Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Getting redirected, can't install/run MBAM


  • This topic is locked This topic is locked
21 replies to this topic

#1 MarcAngeDraco

MarcAngeDraco

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:04:13 AM

Posted 15 May 2009 - 09:10 PM

I had posted over in the "Am I infected" topic, but wasn't getting anywhere...

Brief summary:

I'm getting redirected when I use google, yahoo, etc. Also having trouble downloading files like MBAM, I get 404 error messages etc.

Tried to install MBAM, but it won't run.

Tried to run Kaspersky Online Scan, but it won't run.

I was able to get HijackThis to run, so I'll paste the logfile below.

Any help would be greatly appreciated!



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:10:32 PM, on 5/15/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\iolo\System Mechanic Professional\IoloSGCtrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\eMachines Bay Reader\shwiconem.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\iolo\System Mechanic Professional\SystemGuardAlerter.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\Mark\Application Data\Smilebox\SmileboxTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iolo\System Mechanic Professional\SysMech.exe
C:\Program Files\iolo\System Mechanic Professional\Personal Firewall\ioloFW.exe
C:\Program Files\iolo\System Mechanic Professional\AntiVirus\ioloAV.exe
C:\Program Files\iolo\System Mechanic Professional\AntiVirus\iAVEmailScanner.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\eMachines Bay Reader\shwiconem.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [SansaDispatch] C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe
O4 - HKLM\..\Run: [iolo AntiVirus] "C:\Program Files\iolo\System Mechanic Professional\AntiVirus\ioloAV.exe"
O4 - HKLM\..\Run: [SystemGuardAlerter] C:\Program Files\iolo\System Mechanic Professional\SystemGuardAlerter.exe
O4 - HKLM\..\Run: [iolo Personal Firewall] "C:\Program Files\iolo\System Mechanic Professional\Personal Firewall\ioloFW.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SmileboxTray] "C:\Documents and Settings\Mark\Application Data\Smilebox\SmileboxTray.exe"
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {33331111-1111-1111-1111-611111193423} -
O16 - DPF: {33331111-1111-1111-1111-611111193429} -
O16 - DPF: {33331111-1111-1111-1111-615111193427} -
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://mail.alticor.com/,DanaInfo=LNOT15.i...va+iNotes6W.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1237507492718
O16 - DPF: {707ABFC2-1D27-4A10-A6E4-6BE6BDF9FB11} (UltraMJCamX Class) - http://67.239.5.28:81/UltraMJCamX.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.av.aol.com/molbin/shared/m...,20/mcgdmgr.cab
O16 - DPF: {FFD85DC8-5261-4D11-B728-F7C59D911691} (iolo.ProductDetector) - https://secure.iolo.com/app/ocx/UpgradeVerify.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1073295A-0F2D-4036-84D8-994025BC06CA}: NameServer = 85.255.112.165,85.255.112.216
O17 - HKLM\System\CCS\Services\Tcpip\..\{E3922A2E-E4DC-4DF2-A8A9-C8645A54281C}: NameServer = 85.255.112.165,85.255.112.216
O17 - HKLM\System\CCS\Services\Tcpip\..\{F2656653-D58E-4922-888D-1C60000AFECB}: NameServer = 85.255.112.165,85.255.112.216
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.165,85.255.112.216
O17 - HKLM\System\CS1\Services\Tcpip\..\{1073295A-0F2D-4036-84D8-994025BC06CA}: NameServer = 85.255.112.165,85.255.112.216
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.165,85.255.112.216
O17 - HKLM\System\CS2\Services\Tcpip\..\{1073295A-0F2D-4036-84D8-994025BC06CA}: NameServer = 85.255.112.165,85.255.112.216
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.165,85.255.112.216
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: Google Update Service (gupdate1c9b25c1220ff1c) (gupdate1c9b25c1220ff1c) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - C:\Program Files\iolo\System Mechanic Professional\IoloSGCtrl.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

--
End of file - 11470 bytes

Edited by MarcAngeDraco, 15 May 2009 - 09:11 PM.


BC AdBot (Login to Remove)

 


#2 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:03:13 AM

Posted 15 May 2009 - 11:02 PM

Hello MarcAngeDraco and welcome to BC forums.

This system has a DNS Changer infection, plus it is blocking the running of anti-malware apps.
Please start by doing the following.

1. Set Windows to show all files and all folders.
On your Desktop, double click My Computer, from the menu options, select tools, then Folder Options, and then select VIEW Tab and look at all of settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under column, Hidden files and folders----choose ( *select* ) Show hidden files and folders.
Next, un-check Hide extensions for known file types.
Next un-check Hide protected operating system files.

2. Take out the trash (temporary files & temporary internet files)
Please download ATF Cleaner by Atribune, saving it to your desktop. It is used to cleanout temporary files & temp areas used by internet browsers.
Start ATF-Cleaner.exe to run the program.

Under Main choose: Select All

Click the Empty Selected button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
ATF-Cleaner should be run per the above in every user-login account {User Profile}

=
If you do not have MBAM, use another pc to download MBAM and save it to CD/DVD or a known-clean USB flash drive; copy MBAM setup to desktop.

Please download & save Malwarebytes Anti-Malware from
http://www.download.com/Malwarebytes-Anti-..._4-10804572.htm or
http://www.besttechie.net/tools/mbam-setup.exe or
http://malwarebytes.gt500.org/mbam.jsp

Next, disconnect this pc from internet - unplug the connection to the modem. If you have a router, power down the router.

Now, locate mbam-setup.exe ; do a right-click on it, select Rename, and RENAME it to Alpha.exe

Double Click Alpha.exe to install the application.
  • Make sure a checkmark is placed next to Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

=
Now, power up the router. Wait a bit until the display lights are normal. Then, reconnect this pc to internet.

Download OTListIt by OldTimer to your desktop: http://oldtimer.geekstogo.com/OTListIt2.exe
  • Close all open windows on the Task Bar. Click the icon (for Vista, right click the icon and Run as Administrator) to start the program.
  • In the lower right corner of the Top Panel, checkmark "LOP Check" and checkmark "Purity Check".
  • Now click Run Scan at Top left and let the program run uninterrupted. It will take about 4 minutes.
  • It will produce two logs for you, one will pop up called OTListIt.txt, the other will be saved on your desktop and called Extras.txt.
  • Exit Notepad. Remember where you've saved these 2 files as we will need both of them shortly!
  • Exit OTListIt2 by clicking the X at top right.
Download Security Check by screen317 and save it to your Desktop: here or here

  • Run Security Check
  • Follow the onscreen instructions inside of the command window.
  • A Notepad document should open automatically called checkup.txt; close Notepad. We will need this log, too, so remember where you've saved it!
Posted Image If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE access the Internet, allow it to do so.

Then copy/paste the following into your post (in order):
  • copy of the MBAM scan log
  • the contents of OTListIt.txt
  • the contents of Extras.txt and
  • the contents of checkup.txt
Be sure to do a Preview prior to pressing Submit because all reports may not fit into 1 single reply. You may have to do more than 1 reply.
Do not use the attachment feature to place any of your reports. Always put them in-line inside the body of reply.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#3 MarcAngeDraco

MarcAngeDraco
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:04:13 AM

Posted 16 May 2009 - 07:42 AM

Maurice,

First of all, thanks for your help.

My progress following your instructions:

Completed 1), with no problem.

Started 2),
I was able to download the ATF cleaner and used it in all 3 of user accounts on my machine.
I was able to download mbam-setup.exe, rename it to Alpha.exe, and it seemed to install okay. But it did not launch at the end of installation even though I had checked the launch box. Trying to manually launch it doesn't work either. I also tried renaming the mbam.exe file to see if that would work, but it did not.

Any other ideas for that step or should I proceed with the following steps?

#4 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:03:13 AM

Posted 16 May 2009 - 08:25 AM

As I noted, one of the infections is DNS Changer.
This time around, let's make sure you do this.

Logoff Windows and and select shutdown.
Power off your pc.
If it has a physical connection to a modem or router, disconnect it as well.
If you have a router, unplug it from power.


Power up the pc (while it is NOT connected to modem or router). Immediately start tapping F8 function key.
You need to get the Advanced Bottup menu, and then select SAFE mode.

In Safe mode, locate and rename Mbam.exe to something like Tango.exe
the run Tango (MBAM in safe mode). Do a quick scan.

When completed, logoff and Restart the pc --- still disconnected from internet.
In Normal mode, start Tango and do a new Quick scan.

When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

I will need copies of both those logs in your next reply.

Next, reconnect router if unplugged and wait for it to display all lights, and connected.
Wait about a minute or so.
Reconnect the connections of this pc to the modem or router.

Make sure that pc has internet connectivity.

Then, proceed to get and run OTListIt2 and security check.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#5 MarcAngeDraco

MarcAngeDraco
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:04:13 AM

Posted 16 May 2009 - 09:43 AM

Thanks for all of your help so far, Maurice. I finally feel like I'm making some progress!

I got MBAM to run in safe mode, then in normal mode (while disconnected).

It found and deleted 22 items.

The MBAM logfile contents:

Malwarebytes' Anti-Malware 1.36
Database version: 1945
Windows 5.1.2600 Service Pack 3

5/16/2009 9:58:37 AM
mbam-log-2009-05-16 (09-58-37).txt

Scan type: Quick Scan
Objects scanned: 87596
Time elapsed: 3 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 1
Registry Data Items Infected: 14
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{33331111-1111-1111-1111-611111193423} (Trojan.Clicker) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{33331111-1111-1111-1111-611111193429} (Trojan.Clicker) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{33331111-1111-1111-1111-615111193427} (Trojan.Clicker) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\{9a9c9b68-f908-4aab-8d0c-10ea8997f37e} (Adware.Mirar) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CLASSES_ROOT\scrfile\shell\open\command\ (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: ("%1" /S) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\regfile\shell\open\command\ (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: (regedit.exe "%1") -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.165,85.255.112.216 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1073295a-0f2d-4036-84d8-994025bc06ca}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.165,85.255.112.216 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{e3922a2e-e4dc-4df2-a8a9-c8645a54281c}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.165,85.255.112.216 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{f2656653-d58e-4922-888d-1c60000afecb}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.165,85.255.112.216 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.165,85.255.112.216 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{1073295a-0f2d-4036-84d8-994025bc06ca}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.165,85.255.112.216 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{e3922a2e-e4dc-4df2-a8a9-c8645a54281c}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.165,85.255.112.216 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{f2656653-d58e-4922-888d-1c60000afecb}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.165,85.255.112.216 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.165,85.255.112.216 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{1073295a-0f2d-4036-84d8-994025bc06ca}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.165,85.255.112.216 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{e3922a2e-e4dc-4df2-a8a9-c8645a54281c}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.165,85.255.112.216 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{f2656653-d58e-4922-888d-1c60000afecb}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.165,85.255.112.216 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\autorun.inf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\RECYCLER\S-2-9-75-100013656-100009927-100001202-9191.com (Trojan.Agent) -> Quarantined and deleted successfully.


The contents of OTLISTIT.TXT

OTListIt logfile created on: 5/16/2009 10:15:14 AM - Run 1
OTListIt2 by OldTimer - Version 2.0.15.8 Folder = C:\Documents and Settings\Mark\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

502.80 Mb Total Physical Memory | 211.54 Mb Available Physical Memory | 42.07% Memory free
1.20 Gb Paging File | 0.95 Gb Available in Paging File | 79.01% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 36.90 Gb Free Space | 49.52% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: STUDYMAIN
Current User Name: Mark
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Standard
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - [2003/08/29 09:54:16 | 00,307,200 | ---- | M] (Lexmark International, Inc.) -- C:\WINDOWS\system32\LEXBCES.EXE
PRC - [2003/08/29 09:50:24 | 00,174,592 | ---- | M] (Lexmark International, Inc.) -- C:\WINDOWS\system32\LEXPPS.EXE
PRC - [2008/04/13 20:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2009/03/31 19:54:31 | 00,133,104 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Update\GoogleUpdate.exe
PRC - [2004/03/12 08:18:54 | 00,135,168 | ---- | M] (Alcor Micro, Corp.) -- C:\Program Files\eMachines Bay Reader\shwiconem.exe
PRC - [2004/05/01 14:53:13 | 00,026,112 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Real\RealPlayer\RealPlay.exe
PRC - [2006/09/25 14:54:24 | 00,229,952 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe
PRC - [2008/10/07 11:23:46 | 00,111,856 | ---- | M] (Yahoo! Inc) -- C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
PRC - [2009/03/25 16:44:16 | 00,364,384 | ---- | M] () -- C:\Program Files\iolo\System Mechanic Professional\SystemGuardAlerter.exe
PRC - [2006/01/19 11:29:52 | 00,100,032 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
PRC - [2008/04/13 20:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe
PRC - [2007/05/20 07:29:34 | 00,068,856 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2008/06/01 16:22:56 | 00,177,448 | R--- | M] (Authentium, Inc.) -- C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
PRC - [2009/02/06 18:16:54 | 00,712,048 | ---- | M] () -- C:\Program Files\iolo\common\lib\ioloServiceManager.exe
PRC - [2009/03/25 16:44:22 | 00,323,424 | ---- | M] () -- C:\Program Files\iolo\System Mechanic Professional\IoloSGCtrl.exe
PRC - [2006/09/25 14:54:22 | 00,451,136 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
PRC - [2009/03/13 10:04:26 | 01,320,800 | ---- | M] () -- C:\Program Files\iolo\System Mechanic Professional\Personal Firewall\ioloFW.exe
PRC - [2008/12/15 19:13:26 | 01,106,784 | ---- | M] () -- C:\Program Files\iolo\System Mechanic Professional\AntiVirus\ioloAV.exe
PRC - [2008/12/15 19:13:50 | 00,412,544 | ---- | M] () -- C:\Program Files\iolo\System Mechanic Professional\AntiVirus\iAVEmailScanner.exe
PRC - [2009/05/16 10:11:55 | 00,501,248 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Mark\Desktop\OTListIt2.exe

========== Win32 Services (SafeList) ==========

SRV - File not found -- -- (AOL ACS [Auto | Stopped])
SRV - [2005/09/23 08:28:32 | 00,029,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2006/01/19 11:29:52 | 00,100,032 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe -- (Automatic LiveUpdate Scheduler [Auto | Running])
SRV - [2005/09/23 08:28:56 | 00,066,240 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2008/06/01 16:22:56 | 00,177,448 | R--- | M] (Authentium, Inc.) -- C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe -- (dvpapi [Auto | Running])
SRV - [2009/03/31 19:54:31 | 00,133,104 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Update\GoogleUpdate.exe -- (gupdate1c9b25c1220ff1c [Auto | Stopped])
SRV - [2009/03/31 19:53:37 | 00,183,280 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc [Auto | Stopped])
SRV - [2008/04/13 20:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2009/02/06 18:16:54 | 00,712,048 | ---- | M] () -- C:\Program Files\iolo\common\lib\ioloServiceManager.exe -- (ioloFileInfoList [Auto | Running])
SRV - [2009/02/06 18:16:54 | 00,712,048 | ---- | M] () -- C:\Program Files\iolo\common\lib\ioloServiceManager.exe -- (ioloSystemService [Auto | Running])
SRV - [2009/03/25 16:44:22 | 00,323,424 | ---- | M] () -- C:\Program Files\iolo\System Mechanic Professional\IoloSGCtrl.exe -- (IOLO_SRV [Auto | Running])
SRV - [2006/09/25 14:54:22 | 00,451,136 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service [On_Demand | Running])
SRV - [2003/08/29 09:54:16 | 00,307,200 | ---- | M] (Lexmark International, Inc.) -- C:\WINDOWS\system32\LEXBCES.EXE -- (LexBceS [Auto | Running])
SRV - [2006/01/19 11:29:52 | 02,041,536 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_0.EXE -- (LiveUpdate [On_Demand | Stopped])
SRV - [2003/07/28 12:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])

========== Driver Services (SafeList) ==========

DRV - [2004/10/07 21:16:04 | 00,035,840 | ---- | M] (Oak Technology Inc.) -- C:\WINDOWS\System32\drivers\AFS2K.SYS -- (AFS2K [System | Running])
DRV - [2003/12/12 17:54:14 | 00,391,424 | ---- | M] (Sensaura Ltd) -- C:\WINDOWS\system32\drivers\ALCXSENS.SYS -- (ALCXSENS [On_Demand | Running])
DRV - [2004/01/10 17:17:02 | 00,601,100 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM [On_Demand | Running])
DRV - [2003/03/31 08:00:00 | 00,005,248 | ---- | M] (Acer Laboratories Inc.) -- C:\WINDOWS\System32\DRIVERS\aliide.sys -- (AliIde [Boot | Running])
DRV - [2008/04/13 14:36:39 | 00,043,008 | ---- | M] (Advanced Micro Devices, Inc.) -- C:\WINDOWS\System32\DRIVERS\amdagp.sys -- (amdagp [Boot | Running])
DRV - [2003/03/31 08:00:00 | 00,026,496 | ---- | M] (Advanced System Products, Inc.) -- C:\WINDOWS\System32\DRIVERS\asc.sys -- (asc [Boot | Running])
DRV - [2003/03/31 08:00:00 | 00,014,848 | ---- | M] (Advanced System Products, Inc.) -- C:\WINDOWS\System32\DRIVERS\asc3550.sys -- (asc3550 [Boot | Running])
DRV - [2004/05/01 14:53:22 | 00,008,552 | ---- | M] (Windows ® 2000 DDK provider) -- C:\WINDOWS\System32\drivers\asctrm.sys -- (ASCTRM [Auto | Running])
DRV - [2007/02/06 16:01:48 | 00,016,512 | ---- | M] (Adaptec) -- C:\WINDOWS\System32\drivers\aspi32.sys -- (Aspi32 [System | Running])
DRV - [2003/03/31 08:00:00 | 00,006,656 | ---- | M] (CMD Technology, Inc.) -- C:\WINDOWS\System32\DRIVERS\cmdide.sys -- (CmdIde [Boot | Running])
DRV - [2008/06/01 15:58:30 | 00,750,904 | ---- | M] (Authentium, Inc.) -- C:\WINDOWS\system32\DRIVERS\css-dvp.sys -- (CSS DVP [Auto | Running])
DRV - [2003/03/31 08:00:00 | 00,179,584 | ---- | M] (Mylex Corporation) -- C:\WINDOWS\System32\DRIVERS\dac2w2k.sys -- (dac2w2k [Boot | Running])
DRV - [2002/09/25 23:09:12 | 00,140,800 | ---- | M] (Intel Corporation) -- C:\WINDOWS\System32\DRIVERS\e100b325.sys -- (E100B [On_Demand | Running])
DRV - [2008/04/17 10:45:38 | 00,009,341 | ---- | M] (iolo technologies, LLC (based on original work by Bo Brantén)) -- C:\WINDOWS\System32\drivers\filedisk.sys -- (FileDisk [System | Running])
DRV - [2006/07/14 15:03:02 | 00,014,448 | ---- | M] (GEAR Software Inc.) -- C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys -- (GEARAspiWDM [On_Demand | Running])
DRV - [2003/11/14 12:19:48 | 00,210,304 | ---- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\System32\DRIVERS\HSFHWBS2.sys -- (HSFHWBS2 [On_Demand | Running])
DRV - [2003/11/14 12:17:00 | 01,042,816 | ---- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\System32\DRIVERS\HSF_DP.sys -- (HSF_DP [On_Demand | Running])
DRV - [2004/01/30 12:13:06 | 00,095,579 | ---- | M] (Intel Corporation) -- C:\WINDOWS\System32\DRIVERS\ialmnt5.sys -- (ialm [On_Demand | Running])
DRV - [2004/01/17 08:21:48 | 00,012,970 | ---- | M] (Conexant) -- C:\WINDOWS\System32\DRIVERS\mdmxsdk.sys -- (mdmxsdk [Auto | Running])
DRV - [2003/03/31 08:00:00 | 00,017,280 | ---- | M] (American Megatrends Inc.) -- C:\WINDOWS\System32\DRIVERS\mraid35x.sys -- (mraid35x [Boot | Running])
DRV - [2001/08/17 13:53:42 | 00,004,992 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\DRIVERS\loop.sys -- (msloop [On_Demand | Running])
DRV - [2001/08/17 09:49:32 | 00,019,968 | ---- | M] (Macronix International Co., Ltd. ) -- C:\WINDOWS\System32\DRIVERS\mxnic.sys -- (mxnic [On_Demand | Stopped])
DRV - [2003/11/26 01:58:10 | 00,006,912 | ---- | M] (Intel Corporation) -- C:\WINDOWS\SYSTEM32\DRIVERS\pcitest.sys -- (PciTest [On_Demand | Stopped])
DRV - [2003/03/31 08:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2003/03/31 08:00:00 | 00,040,320 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\System32\DRIVERS\ql1080.sys -- (ql1080 [Boot | Running])
DRV - [2003/03/31 08:00:00 | 00,045,312 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\System32\DRIVERS\ql12160.sys -- (ql12160 [Boot | Running])
DRV - [2003/03/31 08:00:00 | 00,049,024 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\System32\DRIVERS\ql1280.sys -- (ql1280 [Boot | Running])
DRV - [2008/04/13 12:39:15 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
DRV - [2008/04/13 14:36:39 | 00,040,960 | ---- | M] (Silicon Integrated Systems Corporation) -- C:\WINDOWS\System32\DRIVERS\sisagp.sys -- (sisagp [Boot | Running])
DRV - [2003/03/31 08:00:00 | 00,019,072 | ---- | M] (Adaptec, Inc.) -- C:\WINDOWS\System32\DRIVERS\sparrow.sys -- (Sparrow [Boot | Running])
DRV - [2005/03/24 17:21:22 | 00,038,937 | ---- | M] (Service & Quality Technology.) -- C:\WINDOWS\System32\Drivers\Capt905c.sys -- (SQTECH905C [On_Demand | Stopped])
DRV - [2004/03/23 04:01:38 | 00,040,564 | ---- | M] (Alcor Micro Corp.) -- C:\WINDOWS\System32\Drivers\sunkfilt.sys -- (SunkFilt [On_Demand | Stopped])
DRV - [2004/03/23 04:27:20 | 00,042,936 | ---- | M] (Alcor Micro Corp.) -- C:\WINDOWS\System32\Drivers\sunkfilt39.sys -- (SunkFilt39 [On_Demand | Running])
DRV - [2003/03/31 08:00:00 | 00,016,256 | ---- | M] (Symbios Logic Inc.) -- C:\WINDOWS\System32\DRIVERS\symc810.sys -- (symc810 [Boot | Running])
DRV - [2003/03/31 08:00:00 | 00,032,640 | ---- | M] (LSI Logic) -- C:\WINDOWS\System32\DRIVERS\symc8xx.sys -- (symc8xx [Boot | Running])
DRV - [2006/09/20 17:22:06 | 00,010,344 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\symlcbrd.sys -- (symlcbrd [Auto | Running])
DRV - [2003/03/31 08:00:00 | 00,028,384 | ---- | M] (LSI Logic) -- C:\WINDOWS\System32\DRIVERS\sym_hi.sys -- (sym_hi [Boot | Running])
DRV - [2003/03/31 08:00:00 | 00,030,688 | ---- | M] (LSI Logic) -- C:\WINDOWS\System32\DRIVERS\sym_u3.sys -- (sym_u3 [Boot | Running])
DRV - [2003/03/31 08:00:00 | 00,036,736 | ---- | M] (Promise Technology, Inc.) -- C:\WINDOWS\System32\DRIVERS\ultra.sys -- (ultra [Boot | Running])
DRV - [2008/04/13 14:56:49 | 00,012,800 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\DRIVERS\usb8023.sys -- (usb_rndis [On_Demand | Running])
DRV - [2003/01/11 03:13:04 | 00,033,588 | ---- | M] (America Online, Inc.) -- C:\WINDOWS\System32\DRIVERS\wanatw4.sys -- (wanatw [On_Demand | Stopped])
DRV - [2003/11/14 12:18:36 | 00,679,808 | ---- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\System32\DRIVERS\HSF_CNXT.sys -- (winachsf [On_Demand | Running])
DRV - [2007/10/02 12:41:12 | 00,039,424 | ---- | M] (iolo technologies, LLC) -- C:\WINDOWS\System32\xpacket.sys -- (XPacket [Boot | Running])
DRV - [2004/01/30 12:13:06 | 00,122,110 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\ialmsbw.sys -- ({6080A529-897E-4629-A488-ABA0C29B635E} [On_Demand | Running])
DRV - [2004/01/30 12:13:04 | 00,099,002 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\ialmkchw.sys -- ({D31A0762-0CEB-444e-ACFF-B049A1F6FE91} [On_Demand | Running])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerm...tf8&oe=utf8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ig
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Netscape 6 6.2.1\Extensions\\Components: C:\PROGRAM FILES\NETSCAPE\NETSCAPE 6\COMPONENTS [2006/10/26 18:15:50 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Netscape 6 6.2.1\Extensions\\Plugins: C:\PROGRAM FILES\NETSCAPE\NETSCAPE 6\PLUGINS [2009/03/21 04:05:17 | 00,000,000 | ---D | M]


O1 HOSTS File: (734 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Yahoo! IE Services Button) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (Google Inc.)
O2 - BHO: (Google Dictionary Compression sdch) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll (Google Inc.)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - Reg Error: Key error. File not found
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - Reg Error: Key error. File not found
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Reg Error: Key error. File not found
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - Reg Error: Key error. File not found
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - Reg Error: Key error. File not found
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - Reg Error: Key error. File not found
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe File not found
O4 - HKLM..\Run: [iolo AntiVirus] "C:\Program Files\iolo\System Mechanic Professional\AntiVirus\ioloAV.exe" ()
O4 - HKLM..\Run: [iolo Personal Firewall] "C:\Program Files\iolo\System Mechanic Professional\Personal Firewall\ioloFW.exe" ()
O4 - HKLM..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" (Apple Computer, Inc.)
O4 - HKLM..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER (RealNetworks, Inc.)
O4 - HKLM..\Run: [SansaDispatch] C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe File not found
O4 - HKLM..\Run: [SunKistEM] C:\Program Files\eMachines Bay Reader\shwiconem.exe (Alcor Micro, Corp.)
O4 - HKLM..\Run: [SystemGuardAlerter] C:\Program Files\iolo\System Mechanic Professional\SystemGuardAlerter.exe ()
O4 - HKLM..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" (Yahoo! Inc)
O4 - HKCU..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (Microsoft Corporation)
O4 - HKCU..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe (Yahoo! Inc)
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - HKCU..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe (Yahoo! Inc)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML File not found
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000 (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\system32\iavlsp.dll (iolo technologies, LLC)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\system32\iavlsp.dll (iolo technologies, LLC)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINDOWS\system32\iavlsp.dll (iolo technologies, LLC)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\system32\iavlsp.dll (iolo technologies, LLC)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\system32\iavlsp.dll (iolo technologies, LLC)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINDOWS\system32\iavlsp.dll (iolo technologies, LLC)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINDOWS\system32\iavlsp.dll (iolo technologies, LLC)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINDOWS\system32\iavlsp.dll (iolo technologies, LLC)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINDOWS\system32\iavlsp.dll (iolo technologies, LLC)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINDOWS\system32\iavlsp.dll (iolo technologies, LLC)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINDOWS\system32\iavlsp.dll (iolo technologies, LLC)
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\WINDOWS\system32\iavlsp.dll (iolo technologies, LLC)
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\WINDOWS\system32\iavlsp.dll (iolo technologies, LLC)
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\WINDOWS\system32\iavlsp.dll (iolo technologies, LLC)
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\WINDOWS\system32\iavlsp.dll (iolo technologies, LLC)
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - C:\WINDOWS\system32\iavlsp.dll (iolo technologies, LLC)
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - C:\WINDOWS\system32\iavlsp.dll (iolo technologies, LLC)
O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - C:\WINDOWS\system32\iavlsp.dll (iolo technologies, LLC)
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - C:\WINDOWS\system32\iavlsp.dll (iolo technologies, LLC)
O10 - Protocol_Catalog9\Catalog_Entries\000000000020 - C:\WINDOWS\system32\iavlsp.dll (iolo technologies, LLC)
O10 - Protocol_Catalog9\Catalog_Entries\000000000021 - C:\WINDOWS\system32\iavlsp.dll (iolo technologies, LLC)
O10 - Protocol_Catalog9\Catalog_Entries\000000000022 - C:\WINDOWS\system32\iavlsp.dll (iolo technologies, LLC)
O10 - Protocol_Catalog9\Catalog_Entries\000000000023 - C:\WINDOWS\system32\iavlsp.dll (iolo technologies, LLC)
O10 - Protocol_Catalog9\Catalog_Entries\000000000024 - C:\WINDOWS\system32\iavlsp.dll (iolo technologies, LLC)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Domains: aol.com ([objects] * is out of zone range - 5)
O15 - HKCU\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/2008.1...toUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} https://mail.alticor.com/,DanaInfo=LNOT15.i...va+iNotes6W.cab (iNotes6 Class)
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} http://www1.snapfish.com/SnapfishActivia.cab (Snapfish Activia)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (Reg Error: Key error.)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1237507492718 (MUWebControl Class)
O16 - DPF: {707ABFC2-1D27-4A10-A6E4-6BE6BDF9FB11} http://67.239.5.28:81/UltraMJCamX.cab (UltraMJCamX Class)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} http://download.av.aol.com/molbin/shared/m...,20/mcgdmgr.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl...indows-i586.cab (Java Plug-in 1.4.2)
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_09)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_09)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/get/shock...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {FFD85DC8-5261-4D11-B728-F7C59D911691} https://secure.iolo.com/app/ocx/UpgradeVerify.cab (iolo.ProductDetector)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O18 - Protocol\Filter: - x-sdch - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll (Google Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\system32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/05/01 13:54:27 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (/r) - File not found
O34 - HKLM BootExecute: (\??\C:) - C: [2009/05/16 10:11:54 | 00,000,000 | ---D | M]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - * [2009/05/16 10:11:54 | 00,000,000 | ---D | M]

========== Files/Folders - Created Within 30 Days ==========

[2009/05/16 10:11:54 | 00,501,248 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Mark\Desktop\OTListIt2.exe
[2009/05/16 09:53:33 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Mark\Application Data\Malwarebytes
[2009/05/16 09:51:55 | 52,729,0368 | -HS- | C] () -- C:\hiberfil.sys
[2009/05/16 08:32:48 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/05/16 08:32:48 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/05/16 08:32:46 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/05/16 08:32:45 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/05/16 08:27:39 | 02,967,800 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Mark\Desktop\Alpha.exe
[2009/05/16 08:17:34 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/05/15 20:04:51 | 00,001,734 | ---- | C] () -- C:\Documents and Settings\Mark\Desktop\HijackThis.lnk
[2009/05/15 20:04:51 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2009/05/15 20:04:37 | 00,812,344 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\Mark\Desktop\HJTInstall.exe
[2009/05/15 17:33:38 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Authentium
[2009/05/15 17:33:31 | 00,000,892 | ---- | C] () -- C:\Documents and Settings\Mark\Desktop\System Mechanic Professional.lnk
[2009/05/15 17:33:30 | 00,936,288 | ---- | C] () -- C:\WINDOWS\System32\Incinerator.dll
[2009/05/15 17:33:26 | 00,039,424 | ---- | C] (iolo technologies, LLC) -- C:\WINDOWS\System32\xpacket.sys
[2009/05/15 17:33:26 | 00,009,341 | ---- | C] (iolo technologies, LLC (based on original work by Bo Brantén)) -- C:\WINDOWS\System32\drivers\filedisk.sys
[2009/05/15 17:33:23 | 00,028,672 | ---- | C] () -- C:\WINDOWS\System32\iolobtdfg.exe
[2009/05/15 17:33:23 | 00,008,192 | ---- | C] () -- C:\WINDOWS\System32\smrgdf.exe
[2009/05/15 17:33:21 | 00,000,000 | ---D | C] -- C:\Program Files\iolo
[2009/05/15 17:31:25 | 45,070,641 | ---- | C] (iolo technologies, LLC ) -- C:\Documents and Settings\Mark\Desktop\SystemMechanicPro.exe
[2009/05/14 01:43:49 | 00,001,836 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk
[2009/05/13 19:20:59 | 00,000,432 | ---- | C] () -- C:\WINDOWS\System32\iolo.ini
[2009/05/13 19:09:38 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
[2009/05/13 19:07:55 | 39,647,808 | ---- | C] (Kaspersky Lab) -- C:\Documents and Settings\Mark\Desktop\kav8.0.0.506en.exe
[2009/05/13 16:08:50 | 03,570,176 | ---- | C] () -- C:\Documents and Settings\Mark\Desktop\avsdk2.msi
[2009/05/12 18:44:55 | 00,608,344 | ---- | C] () -- C:\Documents and Settings\Mark\Desktop\MCPR.exe
[2009/05/11 15:20:27 | 00,000,526 | ---- | C] () -- C:\Documents and Settings\Mark\Desktop\BootExecute.reg
[2009/05/11 15:19:13 | 00,000,351 | ---- | C] () -- C:\Documents and Settings\Mark\Desktop\bootexecute.zip
[2009/05/11 13:41:25 | 00,118,784 | ---- | C] (iolo technologies, LLC) -- C:\WINDOWS\System32\iavlsp.dll
[2009/05/11 13:32:58 | 00,074,703 | ---- | C] () -- C:\WINDOWS\System32\mfc45.dll
[2009/05/11 13:31:00 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Mark\Application Data\iolo
[2009/05/11 13:31:00 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\iolo
[2009/05/11 13:30:51 | 00,424,816 | ---- | C] () -- C:\Documents and Settings\Mark\Desktop\smpro_dm.exe
[2009/04/27 22:27:56 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Mark\Desktop\AZ 09
[2009/04/22 18:22:55 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Mark\Desktop\4-22 upload #2
[2009/04/22 18:14:45 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Mark\Desktop\4-22-09 upload
[2009/04/22 17:43:03 | 00,092,672 | ---- | C] () -- C:\Documents and Settings\Mark\Desktop\Reservations Cancel.doc
[2009/03/14 09:09:50 | 00,001,433 | ---- | C] () -- C:\WINDOWS\SysMech6.INI
[2008/08/01 21:34:28 | 00,000,000 | ---- | C] () -- C:\WINDOWS\PTWebCam.INI
[2008/07/20 16:24:59 | 00,118,784 | ---- | C] () -- C:\WINDOWS\System32\PTTreeIcons.dll
[2006/10/27 22:07:12 | 00,000,004 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2006/09/19 19:10:09 | 00,006,048 | ---- | C] () -- C:\WINDOWS\System32\MCC16.dll
[2006/02/07 20:34:22 | 00,000,275 | ---- | C] () -- C:\WINDOWS\KA.INI
[2005/02/16 18:17:44 | 00,000,161 | ---- | C] () -- C:\WINDOWS\upst.ini
[2005/02/16 18:17:44 | 00,000,024 | ---- | C] () -- C:\WINDOWS\atid.ini
[2005/01/06 20:16:35 | 00,000,165 | ---- | C] () -- C:\WINDOWS\BluesCluesPreschool.ini
[2004/11/26 12:40:41 | 00,000,026 | ---- | C] () -- C:\WINDOWS\UP9ASP.INI
[2004/09/12 13:35:43 | 00,000,713 | ---- | C] () -- C:\WINDOWS\lexstat.ini
[2004/09/12 13:35:11 | 00,040,960 | ---- | C] () -- C:\WINDOWS\System32\lxblvs.dll
[2004/09/12 13:35:09 | 00,077,824 | ---- | C] () -- C:\WINDOWS\System32\LXBLLCNP.DLL
[2004/09/08 20:47:56 | 00,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI
[2004/05/17 08:55:28 | 00,000,482 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2004/05/04 09:48:14 | 00,155,648 | ---- | C] () -- C:\WINDOWS\System32\RTLCPAPI.dll
[2004/05/04 08:40:00 | 00,016,384 | ---- | C] () -- C:\WINDOWS\System32\e100bmsg.dll
[2004/05/04 06:13:35 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2004/05/02 03:40:08 | 00,001,120 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2004/05/02 03:40:08 | 00,000,490 | ---- | C] () -- C:\WINDOWS\System32\emver.ini
[2004/05/02 03:39:49 | 00,000,700 | ---- | C] () -- C:\WINDOWS\win.ini
[2004/05/01 14:50:46 | 00,000,132 | ---- | C] () -- C:\WINDOWS\winamp.ini
[2004/05/01 14:50:09 | 00,000,310 | ---- | C] () -- C:\WINDOWS\net2fone.ini
[2004/05/01 14:09:46 | 00,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2004/05/01 13:39:45 | 00,000,277 | ---- | C] () -- C:\WINDOWS\system.ini
[2003/03/27 16:28:44 | 00,004,955 | ---- | C] () -- C:\WINDOWS\System32\DProg.ini
[2003/01/07 15:05:08 | 00,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== Files - Modified Within 30 Days ==========

[1 C:\WINDOWS\*.tmp files]
[2009/05/16 10:11:55 | 00,501,248 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Mark\Desktop\OTListIt2.exe
[2009/05/16 10:09:18 | 00,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2009/05/16 10:08:59 | 00,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachine.job
[2009/05/16 10:08:59 | 00,000,062 | -HS- | M] () -- C:\Documents and Settings\Mark\Local Settings\desktop.ini
[2009/05/16 10:08:54 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/05/16 10:08:49 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/05/16 10:08:48 | 52,729,0368 | -HS- | M] () -- C:\hiberfil.sys
[2009/05/16 08:32:48 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/05/16 08:27:44 | 02,967,800 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Mark\Desktop\Alpha.exe
[2009/05/15 20:04:51 | 00,001,734 | ---- | M] () -- C:\Documents and Settings\Mark\Desktop\HijackThis.lnk
[2009/05/15 20:04:39 | 00,812,344 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\Mark\Desktop\HJTInstall.exe
[2009/05/15 17:33:31 | 00,000,892 | ---- | M] () -- C:\Documents and Settings\Mark\Desktop\System Mechanic Professional.lnk
[2009/05/15 17:31:28 | 45,070,641 | ---- | M] (iolo technologies, LLC ) -- C:\Documents and Settings\Mark\Desktop\SystemMechanicPro.exe
[2009/05/14 01:43:49 | 00,001,836 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk
[2009/05/13 19:20:59 | 00,000,432 | ---- | M] () -- C:\WINDOWS\System32\iolo.ini
[2009/05/13 19:07:57 | 39,647,808 | ---- | M] (Kaspersky Lab) -- C:\Documents and Settings\Mark\Desktop\kav8.0.0.506en.exe
[2009/05/13 16:08:57 | 03,570,176 | ---- | M] () -- C:\Documents and Settings\Mark\Desktop\avsdk2.msi
[2009/05/12 18:44:56 | 00,608,344 | ---- | M] () -- C:\Documents and Settings\Mark\Desktop\MCPR.exe
[2009/05/11 15:19:16 | 00,000,351 | ---- | M] () -- C:\Documents and Settings\Mark\Desktop\bootexecute.zip
[2009/05/11 13:32:58 | 00,074,703 | ---- | M] () -- C:\WINDOWS\System32\mfc45.dll
[2009/05/11 13:31:00 | 00,424,816 | ---- | M] () -- C:\Documents and Settings\Mark\Desktop\smpro_dm.exe
[2009/05/10 13:56:00 | 00,001,433 | ---- | M] () -- C:\WINDOWS\SysMech6.INI
[2009/05/09 09:52:14 | 00,001,773 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
[2009/04/22 17:43:04 | 00,092,672 | ---- | M] () -- C:\Documents and Settings\Mark\Desktop\Reservations Cancel.doc
[2009/04/22 17:41:33 | 00,002,497 | ---- | M] () -- C:\Documents and Settings\Mark\Desktop\Word 2003.lnk

========== LOP Check ==========

[2009/05/16 08:32:45 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\All Users\Application Data
[2007/10/28 14:28:49 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{20E1CFB2-E119-47A5-8179-A3647933EE5A}
[2009/03/12 18:33:16 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Adobe
[2006/10/27 22:14:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AOL
[2005/03/13 11:15:33 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AOL Downloads
[2007/12/24 00:35:39 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Apple
[2006/10/26 18:16:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Apple Computer
[2004/05/04 13:19:14 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CyberLink
[2009/01/14 20:04:52 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Google
[2009/05/15 19:13:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Google Updater
[2005/05/07 14:30:48 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\GTek
[2009/05/15 17:33:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\iolo
[2009/05/13 19:09:38 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
[2007/04/14 15:19:47 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Knowledge Adventure
[2009/05/16 08:32:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2007/04/13 19:19:58 | 00,000,000 | --SD | M] -- C:\Documents and Settings\All Users\Application Data\Microsoft
[2006/09/19 19:10:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Motive
[2006/09/19 19:13:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MotiveSysIDs
[2004/09/26 08:14:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MSN6
[2008/09/08 21:38:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NOS
[2005/03/13 11:18:32 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Pure Networks
[2004/05/04 13:19:29 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\QuickTime
[2008/09/25 17:26:23 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Symantec
[2007/02/08 06:53:57 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2009/03/21 13:49:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
[2007/11/28 22:14:33 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Yahoo!
[2007/11/29 19:15:54 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
[2009/05/16 09:53:33 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\Mark\Application Data
[2008/01/06 18:11:37 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Mark\Application Data\Adobe
[2004/09/22 22:13:14 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Mark\Application Data\AdobeUM
[2008/07/08 20:28:51 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Mark\Application Data\Amazon
[2006/10/27 22:14:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Mark\Application Data\AOL
[2006/11/05 17:42:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Mark\Application Data\Apple Computer
[2004/05/17 08:54:52 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Mark\Application Data\CyberLink
[2009/03/31 19:58:50 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Mark\Application Data\Google
[2005/05/07 14:30:48 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\Mark\Application Data\GTek
[2004/10/09 10:02:50 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Mark\Application Data\Help
[2005/01/28 22:12:51 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Mark\Application Data\Hewlett-Packard
[2004/05/04 13:19:39 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Mark\Application Data\Identities
[2007/12/31 12:12:58 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Mark\Application Data\InstallShield
[2009/05/11 15:45:52 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Mark\Application Data\iolo
[2004/09/19 21:25:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Mark\Application Data\Macromedia
[2009/05/16 09:53:33 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Mark\Application Data\Malwarebytes
[2009/03/21 15:02:56 | 00,000,000 | --SD | M] -- C:\Documents and Settings\Mark\Application Data\Microsoft
[2006/09/19 19:20:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Mark\Application Data\Motive
[2008/10/08 18:21:23 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\Mark\Application Data\Move Networks
[2006/09/25 16:00:09 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Mark\Application Data\Mozilla
[2006/09/23 16:09:37 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Mark\Application Data\NetMedia Providers
[2006/09/23 16:09:37 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Mark\Application Data\Publish Providers
[2008/06/30 14:17:25 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Mark\Application Data\Real
[2005/01/26 20:32:05 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Mark\Application Data\Share-to-Web Upload Folder
[2009/04/05 20:15:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Mark\Application Data\Smilebox
[2008/01/10 19:59:41 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Mark\Application Data\Snapfish
[2006/09/23 16:09:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Mark\Application Data\Sony
[2004/05/04 13:19:40 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Mark\Application Data\Sun
[2008/09/25 17:18:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Mark\Application Data\Symantec
[2004/11/18 18:03:47 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Mark\Application Data\Template
[2007/02/14 20:37:35 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Mark\Application Data\Viewpoint
[2008/10/21 18:14:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Mark\Application Data\Yahoo!
[2005/03/13 11:19:50 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Mark\Application Data\You've Got Pictures Screensaver
[2003/03/31 15:00:00 | 00,000,065 | RH-- | M] () -- C:\WINDOWS\Tasks\desktop.ini
[2009/05/16 10:09:18 | 00,000,868 | ---- | M] () -- C:\WINDOWS\Tasks\Google Software Updater.job
[2009/05/16 10:08:59 | 00,000,882 | ---- | M] () -- C:\WINDOWS\Tasks\GoogleUpdateTaskMachine.job
[2009/05/16 10:08:54 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\Tasks\SA.DAT

========== Purity Check ==========

< End of report >


To be continued....

#6 MarcAngeDraco

MarcAngeDraco
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:04:13 AM

Posted 16 May 2009 - 09:45 AM

The contents of extras.txt:

OTListIt Extras logfile created on: 5/16/2009 10:15:14 AM - Run 1
OTListIt2 by OldTimer - Version 2.0.15.8 Folder = C:\Documents and Settings\Mark\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

502.80 Mb Total Physical Memory | 211.54 Mb Available Physical Memory | 42.07% Memory free
1.20 Gb Paging File | 0.95 Gb Available in Paging File | 79.01% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 36.90 Gb Free Space | 49.52% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: STUDYMAIN
Current User Name: Mark
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Standard
File Age = 30 Days
Company Name Whitelist: On

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall" = 0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[2008/04/13 14:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
[2008/04/13 14:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
[2007/08/30 18:43:18 | 04,670,704 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger
[2009/03/13 10:04:26 | 01,320,800 | ---- | M] () -- C:\Program Files\iolo\System Mechanic Professional\Personal Firewall\ioloFW.exe:*:Enabled:iolo Firewall®
[2008/12/15 19:13:26 | 01,106,784 | ---- | M] () -- C:\Program Files\iolo\System Mechanic Professional\AntiVirus\ioloAV.exe:*:Enabled:iolo AntiVirus®
[2008/12/15 19:13:50 | 00,412,544 | ---- | M] () -- C:\Program Files\iolo\System Mechanic Professional\AntiVirus\iAVEmailScanner.exe:*:Enabled:iolo AntiVirus® Email Protection

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{08C5815C-2C6E-44f8-8748-0E61BC9AFB68}" = Symantec KB-DocID:2003093015493306
"{12F4BE69-6614-41D3-BB3B-DF7F921DF2BB}" = Sony ACID XPress 5.0a
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1D643CD7-4DD6-11D7-A4E0-000874180BB3}" = Microsoft Money 2004
"{22B90C20-2697-4790-A95E-56463563F2EF}" = Authentium AntiVirus SDK - 2
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}" = Rhapsody Player Engine
"{3248F0A8-6813-11D6-A77B-00B0D0150090}" = J2SE Runtime Environment 5.0 Update 9
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{483BBD1A-3292-47D5-B357-C4010E203145}" = Learning QuickBooks 2008
"{49FC50FC-F965-40D9-89B4-CBFF80941033}" = Windows Movie Maker 2.0
"{4B46E96E-6E42-407B-B61A-86594AD376BC}" = Zoo Empire
"{523BD5B6-E904-493C-B902-1BC9B7D44DF4}" = Lexmark Photo Center
"{55937F00-A69B-4049-8D3A-1C7729742B6F}" = BUM
"{55BF0E5F-EA8E-4C13-A8B4-9E4857F5A2DE}" = QuickTime
"{5878FF02-3B8F-4309-B4E5-0D3DB6F2E8E6}" = iTunes
"{590D4F8F-98FE-47FA-AC2B-3F22FDCF7C09}" = ShareIns
"{64963FAF-E357-4B8E-BDB6-A02C9F6C2D4E}" = In-Fisherman Freshwater Trophies
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}" = Microsoft .NET Framework 2.0
"{7148F0A8-6813-11D6-A77B-00B0D0142000}" = Java 2 Runtime Environment, SE v1.4.2
"{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}" = Microsoft Works 7.0
"{76EFFC7C-17A6-479D-9E47-8E658C1695AE}" = Windows Backup Utility
"{796ADAFF-7C5B-4CED-BA11-55A3644F1E0D}" = HP Photo and Imaging 2.2 - Scanjet 3970 Series
"{81EED1A1-AE78-4B11-BE47-C6AE9F5E87F1}" = eMachines Bay Reader
"{83d96ed0-98aa-4515-8ddc-816f3efdd104}" = MyDSC2
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Extreme Graphics Driver
"{8B611C23-ADB6-4F5E-A04A-959EB0D349F6}" = Winkflash Transporter
"{8C64E145-54BA-11D6-91B1-00500462BE80}" = Microsoft Money 2004 System Pack
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90170409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office FrontPage 2003
"{903B0409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Project Professional 2003
"{90510409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Visio Professional 2003
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-A71000000002}" = Adobe Reader 7.1.0
"{B376402D-58EA-45EA-BD50-DD924EB67A70}" = HP Memories Disc
"{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}" = Apple Software Update
"{BBD3F66B-1180-4785-B679-3F91572CD3B4}_is1" = iolo technologies' System Mechanic Professional
"{CC016F21-3970-11DE-B878-005056806466}" = Google Earth
"{E2D7E05E-C8C7-45F4-8D89-D6696075E0B7}" = Sansa Updater
"{E4641D0C-1C16-4930-BCCC-04C6C01EA6BA}" = SI Tiff Viewer Plugin v4
"{FB08F381-6533-4108-B7DD-039E11FBC27E}" = Realtek AC'97 Audio
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"AIMars" = Kids Cam Show and Share Creativity Center
"BigFix" = BigFix
"BluesCluesPreschoolDKey" = Blue's Preschool
"Chicken Attack (CD version)" = Chicken Attack (CD version)
"Chicken’s Revenge (CD version)" = Chicken’s Revenge (CD version)
"CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200014F1" = SoftV92 Data Fax Modem with SmartCP
"Google Chrome" = Google Chrome
"Google Updater" = Google Updater
"HijackThis" = HijackThis 2.0.2
"ICQ" = ICQ
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"InstallShield_{523BD5B6-E904-493C-B902-1BC9B7D44DF4}" = Lexmark Photo Center
"InstallShield_{64963FAF-E357-4B8E-BDB6-A02C9F6C2D4E}" = In-Fisherman Freshwater Trophies
"InstallShield_{81EED1A1-AE78-4B11-BE47-C6AE9F5E87F1}" = eMachines Bay Reader
"InterActual Player" = InterActual Player
"James Bond 007 Girls & Gadgets" = James Bond 007 Girls & Gadgets Screen Saver
"JumpStart Advanced 2nd Grade" = JumpStart Advanced 2nd Grade
"KG_2.4b" = JumpStart Kindergarten v2.4b
"Learning QuickBooks 2008" = Learning QuickBooks 2008
"Lexmark Z700-P700 Series" = Lexmark Z700-P700 Series
"LiveUpdate" = LiveUpdate 3.0 (Symantec Corporation)
"Macromedia Shockwave Player" = Macromedia Shockwave Player
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 2.0" = Microsoft .NET Framework 2.0
"Move Networks Player_is1" = Move Networks Player for Internet Explorer
"Netscape 6 (6.2.1)" = Netscape 6 (6.2.1)
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"OfotoEZUpload" = KODAK EASYSHARE Gallery Upload ActiveX Control
"PROSet" = Intel® PRO Network Adapters and Drivers
"pta.MCCInstall" = Talk America Support Agent
"RealPlayer 6.0" = RealPlayer Basic
"StreetPlugin" = Learn2 Player (Uninstall Only)
"ViewpointMediaPlayer" = Viewpoint Media Player
"VIVAGplayer" = VIVA MEDIA GAME CENTER
"Winamp" = Winamp (remove only)
"Windows XP Service Pack" = Windows XP Service Pack 3
"Yahoo! Companion" = Yahoo! Toolbar
"Yahoo! Extras" = Yahoo! Browser Services
"Yahoo! Mail" = Yahoo! Internet Mail
"Yahoo! Messenger" = Yahoo! Messenger
"Yahoo! Search Defender" = Yahoo! Search Protection
"Yahoo! Toolbar" = Yahoo! Toolbar
"YInstHelper" = Yahoo! Install Manager

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{9863F141-7A33-4c9a-A5F2-96996461B216}" = KODAK EASYSHARE Gallery Easy Upload, v2.1

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 5/11/2009 1:37:08 PM | Computer Name = STUDYMAIN | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: A connection with the server could not be established

Error - 5/11/2009 1:37:08 PM | Computer Name = STUDYMAIN | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 5/12/2009 6:45:12 PM | Computer Name = STUDYMAIN | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: A connection with the server could not be established

Error - 5/12/2009 6:45:12 PM | Computer Name = STUDYMAIN | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 5/13/2009 7:11:33 PM | Computer Name = STUDYMAIN | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: A connection with the server could not be established

Error - 5/13/2009 7:12:33 PM | Computer Name = STUDYMAIN | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: A connection with the server could not be established

Error - 5/16/2009 7:49:48 AM | Computer Name = STUDYMAIN | Source = .NET Runtime | ID = 0
Description =

Error - 5/16/2009 8:20:26 AM | Computer Name = STUDYMAIN | Source = Automatic LiveUpdate Scheduler | ID = 101
Description = Information Level: error Internet connection not detected.

Error - 5/16/2009 8:54:50 AM | Computer Name = STUDYMAIN | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 7.0.6000.16827, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 5/16/2009 9:57:05 AM | Computer Name = STUDYMAIN | Source = Automatic LiveUpdate Scheduler | ID = 101
Description = Information Level: error Internet connection not detected.

[ System Events ]
Error - 5/16/2009 9:50:47 AM | Computer Name = STUDYMAIN | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 5/16/2009 9:52:03 AM | Computer Name = STUDYMAIN | Source = Service Control Manager | ID = 7000
Description = The AOL Connectivity Service service failed to start due to the following
error: %%3

Error - 5/16/2009 9:52:03 AM | Computer Name = STUDYMAIN | Source = Service Control Manager | ID = 7000
Description = The MCSTRM service failed to start due to the following error: %%2

Error - 5/16/2009 10:00:53 AM | Computer Name = STUDYMAIN | Source = Service Control Manager | ID = 7000
Description = The AOL Connectivity Service service failed to start due to the following
error: %%3

Error - 5/16/2009 10:00:53 AM | Computer Name = STUDYMAIN | Source = Service Control Manager | ID = 7000
Description = The MCSTRM service failed to start due to the following error: %%2

Error - 5/16/2009 10:00:55 AM | Computer Name = STUDYMAIN | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
abp480n5 adpu160m agp440 agpCPQ Aha154x aic78u2 aic78xx AliIde alim1541 amdagp amsint asc asc3350p
asc3550
cbidf
cd20xrnt
CmdIde
Cpqarray
dac2w2k
dac960nt
dpti2o
hpn
i2omp
ini910u
IntelIde
mraid35x
perc2
perc2hib
ql1080
Ql10wnt
ql12160
ql1240
ql1280
sisagp
Sparrow
symc810
symc8xx
sym_hi
sym_u3
TosIde
ultra
viaagp
ViaIde

Error - 5/16/2009 10:02:51 AM | Computer Name = STUDYMAIN | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.1.2 for the Network Card with network
address 000CF1EE8325 has been denied by the DHCP server 192.168.1.1 (The DHCP Server
sent a DHCPNACK message).

Error - 5/16/2009 10:02:57 AM | Computer Name = STUDYMAIN | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.1.3 for the Network Card with network
address 421731AA88CC has been denied by the DHCP server 192.168.1.1 (The DHCP Server
sent a DHCPNACK message).

Error - 5/16/2009 10:09:16 AM | Computer Name = STUDYMAIN | Source = Service Control Manager | ID = 7000
Description = The AOL Connectivity Service service failed to start due to the following
error: %%3

Error - 5/16/2009 10:09:16 AM | Computer Name = STUDYMAIN | Source = Service Control Manager | ID = 7000
Description = The MCSTRM service failed to start due to the following error: %%2


< End of report >


The contents of checkup.txt:

Results of screen317's Security Check version 0.98.3
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:
``````````````````````````````

Windows Firewall Disabled!
AuthentiumAntiVirusSDK-2
``````````````````````````````
Anti-malware/Other Utilities Check:
``````````````````````````````

Malwarebytes' Anti-Malware
HijackThis 2.0.2
Java 2 Runtime Environment, SE v1.4.2
``````````````````````````````
Process Check:
objlist.exe by Laurent
``````````````````````````````

Common Files Authentium AntiVirus dvpapi.exe
iolo System Mechanic Professional AntiVirus ioloAV.exe
iolo System Mechanic Professional AntiVirus iAVEmailScanner.exe
iolo System Mechanic Professional Personal Firewall ioloFW.exe
``````````````````````````````
DNS Vulnerability Check:
``````````````````````````````

GREAT! (Very random)

Scan took 34 seconds.
`````````End of Log```````````



Anything else I need to do?

#7 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:03:13 AM

Posted 16 May 2009 - 09:57 AM

Good going. There will be more to do. For now, see about setting System Mechanic Professional's SystemGuardAlerter to NOT startup with Windows. The less we have at startup that are in the nature of real-time monitors (but other than your antivirus )...the better.
See if you can set it to not auto-start.

Download the latest version of HijackThis Installer

Save the HJT Installer to your desktop or the folder of your choice, then navigate to that folder and double-click HJTInstall.exe to start the installation.

When the Trend Micro HJT install box appears, click Install.

HijackThis (HJT) will be installed in the C:\Program Files\Trend Micro\HijackThis folder by default and a desktop shortcut will be created.

Now, right click on hijackthis.exe in that folder, select Rename, and rename it to Bravo.exe
Then start Bravo. Do a Scan and Save log.

Reply with a copy of the Hijackthis log file (in-line of the reply box).

Then take a break. Give me some time to review and digest the last set of logs. I hope at least that DNS Changer has been squashed.
We will need to run a battery of scan tools later.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#8 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:03:13 AM

Posted 16 May 2009 - 10:43 AM

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!
These steps are for member MarcAngeDraco only. If you are a guest reader, do NOT try this on your system!
If you are not MarcAngeDraco and have a similar problem, do NOT post here; start your own topic


Do not run or start any other programs while these utilities and tools are in use!
Posted Image Do NOT run any other tools on your own or do any fixes other than what is listed here.
If you have questions, please ask before you do something on your own.
But it is important that you get going on these following steps.
=
Close any of your open programs while you run these tools.

Sorry to have forgotten you already had HJT. We just need to rename the hijackthis exe

Your logs show 2 or more antivirus apps. Authentium AV, iolo antivirus, and traces of Symantec.
Do you have a current subscription to any Symantec product? otherwise, I'll be suggesting you run the Symantec/Norton removal tool.
Which AV did you intend as "the active/ real-time" for this system?

=
Place your USB flash-thumb drives in-place so that some of these programs will be able to find them.

I'm going to have you get and run two utilities.
The first stops automatic use of the AutoRun feature of XP. The second will write to any connected devices a Read-only, System protected Autorun.inf file on all of your hard drives, and all connected removable storage devices.

Download and Install Microsoft's TweakUI:
http://www.microsoft.com/windowsxp/downloa...ppowertoys.mspx
Obtain and install TweakUI (part of the PowerToys for Windows XP package), and then start TweakUI.
Expand the My Computer branch, then the AutoPlay branch, and then select Drives.
Turn off the checkbox next to every drive letter to disable AutoPlay -- except your CD/DVD drive letters.

Download and run "Flash Drive Disinfector" by sUBs. It will do a cleanup of removable storage devices, and write a protected Autorun.inf file to help prevent re-infection.
http://download.bleepingcomputer.com/sUBs/...Disinfector.exe
There is no GUI interface or log file produced.
=

Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below textbox to the clibpboard by highlighting it and then pressing Ctrl+C.
    Drivers to delete:
    ovfsthx
    UACd.sys
    UACd
    gaopdxserv.sys
    gaopdxserv
    gaopdxl
    tdss
    tdssserv
    TDSSserv.SYS
    Service_TDSSSERV.SYS
    Legacy_TDSSSERV.SYS
    msqpdxserv.sys
    msqpdxserv
    
    Folders to delete:
    C:\recycler
    D:\recycler
    e:\recycler
    f:\recycler
    g:\recycler
    h:\recycler
    i:\recycler
  • In the avenger window, click the Paste Script from Clipboard icon, Posted Image button.
  • :!: Make sure that what appears in Avenger matches exactly what you were asked to Copy/Paste from the Code box above.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
  • After your PC has completed the necessary reboots, a log should automatically open. Please copy/paste the contents of c:\avenger.txt into your next reply.
Not all the items will be found; so do not worry.

If you get a blue screen abort when it reboots, please write down all the information, STOP codes and description.
and then reboot the system again.
=

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

If you have a prior copy of Combofix, delete it now !

Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop.

Link 1
Link 2
Link 3

Posted Image


Posted Image


* IMPORTANT !!! SAVE AS Combo-Fix.exe to your Desktop
If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on Combo-Fix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

Please watch Combofix as it runs, as you may see messages which require your response, or the pressing of OK button.

IF you should see a message like this:
Posted Image
then, be sure to write down fully and also copy that into your next reply here and then await for my response.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
-------------------------------------------------------

A caution - Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.
If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light.
If it is flashing, Combofix is still at work.
=

Please download and run the Trend Micro Sysclean Package on your computer.
NOTE! This scan will probably take a long time to run on your computer so be patient and don't use it while it's scanning.
  • [/list][list]
  • Create a brand new folder to copy these files to.
  • As an example: C:\DCE
  • Then open each of the zipped archive files and copy their contents to C:\DCE
  • Copy the file sysclean.com to the new folder C:\DCE as well.
  • Double-click on the file sysclean.com that is in the C:\DCE folder and follow the on-screen instructions.

    After doing all of this, please post back your results, including the log file sysclean.log that will be left behind by sysclean.
How To Use Compressed (Zipped) Folders in Windows XP
Compress and uncompress files (zip files) in Vista

=

This system has an old version of Java Run-time.

Uninstall jre1.5 (or any earlier) + any other (JRE Runtime Environment ) Sun Java package via Add/Remove Programs.
If you see any other Java versions there,
such as
J2SE Runtime Environment 5.0
Java SE Runtime Environment
Java 6


uninstall all of them. After uninstalling, reboot if directed to do so.

In Windows Explorer, navigate to and delete C:\Program Files\Java <=this folder, if found.Do NOT delete C:\Program Files\JavaVM <=this folder, if found!
Open an IE window and go to http://java.sun.com/javase/downloads/index.jsp
> In top of the page (first in the list), click on the Download button to the right of Java Runtime Environment (JRE) 6 Update 13
> If Information Bar pop-ups up, right-click on it and say it's OK to display the blocked content; You do not have to install the Java Web Start ActiveX Control
> Accept the license agreement
> Click on Windows Offline Installation, Multi-language and Save the file to your desktop; do not Run it.

When the download is complete, close all browser windows and double-click on the saved file to install the update.
  • Tip: Choose Custom install to select only the part(s) you need/want.
Delete the downloaded installation file after completing the above procedure and reboot if prompted to do so.

If you were /not/ prompted to reboot, please do so now.

To test your Java Run-time, you may go to this page http://www.javatester.org/version.html
When all is well, you should see Java Version: 1.6.0_13 from Sun Microsystems Inc.

=
Get and run MBAM with the most current definitions database:
Start your MalwareBytes Anti-Malware program.
Click the Settings Tab. Make sure all option lines have a checkmark.
Click the Update tab. Press the "Check for Updates" button.
At this time, the current definitions are # 2139 or later. The latest program version is 1.36 (released April 6)

When done, click the Scanner tab.
Do a Quick Scan.

When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

=

Now, RE-Enable your AntiVirus and AntiSpyware applications.

Run a new Bravo {Hijackthis} Scan and Save

Be sure to do a Preview prior to pressing Submit because all reports may not fit into 1 single reply. You'll likely have to do more than 1 reply.

Reply with copies of contents of C:\Avenger.txt
C:\Combofix.txt
the Sysclean log
the latest MBAM scan log
the new HijackThis log
and tell me, How is your system now?

Edited by Maurice Naggar, 16 May 2009 - 10:46 AM.

~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#9 MarcAngeDraco

MarcAngeDraco
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:04:13 AM

Posted 16 May 2009 - 10:43 AM

Thanks again for your time, help, and patience!

Ok, I think I have System Guard so that it won't automatically start now.

I was able to download, install, and run HijackThis.

The contents of the HijackThis log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:36:05 AM, on 5/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\eMachines Bay Reader\shwiconem.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\Program Files\iolo\System Mechanic Professional\IoloSGCtrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\iolo\System Mechanic Professional\Personal Firewall\ioloFW.exe
C:\Program Files\iolo\System Mechanic Professional\AntiVirus\ioloAV.exe
C:\Program Files\iolo\System Mechanic Professional\AntiVirus\iAVEmailScanner.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\Bravo.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\eMachines Bay Reader\shwiconem.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [SansaDispatch] C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe
O4 - HKLM\..\Run: [iolo AntiVirus] "C:\Program Files\iolo\System Mechanic Professional\AntiVirus\ioloAV.exe"
O4 - HKLM\..\Run: [SystemGuardAlerter] C:\Program Files\iolo\System Mechanic Professional\SystemGuardAlerter.exe
O4 - HKLM\..\Run: [iolo Personal Firewall] "C:\Program Files\iolo\System Mechanic Professional\Personal Firewall\ioloFW.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://mail.alticor.com/,DanaInfo=LNOT15.i...va+iNotes6W.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1237507492718
O16 - DPF: {707ABFC2-1D27-4A10-A6E4-6BE6BDF9FB11} (UltraMJCamX Class) - http://67.239.5.28:81/UltraMJCamX.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.av.aol.com/molbin/shared/m...,20/mcgdmgr.cab
O16 - DPF: {FFD85DC8-5261-4D11-B728-F7C59D911691} (iolo.ProductDetector) - https://secure.iolo.com/app/ocx/UpgradeVerify.cab
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: Google Update Service (gupdate1c9b25c1220ff1c) (gupdate1c9b25c1220ff1c) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - C:\Program Files\iolo\System Mechanic Professional\IoloSGCtrl.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

--
End of file - 10271 bytes

#10 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:03:13 AM

Posted 16 May 2009 - 10:48 AM

Marc,

It appears we posted close to the same time. Make sure you read my prior note and do those steps and go forward.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#11 MarcAngeDraco

MarcAngeDraco
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:04:13 AM

Posted 16 May 2009 - 10:51 AM

Maurice, I just posted at nearly the same time you posted your latest. Should I proceed with the instructions from that post or do you want to review the HijackThis log first?

I do not have any current Symantec/Norton products. It was on here a long time ago. I thought it had been removed, but perhaps not thoroughly enough?

I think that iolo and authentium are really the same thing, but I'm not 100% positive. iolo AntiVirus is what I am intending to be current, but I'm not sure it is working properly due to all of these problems I'm having.

#12 MarcAngeDraco

MarcAngeDraco
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:04:13 AM

Posted 16 May 2009 - 10:52 AM

Marc,

It appears we posted close to the same time. Make sure you read my prior note and do those steps and go forward.



Okay, I will proceed. Thanks!

#13 MarcAngeDraco

MarcAngeDraco
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:04:13 AM

Posted 16 May 2009 - 02:13 PM

System seems to be working better. I just tried a Google search and didn't get redirected! Thanks so much for all your help! Now back to business...

Contents of the Avenger.txt file:


Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

< Edited for highlighting and brevity ~ Maurice >

Hidden driver "gxvxcserv.sys" found!
ImagePath: \systemroot\system32\drivers\gxvxcoxsdtkltvenfvgrsogghloedjtiakaoj.sys
Start Type: 1 (System)


Rootkit scan completed.



Folder "C:\recycler" deleted successfully.


Completed script processing.

*******************

Finished! Terminate.


Contents of the Sysclean log:



/--------------------------------------------------------------\
| Trend Micro System Cleaner |
| Copyright 2006-2007, Trend Micro, Inc. |
| http://www.antivirus.com |
\--------------------------------------------------------------/


2009-05-16, 13:11:55, Auto-clean mode specified.
2009-05-16, 13:11:56, Initialized Rootkit Driver version 2.2.0.1004.
2009-05-16, 13:11:56, Running scanner "C:\Documents and Settings\Mark\Desktop\TM_sysclean\TSC.BIN"...
2009-05-16, 13:12:14, Scanner "C:\Documents and Settings\Mark\Desktop\TM_sysclean\TSC.BIN" has finished running.
2009-05-16, 13:12:14, TSC Log:

ÿþD a m a g e C l e a n u p E n g i n e ( D C E ) 6 . 0 ( B u i l d 1 1 7 2 )


W i n d o w s X P ( B u i l d 2 6 0 0 : S e r v i c e P a c k 3 )




S t a r t t i m e : S a t M a y 1 6 2 0 0 9 1 3 : 1 1 : 5 7





L o a d D a m a g e C l e a n u p T e m p l a t e ( D C T ) " C : \ D o c u m e n t s a n d S e t t i n g s \ M a r k \ D e s k t o p \ T M _ s y s c l e a n \ T M R D C T . p t n " ( v e r s i o n ) [ f a i l ]


L o a d D a m a g e C l e a n u p T e m p l a t e ( D C T ) " C : \ D o c u m e n t s a n d S e t t i n g s \ M a r k \ D e s k t o p \ T M _ s y s c l e a n \ t s c . p t n " ( v e r s i o n 1 0 3 4 ) [ s u c c e s s ]





C o m p l e t e t i m e : S a t M a y 1 6 2 0 0 9 1 3 : 1 2 : 1 4


E x e c u t e p a t t e r n c o u n t ( 3 0 5 1 ) , V i r u s f o u n d c o u n t ( 0 ) , V i r u s c l e a n c o u n t ( 0 ) , C l e a n f a i l e d c o u n t ( 0 )





2009-05-16, 13:12:14, Running scanner "C:\Documents and Settings\Mark\Desktop\TM_sysclean\VSCANTM.BIN"...
2009-05-16, 14:04:23, Scanner "C:\Documents and Settings\Mark\Desktop\TM_sysclean\VSCANTM.BIN" has finished running.
2009-05-16, 14:04:23, VSCANTM Log:

2009-05-16, 14:04:23, Files Detected:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 5/16/2009 13:12:14
VSAPI Engine Version : 8.910-1002
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 133 (398052/398052 Patterns) (2009/05/15) (613300)

Command Line: C:\Documents and Settings\Mark\Desktop\TM_sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR C:\*.* /P=C:\Documents and Settings\Mark\Desktop\TM_sysclean\lpt$vpn.133

C:\Qoobox\Quarantine\C\WINDOWS\system32\gxvxcnuldrxnujdgpxxhyppuejeuydskmtnit.dll.vir [TROJ_TDSS.RG]
68272 files have been read.
68272 files have been checked.
68240 files have been scanned.
181738 files have been scanned. (including files in archived)
1 files containing viruses.
Found 1 viruses totally.
Maybe 0 viruses totally.
Stop At: 5/16/2009 14:04:23 52 minutes 8 seconds (3127.88 seconds) has elapsed.(45.815 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2009-05-16, 14:04:23, Files Clean:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 5/16/2009 13:12:14
VSAPI Engine Version : 8.910-1002
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 133 (398052/398052 Patterns) (2009/05/15) (613300)

Command Line: C:\Documents and Settings\Mark\Desktop\TM_sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR C:\*.* /P=C:\Documents and Settings\Mark\Desktop\TM_sysclean\lpt$vpn.133

68272 files have been read.
68272 files have been checked.
68240 files have been scanned.
181738 files have been scanned. (including files in archived)
1 files containing viruses.
Found 1 viruses totally.
Maybe 0 viruses totally.
Stop At: 5/16/2009 14:04:23 52 minutes 8 seconds (3127.88 seconds) has elapsed.(45.815 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2009-05-16, 14:04:23, Clean Fail:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 5/16/2009 13:12:14
VSAPI Engine Version : 8.910-1002
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 133 (398052/398052 Patterns) (2009/05/15) (613300)

Command Line: C:\Documents and Settings\Mark\Desktop\TM_sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR C:\*.* /P=C:\Documents and Settings\Mark\Desktop\TM_sysclean\lpt$vpn.133

68272 files have been read.
68272 files have been checked.
68240 files have been scanned.
181738 files have been scanned. (including files in archived)
1 files containing viruses.
Found 1 viruses totally.
Maybe 0 viruses totally.
Stop At: 5/16/2009 14:04:23 52 minutes 8 seconds (3127.88 seconds) has elapsed.(45.815 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2009-05-16, 14:04:23, Running SSAPI scanner ""...
2009-05-16, 14:31:58, SSAPI Log:

SSAPI Scanner Version: 1.0.1003
SSAPI Engine Version: 5.2.1032
SSAPI Pattern Version: 7.67
SSAPI Anti-Rootkit Version: 2.2.0.1004

Spyware Scan Started: 05/16/2009 14:04:27


SSAPI requires the system to reboot.
Detected Items:
[CLEAN SUCCESS][Cookie_YieldManager] Internet Explorer Cache\ad.yieldmanager.com,Cookie:mark@ad.yieldmanager.com/,C:\Documents and Settings\Mark\Cookies\mark@ad.yieldmanager[2].txt
[CLEAN SUCCESS][Cookie_YieldManager] Internet Explorer Cache\ad.yieldmanager.com,Cookie:mark@ad.yieldmanager.com/,C:\Documents and Settings\Mark\Cookies\mark@ad.yieldmanager[3].txt
[CLEAN SUCCESS][Cookie_Pointroll] Internet Explorer Cache\ads.pointroll.com,Cookie:mark@ads.pointroll.com/,C:\Documents and Settings\Mark\Cookies\mark@ads.pointroll[2].txt
[CLEAN SUCCESS][Cookie_Advertising] Internet Explorer Cache\advertising.com,Cookie:mark@advertising.com/,C:\Documents and Settings\Mark\Cookies\mark@advertising[1].txt
[CLEAN SUCCESS][Cookie_Advertising] Internet Explorer Cache\advertising.com,Cookie:mark@advertising.com/,C:\Documents and Settings\Mark\Cookies\mark@advertising[2].txt
[CLEAN SUCCESS][Cookie_Apmebf] Internet Explorer Cache\apmebf.com,Cookie:mark@apmebf.com/,C:\Documents and Settings\Mark\Cookies\mark@apmebf[1].txt
[CLEAN SUCCESS][Cookie_Atdmt] Internet Explorer Cache\atdmt.com,Cookie:mark@atdmt.com/,C:\Documents and Settings\Mark\Cookies\mark@atdmt[1].txt
[CLEAN SUCCESS][Cookie_Atdmt] Internet Explorer Cache\atdmt.com,Cookie:mark@atdmt.com/,C:\Documents and Settings\Mark\Cookies\mark@atdmt[2].txt
[CLEAN SUCCESS][Cookie_Com] Internet Explorer Cache\com.com,Cookie:mark@com.com/,C:\Documents and Settings\Mark\Cookies\mark@com[1].txt
[CLEAN SUCCESS][Cookie_DoubleClick] Internet Explorer Cache\doubleclick.net,Cookie:mark@doubleclick.net/,C:\Documents and Settings\Mark\Cookies\mark@doubleclick[1].txt
[CLEAN SUCCESS][Cookie_Mediaplex] Internet Explorer Cache\mediaplex.com,Cookie:mark@mediaplex.com/,C:\Documents and Settings\Mark\Cookies\mark@mediaplex[1].txt
[CLEAN SUCCESS][Cookie_Revsci] Internet Explorer Cache\revsci.net,Cookie:mark@revsci.net/,C:\Documents and Settings\Mark\Cookies\mark@revsci[2].txt
[CLEAN SUCCESS][Cookie_Roia] Internet Explorer Cache\roia.biz,Cookie:mark@roia.biz/im,C:\Documents and Settings\Mark\Cookies\mark@roia[1].txt
[CLEAN SUCCESS][Cookie_SpecificClick] Internet Explorer Cache\specificclick.net,Cookie:mark@specificclick.net/,C:\Documents and Settings\Mark\Cookies\mark@specificclick[2].txt
[CLEAN SUCCESS][Cookie_Tacoda] Internet Explorer Cache\tacoda.net,Cookie:mark@tacoda.net/,C:\Documents and Settings\Mark\Cookies\mark@tacoda[2].txt
[CLEAN SUCCESS][Cookie_Profiling] Internet Explorer Cache\trafficmp.com,Cookie:mark@trafficmp.com/,C:\Documents and Settings\Mark\Cookies\mark@trafficmp[2].txt
[CLEAN SUCCESS][Cookie_Zedo] Internet Explorer Cache\zedo.com,Cookie:mark@zedo.com/,C:\Documents and Settings\Mark\Cookies\mark@zedo[2].txt
[CLEAN SUCCESS][Adware_Softomate] S-1-5-21-755074970-1307401525-2008287589-1006\Software\BestToolbars\
Detected: 18 items.
Cleaned Success: 18 items.
Clean Failed: 0 items.

Spyware Scan Ended: 05/16/2009 14:31:58
Scan Complete. Time=1654.198730.

To be continued....

Edited by Maurice Naggar, 16 May 2009 - 04:25 PM.


#14 MarcAngeDraco

MarcAngeDraco
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:04:13 AM

Posted 16 May 2009 - 02:16 PM

Contents of the latest MBAM log:

Malwarebytes' Anti-Malware 1.36
Database version: 2142
Windows 5.1.2600 Service Pack 3

5/16/2009 3:04:00 PM
mbam-log-2009-05-16 (15-04-00).txt

Scan type: Quick Scan
Objects scanned: 98859
Time elapsed: 4 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Contents of the latest HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:06:55 PM, on 5/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\eMachines Bay Reader\shwiconem.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\iolo\System Mechanic Professional\SystemGuardAlerter.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\Program Files\iolo\System Mechanic Professional\IoloSGCtrl.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Program Files\iolo\System Mechanic Professional\Personal Firewall\ioloFW.exe
C:\Program Files\iolo\System Mechanic Professional\AntiVirus\ioloAV.exe
C:\Program Files\iolo\System Mechanic Professional\AntiVirus\iAVEmailScanner.exe
C:\Program Files\Trend Micro\HijackThis\Bravo.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\eMachines Bay Reader\shwiconem.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [iolo AntiVirus] "C:\Program Files\iolo\System Mechanic Professional\AntiVirus\ioloAV.exe"
O4 - HKLM\..\Run: [SystemGuardAlerter] C:\Program Files\iolo\System Mechanic Professional\SystemGuardAlerter.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [iolo Personal Firewall] "C:\Program Files\iolo\System Mechanic Professional\Personal Firewall\ioloFW.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://mail.alticor.com/,DanaInfo=LNOT15.i...va+iNotes6W.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1237507492718
O16 - DPF: {707ABFC2-1D27-4A10-A6E4-6BE6BDF9FB11} (UltraMJCamX Class) - http://67.239.5.28:81/UltraMJCamX.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.av.aol.com/molbin/shared/m...,20/mcgdmgr.cab
O16 - DPF: {FFD85DC8-5261-4D11-B728-F7C59D911691} (iolo.ProductDetector) - https://secure.iolo.com/app/ocx/UpgradeVerify.cab
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: Google Update Service (gupdate1c9b25c1220ff1c) (gupdate1c9b25c1220ff1c) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - C:\Program Files\iolo\System Mechanic Professional\IoloSGCtrl.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

--
End of file - 10413 bytes

#15 MarcAngeDraco

MarcAngeDraco
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:04:13 AM

Posted 16 May 2009 - 02:17 PM

After you have a chance to look all that over, please let me know if I need to do anything else.

Also, when this is all cleaned up, I'd like to talk with you regarding your reccomendations for preventing this from recurring.

Thanks again.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users