smitfraud, rogue, netpumper

Welcome to Bleeping Computer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.
Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Want a New HP LaserJet MFP? Trade in your old printer and receive $1,000 in savings!
Trade in your old printer and receive up to $1,000 in saving on a new HP LaserJet Multifunction Printer. Click here for savings!

BleepingComputer.com > Security > Virus, Trojan, Spyware, and Malware Removal Logs

Forum Guidelines

Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

DO NOT RUN ComboFix unless requested to.

Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

2 Pages

1 2 >

smitfraud, rogue, netpumper - you name it..., Multiple infection recover help requested

Options

ok computer View Member Profile	Jan 9 2010, 08:43 PM Post #1
Member Group: Members Posts: 38 Joined: 19-October 09 Member No.: 392,143	I am fixing this for a neighbor - I've seen it before: "I have Norton on there, but I think maybe the subscription is expired". Of course it was, and there was no boot at all, not even to Safe Mode. I used a boot disk to run Avira, Spybot, and Avast, got it to boot, ran MBAM and removed Norton (as far as I can tell). It operates nicely enough, but still a few bad problems: I still can't boot to Safe Mode...it ends in a blue screen with no legible writing on it (a few random characters). It boots successfully to Windows XP but the onboard network adapter will not connect. I managed to get a wireless adaper to work, but I had to use the manufacturer's utility - the Zero Configuration thing will not work, even thought it shows running under the list of services. I'm guessing there may be other hidden gems in here too. I have no idea how to find them or fix them. Let me know if the MBAM log would help. I could also attach a HJT log if desired. Thank you! Any and all help is greatly appreciated!! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ DDS (Ver_09-12-01.01) - NTFSx86 Run by dad at 16:51:34.88 on Sat 01/09/2010 Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.558 [GMT -8:00] AV: Trend Micro PC-cillin Internet Security On-access scanning disabled (Outdated) {7D2296BC-32CC-4519-917E-52E652474AF5} ============== Running Processes =============== C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup svchost.exe svchost.exe C:\WINDOWS\system32\spoolsv.exe svchost.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\WINDOWS\eHome\ehRecvr.exe C:\WINDOWS\eHome\ehSched.exe C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe C:\WINDOWS\system32\PnkBstrA.exe C:\Program Files\Ralink\Common\RalinkRegistryWriter.exe svchost.exe C:\WINDOWS\system32\svchost.exe -k imgsvc C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe C:\WINDOWS\system32\dllhost.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe C:\WINDOWS\System32\DLA\DLACTRLW.EXE C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe C:\Program Files\Ralink\Common\RaUI.exe C:\WINDOWS\System32\svchost.exe -k HTTPFilter C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\dad\Desktop\dds.scr ============== Pseudo HJT Report =============== uStart Page = hxxp://www.yahoo.com/ uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/http://www.yahoo.com uDefault_Page_URL = hxxp://www.msn.com uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/http://www.yahoo.com/ext/search/search.html mDefault_Page_URL = hxxp://www.yahoo.com/ mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/http://www.yahoo.com mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/http://www.yahoo.com mStart Page = hxxp://www.yahoo.com/ mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/http://www.yahoo.com/ext/search/search.html uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/http://www.yahoo.com uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll BHO: {52706EF7-D7A2-49AD-A615-E903858CF284} - No File BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll BHO: Net Games Toolbar: {8a6264b5-a8f2-494b-8f37-cf898a763e42} - c:\program files\net_games\tbNet1.dll BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1203.0\msneshellx.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll TB: Net Games Toolbar: {8a6264b5-a8f2-494b-8f37-cf898a763e42} - c:\program files\net_games\tbNet1.dll TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1203.0\msneshellx.dll TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll" mRun: [Easy Dock] c:\documents and settings\lee speaks\my documents\rca easyrip\EZDock.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ralink~1.lnk - c:\program files\ralink\common\RaUI.exe IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\lee speaks\start menu\programs\imvu\Run IMVU.lnk IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll DPF: {00B71CFB-6864-4346-A978-C0A14556272C} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - hxxp://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL AppInit_DLLs: c:\windows\system32\sajifamu.dll SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll ================= FIREFOX =================== FF - ProfilePath - c:\docume~1\dad\applic~1\mozilla\firefox\profiles\05p9w8ju.default\ FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll FF - plugin: c:\program files\mozilla firefox\plugins\npracplug.dll FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} ---- FIREFOX POLICIES ---- FF - user.js: yahoo.homepage.dontask - truec:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true); ============= SERVICES / DRIVERS =============== R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328] R2 RalinkRegistryWriter;Ralink Registry Writer;c:\program files\ralink\common\RalinkRegistryWriter.exe [2010-1-8 75040] S2 NNServ;NNServ;"c:\program files\newdotnet\nnrun.exe" "c:\program files\newdotnet\nncore.dll" servicestart --> c:\program files\newdotnet\nnrun.exe [?] S3 RAPIProtocol;Ralink RAPI Protocol Driver;c:\windows\system32\drivers\RAPIProtocol.sys [2010-1-8 16512] S3 TDWXP;WavePlus 802.11b Wireless PCI/PCMCIA Card Driver;c:\windows\system32\drivers\wpndis51.sys [2004-8-3 151552] =============== Created Last 30 ================ 2010-01-08 08:27:01 315510 ----a-w- c:\windows\system32\RAPI.dll 2010-01-08 08:27:01 200704 ----a-w- c:\windows\system32\ssleay32.dll 2010-01-08 08:27:01 16512 ----a-w- c:\windows\system32\drivers\RAPIProtocol.sys 2010-01-08 08:27:01 1093632 ----a-w- c:\windows\system32\libeay32.dll 2010-01-08 08:26:56 21361 ----a-w- c:\windows\system32\drivers\AegisP.sys 2010-01-08 08:26:55 465152 ----a-w- c:\windows\system32\drivers\rt73.sys 2010-01-08 08:26:54 0 d-----w- c:\program files\Ralink 2010-01-08 06:51:01 0 d-----w- c:\docume~1\alluse~1\applic~1\Ralink Driver 2010-01-07 06:55:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-01-07 06:55:21 19160 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-01-07 06:55:21 0 d-----w- c:\program files\Malwarebytes' Anti-Malware 2010-01-07 04:40:51 0 ----a-w- c:\windows\system32\11478.exe 2010-01-04 22:09:46 25823502 ----a-w- C:\vdf_fusebundle.zip 2010-01-04 20:38:49 262144 ----a-w- c:\windows\SAM 2010-01-03 21:24:47 0 d-sh--w- C:\found.001 2009-12-29 09:27:20 0 ----a-w- c:\windows\system32\3902.exe 2009-12-29 09:07:18 0 ----a-w- c:\windows\system32\14604.exe 2009-12-28 07:00:04 0 ----a-w- c:\windows\system32\31673.exe 2009-12-28 06:40:03 0 ----a-w- c:\windows\system32\2306.exe 2009-12-28 06:20:03 0 ----a-w- c:\windows\system32\13977.exe 2009-12-28 06:00:02 0 ----a-w- c:\windows\system32\9930.exe 2009-12-28 05:40:02 0 ----a-w- c:\windows\system32\22704.exe 2009-12-28 05:20:01 0 ----a-w- c:\windows\system32\29658.exe 2009-12-28 05:00:01 0 ----a-w- c:\windows\system32\4639.exe 2009-12-28 04:40:00 0 ----a-w- c:\windows\system32\31115.exe 2009-12-28 04:20:00 0 ----a-w- c:\windows\system32\4833.exe 2009-12-28 03:59:59 0 ----a-w- c:\windows\system32\16541.exe 2009-12-28 03:39:59 0 ----a-w- c:\windows\system32\22929.exe 2009-12-28 03:19:58 0 ----a-w- c:\windows\system32\2082.exe 2009-12-28 02:59:58 0 ----a-w- c:\windows\system32\16118.exe 2009-12-28 02:39:57 0 ----a-w- c:\windows\system32\21538.exe 2009-12-28 02:19:57 0 ----a-w- c:\windows\system32\5537.exe 2009-12-28 01:59:56 0 ----a-w- c:\windows\system32\11323.exe 2009-12-28 01:39:56 0 ----a-w- c:\windows\system32\24626.exe 2009-12-28 01:19:55 0 ----a-w- c:\windows\system32\32439.exe 2009-12-28 00:59:55 0 ----a-w- c:\windows\system32\16944.exe 2009-12-28 00:39:54 0 ----a-w- c:\windows\system32\26308.exe 2009-12-28 00:19:53 0 ----a-w- c:\windows\system32\13931.exe 2009-12-27 23:59:53 0 ----a-w- c:\windows\system32\7376.exe 2009-12-27 23:39:52 0 ----a-w- c:\windows\system32\4966.exe 2009-12-27 23:19:52 0 ----a-w- c:\windows\system32\11840.exe 2009-12-27 22:59:51 0 ----a-w- c:\windows\system32\18756.exe 2009-12-27 22:19:47 0 ----a-w- c:\windows\system32\24084.exe 2009-12-27 21:59:47 0 ----a-w- c:\windows\system32\12623.exe 2009-12-27 21:39:46 0 ----a-w- c:\windows\system32\19629.exe 2009-12-27 21:19:45 0 ----a-w- c:\windows\system32\3548.exe 2009-12-27 20:59:45 0 ----a-w- c:\windows\system32\24393.exe 2009-12-27 20:39:45 0 ----a-w- c:\windows\system32\31101.exe 2009-12-27 20:19:45 0 ----a-w- c:\windows\system32\15006.exe 2009-12-27 19:59:45 0 ----a-w- c:\windows\system32\15350.exe 2009-12-27 19:39:45 0 ----a-w- c:\windows\system32\24370.exe 2009-12-27 19:19:45 0 ----a-w- c:\windows\system32\6729.exe 2009-12-27 18:59:45 0 ----a-w- c:\windows\system32\15890.exe 2009-12-27 18:39:45 0 ----a-w- c:\windows\system32\23805.exe 2009-12-27 18:19:45 0 ----a-w- c:\windows\system32\27446.exe 2009-12-27 17:59:45 0 ----a-w- c:\windows\system32\22648.exe 2009-12-27 17:39:45 0 ----a-w- c:\windows\system32\19264.exe 2009-12-27 17:19:45 0 ----a-w- c:\windows\system32\8942.exe 2009-12-27 16:59:44 0 ----a-w- c:\windows\system32\9040.exe 2009-12-27 16:39:44 0 ----a-w- c:\windows\system32\30106.exe 2009-12-27 16:19:44 0 ----a-w- c:\windows\system32\288.exe 2009-12-27 15:59:44 0 ----a-w- c:\windows\system32\1842.exe 2009-12-27 15:39:44 0 ----a-w- c:\windows\system32\22190.exe 2009-12-27 15:19:44 0 ----a-w- c:\windows\system32\3035.exe 2009-12-27 14:59:44 0 ----a-w- c:\windows\system32\12316.exe 2009-12-27 14:39:44 0 ----a-w- c:\windows\system32\778.exe 2009-12-27 14:19:44 0 ----a-w- c:\windows\system32\27529.exe 2009-12-27 13:59:44 0 ----a-w- c:\windows\system32\9741.exe 2009-12-27 13:39:44 0 ----a-w- c:\windows\system32\8723.exe 2009-12-27 13:19:44 0 ----a-w- c:\windows\system32\12859.exe 2009-12-27 12:59:41 0 ----a-w- c:\windows\system32\20037.exe 2009-12-27 12:39:40 0 ----a-w- c:\windows\system32\32757.exe 2009-12-27 12:19:40 0 ----a-w- c:\windows\system32\32662.exe 2009-12-27 11:59:40 0 ----a-w- c:\windows\system32\27644.exe 2009-12-27 11:39:40 0 ----a-w- c:\windows\system32\25547.exe 2009-12-27 11:19:40 0 ----a-w- c:\windows\system32\6868.exe 2009-12-27 10:59:40 0 ----a-w- c:\windows\system32\28253.exe 2009-12-27 10:39:40 0 ----a-w- c:\windows\system32\7711.exe 2009-12-27 10:19:40 0 ----a-w- c:\windows\system32\15141.exe 2009-12-27 09:59:40 0 ----a-w- c:\windows\system32\4664.exe 2009-12-27 09:39:40 0 ----a-w- c:\windows\system32\17673.exe 2009-12-27 09:19:40 0 ----a-w- c:\windows\system32\30333.exe 2009-12-27 09:01:36 0 d-----w- c:\program files\Counter-Strike 2D 2009-12-27 08:59:40 0 ----a-w- c:\windows\system32\31322.exe 2009-12-27 08:39:40 0 ----a-w- c:\windows\system32\23811.exe 2009-12-27 08:36:52 6 ----a-w- c:\windows\system32\ClassU 2009-12-27 08:36:52 5 ----a-w- c:\windows\system32\Band4 2009-12-27 08:19:39 0 ----a-w- c:\windows\system32\28703.exe 2009-12-27 07:59:39 0 ----a-w- c:\windows\system32\9894.exe 2009-12-27 07:39:39 0 ----a-w- c:\windows\system32\17035.exe 2009-12-27 07:20:12 0 ----a-w- c:\windows\system32\26299.exe 2009-12-27 07:00:11 0 ----a-w- c:\windows\system32\25667.exe 2009-12-27 06:40:10 0 ----a-w- c:\windows\system32\19912.exe 2009-12-27 06:20:10 0 ----a-w- c:\windows\system32\1869.exe 2009-12-27 06:00:09 0 ----a-w- c:\windows\system32\11538.exe 2009-12-27 05:40:09 0 ----a-w- c:\windows\system32\14771.exe 2009-12-27 05:20:08 0 ----a-w- c:\windows\system32\21726.exe 2009-12-27 05:00:08 0 ----a-w- c:\windows\system32\5447.exe 2009-12-27 04:40:07 0 ----a-w- c:\windows\system32\19895.exe 2009-12-27 04:20:07 0 ----a-w- c:\windows\system32\19718.exe 2009-12-27 04:00:06 0 ----a-w- c:\windows\system32\18716.exe 2009-12-27 03:40:06 0 ----a-w- c:\windows\system32\17421.exe 2009-12-27 03:20:05 0 ----a-w- c:\windows\system32\12382.exe 2009-12-27 03:00:05 0 ----a-w- c:\windows\system32\292.exe 2009-12-27 02:40:04 0 ----a-w- c:\windows\system32\153.exe 2009-12-27 01:39:26 0 ----a-w- c:\windows\system32\32391.exe 2009-12-27 01:19:25 0 ----a-w- c:\windows\system32\5436.exe 2009-12-27 00:59:25 0 ----a-w- c:\windows\system32\4827.exe 2009-12-27 00:39:24 0 ----a-w- c:\windows\system32\11942.exe 2009-12-26 22:40:35 0 ----a-w- c:\windows\system32\28145.exe 2009-12-26 22:20:35 0 ----a-w- c:\windows\system32\5705.exe 2009-12-26 20:40:31 0 ----a-w- c:\windows\system32\15724.exe 2009-12-26 20:20:30 0 ----a-w- c:\windows\system32\19169.exe 2009-12-26 20:00:29 0 ----a-w- c:\windows\system32\26500.exe 2009-12-26 19:40:28 0 ----a-w- c:\windows\system32\6334.exe 2009-12-26 19:20:27 0 ----a-w- c:\windows\system32\18467.exe 2009-12-26 00:05:52 0 d-----w- c:\program files\KingsIsle Entertainment 2009-12-11 22:19:08 0 d-----w- c:\docume~1\alluse~1\applic~1\Norton ==================== Find3M ==================== 2010-01-09 17:28:04 246784 ----a-w- c:\windows\system32\drivers\iaStor.sys 2010-01-08 08:26:56 376832 ----a-w- c:\windows\system32\AegisI5Installer.exe 2009-12-30 04:54:50 14336 ----a-w- c:\windows\system32\svchost.exe 2009-12-30 04:54:50 14336 ----a-w- c:\windows\system32\dllcache\svchost.exe 2009-11-30 21:40:27 662 ----a-w- c:\docume~1\dad\applic~1\wklnhst.dat 2009-10-28 14:40:47 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe 2009-10-21 06:00:55 75776 ----a-w- c:\windows\system32\strmfilt.dll 2009-10-21 06:00:55 75776 ------w- c:\windows\system32\dllcache\strmfilt.dll 2009-10-21 06:00:55 25088 ----a-w- c:\windows\system32\httpapi.dll 2009-10-21 06:00:55 25088 ------w- c:\windows\system32\dllcache\httpapi.dll 2009-10-20 14:58:48 263552 ------w- c:\windows\system32\dllcache\http.sys 2009-10-13 10:53:29 266752 ----a-w- c:\windows\system32\oakley.dll 2009-10-13 10:53:29 266752 ------w- c:\windows\system32\dllcache\oakley.dll 2009-10-12 13:54:17 69632 ----a-w- c:\windows\system32\raschap.dll 2009-10-12 13:54:17 69632 ------w- c:\windows\system32\dllcache\raschap.dll 2009-10-12 13:54:17 112128 ----a-w- c:\windows\system32\rastls.dll 2009-10-12 13:54:17 112128 ------w- c:\windows\system32\dllcache\rastls.dll 2008-11-13 02:37:08 6956032 -csha-w- c:\program files\ehthumbs.db 2007-04-07 08:04:55 774144 ----a-w- c:\program files\RngInterstitial.dll 2006-09-27 00:17:03 251 ----a-w- c:\program files\wt3d.ini ============= FINISH: 16:53:42.52 =============== Attached File(s) Attach.txt ( 16.29k ) Number of downloads: 9 ark.txt ( 4.07k ) Number of downloads: 0

myrti View Member Profile	Jan 15 2010, 06:51 PM Post #2
bleepin' _temp_ Group: Malware Response Instructor Posts: 14,924 Joined: 25-January 08 From: At home Member No.: 186,120	Hello and welcome to Bleeping Computer We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here. If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. Please include a clear description of the problems you're having, along with any steps you may have performed so far. Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process. Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem. Please download OTL from following mirror: This is THE Mirror Save it to your desktop. Double click on the icon on your desktop. Click the "Scan All Users" checkbox. Push the button. Two reports will open, copy and paste them in a reply here: OTL.txt <-- Will be opened Extra.txt <-- Will be minimized In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine. After 5 days if a topic is not replied to we assume it has been abandoned and it is closed. regards myrti -------------------- Help request via PM will be ignored, unless I am already helping you. Please use the forums! If I have helped you please consider to to help me continue the malware fight! Thank you!

myrti View Member Profile	Jan 17 2010, 12:43 PM Post #4
bleepin' _temp_ Group: Malware Response Instructor Posts: 14,924 Joined: 25-January 08 From: At home Member No.: 186,120	Hi, please run a rootkit scan with gmer as well: Please download GMER from one of the following locations and save it to your desktop: Main Mirror This version will download a randomly named file (Recommended) Zipped Mirror This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop. Disconnect from the Internet and close all running programs. Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver. Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked. Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe. GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress) If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO. Now click the Scan button. If you see a rootkit warning window, click OK. When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log. Click the Copy button and paste the results into your next reply. Exit GMER and re-enable all active protection when done. -- If you encounter any problems, try running GMER in Safe Mode. regards myrti -------------------- Help request via PM will be ignored, unless I am already helping you. Please use the forums! If I have helped you please consider to to help me continue the malware fight! Thank you!

ok computer View Member Profile	Jan 17 2010, 08:39 PM Post #5
Member Group: Members Posts: 38 Joined: 19-October 09 Member No.: 392,143	This has given me some trouble. When I first ran it, I got a blue screen within about 20 minutes. I rebooted and ran it again, and it was doing great, though the scan apparently takes many hours. I found that the log could be saved as-is before the scan was over so I saved a copy every hour or so, in case it crashed again. The last time I tried saving one, it crashed (though not a blue screen - the program just froze up). I am attaching the last copy of the gmer.log file that I was able to save, but again, this was before the program was finished scanning. I'll try to run another one, and I'll let you know how it goes. GMER.LOG ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ GMER 1.0.15.15281 - http://www.gmer.net Rootkit scan 2010-01-17 12:01:09 Windows 5.1.2600 Service Pack 2 Running: unenv9g6.exe; Driver: C:\DOCUME~1\dad\LOCALS~1\Temp\pgloapoc.sys ---- Kernel code sections - GMER 1.0.15 ---- .rsrc C:\WINDOWS\system32\drivers\iastor.sys entry point in ".rsrc" section [0xF73FC024] .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF5E02360, 0x3CEED5, 0xE8000020] ---- Devices - GMER 1.0.15 ---- AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) Device \FileSystem\Fastfat \Fat AFBB6C8A AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation) Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions) Device -> \Driver\iastor \Device\Harddisk0\DR0 870E7841

myrti View Member Profile	Jan 17 2010, 08:51 PM Post #6
bleepin' _temp_ Group: Malware Response Instructor Posts: 14,924 Joined: 25-January 08 From: At home Member No.: 186,120	Hi, I am suspecting a rootkit, please run this additional scan for confirmation: Please download mbr.exe and save it to your root directory, usually C:\ <- (Important!). Go to Start > Run and type: cmd.exe press Ok. At the command prompt type: c:\mbr.exe -t >"C:\mbr.log" press Enter. A "DOS" box will open and quickly disappear. That is normal. A log file named mbr.log will be created and saved to the root of the system drive (usually C:\). Copy and paste the results of the mbr.log in your next reply. regards myrti -------------------- Help request via PM will be ignored, unless I am already helping you. Please use the forums! If I have helped you please consider to to help me continue the malware fight! Thank you!

ok computer View Member Profile	Jan 18 2010, 10:33 AM Post #7
Member Group: Members Posts: 38 Joined: 19-October 09 Member No.: 392,143	Here it is. Hope it helps... ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net device: opened successfully user: MBR read successfully called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x870E0841]<< kernel: MBR read successfully user & kernel MBR OK

myrti View Member Profile	Jan 19 2010, 09:57 AM Post #8
bleepin' _temp_ Group: Malware Response Instructor Posts: 14,924 Joined: 25-January 08 From: At home Member No.: 186,120	Hi, you have been infected by a nasty rootkit. It is a backdoor trojan. This allows hackers to remotely control your computer, steal critical system information and download and execute files. I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation. Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information: How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? When Should I Format, How Should I Reinstall We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to clean, then please run ComboFix and post the log in your next reply: Please download ComboFix from one of these locations: Link 2 Link 3 * IMPORTANT !!! Save ComboFix.exe to your Desktop Temporarily disable isable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools Usually this can be done via a right click on the System Tray icon, check this tutorial for disabling the most common security programs: Link Double click on ComboFix.exe & follow the prompts. As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware. Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console. Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures. Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message: Click on Yes, to continue scanning for malware. When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply. This tool is not a toy and not for everyday use. ComboFix SHOULD NOT** be used unless requested by a forum helper If you need help, see this link: http://www.bleepingcomputer.com/combofix/how-to-use-combofix regards myrti -------------------- Help request via PM will be ignored, unless I am already helping you. Please use the forums! If I have helped you please consider to to help me continue the malware fight! Thank you!

ok computer View Member Profile	Jan 19 2010, 11:52 PM Post #9
Member Group: Members Posts: 38 Joined: 19-October 09 Member No.: 392,143	This isn't my computer (it's my neighbor's) so it it's just the same with you, I'll continue the cleanup process and then hand it back to him with your information about the root kit and corresponding threat. Frankly, this machine could use a clean install. Attached below is the text from the ComboFix log. Awaiting your instructions... ComboFix log: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ComboFix 10-01-19.02 - dad 01/19/2010 19:48:58.1.2 - x86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.605 [GMT -8:00] Running from: c:\documents and settings\dad\Desktop\ComboFix.exe AV: AVG Anti-Virus Free On-access scanning disabled (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF} . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\documents and settings\All Users\Application Data\Macromedia\SwUpdate c:\documents and settings\All Users\Application Data\Macromedia\SwUpdate\Flags.dtd c:\documents and settings\All Users\Application Data\Macromedia\SwUpdate\UA.dtd c:\documents and settings\All Users\Application Data\Macromedia\SwUpdate\UAcpt.dtd c:\documents and settings\Guest\Application Data\Dxcdmns.dll c:\documents and settings\Guest\err.log c:\documents and settings\Guest\Local Settings\Temporary Internet Files\Dxc.log c:\documents and settings\LocalService\Local Settings\Temporary Internet Files\Dxc.log c:\progra~1\COMMON~1\{2CAA5~1 c:\progra~1\COMMON~1\{3CAA5~1 c:\program files\Common Files\Companion Wizard c:\program files\deluxecommunications c:\program files\Seekmo Programs c:\windows\kb913800.exe c:\windows\pack.epk c:\windows\system32\11323.exe c:\windows\system32\11478.exe c:\windows\system32\11538.exe c:\windows\system32\11840.exe c:\windows\system32\11942.exe c:\windows\system32\12316.exe c:\windows\system32\12382.exe c:\windows\system32\12623.exe c:\windows\system32\12859.exe c:\windows\system32\13931.exe c:\windows\system32\13977.exe c:\windows\system32\14604.exe c:\windows\system32\14771.exe c:\windows\system32\15006.exe c:\windows\system32\15141.exe c:\windows\system32\153.exe c:\windows\system32\15350.exe c:\windows\system32\15724.exe c:\windows\system32\15890.exe c:\windows\system32\16118.exe c:\windows\system32\16541.exe c:\windows\system32\16944.exe c:\windows\system32\17035.exe c:\windows\system32\17421.exe c:\windows\system32\17673.exe c:\windows\system32\1842.exe c:\windows\system32\18467.exe c:\windows\system32\1869.exe c:\windows\system32\18716.exe c:\windows\system32\18756.exe c:\windows\system32\19169.exe c:\windows\system32\19264.exe c:\windows\system32\19629.exe c:\windows\system32\19718.exe c:\windows\system32\19895.exe c:\windows\system32\19912.exe c:\windows\system32\20037.exe c:\windows\system32\2082.exe c:\windows\system32\21538.exe c:\windows\system32\21726.exe c:\windows\system32\22190.exe c:\windows\system32\22648.exe c:\windows\system32\22704.exe c:\windows\system32\22929.exe c:\windows\system32\2306.exe c:\windows\system32\23805.exe c:\windows\system32\23811.exe c:\windows\system32\24084.exe c:\windows\system32\24370.exe c:\windows\system32\24393.exe c:\windows\system32\24626.exe c:\windows\system32\25547.exe c:\windows\system32\25667.exe c:\windows\system32\26299.exe c:\windows\system32\26308.exe c:\windows\system32\26500.exe c:\windows\system32\27446.exe c:\windows\system32\27529.exe c:\windows\system32\27644.exe c:\windows\system32\28145.exe c:\windows\system32\28253.exe c:\windows\system32\28703.exe c:\windows\system32\288.exe c:\windows\system32\292.exe c:\windows\system32\29658.exe c:\windows\system32\30106.exe c:\windows\system32\30333.exe c:\windows\system32\3035.exe c:\windows\system32\31101.exe c:\windows\system32\31115.exe c:\windows\system32\31322.exe c:\windows\system32\31673.exe c:\windows\system32\32391.exe c:\windows\system32\32439.exe c:\windows\system32\32662.exe c:\windows\system32\32757.exe c:\windows\system32\3548.exe c:\windows\system32\3902.exe c:\windows\system32\4639.exe c:\windows\system32\4664.exe c:\windows\system32\4827.exe c:\windows\system32\4833.exe c:\windows\system32\4966.exe c:\windows\system32\5436.exe c:\windows\system32\5447.exe c:\windows\system32\5537.exe c:\windows\system32\5705.exe c:\windows\system32\6334.exe c:\windows\system32\6729.exe c:\windows\system32\6868.exe c:\windows\system32\7376.exe c:\windows\system32\7711.exe c:\windows\system32\778.exe c:\windows\system32\8723.exe c:\windows\system32\8942.exe c:\windows\system32\9040.exe c:\windows\system32\9741.exe c:\windows\system32\9894.exe c:\windows\system32\9930.exe c:\windows\system32\stera.log Infected copy of c:\windows\system32\drivers\iastor.sys was found and disinfected Restored copy from - Kitty ate it . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_FCI -------\Legacy_NNSERV -------\Service_NNServ ((((((((((((((((((((((((( Files Created from 2009-12-20 to 2010-01-20 ))))))))))))))))))))))))))))))) . 2010-01-18 15:29 . 2010-01-18 15:29 77312 ----a-w- C:\mbr.exe 2010-01-16 02:10 . 2010-01-16 02:10 -------- d-----w- c:\documents and settings\dad\Local Settings\Application Data\AVG Security Toolbar 2010-01-15 03:13 . 2010-01-15 03:13 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Adobe 2010-01-13 06:28 . 2010-01-13 06:52 -------- d-----w- C:\$AVG 2010-01-13 06:27 . 2010-01-13 06:27 12464 ----a-w- c:\windows\system32\avgrsstx.dll 2010-01-13 06:27 . 2010-01-13 06:27 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys 2010-01-13 06:27 . 2010-01-13 06:27 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys 2010-01-13 06:27 . 2010-01-13 06:27 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys 2010-01-13 06:27 . 2010-01-17 16:46 -------- d-----w- c:\windows\system32\drivers\Avg 2010-01-13 06:27 . 2010-01-16 02:31 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar 2010-01-13 06:27 . 2010-01-17 16:36 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9 2010-01-13 06:27 . 2010-01-13 06:27 -------- d-----w- c:\program files\AVG 2010-01-13 05:41 . 2010-01-13 05:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Trend Micro 2010-01-10 10:01 . 2010-01-15 03:13 664 ----a-w- c:\windows\system32\d3d9caps.dat 2010-01-08 08:27 . 2008-09-09 19:03 315510 ----a-w- c:\windows\system32\RAPI.dll 2010-01-08 08:27 . 2008-08-07 22:42 16512 ----a-w- c:\windows\system32\drivers\RAPIProtocol.sys 2010-01-08 08:27 . 2008-06-14 04:11 200704 ----a-w- c:\windows\system32\ssleay32.dll 2010-01-08 08:27 . 2008-06-14 04:11 1093632 ----a-w- c:\windows\system32\libeay32.dll 2010-01-08 08:26 . 2010-01-08 08:26 21361 ----a-w- c:\windows\system32\drivers\AegisP.sys 2010-01-08 08:26 . 2008-10-21 19:16 465152 ----a-w- c:\windows\system32\drivers\rt73.sys 2010-01-08 08:26 . 2010-01-08 08:26 -------- d-----w- c:\program files\Ralink 2010-01-08 06:51 . 2010-01-08 06:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Ralink Driver 2010-01-08 06:50 . 2010-01-08 06:50 -------- d-----w- c:\documents and settings\dad\Application Data\InstallShield 2010-01-07 06:55 . 2010-01-08 00:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-01-07 06:55 . 2010-01-16 01:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2010-01-07 06:55 . 2010-01-08 00:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-01-04 22:09 . 2010-01-04 22:09 25823502 ----a-w- C:\vdf_fusebundle.zip 2010-01-03 21:24 . 2010-01-03 21:24 -------- d-----w- C:\found.001 2009-12-27 09:01 . 2009-12-27 09:01 -------- d-----w- c:\program files\Counter-Strike 2D 2009-12-26 00:05 . 2009-12-26 00:05 -------- d-----w- c:\program files\KingsIsle Entertainment . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-01-16 08:21 . 2006-09-19 12:37 246784 ----a-w- c:\windows\system32\drivers\iastor.sys 2010-01-16 02:25 . 2006-10-28 04:46 -------- d-----w- c:\documents and settings\All Users\Application Data\yahoo! 2010-01-16 02:25 . 2006-10-28 04:44 -------- d-----w- c:\program files\Yahoo! 2010-01-16 01:58 . 2010-01-16 01:58 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe 2010-01-13 20:30 . 2005-08-17 01:54 -------- d-----w- c:\program files\DIGStream 2010-01-13 06:27 . 2010-01-13 06:47 3776280 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe 2010-01-13 06:27 . 2010-01-13 06:47 4043032 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe 2010-01-13 06:27 . 2010-01-13 06:47 2033432 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtray.exe 2010-01-13 06:27 . 2010-01-13 06:47 3967256 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll 2010-01-13 06:27 . 2010-01-13 06:47 2352920 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgresf.dll 2010-01-13 06:27 . 2010-01-13 06:47 916248 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcfgx.dll 2010-01-13 05:30 . 2006-11-16 23:42 -------- d-----w- c:\program files\Windows Live Safety Center 2010-01-13 05:30 . 2005-08-17 01:58 -------- d-----w- c:\program files\RGB 2010-01-08 08:26 . 2009-04-20 21:27 376832 ----a-w- c:\windows\system32\AegisI5Installer.exe 2010-01-08 08:17 . 2007-05-23 22:59 -------- d-----w- c:\program files\Common Files\Symantec Shared 2010-01-08 08:17 . 2007-05-23 23:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec 2010-01-08 06:51 . 2006-09-19 12:59 -------- d--h--w- c:\program files\InstallShield Installation Information 2010-01-06 05:12 . 2007-05-24 20:55 -------- d-----w- c:\program files\Spybot - Search & Destroy 2009-12-30 04:54 . 2005-08-16 09:18 14336 ----a-w- c:\windows\system32\svchost.exe 2009-12-11 22:19 . 2009-12-11 22:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton 2009-11-30 21:40 . 2008-09-25 00:55 662 ----a-w- c:\documents and settings\dad\Application Data\wklnhst.dat 2009-11-25 21:01 . 2010-01-16 02:31 1230080 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll 2009-11-21 16:36 . 2005-08-16 09:18 470528 ----a-w- c:\windows\AppPatch\aclayers.dll 2009-10-29 07:45 . 2005-08-16 09:18 916480 ----a-w- c:\windows\system32\wininet.dll 2008-11-13 02:37 . 2008-09-14 07:36 6956032 -csha-w- c:\program files\ehthumbs.db 2007-04-07 08:04 . 2007-04-07 08:05 774144 ----a-w- c:\program files\RngInterstitial.dll 2006-09-27 00:17 . 2006-09-27 00:17 251 ----a-w- c:\program files\wt3d.ini . ------- Sigcheck ------- [7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys [7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys [7] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . c:\windows\system32\dllcache\tcpip.sys [-] 2008-06-20 . 0B788EE2A876D7B31DF840C13F08CD2B . 360320 . . [5.1.2600.3394] . . c:\windows\system32\drivers\tcpip.sys [7] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys [-] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\tcpip.sys [-] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\tcpip.sys [7] 2007-10-30 . 64798ECFA43D78C7178375FCDD16D8C8 . 360832 . . [5.1.2600.3244] . . c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys [7] 2006-04-20 . B2220C618B42A2212A59D91EBD6FC4B4 . 360576 . . [5.1.2600.2892] . . c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks] "{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080] [HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}] [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}] 2009-11-25 21:01 1230080 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080] [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}] [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser] "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080] [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552] "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940] "Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-29 583048] "AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-01-13 2033432] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Ralink Wireless Utility.lnk - c:\program files\Ralink\Common\RaUI.exe [2010-1-8 1634304] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter] 2010-01-13 06:27 12464 ----a-w- c:\windows\system32\avgrsstx.dll [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager] BootExecute REG_MULTI_SZ autocheck autochk \0stera [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk backup=c:\windows\pss\Microsoft Office.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck] c:\windows\system32\dumprep 0 -k [X] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport] 2007-03-15 18:09 460784 ----a-w- c:\program files\DellSupport\DSAgnt.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher] 2005-10-05 08:12 94208 ----a-w- c:\program files\Dell\Media Experience\DMXLauncher.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate] 2007-11-15 17:24 16384 ----a-w- c:\program files\Dell Support Center\gs_agent\custom\dsca.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray] 2005-09-29 19:01 67584 ----a-w- c:\windows\ehome\ehtray.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup] 2004-07-27 21:50 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler] 2004-07-27 21:50 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] 2004-10-13 16:24 1694208 ----a-w- c:\program files\Messenger\msmsgs.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr] 2009-02-07 01:51 3885408 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon] 2009-05-01 07:30 13750272 ----a-w- c:\windows\system32\nvcpl.dll [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter] 2009-05-01 07:30 86016 ----a-w- c:\windows\system32\nvmctray.dll [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz] 2009-05-01 07:31 1657376 ----a-w- c:\windows\system32\nwiz.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PD0620 STISvc] 2005-05-10 17:03 36864 ----a-r- c:\windows\system32\P0620Pin.dll [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] 2008-02-01 07:13 385024 ----a-w- c:\program files\QuickTime\QTTask.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp] 2006-07-24 22:20 282624 ----a-w- c:\windows\stsystra.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] 2009-03-09 12:19 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager] 2009-05-27 04:06 4351216 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"= "c:\\Program Files\\Valve\\Steam\\SteamApps\\h3rojr\\counter-strike\\hl.exe"= "c:\\Program Files\\Valve\\Steam\\SteamApps\\h3rojr\\day of defeat\\hl.exe"= "c:\\Program Files\\Valve\\Steam\\SteamApps\\h3rojr\\deathmatch classic\\hl.exe"= "c:\\StubInstaller.exe"= "c:\\Program Files\\LimeWire\\LimeWire.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"= "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"= "c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"= "c:\\WINDOWS\\system32\\PnkBstrA.exe"= "c:\\WINDOWS\\system32\\PnkBstrB.exe"= "c:\\Program Files\\Electronic Arts\\Medal of Honor Airborne\\UnrealEngine3\\Binaries\\MOHA.exe"= "c:\\Program Files\\AVG\\AVG9\\avgupd.exe"= "c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"= "c:\\Program Files\\AVG\\AVG9\\avgemc.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "57988:TCP"= 57988:TCP:Pando Media Booster "57988:UDP"= 57988:UDP:Pando Media Booster R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [1/12/2010 10:27 PM 333192] R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [1/12/2010 10:27 PM 360584] R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [1/12/2010 10:27 PM 906520] R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [1/12/2010 10:27 PM 285392] R2 RalinkRegistryWriter;Ralink Registry Writer;c:\program files\Ralink\Common\RalinkRegistryWriter.exe [1/8/2010 12:27 AM 75040] S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [1/6/2010 10:55 PM 38224] S3 RAPIProtocol;Ralink RAPI Protocol Driver;c:\windows\system32\drivers\RAPIProtocol.sys [1/8/2010 12:27 AM 16512] S3 TDWXP;WavePlus 802.11b Wireless PCI/PCMCIA Card Driver;c:\windows\system32\drivers\wpndis51.sys [8/3/2004 3:24 PM 151552] . Contents of the 'Scheduled Tasks' folder . . ------- Supplementary Scan ------- . uStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage/ mStart Page = hxxp://www.yahoo.com/ mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/http://www.yahoo.com/ext/search/search.html uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/http://www.yahoo.com IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\lee speaks\Start Menu\Programs\IMVU\Run IMVU.lnk FF - ProfilePath - c:\documents and settings\dad\Application Data\Mozilla\Firefox\Profiles\05p9w8ju.default\ FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npracplug.dll FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll ---- FIREFOX POLICIES ---- FF - user.js: yahoo.homepage.dontask - true. - - - - ORPHANS REMOVED - - - - BHO-{8a6264b5-a8f2-494b-8f37-cf898a763e42} - (no file) WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file) HKLM-Run-Easy Dock - c:\documents and settings\lee speaks\My Documents\RCA easyRip\EZDock.exe MSConfigStartUp-Internet Security 2010 - c:\program files\InternetSecurity2010\IS2010.exe MSConfigStartUp-MyWebSearch Email Plugin - c:\progra~1\MYWEBS~1\bar\1.bin\mwsoemon.exe MSConfigStartUp-tgcmd - c:\program files\Support.com\bin\tgcmd.exe MSConfigStartUp-Windows Console - wkssvc.exe MSConfigStartUp-winupdate86 - c:\windows\system32\winupdate86.exe AddRemove-RCA Detective™_is1 - c:\documents and settings\lee speaks\My Documents\RCA Detective\unins000.exe AddRemove-RCA easyRip_is1 - c:\documents and settings\lee speaks\My Documents\RCA easyRip\unins000.exe AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb *********************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-01-19 20:25 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ********************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'explorer.exe'(2176) c:\windows\system32\WININET.dll c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . c:\windows\system32\nvsvc32.exe c:\program files\AVG\AVG9\avgchsvx.exe c:\program files\AVG\AVG9\avgrsx.exe c:\program files\AVG\AVG9\avgcsrvx.exe c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe c:\windows\eHome\ehRecvr.exe c:\windows\eHome\ehSched.exe c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe c:\program files\Java\jre6\bin\jqs.exe c:\program files\AVG\AVG9\avgnsx.exe c:\windows\system32\PnkBstrA.exe c:\windows\ehome\mcrdsvc.exe c:\program files\AVG\AVG9\avgcsrvx.exe c:\windows\system32\dllhost.exe c:\windows\system32\wscntfy.exe . ************************************************************************ . Completion time: 2010-01-19 20:33:38 - machine was rebooted ComboFix-quarantined-files.txt 2010-01-20 04:33 Pre-Run: 194,806,603,776 bytes free Post-Run: 195,002,728,448 bytes free WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect [spybotsd] timeout.old=30 - - End Of File - - 028DA2388543D1223E5CBB75BA5C83C7

myrti View Member Profile	Jan 20 2010, 02:54 PM Post #10
bleepin' _temp_ Group: Malware Response Instructor Posts: 14,924 Joined: 25-January 08 From: At home Member No.: 186,120	Hi, well the cleaner the machine, the less likely it is they will actually reformat. Anywho to continue the cleaning process: 1. Close any open browsers. 2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. 3. Open notepad and copy/paste the text in the quotebox below into it: QUOTE FCopy:: c:\windows\system32\dllcache\tcpip.sys \| c:\windows\system32\drivers\tcpip.sys Registry:: [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager] "BootExecute"=hex(7):61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2a,00,00 Save this as CFScript.txt, in the same location as ComboFix.exe Refering to the picture above, drag CFScript into ComboFix.exe When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply. How is the PC doing now? You should have seen some improvement after running combofix. regards myrti -------------------- Help request via PM will be ignored, unless I am already helping you. Please use the forums! If I have helped you please consider to to help me continue the malware fight! Thank you!

ok computer View Member Profile	Jan 20 2010, 09:45 PM Post #11
Member Group: Members Posts: 38 Joined: 19-October 09 Member No.: 392,143	The new ComboFix log is below. As for the computer's operation, yes, it seems to be greatly improved, though I haven't been really using it heavily except to run these processes and communicate with you. Still, I don't think one would have any idea at this point that there was anything wrong with it, except for the fact that Safe Mode doesn't work. Maybe it does work now - I haven't tried it in a few days. Thanks again for all your help. Here is the log: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ComboFix 10-01-19.02 - dad 01/20/2010 18:25:26.2.2 - x86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.659 [GMT -8:00] Running from: c:\documents and settings\dad\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\dad\Desktop\CFScript.txt AV: AVG Anti-Virus Free On-access scanning disabled (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF} . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . --------------- FCopy --------------- c:\windows\system32\dllcache\tcpip.sys --> c:\windows\system32\drivers\tcpip.sys . ((((((((((((((((((((((((( Files Created from 2009-12-21 to 2010-01-21 ))))))))))))))))))))))))))))))) . 2010-01-18 15:29 . 2010-01-18 15:29 77312 ----a-w- C:\mbr.exe 2010-01-16 02:31 . 2009-11-25 21:01 1230080 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll 2010-01-16 02:10 . 2010-01-16 02:10 -------- d-----w- c:\documents and settings\dad\Local Settings\Application Data\AVG Security Toolbar 2010-01-16 01:58 . 2010-01-16 01:58 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe 2010-01-15 03:13 . 2010-01-15 03:13 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Adobe 2010-01-13 06:47 . 2010-01-13 06:27 3776280 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe 2010-01-13 06:47 . 2010-01-13 06:27 4043032 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe 2010-01-13 06:47 . 2010-01-13 06:27 2033432 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtray.exe 2010-01-13 06:47 . 2010-01-13 06:27 3967256 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll 2010-01-13 06:47 . 2010-01-13 06:27 2352920 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgresf.dll 2010-01-13 06:47 . 2010-01-13 06:27 916248 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcfgx.dll 2010-01-13 06:28 . 2010-01-13 06:52 -------- d-----w- C:\$AVG 2010-01-13 06:27 . 2010-01-13 06:27 12464 ----a-w- c:\windows\system32\avgrsstx.dll 2010-01-13 06:27 . 2010-01-13 06:27 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys 2010-01-13 06:27 . 2010-01-13 06:27 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys 2010-01-13 06:27 . 2010-01-13 06:27 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys 2010-01-13 06:27 . 2010-01-17 16:46 -------- d-----w- c:\windows\system32\drivers\Avg 2010-01-13 06:27 . 2010-01-16 02:31 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar 2010-01-13 06:27 . 2010-01-17 16:36 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9 2010-01-13 06:27 . 2010-01-13 06:27 -------- d-----w- c:\program files\AVG 2010-01-13 05:41 . 2010-01-13 05:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Trend Micro 2010-01-10 10:01 . 2010-01-15 03:13 664 ----a-w- c:\windows\system32\d3d9caps.dat 2010-01-08 08:27 . 2008-09-09 19:03 315510 ----a-w- c:\windows\system32\RAPI.dll 2010-01-08 08:27 . 2008-08-07 22:42 16512 ----a-w- c:\windows\system32\drivers\RAPIProtocol.sys 2010-01-08 08:27 . 2008-06-14 04:11 200704 ----a-w- c:\windows\system32\ssleay32.dll 2010-01-08 08:27 . 2008-06-14 04:11 1093632 ----a-w- c:\windows\system32\libeay32.dll 2010-01-08 08:26 . 2010-01-08 08:26 21361 ----a-w- c:\windows\system32\drivers\AegisP.sys 2010-01-08 08:26 . 2008-10-21 19:16 465152 ----a-w- c:\windows\system32\drivers\rt73.sys 2010-01-08 08:26 . 2010-01-08 08:26 -------- d-----w- c:\program files\Ralink 2010-01-08 06:51 . 2010-01-08 06:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Ralink Driver 2010-01-08 06:51 . 2008-10-21 19:16 465152 ----a-w- c:\documents and settings\All Users\Application Data\Ralink Driver\RT7x Wireless LAN Card\Driver\rt73.sys 2010-01-08 06:51 . 2008-07-11 03:34 528384 ----a-w- c:\documents and settings\All Users\Application Data\Ralink Driver\RT7x Wireless LAN Card\Driver\RaInst.exe 2010-01-08 06:51 . 2007-05-17 19:17 192512 ----a-w- c:\documents and settings\All Users\Application Data\Ralink Driver\RT7x Wireless LAN Card\Driver\CoInstaller.dll 2010-01-08 06:51 . 2006-11-02 15:21 319456 ----a-w- c:\documents and settings\All Users\Application Data\Ralink Driver\RT7x Wireless LAN Card\Driver\difxapi.dll 2010-01-08 06:50 . 2010-01-08 06:50 -------- d-----w- c:\documents and settings\dad\Application Data\InstallShield 2010-01-07 06:55 . 2010-01-08 00:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-01-07 06:55 . 2010-01-16 01:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2010-01-07 06:55 . 2010-01-08 00:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-01-04 22:09 . 2010-01-04 22:09 25823502 ----a-w- C:\vdf_fusebundle.zip 2010-01-03 21:24 . 2010-01-03 21:24 -------- d-----w- C:\found.001 2009-12-27 09:01 . 2009-12-27 09:01 -------- d-----w- c:\program files\Counter-Strike 2D 2009-12-26 00:05 . 2009-12-26 00:05 -------- d-----w- c:\program files\KingsIsle Entertainment . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-01-16 08:21 . 2006-09-19 12:37 246784 ----a-w- c:\windows\system32\drivers\iastor.sys 2010-01-16 02:25 . 2006-10-28 04:46 -------- d-----w- c:\documents and settings\All Users\Application Data\yahoo! 2010-01-16 02:25 . 2006-10-28 04:44 -------- d-----w- c:\program files\Yahoo! 2010-01-13 20:30 . 2005-08-17 01:54 -------- d-----w- c:\program files\DIGStream 2010-01-13 05:30 . 2006-11-16 23:42 -------- d-----w- c:\program files\Windows Live Safety Center 2010-01-13 05:30 . 2005-08-17 01:58 -------- d-----w- c:\program files\RGB 2010-01-08 08:26 . 2009-04-20 21:27 376832 ----a-w- c:\windows\system32\AegisI5Installer.exe 2010-01-08 08:17 . 2007-05-23 22:59 -------- d-----w- c:\program files\Common Files\Symantec Shared 2010-01-08 08:17 . 2007-05-23 23:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec 2010-01-08 06:51 . 2006-09-19 12:59 -------- d--h--w- c:\program files\InstallShield Installation Information 2010-01-06 05:12 . 2007-05-24 20:55 -------- d-----w- c:\program files\Spybot - Search & Destroy 2009-12-30 04:54 . 2005-08-16 09:18 14336 ------w- c:\windows\system32\svchost.exe 2009-12-11 22:19 . 2009-12-11 22:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton 2009-11-30 21:40 . 2008-09-25 00:55 662 ----a-w- c:\documents and settings\dad\Application Data\wklnhst.dat 2009-11-21 16:36 . 2005-08-16 09:18 470528 ----a-w- c:\windows\AppPatch\aclayers.dll 2009-10-29 07:45 . 2005-08-16 09:18 916480 ------w- c:\windows\system32\wininet.dll 2008-11-13 02:37 . 2008-09-14 07:36 6956032 -csha-w- c:\program files\ehthumbs.db 2007-04-07 08:04 . 2007-04-07 08:05 774144 ----a-w- c:\program files\RngInterstitial.dll 2006-09-27 00:17 . 2006-09-27 00:17 251 ----a-w- c:\program files\wt3d.ini . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks] "{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080] [HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}] [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}] 2009-11-25 21:01 1230080 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080] [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}] [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser] "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080] [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552] "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940] "Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-29 583048] "AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-01-13 2033432] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Ralink Wireless Utility.lnk - c:\program files\Ralink\Common\RaUI.exe [2010-1-8 1634304] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter] 2010-01-13 06:27 12464 ----a-w- c:\windows\system32\avgrsstx.dll [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk backup=c:\windows\pss\Microsoft Office.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck] c:\windows\system32\dumprep 0 -k [X] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport] 2007-03-15 18:09 460784 ----a-w- c:\program files\DellSupport\DSAgnt.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher] 2005-10-05 08:12 94208 ----a-w- c:\program files\Dell\Media Experience\DMXLauncher.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate] 2007-11-15 17:24 16384 ----a-w- c:\program files\Dell Support Center\gs_agent\custom\dsca.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray] 2005-09-29 19:01 67584 ----a-w- c:\windows\ehome\ehtray.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup] 2004-07-27 21:50 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler] 2004-07-27 21:50 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] 2004-10-13 16:24 1694208 ----a-w- c:\program files\Messenger\msmsgs.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr] 2009-02-07 01:51 3885408 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon] 2009-05-01 07:30 13750272 ----a-w- c:\windows\system32\nvcpl.dll [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter] 2009-05-01 07:30 86016 ----a-w- c:\windows\system32\nvmctray.dll [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz] 2009-05-01 07:31 1657376 ----a-w- c:\windows\system32\nwiz.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PD0620 STISvc] 2005-05-10 17:03 36864 ----a-r- c:\windows\system32\P0620Pin.dll [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] 2008-02-01 07:13 385024 ----a-w- c:\program files\QuickTime\QTTask.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp] 2006-07-24 22:20 282624 ----a-w- c:\windows\stsystra.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] 2009-03-09 12:19 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager] 2009-05-27 04:06 4351216 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"= "c:\\Program Files\\Valve\\Steam\\SteamApps\\h3rojr\\counter-strike\\hl.exe"= "c:\\Program Files\\Valve\\Steam\\SteamApps\\h3rojr\\day of defeat\\hl.exe"= "c:\\Program Files\\Valve\\Steam\\SteamApps\\h3rojr\\deathmatch classic\\hl.exe"= "c:\\StubInstaller.exe"= "c:\\Program Files\\LimeWire\\LimeWire.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"= "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"= "c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"= "c:\\WINDOWS\\system32\\PnkBstrA.exe"= "c:\\WINDOWS\\system32\\PnkBstrB.exe"= "c:\\Program Files\\Electronic Arts\\Medal of Honor Airborne\\UnrealEngine3\\Binaries\\MOHA.exe"= "c:\\Program Files\\AVG\\AVG9\\avgupd.exe"= "c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"= "c:\\Program Files\\AVG\\AVG9\\avgemc.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "57988:TCP"= 57988:TCP:Pando Media Booster "57988:UDP"= 57988:UDP:Pando Media Booster R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [1/12/2010 10:27 PM 333192] R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [1/12/2010 10:27 PM 360584] R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [1/12/2010 10:27 PM 906520] R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [1/12/2010 10:27 PM 285392] R2 RalinkRegistryWriter;Ralink Registry Writer;c:\program files\Ralink\Common\RalinkRegistryWriter.exe [1/8/2010 12:27 AM 75040] S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [1/6/2010 10:55 PM 38224] S3 RAPIProtocol;Ralink RAPI Protocol Driver;c:\windows\system32\drivers\RAPIProtocol.sys [1/8/2010 12:27 AM 16512] S3 TDWXP;WavePlus 802.11b Wireless PCI/PCMCIA Card Driver;c:\windows\system32\drivers\wpndis51.sys [8/3/2004 3:24 PM 151552] . . ------- Supplementary Scan ------- . uStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage/ mStart Page = hxxp://www.yahoo.com/ mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/http://www.yahoo.com/ext/search/search.html uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/http://www.yahoo.com IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\lee speaks\Start Menu\Programs\IMVU\Run IMVU.lnk FF - ProfilePath - c:\documents and settings\dad\Application Data\Mozilla\Firefox\Profiles\05p9w8ju.default\ FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npracplug.dll FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll ---- FIREFOX POLICIES ---- FF - user.js: yahoo.homepage.dontask - true. ************************************************************************ catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-01-20 18:32 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************ . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'explorer.exe'(2992) c:\windows\system32\WININET.dll c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . Completion time: 2010-01-20 18:34:39 ComboFix-quarantined-files.txt 2010-01-21 02:34 ComboFix2.txt 2010-01-20 04:33 Pre-Run: 195,020,443,648 bytes free Post-Run: 194,995,888,128 bytes free - - End Of File - - AA348763E9BD53BFF046CAC213DB6D7F

myrti View Member Profile	Jan 21 2010, 06:05 AM Post #12
bleepin' _temp_ Group: Malware Response Instructor Posts: 14,924 Joined: 25-January 08 From: At home Member No.: 186,120	Hi, the log looks good. Please run a scan with Eset: Hold down Control and click on the following link to open ESET OnlineScan in a new window. ESET OnlineScan Click the button. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps) Click on to download the ESET Smart Installer. Save it to your desktop. Double click on the icon on your desktop. Check Click the button. Accept any security warnings from your browser. Check Push the Start button. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time. When the scan completes, push Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply. Push the button. Push and provide a new log from OTL. regards myrti -------------------- Help request via PM will be ignored, unless I am already helping you. Please use the forums! If I have helped you please consider to to help me continue the malware fight! Thank you!

ok computer View Member Profile	Jan 21 2010, 10:24 PM Post #13
Member Group: Members Posts: 38 Joined: 19-October 09 Member No.: 392,143	At this point I AM able to boot into Safe Mode, so that problem seems to be remedied as well, thanks to you. The ESET log is below. I'm amazed at how much is still being detected. The OTL log follows that...didn't OTL produce 2 reports before? ESET ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ C:\Program Files\Trend Micro\Internet Security 12\VSS7R9EN.000 a variant of Win32/Adware.CommAd application cleaned by deleting - quarantined C:\Program Files\Trend Micro\Internet Security 12\VSSCD5EN.000 a variant of Win32/Adware.CommAd application cleaned by deleting - quarantined C:\Program Files\Trend Micro\Internet Security 12\VSSCD6T7.000 a variant of Win32/Adware.CommAd application cleaned by deleting - quarantined C:\Program Files\Trend Micro\Internet Security 12\VSSCD8BV.000 a variant of Win32/Adware.CommAd application cleaned by deleting - quarantined C:\Program Files\Trend Micro\Internet Security 12\VSSEA1U7.000 a variant of Win32/Adware.CommAd application cleaned by deleting - quarantined C:\Program Files\Trend Micro\Internet Security 12\VSSEFR17.000 a variant of Win32/Adware.CommAd application cleaned by deleting - quarantined C:\Program Files\Trend Micro\Internet Security 12\VSSEHNEN.000 a variant of Win32/Adware.CommAd application cleaned by deleting - quarantined C:\Program Files\Trend Micro\Internet Security 12\VSSEUKCV.001 a variant of Win32/Adware.CommAd application cleaned by deleting - quarantined C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\iaStor.sys.vir Win32/Olmarik.SJ virus deleted - quarantined OTL... ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ OTL logfile created on: 1/21/2010 7:08:50 PM - Run 2 OTL by OldTimer - Version 3.1.25.2 Folder = C:\Documents and Settings\dad\Desktop Windows XP Media Center Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation Internet Explorer (Version = 8.0.6001.18702) Locale: 00000409 \| Country: United States \| Language: ENU \| Date Format: M/d/yyyy 1,022.00 Mb Total Physical Memory \| 345.00 Mb Available Physical Memory \| 34.00% Memory free 2.00 Gb Paging File \| 2.00 Gb Available in Paging File \| 77.00% Paging File free Paging file location(s): C:\pagefile.sys 1536 3072 [binary data] %SystemDrive% = C: \| %SystemRoot% = C:\WINDOWS \| %ProgramFiles% = C:\Program Files Drive C: \| 228.13 Gb Total Space \| 181.43 Gb Free Space \| 79.53% Space Free \| Partition Type: NTFS D: Drive not present or media not loaded E: Drive not present or media not loaded F: Drive not present or media not loaded G: Drive not present or media not loaded H: Drive not present or media not loaded I: Drive not present or media not loaded Computer Name: DCJZ5TB1 Current User Name: dad Logged in as Administrator. Current Boot Mode: Normal Scan Mode: All users Company Name Whitelist: Off Skip Microsoft Files: Off File Age = 30 Days Output = Standard ========== Processes (SafeList) ========== PRC - [2010/01/17 08:42:07 \| 00,547,328 \| ---- \| M] (OldTimer Tools) -- C:\Documents and Settings\dad\Desktop\OTL.exe PRC - [2010/01/12 22:47:06 \| 02,033,432 \| ---- \| M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgtray.exe PRC - [2010/01/12 22:27:35 \| 01,055,000 \| ---- \| M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgchsvx.exe PRC - [2010/01/12 22:27:35 \| 00,600,344 \| ---- \| M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgnsx.exe PRC - [2010/01/12 22:27:35 \| 00,503,576 \| ---- \| M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgrsx.exe PRC - [2010/01/12 22:27:33 \| 00,702,744 \| ---- \| M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgcsrvx.exe PRC - [2010/01/12 22:27:30 \| 00,906,520 \| ---- \| M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgemc.exe PRC - [2010/01/12 22:27:29 \| 00,285,392 \| ---- \| M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe PRC - [2009/10/26 15:45:38 \| 00,843,032 \| ---- \| M] () -- C:\Program Files\ESET\ESET Online Scanner\OnlineCmdLineScanner.exe PRC - [2009/04/30 23:30:18 \| 00,168,004 \| ---- \| M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe PRC - [2009/03/09 04:19:15 \| 00,152,984 \| ---- \| M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe PRC - [2009/03/08 13:09:26 \| 00,638,816 \| ---- \| M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe PRC - [2009/01/26 14:31:12 \| 05,365,592 \| RHS- \| M] (Safer Networking Limited) -- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe PRC - [2008/11/11 20:54:50 \| 01,634,304 \| ---- \| M] (Ralink Technology, Corp.) -- C:\Program Files\Ralink\Common\RaUI.exe PRC - [2008/09/05 10:23:20 \| 00,075,040 \| ---- \| M] (Ralink Technology, Corp.) -- C:\Program Files\Ralink\Common\RalinkRegistryWriter.exe PRC - [2007/11/28 19:51:10 \| 00,583,048 \| ---- \| M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe PRC - [2007/10/31 14:09:16 \| 00,110,592 \| ---- \| M] (Apple, Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe PRC - [2007/08/14 23:49:26 \| 00,063,040 \| ---- \| M] () -- C:\WINDOWS\system32\PnkBstrA.exe PRC - [2007/06/13 02:23:07 \| 01,033,216 \| ---- \| M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe PRC - [2006/07/06 04:15:00 \| 00,151,552 \| ---- \| M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe PRC - [2006/07/06 04:14:30 \| 00,090,112 \| ---- \| M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe PRC - [2005/09/08 02:20:00 \| 00,122,940 \| ---- \| M] (Sonic Solutions) -- C:\WINDOWS\system32\DLA\DLACTRLW.EXE ========== Modules (SafeList) ========== MOD - [2010/01/17 08:42:07 \| 00,547,328 \| ---- \| M] (OldTimer Tools) -- C:\Documents and Settings\dad\Desktop\OTL.exe MOD - [2006/08/25 07:45:55 \| 01,054,208 \| ---- \| M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll ========== Win32 Services (SafeList) ========== SRV - File not found [Auto \| Stopped] -- -- (LiveUpdate Notice Ex) SRV - [2010/01/12 22:27:30 \| 00,906,520 \| ---- \| M] (AVG Technologies CZ, s.r.o.) [Auto \| Running] -- C:\Program Files\AVG\AVG9\avgemc.exe -- (avg9emc) SRV - [2010/01/12 22:27:29 \| 00,285,392 \| ---- \| M] (AVG Technologies CZ, s.r.o.) [Auto \| Running] -- C:\Program Files\AVG\AVG9\avgwdsvc.exe -- (avg9wd) SRV - [2009/09/07 20:14:16 \| 00,103,736 \| ---- \| M] () [On_Demand \| Stopped] -- C:\WINDOWS\system32\PnkBstrB.exe -- (PnkBstrB) SRV - [2009/04/30 23:30:18 \| 00,168,004 \| ---- \| M] (NVIDIA Corporation) [Auto \| Running] -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc) SRV - [2009/03/09 04:19:15 \| 00,152,984 \| ---- \| M] (Sun Microsystems, Inc.) [Auto \| Running] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService) SRV - [2008/09/05 10:23:20 \| 00,075,040 \| ---- \| M] (Ralink Technology, Corp.) [Auto \| Running] -- C:\Program Files\Ralink\Common\RalinkRegistryWriter.exe -- (RalinkRegistryWriter) SRV - [2007/11/28 19:51:10 \| 00,583,048 \| ---- \| M] (Symantec Corporation) [Auto \| Running] -- C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe -- (LiveUpdate Notice Service) SRV - [2007/10/31 14:09:16 \| 00,110,592 \| ---- \| M] (Apple, Inc.) [Auto \| Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device) SRV - [2007/08/14 23:49:26 \| 00,063,040 \| ---- \| M] () [Auto \| Running] -- C:\WINDOWS\system32\PnkBstrA.exe -- (PnkBstrA) SRV - [2007/03/07 14:47:46 \| 00,076,848 \| ---- \| M] () [On_Demand \| Stopped] -- C:\Program Files\DellSupport\brkrsvc.exe -- (DSBrokerService) SRV - [2006/07/06 04:14:30 \| 00,090,112 \| ---- \| M] (Intel Corporation) [Auto \| Running] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel® SRV - [2006/06/01 13:25:00 \| 00,180,224 \| ---- \| M] (Intel Corporation) [Auto \| Stopped] -- C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\ELService.exe -- (ELService) Intel® SRV - [2004/07/14 22:49:26 \| 00,032,768 \| ---- \| M] (Microsoft Corporation) [On_Demand \| Stopped] -- C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe -- (aspnet_state) ========== Driver Services (SafeList) ========== DRV - [2010/01/16 00:21:14 \| 00,246,784 \| ---- \| M] (Intel Corporation) [Kernel \| Boot \| Running] -- C:\WINDOWS\system32\drivers\iastor.sys -- (iastor) DRV - [2010/01/12 22:27:51 \| 00,360,584 \| ---- \| M] (AVG Technologies CZ, s.r.o.) [Kernel \| System \| Running] -- C:\WINDOWS\System32\Drivers\avgtdix.sys -- (AvgTdiX) DRV - [2010/01/12 22:27:51 \| 00,333,192 \| ---- \| M] (AVG Technologies CZ, s.r.o.) [Kernel \| System \| Running] -- C:\WINDOWS\System32\Drivers\avgldx86.sys -- (AvgLdx86) DRV - [2010/01/12 22:27:51 \| 00,028,424 \| ---- \| M] (AVG Technologies CZ, s.r.o.) [File_System \| System \| Running] -- C:\WINDOWS\System32\Drivers\avgmfx86.sys -- (AvgMfx86) DRV - [2010/01/08 00:26:56 \| 00,021,361 \| ---- \| M] (Cisco Systems, Inc.) [Kernel \| Auto \| Running] -- C:\WINDOWS\system32\drivers\AegisP.sys -- (AegisP) AEGIS Protocol (IEEE 802.1x) DRV - [2010/01/07 16:07:14 \| 00,038,224 \| ---- \| M] (Malwarebytes Corporation) [Kernel \| On_Demand \| Stopped] -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy) DRV - [2009/09/07 20:14:49 \| 00,022,328 \| ---- \| M] () [Kernel \| On_Demand \| Stopped] -- C:\WINDOWS\system32\drivers\PnkBstrK.sys -- (PnkBstrK) DRV - [2009/04/30 21:02:00 \| 08,055,584 \| ---- \| M] (NVIDIA Corporation) [Kernel \| On_Demand \| Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv) DRV - [2008/10/21 11:16:58 \| 00,465,152 \| ---- \| M] (Ralink Technology, Corp.) [Kernel \| On_Demand \| Stopped] -- C:\WINDOWS\system32\drivers\rt73.sys -- (RT73) DRV - [2008/08/07 14:42:36 \| 00,016,512 \| ---- \| M] (Ralink Technology, Corp.) [Kernel \| On_Demand \| Stopped] -- C:\WINDOWS\system32\drivers\RAPIProtocol.sys -- (RAPIProtocol) DRV - [2008/06/20 01:52:06 \| 00,225,920 \| ---- \| M] (Microsoft Corporation) [Kernel \| System \| Running] -- C:\WINDOWS\system32\drivers\tcpip6.sys -- (Tcpip6) DRV - [2007/11/13 02:25:53 \| 00,020,480 \| ---- \| M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel \| Auto \| Running] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv) DRV - [2007/10/31 14:09:14 \| 00,030,464 \| ---- \| M] (Apple, Inc.) [Kernel \| On_Demand \| Stopped] -- C:\WINDOWS\system32\drivers\usbaapl.sys -- (USBAAPL) DRV - [2007/02/25 11:10:48 \| 00,005,376 \| --S- \| M] (Gteko Ltd.) [Kernel \| Auto \| Running] -- C:\WINDOWS\system32\drivers\dsunidrv.sys -- (dsunidrv) DRV - [2006/12/18 17:46:38 \| 00,016,224 \| ---- \| M] (LogMeIn, Inc.) [Kernel \| On_Demand \| Stopped] -- C:\WINDOWS\system32\drivers\hamachi.sys -- (hamachi) DRV - [2006/10/26 20:39:59 \| 00,008,413 \| ---- \| M] (RealNetworks, Inc.) [Kernel \| Auto \| Running] -- C:\WINDOWS\system32\drivers\mcstrm.sys -- (MCSTRM) DRV - [2006/10/05 15:07:28 \| 00,004,736 \| ---- \| M] (Gteko Ltd.) [Kernel \| On_Demand \| Stopped] -- C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys -- (DSproct) DRV - [2006/09/19 05:02:07 \| 00,008,552 \| ---- \| M] (Windows ® 2000 DDK provider) [Kernel \| Auto \| Running] -- C:\WINDOWS\system32\drivers\asctrm.sys -- (ASCTRM) DRV - [2006/07/24 14:20:00 \| 01,156,648 \| ---- \| M] (SigmaTel, Inc.) [Kernel \| On_Demand \| Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA) DRV - [2006/06/05 10:49:08 \| 00,230,400 \| ---- \| M] (Intel Corporation) [Kernel \| On_Demand \| Running] -- C:\WINDOWS\system32\drivers\e1e5132.sys -- (e1express) Intel® DRV - [2006/05/09 12:36:44 \| 00,009,728 \| ---- \| M] (Intel Corporation) [Kernel \| On_Demand \| Stopped] -- C:\WINDOWS\system32\drivers\ELacpi.sys -- (ELacpi) DRV - [2006/05/09 12:36:42 \| 00,007,040 \| ---- \| M] (Intel Corporation) [Kernel \| System \| Running] -- C:\WINDOWS\system32\drivers\Elmon.sys -- (ELmon) DRV - [2006/05/09 12:36:22 \| 00,006,912 \| ---- \| M] (Intel Corporation) [Kernel \| System \| Running] -- C:\WINDOWS\system32\drivers\Elkbd.sys -- (ELkbd) DRV - [2006/05/09 12:36:20 \| 00,006,400 \| ---- \| M] (Intel Corporation) [Kernel \| System \| Running] -- C:\WINDOWS\system32\drivers\Elmou.sys -- (ELmou) DRV - [2006/05/09 12:36:18 \| 00,010,112 \| ---- \| M] (Intel Corporation) [Kernel \| System \| Running] -- C:\WINDOWS\system32\drivers\Elhid.sys -- (ELhid) DRV - [2005/09/12 00:30:00 \| 00,089,264 \| ---- \| M] (Sonic Solutions) [Kernel \| Boot \| Running] -- C:\WINDOWS\System32\Drivers\DRVMCDB.SYS -- (DRVMCDB) DRV - [2005/09/08 02:20:00 \| 00,094,332 \| ---- \| M] (Sonic Solutions) [File_System \| Auto \| Running] -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS -- (DLAUDFAM) DRV - [2005/09/08 02:20:00 \| 00,087,036 \| ---- \| M] (Sonic Solutions) [File_System \| Auto \| Running] -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS -- (DLAUDF_M) DRV - [2005/09/08 02:20:00 \| 00,086,524 \| ---- \| M] (Sonic Solutions) [File_System \| Auto \| Running] -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS -- (DLAIFS_M) DRV - [2005/09/08 02:20:00 \| 00,025,628 \| ---- \| M] (Sonic Solutions) [File_System \| Auto \| Running] -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS -- (DLABOIOM) DRV - [2005/09/08 02:20:00 \| 00,014,684 \| ---- \| M] (Sonic Solutions) [File_System \| Auto \| Running] -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS -- (DLAOPIOM) DRV - [2005/09/08 02:20:00 \| 00,006,364 \| ---- \| M] (Sonic Solutions) [File_System \| Auto \| Running] -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS -- (DLAPoolM) DRV - [2005/09/08 02:20:00 \| 00,002,496 \| ---- \| M] (Sonic Solutions) [File_System \| Auto \| Running] -- C:\WINDOWS\system32\DLA\DLADResN.SYS -- (DLADResN) DRV - [2005/08/25 09:16:52 \| 00,005,628 \| ---- \| M] (Sonic Solutions) [File_System \| System \| Running] -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS -- (DLACDBHM) DRV - [2005/08/25 09:16:16 \| 00,022,684 \| ---- \| M] (Sonic Solutions) [File_System \| System \| Running] -- C:\WINDOWS\system32\drivers\DLARTL_N.SYS -- (DLARTL_N) DRV - [2005/08/12 02:20:00 \| 00,040,544 \| ---- \| M] (Sonic Solutions) [File_System \| Auto \| Running] -- C:\WINDOWS\system32\drivers\DRVNDDM.SYS -- (DRVNDDM) DRV - [2005/05/11 19:24:08 \| 00,062,856 \| ---- \| M] (Service & Quality Technology.) [Kernel \| On_Demand \| Stopped] -- C:\WINDOWS\system32\drivers\Capt9080.sys -- (SQTECH9080) MegaCam(PID_9080_00) DRV - [2005/04/24 17:57:36 \| 00,091,864 \| R--- \| M] (Creative Technology Ltd.) [Kernel \| On_Demand \| Stopped] -- C:\WINDOWS\system32\drivers\P0620Vid.sys -- (PD0620VID) DRV - [2005/01/25 23:03:00 \| 00,020,576 \| ---- \| M] (Sonic Solutions) [Kernel \| Boot \| Running] -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20) DRV - [2004/08/12 14:45:54 \| 00,137,728 \| ---- \| M] (Windows ® Server 2003 DDK provider) [Kernel \| On_Demand \| Running] -- C:\WINDOWS\system32\drivers\Hdaudbus.sys -- (HDAudBus) DRV - [2004/08/10 02:00:00 \| 00,017,792 \| ---- \| M] (Parallel Technologies, Inc.) [Kernel \| On_Demand \| Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink) DRV - [2004/08/03 20:07:44 \| 00,043,008 \| ---- \| M] (Advanced Micro Devices, Inc.) [Kernel \| Disabled \| Stopped] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp) DRV - [2004/08/03 20:07:44 \| 00,041,088 \| ---- \| M] (Silicon Integrated Systems Corporation) [Kernel \| Disabled \| Stopped] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp) DRV - [2004/08/03 15:24:22 \| 00,151,552 \| ---- \| M] (WavePlus Technology Co., Ltd.) [Kernel \| On_Demand \| Stopped] -- C:\WINDOWS\system32\drivers\wpndis51.sys -- (TDWXP) DRV - [2004/06/09 07:29:56 \| 00,006,977 \| ---- \| M] (Gteko Ltd.) [Kernel \| On_Demand \| Stopped] -- C:\WINDOWS\system32\DDMI2.sys -- (SDDMI2) DRV - [2003/11/17 18:59:20 \| 00,212,224 \| ---- \| M] (Conexant Systems, Inc.) [Kernel \| On_Demand \| Running] -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys -- (HSFHWBS2) DRV - [2003/11/17 18:58:02 \| 00,680,704 \| ---- \| M] (Conexant Systems, Inc.) [Kernel \| On_Demand \| Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf) DRV - [2003/11/17 18:56:26 \| 01,042,432 \| ---- \| M] (Conexant Systems, Inc.) [Kernel \| On_Demand \| Running] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP) DRV - [2003/04/09 15:48:08 \| 00,011,043 \| ---- \| M] (Conexant) [Kernel \| Auto \| Running] -- C:\WINDOWS\system32\drivers\mdmxsdk.sys -- (mdmxsdk) DRV - [2002/09/23 01:49:00 \| 00,068,672 \| R--- \| M] (2Wire, Inc.) [Kernel \| On_Demand \| Stopped] -- C:\WINDOWS\system32\drivers\2WirePCP.sys -- (2WIREPCP) DRV - [2001/08/17 11:07:44 \| 00,019,072 \| ---- \| M] (Adaptec, Inc.) [Kernel \| Disabled \| Stopped] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow) DRV - [2001/08/17 11:07:42 \| 00,030,688 \| ---- \| M] (LSI Logic) [Kernel \| Disabled \| Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3) DRV - [2001/08/17 11:07:40 \| 00,028,384 \| ---- \| M] (LSI Logic) [Kernel \| Disabled \| Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi) DRV - [2001/08/17 11:07:36 \| 00,032,640 \| ---- \| M] (LSI Logic) [Kernel \| Disabled \| Stopped] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx) DRV - [2001/08/17 11:07:34 \| 00,016,256 \| ---- \| M] (Symbios Logic Inc.) [Kernel \| Disabled \| Stopped] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810) DRV - [2001/08/17 10:57:38 \| 00,016,128 \| ---- \| M] (Microsoft Corporation) [Kernel \| On_Demand \| Running] -- C:\WINDOWS\system32\drivers\MODEMCSA.sys -- (MODEMCSA) DRV - [2001/08/17 10:52:22 \| 00,036,736 \| ---- \| M] (Promise Technology, Inc.) [Kernel \| Disabled \| Stopped] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra) DRV - [2001/08/17 10:52:20 \| 00,045,312 \| ---- \| M] (QLogic Corporation) [Kernel \| Disabled \| Stopped] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160) DRV - [2001/08/17 10:52:20 \| 00,040,320 \| ---- \| M] (QLogic Corporation) [Kernel \| Disabled \| Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080) DRV - [2001/08/17 10:52:18 \| 00,049,024 \| ---- \| M] (QLogic Corporation) [Kernel \| Disabled \| Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280) DRV - [2001/08/17 10:52:16 \| 00,179,584 \| ---- \| M] (Mylex Corporation) [Kernel \| Disabled \| Stopped] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k) DRV - [2001/08/17 10:52:12 \| 00,017,280 \| ---- \| M] (American Megatrends Inc.) [Kernel \| Disabled \| Stopped] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x) DRV - [2001/08/17 10:52:00 \| 00,026,496 \| ---- \| M] (Advanced System Products, Inc.) [Kernel \| Disabled \| Stopped] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc) DRV - [2001/08/17 10:51:58 \| 00,014,848 \| ---- \| M] (Advanced System Products, Inc.) [Kernel \| Disabled \| Stopped] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550) DRV - [2001/08/17 10:51:56 \| 00,005,248 \| ---- \| M] (Acer Laboratories Inc.) [Kernel \| Disabled \| Stopped] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde) DRV - [2001/08/17 10:51:54 \| 00,006,656 \| ---- \| M] (CMD Technology, Inc.) [Kernel \| Disabled \| Stopped] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde) DRV - [2001/08/17 09:12:10 \| 00,117,760 \| ---- \| M] (Intel Corporation) [Kernel \| On_Demand \| Stopped] -- C:\WINDOWS\system32\drivers\e100b325.sys -- (E100B) Intel® ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5060919 IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5060919 IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5060919 IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5060919 IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/ IE - HKU\S-1-5-19\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/ IE - HKU\S-1-5-20\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-21-2891760595-2461145334-508594633-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = www.live.com [binary data] IE - HKU\S-1-5-21-2891760595-2461145334-508594633-1007\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1 IE - HKU\S-1-5-21-2891760595-2461145334-508594633-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/ IE - HKU\S-1-5-21-2891760595-2461145334-508594633-1007\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll () IE - HKU\S-1-5-21-2891760595-2461145334-508594633-1007\S-1-5-21-2891760595-2461145334-508594633-1007\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-21-2891760595-2461145334-508594633-500\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5060919 IE - HKU\S-1-5-21-2891760595-2461145334-508594633-500\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell.com IE - HKU\S-1-5-21-2891760595-2461145334-508594633-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/ IE - HKU\S-1-5-21-2891760595-2461145334-508594633-500\S-1-5-21-2891760595-2461145334-508594633-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-21-2891760595-2461145334-508594633-501\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.com IE - HKU\S-1-5-21-2891760595-2461145334-508594633-501\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = www.live.com [binary data] IE - HKU\S-1-5-21-2891760595-2461145334-508594633-501\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://g.msn.com/1me10IE8ENUS/701 IE - HKU\S-1-5-21-2891760595-2461145334-508594633-501\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1 IE - HKU\S-1-5-21-2891760595-2461145334-508594633-501\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google IE - HKU\S-1-5-21-2891760595-2461145334-508594633-501\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerm...tf8&oe=utf8 IE - HKU\S-1-5-21-2891760595-2461145334-508594633-501\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = www.live.com [binary data] IE - HKU\S-1-5-21-2891760595-2461145334-508594633-501\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com IE - HKU\S-1-5-21-2891760595-2461145334-508594633-501\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie IE - HKU\S-1-5-21-2891760595-2461145334-508594633-501\..\URLSearchHook: {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - Reg Error: Key error. File not found IE - HKU\S-1-5-21-2891760595-2461145334-508594633-501\S-1-5-21-2891760595-2461145334-508594633-501\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 ========== FireFox ========== FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:9.0.0.716 FF - prefs.js..extensions.enabledItems: avg@igeared:3.011.025.005 FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0 FF - HKLM\software\mozilla\Firefox\extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG9\Firefox [2010/01/12 22:27:29 \| 00,000,000 \| ---D \| M] FF - HKLM\software\mozilla\Firefox\extensions\\avg@igeared: C:\Program Files\AVG\AVG9\Toolbar\Firefox\avg@igeared [2010/01/12 22:27:48 \| 00,000,000 \| ---D \| M] FF - HKLM\software\mozilla\Mozilla Firefox 3.5.7\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/01/20 18:21:29 \| 00,000,000 \| ---D \| M] FF - HKLM\software\mozilla\Mozilla Firefox 3.5.7\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/01/17 10:31:52 \| 00,000,000 \| ---D \| M] [2008/06/23 10:58:10 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\dad\Application Data\Mozilla\Extensions [2010/01/15 18:31:42 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\dad\Application Data\Mozilla\Firefox\Profiles\05p9w8ju.default\extensions [2010/01/19 20:59:05 \| 00,000,000 \| ---D \| M] -- C:\Program Files\Mozilla Firefox\extensions [2009/04/08 22:40:58 \| 00,239,432 \| ---- \| M] (Pando Networks) -- C:\Program Files\Mozilla Firefox\plugins\npPandoWebInst.dll [2005/04/27 12:10:49 \| 00,102,400 \| ---- \| M] (RealNetworks) -- C:\Program Files\Mozilla Firefox\plugins\npracplug.dll O1 HOSTS File: ([2010/01/19 20:24:16 \| 00,000,027 \| ---- \| M]) - C:\WINDOWS\system32\drivers\etc\hosts O1 - Hosts: 127.0.0.1 localhost O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found. O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated) O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.) O2 - BHO: (no name) - {52706EF7-D7A2-49AD-A615-E903858CF284} - No CLSID value found. O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited) O2 - BHO: (AVG Security Toolbar BHO) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll () O2 - BHO: (MSN Toolbar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll (Microsoft Corp.) O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.) O3 - HKLM\..\Toolbar: (MSN Toolbar) - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll (Microsoft Corp.) O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll () O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found. O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found. O3 - HKU\S-1-5-21-2891760595-2461145334-508594633-1007\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found. O3 - HKU\S-1-5-21-2891760595-2461145334-508594633-1007\..\Toolbar\WebBrowser: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll () O3 - HKU\S-1-5-21-2891760595-2461145334-508594633-500\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found. O3 - HKU\S-1-5-21-2891760595-2461145334-508594633-501\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found. O4 - HKLM..\Run: [AVG9_TRAY] C:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.) O4 - HKLM..\Run: [DLA] C:\WINDOWS\system32\DLA\DLACTRLW.EXE (Sonic Solutions) O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation) O4 - HKLM..\Run: [Symantec PIF AlertEng] C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe (Symantec Corporation) O4 - HKU\S-1-5-21-2891760595-2461145334-508594633-500..\Run: [DellSupport] C:\Program Files\DellSupport\DSAgnt.exe (Gteko Ltd.) O4 - HKU\S-1-5-21-2891760595-2461145334-508594633-500..\Run: [OE_OEM] C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe File not found O4 - HKU\S-1-5-21-2891760595-2461145334-508594633-501..\Run: [cmonitor] C:\Program Files\SystemDoctor 2006 Free\pasmon.exe File not found O4 - HKU\S-1-5-21-2891760595-2461145334-508594633-501..\Run: [dc6_check] C:\Program Files\Common Files\WinAntiVirus Pro 2006\dc6_startupmon.exe File not found O4 - HKU\S-1-5-21-2891760595-2461145334-508594633-501..\Run: [DellSupport] C:\Program Files\DellSupport\DSAgnt.exe (Gteko Ltd.) O4 - HKU\S-1-5-21-2891760595-2461145334-508594633-501..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe File not found O4 - HKU\S-1-5-21-2891760595-2461145334-508594633-501..\Run: [ERS_check] C:\Program Files\Common Files\WinAntiVirus Pro 2006\ers_startupmon.exe File not found O4 - HKU\S-1-5-21-2891760595-2461145334-508594633-501..\Run: [msnmsgr] C:\Program Files\MSN Messenger\msnmsgr.exe File not found O4 - HKU\S-1-5-21-2891760595-2461145334-508594633-501..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe File not found O4 - HKU\S-1-5-21-2891760595-2461145334-508594633-501..\Run: [OE_OEM] C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe File not found O4 - HKU\S-1-5-21-2891760595-2461145334-508594633-501..\Run: [QuickTime Task] C:\Program Files\QuickTime\QTTask.exe (Apple Inc.) O4 - HKU\S-1-5-21-2891760595-2461145334-508594633-501..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe File not found O4 - HKU\S-1-5-21-2891760595-2461145334-508594633-501..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.) O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Ralink Wireless Utility.lnk = C:\Program Files\Ralink\Common\RaUI.exe (Ralink Technology, Corp.) O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft) O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme () O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323 O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863 O7 - HKU\PE_C_ALL USERS\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323 O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863 O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-21-2891760595-2461145334-508594633-1007\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-21-2891760595-2461145334-508594633-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323 O7 - HKU\S-1-5-21-2891760595-2461145334-508594633-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863 O7 - HKU\S-1-5-21-2891760595-2461145334-508594633-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 O7 - HKU\S-1-5-21-2891760595-2461145334-508594633-1007_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-21-2891760595-2461145334-508594633-500\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-21-2891760595-2461145334-508594633-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\S-1-5-21-2891760595-2461145334-508594633-501\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-21-2891760595-2461145334-508594633-501\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O9 - Extra Button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\lee speaks\Start Menu\Programs\IMVU\Run IMVU.lnk File not found O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited) O15 - HKLM\..Trusted Domains: 49 domain(s) and sub-domain(s) not assigned to a zone. O15 - HKU\.DEFAULT\..Trusted Domains: 48 domain(s) and sub-domain(s) not assigned to a zone. O15 - HKU\S-1-5-18\..Trusted Domains: 48 domain(s) and sub-domain(s) not assigned to a zone. O15 - HKU\S-1-5-21-2891760595-2461145334-508594633-1007\..Trusted Domains: 48 domain(s) and sub-domain(s) not assigned to a zone. O15 - HKU\S-1-5-21-2891760595-2461145334-508594633-500\..Trusted Domains: 48 domain(s) and sub-domain(s) not assigned to a zone. O15 - HKU\S-1-5-21-2891760595-2461145334-508594633-501\..Trusted Domains: 48 domain(s) and sub-domain(s) not assigned to a zone. O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab (Checkers Class) O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab (Checkers Class) O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control) O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13) O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab (MessengerStatsClient Class) O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab (MessengerStatsClient Class) O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Reg Error: Key error.) O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.) O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.) O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.) O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.) O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13) O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab (Shockwave Flash Object) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1 O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.) O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation) O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation) O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation) O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.) O24 - Desktop WallPaper: C:\WINDOWS\Dell.bmp O24 - Desktop BackupWallPaper: C:\WINDOWS\Dell.bmp O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2005/08/16 01:43:04 \| 00,000,000 \| ---- \| M] () - C:\AUTOEXEC.BAT -- [ NTFS ] O34 - HKLM BootExecute: (autocheck autochk ) - File not found O35 - comfile [open] -- "%1" % O35 - exefile [open] -- "%1" %* ========== Files/Folders - Created Within 30 Days ========== [2010/01/21 17:17:01 \| 00,000,000 \| ---D \| C] -- C:\Program Files\ESET [2010/01/20 18:43:17 \| 00,000,000 \| -HSD \| C] -- C:\RECYCLER [2010/01/19 19:42:21 \| 00,000,000 \| RHSD \| C] -- C:\cmdcons [2010/01/19 19:39:48 \| 00,212,480 \| ---- \| C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe [2010/01/19 19:39:48 \| 00,161,792 \| ---- \| C] (SteelWerX) -- C:\WINDOWS\SWREG.exe [2010/01/19 19:39:48 \| 00,136,704 \| ---- \| C] (SteelWerX) -- C:\WINDOWS\SWSC.exe [2010/01/19 19:39:48 \| 00,031,232 \| ---- \| C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe [2010/01/19 19:39:22 \| 00,000,000 \| ---D \| C] -- C:\WINDOWS\ERDNT [2010/01/19 19:38:40 \| 00,000,000 \| ---D \| C] -- C:\Qoobox [2010/01/17 08:42:07 \| 00,547,328 \| ---- \| C] (OldTimer Tools) -- C:\Documents and Settings\dad\Desktop\OTL.exe [2010/01/15 18:10:43 \| 00,000,000 \| ---D \| C] -- C:\Documents and Settings\dad\Local Settings\Application Data\AVG Security Toolbar [2010/01/12 22:28:21 \| 00,000,000 \| ---D \| C] -- C:\$AVG [2010/01/12 22:27:52 \| 00,012,464 \| ---- \| C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll [2010/01/12 22:27:51 \| 00,360,584 \| ---- \| C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys [2010/01/12 22:27:51 \| 00,333,192 \| ---- \| C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgldx86.sys [2010/01/12 22:27:51 \| 00,028,424 \| ---- \| C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgmfx86.sys [2010/01/12 22:27:50 \| 00,000,000 \| ---D \| C] -- C:\WINDOWS\System32\drivers\Avg [2010/01/12 22:27:48 \| 00,000,000 \| ---D \| C] -- C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar [2010/01/12 22:27:29 \| 00,000,000 \| ---D \| C] -- C:\Documents and Settings\All Users\Application Data\avg9 [2010/01/12 22:27:29 \| 00,000,000 \| ---D \| C] -- C:\Program Files\AVG [2010/01/12 22:24:53 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft [2010/01/12 21:41:19 \| 00,000,000 \| ---D \| C] -- C:\Documents and Settings\All Users\Application Data\Trend Micro [2010/01/12 21:39:35 \| 00,000,000 \| ---D \| C] -- C:\Documents and Settings\dad\Desktop\32bit [2010/01/12 21:25:27 \| 00,000,000 \| --SD \| M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft [2010/01/12 21:25:27 \| 00,000,000 \| --SD \| M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft [2010/01/12 21:25:27 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft [2010/01/09 16:55:05 \| 00,472,064 \| ---- \| C] ( ) -- C:\Documents and Settings\dad\Desktop\RootRepeal.exe [2010/01/09 16:45:14 \| 00,812,344 \| ---- \| C] (Trend Micro Inc.) -- C:\Documents and Settings\dad\Desktop\HJTInstall.exe [2010/01/08 00:27:01 \| 01,093,632 \| ---- \| C] (The OpenSSL Project, http://www.openssl.org/) -- C:\WINDOWS\System32\libeay32.dll [2010/01/08 00:27:01 \| 00,315,510 \| ---- \| C] (Ralink Technology, Corp.) -- C:\WINDOWS\System32\RAPI.dll [2010/01/08 00:27:01 \| 00,200,704 \| ---- \| C] (The OpenSSL Project, http://www.openssl.org/) -- C:\WINDOWS\System32\ssleay32.dll [2010/01/08 00:27:01 \| 00,016,512 \| ---- \| C] (Ralink Technology, Corp.) -- C:\WINDOWS\System32\drivers\RAPIProtocol.sys [2010/01/08 00:26:56 \| 00,021,361 \| ---- \| C] (Cisco Systems, Inc.) -- C:\WINDOWS\System32\drivers\AegisP.sys [2010/01/08 00:26:55 \| 00,465,152 \| ---- \| C] (Ralink Technology, Corp.) -- C:\WINDOWS\System32\drivers\rt73.sys [2010/01/08 00:26:54 \| 00,000,000 \| ---D \| C] -- C:\Program Files\Ralink [2010/01/07 22:51:01 \| 00,000,000 \| ---D \| C] -- C:\Documents and Settings\All Users\Application Data\Ralink Driver [2010/01/07 22:50:42 \| 00,000,000 \| ---D \| C] -- C:\Documents and Settings\dad\Application Data\InstallShield [2010/01/06 22:55:24 \| 00,038,224 \| ---- \| C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys [2010/01/06 22:55:21 \| 00,019,160 \| ---- \| C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys [2010/01/06 22:55:21 \| 00,000,000 \| ---D \| C] -- C:\Program Files\Malwarebytes' Anti-Malware [2010/01/06 22:54:54 \| 05,061,512 \| ---- \| C] (Malwarebytes Corporation ) -- C:\Documents and Settings\dad\Desktop\mbam-setup.exe [2010/01/03 13:24:47 \| 00,000,000 \| ---D \| C] -- C:\found.001 [2009/12/28 18:28:13 \| 00,000,000 \| ---D \| C] -- C:\Config.Msi [2009/12/27 01:01:36 \| 00,000,000 \| ---D \| C] -- C:\Program Files\Counter-Strike 2D [2009/12/26 20:48:00 \| 00,000,000 \| ---D \| C] -- C:\Documents and Settings\All Users\Application Data\Macromedia [2009/12/25 16:05:52 \| 00,000,000 \| ---D \| C] -- C:\Program Files\KingsIsle Entertainment [2007/08/29 09:50:01 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple [2007/04/07 00:05:03 \| 00,774,144 \| ---- \| C] (RealNetworks, Inc.) -- C:\Program Files\RngInterstitial.dll [2006/11/17 15:44:16 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Mozilla [2006/11/17 15:44:16 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\LocalService\Application Data\Mozilla [2006/11/11 15:08:18 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia [2006/11/07 18:09:40 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\LocalService\Application Data\Macromedia [2006/11/06 18:50:28 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\LocalService\Application Data\Sun [2006/11/05 23:00:48 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\LocalService\Application Data\yahoo! [2006/11/05 20:36:07 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google [2006/11/05 20:36:07 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\LocalService\Application Data\Google [10 C:\WINDOWS\System32\.tmp files -> C:\WINDOWS\System32\.tmp -> ] [1 C:\WINDOWS\.tmp files -> C:\WINDOWS\.tmp -> ] ========== Files - Modified Within 30 Days ========== [2010/01/21 17:19:36 \| 54,493,657 \| ---- \| M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm [2010/01/21 17:19:07 \| 00,142,495 \| ---- \| M] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg [2010/01/21 17:15:55 \| 06,291,456 \| -H-- \| M] () -- C:\Documents and Settings\dad\NTUSER.DAT [2010/01/21 17:13:41 \| 00,002,206 \| ---- \| M] () -- C:\WINDOWS\System32\wpa.dbl [2010/01/21 17:12:45 \| 00,000,006 \| -H-- \| M] () -- C:\WINDOWS\tasks\SA.DAT [2010/01/21 17:12:42 \| 00,002,048 \| --S- \| M] () -- C:\WINDOWS\bootstat.dat [2010/01/21 17:12:39 \| 10,716,89728 \| -HS- \| M] () -- C:\hiberfil.sys [2010/01/21 17:11:40 \| 00,000,178 \| -HS- \| M] () -- C:\Documents and Settings\dad\ntuser.ini [2010/01/21 17:11:38 \| 02,128,656 \| -H-- \| M] () -- C:\Documents and Settings\dad\Local Settings\Application Data\IconCache.db [2010/01/20 18:32:29 \| 00,000,227 \| ---- \| M] () -- C:\WINDOWS\system.ini [2010/01/19 20:24:16 \| 00,000,027 \| ---- \| M] () -- C:\WINDOWS\System32\drivers\etc\hosts [2010/01/19 19:42:35 \| 00,000,307 \| RHS- \| M] () -- C:\boot.ini [2010/01/19 19:37:45 \| 03,829,629 \| R--- \| M] () -- C:\Documents and Settings\dad\Desktop\ComboFix.exe [2010/01/18 07:29:53 \| 00,077,312 \| ---- \| M] () -- C:\mbr.exe [2010/01/18 07:02:03 \| 00,236,544 \| ---- \| M] () -- C:\Documents and Settings\dad\Desktop\pev.exe [2010/01/18 07:02:03 \| 00,008,984 \| ---- \| M] () -- C:\Documents and Settings\dad\Desktop\ncmd.cfxxe [2010/01/18 07:02:03 \| 00,000,476 \| ---- \| M] () -- C:\Documents and Settings\dad\Desktop\rkill.reg [2010/01/17 10:33:00 \| 00,293,376 \| ---- \| M] () -- C:\Documents and Settings\dad\Desktop\unenv9g6.exe [2010/01/17 08:42:07 \| 00,547,328 \| ---- \| M] (OldTimer Tools) -- C:\Documents and Settings\dad\Desktop\OTL.exe [2010/01/16 00:21:14 \| 00,246,784 \| ---- \| M] (Intel Corporation) -- C:\WINDOWS\System32\drivers\iastor.sys [2010/01/14 19:13:05 \| 00,000,664 \| ---- \| M] () -- C:\WINDOWS\System32\d3d9caps.dat [2010/01/12 22:28:03 \| 00,113,461 \| ---- \| M] () -- C:\WINDOWS\System32\drivers\Avg\iavichjw.avm [2010/01/12 22:27:52 \| 00,012,464 \| ---- \| M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll [2010/01/12 22:27:52 \| 00,001,507 \| ---- \| M] () -- C:\Documents and Settings\All Users\Desktop\AVG Free 9.0.lnk [2010/01/12 22:27:51 \| 06,061,540 \| ---- \| M] () -- C:\WINDOWS\System32\drivers\Avg\avi7.avg [2010/01/12 22:27:51 \| 00,492,629 \| ---- \| M] () -- C:\WINDOWS\System32\drivers\Avg\miniavi.avg [2010/01/12 22:27:51 \| 00,360,584 \| ---- \| M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys [2010/01/12 22:27:51 \| 00,333,192 \| ---- \| M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgldx86.sys [2010/01/12 22:27:51 \| 00,028,424 \| ---- \| M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgmfx86.sys [2010/01/09 16:55:23 \| 00,000,000 \| ---- \| M] () -- C:\Documents and Settings\dad\Desktop\settings.dat [2010/01/09 16:55:09 \| 00,472,064 \| ---- \| M] ( ) -- C:\Documents and Settings\dad\Desktop\RootRepeal.exe [2010/01/09 16:51:14 \| 00,524,288 \| ---- \| M] () -- C:\Documents and Settings\dad\Desktop\dds.scr [2010/01/09 16:45:16 \| 00,812,344 \| ---- \| M] (Trend Micro Inc.) -- C:\Documents and Settings\dad\Desktop\HJTInstall.exe [2010/01/09 09:11:19 \| 00,441,626 \| ---- \| M] () -- C:\WINDOWS\System32\PerfStringBackup.INI [2010/01/09 09:11:19 \| 00,381,692 \| ---- \| M] () -- C:\WINDOWS\System32\perfh009.dat [2010/01/09 09:11:19 \| 00,053,436 \| ---- \| M] () -- C:\WINDOWS\System32\perfc009.dat [2010/01/08 00:27:01 \| 00,001,621 \| ---- \| M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Ralink Wireless Utility.lnk [2010/01/08 00:26:56 \| 00,376,832 \| ---- \| M] () -- C:\WINDOWS\System32\AegisI5Installer.exe [2010/01/08 00:26:56 \| 00,021,361 \| ---- \| M] (Cisco Systems, Inc.) -- C:\WINDOWS\System32\drivers\AegisP.sys [2010/01/07 23:51:20 \| 00,027,015 \| ---- \| M] () -- C:\Documents and Settings\dad\Desktop\norton program info.JPG [2010/01/07 23:20:22 \| 00,000,528 \| ---- \| M] () -- C:\WINDOWS\win.ini [2010/01/07 23:20:22 \| 00,000,237 \| ---- \| M] () -- C:\Boot.bak [2010/01/07 16:07:14 \| 00,038,224 \| ---- \| M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys [2010/01/07 16:07:04 \| 00,019,160 \| ---- \| M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys [2010/01/06 22:55:27 \| 00,000,696 \| ---- \| M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk [2010/01/06 22:17:14 \| 05,061,512 \| ---- \| M] (Malwarebytes Corporation ) -- C:\Documents and Settings\dad\Desktop\mbam-setup.exe [2010/01/06 21:45:10 \| 00,263,168 \| ---- \| M] () -- C:\Documents and Settings\dad\Desktop\rkill.com [2010/01/06 21:23:02 \| 00,039,507 \| ---- \| M] () -- C:\WINDOWS\System32\nvapps.xml [2010/01/04 14:09:46 \| 25,823,502 \| ---- \| M] () -- C:\vdf_fusebundle.zip [2010/01/04 12:38:49 \| 00,262,144 \| ---- \| M] () -- C:\WINDOWS\SAM [2009/12/29 20:54:50 \| 00,014,336 \| ---- \| M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\svchost.exe [2009/12/27 00:36:52 \| 00,000,006 \| ---- \| M] () -- C:\WINDOWS\System32\ClassU [2009/12/27 00:36:52 \| 00,000,005 \| ---- \| M] () -- C:\WINDOWS\System32\Band4 [2009/12/25 01:28:07 \| 00,054,156 \| -H-- \| M] () -- C:\WINDOWS\QTFont.qfn [10 C:\WINDOWS\System32\.tmp files -> C:\WINDOWS\System32\.tmp -> ] [1 C:\WINDOWS\.tmp files -> C:\WINDOWS\.tmp -> ] ========== Files Created - No Company Name ========== [2010/01/21 17:12:39 \| 10,716,89728 \| -HS- \| C] () -- C:\hiberfil.sys [2010/01/19 19:42:34 \| 00,000,237 \| ---- \| C] () -- C:\Boot.bak [2010/01/19 19:42:25 \| 00,260,272 \| ---- \| C] () -- C:\cmldr [2010/01/19 19:39:48 \| 00,261,632 \| ---- \| C] () -- C:\WINDOWS\PEV.exe [2010/01/19 19:39:48 \| 00,098,816 \| ---- \| C] () -- C:\WINDOWS\sed.exe [2010/01/19 19:39:48 \| 00,080,412 \| ---- \| C] () -- C:\WINDOWS\grep.exe [2010/01/19 19:39:48 \| 00,077,312 \| ---- \| C] () -- C:\WINDOWS\MBR.exe [2010/01/19 19:39:48 \| 00,068,096 \| ---- \| C] () -- C:\WINDOWS\zip.exe [2010/01/19 19:35:30 \| 03,829,629 \| R--- \| C] () -- C:\Documents and Settings\dad\Desktop\ComboFix.exe [2010/01/18 07:29:53 \| 00,077,312 \| ---- \| C] () -- C:\mbr.exe [2010/01/18 07:02:03 \| 00,236,544 \| ---- \| C] () -- C:\Documents and Settings\dad\Desktop\pev.exe [2010/01/18 07:02:03 \| 00,008,984 \| ---- \| C] () -- C:\Documents and Settings\dad\Desktop\ncmd.cfxxe [2010/01/18 07:02:03 \| 00,000,476 \| ---- \| C] () -- C:\Documents and Settings\dad\Desktop\rkill.reg [2010/01/17 10:32:59 \| 00,293,376 \| ---- \| C] () -- C:\Documents and Settings\dad\Desktop\unenv9g6.exe [2010/01/12 22:28:02 \| 00,113,461 \| ---- \| C] () -- C:\WINDOWS\System32\drivers\Avg\iavichjw.avm [2010/01/12 22:27:52 \| 54,493,657 \| ---- \| C] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm [2010/01/12 22:27:52 \| 00,001,507 \| ---- \| C] () -- C:\Documents and Settings\All Users\Desktop\AVG Free 9.0.lnk [2010/01/12 22:27:51 \| 06,061,540 \| ---- \| C] () -- C:\WINDOWS\System32\drivers\Avg\avi7.avg [2010/01/12 22:27:51 \| 00,492,629 \| ---- \| C] () -- C:\WINDOWS\System32\drivers\Avg\miniavi.avg [2010/01/12 22:27:51 \| 00,142,495 \| ---- \| C] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg [2010/01/10 02:01:24 \| 00,000,664 \| ---- \| C] () -- C:\WINDOWS\System32\d3d9caps.dat [2010/01/09 16:55:23 \| 00,000,000 \| ---- \| C] () -- C:\Documents and Settings\dad\Desktop\settings.dat [2010/01/09 16:51:10 \| 00,524,288 \| ---- \| C] () -- C:\Documents and Settings\dad\Desktop\dds.scr [2010/01/08 00:27:01 \| 00,001,621 \| ---- \| C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Ralink Wireless Utility.lnk [2010/01/07 23:51:20 \| 00,027,015 \| ---- \| C] () -- C:\Documents and Settings\dad\Desktop\norton program info.JPG [2010/01/06 22:55:27 \| 00,000,696 \| ---- \| C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk [2010/01/06 22:40:04 \| 00,263,168 \| ---- \| C] () -- C:\Documents and Settings\dad\Desktop\rkill.com [2010/01/04 14:09:46 \| 25,823,502 \| ---- \| C] () -- C:\vdf_fusebundle.zip [2010/01/04 12:38:49 \| 00,262,144 \| ---- \| C] () -- C:\WINDOWS\SAM [2009/12/27 00:36:52 \| 00,000,006 \| ---- \| C] () -- C:\WINDOWS\System32\ClassU [2009/12/27 00:36:52 \| 00,000,005 \| ---- \| C] () -- C:\WINDOWS\System32\Band4 [2009/04/30 23:31:06 \| 01,724,416 \| ---- \| C] () -- C:\WINDOWS\System32\nvwdmcpl.dll [2009/04/30 23:31:06 \| 01,507,328 \| ---- \| C] () -- C:\WINDOWS\System32\nview.dll [2009/04/30 23:31:06 \| 01,101,824 \| ---- \| C] () -- C:\WINDOWS\System32\nvwimg.dll [2009/04/30 23:31:06 \| 00,466,944 \| ---- \| C] () -- C:\WINDOWS\System32\nvshell.dll [2008/09/24 16:55:03 \| 00,000,662 \| ---- \| C] () -- C:\Documents and Settings\dad\Application Data\wklnhst.dat [2008/09/24 16:48:48 \| 00,005,120 \| ---- \| C] () -- C:\Documents and Settings\dad\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [2008/09/13 23:36:07 \| 06,956,032 \| -HS- \| C] () -- C:\Program Files\ehthumbs.db [2008/01/03 22:36:59 \| 00,000,126 \| ---- \| C] () -- C:\Documents and Settings\dad\Local Settings\Application Data\fusioncache.dat [2007/12/30 17:46:24 \| 00,022,328 \| ---- \| C] () -- C:\WINDOWS\System32\drivers\PnkBstrK.sys [2007/11/06 21:53:39 \| 00,001,755 \| ---- \| C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache [2007/07/24 15:55:13 \| 00,000,110 \| ---- \| C] () -- C:\WINDOWS\GMouse.ini [2007/06/19 07:59:36 \| 00,070,400 \| ---- \| C] () -- C:\WINDOWS\System32\PhysXLoader.dll [2007/04/20 06:57:30 \| 00,053,248 \| ---- \| C] () -- C:\WINDOWS\System32\AgCPanelTraditionalChinese.dll [2007/04/20 06:57:28 \| 00,053,248 \| ---- \| C] () -- C:\WINDOWS\System32\AgCPanelSwedish.dll [2007/04/20 06:57:28 \| 00,053,248 \| ---- \| C] () -- C:\WINDOWS\System32\AgCPanelSpanish.dll [2007/04/20 06:57:28 \| 00,053,248 \| ---- \| C] () -- C:\WINDOWS\System32\AgCPanelSimplifiedChinese.dll [2007/04/20 06:57:28 \| 00,053,248 \| ---- \| C] () -- C:\WINDOWS\System32\AgCPanelPortugese.dll [2007/04/20 06:57:28 \| 00,053,248 \| ---- \| C] () -- C:\WINDOWS\System32\AgCPanelKorean.dll [2007/04/20 06:57:28 \| 00,053,248 \| ---- \| C] () -- C:\WINDOWS\System32\AgCPanelJapanese.dll [2007/04/20 06:57:28 \| 00,053,248 \| ---- \| C] () -- C:\WINDOWS\System32\AgCPanelGerman.dll [2007/04/20 06:57:28 \| 00,053,248 \| ---- \| C] () -- C:\WINDOWS\System32\AgCPanelFrench.dll [2007/04/07 00:07:27 \| 00,000,094 \| -H-- \| C] () -- C:\WINDOWS\System32\tbd_G1ssg.ini [2006/12/14 21:24:24 \| 00,000,754 \| ---- \| C] () -- C:\WINDOWS\WORDPAD.INI [2006/11/16 15:17:07 \| 00,000,002 \| ---- \| C] () -- C:\WINDOWS\msoffice.ini [2006/11/11 03:02:38 \| 00,000,187 \| ---- \| C] () -- C:\Documents and Settings\LocalService\Application Data\G-Force Prefs (WindowsMediaPlayer).txt [2006/11/02 20:22:09 \| 00,000,175 \| ---- \| C] () -- C:\WINDOWS\em06z.ini [2006/09/26 16:17:03 \| 00,000,251 \| ---- \| C] () -- C:\Program Files\wt3d.ini [2006/09/19 05:12:11 \| 00,000,061 \| ---- \| C] () -- C:\WINDOWS\smscfg.ini [2006/09/19 05:05:46 \| 00,000,930 \| ---- \| C] () -- C:\WINDOWS\wininit.ini [2006/09/19 05:04:35 \| 00,000,376 \| ---- \| C] () -- C:\WINDOWS\ODBC.INI [2006/09/19 04:37:10 \| 00,000,393 \| ---- \| C] () -- C:\WINDOWS\System32\OEMINFO.INI [2005/11/10 05:56:34 \| 00,000,000 \| ---- \| C] () -- C:\WINDOWS\System32\px.ini [2005/08/16 01:37:24 \| 00,001,793 \| ---- \| C] () -- C:\WINDOWS\System32\fxsperf.ini [2005/08/16 01:18:35 \| 00,005,632 \| ---- \| C] () -- C:\WINDOWS\System32\security.dll [2005/08/05 11:01:54 \| 00,235,008 \| ---- \| C] () -- C:\WINDOWS\System32\psisdecd.dll ========== Alternate Data Streams ========== @Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:ECF5194F < End of report >

myrti View Member Profile	Jan 22 2010, 12:27 PM Post #14
bleepin' _temp_ Group: Malware Response Instructor Posts: 14,924 Joined: 25-January 08 From: At home Member No.: 186,120	Hi, OTL only produces two log when it is run for the first time. After that, unless specifically asked for, it will only produce the one log. The finds from Eset actually are good. (I know, weird, hu? ) Eset found the files in the quarantine folders of other removal tools, none of these files can do any harm. Before we get to the final step I would like you to update your java: Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update: Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop. Look for "Java Runtime Environment (JRE)" JRE 6 Update 18. Click the Download button to the right. Select your Platform: "Windows". Select your Language: "Multi-language". Read the License Agreement, and then check the box that says: "Accept License Agreement". Click Continue and the page will refresh. Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop. Close any programs you may have running - especially your web browser. Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java. Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name. Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller. Repeat as many times as necessary to remove each Java versions. Reboot your computer once all Java components are removed. Then from your desktop double-click on jre-6u18-windows-i586.exe to install the newest version. -- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator. -- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it. -- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually. Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer. let me know if you run into any problem with that. regards myrti -------------------- Help request via PM will be ignored, unless I am already helping you. Please use the forums! If I have helped you please consider to to help me continue the malware fight! Thank you!

ok computer View Member Profile	Jan 23 2010, 11:44 AM Post #15
Member Group: Members Posts: 38 Joined: 19-October 09 Member No.: 392,143	Right - I guess that makes sense about the detections. I uninstalled all of the Java installations and then installed JRE 6, update 18. I disabled "quick start". I hate those. What happens next?? I like the photos attached to your profile. Are those yours? Can I ask where they are?

« Next Oldest · Virus, Trojan, Spyware, and Malware Removal Logs · Next Newest »

2 Pages

1 2 >

1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)

0 Members:

Display Mode: Standard · Switch to: Linear+ · Switch to: Outline

Track this topic · Email this topic · Print this topic · Subscribe to this forum

Lo-Fi Version

Time is now: 6th September 2010 - 03:39 AM

Advertise \| About Us \| Terms of Use \| Privacy Policy \| Contact Us \| Site Map \| Chat \| Tutorials \| Uninstall List
Discussion Forums \| The Computer Glossary \| Resources \| RSS Feeds \| Startups \| The File Database \| Virus Removal Guides