WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. Join 93095 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!

Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

[Resolved] Facebook youtube video virus

Started by ladyixnay , Mar 14 2010 07:11 PM

This topic is locked

18 replies to this topic

#1 ladyixnay

Authentic Member

Authentic Member
87 posts

Posted 14 March 2010 - 07:11 PM

Someone received a message containing a video (
m
[I removed the http so not to have anyone click it 3509110419/freefilms/) when you open it, it automatically sends it to all of the people on your friends list. One of my computers was infected by it and cant get to anything on it now. If anyone has any info on this I would appreciate it. It involved a fake site spelled yuotube. Thanks.

Okay here is how it happened... My mother-in-law was on my husbands pc, and she had a message in her e-mail that she had a message from a neice on facebook, so she went to facebook and the message title was something like Y O U T U B E with the spaces, she opened it and clicked the link that Imentioned above, then a window popped up saying that there was not a (something) flashplayer installed, then a fake security warning came up saying it was microsoft and was scanning and finding virus'. After that I got on my pc, and apparently once you click the link it auto-sends to all the people on your friends list without your consent. I went to facebook, clicked her message and deleted it, I seem to be fine, husbands pc is messed.

Edited by ladyixnay, 14 March 2010 - 07:55 PM.

Advertisements

Register to Remove

#2 oldman960

Forum God

Retired Classroom Teacher
14,770 posts

Posted 15 March 2010 - 01:24 AM

Hi ladyixnay, welcome to the forum.

To make cleaning this machine easier

Please do not uninstall/install any programs unless asked to
It is more difficult when files/programs are appearing in/disappearing from the logs.
Please do not run any scans other than those requested
Please follow all instructions in the order posted
All logs/reports, etc.. must be posted in Notepad. Please ensure that word wrap is unchecked. In notepad click format, uncheck word wrap if it is checked.
Do not attach any logs/reports, etc.. unless specifically requested to do so.
If you have problems with or do not understand the instructions, Please ask before continuing.
Please stay with this thread until given the All Clear. A absence of symptoms does not mean a clean machine.

Go HERE to get a randomly named copy of GMER. Scroll down to the Download section and click Download EXE. Save it to your desktop.

Before scanning with GMER, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double click on the file you downloaded. If asked to allow gmer.sys driver to load, please consent .
If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

Click the image to enlarge it
In the right panel, you will see several boxes that have been checked. Uncheck the following ...
- Sections
- IAT/EAT
- Drives/Partition other than Systemdrive (typically C:\)
- Show All (don't miss this one)
Then click the Scan button & wait for it to finish.
Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
Save it where you can easily find it, such as your desktop, and post it in your next reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

Next

Download OTL to your desktop.

Double click on OTL.exe to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output
Check the boxes beside LOP Check and Purity Check.
In the window under Custom Scans/Fixes copy and paste the following

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
symmpi.sys
adp3132.sys
mv61xx.sys
/md5stop
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.

When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.

Please post back with

GMER log
both OTL logs

Thanks

Proud Graduate of the WTT Classroon
If you are happy with the help you recieved, please consider making a Donation
Curiosity didn't kill the cat. Ignorance did, curiosity was framed.
Learn how to protect Yourself

Microsoft MVP 2011-2015

Threads will be closed if no response after 5 days.

#3 ladyixnay

Authentic Member

Authentic Member
87 posts

Posted 15 March 2010 - 08:48 PM

The infected PC is now getting redirects, and cannot load your site or several others.

Edited by ladyixnay, 15 March 2010 - 08:49 PM.

#4 oldman960

Forum God

Retired Classroom Teacher
14,770 posts

Posted 16 March 2010 - 02:22 AM

Hi ladyixnay,

Ok we'll do this a bit differently.

We'll use your other computer to get the tools and transfer them to the infected computer.

If you have a CD to use it would be best. If you are going to use a USB flash drive or jumpdrive to transfer the tools then use this utility (Flash_Disinfector) on the clean computer and the USB device first.

On the clean computer

When running this tool on the clean computer make sure your jump drive is attached. When attaching the jump drive, please hold down the shift key while attaching the drive.

Download Flash_Disinfector.exe by sUBs and save it to your desktop.

Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
Wait until it has finished scanning and then exit the program.

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.

Download OTL to your jumpdrive or CD.

Next

Create this file to be transfered to the infected computer.

Open a new Notepad session

Click the Start button, click run
in the run box type notepad
click ok
In the notepad, Click "Format" and be certain that Word Wrap is not checked.
Copy and paste all the text in the code box below into the Notepad. Do Not copy the word CODE

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
symmpi.sys
adp3132.sys
mv61xx.sys
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav

In the notepad

Click File, Save as..., and set the Save in to your jump drive or CD
In the filename box, type (including quotation marks) as the filename: "OTLScript.txt"
Click save

Next

Go HERE to get a randomly named copy of GMER. Scroll down to the Download section and click Download EXE. Save it to your jump drive or CD.

On the infected computer

Tranfer OTL to your computer's desktop

Open the text file you created
Right click the text and select Select all
Right click again and select copy

Double click OTL.exe to run it. When it opens, right click in the window beneath Custom Scans/fixes and select paste. The text you copied from the notepad should appear in the window. Click Run Scan and wait for the tool to finish.

When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

Please transfer these to the USB device or CD.

Please run GMER with the previously posted instructions. When the scan has completed please transfer the resulting log to your flash drive or CD also.

Please post back with

both OTL logs
GMER log

Microsoft MVP 2011-2015

Threads will be closed if no response after 5 days.

#5 ladyixnay

Authentic Member

Authentic Member
87 posts

Posted 19 March 2010 - 06:10 PM

You said to ... "Download Flash_Disinfector.exe by sUBs and save it to your desktop." When I click that link, it goes to a page that says - Page not found. I found it through another link, will post said logs when it is done, thanks :-)

Edited by ladyixnay, 19 March 2010 - 07:15 PM.

#6 ladyixnay

Authentic Member

Authentic Member
87 posts

Posted 19 March 2010 - 08:06 PM

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-19 21:53:32
Windows 5.1.2600 Service Pack 3
Running: 7h6o8dyx.exe; Driver: C:\DOCUME~1\Dad\LOCALS~1\Temp\pxtdypob.sys

---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF78B587E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF78B5BFE]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip imapioko.sys (Applet Application Extension/PGWARE LLC)
AttachedDevice \Driver\Tcpip \Device\Tcp imapioko.sys (Applet Application Extension/PGWARE LLC)
AttachedDevice \Driver\Tcpip \Device\Udp imapioko.sys (Applet Application Extension/PGWARE LLC)
AttachedDevice \Driver\Tcpip \Device\RawIp imapioko.sys (Applet Application Extension/PGWARE LLC)

---- EOF - GMER 1.0.15 ----

-----------------------------------------------------------------

OTL logfile created on: 3/19/2010 8:50:44 PM - Run 3
OTL by OldTimer - Version 3.1.37.3 Folder = C:\Documents and Settings\Dad\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,022.00 Mb Total Physical Memory | 559.00 Mb Available Physical Memory | 55.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 88.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.26 Gb Total Space | 18.38 Gb Free Space | 49.33% Space Free | Partition Type: NTFS
Drive D: | 14.32 Gb Total Space | 6.05 Gb Free Space | 42.27% Space Free | Partition Type: NTFS
Drive E: | 1.02 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: JEFF
Current User Name: Dad
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/03/19 21:28:04 | 000,555,520 | R--- | M] (OldTimer Tools) -- C:\Documents and Settings\Dad\Desktop\OTL.exe
PRC - [2010/02/10 14:48:08 | 001,055,000 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgchsvx.exe
PRC - [2010/02/10 14:48:08 | 000,600,344 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgnsx.exe
PRC - [2010/02/10 14:48:04 | 002,033,432 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgtray.exe
PRC - [2010/02/10 14:47:58 | 000,285,392 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe
PRC - [2010/02/04 11:52:57 | 001,228,208 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
PRC - [2010/02/04 11:52:57 | 000,814,160 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
PRC - [2009/11/27 14:31:50 | 000,323,392 | ---- | M] (BitTorrent, Inc.) -- C:\Program Files\DNA\btdna.exe
PRC - [2008/11/09 16:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2002/10/16 21:56:00 | 000,176,128 | ---- | M] (Executive Software International, Inc.) -- C:\Program Files\Executive Software\DiskeeperLite\DKService.exe

========== Modules (SafeList) ==========

MOD - [2010/03/19 21:28:04 | 000,555,520 | R--- | M] (OldTimer Tools) -- C:\Documents and Settings\Dad\Desktop\OTL.exe

========== Win32 Services (SafeList) ==========

SRV - [2010/02/10 14:47:58 | 000,285,392 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgwdsvc.exe -- (avg9wd)
SRV - [2010/02/04 11:52:57 | 001,228,208 | ---- | M] (Lavasoft) [Auto | Running] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2009/02/09 09:10:48 | 000,120,320 | ---- | M] (EMC Corporation) [Auto | Running] -- C:\WINDOWS\system32\erokosvc.dll -- (cpqoko6)
SRV - [2008/11/09 16:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2002/10/16 21:56:00 | 000,176,128 | ---- | M] (Executive Software International, Inc.) [Auto | Running] -- C:\Program Files\Executive Software\DiskeeperLite\DKService.exe -- (Diskeeper)

========== Driver Services (SafeList) ==========

DRV - [2010/02/04 11:53:02 | 000,064,288 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\Lbd.sys -- (Lbd)
DRV - [2009/04/08 15:29:52 | 000,056,448 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\xusb21.sys -- (xusb21)
DRV - [2009/02/09 09:10:48 | 000,032,768 | ---- | M] (PGWARE LLC) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\imapioko.sys -- (apto6ko)
DRV - [2008/09/18 00:55:00 | 006,132,576 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2006/10/30 22:06:52 | 000,067,456 | R--- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\GA311ND5.SYS -- (RTL8023)
DRV - [2003/09/17 16:57:22 | 000,008,440 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\LANPkt.sys -- (LANPkt)
DRV - [2003/08/15 03:55:08 | 000,011,237 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\diag69xp.sys -- (Diag69xp)
DRV - [2003/06/30 18:11:52 | 000,043,136 | R--- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2001/08/22 09:42:58 | 000,013,632 | ---- | M] (Dell Computer Corporation) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS -- (OMCI)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://amyost.homestead.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://amyost.homestead.com/"

FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/01/22 13:42:17 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/01/25 12:18:49 | 000,000,000 | ---D | M]

[2009/01/06 22:30:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dad\Application Data\Mozilla\Extensions
[2010/03/19 15:40:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\3zqtl4ny.default\extensions
[2009/09/01 16:12:51 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\3zqtl4ny.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2008/12/12 14:23:54 | 000,002,158 | ---- | M] () -- C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\3zqtl4ny.default\searchplugins\MySpace.xml
[2010/03/19 15:40:17 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2008/09/03 20:11:24 | 000,054,600 | ---- | M] (BitTorrent, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npbittorrent.dll

O1 HOSTS File: ([2009/07/02 10:21:33 | 000,316,719 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 10868 more lines...
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O4 - HKLM..\Run: [AVG9_TRAY] C:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKCU..\Run: [BitTorrent DNA] C:\Program Files\DNA\btdna.exe (BitTorrent, Inc.)
O4 - HKCU..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 36
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = FF FF FF FF [binary data]
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} http://pcpitstop.com...t/PCPitStop.CAB (PCPitstop Utility)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.micr...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.micros...b?1233743462062 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (kgehwv.dll) - File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/01/06 02:52:54 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2010/03/19 20:33:02 | 000,000,000 | RHSD | M] - C:\autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2010/03/19 20:33:02 | 000,000,000 | RHSD | M] - D:\autorun.inf -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2009/01/06 02:52:20 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16891891626803200)

========== Files/Folders - Created Within 30 Days ==========

[2010/03/19 21:28:04 | 000,555,520 | R--- | C] (OldTimer Tools) -- C:\Documents and Settings\Dad\Desktop\OTL.exe
[2010/03/19 20:33:02 | 000,000,000 | RHSD | C] -- C:\autorun.inf
[2010/03/15 22:14:00 | 000,891,248 | ---- | C] (AVG Technologies) -- C:\Documents and Settings\Dad\Desktop\avg_free_stb_all_9_40_cnet.exe
[2010/03/15 16:13:25 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
[2010/03/15 16:11:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dad\Application Data\AVG8
[2010/03/15 16:11:27 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2010/03/15 16:04:22 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2010/03/15 16:04:22 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2010/03/15 16:04:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2010/03/15 16:01:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2010/03/14 21:32:33 | 000,064,288 | ---- | C] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys
[2010/02/17 23:30:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\RPG Maker VX
[2010/02/17 23:30:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\RPGXP
[2010/02/17 23:28:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\RPGVX 102 XWareM2
[2010/02/17 23:28:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\RPG_Maker_VX_102_ENU_SSG
[2010/02/17 23:27:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\RPGVX
[2010/02/17 20:53:04 | 097,364,760 | ---- | C] (Lavasoft ) -- C:\Documents and Settings\Dad\My Documents\Ad-AwareInstaller.exe
[2010/02/17 20:52:18 | 000,095,024 | ---- | C] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/03/19 21:28:04 | 000,555,520 | R--- | M] (OldTimer Tools) -- C:\Documents and Settings\Dad\Desktop\OTL.exe
[2010/03/19 21:27:18 | 000,293,376 | R--- | M] () -- C:\Documents and Settings\Dad\Desktop\7h6o8dyx.exe
[2010/03/19 21:27:04 | 000,132,597 | R--- | M] () -- C:\Documents and Settings\Dad\Desktop\Flash_Disinfector.exe
[2010/03/19 20:48:34 | 006,553,600 | -H-- | M] () -- C:\Documents and Settings\Dad\NTUSER.DAT
[2010/03/19 20:41:36 | 000,000,304 | ---- | M] () -- C:\Documents and Settings\Dad\Desktop\Shortcut to OTLscript.lnk
[2010/03/19 17:52:06 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/03/19 14:10:11 | 000,192,339 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2010/03/19 14:09:51 | 000,002,278 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/03/19 14:09:35 | 000,000,236 | ---- | M] () -- C:\WINDOWS\tasks\OGALogon.job
[2010/03/19 14:09:33 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/03/19 14:09:26 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/03/15 22:30:10 | 000,000,640 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/03/15 22:30:10 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/03/15 22:30:10 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2010/03/15 22:14:36 | 000,891,248 | ---- | M] (AVG Technologies) -- C:\Documents and Settings\Dad\Desktop\avg_free_stb_all_9_40_cnet.exe
[2010/03/15 16:13:22 | 000,000,867 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[2010/03/15 02:48:54 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Dad\ntuser.ini
[2010/03/14 19:51:42 | 000,001,179 | ---- | M] () -- C:\WINDOWS\fs1235.dat1
[2010/03/14 19:31:08 | 000,000,001 | ---- | M] () -- C:\WINDOWS\lgo
[2010/03/14 19:31:07 | 000,000,002 | ---- | M] () -- C:\Documents and Settings\Dad\Local Settings\Application Data\010112010146111103.xxe
[2010/03/14 19:25:00 | 000,000,001 | ---- | M] () -- C:\WINDOWS\ligh
[2010/03/14 19:24:51 | 000,068,096 | -H-- | M] () -- C:\WINDOWS\bill103.exe
[2010/03/14 09:06:43 | 000,435,260 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/03/14 09:06:43 | 000,068,156 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/03/14 09:06:42 | 000,512,960 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/03/10 17:43:09 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\Dad\My Documents\Adobe Reader 9.lnk
[2010/03/10 16:22:50 | 000,123,376 | ---- | M] () -- C:\Documents and Settings\Dad\Desktop\marilyn quiz aspie.pdf
[2010/03/09 21:03:56 | 000,451,261 | ---- | M] () -- C:\Documents and Settings\Dad\Desktop\wings-2010-03-1024x768.jpg
[2010/03/07 23:00:00 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\SmartDefrag.job
[2010/03/05 01:37:41 | 000,000,889 | ---- | M] () -- C:\Documents and Settings\Dad\Desktop\Shortcut to Wow.lnk
[2010/02/28 01:01:08 | 000,123,760 | ---- | M] () -- C:\Documents and Settings\Dad\Desktop\Jeffery Quiz.pdf
[2010/02/23 17:13:58 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/03/19 21:27:18 | 000,293,376 | R--- | C] () -- C:\Documents and Settings\Dad\Desktop\7h6o8dyx.exe
[2010/03/19 21:27:04 | 000,132,597 | R--- | C] () -- C:\Documents and Settings\Dad\Desktop\Flash_Disinfector.exe
[2010/03/19 20:41:36 | 000,000,304 | ---- | C] () -- C:\Documents and Settings\Dad\Desktop\Shortcut to OTLscript.lnk
[2010/03/19 17:54:36 | 000,015,880 | ---- | C] () -- C:\WINDOWS\System32\lsdelete.exe
[2010/03/15 16:13:22 | 000,000,867 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[2010/03/14 19:32:24 | 000,001,179 | ---- | C] () -- C:\WINDOWS\fs1235.dat1
[2010/03/14 19:31:08 | 000,000,001 | ---- | C] () -- C:\WINDOWS\lgo
[2010/03/14 19:31:07 | 000,000,002 | ---- | C] () -- C:\Documents and Settings\Dad\Local Settings\Application Data\010112010146111103.xxe
[2010/03/14 19:25:00 | 000,000,001 | ---- | C] () -- C:\WINDOWS\ligh
[2010/03/14 19:24:51 | 000,068,096 | -H-- | C] () -- C:\WINDOWS\bill103.exe
[2010/03/10 16:22:50 | 000,123,376 | ---- | C] () -- C:\Documents and Settings\Dad\Desktop\marilyn quiz aspie.pdf
[2010/03/09 21:03:49 | 000,451,261 | ---- | C] () -- C:\Documents and Settings\Dad\Desktop\wings-2010-03-1024x768.jpg
[2010/02/28 01:01:08 | 000,123,760 | ---- | C] () -- C:\Documents and Settings\Dad\Desktop\Jeffery Quiz.pdf
[2010/02/17 23:28:10 | 001,070,080 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\RPGVX.exe
[2010/02/17 23:28:10 | 000,946,176 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\RPGVXENU.dll
[2010/02/17 23:28:10 | 000,508,028 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\RPGVX.chm
[2010/02/17 23:28:10 | 000,001,704 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\RPG Maker VX.lnk
[2009/08/03 16:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/04/30 03:59:05 | 000,000,262 | ---- | C] () -- C:\WINDOWS\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
[2009/04/21 21:28:15 | 000,000,056 | RHS- | C] () -- C:\WINDOWS\System32\DA304519A8.sys
[2009/04/21 21:28:08 | 000,001,890 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2009/03/29 11:07:57 | 000,000,023 | ---- | C] () -- C:\WINDOWS\BlendSettings.ini
[2009/03/21 10:14:13 | 000,043,520 | ---- | C] () -- C:\WINDOWS\System32\CmdLineExt03.dll
[2009/03/01 18:33:20 | 000,230,752 | ---- | C] () -- C:\WINDOWS\patchw32.dll
[2009/03/01 18:33:20 | 000,118,176 | ---- | C] () -- C:\WINDOWS\patchw.dll
[2009/02/25 00:41:19 | 000,765,952 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2009/02/25 00:41:19 | 000,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2009/02/17 18:00:06 | 000,000,088 | RHS- | C] () -- C:\Documents and Settings\All Users\Application Data\A8194530DA.sys
[2009/02/17 18:00:05 | 000,001,890 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys
[2009/01/10 04:17:49 | 000,021,840 | ---- | C] () -- C:\WINDOWS\System32\SIntfNT.dll
[2009/01/10 04:17:49 | 000,017,212 | ---- | C] () -- C:\WINDOWS\System32\SIntf32.dll
[2009/01/10 04:17:49 | 000,012,067 | ---- | C] () -- C:\WINDOWS\System32\SIntf16.dll
[2009/01/09 02:44:53 | 000,003,584 | ---- | C] () -- C:\Documents and Settings\Dad\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/01/06 03:08:02 | 001,724,416 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2009/01/06 03:08:02 | 001,503,232 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2009/01/06 03:08:02 | 001,101,824 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2009/01/06 03:08:02 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2009/01/06 03:07:13 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2009/01/06 03:07:12 | 000,581,632 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll

========== Custom Scans ==========

< %SYSTEMDRIVE%\*.exe >

< MD5 for: AGP440.SYS >
[2004/08/04 08:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2009/01/06 05:46:14 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2009/01/06 05:46:14 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\dllcache\agp440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

< MD5 for: ATAPI.SYS >
[2004/08/04 08:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2009/01/06 05:46:14 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2009/01/06 05:46:14 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/03 23:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2004/08/04 08:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0006\DriverFiles\i386\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 20:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 20:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/04 08:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2004/08/04 08:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/04 08:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 20:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 20:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2009/01/05 21:37:49 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2009/01/05 21:37:49 | 000,659,456 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2009/01/05 21:37:49 | 000,876,544 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

========== Alternate Data Streams ==========

@Alternate Data Stream - 114 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:8C8C964A
@Alternate Data Stream - 105 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1
@Alternate Data Stream - 103 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0A096EB2
< End of report >

#7 ladyixnay

Authentic Member

Authentic Member
87 posts

Posted 19 March 2010 - 08:07 PM

OTL logfile created on: 3/19/2010 8:50:44 PM - Run 3
OTL by OldTimer - Version 3.1.37.3 Folder = C:\Documents and Settings\Dad\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,022.00 Mb Total Physical Memory | 559.00 Mb Available Physical Memory | 55.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 88.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.26 Gb Total Space | 18.38 Gb Free Space | 49.33% Space Free | Partition Type: NTFS
Drive D: | 14.32 Gb Total Space | 6.05 Gb Free Space | 42.27% Space Free | Partition Type: NTFS
Drive E: | 1.02 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: JEFF
Current User Name: Dad
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/03/19 21:28:04 | 000,555,520 | R--- | M] (OldTimer Tools) -- C:\Documents and Settings\Dad\Desktop\OTL.exe
PRC - [2010/02/10 14:48:08 | 001,055,000 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgchsvx.exe
PRC - [2010/02/10 14:48:08 | 000,600,344 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgnsx.exe
PRC - [2010/02/10 14:48:04 | 002,033,432 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgtray.exe
PRC - [2010/02/10 14:47:58 | 000,285,392 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe
PRC - [2010/02/04 11:52:57 | 001,228,208 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
PRC - [2010/02/04 11:52:57 | 000,814,160 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
PRC - [2009/11/27 14:31:50 | 000,323,392 | ---- | M] (BitTorrent, Inc.) -- C:\Program Files\DNA\btdna.exe
PRC - [2008/11/09 16:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2002/10/16 21:56:00 | 000,176,128 | ---- | M] (Executive Software International, Inc.) -- C:\Program Files\Executive Software\DiskeeperLite\DKService.exe

========== Modules (SafeList) ==========

MOD - [2010/03/19 21:28:04 | 000,555,520 | R--- | M] (OldTimer Tools) -- C:\Documents and Settings\Dad\Desktop\OTL.exe

========== Win32 Services (SafeList) ==========

SRV - [2010/02/10 14:47:58 | 000,285,392 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgwdsvc.exe -- (avg9wd)
SRV - [2010/02/04 11:52:57 | 001,228,208 | ---- | M] (Lavasoft) [Auto | Running] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2009/02/09 09:10:48 | 000,120,320 | ---- | M] (EMC Corporation) [Auto | Running] -- C:\WINDOWS\system32\erokosvc.dll -- (cpqoko6)
SRV - [2008/11/09 16:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2002/10/16 21:56:00 | 000,176,128 | ---- | M] (Executive Software International, Inc.) [Auto | Running] -- C:\Program Files\Executive Software\DiskeeperLite\DKService.exe -- (Diskeeper)

========== Driver Services (SafeList) ==========

DRV - [2010/02/04 11:53:02 | 000,064,288 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\Lbd.sys -- (Lbd)
DRV - [2009/04/08 15:29:52 | 000,056,448 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\xusb21.sys -- (xusb21)
DRV - [2009/02/09 09:10:48 | 000,032,768 | ---- | M] (PGWARE LLC) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\imapioko.sys -- (apto6ko)
DRV - [2008/09/18 00:55:00 | 006,132,576 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2006/10/30 22:06:52 | 000,067,456 | R--- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\GA311ND5.SYS -- (RTL8023)
DRV - [2003/09/17 16:57:22 | 000,008,440 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\LANPkt.sys -- (LANPkt)
DRV - [2003/08/15 03:55:08 | 000,011,237 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\diag69xp.sys -- (Diag69xp)
DRV - [2003/06/30 18:11:52 | 000,043,136 | R--- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2001/08/22 09:42:58 | 000,013,632 | ---- | M] (Dell Computer Corporation) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS -- (OMCI)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://amyost.homestead.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://amyost.homestead.com/"

FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/01/22 13:42:17 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/01/25 12:18:49 | 000,000,000 | ---D | M]

[2009/01/06 22:30:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dad\Application Data\Mozilla\Extensions
[2010/03/19 15:40:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\3zqtl4ny.default\extensions
[2009/09/01 16:12:51 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\3zqtl4ny.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2008/12/12 14:23:54 | 000,002,158 | ---- | M] () -- C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\3zqtl4ny.default\searchplugins\MySpace.xml
[2010/03/19 15:40:17 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2008/09/03 20:11:24 | 000,054,600 | ---- | M] (BitTorrent, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npbittorrent.dll

O1 HOSTS File: ([2009/07/02 10:21:33 | 000,316,719 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 10868 more lines...
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O4 - HKLM..\Run: [AVG9_TRAY] C:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKCU..\Run: [BitTorrent DNA] C:\Program Files\DNA\btdna.exe (BitTorrent, Inc.)
O4 - HKCU..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 36
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = FF FF FF FF [binary data]
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} http://pcpitstop.com...t/PCPitStop.CAB (PCPitstop Utility)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.micr...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.micros...b?1233743462062 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (kgehwv.dll) - File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/01/06 02:52:54 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2010/03/19 20:33:02 | 000,000,000 | RHSD | M] - C:\autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2010/03/19 20:33:02 | 000,000,000 | RHSD | M] - D:\autorun.inf -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2009/01/06 02:52:20 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16891891626803200)

========== Files/Folders - Created Within 30 Days ==========

[2010/03/19 21:28:04 | 000,555,520 | R--- | C] (OldTimer Tools) -- C:\Documents and Settings\Dad\Desktop\OTL.exe
[2010/03/19 20:33:02 | 000,000,000 | RHSD | C] -- C:\autorun.inf
[2010/03/15 22:14:00 | 000,891,248 | ---- | C] (AVG Technologies) -- C:\Documents and Settings\Dad\Desktop\avg_free_stb_all_9_40_cnet.exe
[2010/03/15 16:13:25 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
[2010/03/15 16:11:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dad\Application Data\AVG8
[2010/03/15 16:11:27 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2010/03/15 16:04:22 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2010/03/15 16:04:22 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2010/03/15 16:04:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2010/03/15 16:01:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2010/03/14 21:32:33 | 000,064,288 | ---- | C] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys
[2010/02/17 23:30:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\RPG Maker VX
[2010/02/17 23:30:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\RPGXP
[2010/02/17 23:28:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\RPGVX 102 XWareM2
[2010/02/17 23:28:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\RPG_Maker_VX_102_ENU_SSG
[2010/02/17 23:27:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\RPGVX
[2010/02/17 20:53:04 | 097,364,760 | ---- | C] (Lavasoft ) -- C:\Documents and Settings\Dad\My Documents\Ad-AwareInstaller.exe
[2010/02/17 20:52:18 | 000,095,024 | ---- | C] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/03/19 21:28:04 | 000,555,520 | R--- | M] (OldTimer Tools) -- C:\Documents and Settings\Dad\Desktop\OTL.exe
[2010/03/19 21:27:18 | 000,293,376 | R--- | M] () -- C:\Documents and Settings\Dad\Desktop\7h6o8dyx.exe
[2010/03/19 21:27:04 | 000,132,597 | R--- | M] () -- C:\Documents and Settings\Dad\Desktop\Flash_Disinfector.exe
[2010/03/19 20:48:34 | 006,553,600 | -H-- | M] () -- C:\Documents and Settings\Dad\NTUSER.DAT
[2010/03/19 20:41:36 | 000,000,304 | ---- | M] () -- C:\Documents and Settings\Dad\Desktop\Shortcut to OTLscript.lnk
[2010/03/19 17:52:06 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/03/19 14:10:11 | 000,192,339 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2010/03/19 14:09:51 | 000,002,278 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/03/19 14:09:35 | 000,000,236 | ---- | M] () -- C:\WINDOWS\tasks\OGALogon.job
[2010/03/19 14:09:33 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/03/19 14:09:26 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/03/15 22:30:10 | 000,000,640 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/03/15 22:30:10 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/03/15 22:30:10 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2010/03/15 22:14:36 | 000,891,248 | ---- | M] (AVG Technologies) -- C:\Documents and Settings\Dad\Desktop\avg_free_stb_all_9_40_cnet.exe
[2010/03/15 16:13:22 | 000,000,867 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[2010/03/15 02:48:54 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Dad\ntuser.ini
[2010/03/14 19:51:42 | 000,001,179 | ---- | M] () -- C:\WINDOWS\fs1235.dat1
[2010/03/14 19:31:08 | 000,000,001 | ---- | M] () -- C:\WINDOWS\lgo
[2010/03/14 19:31:07 | 000,000,002 | ---- | M] () -- C:\Documents and Settings\Dad\Local Settings\Application Data\010112010146111103.xxe
[2010/03/14 19:25:00 | 000,000,001 | ---- | M] () -- C:\WINDOWS\ligh
[2010/03/14 19:24:51 | 000,068,096 | -H-- | M] () -- C:\WINDOWS\bill103.exe
[2010/03/14 09:06:43 | 000,435,260 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/03/14 09:06:43 | 000,068,156 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/03/14 09:06:42 | 000,512,960 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/03/10 17:43:09 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\Dad\My Documents\Adobe Reader 9.lnk
[2010/03/10 16:22:50 | 000,123,376 | ---- | M] () -- C:\Documents and Settings\Dad\Desktop\marilyn quiz aspie.pdf
[2010/03/09 21:03:56 | 000,451,261 | ---- | M] () -- C:\Documents and Settings\Dad\Desktop\wings-2010-03-1024x768.jpg
[2010/03/07 23:00:00 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\SmartDefrag.job
[2010/03/05 01:37:41 | 000,000,889 | ---- | M] () -- C:\Documents and Settings\Dad\Desktop\Shortcut to Wow.lnk
[2010/02/28 01:01:08 | 000,123,760 | ---- | M] () -- C:\Documents and Settings\Dad\Desktop\Jeffery Quiz.pdf
[2010/02/23 17:13:58 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/03/19 21:27:18 | 000,293,376 | R--- | C] () -- C:\Documents and Settings\Dad\Desktop\7h6o8dyx.exe
[2010/03/19 21:27:04 | 000,132,597 | R--- | C] () -- C:\Documents and Settings\Dad\Desktop\Flash_Disinfector.exe
[2010/03/19 20:41:36 | 000,000,304 | ---- | C] () -- C:\Documents and Settings\Dad\Desktop\Shortcut to OTLscript.lnk
[2010/03/19 17:54:36 | 000,015,880 | ---- | C] () -- C:\WINDOWS\System32\lsdelete.exe
[2010/03/15 16:13:22 | 000,000,867 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[2010/03/14 19:32:24 | 000,001,179 | ---- | C] () -- C:\WINDOWS\fs1235.dat1
[2010/03/14 19:31:08 | 000,000,001 | ---- | C] () -- C:\WINDOWS\lgo
[2010/03/14 19:31:07 | 000,000,002 | ---- | C] () -- C:\Documents and Settings\Dad\Local Settings\Application Data\010112010146111103.xxe
[2010/03/14 19:25:00 | 000,000,001 | ---- | C] () -- C:\WINDOWS\ligh
[2010/03/14 19:24:51 | 000,068,096 | -H-- | C] () -- C:\WINDOWS\bill103.exe
[2010/03/10 16:22:50 | 000,123,376 | ---- | C] () -- C:\Documents and Settings\Dad\Desktop\marilyn quiz aspie.pdf
[2010/03/09 21:03:49 | 000,451,261 | ---- | C] () -- C:\Documents and Settings\Dad\Desktop\wings-2010-03-1024x768.jpg
[2010/02/28 01:01:08 | 000,123,760 | ---- | C] () -- C:\Documents and Settings\Dad\Desktop\Jeffery Quiz.pdf
[2010/02/17 23:28:10 | 001,070,080 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\RPGVX.exe
[2010/02/17 23:28:10 | 000,946,176 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\RPGVXENU.dll
[2010/02/17 23:28:10 | 000,508,028 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\RPGVX.chm
[2010/02/17 23:28:10 | 000,001,704 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\RPG Maker VX.lnk
[2009/08/03 16:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/04/30 03:59:05 | 000,000,262 | ---- | C] () -- C:\WINDOWS\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
[2009/04/21 21:28:15 | 000,000,056 | RHS- | C] () -- C:\WINDOWS\System32\DA304519A8.sys
[2009/04/21 21:28:08 | 000,001,890 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2009/03/29 11:07:57 | 000,000,023 | ---- | C] () -- C:\WINDOWS\BlendSettings.ini
[2009/03/21 10:14:13 | 000,043,520 | ---- | C] () -- C:\WINDOWS\System32\CmdLineExt03.dll
[2009/03/01 18:33:20 | 000,230,752 | ---- | C] () -- C:\WINDOWS\patchw32.dll
[2009/03/01 18:33:20 | 000,118,176 | ---- | C] () -- C:\WINDOWS\patchw.dll
[2009/02/25 00:41:19 | 000,765,952 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2009/02/25 00:41:19 | 000,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2009/02/17 18:00:06 | 000,000,088 | RHS- | C] () -- C:\Documents and Settings\All Users\Application Data\A8194530DA.sys
[2009/02/17 18:00:05 | 000,001,890 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys
[2009/01/10 04:17:49 | 000,021,840 | ---- | C] () -- C:\WINDOWS\System32\SIntfNT.dll
[2009/01/10 04:17:49 | 000,017,212 | ---- | C] () -- C:\WINDOWS\System32\SIntf32.dll
[2009/01/10 04:17:49 | 000,012,067 | ---- | C] () -- C:\WINDOWS\System32\SIntf16.dll
[2009/01/09 02:44:53 | 000,003,584 | ---- | C] () -- C:\Documents and Settings\Dad\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/01/06 03:08:02 | 001,724,416 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2009/01/06 03:08:02 | 001,503,232 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2009/01/06 03:08:02 | 001,101,824 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2009/01/06 03:08:02 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2009/01/06 03:07:13 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2009/01/06 03:07:12 | 000,581,632 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll

========== Custom Scans ==========

< %SYSTEMDRIVE%\*.exe >

< MD5 for: AGP440.SYS >
[2004/08/04 08:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2009/01/06 05:46:14 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2009/01/06 05:46:14 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\dllcache\agp440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

< MD5 for: ATAPI.SYS >
[2004/08/04 08:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2009/01/06 05:46:14 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2009/01/06 05:46:14 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/03 23:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2004/08/04 08:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0006\DriverFiles\i386\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 20:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 20:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/04 08:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2004/08/04 08:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/04 08:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 20:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 20:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2009/01/05 21:37:49 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2009/01/05 21:37:49 | 000,659,456 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2009/01/05 21:37:49 | 000,876,544 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

========== Alternate Data Streams ==========

@Alternate Data Stream - 114 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:8C8C964A
@Alternate Data Stream - 105 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1
@Alternate Data Stream - 103 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0A096EB2
< End of report >

#8 oldman960

Forum God

Retired Classroom Teacher
14,770 posts

Posted 20 March 2010 - 03:44 AM

Hi ladyixnay,

I'll have to update that FDD link, thanks.

Let's remove what we can see then try to download a program directly to the infected computer.

On the clean computer create this fix in a notepad and transfer it to the infected computer.

Open a new Notepad session

Click the Start button, click run
in the run box type notepad
click ok
In the notepad, Click "Format" and be certain that Word Wrap is not checked.
Copy and paste all the text in the code box below into the Notepad. Do Not copy the word CODE,
please note the fix starts with the :

:Services
:OTL
DRV - [2009/02/09 09:10:48 | 000,032,768 | ---- | M] (PGWARE LLC) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\imapioko.sys -- (apto6ko)
SRV - [2009/02/09 09:10:48 | 000,120,320 | ---- | M] (EMC Corporation) [Auto | Running] -- C:\WINDOWS\system32\erokosvc.dll -- (cpqoko6)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O20 - AppInit_DLLs: (kgehwv.dll) - File not found
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2010/03/14 19:51:42 | 000,001,179 | ---- | M] () -- C:\WINDOWS\fs1235.dat1
[2010/03/14 19:31:08 | 000,000,001 | ---- | M] () -- C:\WINDOWS\lgo
[2010/03/14 19:31:07 | 000,000,002 | ---- | M] () -- C:\Documents and Settings\Dad\Local Settings\Application Data\010112010146111103.xxe
[2010/03/14 19:25:00 | 000,000,001 | ---- | M] () -- C:\WINDOWS\ligh
[2010/03/14 19:24:51 | 000,068,096 | -H-- | M] () -- C:\WINDOWS\bill103.exe

:Commands
[emptytemp]
[Reboot]

In the notepad

Click File, Save as..., and set the Save in to your flashdrive
In the filename box, type including the "" marks) "Otlfix.txt"
Click save

On the infected computer,

Next, Double click on OTL.exe

Under the Custom Scans/Fixes box at the bottom, paste in the text from the Otlfix notepad you previously made.

Then click the Run Fix button at the top

Let the program run unhindered
Please save the resulting log to be posted in your next reply.

Next

Download and save to your desktop Malwarebytes Anti-Malware

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Next

Double click on OTL.exe to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output
UNCheck the boxes beside LOP Check and Purity Check.
In the Extra Registry section, change it to All
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.

When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt (you didn't post it in your last reply).

You should be able to post from the infected computer.

Please post back with

OTL fix log
MBAM log
both OTL logs from the OTL scan.

How is the computer?

Thanks

Microsoft MVP 2011-2015

Threads will be closed if no response after 5 days.

#9 ladyixnay

Authentic Member

Authentic Member
87 posts

Posted 20 March 2010 - 09:49 AM

OTL logfile created on: 3/20/2010 11:45:00 AM - Run 4
OTL by OldTimer - Version 3.1.37.3 Folder = C:\Documents and Settings\Dad\Desktop\gmer
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,022.00 Mb Total Physical Memory | 657.00 Mb Available Physical Memory | 64.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 92.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.26 Gb Total Space | 18.50 Gb Free Space | 49.65% Space Free | Partition Type: NTFS
Drive D: | 14.32 Gb Total Space | 6.05 Gb Free Space | 42.27% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: JEFF
Current User Name: Dad
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Dad\Desktop\gmer\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\AVG\AVG9\avgchsvx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG9\avgnsx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG9\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\DNA\btdna.exe (BitTorrent, Inc.)
PRC - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (Yahoo! Inc.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe (Executive Software International, Inc.)

========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Dad\Desktop\gmer\OTL.exe (OldTimer Tools)

========== Win32 Services (SafeList) ==========

SRV - (avg9wd) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
SRV - (Lavasoft Ad-Aware Service) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft)
SRV - (YahooAUService) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (Yahoo! Inc.)
SRV - (Diskeeper) -- C:\Program Files\Executive Software\DiskeeperLite\DKService.exe (Executive Software International, Inc.)

========== Driver Services (SafeList) ==========

DRV - (Lbd) -- C:\WINDOWS\system32\DRIVERS\Lbd.sys (Lavasoft AB)
DRV - (xusb21) -- C:\WINDOWS\system32\drivers\xusb21.sys (Microsoft Corporation)
DRV - (nv) -- C:\WINDOWS\system32\drivers\nv4_mini.sys (NVIDIA Corporation)
DRV - (RTL8023) -- C:\WINDOWS\system32\drivers\GA311ND5.SYS (Realtek Semiconductor Corporation )
DRV - (LANPkt) -- C:\WINDOWS\system32\drivers\LANPkt.sys (Windows ® 2000 DDK provider)
DRV - (Diag69xp) -- C:\WINDOWS\system32\drivers\diag69xp.sys (Realtek Semiconductor Corporation)
DRV - (bcm4sbxp) -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys (Broadcom Corporation)
DRV - (OMCI) -- C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS (Dell Computer Corporation)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://amyost.homestead.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://amyost.homestead.com/"

FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/01/22 13:42:17 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/01/25 12:18:49 | 000,000,000 | ---D | M]

[2009/01/06 22:30:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dad\Application Data\Mozilla\Extensions
[2010/03/19 15:40:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\3zqtl4ny.default\extensions
[2009/09/01 16:12:51 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\3zqtl4ny.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2008/12/12 14:23:54 | 000,002,158 | ---- | M] () -- C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\3zqtl4ny.default\searchplugins\MySpace.xml
[2010/03/19 15:40:17 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2008/09/03 20:11:24 | 000,054,600 | ---- | M] (BitTorrent, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npbittorrent.dll

O1 HOSTS File: ([2009/07/02 10:21:33 | 000,316,719 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 10868 more lines...
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O4 - HKLM..\Run: [AVG9_TRAY] C:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKCU..\Run: [BitTorrent DNA] C:\Program Files\DNA\btdna.exe (BitTorrent, Inc.)
O4 - HKCU..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 36
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = FF FF FF FF [binary data]
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} http://pcpitstop.com...t/PCPitStop.CAB (PCPitstop Utility)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.micr...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.micros...b?1233743462062 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/01/06 02:52:54 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2010/03/19 20:33:02 | 000,000,000 | RHSD | M] - C:\autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2010/03/19 20:33:02 | 000,000,000 | RHSD | M] - D:\autorun.inf -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/03/20 11:26:37 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/03/20 11:23:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dad\Desktop\gmer
[2010/03/19 20:33:02 | 000,000,000 | RHSD | C] -- C:\autorun.inf
[2010/03/15 22:14:00 | 000,891,248 | ---- | C] (AVG Technologies) -- C:\Documents and Settings\Dad\Desktop\avg_free_stb_all_9_40_cnet.exe
[2010/03/15 16:13:25 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
[2010/03/15 16:11:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dad\Application Data\AVG8
[2010/03/15 16:11:27 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2010/03/15 16:04:22 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2010/03/15 16:04:22 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2010/03/15 16:04:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2010/03/15 16:01:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2010/03/14 21:32:33 | 000,064,288 | ---- | C] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys

========== Files - Modified Within 30 Days ==========

[2010/03/20 11:43:12 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/03/20 11:42:43 | 000,192,339 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2010/03/20 11:42:16 | 000,002,278 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/03/20 11:42:00 | 000,000,236 | ---- | M] () -- C:\WINDOWS\tasks\OGALogon.job
[2010/03/20 11:41:58 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/03/20 11:41:52 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/03/20 11:41:27 | 006,553,600 | -H-- | M] () -- C:\Documents and Settings\Dad\NTUSER.DAT
[2010/03/15 22:30:10 | 000,000,640 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/03/15 22:30:10 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/03/15 22:30:10 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2010/03/15 22:14:36 | 000,891,248 | ---- | M] (AVG Technologies) -- C:\Documents and Settings\Dad\Desktop\avg_free_stb_all_9_40_cnet.exe
[2010/03/15 16:13:22 | 000,000,867 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[2010/03/15 02:48:54 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Dad\ntuser.ini
[2010/03/14 09:06:43 | 000,435,260 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/03/14 09:06:43 | 000,068,156 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/03/14 09:06:42 | 000,512,960 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/03/10 17:43:09 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\Dad\My Documents\Adobe Reader 9.lnk
[2010/03/10 16:22:50 | 000,123,376 | ---- | M] () -- C:\Documents and Settings\Dad\Desktop\marilyn quiz aspie.pdf
[2010/03/09 21:03:56 | 000,451,261 | ---- | M] () -- C:\Documents and Settings\Dad\Desktop\wings-2010-03-1024x768.jpg
[2010/03/07 23:00:00 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\SmartDefrag.job
[2010/03/05 01:37:41 | 000,000,889 | ---- | M] () -- C:\Documents and Settings\Dad\Desktop\Shortcut to Wow.lnk
[2010/02/28 01:01:08 | 000,123,760 | ---- | M] () -- C:\Documents and Settings\Dad\Desktop\Jeffery Quiz.pdf
[2010/02/23 17:13:58 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK

========== Files Created - No Company Name ==========

[2010/03/19 17:54:36 | 000,015,880 | ---- | C] () -- C:\WINDOWS\System32\lsdelete.exe
[2010/03/15 16:13:22 | 000,000,867 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[2010/03/10 16:22:50 | 000,123,376 | ---- | C] () -- C:\Documents and Settings\Dad\Desktop\marilyn quiz aspie.pdf
[2010/03/09 21:03:49 | 000,451,261 | ---- | C] () -- C:\Documents and Settings\Dad\Desktop\wings-2010-03-1024x768.jpg
[2010/02/28 01:01:08 | 000,123,760 | ---- | C] () -- C:\Documents and Settings\Dad\Desktop\Jeffery Quiz.pdf
[2009/08/03 16:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/04/30 03:59:05 | 000,000,262 | ---- | C] () -- C:\WINDOWS\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
[2009/04/21 21:28:15 | 000,000,056 | RHS- | C] () -- C:\WINDOWS\System32\DA304519A8.sys
[2009/04/21 21:28:08 | 000,001,890 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2009/03/29 11:07:57 | 000,000,023 | ---- | C] () -- C:\WINDOWS\BlendSettings.ini
[2009/03/21 10:14:13 | 000,043,520 | ---- | C] () -- C:\WINDOWS\System32\CmdLineExt03.dll
[2009/03/01 18:33:20 | 000,230,752 | ---- | C] () -- C:\WINDOWS\patchw32.dll
[2009/03/01 18:33:20 | 000,118,176 | ---- | C] () -- C:\WINDOWS\patchw.dll
[2009/02/25 00:41:19 | 000,765,952 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2009/02/25 00:41:19 | 000,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2009/02/17 18:00:06 | 000,000,088 | RHS- | C] () -- C:\Documents and Settings\All Users\Application Data\A8194530DA.sys
[2009/02/17 18:00:05 | 000,001,890 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys
[2009/01/10 04:17:49 | 000,021,840 | ---- | C] () -- C:\WINDOWS\System32\SIntfNT.dll
[2009/01/10 04:17:49 | 000,017,212 | ---- | C] () -- C:\WINDOWS\System32\SIntf32.dll
[2009/01/10 04:17:49 | 000,012,067 | ---- | C] () -- C:\WINDOWS\System32\SIntf16.dll
[2009/01/09 02:44:53 | 000,003,584 | ---- | C] () -- C:\Documents and Settings\Dad\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/01/06 03:08:02 | 001,724,416 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2009/01/06 03:08:02 | 001,503,232 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2009/01/06 03:08:02 | 001,101,824 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2009/01/06 03:08:02 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2009/01/06 03:07:13 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2009/01/06 03:07:12 | 000,581,632 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 114 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:8C8C964A
@Alternate Data Stream - 105 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1
@Alternate Data Stream - 103 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0A096EB2
< End of report >

#10 ladyixnay

Authentic Member

Authentic Member
87 posts

Posted 20 March 2010 - 09:50 AM

OTL Extras logfile created on: 3/20/2010 11:45:00 AM - Run 4
OTL by OldTimer - Version 3.1.37.3 Folder = C:\Documents and Settings\Dad\Desktop\gmer
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,022.00 Mb Total Physical Memory | 657.00 Mb Available Physical Memory | 64.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 92.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.26 Gb Total Space | 18.50 Gb Free Space | 49.65% Space Free | Partition Type: NTFS
Drive D: | 14.32 Gb Total Space | 6.05 Gb Free Space | 42.27% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: JEFF
Current User Name: Dad
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Extra Registry (All) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.chm [@ = chm.file] -- C:\WINDOWS\hh.exe (Microsoft Corporation)
.cpl [@ = cplfile] -- C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\WINDOWS\System32\winhlp32.exe (Microsoft Corporation)
.hta [@ = htafile] -- C:\WINDOWS\System32\mshta.exe (Microsoft Corporation)
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)
.inf [@ = inffile] -- C:\WINDOWS\System32\NOTEPAD.EXE (Microsoft Corporation)
.ini [@ = inifile] -- C:\WINDOWS\System32\NOTEPAD.EXE (Microsoft Corporation)
.url [@ = InternetShortcut] -- C:\WINDOWS\system32\ieframe.DLL (Microsoft Corporation)
.js [@ = JSFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.jse [@ = JSEFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.reg [@ = regfile] -- C:\WINDOWS\regedit.exe (Microsoft Corporation)
.txt [@ = txtfile] -- C:\WINDOWS\System32\NOTEPAD.EXE (Microsoft Corporation)
.vbe [@ = VBEFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.vbs [@ = VBSFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.wsf [@ = WSFFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.wsh [@ = WSHFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [edit] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
batfile [open] -- "%1" %*
batfile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
chm.file [open] -- "C:\WINDOWS\hh.exe" %1 (Microsoft Corporation)
cmdfile [edit] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
cmdfile [open] -- "%1" %*
cmdfile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- winhlp32.exe %1 (Microsoft Corporation)
hlpfile [open] -- %SystemRoot%\System32\winhlp32.exe %1 (Microsoft Corporation)
htafile [open] -- C:\WINDOWS\system32\mshta.exe "%1" %* (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1 (Microsoft Corporation)
inffile [open] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
inffile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
inifile [open] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
inifile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
InternetShortcut [open] -- "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
jsfile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
jsfile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
jsfile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
jsefile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
jsefile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
jsefile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [edit] -- %SystemRoot%\system32\NOTEPAD.EXE %1 (Microsoft Corporation)
regfile [open] -- regedit.exe "%1" (Microsoft Corporation)
regfile [merge] -- Reg Error: Key error.
regfile [print] -- %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
txtfile [open] -- %SystemRoot%\system32\NOTEPAD.EXE %1 (Microsoft Corporation)
txtfile [print] -- %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
txtfile [printto] -- %SystemRoot%\system32\notepad.exe /pt "%1" "%2" "%3" "%4" (Microsoft Corporation)
vbefile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
vbefile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
vbefile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
vbsfile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
vbsfile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
vbsfile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
wsffile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
wsffile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
wsffile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
wshfile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~2\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 1
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22002
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\DNA\btdna.exe" = C:\Program Files\DNA\btdna.exe:*:Enabled:DNA -- (BitTorrent, Inc.)
"C:\Program Files\BitTorrent\bittorrent.exe" = C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent -- (BitTorrent, Inc.)
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE" = C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE" = C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote -- (Microsoft Corporation)
"C:\Program Files\Ventrilo\Ventrilo.exe" = C:\Program Files\Ventrilo\Ventrilo.exe:*:Enabled:Ventrilo.exe -- (Flagship Industries, Inc.)
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- (Yahoo! Inc.)
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\AVG\AVG9\avgupd.exe" = C:\Program Files\AVG\AVG9\avgupd.exe:*:Enabled:avgupd.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG9\avgnsx.exe" = C:\Program Files\AVG\AVG9\avgnsx.exe:*:Enabled:avgnsx.exe -- (AVG Technologies CZ, s.r.o.)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{01501EBA-EC35-4F9F-8889-3BE346E5DA13}" = MSXML4 Parser
"{0AAA9C97-74D4-47CE-B089-0B147EF3553C}" = Windows Live Messenger
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83216012FF}" = Java™ 6 Update 17
"{2D87E961-577B-492B-AD54-1368680FB9A7}" = Bing Maps 3D
"{338F08AB-C262-42C7-B000-34DE1A475273}" = Ad-Aware Email Scanner for Outlook
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35CB6715-41F8-4F99-8881-6FC75BF054B0}" = Oblivion
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{52504CE6-E909-4113-B232-4AFEC6543A61}" = Broadcom 440x 10/100 Integrated Controller
"{6D8D64BE-F500-55B6-705D-DFD08AFE0624}" = Acrobat.com
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{789289CA-F73A-4A16-A331-54D498CE069F}" = Ventrilo Client
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Extreme Graphics Driver
"{8FFC5648-FAF8-43A3-BC8F-42BA1E275C4E}" = Choice Guard
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISE_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9559F7CA-5E34-4237-A2D9-D856464AD727}" = Project64 1.6
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A3F60446-48FB-48A8-B5FC-BB3430AEF806}" = Diskeeper Lite
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.1
"{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{BEF3EFE7-5159-436D-9BF0-CCC633179EB4}" = EVGA Display Driver
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C6CA8874-5F22-4AF0-9BE3-016BF299C536}" = Windows Live Essentials
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D78653C3-A8FF-415F-92E6-D774E634FF2D}" = Dell ResourceCD
"{DBD40476-78A4-4738-86B4-A5FB8807946D}" = NETGEAR GA311 Gigabit Adapter
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"Ad-Aware" = Ad-Aware
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"AVG9Uninstall" = AVG Free 9.0
"Diablo II" = Diablo II
"Download Manager" = Download Manager 2.3.8
"ENTERPRISE" = Microsoft Office Enterprise 2007
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{52504CE6-E909-4113-B232-4AFEC6543A61}" = Broadcom 440x 10/100 Integrated Controller
"InstallShield_{DBD40476-78A4-4738-86B4-A5FB8807946D}" = NETGEAR GA311 Smart Wizard Utility
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.6)" = Mozilla Firefox (3.6)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"RPG Maker VX 1.02" = RPG Maker VX 1.02
"RPG Maker VX RTP =XWareM2 Group=_is1" = RPG Maker VX RTP
"Wdf01007" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Xvid_is1" = Xvid 1.1.3 final uninstall
"Yahoo! Messenger" = Yahoo! Messenger
"Yahoo! Software Update" = Yahoo! Software Update

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"BitTorrent" = BitTorrent
"BitTorrent DNA" = DNA

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 9/11/2009 9:14:51 AM | Computer Name = JEFF | Source = | ID = 0
Description =

Error - 9/11/2009 10:23:00 AM | Computer Name = JEFF | Source = | ID = 0
Description =

Error - 9/12/2009 10:57:52 AM | Computer Name = JEFF | Source = | ID = 0
Description =

Error - 9/13/2009 2:40:37 PM | Computer Name = JEFF | Source = | ID = 0
Description =

Error - 9/13/2009 9:56:55 PM | Computer Name = JEFF | Source = | ID = 0
Description =

Error - 9/13/2009 9:56:55 PM | Computer Name = JEFF | Source = | ID = 0
Description =

Error - 9/13/2009 9:56:55 PM | Computer Name = JEFF | Source = | ID = 0
Description =

Error - 9/14/2009 6:05:12 PM | Computer Name = JEFF | Source = | ID = 0
Description =

Error - 11/27/2009 2:39:07 PM | Computer Name = JEFF | Source = MsiInstaller | ID = 11500
Description = Product: Java™ 6 Update 17 -- Error 1500.Another installation is
in progress. You must complete that installation before continuing this one.

Error - 11/27/2009 2:57:13 PM | Computer Name = JEFF | Source = .NET Runtime Optimization Service | ID = 1101
Description = .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32)
- Failed to compile: System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
. Error code = 0x800706be

[ System Events ]
Error - 3/19/2010 10:03:27 PM | Computer Name = JEFF | Source = Service Control Manager | ID = 7023
Description = The captcha service terminated with the following error: %%126

Error - 3/20/2010 10:47:03 AM | Computer Name = JEFF | Source = Service Control Manager | ID = 7023
Description = The captcha service terminated with the following error: %%126

Error - 3/20/2010 11:26:37 AM | Computer Name = JEFF | Source = Service Control Manager | ID = 7034
Description = The Diskeeper service terminated unexpectedly. It has done this 1
time(s).

Error - 3/20/2010 11:26:37 AM | Computer Name = JEFF | Source = Service Control Manager | ID = 7034
Description = The NVIDIA Display Driver Service service terminated unexpectedly.
It has done this 1 time(s).

Error - 3/20/2010 11:26:37 AM | Computer Name = JEFF | Source = Service Control Manager | ID = 7034
Description = The Yahoo! Updater service terminated unexpectedly. It has done this
1 time(s).

Error - 3/20/2010 11:26:37 AM | Computer Name = JEFF | Source = Service Control Manager | ID = 7031
Description = The AVG Free WatchDog service terminated unexpectedly. It has done
this 1 time(s). The following corrective action will be taken in 0 milliseconds:
Restart the service.

Error - 3/20/2010 11:26:38 AM | Computer Name = JEFF | Source = Service Control Manager | ID = 7034
Description = The Java Quick Starter service terminated unexpectedly. It has done
this 1 time(s).

Error - 3/20/2010 11:31:25 AM | Computer Name = JEFF | Source = Service Control Manager | ID = 7023
Description = The captcha service terminated with the following error: %%126

Error - 3/20/2010 11:42:09 AM | Computer Name = JEFF | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC0000001'
while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring
the volume.

Error - 3/20/2010 11:42:15 AM | Computer Name = JEFF | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
IntelIde

< End of report >

Advertisements

Register to Remove

#11 ladyixnay

Authentic Member

Authentic Member
87 posts

Posted 20 March 2010 - 09:52 AM

NOTE: I am posting from infected pc, malwarebytes was already on here and would NOT update, but it did this time :-D Malwarebytes' Anti-Malware 1.44 Database version: 3888 Windows 5.1.2600 Service Pack 3 Internet Explorer 8.0.6001.18702 3/20/2010 11:40:08 AM mbam-log-2010-03-20 (11-40-08).txt Scan type: Quick Scan Objects scanned: 120468 Time elapsed: 4 minute(s), 12 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 2 Registry Values Infected: 2 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 1 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cpqoko6 (Worm.KoobFace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\captcha (Worm.KoobFace) -> Quarantined and deleted successfully. Registry Values Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\tapisrvs (Worm.KoobFace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\captcha (Worm.KoobFace) -> Quarantined and deleted successfully. Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: C:\WINDOWS\system32\erokosvc.dll (Worm.KoobFace) -> Quarantined and deleted successfully.

#12 oldman960

Forum God

Retired Classroom Teacher
14,770 posts

Posted 20 March 2010 - 01:48 PM

Hi ladyixnay,

bittorrent and DNA
You have bittorrent and DNA, P2P/file sharing programs installed on your computer. P2P applications like it are the largest source of malware we see. You'll be doing yourself a favor by removing it.

References for the risk of these programs can be found in these links:
http://www.microsoft...protection.mspx

http://www.internetw...cles/art053.htm

I would recommend that you uninstall bittorrent and DNA, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.

Please open Windows Explorer (right click your start button and click explore)

Navigate to this folder C:\_OTL\MovedFiles
In the right hand panel look for a file with a name that consists of numbers and has a .log extention. Yours wll be similar to 03202010 1040XX.log
It will open with notepad, please post it's contents in your next reply.

Please give me an update on the computer's behavior and post the requested log.

Thanks

Microsoft MVP 2011-2015

Threads will be closed if no response after 5 days.

#13 ladyixnay

Authentic Member

Authentic Member
87 posts

Posted 20 March 2010 - 06:42 PM

So far so good on the PC. I looked for the Bittorrent and DNA in "add remove programs" and could not find it. I will do a search for them later (when I have more time) In the meantime I am posting the log... All processes killed ========== SERVICES/DRIVERS ========== ========== OTL ========== Error: Unable to stop service apto6ko! Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\apto6ko deleted successfully. C:\WINDOWS\system32\drivers\imapioko.sys moved successfully. Error: Unable to stop service cpqoko6! Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cpqoko6 deleted successfully. C:\WINDOWS\system32\erokosvc.dll moved successfully. Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ not found. Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:kgehwv.dll deleted successfully. C:\WINDOWS\002871_.tmp deleted successfully. C:\WINDOWS\SET3.tmp deleted successfully. C:\WINDOWS\SET4.tmp deleted successfully. C:\WINDOWS\SET8.tmp deleted successfully. C:\WINDOWS\System32\CONFIG.TMP deleted successfully. C:\WINDOWS\fs1235.dat1 moved successfully. C:\WINDOWS\lgo moved successfully. C:\Documents and Settings\Dad\Local Settings\Application Data\010112010146111103.xxe moved successfully. C:\WINDOWS\ligh moved successfully. C:\WINDOWS\bill103.exe moved successfully. ========== COMMANDS ========== [EMPTYTEMP] User: All Users User: Dad ->Temp folder emptied: 2581860 bytes ->Temporary Internet Files folder emptied: 4159544 bytes ->Java cache emptied: 80045156 bytes ->FireFox cache emptied: 43206257 bytes ->Flash cache emptied: 585102 bytes User: Default User ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 33170 bytes User: LocalService ->Temp folder emptied: 66016 bytes ->Temporary Internet Files folder emptied: 33170 bytes User: NetworkService ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 33170 bytes %systemdrive% .tmp files removed: 0 bytes %systemroot% .tmp files removed: 0 bytes %systemroot%\System32 .tmp files removed: 0 bytes %systemroot%\System32\dllcache .tmp files removed: 0 bytes %systemroot%\System32\drivers .tmp files removed: 0 bytes Windows Temp folder emptied: 5929815 bytes %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 10949450 bytes %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes RecycleBin emptied: 0 bytes Total Files Cleaned = 141.00 mb OTL by OldTimer - Version 3.1.37.3 log created on 03202010_112637 Files\Folders moved on Reboot... Registry entries deleted on Reboot...

Edited by ladyixnay, 20 March 2010 - 06:43 PM.

#14 oldman960

Forum God

Retired Classroom Teacher
14,770 posts

Posted 20 March 2010 - 06:54 PM

Hi ladyixnay,

Please read through these instructions to familarize yourself with what to expect when this tool runs

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Please post the combofix log.

Thanks

Microsoft MVP 2011-2015

Threads will be closed if no response after 5 days.

#15 ladyixnay

Authentic Member

Authentic Member
87 posts

Posted 20 March 2010 - 07:43 PM

ComboFix 10-03-20.01 - Dad 03/20/2010 21:30:22.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.386 [GMT -4:00]
Running from: c:\documents and settings\Dad\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\patchw.dll
c:\windows\system32\SIntf16.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CAPTCHA

((((((((((((((((((((((((( Files Created from 2010-02-21 to 2010-03-21 )))))))))))))))))))))))))))))))
.

2010-03-20 17:14 . 2010-03-20 17:14 360584 -c--a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2010-03-20 17:14 . 2010-03-20 17:14 333192 -c--a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgldx86.sys
2010-03-20 17:14 . 2010-03-20 17:14 28424 -c--a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgmfx86.sys
2010-03-20 17:14 . 2010-03-20 17:14 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-20 17:12 . 2010-03-20 17:09 1658136 -c--a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2010-03-20 17:12 . 2010-03-20 17:09 1007896 -c--a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2010-03-20 17:12 . 2010-03-20 17:09 800536 -c--a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avginet.dll
2010-03-20 17:12 . 2010-03-20 17:09 613656 -c--a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe
2010-03-20 17:10 . 2010-03-20 17:14 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-20 17:10 . 2010-03-20 17:14 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-20 17:10 . 2010-03-20 17:14 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-03-20 17:10 . 2010-03-20 17:10 -------- d-----w- c:\windows\system32\drivers\Avg
2010-03-20 16:28 . 2010-03-20 16:28 -------- d-sh--w- c:\documents and settings\Dad\UserData
2010-03-20 16:22 . 2010-03-20 16:23 885736 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2010-03-20 16:22 . 2010-03-20 16:22 566608 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\sbap.dll
2010-03-20 16:22 . 2010-03-20 16:22 15880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2010-03-20 16:22 . 2010-03-20 16:22 210552 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2010-03-20 16:22 . 2010-03-20 16:22 393896 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2010-03-20 16:22 . 2010-03-20 16:22 565392 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\aawapi.dll
2010-03-20 16:22 . 2010-03-20 16:22 221920 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\VipreBridge.dll
2010-03-20 16:21 . 2010-03-20 16:21 430496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2010-03-20 16:21 . 2010-03-20 16:21 167312 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2010-03-20 16:21 . 2010-03-20 16:21 1230160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBTE.dll
2010-03-20 16:21 . 2010-03-20 16:21 247120 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBRE.dll
2010-03-20 16:20 . 2010-03-20 16:21 6330848 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2010-03-20 16:20 . 2010-03-20 16:20 329560 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2010-03-20 16:20 . 2010-03-20 16:20 94712 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2010-03-20 16:20 . 2010-03-20 16:20 17480 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\EmailScannerBridge.dll
2010-03-20 16:18 . 2010-03-20 16:18 966104 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2010-03-20 16:17 . 2010-03-20 16:18 848160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2010-03-20 16:17 . 2010-03-20 16:17 855352 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2010-03-20 16:16 . 2010-03-20 16:17 1597440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2010-03-20 16:16 . 2010-03-20 16:16 818256 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2010-03-20 16:16 . 2010-03-20 16:16 1263728 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2010-03-20 15:26 . 2010-03-20 15:26 -------- dc----w- C:\_OTL
2010-03-19 21:54 . 2010-02-04 15:52 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-03-15 20:13 . 2010-03-15 20:13 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-03-15 20:13 . 2010-02-04 15:53 2954656 -c--a-w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2010-03-15 01:32 . 2010-02-04 15:53 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-20 17:09 . 2010-02-10 18:47 -------- dc----w- c:\documents and settings\All Users\Application Data\avg9
2010-03-15 01:31 . 2010-02-02 13:33 -------- d-----w- c:\program files\Lavasoft
2010-03-15 01:31 . 2009-01-14 22:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-03-11 07:39 . 2009-02-10 21:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-02-18 00:52 . 2010-02-18 00:52 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-02-10 18:47 . 2009-01-14 22:58 -------- d-----w- c:\program files\AVG
2010-01-25 16:19 . 2009-07-03 17:10 -------- dc----w- c:\documents and settings\All Users\Application Data\NOS
2010-01-24 23:40 . 2010-01-24 23:40 -------- dc----w- c:\documents and settings\All Users\Application Data\McAfee
2010-01-24 23:40 . 2010-01-24 23:40 -------- dc----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
2010-01-23 17:31 . 2010-01-23 17:31 -------- dc----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-01-23 17:31 . 2010-01-23 17:31 -------- d-----w- c:\documents and settings\Dad\Application Data\Office Genuine Advantage
2010-01-22 17:39 . 2010-01-22 17:36 -------- d-----w- c:\program files\Virtual Earth 3D
2010-01-22 17:36 . 2009-01-06 09:35 70496 -c--a-w- c:\documents and settings\Dad\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-21 16:44 . 2009-12-20 16:25 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-10 22:43 . 2009-01-11 21:52 5115824 -c--a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-07 21:07 . 2009-01-06 22:32 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07 . 2009-01-06 22:32 19160 -c--a-w- c:\windows\system32\drivers\mbam.sys
2010-01-04 18:17 . 2009-02-17 22:00 1890 -csha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-01-04 18:17 . 2009-02-17 22:00 1890 -csha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-01-04 18:06 . 2009-02-17 22:00 88 -csh--r- c:\documents and settings\All Users\Application Data\A8194530DA.sys
2010-01-04 18:06 . 2009-02-17 22:00 88 -csh--r- c:\documents and settings\All Users\Application Data\A8194530DA.sys
2009-12-31 16:50 . 2004-08-04 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-04-22 01:30 . 2009-04-22 01:28 56 -csh--r- c:\windows\system32\DA304519A8.sys
2009-04-30 16:00 . 2009-04-22 01:28 1890 -csha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-18 86016]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-18 13574144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-20 17:14 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GA311 Smart Wizard Utility.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\GA311 Smart Wizard Utility.lnk
backup=c:\windows\pss\GA311 Smart Wizard Utility.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 15:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ose"=3 (0x3)
"odserv"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/14/2010 9:32 PM 64288]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [3/20/2010 1:10 PM 216200]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [3/20/2010 1:10 PM 242696]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/20/2010 1:14 PM 308064]
R2 LANPkt;Realtek LANPkt Protocol;c:\windows\system32\drivers\LANPkt.sys [9/17/2003 4:57 PM 8440]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 11:52 AM 1263728]
S3 Diag69xp;Diag69xp;c:\windows\system32\drivers\diag69xp.sys [8/15/2003 3:55 AM 11237]
S3 jfdcd;jfdcd;\??\c:\docume~1\Dad\LOCALS~1\Temp\jfdcd.sys --> c:\docume~1\Dad\LOCALS~1\Temp\jfdcd.sys [?]
S3 XDva226;XDva226;\??\c:\windows\system32\XDva226.sys --> c:\windows\system32\XDva226.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-03-20 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 16:17]

2010-03-21 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 20:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://amyost.homestead.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Dad\Application Data\Mozilla\Firefox\Profiles\3zqtl4ny.default\
FF - prefs.js: browser.startup.homepage - hxxp://amyost.homestead.com/
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-igndlm.exe - c:\program files\Download Manager\DLM.exe
MSConfigStartUp-CTFMON - (no file)
AddRemove-Download Manager - c:\program files\Download Manager\uninst.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-20 21:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(4076)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\hnetcfg.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Executive Software\DiskeeperLite\DKService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Completion time: 2010-03-20 21:40:18 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-21 01:40

Pre-Run: 19,219,238,912 bytes free
Post-Run: 19,379,134,464 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - C2F9AE5FB0FC2BDCF1A7770F70D7088C

Body Background

skin color theme