TechSpot

Performance and stability virus removal- could someone review my logs?

By stavros
Aug 28, 2011
  1. Hi!!

    Firstly, thanks so much to everyone who contributes to this forum, it’s been so useful in getting me as far as I have with removing the virus.

    Unfortunately my friend’s laptop got infected with the ‘performance and stability analysis report’ virus which left her with the usual, no programs, no access to files etc. I have followed the ‘6 step virus removal preliminary instructions’ that I found on this site and have got the labtop working again but I was hoping someone on here wouldn’t mind having a look through the logs produced from the 6 step process as the GMER scan said ‘GMER has found system modifications cased by ROOTKIT activity’ so am not sure it is all fixed yet

    Action taken so far:

    1 Ran malwarebytes – full scan (this appeared to find and remove the virus)
    N.B. I skipped step one of the 6 step process as couldn’t access programs and hence antivirus
    2 Ran GMER scan (returned the message ‘GMER has found system modifications cased by ROOTKIT activity’)
    3 Ran unhide.exe (this returned all the programs and files etc)
    4 having found there was not antivirus software running on the computer (sophos was installed but didn’t appear to have been updated or used in a while) I installed AVG free edition (and removed sophos). I ran an antivirus scan with AVG, which found nothing
    5 having installed the antivirus and also 78!! updates being installed by windows I restarted the 6 step process
    6. ran malwarebytes – quick scan (nothing found)
    7 ran GMER scan ( returned the message ‘GMER has found system modifications cased by ROOTKIT activity’)
    8 ran DDS scan

    I have attached the various logs below. i have included
    *1st and 2nd malware bytes scan
    *2nd GMER scan (i still have the 1st one if it's useful)
    *DDS scan (only done this once)


    Alternatively, if nobody can look at the logs, if you could point me in the direction of information regarding their interpretation I could try and figure it out

    Thanks so much for any help with this

    Martin

    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    Malware bytes log - 1st scan
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@


    Malwarebytes' Anti-Malware 1.51.1.1800
    www.malwarebytes.org

    Database version: 7586

    Windows 5.1.2600 Service Pack 2
    Internet Explorer 7.0.5730.13

    27/08/2011 13:52:11
    mbam-log-2011-08-27 (13-52-04).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 270316
    Time elapsed: 40 minute(s), 24 second(s)

    Memory Processes Infected: 2
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 1
    Registry Data Items Infected: 7
    Folders Infected: 0
    Files Infected: 2

    Memory Processes Infected:
    c:\documents and settings\all users\application data\esktravboyfmk.exe (Trojan.FakeAlert) -> 2420 -> No action taken.
    c:\documents and settings\all users\application data\p1kalmig2kb7fz.exe (Trojan.FakeAlert.Gen) -> 3820 -> No action taken.

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\esKTRAVboYfmk (Trojan.FakeAlert) -> Value: esKTRAVboYfmk -> No action taken.

    Registry Data Items Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallPaper (PUM.Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop (PUM.Hidden.Desktop) -> Bad: (1) Good: (0) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> No action taken.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\documents and settings\all users\application data\esktravboyfmk.exe (Trojan.FakeAlert) -> No action taken.
    c:\documents and settings\all users\application data\p1kalmig2kb7fz.exe (Trojan.FakeAlert.Gen) -> No action taken.

    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    Malware bytes log - 2nd scan
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@


    Malwarebytes' Anti-Malware 1.51.1.1800
    www.malwarebytes.org

    Database version: 7588

    Windows 5.1.2600 Service Pack 2
    Internet Explorer 7.0.5730.13

    27/08/2011 23:13:11
    mbam-log-2011-08-27 (23-13-11).txt

    Scan type: Quick scan
    Objects scanned: 200362
    Time elapsed: 25 minute(s), 56 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    GMER - SCAN
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@


    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2011-08-28 15:07:10
    Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST960813AS rev.3.CDD
    Running: e3c1vtvc.exe; Driver: C:\DOCUME~1\sbe\LOCALS~1\Temp\kwddqpoc.sys


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xA870D738]
    SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xA870D7DC]
    SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xA870D878]
    SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xA870D914]

    ---- Kernel code sections - GMER 1.0.15 ----

    .text KDCOM.DLL!KdSendPacket BA5A8345 6 Bytes [FA, 8D, 46, 01, 25, FF]
    .text KDCOM.DLL!KdSendPacket BA5A834D 5 Bytes [80, 79, 07, 48, 0D]
    .text KDCOM.DLL!KdSendPacket BA5A8353 29 Bytes [FF, FF, FF, 40, 0F, B6, F0, ...]
    .text KDCOM.DLL!KdSendPacket BA5A8371 28 Bytes [FF, FF, FF, 42, 0F, B6, FA, ...]
    .text KDCOM.DLL!KdD0Transition + 8 BA5A838E 17 Bytes [08, 03, 55, F8, 03, D8, 81, ...]
    .text KDCOM.DLL!KdD0Transition + 1A BA5A83A0 42 Bytes [FF, FF, FF, 43, 0F, B6, C3, ...]
    .text KDCOM.DLL!KdDebuggerInitialize0 + 25 BA5A83CB 6 Bytes [00, C9, C2, 08, 00, 55] {ADD CL, CL; RET 0x8; PUSH EBP}
    .text KDCOM.DLL!KdDebuggerInitialize0 + 2C BA5A83D2 23 Bytes [EC, 83, C8, FF, 83, 7D, 08, ...]
    .text KDCOM.DLL!KdDebuggerInitialize0 + 44 BA5A83EA 162 Bytes [42, 5E, F6, C1, 01, 74, 0A, ...]
    .text KDCOM.DLL!KdRestore + 2D BA5A848D 1 Byte [43]
    .text KDCOM.DLL!KdRestore + 2D BA5A848D 77 Bytes [43, 08, 89, 45, FC, 8B, 55, ...]
    .text KDCOM.DLL!KdRestore + 7C BA5A84DC 25 Bytes [C9, C2, 08, 00, 55, 8B, EC, ...]
    .text KDCOM.DLL!KdRestore + 97 BA5A84F7 21 Bytes [89, 06, 89, 46, 08, 89, 46, ...]
    .text KDCOM.DLL!KdRestore + AD BA5A850D 241 Bytes CALL BA5A846D \WINDOWS\system32\KDCOM.DLL (Kernel Debugger HW Extension DLL/Microsoft Corporation)
    .text ...
    PAGEKD KDCOM.DLL!KdReceivePacket + 2 BA5A8F4E 205 Bytes [F0, 8D, 45, FC, 50, 53, 56, ...]
    PAGEKD KDCOM.DLL!KdReceivePacket + D0 BA5A901C 2 Bytes [75, 0E] {JNZ 0x10}
    PAGEKD KDCOM.DLL!KdReceivePacket + D3 BA5A901F 1 Byte [C0]
    PAGEKD KDCOM.DLL!KdReceivePacket + D3 BA5A901F 103 Bytes [C0, 02, 83, C2, 02, 84, DB, ...]
    PAGEKD KDCOM.DLL!KdReceivePacket + 13B BA5A9087 131 Bytes [7D, 0C, B8, 4D, 5A, 00, 00, ...]
    PAGEKD ...
    PAGEKD KDCOM.DLL!KdSendPacket + 6F BA5A9221 181 Bytes [83, C4, 18, 33, C0, 85, FF, ...]

    ---- Kernel IAT/EAT - GMER 1.0.15 ----

    IAT \WINDOWS\system32\ntkrnlpa.exe[KDCOM.dll!KdSendPacket] [BA5A8631] \WINDOWS\system32\KDCOM.DLL (Kernel Debugger HW Extension DLL/Microsoft Corporation)
    IAT \WINDOWS\system32\ntkrnlpa.exe[KDCOM.dll!KdD0Transition] [BA5A85DF] \WINDOWS\system32\KDCOM.DLL (Kernel Debugger HW Extension DLL/Microsoft Corporation)
    IAT \WINDOWS\system32\ntkrnlpa.exe[KDCOM.dll!KdD3Transition] [BA5A85E9] \WINDOWS\system32\KDCOM.DLL (Kernel Debugger HW Extension DLL/Microsoft Corporation)
    IAT \WINDOWS\system32\ntkrnlpa.exe[KDCOM.dll!KdReceivePacket] [BA5A860D] \WINDOWS\system32\KDCOM.DLL (Kernel Debugger HW Extension DLL/Microsoft Corporation)
    IAT \WINDOWS\system32\ntkrnlpa.exe[KDCOM.dll!KdDebuggerInitialize0] [BA5A85F3] \WINDOWS\system32\KDCOM.DLL (Kernel Debugger HW Extension DLL/Microsoft Corporation)
    IAT \WINDOWS\system32\ntkrnlpa.exe[KDCOM.dll!KdSave] [BA5A8625] \WINDOWS\system32\KDCOM.DLL (Kernel Debugger HW Extension DLL/Microsoft Corporation)
    IAT \WINDOWS\system32\ntkrnlpa.exe[KDCOM.dll!KdDebuggerInitialize1] [BA5A85FF] \WINDOWS\system32\KDCOM.DLL (Kernel Debugger HW Extension DLL/Microsoft Corporation)
    IAT \WINDOWS\system32\ntkrnlpa.exe[KDCOM.dll!KdRestore] [BA5A8619] \WINDOWS\system32\KDCOM.DLL (Kernel Debugger HW Extension DLL/Microsoft Corporation)
    IAT \WINDOWS\system32\hal.dll[KDCOM.dll!KdRestore] [BA5A8619] \WINDOWS\system32\KDCOM.DLL (Kernel Debugger HW Extension DLL/Microsoft Corporation)
    IAT \WINDOWS\system32\KDCOM.DLL[HAL.dll!READ_PORT_UCHAR] 736F746E
    IAT \WINDOWS\system32\KDCOM.DLL[HAL.dll!WRITE_PORT_UCHAR] 6C6E726B
    IAT \WINDOWS\system32\KDCOM.DLL[HAL.dll!HalQueryRealTimeClock] 6578652E
    IAT \WINDOWS\system32\KDCOM.DLL[HAL.dll!HalInitSystem] 00000000
    IAT \WINDOWS\system32\KDCOM.DLL[HAL.dll!KdComPortInUse] 2E6C6168

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
    AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    ---- Threads - GMER 1.0.15 ----

    Thread System [4:108] 89CFD0C3
    Thread System [4:116] 89CFDB19
    Thread System [4:120] 89CFE9FD

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1801674531-527237240-2146984249-7077@RefCount 22

    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
    Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

    ---- EOF - GMER 1.0.15 ----

    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    DDS attach.txt
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 23/04/2007 00:06:09
    System Uptime: 28/08/2011 11:23:19 (4 hours ago)
    .
    Motherboard: Dell Inc. | | 0XM006
    Processor: AMD Turion(tm) 64 X2 Mobile Technology TL-56 | Microprocessor | 702/100mhz
    Processor: AMD Turion(tm) 64 X2 Mobile Technology TL-56 | Microprocessor | 798/100mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 56 GiB total, 41.491 GiB free.
    D: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: 1394 Net Adapter
    Device ID: V1394\NIC1394\3A2A8870314FC000
    Manufacturer: Microsoft
    Name: 1394 Net Adapter
    PNP Device ID: V1394\NIC1394\3A2A8870314FC000
    Service: NIC1394
    .
    ==== System Restore Points ===================
    .
    RP62: 27/07/2011 10:38:29 - Removed Google Earth.
    RP63: 01/08/2011 09:37:20 - System Checkpoint
    RP64: 06/08/2011 12:42:40 - System Checkpoint
    RP65: 09/08/2011 09:38:52 - System Checkpoint
    RP66: 10/08/2011 20:20:54 - System Checkpoint
    RP67: 14/08/2011 19:16:37 - System Checkpoint
    RP68: 21/08/2011 17:40:29 - System Checkpoint
    RP69: 24/08/2011 20:42:12 - System Checkpoint
    RP70: 27/08/2011 12:16:37 - System Checkpoint
    RP71: 27/08/2011 17:05:15 - Removed Sophos Anti-Virus
    RP72: 27/08/2011 17:06:40 - Removed Sophos AutoUpdate
    RP73: 27/08/2011 17:07:47 - Removed Sophos Remote Management System
    RP74: 27/08/2011 17:09:35 - Software Distribution Service 3.0
    RP75: 27/08/2011 21:22:19 - Installed Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    RP76: 27/08/2011 21:22:29 - Installed AVG 2011
    RP77: 27/08/2011 21:22:59 - Installed AVG 2011
    RP78: 27/08/2011 21:35:52 - Software Distribution Service 3.0
    RP79: 27/08/2011 23:17:52 - Software Distribution Service 3.0
    RP80: 27/08/2011 23:26:20 - Software Distribution Service 3.0
    RP81: 27/08/2011 23:29:52 - Software Distribution Service 3.0
    RP82: 27/08/2011 23:42:05 - Software Distribution Service 3.0
    RP83: 28/08/2011 00:23:28 - Software Distribution Service 3.0
    RP84: 28/08/2011 11:33:52 - Installed Windows XP WgaNotify.
    RP85: 28/08/2011 12:00:25 - Software Distribution Service 3.0
    .
    ==== Installed Programs ======================
    .
    Adobe Flash Player 10 ActiveX
    Adobe Reader 8
    Adobe Shockwave Player
    AMD Processor Driver
    ArcSoft Magic-i Visual Effects 2
    ArcSoft WebCam Companion 3
    ATI - Software Uninstall Utility
    ATI Catalyst Control Center
    ATI Display Driver
    AVG 2011
    Broadcom ASF Management Applications
    Broadcom Gigabit Integrated Controller
    Broadcom Management Programs
    Conexant HDA D330 MDC V.92 Modem
    Cortona® VRML Client
    Dell Touchpad
    Dell Wireless WLAN Card
    Flowol 3
    Flowol Control Picture Mimics
    Google Chrome
    Google Earth
    Google SketchUp 6
    Google Toolbar for Internet Explorer
    Google Update Helper
    High Definition Audio Driver Package - KB835221
    Hotfix for Microsoft .NET Framework 3.0 (KB932471)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Format SDK (KB902344)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB896344)
    Hotfix for Windows XP (KB914440)
    Hotfix for Windows XP (KB915865)
    Hotfix for Windows XP (KB918997)
    Hotfix for Windows XP (KB926239)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB976002-v5)
    Hotfix for Windows XP (KB981793)
    HP Button Manager
    HP Webcam User's Guide
    IntelliSonic Speech Enhancement
    Macromedia Dreamweaver MX 2004
    Macromedia Extension Manager
    Macromedia Fireworks MX 2004
    Macromedia Flash MX 2004
    Macromedia FreeHand MXa
    Malwarebytes' Anti-Malware version 1.51.1.1800
    MatchWare Mediator 8.0 Pro
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0
    Microsoft .NET Framework 3.0
    Microsoft Base Smart Card Cryptographic Service Provider Package
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office Professional Edition 2003
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Modem Diagnostic Tool
    Move Media Player
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 6 Service Pack 2 (KB973686)
    NetWaiting
    OpenMind
    Picasa 2
    PowerDVD
    QuickTime
    RealPlayer
    Security Update for Microsoft .NET Framework 2.0 (KB928365)
    Security Update for Windows Internet Explorer 7 (KB938127-v2)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB982381)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows Media Player 9 (KB936782)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB890046)
    Security Update for Windows XP (KB893756)
    Security Update for Windows XP (KB896358)
    Security Update for Windows XP (KB896423)
    Security Update for Windows XP (KB896428)
    Security Update for Windows XP (KB899587)
    Security Update for Windows XP (KB899591)
    Security Update for Windows XP (KB900725)
    Security Update for Windows XP (KB901017)
    Security Update for Windows XP (KB901214)
    Security Update for Windows XP (KB902400)
    Security Update for Windows XP (KB904706)
    Security Update for Windows XP (KB905414)
    Security Update for Windows XP (KB905749)
    Security Update for Windows XP (KB908519)
    Security Update for Windows XP (KB911562)
    Security Update for Windows XP (KB911927)
    Security Update for Windows XP (KB913580)
    Security Update for Windows XP (KB914388)
    Security Update for Windows XP (KB914389)
    Security Update for Windows XP (KB917344)
    Security Update for Windows XP (KB917953)
    Security Update for Windows XP (KB918118)
    Security Update for Windows XP (KB918439)
    Security Update for Windows XP (KB919007)
    Security Update for Windows XP (KB920213)
    Security Update for Windows XP (KB920670)
    Security Update for Windows XP (KB920683)
    Security Update for Windows XP (KB920685)
    Security Update for Windows XP (KB921503)
    Security Update for Windows XP (KB922819)
    Security Update for Windows XP (KB923191)
    Security Update for Windows XP (KB923414)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB923980)
    Security Update for Windows XP (KB924270)
    Security Update for Windows XP (KB924496)
    Security Update for Windows XP (KB924667)
    Security Update for Windows XP (KB925902)
    Security Update for Windows XP (KB926255)
    Security Update for Windows XP (KB926436)
    Security Update for Windows XP (KB927779)
    Security Update for Windows XP (KB927802)
    Security Update for Windows XP (KB928255)
    Security Update for Windows XP (KB928843)
    Security Update for Windows XP (KB929123)
    Security Update for Windows XP (KB930178)
    Security Update for Windows XP (KB931261)
    Security Update for Windows XP (KB931784)
    Security Update for Windows XP (KB932168)
    Security Update for Windows XP (KB935839)
    Security Update for Windows XP (KB935840)
    Security Update for Windows XP (KB936021)
    Security Update for Windows XP (KB937143)
    Security Update for Windows XP (KB938127)
    Security Update for Windows XP (KB938829)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971032)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB981349)
    SigmaTel Audio
    SIMS Infrastructure
    Skype Toolbars
    Skype™ 5.3
    SMART Board Software
    SMART Board Software (English United Kingdom Language Pack)
    SMART Essentials for Educators
    Update for Windows XP (KB894391)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB900485)
    Update for Windows XP (KB904942)
    Update for Windows XP (KB908531)
    Update for Windows XP (KB910437)
    Update for Windows XP (KB911280)
    Update for Windows XP (KB916595)
    Update for Windows XP (KB920342)
    Update for Windows XP (KB920872)
    Update for Windows XP (KB922582)
    Update for Windows XP (KB925720)
    Update for Windows XP (KB925876)
    Update for Windows XP (KB927891)
    Update for Windows XP (KB930916)
    Update for Windows XP (KB931836)
    Update for Windows XP (KB932823-v3)
    Update for Windows XP (KB938828)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    WebFldrs XP
    Windows Communication Foundation
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Imaging Component
    Windows Installer 3.1 (KB893803)
    Windows Internet Explorer 7
    Windows Media Format 11 runtime
    Windows Media Format SDK Hotfix - KB891122
    Windows Media Player 11
    Windows Presentation Foundation
    Windows Workflow Foundation
    Windows XP Hotfix - KB873339
    Windows XP Hotfix - KB885835
    Windows XP Hotfix - KB885836
    Windows XP Hotfix - KB886185
    Windows XP Hotfix - KB887472
    Windows XP Hotfix - KB888302
    Windows XP Hotfix - KB890859
    Windows XP Hotfix - KB891781
    XML Paper Specification Shared Components Pack 1.0
    .
    ==== Event Viewer Messages From Past Week ========
    .
    28/08/2011 12:00:43, error: NtServicePack [4373] - Windows XP KB979683 installation failed.
    An internal error occurred.
    28/08/2011 12:00:38, error: NtServicePack [4373] - Windows XP KB956572 installation failed.
    An internal error occurred.
    28/08/2011 00:23:30, error: NtServicePack [4373] - Windows XP KB956572 installation failed.
    An internal error occurred.
    27/08/2011 23:42:29, error: NtServicePack [4373] - Windows XP KB979683 installation failed.
    An internal error occurred.
    27/08/2011 23:42:09, error: NtServicePack [4373] - Windows XP KB956572 installation failed.
    An internal error occurred.
    27/08/2011 23:26:26, error: NtServicePack [4373] - Windows XP KB979683 installation failed.
    An internal error occurred.
    27/08/2011 23:26:23, error: NtServicePack [4373] - Windows XP KB956572 installation failed.
    An internal error occurred.
    27/08/2011 23:24:31, error: NtServicePack [4373] - Windows XP KB979683 installation failed.
    An internal error occurred.
    27/08/2011 23:24:14, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Internet Explorer 8 for Windows XP.
    27/08/2011 23:22:26, error: NtServicePack [4373] - Windows XP KB956572 installation failed.
    An internal error occurred.
    27/08/2011 17:20:20, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x8007054f: Security Update for Windows XP (KB979683).
    27/08/2011 17:20:19, error: NtServicePack [4373] - Windows XP KB979683 installation failed.
    An internal error occurred.
    27/08/2011 17:17:00, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x8007054f: Security Update for Windows XP (KB956572).
    27/08/2011 17:16:59, error: NtServicePack [4373] - Windows XP KB956572 installation failed.
    An internal error occurred.
    27/08/2011 14:10:19, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.
    27/08/2011 11:29:23, error: NETLOGON [5719] - No Domain Controller is available for domain WALKER due to the following: There are currently no logon servers available to service the logon request. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.
    24/08/2011 19:50:12, error: Service Control Manager [7023] - The WMI Performance Adapter service terminated with the following error: Unspecified error
    24/08/2011 19:47:25, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AmdK8 Fips IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SAVOnAccessControl SAVOnAccessFilter Tcpip
    24/08/2011 19:47:25, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
    24/08/2011 19:47:25, error: Service Control Manager [7001] - The SMART Board Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    24/08/2011 19:47:25, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
    24/08/2011 19:47:25, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    24/08/2011 19:47:25, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
    .
    ==== End Of File ===========================


    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    DDS scan dds.txt
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 7.0.5730.13
    Run by sbe at 15:12:21 on 2011-08-28
    Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.1918.947 [GMT 1:00]
    .
    .
    ============== Running Processes ===============
    .
    C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
    C:\Program Files\AVG\AVG10\avgwdsvc.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\SMART Board Software\SMARTBoardService.exe
    C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe
    C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
    C:\Program Files\AVG\AVG10\avgnsx.exe
    C:\PROGRA~1\AVG\AVG10\avgrsx.exe
    C:\Program Files\AVG\AVG10\avgcsrvx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\stsystra.exe
    C:\WINDOWS\system32\KADxMain.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\Picasa2\PicasaMediaDetector.exe
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
    C:\Program Files\AVG\AVG10\avgtray.exe
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
    C:\Program Files\Apoint\ApMsgFwd.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Apoint\HidFind.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\HP\Button Manager\BM.exe
    C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.co.uk/
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    uDefault_Search_URL = hxxp://www.google.com/ie
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Settings,ProxyServer = 168.4.0.6:80
    uInternet Settings,ProxyOverride = webmail.newcastlelea.org;walkerdc;https://168.4.0.5:8443;citrixvs01.schools.newcastle.ad;192.168.57.81;<local>
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    mSearchAssistant = hxxp://www.google.com/ie
    mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
    BHO: CIEDownload Object: {67bcf957-85fc-4036-8dc4-d4d80e00a77b} - c:\program files\smart board software\NotebookPlugin.dll
    BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    mRun: [SigmatelSysTrayApp] stsystra.exe
    mRun: [KADxMain] c:\windows\system32\KADxMain.exe
    mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
    mRun: [Apoint] c:\program files\apoint\Apoint.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
    mRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
    mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
    mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
    mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpbutt~1.lnk - c:\program files\hp\button manager\BM.exe
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1187250813734
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    TCP: DhcpNameServer = 192.168.0.1
    TCP: Interfaces\{2D773A9D-C6A3-430B-8696-7E152D55574D} : DhcpNameServer = 192.168.0.1
    Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    Notify: AtiExtEvent - Ati2evxx.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-2-22 22992]
    R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-3-16 32592]
    R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-1-7 248656]
    R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-3-1 34896]
    R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-4-5 297168]
    R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\broadcom\asfipmon\AsfIpMon.exe [2006-12-19 79432]
    R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-4-18 7398752]
    R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]
    R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-8-27 366640]
    R2 uCamMonitor;CamMonitor;c:\program files\arcsoft\magic-i visual effects 2\uCamMonitor.exe [2007-8-12 104960]
    R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-4-14 134480]
    R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-2-10 24144]
    R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-2-10 27216]
    R3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [2006-11-2 97536]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-8-27 22712]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-21 135664]
    S3 ArcSoftKsUFilter;ArcSoft Magic-I Visual Effect;c:\windows\system32\drivers\ArcSoftKsUFilter.sys [2007-8-12 14336]
    S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2011-8-27 1025352]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-21 135664]
    .
    =============== Created Last 30 ================
    .
    2011-08-27 22:24:14 -------- d-----w- c:\windows\system32\KB905474
    2011-08-27 20:25:58 -------- d-----w- c:\documents and settings\sbe\application data\AVG10
    2011-08-27 20:24:20 -------- d-----w- c:\documents and settings\all users\application data\AVG Security Toolbar
    2011-08-27 20:23:09 -------- d-----w- c:\windows\system32\drivers\AVG
    2011-08-27 20:23:09 -------- d-----w- c:\documents and settings\all users\application data\AVG10
    2011-08-27 20:22:33 -------- d-----w- c:\program files\AVG
    2011-08-27 20:15:27 -------- d--h--w- c:\documents and settings\all users\application data\Common Files
    2011-08-27 20:15:20 -------- d-----w- c:\documents and settings\all users\application data\MFAData
    2011-08-27 20:08:53 -------- d-----w- c:\windows\system32\CatRoot_bak
    2011-08-27 16:17:14 -------- d-----w- c:\windows\ServicePackFiles
    2011-08-27 15:53:10 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
    2011-08-27 15:53:10 272128 ------w- c:\windows\system32\drivers\bthport.sys
    2011-08-27 13:04:16 293376 ------w- c:\windows\system32\browserchoice.exe
    2011-08-27 13:01:41 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-08-27 12:06:04 -------- d-----w- c:\documents and settings\sbe\application data\Malwarebytes
    2011-08-27 12:05:55 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-08-27 12:05:54 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
    2011-08-27 12:05:50 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-08-27 12:05:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-08-24 18:55:15 -------- d-----w- c:\documents and settings\sbe\local settings\application data\Sophos
    2011-08-24 18:49:09 -------- d-----w- c:\windows\pss
    .
    ==================== Find3M ====================
    .
    .
    ============= FINISH: 15:19:11.57 ===============
     
  2. Broni

    Broni Malware Annihilator Posts: 52,884   +344

    Welcome aboard [​IMG]

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ===============================================================

    Download TDSSKiller and save it to your desktop.
    • Doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
     
  3. stavros

    stavros TS Rookie Topic Starter Posts: 19

    speedy reply, thanks for your time broni

    I have downloaded tdsskiller and began the scan

    it has found a 'malicious object' what action should I take. should I cure it. e.g. it is not referred to as a suspicious file or an infected file. apologies if i'm being stupid or over cautious

    martin
     
  4. Broni

    Broni Malware Annihilator Posts: 52,884   +344

    Cure it.............
     
  5. stavros

    stavros TS Rookie Topic Starter Posts: 19

    here is the report from the tdsskiller


    2011/08/28 19:04:58.0203 3536 TDSS rootkit removing tool 2.5.17.0 Aug 22 2011 15:46:57
    2011/08/28 19:04:58.0375 3536 ================================================================================
    2011/08/28 19:04:58.0375 3536 SystemInfo:
    2011/08/28 19:04:58.0375 3536
    2011/08/28 19:04:58.0375 3536 OS Version: 5.1.2600 ServicePack: 2.0
    2011/08/28 19:04:58.0375 3536 Product type: Workstation
    2011/08/28 19:04:58.0375 3536 ComputerName: 1Y2P23J
    2011/08/28 19:04:58.0375 3536 UserName: sbe
    2011/08/28 19:04:58.0375 3536 Windows directory: C:\WINDOWS
    2011/08/28 19:04:58.0375 3536 System windows directory: C:\WINDOWS
    2011/08/28 19:04:58.0375 3536 Processor architecture: Intel x86
    2011/08/28 19:04:58.0375 3536 Number of processors: 2
    2011/08/28 19:04:58.0375 3536 Page size: 0x1000
    2011/08/28 19:04:58.0375 3536 Boot type: Normal boot
    2011/08/28 19:04:58.0375 3536 ================================================================================
    2011/08/28 19:04:59.0453 3536 Initialize success
    2011/08/28 19:05:07.0421 3924 ================================================================================
    2011/08/28 19:05:07.0421 3924 Scan started
    2011/08/28 19:05:07.0421 3924 Mode: Manual;
    2011/08/28 19:05:07.0421 3924 ================================================================================
    2011/08/28 19:05:10.0500 3924 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
    2011/08/28 19:05:10.0625 3924 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
    2011/08/28 19:05:10.0750 3924 aec (1ee7b434ba961ef845de136224c30fec) C:\WINDOWS\system32\drivers\aec.sys
    2011/08/28 19:05:10.0843 3924 AFD (55e6e1c51b6d30e54335750955453702) C:\WINDOWS\System32\drivers\afd.sys
    2011/08/28 19:05:11.0078 3924 AmdK8 (efbb0956baed786e137351b5ca272aef) C:\WINDOWS\system32\DRIVERS\AmdK8.sys
    2011/08/28 19:05:11.0250 3924 ApfiltrService (b8d65da679a4a8d048783ede2691b5d4) C:\WINDOWS\system32\DRIVERS\Apfiltr.sys
    2011/08/28 19:05:11.0312 3924 ArcSoftKsUFilter (35a6a419d7526f5cf824afb23afa08d6) C:\WINDOWS\system32\DRIVERS\ArcSoftKsUFilter.sys
    2011/08/28 19:05:11.0406 3924 Arp1394 (f0d692b0bffb46e30eb3cea168bbc49f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
    2011/08/28 19:05:11.0703 3924 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
    2011/08/28 19:05:11.0812 3924 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
    2011/08/28 19:05:12.0125 3924 ati2mtag (aff027496f2d60f7f54a7cc8421a9f5a) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
    2011/08/28 19:05:12.0328 3924 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
    2011/08/28 19:05:12.0453 3924 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
    2011/08/28 19:05:12.0578 3924 AVGIDSDriver (c403e7f715bb0a851a9dfae16ec4ae42) C:\WINDOWS\system32\DRIVERS\AVGIDSDriver.Sys
    2011/08/28 19:05:12.0609 3924 AVGIDSEH (1af676db3f3d4cc709cfab2571cf5fc3) C:\WINDOWS\system32\DRIVERS\AVGIDSEH.Sys
    2011/08/28 19:05:12.0640 3924 AVGIDSFilter (4c51e233c87f9ec7598551de554bc99d) C:\WINDOWS\system32\DRIVERS\AVGIDSFilter.Sys
    2011/08/28 19:05:12.0703 3924 AVGIDSShim (c3fc426e54f55c1cc3219e415b88e10c) C:\WINDOWS\system32\DRIVERS\AVGIDSShim.Sys
    2011/08/28 19:05:12.0781 3924 Avgldx86 (4e796d3d2c3182b13b3e3b5a2ad4ef0a) C:\WINDOWS\system32\DRIVERS\avgldx86.sys
    2011/08/28 19:05:12.0843 3924 Avgmfx86 (5639de66b37d02bd22df4cf3155fba60) C:\WINDOWS\system32\DRIVERS\avgmfx86.sys
    2011/08/28 19:05:12.0890 3924 Avgrkx86 (d1baf652eda0ae70896276a1fb32c2d4) C:\WINDOWS\system32\DRIVERS\avgrkx86.sys
    2011/08/28 19:05:13.0015 3924 Avgtdix (aaf0ebcad95f2164cffb544e00392498) C:\WINDOWS\system32\DRIVERS\avgtdix.sys
    2011/08/28 19:05:13.0140 3924 b57w2k (f96038aa1ec4013a93d2420fc689d1e9) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
    2011/08/28 19:05:13.0265 3924 BASFND (5c68ac6f3e5b3e6d6a78e97d05e42c3a) C:\Program Files\Broadcom\ASFIPMon\BASFND.sys
    2011/08/28 19:05:13.0359 3924 BCM43XX (b89bcf0a25aeb3b47030ac83287f894a) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys
    2011/08/28 19:05:13.0453 3924 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
    2011/08/28 19:05:13.0484 3924 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
    2011/08/28 19:05:13.0546 3924 CCDECODE (6163ed60b684bab19d3352ab22fc48b2) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
    2011/08/28 19:05:13.0578 3924 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
    2011/08/28 19:05:13.0640 3924 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
    2011/08/28 19:05:13.0734 3924 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys
    2011/08/28 19:05:14.0062 3924 CmBatt (4266be808f85826aedf3c64c1e240203) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
    2011/08/28 19:05:14.0140 3924 Compbatt (df1b1a24bf52d0ebc01ed4ece8979f50) C:\WINDOWS\system32\DRIVERS\compbatt.sys
    2011/08/28 19:05:14.0406 3924 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
    2011/08/28 19:05:14.0531 3924 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
    2011/08/28 19:05:14.0609 3924 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys
    2011/08/28 19:05:14.0687 3924 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
    2011/08/28 19:05:14.0828 3924 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
    2011/08/28 19:05:14.0953 3924 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
    2011/08/28 19:05:15.0015 3924 DXEC01 (549734664886d91222969845e4311d1b) C:\WINDOWS\system32\drivers\dxec01.sys
    2011/08/28 19:05:15.0109 3924 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
    2011/08/28 19:05:15.0140 3924 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\drivers\Fdc.sys
    2011/08/28 19:05:15.0281 3924 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
    2011/08/28 19:05:15.0312 3924 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\drivers\Flpydisk.sys
    2011/08/28 19:05:15.0453 3924 FltMgr (3d234fb6d6ee875eb009864a299bea29) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
    2011/08/28 19:05:15.0546 3924 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
    2011/08/28 19:05:15.0640 3924 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
    2011/08/28 19:05:15.0703 3924 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
    2011/08/28 19:05:15.0890 3924 HDAudBus (e31363d186b3e1d7c4e9117884a6aee5) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
    2011/08/28 19:05:16.0031 3924 HidUsb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys
    2011/08/28 19:05:16.0234 3924 HSFHWAZL (b1526810210980bed9d22315946c919d) C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys
    2011/08/28 19:05:16.0406 3924 HSF_DPV (ddbd528e60f5961c142a490dc4ea7780) C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys
    2011/08/28 19:05:16.0593 3924 HTTP (9f8b0f4276f618964fd118be4289b7cd) C:\WINDOWS\system32\Drivers\HTTP.sys
    2011/08/28 19:05:16.0890 3924 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
    2011/08/28 19:05:16.0984 3924 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys
    2011/08/28 19:05:17.0171 3924 Ip6Fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
    2011/08/28 19:05:17.0281 3924 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
    2011/08/28 19:05:17.0359 3924 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
    2011/08/28 19:05:17.0437 3924 IpNat (e2168cbc7098ffe963c6f23f472a3593) C:\WINDOWS\system32\DRIVERS\ipnat.sys
    2011/08/28 19:05:17.0515 3924 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
    2011/08/28 19:05:17.0578 3924 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
    2011/08/28 19:05:17.0640 3924 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
    2011/08/28 19:05:17.0703 3924 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
    2011/08/28 19:05:17.0796 3924 kmixer (ba5deda4d934e6288c2f66caf58d2562) C:\WINDOWS\system32\drivers\kmixer.sys
    2011/08/28 19:05:17.0859 3924 KSecDD (674d3e5a593475915dc6643317192403) C:\WINDOWS\system32\drivers\KSecDD.sys
    2011/08/28 19:05:18.0046 3924 MBAMProtector (eca00eed9ab95489007b0ef84c7149de) C:\WINDOWS\system32\drivers\mbam.sys
    2011/08/28 19:05:18.0156 3924 mdmxsdk (0cea2d0d3fa284b85ed5b68365114f76) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
    2011/08/28 19:05:18.0250 3924 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
    2011/08/28 19:05:18.0328 3924 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
    2011/08/28 19:05:18.0453 3924 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
    2011/08/28 19:05:18.0593 3924 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
    2011/08/28 19:05:18.0671 3924 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
    2011/08/28 19:05:18.0734 3924 MRxDAV (46edcc8f2db2f322c24f48785cb46366) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
    2011/08/28 19:05:18.0890 3924 MRxSmb (fb6c89bb3ce282b08bdb1e3c179e1c39) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
    2011/08/28 19:05:18.0953 3924 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
    2011/08/28 19:05:19.0015 3924 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
    2011/08/28 19:05:19.0031 3924 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
    2011/08/28 19:05:19.0078 3924 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
    2011/08/28 19:05:19.0171 3924 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
    2011/08/28 19:05:19.0265 3924 MSTEE (bf13612142995096ab084f2db7f40f77) C:\WINDOWS\system32\drivers\MSTEE.sys
    2011/08/28 19:05:19.0359 3924 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
    2011/08/28 19:05:19.0468 3924 NABTSFEC (5c8dc6429c43dc6177c1fa5b76290d1a) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
    2011/08/28 19:05:19.0515 3924 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
    2011/08/28 19:05:19.0578 3924 NdisIP (520ce427a8b298f54112857bcf6bde15) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
    2011/08/28 19:05:19.0640 3924 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
    2011/08/28 19:05:19.0703 3924 Ndisuio (8d3ce6b579cde8d37acc690b67dc2106) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
    2011/08/28 19:05:19.0718 3924 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
    2011/08/28 19:05:19.0750 3924 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
    2011/08/28 19:05:19.0781 3924 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
    2011/08/28 19:05:19.0796 3924 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys
    2011/08/28 19:05:19.0906 3924 NIC1394 (5c5c53db4fef16cf87b9911c7e8c6fbc) C:\WINDOWS\system32\DRIVERS\nic1394.sys
    2011/08/28 19:05:19.0968 3924 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
    2011/08/28 19:05:20.0078 3924 Ntfs (19a811ef5f1ed5c926a028ce107ff1af) C:\WINDOWS\system32\drivers\Ntfs.sys
    2011/08/28 19:05:20.0171 3924 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
    2011/08/28 19:05:20.0250 3924 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
    2011/08/28 19:05:20.0265 3924 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
    2011/08/28 19:05:20.0343 3924 ohci1394 (0951db8e5823ea366b0e408d71e1ba2a) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
    2011/08/28 19:05:20.0406 3924 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\drivers\Parport.sys
    2011/08/28 19:05:20.0484 3924 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
    2011/08/28 19:05:20.0531 3924 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
    2011/08/28 19:05:20.0562 3924 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
    2011/08/28 19:05:20.0593 3924 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
    2011/08/28 19:05:20.0640 3924 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
    2011/08/28 19:05:21.0015 3924 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
    2011/08/28 19:05:21.0109 3924 Processor (0d97d88720a4087ec93af7dbb303b30a) C:\WINDOWS\system32\DRIVERS\processr.sys
    2011/08/28 19:05:21.0140 3924 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys
    2011/08/28 19:05:21.0171 3924 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
    2011/08/28 19:05:21.0218 3924 PxHelp20 (f7bb4e7a7c02ab4a2672937e124e306e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
    2011/08/28 19:05:21.0453 3924 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
    2011/08/28 19:05:21.0562 3924 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
    2011/08/28 19:05:21.0609 3924 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
    2011/08/28 19:05:21.0656 3924 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
    2011/08/28 19:05:21.0750 3924 Rdbss (03b965b1ca47f6ef60eb5e51cb50e0af) C:\WINDOWS\system32\DRIVERS\rdbss.sys
    2011/08/28 19:05:21.0781 3924 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
    2011/08/28 19:05:21.0890 3924 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
    2011/08/28 19:05:21.0968 3924 RDPWD (b54cd38a9ebfbf2b3561426e3fe26f62) C:\WINDOWS\system32\drivers\RDPWD.sys
    2011/08/28 19:05:22.0000 3924 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
    2011/08/28 19:05:22.0078 3924 Secdrv (d26e26ea516450af9d072635c60387f4) C:\WINDOWS\system32\DRIVERS\secdrv.sys
    2011/08/28 19:05:22.0203 3924 serenum (a2d868aeeff612e70e213c451a70cafb) C:\WINDOWS\system32\DRIVERS\serenum.sys
    2011/08/28 19:05:22.0218 3924 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\DRIVERS\serial.sys
    2011/08/28 19:05:22.0250 3924 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
    2011/08/28 19:05:22.0375 3924 SLIP (5caeed86821fa2c6139e32e9e05ccdc9) C:\WINDOWS\system32\DRIVERS\SLIP.sys
    2011/08/28 19:05:22.0515 3924 splitter (0ce218578fff5f4f7e4201539c45c78f) C:\WINDOWS\system32\drivers\splitter.sys
    2011/08/28 19:05:22.0609 3924 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
    2011/08/28 19:05:22.0687 3924 Srv (7a4f147cc6b133f905f6e65e2f8669fb) C:\WINDOWS\system32\DRIVERS\srv.sys
    2011/08/28 19:05:22.0890 3924 STHDA (31ba85e1cff39a57f702a2a0877bb8e1) C:\WINDOWS\system32\drivers\sthda.sys
    2011/08/28 19:05:23.0015 3924 streamip (284c57df5dc7abca656bc2b96a667afb) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
    2011/08/28 19:05:23.0109 3924 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
    2011/08/28 19:05:23.0218 3924 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
    2011/08/28 19:05:23.0468 3924 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
    2011/08/28 19:05:23.0562 3924 Tcpip (2a5554fc5b1e04e131230e3ce035c3f9) C:\WINDOWS\system32\DRIVERS\tcpip.sys
    2011/08/28 19:05:23.0640 3924 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
    2011/08/28 19:05:23.0703 3924 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
    2011/08/28 19:05:23.0765 3924 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
    2011/08/28 19:05:23.0906 3924 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
    2011/08/28 19:05:24.0031 3924 Update (aff2e5045961bbc0a602bb6f95eb1345) C:\WINDOWS\system32\DRIVERS\update.sys
    2011/08/28 19:05:24.0156 3924 usbaudio (45a0d14b26c35497ad93bce7e15c9941) C:\WINDOWS\system32\drivers\usbaudio.sys
    2011/08/28 19:05:24.0250 3924 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
    2011/08/28 19:05:24.0359 3924 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
    2011/08/28 19:05:24.0390 3924 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
    2011/08/28 19:05:24.0468 3924 usbohci (bdfe799a8531bad8a5a985821fe78760) C:\WINDOWS\system32\DRIVERS\usbohci.sys
    2011/08/28 19:05:24.0546 3924 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    2011/08/28 19:05:24.0609 3924 usbvideo (8968ff3973a883c49e8b564200f565b9) C:\WINDOWS\system32\Drivers\usbvideo.sys
    2011/08/28 19:05:24.0687 3924 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
    2011/08/28 19:05:24.0765 3924 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
    2011/08/28 19:05:24.0796 3924 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
    2011/08/28 19:05:24.0906 3924 wdmaud (efd235ca22b57c81118c1aeb4798f1c1) C:\WINDOWS\system32\drivers\wdmaud.sys
    2011/08/28 19:05:25.0015 3924 winachsf (96aff1738271755a39b52eef7e35f98f) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
    2011/08/28 19:05:25.0171 3924 WmiAcpi (ae2c8544e747c20062db27456ea2d67a) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
    2011/08/28 19:05:25.0265 3924 WSTCODEC (d5842484f05e12121c511aa93f6439ec) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
    2011/08/28 19:05:25.0343 3924 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
    2011/08/28 19:05:25.0390 3924 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
    2011/08/28 19:05:25.0468 3924 MBR (0x1B8) (6f9a1d528242bc09104b85e0becf5554) \Device\Harddisk0\DR0
    2011/08/28 19:05:25.0484 3924 \Device\Harddisk0\DR0 - detected Rootkit.Boot.SST.a (0)
    2011/08/28 19:05:25.0484 3924 Boot (0x1200) (5678c2bab753b3bfe44746cd662ad1cf) \Device\Harddisk0\DR0\Partition0
    2011/08/28 19:05:25.0500 3924 ================================================================================
    2011/08/28 19:05:25.0500 3924 Scan finished
    2011/08/28 19:05:25.0500 3924 ================================================================================
    2011/08/28 19:05:25.0500 3504 Detected object count: 1
    2011/08/28 19:05:25.0500 3504 Actual detected object count: 1
    2011/08/28 19:18:12.0093 3504 \Device\Harddisk0\DR0 (Rootkit.Boot.SST.a) - will be cured after reboot
    2011/08/28 19:18:12.0093 3504 \Device\Harddisk0\DR0 - ok
    2011/08/28 19:18:12.0093 3504 Rootkit.Boot.SST.a(\Device\Harddisk0\DR0) - User select action: Cure
    2011/08/28 19:19:02.0062 3632 Deinitialize success
     
  6. Broni

    Broni Malware Annihilator Posts: 52,884   +344

    Very well :)

    Let's double check...

    Please download Rootkit Unhooker from one of the following links and save it to your desktop.
    In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracing ZIP and RAR compressed files. If you don't have an extraction program, you can download, install and use the free 7-zip utility.

    • Double-click on RKUnhookerLE.exe to start the program.
      Vista/Windows 7 users right-click and select Run As Administrator.
    • Click the Report tab, then click Scan.
    • Check Drivers, Stealth, and uncheck the rest.
    • Click OK.
    • Wait until it's finished and then go to File > Save Report.
    • Save the report to your Desktop.
    • Copy and paste the contents of the report into your next reply.
    -- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".
     
  7. stavros

    stavros TS Rookie Topic Starter Posts: 19

    here you go buddy!



    RkU Version: 3.8.389.593, Type LE (SR2)
    ==============================================
    OS Name: Windows XP
    Version 5.1.2600 (Service Pack 2)
    Number of processors #2
    ==============================================
    >Drivers
    ==============================================
    0xBF0F7000 C:\WINDOWS\System32\ati3duag.dll 2830336 bytes (ATI Technologies Inc. , ati3duag.dll)
    0xB9B88000 C:\WINDOWS\system32\DRIVERS\ati2mtag.sys 2179072 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Miniport Driver)
    0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2142208 bytes (Microsoft Corporation, NT Kernel & System)
    0x804D7000 PnpManager 2142208 bytes
    0x804D7000 RAW 2142208 bytes
    0x804D7000 WMIxWDM 2142208 bytes
    0xBF800000 Win32k 1851392 bytes
    0xBF800000 C:\WINDOWS\System32\win32k.sys 1851392 bytes (Microsoft Corporation, Multi-User Win32 Driver)
    0xBF3AA000 C:\WINDOWS\System32\ativvaxx.dll 1273856 bytes (ATI Technologies Inc. , Radeon Video Acceleration Universal Driver)
    0xAF605000 C:\WINDOWS\system32\drivers\sthda.sys 1175552 bytes (SigmaTel, Inc., NDRC)
    0xAF4A5000 C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys 991232 bytes (Conexant Systems, Inc., HSF_DP driver)
    0xAF3F2000 C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys 733184 bytes (Conexant Systems, Inc., HSF_CNXT driver)
    0xB9AE0000 C:\WINDOWS\system32\DRIVERS\bcmwl5.sys 606208 bytes (Broadcom Corporation, Broadcom 802.11 Network Adapter wireless driver)
    0xB9E3D000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
    0xAF1F3000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 454656 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
    0xAF367000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 360448 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
    0xAC87B000 C:\WINDOWS\system32\DRIVERS\srv.sys 356352 bytes (Microsoft Corporation, Server driver)
    0xBF056000 C:\WINDOWS\System32\ati2cqag.dll 348160 bytes (ATI Technologies Inc., Central Memory Manager / Queue Server Module)
    0xBF0AB000 C:\WINDOWS\System32\atikvmag.dll 311296 bytes (ATI Technologies Inc., Virtual Command And Memory Manager)
    0xAF320000 C:\WINDOWS\system32\DRIVERS\avgtdix.sys 290816 bytes (AVG Technologies CZ, s.r.o., AVG Network connection watcher)
    0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
    0xBF012000 C:\WINDOWS\System32\ati2dvag.dll 278528 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Display Driver)
    0xABCBC000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
    0xAF1B7000 C:\WINDOWS\system32\DRIVERS\avgldx86.sys 245760 bytes (AVG Technologies CZ, s.r.o., AVG AVI Loader Driver)
    0xAF597000 C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys 212992 bytes (Conexant Systems, Inc., HSF_HWAZL WDM driver)
    0xB9970000 C:\WINDOWS\system32\DRIVERS\update.sys 212992 bytes (Microsoft Corporation, Update Driver)
    0xB99A4000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 200704 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
    0xB9F79000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
    0xAC9EA000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
    0xB9E10000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
    0xB9AB5000 C:\WINDOWS\system32\DRIVERS\b57xp32.sys 176128 bytes (Broadcom Corporation, Broadcom NetXtreme Gigabit Ethernet NDIS5.1 Driver.)
    0xAB78E000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
    0xAF262000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
    0xAF2AF000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
    0xB9A49000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 155648 bytes (Windows (R) Server 2003 DDK provider, High Definition Audio Bus Driver v1.0)
    0xB9A25000 C:\WINDOWS\system32\DRIVERS\Apfiltr.sys 147456 bytes (Alps Electric Co., Ltd., Alps Touch Pad Driver)
    0xB9A6F000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
    0xB9A92000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 143360 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
    0xAF28D000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
    0xAF5E3000 C:\WINDOWS\system32\drivers\portcls.sys 139264 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
    0xAF2FF000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 135168 bytes (Microsoft Corporation, IP Network Address Translator)
    0x806E2000 ACPI_HAL 134400 bytes
    0x806E2000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
    0xAC690000 C:\WINDOWS\system32\DRIVERS\AVGIDSDriver.Sys 131072 bytes (AVG Technologies CZ, s.r.o. , IDS Application Activity Monitor Driver.)
    0xB9EF3000 fltMgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
    0xB9F2B000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
    0xB9F4A000 pcmcia.sys 122880 bytes (Microsoft Corporation, PCMCIA Bus Driver)
    0xB9DF5000 Mup.sys 110592 bytes (Microsoft Corporation, Multiple UNC Provider driver)
    0xB9F13000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
    0xAF087000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
    0xAF5CB000 C:\WINDOWS\system32\drivers\dxec01.sys 98304 bytes (Knowles Acoustics, dxec01.sys)
    0xB9ECA000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
    0xB99E6000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
    0xAC74E000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
    0xB9B74000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
    0xAF3BF000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
    0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
    0xB9EE1000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
    0xB9F68000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
    0xB99D5000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
    0xB9950000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
    0xBA158000 C:\WINDOWS\system32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
    0xBA208000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
    0xBA0B8000 ohci1394.sys 61440 bytes (Microsoft Corporation, 1394 OpenHCI Port Driver)
    0xBA138000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
    0xAF157000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
    0xBA1F8000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
    0xBA2F8000 C:\WINDOWS\system32\DRIVERS\AmdK8.sys 57344 bytes (Advanced Micro Devices, AMD Processor Driver)
    0xBA0C8000 C:\WINDOWS\system32\DRIVERS\1394BUS.SYS 53248 bytes (Microsoft Corporation, 1394 Bus Device Driver)
    0xBA318000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 53248 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
    0xBA108000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
    0xBA148000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
    0xBA168000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
    0xBA0E8000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
    0xBA218000 C:\WINDOWS\system32\DRIVERS\avgmfx86.sys 49152 bytes (AVG Technologies CZ, s.r.o., AVG Resident Shield Minifilter Driver)
    0xBA188000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
    0xBA308000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
    0xBA0D8000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
    0xBA178000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
    0xBA1B8000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
    0xBA1A8000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
    0xAB879000 C:\WINDOWS\System32\Drivers\BlackBox.SYS 36864 bytes (RKU Driver)
    0xBA0F8000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
    0xBA258000 C:\WINDOWS\System32\Drivers\Fips.SYS 36864 bytes (Microsoft Corporation, FIPS Crypto Driver)
    0xABAFC000 C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys 36864 bytes (Microsoft Corporation, IP FILTER DRIVER)
    0xBA0A8000 isapnp.sys 36864 bytes (Microsoft Corporation, PNP ISA Bus Driver)
    0xBA198000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
    0xBA238000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
    0xBA118000 PxHelp20.sys 36864 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
    0xBA228000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
    0xBA428000 C:\WINDOWS\System32\Drivers\Modem.SYS 32768 bytes (Microsoft Corporation, Modem Device Driver)
    0xBA458000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
    0xBA338000 avgrkx86.sys 28672 bytes (AVG Technologies CZ, s.r.o., AVG Anti-Rootkit Driver)
    0xBA328000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
    0xBA3F8000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 28672 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
    0xBA408000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
    0xBA400000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
    0xBA448000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
    0xBA460000 C:\WINDOWS\system32\DRIVERS\AVGIDSFilter.Sys 20480 bytes (AVG Technologies CZ, s.r.o. , IDS Application Activity Monitor Filter Driver.)
    0xBA3C0000 C:\WINDOWS\system32\DRIVERS\AVGIDSShim.Sys 20480 bytes (AVG Technologies CZ, s.r.o. , IDS Application Activity Monitor Loader Driver.)
    0xBA450000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
    0xBA330000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
    0xBA418000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
    0xBA420000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel(R) mini-port/call-manager driver)
    0xBA410000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
    0xBA3F0000 C:\WINDOWS\system32\DRIVERS\usbohci.sys 20480 bytes (Microsoft Corporation, OHCI USB Miniport Driver)
    0xBA390000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
    0xBA4C4000 AVGIDSEH.Sys 16384 bytes (AVG Technologies CZ, s.r.o. , IDS Application Activity Monitor Helper Driver.)
    0xBA4C0000 C:\WINDOWS\system32\DRIVERS\BATTC.SYS 16384 bytes (Microsoft Corporation, Battery Class Driver)
    0xBA590000 C:\WINDOWS\system32\DRIVERS\CmBatt.sys 16384 bytes (Microsoft Corporation, Control Method Battery Driver)
    0xACD77000 C:\WINDOWS\system32\drivers\mbam.sys 16384 bytes (Malwarebytes Corporation, Malwarebytes' Anti-Malware)
    0xAC9D2000 C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys 16384 bytes (Conexant, Diagnostic Interface x86 Driver)
    0xB9DC1000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
    0xACC73000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
    0xBA58C000 C:\WINDOWS\system32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
    0xBA4B8000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
    0xBA4BC000 compbatt.sys 12288 bytes (Microsoft Corporation, Composite Battery Driver)
    0xAF738000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
    0xBA598000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
    0xBA580000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
    0xBA594000 C:\WINDOWS\system32\DRIVERS\wmiacpi.sys 12288 bytes (Microsoft Corporation, Windows Management Interface for ACPI)
    0xBA5C2000 C:\Program Files\Broadcom\ASFIPMon\BASFND.sys 8192 bytes (Broadcom Corporation, Broadcom NetDetect Driver.)
    0xBA5F2000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
    0xBA644000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
    0xBA5F0000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
    0xBA5A8000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
    0xBA5F4000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
    0xBA5F6000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
    0xBA5E6000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
    0xBA5EC000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
    0xBA5AA000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
    0xBA78A000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
    0xBA7DC000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
    0xBA6B3000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
    0xBA670000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
    ==============================================
    >Stealth
    ==============================================
     
  8. Broni

    Broni Malware Annihilator Posts: 52,884   +344

    Good :)

    How is computer doing?

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    If you see this question: Would you like to download latest Avast! virus definitions?" say "Yes".
    Click the "Scan" button to start scan:
    [​IMG]

    On completion of the scan click "Save log", save it to your desktop and post in your next reply:
    [​IMG]

    NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

    =================================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.



    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  9. stavros

    stavros TS Rookie Topic Starter Posts: 19

    it appears to be working well thanks! although web pages are occasionally failing to load and so have to hit refresh a few times. that could just be my internet connection though. Will go ahead and do those things from above
     
  10. Broni

    Broni Malware Annihilator Posts: 52,884   +344

    OK :)................
     
  11. stavros

    stavros TS Rookie Topic Starter Posts: 19

    I don't know if this is in anyway userful or virus related but when i tried to down load combofix it returned a download error

    couldn't download file.. .
    connetion to server has been reset

    it was doing this yesterday too when i was downloading things, i was able to download combofix at the second attempt. this may just be todo with the internet connection and related to the failure to connect to websites that i mentioned above.

    anyway will get on with running combofix
     
  12. stavros

    stavros TS Rookie Topic Starter Posts: 19

    hi broni

    i have run aswMBR and combofix.

    i was running AVG antivirus, shall i go ahead and reinstall it (I uninstalled it as part of the combofix run).

    Note also combofix tried to download the recovery console, but i think it lost the internet connection so failed to download, combofix went ahead and ran anyway. Am going to try plugging the laptop directly into the router to see if that improves the internet access

    see below for the logs

    @@@@@@@@@@@@@@@@@@@@@@@@@@@@
    aswMBR - report
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@

    aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
    Run date: 2011-08-28 19:57:03
    -----------------------------
    19:57:03.531 OS Version: Windows 5.1.2600 Service Pack 2
    19:57:03.531 Number of processors: 2 586 0x6801
    19:57:03.531 ComputerName: 1Y2P23J UserName: sbe
    19:57:04.390 Initialize success
    19:58:33.234 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
    19:58:33.234 Disk 0 Vendor: ST960813AS 3.CDD Size: 57231MB BusType: 3
    19:58:35.421 Disk 0 MBR read successfully
    19:58:35.421 Disk 0 MBR scan
    19:58:35.421 Disk 0 Windows XP default MBR code
    19:58:35.421 Disk 0 scanning sectors +117194175
    19:58:35.546 Disk 0 scanning C:\WINDOWS\system32\drivers
    19:58:42.781 Service scanning
    19:58:43.828 Modules scanning
    19:58:48.906 Disk 0 trace - called modules:
    19:58:48.937 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS BlackBox.SYS
    19:58:48.937 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x89d06ab8]
    19:58:48.937 3 CLASSPNP.SYS[ba10905b] -> nt!IofCallDriver -> \Device\0000007d[0x89cf5490]
    19:58:48.937 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x89c42d98]
    19:58:48.953 Scan finished successfully
    19:59:39.671 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\sbe\Desktop\MBR.dat"
    19:59:39.671 The log file has been saved successfully to "C:\Documents and Settings\sbe\Desktop\aswMBR.txt"


    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    combofix log
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

    ComboFix 11-08-28.01 - sbe 28/08/2011 20:28:25.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.1918.1283 [GMT 1:00]
    Running from: c:\documents and settings\sbe\Desktop\ComboFix.exe
    .
    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\sbe\Application Data\Microsoft\Internet Explorer\Quick Launch\System Repair.lnk
    c:\documents and settings\sbe\Desktop\System Repair.lnk
    c:\documents and settings\sbe\Start Menu\Programs\System Repair
    c:\documents and settings\sbe\Start Menu\Programs\System Repair\System Repair.lnk
    c:\documents and settings\sbe\Start Menu\Programs\System Repair\Uninstall System Repair.lnk
    c:\windows\system\CW3215.DLL
    c:\windows\system\CW3215MT.DLL
    c:\windows\system\SIMSCLRA.FON
    c:\windows\system\SIMSFNAV.FON
    c:\windows\system\SIMSMONO.FON
    c:\windows\system32\comct332.ocx
    c:\windows\system32\config\systemprofile\Application Data\Macromedia\Common
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-07-28 to 2011-08-28 )))))))))))))))))))))))))))))))
    .
    .
    2011-08-28 19:19 . 2011-08-28 19:19 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
    2011-08-27 20:23 . 2011-08-28 19:18 -------- d-----w- c:\windows\system32\drivers\AVG
    2011-08-27 20:15 . 2011-08-27 20:15 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
    2011-08-27 20:08 . 2011-08-27 21:59 -------- d-----w- c:\windows\system32\CatRoot_bak
    2011-08-27 16:17 . 2011-08-27 16:17 -------- d-----w- c:\windows\ServicePackFiles
    2011-08-27 15:53 . 2008-06-13 13:10 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
    2011-08-27 15:53 . 2008-06-13 13:10 272128 ------w- c:\windows\system32\drivers\bthport.sys
    2011-08-27 13:04 . 2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe
    2011-08-27 13:01 . 2011-08-27 13:01 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-08-27 12:06 . 2011-08-27 12:06 -------- d-----w- c:\documents and settings\sbe\Application Data\Malwarebytes
    2011-08-27 12:05 . 2011-07-06 18:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-08-27 12:05 . 2011-08-27 12:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-08-27 12:05 . 2011-07-06 18:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-08-27 12:05 . 2011-08-27 12:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-08-24 18:55 . 2011-08-24 18:55 -------- d-----w- c:\documents and settings\sbe\Local Settings\Application Data\Sophos
    2011-08-04 12:30 . 2011-08-04 12:30 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Google
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-06-13 39408]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SigmatelSysTrayApp"="stsystra.exe" [2007-02-19 303104]
    "KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
    "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]
    "Apoint"="c:\program files\Apoint\Apoint.exe" [2007-01-25 159744]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]
    "ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 90112]
    "Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2007-06-15 366400]
    "ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-10-10 203264]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    AutoUpdate Monitor.lnk - c:\program files\Sophos\AutoUpdate\ALMon.exe [N/A]
    HP Button Manager.lnk - c:\program files\HP\Button Manager\BM.exe [2007-8-12 356864]
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\MatchWare\\OpenMind\\OpenMind.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    .
    R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [19/12/2006 14:21 79432]
    R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [27/08/2011 13:05 366640]
    R2 uCamMonitor;CamMonitor;c:\program files\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe [12/08/2007 10:25 104960]
    R3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [02/11/2006 12:32 97536]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [27/08/2011 13:05 22712]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [21/02/2010 17:00 135664]
    S3 ArcSoftKsUFilter;ArcSoft Magic-I Visual Effect;c:\windows\system32\drivers\ArcSoftKsUFilter.sys [12/08/2007 10:25 14336]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [21/02/2010 17:00 135664]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-08-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-21 16:00]
    .
    2011-08-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-21 16:00]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/
    uDefault_Search_URL = hxxp://www.google.com/ie
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Settings,ProxyServer = 168.4.0.6:80
    uInternet Settings,ProxyOverride = webmail.newcastlelea.org;walkerdc;https://168.4.0.5:8443;citrixvs01.schools.newcastle.ad;192.168.57.81;<local>
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
    TCP: DhcpNameServer = 192.168.0.1
    .
    - - - - ORPHANS REMOVED - - - -
    .
    WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-08-28 20:35
    Windows 5.1.2600 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(868)
    c:\windows\system32\Ati2evxx.dll
    .
    Completion time: 2011-08-28 20:37:10
    ComboFix-quarantined-files.txt 2011-08-28 19:37
    .
    Pre-Run: 45,082,423,296 bytes free
    Post-Run: 45,670,363,136 bytes free
    .
    - - End Of File - - 341EF4B6CA0E98BA830CF4EDFF07B14A
     
  13. Broni

    Broni Malware Annihilator Posts: 52,884   +344

    Make sure to allow recovery console installation this time...

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad .exe in the Run Box
    • Click OK
    Windows Vista/7 users: click Start, in "Start search" type notepad and press Enter.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    DDS::
    uInternet Settings,ProxyServer = 168.4.0.6:80
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [​IMG]


    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
     
  14. stavros

    stavros TS Rookie Topic Starter Posts: 19

    okay, the recovery console downloaded this time!. I think this is what you want

    ComboFix 11-08-28.01 - sbe 28/08/2011 22:06:54.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.1918.1281 [GMT 1:00]
    Running from: c:\documents and settings\sbe\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\sbe\Desktop\CFScript.txt
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-07-28 to 2011-08-28 )))))))))))))))))))))))))))))))
    .
    .
    2011-08-28 19:19 . 2011-08-28 19:19 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
    2011-08-27 20:23 . 2011-08-28 19:18 -------- d-----w- c:\windows\system32\drivers\AVG
    2011-08-27 20:15 . 2011-08-27 20:15 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
    2011-08-27 20:08 . 2011-08-27 21:59 -------- d-----w- c:\windows\system32\CatRoot_bak
    2011-08-27 16:17 . 2011-08-27 16:17 -------- d-----w- c:\windows\ServicePackFiles
    2011-08-27 15:53 . 2008-06-13 13:10 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
    2011-08-27 15:53 . 2008-06-13 13:10 272128 ------w- c:\windows\system32\drivers\bthport.sys
    2011-08-27 13:04 . 2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe
    2011-08-27 13:01 . 2011-08-27 13:01 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-08-27 12:06 . 2011-08-27 12:06 -------- d-----w- c:\documents and settings\sbe\Application Data\Malwarebytes
    2011-08-27 12:05 . 2011-07-06 18:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-08-27 12:05 . 2011-08-27 12:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-08-27 12:05 . 2011-07-06 18:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-08-27 12:05 . 2011-08-27 12:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-08-24 18:55 . 2011-08-24 18:55 -------- d-----w- c:\documents and settings\sbe\Local Settings\Application Data\Sophos
    2011-08-04 12:30 . 2011-08-04 12:30 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Google
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-06-13 39408]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SigmatelSysTrayApp"="stsystra.exe" [2007-02-19 303104]
    "KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
    "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]
    "Apoint"="c:\program files\Apoint\Apoint.exe" [2007-01-25 159744]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]
    "ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 90112]
    "Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2007-06-15 366400]
    "ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-10-10 203264]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    AutoUpdate Monitor.lnk - c:\program files\Sophos\AutoUpdate\ALMon.exe [N/A]
    HP Button Manager.lnk - c:\program files\HP\Button Manager\BM.exe [2007-8-12 356864]
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\MatchWare\\OpenMind\\OpenMind.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    .
    R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [19/12/2006 14:21 79432]
    R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [27/08/2011 13:05 366640]
    R2 uCamMonitor;CamMonitor;c:\program files\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe [12/08/2007 10:25 104960]
    R3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [02/11/2006 12:32 97536]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [27/08/2011 13:05 22712]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [21/02/2010 17:00 135664]
    S3 ArcSoftKsUFilter;ArcSoft Magic-I Visual Effect;c:\windows\system32\drivers\ArcSoftKsUFilter.sys [12/08/2007 10:25 14336]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [21/02/2010 17:00 135664]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-08-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-21 16:00]
    .
    2011-08-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-21 16:00]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/
    uDefault_Search_URL = hxxp://www.google.com/ie
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Settings,ProxyOverride = webmail.newcastlelea.org;walkerdc;https://168.4.0.5:8443;citrixvs01.schools.newcastle.ad;192.168.57.81;<local>
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
    TCP: DhcpNameServer = 192.168.0.1
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-08-28 22:10
    Windows 5.1.2600 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(868)
    c:\windows\system32\Ati2evxx.dll
    .
    - - - - - - - > 'explorer.exe'(2824)
    c:\windows\system32\WININET.dll
    c:\windows\system32\IEFRAME.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2011-08-28 22:11:15
    ComboFix-quarantined-files.txt 2011-08-28 21:11
    ComboFix2.txt 2011-08-28 19:37
    .
    Pre-Run: 45,662,810,112 bytes free
    Post-Run: 45,650,673,664 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer
    .
    - - End Of File - - D2677D254343CDC8C8D285090359F595
     
  15. Broni

    Broni Malware Annihilator Posts: 52,884   +344

    Looks good :)

    How is computer doing?

    You can reinstall AVG now.

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  16. stavros

    stavros TS Rookie Topic Starter Posts: 19

    computer seems to be working great thanks!


    have split the two logs over two posts as was too long


    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    extras.txt
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    OTL Extras logfile created on: 28/08/2011 23:01:01 - Run 1
    OTL by OldTimer - Version 3.2.26.6 Folder = C:\Documents and Settings\sbe\Desktop
    Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 7.0.5730.13)
    Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

    1.87 Gb Total Physical Memory | 1.13 Gb Available Physical Memory | 60.25% Memory free
    3.72 Gb Paging File | 3.09 Gb Available in Paging File | 82.90% Paging File free
    Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 55.88 Gb Total Space | 41.84 Gb Free Space | 74.87% Space Free | Partition Type: NTFS

    Computer Name: 1Y2P23J | User Name: sbe | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    .html [@ = ChromeHTML] -- C:\Program Files\Google\Chrome\Application\chrome.exe (Google Inc.)
    .url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

    [HKEY_USERS\S-1-5-21-1801674531-527237240-2146984249-7077\SOFTWARE\Classes\<extension>]
    .html [@ = htmlfile] -- Reg Error: Key error. File not found

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    exefile [open] -- "%1" %*
    https [open] -- "C:\Program Files\Google\Chrome\Application\chrome.exe" -- "%1" (Google Inc.)
    InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
    Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirstRunDisabled" = 1
    "AntiVirusDisableNotify" = 0
    "FirewallDisableNotify" = 0
    "UpdatesDisableNotify" = 0
    "AntiVirusOverride" = 0
    "FirewallOverride" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

    ========== System Restore Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
    "Start" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
    "Start" = 2

    ========== Firewall Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
    "1900:UDP" = 1900:UDP:LocalSubNet:Enabled:mad:xpsp2res.dll,-22007
    "2869:TCP" = 2869:TCP:LocalSubNet:Enabled:mad:xpsp2res.dll,-22008

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall" = 1
    "DisableNotifications" = 0
    "DoNotAllowExceptions" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
    "1900:UDP" = 1900:UDP:LocalSubNet:Enabled:mad:xpsp2res.dll,-22007
    "2869:TCP" = 2869:TCP:LocalSubNet:Enabled:mad:xpsp2res.dll,-22008

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "C:\Program Files\MatchWare\OpenMind\OpenMind.exe" = C:\Program Files\MatchWare\OpenMind\OpenMind.exe:*:Enabled:MatchWare OpenMind -- (MatchWare A/S)
    "C:\Program Files\AVG\AVG10\avgnsx.exe" = C:\Program Files\AVG\AVG10\avgnsx.exe:*:Enabled:Online Shield -- (AVG Technologies CZ, s.r.o.)
    "C:\Program Files\AVG\AVG10\avgmfapx.exe" = C:\Program Files\AVG\AVG10\avgmfapx.exe:*:Enabled:AVG Installer -- (AVG Technologies CZ, s.r.o.)
    "C:\Program Files\AVG\AVG10\avgemcx.exe" = C:\Program Files\AVG\AVG10\avgemcx.exe:*:Enabled:personal E-mail Scanner -- (AVG Technologies CZ, s.r.o.)


    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{05BB2EC5-6BEF-4DDC-9E75-BEE7B161157A}" = Macromedia Dreamweaver MX 2004
    "{08094E03-AFE4-4853-9D31-6D0743DF5328}" = QuickTime
    "{126BAF42-DB8A-43A7-BE2C-F50DA0C477DD}" = Flowol 3
    "{15095BF3-A3D7-4DDF-B193-3A496881E003}" = Microsoft .NET Framework 3.0
    "{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
    "{1A1BA8DD-3222-4823-B508-A902128A5544}" = MatchWare Mediator 8.0 Pro
    "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    "{20EAC554-95F9-4926-8D9A-C4FF3EC44C72}" = AVG 2011
    "{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
    "{27E25625-DB51-42E6-BEB7-0C8DC878770C}" = Broadcom ASF Management Applications
    "{2F353D44-73BB-4971-B31D-F7642E9E9531}" = Macromedia Flash MX 2004
    "{334713BA-B8E7-4A60-988C-4110753A191E}" = ArcSoft Magic-i Visual Effects 2
    "{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
    "{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = NetWaiting
    "{407B9B5C-DAC5-4F44-A756-B57CAB4E6A8B}" = Google Earth
    "{467665E7-8C14-4797-BC3F-E72E9A1C7AF6}" = Flowol Control Picture Mimics
    "{491DD792-AD81-429C-9EB4-86DD3D22E333}" = Windows Communication Foundation
    "{4D918BF6-9C9A-4FF4-A188-54DAD933C286}" = SMART Board Software (English United Kingdom Language Pack)
    "{636F5444-8C7C-40C6-A89B-A1D2F01DC7F6}" = ATI Catalyst Control Center
    "{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
    "{695B13B2-7919-4EC5-8601-092F0D2DE069}" = AVG 2011
    "{6D82EA51-EF5B-4DE5-A673-CB26BAF31E47}" = SIMS Infrastructure
    "{6D8EACA3-664E-4F83-8A84-BE3AE952DAB6}" = ArcSoft WebCam Companion 3
    "{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}" = Microsoft .NET Framework 2.0
    "{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
    "{7390FC95-D842-448A-A3A2-C8DC89AEB83A}" = HP Button Manager
    "{7D1B85BD-AA07-48B8-808D-67A4067FC6BD}" = Windows Workflow Foundation
    "{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
    "{939740B5-0064-4779-854A-8C1086181C05}" = Macromedia FreeHand MXa
    "{98736A65-3C79-49EC-B7E9-A3C77774B0E6}" = Google SketchUp 6
    "{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = Dell Touchpad
    "{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = SigmaTel Audio
    "{A5BA14E0-7384-11D4-BAE7-00409631A2C8}" = Macromedia Extension Manager
    "{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
    "{AC76BA86-7AD7-1033-7B44-A80000000002}" = Adobe Reader 8
    "{B3D8B2F8-3C2C-45BC-933E-8B60E78F6684}" = Google SketchUp 6
    "{B6CF2967-C81E-40C0-9815-C05774FEF120}" = Skype Toolbars
    "{B72EB184-2A42-4B3C-8F8F-D7EF163829B4}" = SMART Board Software
    "{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
    "{C151CE54-E7EA-4804-854B-F515368B0798}" = AMD Processor Driver
    "{C9710CCD-2A90-4545-B4B9-1E525FBB9195}" = SMART Essentials for Educators
    "{C99C0593-3B48-41D9-B42F-6E035B320449}" = Broadcom Management Programs
    "{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
    "{D31612BB-C6D7-4142-96AE-16DB062354CF}" = HP Webcam User's Guide
    "{D3B3B9B2-FE73-44CB-8C0A-F737D92F991B}" = Broadcom Gigabit Integrated Controller
    "{D6F879CC-59D6-4D4B-AE9B-D761E48D25ED}" = Skype™ 5.3
    "{D9FCA292-1186-421F-8D93-9A5D272AD5D0}" = IntelliSonic Speech Enhancement
    "{E583ED6F-BD99-4066-A420-C815BF692B69}" = Macromedia Fireworks MX 2004
    "{E9A46F5F-1E5C-4023-87CF-37787D021931}" = OpenMind
    "{F63A3748-B93D-4360-9AD4-B064481A5C7B}" = Modem Diagnostic Tool
    "Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
    "Adobe Shockwave Player" = Adobe Shockwave Player
    "All ATI Software" = ATI - Software Uninstall Utility
    "ATI Display Driver" = ATI Display Driver
    "AVG" = AVG 2011
    "Broadcom 802.11b Network Adapter" = Dell Wireless WLAN Card
    "CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2C06&SUBSYS_14F1000F" = Conexant HDA D330 MDC V.92 Modem
    "Cortona® VRML Client" = Cortona® VRML Client
    "Google Chrome" = Google Chrome
    "IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
    "ie7" = Windows Internet Explorer 7
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.1.1800
    "Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
    "Microsoft .NET Framework 2.0" = Microsoft .NET Framework 2.0
    "Microsoft .NET Framework 3.0" = Microsoft .NET Framework 3.0
    "MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
    "NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
    "Picasa2" = Picasa 2
    "RealPlayer 6.0" = RealPlayer
    "WIC" = Windows Imaging Component
    "Windows Media Format Runtime" = Windows Media Format 11 runtime
    "Windows Media Player" = Windows Media Player 11
    "WMFDist11" = Windows Media Format 11 runtime
    "wmp11" = Windows Media Player 11
    "Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
    "XpsEPSC" = XML Paper Specification Shared Components Pack 1.0

    ========== HKEY_USERS Uninstall List ==========

    [HKEY_USERS\S-1-5-21-1801674531-527237240-2146984249-7077\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "Move Media Player" = Move Media Player

    ========== Last 10 Event Log Errors ==========

    Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!

    < End of report >
     
  17. stavros

    stavros TS Rookie Topic Starter Posts: 19

    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    OLT.txt
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

    23:14 28/08/2011OTL logfile created on: 28/08/2011 23:01:01 - Run 1
    OTL by OldTimer - Version 3.2.26.6 Folder = C:\Documents and Settings\sbe\Desktop
    Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 7.0.5730.13)
    Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

    1.87 Gb Total Physical Memory | 1.13 Gb Available Physical Memory | 60.25% Memory free
    3.72 Gb Paging File | 3.09 Gb Available in Paging File | 82.90% Paging File free
    Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 55.88 Gb Total Space | 41.84 Gb Free Space | 74.87% Space Free | Partition Type: NTFS

    Computer Name: 1Y2P23J | User Name: sbe | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2011/08/28 22:58:41 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\sbe\Desktop\OTL.exe
    PRC - [2011/07/06 19:52:38 | 000,449,584 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
    PRC - [2011/07/06 19:52:38 | 000,366,640 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    PRC - [2011/04/18 17:40:08 | 002,334,560 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgtray.exe
    PRC - [2011/04/18 17:39:42 | 007,398,752 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
    PRC - [2011/04/14 05:36:42 | 001,080,672 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgnsx.exe
    PRC - [2011/03/28 03:00:52 | 000,351,072 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgcsrvx.exe
    PRC - [2011/03/16 16:05:14 | 000,656,736 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgchsvx.exe
    PRC - [2011/02/10 07:55:18 | 001,148,256 | ---- | M] () -- C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSMonitor.exe
    PRC - [2011/02/08 05:33:42 | 000,269,520 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgwdsvc.exe
    PRC - [2011/02/08 05:33:20 | 000,658,784 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgrsx.exe
    PRC - [2009/10/10 13:32:18 | 000,305,664 | ---- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
    PRC - [2009/10/10 13:32:18 | 000,203,264 | ---- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    PRC - [2009/09/28 09:42:50 | 000,109,056 | ---- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    PRC - [2009/07/24 18:55:30 | 000,356,864 | ---- | M] () -- C:\Program Files\HP\Button Manager\BM.exe
    PRC - [2008/09/18 10:59:10 | 000,104,960 | ---- | M] (ArcSoft, Inc.) -- C:\Program Files\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe
    PRC - [2007/06/16 00:15:02 | 000,366,400 | ---- | M] (Google Inc.) -- C:\Program Files\Picasa2\PicasaMediaDetector.exe
    PRC - [2007/06/13 11:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
    PRC - [2007/02/19 14:27:16 | 000,090,112 | ---- | M] (SigmaTel, Inc.) -- C:\Program Files\SigmaTel\C-Major Audio\WDM\stacsv.exe
    PRC - [2007/02/19 14:26:32 | 000,303,104 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\stsystra.exe
    PRC - [2007/01/29 19:07:18 | 000,050,736 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\ApMsgFwd.exe
    PRC - [2007/01/25 17:34:22 | 000,159,744 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\Apoint.exe
    PRC - [2006/12/19 14:21:48 | 000,079,432 | ---- | M] (Broadcom Corporation) -- C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
    PRC - [2006/11/02 14:05:50 | 000,282,624 | ---- | M] (Knowles Acoustics) -- C:\WINDOWS\system32\KADxMain.exe
    PRC - [2006/09/25 09:12:20 | 000,045,056 | ---- | M] (ATI Technologies Inc.) -- C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
    PRC - [2006/09/18 04:45:32 | 000,978,944 | ---- | M] (SMART Technologies Inc.) -- C:\Program Files\SMART Board Software\SMARTBoardService.exe
    PRC - [2006/09/08 15:10:22 | 000,040,960 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\hidfind.exe
    PRC - [2006/09/08 15:06:08 | 000,040,960 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\ApntEx.exe


    ========== Modules (No Company Name) ==========

    MOD - [2011/08/27 17:20:13 | 003,391,488 | ---- | M] () -- c:\windows\assembly\nativeimages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_84515009\mscorlib.dll
    MOD - [2011/08/27 17:20:10 | 000,835,584 | ---- | M] () -- c:\windows\assembly\nativeimages1_v1.1.4322\system.drawing\1.0.5000.0__b03f5f7f11d50a3a_9d5ed24e\system.drawing.dll
    MOD - [2011/08/27 17:20:00 | 002,088,960 | ---- | M] () -- c:\windows\assembly\nativeimages1_v1.1.4322\system.xml\1.0.5000.0__b77a5c561934e089_f915318d\system.xml.dll
    MOD - [2011/08/27 17:19:53 | 003,018,752 | ---- | M] () -- c:\windows\assembly\nativeimages1_v1.1.4322\system.windows.forms\1.0.5000.0__b77a5c561934e089_199e3d30\system.windows.forms.dll
    MOD - [2011/08/27 17:19:42 | 001,966,080 | ---- | M] () -- c:\windows\assembly\nativeimages1_v1.1.4322\system\1.0.5000.0__b77a5c561934e089_91239e91\system.dll
    MOD - [2011/08/27 17:19:34 | 001,232,896 | ---- | M] () -- c:\windows\assembly\gac\system\1.0.5000.0__b77a5c561934e089\system.dll
    MOD - [2011/08/27 17:19:33 | 001,265,664 | ---- | M] () -- c:\windows\assembly\gac\system.web\1.0.5000.0__b03f5f7f11d50a3a\system.web.dll
    MOD - [2011/07/26 10:15:58 | 002,532,680 | ---- | M] () -- C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll
    MOD - [2011/02/10 07:55:18 | 001,148,256 | ---- | M] () -- C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSMonitor.exe
    MOD - [2009/07/24 18:55:30 | 000,356,864 | ---- | M] () -- C:\Program Files\HP\Button Manager\BM.exe
    MOD - [2007/08/16 12:29:38 | 001,339,392 | ---- | M] () -- c:\windows\assembly\gac\system.xml\1.0.5000.0__b77a5c561934e089\system.xml.dll
    MOD - [2007/08/16 12:29:38 | 000,372,736 | ---- | M] () -- c:\windows\assembly\gac\system.management\1.0.5000.0__b03f5f7f11d50a3a\system.management.dll
    MOD - [2007/08/16 12:29:37 | 000,323,584 | ---- | M] () -- c:\windows\assembly\gac\system.runtime.remoting\1.0.5000.0__b77a5c561934e089\system.runtime.remoting.dll
    MOD - [2007/08/16 12:29:36 | 000,466,944 | ---- | M] () -- c:\windows\assembly\gac\system.drawing\1.0.5000.0__b03f5f7f11d50a3a\system.drawing.dll
    MOD - [2007/08/16 12:29:35 | 002,052,096 | ---- | M] () -- c:\windows\assembly\gac\system.windows.forms\1.0.5000.0__b77a5c561934e089\system.windows.forms.dll
    MOD - [2007/03/16 18:10:38 | 000,757,760 | ---- | M] () -- C:\WINDOWS\system32\bcm1xsup.dll
    MOD - [2004/09/01 07:42:44 | 000,257,536 | ---- | M] () -- C:\WINDOWS\system32\BiImg.dll


    ========== Win32 Services (SafeList) ==========

    SRV - File not found [Disabled | Stopped] -- -- (HidServ)
    SRV - [2011/07/26 10:16:02 | 001,025,352 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\AVG\AVG10\Toolbar\ToolbarBroker.exe -- (AVG Security Toolbar Service)
    SRV - [2011/07/06 19:52:38 | 000,366,640 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
    SRV - [2011/04/18 17:39:42 | 007,398,752 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe -- (AVGIDSAgent)
    SRV - [2011/02/08 05:33:42 | 000,269,520 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG10\avgwdsvc.exe -- (avgwd)
    SRV - [2009/09/28 09:42:50 | 000,109,056 | ---- | M] (ArcSoft Inc.) [Auto | Running] -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe -- (ACDaemon)
    SRV - [2008/09/18 10:59:10 | 000,104,960 | ---- | M] (ArcSoft, Inc.) [Auto | Running] -- C:\Program Files\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe -- (uCamMonitor)
    SRV - [2007/08/16 11:25:30 | 000,069,632 | ---- | M] (Macromedia) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe -- (Macromedia Licensing Service)
    SRV - [2007/02/19 14:27:16 | 000,090,112 | ---- | M] (SigmaTel, Inc.) [Auto | Running] -- C:\Program Files\SigmaTel\C-Major Audio\WDM\stacsv.exe -- (STacSV)
    SRV - [2006/12/19 14:21:48 | 000,079,432 | ---- | M] (Broadcom Corporation) [Auto | Running] -- C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe -- (ASFIPmon)
    SRV - [2006/09/18 04:45:32 | 000,978,944 | ---- | M] (SMART Technologies Inc.) [Auto | Running] -- C:\Program Files\SMART Board Software\SMARTBoardService.exe -- (SMART Board Service)


    ========== Driver Services (SafeList) ==========

    DRV - [2011/07/06 19:52:42 | 000,022,712 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)
    DRV - [2011/04/14 21:28:42 | 000,134,480 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AVGIDSDriver.sys -- (AVGIDSDriver)
    DRV - [2011/04/05 00:59:56 | 000,297,168 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgtdix.sys -- (Avgtdix)
    DRV - [2011/03/16 16:03:20 | 000,032,592 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\avgrkx86.sys -- (Avgrkx86)
    DRV - [2011/03/01 14:25:18 | 000,034,896 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\avgmfx86.sys -- (Avgmfx86)
    DRV - [2011/02/22 08:13:02 | 000,022,992 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\AVGIDSEH.Sys -- (AVGIDSEH)
    DRV - [2011/02/10 07:53:54 | 000,027,216 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AVGIDSShim.sys -- (AVGIDSShim)
    DRV - [2011/02/10 07:53:52 | 000,024,144 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AVGIDSFilter.sys -- (AVGIDSFilter)
    DRV - [2011/01/07 06:41:46 | 000,248,656 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgldx86.sys -- (Avgldx86)
    DRV - [2008/04/25 05:06:44 | 000,014,336 | ---- | M] (ArcSoft, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ArcSoftKsUFilter.sys -- (ArcSoftKsUFilter)
    DRV - [2007/03/28 22:02:20 | 001,975,808 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
    DRV - [2007/03/16 18:10:46 | 000,604,928 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
    DRV - [2007/02/19 14:27:34 | 001,228,296 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
    DRV - [2007/02/17 21:00:42 | 000,132,608 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Apfiltr.sys -- (ApfiltrService)
    DRV - [2007/02/16 15:46:00 | 000,160,256 | R--- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
    DRV - [2006/12/19 14:21:52 | 000,010,480 | ---- | M] (Broadcom Corporation) [Kernel | Auto | Running] -- C:\Program Files\Broadcom\ASFIPMon\BASFND.sys -- (BASFND)
    DRV - [2006/11/02 18:47:36 | 000,989,696 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
    DRV - [2006/11/02 18:47:00 | 000,209,152 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys -- (HSFHWAZL)
    DRV - [2006/11/02 18:46:56 | 000,730,112 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
    DRV - [2006/11/02 12:32:32 | 000,097,536 | ---- | M] (Knowles Acoustics) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\dxec01.sys -- (DXEC01)
    DRV - [2006/07/01 22:39:40 | 000,036,864 | ---- | M] (Advanced Micro Devices) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AmdK8.sys -- (AmdK8)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
    IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
    IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 168.4.0.6:80


    IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll ()
    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll ()
    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



    IE - HKU\S-1-5-21-1801674531-527237240-2146984249-7077\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
    IE - HKU\S-1-5-21-1801674531-527237240-2146984249-7077\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
    IE - HKU\S-1-5-21-1801674531-527237240-2146984249-7077\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    IE - HKU\S-1-5-21-1801674531-527237240-2146984249-7077\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    IE - HKU\S-1-5-21-1801674531-527237240-2146984249-7077\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
    IE - HKU\S-1-5-21-1801674531-527237240-2146984249-7077\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
    IE - HKU\S-1-5-21-1801674531-527237240-2146984249-7077\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKU\S-1-5-21-1801674531-527237240-2146984249-7077\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = webmail.newcastlelea.org;walkerdc;https://168.4.0.5:8443;citrixvs01.schools.newcastle.ad;192.168.57.81;<local>

    FF - HKLM\Software\MozillaPlugins\@movenetworks.com/Quantum Media Player: C:\Documents and Settings\sbe\Application Data\Move Networks\plugins\npqmp071505000011.dll (Move Networks)
    FF - HKLM\Software\MozillaPlugins\@parallelgraphics.com/Cortona: C:\Program Files\Common Files\ParallelGraphics\Cortona\npCortona.dll (ParallelGraphics)
    FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.11.2768: C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
    FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=1.0.2.2826: C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
    FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.1578: C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
    FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.65\npGoogleUpdate3.dll (Google Inc.)
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.65\npGoogleUpdate3.dll (Google Inc.)
    FF - HKCU\Software\MozillaPlugins\@movenetworks.com/Quantum Media Player: C:\Documents and Settings\sbe\Application Data\Move Networks\plugins\npqmp071505000011.dll (Move Networks)

    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{1E73965B-8B48-48be-9C8D-68B920ABC1C4}: C:\Program Files\AVG\AVG10\Firefox4\ [2011/08/28 22:48:15 | 000,000,000 | ---D | M]
    FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\moveplayer@movenetworks.com: C:\Documents and Settings\sbe\Application Data\Move Networks [2010/03/08 14:42:19 | 000,000,000 | ---D | M]


    O1 HOSTS File: ([2011/08/28 20:35:29 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
    O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG10\avgssie.dll (AVG Technologies CZ, s.r.o.)
    O2 - BHO: (CIEDownload Object) - {67BCF957-85FC-4036-8DC4-D4D80E00A77B} - C:\Program Files\SMART Board Software\NotebookPlugin.dll (SMART Technologies Inc.)
    O2 - BHO: (AVG Security Toolbar BHO) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll ()
    O2 - BHO: (Skype Browser Helper) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
    O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll (Google Inc.)
    O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll ()
    O3 - HKU\S-1-5-21-1801674531-527237240-2146984249-7077\..\Toolbar\WebBrowser: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll ()
    O4 - HKLM..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe (Alps Electric Co., Ltd.)
    O4 - HKLM..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe (ArcSoft Inc.)
    O4 - HKLM..\Run: [ATICCC] C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe ()
    O4 - HKLM..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe (AVG Technologies CZ, s.r.o.)
    O4 - HKLM..\Run: [KADxMain] C:\WINDOWS\system32\KADxMain.exe (Knowles Acoustics)
    O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
    O4 - HKLM..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (Google Inc.)
    O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutoUpdate Monitor.lnk = File not found
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Button Manager.lnk = C:\Program Files\HP\Button Manager\BM.exe ()
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Recovery present
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Recovery present
    O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Recovery present
    O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Recovery present
    O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-21-1801674531-527237240-2146984249-7077\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-1801674531-527237240-2146984249-7077\Software\Policies\Microsoft\Internet Explorer\Recovery present
    O7 - HKU\S-1-5-21-1801674531-527237240-2146984249-7077\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\S-1-5-21-1801674531-527237240-2146984249-7077\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-21-1801674531-527237240-2146984249-7077\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll (Google Inc.)
    O9 - Extra Button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
    O9 - Extra 'Tools' menuitem : Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
    O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1187250813734 (WUWebControl Class)
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = walker.local
    O18 - Protocol\Handler\avgsecuritytoolbar {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll ()
    O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG10\avgpp.dll (AVG Technologies CZ, s.r.o.)
    O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
    O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
    O24 - Desktop WallPaper: C:\Documents and Settings\sbe\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O24 - Desktop BackupWallPaper: C:\Documents and Settings\sbe\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2007/08/15 15:50:16 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG10\avgchsvx.exe /sync) - C:\Program Files\AVG\AVG10\avgchsvx.exe (AVG Technologies CZ, s.r.o.)
    O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG10\avgrsx.exe /sync /restart) - C:\Program Files\AVG\AVG10\avgrsx.exe (AVG Technologies CZ, s.r.o.)
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = comfile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    NetSvcs: 6to4 - File not found
    NetSvcs: HidServ - File not found
    NetSvcs: Ias - File not found
    NetSvcs: Iprip - File not found
    NetSvcs: Irmon - File not found
    NetSvcs: NWCWorkstation - File not found
    NetSvcs: Nwsapagent - File not found
    NetSvcs: WmdmPmSp - File not found

    Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
    Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
    Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
    Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
    Drivers32: MSVideo8 - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
    Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
    Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
    Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
    Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax ()
    Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll ()
    Drivers32: vidc.tscc - C:\WINDOWS\System32\tsccvid.dll (TechSmith Corporation)

    CREATERESTOREPOINT
    Restore point Set: OTL Restore Point

    ========== Files/Folders - Created Within 30 Days ==========

    [2011/08/28 22:58:40 | 000,580,096 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\sbe\Desktop\OTL.exe
    [2011/08/28 22:51:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\sbe\Application Data\AVG10
    [2011/08/28 22:49:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\AVG 2011
    [2011/08/28 22:48:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVG10
    [2011/08/28 22:47:16 | 000,000,000 | ---D | C] -- C:\Program Files\AVG
    [2011/08/28 22:43:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\MFAData
    [2011/08/28 22:19:27 | 000,000,000 | --SD | C] -- C:\ComboFix
    [2011/08/28 22:11:20 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
    [2011/08/28 22:05:43 | 000,000,000 | RHSD | C] -- C:\cmdcons
    [2011/08/28 20:31:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Sophos
    [2011/08/28 20:25:44 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
    [2011/08/28 20:25:44 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
    [2011/08/28 20:25:44 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
    [2011/08/28 20:25:44 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
    [2011/08/28 20:25:31 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
    [2011/08/28 20:25:23 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2011/08/28 20:19:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar
    [2011/08/28 20:14:51 | 008,719,160 | ---- | C] (OPSWAT, Inc.) -- C:\Documents and Settings\sbe\Desktop\AppRemover.exe
    [2011/08/28 20:02:57 | 004,188,595 | R--- | C] (Swearware) -- C:\Documents and Settings\sbe\Desktop\ComboFix.exe
    [2011/08/28 19:56:46 | 001,916,416 | ---- | C] (AVAST Software) -- C:\Documents and Settings\sbe\Desktop\aswMBR.exe
    [2011/08/28 19:04:07 | 001,406,768 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\sbe\Desktop\tdsskiller.exe
    [2011/08/28 15:12:21 | 000,000,000 | R--D | C] -- C:\Documents and Settings\sbe\Start Menu\Programs\Administrative Tools
    [2011/08/28 15:12:13 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\sbe\Desktop\dds.scr
    [2011/08/27 21:23:09 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\AVG
    [2011/08/27 21:15:27 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\Common Files
    [2011/08/27 21:14:55 | 005,570,000 | ---- | C] (AVG Technologies) -- C:\Documents and Settings\sbe\Desktop\avg.exe
    [2011/08/27 21:08:53 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\CatRoot_bak
    [2011/08/27 17:17:14 | 000,000,000 | ---D | C] -- C:\WINDOWS\ServicePackFiles
    [2011/08/27 13:06:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\sbe\Application Data\Malwarebytes
    [2011/08/27 13:05:55 | 000,041,272 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
    [2011/08/27 13:05:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2011/08/27 13:05:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    [2011/08/27 13:05:50 | 000,022,712 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
    [2011/08/27 13:05:49 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
    [2011/08/27 13:05:03 | 000,000,000 | R--D | C] -- C:\Documents and Settings\sbe\Recent
    [2011/08/27 13:04:58 | 009,466,208 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\sbe\Desktop\mbam-setup.exe
    [2011/08/24 19:55:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\sbe\Local Settings\Application Data\Sophos
    [2011/08/24 19:49:09 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
    [3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2011/08/28 22:58:41 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\sbe\Desktop\OTL.exe
    [2011/08/28 22:57:44 | 000,438,212 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
    [2011/08/28 22:57:44 | 000,071,426 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
    [2011/08/28 22:56:47 | 130,311,348 | ---- | M] () -- C:\WINDOWS\System32\drivers\AVG\incavi.avm
    [2011/08/28 22:53:30 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2011/08/28 22:53:18 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
    [2011/08/28 22:52:47 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2011/08/28 22:49:15 | 000,000,690 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\AVG 2011.lnk
    [2011/08/28 22:35:11 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
    [2011/08/28 22:05:49 | 000,000,339 | RHS- | M] () -- C:\boot.ini
    [2011/08/28 20:35:29 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
    [2011/08/28 20:14:57 | 008,719,160 | ---- | M] (OPSWAT, Inc.) -- C:\Documents and Settings\sbe\Desktop\AppRemover.exe
    [2011/08/28 20:02:56 | 004,188,595 | R--- | M] (Swearware) -- C:\Documents and Settings\sbe\Desktop\ComboFix.exe
    [2011/08/28 19:59:39 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\sbe\Desktop\MBR.dat
    [2011/08/28 19:56:56 | 001,916,416 | ---- | M] (AVAST Software) -- C:\Documents and Settings\sbe\Desktop\aswMBR.exe
    [2011/08/28 19:35:01 | 000,029,558 | ---- | M] () -- C:\Documents and Settings\sbe\Desktop\rootkit unhooker
    [2011/08/28 19:32:21 | 000,139,264 | ---- | M] () -- C:\Documents and Settings\sbe\Desktop\RKUnhookerLE.EXE
    [2011/08/28 19:04:08 | 001,406,768 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\sbe\Desktop\tdsskiller.exe
    [2011/08/28 17:12:50 | 000,001,917 | ---- | M] () -- C:\WINDOWS\imsins.BAK
    [2011/08/28 15:12:13 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\sbe\Desktop\dds.scr
    [2011/08/27 21:37:18 | 000,001,813 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
    [2011/08/27 21:15:08 | 005,570,000 | ---- | M] (AVG Technologies) -- C:\Documents and Settings\sbe\Desktop\avg.exe
    [2011/08/27 21:02:44 | 000,001,503 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Browser Choice.lnk
    [2011/08/27 21:02:14 | 000,243,128 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2011/08/27 16:55:52 | 000,684,297 | ---- | M] () -- C:\Documents and Settings\sbe\Desktop\unhide.exe
    [2011/08/27 14:06:00 | 000,302,592 | ---- | M] () -- C:\Documents and Settings\sbe\Desktop\e3c1vtvc.exe
    [2011/08/27 13:05:56 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
    [2011/08/27 13:04:58 | 009,466,208 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\sbe\Desktop\mbam-setup.exe
    [2011/08/24 13:58:43 | 000,000,392 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\P1kAlMiG2Kb7Fz
    [2011/08/24 13:56:15 | 000,000,224 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\~P1kAlMiG2Kb7Fz
    [2011/08/24 13:56:14 | 000,000,168 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\~P1kAlMiG2Kb7Fzr
    [2011/08/21 22:30:04 | 000,002,265 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
    [3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2011/08/28 22:56:47 | 130,311,348 | ---- | C] () -- C:\WINDOWS\System32\drivers\AVG\incavi.avm
    [2011/08/28 22:49:15 | 000,000,690 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\AVG 2011.lnk
    [2011/08/28 22:05:49 | 000,000,223 | ---- | C] () -- C:\Boot.bak
    [2011/08/28 22:05:45 | 000,260,272 | RHS- | C] () -- C:\cmldr
    [2011/08/28 20:31:34 | 000,000,712 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutoUpdate Monitor.lnk
    [2011/08/28 20:25:44 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
    [2011/08/28 20:25:44 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
    [2011/08/28 20:25:44 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
    [2011/08/28 20:25:44 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
    [2011/08/28 20:25:44 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
    [2011/08/28 19:59:39 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\sbe\Desktop\MBR.dat
    [2011/08/28 19:35:01 | 000,029,558 | ---- | C] () -- C:\Documents and Settings\sbe\Desktop\rootkit unhooker
    [2011/08/28 19:32:54 | 000,139,264 | ---- | C] () -- C:\Documents and Settings\sbe\Desktop\RKUnhookerLE.EXE
    [2011/08/27 21:02:44 | 000,001,503 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Browser Choice.lnk
    [2011/08/27 17:02:20 | 000,002,265 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
    [2011/08/27 17:02:20 | 000,001,906 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Magic-i Visual Effects 2.lnk
    [2011/08/27 17:02:20 | 000,001,813 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
    [2011/08/27 17:02:20 | 000,001,657 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\WebCam Companion 3.lnk
    [2011/08/27 17:02:20 | 000,000,170 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Download HP Photosmart Essential.url
    [2011/08/27 17:02:17 | 000,000,800 | ---- | C] () -- C:\Documents and Settings\sbe\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk
    [2011/08/27 17:02:17 | 000,000,079 | ---- | C] () -- C:\Documents and Settings\sbe\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf
    [2011/08/27 17:02:16 | 000,001,802 | ---- | C] () -- C:\Documents and Settings\sbe\Application Data\Microsoft\Internet Explorer\Quick Launch\QuickTime Player.lnk
    [2011/08/27 17:02:16 | 000,001,791 | ---- | C] () -- C:\Documents and Settings\sbe\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
    [2011/08/27 17:02:12 | 000,001,389 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Button Manager.lnk
    [2011/08/27 17:02:09 | 000,002,311 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader 8.lnk
    [2011/08/27 17:02:09 | 000,000,786 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Windows Movie Maker.lnk
    [2011/08/27 17:02:09 | 000,000,721 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\RealPlayer.lnk
    [2011/08/27 17:02:09 | 000,000,609 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Windows Messenger.lnk
    [2011/08/27 16:55:44 | 000,684,297 | ---- | C] () -- C:\Documents and Settings\sbe\Desktop\unhide.exe
    [2011/08/27 14:05:59 | 000,302,592 | ---- | C] () -- C:\Documents and Settings\sbe\Desktop\e3c1vtvc.exe
    [2011/08/27 13:05:56 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
    [2011/08/24 14:34:37 | 000,000,738 | ---- | C] () -- C:\Documents and Settings\sbe\Start Menu\Programs\Outlook Express.lnk
    [2011/08/24 14:34:34 | 000,000,815 | ---- | C] () -- C:\Documents and Settings\sbe\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
    [2011/08/24 13:56:14 | 000,000,224 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~P1kAlMiG2Kb7Fz
    [2011/08/24 13:56:14 | 000,000,168 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~P1kAlMiG2Kb7Fzr
    [2011/08/24 13:56:08 | 000,000,392 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\P1kAlMiG2Kb7Fz
    [2009/02/20 15:29:34 | 000,007,680 | ---- | C] () -- C:\Documents and Settings\sbe\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2007/09/13 16:26:54 | 000,000,126 | ---- | C] () -- C:\Documents and Settings\sbe\Local Settings\Application Data\fusioncache.dat
    [2007/08/16 13:59:32 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
    [2007/08/16 13:09:02 | 000,000,067 | ---- | C] () -- C:\WINDOWS\WININIT.INI
    [2007/08/16 13:04:11 | 000,978,432 | ---- | C] () -- C:\WINDOWS\System32\pg32.dll
    [2007/08/16 13:04:10 | 000,748,160 | ---- | C] () -- C:\WINDOWS\System32\CO2C40EN.DLL
    [2007/08/16 13:04:10 | 000,017,920 | ---- | C] () -- C:\WINDOWS\System32\implode.dll
    [2007/08/16 12:51:55 | 000,001,074 | ---- | C] () -- C:\WINDOWS\SIMS.INI
    [2007/08/16 12:36:26 | 000,151,608 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
    [2007/08/16 09:53:01 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
    [2007/08/16 08:42:19 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\preflib.dll
    [2007/08/16 08:42:17 | 000,757,760 | ---- | C] () -- C:\WINDOWS\System32\bcm1xsup.dll
    [2007/08/16 08:42:17 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\WLTRYSVC.EXE
    [2007/08/16 08:26:00 | 003,107,788 | ---- | C] () -- C:\WINDOWS\System32\ativvaxx.dat
    [2007/08/16 08:25:59 | 000,128,813 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.dat
    [2007/08/15 16:38:21 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
    [2007/08/15 16:37:04 | 000,243,128 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2007/08/15 15:52:40 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
    [2007/08/15 15:47:06 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
    [2005/01/30 01:26:20 | 000,000,071 | ---- | C] () -- C:\WINDOWS\System32\FlowGo_300_UN.ini
    [2004/09/01 07:42:44 | 000,257,536 | ---- | C] () -- C:\WINDOWS\System32\BiImg.dll
    [2004/09/01 07:42:44 | 000,257,536 | ---- | C] () -- C:\WINDOWS\BiImg.dll
    [2004/09/01 07:42:44 | 000,110,592 | ---- | C] () -- C:\WINDOWS\System32\JPeg32.dll
    [2004/09/01 07:42:44 | 000,110,592 | ---- | C] () -- C:\WINDOWS\JPeg32.dll
    [2004/09/01 07:42:44 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\BiEResNT.dll
    [2004/09/01 07:42:44 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\Bic_Res.dll
    [2004/09/01 07:42:44 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\BiEAppNT.exe
    [2004/09/01 07:42:44 | 000,000,002 | ---- | C] () -- C:\WINDOWS\bi_group.ini
    [2004/08/04 13:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
    [2004/08/04 13:00:00 | 000,755,200 | ---- | C] () -- C:\WINDOWS\System32\ir50_32.dll
    [2004/08/04 13:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
    [2004/08/04 13:00:00 | 000,438,212 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
    [2004/08/04 13:00:00 | 000,338,432 | ---- | C] () -- C:\WINDOWS\System32\ir41_qcx.dll
    [2004/08/04 13:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
    [2004/08/04 13:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
    [2004/08/04 13:00:00 | 000,200,192 | ---- | C] () -- C:\WINDOWS\System32\ir50_qc.dll
    [2004/08/04 13:00:00 | 000,183,808 | ---- | C] () -- C:\WINDOWS\System32\ir50_qcx.dll
    [2004/08/04 13:00:00 | 000,120,320 | ---- | C] () -- C:\WINDOWS\System32\ir41_qc.dll
    [2004/08/04 13:00:00 | 000,071,426 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
    [2004/08/04 13:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
    [2004/08/04 13:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
    [2004/08/04 13:00:00 | 000,027,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\secdrv.sys
    [2004/08/04 13:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
    [2004/08/04 13:00:00 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
    [2004/08/04 13:00:00 | 000,001,788 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
    [2004/08/04 13:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
    [2003/01/07 16:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
     
  18. stavros

    stavros TS Rookie Topic Starter Posts: 19

    ========== LOP Check ==========

    [2011/08/28 22:57:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar
    [2011/08/28 22:50:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG10
    [2011/08/27 21:15:27 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Common Files
    [2011/08/28 22:47:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData
    [2007/08/16 10:43:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SMART Technologies Inc
    [2011/08/27 17:08:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sophos
    [2007/08/16 09:57:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Default User\Application Data\MatchWare
    [2007/08/16 10:43:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Default User\Application Data\SMART Technologies Inc
    [2011/08/28 22:51:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\sbe\Application Data\AVG10
    [2007/08/16 09:57:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\sbe\Application Data\MatchWare
    [2007/08/16 10:43:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\sbe\Application Data\SMART Technologies Inc
    [2007/08/16 09:57:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Teacher\Application Data\MatchWare
    [2007/08/16 10:43:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Teacher\Application Data\SMART Technologies Inc

    ========== Purity Check ==========



    ========== Custom Scans ==========


    < %SYSTEMDRIVE%\*.* >
    [2007/08/15 15:50:16 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
    [2007/08/12 10:28:02 | 000,000,178 | ---- | M] () -- C:\BMSetup.log
    [2007/04/23 00:04:11 | 000,000,223 | ---- | M] () -- C:\Boot.bak
    [2011/08/28 22:05:49 | 000,000,339 | RHS- | M] () -- C:\boot.ini
    [2004/08/03 23:00:00 | 000,260,272 | RHS- | M] () -- C:\cmldr
    [2011/08/28 22:11:16 | 000,007,781 | ---- | M] () -- C:\ComboFix.txt
    [2007/08/15 15:50:16 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
    [2007/08/15 15:50:16 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
    [2007/08/15 15:50:16 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
    [2004/08/04 13:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
    [2004/08/04 13:00:00 | 000,250,032 | RHS- | M] () -- C:\ntldr
    [2011/08/28 22:52:41 | 2145,386,496 | -HS- | M] () -- C:\pagefile.sys
    [2009/05/11 15:02:20 | 000,000,187 | ---- | M] () -- C:\SIMSApplicationSetup.log
    [2009/05/11 15:04:00 | 000,000,161 | ---- | M] () -- C:\SIMSManualSetup.log
    [2011/08/28 19:19:02 | 000,041,330 | ---- | M] () -- C:\TDSSKiller.2.5.17.0_28.08.2011_19.04.58_log.txt
    [2007/08/16 13:09:08 | 000,000,355 | ---- | M] () -- C:\_DEISREG.ISR
    [1997/04/23 01:16:12 | 000,040,960 | ---- | M] (Stirling) -- C:\_ISREG32.DLL

    < %systemroot%\Fonts\*.com >
    [2006/04/19 20:21:28 | 000,026,040 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
    [2006/07/02 22:37:10 | 000,026,489 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
    [2006/04/19 20:21:28 | 000,029,779 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
    [2006/07/02 22:37:12 | 000,030,808 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont

    < %systemroot%\Fonts\*.dll >

    < %systemroot%\Fonts\*.ini >
    [2007/08/15 15:49:47 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\desktop.ini

    < %systemroot%\Fonts\*.ini2 >

    < %systemroot%\Fonts\*.exe >

    < %systemroot%\system32\spool\prtprocs\w32x86\*.* >
    [2004/09/01 07:42:44 | 000,014,488 | ---- | M] (Black Ice Software) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\BiEProNT.dll
    [2006/10/14 16:43:18 | 000,027,648 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
    [2004/03/22 16:17:08 | 000,025,840 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\mdippr.dll
    [2007/03/22 20:25:42 | 000,677,376 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\PrintFilterPipelineSvc.exe

    < %systemroot%\REPAIR\*.bak1 >

    < %systemroot%\REPAIR\*.ini >

    < %systemroot%\system32\*.jpg >

    < %systemroot%\*.jpg >

    < %systemroot%\*.png >

    < %systemroot%\*.scr >

    < %systemroot%\*._sy >

    < %APPDATA%\Adobe\Update\*.* >

    < %ALLUSERSPROFILE%\Favorites\*.* >

    < %APPDATA%\Microsoft\*.* >

    < %PROGRAMFILES%\*.* >

    < %APPDATA%\Update\*.* >

    < %systemroot%\*. /mp /s >

    < %systemroot%\System32\config\*.sav >
    [2007/08/15 16:36:20 | 000,094,208 | ---- | M] () -- C:\WINDOWS\System32\config\default.sav
    [2007/08/15 16:36:19 | 000,659,456 | ---- | M] () -- C:\WINDOWS\System32\config\software.sav
    [2007/08/15 16:36:19 | 000,905,216 | ---- | M] () -- C:\WINDOWS\System32\config\system.sav

    < %PROGRAMFILES%\bak. /s >

    < %systemroot%\system32\bak. /s >

    < %ALLUSERSPROFILE%\Start Menu\*.lnk /x >
    [2009/06/20 22:33:46 | 000,000,242 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\College Email.url
    [2007/08/15 15:50:21 | 000,000,294 | -HS- | M] () -- C:\Documents and Settings\All Users\Start Menu\desktop.ini

    < %systemroot%\system32\config\systemprofile\*.dat /x >

    < %systemroot%\*.config >

    < %systemroot%\system32\*.db >

    < %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
    [2007/08/15 15:55:12 | 000,000,119 | -HS- | M] () -- C:\Documents and Settings\sbe\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini
    [2007/08/15 15:55:11 | 000,000,079 | ---- | M] () -- C:\Documents and Settings\sbe\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf

    < %USERPROFILE%\Desktop\*.exe >
    [2011/08/28 20:14:57 | 008,719,160 | ---- | M] (OPSWAT, Inc.) -- C:\Documents and Settings\sbe\Desktop\AppRemover.exe
    [2011/08/28 19:56:56 | 001,916,416 | ---- | M] (AVAST Software) -- C:\Documents and Settings\sbe\Desktop\aswMBR.exe
    [2011/08/27 21:15:08 | 005,570,000 | ---- | M] (AVG Technologies) -- C:\Documents and Settings\sbe\Desktop\avg.exe
    [2011/08/28 20:02:56 | 004,188,595 | R--- | M] (Swearware) -- C:\Documents and Settings\sbe\Desktop\ComboFix.exe
    [2011/08/27 14:06:00 | 000,302,592 | ---- | M] () -- C:\Documents and Settings\sbe\Desktop\e3c1vtvc.exe
    [2011/08/27 13:04:58 | 009,466,208 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\sbe\Desktop\mbam-setup.exe
    [2011/08/28 22:58:41 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\sbe\Desktop\OTL.exe
    [2011/08/28 19:32:21 | 000,139,264 | ---- | M] () -- C:\Documents and Settings\sbe\Desktop\RKUnhookerLE.EXE
    [2011/08/28 19:04:08 | 001,406,768 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\sbe\Desktop\tdsskiller.exe
    [2011/08/27 16:55:52 | 000,684,297 | ---- | M] () -- C:\Documents and Settings\sbe\Desktop\unhide.exe

    < %PROGRAMFILES%\Common Files\*.* >

    < %systemroot%\*.src >

    < %systemroot%\install\*.* >

    < %systemroot%\system32\DLL\*.* >

    < %systemroot%\system32\HelpFiles\*.* >

    < %systemroot%\system32\rundll\*.* >

    < %systemroot%\winn32\*.* >

    < %systemroot%\Java\*.* >

    < %systemroot%\system32\test\*.* >

    < %systemroot%\system32\Rundll32\*.* >

    < %systemroot%\AppPatch\Custom\*.* >

    < %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

    < %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

    < %PROGRAMFILES%\Internet Explorer\*.tmp >

    < %PROGRAMFILES%\Internet Explorer\*.dat >

    < %USERPROFILE%\My Documents\*.exe >

    < %USERPROFILE%\*.exe >

    < %systemroot%\ADDINS\*.* >

    < %systemroot%\assembly\*.bak2 >

    < %systemroot%\Config\*.* >

    < %systemroot%\REPAIR\*.bak2 >

    < %systemroot%\SECURITY\Database\*.sdb /x >

    < %systemroot%\SYSTEM\*.bak2 >

    < %systemroot%\Web\*.bak2 >

    < %systemroot%\Driver Cache\*.* >

    < %PROGRAMFILES%\Mozilla Firefox\0*.exe >

    < %ProgramFiles%\Microsoft Common\*.* >

    < %ProgramFiles%\TinyProxy. >

    < %USERPROFILE%\Favorites\*.url /x >
    [2007/08/15 15:55:11 | 000,000,122 | -HS- | M] () -- C:\Documents and Settings\sbe\Favorites\Desktop.ini

    < %systemroot%\system32\*.bk >

    < %systemroot%\*.te >

    < %systemroot%\system32\system32\*.* >

    < %ALLUSERSPROFILE%\*.dat /x >
    [2008/03/19 16:51:30 | 000,002,784 | RHS- | M] () -- C:\Documents and Settings\All Users\ntuser.pol

    < %systemroot%\system32\drivers\*.rmv >

    < dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

    < dir /b "%systemroot%\*.exe" | find /i " " /c >

    < %PROGRAMFILES%\Microsoft\*.* >

    < %systemroot%\System32\Wbem\proquota.exe >

    < %PROGRAMFILES%\Mozilla Firefox\*.dat >

    < %USERPROFILE%\Cookies\*.txt /x >
    [2011/08/28 22:53:27 | 000,360,448 | ---- | M] () -- C:\Documents and Settings\sbe\Cookies\index.dat

    < %SystemRoot%\system32\fonts\*.* >

    < %systemroot%\system32\winlog\*.* >

    < %systemroot%\system32\Language\*.* >

    < %systemroot%\system32\Settings\*.* >

    < %systemroot%\system32\*.quo >

    < %SYSTEMROOT%\AppPatch\*.exe >

    < %SYSTEMROOT%\inf\*.exe >
    [2007/06/26 22:10:26 | 000,317,440 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\inf\unregmp2.exe

    < %SYSTEMROOT%\Installer\*.exe >

    < %systemroot%\system32\config\*.bak2 >

    < %systemroot%\system32\Computers\*.* >

    < %SystemRoot%\system32\Sound\*.* >

    < %SystemRoot%\system32\SpecialImg\*.* >

    < %SystemRoot%\system32\code\*.* >

    < %SystemRoot%\system32\draft\*.* >

    < %SystemRoot%\system32\MSSSys\*.* >

    < %ProgramFiles%\Javascript\*.* >

    < %systemroot%\pchealth\helpctr\System\*.exe /s >

    < %systemroot%\Web\*.exe >

    < %systemroot%\system32\msn\*.* >

    < %systemroot%\system32\*.tro >

    < %AppData%\Microsoft\Installer\msupdates\*.* >

    < %ProgramFiles%\Messenger\*.* >
    [2004/08/04 13:00:00 | 000,028,672 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\custsat.dll
    [2004/08/04 01:06:34 | 000,004,821 | ---- | M] () -- C:\Program Files\Messenger\logowin.gif
    [2004/08/04 01:06:34 | 000,007,047 | ---- | M] () -- C:\Program Files\Messenger\lvback.gif
    [2008/05/02 15:22:02 | 000,083,968 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msgsc.dll
    [2004/08/04 01:06:34 | 000,180,224 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msgslang.dll
    [2004/10/13 17:24:37 | 001,694,208 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe
    [2004/08/04 13:00:00 | 000,009,306 | ---- | M] () -- C:\Program Files\Messenger\newalert.wav
    [2004/08/04 13:00:00 | 000,018,052 | ---- | M] () -- C:\Program Files\Messenger\newemail.wav
    [2004/08/04 13:00:00 | 000,009,306 | ---- | M] () -- C:\Program Files\Messenger\online.wav
    [2004/08/04 01:06:36 | 000,004,454 | ---- | M] () -- C:\Program Files\Messenger\type.wav
    [2004/08/04 01:06:36 | 000,115,981 | ---- | M] () -- C:\Program Files\Messenger\xpmsgr.chm

    < %systemroot%\system32\systhem32\*.* >

    < %systemroot%\system\*.exe >
    [2000/09/07 08:58:16 | 000,252,112 | ---- | M] (WexTech Systems, Inc.) -- C:\WINDOWS\system\D2HNAV16.EXE
    [2000/09/07 08:58:18 | 000,262,704 | ---- | M] (Bits Per Second Ltd) -- C:\WINDOWS\system\GSW.EXE
    [2000/09/07 08:58:20 | 000,141,264 | ---- | M] (heilerSoftware) -- C:\WINDOWS\system\HEPRO16.EXE

    < HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\ Auto Update\Results\Install|LastSuccessTime /rs >


    < End of report >
     
  19. Broni

    Broni Malware Annihilator Posts: 52,884   +344

    Good news :)

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
      IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 168.4.0.6:80
      IE - HKU\S-1-5-21-1801674531-527237240-2146984249-7077\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = webmail.newcastlelea.org;walkerdc;https://168.4.0.5:8443;citrixvs01.schools.newcastle.ad;192.168.57.81;<local>
      O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutoUpdate Monitor.lnk = File not found
      O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get.../ultrashim.cab (Reg Error: Key error.)
      [3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
      [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.

    ======================================================================

    Last scans....

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

      NOTE SecurityCheck may produce some false warning(s), so leave the results reading to me.


    2. Download Temp File Cleaner (TFC)
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.


    3. Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push List of found threats
    • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE. If Eset won't find any threats, it won't produce any log.
     
  20. stavros

    stavros TS Rookie Topic Starter Posts: 19

    here is the OLT log

    All processes killed
    ========== OTL ==========
    HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyOverride| /E : value set successfully!
    HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
    HKU\S-1-5-21-1801674531-527237240-2146984249-7077\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyOverride| /E : value set successfully!
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutoUpdate Monitor.lnk moved successfully.
    Starting removal of ActiveX control {8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
    C:\WINDOWS\Downloaded Program Files\erma.inf moved successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
    C:\WINDOWS\SET3.tmp deleted successfully.
    C:\WINDOWS\SET4.tmp deleted successfully.
    C:\WINDOWS\SET8.tmp deleted successfully.
    C:\WINDOWS\System32\CONFIG.TMP deleted successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes

    User: All Users

    User: Default User
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->Flash cache emptied: 348 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 49286 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes

    User: sbe
    ->Temp folder emptied: 12852081 bytes
    ->Temporary Internet Files folder emptied: 19796949 bytes
    ->Google Chrome cache emptied: 321991018 bytes
    ->Flash cache emptied: 48240 bytes

    User: Teacher
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->Flash cache emptied: 348 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 591 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 338.00 mb


    [EMPTYFLASH]

    User: Administrator

    User: All Users

    User: Default User
    ->Flash cache emptied: 0 bytes

    User: LocalService

    User: NetworkService

    User: sbe
    ->Flash cache emptied: 0 bytes

    User: Teacher
    ->Flash cache emptied: 0 bytes

    Total Flash Files Cleaned = 0.00 mb

    Error: Unable to interpret <[Reboot]Then click the Run Fix button > in the current context!

    OTL by OldTimer - Version 3.2.26.6 log created on 08282011_233917

    Files\Folders moved on Reboot...
    C:\Documents and Settings\sbe\Local Settings\Temp\config.dat moved successfully.
    File\Folder C:\Documents and Settings\sbe\Local Settings\Temp\~DFF710.tmp not found!
    File\Folder C:\Documents and Settings\sbe\Local Settings\Temp\~DFF73B.tmp not found!
    C:\Documents and Settings\sbe\Local Settings\Temporary Internet Files\Content.IE5\XG8FXPGH\default[1].htm moved successfully.
    C:\Documents and Settings\sbe\Local Settings\Temporary Internet Files\Content.IE5\SW69C60D\showthread[2].htm moved successfully.
    C:\Documents and Settings\sbe\Local Settings\Temporary Internet Files\Content.IE5\1G8711WD\ads[3].htm moved successfully.
    C:\Documents and Settings\sbe\Local Settings\Temporary Internet Files\AntiPhishing\A0AB7674-8D67-4F4D-B5E1-96FAEADFB79D.dat moved successfully.

    Registry entries deleted on Reboot...
     
  21. stavros

    stavros TS Rookie Topic Starter Posts: 19

    and here is the security check log, will do the other scans now


    Results of screen317's Security Check version 0.99.7
    Windows XP Service Pack 2
    Out of date service pack!!
    Internet Explorer 7 Out of date!
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Security Center service is not running! This report may not be accurate!
    Windows Firewall Enabled!
    AVG 2011
    WMI entry may not exist for antivirus; attempting automatic update.
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    Malwarebytes' Anti-Malware
    Adobe Flash Player
    Adobe Reader 8
    Out of date Adobe Reader installed!
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    Malwarebytes' Anti-Malware mbamservice.exe
    Malwarebytes' Anti-Malware mbamgui.exe
    AVG avgwdsvc.exe
    AVG avgtray.exe
    AVG avgrsx.exe
    AVG avgnsx.exe
    ``````````End of Log````````````
     
  22. Broni

    Broni Malware Annihilator Posts: 52,884   +344

    Update Adobe Reader

    You can download it from http://www.adobe.com/products/acrobat/readstep2.html
    After installing the latest Adobe Reader, uninstall all previous versions.
    Note. If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

    Alternatively, you can uninstall Adobe Reader (33.5 MB), download and install Foxit PDF Reader(3.5MB) from HERE.
    It's a much smaller file to download and uses a lot less resources than Adobe Reader.
    Note: When installing FoxitReader, make sure to UN-check any pre-checked toolbar, or any other garbage.
     
  23. stavros

    stavros TS Rookie Topic Starter Posts: 19

    I have run the temp file cleaner and the ESET online scanner, which found no threats. I will get on and download the latest adobe reader as recommended
     
  24. Broni

    Broni Malware Annihilator Posts: 52,884   +344

    Your computer is clean [​IMG]

    1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create fresh, clean restore point, using following OTL script:

    Run OTL

    • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    Code:
    :OTL
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [CLEARALLRESTOREPOINTS]
    [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post resulting log.

    2. Now, we'll remove all tools, we used during our cleaning process

    Clean up with OTL:

    • Double-click OTL.exe to start the program.
    • Close all other programs apart from OTL as this step will require a reboot
    • On the OTL main screen, press the CLEANUP button
    • Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    3. Make sure, Windows Updates are current (including Service Pack 3 installation!!!)

    4. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

    5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

    7. Run Temporary File Cleaner (TFC) weekly.

    8. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

    9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

    10. (Windows XP only) Run defrag at your convenience.

    11. When installing\updating ANY program, make sure you always select "Custom " installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click "Next" button without looking at any given page.

    12. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    13. Please, let me know, how your computer is doing.
     
  25. stavros

    stavros TS Rookie Topic Starter Posts: 19

    Excellent news! I fell asleep last night (i am in england) will do these things later today and get back to you

    Thanks buddy

    Martin
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...