AB552B433F23}" = Adobe Setup
"{0F723FC1-7606-4867-866C-CE80AD292DAF}" = Adobe CSI CS4
"{1618734A-3957-4ADD-8199-F973763109A8}" = Adobe Anchor Service CS4
"{16E16F01-2E2D-4248-A42F-76261C147B6C}" = Adobe Drive CS4
"{16E6D2C1-7C90-4309-8EC4-D2212690AAA4}" = AdobeColorCommonSetRGB
"{197A3012-8C85-4FD3-AB66-9EC7E13DB92E}" = Adobe AIR
"{1CAC7A41-583B-4483-9FA5-3E5465AFF8C2}" = Microsoft Default Manager
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java™ 6 Update 22
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35D94F92-1D3A-43C5-8605-EA268B1A7BD9}" = PDF Settings CS4
"{394BE3D9-7F57-4638-A8D1-1D88671913B7}" = Microsoft AppLocale
"{39F6E2B4-CFE8-C30A-66E8-489651F0F34C}" = Adobe Media Player
"{3A4E8896-C2E7-4084-A4A4-B8FD1894E739}" = Adobe XMP Panels CS4
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3D2C9DE6-9ADE-4252-A241-E43723B0CE02}" = Adobe Color - Photoshop Specific CS4
"{3DA8DF9A-044E-46C4-8531-DEDBB0EE37FF}" = Adobe WinSoft Linguistics Plugin
"{4943EFF5-229F-435D-BEA9-BE3CAEA783A7}" = Adobe Service Manager Extension
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{5570C7F0-43D0-4916-8A9E-AEDD52FA86F4}" = Adobe Color EU Extra Settings CS4
"{61EDBE71-5D3E-4AB7-AD95-E53FEAF68C17}" = Bing Rewards Client Installer
"{63C24A08-70F3-4C8E-B9FB-9F21A903801D}" = Adobe Color Video Profiles CS CS4
"{63E5CDBF-8214-4F03-84F8-CD3CE48639AD}" = Adobe Photoshop CS4 Support
"{67F0E67A-8E93-4C2C-B29D-47C48262738A}" = Adobe Device Central CS4
"{68243FF8-83CA-466B-B2B8-9F99DA5479C4}" = AdobeColorCommonSetCMYK
"{69995C7A-062A-4A90-A4DF-8C22895DF522}" = iTunes
"{6A3F9D74-BB80-4451-8CA1-4B3A857F1359}" = Apple Application Support
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{729E66B3-1B80-4A3F-8D19-342A89631E0A}_is1" = Wav to Mp3 Converter
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{789289CA-F73A-4A16-A331-54D498CE069F}" = Ventrilo Client
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{820D3F45-F6EE-4AAF-81EF-CE21FF21D230}" = Adobe Type Support CS4
"{83877DB1-8B77-45BC-AB43-2BAC22E093E0}" = Adobe Bridge CS4
"{842B4B72-9E8F-4962-B3C1-1C422A5C4434}" = Suite Shared Configuration CS4
"{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{931AB7EA-3656-4BB7-864D-022B09E3DD67}" = Adobe Linguistics CS4
"{933B4015-4618-4716-A828-5289FC03165F}" = VC80CRTRedist - 8.0.50727.6195
"{94D398EB-D2FD-4FD1-B8C4-592635E8A191}" = Adobe CMaps CS4
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9B2BCB83-71BB-451C-AE72-A6D8508BB567}" = OpenOffice.org 3.2
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{AC76BA86-7AD7-1033-7B44-A95000000001}" = Adobe Reader 9.5.0
"{B29AD377-CC12-490A-A480-1452337C618D}" = Connect
"{B65BA85C-0A27-4BC0-A22D-A66F0E5B9494}" = Adobe Photoshop CS4
"{BB4E33EC-8181-4685-96F7-8554293DEC6A}" = Adobe Output Module
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C23CD6DA-1958-43A5-ADD0-59396572E02E}" = Apple Mobile Device Support
"{C52E3EC1-048C-45E1-8D53-10B0C6509683}" = Adobe Default Language CS4
"{C9E14402-3631-4182-B377-6B0DFB1C0339}" = QuickTime
"{CAAB0192-5704-469F-A0BE-2D842D70E93B}_is1" = Sothink FLV Player
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CC75AB5C-2110-4A7F-AF52-708680D22FE8}" = Photoshop Camera Raw
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D03482C5-9AD8-496D-B388-692AE04C93AF}" = Bonjour
"{D0795B21-0CDA-4a92-AB9E-6E92D8111E44}" = SAMSUNG USB Driver for Mobile Phones
"{D9D1A2FD-56B2-4F21-B959-745FE43CAB8C}" = Vegas Pro 9.0
"{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb" = Microsoft Windows Application Compatibility Database
"{E4848436-0345-47E2-B648-8B522FCDA623}" = Adobe Photoshop CS4
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F0E64E2E-3A60-40D8-A55D-92F6831875DA}" = Adobe Search for Help
"{F8EF2B3F-C345-4F20-8FE4-791A20333CD5}" = Adobe ExtendScript Toolkit CS4
"{F93C84A6-0DC6-42AF-89FA-776F7C377353}" = Adobe PDF Library Files CS4
"{FCDD51BB-CAD0-4BB1-B7DF-CE86D1032794}" = Adobe Fonts All
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe® Flash® Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Adobe_faf656ef605427ee2f42989c3ad31b8" = Adobe Photoshop CS4
"AIM_7" = AIM 7
"AOL Instant Messenger" = AOL Instant Messenger
"Ashampoo Burning Studio 6 FREE_is1" = Ashampoo Burning Studio 6 FREE
"avast" = avast! Internet Security
"CCleaner" = CCleaner
"com.adobe.amp.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Adobe Media Player
"DivX Setup" = DivX Setup
"Fraps" = Fraps
"ie8" = Windows Internet Explorer 8
"IrfanView" = IrfanView (remove only)
"KLiteCodecPack_is1" = K-Lite Mega Codec Pack 5.6.1
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.60.1.1000
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
"Mozilla Firefox 10.0.2 (x86 en-US)" = Mozilla Firefox 10.0.2 (x86 en-US)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NVIDIA Drivers" = NVIDIA Drivers
"PROSet" = Intel® PRO Network Connections Drivers
"RGSS-RTP Standard_is1" = RGSS-RTP Standard
"RPG Maker XP_is1" = RPG Maker XP
"TUGZip_is1" = TUGZip 3.5
"uTorrent" = µTorrent
"VirtuallTek Fighter Factory Ultimate_is1" = Fighter Factory Ultimate
"VirtuallTek Fighter Factory_is1" = Fighter Factory 1.0.12.2005 (Update Pack 3)
"VLC media player" = VLC media player 1.0.3
"Warcraft III" = Warcraft III
"Wdf01007" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinGimp-2.0_is1" = GIMP 2.6.8
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1757981266-606747145-1417001333-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"f031ef6ac137efc5" = Dell Driver Download Manager

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 2/15/2012 4:59:27 PM | Computer Name = GUSTAFSO-8C30D0 | Source = Application Hang | ID = 1002
Description = Hanging application soffice.bin, version 3.2.9476.500, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 2/15/2012 5:04:18 PM | Computer Name = GUSTAFSO-8C30D0 | Source = Bonjour Service | ID = 100
Description = 236: ERROR: read_msg errno 10054 (An existing connection was forcibly
closed by the remote host.)

Error - 2/15/2012 5:04:18 PM | Computer Name = GUSTAFSO-8C30D0 | Source = Bonjour Service | ID = 100
Description = 212: ERROR: read_msg errno 10054 (An existing connection was forcibly
closed by the remote host.)

Error - 2/15/2012 5:04:18 PM | Computer Name = GUSTAFSO-8C30D0 | Source = Bonjour Service | ID = 100
Description = 228: ERROR: read_msg errno 10054 (An existing connection was forcibly
closed by the remote host.)

Error - 2/15/2012 5:05:11 PM | Computer Name = GUSTAFSO-8C30D0 | Source = HotFixInstaller | ID = 5000
Description = EventType visualstudio8setup, P1 microsoft .net framework 2.0-kb2633880,
P2 1033, P3 1601, P4 msi, P5 f, P6 9.0.40215.0, P7 install, P8 x86, P9 xp, P10
0.

Error - 2/15/2012 5:43:00 PM | Computer Name = GUSTAFSO-8C30D0 | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 9.0.1.4371, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 2/16/2012 8:51:41 AM | Computer Name = GUSTAFSO-8C30D0 | Source = .NET Runtime Optimization Service | ID = 1103
Description = .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32)
- Tried to start a service that wasn't the latest version of CLR Optimization service.
Will shutdown

Error - 2/22/2012 2:27:36 AM | Computer Name = GUSTAFSO-8C30D0 | Source = Application Error | ID = 1000
Description = Faulting application 0.732085083615885267f76.exe, version 0.0.0.0,
faulting module unknown, version 0.0.0.0, fault address 0x3e7407ff.

Error - 2/22/2012 11:38:35 PM | Computer Name = GUSTAFSO-8C30D0 | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module unknown, version 0.0.0.0, fault address 0x00c08fcd.

Error - 2/22/2012 11:39:31 PM | Computer Name = GUSTAFSO-8C30D0 | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module unknown, version 0.0.0.0, fault address 0x00c08fcd.

[ System Events ]
Error - 2/23/2012 2:29:57 AM | Computer Name = GUSTAFSO-8C30D0 | Source = Service Control Manager | ID = 7024
Description = The Workstation service terminated with service-specific error 2250
(0x8CA).

Error - 2/23/2012 2:29:57 AM | Computer Name = GUSTAFSO-8C30D0 | Source = Service Control Manager | ID = 7001
Description = The Computer Browser service depends on the Workstation service which
failed to start because of the following error: %%1066

Error - 2/23/2012 4:03:04 AM | Computer Name = GUSTAFSO-8C30D0 | Source = Workstation | ID = 5727
Description = Could not load RDR device driver.

Error - 2/23/2012 4:03:36 AM | Computer Name = GUSTAFSO-8C30D0 | Source = Service Control Manager | ID = 7024
Description = The Workstation service terminated with service-specific error 2250
(0x8CA).

Error - 2/23/2012 4:03:36 AM | Computer Name = GUSTAFSO-8C30D0 | Source = Service Control Manager | ID = 7001
Description = The Alerter service depends on the Workstation service which failed
to start because of the following error: %%1066

Error - 2/23/2012 4:03:36 AM | Computer Name = GUSTAFSO-8C30D0 | Source = Service Control Manager | ID = 7001
Description = The Computer Browser service depends on the Workstation service which
failed to start because of the following error: %%1066

Error - 2/23/2012 4:03:50 AM | Computer Name = GUSTAFSO-8C30D0 | Source = Service Control Manager | ID = 7034
Description = The NVIDIA Display Driver Service service terminated unexpectedly.
It has done this 1 time(s).

Error - 2/23/2012 4:03:52 AM | Computer Name = GUSTAFSO-8C30D0 | Source = Workstation | ID = 5727
Description = Could not load RDR device driver.

Error - 2/23/2012 4:03:52 AM | Computer Name = GUSTAFSO-8C30D0 | Source = Service Control Manager | ID = 7024
Description = The Workstation service terminated with service-specific error 2250
(0x8CA).

Error - 2/23/2012 4:03:52 AM | Computer Name = GUSTAFSO-8C30D0 | Source = Service Control Manager | ID = 7001
Description = The Computer Browser service depends on the Workstation service which
failed to start because of the following error: %%1066


< End of report >



Okay, I think I got everything here. I tried to follow your instructions exactly. I refrained from using the "fix" options on those scanners, not sure if I was supposed to. Also attached all the logs sans the TDSSKiller one. No change with the computer as of yet. Have we done anything to change it yet? Haha.


Edited by AugustAPC, 23 February 2012 - 03:59 AM.


#4 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • Gender:Male
  • Location:Antarctica

Posted 23 February 2012 - 09:27 AM

Hi AugustAPC!

Such a fast reply! I'm greatly appreciative.

Not a problem!

Okay, I think I got everything here. I tried to follow your instructions exactly. I refrained from using the "fix" options on those scanners, not sure if I was supposed to. Also attached all the logs sans the TDSSKiller one.

You ran the scans properly.

No change with the computer as of yet. Have we done anything to change it yet?

Not yet, no, but sometimes things can change between when somebody posts their logs and when I respond to it.


Do you have access to a USB device that we could load a tool onto?



OTL Fix

We need to run an OTL Fix

Note: If you have MalwareBytes Anti-Malware 1.6 or higher installed and are using the Pro version or trial version, please temporarily disable it for the duration of this fix as it may interfere with the successful execution of the script below.

  • Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox.
    :Services
    :Processes
    KILLALLPROCESSES
    :OTL
    IE - HKU\S-1-5-21-1757981266-606747145-1417001333-1003\..\URLSearchHook: {472734EA-242A-422b-ADF8-83D1E48CC825} - No CLSID value found
    IE - HKU\S-1-5-21-1757981266-606747145-1417001333-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
    FF - prefs.js..network.proxy.http: "127.0.0.1"
    FF - prefs.js..network.proxy.http_port: 49677
    FF - prefs.js..network.proxy.type: 1
    O3 - HKU\S-1-5-21-1757981266-606747145-1417001333-1003\..\Toolbar\WebBrowser: (no name) - {35065594-9169-4A34-B167-FC4865038E53} - No CLSID value found.
    O16 - DPF: {41564D57-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab (Reg Error: Key error.)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
    O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
    [2012/02/22 16:22:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Austin Gustafson\Application Data\Luebgo
    [2012/02/22 16:22:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Austin Gustafson\Application Data\Imiqo
    [2012/02/22 01:39:47 | 000,000,000 | ---D | C] -- C:\Program Files\495B7
    [2012/02/22 01:39:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Austin Gustafson\Application Data\40E49
    [2012/02/22 01:39:27 | 000,000,000 | ---D | C] -- C:\Program Files\LP
    [2011/12/24 10:30:34 | 000,005,706 | -HS- | C] () -- C:\Documents and Settings\Austin Gustafson\Local Settings\Application Data\0wlk5xre04d18lg1o0jsco
    [2011/12/24 10:30:34 | 000,005,706 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\0wlk5xre04d18lg1o0jsco
    [2011/12/21 13:02:29 | 000,014,718 | -HS- | C] () -- C:\Documents and Settings\Austin Gustafson\Local Settings\Application Data\yesvxn3d7poh3shx8ydb3q070q2y
    [2011/12/21 13:02:29 | 000,014,718 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\yesvxn3d7poh3shx8ydb3q070q2y
    [2011/11/01 16:49:06 | 000,000,004 | ---- | C] () -- C:\Documents and Settings\Austin Gustafson\Application Data\d7b16ab7
    [2011/11/01 03:24:04 | 000,000,996 | ---- | C] () -- C:\Documents and Settings\Austin Gustafson\Application Data\c014e2b2
    [2011/11/01 03:01:51 | 000,000,004 | ---- | C] () -- C:\Documents and Settings\Austin Gustafson\Application Data\376c9548
    [2011/05/08 02:55:37 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Udegaciri.dat
    [2011/05/08 02:55:37 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Fpajivolupu.bin
    [2011/03/29 21:16:09 | 000,015,458 | -HS- | C] () -- C:\Documents and Settings\Austin Gustafson\Local Settings\Application Data\n7vfa728rt04h57dq4uioig1uffne748l0l
    [2011/03/29 21:16:09 | 000,015,458 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\n7vfa728rt04h57dq4uioig1uffne748l0l
    [2010/04/15 22:00:05 | 000,003,634 | -HS- | C] () -- C:\Documents and Settings\Austin Gustafson\Local Settings\Application Data\188FmQ8
    [2010/04/15 22:00:05 | 000,003,634 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\188FmQ8
    
    :Reg
    
    :Files
    type "C:\ComboFix.txt" /c
    dir /s /a "C:\401e2f68b6a80c2561" /c
    dir /s /a "C:\Documents and Settings\Austin Gustafson\Application Data\DDMSettings" /c
    echo,Y|cacls "%WinDir%\system32\drivers\etc\hosts" /G everyone:f /c
    ipconfig /flushdns /c
    :Commands
    [purity]
    [resethosts]
    [CreateRestorePoint]
    [emptytemp]
    [EMPTYFLASH]
    [EMPTYJAVA]
    
  • Push Run Fix
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click the OK button.
  • A report will open. Copy and Paste that report in your next reply.
  • If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.


NEXT:



OTL Custom Scan

We need to create a new OTL Report
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Click on the NONE button at the top.
  • In the custom scan box paste the following:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services|.mrxsmb /RS
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services|.mrxsmb /RS
    
  • Push the Run Scan button.
  • One report will open, copy and paste it in a reply here:
  • OTL.txt <-- Will be opened


NEXT:



Please make sure you include the following items in your next post:

1. Any comments or questions you may have that you'd like for me to answer in my next post to you.
2. Do you have a USB device, we can put one of our tools on?
3. OTL Fix log.
4. New OTL log.
5. An update on how your computer is currently running.

It would be helpful if you could answer each question in the order asked, as well as numbering your answers.

Have I helped you? If you'd like to assist in the fight against malware, click here


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.
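The Firefox `network.proxy.*` lines and the IE `ProxyEnable` value in the fix above send the browser's traffic to a proxy on the machine itself (127.0.0.1:49677), which is the likely reason Firefox reports "The proxy server is refusing connections". The Python below is an added example, not OTL and not part of the helper's post: it parses a constructed prefs.js that mirrors those values, checks an IE Internet Settings dictionary, flags any proxy pointing at loopback, and strips the proxy prefs the way the fix does. The sample data, function names and the `settings` dictionary layout are mine.

```python
"""Flag and strip a malware-set loopback proxy in Firefox prefs.js and IE settings.

Added example for this thread; it is not OTL and not the helper's script.
The prefs.js sample is constructed to mirror the values the fix removes.
"""
import ipaddress
import re
from typing import Dict, List

# user_pref("name", value);  value is a quoted string, an integer, or true/false.
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# Constructed sample, not a file from the affected machine.
SAMPLE_PREFS_JS = """\
# Mozilla User Preferences
user_pref("browser.startup.homepage", "about:home");
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 49677);
user_pref("network.proxy.type", 1);
"""

# Constructed clean profile: type 0 means "no proxy".
CLEAN_PREFS_JS = 'user_pref("browser.startup.homepage", "about:home");\nuser_pref("network.proxy.type", 0);\n'


def parse_prefs(text: str) -> Dict[str, object]:
    """Parse user_pref lines into a dict, converting ints and booleans."""
    prefs: Dict[str, object] = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            prefs[name] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw
    return prefs


def is_loopback_host(host: str) -> bool:
    """True for localhost, 127.0.0.0/8 and ::1; a hostname that is not an address is not loopback."""
    host = host.strip().strip("[]")
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def firefox_proxy_findings(prefs: Dict[str, object]) -> List[str]:
    """Report manual (network.proxy.type == 1) proxies whose host is the local machine."""
    findings: List[str] = []
    if prefs.get("network.proxy.type") != 1:
        return findings
    for scheme in ("http", "ssl", "socks", "ftp"):
        host = prefs.get(f"network.proxy.{scheme}")
        port = prefs.get(f"network.proxy.{scheme}_port")
        if host and is_loopback_host(str(host)):
            findings.append(f"Firefox {scheme} proxy points at loopback {host}:{port}")
    return findings


def ie_proxy_findings(settings: Dict[str, object]) -> List[str]:
    """settings mirrors the HKCU Internet Settings values ProxyEnable and ProxyServer (my layout)."""
    findings: List[str] = []
    if settings.get("ProxyEnable") != 1:
        return findings
    server = str(settings.get("ProxyServer", "")).strip()
    if not server:
        findings.append("IE ProxyEnable is 1 with no ProxyServer set; review")
        return findings
    # ProxyServer is "host:port" or "http=host:port;https=host:port;...".
    for entry in server.split(";"):
        hostport = entry.split("=", 1)[-1]
        host = hostport.rsplit(":", 1)[0]
        if is_loopback_host(host):
            findings.append(f"IE proxy enabled and points at loopback {hostport}")
    return findings


def strip_proxy_prefs(text: str) -> str:
    """Drop every network.proxy.* pref, which is what the OTL fix above did."""
    kept = []
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m and m.group(1).startswith("network.proxy."):
            continue
        kept.append(line)
    return "\n".join(kept) + "\n"
```

Firefox falls back to a direct connection once the `network.proxy.*` entries are gone, so rerunning `firefox_proxy_findings` on the stripped text returns nothing.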


#5 AugustAPC

AugustAPC
  • Topic Starter

  • Members
  • 86 posts

Posted 23 February 2012 - 10:15 PM

I do have a 4 GB flash drive I can use for whatever purpose. I see no noticeable changes in the computer's behavior. Firefox still will not work and I'm still getting redirected on Google.

Here are the reports.


All processes killed
========== SERVICES/DRIVERS ==========
========== PROCESSES ==========
========== OTL ==========
Registry value HKEY_USERS\S-1-5-21-1757981266-606747145-1417001333-1003\Software\Microsoft\Internet Explorer\URLSearchHooks\\{472734EA-242A-422b-ADF8-83D1E48CC825} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{472734EA-242A-422b-ADF8-83D1E48CC825}\ not found.
HKU\S-1-5-21-1757981266-606747145-1417001333-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully!
Prefs.js: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20 removed from extensions.enabledItems
Prefs.js: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21 removed from extensions.enabledItems
Prefs.js: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22 removed from extensions.enabledItems
Prefs.js: "127.0.0.1" removed from network.proxy.http
Prefs.js: 49677 removed from network.proxy.http_port
Prefs.js: 1 removed from network.proxy.type
Registry value HKEY_USERS\S-1-5-21-1757981266-606747145-1417001333-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{35065594-9169-4A34-B167-FC4865038E53} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{35065594-9169-4A34-B167-FC4865038E53}\ not found.
Starting removal of ActiveX control {41564D57-9980-0010-8000-00AA00389B71}
C:\WINDOWS\Downloaded Program Files\wmvadvd.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{41564D57-9980-0010-8000-00AA00389B71}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{41564D57-9980-0010-8000-00AA00389B71}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{41564D57-9980-0010-8000-00AA00389B71}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{41564D57-9980-0010-8000-00AA00389B71}\ not found.
Starting removal of ActiveX control {8AD9C840-044E-11D1-B3E9-00805F499D93}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
C:\Documents and Settings\Austin Gustafson\Application Data\Luebgo folder moved successfully.
C:\Documents and Settings\Austin Gustafson\Application Data\Imiqo folder moved successfully.
C:\Program Files\495B7 folder moved successfully.
C:\Documents and Settings\Austin Gustafson\Application Data\40E49 folder moved successfully.
C:\Program Files\LP\DF44 folder moved successfully.
C:\Program Files\LP folder moved successfully.
C:\Documents and Settings\Austin Gustafson\Local Settings\Application Data\0wlk5xre04d18lg1o0jsco moved successfully.
C:\Documents and Settings\All Users\Application Data\0wlk5xre04d18lg1o0jsco moved successfully.
C:\Documents and Settings\Austin Gustafson\Local Settings\Application Data\yesvxn3d7poh3shx8ydb3q070q2y moved successfully.
C:\Documents and Settings\All Users\Application Data\yesvxn3d7poh3shx8ydb3q070q2y moved successfully.
C:\Documents and Settings\Austin Gustafson\Application Data\d7b16ab7 moved successfully.
C:\Documents and Settings\Austin Gustafson\Application Data\c014e2b2 moved successfully.
C:\Documents and Settings\Austin Gustafson\Application Data\376c9548 moved successfully.
C:\WINDOWS\Udegaciri.dat moved successfully.
C:\WINDOWS\Fpajivolupu.bin moved successfully.
C:\Documents and Settings\Austin Gustafson\Local Settings\Application Data\n7vfa728rt04h57dq4uioig1uffne748l0l moved successfully.
C:\Documents and Settings\All Users\Application Data\n7vfa728rt04h57dq4uioig1uffne748l0l moved successfully.
C:\Documents and Settings\Austin Gustafson\Local Settings\Application Data\188FmQ8 moved successfully.
C:\Documents and Settings\All Users\Application Data\188FmQ8 moved successfully.
========== REGISTRY ==========
========== FILES ==========
< type "C:\ComboFix.txt" /c >
C:\Documents and Settings\Austin Gustafson\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Austin Gustafson\Desktop\cmd.txt deleted successfully.
< dir /s /a "C:\401e2f68b6a80c2561" /c >
Volume in drive C has no label.
Volume Serial Number is 40E4-95B7
Directory of C:\401e2f68b6a80c2561
C:\Documents and Settings\Austin Gustafson\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Austin Gustafson\Desktop\cmd.txt deleted successfully.
< dir /s /a "C:\Documents and Settings\Austin Gustafson\Application Data\DDMSettings" /c >
Volume in drive C has no label.
Volume Serial Number is 40E4-95B7
Directory of C:\Documents and Settings\Austin Gustafson\Application Data\DDMSettings
02/14/2012 06:11 PM <DIR> .
02/14/2012 06:11 PM <DIR> ..
02/20/2012 10:11 PM 106 settings.ddi
1 File(s) 106 bytes
Total Files Listed:
1 File(s) 106 bytes
2 Dir(s) 32,531,980,288 bytes free
C:\Documents and Settings\Austin Gustafson\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Austin Gustafson\Desktop\cmd.txt deleted successfully.
< echo,Y|cacls "%WinDir%\system32\drivers\etc\hosts" /G everyone:f /c >
Are you sure (Y/N)?processed file: C:\WINDOWS\system32\drivers\etc\hosts
C:\Documents and Settings\Austin Gustafson\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Austin Gustafson\Desktop\cmd.txt deleted successfully.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\Austin Gustafson\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Austin Gustafson\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
Restore point Set: OTL Restore Point (0)

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: All Users

User: Austin Gustafson
->Temp folder emptied: 1334397978 bytes
->Temporary Internet Files folder emptied: 28927214 bytes
->Java cache emptied: 20881 bytes
->FireFox cache emptied: 5908240 bytes
->Flash cache emptied: 15786 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->Flash cache emptied: 16181 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 634842 bytes
->Java cache emptied: 2059 bytes
->Flash cache emptied: 55387 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 4597225 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 240640 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 6630307 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 125511248 bytes
RecycleBin emptied: 768994 bytes

Total Files Cleaned = 1,438.00 mb


[EMPTYFLASH]

User: Administrator

User: All Users

User: Austin Gustafson
->Flash cache emptied: 0 bytes

User: Default User

User: LocalService
->Flash cache emptied: 0 bytes

User: NetworkService
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


[EMPTYJAVA]

User: Administrator

User: All Users

User: Austin Gustafson
->Java cache emptied: 0 bytes

User: Default User

User: LocalService

User: NetworkService
->Java cache emptied: 0 bytes

Total Java Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.33.2 log created on 02232012_220417

Files\Folders moved on Reboot...
File\Folder C:\WINDOWS\temp\_avast_\Webshlock.txt not found!

Registry entries deleted on Reboot...



OTL logfile created on: 2/23/2012 10:14:06 PM - Run 2
OTL by OldTimer - Version 3.2.33.2 Folder = C:\Documents and Settings\Austin Gustafson\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1022.98 Mb Total Physical Memory | 518.88 Mb Available Physical Memory | 50.72% Memory free
2.40 Gb Paging File | 2.00 Gb Available in Paging File | 83.35% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.47 Gb Total Space | 31.33 Gb Free Space | 42.07% Space Free | Partition Type: NTFS

Computer Name: GUSTAFSO-8C30D0 | User Name: Austin Gustafson | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: Off | File Age = 30 Days

========== Custom Scans ==========


< HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services|.mrxsmb /RS >
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.mrxsmb\\Type: 1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.mrxsmb\\Start: 3
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.mrxsmb\\ImagePath: \?

< HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services|.mrxsmb /RS >

< >

< >

< End of report >

Edited by AugustAPC, 23 February 2012 - 10:17 PM.


#6 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  • Gender:Male
  • Location:Antarctica
  • Local time:08:03 PM

Posted 24 February 2012 - 02:26 AM

Hi AugustAPC!

I do have a 4gb Flash Drive I can use for whatever purpose.

Okay, perfect!! Make sure that you have a copy of the data on it saved to another location, as we'll be reformatting the flash drive before we utilize it.

Let me fill you in on what's going on right now. Your logs seem to indicate that you're infected with an infection that messes with the Boot partition, and the infection has created a malicious boot partition, and set it as default, so that it uses that partition to boot from. What we will be doing in xPUD is fixing this issue in there. But before we fix it, we need to run a few different things, to ensure that the commands we need to utilize will work properly.

Try this please. You will need a USB drive.

Download http://unetbootin.sourceforge.net/unetbootin-xpud-windows-latest.exe & http://noahdfear.net/downloads/bootable/xPUD/xpud-0.9.2.iso to the desktop of your clean computer
  • Insert your USB drive
  • Press Start > My Computer > right click your USB drive > choose Format > Quick format
  • Double click the unetbootin-xpud-windows-387.exe that you just downloaded
  • Press Run then OK
  • You'll need to ensure that you select the xpud-0.9.2.iso as the source.
  • It will install a little bootable OS on your USB
  • After it has completed do not choose to reboot the clean computer simply close the installer
  • Download xPUDtestdisk.exe and save it to the USB device
  • Double click xPUDtestdisk.exe to extract the contents to your USB device
  • Remove the USB and insert it in the sick computer
  • Boot the Sick computer
  • Press F12 and choose to boot from the USB
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Press Tool at the top
  • Choose Open Terminal
  • Type in: dd if=/dev/sda of=MBRbackup.zip bs=512 count=1 and hit Enter.

MBRbackup.zip should be created on your flash drive, please attach it to your next reply.



#7 AugustAPC

AugustAPC
  • Topic Starter

  • Members
  • 86 posts
  • OFFLINE
  • Local time:07:03 PM

Posted 24 February 2012 - 11:01 PM

Okay... so... I had some problems here.
I'm pretty certain I did the first part correctly. I selected the ISO option and loaded the xpud-0.9.2 and then downloaded the xPUDtestdisk to the flash drive and extracted it.

When I did the second part, things seemed to be going as planned, until I got to the mnt file. There was no sdb1 in there, only sda1, 2 and 3. I figured since you mentioned 1 and 2 were my HDD, that 3 may have been the USB... but apparently not. Anyway, I created two MBRbackup.zip files, one resides in the mnt directory, and the other is the sda3 file. I'm not sure if that's a problem for them to be in there... I could go back and delete them.

But anyway, I could not access the USB from that menu... as far as I know, because it wasn't in the mnt file. I suppose I could save the MBRbackup.zip to the C Drive, and access it that way... but I don't know if that would help at all.

I tried following the steps twice, to make sure I didn't do anything wrong and I still couldn't find the USB from the xPUD screen.

#8 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  • Gender:Male
  • Location:Antarctica
  • Local time:08:03 PM

Posted 25 February 2012 - 09:43 AM

Hi AugustAPC!

Sorry to hear you hit a roadblock.

I've had this happen to another user on a previous occasion.

I need you to do this for me:

While booted into xPUD please press Tool and select the Terminal window. Type in: fdisk -l and let me know what that displays.



#9 AugustAPC

AugustAPC
  • Topic Starter

  • Members
  • 86 posts
  • OFFLINE
  • Local time:07:03 PM

Posted 25 February 2012 - 11:02 AM

Okay, haha. I'm not sure if this is a good or a bad thing, but when I went in to do what you told me to, the USB decided to show up this time. Very odd. I didn't even redo the Flash Drive, so I know I didn't do anything differently.

Anyway, I followed your previous steps, since this time we actually got the USB to make itself known.

I've attached the file you requested.

Also, I was curious. When exiting that screen, am I supposed to have the save settings checked? Or am I just supposed to click the shut down option?

Attached Files



#10 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  • Gender:Male
  • Location:Antarctica
  • Local time:08:03 PM

Posted 26 February 2012 - 01:39 AM

Hi AugustAPC!

That's definitely interesting.

Also, I was curious. When exiting that screen, am I supposed to have the save settings checked? Or am I just supposed to click the shut down option?

You can continue using the Shutdown option.

The infection has modified your partitions. We will attempt to rectify that. As a first step I would like you to check that the command we are using is recognizing your hard drive correctly.

Please boot from the flash drive once more. Go to File then mnt and select the flash drive (most likely sdb1). Then press Tool and select the command line again. Type in: parted -l > logfile.txt and let me know if it shows any warnings.

Please also post the contents of the logfile.txt in your next reply.

Kindest Regards,
ST.



#11 AugustAPC

AugustAPC
  • Topic Starter

  • Members
  • 86 posts
  • OFFLINE
  • Local time:07:03 PM

Posted 26 February 2012 - 02:52 AM

The USB was recognized again, so that's slightly reassuring, lol. I'd like to once again express my gratitude for your help. I'll surely be donating to your cause once this ordeal is wrapped up, though I can't offer a great deal. Anyway, I've posted the contents of the file, as well as attached it. Do you feel that this virus is fixable?


Model: ATA ST380011A (scsi)
Disk /dev/sda: 80.0GB
Sector size (logical/physical): 512B/512B
Partition Table: msdos

Number Start End Size Type File system Flags
1 32.3kB 32.9MB 32.9MB primary fat16
2 32.9MB 80.0GB 80.0GB primary ntfs
3 80.0GB 80.0GB 9144kB primary ntfs boot, hidden


Model: General USB Flash Disk (scsi)
Disk /dev/sdb: 4058MB
Sector size (logical/physical): 512B/512B
Partition Table: msdos

Number Start End Size Type File system Flags
1 28.7kB 4058MB 4058MB primary fat32 boot

Attached Files
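To see at the byte level what the parted listing above is reporting, here is an added Python example (not from the thread or from any tool used in it) that parses a 512-byte MBR such as the one captured with dd earlier, flags the pattern present on this disk (a tiny hidden partition carrying the active/boot flag, placed after the Windows partition), and reproduces in memory what `parted set 2 boot on` followed by `parted rm 3` does to the partition table. The sample MBR and its sector counts are constructed to match the parted output; the size limit and type list are my own assumptions.

```python
import struct
from dataclasses import dataclass

SECTOR = 512
# MBR partition-type bytes (from the MBR type list, not from the thread)
FAT16, NTFS, HIDDEN_NTFS = 0x06, 0x07, 0x17     # 0x17 is what parted prints as "ntfs ... hidden"
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1b, 0x1c, 0x1e}
SMALL_LIMIT = 64 * 1024 * 1024                   # assumption: no real OS partition is this small


@dataclass
class PartEntry:
    index: int        # 1-based slot number, the same numbering parted uses
    active: bool      # status byte 0x80 = the "boot" flag parted shows
    ptype: int
    lba_start: int
    sectors: int


def parse_mbr(sector: bytes) -> list[PartEntry]:
    """Decode the four 16-byte slots at offset 446 of a 512-byte MBR."""
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xaa":
        raise ValueError("not a 512-byte MBR with a 0x55AA signature")
    entries = []
    for i in range(4):
        # layout: status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, 446 + 16 * i)
        if ptype != 0:
            entries.append(PartEntry(i + 1, status == 0x80, ptype, lba, count))
    return entries


def find_rogue_boot(entries: list[PartEntry]) -> list[str]:
    """Flag the pattern from this thread: the boot flag sits on a tiny hidden
    partition placed after the real OS partition."""
    findings = []
    active = [e for e in entries if e.active]
    if len(active) != 1:
        findings.append(f"expected exactly one active partition, found {len(active)}")
    largest = max(entries, key=lambda e: e.sectors)
    for e in active:
        if e is not largest and e.sectors * SECTOR < SMALL_LIMIT:
            findings.append(f"partition {e.index} is active but only {e.sectors * SECTOR // 1024} kB")
        if e.ptype in HIDDEN_TYPES:
            findings.append(f"partition {e.index} is active yet has hidden type 0x{e.ptype:02x}")
        if e is not largest and e.lba_start > largest.lba_start:
            findings.append(f"partition {e.index} is active and sits after OS partition {largest.index}")
    return findings


def apply_parted_fix(sector: bytes, boot_index: int, remove_index: int) -> bytes:
    """In-memory equivalent of `parted /dev/sda set <boot_index> boot on` followed by
    `parted /dev/sda rm <remove_index>`; nothing here touches a real device."""
    buf = bytearray(sector)
    for i in range(4):
        off = 446 + 16 * i
        if buf[off + 4] == 0:            # empty slot, leave untouched
            continue
        # on an msdos label parted keeps the boot flag exclusive, so other slots are cleared
        buf[off] = 0x80 if i + 1 == boot_index else 0x00
    off = 446 + 16 * (remove_index - 1)
    buf[off:off + 16] = bytes(16)        # rm blanks the slot; the sectors themselves stay
    return bytes(buf)


def _entry(active: bool, ptype: int, lba: int, count: int) -> bytes:
    return struct.pack("<B3xB3xII", 0x80 if active else 0x00, ptype, lba, count)


# Constructed sample matching the parted listing in the thread: fat16 at 32.3kB,
# ntfs up to 80.0GB, then a 9144kB hidden ntfs partition carrying the boot flag.
SAMPLE_MBR = (
    bytes(446)                                          # bootstrap area, zeroed here
    + _entry(False, FAT16, 63, 64_260)                  # 1: 32.9MB fat16
    + _entry(False, NTFS, 64_323, 156_219_306)          # 2: 80.0GB ntfs (Windows)
    + _entry(True, HIDDEN_NTFS, 156_283_629, 17_859)    # 3: 9144kB ntfs, boot, hidden
    + bytes(16)                                         # 4: unused slot
    + b"\x55\xaa"
)


if __name__ == "__main__":
    for f in find_rogue_boot(parse_mbr(SAMPLE_MBR)):
        print("finding:", f)
    fixed = apply_parted_fix(SAMPLE_MBR, boot_index=2, remove_index=3)
    print("after fix:", [(e.index, e.active, hex(e.ptype)) for e in parse_mbr(fixed)])
```

Pointing `parse_mbr` at the first 512 bytes of a real MBRbackup made with dd gives the same view parted prints, which is a useful cross-check before any table is edited.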



#12 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  • Gender:Male
  • Location:Antarctica
  • Local time:08:03 PM

Posted 26 February 2012 - 03:08 AM

Hi AugustAPC!

You're very welcome! I'm glad to be able to help you out with the issues you're experiencing with your computer.

Yes, I do think this problem is fixable.

Let's run the next part of the fix.

What we need to do now is disable the malicious partition. We will need to boot back up into xPUD to accomplish this.

You're going to want to boot back up into xPUD again.

In xPUD please press Tool at the top. Click on: Open Terminal

You'll want to type this bolded command in followed by ENTER: parted /dev/sda set 2 boot on

After you enter that command, please exit out of xPUD and boot back up normally.

Then please provide me with an update on how things are running



#13 AugustAPC

AugustAPC
  • Topic Starter

  • Members
  • 86 posts
  • OFFLINE
  • Local time:07:03 PM

Posted 26 February 2012 - 03:42 AM

Well, I don't see that much change. Perhaps the computer is running a bit faster, but Mozilla still will not connect. It still gives me the proxy error. When I input the command it said that sda3 was unmounted, then shortly after said, error: sda3 is unmounted (or something close to that).

I still have the foreign Internet Security icon on my desktop.

Ah... I just did 5 Google searches and clicked about 12 links. I haven't experienced any redirects. That's a good sign!

I look forward to your next set of instructions :)

#14 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  • Gender:Male
  • Location:Antarctica
  • Local time:08:03 PM

Posted 26 February 2012 - 07:28 AM

Hi!

Great! Glad to hear that!

What we need to do now is remove that malicious partition. We will need to boot back up into xPUD to accomplish this.

You're going to want to boot back up into xPUD again.

In xPUD please press Tool at the top. Click on: Open Terminal

You'll want to type this bolded command in followed by ENTER: parted /dev/sda rm 3

After you enter that command, please exit out of xPUD and boot back up normally.

Then do me a favor and run a new scan with aswMBR and post that for me to review.



#15 AugustAPC

AugustAPC
  • Topic Starter

  • Members
  • 86 posts
  • OFFLINE
  • Local time:07:03 PM

Posted 26 February 2012 - 08:29 PM

Alright, had some problems.
When I entered the string you said to, I got this response.

"Information: You may need to update /etc/fstab." It also said sda3 was unmounted, I think.

When I tried to run aswMBR, it was working for about 4 minutes, then it gave me this error.

(screenshot of the aswMBR error message; image not preserved)

I tried to run it a second time and the same thing happened.

Edited by AugustAPC, 26 February 2012 - 08:30 PM.




