Author Topic: PayPal hijacked, NVDTM errors, possible Trojan: Sinowal/Zhelatin/Steal (Read 3079 times)

BobStein · « **on:** March 04, 2010, 11:31:05 PM »

Symptoms:

1. PayPal and eBay logins hijacked, I get to a form asking for SSN, etc. (attached screenshot)
2. Running several different 16-bit MSDOS applications gives "NTVDM ... System Error c0h" errors (attached screenshot)
3. Mysterious "HelpAssistant" user, clone of Administrator account

Avira and Mbam detected trojan files. First time posting. Did I leave out anything? HijackThis report follows...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:12:00, on 03/04/2010
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINNT\system32\cmd.exe
C:\Program Files\Avira\AntiVir Desktop\avscan.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Skype\Toolbars\Shared\SkypeNames.exe
C:\WINNT\system32\cmd.exe
C:\WINNT\system32\cmd.exe
C:\WINNT\system32\taskmgr.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HPHUPD08] C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {2EDF75C0-5ABD-49f9-BAB6-220476A32034} (System Requirements Lab) - http://intel-drv-cdn.systemrequirementslab...reqlab_srlx.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1258743311109
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\bin\apache\apache2.2.11\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\bin\mysql\mysql5.1.36\bin\mysqld.exe

--
End of file - 6161 bytes

guestolo · « **Reply #1 on:** March 06, 2010, 12:34:33 PM »

Sorry for the delay, can you do the following please if you still need a hand
Download [color=\"#FF0000\"]OTL.exe[/color][/url] by OldTimer to your Desktop.

Close all windows and double click on OTL.exe to run it
Under the Custom Scan box paste this in, the contents in Blue

[color=\"#0000FF\"]netsvcs
msconfig
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
symmpi.sys
adp3132.sys
mv61xx.sys
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav [/color]

Click Run Scan and let the program run uninterrupted.
It will produce two logs for you, one will pop up - OTL.txt, the other will be saved on your Desktop - Extras.txt. Post both logs in this thread.
You may need to use two posts to get it all.

NOTE: If you have trouble, or an error message trying to post the logs
Can you upload it to a reply box
In a Reply, select "Browse..." on the bottom right and then navigate to the file and select it
Then click "Upload"

BobStein · « **Reply #2 on:** March 07, 2010, 05:58:49 PM »

Thank you!!

OTL.txt and Extras.txt are attached.

Since I last wrote, in trying to run a GMER log (step 8 at bleepingcomputer) I had a severe crash and a new B.S.O.D. -- no bootable drive! FIXMBR from the Win2K recovery console got the system bootable again. So, since I rewrote the Master Boot Record, the trojan may not be active any more. It seems I can log onto eBay now, so that symptom is gone. I'm hoping you can help me eradicate any vestiges. Thank you so much for the help.

-- Bob Stein, VisiBone, Lyme, NH

OTL logfile created on: 03/07/2010 16:28:47 - Run 1
OTL by OldTimer - Version 3.1.34.0 Folder = C:\Documents and Settings\Administrator\Desktop
Windows 2000 Professional Edition Service Pack 4 (Version = 5.0.2195) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2800.1106)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: MM/dd/yyyy

1,023.00 Mb Total Physical Memory | 788.00 Mb Available Physical Memory | 77.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 94.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINNT | %ProgramFiles% = C:\Program Files
Drive C: | 111.72 Gb Total Space | 44.38 Gb Free Space | 39.72% Space Free | Partition Type: NTFS
Drive D: | 298.09 Gb Total Space | 11.55 Gb Free Space | 3.88% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
Drive H: | 15.14 Mb Total Space | 0.55 Mb Free Space | 3.61% Space Free | Partition Type: FAT
Drive I: | 465.76 Gb Total Space | 237.57 Gb Free Space | 51.01% Space Free | Partition Type: NTFS

Computer Name: TWOHEAD
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

[color=\"#E56717\"]========== Processes (SafeList) ==========[/color]

PRC - [2010/03/07 16:17:05 | 000,553,984 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
PRC - [2009/11/17 17:36:26 | 000,185,896 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PRC - [2009/11/09 16:05:03 | 000,068,856 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2004/09/07 10:59:06 | 000,122,128 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\mstask.exe
PRC - [2003/06/19 14:05:04 | 000,243,472 | ---- | M] (Microsoft Corporation) -- C:\WINNT\explorer.exe
PRC - [2003/06/19 14:05:04 | 000,196,706 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\wbem\WinMgmt.exe
PRC - [2003/06/19 14:05:04 | 000,068,368 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\regsvc.exe
PRC - [2003/06/19 14:05:04 | 000,061,712 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\stisvc.exe
PRC - [2003/06/19 14:05:04 | 000,019,728 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\hidserv.exe
PRC - [2002/05/02 18:58:44 | 000,122,965 | ---- | M] (Roxio) -- C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
PRC - [2002/04/10 16:44:04 | 000,679,936 | ---- | M] (Roxio) -- C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe

[color=\"#E56717\"]========== Modules (SafeList) ==========[/color]

MOD - [2010/03/07 16:17:05 | 000,553,984 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
MOD - [2003/06/19 14:05:04 | 000,010,000 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\lz32.dll

[color=\"#E56717\"]========== Win32 Services (SafeList) ==========[/color]

SRV - [2009/12/11 11:48:52 | 001,184,912 | ---- | M] (Lavasoft) [On_Demand | Stopped] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2009/06/17 11:18:42 | 006,582,912 | ---- | M] () [On_Demand | Stopped] -- c:\wamp\bin\mysql\mysql5.1.36\bin\mysqld.exe -- (wampmysqld)
SRV - [2008/12/10 01:10:14 | 000,024,636 | ---- | M] (Apache Software Foundation) [Auto | Stopped] -- c:\wamp\bin\apache\apache2.2.11\bin\httpd.exe -- (wampapache)
SRV - [2004/09/07 10:59:06 | 000,122,128 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINNT\system32\mstask.exe -- (Schedule)
SRV - [2003/06/19 14:05:04 | 000,196,706 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINNT\system32\wbem\WinMgmt.exe -- (WinMgmt)
SRV - [2003/06/19 14:05:04 | 000,147,728 | ---- | M] (VERITAS Software Corp.) [On_Demand | Stopped] -- C:\WINNT\System32\dmadmin.exe -- (dmadmin)
SRV - [2003/06/19 14:05:04 | 000,094,992 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINNT\system32\FAXSVC.EXE -- (Fax)
SRV - [2003/06/19 14:05:04 | 000,068,368 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINNT\system32\regsvc.exe -- (RemoteRegistry)
SRV - [2003/06/19 14:05:04 | 000,061,712 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINNT\system32\stisvc.exe -- (StiSvc)
SRV - [2003/06/19 14:05:04 | 000,022,800 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINNT\system32\utilman.exe -- (UtilMan)
SRV - [2003/06/19 14:05:04 | 000,019,728 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINNT\system32\hidserv.exe -- (HidServ)

[color=\"#E56717\"]========== Driver Services (SafeList) ==========[/color]

DRV - [2009/09/23 07:55:23 | 000,064,288 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\WINNT\system32\DRIVERS\Lbd.sys -- (Lbd)
DRV - [2009/06/30 09:37:16 | 000,028,552 | ---- | M] (Panda Security, S.L.) [File_System | Boot | Running] -- C:\WINNT\system32\drivers\pavboot.sys -- (pavboot)
DRV - [2008/09/24 10:40:22 | 004,122,368 | R--- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\alcxwdm.sys -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2008/08/20 12:58:58 | 000,009,200 | ---- | M] (Sonic Solutions) [Kernel | System | Running] -- C:\WINNT\system32\drivers\cdralw2k.sys -- (Cdralw2k)
DRV - [2008/08/20 12:58:58 | 000,009,072 | ---- | M] (Sonic Solutions) [Kernel | System | Running] -- C:\WINNT\system32\drivers\cdr4_2K.sys -- (Cdr4_2K)
DRV - [2006/01/24 22:52:31 | 001,478,656 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2004/07/09 02:58:10 | 000,015,104 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\mpe.sys -- (MPE)
DRV - [2003/06/19 14:05:04 | 000,369,104 | ---- | M] (VERITAS Software Corp.) [Kernel | Disabled | Stopped] -- C:\WINNT\system32\drivers\dmboot.sys -- (dmboot)
DRV - [2003/06/19 14:05:04 | 000,137,936 | ---- | M] (VERITAS Software Corp.) [Kernel | Boot | Running] -- C:\WINNT\System32\drivers\dmio.sys -- (dmio)
DRV - [2003/06/19 14:05:04 | 000,060,208 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\parallel.sys -- (Parallel)
DRV - [2003/06/19 14:05:04 | 000,049,776 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\usbhub20.sys -- (usbhub20)
DRV - [2003/06/19 14:05:04 | 000,032,848 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\uhcd.sys -- (uhcd)
DRV - [2003/06/19 14:05:04 | 000,027,440 | ---- | M] (Microsoft Corporation) [File_System | Disabled | Running] -- C:\WINNT\system32\drivers\efs.sys -- (EFS)
DRV - [2003/06/19 14:05:04 | 000,024,784 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\openhci.sys -- (openhci)
DRV - [2003/06/19 14:05:04 | 000,007,728 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\WINNT\system32\drivers\diskperf.sys -- (Diskperf)
DRV - [2003/06/19 14:05:04 | 000,007,312 | ---- | M] (VERITAS Software Corp.) [Kernel | Boot | Running] -- C:\WINNT\System32\drivers\dmload.sys -- (dmload)
DRV - [2002/10/15 00:00:00 | 000,101,431 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\WINNT\system32\DRIVERS\IdeChnDr.sys -- (IdeChnDr) Intel®
DRV - [2002/10/15 00:00:00 | 000,013,891 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\WINNT\system32\DRIVERS\IdeBusDr.sys -- (IdeBusDr)
DRV - [2002/08/09 11:12:42 | 000,009,680 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\netdtect.sys -- (NetDetect)
DRV - [2002/08/09 11:08:29 | 000,021,712 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\rca.sys -- (RCA)
DRV - [2002/04/10 17:08:26 | 000,227,266 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINNT\system32\drivers\udfreadr.sys -- (UdfReadr)
DRV - [2002/04/10 17:01:12 | 000,024,554 | ---- | M] (Roxio) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\Dvd_2k.sys -- (dvd_2K)
DRV - [2002/04/10 17:01:00 | 000,029,638 | ---- | M] (Roxio) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\Mmc_2k.sys -- (mmc_2K)
DRV - [2002/04/10 17:00:44 | 000,117,898 | ---- | M] (Roxio) [Kernel | System | Running] -- C:\WINNT\system32\drivers\pwd_2K.sys -- (pwd_2k)
DRV - [2002/04/10 17:00:20 | 000,356,651 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINNT\system32\drivers\cdudf.sys -- (cdudf)
DRV - [2002/02/28 14:49:08 | 000,073,824 | ---- | M] (3Com Corporation) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\el90Xbc5.SYS -- (EL90Xbc)
DRV - [2002/02/28 14:49:08 | 000,073,824 | ---- | M] (3Com Corporation) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\el90Xbc5.SYS -- (EL90BC)
DRV - [2001/08/22 08:42:58 | 000,013,632 | ---- | M] (Dell Computer Corporation) [Kernel | System | Running] -- C:\WINNT\SYSTEM32\DRIVERS\OMCI.SYS -- (OMCI)
DRV - [2001/03/23 00:00:00 | 000,079,106 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\WINNT\system32\DRIVERS\IntelAta.sys -- (IntelATA)
DRV - [1999/10/22 14:54:42 | 000,032,592 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\ichaud.sys -- (ichaud) Service for AC'97 Driver (WDM)
DRV - [1999/09/24 18:55:30 | 000,602,128 | ---- | M] (Conexant) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\winacpci.sys -- (Winacpci)
DRV - [1995/11/07 03:57:16 | 000,006,144 | ---- | M] (Corel Corporation) [Kernel | System | Running] -- C:\WINNT\system32\drivers\crlscsi.sys -- (crlscsi)

[color=\"#E56717\"]========== Standard Registry (SafeList) ==========[/color]

[color=\"#E56717\"]========== Internet Explorer ==========[/color]

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

[color=\"#E56717\"]========== FireFox ==========[/color]

FF - prefs.js..browser.startup.homepage: "http://www.visibone.com/"
FF - prefs.js..extensions.enabledItems: [email protected]:1.11.6a
FF - prefs.js..extensions.enabledItems: {B13721C7-F507-4982-B2E5-502A71474FED}:3.3.0.3971

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/03/01 08:15:25 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/02/20 02:19:21 | 000,000,000 | ---D | M]

[2009/11/04 18:15:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions
[2010/03/07 16:25:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cpd5imup.default\extensions
[2009/11/27 13:56:01 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cpd5imup.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2010/02/26 00:58:11 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cpd5imup.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}
[2009/12/22 20:00:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cpd5imup.default\extensions\[email protected]
[2010/03/07 16:15:45 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2002/08/09 11:09:05 | 000,000,734 | ---- | M]) - C:\WINNT\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (&Google) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (&Radio) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx ()
O3 - HKCU\..\Toolbar\ShellBrowser: (&Google) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (&Google) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe (Roxio)
O4 - HKLM..\Run: [CreateCD50] C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe (Roxio)
O4 - HKLM..\Run: [HPHUPD08] C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe (Hewlett-Packard)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [Tweak UI] C:\WINNT\System32\TWEAKUI.CPL (Microsoft Corporation)
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 95 00 00 00 [binary data]
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O9 - Extra Button: @shdoclc.dll,-866 - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\Web\RELATED.HTM ()
O9 - Extra 'Tools' menuitem : @shdoclc.dll,-864 - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\Web\RELATED.HTM ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\WINNT\system32\RNR20.DLL (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O16 - DPF: {2EDF75C0-5ABD-49f9-BAB6-220476A32034} http://intel-drv-cdn.systemrequirementslab...reqlab_srlx.cab (System Requirements Lab Class)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/windowsupd...b?1258743311109 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: DirectAnimation Java Classes file://C:\WINNT\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINNT\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 172.16.1.1
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\vnd.ms.radio {3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020} - C:\WINNT\system32\msdxm.ocx ()
O18 - Protocol\Filter\application/octet-stream - No CLSID value found
O18 - Protocol\Filter\application/x-complus - No CLSID value found
O18 - Protocol\Filter\application/x-msdownload - No CLSID value found
O18 - Protocol\Filter\Class Install Handler - No CLSID value found
O18 - Protocol\Filter\deflate - No CLSID value found
O18 - Protocol\Filter\gzip - No CLSID value found
O18 - Protocol\Filter\lzdhtml - No CLSID value found
O18 - Protocol\Filter\text/webviewhtml - No CLSID value found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINNT\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINNT\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\wzcnotif: DllName - wzcdlg.dll - C:\WINNT\System32\wzcdlg.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {EDB0E980-90BD-11D4-8599-0008C7D3B6F8} - C:\Eudora\EuShlExt.dll File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/11/04 16:54:39 | 000,000,000 | -H-- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2009/11/04 13:55:00 | 000,000,125 | ---- | M] () - I:\autorunoff.reg -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINNT\System32\lsdelete.exe ()
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: Ias - C:\WINNT\system32\ias [2009/11/04 18:13:56 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Nwsapagent - File not found

SystemRestore not available.

[color=\"#E56717\"]========== Files/Folders - Created Within 30 Days ==========[/color]

[2010/03/05 10:15:09 | 000,553,984 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2010/03/04 23:11:42 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/03/04 22:30:10 | 000,000,000 | ---D | C] -- C:\Program Files\a-squared Anti-Malware
[2010/03/04 22:14:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
[2010/03/04 22:14:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/03/04 00:52:00 | 000,149,280 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINNT\System32\javaws.exe
[2010/03/04 00:35:19 | 000,065,240 | ---- | C] (Avira GmbH) -- C:\WINNT\System32\drivers\avgntflt.sys
[2010/03/04 00:20:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/03/03 23:47:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\Malware 2010.0303
[2010/02/23 07:11:22 | 000,726,008 | ---- | C] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Documents and Settings\Administrator\gotomypc_438.exe
[2010/02/11 03:28:33 | 000,000,000 | ---D | C] -- C:\WINNT\Minidump
[2010/02/06 22:07:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\PHP project
[2010/02/06 22:06:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\Perl project
[4 C:\WINNT\*.tmp files -> C:\WINNT\*.tmp -> ]
[2 C:\WINNT\System32\*.tmp files -> C:\WINNT\System32\*.tmp -> ]

[color=\"#E56717\"]========== Files - Modified Within 30 Days ==========[/color]

[2010/03/07 16:28:52 | 001,904,640 | -H-- | M] () -- C:\Documents and Settings\Administrator\NTUSER.DAT
[2010/03/07 16:17:05 | 000,553,984 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2010/03/07 16:12:10 | 000,000,006 | -H-- | M] () -- C:\WINNT\tasks\SA.DAT
[2010/03/07 16:12:08 | 000,016,384 | ---- | M] () -- C:\WINNT\System32\Perflib_Perfdata_260.dat
[2010/03/06 01:32:10 | 000,016,384 | ---- | M] () -- C:\WINNT\System32\Perflib_Perfdata_468.dat
[2010/03/06 01:31:44 | 000,016,384 | ---- | M] () -- C:\WINNT\System32\Perflib_Perfdata_298.dat
[2010/03/06 01:19:45 | 000,000,262 | ---- | M] () -- C:\WINNT\tasks\daily.job
[2010/03/06 01:19:05 | 000,000,070 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\aff yesterday.url
[2010/03/06 01:02:07 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Administrator\defogger_reenable
[2010/03/06 00:52:24 | 000,002,194 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2010/03/05 23:17:55 | 000,000,345 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\2contact.lnk
[2010/03/05 17:41:33 | 000,000,600 | ---- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\PUTTY.RND
[2010/03/05 17:23:10 | 000,054,156 | -H-- | M] () -- C:\WINNT\QTFont.qfn
[2010/03/05 17:23:10 | 000,001,409 | ---- | M] () -- C:\WINNT\QTFont.for
[2010/03/05 10:33:47 | 000,000,554 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Downloads.lnk
[2010/03/04 23:11:42 | 000,001,590 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\HijackThis.lnk
[2010/03/04 13:52:58 | 000,001,179 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\music.lnk
[2010/03/03 23:47:02 | 000,098,304 | ---- | M] () -- C:\WINNT\System32\dfrg.msc
[2010/03/03 09:53:01 | 000,000,487 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Lyme People.lnk
[2010/03/01 14:20:01 | 000,000,339 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\for J.lnk
[2010/03/01 00:50:47 | 000,016,384 | ---- | M] () -- C:\WINNT\System32\Perflib_Perfdata_66c.dat
[2010/02/28 23:03:37 | 000,000,557 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Favorites.lnk
[2010/02/28 18:58:53 | 000,000,398 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\posts of mine.lnk
[2010/02/27 11:30:32 | 000,000,264 | ---- | M] () -- C:\WINNT\tasks\weekly.job
[2010/02/27 11:30:32 | 000,000,083 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\aff2010 0220-0226.url
[2010/02/26 11:28:54 | 000,000,473 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\This Ame- rican Life.lnk
[2010/02/25 20:16:48 | 000,016,384 | ---- | M] () -- C:\WINNT\System32\Perflib_Perfdata_240.dat
[2010/02/25 20:15:31 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Administrator\ntuser.ini
[2010/02/25 10:06:30 | 000,001,410 | ---- | M] () -- C:\WINNT\imsins.BAK
[2010/02/23 10:23:51 | 000,000,369 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\share.lnk
[2010/02/23 07:11:29 | 000,726,008 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Documents and Settings\Administrator\gotomypc_438.exe
[2010/02/20 03:06:11 | 000,001,481 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Firefox.lnk
[2010/02/20 03:03:27 | 000,000,083 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\aff2010 0213-0219.url
[2010/02/13 21:06:10 | 000,000,576 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\VLC media player.lnk
[2010/02/13 11:07:37 | 018,499,623 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\vlc-1.0.5-win32.exe
[2010/02/13 11:05:26 | 000,001,406 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Windows Explorer.lnk
[2010/02/13 02:48:36 | 000,000,083 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\aff2010 0206-0212.url
[2010/02/12 21:39:24 | 000,000,326 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\family pics.lnk
[2010/02/10 10:14:47 | 000,016,384 | ---- | M] () -- C:\WINNT\System32\Perflib_Perfdata_5d8.dat
[2010/02/10 10:02:30 | 000,016,384 | ---- | M] () -- C:\WINNT\System32\Perflib_Perfdata_310.dat
[2010/02/10 10:02:28 | 000,016,384 | ---- | M] () -- C:\WINNT\System32\Perflib_Perfdata_50c.dat
[2010/02/09 14:41:53 | 000,000,455 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Awoke.odt (2).lnk
[2010/02/07 14:32:49 | 000,000,056 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\East Coast Greenway - Massachusetts.URL
[2010/02/06 22:07:33 | 000,000,495 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\perlcheat.lnk
[2010/02/06 03:26:36 | 000,000,083 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\aff2010 0130-0205.url
[4 C:\WINNT\*.tmp files -> C:\WINNT\*.tmp -> ]
[2 C:\WINNT\System32\*.tmp files -> C:\WINNT\System32\*.tmp -> ]

[color=\"#E56717\"]========== Files Created - No Company Name ==========[/color]

[2010/03/07 16:12:08 | 000,016,384 | ---- | C] () -- C:\WINNT\System32\Perflib_Perfdata_260.dat
[2010/03/06 01:32:10 | 000,016,384 | ---- | C] () -- C:\WINNT\System32\Perflib_Perfdata_468.dat
[2010/03/06 01:31:44 | 000,016,384 | ---- | C] () -- C:\WINNT\System32\Perflib_Perfdata_298.dat
[2010/03/06 01:02:07 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator\defogger_reenable
[2010/03/05 17:23:10 | 000,054,156 | -H-- | C] () -- C:\WINNT\QTFont.qfn
[2010/03/05 17:23:10 | 000,001,409 | ---- | C] () -- C:\WINNT\QTFont.for
[2010/03/05 10:33:47 | 000,000,554 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Downloads.lnk
[2010/03/04 23:11:42 | 000,001,590 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\HijackThis.lnk
[2010/03/01 00:50:47 | 000,016,384 | ---- | C] () -- C:\WINNT\System32\Perflib_Perfdata_66c.dat
[2010/02/27 11:30:32 | 000,000,083 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\aff2010 0220-0226.url
[2010/02/25 20:16:48 | 000,016,384 | ---- | C] () -- C:\WINNT\System32\Perflib_Perfdata_240.dat
[2010/02/23 10:23:51 | 000,000,369 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\share.lnk
[2010/02/20 03:03:27 | 000,000,083 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\aff2010 0213-0219.url
[2010/02/13 21:06:10 | 000,000,576 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\VLC media player.lnk
[2010/02/13 11:06:01 | 018,499,623 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\vlc-1.0.5-win32.exe
[2010/02/13 11:05:23 | 000,001,406 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Windows Explorer.lnk
[2010/02/13 02:48:36 | 000,000,083 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\aff2010 0206-0212.url
[2010/02/10 10:14:47 | 000,016,384 | ---- | C] () -- C:\WINNT\System32\Perflib_Perfdata_5d8.dat
[2010/02/10 10:02:30 | 000,016,384 | ---- | C] () -- C:\WINNT\System32\Perflib_Perfdata_310.dat
[2010/02/10 10:02:28 | 000,016,384 | ---- | C] () -- C:\WINNT\System32\Perflib_Perfdata_50c.dat
[2010/02/09 14:41:53 | 000,000,455 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Awoke.odt (2).lnk
[2010/02/07 14:32:49 | 000,000,056 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\East Coast Greenway - Massachusetts.URL
[2010/02/07 13:03:16 | 000,000,084 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\urban dictionary.URL
[2010/02/07 13:02:56 | 000,000,064 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Wikipedia.URL
[2010/02/06 22:07:23 | 000,000,174 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\perlfunc.url
[2010/02/06 22:07:19 | 000,000,495 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\perlcheat.lnk
[2010/02/06 07:44:22 | 000,000,168 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Astronomy Pic of Day.url
[2010/02/06 03:26:36 | 000,000,083 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\aff2010 0130-0205.url
[2009/11/21 12:55:57 | 000,000,371 | ---- | C] () -- C:\WINNT\wtapi.ini
[2009/11/21 12:55:57 | 000,000,191 | ---- | C] () -- C:\WINNT\rhudwin.ini
[2009/11/21 12:55:57 | 000,000,125 | ---- | C] () -- C:\WINNT\xref.ini
[2009/11/21 12:54:00 | 000,218,400 | ---- | C] () -- C:\WINNT\System32\refeng16.dll
[2009/11/21 12:53:59 | 000,006,694 | ---- | C] () -- C:\WINNT\System32\WTCC60EN.DLL
[2009/11/20 11:13:54 | 000,000,000 | ---- | C] () -- C:\WINNT\longfile.INI
[2009/11/20 11:13:51 | 001,371,436 | R--- | C] () -- C:\WINNT\System32\VBAR2132.DLL
[2009/11/17 09:39:03 | 000,000,000 | ---- | C] () -- C:\WINNT\hpqEmlSz.INI
[2009/11/16 18:02:18 | 000,001,080 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2009/11/16 18:00:25 | 000,077,824 | ---- | C] () -- C:\WINNT\System32\hpzids01.dll
[2009/11/12 08:32:24 | 000,000,028 | ---- | C] () -- C:\WINNT\pdf995.ini
[2009/11/06 23:41:37 | 000,000,021 | ---- | C] () -- C:\WINNT\pe.ini
[2009/11/06 23:41:37 | 000,000,021 | ---- | C] () -- C:\WINNT\ft99.ini
[2009/11/06 23:41:37 | 000,000,021 | ---- | C] () -- C:\WINNT\cp.ini
[2009/11/06 23:39:58 | 000,000,235 | ---- | C] () -- C:\WINNT\wpd99.drv
[2009/11/06 23:39:57 | 000,051,716 | ---- | C] () -- C:\WINNT\System32\pdf995mon.dll
[2009/11/06 12:40:59 | 000,000,277 | ---- | C] () -- C:\WINNT\hpbafd.ini
[2009/11/05 16:33:47 | 000,000,600 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\PUTTY.RND
[2009/11/05 03:53:14 | 000,147,456 | ---- | C] () -- C:\WINNT\System32\RtlCPAPI.dll
[2009/11/04 23:43:30 | 000,178,176 | ---- | C] () -- C:\WINNT\System32\unrar.dll
[2009/11/04 22:38:27 | 000,000,108 | ---- | C] () -- C:\WINNT\WININIT.INI
[2009/11/04 20:32:01 | 000,354,816 | ---- | C] () -- C:\WINNT\System32\psisdecd.dll
[2009/11/04 16:54:03 | 000,021,952 | -H-- | C] () -- C:\Program Files\folder.htt
[2002/08/09 11:18:21 | 000,000,023 | ---- | C] () -- C:\WINNT\welcome.ini
[2002/08/09 11:14:25 | 000,176,400 | ---- | C] () -- C:\WINNT\System32\qcut.dll
[2002/08/09 11:09:09 | 000,007,265 | ---- | C] () -- C:\WINNT\System32\iasperf.ini
[2002/08/09 11:08:42 | 000,001,505 | ---- | C] () -- C:\WINNT\System32\faxperf.ini
[2002/08/09 11:08:35 | 000,033,552 | ---- | C] () -- C:\WINNT\System32\efsadu.dll
[2001/12/07 10:20:46 | 000,006,176 | ---- | C] () -- C:\WINNT\System32\HPBFXMMA.DLL
[2001/08/27 13:13:58 | 000,006,016 | ---- | C] () -- C:\WINNT\System32\HPBMINT.DLL
[2001/07/31 10:17:12 | 000,094,274 | ---- | C] () -- C:\WINNT\System32\HPBHEALR.DLL
[2001/07/07 04:00:00 | 000,003,399 | ---- | C] () -- C:\WINNT\System32\hptcpmon.ini
[1999/09/25 05:36:24 | 000,088,816 | ---- | C] () -- C:\WINNT\System32\drivers\lvcam.sys
[1999/09/25 05:36:22 | 000,017,424 | ---- | C] () -- C:\WINNT\System32\drivers\lvsound.sys

[color=\"#E56717\"]========== Custom Scans ==========[/color]

[color=\"#A23BEC\"]< %SYSTEMDRIVE%\*.exe >[/color]
[2003/06/19 14:05:04 | 000,150,528 | RHS- | M] () -- C:\arcldr.exe
[2003/06/19 14:05:04 | 000,163,840 | RHS- | M] () -- C:\arcsetup.exe

[color=\"#A23BEC\"]< MD5 for: AGP440.SYS >[/color]
[2002/08/09 11:16:06 | 006,412,388 | ---- | M] () .cab file -- C:\WINNT\Driver Cache\i386\sp3.cab:AGP440.sys
[2009/11/04 18:13:28 | 010,066,272 | ---- | M] () .cab file -- C:\WINNT\Driver Cache\i386\sp4.cab:AGP440.sys
[2009/11/04 18:13:28 | 010,066,272 | ---- | M] () .cab file -- C:\WINNT\ServicePackFiles\i386\sp4.cab:AGP440.sys
[2003/06/19 14:05:04 | 000,021,008 | ---- | M] (Microsoft Corporation) MD5=CDDB71A90077C93BEA5C72507F0B1394 -- C:\WINNT\ServicePackFiles\i386\agp440.sys
[2003/06/19 14:05:04 | 000,021,008 | ---- | M] (Microsoft Corporation) MD5=CDDB71A90077C93BEA5C72507F0B1394 -- C:\WINNT\system32\dllcache\agp440.sys
[2003/06/19 14:05:04 | 000,021,008 | ---- | M] (Microsoft Corporation) MD5=CDDB71A90077C93BEA5C72507F0B1394 -- C:\WINNT\system32\drivers\AGP440.SYS

[color=\"#A23BEC\"]< MD5 for: ATAPI.SYS >[/color]
[2002/08/09 11:16:06 | 006,412,388 | ---- | M] () .cab file -- C:\WINNT\Driver Cache\i386\sp3.cab:atapi.sys
[2009/11/04 18:13:28 | 010,066,272 | ---- | M] () .cab file -- C:\WINNT\Driver Cache\i386\sp4.cab:atapi.sys
[2009/11/04 18:13:28 | 010,066,272 | ---- | M] () .cab file -- C:\WINNT\ServicePackFiles\i386\sp4.cab:atapi.sys
[2003/06/19 14:05:04 | 000,086,672 | ---- | M] (Microsoft Corporation) MD5=8C718AA8C77041B3285D55A0CE980867 -- C:\WINNT\ServicePackFiles\i386\atapi.sys
[2003/06/19 14:05:04 | 000,086,672 | ---- | M] (Microsoft Corporation) MD5=8C718AA8C77041B3285D55A0CE980867 -- C:\WINNT\system32\dllcache\atapi.sys
[2003/06/19 14:05:04 | 000,086,672 | ---- | M] (Microsoft Corporation) MD5=8C718AA8C77041B3285D55A0CE980867 -- C:\WINNT\system32\drivers\atapi.sys

[color=\"#A23BEC\"]< MD5 for: EVENTLOG.DLL >[/color]
[2003/06/19 14:05:04 | 000,047,888 | ---- | M] (Microsoft Corporation) MD5=5738D5804F61A1D30D86FA24DEE56E0C -- C:\WINNT\$NtUpdateRollupPackUninstall$\eventlog.dll
[2003/06/19 14:05:04 | 000,047,888 | ---- | M] (Microsoft Corporation) MD5=5738D5804F61A1D30D86FA24DEE56E0C -- C:\WINNT\ServicePackFiles\i386\eventlog.dll
[2005/04/08 06:54:32 | 000,049,424 | ---- | M] (Microsoft Corporation) MD5=E7F03344AE103B02135C20112B557051 -- C:\WINNT\system32\dllcache\EVENTLOG.DLL
[2005/04/08 06:54:32 | 000,049,424 | ---- | M] (Microsoft Corporation) MD5=E7F03344AE103B02135C20112B557051 -- C:\WINNT\system32\EVENTLOG.DLL

[color=\"#A23BEC\"]< MD5 for: IDECHNDR.SYS >[/color]
[2002/10/15 00:00:00 | 000,101,431 | ---- | M] (Intel Corporation) MD5=7D2B8BE9E89628663C1FB571F7C34062 -- C:\Program Files\Intel\Intel Application Accelerator\Driver\IdeChnDr.sys
[2002/10/15 00:00:00 | 000,101,431 | ---- | M] (Intel Corporation) MD5=7D2B8BE9E89628663C1FB571F7C34062 -- C:\WINNT\system32\drivers\IdeChnDr.sys

[color=\"#A23BEC\"]< MD5 for: NETLOGON.DLL >[/color]
[2003/06/19 14:05:04 | 000,371,984 | ---- | M] (Microsoft Corporation) MD5=11B91C26925F56F577089FF88AA0BEC0 -- C:\WINNT\$NtUpdateRollupPackUninstall$\netlogon.dll
[2003/06/19 14:05:04 | 000,371,984 | ---- | M] (Microsoft Corporation) MD5=11B91C26925F56F577089FF88AA0BEC0 -- C:\WINNT\ServicePackFiles\i386\netlogon.dll
[2005/04/07 18:24:32 | 000,366,864 | ---- | M] (Microsoft Corporation) MD5=BE8FC3C74AB5212CD4067E8973764AD6 -- C:\WINNT\$NtUninstallKB954600_WM41$\netlogon.dll
[2005/04/08 06:54:32 | 000,366,864 | ---- | M] (Microsoft Corporation) MD5=BE8FC3C74AB5212CD4067E8973764AD6 -- C:\WINNT\$NtUninstallKB957097$\netlogon.dll
[2005/04/07 15:24:32 | 000,366,864 | ---- | M] (Microsoft Corporation) MD5=BE8FC3C74AB5212CD4067E8973764AD6 -- C:\WINNT\$NtUninstallKB960803$\netlogon.dll
[2005/04/07 18:24:32 | 000,366,864 | ---- | M] (Microsoft Corporation) MD5=BE8FC3C74AB5212CD4067E8973764AD6 -- C:\WINNT\$NtUninstallKB960859$\netlogon.dll
[2005/04/08 06:54:32 | 000,366,864 | ---- | M] (Microsoft Corporation) MD5=BE8FC3C74AB5212CD4067E8973764AD6 -- C:\WINNT\system32\dllcache\NETLOGON.DLL
[2005/04/07 18:24:32 | 000,366,864 | ---- | M] (Microsoft Corporation) MD5=BE8FC3C74AB5212CD4067E8973764AD6 -- C:\WINNT\system32\NETLOGON.DLL

[color=\"#A23BEC\"]< MD5 for: SCECLI.DLL >[/color]
[2005/01/12 14:39:44 | 000,114,448 | ---- | M] (Microsoft Corporation) MD5=6FCCE1622E75C7DC46509F7EC4B314A3 -- C:\WINNT\system32\dllcache\scecli.dll
[2005/01/12 14:39:44 | 000,114,448 | ---- | M] (Microsoft Corporation) MD5=6FCCE1622E75C7DC46509F7EC4B314A3 -- C:\WINNT\system32\scecli.dll
[2003/06/19 14:05:04 | 000,114,448 | ---- | M] (Microsoft Corporation) MD5=FF11B32A906D75CD96957B66E318DAD0 -- C:\WINNT\$NtUpdateRollupPackUninstall$\scecli.dll
[2003/06/19 14:05:04 | 000,114,448 | ---- | M] (Microsoft Corporation) MD5=FF11B32A906D75CD96957B66E318DAD0 -- C:\WINNT\ServicePackFiles\i386\scecli.dll

[color=\"#A23BEC\"]< %systemroot%\*. /mp /s >[/color]

[color=\"#A23BEC\"]< %systemroot%\system32\*.dll /lockedfiles >[/color]
[2 C:\WINNT\system32\*.tmp files -> C:\WINNT\system32\*.tmp -> ]

[color=\"#A23BEC\"]< %systemroot%\Tasks\*.job /lockedfiles >[/color]

[color=\"#A23BEC\"]< %systemroot%\system32\drivers\*.sys /lockedfiles >[/color]

[color=\"#A23BEC\"]< %systemroot%\System32\config\*.sav >[/color]
[2009/11/04 11:32:05 | 000,081,920 | ---- | M] () -- C:\WINNT\system32\config\default.sav
[2009/11/04 11:32:05 | 000,532,480 | ---- | M] () -- C:\WINNT\system32\config\software.sav
[2009/11/04 11:32:04 | 000,380,928 | ---- | M] () -- C:\WINNT\system32\config\system.sav

[color=\"#E56717\"]========== Files - Unicode (All) ==========[/color]
[2009/11/05 16:38:31 | 000,000,000 | ---- | M] ()(C:\WINNT\?) -- C:\WINNT\äœ˜
[2009/11/05 16:38:31 | 000,000,000 | ---- | C] ()(C:\WINNT\?) -- C:\WINNT\äœ˜

[color=\"#E56717\"]========== Alternate Data Streams ==========[/color]

@Alternate Data Stream - 119 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:7E95B6FD
< End of report >

OTL Extras logfile created on: 03/07/2010 16:28:47 - Run 1
OTL by OldTimer - Version 3.1.34.0 Folder = C:\Documents and Settings\Administrator\Desktop
Windows 2000 Professional Edition Service Pack 4 (Version = 5.0.2195) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2800.1106)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: MM/dd/yyyy

1,023.00 Mb Total Physical Memory | 788.00 Mb Available Physical Memory | 77.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 94.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINNT | %ProgramFiles% = C:\Program Files
Drive C: | 111.72 Gb Total Space | 44.38 Gb Free Space | 39.72% Space Free | Partition Type: NTFS
Drive D: | 298.09 Gb Total Space | 11.55 Gb Free Space | 3.88% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
Drive H: | 15.14 Mb Total Space | 0.55 Mb Free Space | 3.61% Space Free | Partition Type: FAT
Drive I: | 465.76 Gb Total Space | 237.57 Gb Free Space | 51.01% Space Free | Partition Type: NTFS

Computer Name: TWOHEAD
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

[color=\"#E56717\"]========== Extra Registry (SafeList) ==========[/color]

[color=\"#E56717\"]========== File Associations ==========[/color]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

[color=\"#E56717\"]========== Shell Spawning ==========[/color]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- %1
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Directory [Winamp.Bookmark] -- "C:\Program Files\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft)
Directory [Winamp.Enqueue] -- "C:\Program Files\Winamp\winamp.exe" /ADD "%1" (Nullsoft)
Directory [Winamp.Play] -- "C:\Program Files\Winamp\winamp.exe" "%1" (Nullsoft)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

[color=\"#E56717\"]========== Security Center Settings ==========[/color]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"65533:TCP" = 65533:TCP:*:Enabled:Services
"52344:TCP" = 52344:TCP:*:Enabled:Services
"2479:TCP" = 2479:TCP:*:Enabled:Services
"3246:TCP" = 3246:TCP:*:Enabled:Services
"3389:TCP" = 3389:TCP:*:Enabled:Remote Desktop

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"65533:TCP" = 65533:TCP:*:Enabled:Services
"52344:TCP" = 52344:TCP:*:Enabled:Services
"2479:TCP" = 2479:TCP:*:Enabled:Services
"3246:TCP" = 3246:TCP:*:Enabled:Services
"3389:TCP" = 3389:TCP:*:Enabled:Remote Desktop

[color=\"#E56717\"]========== Authorized Applications List ==========[/color]

[color=\"#E56717\"]========== HKEY_LOCAL_MACHINE Uninstall List ==========[/color]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{057F9F8C-53DD-44FA-8D41-80A92A81EC31}" = PHP 5.3.1
"{08094E03-AFE4-4853-9D31-6D0743DF5328}" = QuickTime
"{09984AEC-6B9F-4ca7-B78D-CB44D4771DA3}" = Destinations
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83216016FF}" = Java(tm) 6 Update 17
"{2CADCEAB-D5DA-44D6-B5FC-7DEE87AB3C0C}" = Unload
"{30C19FF2-7FBA-4d09-B9DE-1659977F64F6}" = TrayApp
"{33D6CC28-9F75-4d1b-A11D-98895B3A3729}" = HP Photosmart 330,380,420,470,7800,8000,8200 Series
"{47ECCB1F-2811-49C0-B6A7-26778639ABA0}" = 32 Bit HP CIO Components Installer
"{541DEAC0-5F3D-45E6-B7CB-94ECF3B96748}" = Skype web features
"{56F8AFC3-FA98-4ff1-9673-8A026CBF85BE}" = WebReg
"{609F7AC8-C510-11D4-A788-009027ABA5D0}" = Easy CD Creator 5 Basic
"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder
"{6F716D8C-398F-11D3-85E1-005004838609}" = WebFldrs
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{755EC5E3-FD51-46bd-A57F-7A2D56FBF061}" = PSTAPlugin
"{769A295C-DCF4-41d6-AFBA-7D9394B23AFE}" = PSPrinters08
"{818ABC3C-635C-4651-8183-D0E9640B7DD1}" = HP Update
"{91A4AD99-69CE-4745-97B7-0E0DFBECFDE5}" = Adobe Illustrator CS
"{9984DF60-1C5B-11D3-ACA1-908A4FC10801}" = Intel Application Accelerator
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A32A6393-37DA-4E44-BB9F-C4F384F89EB9}" = HP System maintenance for HP Designjet 30 130 series
"{A3455242-DAE0-4523-8242-FD82706ABF4B}" = CameraDrivers
"{A7BF5269-3E74-11D5-B00F-00104B398D77}" = QuarkXPress 5.0
"{A92A4DB0-CD37-42D1-BE1D-603D53C24328}" = Intel® Processor ID Utility
"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3
"{B508B3F1-A24A-32C0-B310-85786919EF28}" = Microsoft .NET Framework 2.0 Service Pack 1
"{B996AE66-10DB-4ac5-B151-E8B4BFBC42FC}" = BufferChm
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CD716D42-80F7-4227-A3CF-2E8047FD145E}" = Eudora
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skypeâ„¢ 4.1
"{D78653C3-A8FF-415F-92E6-D774E634FF2D}" = Dell ResourceCD
"{DBEA1034-5882-4A88-8033-81C4EF0CFA29}" = Google Toolbar for Internet Explorer
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{E3F90083-80D4-4b5a-87C7-E97E12F5516D}" = HPProductAssistant
"{E6B87DC4-2B3D-4483-ADFF-E483BF718991}" = OpenOffice.org 3.1
"{EA103B64-C0E4-4C0E-A506-751590E1653D}" = SolutionCenter
"{EFB21DE7-8C19-4A88-BB28-A766E16493BC}" = Adobe Photoshop CS
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F1670367-C07F-411f-A196-79D2C65CBEC0}" = PS8200
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F4C2E5F5-2970-45f4-ABD3-C180C4D961C4}" = Status
"{F6249ABF-F16D-4AF3-8755-4D62F799C238}" = Google AdWords Editor
"{FB08F381-6533-4108-B7DD-039E11FBC27E}" = Realtek AC'97 Audio
"ActiveScan 2.0" = Panda ActiveScan 2.0
"Ad-Aware" = Ad-Aware
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe SVG Viewer" = Adobe SVG Viewer 3.0
"AIM_7" = AIM 7
"ATI Display Driver" = ATI Display Driver
"Corel Applications" = Corel Applications
"EPSON Scanner" = EPSON Scan
"FavOrg" = FavOrg
"GoldWave v5.54" = GoldWave v5.54
"HijackThis" = HijackThis 2.0.2
"HP Imaging Device Functions" = HP Imaging Device Functions 5.3
"HP Solution Center & Imaging Support Tools" = HP Solution Center & Imaging Support Tools 5.3
"jZip" = jZip
"KLiteCodecPack_is1" = K-Lite Codec Pack 5.4.0 (Basic)
"Lavasoft Reghance 2.1" = Lavasoft Reghance 2.1
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Mozilla Firefox (3.5.

" = Mozilla Firefox (3.5.

"MSDN Library - April 1999" = MSDN Library - April 1999
"Pdf995" = Pdf995
"PdfEdit995" = PdfEdit995
"Q828026" = Windows Media Player Hotfix [See Q828026 for more information]
"RealPlayer 6.0" = RealPlayer
"RH Webster's Unabridged Dictionary" = RH Webster's Unabridged Dictionary
"Screen Calipers" = Screen Calipers
"Signature995" = Signature995
"SoftwareUpdUtility" = Download Updater (AOL LLC)
"SystemRequirementsLab" = System Requirements Lab
"Update Rollup 1" = Update Rollup 1 for Windows 2000 SP4
"Visual C++ 6.0 Standard Edition" = Microsoft Visual C++ 6.0 Standard Edition
"VLC media player" = VLC media player 1.0.5
"WampServer 2_is1" = WampServer 2.0
"Winamp" = Winamp
"WMP7" = Windows Media Player system update (9 Series)
"Yahoo! Messenger" = Yahoo! Messenger

[color=\"#E56717\"]========== HKEY_CURRENT_USER Uninstall List ==========[/color]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"V" = V - The File Viewer

[color=\"#E56717\"]========== Last 10 Event Log Errors ==========[/color]

[ Application Events ]
Error - 03/04/2010 23:41:26 | Computer Name = TWOHEAD | Source = Perflib | ID = 1015
Description = The timeout waiting for the performance data collection function "PerfDisk"
in
the "C:\WINNT\system32\perfdisk.dll" Library to finish has expired. There may be
a problem with this extensible counter or the service it is collecting data from
or the system may have been very busy when this call was attempted.

Error - 03/04/2010 23:41:34 | Computer Name = TWOHEAD | Source = Perflib | ID = 1015
Description = The timeout waiting for the performance data collection function "PerfDisk"
in
the "C:\WINNT\system32\perfdisk.dll" Library to finish has expired. There may be
a problem with this extensible counter or the service it is collecting data from
or the system may have been very busy when this call was attempted.

Error - 03/04/2010 23:53:11 | Computer Name = TWOHEAD | Source = Perflib | ID = 2002
Description = The open procedure for service "PerfDisk" in DLL "C:\WINNT\system32\perfdisk.dll"
has taken longer than the established wait time to complete. There may be a problem
with this extensible counter or the service it is collecting data from or the system
may have been very busy when this call was attempted.

Error - 03/05/2010 00:48:13 | Computer Name = TWOHEAD | Source = Userenv | ID = 1000
Description = Windows cannot unload your registry file. If you have a roaming profile,
your settings are not replicated. Contact your administrator. DETAIL - Access
is denied. , Build number ((2195)).

Error - 03/05/2010 08:24:52 | Computer Name = TWOHEAD | Source = Perflib | ID = 2002
Description = The open procedure for service "PerfDisk" in DLL "C:\WINNT\system32\perfdisk.dll"
has taken longer than the established wait time to complete. There may be a problem
with this extensible counter or the service it is collecting data from or the system
may have been very busy when this call was attempted.

Error - 03/05/2010 11:14:21 | Computer Name = TWOHEAD | Source = Perflib | ID = 1015
Description = The timeout waiting for the performance data collection function "PerfDisk"
in
the "C:\WINNT\system32\perfdisk.dll" Library to finish has expired. There may be
a problem with this extensible counter or the service it is collecting data from
or the system may have been very busy when this call was attempted.

Error - 03/05/2010 11:35:03 | Computer Name = TWOHEAD | Source = Userenv | ID = 1000
Description = Windows cannot unload your registry file. If you have a roaming profile,
your settings are not replicated. Contact your administrator. DETAIL - Access
is denied. , Build number ((2195)).

Error - 03/05/2010 11:36:28 | Computer Name = TWOHEAD | Source = Perflib | ID = 2002
Description = The open procedure for service "PerfDisk" in DLL "C:\WINNT\system32\perfdisk.dll"
has taken longer than the established wait time to complete. There may be a problem
with this extensible counter or the service it is collecting data from or the system
may have been very busy when this call was attempted.

Error - 03/05/2010 18:40:26 | Computer Name = TWOHEAD | Source = Perflib | ID = 1015
Description = The timeout waiting for the performance data collection function "PerfDisk"
in
the "C:\WINNT\system32\perfdisk.dll" Library to finish has expired. There may be
a problem with this extensible counter or the service it is collecting data from
or the system may have been very busy when this call was attempted.

Error - 03/07/2010 17:12:15 | Computer Name = TWOHEAD | Source = Perflib | ID = 2002
Description = The open procedure for service "PerfDisk" in DLL "C:\WINNT\system32\perfdisk.dll"
has taken longer than the established wait time to complete. There may be a problem
with this extensible counter or the service it is collecting data from or the system
may have been very busy when this call was attempted.

[ System Events ]
Error - 02/09/2010 19:22:54 | Computer Name = TWOHEAD | Source = IdeChnDr | ID = 262153
Description = The device, \Device\Ide\IdeDeviceP0T0L0, did not respond within the
timeout period.

Error - 02/10/2010 10:42:46 | Computer Name = TWOHEAD | Source = Removable Storage Service | ID = 262161
Description = RSM cannot manage library PhysicalDrive9. It encountered an unspecified
error. This can be caused by a number of problems including, but not limited to,
database corruption, failure communicating with the library, or insufficient system
resources.

Error - 02/10/2010 10:42:46 | Computer Name = TWOHEAD | Source = Removable Storage Service | ID = 262161
Description = RSM cannot manage library PhysicalDrive7. It encountered an unspecified
error. This can be caused by a number of problems including, but not limited to,
database corruption, failure communicating with the library, or insufficient system
resources.

Error - 02/10/2010 10:58:23 | Computer Name = TWOHEAD | Source = Removable Storage Service | ID = 262161
Description = RSM cannot manage library PhysicalDrive8. It encountered an unspecified
error. This can be caused by a number of problems including, but not limited to,
database corruption, failure communicating with the library, or insufficient system
resources.

Error - 02/10/2010 10:58:23 | Computer Name = TWOHEAD | Source = Removable Storage Service | ID = 262161
Description = RSM cannot manage library PhysicalDrive7. It encountered an unspecified
error. This can be caused by a number of problems including, but not limited to,
database corruption, failure communicating with the library, or insufficient system
resources.

Error - 02/10/2010 10:59:42 | Computer Name = TWOHEAD | Source = Service Control Manager | ID = 7022
Description = The wampapache service hung on starting.

Error - 02/10/2010 11:01:30 | Computer Name = TWOHEAD | Source = Service Control Manager | ID = 7024
Description = The wampapache service terminated with service-specific error 1.

Error - 02/11/2010 03:31:15 | Computer Name = TWOHEAD | Source = IdeChnDr | ID = 262153
Description = The device, \Device\Ide\IdeDeviceP0T0L0, did not respond within the
timeout period.

Error - 02/11/2010 04:28:55 | Computer Name = TWOHEAD | Source = Service Control Manager | ID = 7024
Description = The wampapache service terminated with service-specific error 1.

Error - 02/11/2010 04:29:31 | Computer Name = TWOHEAD | Source = Removable Storage Service | ID = 262161
Description = RSM cannot manage library PhysicalDrive7. It encountered an unspecified
error. This can be caused by a number of problems including, but not limited to,
database corruption, failure communicating with the library, or insufficient system
resources.

< End of report >

guestolo · « **Reply #3 on:** March 07, 2010, 07:08:23 PM »

Can you post the log from GMER after you run it's scan too

BobStein · « **Reply #4 on:** March 08, 2010, 09:00:30 AM »

[quote name=\'guestolo\' post=\'468313\' date=\'Mar 7 2010, 08:08 PM\']Can you post the log from GMER after you run it's scan too[/quote]

Apparently not. Running a GMER scan eventually causes a reboot -- I never get the chance to save it. Would you like me to run something else?

guestolo · « **Reply #5 on:** March 08, 2010, 09:55:09 AM »

You may want to print these instructions:

Please download [color=\"#FF0000\"]HelpAsst_mebroot_fix.exe[/color] and save it to your desktop.
Close out all other open programs and windows.
Double click the file to run it and follow any prompts.
If the tool detects an mbr infection, please allow it to run mbr -f and shutdown your computer.
Upon restarting, please wait about 5 minutes, click Start>Run and type the following bolded command, then hit Enter.
helpasst -mbrt
Make sure you leave a space between helpasst and -mbrt !
When it completes, a log will open.
Please post the contents of that log.
In the event the tool does not detect an mbr infection and completes, click Start>Run and type the following bolded command, then hit Enter.
mbr -f
Now, please do the Start>Run>mbr -f command a second time.
Now shut down the computer (do not restart, but shut it down), wait a few minutes then start it back up.
Give it about 5 minutes, then click Start>Run and type the following bolded command, then hit Enter.
helpasst -mbrt
Make sure you leave a space between helpasst and -mbrt !
When it completes, a log will open.
Please post the contents of that log.

BobStein · « **Reply #6 on:** March 08, 2010, 12:10:10 PM »

"This tool is not compatible with your system."

Windows 2000 problem?

guestolo · « **Reply #7 on:** March 08, 2010, 03:17:37 PM »

yup, that would be the problem

Can you do the following, I"ll check back later as it's lunch time right now
Download ComboFix only from this location

[color=\"#0000FF\"]Link [/color]
[color=\"#FF0000\"]Save it ONLY to your Desktop[/color]

--------------------------------------------------------------------
[color=\"#2E8B57\"]Temporarily Disable your AntiVirus/AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with this tool
[/color]

Double click on ComboFix.exe & follow the prompts.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply

NOTE: Do not mouseclick inside ComboFix window as it's running, it may cause it to stall
ComboFix will/may run again on startup, it will prompt that it's creating a log
This process could take up to 10 minutes, let it run uninterrupted please

BobStein · « **Reply #8 on:** March 08, 2010, 05:28:44 PM »

The attached log.txt is the ComboFix report.

(I didn't find a file named literally ComboFix.txt. After scanning, reboot, more scanning, then a log.txt file popped up. That's attached to this message. Do you want any other files?)

ComboFix 10-03-08.01 - Administrator 03/08/2010 15:29:13.1.1 - x86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.1023.624 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\winnt\system32\vb40032.dll
c:\winnt\Web\default.htt

c:\winnt\system32\comres.dll . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2010-02-08 to 2010-03-08 )))))))))))))))))))))))))))))))
.

2010-03-08 20:44 . 2010-03-08 20:44   16384   ----atw-   c:\winnt\system32\Perflib_Perfdata_24c.dat
2010-03-08 16:10 . 2003-06-19 19:05   46992   -c--a-w-   c:\winnt\system32\dllcache\i8042prt.sys
2010-03-08 16:10 . 2003-06-19 19:05   46992   ----a-w-   c:\winnt\system32\drivers\i8042prt.sys
2010-03-08 16:10 . 2003-06-19 19:05   21776   -c--a-w-   c:\winnt\system32\dllcache\mouclass.sys
2010-03-08 16:10 . 2003-06-19 19:05   21776   ----a-w-   c:\winnt\system32\drivers\mouclass.sys
2010-03-08 16:10 . 2009-01-07 22:57   27784   ----a-w-   c:\winnt\system32\drivers\point32.sys
2010-03-08 16:10 . 2010-03-08 16:10   --------   d-----w-   c:\program files\Microsoft IntelliPoint
2010-03-08 02:00 . 2010-03-08 17:11   --------   d-----w-   c:\documents and settings\All Users\Application Data\Kaspersky Lab
2010-03-08 02:00 . 2010-03-08 02:00   --------   d-----w-   c:\program files\Kaspersky Lab
2010-03-08 01:58 . 2010-03-08 01:58   --------   d-----w-   c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2010-03-05 04:11 . 2010-03-05 04:11   --------   d-----w-   c:\program files\Trend Micro
2010-03-05 03:30 . 2010-03-05 15:21   --------   d-----w-   c:\program files\a-squared Anti-Malware
2010-03-05 03:14 . 2010-03-05 03:14   --------   d-----w-   c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-03-05 03:14 . 2010-03-05 03:14   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-04 06:00 . 2010-03-04 06:00   --------   d-----w-   c:\documents and settings\Default User\Local Settings\Application Data\Microsoft
2010-03-04 05:35 . 2009-03-24 20:07   65240   ----a-w-   c:\winnt\system32\drivers\avgntflt.sys
2010-03-04 05:20 . 2010-03-04 05:25   --------   d---a-w-   c:\documents and settings\All Users\Application Data\TEMP
2010-03-02 21:41 . 2010-02-23 12:11   726008   ----a-w-   c:\documents and settings\HelpAssistant\gotomypc_438.exe
2010-02-23 12:11 . 2010-02-23 12:11   726008   ----a-w-   c:\documents and settings\Administrator\gotomypc_438.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-08 20:11 . 2009-11-25 23:02   --------   d-----w-   c:\documents and settings\Administrator\Application Data\Skype
2010-03-08 14:55 . 2009-11-25 23:04   --------   d-----w-   c:\documents and settings\Administrator\Application Data\skypePM
2010-03-08 02:10 . 2010-03-08 02:10   80400   ----a-w-   c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\fssync.dll
2010-03-08 02:10 . 2010-03-08 02:10   109072   ----a-w-   c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\mzvkbd3.dll
2010-03-08 02:10 . 2010-03-08 02:10   80400   ----a-w-   c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\fssync.dll
2010-03-08 02:10 . 2010-03-08 02:10   109072   ----a-w-   c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\mzvkbd3.dll
2010-03-08 02:00 . 2009-11-05 08:59   --------   d-----w-   c:\documents and settings\Administrator\Application Data\vlc
2010-03-04 05:51 . 2009-11-11 03:55   --------   d-----w-   c:\program files\Java
2010-03-04 05:51 . 2010-03-04 05:51   152576   ----a-w-   c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-03-04 05:51 . 2010-03-04 05:51   79488   ----a-w-   c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-03-02 13:30 . 2009-11-07 04:39   --------   d-----w-   c:\documents and settings\All Users\Application Data\pdf995
2010-02-26 02:24 . 2010-02-26 05:58   634104   ----a-w-   c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cpd5imup.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
2010-02-26 02:24 . 2010-02-26 05:58   797904   ----a-w-   c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cpd5imup.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
2010-02-23 16:41 . 2009-11-11 17:52   1   ----a-w-   c:\documents and settings\Administrator\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-01-29 05:55 . 2009-11-10 23:59   --------   d-----w-   c:\documents and settings\Administrator\Application Data\dvdcss
2010-01-20 14:28 . 2009-11-17 12:18   --------   d-----w-   c:\documents and settings\Administrator\Application Data\QuickScan
2010-01-15 19:46 . 2009-11-06 06:26   --------   d-----w-   c:\program files\Common Files\Adobe
2009-12-28 13:03 . 2009-11-04 21:52   319760   ----a-w-   c:\winnt\system32\MSPAINT.EXE
2009-12-18 16:19 . 2009-12-23 01:00   545280   ----a-w-   c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cpd5imup.default\extensions\[email protected]\libs\PicLensHelper.exe
2009-12-18 16:19 . 2009-12-23 01:00   344064   ----a-w-   c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cpd5imup.default\extensions\[email protected]\libs\LaunchCooliris.exe
2009-12-18 16:19 . 2009-12-23 01:00   153600   ----a-w-   c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cpd5imup.default\extensions\[email protected]\plugins\npcoolirisplugin.dll
2009-12-18 16:19 . 2009-12-23 01:00   103424   ----a-w-   c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cpd5imup.default\extensions\[email protected]\libs\pixomatic.dll
2009-12-18 16:19 . 2009-12-23 01:00   57856   ----a-w-   c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cpd5imup.default\extensions\[email protected]\components\coolirisstub.dll
2009-12-18 16:19 . 2009-12-23 01:00   4726272   ----a-w-   c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cpd5imup.default\extensions\[email protected]\libs\cooliris190.dll
2009-12-16 21:25 . 2009-12-16 21:25   576512   ----a-w-   c:\winnt\system32\WININET.DLL
2009-12-14 07:10 . 2002-08-09 16:07   35088   ----a-w-   c:\winnt\system32\CSRSRV.DLL
2009-12-11 16:50 . 2009-12-11 16:50   862040   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-12-11 16:50 . 2009-12-13 01:49   15880   ----a-w-   c:\winnt\system32\lsdelete.exe
2009-12-11 16:50 . 2009-12-11 16:50   15880   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-12-11 16:50 . 2009-12-11 16:50   206944   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2009-12-11 16:50 . 2009-12-11 16:50   390288   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2009-12-11 16:50 . 2009-12-11 16:50   537576   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\aawapi.dll
2009-12-11 16:50 . 2009-12-11 16:50   370744   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2009-12-11 16:50 . 2009-12-11 16:50   163728   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2009-12-11 16:50 . 2009-12-11 16:50   194104   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Savapibridge.dll
2009-12-11 16:49 . 2009-12-11 16:49   5908024   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2009-12-11 16:49 . 2009-12-11 16:49   327000   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2009-12-11 16:49 . 2009-12-11 16:49   87496   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2009-12-11 16:49 . 2009-12-11 16:49   933120   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-12-11 16:49 . 2009-12-11 16:49   641632   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2009-12-11 16:49 . 2009-12-11 16:49   816272   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-12-11 16:49 . 2009-12-11 16:48   822904   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-12-11 16:48 . 2009-12-11 16:48   1638640   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-12-11 16:48 . 2009-12-11 16:48   788880   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-12-11 16:48 . 2009-12-11 16:48   1184912   ----a-w-   c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-12-10 13:39 . 2002-08-09 16:16   252592   ----a-w-   c:\winnt\system32\drivers\SRV.SYS
2009-11-04 21:54 . 2009-11-04 21:54   21952   ---h--w-   c:\program files\folder.htt
.

------- Sigcheck -------

[-] 2002-11-27 00:03 . 36678803A8030EE9A771935CFC1848BD . 52224 . . [9.0.1.56] . . c:\winnt\system32\mspmsnsv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-11-09 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Tweak UI"="TWEAKUI.CPL" [2000-06-18 106544]
"Synchronization Manager"="mobsync.exe" [2003-06-19 111376]
"CreateCD50"="c:\program files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" [2002-05-02 122965]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-04-10 679936]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-11-17 185896]
"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2006-07-11 49152]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-01-07 1468296]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [2003-06-19 186640]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

R0 IntelATA;Intel Ultra ATA Controller;c:\winnt\system32\drivers\IntelAta.sys [11/04/2009 22:18 79106]
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\winnt\system32\drivers\klbg.sys [10/14/2009 21:18 36880]
R0 Lbd;Lbd;c:\winnt\system32\drivers\Lbd.sys [12/11/2009 11:50 64288]
R0 pavboot;pavboot;c:\winnt\system32\drivers\pavboot.sys [11/17/2009 07:22 28552]
R1 cdudf;cdudf;c:\winnt\system32\drivers\cdudf.sys [04/10/2002 17:00 356651]
R1 crlscsi;crlscsi;c:\winnt\system32\drivers\crlscsi.sys [11/20/2009 11:10 6144]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\winnt\system32\drivers\klmouflt.sys [10/02/2009 19:39 18448]
R3 openhci;Microsoft USB Open Host Controller Driver;c:\winnt\system32\drivers\openhci.sys [08/09/2002 11:13 24784]
R3 usbhub20;USB 2.0 Root Hub Support;c:\winnt\system32\drivers\usbhub20.sys [11/04/2009 18:13 49776]
R3 Winacpci;Winacpci;c:\winnt\system32\drivers\winacpci.sys [11/04/2009 11:34 602128]
S3 EL90BC;3Com EtherLink XL B/C Adapter Driver;c:\winnt\system32\drivers\el90Xbc5.SYS [11/04/2009 22:32 73824]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [09/24/2009 06:17 1184912]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - IPNAT
*NewlyCreated* - RASAUTO
*NewlyCreated* - SHAREDACCESS

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12   REG_MULTI_SZ    Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-03-08 c:\winnt\Tasks\daily.job
- c:\visibone\stats\daily.bat [2009-11-06 13:24]

2010-02-27 c:\winnt\Tasks\weekly.job
- c:\visibone\stats\weekly.bat [2009-11-06 18:17]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
LSP: %SystemRoot%\system32\msafd.dll
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cpd5imup.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.visibone.com/
FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cpd5imup.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cpd5imup.default\extensions\[email protected]\plugins\npcoolirisplugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true);user_pref(network.protocol-handler.warn-external.dnupdate, false.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{EDB0E980-90BD-11D4-8599-0008C7D3B6F8} - c:\eudora\EuShlExt.dll

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-08 16:54
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(224)
c:\winnt\system32\Ati2evxx.dll
c:\winnt\system32\wzcdlg.dll
c:\winnt\system32\WZCSAPI.DLL

- - - - - - - > 'explorer.exe'(1220)
c:\winnt\system32\SHDOCVW.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\winnt\system32\Ati2evxx.exe
c:\winnt\system32\hidserv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\winnt\system32\regsvc.exe
c:\winnt\system32\MSTask.exe
c:\winnt\system32\stisvc.exe
c:\winnt\System32\WBEM\WinMgmt.exe
c:\winnt\system32\Ati2evxx.exe
.
**************************************************************************
.
Completion time: 2010-03-08 17:00:06 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-08 22:00

Pre-Run: 47,631,577,088 bytes free
Post-Run: 48,990,216,192 bytes free

- - End Of File - - 0D0403F90D5ACAF277B396A3603E8BC9

guestolo · « **Reply #9 on:** March 08, 2010, 08:25:56 PM »

Let's see what happens after the following
Copy ALL the BLUE text below and Paste to notepad
Don't use anything else than notepad or the script will not work

[color=\"#0000FF\"]
Folder::
c:\documents and settings\HelpAssistant

[/color]
Save this as txtfile on your desktop, with the exact name of
CFScript

Drag CFScript.txt into ComboFix.exe
Combofix will start>>Follow the prompts
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

When finished, it shall produce a log for you with the same name C:\ComboFix.txt..
I'll need to see that log again later

One last request
Then, Go to the following link [color=\"#0000FF\"]ESET Online Scanner[/color][/url]
Note: You will need to use Internet Explorer for this scan

Tick the box next to YES, I accept the Terms of Use
Click Start
When asked, allow the ActiveX control to install
Click Start
Make sure that the options Remove found threats and the option Scan unwanted applications is checked
Click Scan (This scan can take awhile, so please be patient)
Once the scan is completed, you may close the window
Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic

BobStein · « **Reply #10 on:** March 08, 2010, 11:45:58 PM »

[quote name=\'guestolo\' post=\'468335\' date=\'Mar 8 2010, 09:25 PM\'][color=\"#0000ff\"]Folder::
c:\documents and settings\HelpAssistant
[/color][/quote]

Attached is the ComboFix log. (Loooooong ESET scan is now at 20%, will upload when done.)

BobStein · « **Reply #11 on:** March 08, 2010, 11:48:49 PM »

BTW ComboFix pops up an outlandish error message, "32788R22FWJFW\n.pif Access to the specified device, path, or file is denied." Screenshot attached.

guestolo · « **Reply #12 on:** March 09, 2010, 01:14:02 PM »

Any luck on the log from Eset scanner yet?

BobStein · « **Reply #13 on:** March 09, 2010, 02:06:17 PM »

Eset scan is at 87% and counting. I should have tried to disable scanning the external hard drives.

BobStein · « **Reply #14 on:** March 09, 2010, 08:01:37 PM »

ESET threat list attached.

It would seem to me that none are active? The only two on the C: drive are in a directory for backing up a different system. And the D: and I: drives are backups.

Also attached is a screenshot of the ESET options.

guestolo · « **Reply #15 on:** March 10, 2010, 03:57:05 PM »

Can you go to START>>RUN>>type in control userpasswords
Then hit OK
Under the USERS tab, highlight HelpAssistant and click on REMOVE
follow the prompts
Note: You may have to temporarily put a tick beside
"Users must enter a user name and password to use this computer"
If that is not your usual setup, you can deselect it after removing HelpAssistant

When your done
The next registry entry found with this nasty is not a typical Windows 2000 setting
We should be able to get rid of the whole key, but let's just lose the values
=Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box, not including the word "code"
Paste it to the empty Notepad file
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as fix.reg

Save this file on the desktop
Ensure to copy from REGEDIT4 and down in the code box

Code: [Select]

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"65533:TCP"=- 
"52344:TCP"=- 
"2479:TCP"=- 
"3246:TCP"=- 
"3389:TCP"=- 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"65533:TCP"=- 
"52344:TCP"=-
"2479:TCP"=-
"3246:TCP"=-
"3389:TCP"=-

Double click on fix.reg and allow to add/merge to the registry at the prompt

1. Please download [color=\"#FF0000\"]Avenger2[/color] by Swandog46 to your Desktop.

Extract the contents to a folder on your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C). Or highlight it and right click and select Copy

Code: [Select]

Folders to delete:
c:\documents and settings\HelpAssistant

3. Now, open the avenger folder and double click on Avenger.exe to run it.

Right click on the window under Input script here:, and select Paste.
You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard.
Click on Execute
Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete" or "Drivers to Disable", The Avenger will actually restart your system twice.)
After the restart, it creates a log file that should open with the results of Avengerâ€™s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please copy/paste the content of c:\avenger.txt into your reply.

With that log, can you also do the following:
Can you do the following
proceed to http://www.virustotal.com/flash/index_en.html

Use the browse button and navigate to this file on your hard disk
c:\winnt\system32\comres.dll<--this file

Right click on the file and choose Select
Then use the Submit button
Let it finish scanning
Could you post back the results of the scan back here please
Or better yet, post the link to the results
Keep me informed how things are running

BobStein · « **Reply #16 on:** March 12, 2010, 04:07:44 PM »

1. (minor difference) I had already removed the HelpAssistant user through the Control Panel.

2. (minor difference) I imported fix.reg via RegEdit.exe menus.

3. avenger.txt attached

4. I can find no comres.dll anywhere, not currently in c:\winnt\system32, nor on my backup of that directory from March 6-7. I searched for the file name on all hard drives. I had run a partial Kazpersky scan at some point but comres.dll is not in its quarantine.

Should I backgrack? Rerun ComboFix?

guestolo · « **Reply #17 on:** March 12, 2010, 04:19:15 PM »

Quote

3. avenger.txt attached

Why attached? Can you not just post it's contents in a reply
I'm having problems viewing the contents

Can you delete your copy of ComboFix, redownload it and run it with my previous instructions
Post the new log

BobStein · « **Reply #18 on:** March 12, 2010, 06:58:49 PM »

Whoa, guess it was Unicode. Ok here's the log

avenger.txt

Code: [Select]

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform:  Windows 2000

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Folder "c:\documents and settings\HelpAssistant" deleted successfully.

Completed script processing.

*******************

Finished!  Terminate.

guestolo · « **Reply #19 on:** March 12, 2010, 07:45:26 PM »

Quote

Can you delete your copy of ComboFix, redownload it and run it with my previous instructions
Post the new log

Can you delete your copy of ComboFix from desktop
Then, Download ComboFix only from this location

[color=\"#0000FF\"]Link [/color]
[color=\"#FF0000\"]Save it ONLY to your Desktop[/color]

--------------------------------------------------------------------
[color=\"#2E8B57\"]Temporarily Disable your AntiVirus/AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with this tool
[/color]

Double click on ComboFix.exe & follow the prompts.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply

NOTE: Do not mouseclick inside ComboFix window as it's running, it may cause it to stall
ComboFix will/may run again on startup, it will prompt that it's creating a log
This process could take up to 10 minutes, let it run uninterrupted please
Also, keep me informed how things are now running

News:

Author Topic: PayPal hijacked, NVDTM errors, possible Trojan: Sinowal/Zhelatin/Steal (Read 3079 times)