Jump to content

TSPY_ZBOT.CJA


Recommended Posts

I think that i am infected with this. I seached the url of the fake chase bank log on page and got a hit from trend micro and thats what it said. See

http://threatinfo.trendmicro.com/vinfo/gra...JA&VSect=Td

Fake page

https://mfasa.chase.com/auth/fcc/login

Help

Malwarebytes and spybot dont find anything but a couple of related files i.e. partiel fix

Link to post
Share on other sites

Hello The Winner

Welcome to Malwarebytes.

=====================

  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Under Custom scan's and fixes section paste in the below in bold


    %SYSTEMDRIVE%\*.exe

    /md5start

    eventlog.dll

    scecli.dll

    netlogon.dll

    cngaudit.dll

    sceclt.dll

    ntelogon.dll

    logevent.dll

    iaStor.sys

    nvstor.sys

    atapi.sys

    IdeChnDr.sys

    viasraid.sys

    AGP440.sys

    vaxscsi.sys

    nvatabus.sys

    viamraid.sys

    nvata.sys

    nvgts.sys

    iastorv.sys

    ViPrt.sys

    eNetHook.dll

    ahcix86.sys

    KR10N.sys

    nvstor32.sys

    ahcix86s.sys

    nvrd32.sys

    /md5stop

    %systemroot%\*. /mp /s

    CREATERESTOREPOINT

    %systemroot%\system32\*.dll /lockedfiles

    %systemroot%\Tasks\*.job /lockedfiles


  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.

====================

Download the following GMER Rootkit Scanner from Here

  • Download the randomly named EXE file to your Desktop. Remember what its name is since it is randomly named.
  • Double click on the new random named exe file you downloaded and run it. If prompted about the Security Warning and Unknown Publisher go ahead and click on Run
  • It may take a minute to load and become available.
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED


  • Sections

  • IAT/EAT

  • Drives/Partition other than Systemdrive (typically only C:\ should be checked)

  • Show All (don't miss this one)


  • Then click the Scan button & wait for it to finish.
  • Once done click on the [save..] button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop
  • **Caution** Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries
  • Click OK and quit the GMER program.
  • Note: On Firefox you need to go to Tools/Options/Main then under the Downloads section, click on Always ask me where to save files so that you can choose the name and where to save to, in this case your Desktop.
  • Post that log in your next reply.

Link to post
Share on other sites

Thanks for the help. I could not download the rootkit scanner as this error occured

internet explorer cannot download j9ovmqqi.exe from www2.gmer.net. an internal error occured in the microsoft internet extensions.

Results of the otl scan are:

OTL logfile created on: 1/12/2010 9:40:29 AM - Run 1

OTL by OldTimer - Version 3.1.24.0 Folder = C:\Documents and Settings\Kevin Lineberger\Desktop

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 7.0.5730.13)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 76.00% Memory free

4.00 Gb Paging File | 4.00 Gb Available in Paging File | 92.00% Paging File free

Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 233.75 Gb Total Space | 218.82 Gb Free Space | 93.61% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: KEVIN-ODAMRQIFP

Current User Name: Kevin Lineberger

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Kevin Lineberger\Desktop\OTL.exe (OldTimer Tools)

PRC - C:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)

PRC - C:\Program Files\AVG\AVG9\avgnsx.exe (AVG Technologies CZ, s.r.o.)

PRC - C:\Program Files\AVG\AVG9\avgrsx.exe (AVG Technologies CZ, s.r.o.)

PRC - C:\Program Files\AVG\AVG9\avgchsvx.exe (AVG Technologies CZ, s.r.o.)

PRC - C:\Program Files\AVG\AVG9\avgcsrvx.exe (AVG Technologies CZ, s.r.o.)

PRC - C:\Program Files\AVG\AVG9\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)

PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)

PRC - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe (Linksys)

PRC - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe (GEMTEKS)

PRC - C:\WINDOWS\system32\ati2evxx.exe ()

PRC - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe (Analog Devices, Inc.)

PRC - C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb06.exe (HP)

========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Kevin Lineberger\Desktop\OTL.exe (OldTimer Tools)

========== Win32 Services (SafeList) ==========

SRV - (WMP54GSSVC) -- File not found

SRV - (avg9wd) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)

SRV - (gusvc) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (Google)

SRV - (gupdate1c99aa7edb6a71a) Google Update Service (gupdate1c99aa7edb6a71a) -- C:\Program Files\Google\Update\GoogleUpdate.exe (Google Inc.)

SRV - (TermService) -- C:\WINDOWS\system32\termsrv32.dll (Microsoft Corporation)

SRV - (WinDefend) -- C:\Program Files\Windows Defender\MsMpEng.exe (Microsoft Corporation)

SRV - (ATI Smart) -- C:\WINDOWS\system32\ati2sgag.exe ()

SRV - (Ati HotKey Poller) -- C:\WINDOWS\system32\ati2evxx.exe ()

SRV - (NetSvc) -- C:\Program Files\Intel\NCS\Sync\NetSvc.exe (Intel® Corporation)

SRV - (SoundMAX Agent Service (default)) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe (Analog Devices, Inc.)

========== Driver Services (SafeList) ==========

DRV - (AvgTdiX) -- C:\WINDOWS\System32\Drivers\avgtdix.sys (AVG Technologies CZ, s.r.o.)

DRV - (AvgLdx86) -- C:\WINDOWS\System32\Drivers\avgldx86.sys (AVG Technologies CZ, s.r.o.)

DRV - (AvgMfx86) -- C:\WINDOWS\System32\Drivers\avgmfx86.sys (AVG Technologies CZ, s.r.o.)

DRV - (AegisP) AEGIS Protocol (IEEE 802.1x) -- C:\WINDOWS\system32\drivers\AegisP.sys (Meetinghouse Data Communications)

DRV - (Secdrv) -- C:\WINDOWS\system32\drivers\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)

DRV - (BCM42RLY) -- C:\WINDOWS\system32\bcm42rly.sys (Broadcom Corporation)

DRV - (BCM43XX) -- C:\WINDOWS\system32\drivers\BCMWL5.SYS (Broadcom Corporation)

DRV - (atinrvxx) -- C:\WINDOWS\system32\drivers\atinrvxx.sys (ATI Technologies Inc.)

DRV - (MVDCODEC) -- C:\WINDOWS\system32\drivers\atinmdxx.sys (ATI Technologies Inc.)

DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)

DRV - (GTNDIS5) -- C:\WINDOWS\system32\GTNDIS5.sys (Printing Communications Assoc., Inc. (PCAUSA))

DRV - (smwdm) -- C:\WINDOWS\system32\drivers\smwdm.sys (Analog Devices, Inc.)

DRV - (E1000) Intel® -- C:\WINDOWS\system32\drivers\e1000325.sys (Intel Corporation)

DRV - (NAL) -- C:\WINDOWS\system32\drivers\iqvw32.sys (Intel Corporation )

DRV - (aeaudio) -- C:\WINDOWS\system32\drivers\aeaudio.sys (Andrea Electronics Corporation)

DRV - (EIO) -- C:\WINDOWS\system32\drivers\EIO.sys (ASUSTeK Computer Inc.)

DRV - (MidiSyn) -- C:\WINDOWS\system32\drivers\MidiSyn.sys (Analog Devices Inc)

DRV - (Ptilink) -- C:\WINDOWS\system32\drivers\ptilink.sys (Parallel Technologies, Inc.)

DRV - (HCF_MSFT) -- C:\WINDOWS\system32\drivers\HCF_MSFT.sys (Conexant)

DRV - (aslm75) -- C:\WINDOWS\system32\drivers\ASLM75.SYS ()

========== Standard Registry (All) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/

IE - HKCU\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()

IE - HKCU\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1

O1 HOSTS File: (371817 bytes) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O1 - Hosts: 127.0.0.1 www.007guard.com

O1 - Hosts: 127.0.0.1 007guard.com

O1 - Hosts: 127.0.0.1 008i.com

O1 - Hosts: 127.0.0.1 www.008k.com

O1 - Hosts: 127.0.0.1 008k.com

O1 - Hosts: 127.0.0.1 www.00hq.com

O1 - Hosts: 127.0.0.1 00hq.com

O1 - Hosts: 127.0.0.1 010402.com

O1 - Hosts: 127.0.0.1 www.032439.com

O1 - Hosts: 127.0.0.1 032439.com

O1 - Hosts: 127.0.0.1 www.0scan.com

O1 - Hosts: 127.0.0.1 0scan.com

O1 - Hosts: 127.0.0.1 1000gratisproben.com

O1 - Hosts: 127.0.0.1 www.1000gratisproben.com

O1 - Hosts: 127.0.0.1 1001namen.com

O1 - Hosts: 127.0.0.1 www.1001namen.com

O1 - Hosts: 127.0.0.1 100888290cs.com

O1 - Hosts: 127.0.0.1 www.100888290cs.com

O1 - Hosts: 127.0.0.1 www.100sexlinks.com

O1 - Hosts: 127.0.0.1 100sexlinks.com

O1 - Hosts: 127.0.0.1 10sek.com

O1 - Hosts: 127.0.0.1 www.10sek.com

O1 - Hosts: 127.0.0.1 www.1-2005-search.com

O1 - Hosts: 127.0.0.1 1-2005-search.com

O1 - Hosts: 12818 more lines...

O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)

O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)

O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)

O2 - BHO: (AVG Security Toolbar BHO) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()

O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (Google Inc.)

O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()

O3 - HKCU\..\Toolbar\ShellBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)

O3 - HKCU\..\Toolbar\WebBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)

O3 - HKCU\..\Toolbar\WebBrowser: (&Links) - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)

O3 - HKCU\..\Toolbar\WebBrowser: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()

O4 - HKLM..\Run: [AVG9_TRAY] C:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)

O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb06.exe (HP)

O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)

O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)

O4 - HKCU..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableProfileQuota = 1

O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)

O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe (Microsoft Corporation)

O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\WINDOWS\system32\winrnr.dll (Microsoft Corporation)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O15 - HKLM\..Trusted Domains: 58 domain(s) and sub-domain(s) not assigned to a zone.

O15 - HKCU\..Trusted Domains: 57 domain(s) and sub-domain(s) not assigned to a zone.

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/2008.1...toUploader5.cab (Facebook Photo Uploader 5 Control)

O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} http://support.asus.com/common/asusTek_sys_ctrl.cab (asusTek_sysctrl Class)

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/...b?1209649555875 (WUWebControl Class)

O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} http://www.charter.net/files/charter/securitysuite/fscax.cab (F-Secure Online Scanner 3.3)

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 24.196.252.60 24.196.252.61

O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)

O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)

O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\gopher {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)

O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)

O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)

O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)

O18 - Protocol\Handler\ipp - No CLSID value found

O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)

O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)

O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)

O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)

O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)

O18 - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll (Microsoft Corporation)

O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\msdaipp - No CLSID value found

O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)

O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)

O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)

O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)

O18 - Protocol\Handler\sysimage {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)

O18 - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)

O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)

O18 - Protocol\Handler\wia {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll (Microsoft Corporation)

O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)

O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)

O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)

O18 - Protocol\Filter\Class Install Handler {32B533BB-EDAE-11d0-BD5A-00AA00B92AF1} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Filter\deflate {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Filter\gzip {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Filter\lzdhtml {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Filter\text/webviewhtml {733AC4CB-F1A4-11d0-B951-00A0C90312E1} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)

O20 - AppInit_DLLs: (boponase.dll) - File not found

O20 - AppInit_DLLs: (hagebuzi.dll) - File not found

O20 - AppInit_DLLs: (c:\windows\system32\kogigaha.dll) - C:\WINDOWS\System32\kogigaha.dll File not found

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)

O20 - HKLM Winlogon: UIHost - (logonui.exe) - C:\WINDOWS\System32\logonui.exe (Microsoft Corporation)

O20 - HKLM Winlogon: VMApplet - (rundll32 shell32) - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)

O20 - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") - C:\WINDOWS\System32\sysdm.cpl (Microsoft Corporation)

O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll ()

O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)

O20 - Winlogon\Notify\crypt32chain: DllName - crypt32.dll - C:\WINDOWS\System32\crypt32.dll (Microsoft Corporation)

O20 - Winlogon\Notify\cryptnet: DllName - cryptnet.dll - C:\WINDOWS\System32\cryptnet.dll (Microsoft Corporation)

O20 - Winlogon\Notify\cscdll: DllName - cscdll.dll - C:\WINDOWS\System32\cscdll.dll (Microsoft Corporation)

O20 - Winlogon\Notify\dimsntfy: DllName - %SystemRoot%\System32\dimsntfy.dll - C:\WINDOWS\system32\dimsntfy.dll (Microsoft Corporation)

O20 - Winlogon\Notify\ScCertProp: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)

O20 - Winlogon\Notify\Schedule: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)

O20 - Winlogon\Notify\sclgntfy: DllName - sclgntfy.dll - C:\WINDOWS\System32\sclgntfy.dll (Microsoft Corporation)

O20 - Winlogon\Notify\SensLogn: DllName - WlNotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)

O20 - Winlogon\Notify\termsrv: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)

O20 - Winlogon\Notify\WgaLogon: DllName - WgaLogon.dll - C:\WINDOWS\System32\WgaLogon.dll (Microsoft Corporation)

O20 - Winlogon\Notify\wlballoon: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)

O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)

O21 - SSODL: lumekikom - {656688b4-7be8-4ea5-8ee7-39d3185590e7} - CLSID or File not found.

O21 - SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)

O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\system32\stobject.dll (Microsoft Corporation)

O21 - SSODL: tebusuhil - {38e6f374-2362-49c6-89ee-4749ad5cb9fc} - CLSID or File not found.

O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\system32\webcheck.dll (Microsoft Corporation)

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll (Microsoft Corporation)

O22 - SharedTaskScheduler: {38e6f374-2362-49c6-89ee-4749ad5cb9fc} - mujuzedij - Reg Error: Key error. File not found

O22 - SharedTaskScheduler: {438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)

O22 - SharedTaskScheduler: {656688b4-7be8-4ea5-8ee7-39d3185590e7} - kupuhivus - Reg Error: Key error. File not found

O22 - SharedTaskScheduler: {8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)

O24 - Desktop Components:0 (My Current Home Page) - About:Home

O24 - Desktop WallPaper: C:\Documents and Settings\Kevin Lineberger\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O24 - Desktop BackupWallPaper: C:\Documents and Settings\Kevin Lineberger\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)

O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)

O29 - HKLM SecurityProviders - (msapsspc.dll) - C:\WINDOWS\System32\msapsspc.dll (Microsoft Corporation)

O29 - HKLM SecurityProviders - (schannel.dll) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)

O29 - HKLM SecurityProviders - (digest.dll) - C:\WINDOWS\System32\digest.dll (Microsoft Corporation)

O29 - HKLM SecurityProviders - (msnsspc.dll) - C:\WINDOWS\System32\msnsspc.dll (Microsoft Corporation)

O30 - LSA: Authentication Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)

O30 - LSA: Security Packages - (kerberos) - C:\WINDOWS\System32\kerberos.dll (Microsoft Corporation)

O30 - LSA: Security Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)

O30 - LSA: Security Packages - (schannel) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)

O30 - LSA: Security Packages - (wdigest) - C:\WINDOWS\System32\wdigest.dll (Microsoft Corporation)

O31 - SafeBoot: AlternateShell - cmd.exe

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2008/05/01 07:08:48 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O35 - comfile [open] -- "%1" %*

O35 - exefile [open] -- "%1" %*

CREATERESTOREPOINT

Restore point Set: OTL Restore Point (16892003295952896)

========== Files/Folders - Created Within 30 Days ==========

[2010/01/12 09:36:39 | 00,544,256 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Kevin Lineberger\Desktop\OTL.exe

[2010/01/11 14:24:58 | 00,000,000 | RH-D | C] -- C:\Documents and Settings\Kevin Lineberger\Recent

[2009/12/02 10:52:52 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft

[2009/12/02 10:52:52 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft

[2009/12/02 10:52:52 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft

[2009/12/02 10:52:52 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft

[2009/10/21 13:17:52 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Temp

[2009/03/02 22:24:47 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google

[2009/03/01 14:57:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google

[2008/06/16 00:55:03 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\PCHealth

[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/01/12 09:36:12 | 00,544,256 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Kevin Lineberger\Desktop\OTL.exe

[2010/01/12 09:32:28 | 00,456,772 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat

[2010/01/12 09:32:27 | 00,549,548 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI

[2010/01/12 09:32:27 | 00,083,604 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat

[2010/01/12 09:28:27 | 00,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job

[2010/01/12 09:28:26 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2010/01/12 09:28:04 | 00,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job

[2010/01/12 09:27:59 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT

[2010/01/12 09:27:55 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2010/01/12 07:31:15 | 06,815,744 | ---- | M] () -- C:\Documents and Settings\Kevin Lineberger\ntuser.dat

[2010/01/12 07:31:09 | 00,000,278 | -HS- | M] () -- C:\Documents and Settings\Kevin Lineberger\ntuser.ini

[2010/01/12 07:31:00 | 03,233,556 | -H-- | M] () -- C:\Documents and Settings\Kevin Lineberger\Local Settings\Application Data\IconCache.db

[2010/01/12 07:19:00 | 00,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job

[2010/01/11 18:19:41 | 47,719,466 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm

[2010/01/11 18:19:25 | 00,138,669 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg

[2010/01/11 15:25:31 | 00,000,613 | ---- | M] () -- C:\WINDOWS\win.ini

[2010/01/11 15:25:31 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini

[2010/01/11 15:25:31 | 00,000,211 | RHS- | M] () -- C:\boot.ini

[2010/01/08 14:01:36 | 00,002,473 | ---- | M] () -- C:\Documents and Settings\Kevin Lineberger\Desktop\Word.lnk

[2010/01/08 11:44:41 | 00,014,976 | ---- | M] () -- C:\Documents and Settings\Kevin Lineberger\My Documents\cc_20100108_114357.reg

[2010/01/08 11:42:04 | 00,001,548 | ---- | M] () -- C:\Documents and Settings\Kevin Lineberger\Desktop\CCleaner.lnk

[2010/01/08 11:37:00 | 00,371,817 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts

[2010/01/07 16:07:14 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys

[2010/01/07 16:07:04 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

[2010/01/02 12:42:39 | 00,371,233 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100108-113659.backup

[2009/12/21 19:22:06 | 00,001,915 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk

[2009/12/15 07:19:47 | 00,001,813 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk

[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/01/08 11:44:02 | 00,014,976 | ---- | C] () -- C:\Documents and Settings\Kevin Lineberger\My Documents\cc_20100108_114357.reg

[2009/12/21 19:22:06 | 00,001,915 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk

[2009/11/28 10:23:22 | 00,000,267 | ---- | C] () -- C:\WINDOWS\wininit.ini

[2009/07/18 08:38:44 | 00,014,592 | ---- | C] () -- C:\WINDOWS\System32\drivers\kbdhid.sys

[2009/07/18 07:40:03 | 00,651,264 | ---- | C] () -- C:\WINDOWS\System32\libeay32.dll

[2009/07/18 07:40:03 | 00,147,456 | ---- | C] () -- C:\WINDOWS\System32\ssleay32.dll

[2008/06/14 10:48:50 | 00,077,312 | ---- | C] () -- C:\Documents and Settings\Kevin Lineberger\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2008/05/03 13:04:27 | 00,094,208 | ---- | C] () -- C:\WINDOWS\System32\GTW32N50.dll

[2008/05/03 13:04:19 | 00,004,254 | ---- | C] () -- C:\WINDOWS\System32\WLAN.INI

[2008/05/01 15:12:51 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI

[2008/05/01 08:27:45 | 00,126,976 | R--- | C] () -- C:\WINDOWS\System32\e1000msg.dll

[2008/05/01 07:56:00 | 00,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll

[2008/05/01 07:50:54 | 00,006,272 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASLM75.SYS

[2008/05/01 07:47:23 | 00,003,571 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini

[2008/05/01 07:47:22 | 00,005,824 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS

[2003/12/02 08:55:14 | 00,086,016 | ---- | C] () -- C:\WINDOWS\System32\ati2evxx.dll

[1999/01/22 21:46:58 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL

========== LOP Check ==========

[2009/12/22 06:07:51 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar

[2009/12/02 10:55:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9

[2009/12/02 09:39:46 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\f-secure

[2009/06/18 07:25:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters

[2009/10/21 13:14:50 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP

[2008/05/01 14:54:05 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Kevin Lineberger\Application Data\VCOM

========== Purity Check ==========

========== Custom Scans ==========

< %SYSTEMDRIVE%\*.exe >

< MD5 for: AGP440.SYS >

[2008/05/01 09:18:39 | 22,245,337 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys

[2008/05/12 10:11:21 | 23,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys

[2008/05/01 09:18:39 | 22,245,337 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:AGP440.sys

[2008/05/12 10:11:21 | 23,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys

[2008/04/13 13:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys

[2008/04/13 13:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

[2004/08/04 01:07:41 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys

[2001/08/17 12:58:00 | 00,025,472 | ---- | M] (Microsoft Corporation) MD5=65880045C51AA36184841CEE915A61DF -- C:\WINDOWS\system32\ReinstallBackups\0007\DriverFiles\i386\AGP440.SYS

< MD5 for: ATAPI.SYS >

[2002/08/29 03:50:10 | 10,158,890 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp1.cab:atapi.sys

[2008/05/01 09:18:39 | 22,245,337 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys

[2008/05/12 10:11:21 | 23,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys

[2008/05/01 09:18:39 | 22,245,337 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:atapi.sys

[2008/05/12 10:11:21 | 23,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys

[2002/08/29 00:27:50 | 00,086,912 | ---- | M] (Microsoft Corporation) MD5=95B858761A00E1D4F81F79A0DA019ACA -- C:\WINDOWS\system32\ReinstallBackups\0004\DriverFiles\i386\atapi.sys

[2008/04/13 13:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys

[2008/04/13 13:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys

[2004/08/04 00:59:42 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

< MD5 for: EVENTLOG.DLL >

[2008/04/13 19:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll

[2008/04/13 19:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll

[2004/08/04 02:56:42 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >

[2008/04/13 19:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll

[2008/04/13 19:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll

[2004/08/04 02:56:44 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >

[2004/08/04 02:56:44 | 00,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll

[2008/04/13 19:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll

[2008/04/13 19:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >

[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

========== Alternate Data Streams ==========

@Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:1CA73D29

< End of report >

OTL Extras logfile created on: 1/12/2010 9:40:29 AM - Run 1

OTL by OldTimer - Version 3.1.24.0 Folder = C:\Documents and Settings\Kevin Lineberger\Desktop

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 7.0.5730.13)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 76.00% Memory free

4.00 Gb Paging File | 4.00 Gb Available in Paging File | 92.00% Paging File free

Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 233.75 Gb Total Space | 218.82 Gb Free Space | 93.61% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: KEVIN-ODAMRQIFP

Current User Name: Kevin Lineberger

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Minimal

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

exefile [open] -- "%1" %*

htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office\msohtmed.exe" %1 (Microsoft Corporation)

htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)

htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)

htmlfile [print] -- "C:\Program Files\Microsoft Office\Office\msohtmed.exe" /p %1 (Microsoft Corporation)

http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)

https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [File Finder...] -- C:\Program Files\VCOM\PowerDesk\pdfind.exe /PATH:%1 (Avanquest Publishing USA, Inc.)

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)

CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"AntiVirusDisableNotify" = 0

"FirewallDisableNotify" = 0

"AntiVirusOverride" = 0

"FirewallOverride" = 0

"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]

"65533:TCP" = 65533:TCP:*:Enabled:Services

"52344:TCP" = 52344:TCP:*:Enabled:Services

"2479:TCP" = 2479:TCP:*:Enabled:Services

"3246:TCP" = 3246:TCP:*:Enabled:Services

"3389:TCP" = 3389:TCP:*:Enabled:Remote Desktop

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall" = 1

"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007

"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

"139:TCP" = 139:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22004

"445:TCP" = 445:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22005

"137:UDP" = 137:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22001

"138:UDP" = 138:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22002

"65533:TCP" = 65533:TCP:*:Enabled:Services

"52344:TCP" = 52344:TCP:*:Enabled:Services

"2479:TCP" = 2479:TCP:*:Enabled:Services

"3246:TCP" = 3246:TCP:*:Enabled:Services

"3389:TCP" = 3389:TCP:*:Enabled:Remote Desktop

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)

"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)

"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)

"C:\WINDOWS\system32\logonui.exe" = C:\WINDOWS\system32\logonui.exe:*:Enabled:logonui -- (Microsoft Corporation)

"C:\Program Files\Google\Update\GoogleUpdate.exe" = C:\Program Files\Google\Update\GoogleUpdate.exe:*:Enabled:GoogleUpdate -- (Google Inc.)

"C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe" = C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe:*:Enabled:WMP54GSv1_1 -- (Linksys)

"C:\Program Files\AVG\AVG9\avgupd.exe" = C:\Program Files\AVG\AVG9\avgupd.exe:*:Enabled:avgupd.exe -- (AVG Technologies CZ, s.r.o.)

"C:\Program Files\AVG\AVG9\avgnsx.exe" = C:\Program Files\AVG\AVG9\avgnsx.exe:*:Enabled:avgnsx.exe -- (AVG Technologies CZ, s.r.o.)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{00000409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Premium

"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel

"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP

"{4EF69D40-4DC9-485E-95D3-B1C22F218FC8}" = upapp

"{5721A8EA-A30F-4F66-9046-3F40C43AE1DC}" = Driver Detective

"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable

"{8A5F34E2-37CF-4AD4-808C-2D413786E31A}" = Microsoft Visual C Runtime

"{A06275F4-324B-4E85-95E6-87B2CD729401}" = Windows Defender

"{A790BEB1-BCCF-4EC6-807B-5708B36E8A79}" = Intel® PROSet

"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper

"{AC76BA86-7AD7-1033-7B44-A81200000003}" = Adobe Reader 8.1.2

"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy

"{B93251B5-9209-4DAB-867C-AA98D91584CD}" = PowerDesk 6

"{C084BC61-E537-11DE-8616-005056806466}" = Google Earth

"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2

"{EAE4A00B-D290-4B65-8287-B82A80FC0619}" = Linksys Wireless-G PCI Network Adapter with SpeedBooster

"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX

"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX

"All ATI Software" = ATI - Software Uninstall Utility

"ASUS Probe V2.21.07" = ASUS Probe V2.21.07

"AsusUpdate" = AsusUpdate

"ATI Display Driver" = ATI Display Driver

"AVG9Uninstall" = AVG Free 9.0

"CCleaner" = CCleaner

"Google Chrome" = Google Chrome

"Google Updater" = Google Updater

"hp deskjet 5550 series" = hp deskjet 5550 series (Remove only)

"hp print screen utility" = hp print screen utility

"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs

"ie7" = Windows Internet Explorer 7

"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware

"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP

"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs

"PROSet" = Intel® PRO Network Adapters and Drivers

"Windows Media Format Runtime" = Windows Media Format 11 runtime

"Windows Media Player" = Windows Media Player 11

"Windows XP Service Pack" = Windows XP Service Pack 3

"WMFDist11" = Windows Media Format 11 runtime

"wmp11" = Windows Media Player 11

"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== Last 10 Event Log Errors ==========

[ Application Events ]

Error - 1/5/2010 9:22:05 AM | Computer Name = KEVIN-ODAMRQIFP | Source = Application Error | ID = 1000

Description = Faulting application iexplore.exe, version 7.0.6000.16945, faulting

module sdhelper.dll, version 1.6.2.14, fault address 0x000018b5.

Error - 1/6/2010 1:44:07 PM | Computer Name = KEVIN-ODAMRQIFP | Source = Application Hang | ID = 1002

Description = Hanging application iexplore.exe, version 7.0.6000.16945, hang module

hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 1/7/2010 7:19:10 AM | Computer Name = KEVIN-ODAMRQIFP | Source = Google Update | ID = 20

Description =

Error - 1/7/2010 9:00:00 PM | Computer Name = KEVIN-ODAMRQIFP | Source = Application Hang | ID = 1002

Description = Hanging application WINWORD.EXE, version 9.0.0.2717, hang module hungapp,

version 0.0.0.0, hang address 0x00000000.

Error - 1/7/2010 9:00:00 PM | Computer Name = KEVIN-ODAMRQIFP | Source = MsiInstaller | ID = 11706

Description = Product: Microsoft Office 2000 Premium -- Error 1706. No valid source

could be found for product Microsoft Office 2000 Premium. The Windows installer

cannot continue.

Error - 1/9/2010 9:17:14 AM | Computer Name = KEVIN-ODAMRQIFP | Source = crypt32 | ID = 131080

Description = Failed auto update retrieval of third-party root list sequence number

from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>

with error: The server name or address could not be resolved

Error - 1/9/2010 9:39:19 AM | Computer Name = KEVIN-ODAMRQIFP | Source = Application Hang | ID = 1002

Description = Hanging application iexplore.exe, version 7.0.6000.16945, hang module

hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 1/9/2010 3:07:55 PM | Computer Name = KEVIN-ODAMRQIFP | Source = Application Error | ID = 1000

Description = Faulting application explorer.exe, version 6.0.2900.5512, faulting

module ntdll.dll, version 5.1.2600.5755, fault address 0x00037453.

Error - 1/11/2010 8:26:39 AM | Computer Name = KEVIN-ODAMRQIFP | Source = Application Error | ID = 1000

Description = Faulting application iexplore.exe, version 7.0.6000.16945, faulting

module unknown, version 0.0.0.0, fault address 0x0328191f.

Error - 1/12/2010 8:27:57 AM | Computer Name = KEVIN-ODAMRQIFP | Source = Application Hang | ID = 1002

Description = Hanging application iexplore.exe, version 7.0.6000.16945, hang module

hungapp, version 0.0.0.0, hang address 0x00000000.

[ System Events ]

Error - 1/11/2010 3:38:25 PM | Computer Name = KEVIN-ODAMRQIFP | Source = DCOM | ID = 10005

Description = DCOM got error "%1084" attempting to start the service netman with

arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error - 1/11/2010 3:38:25 PM | Computer Name = KEVIN-ODAMRQIFP | Source = DCOM | ID = 10005

Description = DCOM got error "%1084" attempting to start the service EventSystem

with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 1/11/2010 3:39:10 PM | Computer Name = KEVIN-ODAMRQIFP | Source = Service Control Manager | ID = 7001

Description = The DHCP Client service depends on the NetBios over Tcpip service

which failed to start because of the following error: %%31

Error - 1/11/2010 3:39:10 PM | Computer Name = KEVIN-ODAMRQIFP | Source = Service Control Manager | ID = 7001

Description = The DNS Client service depends on the TCP/IP Protocol Driver service

which failed to start because of the following error: %%31

Error - 1/11/2010 3:39:10 PM | Computer Name = KEVIN-ODAMRQIFP | Source = Service Control Manager | ID = 7001

Description = The TCP/IP NetBIOS Helper service depends on the AFD Networking Support

Environment service which failed to start because of the following error: %%31

Error - 1/11/2010 3:39:10 PM | Computer Name = KEVIN-ODAMRQIFP | Source = Service Control Manager | ID = 7001

Description = The IPSEC Services service depends on the IPSEC driver service which

failed to start because of the following error: %%31

Error - 1/11/2010 3:39:10 PM | Computer Name = KEVIN-ODAMRQIFP | Source = Service Control Manager | ID = 7026

Description = The following boot-start or system-start driver(s) failed to load:

AFD AvgLdx86 AvgMfx86 AvgTdiX Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip

Error - 1/11/2010 4:21:52 PM | Computer Name = KEVIN-ODAMRQIFP | Source = DCOM | ID = 10005

Description = DCOM got error "%1084" attempting to start the service netman with

arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error - 1/11/2010 4:22:16 PM | Computer Name = KEVIN-ODAMRQIFP | Source = DCOM | ID = 10005

Description = DCOM got error "%1084" attempting to start the service EventSystem

with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 1/11/2010 4:23:30 PM | Computer Name = KEVIN-ODAMRQIFP | Source = sr | ID = 1

Description = The System Restore filter encountered the unexpected error '0xC0000001'

while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring

the volume.

< End of report >

Link to post
Share on other sites

A tad bit of history. I started getting a pop up error message after letting ccleaner fix some reg errors after getting wacked with and removing some fake spyware removal garbage. The error was something like

ms outlook is not the default mail client and cant retrieve the message or something along those lines

computer would freeze up from time to time and always would lock up if left alone. upon restart twice i got a blue screen memory dump page

i finaly gave in and switched from express to outlook as default and the message quit and the computer started acting a lot better but would still lock up every now and again

Went to pay a credit card bill at chase. logged on and a fake page popped up wanting all kinds of additional info. I called chase and they confirmed it was not them and they had no record of me logging in at all. I do not get that page on my laptop and can take care of buisness

Link to post
Share on other sites

Well after scaning temp internet files for hours (looks like every page anyone ever went to) it finialy hung on afstrack[1] and locked up. items in the scan window did not change but after the first few miniutes so i re ran and stoped the scan when it got to the temp files and saved. Here are the results:

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-01-12 19:44:05

Windows 5.1.2600 Service Pack 3

Running: eim2hf6r.exe; Driver: C:\DOCUME~1\KEVINL~1\LOCALS~1\Temp\fwtyqpob.sys

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\ACPI \Device\00000042 8A359898

Device \Driver\ACPI \Device\00000043 8A359898

Device \Driver\ACPI \Device\00000053 8A359898

Device \Driver\ACPI \Device\00000046 8A359898

Device \Driver\ACPI \Device\00000054 8A359898

Device \Driver\ACPI \Device\00000060 8A359898

Device \Driver\ACPI \Device\00000047 8A359898

Device \Driver\ACPI \Device\00000048 8A359898

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\ACPI \Device\00000049 8A359898

Device \Driver\ACPI \Device\00000057 8A359898

Device \Driver\ACPI \Device\00000063 8A359898

Device \Driver\ACPI \Device\00000058 8A359898

Device \Driver\ACPI \Device\00000064 8A359898

Device \Driver\ACPI \Device\00000065 8A359898

Device \Driver\ACPI \Device\00000059 8A359898

Device \Driver\ACPI \Device\0000004a 8A359898

Device \Driver\ACPI \Device\0000004b 8A359898

Device \Driver\ACPI \Device\0000005a 8A359898

Device \Driver\ACPI \Device\0000004e 8A359898

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\ACPI \Device\0000005f 8A359898

---- EOF - GMER 1.0.15 ----

Link to post
Share on other sites

Well after a few beers i couldnt stant it so i went on a killing spree of temp files in help assitant (what does ccleaner do anyway) and ran the scan again only diff was a new thing popped up in the window in red

module (no name)(***hdden***) f76f7000-ff76ff700

Then it went on to scan everything that was supposed to be deleted so i stopped it once again

Mean little bugger

Link to post
Share on other sites

Hmm strange.

Let's give this a go.

Download Dr.Web CureIt to the desktop.

  • Doubleclick the drweb-cureit.exe file, then on Start and allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, chose the Complete Scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow drweb_green_arrow.jpg at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look and see if you can click the following icon next to the files found:
    drweb_check.gif
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
    drweb_move.gif
  • This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer to allow files that were in use to be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply along with a new OTL log.

NOTE: During the scan, a pop-up window will open asking for full version purchase. Simply close the window by clicking on X in upper right corner.

Link to post
Share on other sites

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\ACPI -> 0x89e63368

NDIS: Linksys Wireless-G PCI Network Adapter with SpeedBooster #2 -> SendCompleteHandler -> 0x89c65220

Warning: possible MBR rootkit infection !

copy of MBR has been found in sector 0x01D37F8B2

malicious code @ sector 0x01D37F8B5 !

PE file found in sector at 0x01D37F8CB !

MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

Link to post
Share on other sites

You are welcome.

One or more of the identified infections is a backdoor trojan or rootkit.

This type of infection has the capabilities to allows hacker to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

Link to post
Share on other sites

I guess i am going th give the thing to my retired dad and let him reformat the disk.

a few questions before i go

could this be the reason i could not load the anti virus suite from my cable provider?

can i copy over my work files ( excell, word) to an external drive and they be safe?

What should i use for protection in the event i still cant load the cable package

Cable support said if it wont load they can not help with a work around (Charter) Free avg obviously don't cut it

Any other advice for a dumd ass wore out carpenter

Thanks again

Link to post
Share on other sites

Yes you can backup your documents.

could this be the reason i could not load the anti virus suite from my cable provider?
Yes.

You can use any of the free below antivirus:

These are free.

This is antivirus and antispyware.

Microsoft Security Essentials

This is just antivirus protection.

Antivir

====================

The following are some articles and a Windows Update link that I like to suggest to people to prevent malware and general PC maintenance.

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Prevention article To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections please read the Prevention artice by Miekiemoes.

If your computer is slow Is a tutorial on what you can do if your computer is slow.

File sharing program dangers Reasons to stay away from File sharing programs for ex: BitTorrent,Limewire,Kazaa,emule,Utorrent,Limewire etc...

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.