Jump to content

Something is preventing MB from running


Recommended Posts

Malwarebytes won't run (tried re-naming to winlogon.exe, didn't work). Also occasional pop-ups appear when I open Internet Explorer, Microsoft Outlook, or go to a new page in Int. Explorer. Als, AVG free is sometimes de-activated and prevented from updating. It seems a re-boot will sometimes correct that.

I had an infection with "Internet Security" that I thought I had removed with Malwarebytes. Most of those "fakealerts" and such have dissappeared, but now this.

Before finding this help forum, I tried several times removing and re-installing MB to get it to work (with no luck, btw, it will install ok, just won't run), so I have no MB logs to post. I do have the DDS/GMER logs and the ark.txt.

Below is the contents of the dds.txt file:

DDS (Ver_09-12-01.01) - NTFSx86

Run by Bill & Cindy at 6:48:47.64 on Sat 02/20/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.549 [GMT -5:00]

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\Program Files\AVG\AVG9\avgrsx.exe

svchost.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\AVG\AVG9\avgtray.exe

svchost.exe

C:\Program Files\AVG\AVG9\avgwdsvc.exe

C:\WINDOWS\system32\CTsvcCDA.EXE

C:\WINDOWS\system32\svchost.exe -k hpdevmgmt

C:\WINDOWS\system32\svchost.exe -k HPService

C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\AVG\AVG9\avgnsx.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\WINDOWS\explorer.exe

C:\Documents and Settings\Bill & Cindy.WILLIAM-15738B9\Desktop\Defogger.exe

C:\Documents and Settings\Bill & Cindy.WILLIAM-15738B9\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.comcast.net/

BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll

BHO: {ac6f2472-470b-4fa5-90d0-9ab55d11fda5} - kitejiru.dll

BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll

TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - e:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll

EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - e:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll

uRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

uRun: [TOY5KNQ8OC] c:\docume~1\bill&c~1.wil\locals~1\temp\Ant.exe

uRun: [PeerGuardian] c:\program files\peerguardian2\pg2.exe

uRun: [AdobeBridge]

uRun: [julobipiri] Rundll32.exe "wogipute.dll",s

mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe

mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe

mRun: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

mRun: [norusimod] Rundll32.exe "c:\windows\system32\henijuve.dll",a

mRun: [julobipiri] Rundll32.exe "wogipute.dll",s

mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent

mPolicies-system: EnableLUA = 0 (0x0)

IE: Convert link target to Adobe PDF - e:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - e:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - e:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - e:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - e:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - e:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - e:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert to existing PDF - e:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll

Trusted Zone: buy-internetsecurity10.com

Trusted Zone: buy-is2010.com

Trusted Zone: intuit.com\ttlc

Trusted Zone: is-software-download.com

Trusted Zone: is-software-download25.com

Trusted Zone: is10-soft-download.com

Trusted Zone: buy-internetsecurity10.com

Trusted Zone: buy-is2010.com

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1265383402796

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll

Notify: AtiExtEvent - Ati2evxx.dll

Notify: avgrsstarter - avgrsstx.dll

AppInit_DLLs: nukubufa.dll c:\windows\system32\henijuve.dll

SSODL: yeharenos - {66669258-ccd3-41d2-ac4b-651ac05fb9d7} - c:\windows\system32\henijuve.dll

STS: mujuzedij: {66669258-ccd3-41d2-ac4b-651ac05fb9d7} - c:\windows\system32\henijuve.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - e:\program files\microsoft office\office12\GrooveShellExtensions.dll

LSA: Notification Packages = scecli wogipute.dll nukubufa.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-2-13 333192]

R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-2-13 28424]

R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-2-13 360584]

R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-2-13 285392]

S3 pbfilter;pbfilter;\??\e:\program files\peerblock\pbfilter.sys --> e:\program files\peerblock\pbfilter.sys [?]

S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]

=============== Created Last 30 ================

2010-02-20 11:47:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-02-20 11:47:06 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-02-20 11:47:06 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-02-19 20:12:05 0 ----a-w- c:\documents and settings\bill & cindy.william-15738b9\defogger_reenable

2010-02-19 15:17:22 10 ----a-w- c:\windows\system32\kr_done1

2010-02-14 17:43:26 0 d-----w- c:\docume~1\alluse~1.win\applic~1\vsosdk

2010-02-14 17:00:40 234 ----a-w- c:\documents and settings\bill & cindy.william-15738b9\default.pls

2010-02-14 14:04:47 294912 ----a-w- c:\windows\alcupd.exe

2010-02-14 02:35:10 69 ----a-w- c:\windows\NeroDigital.ini

2010-02-14 00:13:45 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Nero

2010-02-13 15:44:29 0 d--h--w- C:\$AVG

2010-02-13 15:44:18 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-02-13 15:44:18 12464 ----a-w- c:\windows\system32\avgrsstx.dll

2010-02-13 15:44:13 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2010-02-13 15:44:05 0 d-----w- c:\windows\system32\drivers\Avg

2010-02-13 13:09:55 0 d-----w- c:\documents and settings\all users.windows\Microsoft PData

2010-02-13 12:39:07 1 ----a-w- C:\s

2010-02-12 22:13:08 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Alwil Software

2010-02-12 21:22:54 19569 ----a-w- c:\windows\000001_.tmp

2010-02-12 18:23:54 0 d-----w- c:\program files\Avery

2010-02-12 18:18:25 0 d-----w- c:\program files\Avery Dennison

2010-02-11 17:51:09 0 d-----w- C:\Security

2010-02-11 17:17:01 0 d-----w- c:\docume~1\bill&c~1.wil\applic~1\Malwarebytes

2010-02-11 17:16:56 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Malwarebytes

2010-02-11 11:55:39 380928 ----a-w- c:\windows\system32\ac3filter.acm

2010-02-11 02:03:54 40960 ----a-w- c:\windows\system32\MMAVILNG.exe

2010-02-11 01:20:16 0 d-sh--w- c:\documents and settings\bill & cindy.william-15738b9\IECompatCache

2010-02-10 03:24:01 19133 ----a-w- c:\documents and settings\bill & cindy.william-15738b9\peerblock.dmp

2010-02-10 02:41:43 0 d-----w- c:\docume~1\bill&c~1.wil\applic~1\Office Genuine Advantage

2010-02-10 02:09:05 17920 -c----w- c:\windows\system32\dllcache\msyuv.dll

2010-02-07 03:21:07 819200 ----a-w- c:\windows\system32\xvidcore.dll

2010-02-07 03:21:07 77824 ----a-w- c:\windows\system32\xvid.ax

2010-02-07 03:21:07 180224 ----a-w- c:\windows\system32\xvidvfw.dll

2010-02-06 22:37:29 647872 ------w- c:\windows\system32\Mscomct2.ocx

2010-02-06 22:37:28 41984 ------w- c:\windows\Ctregrun.exe

2010-02-06 22:36:24 183 ----a-w- c:\windows\setuplog

2010-02-06 22:34:52 44032 ------w- c:\windows\system32\CTSVCCDA.EXE

2010-02-06 22:34:52 25088 ------w- c:\windows\system32\CTSVCCTL.EXE

2010-02-06 22:08:43 0 d-----w- c:\windows\RegisteredPackages

2010-02-06 05:00:15 0 d-----w- c:\docume~1\bill&c~1.wil\applic~1\TheaterTek

2010-02-06 03:49:48 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll

2010-02-06 03:49:48 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe

2010-02-06 03:49:48 117760 ------w- c:\windows\system32\prntvpt.dll

2010-02-06 03:49:47 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll

2010-02-06 03:49:47 575488 ------w- c:\windows\system32\xpsshhdr.dll

2010-02-06 03:49:47 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll

2010-02-06 03:49:47 1676288 ------w- c:\windows\system32\xpssvcs.dll

2010-02-06 03:38:16 0 ----a-w- c:\windows\ativpsrm.bin

2010-02-06 03:35:34 593920 ------w- c:\windows\system32\ati2sgag.exe

2010-02-06 03:35:13 602112 ----a-w- c:\windows\system32\ati2evxx.exe

2010-02-06 03:35:13 155648 ----a-w- c:\windows\system32\ati2evxx.dll

2010-02-06 02:10:41 673546 ----a-w- c:\windows\unins000.exe

2010-02-06 02:10:41 2014 ----a-w- c:\windows\unins000.dat

2010-02-06 01:27:54 3250 ----a-w- c:\windows\system32\wbem\Outlook_01caa6cb9ac8d88a.mof

2010-02-06 01:26:59 32656 ----a-w- c:\windows\system32\msonpmon.dll

2010-02-06 00:36:17 0 d-sh--w- c:\documents and settings\bill & cindy.william-15738b9\PrivacIE

2010-02-05 23:58:31 2979 ------w- c:\windows\hpwmdl22.dat.temp

2010-02-05 23:26:53 0 d-----w- c:\docume~1\alluse~1.win\applic~1\avg9

2010-02-05 22:16:13 274288 ----a-w- c:\windows\system32\mucltui.dll

2010-02-05 22:16:13 16736 ----a-w- c:\windows\system32\mucltui.dll.mui

2010-02-05 22:12:47 0 d-sh--w- c:\documents and settings\bill & cindy.william-15738b9\IETldCache

2010-02-05 22:08:21 69120 -c----w- c:\windows\system32\dllcache\iecompat.dll

2010-02-05 22:07:58 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll

2010-02-05 22:07:57 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll

2010-02-05 22:07:57 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll

2010-02-05 22:07:57 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll

2010-02-05 22:07:57 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll

2010-02-05 22:07:57 11070464 -c----w- c:\windows\system32\dllcache\ieframe.dll

2010-02-05 18:38:48 0 d-----w- c:\docume~1\alluse~1.win\applic~1\WEBREG

2010-02-05 18:31:22 271704 ----a-r- c:\windows\system32\hpzids01.dll

2010-02-05 18:31:22 118272 ----a-w- c:\windows\system32\hpf3l082.dll

2010-02-05 18:30:49 966656 ----a-r- c:\windows\system32\hpwtiop4.dll

2010-02-05 18:30:49 741376 ----a-r- c:\windows\system32\hpwwiax5.dll

2010-02-05 18:30:49 364544 ----a-r- c:\windows\system32\hppldcoi.dll

2010-02-05 18:30:49 309760 ----a-r- c:\windows\system32\difxapi.dll

2010-02-05 18:30:49 294912 ----a-r- c:\windows\system32\hpovst11.dll

2010-02-05 18:30:45 6784 -c--a-w- c:\windows\system32\dllcache\serscan.sys

2010-02-05 18:30:45 6784 ----a-w- c:\windows\system32\drivers\serscan.sys

2010-02-05 18:27:34 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys

2010-02-05 18:27:34 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys

2010-02-05 18:27:32 26368 -c--a-w- c:\windows\system32\dllcache\usbstor.sys

2010-02-05 18:25:48 188909 ----a-w- c:\windows\hpwins22.dat

2010-02-05 18:25:47 2979 ------w- c:\windows\hpwmdl22.dat

2010-02-05 18:16:26 0 d-----w- c:\docume~1\bill&c~1.wil\applic~1\Citrix

2010-02-05 18:11:48 0 d-----w- c:\docume~1\alluse~1.win\applic~1\TheaterTek

2010-02-05 17:34:04 1843200 ----a-w- c:\windows\system32\acXMLParser.dll

2010-02-05 17:34:00 3518464 ----a-w- c:\windows\system32\cdintf300.dll

2010-02-05 17:33:57 0 d-----w- c:\docume~1\bill&c~1.wil\applic~1\Intuit

2010-02-05 17:33:37 120 ----a-w- c:\windows\QUICKEN.INI

2010-02-05 17:33:00 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Intuit

2010-02-05 16:26:44 0 d-----w- c:\docume~1\bill&c~1.wil\applic~1\uTorrent

2010-02-05 16:02:31 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll

2010-02-05 16:02:31 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll

2010-02-05 16:02:31 284160 -c----w- c:\windows\system32\dllcache\pdh.dll

2010-02-05 16:02:31 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe

2010-02-05 16:02:31 110592 -c----w- c:\windows\system32\dllcache\services.exe

2010-02-05 16:02:30 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll

2010-02-05 16:02:30 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll

2010-02-05 16:02:30 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll

2010-02-05 15:42:56 64352 ------w- c:\windows\system32\drivers\ativmc20.cod

2010-02-05 15:33:28 272128 -c----w- c:\windows\system32\dllcache\bthport.sys

2010-02-05 15:33:05 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

2010-02-05 15:32:01 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll

2010-02-05 15:32:01 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll

2010-02-05 15:31:41 153088 -c----w- c:\windows\system32\dllcache\triedit.dll

2010-02-05 15:31:06 128512 -c----w- c:\windows\system32\dllcache\dhtmled.ocx

2010-02-05 15:30:18 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys

2010-02-05 15:30:17 455424 -c----w- c:\windows\system32\dllcache\mrxsmb.sys

2010-02-05 15:30:16 353792 -c----w- c:\windows\system32\dllcache\srv.sys

2010-02-05 15:30:14 331776 -c----w- c:\windows\system32\dllcache\msadce.dll

2010-02-05 15:30:12 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll

2010-02-05 15:30:03 691712 -c----w- c:\windows\system32\dllcache\inetcomm.dll

2010-02-05 15:26:01 26144 ----a-w- c:\windows\system32\spupdsvc.exe

2010-02-05 14:21:39 0 d-sh--w- c:\documents and settings\bill & cindy.william-15738b9\UserData

2010-02-05 14:11:07 13736 ----a-w- c:\windows\system32\wpa.bak

2010-02-05 13:57:29 464 ------w- c:\windows\system32\nvide.nvu

2010-02-05 13:57:29 172032 ------w- c:\windows\system32\nvuide.exe

2010-02-05 13:57:26 79360 ----a-r- c:\windows\system32\drivers\nvatabus.sys

2010-02-05 13:57:26 294400 ----a-r- c:\windows\system32\idecoi.dll

2010-02-05 13:55:38 5810 ----a-r- c:\windows\system32\drivers\ASACPI.sys

2010-02-05 13:55:38 4384 ----a-w- c:\windows\Ascd_tmp.ini

2010-02-05 13:55:34 5824 ----a-w- c:\windows\system32\drivers\ASUSHWIO.SYS

2010-02-05 13:45:20 77824 ----a-w- c:\windows\SOUNDMAN.EXE

2010-02-05 13:45:20 40960 ----a-w- c:\windows\system32\ChCfg.exe

2010-02-05 13:45:20 2324160 ----a-w- c:\windows\system32\drivers\ALCXWDM.SYS

2010-02-05 13:45:20 156672 ----a-w- c:\windows\system32\RTLCPAPI.dll

2010-02-05 13:45:19 9409536 ----a-w- c:\windows\system32\RTLCPL.EXE

2010-02-05 13:45:19 141016 ----a-w- c:\windows\system32\ALSNDMGR.WAV

2010-02-05 13:45:18 200704 ----a-w- c:\windows\alcrmv.exe

2010-02-05 13:45:18 18751488 ----a-w- c:\windows\system32\ALSNDMGR.CPL

2010-02-05 13:40:33 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys

2010-02-05 13:40:33 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys

2010-02-05 13:40:28 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys

2010-02-05 04:52:47 8192 ----a-w- c:\windows\REGLOCS.OLD

2010-02-05 04:50:58 143422 -c--a-w- c:\windows\system32\dllcache\softkey.dll

2010-02-05 04:49:56 10129408 -c--a-w- c:\windows\system32\dllcache\hwxkor.dll

2010-02-05 04:48:57 94720 -c--a-w- c:\windows\system32\dllcache\certmap.ocx

2010-02-05 04:48:24 2577 ----a-w- c:\windows\system32\CONFIG.NT

2010-02-05 04:48:24 0 ----a-w- c:\windows\control.ini

2010-02-05 04:48:09 23392 ----a-w- c:\windows\system32\nscompat.tlb

2010-02-05 04:48:09 16832 ----a-w- c:\windows\system32\amcompat.tlb

2010-02-05 04:48:08 316640 ----a-w- c:\windows\WMSysPr9.prx

2010-02-05 04:47:06 0 d-sh--w- c:\documents and settings\all users.windows\DRM

2010-02-05 04:46:42 0 d--h--w- c:\program files\WindowsUpdate

2010-02-05 04:45:58 48680 --sh--w- c:\windows\winnt256.bmp

2010-02-05 04:44:59 21640 ----a-w- c:\windows\system32\emptyregdb.dat

2010-02-05 04:44:32 0 d-----w- c:\program files\Online Services

2010-02-05 04:43:59 347136 ----a-w- c:\windows\system32\hypertrm.dll

2010-02-05 02:28:36 0 d-----w- c:\windows\NV8961548.TMP

2010-02-05 02:27:42 0 d-----w- c:\windows\NV8961000.TMP

2010-02-04 23:32:40 57600 ----a-w- c:\windows\system32\drivers\redbook.sys

2010-02-04 23:32:15 60160 ----a-w- c:\windows\system32\drivers\drmk.sys

2010-02-04 23:32:15 4096 ----a-w- c:\windows\system32\ksuser.dll

2010-02-04 23:32:15 2944 ----a-w- c:\windows\system32\drivers\msmpu401.sys

2010-02-04 23:32:15 146048 ----a-w- c:\windows\system32\drivers\portcls.sys

2010-02-04 23:32:15 129536 ----a-w- c:\windows\system32\ksproxy.ax

2010-02-04 23:30:57 74240 ----a-w- c:\windows\system32\usbui.dll

2010-02-04 23:28:08 0 d-----r- c:\documents and settings\all users.windows\Documents

2010-02-04 23:26:58 14573 ----a-r- c:\windows\SET29.tmp

2010-02-04 23:26:29 8574 -c--a-w- c:\windows\system32\dllcache\IASNT4.CAT

2010-02-04 23:26:29 7382 -c--a-w- c:\windows\system32\dllcache\OEMBIOS.CAT

2010-02-04 23:26:29 7334 -c--a-w- c:\windows\system32\dllcache\wmerrenu.cat

2010-02-04 23:26:29 37484 -c--a-w- c:\windows\system32\dllcache\MW770.CAT

2010-02-04 23:26:29 13472 -c--a-w- c:\windows\system32\dllcache\HPCRDP.CAT

2010-02-04 23:26:28 797189 -c--a-w- c:\windows\system32\dllcache\NT5IIS.CAT

2010-02-04 23:26:28 399645 -c--a-w- c:\windows\system32\dllcache\MAPIMIG.CAT

2010-02-04 23:26:28 1042903 -c--a-w- c:\windows\system32\dllcache\SP2.CAT

2010-02-04 23:26:26 13753 ----a-r- c:\windows\SET8.tmp

2010-02-04 23:26:24 1086058 ----a-r- c:\windows\SET4.tmp

2010-02-04 23:26:22 1042903 ----a-r- c:\windows\SET3.tmp

2010-02-04 23:24:37 261 ----a-w- c:\windows\system32\$winnt$.inf

2010-02-04 23:17:25 0 ----a-w- c:\windows\MEMORY.DMP

2010-02-04 18:23:43 0 d-----w- C:\Inetpub

2010-02-04 15:52:56 0 d--h--w- C:\BJPrinter

2010-02-04 12:11:50 0 d-----w- c:\windows\Connection Wizard

2010-02-04 12:11:50 0 d-----w- c:\windows\Config

2010-02-02 19:56:30 0 d-----w- c:\windows\docs

2010-02-02 04:40:00 0 d-----w- c:\program files\common files\HP

2010-02-02 03:38:31 0 d-----w- c:\windows\Hewlett-Packard

2010-02-01 11:14:59 40325 ----a-w- c:\temp\AFUDOS.exe

2010-02-01 03:07:33 0 d-----w- c:\windows\hpojp8500a909

2010-02-01 02:55:24 0 d-----w- c:\program files\common files\Hewlett-Packard

2010-02-01 02:55:01 0 d-----w- c:\program files\HP

2010-01-31 03:31:40 40325 ----a-w- C:\AFUDOS.exe

2010-01-30 22:46:49 524288 ----a-w- C:\K8NE0411.ROM

==================== Find3M ====================

2009-12-31 16:50:03 353792 ----a-w- c:\windows\system32\drivers\srv.sys

2009-12-22 05:20:58 81920 ------w- c:\windows\system32\ieencode.dll

2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\wininet.dll

2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe

2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll

2009-12-08 19:27:51 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe

2009-12-08 18:43:50 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe

2009-11-27 17:11:44 17920 ----a-w- c:\windows\system32\msyuv.dll

2009-11-27 17:11:44 1291776 ----a-w- c:\windows\system32\quartz.dll

2009-11-27 16:07:35 8704 ----a-w- c:\windows\system32\tsbyuv.dll

2009-11-27 16:07:35 28672 ----a-w- c:\windows\system32\msvidc32.dll

2009-11-27 16:07:34 84992 ----a-w- c:\windows\system32\avifil32.dll

2009-11-27 16:07:34 48128 ----a-w- c:\windows\system32\iyuv_32.dll

2009-11-27 16:07:34 11264 ----a-w- c:\windows\system32\msrle32.dll

1601-01-01 00:03:28 47616 --sha-w- c:\windows\system32\bonalopi.dll

1601-01-01 00:03:28 39424 --sha-w- c:\windows\system32\bufezeza.dll

1601-01-01 00:03:28 56832 --sha-w- c:\windows\system32\fikitiku.dll

1601-01-01 00:03:28 43008 --sha-w- c:\windows\system32\gipidiwu.dll

1601-01-01 00:03:28 100864 --sha-w- c:\windows\system32\henijuve.dll

1601-01-01 00:03:28 43520 --sha-w- c:\windows\system32\kadidige.dll

1601-01-01 00:03:52 56832 --sha-w- c:\windows\system32\kitejiru.dll

1601-01-01 00:03:28 92160 --sha-w- c:\windows\system32\kokaziho.dll

1601-01-01 00:03:28 39424 --sha-w- c:\windows\system32\lefikazi.dll

1601-01-01 00:03:28 39424 --sha-w- c:\windows\system32\mukuvabu.dll

1601-01-01 00:03:28 39424 --sha-w- c:\windows\system32\nesibeba.dll

1601-01-01 00:03:28 96768 --sha-w- c:\windows\system32\niwebazi.dll

1601-01-01 00:03:28 39424 --sha-w- c:\windows\system32\nozepelo.dll

1601-01-01 00:03:52 56832 --sha-w- c:\windows\system32\nukubufa.dll

1601-01-01 00:03:28 100864 --sha-w- c:\windows\system32\romopifo.dll

1601-01-01 00:03:28 39424 --sha-w- c:\windows\system32\tahidazu.dll

1601-01-01 00:03:28 43520 --sha-w- c:\windows\system32\visegobu.dll

1601-01-01 00:03:28 39424 --sha-w- c:\windows\system32\wiwuzoza.dll

1601-01-01 00:03:52 56832 --sha-w- c:\windows\system32\wogipute.dll

1601-01-01 00:03:28 47616 --sha-w- c:\windows\system32\wuyeligo.dll

============= FINISH: 6:49:40.54 ===============

attach.zip

Link to post
Share on other sites

  • Replies 55
  • Created
  • Last Reply

Top Posters In This Topic

Hey Big Bill,

Welcome to Malwarebytes! I'm Ltangelic and I'll be helping you fix your computer problem.

Before we proceed, here are some things that you can take note of so that the cleaning up process will be more smooth and efficient. Do not worry, the points below are not any form of rules, it's just a few pointers that can ensure that you will get the best help from me. :P

  • To ensure that you are informed of the latest replies to your thread, you may like to right click on Options at the top right hand corner of this page and select "Subscribe to this forum". That way, you will be notified via email when a reply was posted to your thread.
  • If you have any doubts or uncertainty about any part of my instructions, feel free to post on here and ask me about them.
  • Please do NOT attempt to run any tools or do any fixing on your own unless I tell you to, this will avoid any confusion that can occur during the cleaning process. Furthermore, fixing malware problems without sufficient knowledge can be dangerous at times and you can mess up your own computer without knowing.
  • Please do not PM me for malware removal assistance, any request for malware removal assistance should be posted in this thread only. The only time you can and should PM me is when I have not been replying to you for several days (usually around 4 days) and you need an explanation. If that's the case, just send me a message to me on here. :lol:
  • Please do not start multiple topics (especially when you are already being assisted by an authorised staff). All staff are volunteers on here, starting multiple topics will waste the limited resource of manpower we have here at Malwarebytes, and this can further hinder our ability to assist other users. Please be considerate and stick to one thread.

I'm looking at your log now and will be back with a fix soon. Thanks for your patience and understanding. :)

Link to post
Share on other sites

Hey Big Bill,

There are indeed malware on your computer, let's run some tools to remove them. ;)

Please follow my instructions in the order they were given, and print out a copy of it as you may not have access to the forums during the fix.

Before we go on to run the tools, it would be advisable to temporarily disable your protection software(s) (AVG anti-virus) as it/they may hinder the tools from running. Instructions is in the link below:

http://www.bleepingcomputer.com/forums/topic114351.html

1) Run ComboFix

Download ComboFix from one of these locations:

Link 1

Link 2

Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

2) Run OTS

To ensure that I get all the information this log will need to be attached (instructions at the end) if it is to large to attach then upload to Mediafire and post the sharing link.

Download OTS to your Desktop

  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS.exe to start the program.
  • Check the box that says Scan All Users
  • Under Additional Scans check the following:
    • Reg - Shell Spawning
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EvtViewer (last 10)

    [*]Under custom scans copy and paste the following

    • netsvcs
      %SYSTEMDRIVE%\*.exe
      %SYSTEMDRIVE%\*.*
      %ProgramFiles%\Movie Maker\*.dll
      %ALLUSERSAPPDATA%\*.dll
      %SYSTEMROOT%\*.tmp
      %PROGRAMFILES%\Internet Explorer\*.dll
      %DriveLetter%\RECYCLER\*S-%d-%d-%d-%d%d%d-%d%d%d-%d%d%d-%d*.
      %systemroot%\system32\*.dll /lockedfiles
      /md5start
      eventlog.dll
      scecli.dll
      netlogon.dll
      cngaudit.dll
      sceclt.dll
      ntelogon.dll
      logevent.dll
      iaStor.sys
      nvstor.sys
      atapi.sys
      IdeChnDr.sys
      viasraid.sys
      AGP440.sys
      vaxscsi.sys
      nvatabus.sys
      viamraid.sys
      nvata.sys
      nvgts.sys
      iastorv.sys
      ViPrt.sys
      /md5stop
      %systemroot%\*. /mp /s
      %systemroot%\system32\*.dll /lockedfiles
      %systemroot%\Tasks\*.job /lockedfiles
      c:\$recycle.bin\*.* /s
      CREATERESTOREPOINT

    [*]Now click the Run Scan button on the toolbar.

    [*]Let it run unhindered until it finishes.

    [*]When the scan is complete Notepad will open with the report file loaded in it.

    [*]Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Please attach the log in your next post.

To attach a file, do the following:

  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on attach_add.png to insert the attachment into your post

Next reply (please include in your post):

ComboFix.txt

OTS.txt

Link to post
Share on other sites

First of all, thank you so much for your time and expertise. You guys are awesome.

Now for the bad news, something has happened since my last post as I am no longer able to launch any .exe files.

I downloaded Combofix and when I double clicked it, Windows asked which program I wanted to open it with. I cannot open Outlook, Hijack This or any other program. I'm not sure why Internet Explorer opened, but every other program, Windows asks what to open it with.

Feeling pretty helpless, any suggestions?

Link to post
Share on other sites

Hey Big Bill,

First of all, thank you so much for your time and expertise. You guys are awesome.

Now for the bad news, something has happened since my last post as I am no longer able to launch any .exe files.

I downloaded Combofix and when I double clicked it, Windows asked which program I wanted to open it with. I cannot open Outlook, Hijack This or any other program. I'm not sure why Internet Explorer opened, but every other program, Windows asks what to open it with.

Feeling pretty helpless, any suggestions?

Seems like whatever virus on your computer corrupted the .exe file association. Let's fix that first. ;)

Please download exeHelper to your desktop.

Double-click on exeHelper.com to run the fix.

A black window should pop up, press any key to close once the fix is completed.

Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)

Link to post
Share on other sites

Ok,

Since nothing but Internet Explorer was working, I googled "Windows won't run .exe files" and came up with the website "http://filext.com/faq/broken_exe_association.php" and downloaded a registry fix (attached) (oops, can't upload this file. File name,,,"WinXP_EXE_FIX.reg") . Ran the registry patch and got my ability to run programs back.

I was then able to run Combofix and have attached that log.

I attempted to run OTS.exe exactly as directed, three times. But when it gets to the "Manual File Scan / Looking in folder c:\%recle.bin%\..." the program freezes up. Windows still runs ok and I can close the program (getting the windows notification that this program is no longer responding). So, long story short, I don't have that log.

I realize I'm not supposed to make any fix attempts unless you tell me, but I got anxious and had to try something. Sorry I jumped ahead of you! ;)

I also ran the exeHelper you recommended and attached that log.

So far, everything is working except Malwarebytes won't run. And although AVG does come up, it's not being displayed in the system tray. Also, no other signs of infection as of yet.

Thanks again for your help and your patience!

exehelperlog.txt

ComboFix.txt

Link to post
Share on other sites

Hey Big Bill,

Looks like exeHelper did its work. :)

Please follow my instructions in the order they were given, and print out a copy of it as you may not have access to the forums during the fix.

Before we go on to run the tools, it would be advisable to temporarily disable your protection software(s) (AVG anti-virus) as it/they may hinder the tools from running. Instructions is in the link below:

http://www.bleepingcomputer.com/forums/topic114351.html

1. Please open Notepad

  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll:

File::
c:\windows\unins000.dat
c:\windows\unins000.exe
c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\Application Data\Microsoft\Installer\{9C9B12FD-ED94-4757-B8BB-1FA22A6C1D32}\ext_3.exe
c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\Application Data\Microsoft\Installer\{9C9B12FD-ED94-4757-B8BB-1FA22A6C1D32}\ext_2.exe
c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\Application Data\Microsoft\Installer\{9C9B12FD-ED94-4757-B8BB-1FA22A6C1D32}\ext_1.exe
c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\Application Data\Microsoft\Installer\{9C9B12FD-ED94-4757-B8BB-1FA22A6C1D32}\ext.exe
c:\windows\system32\bonalopi.dll
c:\windows\system32\bufezeza.dll
c:\windows\system32\fikitiku.dll
c:\windows\system32\gipidiwu.dll
c:\windows\system32\lawariko.dll
c:\windows\system32\mukuvabu.dll
c:\windows\system32\nesibeba.dll
c:\windows\system32\niwebazi.dll
c:\windows\system32\nozepelo.dll
c:\windows\system32\reguligu.dll
c:\windows\system32\romopifo.dll
c:\windows\system32\tahidazu.dll
c:\windows\system32\visegobu.dll
c:\windows\system32\vufosesa.dll
c:\windows\system32\vufurajo.dll
c:\windows\system32\wikufalu.dll
c:\windows\system32\wiwuzoza.dll
c:\windows\system32\wuyeligo.dll
c:\windows\system32\x.dll
c:\windows\system32\xx.dll
c:\windows\system32\xxx.dll
c:\windows\system32\zayitala.dll
c:\windows\system32\zesulalu.dll

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScriptB-4.gif

5. After reboot, (in case it asks to reboot), please post the following report/log into your next reply:

  • Combofix.txt .

After this please re-run OTS with the previous instructions and do a new MBAM scan (Please update MBAM before scanning).

Next reply (please include in your post):

ComboFix.txt

MBAM scan log

OTS.txt

Link to post
Share on other sites

Thanks LTAngelic;

I followed your instructions in your last post exactly and everything went according to plan.

I can't thank you enough, your expertise and knowledge is impressive. If you are a guy, I'd like to shake your hand and if you're a girl, I'd like to kiss your hand!!! :)

As you can tell from my excitement, I think you got me cleaned up pretty good! Everything is working great.

I'm posting the logs you asked for, I assume that want to verify everything is clean.

It sure would make me happy to be able to make a contribution, if you were to let me know who to, and where to!

OTS.Txt

mbam_log_2010_02_25__12_01_47_.txt

ComboFix.txt

Link to post
Share on other sites

Hey Big Bill,

Thank you very much for your heart-warming words, it really makes my day. :)

I can't thank you enough, your expertise and knowledge is impressive. If you are a guy, I'd like to shake your hand and if you're a girl, I'd like to kiss your hand!!! :)

It sure would make me happy to be able to make a contribution, if you were to let me know who to, and where to!

I'm a girl, just to let you know. *blushes*

At this point of time, I'm not able to accept any donations. But if you would really like to contribute, I would really recommend you buying the full version of Malwarebytes as a form of support for their service. Without Malwarebytes, you would not be able to post your problem here and neither can I assist you. We owe a big thank-you to the Malwarebytes CEO Marcin and all the staff who support these forums. :thumbsup:

We still have some work to do though, and I have a feeling that this cleaning up process is not easy as it seems. Please stick with me till the end so we can both benefit from this learning process. :)

Firstly, from your ComboFix log, it seems a little strange that those files I've putted in the CFScript did not come up in the log you've posted. Can you check your computer again to see if you've posted the correct log? If the script I gave you ran successfully, it should look something like this:

ComboFix 10-02-23.03 - ****** 02/23/2010 20:31:26.2.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2030.1554 [GMT -8:00]

Running from: c:\documents and settings\******\Desktop\combo fix\ComboFix.exe

Command switches used :: c:\documents and settings\******\Desktop\combo fix\CFScript.txt

AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FILE ::

"c:\windows\Setup1.exe"

"c:\windows\system32\GTDownDE_87.ocx"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\LocalService\Application Data\PeerNetworking

c:\documents and settings\LocalService\Application Data\PeerNetworking\idstore.sst

c:\documents and settings\LocalService\Application Data\PeerNetworking\idstore.sst.new

c:\windows\Setup1.exe

There should be a "Other Deletions" section like quoted above with all the files/folders I've put into the CFScript. Please check all the ComboFix logs you have again and see if you can find the correct one.

Also, your OTL is not complete somehow from the attached copy I got. It got cut off at this point (under the section [Files - No Company Name]):

Bill's Credit Score.docx -> C:\Documents and Settings\Bill & Cindy.WILLIAM-15738B9\My Documents\Bill's Credit Score.docx -> [2

Can you please post (not attach) the log from that line onwards on here? Thank you. :)

I won't continue with the fix until you've posted back again with the correct logs, I'll be waiting for your reply. Please post on here if you encounter any new problems or infections.

Link to post
Share on other sites

Hey Big Bill,

Thank you very much for your heart-warming words, it really makes my day. :)

I'm a girl, just to let you know. *blushes*

At this point of time, I'm not able to accept any donations. But if you would really like to contribute, I would really recommend you buying the full version of Malwarebytes as a form of support for their service. Without Malwarebytes, you would not be able to post your problem here and neither can I assist you. We owe a big thank-you to the Malwarebytes CEO Marcin and all the staff who support these forums. :thumbsup:

Shortly after my previous post, I discovered that I could view your profile.

You certainly are a girl, and a mighty pretty one as well! :)

I most certainly will purchase the full version of Malwarebytes, I would like to pass it on to the CEO Marcin, that at least this sale, is the result of your kindness and help!!!

I'll get to that when you're satisfied that we're done here (sticking with you to the end)!

I went back and looked for any and all copies of ComboFix.txt. The only one I found, was the one I posted. Thinking that I screwed up somewhere, I launched it again by dragging and dropping your CFscript.txt file onto it. That does launch it and it runs. However, I noticed that when it reaches stage 49, a windows "Application Error" Application Corrupt" dialogue box pops up. I click OK and ComboFix continues to run. When it's done, the same log without the (((((((((((((((( other deletions ))))))))))))))))))))))))) section is not there.

I then tried deleting Combofix and redownloading it again, same problems but the Application Corrupt dialogue pops up even more. I then checked the CFscript file to make sure it's contents exactly matched what you posted for me to copy and paste, and it does. So I deleted Combofix and again downloaded (from a different mirror), same thing. Each time I run it, the "Application Corrupt" message pops up at a different time. One time after it ran (even with error messages, it did generate a log that did have one file in the (((((((((((((((((((((((( other deletions )))))))))))))))))) section. I will post that one as all the others are the same as the first one I posted ( yes I saved them all, giving each file name a number according to it's scan).

As for the OTS log, I'm not sure why you only got part of it, wierd! But I have the full version and I will post those contents you aske for here:

Bill's Credit Score.docx -> C:\Documents and Settings\Bill & Cindy.WILLIAM-15738B9\My Documents\Bill's Credit Score.docx -> [2010/02/04 11:49:09 | 000,032,443 | ---- | C] ()

You've got some nerve!.doc -> C:\Documents and Settings\Bill & Cindy.WILLIAM-15738B9\My Documents\You've got some nerve!.doc -> [2010/02/04 11:49:09 | 000,029,696 | ---- | C] ()

Caremark Website login.docx -> C:\Documents and Settings\Bill & Cindy.WILLIAM-15738B9\My Documents\Caremark Website login.docx -> [2010/02/04 11:49:09 | 000,010,256 | ---- | C] ()

Blue Cross Horizon Log_in.docx -> C:\Documents and Settings\Bill & Cindy.WILLIAM-15738B9\My Documents\Blue Cross Horizon Log_in.docx -> [2010/02/04 11:49:09 | 000,010,120 | ---- | C] ()

map.doc -> C:\Documents and Settings\Bill & Cindy.WILLIAM-15738B9\My Documents\map.doc -> [2010/02/04 11:49:08 | 000,361,984 | ---- | C] ()

Mkg Pats By-laws.doc -> C:\Documents and Settings\Bill & Cindy.WILLIAM-15738B9\My Documents\Mkg Pats By-laws.doc -> [2010/02/04 11:49:08 | 000,051,712 | ---- | C] ()

Plant 4 project number and address.doc -> C:\Documents and Settings\Bill & Cindy.WILLIAM-15738B9\My Documents\Plant 4 project number and address.doc -> [2010/02/04 11:49:08 | 000,019,456 | ---- | C] ()

Picture.doc -> C:\Documents and Settings\Bill & Cindy.WILLIAM-15738B9\My Documents\Picture.doc -> [2010/02/04 11:49:08 | 000,019,456 | ---- | C] ()

How to convert PAL DVD.doc -> C:\Documents and Settings\Bill & Cindy.WILLIAM-15738B9\My Documents\How to convert PAL DVD.doc -> [2010/02/04 11:49:07 | 000,873,984 | ---- | C] ()

Directions to 516 Gardner St Muskegon.doc -> C:\Documents and Settings\Bill & Cindy.WILLIAM-15738B9\My Documents\Directions to 516 Gardner St Muskegon.doc -> [2010/02/04 11:49:06 | 002,325,504 | ---- | C] ()

Hidden Camera Registration Key.doc -> C:\Documents and Settings\Bill & Cindy.WILLIAM-15738B9\My Documents\Hidden Camera Registration Key.doc -> [2010/02/04 11:49:06 | 000,020,480 | ---- | C] ()

Comcast Voicemail Access number.doc -> C:\Documents and Settings\Bill & Cindy.WILLIAM-15738B9\My Documents\Comcast Voicemail Access number.doc -> [2010/02/04 11:49:05 | 000,022,016 | ---- | C] ()

Cindy pics.doc -> C:\Documents and Settings\Bill & Cindy.WILLIAM-15738B9\My Documents\Cindy pics.doc -> [2010/02/04 11:49:04 | 001,625,088 | ---- | C] ()

movies.mdb -> C:\Documents and Settings\Bill & Cindy.WILLIAM-15738B9\My Documents\movies.mdb -> [2010/02/04 11:49:04 | 000,544,768 | ---- | C] ()

Burning CD=.doc -> C:\Documents and Settings\Bill & Cindy.WILLIAM-15738B9\My Documents\Burning CD=.doc -> [2010/02/04 11:49:04 | 000,022,016 | ---- | C] ()

Movie List.adp -> C:\Documents and Settings\Bill & Cindy.WILLIAM-15738B9\My Documents\Movie List.adp -> [2010/02/04 11:49:04 | 000,016,896 | ---- | C] ()

Budget.xls -> C:\Documents and Settings\Bill & Cindy.WILLIAM-15738B9\My Documents\Budget.xls -> [2010/02/04 11:49:04 | 000,015,360 | ---- | C] ()

Jenny's W-2.xlsx -> C:\Documents and Settings\Bill & Cindy.WILLIAM-15738B9\My Documents\Jenny's W-2.xlsx -> [2010/02/04 11:49:04 | 000,008,572 | ---- | C] ()

Addresses.mdb -> C:\Documents and Settings\Bill & Cindy.WILLIAM-15738B9\My Documents\Addresses.mdb -> [2010/02/04 11:49:03 | 000,675,840 | ---- | C] ()

Class B Certificate.jpg -> C:\Documents and Settings\Bill & Cindy.WILLIAM-15738B9\My Documents\Class B Certificate.jpg -> [2010/02/04 11:49:03 | 000,396,543 | ---- | C] ()

Signature.jpg -> C:\Documents and Settings\Bill & Cindy.WILLIAM-15738B9\My Documents\Signature.jpg -> [2010/02/04 11:49:03 | 000,027,601 | ---- | C] ()

Andrews Campus Map.jpg -> C:\Documents and Settings\Bill & Cindy.WILLIAM-15738B9\My Documents\Andrews Campus Map.jpg -> [2010/02/04 11:49:02 | 000,787,847 | ---- | C] ()

24 2.nrg -> C:\Documents and Settings\Bill & Cindy.WILLIAM-15738B9\My Documents\24 2.nrg -> [2010/02/04 11:44:57 | 362,709,147 | ---- | C] ()

Mercy bill.pdf -> C:\Documents and Settings\Bill & Cindy.WILLIAM-15738B9\My Documents\Mercy bill.pdf -> [2010/02/04 11:44:57 | 001,465,076 | ---- | C] ()

Bill's Credit Report.pdf -> C:\Documents and Settings\Bill & Cindy.WILLIAM-15738B9\My Documents\Bill's Credit Report.pdf -> [2010/02/04 11:44:57 | 000,247,410 | ---- | C] ()

Healthcare Coverage2.pdf -> C:\Documents and Settings\Bill & Cindy.WILLIAM-15738B9\My Documents\Healthcare Coverage2.pdf -> [2010/02/04 11:44:57 | 000,194,560 | ---- | C] ()

WINDOWSxp Reciept.pdf -> C:\Documents and Settings\Bill & Cindy.WILLIAM-15738B9\My Documents\WINDOWSxp Reciept.pdf -> [2010/02/04 11:44:57 | 000,049,378 | ---- | C] ()

Surefire batteries.pdf -> C:\Documents and Settings\Bill & Cindy.WILLIAM-15738B9\My Documents\Surefire batteries.pdf -> [2010/02/04 11:44:57 | 000,043,477 | ---- | C] ()

UserImages.bmp -> C:\Documents and Settings\Bill & Cindy.WILLIAM-15738B9\My Documents\UserImages.bmp -> [2010/02/04 11:44:57 | 000,043,062 | ---- | C] ()

Tuition Reciept.pdf -> C:\Documents and Settings\Bill & Cindy.WILLIAM-15738B9\My Documents\Tuition Reciept.pdf -> [2010/02/04 11:44:57 | 000,028,811 | ---- | C] ()

y.pdf -> C:\Documents and Settings\Bill & Cindy.WILLIAM-15738B9\My Documents\y.pdf -> [2010/02/04 11:44:57 | 000,025,005 | ---- | C] ()

Tax Mailing Labels.zdl -> C:\Documents and Settings\Bill & Cindy.WILLIAM-15738B9\My Documents\Tax Mailing Labels.zdl -> [2010/02/04 11:44:57 | 000,023,040 | ---- | C] ()

fall87.pdf -> C:\Documents and Settings\Bill & Cindy.WILLIAM-15738B9\My Documents\fall87.pdf -> [2010/02/04 11:44:57 | 000,021,825 | ---- | C] ()

MCC Username.pdf -> C:\Documents and Settings\Bill & Cindy.WILLIAM-15738B9\My Documents\MCC Username.pdf -> [2010/02/04 11:44:57 | 000,021,773 | ---- | C] ()

winter 87 grades.pdf -> C:\Documents and Settings\Bill & Cindy.WILLIAM-15738B9\My Documents\winter 87 grades.pdf -> [2010/02/04 11:44:57 | 000,021,425 | ---- | C] ()

fall 87.pdf -> C:\Documents and Settings\Bill & Cindy.WILLIAM-15738B9\My Documents\fall 87.pdf -> [2010/02/04 11:44:57 | 000,020,462 | ---- | C] ()

FontCache3.0.0.0.dat -> C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat -> [2010/01/31 12:39:34 | 001,269,216 | ---- | C] ()

AFUDOS.exe -> C:\AFUDOS.exe -> [2010/01/30 22:31:40 | 000,040,325 | ---- | C] ()

K8NE0411.ROM -> C:\K8NE0411.ROM -> [2010/01/30 17:46:49 | 000,524,288 | ---- | C] ()

OGACheckControl.dll -> C:\WINDOWS\System32\OGACheckControl.dll -> [2009/08/03 15:07:42 | 000,403,816 | ---- | C] ()

GlobalUserInterface.CompositeFont -> C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont -> [2006/06/29 14:58:52 | 000,030,808 | ---- | C] ()

GlobalSansSerif.CompositeFont -> C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont -> [2006/06/29 14:53:56 | 000,026,489 | ---- | C] ()

GlobalSerif.CompositeFont -> C:\WINDOWS\Fonts\GlobalSerif.CompositeFont -> [2006/04/18 15:39:28 | 000,029,779 | ---- | C] ()

GlobalMonospace.CompositeFont -> C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont -> [2006/04/18 15:39:28 | 000,026,040 | ---- | C] ()

[File - Lop Check]

Autodesk -> C:\Documents and Settings\All Users\Application Data\Autodesk -> [2007/01/17 15:37:10 | 000,000,000 | ---D | M]

Avery -> C:\Documents and Settings\All Users\Application Data\Avery -> [2010/02/12 13:18:15 | 000,000,000 | ---D | M]

AVSVideoBurner -> C:\Documents and Settings\All Users\Application Data\AVSVideoBurner -> [2009/02/10 15:22:09 | 000,000,000 | ---D | M]

Azureus -> C:\Documents and Settings\All Users\Application Data\Azureus -> [2008/05/20 05:51:55 | 000,000,000 | ---D | M]

BVRP Software -> C:\Documents and Settings\All Users\Application Data\BVRP Software -> [2009/04/08 19:59:40 | 000,000,000 | ---D | M]

Downloaded Installations -> C:\Documents and Settings\All Users\Application Data\Downloaded Installations -> [2008/10/20 11:12:43 | 000,000,000 | ---D | M]

Driver Whiz -> C:\Documents and Settings\All Users\Application Data\Driver Whiz -> [2010/01/30 12:17:04 | 000,000,000 | ---D | M]

Grisoft -> C:\Documents and Settings\All Users\Application Data\Grisoft -> [2008/05/01 18:54:01 | 000,000,000 | ---D | M]

LightScribe -> C:\Documents and Settings\All Users\Application Data\LightScribe -> [2009/01/13 21:33:41 | 000,000,000 | ---D | M]

NCH Swift Sound -> C:\Documents and Settings\All Users\Application Data\NCH Swift Sound -> [2009/02/26 16:56:23 | 000,000,000 | ---D | M]

PACE Anti-Piracy -> C:\Documents and Settings\All Users\Application Data\PACE Anti-Piracy -> [2009/02/27 18:58:19 | 000,000,000 | ---D | M]

ParetoLogic -> C:\Documents and Settings\All Users\Application Data\ParetoLogic -> [2008/10/20 11:13:05 | 000,000,000 | ---D | M]

PCPitstop -> C:\Documents and Settings\All Users\Application Data\PCPitstop -> [2008/02/04 00:45:48 | 000,000,000 | ---D | M]

Rosetta Stone -> C:\Documents and Settings\All Users\Application Data\Rosetta Stone -> [2008/06/30 15:07:04 | 000,000,000 | ---D | M]

ScanSoft -> C:\Documents and Settings\All Users\Application Data\ScanSoft -> [2008/07/10 12:40:44 | 000,000,000 | ---D | M]

TEMP -> C:\Documents and Settings\All Users\Application Data\TEMP -> [2010/01/26 22:47:56 | 000,000,000 | ---D | M]

TheaterTek -> C:\Documents and Settings\All Users\Application Data\TheaterTek -> [2009/04/25 17:12:38 | 000,000,000 | ---D | M]

Viewpoint -> C:\Documents and Settings\All Users\Application Data\Viewpoint -> [2007/04/04 17:36:43 | 000,000,000 | ---D | M]

vsosdk -> C:\Documents and Settings\All Users\Application Data\vsosdk -> [2008/03/29 21:04:12 | 000,000,000 | ---D | M]

Alwil Software -> C:\Documents and Settings\All Users.WINDOWS\Application Data\Alwil Software -> [2010/02/12 17:18:01 | 000,000,000 | ---D | M]

Avery -> C:\Documents and Settings\All Users.WINDOWS\Application Data\Avery -> [2010/02/12 13:18:26 | 000,000,000 | ---D | M]

avg9 -> C:\Documents and Settings\All Users.WINDOWS\Application Data\avg9 -> [2010/02/17 06:19:12 | 000,000,000 | ---D | M]

TEMP -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP -> [2010/02/19 11:54:38 | 000,000,000 | ---D | M]

TheaterTek -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TheaterTek -> [2010/02/05 13:11:48 | 000,000,000 | ---D | M]

vsosdk -> C:\Documents and Settings\All Users.WINDOWS\Application Data\vsosdk -> [2010/02/14 12:43:26 | 000,000,000 | ---D | M]

Citrix -> C:\Documents and Settings\Bill & Cindy.WILLIAM-15738B9\Application Data\Citrix -> [2010/02/05 13:16:26 | 000,000,000 | ---D | M]

TheaterTek -> C:\Documents and Settings\Bill & Cindy.WILLIAM-15738B9\Application Data\TheaterTek -> [2010/02/06 00:00:15 | 000,000,000 | ---D | M]

uTorrent -> C:\Documents and Settings\Bill & Cindy.WILLIAM-15738B9\Application Data\uTorrent -> [2010/02/25 11:08:21 | 000,000,000 | ---D | M]

Vso -> C:\Documents and Settings\Bill & Cindy.WILLIAM-15738B9\Application Data\Vso -> [2010/02/16 17:39:34 | 000,000,000 | ---D | M]

[File - Purity Scan]

[Custom Scans]

< netsvcs >

< %SYSTEMDRIVE%\*.exe >

AFUDOS.exe -> C:\AFUDOS.exe -> [2004/07/01 10:53:00 | 000,040,325 | ---- | M] ()

comport.exe -> C:\comport.exe -> [2009/03/29 09:15:15 | 000,095,744 | ---- | M] ()

Convert.exe -> C:\Convert.exe -> [1999/10/30 22:54:32 | 000,561,152 | ---- | M] (Joshua F. Madison)

HS0E.EXE -> C:\HS0E.EXE -> [2006/08/28 08:52:50 | 000,815,616 | ---- | M] ()

UNWISE.EXE -> C:\UNWISE.EXE -> [2002/07/26 17:02:06 | 000,153,088 | ---- | M] ()

< %SYSTEMDRIVE%\*.* >

.rnd -> C:\.rnd -> [2006/07/06 09:15:31 | 000,001,024 | ---- | M] ()

1st set.dr8 -> C:\1st set.dr8 -> [2008/03/01 00:40:23 | 013,995,728 | ---- | M] ()

AFUDOS.exe -> C:\AFUDOS.exe -> [2004/07/01 10:53:00 | 000,040,325 | ---- | M] ()

asmruntime.log -> C:\asmruntime.log -> [2006/12/29 03:13:25 | 000,000,924 | ---- | M] ()

AUTOEXEC.BAT -> C:\AUTOEXEC.BAT -> [2006/07/05 12:21:41 | 000,000,000 | ---- | M] ()

Avi2Dvd_Log.txt -> C:\Avi2Dvd_Log.txt -> [2008/08/13 20:54:28 | 000,000,061 | ---- | M] ()

Boot.bak -> C:\Boot.bak -> [2010/02/13 10:32:46 | 000,000,211 | ---- | M] ()

boot.ini -> C:\boot.ini -> [2010/02/23 07:00:46 | 000,000,281 | RHS- | M] ()

CLDMA.LOG -> C:\CLDMA.LOG -> [2008/02/10 21:23:21 | 000,009,236 | R--- | M] ()

cmldr -> C:\cmldr -> [2004/08/03 23:00:00 | 000,260,272 | ---- | M] ()

ComboFix.txt -> C:\ComboFix.txt -> [2010/02/25 11:17:42 | 000,022,483 | ---- | M] ()

comport.exe -> C:\comport.exe -> [2009/03/29 09:15:15 | 000,095,744 | ---- | M] ()

CONFIG.SYS -> C:\CONFIG.SYS -> [2006/07/05 12:21:41 | 000,000,000 | ---- | M] ()

Convert.exe -> C:\Convert.exe -> [1999/10/30 22:54:32 | 000,561,152 | ---- | M] (Joshua F. Madison)

dump_dvd.vob -> C:\dump_dvd.vob -> [2010/02/14 12:37:03 | 000,000,000 | ---- | M] ()

DVDCLog.log -> C:\DVDCLog.log -> [2008/02/12 23:23:33 | 000,014,893 | ---- | M] ()

FirstBackup.spg -> C:\FirstBackup.spg -> [2006/12/10 14:15:50 | 000,002,229 | ---- | M] ()

GirderAmmo.dll -> C:\GirderAmmo.dll -> [2005/12/06 10:33:24 | 000,024,576 | ---- | M] ( )

hiberfil.sys -> C:\hiberfil.sys -> [2010/02/25 06:29:39 | 1073,074,176 | -HS- | M] ()

HS0E.EXE -> C:\HS0E.EXE -> [2006/08/28 08:52:50 | 000,815,616 | ---- | M] ()

IO.SYS -> C:\IO.SYS -> [2006/07/05 12:21:41 | 000,000,000 | RHS- | M] ()

IPH.PH -> C:\IPH.PH -> [2007/04/04 15:46:26 | 000,001,096 | -H-- | M] ()

K8NE0411.ROM -> C:\K8NE0411.ROM -> [2006/02/17 10:05:00 | 000,524,288 | ---- | M] ()

LogEnbWinV.txt -> C:\LogEnbWinV.txt -> [2009/12/22 21:07:58 | 000,000,392 | ---- | M] ()

LogProsType.txt -> C:\LogProsType.txt -> [2009/12/22 21:07:58 | 000,000,029 | ---- | M] ()

Monthly Budget.xls -> C:\Monthly Budget.xls -> [2008/03/09 09:48:47 | 000,015,360 | ---- | M] ()

MSDOS.SYS -> C:\MSDOS.SYS -> [2006/07/05 12:21:41 | 000,000,000 | RHS- | M] ()

net_save.dna -> C:\net_save.dna -> [2008/02/16 11:47:01 | 000,001,295 | ---- | M] ()

NTDETECT.COM -> C:\NTDETECT.COM -> [2004/08/03 16:38:34 | 000,047,564 | RHS- | M] ()

ntldr -> C:\ntldr -> [2008/09/12 15:22:40 | 000,250,048 | RHS- | M] ()

pagefile.sys -> C:\pagefile.sys -> [2010/02/25 06:29:37 | 1610,612,736 | -HS- | M] ()

rkill.log -> C:\rkill.log -> [2010/02/23 13:35:28 | 000,000,276 | ---- | M] ()

sg_backup_2006-12-10-1402.spg -> C:\sg_backup_2006-12-10-1402.spg -> [2006/12/10 14:02:14 | 000,002,236 | ---- | M] ()

sg_backup_2006-12-10-1415.spg -> C:\sg_backup_2006-12-10-1415.spg -> [2006/12/10 14:15:50 | 000,002,229 | ---- | M] ()

temp.txt -> C:\temp.txt -> [2009/01/31 19:09:03 | 000,000,216 | ---- | M] ()

UnInstall.dat -> C:\UnInstall.dat -> [2006/08/08 22:49:44 | 000,000,172 | ---- | M] ()

UNWISE.EXE -> C:\UNWISE.EXE -> [2002/07/26 17:02:06 | 000,153,088 | ---- | M] ()

VideoEditor.log -> C:\VideoEditor.log -> [2006/12/04 13:30:33 | 000,000,507 | ---- | M] ()

volumeid.zbx -> C:\volumeid.zbx -> [2006/10/27 14:19:53 | 000,000,080 | RH-- | M] ()

YServer.txt -> C:\YServer.txt -> [2008/04/26 18:13:54 | 000,000,150 | ---- | M] ()

< %ProgramFiles%\Movie Maker\*.dll >

wmm2ae.dll -> C:\Program Files\Movie Maker\wmm2ae.dll -> [2008/04/13 19:12:09 | 000,167,936 | ---- | M] (Microsoft Corporation)

wmm2eres.dll -> C:\Program Files\Movie Maker\wmm2eres.dll -> [2008/04/13 19:12:09 | 000,004,096 | ---- | M] (Microsoft Corporation)

wmm2ext.dll -> C:\Program Files\Movie Maker\wmm2ext.dll -> [2008/04/13 19:12:09 | 000,007,680 | ---- | M] (Microsoft Corporation)

wmm2filt.dll -> C:\Program Files\Movie Maker\wmm2filt.dll -> [2008/04/13 19:12:09 | 000,402,432 | ---- | M] (Microsoft Corporation)

wmm2fxa.dll -> C:\Program Files\Movie Maker\wmm2fxa.dll -> [2008/04/13 19:12:09 | 000,502,272 | ---- | M] (Microsoft Corporation)

wmm2fxb.dll -> C:\Program Files\Movie Maker\wmm2fxb.dll -> [2008/04/13 19:12:09 | 000,325,632 | ---- | M] (Microsoft Corporation)

wmm2res.dll -> C:\Program Files\Movie Maker\wmm2res.dll -> [2008/04/13 19:12:09 | 004,256,768 | ---- | M] (Microsoft Corporation)

wmm2res2.dll -> C:\Program Files\Movie Maker\wmm2res2.dll -> [2008/04/13 19:12:09 | 000,005,632 | ---- | M] (Microsoft Corporation)

Invalid Environment Variable: ALLUSERSAPPDATA

< %SYSTEMROOT%\*.tmp >

8 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp ->

< %PROGRAMFILES%\Internet Explorer\*.dll >

custsat.dll -> C:\Program Files\Internet Explorer\custsat.dll -> [2006/11/07 21:03:36 | 000,033,792 | ---- | M] (Microsoft Corporation)

hmmapi.dll -> C:\Program Files\Internet Explorer\hmmapi.dll -> [2009/03/08 04:24:28 | 000,068,608 | ---- | M] (Microsoft Corporation)

iecompat.dll -> C:\Program Files\Internet Explorer\iecompat.dll -> [2009/12/11 03:38:55 | 000,069,120 | ---- | M] (Microsoft Corporation)

iedvtool.dll -> C:\Program Files\Internet Explorer\iedvtool.dll -> [2009/03/08 03:35:32 | 000,742,912 | ---- | M] (Microsoft Corporation)

ieproxy.dll -> C:\Program Files\Internet Explorer\ieproxy.dll -> [2009/12/21 14:14:03 | 000,246,272 | ---- | M] (Microsoft Corporation)

jsdbgui.dll -> C:\Program Files\Internet Explorer\jsdbgui.dll -> [2009/03/08 03:35:02 | 000,521,216 | ---- | M] (Microsoft Corporation)

jsdebuggeride.dll -> C:\Program Files\Internet Explorer\jsdebuggeride.dll -> [2009/03/08 03:35:02 | 000,121,344 | ---- | M] (Microsoft Corporation)

JSProfilerCore.dll -> C:\Program Files\Internet Explorer\JSProfilerCore.dll -> [2009/03/08 03:35:04 | 000,118,272 | ---- | M] (Microsoft Corporation)

jsprofilerui.dll -> C:\Program Files\Internet Explorer\jsprofilerui.dll -> [2009/03/08 03:35:12 | 000,233,984 | ---- | M] (Microsoft Corporation)

pdm.dll -> C:\Program Files\Internet Explorer\pdm.dll -> [2009/01/07 17:20:18 | 000,355,832 | ---- | M] (Microsoft Corporation)

sqmapi.dll -> C:\Program Files\Internet Explorer\sqmapi.dll -> [2009/01/07 17:20:54 | 000,134,144 | ---- | M] (Microsoft Corporation)

xpshims.dll -> C:\Program Files\Internet Explorer\xpshims.dll -> [2009/12/21 14:14:05 | 000,012,800 | ---- | M] (Microsoft Corporation)

Invalid Environment Variable: DriveLetter

< %systemroot%\system32\*.dll /lockedfiles >

1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp ->

< MD5 Scans Start>

< %systemdrive%\AGP440.SYS /md5 /s >

AGP440.sys : .cab file -> C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys -> [2006/02/28 07:00:00 | 018,738,937 | ---- | M] ()

AGP440.sys : .cab file -> C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys -> [2008/04/14 05:51:44 | 020,056,462 | ---- | M] ()

AGP440.sys : .cab file -> C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys -> [2008/04/14 05:51:44 | 020,056,462 | ---- | M] ()

agp440.sys : MD5=08FD04AA961BDC77FB983F328334E3D7 -> C:\WINDOWS\ERDNT\cache\agp440.sys -> [2008/04/13 13:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation)

agp440.sys : MD5=08FD04AA961BDC77FB983F328334E3D7 -> C:\WINDOWS\ServicePackFiles\i386\agp440.sys -> [2008/04/13 13:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation)

agp440.sys : MD5=08FD04AA961BDC77FB983F328334E3D7 -> C:\WINDOWS\system32\drivers\agp440.sys -> [2008/04/13 13:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation)

< %systemdrive%\ATAPI.SYS /md5 /s >

atapi.sys : .cab file -> C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys -> [2006/02/28 07:00:00 | 018,738,937 | ---- | M] ()

atapi.sys : .cab file -> C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys -> [2008/04/14 05:51:44 | 020,056,462 | ---- | M] ()

atapi.sys : .cab file -> C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys -> [2008/04/14 05:51:44 | 020,056,462 | ---- | M] ()

atapi.sys : MD5=9F3A2F5AA6875C72BF062C712CFA2674 -> C:\WINDOWS\ERDNT\cache\atapi.sys -> [2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation)

atapi.sys : MD5=9F3A2F5AA6875C72BF062C712CFA2674 -> C:\WINDOWS\ServicePackFiles\i386\atapi.sys -> [2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation)

atapi.sys : MD5=9F3A2F5AA6875C72BF062C712CFA2674 -> C:\WINDOWS\system32\drivers\atapi.sys -> [2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation)

atapi.sys : MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -> C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -> [2006/02/28 07:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation)

atapi.sys : MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -> C:\WINDOWS\system32\ReinstallBackups\0045\DriverFiles\i386\atapi.sys -> [2006/02/28 07:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation)

atapi.sys : MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -> C:\WINDOWS\system32\ReinstallBackups\0046\DriverFiles\i386\atapi.sys -> [2006/02/28 07:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation)

< %systemdrive%\EVENTLOG.DLL /md5 /s >

eventlog.dll : MD5=6D4FEB43EE538FC5428CC7F0565AA656 -> C:\WINDOWS\ERDNT\cache\eventlog.dll -> [2008/04/13 19:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation)

eventlog.dll : MD5=6D4FEB43EE538FC5428CC7F0565AA656 -> C:\WINDOWS\ServicePackFiles\i386\eventlog.dll -> [2008/04/13 19:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation)

eventlog.dll : MD5=6D4FEB43EE538FC5428CC7F0565AA656 -> C:\WINDOWS\system32\eventlog.dll -> [2008/04/13 19:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation)

eventlog.dll : MD5=82B24CB70E5944E6E34662205A2A5B78 -> C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll -> [2006/02/28 07:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation)

< %systemdrive%\NETLOGON.DLL /md5 /s >

netlogon.dll : MD5=1B7F071C51B77C272875C3A23E1E4550 -> C:\WINDOWS\ERDNT\cache\netlogon.dll -> [2008/04/13 19:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation)

netlogon.dll : MD5=1B7F071C51B77C272875C3A23E1E4550 -> C:\WINDOWS\ServicePackFiles\i386\netlogon.dll -> [2008/04/13 19:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation)

netlogon.dll : MD5=1B7F071C51B77C272875C3A23E1E4550 -> C:\WINDOWS\system32\netlogon.dll -> [2008/04/13 19:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation)

netlogon.dll : MD5=96353FCECBA774BB8DA74A1C6507015A -> C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll -> [2006/02/28 07:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation)

< %systemdrive%\NVATABUS.SYS /md5 /s >

NvAtaBus.sys : MD5=46DEED4C6C5FA765F9A2C723BE60348D -> C:\NVIDIA\nForceWin2KXP\5.10\IDE\Win2K\NvAtaBus.sys -> [2004/06/03 09:40:46 | 000,079,360 | ---- | M] (NVIDIA Corporation)

NvAtaBus.sys : MD5=46DEED4C6C5FA765F9A2C723BE60348D -> C:\NVIDIA\nForceWin2KXP\5.10\IDE\WinXP\NvAtaBus.sys -> [2004/06/03 09:40:46 | 000,079,360 | ---- | M] (NVIDIA Corporation)

NvAtaBus.sys : MD5=46DEED4C6C5FA765F9A2C723BE60348D -> C:\NVIDIA\nForceWin2KXP\5.11\IDE\Win2K\NvAtaBus.sys -> [2004/06/03 09:40:46 | 000,079,360 | ---- | M] (NVIDIA Corporation)

NvAtaBus.sys : MD5=46DEED4C6C5FA765F9A2C723BE60348D -> C:\NVIDIA\nForceWin2KXP\5.11\IDE\WinXP\NvAtaBus.sys -> [2004/06/03 09:40:46 | 000,079,360 | ---- | M] (NVIDIA Corporation)

nvatabus.sys : MD5=46DEED4C6C5FA765F9A2C723BE60348D -> C:\WINDOWS\system32\drivers\nvatabus.sys -> [2004/06/02 21:40:46 | 000,079,360 | R--- | M] (NVIDIA Corporation)

< %systemdrive%\SCECLI.DLL /md5 /s >

scecli.dll : MD5=0F78E27F563F2AAF74B91A49E2ABF19A -> C:\WINDOWS\$NtServicePackUninstall$\scecli.dll -> [2006/02/28 07:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation)

scecli.dll : MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -> C:\WINDOWS\ERDNT\cache\scecli.dll -> [2008/04/13 19:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation)

scecli.dll : MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -> C:\WINDOWS\ServicePackFiles\i386\scecli.dll -> [2008/04/13 19:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation)

scecli.dll : MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -> C:\WINDOWS\system32\scecli.dll -> [2008/04/13 19:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation)

< MD5 Scans End>

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >

1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp ->

< %systemroot%\Tasks\*.job /lockedfiles >

< c:\$recycle.bin\*.* /s >

Restore point Set: OTS Restore Point (0)

[Alternate Data Streams]

@Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0F8F5844

@Alternate Data Stream - 145 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:E6E3D650

@Alternate Data Stream - 194 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:3CE6BB52

@Alternate Data Stream - 194 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:3CE6BB52

< End of report >

ComboFix2.txt

Link to post
Share on other sites

Hey Big Bill,

Shortly after my previous post, I discovered that I could view your profile.

You certainly are a girl, and a mighty pretty one as well! :)

I most certainly will purchase the full version of Malwarebytes, I would like to pass it on to the CEO Marcin, that at least this sale, is the result of your kindness and help!!!

I'll get to that when you're satisfied that we're done here (sticking with you to the end)!

I went back and looked for any and all copies of ComboFix.txt. The only one I found, was the one I posted. Thinking that I screwed up somewhere, I launched it again by dragging and dropping your CFscript.txt file onto it. That does launch it and it runs. However, I noticed that when it reaches stage 49, a windows "Application Error" Application Corrupt" dialogue box pops up. I click OK and ComboFix continues to run. When it's done, the same log without the (((((((((((((((( other deletions ))))))))))))))))))))))))) section is not there.

I then tried deleting Combofix and redownloading it again, same problems but the Application Corrupt dialogue pops up even more. I then checked the CFscript file to make sure it's contents exactly matched what you posted for me to copy and paste, and it does. So I deleted Combofix and again downloaded (from a different mirror), same thing. Each time I run it, the "Application Corrupt" message pops up at a different time. One time after it ran (even with error messages, it did generate a log that did have one file in the (((((((((((((((((((((((( other deletions )))))))))))))))))) section. I will post that one as all the others are the same as the first one I posted ( yes I saved them all, giving each file name a number according to it's scan).

Thank you for your compliments, Bill. :)

It's strange that the Other Deletions section didn't come out. We shall use another tool to remove the files again, just in case. Please bear with me. :)

By the way, please do not run ComboFix unless I tell you to. It is a very advanced tool and if run improperly, could render your computer unbootable or corrupted. I know you are trying your best to follow my steps and do everything you can to help me help you with the cleanup process, but it would be best to not attempt to run any of the tools by yourself in case something goes wrong. Thank you for your understanding and patience. :)

Thank you for reposting the logs, let's continue with the cleanup process then.

Please follow my instructions in the order they were given, and print out a copy of it as you may not have access to the forums during the fix.

Before we go on to run the tools, it would be advisable to temporarily disable your protection software(s) (AVG anti-virus) as it/they may hinder the tools from running. Instructions is in the link below:

http://www.bleepingcomputer.com/forums/topic114351.html

1) Re-run ComboFix

Uninstall the current ComboFix:

  • Click START then RUN
  • Now type ComboFix /uninstall in the runbox and click OK. Note the space between the x and the /, it needs to be there.
    combofixuninstall.png

NEXT

Download ComboFix from one of the locations below, and save it to your Desktop.

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.

When finished, it shall produce a log for you. Post that log in your next reply

Note: Do not mouseclick combofix's window while its running. That may cause it to stall

2) Remove files with The Avenger

1. Please download The Avenger by Swandog46 to your Desktop.

  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the Avenger folder to your desktop
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Begin copying here:

Files to delete:
c:\windows\unins000.dat
c:\windows\unins000.exe
c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\Application Data\Microsoft\Installer\{9C9B12FD-ED94-4757-B8BB-1FA22A6C1D32}\ext_3.exe
c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\Application Data\Microsoft\Installer\{9C9B12FD-ED94-4757-B8BB-1FA22A6C1D32}\ext_2.exe
c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\Application Data\Microsoft\Installer\{9C9B12FD-ED94-4757-B8BB-1FA22A6C1D32}\ext_1.exe
c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\Application Data\Microsoft\Installer\{9C9B12FD-ED94-4757-B8BB-1FA22A6C1D32}\ext.exe
c:\windows\system32\bonalopi.dll
c:\windows\system32\bufezeza.dll
c:\windows\system32\fikitiku.dll
c:\windows\system32\gipidiwu.dll
c:\windows\system32\lawariko.dll
c:\windows\system32\mukuvabu.dll
c:\windows\system32\nesibeba.dll
c:\windows\system32\niwebazi.dll
c:\windows\system32\nozepelo.dll
c:\windows\system32\reguligu.dll
c:\windows\system32\romopifo.dll
c:\windows\system32\tahidazu.dll
c:\windows\system32\visegobu.dll
c:\windows\system32\vufosesa.dll
c:\windows\system32\vufurajo.dll
c:\windows\system32\wikufalu.dll
c:\windows\system32\wiwuzoza.dll
c:\windows\system32\wuyeligo.dll
c:\windows\system32\x.dll
c:\windows\system32\xx.dll
c:\windows\system32\xxx.dll
c:\windows\system32\zayitala.dll
c:\windows\system32\zesulalu.dll
C:\WINDOWS\NV8961548.TMP
C:\WINDOWS\NV8961000.TMP
C:\Documents and Settings\Bill & Cindy.WILLIAM-15738B9\Desktop\guq7k2pj.exe
C:\Documents and Settings\Bill & Cindy.WILLIAM-15738B9\My Documents\(S(kjjn0ibkzifyvpba5.pdf

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, open the avenger folder and start The Avenger program by clicking on its icon.

  • Right click on the window under Input script here:, and select Paste.
  • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please copy/paste the content of c:\avenger.txt into your reply.

3) Optional Removals

From your log, you seem to have Peer Guardian2 installed.

Peer Guardian2 is a Peer-to-peer (P2P) program that can compromise your computer security. Please have a look at the following:

http://www.microsoft.com/protect/data/down...ilesharing.aspx

Due to the dubious nature of these program(s), it is highly recommended that you remove the program(s) via Add or Remove Programs in Control Panel and refrain from downloading these programs in the future. If you have made a decision to remove these programs, please do the following:

Please go to Add or Remove Programs and remove the following (if present):

Peer Guardian2

Then use Windows Explorer and remove the following (if present):

c:\program files\PeerGuardian2

C:\Documents and Settings\All Users\Application Data\Viewpoint

C:\Documents and Settings\Bill & Cindy.WILLIAM-15738B9\Application Data\uTorrent

Reboot your computer.

4) Run Kaspersky Webscanner

Kaspersky online scanner uses JAVA tecnology to perform the scan. If you do not have the latest JAVA version, follow the instrutions below under Upgrading Java, to download and install the latest vesion.

Upgrading Java:

  • Download the latest version of Java SE Runtime Environment (JRE)JRE 6 Update 18.
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u18-windows-i586.exe) and save it to your desktop. Do NOT use the Sun Download Manager..
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Make sure the C:\Program Files\JAVA folder is removed.
  • Then from your desktop double-click on the download to install the newest version.(Vista users, right click on the jre-6u18-windows-i586.exe and select "Run as an Administrator.")

THEN

Please do an online scan with Kaspersky WebScanner

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure the following is checked.
    • Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases

[*]Click on My Computer under Scan.

[*]Once the scan is complete, it will display the results. Click on View Scan Report.

[*]You will see a list of infected items there. Click on Save Report As....

[*]Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.

[*]Please post this log in your next reply.

Next reply (please include in your post):

ComboFix.txt

Avenger.txt

Kaspersky scan log

Link to post
Share on other sites

Good Morning LTAngelic;

I did as you instructed with ComboFix (sorry about the extra runs), still had several instances of "Corrupt Application" messages popped up. I did not click on the Combofix window while it was running or interfere with it in anyway other than to click the OK button on the Error warnings.

ComboFix did complete it's run and created a log.

ComboFix Log:

ComboFix 10-02-27.04 - Bill & Cindy 02/28/2010 13:08:25.12.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.596 [GMT -5:00]

Running from: c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

-- Previous Run --

Infected copy of c:\windows\system32\drivers\ntfs.sys was found and disinfected

Restored copy from - c:\windows\ERDNT\cache\ntfs.sys

--------

.

((((((((((((((((((((((((( Files Created from 2010-01-28 to 2010-02-28 )))))))))))))))))))))))))))))))

.

2010-02-25 16:48 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-02-25 16:48 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-02-22 03:10 . 2010-02-22 03:10 -------- d-----w- c:\program files\EMCO

2010-02-22 02:51 . 2010-02-22 02:51 50376 ----a-w- c:\windows\system32\drivers\pxrts.sys

2010-02-22 02:51 . 2010-02-22 02:51 24368 ----a-w- c:\windows\system32\drivers\pxkbf.sys

2010-02-21 15:48 . 2007-02-28 00:36 974848 ----a-w- c:\windows\system32\mfc70.dll

2010-02-21 15:48 . 2007-02-28 00:36 487424 ----a-w- c:\windows\system32\msvcp70.dll

2010-02-21 15:48 . 2007-02-28 00:36 344064 ----a-w- c:\windows\system32\msvcr70.dll

2010-02-21 15:48 . 2007-02-28 00:36 24576 ----a-w- c:\windows\system32\msxml3a.dll

2010-02-21 15:48 . 2007-02-28 00:36 413760 ----a-w- c:\windows\system32\mpg4c32.dll

2010-02-21 15:48 . 2007-02-28 00:36 261632 ----a-w- c:\windows\system32\mcdvd_32.dll

2010-02-21 15:18 . 2010-02-27 16:38 -------- d-----w- c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\Local Settings\Application Data\WMTools Downloaded Files

2010-02-18 01:37 . 2010-02-18 01:37 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Application Data\IsolatedStorage

2010-02-18 01:07 . 2010-02-18 01:07 -------- d-----w- c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\Local Settings\Application Data\Intuit

2010-02-18 00:34 . 2010-02-18 00:34 -------- d-----w- c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\Local Settings\Application Data\IsolatedStorage

2010-02-17 03:36 . 2010-02-17 03:36 -------- d-----w- c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\Local Settings\Application Data\Apple

2010-02-17 03:36 . 2010-02-17 03:36 -------- d-----w- c:\program files\Apple Software Update

2010-02-17 03:36 . 2010-02-17 03:36 -------- d-----w- c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\Local Settings\Application Data\Apple Computer

2010-02-14 14:04 . 2010-02-14 14:04 294912 ----a-w- c:\windows\alcupd.exe

2010-02-14 00:21 . 2010-02-17 03:29 -------- d-----w- c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\Local Settings\Application Data\Ahead

2010-02-13 15:58 . 2010-02-13 15:43 1260800 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\avg9\update\backup\avgfrw.exe

2010-02-13 15:58 . 2010-02-13 15:44 3777280 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\avg9\update\backup\setup.exe

2010-02-13 15:44 . 2010-02-13 15:44 -------- d-----w- C:\$AVG

2010-02-13 15:44 . 2010-02-13 15:44 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-02-13 15:44 . 2010-02-13 15:44 12464 ----a-w- c:\windows\system32\avgrsstx.dll

2010-02-13 15:44 . 2010-02-13 15:44 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2010-02-13 15:44 . 2010-02-13 15:44 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2010-02-13 15:44 . 2010-02-26 23:16 -------- d-----w- c:\windows\system32\drivers\Avg

2010-02-12 22:13 . 2010-02-12 22:18 -------- d-----w- c:\program files\Alwil Software

2010-02-12 18:23 . 2010-02-12 18:23 -------- d-----w- c:\program files\Avery

2010-02-12 18:18 . 2010-02-12 18:18 -------- d-----w- c:\program files\Avery Dennison

2010-02-11 17:51 . 2010-02-26 15:39 -------- d-----w- C:\Security

2010-02-11 02:03 . 2002-11-18 15:02 40960 ----a-w- c:\windows\system32\MMAVILNG.exe

2010-02-11 01:20 . 2010-02-11 01:20 -------- d-sh--w- c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\IECompatCache

2010-02-10 02:09 . 2009-11-27 17:11 17920 -c----w- c:\windows\system32\dllcache\msyuv.dll

2010-02-07 08:09 . 2010-02-07 08:09 -------- d-----w- c:\documents and settings\Default User.WINDOWS\Local Settings\Application Data\Microsoft Help

2010-02-07 03:21 . 2007-02-28 00:36 524288 ----a-w- c:\windows\system32\xvidcore.dll

2010-02-07 03:21 . 2007-02-28 00:36 139264 ----a-w- c:\windows\system32\xvidvfw.dll

2010-02-06 23:45 . 2008-04-14 00:11 380445 ----a-w- c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\Application Data\Creative\Media Database\JetFileBackup\Expsrv.dll

2010-02-06 23:45 . 2008-04-14 00:12 30749 ----a-w- c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\Application Data\Creative\Media Database\JetFileBackup\vbajet32.dll

2010-02-06 23:45 . 2008-04-14 00:12 151583 ----a-w- c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\Application Data\Creative\Media Database\JetFileBackup\Msjint40.dll

2010-02-06 23:45 . 2008-04-14 00:12 102400 ----a-w- c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\Application Data\Creative\Media Database\JetFileBackup\Msjro.dll

2010-02-06 23:45 . 2008-04-14 00:11 57344 ----a-w- c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\Application Data\Creative\Media Database\JetFileBackup\Msadrh15.dll

2010-02-06 23:45 . 2008-04-14 00:11 536576 ----a-w- c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\Application Data\Creative\Media Database\JetFileBackup\Msado15.dll

2010-02-06 23:45 . 2008-04-14 00:11 200704 ----a-w- c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\Application Data\Creative\Media Database\JetFileBackup\Msadox.dll

2010-02-06 23:45 . 2007-10-22 09:30 1516568 ----a-w- c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\Application Data\Creative\Media Database\JetFileBackup\Msjet40.dll

2010-02-06 23:45 . 2007-04-02 12:51 621344 ----a-w- c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\Application Data\Creative\Media Database\JetFileBackup\Mswstr10.dll

2010-02-06 23:45 . 2007-04-02 12:49 248608 ----a-w- c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\Application Data\Creative\Media Database\JetFileBackup\Msjtes40.dll

2010-02-06 23:45 . 2007-04-02 12:49 60192 ----a-w- c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\Application Data\Creative\Media Database\JetFileBackup\Msjter40.dll

2010-02-06 23:45 . 2007-04-02 12:49 355112 ----a-w- c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\Application Data\Creative\Media Database\JetFileBackup\Msjetoledb40.dll

2010-02-06 22:37 . 1999-10-11 01:00 41984 ------w- c:\windows\Ctregrun.exe

2010-02-06 22:34 . 1999-12-12 17:01 44032 ------w- c:\windows\system32\CTSVCCDA.EXE

2010-02-06 22:34 . 1999-11-17 17:00 25088 ------w- c:\windows\system32\CTSVCCTL.EXE

2010-02-06 03:56 . 2010-02-06 03:56 -------- d-----w- c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\Local Settings\Application Data\ATI

2010-02-06 03:50 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll

2010-02-06 03:49 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll

2010-02-06 03:49 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll

2010-02-06 03:49 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe

2010-02-06 03:49 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe

2010-02-06 03:49 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll

2010-02-06 03:49 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll

2010-02-06 03:49 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll

2010-02-06 03:49 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll

2010-02-06 03:38 . 2010-02-06 03:38 0 ----a-w- c:\windows\ativpsrm.bin

2010-02-06 03:35 . 2009-09-30 02:15 593920 ------w- c:\windows\system32\ati2sgag.exe

2010-02-06 03:35 . 2009-09-30 02:10 155648 ----a-w- c:\windows\system32\ati2evxx.dll

2010-02-06 03:35 . 2009-09-30 02:08 602112 ----a-w- c:\windows\system32\ati2evxx.exe

2010-02-06 02:10 . 2010-02-06 02:10 2014 ----a-w- c:\windows\unins000.dat

2010-02-06 02:10 . 2010-02-06 02:10 673546 ----a-w- c:\windows\unins000.exe

2010-02-06 02:01 . 2010-02-06 02:01 4398 ----a-r- c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\Application Data\Microsoft\Installer\{9C9B12FD-ED94-4757-B8BB-1FA22A6C1D32}\controlPanelIcon.exe

2010-02-06 02:01 . 2010-02-06 02:01 3310 ----a-r- c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\Application Data\Microsoft\Installer\{9C9B12FD-ED94-4757-B8BB-1FA22A6C1D32}\ext_3.exe

2010-02-06 02:01 . 2010-02-06 02:01 3310 ----a-r- c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\Application Data\Microsoft\Installer\{9C9B12FD-ED94-4757-B8BB-1FA22A6C1D32}\ext_2.exe

2010-02-06 02:01 . 2010-02-06 02:01 3310 ----a-r- c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\Application Data\Microsoft\Installer\{9C9B12FD-ED94-4757-B8BB-1FA22A6C1D32}\ext_1.exe

2010-02-06 02:01 . 2010-02-06 02:01 3310 ----a-r- c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\Application Data\Microsoft\Installer\{9C9B12FD-ED94-4757-B8BB-1FA22A6C1D32}\ext.exe

2010-02-06 01:26 . 2008-11-10 16:41 32656 ----a-w- c:\windows\system32\msonpmon.dll

2010-02-06 01:26 . 2006-10-27 00:56 33104 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\msonpppr.dll

2010-02-06 00:36 . 2010-02-06 00:36 -------- d-sh--w- c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\PrivacIE

2010-02-05 23:36 . 2010-01-25 13:28 3777816 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\TEMP\AVG\setup.exe

2010-02-05 22:16 . 2009-08-07 00:23 274288 ----a-w- c:\windows\system32\mucltui.dll

2010-02-05 22:13 . 2010-02-05 22:13 -------- d-sh--w- c:\documents and settings\NetworkService.NT AUTHORITY\IETldCache

2010-02-05 22:12 . 2010-02-05 22:12 -------- d-sh--w- c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\IETldCache

2010-02-05 22:08 . 2009-12-11 08:38 69120 -c----w- c:\windows\system32\dllcache\iecompat.dll

2010-02-05 22:07 . 2009-12-21 19:14 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll

2010-02-05 22:07 . 2009-12-21 19:14 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll

2010-02-05 22:07 . 2009-12-21 19:14 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll

2010-02-05 22:07 . 2009-12-21 19:14 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll

2010-02-05 22:07 . 2009-12-21 19:14 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll

2010-02-05 22:07 . 2009-12-21 19:14 11070464 -c----w- c:\windows\system32\dllcache\ieframe.dll

2010-02-05 20:46 . 2010-02-05 20:46 -------- d-----w- c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\Local Settings\Application Data\Microsoft Help

2010-02-05 19:08 . 2010-02-10 01:05 -------- d-----w- c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\Local Settings\Application Data\Adobe

2010-02-05 18:37 . 2010-02-05 18:37 -------- d-----w- c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\Local Settings\Application Data\HP

2010-02-05 18:31 . 2008-08-22 12:24 271704 ----a-r- c:\windows\system32\hpzids01.dll

2010-02-05 18:31 . 2008-08-12 15:58 118272 ----a-w- c:\windows\system32\hpf3l082.dll

2010-02-05 18:31 . 2008-08-12 15:58 314880 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpfpp082.dll

2010-02-05 18:30 . 2008-10-06 19:11 741376 ----a-r- c:\windows\system32\hpwwiax5.dll

2010-02-05 18:30 . 2008-10-06 19:11 966656 ----a-r- c:\windows\system32\hpwtiop4.dll

2010-02-05 18:30 . 2007-07-09 18:13 364544 ----a-r- c:\windows\system32\hppldcoi.dll

2010-02-05 18:30 . 2007-07-09 18:13 309760 ----a-r- c:\windows\system32\difxapi.dll

2010-02-05 18:30 . 2007-07-06 18:48 294912 ----a-r- c:\windows\system32\hpovst11.dll

2010-02-05 18:30 . 2001-08-17 18:53 6784 -c--a-w- c:\windows\system32\dllcache\serscan.sys

2010-02-05 18:30 . 2001-08-17 18:53 6784 ----a-w- c:\windows\system32\drivers\serscan.sys

2010-02-05 18:27 . 2008-04-13 18:47 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys

2010-02-05 18:27 . 2008-04-13 18:47 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys

2010-02-05 18:27 . 2008-04-13 18:45 26368 -c--a-w- c:\windows\system32\dllcache\usbstor.sys

2010-02-05 18:25 . 2010-02-06 00:02 188909 ----a-w- c:\windows\hpwins22.dat

2010-02-05 18:25 . 2008-10-25 09:40 2979 ------w- c:\windows\hpwmdl22.dat

2010-02-05 18:19 . 2008-04-14 00:12 26624 ----a-w- c:\documents and settings\LocalService.NT AUTHORITY\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll

2010-02-05 17:34 . 2010-02-18 01:17 124112 ----a-w- c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-02-05 17:34 . 2007-07-26 22:13 1843200 ----a-w- c:\windows\system32\acXMLParser.dll

2010-02-05 17:34 . 2007-07-26 22:13 3518464 ----a-w- c:\windows\system32\cdintf300.dll

2010-02-05 17:33 . 2007-08-08 12:33 34080 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Intuit\Quicken\Sku\Deluxe\Custom\billmind.exe

2010-02-05 17:33 . 2007-08-08 12:33 34080 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Intuit\Quicken\Sku\Premier\Custom\billmind.exe

2010-02-05 17:33 . 2007-08-08 12:33 34080 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Intuit\Quicken\Sku\HaB\Custom\billmind.exe

2010-02-05 16:02 . 2009-03-06 14:22 284160 -c----w- c:\windows\system32\dllcache\pdh.dll

2010-02-05 16:02 . 2009-02-09 12:10 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll

2010-02-05 16:02 . 2009-02-09 12:10 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll

2010-02-05 16:02 . 2009-02-06 11:11 110592 -c----w- c:\windows\system32\dllcache\services.exe

2010-02-05 16:02 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe

2010-02-05 16:02 . 2009-02-09 12:10 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll

2010-02-05 16:02 . 2009-02-09 12:10 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll

2010-02-05 16:02 . 2009-02-09 12:10 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll

2010-02-05 15:42 . 2004-08-04 03:29 63488 ------w- c:\windows\system32\drivers\atinxsxx.sys

2010-02-05 15:33 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys

2010-02-05 15:33 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

2010-02-05 15:32 . 2009-10-15 16:28 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-02-28 17:48 . 2010-02-05 19:09 -------- d-----w- c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\Application Data\HPAppData

2010-02-28 02:38 . 2010-02-05 18:11 -------- d---a-w- c:\documents and settings\All Users.WINDOWS\Application Data\TEMP

2010-02-27 13:35 . 2010-02-05 16:26 -------- d-----w- c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\Application Data\uTorrent

2010-02-27 13:35 . 2006-07-13 17:59 -------- d-----w- c:\program files\PeerGuardian2

2010-02-27 02:22 . 2010-02-27 02:22 -------- d-----w- c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\Application Data\AVS4YOU

2010-02-27 02:22 . 2010-02-27 02:22 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\AVS4YOU

2010-02-27 02:20 . 2009-02-10 12:05 -------- d-----w- c:\program files\AVS4YOU

2010-02-26 00:51 . 2010-02-14 17:42 -------- d-----w- c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\Application Data\Vso

2010-02-25 20:30 . 2010-02-25 20:30 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Ahead

2010-02-21 15:32 . 2010-02-14 00:15 -------- d-----w- c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\Application Data\Ahead

2010-02-21 15:25 . 2010-02-21 15:25 -------- d-----w- c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\Application Data\Nero

2010-02-18 01:02 . 2010-02-05 17:33 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Intuit

2010-02-17 11:19 . 2010-02-05 23:26 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\avg9

2010-02-17 03:40 . 2010-02-17 03:40 -------- d-----w- c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\Application Data\Apple Computer

2010-02-17 03:37 . 2008-06-13 01:27 -------- d-----w- c:\program files\QuickTime

2010-02-17 03:36 . 2010-02-17 03:36 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Apple Computer

2010-02-17 03:36 . 2008-03-11 03:38 -------- d-----w- c:\program files\Common Files\Apple

2010-02-17 03:36 . 2010-02-17 03:36 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Apple

2010-02-14 17:43 . 2010-02-14 17:43 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\vsosdk

2010-02-14 00:13 . 2010-02-14 00:13 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Nero

2010-02-12 22:18 . 2010-02-12 22:13 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Alwil Software

2010-02-12 18:18 . 2006-07-06 14:10 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-02-12 18:18 . 2010-02-12 18:18 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Avery

2010-02-11 17:17 . 2010-02-11 17:17 -------- d-----w- c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\Application Data\Malwarebytes

2010-02-11 17:16 . 2010-02-11 17:16 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes

2010-02-11 11:36 . 2010-02-11 01:46 -------- d-----w- c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\Application Data\DivX

2010-02-11 01:35 . 2006-07-15 09:17 -------- d-----w- c:\program files\DivX

2010-02-11 01:35 . 2009-05-26 22:35 -------- d-----w- c:\program files\Common Files\DivX Shared

2010-02-10 02:57 . 2010-02-05 20:46 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft Help

2010-02-10 02:41 . 2010-02-10 02:41 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Office Genuine Advantage

2010-02-10 02:41 . 2010-02-10 02:41 -------- d-----w- c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\Application Data\Office Genuine Advantage

2010-02-10 01:06 . 2010-02-10 01:06 -------- d-----w- c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\Application Data\AdobeUM

2010-02-10 01:02 . 2010-02-10 01:02 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Adobe Systems

2010-02-10 01:01 . 2006-07-06 20:07 -------- d-----w- c:\program files\Common Files\Adobe

2010-02-06 23:45 . 2010-02-06 22:56 -------- d-----w- c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\Application Data\Creative

2010-02-06 05:00 . 2010-02-06 05:00 -------- d-----w- c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\Application Data\TheaterTek

2010-02-06 04:31 . 2010-02-06 04:31 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\ATI

2010-02-06 04:07 . 2008-05-25 21:33 -------- d-----w- c:\program files\ATI Technologies

2010-02-06 03:56 . 2010-02-06 03:56 -------- d-----w- c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\Application Data\ATI

2010-02-06 01:23 . 2008-05-25 21:28 -------- d-----w- c:\program files\MSBuild

2010-02-06 00:30 . 2010-02-06 00:30 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\FLEXnet

2010-02-05 23:49 . 2010-02-05 23:49 -------- d-----w- c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\Application Data\HP

2010-02-05 23:26 . 2008-07-09 19:07 -------- d-----w- c:\program files\AVG

2010-02-05 19:09 . 2010-02-05 19:09 -------- d-----w- c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\Application Data\Yahoo!

2010-02-05 18:38 . 2010-02-05 18:38 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\WEBREG

2010-02-05 18:35 . 2010-02-05 18:33 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\HP

2010-02-05 18:34 . 2010-02-05 18:34 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\HP Product Assistant

2010-02-05 18:16 . 2010-02-05 18:16 -------- d-----w- c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\Application Data\Citrix

2010-02-05 18:11 . 2010-02-05 18:11 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\TheaterTek

2010-02-05 17:33 . 2010-02-05 17:33 -------- d-----w- c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\Application Data\Intuit

2010-02-05 15:55 . 2010-02-05 04:47 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat

2010-01-31 15:58 . 2007-01-02 16:31 -------- d-----w- c:\program files\TurboTax

2010-01-06 01:47 . 2010-01-06 01:47 -------- d-----w- c:\program files\Xvid

2009-12-31 16:50 . 2006-02-28 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys

2009-12-22 05:20 . 2009-12-22 05:20 81920 ------w- c:\windows\system32\ieencode.dll

2009-12-21 19:14 . 2006-02-28 12:00 916480 ------w- c:\windows\system32\wininet.dll

2009-12-14 07:08 . 2006-02-28 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll

2009-12-08 19:27 . 2006-02-28 12:00 2189184 ------w- c:\windows\system32\ntoskrnl.exe

2009-12-08 18:43 . 2004-08-03 22:59 2066048 ------w- c:\windows\system32\ntkrnlpa.exe

2009-12-04 18:22 . 2006-02-28 12:00 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2010-02-13 15:44 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"Microsoft Office Groove Audit Service"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"e:\\Program Files\\uTorrent\\uTorrent.exe"=

"\\\\Kids\\Basement D\\setup\\hpznui01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\{624E7452-BA43-4f55-B9D5-FC75EEA0808B}\\setup\\hpznui01.exe"=

"e:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"e:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"e:\\Program Files\\Promixis\\Girder\\girder.exe"=

"e:\\Program Files\\Promixis\\Girder\\grunt.exe"=

"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=

"e:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\PeerGuardian2\\pg2.exe"=

"c:\\Program Files\\Common Files\\Ahead\\Lib\\NMIndexStoreSvr.exe"=

"c:\\WINDOWS\\system32\\spoolsv.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgchsvx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5353:TCP"= 5353:TCP:*:Disabled:Adobe CSI CS4

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2/13/2010 10:44 AM 333192]

R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2/13/2010 10:44 AM 360584]

R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2/13/2010 10:43 AM 285392]

S3 pbfilter;pbfilter;\??\e:\program files\PeerBlock\pbfilter.sys --> e:\program files\PeerBlock\pbfilter.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

HPService REG_MULTI_SZ HPSLPSVC

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.comcast.net/

IE: Convert link target to Adobe PDF - e:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - e:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - e:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - e:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - e:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - e:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - e:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert to existing PDF - e:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

Trusted Zone: intuit.com\ttlc

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-02-28 13:14

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(824)

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(4068)

c:\windows\system32\WININET.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2010-02-28 13:15:58

ComboFix-quarantined-files.txt 2010-02-28 18:15

ComboFix2.txt 2010-02-28 00:40

Pre-Run: 22,946,754,560 bytes free

Post-Run: 22,913,224,704 bytes free

- - End Of File - - 6914F5BC7E369A95F4D5D94C2CBBBC47

Avenger Log:

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

No rootkits found!

File "c:\windows\unins000.dat" deleted successfully.

File "c:\windows\unins000.exe" deleted successfully.

File "c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\Application Data\Microsoft\Installer\{9C9B12FD-ED94-4757-B8BB-1FA22A6C1D32}\ext_3.exe" deleted successfully.

File "c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\Application Data\Microsoft\Installer\{9C9B12FD-ED94-4757-B8BB-1FA22A6C1D32}\ext_2.exe" deleted successfully.

File "c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\Application Data\Microsoft\Installer\{9C9B12FD-ED94-4757-B8BB-1FA22A6C1D32}\ext_1.exe" deleted successfully.

File "c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\Application Data\Microsoft\Installer\{9C9B12FD-ED94-4757-B8BB-1FA22A6C1D32}\ext.exe" deleted successfully.

Error: file "c:\windows\system32\bonalopi.dll" not found!

Deletion of file "c:\windows\system32\bonalopi.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\bufezeza.dll" not found!

Deletion of file "c:\windows\system32\bufezeza.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\fikitiku.dll" not found!

Deletion of file "c:\windows\system32\fikitiku.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\gipidiwu.dll" not found!

Deletion of file "c:\windows\system32\gipidiwu.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\lawariko.dll" not found!

Deletion of file "c:\windows\system32\lawariko.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\mukuvabu.dll" not found!

Deletion of file "c:\windows\system32\mukuvabu.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\nesibeba.dll" not found!

Deletion of file "c:\windows\system32\nesibeba.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\niwebazi.dll" not found!

Deletion of file "c:\windows\system32\niwebazi.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\nozepelo.dll" not found!

Deletion of file "c:\windows\system32\nozepelo.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\reguligu.dll" not found!

Deletion of file "c:\windows\system32\reguligu.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\romopifo.dll" not found!

Deletion of file "c:\windows\system32\romopifo.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\tahidazu.dll" not found!

Deletion of file "c:\windows\system32\tahidazu.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\visegobu.dll" not found!

Deletion of file "c:\windows\system32\visegobu.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\vufosesa.dll" not found!

Deletion of file "c:\windows\system32\vufosesa.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\vufurajo.dll" not found!

Deletion of file "c:\windows\system32\vufurajo.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\wikufalu.dll" not found!

Deletion of file "c:\windows\system32\wikufalu.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\wiwuzoza.dll" not found!

Deletion of file "c:\windows\system32\wiwuzoza.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\wuyeligo.dll" not found!

Deletion of file "c:\windows\system32\wuyeligo.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\x.dll" not found!

Deletion of file "c:\windows\system32\x.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\xx.dll" not found!

Deletion of file "c:\windows\system32\xx.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\xxx.dll" not found!

Deletion of file "c:\windows\system32\xxx.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\zayitala.dll" not found!

Deletion of file "c:\windows\system32\zayitala.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\zesulalu.dll" not found!

Deletion of file "c:\windows\system32\zesulalu.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: "C:\WINDOWS\NV8961548.TMP" is a folder, not a file!

Deletion of file "C:\WINDOWS\NV8961548.TMP" failed!

Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)

--> use "Folders to delete:" instead of "Files to delete:" to delete a directory

Error: "C:\WINDOWS\NV8961000.TMP" is a folder, not a file!

Deletion of file "C:\WINDOWS\NV8961000.TMP" failed!

Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)

--> use "Folders to delete:" instead of "Files to delete:" to delete a directory

Error: file "C:\Documents and Settings\Bill & Cindy.WILLIAM-15738B9\Desktop\guq7k2pj.exe" not found!

Deletion of file "C:\Documents and Settings\Bill & Cindy.WILLIAM-15738B9\Desktop\guq7k2pj.exe" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

File "C:\Documents and Settings\Bill & Cindy.WILLIAM-15738B9\My Documents\(S(kjjn0ibkzifyvpba5.pdf" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Kaspersky Scan Log:

KASPERSKY ONLINE SCANNER 7.0: scan report

Monday, March 1, 2010

Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)

Kaspersky Online Scanner version: 7.0.26.13

Last database update: Sunday, February 28, 2010 20:40:41

Records in database: 3672167

--------------------------------------------------------------------------------

Scan settings:

scan using the following database: extended

Scan archives: yes

Scan e-mail databases: yes

Scan area - My Computer:

A:\

C:\

D:\

E:\

F:\

Scan statistics:

Objects scanned: 194008

Threats found: 8

Infected objects found: 10

Suspicious objects found: 0

Scan duration: 04:18:56

File name / Threat / Threats count

C:\Disk & Boot Utilities\XPBootCD\xpboot.iso Infected: Trojan.DOS.KillCMOS.k 1

C:\Disk & Boot Utilities\XPBootCD\xpboot.iso Infected: Trojan.DOS.KillCMOS.c 1

C:\Disk & Boot Utilities\xpkeys.zip Infected: not-a-virus:PSWTool.Win32.RAS.a 2

C:\Disk & Boot Utilities\xpkeys.zip Infected: not-a-virus:PSWTool.Win32.NetPass.g 1

C:\Documents and Settings\Bill & Cindy.WILLIAM-15738B9\My Documents\BLMInstall265.exe Infected: not-a-virus:NetTool.Win32.Portscan.c 1

C:\Hc\Add-on.zip Infected: not-a-virus:Monitor.Win32.HiddenCamera.o 1

C:\Hc\Employee component quick installer\servemp_quicksetup.exe Infected: not-a-virus:Monitor.Win32.HiddenCamera.o 1

C:\Hc\hiddencamera225_setup.exe Infected: not-a-virus:Monitor.Win32.HiddenCamera.j 1

D:\Program Downloads\Home Studio Bundle\VST-DX PLUGINS\50x vst plugins\50 pieces of VST plugins.exe Infected: Trojan.Win32.Agent.dkmd 1

Selected area has been scanned.

Link to post
Share on other sites

Hey Big Bill,

Thanks for the OTS log, we still have some things to handle.

Please follow my instructions in the order they were given, and print out a copy of it as you may not have access to the forums during the fix.

Before we go on to run the tools, it would be advisable to temporarily disable your protection software(s) (AVG anti-virus) as it/they may hinder the tools from running. Instructions is in the link below:

http://www.bleepingcomputer.com/forums/topic114351.html

1) Run CFScript

1. Please open Notepad

  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Dirlook::
C:\Program Files\WindowsUpdate
C:\WINDOWS\System32\zh-TW
C:\WINDOWS\System32\zh-HK
C:\WINDOWS\System32\tr-TR
C:\WINDOWS\System32\sv-SE
C:\WINDOWS\System32\pt-BR
C:\WINDOWS\System32\nl-NL
C:\WINDOWS\System32\nb-NO
C:\WINDOWS\System32\ko-KR
C:\WINDOWS\System32\it-IT
C:\WINDOWS\System32\he-IL
C:\WINDOWS\System32\fr-FR
C:\WINDOWS\System32\fi-FI
C:\WINDOWS\System32\es-ES
C:\WINDOWS\System32\el-GR
C:\WINDOWS\System32\de-DE
C:\WINDOWS\System32\da-DK
C:\WINDOWS\System32\ar-SA
C:\Documents and Settings\Bill & Cindy.WILLIAM-15738B9\Local Settings\Application Data\GGru612642m
C:\Documents and Settings\Bill & Cindy.WILLIAM-15738B9\Local Settings\Application Data\BnDHfux
C:\WINDOWS\System32\vunavuse
C:\Documents and Settings\Bill & Cindy.WILLIAM-15738B9\Local Settings\Application Data\e1wnOl
C:\Documents and Settings\Bill & Cindy.WILLIAM-15738B9\Local Settings\Application Data\MVkXhU7

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScriptB-4.gif

5. After reboot, (in case it asks to reboot), please post the following report/log into your next reply:

  • Combofix.txt .

2) Run Malwarebytes' Anti-Malware

  • Open Malwarebytes by clicking on its shortcut on desktop. Please click on the "Update" tab and click "Check for Updates".
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.

Next reply (please include in your post):

ComboFix.txt

MBAM scan log

Link to post
Share on other sites

Hi LTAngelic;

I ran Combofix as instructed. Even though there were hundreds of "Application Error / Corrupt Application" warning dialogues that popped up, I just kept acknowledging them and ComboFix continued to proceed to the end. It did find a bunch of infected system files that it restored.

Well, anyway, here's the ComboFix log.

ComboFix 10-03-03.07 - Bill & Cindy 03/04/2010 7:40.13.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.587 [GMT -5:00]

Running from: c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\NtUser.dat

c:\documents and settings\All Users\NtUser.dat.LOG

c:\windows\system32\imm32.dll . . . is infected!!

c:\windows\regedit.exe . . . is infected!!

c:\windows\system32\comres.dll . . . is infected!!

c:\windows\system32\userinit.exe . . . is infected!!

c:\windows\system32\Drivers\atapi.sys . . . is infected!!

c:\windows\system32\drivers\ntfs.sys . . . is infected!!

c:\windows\system32\drivers\beep.sys . . . is infected!!

c:\windows\system32\msgsvc.dll . . . is infected!!

c:\windows\system32\drivers\AGP440.sys . . . is infected!!

c:\windows\system32\drivers\asyncmac.sys . . . is infected!!

.

((((((((((((((((((((((((( Files Created from 2010-02-04 to 2010-03-04 )))))))))))))))))))))))))))))))

.

2010-02-28 18:49 . 2010-02-28 18:49 -------- d-----w- c:\windows\Sun

2010-02-28 18:48 . 2010-02-28 18:48 411368 ----a-w- c:\windows\system32\deploytk.dll

2010-02-28 18:48 . 2010-02-28 18:48 -------- d-----w- c:\program files\Java

2010-02-28 18:44 . 2010-02-28 18:44 -------- d-----w- c:\program files\Common Files\Java

2010-02-27 02:22 . 2010-02-27 02:22 -------- d-----w- c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\Application Data\AVS4YOU

2010-02-27 02:22 . 2010-02-27 02:22 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\AVS4YOU

2010-02-25 20:30 . 2010-02-25 20:30 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Ahead

2010-02-25 16:48 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-02-25 16:48 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-02-22 03:10 . 2010-02-22 03:10 -------- d-----w- c:\program files\EMCO

2010-02-22 02:51 . 2010-02-22 02:51 50376 ----a-w- c:\windows\system32\drivers\pxrts.sys

2010-02-22 02:51 . 2010-02-22 02:51 24368 ----a-w- c:\windows\system32\drivers\pxkbf.sys

2010-02-21 15:48 . 2007-02-28 00:36 974848 ----a-w- c:\windows\system32\mfc70.dll

2010-02-21 15:48 . 2007-02-28 00:36 487424 ----a-w- c:\windows\system32\msvcp70.dll

2010-02-21 15:48 . 2007-02-28 00:36 344064 ----a-w- c:\windows\system32\msvcr70.dll

2010-02-21 15:48 . 2007-02-28 00:36 24576 ----a-w- c:\windows\system32\msxml3a.dll

2010-02-21 15:48 . 2007-02-28 00:36 413760 ----a-w- c:\windows\system32\mpg4c32.dll

2010-02-21 15:48 . 2007-02-28 00:36 261632 ----a-w- c:\windows\system32\mcdvd_32.dll

2010-02-21 15:25 . 2010-02-21 15:25 -------- d-----w- c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\Application Data\Nero

2010-02-21 15:18 . 2010-03-03 12:25 -------- d-----w- c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\Local Settings\Application Data\WMTools Downloaded Files

2010-02-18 01:37 . 2010-02-18 01:37 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Application Data\IsolatedStorage

2010-02-18 01:07 . 2010-02-18 01:07 -------- d-----w- c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\Local Settings\Application Data\Intuit

2010-02-18 00:34 . 2010-02-18 00:34 -------- d-----w- c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\Local Settings\Application Data\IsolatedStorage

2010-02-17 03:40 . 2010-02-17 03:40 -------- d-----w- c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\Application Data\Apple Computer

2010-02-17 03:36 . 2010-02-17 03:36 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Apple Computer

2010-02-17 03:36 . 2010-02-17 03:36 -------- d-----w- c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\Local Settings\Application Data\Apple

2010-02-17 03:36 . 2010-02-17 03:36 -------- d-----w- c:\program files\Apple Software Update

2010-02-17 03:36 . 2010-02-17 03:36 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Apple

2010-02-17 03:36 . 2010-02-17 03:36 -------- d-----w- c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\Local Settings\Application Data\Apple Computer

2010-02-14 17:43 . 2010-02-14 17:43 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\vsosdk

2010-02-14 17:42 . 2010-02-26 00:51 -------- d-----w- c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\Application Data\Vso

2010-02-14 14:04 . 2010-02-14 14:04 294912 ----a-w- c:\windows\alcupd.exe

2010-02-14 00:21 . 2010-02-17 03:29 -------- d-----w- c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\Local Settings\Application Data\Ahead

2010-02-14 00:15 . 2010-02-21 15:32 -------- d-----w- c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\Application Data\Ahead

2010-02-14 00:13 . 2010-02-14 00:13 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Nero

2010-02-13 15:44 . 2010-02-13 15:44 -------- d-----w- C:\$AVG

2010-02-13 15:44 . 2010-02-13 15:44 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-02-13 15:44 . 2010-02-13 15:44 12464 ----a-w- c:\windows\system32\avgrsstx.dll

2010-02-13 15:44 . 2010-02-13 15:44 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2010-02-13 15:44 . 2010-02-13 15:44 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2010-02-13 15:44 . 2010-03-03 18:55 -------- d-----w- c:\windows\system32\drivers\Avg

2010-02-12 22:13 . 2010-02-12 22:18 -------- d-----w- c:\program files\Alwil Software

2010-02-12 22:13 . 2010-02-12 22:18 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Alwil Software

2010-02-12 18:23 . 2010-02-12 18:23 -------- d-----w- c:\program files\Avery

2010-02-12 18:18 . 2010-02-12 18:18 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Avery

2010-02-12 18:18 . 2010-02-12 18:18 -------- d-----w- c:\program files\Avery Dennison

2010-02-11 17:51 . 2010-03-04 00:12 -------- d-----w- C:\Security

2010-02-11 17:17 . 2010-02-11 17:17 -------- d-----w- c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\Application Data\Malwarebytes

2010-02-11 17:16 . 2010-02-11 17:16 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes

2010-02-11 02:03 . 2002-11-18 15:02 40960 ----a-w- c:\windows\system32\MMAVILNG.exe

2010-02-11 01:46 . 2010-02-11 11:36 -------- d-----w- c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\Application Data\DivX

2010-02-11 01:20 . 2010-02-11 01:20 -------- d-sh--w- c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\IECompatCache

2010-02-10 02:41 . 2010-02-10 02:41 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Office Genuine Advantage

2010-02-10 02:41 . 2010-02-10 02:41 -------- d-----w- c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\Application Data\Office Genuine Advantage

2010-02-10 02:09 . 2009-11-27 17:11 17920 -c----w- c:\windows\system32\dllcache\msyuv.dll

2010-02-10 01:06 . 2010-02-10 01:06 -------- d-----w- c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\Application Data\AdobeUM

2010-02-10 01:02 . 2010-02-10 01:02 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Adobe Systems

2010-02-07 03:21 . 2007-02-28 00:36 524288 ----a-w- c:\windows\system32\xvidcore.dll

2010-02-07 03:21 . 2007-02-28 00:36 139264 ----a-w- c:\windows\system32\xvidvfw.dll

2010-02-06 22:56 . 2010-02-06 23:45 -------- d-----w- c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\Application Data\Creative

2010-02-06 22:37 . 1999-10-11 01:00 41984 ------w- c:\windows\Ctregrun.exe

2010-02-06 22:34 . 1999-12-12 17:01 44032 ------w- c:\windows\system32\CTSVCCDA.EXE

2010-02-06 22:34 . 1999-11-17 17:00 25088 ------w- c:\windows\system32\CTSVCCTL.EXE

2010-02-06 05:00 . 2010-02-06 05:00 -------- d-----w- c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\Application Data\TheaterTek

2010-02-06 04:31 . 2010-02-06 04:31 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\ATI

2010-02-06 03:56 . 2010-02-06 03:56 -------- d-----w- c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\Local Settings\Application Data\ATI

2010-02-06 03:56 . 2010-02-06 03:56 -------- d-----w- c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\Application Data\ATI

2010-02-06 03:50 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll

2010-02-06 03:49 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll

2010-02-06 03:49 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll

2010-02-06 03:49 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe

2010-02-06 03:49 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe

2010-02-06 03:49 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll

2010-02-06 03:49 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll

2010-02-06 03:49 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll

2010-02-06 03:49 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll

2010-02-06 03:38 . 2010-02-06 03:38 0 ----a-w- c:\windows\ativpsrm.bin

2010-02-06 03:35 . 2009-09-30 02:15 593920 ------w- c:\windows\system32\ati2sgag.exe

2010-02-06 03:35 . 2009-09-30 02:10 155648 ----a-w- c:\windows\system32\ati2evxx.dll

2010-02-06 03:35 . 2009-09-30 02:08 602112 ----a-w- c:\windows\system32\ati2evxx.exe

2010-02-06 01:26 . 2008-11-10 16:41 32656 ----a-w- c:\windows\system32\msonpmon.dll

2010-02-06 01:26 . 2006-10-27 00:56 33104 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\msonpppr.dll

2010-02-06 00:36 . 2010-02-06 00:36 -------- d-sh--w- c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\PrivacIE

2010-02-06 00:30 . 2010-02-06 00:30 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\FLEXnet

2010-02-05 23:49 . 2010-02-05 23:49 -------- d-----w- c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\Application Data\HP

2010-02-05 23:26 . 2010-02-17 11:19 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\avg9

2010-02-05 22:16 . 2009-08-07 00:23 274288 ----a-w- c:\windows\system32\mucltui.dll

2010-02-05 22:13 . 2010-02-05 22:13 -------- d-sh--w- c:\documents and settings\NetworkService.NT AUTHORITY\IETldCache

2010-02-05 22:12 . 2010-02-05 22:12 -------- d-sh--w- c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\IETldCache

2010-02-05 22:08 . 2009-12-11 08:38 69120 -c----w- c:\windows\system32\dllcache\iecompat.dll

2010-02-05 22:07 . 2009-12-21 19:14 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll

2010-02-05 22:07 . 2009-12-21 19:14 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll

2010-02-05 22:07 . 2009-12-21 19:14 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll

2010-02-05 22:07 . 2009-12-21 19:14 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll

2010-02-05 22:07 . 2009-12-21 19:14 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll

2010-02-05 22:07 . 2009-12-21 19:14 11070464 -c----w- c:\windows\system32\dllcache\ieframe.dll

2010-02-05 20:46 . 2010-02-05 20:46 -------- d-----w- c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\Local Settings\Application Data\Microsoft Help

2010-02-05 20:46 . 2010-02-10 02:57 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft Help

2010-02-05 19:09 . 2010-03-04 12:38 -------- d-----w- c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\Application Data\HPAppData

2010-02-05 19:09 . 2010-02-05 19:09 -------- d-----w- c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\Application Data\Yahoo!

2010-02-05 19:08 . 2010-02-10 01:05 -------- d-----w- c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\Local Settings\Application Data\Adobe

2010-02-05 18:38 . 2010-02-05 18:38 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\WEBREG

2010-02-05 18:37 . 2010-02-05 18:37 -------- d-----w- c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\Local Settings\Application Data\HP

2010-02-05 18:34 . 2010-02-05 18:34 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\HP Product Assistant

2010-02-05 18:33 . 2010-02-05 18:35 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\HP

2010-02-05 18:31 . 2008-08-22 12:24 271704 ----a-r- c:\windows\system32\hpzids01.dll

2010-02-05 18:31 . 2008-08-12 15:58 118272 ----a-w- c:\windows\system32\hpf3l082.dll

2010-02-05 18:31 . 2008-08-12 15:58 314880 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpfpp082.dll

2010-02-05 18:30 . 2008-10-06 19:11 741376 ----a-r- c:\windows\system32\hpwwiax5.dll

2010-02-05 18:30 . 2008-10-06 19:11 966656 ----a-r- c:\windows\system32\hpwtiop4.dll

2010-02-05 18:30 . 2007-07-09 18:13 364544 ----a-r- c:\windows\system32\hppldcoi.dll

2010-02-05 18:30 . 2007-07-09 18:13 309760 ----a-r- c:\windows\system32\difxapi.dll

2010-02-05 18:30 . 2007-07-06 18:48 294912 ----a-r- c:\windows\system32\hpovst11.dll

2010-02-05 18:30 . 2001-08-17 18:53 6784 -c--a-w- c:\windows\system32\dllcache\serscan.sys

2010-02-05 18:30 . 2001-08-17 18:53 6784 ----a-w- c:\windows\system32\drivers\serscan.sys

2010-02-05 18:27 . 2008-04-13 18:47 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys

2010-02-05 18:27 . 2008-04-13 18:47 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys

2010-02-05 18:27 . 2008-04-13 18:45 26368 -c--a-w- c:\windows\system32\dllcache\usbstor.sys

2010-02-05 18:25 . 2010-02-06 00:02 188909 ----a-w- c:\windows\hpwins22.dat

2010-02-05 18:25 . 2008-10-25 09:40 2979 ------w- c:\windows\hpwmdl22.dat

2010-02-05 18:16 . 2010-02-05 18:16 -------- d-----w- c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\Application Data\Citrix

2010-02-05 18:11 . 2010-03-02 03:02 -------- d---a-w- c:\documents and settings\All Users.WINDOWS\Application Data\TEMP

2010-02-05 18:11 . 2010-02-05 18:11 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\TheaterTek

2010-02-05 17:34 . 2010-02-18 01:17 124112 ----a-w- c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-02-05 17:34 . 2007-07-26 22:13 1843200 ----a-w- c:\windows\system32\acXMLParser.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-03-02 08:41 . 2006-07-13 17:59 -------- d-----w- c:\program files\PeerGuardian2

2010-02-28 18:48 . 2010-02-28 18:48 61440 ----a-w- c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-631a0c1e-n\decora-sse.dll

2010-02-28 18:48 . 2010-02-28 18:48 503808 ----a-w- c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5eef3e9c-n\msvcp71.dll

2010-02-28 18:48 . 2010-02-28 18:48 499712 ----a-w- c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5eef3e9c-n\jmc.dll

2010-02-28 18:48 . 2010-02-28 18:48 348160 ----a-w- c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5eef3e9c-n\msvcr71.dll

2010-02-28 18:48 . 2010-02-28 18:48 12800 ----a-w- c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-631a0c1e-n\decora-d3d.dll

2010-02-27 02:20 . 2009-02-10 12:05 -------- d-----w- c:\program files\AVS4YOU

2010-02-17 03:37 . 2008-06-13 01:27 -------- d-----w- c:\program files\QuickTime

2010-02-17 03:36 . 2008-03-11 03:38 -------- d-----w- c:\program files\Common Files\Apple

2010-02-13 15:44 . 2010-02-13 15:58 3777280 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\avg9\update\backup\setup.exe

2010-02-13 15:43 . 2010-02-13 15:58 1260800 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\avg9\update\backup\avgfrw.exe

2010-02-12 18:18 . 2006-07-06 14:10 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-02-11 01:35 . 2006-07-15 09:17 -------- d-----w- c:\program files\DivX

2010-02-11 01:35 . 2009-05-26 22:35 -------- d-----w- c:\program files\Common Files\DivX Shared

2010-02-10 01:01 . 2006-07-06 20:07 -------- d-----w- c:\program files\Common Files\Adobe

2010-02-06 04:07 . 2008-05-25 21:33 -------- d-----w- c:\program files\ATI Technologies

2010-02-06 02:01 . 2010-02-06 02:01 4398 ----a-r- c:\documents and settings\Bill & Cindy.WILLIAM-15738B9\Application Data\Microsoft\Installer\{9C9B12FD-ED94-4757-B8BB-1FA22A6C1D32}\controlPanelIcon.exe

2010-02-06 01:23 . 2008-05-25 21:28 -------- d-----w- c:\program files\MSBuild

2010-02-05 23:26 . 2008-07-09 19:07 -------- d-----w- c:\program files\AVG

2010-02-05 15:55 . 2010-02-05 04:47 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat

2010-02-02 04:43 . 2010-02-01 02:55 -------- d-----w- c:\program files\HP

2010-02-02 04:40 . 2010-02-02 04:40 -------- d-----w- c:\program files\Common Files\HP

2010-02-02 04:39 . 2010-02-02 04:39 -------- d-----w- c:\program files\Hewlett-Packard

2010-02-01 02:55 . 2010-02-01 02:55 -------- d-----w- c:\program files\Common Files\Hewlett-Packard

2010-01-31 15:58 . 2007-01-02 16:31 -------- d-----w- c:\program files\TurboTax

2010-01-25 13:28 . 2010-02-05 23:36 3777816 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\TEMP\AVG\setup.exe

2010-01-06 01:47 . 2010-01-06 01:47 -------- d-----w- c:\program files\Xvid

2009-12-31 16:50 . 2006-02-28 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys

2009-12-22 05:20 . 2009-12-22 05:20 81920 ------w- c:\windows\system32\ieencode.dll

2009-12-21 19:14 . 2006-02-28 12:00 916480 ------w- c:\windows\system32\wininet.dll

2009-12-14 07:08 . 2006-02-28 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll

2009-12-08 19:27 . 2006-02-28 12:00 2189184 ------w- c:\windows\system32\ntoskrnl.exe

2009-12-08 18:43 . 2004-08-03 22:59 2066048 ------w- c:\windows\system32\ntkrnlpa.exe

2009-12-04 18:22 . 2006-02-28 12:00 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]

"Userinit"="c:\windows\explorer.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2010-02-13 15:44 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"Microsoft Office Groove Audit Service"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"e:\\Program Files\\uTorrent\\uTorrent.exe"=

"\\\\Kids\\Basement D\\setup\\hpznui01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\{624E7452-BA43-4f55-B9D5-FC75EEA0808B}\\setup\\hpznui01.exe"=

"e:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"e:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"e:\\Program Files\\Promixis\\Girder\\girder.exe"=

"e:\\Program Files\\Promixis\\Girder\\grunt.exe"=

"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=

"e:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\PeerGuardian2\\pg2.exe"=

"c:\\Program Files\\Common Files\\Ahead\\Lib\\NMIndexStoreSvr.exe"=

"c:\\WINDOWS\\system32\\spoolsv.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgchsvx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5353:TCP"= 5353:TCP:*:Disabled:Adobe CSI CS4

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2/13/2010 10:44 AM 333192]

R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2/13/2010 10:44 AM 360584]

R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2/13/2010 10:43 AM 285392]

S3 pbfilter;pbfilter;\??\e:\program files\PeerBlock\pbfilter.sys --> e:\program files\PeerBlock\pbfilter.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

HPService REG_MULTI_SZ HPSLPSVC

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.comcast.net/

IE: Convert link target to Adobe PDF - e:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - e:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - e:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - e:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - e:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - e:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - e:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert to existing PDF - e:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

Trusted Zone: intuit.com\ttlc

.

- - - - ORPHANS REMOVED - - - -

AddRemove-Girder plugin for Remote Wonder Remote series_is1 - c:\windows\unins000.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-03-04 07:53

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(824)

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(368)

c:\windows\system32\WININET.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\windows\system32\Ati2evxx.exe

c:\program files\AVG\AVG9\avgchsvx.exe

c:\program files\AVG\AVG9\avgrsx.exe

c:\program files\AVG\AVG9\avgcsrvx.exe

c:\windows\system32\CTsvcCDA.EXE

c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\AVG\AVG9\avgnsx.exe

.

**************************************************************************

.

Completion time: 2010-03-04 07:58:09 - machine was rebooted

ComboFix-quarantined-files.txt 2010-03-04 12:58

Pre-Run: 22,419,050,496 bytes free

Post-Run: 22,603,001,856 bytes free

- - End Of File - - 1F6BCD0A4FE76299BD9949BB5832B7B0

and the mbam.log

Malwarebytes' Anti-Malware 1.44

Database version: 3823

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

3/4/2010 8:50:34 AM

mbam-log-2010-03-04 (08-50-34).txt

Scan type: Quick Scan

Objects scanned: 169611

Time elapsed: 12 minute(s), 18 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Link to post
Share on other sites

Hey Big Bill,

Apologies for the late reply, I was busy the past few days. I'll be back with a fix by today.

Thank you for your understanding and patience. :P

Link to post
Share on other sites

Hey Big Bill,

There is something strange going on in your computer, let's run some scans.

Please follow my instructions in the order they were given, and print out a copy of it as you may not have access to the forums during the fix.

Before we go on to run the tools, it would be advisable to temporarily disable your protection software(s) (AVG anti-virus) as it/they may hinder the tools from running. Instructions is in the link below:

http://www.bleepingcomputer.com/forums/topic114351.html

1) Run GMER

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**

These types of scans can produce false positives. Do NOT take any action on any "<--- ROOKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.

Post the contents of GMER.txt in your next reply.

2) Run MBR

Please download MBR.exe to your desktop. Double-click on it and it will produce a log on desktop (mbr.log). Please post the log in your next reply.

Next reply (please include in your post):

GMER.txt

MBR log

Link to post
Share on other sites

Hi LTAngelic:

Please, no need to appologize. I too have a life beyond this computer and I totaly understand being busy. I'm just very grateful for your help! :P

Here is the GMER log:

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-03-07 19:31:21

Windows 5.1.2600 Service Pack 3

Running: gmer.exe; Driver: C:\DOCUME~1\BILL&C~1.WIL\LOCALS~1\Temp\awtcyfod.sys

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xF5957000, 0x1C5D38, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\services.exe[872] GDI32.dll!StartDocW + 4EB 77F45E4D 1 Byte [89]

.text C:\WINDOWS\system32\svchost.exe[1076] ADVAPI32.dll!ControlTraceW + 28 77DFCD15 1 Byte [0F]

.text C:\Program Files\QuickTime\qttask.exe[1260] GDI32.dll!EnumMetaFile + 2F2 77F25E4D 1 Byte [FF]

.text C:\Program Files\QuickTime\qttask.exe[1260] ADVAPI32.dll!SetSecurityInfoExA + DC 77E24135 1 Byte [8B]

.text C:\WINDOWS\system32\svchost.exe[1428] kernel32.dll!BeginUpdateResourceW + FD 7C870D15 1 Byte [F9]

.text C:\WINDOWS\system32\svchost.exe[1776] SHELL32.dll!SHLoadNonloadedIconOverlayIdentifiers + 2126 7CAD8D15 1 Byte [8B]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HP Document Manager@UninstallString C:\Program Files\HP\Digital Imaging\DocumentManager\hpzscr01.exe -datfile hpqbud18.dat

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HP Document Manager@DisplayName HP Document Manager 2.0

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HP Document Manager@DisplayIcon C:\Program Files\HP\Digital Imaging\DocumentManager\hpzscr01.exe,0

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HP Document Manager@DisplayVersion 2.0

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HP Document Manager@Publisher HP

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HP Document Manager@URLUpdateInfo http://www.hp.com

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HP Document Manager@HelpLink http://www.hp.com/support

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HP Document Manager@Description Easily search, view, annotate, OCR, print, fax, etc scanned documents/images.

Reg HKLM\SOFTWARE\Classes\Interface\{29c13f49-bcef-4fe2-bfc7-6f03b82b726f}@ _CMYKColor

Reg HKLM\SOFTWARE\Classes\Interface\{29c13f49-bcef-4fe2-bfc7-6f03b82b726f}\ProxyStubClsid

Reg HKLM\SOFTWARE\Classes\Interface\{29c13f49-bcef-4fe2-bfc7-6f03b82b726f}\ProxyStubClsid@ {00020420-0000-0000-C000-000000000046}

Reg HKLM\SOFTWARE\Classes\Interface\{29c13f49-bcef-4fe2-bfc7-6f03b82b726f}\ProxyStubClsid32

Reg HKLM\SOFTWARE\Classes\Interface\{29c13f49-bcef-4fe2-bfc7-6f03b82b726f}\ProxyStubClsid32@ {00020420-0000-0000-C000-000000000046}

Reg HKLM\SOFTWARE\Classes\Interface\{29c13f49-bcef-4fe2-bfc7-6f03b82b726f}\TypeLib

Reg HKLM\SOFTWARE\Classes\Interface\{29c13f49-bcef-4fe2-bfc7-6f03b82b726f}\TypeLib@ {E891EE9A-D0AE-4CB4-8871-F92C0109F18E}

Reg HKLM\SOFTWARE\Classes\Interface\{29c13f49-bcef-4fe2-bfc7-6f03b82b726f}\TypeLib@Version 1.0

Reg HKLM\SOFTWARE\Classes\Interface\{A4202D2A-1774-4B96-BE11-5D3406EE6C07}\TypeLib@Version ???

---- EOF - GMER 1.0.15 ----

And here is the MBR log:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

kernel: MBR read successfully

user & kernel MBR OK

Link to post
Share on other sites

Hey Big Bill,

Let's try running ComboFix again.

Please follow my instructions in the order they were given, and print out a copy of it as you may not have access to the forums during the fix.

Before we go on to run the tools, it would be advisable to temporarily disable your protection software(s) (AVG anti-virus) as it/they may hinder the tools from running. Instructions is in the link below:

http://www.bleepingcomputer.com/forums/topic114351.html

Uninstall the current ComboFix you have:

  • Click START then RUN
  • Now type ComboFix /uninstall in the runbox and click OK. Note the space between the x and the /, it needs to be there.
    combofixuninstall.png

NEXT

Download ComboFix from one of the locations below, and save it to your Desktop.

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.

When finished, it shall produce a log for you. Post that log in your next reply

Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Next reply (please include in your post):

New OTS log (Please re-run OTS and attach the log)

ComboFix.txt

Link to post
Share on other sites

Hey Big Bill,

We still have some files to check and some work to do.

Please follow my instructions in the order they were given, and print out a copy of it as you may not have access to the forums during the fix.

Before we go on to run the tools, it would be advisable to temporarily disable your protection software(s) (AVG anti-virus) as it/they may hinder the tools from running. Instructions is in the link below:

http://www.bleepingcomputer.com/forums/topic114351.html

1) Run CFScript

Important! Please disconnect your computer from the Internet before running the script below.

1. Please open Notepad

  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

FCopy::
c:\windows\ERDNT\cache\explorer.exe | C:\windows\explorer.exe
c:\windows\ServicePackFiles\i386\mshtml.dll | c:\windows\$NtServicePackUninstall$\mshtml.dll
c:\windows\ServicePackFiles\i386\mshtml.dll | c:\windows\$hf_mig$\KB911164\SP2QFE\mshtml.dll
c:\windows\$hf_mig$\KB978207\SP3QFE\mshtml.dll | c:\windows\ERDNT\cache\mshtml.dll
c:\windows\ServicePackFiles\i386\mshtml.dll | c:\windows\$NtServicePackUninstall$\mshtml.dll
c:\windows\SoftwareDistribution\Download\f1062d4e51d6818acdde68ea67673088\SP3GDR\mshtml.dll | c:\windows\system32\mshtml.dll

Folder::
C:\Documents and Settings\Bill & Cindy.WILLIAM-15738B9\Local Settings\Application Data\GGru612642m
C:\Documents and Settings\Bill & Cindy.WILLIAM-15738B9\Local Settings\Application Data\BnDHfux
C:\WINDOWS\System32\vunavuse
C:\Documents and Settings\Bill & Cindy.WILLIAM-15738B9\Local Settings\Application Data\e1wnOl
C:\Documents and Settings\Bill & Cindy.WILLIAM-15738B9\Local Settings\Application Data\MVkXhU7
C:\Documents and Settings\Bill & Cindy.WILLIAM-15738B9\Local Settings\Application Data\R4AlO7HdsW5
C:\Documents and Settings\Bill & Cindy.WILLIAM-15738B9\Local Settings\Application Data\d1NJm3Vp784

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScriptB-4.gif

5. After reboot, (in case it asks to reboot), please post the following report/log into your next reply:

  • Combofix.txt .

2) Upload file for analysis

To enable the viewing of Hidden files follow these steps:

  • Close all programs so that you are at your desktop.
  • Double-click on the My Computer icon.
  • Select the Tools menu and click Folder Options.
  • After the new window appears select the View tab.
  • Put a checkmark in the checkbox labeled Display the contents of system folders.
  • Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
  • Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
  • Remove the checkmark from the checkbox labeled Hide protected operating system files.
  • Press the Apply button and then the OK button and close My Computer.
  • Now your computer is configured to show all hidden files.

NEXT

  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan"box on the top of the page:
    • C:\WINDOWS\System32\drivers\ASUSHWIO.SYS

    [*] Click on the Upload button

    [*] Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.

    [*] Paste the contents of the Clipboard in your next reply.

Next reply (please include in your post):

New OTS log (Please re-run with the first settings I gave you here and attach the log)

ComboFix.txt

Virscan report

Link to post
Share on other sites

OTS.Txt

Hi LTAngelic;

When I ran ComboFix, as always I got several "Application Corrupt" warnings that I had to acknowledge before ComboFix would continue. But unlike other runs in the past, as ComboFix was finishing, and getting ready to create a log, the computer simply shut down and restarted. This was not the reboot that ComboFix does intentionally. In fact, ComboFix had already rebooted the computer and was in the process of generating a log. Anyway, there was no log generated and As you've instructed in the past, I did not re-reun it. So, no ComboFix.txt in this reply.

However, here is the log from the online virus scan of the suspicious file.

VirSCAN.org Scanned Report :

Scanned time : 2009/06/05 00:31:50 (EDT)

Scanner results: 79% Scanner(s) (30/38) found malware!

File Name : 1.html

File Size : 4037 byte

File Type : Sendmail frozen configuration - version body bgcolor=

MD5 : 4a2514195555a43458b4e087d29124be

SHA1 : e96f20c01c95b12a6cf9992b1e16deaac5ca025c

Online report : http://virscan.org/report/e8541b64f8b1bb1c...5aa9dfd4d2.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result

a-squared 4.0.0.32 20090604013225 2009-06-04 2.05 Virus.Win32.Killmbr.D!IK

AhnLab V3 2009.06.05.00 2009.06.05 2009-06-05 0.74 Win-Trojan/Dialer.712704.B

AntiVir 8.2.0.180 7.1.4.59 2009-06-04 0.55 KIT/GhostDial.1

Antiy 2.0.18 20090604.2498051 2009-06-04 0.15 Trojan/Win32.Dialer.gvg

Arcavir 2009 200906041608 2009-06-04 0.39 Dialer.Bib

Authentium 5.1.1 200906041652 2009-06-04 1.18 W32/Trojan2.DOJN (Exact)

AVAST! 4.7.4 090604-0 2009-06-04 0.05 Win32:Dialer-1314 [Trj]

AVG 8.5.286 270.12.53/2155 2009-06-05 0.37 Dialer.KNV

BitDefender 7.81008.3335505 7.25811 2009-06-05 0.75 Trojan.Generic.1004008

CA (VET) 9.0.0.143 31.6.6539 2009-06-05 9.17 -

ClamAV 0.95.1 9421 2009-06-05 0.18 Dialer-3765

Comodo 3.9 1259 2009-06-04 0.74 ApplicUnwnt.Win32.PornTool.Agent.fi

CP Secure 1.1.0.715 2009.06.03 2009-06-03 9.97 -

Dr.Web 4.44.0.9170 2009.06.05 2009-06-05 4.85 BackDoor.Pigeon.12989

F-Prot 4.4.4.56 20090604 2009-06-04 1.15 W32/Trojan2.DOJN (exact)

F-Secure 5.51.6100 2009.06.05.03 2009-06-05 5.79 -

Fortinet 2.81-3.117 10.466 2009-06-04 0.35 Suspicious

GData 19.5615/19.353 20090605 2009-06-05 4.39 Win32:Dialer-1313 [Trj] [Engine:B]

ViRobot 20090604 2009.06.04 2009-06-04 0.42 -

Ikarus T3.1.01.57 2009.06.03.72814 2009-06-03 3.11 Virus.Win32.Killmbr.D

JiangMin 11.0.706 2009.06.03 2009-06-03 2.07 Trojan/Dialer.gnc

Kaspersky 5.5.10 2009.06.05 2009-06-05 0.08 not-a-virus:Porn-Dialer.Win32.Agent.fi

KingSoft 2009.2.5.15 2009.6.4.21 2009-06-04 0.51 Win32.Hack.ReSSDT.c.716800

McAfee 5.3.00 5636 2009-06-04 2.97 BackDoor-DSQ

Microsoft 1.4701 2009.06.04 2009-06-04 4.29 Backdoor:Win32/Farfli.J

mks_vir 2.01 2009.06.05 2009-06-05 3.35 -

Norman 6.01.05 6.01.00 2009-06-02 4.01 W32/Dialer.DHRP

Panda 9.05.01 2009.06.04 2009-06-04 1.86 -

Trend Micro 8.700-1004 6.170.08 2009-06-04 0.06 TROJ_DIAL.RHB

Quick Heal 10.00 2009.06.05 2009-06-05 1.37 -

Rising 20.0 21.32.34.00 2009-06-04 0.99 Backdoor.Win32.Drwolf.axh

Sophos 2.87.1 4.42 2009-06-05 2.44 Mal/Whybo-A

Sunbelt 5170 5170 2009-06-04 0.94 Porn-Dialer.Win32.Agent.fi

Symantec 1.3.0.24 20090604.002 2009-06-04 0.06 -

nProtect 20090604.01 4070376 2009-06-04 5.23 Trojan/W32.Dialer.712704

The Hacker 6.3.4.3 v00340 2009-06-04 0.63 Trojan/Dialer.Agent.fi

VBA32 3.12.10.6 20090604.1412 2009-06-04 1.96 Porn-Dialer.Win32.Agent.fi

VirusBuster 4.5.11.10 10.107.2/1575686 2009-06-04 1.90 Dialer.Agent.IFEU

Link to post
Share on other sites

Hey Big Bill,

Since ComboFix won't work, we'll try a stronger tool.

Please follow my instructions in the order they were given, and print out a copy of it as you may not have access to the forums during the fix.

Before we go on to run the tools, it would be advisable to temporarily disable your protection software(s) (AVG anti-virus) as it/they may hinder the tools from running. Instructions is in the link below:

http://www.bleepingcomputer.com/forums/topic114351.html

1) Re-run Avenger

  • Open Avenger program.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Begin copying here:

Files to move:
c:\windows\ERDNT\cache\explorer.exe | C:\windows\explorer.exe
c:\windows\ServicePackFiles\i386\mshtml.dll | c:\windows\$NtServicePackUninstall$\mshtml.dll
c:\windows\ServicePackFiles\i386\mshtml.dll | c:\windows\$hf_mig$\KB911164\SP2QFE\mshtml.dll
c:\windows\$hf_mig$\KB978207\SP3QFE\mshtml.dll | c:\windows\ERDNT\cache\mshtml.dll
c:\windows\ServicePackFiles\i386\mshtml.dll | c:\windows\$NtServicePackUninstall$\mshtml.dll
c:\windows\SoftwareDistribution\Download\f1062d4e51d6818acdde68ea67673088\SP3GDR\mshtml.dll | c:\windows\system32\mshtml.dll
Folders to delete:
C:\Documents and Settings\Bill & Cindy.WILLIAM-15738B9\Local Settings\Application Data\GGru612642m
C:\Documents and Settings\Bill & Cindy.WILLIAM-15738B9\Local Settings\Application Data\BnDHfux
C:\WINDOWS\System32\vunavuse
C:\Documents and Settings\Bill & Cindy.WILLIAM-15738B9\Local Settings\Application Data\e1wnOl
C:\Documents and Settings\Bill & Cindy.WILLIAM-15738B9\Local Settings\Application Data\MVkXhU7
C:\Documents and Settings\Bill & Cindy.WILLIAM-15738B9\Local Settings\Application Data\R4AlO7HdsW5
C:\Documents and Settings\Bill & Cindy.WILLIAM-15738B9\Local Settings\Application Data\d1NJm3Vp784

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, open the avenger folder and start The Avenger program by clicking on its icon.

  • Right click on the window under Input script here:, and select Paste.
  • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please copy/paste the content of c:\avenger.txt into your reply.

2) Fix with Registry script

Important! Registry edit is a dangerous process and any mistakes can corrupt the entire registry, rendering your system unbootable or unrepairable. Thus, it is important to always back up your registry before attempting any registry edits. Please do the following:

  1. Go to Start>Run and type regedit.
  2. On the left panel, highlight My Computer.
  3. Click on File>Export, and save the file as registrybackup.reg in a safe location. (Make sure you remember the location where you saved the backup)

Please open notepad, and copy/paste the following text (including REGEDIT4) into the notepad window:

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000

  • Save the file above as fixit.reg on deskstop.
  • Double click on it. A window will open and prompt you if you want to merge it with the registry, click "Yes".
  • Another window will pop up informing you the merge was successful.

3) Run MBR

Please download MBR.exe to your desktop. Double-click on it and it will produce a log on desktop (mbr.log). Please post the log in your next reply.

4) Run scan with Dr Web

Download Dr.Web CureIt to the desktop.

  • Doubleclick the drweb-cureit.exe file, then on Start and allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, chose the Complete Scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow drweb_green_arrow.jpg at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look and see if you can click the following icon next to the files found:
    drweb_check.gif
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
    drweb_move.gif
  • This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer to allow files that were in use to be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply along with a new OTL log.

NOTE: During the scan, a pop-up window will open asking for full version purchase. Simply close the window by clicking on X in upper right corner.

Next reply (please include in your post):

Avenger.txt

MBR.txt

Dr Web scan report

Link to post
Share on other sites

OTS.Txt

Hi LTAngelic:

I ran the scans you asked for, The Dr. Web Scan Ran into some problems. The first time it ran, it ran for about 2 1/2 hours. Although the progress bar had only advanced about 1/2 way, a warning dialouge popped up and stated that the lsass service unexpectedly stopped and that explorer wold shut down. It then began a 60 second count-down, and the restarted the computer. Prior to that happenening, it had found 4 objects. I don't know what it did with them.

After the re-boot, I ran dr. web scan again. This time, while I was away from the computer, it only took about an hour. Complete scan was selected, yet it finished quickly and said no infections were found. So, I ran a complete scan again. This time it took about an hour and found two infections. This is the result I will post.

Again, the OTS.log is attached, because of it's size.

Here's the Avenger.log

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

No rootkits found!

Error: file "C:\windows\explorer.exe" is whitelisted

File move operation "c:\windows\ERDNT\cache\explorer.exe|C:\windows\explorer.exe" failed!

Status: 0xc0000022 (STATUS_ACCESS_DENIED)

File move operation "c:\windows\ServicePackFiles\i386\mshtml.dll|c:\windows\$NtServicePackUninstall$\mshtml.dll" completed successfully.

Error: file "c:\windows\ServicePackFiles\i386\mshtml.dll" not found!

File move operation "c:\windows\ServicePackFiles\i386\mshtml.dll|c:\windows\$hf_mig$\KB911164\SP2QFE\mshtml.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

File move operation "c:\windows\$hf_mig$\KB978207\SP3QFE\mshtml.dll|c:\windows\ERDNT\cache\mshtml.dll" completed successfully.

Error: file "c:\windows\ServicePackFiles\i386\mshtml.dll" not found!

File move operation "c:\windows\ServicePackFiles\i386\mshtml.dll|c:\windows\$NtServicePackUninstall$\mshtml.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

File move operation "c:\windows\SoftwareDistribution\Download\f1062d4e51d6818acdde68ea67673088\SP3GDR\mshtml.dll|c:\windows\system32\mshtml.dll" completed successfully.

Error: "C:\Documents and Settings\Bill & Cindy.WILLIAM-15738B9\Local Settings\Application Data\GGru612642m" is not a folder! It may instead be a file.

Deletion of folder "C:\Documents and Settings\Bill & Cindy.WILLIAM-15738B9\Local Settings\Application Data\GGru612642m" failed!

Status: 0xc0000103 (STATUS_NOT_A_DIRECTORY)

--> use "Files to delete:" instead of "Folders to delete:" to delete an ordinary file

Error: "C:\Documents and Settings\Bill & Cindy.WILLIAM-15738B9\Local Settings\Application Data\BnDHfux" is not a folder! It may instead be a file.

Deletion of folder "C:\Documents and Settings\Bill & Cindy.WILLIAM-15738B9\Local Settings\Application Data\BnDHfux" failed!

Status: 0xc0000103 (STATUS_NOT_A_DIRECTORY)

--> use "Files to delete:" instead of "Folders to delete:" to delete an ordinary file

Error: "C:\WINDOWS\System32\vunavuse" is not a folder! It may instead be a file.

Deletion of folder "C:\WINDOWS\System32\vunavuse" failed!

Status: 0xc0000103 (STATUS_NOT_A_DIRECTORY)

--> use "Files to delete:" instead of "Folders to delete:" to delete an ordinary file

Error: "C:\Documents and Settings\Bill & Cindy.WILLIAM-15738B9\Local Settings\Application Data\e1wnOl" is not a folder! It may instead be a file.

Deletion of folder "C:\Documents and Settings\Bill & Cindy.WILLIAM-15738B9\Local Settings\Application Data\e1wnOl" failed!

Status: 0xc0000103 (STATUS_NOT_A_DIRECTORY)

--> use "Files to delete:" instead of "Folders to delete:" to delete an ordinary file

Error: "C:\Documents and Settings\Bill & Cindy.WILLIAM-15738B9\Local Settings\Application Data\MVkXhU7" is not a folder! It may instead be a file.

Deletion of folder "C:\Documents and Settings\Bill & Cindy.WILLIAM-15738B9\Local Settings\Application Data\MVkXhU7" failed!

Status: 0xc0000103 (STATUS_NOT_A_DIRECTORY)

--> use "Files to delete:" instead of "Folders to delete:" to delete an ordinary file

Error: "C:\Documents and Settings\Bill & Cindy.WILLIAM-15738B9\Local Settings\Application Data\R4AlO7HdsW5" is not a folder! It may instead be a file.

Deletion of folder "C:\Documents and Settings\Bill & Cindy.WILLIAM-15738B9\Local Settings\Application Data\R4AlO7HdsW5" failed!

Status: 0xc0000103 (STATUS_NOT_A_DIRECTORY)

--> use "Files to delete:" instead of "Folders to delete:" to delete an ordinary file

Error: "C:\Documents and Settings\Bill & Cindy.WILLIAM-15738B9\Local Settings\Application Data\d1NJm3Vp784" is not a folder! It may instead be a file.

Deletion of folder "C:\Documents and Settings\Bill & Cindy.WILLIAM-15738B9\Local Settings\Application Data\d1NJm3Vp784" failed!

Status: 0xc0000103 (STATUS_NOT_A_DIRECTORY)

--> use "Files to delete:" instead of "Folders to delete:" to delete an ordinary file

Completed script processing.

*******************

Finished! Terminate.

Here's the MBR.log

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

kernel: MBR read successfully

user & kernel MBR OK

And this is the Dr. Web Scan Log.

UCI.msi\stream000;C:\ATI\SUPPORT\7-10_xp32_dd_ccc_wdm_enu_53250\Driver\vc8\UCI.msi;Win32.HLLW.Okamai.origin;;

UCI.msi;C:\ATI\SUPPORT\7-10_xp32_dd_ccc_wdm_enu_53250\Driver\vc8;Archive contains infected objects;Moved.;

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.

Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.