Infected with Foster Parent and possibly other Malware

Welcome to Bleeping Computer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.
Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

BleepingComputer.com > Security > Virus, Trojan, Spyware, and Malware Removal Logs

Forum Guidelines

Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

DO NOT RUN ComboFix unless requested to.

Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

2 Pages

1 2 >

Infected with Foster Parent and possibly other Malware, Would like help removing

Options

Thordon View Member Profile	Jan 11 2010, 12:56 PM Post #1
New Member Group: Members Posts: 11 Joined: 11-January 10 Member No.: 432,945	Hi, I'm using Windows XP on a 2006 Dell Inspiron I6400 laptop. This morning when I turned off my laptop, it was lagging a bit, and then an End Program prompt came up for a program called "Foster Parent" which I had never seen before. I did a search online about this program, and I could not find much information about this program. I use avast 4.8 home edition free antivirus. My DDS.txt log is posted below. When I run rootrepeal however, A gray box comes up that says the program is initializing, and then my entire computer freezes. I have tried this twice already with the same result both times. Any help and advice would be appreciated. Thanks. DDS (Ver_09-12-01.01) - NTFSx86 Run by Zhang at 12:27:42.06 on Mon 01/11/2010 Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16 Microsoft Windows XP Home Edition 5.1.2600.3.1257.372.1033.18.1014.345 [GMT -5:00] AV: avast! antivirus 4.8.1351 [VPS 100111-0] On-access scanning enabled (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D} ============== Running Processes =============== C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs C:\Program Files\Intel\Wireless\Bin\EvtEng.exe C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe svchost.exe svchost.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\system32\spoolsv.exe svchost.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe C:\WINDOWS\system32\HPZipm12.exe C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe C:\Program Files\Sandboxie\SbieSvc.exe C:\WINDOWS\system32\svchost.exe -k imgsvc C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\igfxpers.exe C:\WINDOWS\system32\igfxsrvc.exe C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe C:\WINDOWS\stsystra.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\Program Files\iTunes\iTunesHelper.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\DAEMON Tools\daemon.exe C:\Program Files\Sandboxie\SbieCtrl.exe C:\Program Files\Digital Line Detect\DLG.exe C:\Program Files\3M\PSNLite\PsnLite.exe C:\Program Files\iPod\bin\iPodService.exe C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe C:\Documents and Settings\Zhang\Local Settings\Application Data\Google\Update\1.2.183.13\GoogleCrashHandler.exe C:\PROGRA~1\3M\PSNLite\PSNGive.exe C:\Documents and Settings\Zhang\Local Settings\Application Data\Google\Chrome\Application\chrome.exe C:\Documents and Settings\Zhang\Local Settings\Application Data\Google\Chrome\Application\chrome.exe C:\Documents and Settings\Zhang\Local Settings\Application Data\Google\Chrome\Application\chrome.exe C:\Documents and Settings\Zhang\Local Settings\Application Data\Google\Chrome\Application\chrome.exe C:\Documents and Settings\Zhang\Local Settings\Application Data\Google\Chrome\Application\chrome.exe C:\Documents and Settings\Zhang\Local Settings\Application Data\Google\Chrome\Application\chrome.exe C:\Documents and Settings\Zhang\Local Settings\Application Data\Google\Chrome\Application\chrome.exe C:\Downloads\dds.scr ============== Pseudo HJT Report =============== uStart Page = hxxp://www.google.com uSearch Bar = uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll TB: {E0E899AB-F487-11D5-8D29-0050BA6940E3} - No File TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File TB: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe uRun: [DAEMON Tools] "c:\program files\daemon tools\daemon.exe" -lang 1033 uRun: [SandboxieControl] "c:\program files\sandboxie\SbieCtrl.exe" uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1 uRun: [Google Update] "c:\documents and settings\zhang\local settings\application data\google\update\GoogleUpdate.exe" /c mRun: [igfxtray] c:\windows\system32\igfxtray.exe mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe mRun: [igfxpers] c:\windows\system32\igfxpers.exe mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe" mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless mRun: [SigmatelSysTrayApp] stsystra.exe mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe" mRun: [dla] c:\windows\system32\dla\tfswctrl.exe mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start mRun: [<NO NAME>] mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe" mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe" StartupFolder: c:\docume~1\zhang\startm~1\programs\startup\thoosj~1.lnk - c:\program files\thoosje sidebar v2.3\Thoosje Vista Sidebar.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\post-i~1.lnk - c:\program files\3m\psnlite\PsnLite.exe IE: &WordWeb... - c:\windows\system32\wweb32.dll/lookup.html IE: Download All by FlashGet - c:\program files\flashget\jc_all.htm IE: Download using FlashGet - c:\program files\flashget\jc_link.htm IE: Download using LeechGet - file://c:\program files\leechget 2006\\AddUrl.html IE: Download using LeechGet Wizard - file://c:\program files\leechget 2006\\Wizard.html IE: Parse with LeechGet - file://c:\program files\leechget 2006\\Parser.html IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab DPF: {4D2D3A17-9B46-483C-A5F4-1DC471080009} - hxxps://nac0.security.health.ufl.edu/auth/taweb.cab DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1223900221125 DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab DPF: {B49C4597-8721-4789-9250-315DFBD9F525} - hxxp://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab DPF: {C9D7D239-B502-48B3-BA25-9DF8C7264073} - hxxps://nac0.security.health.ufl.edu/auth/CCALogin.CAB DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe Notify: igfxcui - igfxdev.dll SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll ================= FIREFOX =================== FF - ProfilePath - c:\docume~1\zhang\applic~1\mozilla\firefox\profiles\vumtcd3w.default\ FF - prefs.js: browser.search.selectedEngine - Google FF - prefs.js: browser.startup.homepage - www.google.com FF - plugin: c:\documents and settings\zhang\application data\move networks\plugins\npqmp071705000014.dll FF - plugin: c:\documents and settings\zhang\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll FF - plugin: c:\program files\mozilla firefox\plugins\npvirtools.dll FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\ FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} ============= SERVICES / DRIVERS =============== R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-5-8 114768] R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-5-8 20560] R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-5-8 138680] R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-5-8 254040] R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-5-8 352920] R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2009-1-5 103936] S3 Fadpu16E;Fadpu16E;c:\docume~1\zhang\locals~1\temp\Fadpu16E.sys [2004-7-17 31744] S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-8-2 32512] S3 tap0801;Smarthide TAP driver;c:\windows\system32\drivers\tap0801.sys [2007-10-12 55808] S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?] =============== Created Last 30 ================ 2009-12-26 00:26:48 0 d-----w- c:\program files\common files\DivX Shared ==================== Find3M ==================== 2009-12-20 06:40:31 90471 -c--a-w- c:\windows\War3Unin.dat 2009-12-10 02:09:51 39 ----a-w- c:\documents and settings\zhang\jagex_runescape_preferences.dat 2009-12-10 01:49:04 69 ----a-w- c:\documents and settings\zhang\jagex_runescape_preferences2.dat 2009-11-25 00:53:52 98304 -c--a-w- c:\windows\system32\CmdLineExt.dll 2009-11-25 00:37:50 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll 2009-11-25 00:05:06 55296 ----a-w- c:\windows\system32\disable.exe 2009-11-21 15:51:04 471552 ----a-w- c:\windows\system32\dllcache\aclayers.dll 2009-10-28 14:40:47 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe 2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll 2009-10-21 05:38:36 75776 ------w- c:\windows\system32\dllcache\strmfilt.dll 2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll 2009-10-21 05:38:36 25088 ------w- c:\windows\system32\dllcache\httpapi.dll 2009-10-20 16:20:16 265728 ------w- c:\windows\system32\dllcache\http.sys 2007-12-27 23:54:57 88 --sh--r- c:\windows\system32\8C7EDB19A9.sys 2009-03-18 03:15:36 56 --sh--r- c:\windows\system32\A919DB7E8C.sys 2009-03-18 03:15:36 4912 --sha-w- c:\windows\system32\KGyGaAvL.sys 2008-09-12 11:42:56 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091220080913\index.dat ============= FINISH: 12:28:33.39 =============== Attached File(s) Attach.txt ( 13.22k ) Number of downloads: 8

schrauber View Member Profile	Jan 16 2010, 04:15 PM Post #2
Mr.Mechanic Group: Malware Response Team Posts: 20,486 Joined: 3-May 08 From: Saarland,Germany Member No.: 206,858	Hello and welcome to Bleeping Computer We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here. If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far. Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware. If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread. Thanks and again sorry for the delay. We need to see some information about what is happening in your machine. Please perform the following scan: Download DDS by sUBs from one of the following links. Save it to your desktop. DDS.scr DDS.pif Double click on the DDS icon, allow it to run. A small box will open, with an explaination about the tool. No input is needed, the scan is running. Notepad will open with the results. Follow the instructions that pop up for posting the results. Close the program window, and delete the program from your desktop. Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE -------------------- regards, schrauber If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you! Unavailable at mondays and thursdays! If I have helped you then please consider donating to continue the fight against malware

Thordon View Member Profile	Jan 17 2010, 07:05 PM Post #3
New Member Group: Members Posts: 11 Joined: 11-January 10 Member No.: 432,945	Not a problem. To restate my problem, I'm using Windows XP on a 2006 Dell Inspiron I6400 laptop. A few days ago when I turned off my laptop, it was lagging a bit, and then an End Program prompt came up for a program called "Foster Parent" which I had never seen before. I did a search online about this program, and I could not find much information about this program. I use avast 4.8 home edition free antivirus. I rand a DDS before and posted it in my first post, but could not run a rootrepeal because it caused my entire computer to freeze. While waiting for a response from this forum, I downloaded and ran SuperAntiSpyware as well as scanned my entire computer with avast. My new DDS that I just ran is posted below. I'd like to know if there's anything else that looks suspicious or if the new antispyware program removed it. Thanks. DDS (Ver_09-12-01.01) - NTFSx86 Run by Zhang at 18:59:08.04 on Sun 01/17/2010 Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16 Microsoft Windows XP Home Edition 5.1.2600.3.1257.372.1033.18.1014.411 [GMT -5:00] AV: avast! antivirus 4.8.1351 [VPS 100117-1] On-access scanning enabled (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D} ============== Running Processes =============== C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs C:\Program Files\Intel\Wireless\Bin\EvtEng.exe C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe svchost.exe svchost.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\system32\spoolsv.exe svchost.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe C:\Documents and Settings\Zhang\Local Settings\Application Data\Google\Update\1.2.183.13\GoogleCrashHandler.exe C:\WINDOWS\system32\HPZipm12.exe C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe C:\Program Files\Sandboxie\SbieSvc.exe C:\WINDOWS\system32\svchost.exe -k imgsvc C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\WINDOWS\system32\igfxpers.exe C:\WINDOWS\system32\igfxsrvc.exe C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe C:\WINDOWS\stsystra.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\Program Files\iTunes\iTunesHelper.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\DAEMON Tools\daemon.exe C:\Program Files\Sandboxie\SbieCtrl.exe C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe C:\Program Files\Digital Line Detect\DLG.exe C:\Program Files\3M\PSNLite\PsnLite.exe C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe C:\PROGRA~1\3M\PSNLite\PSNGive.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\System32\svchost.exe -k HTTPFilter C:\Documents and Settings\Zhang\Local Settings\Application Data\Google\Chrome\Application\chrome.exe C:\Documents and Settings\Zhang\Local Settings\Application Data\Google\Chrome\Application\chrome.exe C:\Documents and Settings\Zhang\Local Settings\Application Data\Google\Chrome\Application\chrome.exe C:\Documents and Settings\Zhang\Local Settings\Application Data\Google\Chrome\Application\chrome.exe C:\Documents and Settings\Zhang\Local Settings\Application Data\Google\Chrome\Application\chrome.exe C:\Program Files\Java\jre6\bin\jucheck.exe C:\Documents and Settings\Zhang\Desktop\dds.scr ============== Pseudo HJT Report =============== uStart Page = hxxp://www.google.com uSearch Bar = uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll TB: {E0E899AB-F487-11D5-8D29-0050BA6940E3} - No File TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File TB: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe uRun: [DAEMON Tools] "c:\program files\daemon tools\daemon.exe" -lang 1033 uRun: [SandboxieControl] "c:\program files\sandboxie\SbieCtrl.exe" uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1 uRun: [Google Update] "c:\documents and settings\zhang\local settings\application data\google\update\GoogleUpdate.exe" /c uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe mRun: [igfxtray] c:\windows\system32\igfxtray.exe mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe mRun: [igfxpers] c:\windows\system32\igfxpers.exe mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe" mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless mRun: [SigmatelSysTrayApp] stsystra.exe mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe" mRun: [dla] c:\windows\system32\dla\tfswctrl.exe mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start mRun: [<NO NAME>] mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe" mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe" StartupFolder: c:\docume~1\zhang\startm~1\programs\startup\thoosj~1.lnk - c:\program files\thoosje sidebar v2.3\Thoosje Vista Sidebar.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\post-i~1.lnk - c:\program files\3m\psnlite\PsnLite.exe IE: &WordWeb... - c:\windows\system32\wweb32.dll/lookup.html IE: Download All by FlashGet - c:\program files\flashget\jc_all.htm IE: Download using FlashGet - c:\program files\flashget\jc_link.htm IE: Download using LeechGet - file://c:\program files\leechget 2006\\AddUrl.html IE: Download using LeechGet Wizard - file://c:\program files\leechget 2006\\Wizard.html IE: Parse with LeechGet - file://c:\program files\leechget 2006\\Parser.html IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab DPF: {4D2D3A17-9B46-483C-A5F4-1DC471080009} - hxxps://nac0.security.health.ufl.edu/auth/taweb.cab DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1223900221125 DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab DPF: {B49C4597-8721-4789-9250-315DFBD9F525} - hxxp://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab DPF: {C9D7D239-B502-48B3-BA25-9DF8C7264073} - hxxps://nac0.security.health.ufl.edu/auth/CCALogin.CAB DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll Notify: igfxcui - igfxdev.dll SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL ================= FIREFOX =================== FF - ProfilePath - c:\docume~1\zhang\applic~1\mozilla\firefox\profiles\vumtcd3w.default\ FF - prefs.js: browser.search.selectedEngine - Google FF - prefs.js: browser.startup.homepage - www.google.com FF - plugin: c:\documents and settings\zhang\application data\move networks\plugins\npqmp071705000014.dll FF - plugin: c:\documents and settings\zhang\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll FF - plugin: c:\program files\mozilla firefox\plugins\npvirtools.dll FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\ FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} ============= SERVICES / DRIVERS =============== R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-5-8 114768] R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-1-5 9968] R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-1-5 74480] R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-5-8 20560] R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-5-8 138680] R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-5-8 254040] R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-5-8 352920] R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-1-5 7408] R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2009-1-5 103936] S3 Fadpu16E;Fadpu16E;\??\c:\docume~1\zhang\locals~1\temp\fadpu16e.sys --> c:\docume~1\zhang\locals~1\temp\Fadpu16E.sys [?] S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-8-2 32512] S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?] S3 tap0801;Smarthide TAP driver;c:\windows\system32\drivers\tap0801.sys [2007-10-12 55808] S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?] =============== Created Last 30 ================ 2010-01-11 17:59:15 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com 2010-01-11 17:59:02 0 d-----w- c:\program files\SUPERAntiSpyware 2010-01-11 17:59:02 0 d-----w- c:\docume~1\zhang\applic~1\SUPERAntiSpyware.com 2009-12-26 00:26:48 0 d-----w- c:\program files\common files\DivX Shared ==================== Find3M ==================== 2009-12-20 06:40:31 90471 -c--a-w- c:\windows\War3Unin.dat 2009-12-10 02:09:51 39 ----a-w- c:\documents and settings\zhang\jagex_runescape_preferences.dat 2009-12-10 01:49:04 69 ----a-w- c:\documents and settings\zhang\jagex_runescape_preferences2.dat 2009-11-25 00:53:52 98304 -c--a-w- c:\windows\system32\CmdLineExt.dll 2009-11-25 00:37:50 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll 2009-11-25 00:05:06 55296 ----a-w- c:\windows\system32\disable.exe 2009-11-21 15:51:04 471552 ----a-w- c:\windows\system32\dllcache\aclayers.dll 2009-10-28 14:40:47 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe 2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll 2009-10-21 05:38:36 75776 ------w- c:\windows\system32\dllcache\strmfilt.dll 2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll 2009-10-21 05:38:36 25088 ------w- c:\windows\system32\dllcache\httpapi.dll 2009-10-20 16:20:16 265728 ------w- c:\windows\system32\dllcache\http.sys 2007-12-27 23:54:57 88 --sh--r- c:\windows\system32\8C7EDB19A9.sys 2009-03-18 03:15:36 56 --sh--r- c:\windows\system32\A919DB7E8C.sys 2009-03-18 03:15:36 4912 --sha-w- c:\windows\system32\KGyGaAvL.sys 2008-09-12 11:42:56 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091220080913 \index.dat ============= FINISH: 19:00:01.30 ===============

schrauber View Member Profile	Jan 18 2010, 02:08 PM Post #4
Mr.Mechanic Group: Malware Response Team Posts: 20,486 Joined: 3-May 08 From: Saarland,Germany Member No.: 206,858	Hello, Thordon and again Welcome to the Bleeping Computer Forums. My name is Thomas (Tom is fine), and I will be helping you fixing your problems. If you do not make a reply in 5 days, we will have to close your topic. You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here. Please take note of some guidelines for this fix: Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Further more, you should not be taking any advice relating to this computer from any other source throughout the course of this fix. If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken. Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself. Please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post. Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here. Please set your system to show all files. Click Start, open My Computer, select the Tools menu and click Folder Options. Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders. Uncheck: Hide file extensions for known file types Uncheck the Hide protected operating system files (recommended) option. Click Yes to confirm. Please download GMER from one of the following locations and save it to your desktop: Main Mirror This version will download a randomly named file (Recommended) Zipped Mirror This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop. Disconnect from the Internet and close all running programs. Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver. Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked. Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe. GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress) If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO. Now click the Scan button. If you see a rootkit warning window, click OK. When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log. Click the Copy button and paste the results into your next reply. Exit GMER and re-enable all active protection when done. -- If you encounter any problems, try running GMER in Safe Mode. -------------------- regards, schrauber If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you! Unavailable at mondays and thursdays! If I have helped you then please consider donating to continue the fight against malware

Thordon View Member Profile	Jan 19 2010, 09:23 AM Post #5
New Member Group: Members Posts: 11 Joined: 11-January 10 Member No.: 432,945	Here is my gmer scan results: GMER 1.0.15.15281 - http://www.gmer.net Rootkit scan 2010-01-19 09:13:13 Windows 5.1.2600 Service Pack 3 Running: yyemy6nt.exe; Driver: C:\DOCUME~1\Zhang\LOCALS~1\Temp\fxtdapog.sys ---- System - GMER 1.0.15 ---- SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xAA12C6B8] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xAA12C574] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xAA12CA52] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xAA12C14C] SSDT sptd.sys ZwEnumerateKey [0xF72E8A92] SSDT sptd.sys ZwEnumerateValueKey [0xF72E8E20] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xAA12C64E] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xAA12C08C] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xAA12C0F0] SSDT sptd.sys ZwQueryKey [0xF72E8EF8] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xAA12C76E] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xAA12C72E] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xAA12C8AE] SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xAA2890B0] Code 8767C4FC NlsAnsiCodePage ---- Kernel code sections - GMER 1.0.15 ---- ? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process. .text USBPORT.SYS!DllUnload F67AB8AC 5 Bytes JMP 86DA6960 ? System32\Drivers\aca2taef.SYS The system cannot find the path specified. ! .text win32k.sys!EngAcquireSemaphore + 20E2 BF8082E1 5 Bytes JMP 860A84D0 .text win32k.sys!EngFreeUserMem + 5BD2 BF80EE68 5 Bytes JMP 860A8430 .text win32k.sys!EngCreateBitmap + DDB2 BF845CCB 5 Bytes JMP 860A8610 .text win32k.sys!EngMultiByteToWideChar + 2F32 BF852C47 5 Bytes JMP 860A8750 .text win32k.sys!XLATEOBJ_iXlate + 3A50 BF86368D 5 Bytes JMP 860A8570 .text win32k.sys!FONTOBJ_pxoGetXform + CC3E BF8C31D6 5 Bytes JMP 860A86B0 .text win32k.sys!PATHOBJ_vGetBounds + 74EE BF8F00FB 5 Bytes JMP 860A87F0 ---- Kernel IAT/EAT - GMER 1.0.15 ---- IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F72E3AB4] sptd.sys IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F72E3BFA] sptd.sys IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F72E3B7C] sptd.sys IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F72E4728] sptd.sys IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F72E45FE] sptd.sys IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F72F6C5A] sptd.sys ---- User IAT/EAT - GMER 1.0.15 ---- IAT C:\WINDOWS\system32\services.exe[1068] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00620002 IAT C:\WINDOWS\system32\services.exe[1068] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00620000 ---- Devices - GMER 1.0.15 ---- Device \FileSystem\Ntfs \Ntfs 86F5F1E8 AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software) AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software) AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.) AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.) Device \Driver\usbuhci \Device\USBPDO-0 86DA51E8 Device \Driver\usbuhci \Device\USBPDO-1 86DA51E8 Device \Driver\usbuhci \Device\USBPDO-2 86DA51E8 Device \Driver\usbuhci \Device\USBPDO-3 86DA51E8 Device \Driver\usbehci \Device\USBPDO-4 86D761E8 AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software) Device \Driver\Ftdisk \Device\HarddiskVolume1 86FD21E8 Device \Driver\PCI_NTPNP2150 \Device\00000058 sptd.sys Device \Driver\PCI_NTPNP2150 \Device\00000058 sptd.sys Device \Driver\Ftdisk \Device\HarddiskVolume2 86FD21E8 Device \Driver\Cdrom \Device\CdRom0 86D031E8 Device \Driver\Cdrom \Device\CdRom1 86D031E8 Device \Driver\Ftdisk \Device\HarddiskVolume3 86FD21E8 Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [F725DB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort0 [F725DB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort1 [F725DB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e [F725DB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\Ftdisk \Device\HarddiskVolume4 86FD21E8 Device \Driver\NetBT \Device\NetBT_Tcpip_{8188A1CB-D553-448B-9954-B3005A41F8A0} 860E6980 Device \Driver\NetBT \Device\NetBt_Wins_Export 860E6980 Device \Driver\NetBT \Device\NetbiosSmb 860E6980 Device \Driver\NetBT \Device\NetBT_Tcpip_{DB1D5840-FF99-4F11-A9D2-BBEADA3B2E62} 860E6980 Device \Driver\NetBT \Device\NetBT_Tcpip_{D72B58AA-7A9E-440A-ADF9-9A7CFB38EF06} 860E6980 AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software) AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software) Device \Driver\usbuhci \Device\USBFDO-0 86DA51E8 Device \Driver\usbuhci \Device\USBFDO-1 86DA51E8 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 860E4980 Device \Driver\usbuhci \Device\USBFDO-2 86DA51E8 Device \FileSystem\MRxSmb \Device\LanmanRedirector 860E4980 Device \Driver\usbuhci \Device\USBFDO-3 86DA51E8 Device \Driver\usbehci \Device\USBFDO-4 86D761E8 Device \Driver\Ftdisk \Device\FtControl 86FD21E8 Device \Driver\aca2taef \Device\Scsi\aca2taef1Port2Path0Target0Lun0 86CE4648 Device \Driver\aca2taef \Device\Scsi\aca2taef1 86CE4648 Device \FileSystem\Fastfat \Fat 858551E8 Device \FileSystem\Fastfat \Fat A899A297 AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation) AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software) Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions) Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions) Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions) Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions) Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions) Device \FileSystem\Cdfs \Cdfs 86BD2310 Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions) ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 1145923146 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 -941535021 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\ Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x79 0x98 0xF0 0x7A ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x57 0x87 0x4F 0xBE ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xD3 0xAA 0x1C 0x64 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xEE 0xF9 0xB4 0xD2 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\ Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x79 0x98 0xF0 0x7A ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x57 0x87 0x4F 0xBE ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xD3 0xAA 0x1C 0x64 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xEE 0xF9 0xB4 0xD2 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\ Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x79 0x98 0xF0 0x7A ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x57 0x87 0x4F 0xBE ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x6A 0x25 0x38 0x8D ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x43 0x1B 0x2A 0x58 ... ---- EOF - GMER 1.0.15 ----

schrauber View Member Profile	Jan 20 2010, 12:54 PM Post #6
Mr.Mechanic Group: Malware Response Team Posts: 20,486 Joined: 3-May 08 From: Saarland,Germany Member No.: 206,858	Hi, Please download OTL from one of the following mirrors: This is THE Mirror Save it to your desktop. Double click on the icon on your desktop. Under the Custom Scan box paste this in netsvcs %SYSTEMDRIVE%\.exe /md5start eventlog.dll scecli.dll netlogon.dll cngaudit.dll sceclt.dll ntelogon.dll logevent.dll iaStor.sys nvstor.sys atapi.sys IdeChnDr.sys viasraid.sys AGP440.sys vaxscsi.sys nvatabus.sys viamraid.sys nvata.sys nvgts.sys iastorv.sys ViPrt.sys eNetHook.dll ahcix86.sys KR10N.sys /md5stop %systemroot%\. /mp /s CREATERESTOREPOINT Push the Quick Scan button. Two reports will open, copy and paste them in a reply here: OTL.txt <-- Will be opened Extra.txt <-- Will be minimized -------------------- regards, schrauber If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you! Unavailable at mondays and thursdays! If I have helped you then please consider donating to continue the fight against malware

schrauber View Member Profile	Jan 22 2010, 01:59 PM Post #8
Mr.Mechanic Group: Malware Response Team Posts: 20,486 Joined: 3-May 08 From: Saarland,Germany Member No.: 206,858	Hi, Please go here and have a look how you can disable your security software. Download Combofix from any of the links below but rename it to <schrauber> before saving it to your desktop. Link 1 Link 2 -------------------------------------------------------------------- Double click on the renamed Combofix.exe & follow the prompts. When finished, it will produce a report for you. As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware. Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console. Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures. Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message: Click on Yes, to continue scanning for malware. When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply. This tool is not a toy and not for everyday use. ComboFix SHOULD NOT be used unless requested by a forum helper If you need help, see this link: http://www.bleepingcomputer.com/combofix/how-to-use-combofix -------------------- regards, schrauber If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you! Unavailable at mondays and thursdays!** If I have helped you then please consider donating to continue the fight against malware

schrauber View Member Profile	Jan 23 2010, 03:38 PM Post #10
Mr.Mechanic Group: Malware Response Team Posts: 20,486 Joined: 3-May 08 From: Saarland,Germany Member No.: 206,858	Please delete your copy of Combofix and download a fresh one, let it run and post back with the content of the logfile. -------------------- regards, schrauber If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you! Unavailable at mondays and thursdays! If I have helped you then please consider donating to continue the fight against malware

Thordon View Member Profile	Jan 24 2010, 11:15 PM Post #11
New Member Group: Members Posts: 11 Joined: 11-January 10 Member No.: 432,945	The first download link appears to be broken, and the second one links to a Spanish site which I cannot read. Should I google the program or wait until the links are back up?

schrauber View Member Profile	Jan 25 2010, 01:09 PM Post #12
Mr.Mechanic Group: Malware Response Team Posts: 20,486 Joined: 3-May 08 From: Saarland,Germany Member No.: 206,858	Please try again, should be fixed -------------------- regards, schrauber If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you! Unavailable at mondays and thursdays! If I have helped you then please consider donating to continue the fight against malware

Thordon View Member Profile	Jan 25 2010, 10:58 PM Post #13
New Member Group: Members Posts: 11 Joined: 11-January 10 Member No.: 432,945	Okay, here's the new Combofix log: ComboFix 10-01-25.02 - Zhang 01/25/2010 22:45:21.3.2 - x86 Microsoft Windows XP Home Edition 5.1.2600.3.1257.372.1033.18.1014.532 [GMT -5:00] Running from: c:\documents and settings\Zhang\Desktop\Schauber.exe AV: avast! antivirus 4.8.1351 [VPS 100125-2] On-access scanning disabled (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D} . /wow section - STAGE 3 'play.lnk' is not recognized as an internal or external command 'ECHOhdahc.drv' is not recognized as an internal or external command 'play.lnk' is not recognized as an internal or external command 'Malware' is not recognized as an internal or external command 'play.lnk' is not recognized as an internal or external command 'Malware' is not recognized as an internal or external command Ā was unexpected at this time. PEV Error: LocalAppDataFile PEV Error: LocalAppDataFolder PEV Error: LocalSettingsFile PEV Error: MenuFile PEV Error: MenuFolder PEV Error: TemplatesFile PEV Error: TemplatesFolder ((((((((((((((((((((((((( Files Created from 2009-12-26 to 2010-01-26 ))))))))))))))))))))))))))))))) . 2010-01-23 00:38 . 2010-01-23 00:49 -------- d-----w- C:\schrauber 2010-01-19 04:24 . 2010-01-19 04:24 152576 ----a-w- c:\documents and settings\Zhang\Application Data\Sun\Java\jre1.6.0_17\lzma.dll 2010-01-19 04:24 . 2010-01-19 04:24 79488 ----a-w- c:\documents and settings\Zhang\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll 2010-01-11 17:59 . 2010-01-11 17:59 52224 ----a-w- c:\documents and settings\Zhang\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll 2010-01-11 17:59 . 2010-01-11 17:59 117760 ----a-w- c:\documents and settings\Zhang\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL 2010-01-11 17:59 . 2010-01-11 17:59 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com 2010-01-11 17:59 . 2010-01-11 17:59 -------- d-----w- c:\program files\SUPERAntiSpyware 2010-01-11 17:59 . 2010-01-11 17:59 -------- d-----w- c:\documents and settings\Zhang\Application Data\SUPERAntiSpyware.com . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-01-26 03:25 . 2008-08-18 06:30 -------- d-----w- c:\program files\Diablo II 2010-01-24 18:16 . 2006-08-24 02:35 -------- d-----w- c:\program files\Warcraft III 2010-01-22 05:55 . 2009-01-20 02:02 1 ----a-w- c:\documents and settings\Zhang\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys 2010-01-22 03:07 . 2008-08-19 16:11 -------- d-----w- c:\program files\Microsoft Silverlight 2010-01-19 04:25 . 2006-07-13 06:59 -------- d-----w- c:\program files\Java 2010-01-11 17:58 . 2008-08-13 01:22 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard 2009-12-28 00:50 . 2009-12-26 22:41 -------- d-----w- c:\documents and settings\Zhang\Application Data\Move Networks 2009-12-26 22:41 . 2009-12-26 22:41 144160 ----a-w- c:\documents and settings\Zhang\Application Data\Move Networks\uninstall.exe 2009-12-26 22:41 . 2009-12-07 01:22 5603776 ----a-w- c:\documents and settings\Zhang\Application Data\Move Networks\plugins\npqmp071705000014.dll 2009-12-26 00:27 . 2006-07-22 22:52 -------- d-----w- c:\program files\DivX 2009-12-26 00:26 . 2009-12-26 00:26 -------- d-----w- c:\program files\Common Files\DivX Shared 2009-12-25 23:10 . 2009-11-11 15:20 -------- d-----w- c:\documents and settings\Zhang\Application Data\Orbit 2009-12-23 10:13 . 2006-07-18 22:44 -------- d-----w- c:\program files\Trillian 2009-12-21 19:14 . 2004-08-10 17:51 916480 ------w- c:\windows\system32\wininet.dll 2009-12-20 06:40 . 2006-08-24 02:39 90471 -c--a-w- c:\windows\War3Unin.dat 2009-12-10 02:09 . 2009-12-10 01:36 39 ----a-w- c:\documents and settings\Zhang\jagex_runescape_preferences.dat 2009-12-10 01:49 . 2009-12-10 01:37 69 ----a-w- c:\documents and settings\Zhang\jagex_runescape_preferences2.dat 2009-12-07 01:22 . 2009-12-07 01:22 97216 ----a-w- c:\documents and settings\Zhang\Application Data\Move Networks\ie_bin\MovePlayerUpgrade.exe 2009-12-04 04:52 . 2006-08-06 05:19 -------- d-----w- c:\program files\WordWeb 2009-12-03 03:16 . 2006-08-21 02:23 -------- d-----w- c:\program files\Spybot - Search & Destroy 2009-11-30 03:07 . 2009-11-30 03:07 -------- d-----w- c:\program files\FLV Player 2009-11-25 00:53 . 2007-03-16 20:04 98304 -c--a-w- c:\windows\system32\CmdLineExt.dll 2009-11-25 00:37 . 2009-11-25 00:37 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll 2009-11-25 00:05 . 2008-12-20 20:26 55296 ----a-w- c:\windows\system32\disable.exe 2009-11-25 00:05 . 2008-12-20 20:26 117 ----a-w- c:\windows\system32\disabledvd.vbs 2009-11-21 15:51 . 2004-08-10 17:50 471552 ----a-w- c:\windows\AppPatch\aclayers.dll 2009-11-01 04:21 . 2009-11-01 04:21 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe 2007-12-27 23:54 . 2006-11-29 23:56 88 --sh--r- c:\windows\system32\8C7EDB19A9.sys 2009-03-18 03:15 . 2006-10-17 00:41 56 --sh--r- c:\windows\system32\A919DB7E8C.sys 2009-03-18 03:15 . 2006-10-17 00:41 4912 --sha-w- c:\windows\system32\KGyGaAvL.sys . ((((((((((((((((((((((((((((( SnapShot@2010-01-23_00.17.32 ))))))))))))))))))))))))))))))))))))))))) . + 2010-01-23 00:36 . 2010-01-23 00:36 16384 c:\windows\Temp\Perflib_Perfdata_f4.dat + 2010-01-23 00:36 . 2010-01-23 00:36 16384 c:\windows\Temp\Perflib_Perfdata_7e0.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2006-11-12 157592] "SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2009-01-05 336896] "updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472] "Google Update"="c:\documents and settings\Zhang\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-08-17 133104] "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-01-05 2002160] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304] "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824] "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784] "IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 667718] "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 602182] "SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624] "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947] "dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035] "ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856] "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920] "MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792] "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-05-27 185896] "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440] "avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-08-17 81000] "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280] c:\documents and settings\Zhang\Start Menu\Programs\Startup\ Thoosje Vista Sidebar.lnk - c:\program files\Thoosje Sidebar V2.3\Thoosje Vista Sidebar.exe [2007-10-21 524288] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696] Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-7-13 24576] Post-it© Software Notes Lite.lnk - c:\program files\3M\PSNLite\PsnLite.exe [2004-10-15 2080768] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Trillian\\trillian.exe"= "c:\\Program Files\\Warcraft III\\Warcraft III.exe"= "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Chami\\HTML-Kit\\Bin\\HTMLKit.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"= "c:\\Program Files\\Azureus\\Azureus.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\Starcraft\\StarCraft.exe"= "c:\\Program Files\\THQ\\Dawn of War\\W40k.exe"= "c:\\Program Files\\Hamachi\\hamachi.exe"= "d:\\Neverwinter Nights\\nwmain.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\WINDOWS\\system32\\dplaysvr.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "6112:TCP"= 6112:TCP:WC3 R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [5/8/2009 12:40 AM 114768] R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [1/5/2010 7:56 AM 9968] R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 7:56 AM 74480] R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [5/8/2009 12:40 AM 20560] R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 7:56 AM 7408] R3 SbieDrv;SbieDrv;c:\program files\Sandboxie\SbieDrv.sys [1/5/2009 9:39 AM 103936] S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [3/16/2007 10:03 AM 646392] S3 Fadpu16E;Fadpu16E;\??\c:\docume~1\Zhang\LOCALS~1\Temp\Fadpu16E.sys --> c:\docume~1\Zhang\LOCALS~1\Temp\Fadpu16E.sys [?] S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [8/2/2005 4:10 PM 32512] S3 tap0801;Smarthide TAP driver;c:\windows\system32\drivers\tap0801.sys [10/12/2007 8:07 AM 55808] . Contents of the 'Scheduled Tasks' folder 2010-01-25 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34] 2010-01-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-365796306-1116947286-554802149-1006Core.job - c:\documents and settings\Zhang\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-17 12:37] 2010-01-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-365796306-1116947286-554802149-1006UA.job - c:\documents and settings\Zhang\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-17 12:37] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.google.com uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us IE: &WordWeb... - c:\windows\system32\wweb32.dll/lookup.html IE: Download All by FlashGet - c:\program files\FlashGet\jc_all.htm IE: Download using FlashGet - c:\program files\FlashGet\jc_link.htm IE: Download using LeechGet - file://c:\program files\LeechGet 2006\\AddUrl.html IE: Download using LeechGet Wizard - file://c:\program files\LeechGet 2006\\Wizard.html IE: Parse with LeechGet - file://c:\program files\LeechGet 2006\\Parser.html DPF: {4D2D3A17-9B46-483C-A5F4-1DC471080009} - hxxps://nac0.security.health.ufl.edu/auth/taweb.cab DPF: {C9D7D239-B502-48B3-BA25-9DF8C7264073} - hxxps://nac0.security.health.ufl.edu/auth/CCALogin.CAB FF - ProfilePath - c:\documents and settings\Zhang\Application Data\Mozilla\Firefox\Profiles\vumtcd3w.default\ FF - prefs.js: browser.search.selectedEngine - Google FF - prefs.js: browser.startup.homepage - www.google.com FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ . ************************************************************************ catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-01-25 22:53 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************ . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(964) c:\program files\SUPERAntiSpyware\SASWINLO.dll c:\windows\system32\WININET.dll - - - - - - - > 'explorer.exe'(5372) c:\windows\system32\WININET.dll c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . Completion time: 2010-01-25 22:55:33 ComboFix-quarantined-files.txt 2010-01-26 03:55 ComboFix2.txt 2010-01-23 00:49 Pre-Run: 6,179,549,184 bytes free Post-Run: 6,163,734,528 bytes free - - End Of File - - 39381BA953ED0BB232A4D991D88DA607

schrauber View Member Profile	Jan 26 2010, 04:10 PM Post #14
Mr.Mechanic Group: Malware Response Team Posts: 20,486 Joined: 3-May 08 From: Saarland,Germany Member No.: 206,858	HI, Please download OTL from one of the following mirrors: This is THE Mirror Save it to your desktop. Double click on the icon on your desktop. Under the Custom Scan box paste this in netsvcs %SYSTEMDRIVE%\.exe /md5start eventlog.dll scecli.dll netlogon.dll cngaudit.dll sceclt.dll ntelogon.dll logevent.dll iaStor.sys nvstor.sys atapi.sys IdeChnDr.sys viasraid.sys AGP440.sys vaxscsi.sys nvatabus.sys viamraid.sys nvata.sys nvgts.sys iastorv.sys ViPrt.sys eNetHook.dll ahcix86.sys KR10N.sys /md5stop %systemroot%\. /mp /s CREATERESTOREPOINT Push the Quick Scan button. Two reports will open, copy and paste them in a reply here: OTL.txt <-- Will be opened Extra.txt <-- Will be minimized -------------------- regards, schrauber If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you! Unavailable at mondays and thursdays! If I have helped you then please consider donating to continue the fight against malware

Thordon View Member Profile	Jan 27 2010, 10:30 PM Post #15
New Member Group: Members Posts: 11 Joined: 11-January 10 Member No.: 432,945	Hey schrauber, I tried twice and both times I didn't get the Extra.txt report. My OTL.txt is as follows: OTL logfile created on: 1/27/2010 7:20:46 PM - Run 3 OTL by OldTimer - Version 3.1.27.0 Folder = C:\Documents and Settings\Zhang\Desktop Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation Internet Explorer (Version = 8.0.6001.18702) Locale: 00000409 \| Country: United States \| Language: ENU \| Date Format: M/d/yyyy 1,014.00 Mb Total Physical Memory \| 486.00 Mb Available Physical Memory \| 48.00% Memory free 2.00 Gb Paging File \| 2.00 Gb Available in Paging File \| 75.00% Paging File free Paging file location(s): C:\pagefile.sys 1524 3048 [binary data] %SystemDrive% = C: \| %SystemRoot% = C:\WINDOWS \| %ProgramFiles% = C:\Program Files Drive C: \| 52.72 Gb Total Space \| 5.73 Gb Free Space \| 10.87% Space Free \| Partition Type: NTFS Drive D: \| 17.08 Gb Total Space \| 7.20 Gb Free Space \| 42.14% Space Free \| Partition Type: NTFS E: Drive not present or media not loaded F: Drive not present or media not loaded G: Drive not present or media not loaded H: Drive not present or media not loaded I: Drive not present or media not loaded Computer Name: DZANG Current User Name: Zhang Logged in as Administrator. Current Boot Mode: Normal Scan Mode: Current user Company Name Whitelist: On Skip Microsoft Files: On File Age = 14 Days Output = Standard Quick Scan ========== Processes (SafeList) ========== PRC - [2010/01/27 19:20:15 \| 00,548,864 \| ---- \| M] (OldTimer Tools) -- C:\Documents and Settings\Zhang\Desktop\OTL.exe PRC - [2010/01/05 07:56:02 \| 02,002,160 \| ---- \| M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe PRC - [2009/11/02 18:42:17 \| 00,136,176 \| ---- \| M] (Google Inc.) -- C:\Documents and Settings\Zhang\Local Settings\Application Data\Google\Update\1.2.183.13\GoogleCrashHandler.exe PRC - [2009/10/28 19:21:26 \| 00,141,600 \| ---- \| M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe PRC - [2009/10/28 19:21:14 \| 00,545,568 \| ---- \| M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe PRC - [2009/10/11 04:17:36 \| 00,149,280 \| ---- \| M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe PRC - [2009/10/11 04:17:35 \| 00,153,376 \| ---- \| M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe PRC - [2009/09/01 00:00:00 \| 01,873,272 \| ---- \| M] (Cerulean Studios) -- C:\Program Files\Trillian\trillian.exe PRC - [2009/08/17 11:07:23 \| 00,081,000 \| ---- \| M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashDisp.exe PRC - [2009/08/17 11:07:17 \| 00,138,680 \| ---- \| M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe PRC - [2009/08/17 11:07:01 \| 00,254,040 \| ---- \| M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe PRC - [2009/08/17 11:04:21 \| 00,352,920 \| ---- \| M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe PRC - [2009/08/17 10:58:55 \| 00,018,752 \| ---- \| M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe PRC - [2009/05/29 12:41:26 \| 00,144,712 \| ---- \| M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe PRC - [2009/01/05 09:39:54 \| 00,336,896 \| ---- \| M] (tzuk) -- C:\Program Files\Sandboxie\SbieCtrl.exe PRC - [2009/01/05 09:39:52 \| 00,052,224 \| ---- \| M] (tzuk) -- C:\Program Files\Sandboxie\SbieSvc.exe PRC - [2008/12/12 10:17:38 \| 00,238,888 \| ---- \| M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe PRC - [2008/05/27 11:24:53 \| 00,185,896 \| ---- \| M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe PRC - [2008/04/13 19:12:19 \| 01,033,728 \| ---- \| M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe PRC - [2006/11/12 05:48:46 \| 00,157,592 \| ---- \| M] (DT Soft Ltd.) -- C:\Program Files\DAEMON Tools\daemon.exe PRC - [2006/05/16 22:15:10 \| 00,071,288 \| ---- \| M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe PRC - [2006/04/06 14:57:54 \| 00,380,928 \| ---- \| M] (Dell Inc.) -- C:\Program Files\Dell\QuickSet\NicConfigSvc.exe PRC - [2006/03/24 16:30:44 \| 00,282,624 \| ---- \| M] (SigmaTel, Inc.) -- C:\WINDOWS\stsystra.exe PRC - [2006/03/08 11:48:02 \| 00,761,947 \| ---- \| M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPEnh.exe PRC - [2005/12/28 12:04:56 \| 00,262,217 \| ---- \| M] (Intel® Corporation) -- C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe PRC - [2005/12/28 11:56:16 \| 00,602,182 \| ---- \| M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe PRC - [2005/12/28 11:55:40 \| 00,667,718 \| ---- \| M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe PRC - [2005/12/28 11:52:32 \| 00,397,381 \| ---- \| M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe PRC - [2005/12/28 11:47:10 \| 00,540,745 \| ---- \| M] (Intel Corporation ) -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe PRC - [2005/12/28 11:45:02 \| 00,114,753 \| ---- \| M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe PRC - [2005/12/28 11:44:24 \| 00,217,164 \| ---- \| M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe PRC - [2005/12/13 16:45:00 \| 00,118,784 \| ---- \| M] (Intel Corporation) -- C:\WINDOWS\system32\igfxpers.exe PRC - [2005/12/13 16:41:08 \| 00,077,824 \| ---- \| M] (Intel Corporation) -- C:\WINDOWS\system32\hkcmd.exe PRC - [2005/12/13 16:41:00 \| 00,159,744 \| ---- \| M] (Intel Corporation) -- C:\WINDOWS\system32\igfxsrvc.exe PRC - [2005/03/14 12:05:02 \| 00,069,632 \| ---- \| M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe PRC - [2004/12/06 01:05:00 \| 00,127,035 \| ---- \| M] (Sonic Solutions) -- C:\WINDOWS\system32\dla\tfswctrl.exe PRC - [2004/10/15 14:27:22 \| 00,065,536 \| ---- \| M] (3M) -- C:\Program Files\3M\PSNLite\PSNGive.exe PRC - [2004/10/15 14:26:54 \| 02,080,768 \| ---- \| M] (3M) -- C:\Program Files\3M\PSNLite\PsnLite.exe PRC - [2003/10/29 02:06:00 \| 00,024,576 \| ---- \| M] (BVRP Software) -- C:\Program Files\Digital Line Detect\DLG.exe ========== Modules (SafeList) ========== MOD - [2010/01/27 19:20:15 \| 00,548,864 \| ---- \| M] (OldTimer Tools) -- C:\Documents and Settings\Zhang\Desktop\OTL.exe MOD - [2005/12/13 16:39:58 \| 00,073,728 \| ---- \| M] (Intel Corporation) -- C:\WINDOWS\system32\hccutils.dll ========== Win32 Services (SafeList) ========== SRV - [2009/10/28 19:21:14 \| 00,545,568 \| ---- \| M] (Apple Inc.) [On_Demand \| Running] -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service) SRV - [2009/10/11 04:17:35 \| 00,153,376 \| ---- \| M] (Sun Microsystems, Inc.) [Auto \| Running] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService) SRV - [2009/08/17 11:07:17 \| 00,138,680 \| ---- \| M] (ALWIL Software) [Auto \| Running] -- C:\Program Files\Alwil Software\Avast4\ashServ.exe -- (avast! Antivirus) SRV - [2009/08/17 11:07:01 \| 00,254,040 \| ---- \| M] (ALWIL Software) [On_Demand \| Running] -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe -- (avast! Mail Scanner) SRV - [2009/08/17 11:04:21 \| 00,352,920 \| ---- \| M] (ALWIL Software) [On_Demand \| Running] -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe -- (avast! Web Scanner) SRV - [2009/08/17 10:58:55 \| 00,018,752 \| ---- \| M] (ALWIL Software) [Auto \| Running] -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe -- (aswUpdSv) SRV - [2009/05/29 12:41:26 \| 00,144,712 \| ---- \| M] (Apple Inc.) [Auto \| Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device) SRV - [2009/01/05 09:39:52 \| 00,052,224 \| ---- \| M] (tzuk) [Auto \| Running] -- C:\Program Files\Sandboxie\SbieSvc.exe -- (SbieSvc) SRV - [2008/12/12 10:17:38 \| 00,238,888 \| ---- \| M] (Apple Inc.) [Auto \| Running] -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service) SRV - [2006/04/06 14:57:54 \| 00,380,928 \| ---- \| M] (Dell Inc.) [Auto \| Running] -- C:\Program Files\Dell\QuickSet\NicConfigSvc.exe -- (NICCONFIGSVC) SRV - [2005/12/28 12:04:56 \| 00,262,217 \| ---- \| M] (Intel® Corporation) [Auto \| Running] -- C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe -- (WLANKEEPER) Intel® SRV - [2005/12/28 11:47:10 \| 00,540,745 \| ---- \| M] (Intel Corporation ) [Auto \| Running] -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe -- (S24EventMonitor) Intel® SRV - [2005/12/28 11:45:02 \| 00,114,753 \| ---- \| M] (Intel Corporation) [Auto \| Running] -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe -- (EvtEng) Intel® SRV - [2005/12/28 11:44:24 \| 00,217,164 \| ---- \| M] (Intel Corporation) [Auto \| Running] -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe -- (RegSrvc) Intel® SRV - [2005/08/02 16:18:49 \| 00,086,016 \| ---- \| M] (CACE Technologies) [On_Demand \| Stopped] -- C:\Program Files\WinPcap\rpcapd.exe -- (rpcapd) Remote Packet Capture Protocol v.0 (experimental) SRV - [2005/03/14 12:05:02 \| 00,069,632 \| ---- \| M] (HP) [Auto \| Running] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12) SRV - [2004/10/22 02:24:18 \| 00,073,728 \| ---- \| M] (Macrovision Corporation) [On_Demand \| Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe -- (IDriverT) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 ========== FireFox ========== FF - prefs.js..browser.search.selectedEngine: "Google" FF - prefs.js..browser.startup.homepage: "www.google.com" FF - prefs.js..extensions.enabledItems: staff@hide-my-ip.com:1.0 FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0 FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:7 FF - prefs.js..extensions.enabledItems: {73a6fe31-595d-460b-a920-fcc0f8843232}:1.9.9.18 FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Program Files\Real\RealPlayer\browserrecord [2008/05/27 11:25:39 \| 00,000,000 \| ---D \| M] FF - HKLM\software\mozilla\Mozilla Firefox 3.5.2\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/09/20 11:14:06 \| 00,000,000 \| ---D \| M] FF - HKLM\software\mozilla\Mozilla Firefox 3.5.2\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/09/13 22:25:11 \| 00,000,000 \| ---D \| M] [2008/08/21 23:48:38 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Zhang\Application Data\Mozilla\Extensions [2010/01/27 15:28:42 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Zhang\Application Data\Mozilla\Firefox\Profiles\vumtcd3w.default\extensions [2007/10/20 20:02:51 \| 00,000,000 \| ---D \| M] (No name found) -- C:\Documents and Settings\Zhang\Application Data\Mozilla\Firefox\Profiles\vumtcd3w.default\extensions\{34274bf4-1d97-a289-e984-17e546307e4f} [2009/11/29 21:51:12 \| 00,000,000 \| ---D \| M] (NoScript) -- C:\Documents and Settings\Zhang\Application Data\Mozilla\Firefox\Profiles\vumtcd3w.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232} [2010/01/27 15:28:42 \| 00,000,000 \| ---D \| M] -- C:\Program Files\Mozilla Firefox\extensions [2009/06/27 16:18:26 \| 00,000,000 \| ---D \| M] -- C:\Program Files\Mozilla Firefox\extensions\staff@hide-my-ip.com [2006/10/12 11:08:00 \| 00,114,688 \| ---- \| M] () -- C:\Program Files\Mozilla Firefox\plugins\npmozax.dll [2007/10/25 10:17:00 \| 00,237,568 \| ---- \| M] (Virtools SA) -- C:\Program Files\Mozilla Firefox\plugins\npvirtools.dll O1 HOSTS File: ([2004/08/04 05:00:00 \| 00,000,734 \| ---- \| M]) - C:\WINDOWS\system32\drivers\etc\hosts O1 - Hosts: 127.0.0.1 localhost O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated) O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer) O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll (Sonic Solutions) O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll (Dell Inc.) O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.) O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.) O3 - HKLM\..\Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - No CLSID value found. O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found. O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No CLSID value found. O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe (Apple Inc.) O4 - HKLM..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software) O4 - HKLM..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe (Sonic Solutions) O4 - HKLM..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation) O4 - HKLM..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe (Intel Corporation) O4 - HKLM..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation) O4 - HKLM..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe (Intel Corporation) O4 - HKLM..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe (Intel Corporation) O4 - HKLM..\Run: [ISUSPM Startup] C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe (InstallShield Software Corporation) O4 - HKLM..\Run: [ISUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (InstallShield Software Corporation) O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.) O4 - HKLM..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe (McAfee, Inc.) O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\QTTask.exe (Apple Inc.) O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.) O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.) O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.) O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.) O4 - HKCU..\Run: [DAEMON Tools] C:\Program Files\DAEMON Tools\daemon.exe (DT Soft Ltd.) O4 - HKCU..\Run: [Google Update] C:\Documents and Settings\Zhang\Local Settings\Application Data\Google\Update\GoogleUpdate.exe (Google Inc.) O4 - HKCU..\Run: [SandboxieControl] C:\Program Files\Sandboxie\SbieCtrl.exe (tzuk) O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com) O4 - HKCU..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe (Adobe Systems Incorporated) O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated) O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe (BVRP Software) O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe (3M) O4 - Startup: C:\Documents and Settings\Zhang\Start Menu\Programs\Startup\Thoosje Vista Sidebar.lnk = C:\Program Files\Thoosje Sidebar V2.3\Thoosje Vista Sidebar.exe () O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323 O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863 O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 O8 - Extra context menu item: &WordWeb... - C:\WINDOWS\System32\wweb32.dll (Antony Lewis) O9 - Extra Button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - Reg Error: Value error. File not found O9 - Extra 'Tools' menuitem : &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - Reg Error: Value error. File not found O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.) O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone. O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab (Trend Micro ActiveX Scan Agent 6.6) O16 - DPF: {4D2D3A17-9B46-483C-A5F4-1DC471080009} https://nac0.security.health.ufl.edu/auth/taweb.cab (Cisco NAC Web Agent Control) O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onecare.live.com/resource/...lscbase5483.cab (Windows Live Safety Center Base Module) O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1223900221125 (MUWebControl Class) O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17) O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.) O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab (IWinAmpActiveX Class) O16 - DPF: {C9D7D239-B502-48B3-BA25-9DF8C7264073} https://nac0.security.health.ufl.edu/auth/CCALogin.CAB (CCAWebLogin Control) O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl...indows-i586.cab (Reg Error: Key error.) O16 - DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Reg Error: Key error.) O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Reg Error: Key error.) O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.) O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.) O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17) O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/get/shock...ash/swflash.cab (Shockwave Flash Object) O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe (Virtools WebPlayer Class) O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation) O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation) O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com) O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation) O24 - Desktop WallPaper: C:\Documents and Settings\Zhang\Local Settings\Application Data\Microsoft\Wallpaper1.bmp O24 - Desktop BackupWallPaper: C:\Documents and Settings\Zhang\Local Settings\Application Data\Microsoft\Wallpaper1.bmp O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com) O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2004/08/10 13:04:08 \| 00,000,000 \| ---- \| M] () - C:\AUTOEXEC.BAT -- [ NTFS ] O34 - HKLM BootExecute: (autocheck autochk ) - File not found O35 - comfile [open] -- "%1" % O35 - exefile [open] -- "%1" %* NetSvcs: 6to4 - File not found NetSvcs: Ias - C:\WINDOWS\system32\ias [2004/08/10 12:52:56 \| 00,000,000 \| ---D \| M] NetSvcs: Iprip - File not found NetSvcs: Irmon - File not found NetSvcs: NWCWorkstation - File not found NetSvcs: Nwsapagent - File not found NetSvcs: Wmi - C:\WINDOWS\system32\wmi.dll (Microsoft Corporation) NetSvcs: WmdmPmSp - File not found CREATERESTOREPOINT Restore point Set: OTL Restore Point (55735438412873728) ========== Files/Folders - Created Within 14 Days ========== [2010/01/27 19:20:15 \| 00,548,864 \| ---- \| C] (OldTimer Tools) -- C:\Documents and Settings\Zhang\Desktop\OTL.exe [2010/01/27 15:23:19 \| 00,000,000 \| ---D \| C] -- C:\Documents and Settings\Zhang\Desktop\Goldberg [2010/01/25 22:55:57 \| 00,000,000 \| -HSD \| C] -- C:\RECYCLER [2010/01/22 19:39:23 \| 00,000,000 \| RHSD \| C] -- C:\cmdcons [2010/01/22 19:38:40 \| 00,000,000 \| ---D \| C] -- C:\schrauber [2010/01/22 19:08:03 \| 00,031,232 \| ---- \| C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe [2010/01/22 19:08:02 \| 00,212,480 \| ---- \| C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe [2010/01/22 19:08:02 \| 00,161,792 \| ---- \| C] (SteelWerX) -- C:\WINDOWS\SWREG.exe [2010/01/22 19:08:02 \| 00,136,704 \| ---- \| C] (SteelWerX) -- C:\WINDOWS\SWSC.exe [2010/01/22 19:07:44 \| 00,000,000 \| ---D \| C] -- C:\WINDOWS\ERDNT [2010/01/22 19:05:31 \| 00,000,000 \| ---D \| C] -- C:\Qoobox [2009/05/08 00:47:59 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft [2009/05/08 00:43:38 \| 00,000,000 \| --SD \| M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft [2009/05/08 00:43:38 \| 00,000,000 \| --SD \| M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft [2009/05/08 00:43:38 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft [2009/04/02 22:00:27 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\LocalService\Application Data\VMware [2007/07/17 15:25:01 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple [2006/07/22 11:19:43 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\NetworkService\Application Data\Intel [2006/07/18 16:10:38 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\LocalService\Application Data\McAfee.com Personal Firewall [5 C:\WINDOWS\System32\.tmp files -> C:\WINDOWS\System32\.tmp -> ] [1 C:\WINDOWS\.tmp files -> C:\WINDOWS\.tmp -> ] ========== Files - Modified Within 14 Days ========== [2010/01/27 19:20:15 \| 00,548,864 \| ---- \| M] (OldTimer Tools) -- C:\Documents and Settings\Zhang\Desktop\OTL.exe [2010/01/27 18:47:02 \| 00,000,978 \| ---- \| M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-365796306-1116947286-554802149-1006UA.job [2010/01/27 18:47:02 \| 00,000,926 \| ---- \| M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-365796306-1116947286-554802149-1006Core.job [2010/01/27 17:48:28 \| 00,002,284 \| ---- \| M] () -- C:\Documents and Settings\Zhang\Desktop\Google Chrome.lnk [2010/01/27 15:54:39 \| 00,001,622 \| ---- \| M] () -- C:\Documents and Settings\Zhang\Desktop\Trillian.lnk [2010/01/27 15:22:27 \| 00,002,206 \| ---- \| M] () -- C:\WINDOWS\System32\wpa.dbl [2010/01/27 15:21:56 \| 00,000,006 \| -H-- \| M] () -- C:\WINDOWS\tasks\SA.DAT [2010/01/27 15:21:48 \| 00,002,048 \| --S- \| M] () -- C:\WINDOWS\bootstat.dat [2010/01/27 15:21:47 \| 10,637,14816 \| -HS- \| M] () -- C:\hiberfil.sys [2010/01/27 13:50:10 \| 09,437,184 \| -H-- \| M] () -- C:\Documents and Settings\Zhang\NTUSER.DAT [2010/01/27 13:50:10 \| 00,000,178 \| -HS- \| M] () -- C:\Documents and Settings\Zhang\ntuser.ini [2010/01/26 00:09:30 \| 00,000,069 \| ---- \| M] () -- C:\Documents and Settings\Zhang\jagex_runescape_preferences2.dat [2010/01/26 00:08:51 \| 00,000,039 \| ---- \| M] () -- C:\Documents and Settings\Zhang\jagex_runescape_preferences.dat [2010/01/25 22:53:11 \| 00,000,227 \| ---- \| M] () -- C:\WINDOWS\system.ini [2010/01/25 12:00:03 \| 00,000,284 \| ---- \| M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job [2010/01/22 19:39:30 \| 00,000,281 \| RHS- \| M] () -- C:\boot.ini [2010/01/19 21:15:34 \| 00,018,432 \| ---- \| M] () -- C:\Documents and Settings\Zhang\Desktop\Jan 2010 Revised CV.doc [2010/01/19 21:11:37 \| 00,019,968 \| ---- \| M] () -- C:\Documents and Settings\Zhang\Desktop\Jan 2010 CV.doc [5 C:\WINDOWS\System32\.tmp files -> C:\WINDOWS\System32\.tmp -> ] [1 C:\WINDOWS\.tmp files -> C:\WINDOWS\.tmp -> ] ========== Files Created - No Company Name ========== [2010/01/22 19:39:30 \| 00,000,211 \| ---- \| C] () -- C:\Boot.bak [2010/01/22 19:39:26 \| 00,260,272 \| ---- \| C] () -- C:\cmldr [2010/01/22 19:08:03 \| 00,077,312 \| ---- \| C] () -- C:\WINDOWS\MBR.exe [2010/01/22 19:08:02 \| 00,261,632 \| ---- \| C] () -- C:\WINDOWS\PEV.exe [2010/01/22 19:08:02 \| 00,098,816 \| ---- \| C] () -- C:\WINDOWS\sed.exe [2010/01/22 19:08:02 \| 00,080,412 \| ---- \| C] () -- C:\WINDOWS\grep.exe [2010/01/22 19:08:02 \| 00,068,096 \| ---- \| C] () -- C:\WINDOWS\zip.exe [2010/01/19 21:15:34 \| 00,018,432 \| ---- \| C] () -- C:\Documents and Settings\Zhang\Desktop\Jan 2010 Revised CV.doc [2010/01/19 20:35:20 \| 00,019,968 \| ---- \| C] () -- C:\Documents and Settings\Zhang\Desktop\Jan 2010 CV.doc [2010/01/19 00:28:47 \| 10,637,14816 \| -HS- \| C] () -- C:\hiberfil.sys [2009/11/24 19:37:05 \| 00,043,520 \| ---- \| C] () -- C:\WINDOWS\System32\CmdLineExt03.dll [2009/04/12 12:26:38 \| 00,847,360 \| ---- \| C] () -- C:\WINDOWS\System32\JS32.dll [2009/03/29 09:48:34 \| 00,002,574 \| ---- \| C] () -- C:\WINDOWS\Sandboxie.ini [2008/11/21 16:45:16 \| 00,000,416 \| ---- \| C] () -- C:\WINDOWS\System32\dtu100.dll.manifest [2008/11/21 16:45:16 \| 00,000,416 \| ---- \| C] () -- C:\WINDOWS\System32\dpl100.dll.manifest [2008/11/21 16:44:16 \| 00,012,288 \| ---- \| C] () -- C:\WINDOWS\System32\DivXWMPExtType.dll [2008/08/20 09:33:17 \| 00,462,848 \| ---- \| C] () -- C:\WINDOWS\System32\lame_enc.dll [2008/05/12 15:20:54 \| 00,021,840 \| ---- \| C] () -- C:\WINDOWS\System32\SIntfNT.dll [2008/05/12 15:20:54 \| 00,017,212 \| ---- \| C] () -- C:\WINDOWS\System32\SIntf32.dll [2008/02/12 15:51:24 \| 00,000,381 \| ---- \| C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log [2008/02/12 15:51:02 \| 00,077,824 \| ---- \| C] () -- C:\WINDOWS\System32\hpzids01.dll [2008/01/08 15:28:52 \| 00,000,028 \| ---- \| C] () -- C:\WINDOWS\ODBC.INI [2008/01/04 16:58:50 \| 03,596,288 \| ---- \| C] () -- C:\WINDOWS\System32\qt-dx331.dll [2007/05/22 12:50:31 \| 00,000,000 \| ---- \| C] () -- C:\WINDOWS\AutoRun.INI [2007/03/16 11:15:42 \| 00,000,170 \| ---- \| C] () -- C:\WINDOWS\game.ini [2007/03/16 10:03:34 \| 00,646,392 \| ---- \| C] () -- C:\WINDOWS\System32\drivers\sptd.sys [2006/11/29 18:56:54 \| 00,000,088 \| RHS- \| C] () -- C:\WINDOWS\System32\8C7EDB19A9.sys [2006/10/16 19:41:35 \| 00,004,912 \| -HS- \| C] () -- C:\WINDOWS\System32\KGyGaAvL.sys [2006/10/16 19:41:35 \| 00,000,056 \| RHS- \| C] () -- C:\WINDOWS\System32\A919DB7E8C.sys [2006/09/19 14:46:27 \| 00,061,440 \| ---- \| C] () -- C:\WINDOWS\System32\wintab32.dll [2006/09/18 22:21:49 \| 00,001,367 \| ---- \| C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache [2006/08/21 20:46:44 \| 00,909,312 \| ---- \| C] () -- C:\WINDOWS\j3dcore-d3d.dll [2006/08/21 20:46:44 \| 00,192,512 \| ---- \| C] () -- C:\WINDOWS\j3dcore-ogl.dll [2006/08/21 20:46:44 \| 00,045,056 \| ---- \| C] () -- C:\WINDOWS\j3dutils.dll [2006/08/21 20:46:44 \| 00,040,960 \| ---- \| C] () -- C:\WINDOWS\j3dcore-ogl-cg.dll [2006/07/26 23:03:19 \| 00,061,678 \| ---- \| C] () -- C:\Documents and Settings\Zhang\Application Data\PFP120JPR.{PB [2006/07/26 23:03:19 \| 00,012,358 \| ---- \| C] () -- C:\Documents and Settings\Zhang\Application Data\PFP120JCM.{PB [2006/07/22 16:46:47 \| 00,154,624 \| ---- \| C] () -- C:\Documents and Settings\Zhang\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [2006/07/21 01:23:13 \| 00,000,002 \| ---- \| C] () -- C:\WINDOWS\msoffice.ini [2006/07/18 20:35:14 \| 00,000,128 \| ---- \| C] () -- C:\Documents and Settings\Zhang\Local Settings\Application Data\fusioncache.dat [2006/07/13 02:29:55 \| 00,000,061 \| ---- \| C] () -- C:\WINDOWS\smscfg.ini [2006/07/13 02:16:17 \| 00,712,704 \| ---- \| C] () -- C:\WINDOWS\System32\DellSystemRestore.dll [2006/07/13 02:12:25 \| 00,000,139 \| ---- \| C] () -- C:\WINDOWS\wininit.ini [2006/07/13 02:05:27 \| 00,000,004 \| -H-- \| C] () -- C:\Documents and Settings\All Users\Application Data\QSLLPSVCShare [2006/07/13 01:41:51 \| 00,016,480 \| ---- \| C] () -- C:\WINDOWS\System32\rixdicon.dll [2006/07/13 01:40:35 \| 00,000,391 \| ---- \| C] () -- C:\WINDOWS\System32\OEMINFO.INI [2005/10/15 15:45:54 \| 00,421,888 \| ---- \| C] () -- C:\WINDOWS\System32\OpenQuicktimeLib.dll [2005/10/15 15:45:40 \| 01,040,384 \| ---- \| C] () -- C:\WINDOWS\System32\vorbisenc.dll [2005/10/15 15:45:40 \| 00,077,824 \| ---- \| C] () -- C:\WINDOWS\System32\vorbisfile.dll [2005/10/15 15:45:38 \| 01,163,264 \| ---- \| C] () -- C:\WINDOWS\System32\vorbis.dll [2005/10/15 15:45:38 \| 00,061,440 \| ---- \| C] () -- C:\WINDOWS\System32\ogg.dll [2005/08/02 16:24:01 \| 00,053,299 \| ---- \| C] () -- C:\WINDOWS\System32\pthreadVC.dll [2005/04/09 10:04:54 \| 00,000,000 \| ---- \| C] () -- C:\WINDOWS\System32\px.ini [2004/08/10 13:12:05 \| 00,000,780 \| ---- \| C] () -- C:\WINDOWS\orun32.ini [2004/08/10 13:01:18 \| 00,001,793 \| ---- \| C] () -- C:\WINDOWS\System32\fxsperf.ini [2002/11/09 02:04:42 \| 00,225,280 \| ---- \| C] () -- C:\WINDOWS\System32\qtmlClient.dll ========== LOP Check ========== [2009/06/27 16:03:31 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\All Users\Application Data\Arovax [2009/05/08 00:48:06 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\All Users\Application Data\Avg7 [2009/09/20 11:11:38 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\All Users\Application Data\Azureus [2008/04/03 00:24:55 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\All Users\Application Data\MailFrontier [2008/01/06 15:36:13 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\All Users\Application Data\Ulead Systems [2006/07/13 02:12:06 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint [2007/04/23 17:38:46 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\All Users\Application Data\WildTangent [2009/03/22 01:59:27 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3} [2009/09/13 22:54:58 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD} [2009/04/14 21:29:03 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906} [2008/01/24 22:35:10 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Zhang\Application Data\3M [2007/03/16 10:33:50 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Zhang\Application Data\Activision [2009/11/18 22:49:25 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Zhang\Application Data\Audacity [2009/09/20 20:37:14 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Zhang\Application Data\Azureus [2008/08/20 09:33:22 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Zhang\Application Data\Browzar [2008/09/29 22:08:38 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Zhang\Application Data\CrystalMaker Software [2009/11/11 10:20:49 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Zhang\Application Data\GrabPro [2009/10/14 22:36:04 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Zhang\Application Data\gtk-2.0 [2007/03/16 15:01:07 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Zhang\Application Data\Leadertech [2007/12/14 19:15:40 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Zhang\Application Data\NJStar [2009/01/19 21:00:45 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Zhang\Application Data\OpenOffice.org [2009/12/25 18:10:28 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Zhang\Application Data\Orbit [2008/05/19 16:26:04 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Zhang\Application Data\Ruckus Network [2007/08/05 09:19:21 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Zhang\Application Data\Uniblue ========== Purity Check ========== ========== Custom Scans ========== < %SYSTEMDRIVE%\.exe > < MD5 for: AGP440.SYS > [2004/08/04 05:00:00 \| 18,738,937 \| ---- \| M] () .cab file -- C:\i386\sp2.cab:AGP440.sys [2004/08/04 05:00:00 \| 18,738,937 \| ---- \| M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys [2008/09/11 23:53:40 \| 23,852,652 \| ---- \| M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys [2008/09/11 23:53:40 \| 23,852,652 \| ---- \| M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys [2008/04/13 13:36:38 \| 00,042,368 \| ---- \| M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ERDNT\cache\agp440.sys [2008/04/13 13:36:38 \| 00,042,368 \| ---- \| M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys [2008/04/13 13:36:38 \| 00,042,368 \| ---- \| M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys [2004/08/03 23:07:42 \| 00,042,368 \| ---- \| M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\i386\AGP440.SYS [2004/08/03 23:07:42 \| 00,042,368 \| ---- \| M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys < MD5 for: ATAPI.SYS > [2004/08/04 05:00:00 \| 18,738,937 \| ---- \| M] () .cab file -- C:\i386\sp2.cab:atapi.sys [2004/08/04 05:00:00 \| 18,738,937 \| ---- \| M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys [2008/09/11 23:53:40 \| 23,852,652 \| ---- \| M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys [2008/09/11 23:53:40 \| 23,852,652 \| ---- \| M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys [2008/04/13 13:40:30 \| 00,096,512 \| ---- \| M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys [2008/04/13 13:40:30 \| 00,096,512 \| ---- \| M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys [2008/04/13 13:40:30 \| 00,096,512 \| ---- \| M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys [2004/08/03 22:59:44 \| 00,095,360 \| ---- \| M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\i386\atapi.sys [2004/08/03 22:59:44 \| 00,095,360 \| ---- \| M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys [2004/08/03 22:59:44 \| 00,095,360 \| ---- \| M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0003\DriverFiles\i386\atapi.sys < MD5 for: EVENTLOG.DLL > [2008/04/13 19:11:53 \| 00,056,320 \| ---- \| M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ERDNT\cache\eventlog.dll [2008/04/13 19:11:53 \| 00,056,320 \| ---- \| M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll [2008/04/13 19:11:53 \| 00,056,320 \| ---- \| M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll [2004/08/04 05:00:00 \| 00,055,808 \| ---- \| M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\i386\eventlog.dll [2004/08/04 05:00:00 \| 00,055,808 \| ---- \| M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll < MD5 for: NETLOGON.DLL > [2008/04/13 19:12:01 \| 00,407,040 \| ---- \| M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ERDNT\cache\netlogon.dll [2008/04/13 19:12:01 \| 00,407,040 \| ---- \| M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll [2008/04/13 19:12:01 \| 00,407,040 \| ---- \| M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll [2004/08/04 05:00:00 \| 00,407,040 \| ---- \| M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\i386\netlogon.dll [2004/08/04 05:00:00 \| 00,407,040 \| ---- \| M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll < MD5 for: SCECLI.DLL > [2004/08/04 05:00:00 \| 00,180,224 \| ---- \| M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\i386\scecli.dll [2004/08/04 05:00:00 \| 00,180,224 \| ---- \| M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll [2008/04/13 19:12:05 \| 00,181,248 \| ---- \| M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ERDNT\cache\scecli.dll [2008/04/13 19:12:05 \| 00,181,248 \| ---- \| M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll [2008/04/13 19:12:05 \| 00,181,248 \| ---- \| M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll < %systemroot%\. /mp /s > < End of report >

« Next Oldest · Virus, Trojan, Spyware, and Malware Removal Logs · Next Newest »

2 Pages

1 2 >

1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)

0 Members:

Display Mode: Standard · Switch to: Linear+ · Switch to: Outline

Track this topic · Email this topic · Print this topic · Subscribe to this forum

Lo-Fi Version

Time is now: 29th July 2010 - 09:22 AM

Advertise \| About Us \| Terms of Use \| Privacy Policy \| Contact Us \| Site Map \| Chat \| Tutorials \| Uninstall List
Discussion Forums \| The Computer Glossary \| Resources \| RSS Feeds \| Startups \| The File Database \| Virus Removal Guides