rootkit? website redirect for antivirus sites


  • This topic is locked
14 replies to this topic

#1 Robynsleo

Robynsleo

  • Members
  • 15 posts
  • OFFLINE
  • Local time:04:20 AM

Posted 23 May 2009 - 06:40 PM

My niece has brought me her computer to "clean up", however this might be beyond my expertise (which isn't saying much). I have installed and run Avast, as she had NO antivirus on her computer. I've run MAM, SUPERAntispyware, Spyware Blaster, Ad-Aware and done some general clean up and updating. Things are coming out pretty clean in the scans, however there is something deeper lurking... When I open Internet Explorer to <hxxp://www.girlsense.com> or anything besides antivirus websites, everything opens as intended, but when I go to http://www.bleepingcomputer.com or anything that has to do with antivirus, I get the message "Internet Explorer cannot display the webpage" like I'm offline. But of course, I'm not.

I cannot get to any online scanners like F-Secure or Kaspersky. I have to load everything onto a flash drive and then run it on the infected machine.

Anyway, here are the logs....


DDS (Ver_09-05-14.01) - NTFSx86
Run by Hannah at 19:15:23.46 on Sat 05/23/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.247.76 [GMT -4:00]

AV: avast! antivirus 4.8.1335 [VPS 090523-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
F:\security\DDS-HJT.SCR

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.goodsearch.com
uSearch Page = hxxp://www.goodsearch.com
uStart Page = hxxp://www.bleepingcomputer.com/
uInternet Connection Wizard,ShellNext = iexplore
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
BHO: {243b17de-77c7-46bf-b94b-0b5f309a0e64} - c:\program files\microsoft money\system\mnyside.dll
BHO: : {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {82315A18-6CFB-44a7-BDFD-90E36537C252} - No File
BHO: {8da5457f-a8aa-4ccf-a842-70e6fd274094} -
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
IE: {6224f700-cba3-4071-b251-47cb894244cd} - c:\program files\icq\ICQ.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {DD6687B5-CB43-4211-BFC9-2942CCBDCB3E} - c:\program files\microsoft money\system\mnyside.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://www.activation.rr.com/install/download/tgctlcm.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - hxxp://www.nick.com/common/groove/gx/GrooveAX27.cab
DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - hxxp://download.websearch.com/Dnl/T_50038/QDow_AS2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} - hxxp://download.toontown.com/sv1.0.13.16/ttinst.cab
DPF: {CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.3.1/jinstall-131-win.cab
DPF: {CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.3.1/jinstall-131_02-win.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-5-19 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-5-19 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-5-19 138680]
R2 WUSB54Gv42SVC;WUSB54Gv42SVC;c:\program files\linksys wireless-g usb wireless network monitor\WLService.exe [2006-12-30 53307]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-5-19 254040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-5-19 352920]
S3 SQTECH913D;913D Camera;c:\windows\system32\drivers\Capt913D.sys [2007-12-26 29696]

=============== Created Last 30 ================

2009-05-23 18:35 <DIR> --d----- c:\windows\system32\XPSViewer
2009-05-23 18:34 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-05-23 18:34 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-05-23 18:34 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-05-23 18:34 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-05-23 18:34 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-05-23 18:34 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-05-23 18:34 117,760 -------- c:\windows\system32\prntvpt.dll
2009-05-23 18:34 <DIR> --d----- C:\d754fd0add41514d62ea7172e7ee5647
2009-05-19 10:13 1,060,864 a------- c:\windows\system32\MFC71.dll
2009-05-19 09:59 <DIR> --dsh--- c:\documents and settings\hannah\IECompatCache
2009-05-19 09:58 <DIR> --dsh--- c:\documents and settings\hannah\PrivacIE
2009-05-19 09:56 <DIR> --dsh--- c:\documents and settings\hannah\IETldCache
2009-05-19 09:41 <DIR> --d----- c:\windows\ie8updates
2009-05-19 09:37 <DIR> -cd-h--- c:\windows\ie8
2009-05-19 09:34 102,400 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-05-19 09:20 73,728 a------- c:\windows\system32\javacpl.cpl
2009-05-19 02:21 <DIR> --d----- c:\windows\system32\scripting
2009-05-19 02:21 <DIR> --d----- c:\windows\system32\en
2009-05-19 02:21 <DIR> --d----- c:\windows\l2schemas
2009-05-19 01:46 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-19 01:40 <DIR> --d----- c:\program files\ToniArts
2009-05-18 23:30 <DIR> --d----- c:\windows\pss
2009-05-18 22:56 <DIR> --d----- c:\docume~1\hannah\applic~1\Malwarebytes
2009-05-18 22:56 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-05-18 22:56 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-18 22:56 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-18 22:56 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes

==================== Find3M ====================

2009-05-19 02:25 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-03-08 04:34 914,944 a------- c:\windows\system32\wininet.dll
2009-03-08 04:34 43,008 a------- c:\windows\system32\licmgr10.dll
2009-03-08 04:33 18,944 a------- c:\windows\system32\corpol.dll
2009-03-08 04:33 420,352 a------- c:\windows\system32\vbscript.dll
2009-03-08 04:32 72,704 a------- c:\windows\system32\admparse.dll
2009-03-08 04:32 71,680 a------- c:\windows\system32\iesetup.dll
2009-03-08 04:31 34,816 a------- c:\windows\system32\imgutil.dll
2009-03-08 04:31 48,128 a------- c:\windows\system32\mshtmler.dll
2009-03-08 04:31 45,568 a------- c:\windows\system32\mshta.exe
2009-03-08 04:22 156,160 a------- c:\windows\system32\msls31.dll
2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll

============= FINISH: 19:15:38.01 ===============

Edited by Orange Blossom, 11 February 2013 - 04:52 AM.
Deactivate link. ~ OB
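An added example, not part of this thread and not code from the DDS tool: a small Python triage pass over lines in the shape of the "Pseudo HJT Report" section above. It flags CLSID entries whose target is "No File" or empty (registrations with no backing file, which helpers usually clean up) and DPF downloads whose host is not on a short allowlist of the plugin vendors visible in this log. The sample lines are copied from the log; the allowlist, the flag wording and the function names are assumptions of the example, and a flag is a prompt to look at the entry, not a verdict on it.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample in the shape of the DDS "Pseudo HJT Report" section of the
# posted log; the CLSIDs and paths are copied from it. Nothing here is a verdict.
SAMPLE_LOG = r"""
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
BHO: {243b17de-77c7-46bf-b94b-0b5f309a0e64} - c:\program files\microsoft money\system\mnyside.dll
BHO: : {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {82315A18-6CFB-44a7-BDFD-90E36537C252} - No File
BHO: {8da5457f-a8aa-4ccf-a842-70e6fd274094} -
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - hxxp://download.websearch.com/Dnl/T_50038/QDow_AS2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
"""

# One DDS entry: "<kind>: [<friendly name>:] {CLSID} - <target>".
GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
ENTRY = re.compile(
    r"^(?P<kind>BHO|TB|EB|DPF|IE):\s*(?P<name>.*?)\s*(?P<clsid>" + GUID + r")\s*-?\s*(?P<target>.*)$"
)

# Assumed allowlist for this example: the vendor download hosts that appear in the
# posted log. DPF downloads from anywhere else get a "look at this" flag.
KNOWN_DPF_HOSTS = {
    "java.sun.com",
    "download.macromedia.com",
    "fpdownload2.macromedia.com",
    "download.microsoft.com",
}


@dataclass
class Entry:
    kind: str
    name: str
    clsid: str
    target: str
    flags: list = field(default_factory=list)


def parse_entry(line):
    """Parse one CLSID-style DDS line; lines without a CLSID are not handled here."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    # DDS prints an empty name as "BHO: : {...}" or "BHO: {...}"; normalise both to "".
    name = m.group("name").strip().rstrip(":").strip()
    return Entry(m.group("kind"), name, m.group("clsid").lower(), m.group("target").strip())


def refang(url):
    """DDS writes hxxp so pasted logs are not clickable; undo that for parsing only."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def triage(lines):
    """Return every parsed entry, with review flags attached where a check fires."""
    entries = []
    for line in lines:
        e = parse_entry(line)
        if e is None:
            continue
        if e.target == "" or e.target.casefold() == "no file":
            e.flags.append("orphaned: registered CLSID with no backing file")
        if e.kind == "DPF" and e.target.lower().startswith("hxxp"):
            host = urlparse(refang(e.target)).hostname or ""
            if host not in KNOWN_DPF_HOSTS:
                e.flags.append(f"DPF from unlisted host {host}: check what the .cab installs")
        entries.append(e)
    return entries


def flagged(lines):
    """Only the entries a reviewer should look at."""
    return [e for e in triage(lines) if e.flags]


if __name__ == "__main__":
    for e in flagged(SAMPLE_LOG.splitlines()):
        print(f"{e.kind} {e.clsid} {e.target or '<empty>'}")
        for f in e.flags:
            print("   ", f)
```

Run against the sample it reports the three orphaned BHO/TB registrations and the one DPF cab that did not come from a vendor host on the allowlist; the named Acrobat helper, the unnamed but present Money and Spybot helpers, and the Java cab pass without comment, which is the point: the script narrows the log to what needs a human, it does not decide for them.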



#2 Robynsleo

Robynsleo
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:04:20 AM

Posted 01 June 2009 - 05:51 PM

I'm sorry, I'm not trying to bump my topic, but was just wondering what the wait time was like. It's only been 1 week since I posted, but I'm thinking about wiping and reinstalling the OS so I could get it off my desk (and also out of your queue). Is that the best idea? I know you have a very busy team and I appreciate the pro bono work that you all do.

It's too bad there's not a way to get a number and see a banner on the website saying "Now serving number 428"

==================

Hello,

It's too bad there's not a way to get a number and see a banner on the website saying "Now serving number 428"


There'd be too many numbers flashing because of the sheer quantities of logs we work with at one time. In addition, it often happens that several logs are responded to practically simultaneously. Our license branch in Indiana has even quit using the "now serving number x" method.

I know how frustrating it is when your computer isn't working properly. Let me assure you that your topic isn't lost, forgotten, or ignored. We work with hundreds of logs every day, so we have devised a means of seeing only those topics that don't have responses yet. At the moment, we have over 500 unanswered topics, the oldest dated Tue May 19, 2009 12:22 pm Eastern Daylight Saving Time in the U.S.A. Your HijackThis topic is dated May 23, 2009, 7:40 PM using the same time zone.

Our volunteer HJT team members have various levels of expertise and training, so while we try to take the oldest DDS/HJT logs, it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level attempted removal could result in disastrous results. In other instances, the helper may not be familiar with the operating system that you are using, since they use another. In either case, neither of us would want someone to assist you who is not familiar with your issue and attempt to fix it.

Please be patient. It may take a while longer to get a response but your log will be reviewed and answered as soon as possible.


Orange Blossom ~ forum moderator

Edited by Orange Blossom, 01 June 2009 - 06:45 PM.


#3 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:20 AM

Posted 05 June 2009 - 10:08 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#4 Robynsleo

Robynsleo
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:04:20 AM

Posted 05 June 2009 - 10:38 PM

Thankfully the infected computer isn't mine, so it's not even connected to the internet right now, but I ran new logs anyway.


DDS (Ver_09-05-14.01) - NTFSx86
Run by Hannah at 23:23:25.40 on Fri 06/05/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.247.99 [GMT -4:00]

AV: avast! antivirus 4.8.1335 [VPS 090526-0] *On-access scanning disabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
F:\security\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.goodsearch.com
uSearch Page = hxxp://www.goodsearch.com
uStart Page = hxxp://www.bleepingcomputer.com/
uInternet Connection Wizard,ShellNext = iexplore
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
BHO: {243b17de-77c7-46bf-b94b-0b5f309a0e64} - c:\program files\microsoft money\system\mnyside.dll
BHO: : {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {82315A18-6CFB-44a7-BDFD-90E36537C252} - No File
BHO: {8da5457f-a8aa-4ccf-a842-70e6fd274094} -
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRunOnce: [VcCleanUp.exe] c:\docume~1\hannah\locals~1\temp\vccleanup.exe /f c:\progra~1\common~1\symant~1\livereg\ /RemoveAll
IE: {6224f700-cba3-4071-b251-47cb894244cd} - c:\program files\icq\ICQ.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {DD6687B5-CB43-4211-BFC9-2942CCBDCB3E} - c:\program files\microsoft money\system\mnyside.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://www.activation.rr.com/install/download/tgctlcm.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - hxxp://www.nick.com/common/groove/gx/GrooveAX27.cab
DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - hxxp://download.websearch.com/Dnl/T_50038/QDow_AS2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} - hxxp://download.toontown.com/sv1.0.13.16/ttinst.cab
DPF: {CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.3.1/jinstall-131-win.cab
DPF: {CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.3.1/jinstall-131_02-win.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-5-19 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-5-19 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-5-19 138680]
R2 WUSB54Gv42SVC;WUSB54Gv42SVC;c:\program files\linksys wireless-g usb wireless network monitor\WLService.exe [2006-12-30 53307]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-5-19 254040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-5-19 352920]
S3 SQTECH913D;913D Camera;c:\windows\system32\drivers\Capt913D.sys [2007-12-26 29696]

=============== Created Last 30 ================

2009-06-02 15:55 <DIR> --d----- c:\windows\system32\NtmsData
2009-05-26 15:57 <DIR> --d----- c:\docume~1\hannah\applic~1\Canneverbe_Limited
2009-05-26 13:47 31 a------- c:\windows\MCDB.ini
2009-05-26 13:47 31 a------- c:\windows\system32\dvdwincd20.dll
2009-05-26 13:47 45 a------- c:\windows\system32\DVDCD.dll
2009-05-24 11:14 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-05-23 19:14 4,194,918 a------- c:\windows\pfirewall.log.old
2009-05-23 18:35 <DIR> --d----- c:\windows\system32\XPSViewer
2009-05-23 18:34 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-05-23 18:34 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-05-23 18:34 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-05-23 18:34 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-05-23 18:34 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-05-23 18:34 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-05-23 18:34 117,760 -------- c:\windows\system32\prntvpt.dll
2009-05-23 18:34 <DIR> --d----- C:\d754fd0add41514d62ea7172e7ee5647
2009-05-19 10:13 1,060,864 a------- c:\windows\system32\MFC71.dll
2009-05-19 09:59 <DIR> --dsh--- c:\documents and settings\hannah\IECompatCache
2009-05-19 09:58 <DIR> --dsh--- c:\documents and settings\hannah\PrivacIE
2009-05-19 09:56 <DIR> --dsh--- c:\documents and settings\hannah\IETldCache
2009-05-19 09:41 <DIR> --d----- c:\windows\ie8updates
2009-05-19 09:37 <DIR> -cd-h--- c:\windows\ie8
2009-05-19 09:34 102,400 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-05-19 09:20 73,728 a------- c:\windows\system32\javacpl.cpl
2009-05-19 02:21 <DIR> --d----- c:\windows\system32\scripting
2009-05-19 02:21 <DIR> --d----- c:\windows\system32\en
2009-05-19 02:21 <DIR> --d----- c:\windows\l2schemas
2009-05-19 01:46 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-19 01:40 <DIR> --d----- c:\program files\ToniArts
2009-05-18 23:30 <DIR> --d----- c:\windows\pss
2009-05-18 22:56 <DIR> --d----- c:\docume~1\hannah\applic~1\Malwarebytes
2009-05-18 22:56 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-05-18 22:56 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-18 22:56 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-18 22:56 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes

==================== Find3M ====================

2009-05-19 02:25 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-03-08 04:34 914,944 a------- c:\windows\system32\wininet.dll
2009-03-08 04:34 43,008 a------- c:\windows\system32\licmgr10.dll
2009-03-08 04:33 18,944 a------- c:\windows\system32\corpol.dll
2009-03-08 04:33 420,352 a------- c:\windows\system32\vbscript.dll
2009-03-08 04:32 72,704 a------- c:\windows\system32\admparse.dll
2009-03-08 04:32 71,680 a------- c:\windows\system32\iesetup.dll
2009-03-08 04:31 34,816 a------- c:\windows\system32\imgutil.dll
2009-03-08 04:31 48,128 a------- c:\windows\system32\mshtmler.dll
2009-03-08 04:31 45,568 a------- c:\windows\system32\mshta.exe
2009-03-08 04:22 156,160 a------- c:\windows\system32\msls31.dll

============= FINISH: 23:24:11.01 ===============




#5 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:04:20 AM

Posted 06 June 2009 - 10:19 PM

Hi Robynsleo,



Welcome to BleepingComputer HijackThis Logs and Malware Removal.
My name is sundavis; I will be helping you to deal with your malware problems today.


Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This will change from what we know in 2006; read this article: http://www.clickz.com/news/article.php/3561546
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.

Viewpoint Manager
Viewpoint Media Player
Viewpoint Toolbar




Step1

Please download GMER Rootkit Scanner from Here or Here.
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow the gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish. For more info, go to Here for your reference.
  • Once done, click on the [Save..] button, and in the File name area type in "Gmer.txt", then copy and paste the contents in your next reply.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.


Step2

Disable the real-time protections of your antivirus and antispyware applications, usually via a right-click on the System Tray icon. Please re-enable them after the scan.
  • Download ToolBarSD and Save it to your Desktop.
  • Double-click ToolBarSD.exe to run it.
  • Type the letter of your chosen language and press Enter.
  • Click OK to the prompt.
  • Type 1 and press Enter.
  • Please post TB.txt, which was created at C:\TB.txt in your next reply.
Step3

We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

In your next reply, please post back:


1. GMER log
2. TB.txt
3. OTL log

Thanks.

#6 Robynsleo

Robynsleo
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:04:20 AM

Posted 07 June 2009 - 12:24 PM

GMER log -

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-06-07 12:48:40
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xF0B416B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xF0B41574]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xF0B41A52]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xF0B4114C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xF0B4164E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xF0B4108C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xF0B410F0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xF0B4176E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xF0B4172E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xF0B418AE]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{248FCFB3-5914-AF2C-CCBA-9BB5E3C749D5}\InProcServer32@ %SystemRoot%\system32\msrating.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{248FCFB3-5914-AF2C-CCBA-9BB5E3C749D5}\InProcServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{3B6C15BE-F9FD-7E15-F865-ABA8E2A09915}\InprocServer32@ C:\WINDOWS\System32\capesnpn.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{3B6C15BE-F9FD-7E15-F865-ABA8E2A09915}\InprocServer32@ThreadingModel both
Reg HKLM\SOFTWARE\Classes\CLSID\{3B6C15BE-F9FD-7E15-F865-ABA8E2A09915}\ProgID@ Snapin.PolicySettingsAbout.1
Reg HKLM\SOFTWARE\Classes\CLSID\{3B6C15BE-F9FD-7E15-F865-ABA8E2A09915}\VersionIndependentProgID@ Snapin.PolicySettingsAbout

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 60: copy of MBR

---- EOF - GMER 1.0.15 ----



------------------------------------------------------------------------------------------------------------------------------------------------------------------
TB txt


-----------\\ ToolBar S&D 1.2.8 XP/Vista

Microsoft Windows XP Home Edition ( v5.1.2600 ) Service Pack 3
X86-based PC ( Uniprocessor Free : Intel® Pentium® 4 CPU 2.60GHz )
BIOS : )Phoenix - Award WorkstationBIOS v6.00PG
USER : Hannah ( Administrator )
BOOT : Normal boot
Antivirus : avast! antivirus 4.8.1335 [VPS 090526-0] 4.8.1335 (Not Activated)
A:\ (USB)
C:\ (Local Disk) - NTFS - Total:74 Go (Free:10 Go)
D:\ (CD or DVD)
E:\ (CD or DVD)
F:\ (USB) - FAT - Total:976 Mo (Free:0 Go)

"C:\ToolBar SD" ( MAJ : 21-12-2008|20:47 )
Option : [1] ( Sun 06/07/2009|13:10 )

-----------\\ Searching for Files - Folders ...


-----------\\ [..\Internet Explorer\Main]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Search Bar"="http://www.goodsearch.com"
"Search Page"="http://www.goodsearch.com"
"Local Page"="C:\\WINDOWS\\system32\\blank.htm"
"Start Page Redirect Cache"="http://www.msn.com/"
"Start Page"="http://www.bleepingcomputer.com/"
"Url"="http://go.microsoft.com/fwlink/?LinkID=68928"
"Url"="http://go.microsoft.com/fwlink/?LinkID=68929"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"Default_Page_URL"="http://go.microsoft.com/fwlink/?LinkId=69157"
"Default_Search_URL"="http://go.microsoft.com/fwlink/?LinkId=54896"
"Search Page"="http://go.microsoft.com/fwlink/?LinkId=54896"
"Local Page"="C:\\WINDOWS\\system32\\blank.htm"
"Start Page"="http://go.microsoft.com/fwlink/?LinkId=69157"


--------------------\\ Searching for other infections


No other infections found !


1 - "C:\ToolBar SD\TB_1.txt" - Sun 06/07/2009|13:11 - Option : [1]

-----------\\ Scan completed at 13:11:07.04

-------------------------------------------------------------------------------------------------------------------------

OTL

OTL logfile created on: 6/7/2009 1:14:33 PM - Run 1
OTL by OldTimer - Version 2.1.1.0 Folder = F:\security
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

247.48 Mb Total Physical Memory | 37.29 Mb Available Physical Memory | 15.07% Memory free
606.64 Mb Paging File | 261.21 Mb Available in Paging File | 43.06% Paging File free
Paging file location(s): C:\pagefile.sys 372 744 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 10.01 Gb Free Space | 13.43% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 976.13 Mb Total Space | 936.41 Mb Free Space | 95.93% Space Free | Partition Type: FAT
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: WILDCAT
Current User Name: Hannah
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Output = Standard
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - [2009/02/05 16:01:25 | 00,018,752 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
PRC - [2009/02/05 16:08:40 | 00,138,680 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe
PRC - [2008/04/13 20:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2005/07/04 17:46:04 | 00,053,307 | ---- | M] (GEMTEKS) -- C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
PRC - [2009/02/05 16:08:45 | 00,081,000 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashDisp.exe
PRC - [2005/11/16 23:19:00 | 05,264,384 | ---- | M] (Linksys) -- C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
PRC - [2009/06/07 12:10:42 | 00,501,760 | ---- | M] (OldTimer Tools) -- F:\security\OTL.exe

========== Win32 Services (SafeList) ==========

SRV - [2008/07/25 11:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2009/02/05 16:01:25 | 00,018,752 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe -- (aswUpdSv [Auto | Running])
SRV - [2009/02/05 16:08:40 | 00,138,680 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe -- (avast! Antivirus [Auto | Running])
SRV - [2009/02/05 16:08:26 | 00,254,040 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe -- (avast! Mail Scanner [On_Demand | Stopped])
SRV - [2009/02/05 16:06:04 | 00,352,920 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe -- (avast! Web Scanner [On_Demand | Stopped])
SRV - [2008/07/25 11:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2008/07/29 21:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
SRV - [2008/04/13 20:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2008/07/29 19:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
SRV - [2009/05/19 09:20:39 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Auto | Stopped])
SRV - [2008/07/29 19:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
SRV - [2003/01/17 05:02:00 | 00,045,056 | ---- | M] ( ) -- C:\WINDOWS\system32\slserv.exe -- (SLService [Auto | Stopped])
SRV - [2002/11/06 16:49:38 | 00,065,536 | ---- | M] (America Online, Inc.) -- C:\WINDOWS\wanmpsvc.exe -- (WANMiniportService [Auto | Stopped])
SRV - [2006/10/18 21:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])
SRV - [2005/07/04 17:46:04 | 00,053,307 | ---- | M] (GEMTEKS) -- C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe -- (WUSB54Gv42SVC [Auto | Running])
SRV - [2008/10/20 22:18:26 | 00,071,096 | ---- | M] () -- C:\Program Files\CDBurnerXP\NMSAccessU.exe -- (NMSAccessU [Auto | Stopped])

========== Driver Services (SafeList) ==========

DRV - [2009/02/05 16:05:11 | 00,026,944 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4 [System | Running])
DRV - [2006/12/30 17:45:24 | 00,020,747 | ---- | M] (Meetinghouse Data Communications) -- C:\WINDOWS\system32\DRIVERS\AegisP.sys -- (AegisP [Auto | Running])
DRV - [2003/04/01 20:51:30 | 00,719,052 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM [On_Demand | Running])
DRV - [2009/02/05 16:07:12 | 00,020,560 | ---- | M] (ALWIL Software) -- C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys -- (aswFsBlk [Auto | Running])
DRV - [2009/02/05 16:08:10 | 00,094,032 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2 [Auto | Running])
DRV - [2009/02/05 16:06:10 | 00,023,152 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr [On_Demand | Running])
DRV - [2009/02/05 16:07:23 | 00,114,768 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP [System | Running])
DRV - [2009/02/05 16:06:20 | 00,051,376 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi [System | Running])
DRV - [2005/02/01 19:18:38 | 00,017,992 | ---- | M] (Broadcom Corporation) -- C:\WINDOWS\System32\BCM42RLY.SYS -- (BCM42RLY [On_Demand | Stopped])
DRV - [2006/12/30 18:05:44 | 00,044,288 | ---- | M] (Roxio) -- C:\WINDOWS\System32\drivers\cdr4_xp.sys -- (Cdr4_xp [System | Running])
DRV - [2002/12/17 15:32:46 | 00,023,436 | ---- | M] (Roxio) -- C:\WINDOWS\System32\drivers\cdralw2k.sys -- (Cdralw2k [System | Running])
DRV - [2002/12/17 15:27:32 | 00,241,152 | ---- | M] (Roxio) -- C:\WINDOWS\System32\drivers\cdudf_xp.sys -- (cdudf_xp [System | Running])
DRV - [2002/12/17 15:29:46 | 00,025,930 | ---- | M] (Roxio) -- C:\WINDOWS\System32\drivers\Dvd_2k.sys -- (dvd_2K [On_Demand | Running])
DRV - [2005/06/21 17:12:34 | 00,807,998 | ---- | M] (Intel Corporation) -- C:\WINDOWS\System32\DRIVERS\ialmnt5.sys -- (ialm [On_Demand | Running])
DRV - [2002/12/17 15:29:44 | 00,030,630 | ---- | M] (Roxio) -- C:\WINDOWS\System32\drivers\Mmc_2k.sys -- (mmc_2K [On_Demand | Stopped])
DRV - [2001/08/17 09:57:38 | 00,016,128 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\MODEMCSA.sys -- (MODEMCSA [On_Demand | Running])
DRV - [2003/02/16 19:08:00 | 00,210,128 | ---- | M] ( ) -- C:\WINDOWS\System32\DRIVERS\Mtlmnt5.sys -- (Mtlmnt5 [On_Demand | Running])
DRV - [2003/02/16 20:33:00 | 01,293,192 | ---- | M] ( ) -- C:\WINDOWS\System32\DRIVERS\Mtlstrm.sys -- (Mtlstrm [On_Demand | Stopped])
DRV - [2003/02/05 20:25:00 | 00,162,136 | ---- | M] ( ) -- C:\WINDOWS\System32\DRIVERS\NtMtlFax.sys -- (NtMtlFax [On_Demand | Stopped])
DRV - [2002/08/29 08:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2002/12/17 15:29:42 | 00,139,674 | ---- | M] (Roxio) -- C:\WINDOWS\System32\drivers\pwd_2K.sys -- (pwd_2k [System | Running])
DRV - [2004/08/04 01:41:39 | 00,013,776 | ---- | M] (Smart Link) -- C:\WINDOWS\System32\DRIVERS\RecAgent.sys -- (RecAgent [On_Demand | Stopped])
DRV - [2002/10/04 13:04:10 | 00,046,976 | ---- | M] (Realtek Semiconductor Corporation ) -- C:\WINDOWS\System32\DRIVERS\R8139n51.SYS -- (rtl8139 [On_Demand | Running])
DRV - [2001/08/23 15:00:00 | 00,022,400 | ---- | M] () -- C:\WINDOWS\system32\Drivers\SbcpHid.sys -- (SbcpHid [System | Running])
DRV - [2007/11/13 06:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys -- (Secdrv [Auto | Running])
DRV - [2003/02/16 19:11:00 | 00,516,616 | ---- | M] ( ) -- C:\WINDOWS\System32\DRIVERS\slntamr.sys -- (Slntamr [On_Demand | Running])
DRV - [2003/02/16 19:12:00 | 00,085,520 | ---- | M] ( ) -- C:\WINDOWS\System32\DRIVERS\Slnthal.sys -- (SlNtHal [On_Demand | Stopped])
DRV - [2003/01/17 04:19:00 | 00,039,348 | ---- | M] (Vireo Software) -- C:\WINDOWS\System32\DRIVERS\SlWdmSup.sys -- (SlWdmSup [On_Demand | Running])
DRV - [2007/06/21 10:45:08 | 00,029,696 | ---- | M] (Service & Quality Technology.) -- C:\WINDOWS\System32\Drivers\Capt913D.sys -- (SQTECH913D [On_Demand | Stopped])
DRV - [2002/12/17 15:27:58 | 00,206,464 | ---- | M] (Roxio) -- C:\WINDOWS\System32\drivers\udfreadr_xp.sys -- (UdfReadr_xp [System | Running])
DRV - [2002/11/06 16:47:48 | 00,033,588 | ---- | M] (America Online, Inc.) -- C:\WINDOWS\system32\DRIVERS\wanatw4.sys -- (wanatw [On_Demand | Running])
DRV - [2005/10/17 20:50:06 | 00,245,376 | ---- | M] (Ralink Technology Inc.) -- C:\WINDOWS\system32\DRIVERS\rt2500usb.sys -- (WUSB54GPV4SRV [On_Demand | Stopped])
DRV - [2003/04/15 13:40:54 | 00,113,504 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\ialmsbw.sys -- ({6080A529-897E-4629-A488-ABA0C29B635E} [On_Demand | Stopped])
DRV - [2003/04/15 13:40:46 | 00,078,752 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\ialmkchw.sys -- ({D31A0762-0CEB-444e-ACFF-B049A1F6FE91} [On_Demand | Stopped])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.emachines.com
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.emachines.com
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.emachines.com
IE - HKU\S-1-5-19\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.emachines.com
IE - HKU\S-1-5-20\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1672673832-1852121158-1231752081-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\S-1-5-21-1672673832-1852121158-1231752081-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKU\S-1-5-21-1672673832-1852121158-1231752081-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.goodsearch.com
IE - HKU\S-1-5-21-1672673832-1852121158-1231752081-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.bleepingcomputer.com/
IE - HKU\S-1-5-21-1672673832-1852121158-1231752081-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKU\S-1-5-21-1672673832-1852121158-1231752081-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\S-1-5-21-1672673832-1852121158-1231752081-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 1A 90 37 D1 FA DB C9 01 [binary data]
IE - HKU\S-1-5-21-1672673832-1852121158-1231752081-1007\S-1-5-21-1672673832-1852121158-1231752081-1007\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\CompuServe 7.0\Extensions\\:
FF - HKLM\software\mozilla\CompuServe 7.0\Extensions\\Components: C:\PROGRAM FILES\COMMON FILES\CSSHARE\PLUGINS0942 [2009/06/07 12:07:59 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\CompuServe 7.0\Extensions\\Plugins: C:\PROGRAM FILES\COMMON FILES\CSSHARE\PLUGINS0942 [2009/06/07 12:07:59 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\jqs@sun.com: C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF [2009/05/19 09:20:39 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\WINDOWS PRESENTATION FOUNDATION\DOTNETASSISTANTEXTENSION\ [2009/05/23 18:37:46 | 00,000,000 | ---D | M]


O1 HOSTS File: (135496 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 3944 more lines...
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx ()
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll (Microsoft Corporation)
O2 - BHO: () - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (no name) - {82315A18-6CFB-44a7-BDFD-90E36537C252} - Reg Error: Key error. File not found
O2 - BHO: () - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - Reg Error: Value error. File not found
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - Reg Error: Key error. File not found
O3 - HKLM\..\Toolbar: (no name) - Locked - Reg Error: Key error. File not found
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - Reg Error: Key error. File not found
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Reg Error: Key error. File not found
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - Reg Error: Key error. File not found
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Reg Error: Key error. File not found
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
O3 - HKU\S-1-5-21-1672673832-1852121158-1231752081-1007\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Reg Error: Key error. File not found
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe (ALWIL Software)
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\RunOnce: [VcCleanUp.exe] C:\DOCUME~1\Hannah\LOCALS~1\Temp\VcCleanUp.exe /F C:\PROGRA~1\COMMON~1\SYMANT~1\LiveReg\ /RemoveAll (Symantec Corporation)
O4 - Startup: C:\Documents and Settings\Butch\Start Menu\Programs\Startup\LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1672673832-1852121158-1231752081-1007\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1672673832-1852121158-1231752081-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1672673832-1852121158-1231752081-1007_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra Button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe File not found
O9 - Extra 'Tools' menuitem : ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe File not found
O9 - Extra Button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O15 - HKU\S-1-5-21-1672673832-1852121158-1231752081-1007\..Trusted Domains: ([]msn in My Computer)
O15 - HKU\S-1-5-21-1672673832-1852121158-1231752081-1007\..Trusted Domains: 26 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} http://www.activation.rr.com/install/download/tgctlcm.cab (Support.com Configuration Class)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB (Reg Error: Key error.)
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} http://www.nick.com/common/groove/gx/GrooveAX27.cab (Groove Control)
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} http://download.websearch.com/Dnl/T_50038/QDow_AS2.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} http://download.toontown.com/sv1.0.13.16/ttinst.cab (Toontown Installer ActiveX Control)
O16 - DPF: {CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA} http://java.sun.com/products/plugin/1.3.1/...all-131-win.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA} http://java.sun.com/products/plugin/1.3.1/...-131_02-win.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_09)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\system32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2003/07/07 14:26:00 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{90cff81f-b41b-11dc-96dd-0018390b15a6}\Shell - "" = AutoRun
O33 - MountPoints2\{90cff81f-b41b-11dc-96dd-0018390b15a6}\Shell\AutoRun - "" = Auto&Play
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - * [2009/05/23 10:30:54 | 00,000,000 | ---D | M]

========== Files/Folders - Created Within 30 Days ==========

[2009/06/07 13:09:33 | 00,000,000 | ---D | C] -- C:\ToolBar SD
[2009/06/02 15:55:28 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\NtmsData
[2009/06/01 19:53:35 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Hannah\Local Settings\Apps
[2009/05/26 15:57:27 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Hannah\Application Data\Canneverbe_Limited
[2009/05/26 15:57:26 | 00,000,000 | ---D | C] -- C:\DOCUME~1\Hannah\My Documents\CDBurnerXP Projects
[2009/05/26 15:56:45 | 00,001,604 | ---- | C] () -- C:\DOCUME~1\ALLUSE~1\Desktop\CDBurnerXP.lnk
[2009/05/26 15:56:43 | 00,000,000 | ---D | C] -- C:\Program Files\CDBurnerXP
[2009/05/26 15:14:27 | 36,343,1935 | ---- | C] () -- C:\DOCUME~1\Hannah\Desktop\openSUSE-11.1-DVD-x86_64.iso
[2009/05/26 13:47:30 | 00,000,031 | ---- | C] () -- C:\WINDOWS\MCDB.ini
[2009/05/26 13:47:17 | 00,000,031 | ---- | C] () -- C:\WINDOWS\System32\dvdwincd20.dll
[2009/05/26 13:47:05 | 00,000,045 | ---- | C] () -- C:\WINDOWS\System32\DVDCD.dll
[2009/05/24 18:59:37 | 00,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2009/05/24 11:14:32 | 01,089,593 | ---- | C] () -- C:\WINDOWS\System32\dllcache\ntprint.cat
[2009/05/23 18:35:49 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\XPSViewer
[2009/05/23 18:35:42 | 00,000,000 | ---D | C] -- C:\Program Files\MSBuild
[2009/05/23 18:35:29 | 00,000,000 | ---D | C] -- C:\Program Files\Reference Assemblies
[2009/05/23 18:34:02 | 01,676,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xpssvcs.dll
[2009/05/23 18:34:02 | 01,676,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\xpssvcs.dll
[2009/05/23 18:34:02 | 00,597,504 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\printfilterpipelinesvc.exe
[2009/05/23 18:34:02 | 00,575,488 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xpsshhdr.dll
[2009/05/23 18:34:02 | 00,575,488 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\xpsshhdr.dll
[2009/05/23 18:34:02 | 00,117,760 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\prntvpt.dll
[2009/05/23 18:34:02 | 00,089,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\filterpipelineprintproc.dll
[2009/05/23 18:34:00 | 00,000,000 | ---D | C] -- C:\d754fd0add41514d62ea7172e7ee5647
[2009/05/19 10:13:51 | 00,023,152 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2009/05/19 10:13:50 | 00,051,376 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2009/05/19 10:13:49 | 00,026,944 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2009/05/19 10:13:46 | 00,097,480 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\AvastSS.scr
[2009/05/19 10:13:44 | 00,114,768 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2009/05/19 10:13:44 | 00,020,560 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2009/05/19 10:13:43 | 00,094,032 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2009/05/19 10:13:43 | 00,093,296 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2009/05/19 10:13:26 | 01,256,296 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\aswBoot.exe
[2009/05/19 10:13:26 | 01,060,864 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MFC71.dll
[2009/05/19 10:13:26 | 00,380,928 | ---- | C] () -- C:\WINDOWS\System32\actskin4.ocx
[2009/05/19 10:13:23 | 00,000,000 | ---D | C] -- C:\Program Files\Alwil Software
[2009/05/19 09:59:39 | 00,000,424 | -H-- | C] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{CCE3D12B-1D9A-4AB4-BDEC-7DE0A4CEB752}.job
[2009/05/19 09:41:44 | 00,000,000 | ---D | C] -- C:\WINDOWS\ie8updates
[2009/05/19 09:37:21 | 00,000,000 | -H-D | C] -- C:\WINDOWS\ie8
[2009/05/19 09:34:49 | 00,102,400 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iecompat.dll
[2009/05/19 08:54:02 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009/05/19 02:36:00 | 00,000,000 | ---D | C] -- C:\WINDOWS\Prefetch
[2009/05/19 02:21:50 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\scripting
[2009/05/19 02:21:47 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\en
[2009/05/19 02:21:47 | 00,000,000 | ---D | C] -- C:\WINDOWS\l2schemas
[2009/05/19 01:40:35 | 00,000,000 | ---D | C] -- C:\Program Files\ToniArts
[2009/05/18 23:30:33 | 00,000,000 | ---D | C] -- C:\WINDOWS\pss
[2009/05/18 23:16:37 | 25,957,5808 | -HS- | C] () -- C:\hiberfil.sys
[2009/05/18 22:56:24 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Hannah\Application Data\Malwarebytes
[2009/05/18 22:56:21 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/05/18 22:56:18 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/05/18 22:56:17 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/05/18 22:56:17 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/05/18 21:32:39 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Avg7
[2007/12/26 21:19:26 | 00,000,000 | ---- | C] () -- C:\WINDOWS\PTWebCam.INI
[2007/03/07 14:30:02 | 00,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI
[2006/12/30 17:45:21 | 00,094,208 | ---- | C] () -- C:\WINDOWS\System32\GTW32N50.dll
[2006/12/30 17:45:04 | 00,001,668 | ---- | C] () -- C:\WINDOWS\System32\WLAN.INI
[2006/12/29 21:30:32 | 00,000,068 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2006/04/23 14:46:23 | 00,000,150 | ---- | C] () -- C:\WINDOWS\Disney's Magic Artist.INI
[2005/08/12 17:57:09 | 03,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2005/06/28 14:20:14 | 00,131,072 | ---- | C] () -- C:\WINDOWS\System32\SCCD3X01.DLL
[2005/06/28 14:20:14 | 00,090,112 | ---- | C] ( ) -- C:\WINDOWS\System32\SCCD3X02.DLL
[2005/03/02 18:03:54 | 00,000,147 | ---- | C] () -- C:\WINDOWS\CareBear.ini
[2005/02/24 19:16:10 | 00,000,231 | ---- | C] () -- C:\WINDOWS\POWERPNT.INI
[2005/02/24 19:15:59 | 00,000,064 | ---- | C] () -- C:\WINDOWS\exchng32.ini
[2005/02/24 19:15:59 | 00,000,026 | ---- | C] () -- C:\WINDOWS\datalink.ini
[2005/02/24 19:15:39 | 00,000,032 | ---- | C] () -- C:\WINDOWS\GRAPH5.INI
[2005/02/24 19:15:35 | 00,000,000 | ---- | C] () -- C:\WINDOWS\WINHELP.INI
[2004/12/04 10:03:42 | 00,000,151 | ---- | C] () -- C:\WINDOWS\LMPS.INI
[2004/11/07 09:42:28 | 00,000,169 | ---- | C] () -- C:\WINDOWS\RtlRack.ini
[2004/09/05 16:49:51 | 00,000,045 | ---- | C] () -- C:\WINDOWS\STORYMKR.INI
[2004/08/29 15:32:21 | 00,000,285 | ---- | C] () -- C:\WINDOWS\Clubhouse.ini
[2004/08/23 16:16:34 | 00,000,044 | ---- | C] () -- C:\WINDOWS\SIERRA.INI
[2004/08/23 16:14:00 | 00,003,366 | ---- | C] () -- C:\WINDOWS\disney.ini
[2004/08/12 17:02:54 | 00,000,106 | ---- | C] () -- C:\WINDOWS\DMI.INI
[2004/08/11 19:04:45 | 00,001,331 | ---- | C] () -- C:\WINDOWS\hegames.ini
[2004/08/07 19:02:46 | 00,000,846 | ---- | C] () -- C:\WINDOWS\ka.ini
[2004/07/25 19:17:03 | 00,000,093 | ---- | C] () -- C:\WINDOWS\Busytown.ini
[2004/06/08 01:19:30 | 00,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2003/07/08 05:08:19 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2003/07/08 04:09:19 | 00,000,132 | ---- | C] () -- C:\WINDOWS\winamp.ini
[2003/07/08 04:08:43 | 00,000,310 | ---- | C] () -- C:\WINDOWS\net2fone.ini
[2003/07/08 03:52:51 | 00,000,164 | ---- | C] () -- C:\WINDOWS\avrack.ini
[2003/07/07 14:13:21 | 00,516,616 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\slntamr.sys
[2003/07/07 14:13:21 | 00,085,520 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\slnthal.sys
[2003/07/07 14:13:20 | 01,293,192 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\mtlstrm.sys
[2003/07/07 14:13:20 | 00,210,128 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\mtlmnt5.sys
[2003/07/07 14:13:20 | 00,188,416 | ---- | C] () -- C:\WINDOWS\System32\slextspk.dll
[2003/07/07 14:13:20 | 00,162,136 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\ntmtlfax.sys
[2003/07/07 14:13:20 | 00,159,744 | ---- | C] () -- C:\WINDOWS\System32\SLGen.dll
[2003/07/07 14:13:20 | 00,049,152 | ---- | C] () -- C:\WINDOWS\System32\coinst.dll
[2003/07/07 14:13:14 | 00,001,094 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2003/07/07 14:13:14 | 00,000,466 | ---- | C] () -- C:\WINDOWS\System32\emver.ini
[2003/07/07 14:12:58 | 00,000,829 | ---- | C] () -- C:\WINDOWS\win.ini
[2003/07/07 14:12:56 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini
[2003/07/07 07:19:27 | 00,466,944 | ---- | C] () -- C:\WINDOWS\System32\SLLights.dll
[2003/07/07 07:19:27 | 00,151,552 | ---- | C] () -- C:\WINDOWS\System32\amr_cpl.dll
[2003/07/07 07:19:27 | 00,014,976 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\winddx.sys
[2001/08/23 15:00:00 | 00,022,400 | ---- | C] () -- C:\WINDOWS\System32\drivers\SbcpHid.sys
[1995/09/27 01:00:00 | 00,151,040 | ---- | C] () -- C:\WINDOWS\System32\IR32.DLL
[1995/09/27 01:00:00 | 00,107,008 | ---- | C] () -- C:\WINDOWS\System32\TTEMB32.DLL
[1995/09/27 01:00:00 | 00,077,664 | ---- | C] () -- C:\WINDOWS\System32\IR21_R.DLL
[1995/09/27 01:00:00 | 00,068,096 | ---- | C] () -- C:\WINDOWS\System32\MSROUTE.DLL
[1995/09/27 01:00:00 | 00,053,760 | ---- | C] () -- C:\WINDOWS\System32\OPENENU.DLL
[1995/09/27 01:00:00 | 00,006,352 | ---- | C] () -- C:\WINDOWS\System32\VISXUTIL.DLL
[1995/09/27 01:00:00 | 00,002,041 | ---- | C] () -- C:\WINDOWS\MSFNTMAP.INI
[1995/09/27 01:00:00 | 00,000,586 | ---- | C] () -- C:\WINDOWS\MSTXTCNV.INI
[1995/09/27 01:00:00 | 00,000,280 | ---- | C] () -- C:\WINDOWS\TTEMBED.INI
[1995/09/27 01:00:00 | 00,000,000 | ---- | C] () -- C:\WINDOWS\BSHELF95.INI

========== Files - Modified Within 30 Days ==========

[2009/06/07 13:16:01 | 00,000,424 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{CCE3D12B-1D9A-4AB4-BDEC-7DE0A4CEB752}.job
[2009/05/26 15:56:46 | 00,001,604 | ---- | M] () -- C:\DOCUME~1\ALLUSE~1\Desktop\CDBurnerXP.lnk
[2009/05/26 15:49:34 | 00,000,031 | ---- | M] () -- C:\WINDOWS\MCDB.ini
[2009/05/26 15:25:48 | 36,343,1935 | ---- | M] () -- C:\DOCUME~1\Hannah\Desktop\openSUSE-11.1-DVD-x86_64.iso
[2009/05/26 13:47:17 | 00,000,031 | ---- | M] () -- C:\WINDOWS\System32\dvdwincd20.dll
[2009/05/23 21:27:07 | 00,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/05/23 18:50:33 | 00,000,062 | -HS- | M] () -- C:\Documents and Settings\Hannah\Local Settings\desktop.ini
[2009/05/23 18:50:28 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/05/23 18:50:03 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/05/23 18:49:55 | 00,160,344 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/05/23 18:49:54 | 25,957,5808 | -HS- | M] () -- C:\hiberfil.sys
[2009/05/23 18:42:40 | 00,488,068 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/05/23 18:42:40 | 00,432,356 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/05/23 18:42:40 | 00,067,312 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/05/19 21:23:28 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/05/19 10:13:44 | 00,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2009/05/19 09:56:46 | 00,000,077 | -HS- | M] () -- C:\DOCUME~1\Hannah\My Documents\desktop.ini
[2009/05/19 07:14:57 | 00,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2009/05/19 07:14:57 | 00,001,409 | ---- | M] () -- C:\WINDOWS\QTFont.for
[2009/05/19 02:15:37 | 00,250,048 | RHS- | M] () -- C:\ntldr
[2009/05/18 23:31:22 | 00,000,829 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/05/18 23:31:22 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/05/18 23:31:22 | 00,000,211 | RHS- | M] () -- C:\boot.ini
[2009/05/18 21:53:59 | 00,135,496 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/05/18 21:53:58 | 00,136,052 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20090518-215358.backup
[2009/05/18 21:53:58 | 00,135,590 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20090518-215359.backup
[2009/05/18 21:41:48 | 00,135,966 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20090518-215357.backup

========== Alternate Data Streams ==========

@Alternate Data Stream - 2628 bytes -> C:\WINDOWS\System32\OEMLOGO.BMP:#Q30lsldxJoudresxAaaqpcawXc
@Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
< End of report >

#7 sundavis (Malware Response Team)

Posted 07 June 2009 - 02:46 PM

Hi Robynsleo,


Step1
  • Please start OTL on your desktop.
  • Under the Custom Scans/Fixes box at the bottom, copy/paste the contents of the code box below.

    :otl
    PRC - C:\Windows\Explorer.EXE (Microsoft Corporation)
    O2 - BHO: (no name) - {82315A18-6CFB-44a7-BDFD-90E36537C252} - Reg Error: Key error. File not found
    O2 - BHO: () - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - Reg Error: Value error. File not found
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - Reg Error: Key error. File not found
    O3 - HKLM\..\Toolbar: (no name) - Locked - Reg Error: Key error. File not found
    O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - Reg Error: Key error. File not found
    O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Reg Error: Key error. File not found
    O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
    O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - Reg Error: Key error. File not found
    O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Reg Error: Key error. File not found
    O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
    O3 - HKU\S-1-5-21-1672673832-1852121158-1231752081-1007\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Reg Error: Key error. File not found
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB (Reg Error: Key error.)
    O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} http://download.websearch.com/Dnl/T_50038/QDow_AS2.cab (Reg Error: Key error.)
    O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} http://download.websearch.com/Dnl/T_50038/QDow_AS2.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA} http://java.sun.com/products/plugin/1.3.1/...all-131-win.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA} http://java.sun.com/products/plugin/1.3.1/...-131_02-win.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
    O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
    O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Click the Run Fix button at the top.
  • Click OK and let it run unhindered.
  • OTL will ask to reboot the machine. Please OK the prompt.
  • A report will open. Copy and Paste that report in your next reply.
Step2

If you already have Combofix, please delete that copy and download it again as it's being updated regularly.

Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Note: ComboFix has recently been updated to include the option for installing the Recovery Console automatically. You will see the below prompt when you first run ComboFix:


Posted Image


The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware.
It is a simple procedure that will only take a few moments of your time. Once Recovery Console is installed, you should see a blue screen prompt like the one below:


Posted Image

1. Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

2. Click Yes to allow ComboFix to continue scanning for malware.

When done, a log will be produced (or locate it in C:\ComboFix.txt). Please post that log in your next reply.

Do not mouse click on Combofix while it is running. That may cause it to stall.



In your next reply, please post back:


1. OTL log
2. ComboFix log

Tell me how your pc is running now.

Edited by sundavis, 07 June 2009 - 08:30 PM.


#8 Robynsleo (Topic Starter)

Posted 08 June 2009 - 02:20 PM

I can't tell a difference in it. I am still unable to even open the bleepingcomputer website on it.
Here's the logs you requested.

========== OTL ==========
Process Explorer.EXE killed successfully!
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{82315A18-6CFB-44a7-BDFD-90E36537C252}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{82315A18-6CFB-44a7-BDFD-90E36537C252}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8DA5457F-A8AA-4CCF-A842-70E6FD274094}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8DA5457F-A8AA-4CCF-A842-70E6FD274094}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\ not found.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\ not found.
Registry value HKEY_USERS\S-1-5-21-1672673832-1852121158-1231752081-1007\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
Starting removal of ActiveX control {33564D57-0000-0010-8000-00AA00389B71}
C:\WINDOWS\Downloaded Program Files\WMV9VCM.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{33564D57-0000-0010-8000-00AA00389B71}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{33564D57-0000-0010-8000-00AA00389B71}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{33564D57-0000-0010-8000-00AA00389B71}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{33564D57-0000-0010-8000-00AA00389B71}\ not found.
Starting removal of ActiveX control {87067F04-DE4C-4688-BC3C-4FCF39D609E7}
Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{87067F04-DE4C-4688-BC3C-4FCF39D609E7}\DownloadInformation\\INF .
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{87067F04-DE4C-4688-BC3C-4FCF39D609E7}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{87067F04-DE4C-4688-BC3C-4FCF39D609E7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{87067F04-DE4C-4688-BC3C-4FCF39D609E7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{87067F04-DE4C-4688-BC3C-4FCF39D609E7}\ not found.
Starting removal of ActiveX control {87067F04-DE4C-4688-BC3C-4FCF39D609E7}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{87067F04-DE4C-4688-BC3C-4FCF39D609E7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{87067F04-DE4C-4688-BC3C-4FCF39D609E7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{87067F04-DE4C-4688-BC3C-4FCF39D609E7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{87067F04-DE4C-4688-BC3C-4FCF39D609E7}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA}
c:\winnt\Downloaded Program Files\jinstall_1_3_1.inf not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA}
c:\winnt\Downloaded Program Files\jinstall_1_3_1_02.inf not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\ not found.
File Animation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab not found.
Starting removal of ActiveX control DirectAnimation Java Classes
Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\DirectAnimation Java Classes\DownloadInformation\\INF .
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\DirectAnimation Java Classes\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\DirectAnimation Java Classes\ not found.
File oft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab not found.
Starting removal of ActiveX control Microsoft XML Parser for Java
Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Microsoft XML Parser for Java\DownloadInformation\\INF .
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Microsoft XML Parser for Java\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\Microsoft XML Parser for Java\ not found.
========== COMMANDS ==========
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be deleted on reboot.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
Network Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_4c4.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
Temp folders emptied.
Explorer started successfully

OTL by OldTimer - Version 2.1.1.0 log created on 06082009_085226

Files moved on Reboot...
C:\WINDOWS\temp\Perflib_Perfdata_4c4.dat moved successfully.

Registry entries deleted on Reboot...

--------------------------------------------------------------------------------------------------------------------

ComboFix 09-06-07.07 - Hannah 06/08/2009 9:05.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.247.81 [GMT -4:00]
Running from: f:\security\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090526-0] *On-access scanning disabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system\cmd
c:\windows\system32\dvdwincd20.dll
c:\windows\winhelp.ini

.
((((((((((((((((((((((((( Files Created from 2009-05-08 to 2009-06-08 )))))))))))))))))))))))))))))))
.

2009-06-07 17:09 . 2009-06-07 17:11 -------- d-----w- C:\ToolBar SD
2009-06-02 19:55 . 2009-06-02 19:56 -------- d-----w- c:\windows\system32\NtmsData
2009-05-26 19:57 . 2009-05-26 19:57 -------- d-----w- c:\documents and settings\Hannah\Application Data\Canneverbe_Limited
2009-05-26 19:56 . 2009-05-26 19:56 -------- d-----w- c:\program files\CDBurnerXP
2009-05-26 17:47 . 2007-09-29 18:10 45 ----a-w- c:\windows\system32\DVDCD.dll
2009-05-24 01:26 . 2009-05-24 01:26 -------- d-sh--w- c:\documents and settings\Butch\IETldCache
2009-05-23 22:35 . 2009-05-23 22:35 -------- d-----w- c:\windows\system32\XPSViewer
2009-05-23 22:35 . 2009-05-23 22:35 -------- d-----w- c:\program files\MSBuild
2009-05-23 22:35 . 2009-05-23 22:35 -------- d-----w- c:\program files\Reference Assemblies
2009-05-23 22:34 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-05-23 22:34 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-05-23 22:34 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-05-23 22:34 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-05-23 22:34 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-05-23 22:34 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-05-23 22:34 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-05-23 22:34 . 2009-05-23 22:35 -------- d-----w- C:\d754fd0add41514d62ea7172e7ee5647
2009-05-19 14:13 . 2009-02-05 20:06 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-05-19 14:13 . 2009-02-05 20:06 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-05-19 14:13 . 2009-02-05 20:05 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-05-19 14:13 . 2009-02-05 20:04 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-05-19 14:13 . 2009-02-05 20:07 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-05-19 14:13 . 2009-02-05 20:07 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-05-19 14:13 . 2009-02-05 20:08 93296 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-05-19 14:13 . 2009-02-05 20:08 94032 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-05-19 14:13 . 2009-02-05 20:11 1256296 ----a-w- c:\windows\system32\aswBoot.exe
2009-05-19 14:13 . 2003-03-18 20:20 1060864 ----a-w- c:\windows\system32\MFC71.dll
2009-05-19 14:13 . 2009-05-19 14:13 -------- d-----w- c:\program files\Alwil Software
2009-05-19 13:59 . 2009-05-19 13:59 -------- d-sh--w- c:\documents and settings\Hannah\IECompatCache
2009-05-19 13:58 . 2009-05-19 13:58 -------- d-sh--w- c:\documents and settings\Hannah\PrivacIE
2009-05-19 13:56 . 2009-05-19 13:56 -------- d-sh--w- c:\documents and settings\Hannah\IETldCache
2009-05-19 13:53 . 2009-05-19 13:53 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-05-19 13:41 . 2009-05-19 13:41 -------- d-----w- c:\windows\ie8updates
2009-05-19 13:37 . 2009-05-19 13:40 -------- dc-h--w- c:\windows\ie8
2009-05-19 13:34 . 2009-04-25 05:30 102400 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-05-19 12:54 . 2009-05-19 13:07 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-05-19 06:21 . 2009-05-19 06:21 -------- d-----w- c:\windows\system32\scripting
2009-05-19 06:21 . 2009-05-19 06:21 -------- d-----w- c:\windows\l2schemas
2009-05-19 06:21 . 2009-05-19 06:21 -------- d-----w- c:\windows\system32\en
2009-05-19 05:46 . 2009-05-19 13:20 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-19 05:45 . 2009-05-19 13:18 152576 ----a-w- c:\documents and settings\Hannah\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-05-19 05:40 . 2009-05-19 05:40 -------- d-----w- c:\program files\ToniArts
2009-05-19 02:56 . 2009-05-19 02:56 -------- d-----w- c:\documents and settings\Hannah\Application Data\Malwarebytes
2009-05-19 02:56 . 2009-04-06 19:32 15504 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-19 02:56 . 2009-04-06 19:32 38496 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-19 02:56 . 2009-05-19 02:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-05-19 02:56 . 2009-05-19 02:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-19 01:32 . 2009-05-19 01:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Avg7

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-01 23:44 . 2003-07-08 08:22 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-05-26 19:57 . 2004-10-24 22:14 36584 ----a-w- c:\documents and settings\Hannah\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-19 13:20 . 2005-11-14 00:28 -------- d-----w- c:\program files\Java
2009-05-19 12:54 . 2004-06-12 19:28 -------- d-----w- c:\program files\SpywareBlaster
2009-05-19 06:25 . 2003-07-07 18:24 76487 ----a-w- c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat
2009-05-19 05:40 . 2003-07-08 07:50 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-19 03:19 . 2005-01-03 20:08 -------- d-----w- c:\program files\Yahoo!
2009-05-19 01:49 . 2005-11-17 23:55 -------- d-----w- c:\program files\Google
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-21 155648]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [5/19/2009 10:13 AM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [5/19/2009 10:13 AM 20560]
R2 WUSB54Gv42SVC;WUSB54Gv42SVC;c:\program files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe [12/30/2006 5:45 PM 53307]
S3 SQTECH913D;913D Camera;c:\windows\system32\drivers\Capt913D.sys [12/26/2007 9:11 PM 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-06-08 c:\windows\Tasks\User_Feed_Synchronization-{CCE3D12B-1D9A-4AB4-BDEC-7DE0A4CEB752}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bleepingcomputer.com/
uInternet Connection Wizard,ShellNext = iexplore
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-08 09:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-06-08 9:20
ComboFix-quarantined-files.txt 2009-06-08 13:20

Pre-Run: 10,754,453,504 bytes free
Post-Run: 10,741,592,064 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

129 --- E O F --- 2009-05-24 23:01

#9 sundavis (Malware Response Team)

Posted 08 June 2009 - 07:34 PM

Hi Robynsleo,


Step1

Please close all browsers and other windows while running GooredFix.
  • Please download GooredFix and save it to your Desktop.
  • Double-click Goored.exe to run it. Select 1. Find Goored (no fix) by typing 1 and pressing Enter.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt).
Note: Do not run Option #2 yet.


Step2
  • Close any open browsers
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Go to Here for your reference.
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text inside the code box below:
File::
C:\WINDOWS\System32\drivers\etc\hosts
C:\WINDOWS\System32\drivers\etc\hosts.20090518-215358.backup
C:\WINDOWS\System32\drivers\etc\hosts.20090518-215359.backup
C:\WINDOWS\System32\drivers\etc\hosts.20090518-215357.backup

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000

DDS::
uInternet Connection Wizard,ShellNext = iexplore


Save this as CFScript.txt, change the "Save as type" to "All Files", and place it on your desktop.

Posted Image

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



Step 3

Please download HostsXpert from Here
  • Extract (unzip) HostsXpert.zip to a permanent folder on your hard drive such as C:\HostsXpert
  • Double-click HostsXpert.exe to run the program.
  • If the Hosts file does not exist, you will be prompted to create a new one. Just press "Ok". Exit the HostsXpert.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

In your next reply, please post back:


1. GooredFix log
2. ComboFix log
3. New OTL log

Tell me how things are going now.
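The symptom in this thread (security sites "cannot be displayed" while everything else loads) is the classic hosts-file hijack that Step 2 removes and Step 3 replaces with a clean file. The script below is an added example from the editor, not part of sundavis's post and not code from ComboFix, HostsXpert or GooredFix: it parses a Windows hosts file and reports every security-vendor name that has been blackholed to loopback or redirected to a foreign address, plus a `localhost` entry that no longer resolves to loopback and any malformed line. The vendor list (beyond the sites named in the thread) and the sample hosts contents are constructed for the demonstration.

```python
"""Audit a Windows hosts file for entries that hijack security-vendor domains.

Added example, not from the thread or from any tool it mentions. The vendor
list and the sample hosts contents are constructed; extend the list for your
own environment (e.g. your AV vendor and update servers).
"""
import ipaddress
from typing import Dict, List

# Names a defender never expects to see overridden in a hosts file.
# bleepingcomputer.com, f-secure.com and kaspersky.com come from the thread;
# the remaining entries are assumed for the example.
SECURITY_DOMAINS = (
    "bleepingcomputer.com",
    "f-secure.com",
    "kaspersky.com",
    "malwarebytes.org",
    "gmer.net",
    "avast.com",
    "microsoft.com",
)

# Addresses to which a name is pointed when it is being "blackholed".
LOOPBACK_OR_NULL = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text: str) -> List[Dict[str, object]]:
    """Return one record per address/hostname pair, ignoring comments and blanks."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments, including trailing ones
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            # First token is not an IP address: record it so nothing is silently skipped.
            records.append({"line": lineno, "address": None, "host": None,
                            "raw": raw, "malformed": True})
            continue
        # One address may be followed by several hostnames on the same line.
        for host in parts[1:]:
            records.append({"line": lineno, "address": str(addr), "host": host.lower(),
                            "raw": raw, "malformed": False})
    return records


def _matches_vendor(host: str) -> bool:
    """True if host is a listed vendor domain or any subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in SECURITY_DOMAINS)


def audit_hosts(text: str) -> List[str]:
    """Return human-readable findings for suspicious hosts-file entries.

    Flags (1) any security-vendor name, whether blackholed to loopback (the
    'cannot display the webpage' symptom) or redirected to a foreign address,
    (2) 'localhost' not resolving to a loopback address, and (3) malformed lines.
    """
    findings = []
    for rec in parse_hosts(text):
        if rec["malformed"]:
            findings.append(f"line {rec['line']}: malformed entry {rec['raw']!r}")
            continue
        host, addr = rec["host"], rec["address"]
        if host == "localhost" and not ipaddress.ip_address(addr).is_loopback:
            findings.append(f"line {rec['line']}: localhost mapped to {addr}")
        elif _matches_vendor(host):
            kind = "blackholed" if addr in LOOPBACK_OR_NULL else f"redirected to {addr}"
            findings.append(f"line {rec['line']}: security domain {host} {kind}")
    return findings


# Constructed sample: the default entry plus the kind of hijack the thread describes.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.bleepingcomputer.com bleepingcomputer.com
127.0.0.1       www.f-secure.com
198.51.100.7    www.kaspersky.com
not-an-address  example.net
"""

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```

Run it against the real file with `audit_hosts(open(r"C:\WINDOWS\System32\drivers\etc\hosts").read())`; a clean XP hosts file yields no findings, while the sample above reports four hijacked vendor names and one malformed line. Blackholing and redirection are reported separately on purpose: the first only blocks the victim from getting help, the second may hand the browser to a server the attacker controls, which is the more urgent finding.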

#10 Robynsleo

Robynsleo
  • Topic Starter

  • Members
  • 15 posts

Posted 09 June 2009 - 08:12 AM

Woot!! For the first time, I can now go to bleepingcomputer without a "not connected" message. So was a BHO the culprit?

Logs you requested:

GooredFix v1.92 by jpshortstuff
Log created at 08:24 on 09/06/2009 running Option #1 (Hannah)
Firefox version [Unable to determine]

=====Suspect Goored Entries=====

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"

------------------------------------------------------------------------------------------

ComboFix 09-06-07.07 - Hannah 06/09/2009 8:28.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.247.86 [GMT -4:00]
Running from: f:\security\ComboFix.exe
Command switches used :: c:\documents and settings\Hannah\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090607-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FILE ::
"c:\windows\System32\drivers\etc\hosts"
"c:\windows\System32\drivers\etc\hosts.20090518-215357.backup"
"c:\windows\System32\drivers\etc\hosts.20090518-215358.backup"
"c:\windows\System32\drivers\etc\hosts.20090518-215359.backup"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\System32\drivers\etc\hosts
c:\windows\System32\drivers\etc\hosts.20090518-215357.backup
c:\windows\System32\drivers\etc\hosts.20090518-215358.backup
c:\windows\System32\drivers\etc\hosts.20090518-215359.backup

.
((((((((((((((((((((((((( Files Created from 2009-05-09 to 2009-06-09 )))))))))))))))))))))))))))))))
.

2009-06-07 17:09 . 2009-06-07 17:11 -------- d-----w- C:\ToolBar SD
2009-06-02 19:55 . 2009-06-02 19:56 -------- d-----w- c:\windows\system32\NtmsData
2009-05-26 19:57 . 2009-05-26 19:57 -------- d-----w- c:\documents and settings\Hannah\Application Data\Canneverbe_Limited
2009-05-26 19:56 . 2009-05-26 19:56 -------- d-----w- c:\program files\CDBurnerXP
2009-05-26 17:47 . 2007-09-29 18:10 45 ----a-w- c:\windows\system32\DVDCD.dll
2009-05-24 01:26 . 2009-05-24 01:26 -------- d-sh--w- c:\documents and settings\Butch\IETldCache
2009-05-23 22:35 . 2009-05-23 22:35 -------- d-----w- c:\windows\system32\XPSViewer
2009-05-23 22:35 . 2009-05-23 22:35 -------- d-----w- c:\program files\MSBuild
2009-05-23 22:35 . 2009-05-23 22:35 -------- d-----w- c:\program files\Reference Assemblies
2009-05-23 22:34 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-05-23 22:34 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-05-23 22:34 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-05-23 22:34 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-05-23 22:34 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-05-23 22:34 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-05-23 22:34 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-05-23 22:34 . 2009-05-23 22:35 -------- d-----w- C:\d754fd0add41514d62ea7172e7ee5647
2009-05-19 14:13 . 2009-02-05 20:06 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-05-19 14:13 . 2009-02-05 20:06 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-05-19 14:13 . 2009-02-05 20:05 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-05-19 14:13 . 2009-02-05 20:04 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-05-19 14:13 . 2009-02-05 20:07 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-05-19 14:13 . 2009-02-05 20:07 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-05-19 14:13 . 2009-02-05 20:08 93296 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-05-19 14:13 . 2009-02-05 20:08 94032 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-05-19 14:13 . 2009-02-05 20:11 1256296 ----a-w- c:\windows\system32\aswBoot.exe
2009-05-19 14:13 . 2003-03-18 20:20 1060864 ----a-w- c:\windows\system32\MFC71.dll
2009-05-19 14:13 . 2009-05-19 14:13 -------- d-----w- c:\program files\Alwil Software
2009-05-19 13:59 . 2009-05-19 13:59 -------- d-sh--w- c:\documents and settings\Hannah\IECompatCache
2009-05-19 13:58 . 2009-05-19 13:58 -------- d-sh--w- c:\documents and settings\Hannah\PrivacIE
2009-05-19 13:56 . 2009-05-19 13:56 -------- d-sh--w- c:\documents and settings\Hannah\IETldCache
2009-05-19 13:53 . 2009-05-19 13:53 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-05-19 13:41 . 2009-05-19 13:41 -------- d-----w- c:\windows\ie8updates
2009-05-19 13:37 . 2009-05-19 13:40 -------- dc-h--w- c:\windows\ie8
2009-05-19 13:34 . 2009-04-25 05:30 102400 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-05-19 12:54 . 2009-05-19 13:07 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-05-19 06:21 . 2009-05-19 06:21 -------- d-----w- c:\windows\system32\scripting
2009-05-19 06:21 . 2009-05-19 06:21 -------- d-----w- c:\windows\l2schemas
2009-05-19 06:21 . 2009-05-19 06:21 -------- d-----w- c:\windows\system32\en
2009-05-19 05:46 . 2009-05-19 13:20 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-19 05:45 . 2009-05-19 13:18 152576 ----a-w- c:\documents and settings\Hannah\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-05-19 05:40 . 2009-05-19 05:40 -------- d-----w- c:\program files\ToniArts
2009-05-19 02:56 . 2009-05-19 02:56 -------- d-----w- c:\documents and settings\Hannah\Application Data\Malwarebytes
2009-05-19 02:56 . 2009-04-06 19:32 15504 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-19 02:56 . 2009-04-06 19:32 38496 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-19 02:56 . 2009-05-19 02:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-05-19 02:56 . 2009-05-19 02:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-19 01:32 . 2009-05-19 01:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Avg7

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-01 23:44 . 2003-07-08 08:22 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-05-26 19:57 . 2004-10-24 22:14 36584 ----a-w- c:\documents and settings\Hannah\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-19 13:20 . 2005-11-14 00:28 -------- d-----w- c:\program files\Java
2009-05-19 12:54 . 2004-06-12 19:28 -------- d-----w- c:\program files\SpywareBlaster
2009-05-19 06:25 . 2003-07-07 18:24 76487 ----a-w- c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat
2009-05-19 05:40 . 2003-07-08 07:50 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-19 03:19 . 2005-01-03 20:08 -------- d-----w- c:\program files\Yahoo!
2009-05-19 01:49 . 2005-11-17 23:55 -------- d-----w- c:\program files\Google
.

((((((((((((((((((((((((((((( SnapShot@2009-06-08_13.13.47 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-08 13:27 . 2009-06-08 13:27 16384 c:\windows\temp\Perflib_Perfdata_4b4.dat
+ 2009-06-08 13:27 . 2009-06-08 13:27 16384 c:\windows\temp\Perflib_Perfdata_394.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-21 155648]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [5/19/2009 10:13 AM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [5/19/2009 10:13 AM 20560]
S3 SQTECH913D;913D Camera;c:\windows\system32\drivers\Capt913D.sys [12/26/2007 9:11 PM 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-06-09 c:\windows\Tasks\User_Feed_Synchronization-{CCE3D12B-1D9A-4AB4-BDEC-7DE0A4CEB752}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bleepingcomputer.com/
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-09 08:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-06-09 8:43
ComboFix-quarantined-files.txt 2009-06-09 12:43
ComboFix2.txt 2009-06-08 13:20

Pre-Run: 10,796,998,656 bytes free
Post-Run: 10,783,981,568 bytes free

129 --- E O F --- 2009-05-24 23:01

---------------------------------------------------------------------------------------------------------------

OTL logfile created on: 6/9/2009 9:01:54 AM - Run 2
OTL by OldTimer - Version 2.1.1.0 Folder = F:\security
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

247.48 Mb Total Physical Memory | 124.73 Mb Available Physical Memory | 50.40% Memory free
606.64 Mb Paging File | 349.32 Mb Available in Paging File | 57.58% Paging File free
Paging file location(s): C:\pagefile.sys 372 744 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 10.06 Gb Free Space | 13.49% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 976.13 Mb Total Space | 932.97 Mb Free Space | 95.58% Space Free | Partition Type: FAT
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: WILDCAT
Current User Name: Hannah
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Standard
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - [2009/02/05 16:01:25 | 00,018,752 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
PRC - [2009/02/05 16:08:40 | 00,138,680 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe
PRC - [2008/04/13 20:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2009/05/19 09:20:39 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2008/10/20 22:18:26 | 00,071,096 | ---- | M] () -- C:\Program Files\CDBurnerXP\NMSAccessU.exe
PRC - [2003/01/17 05:02:00 | 00,045,056 | ---- | M] ( ) -- C:\WINDOWS\system32\slserv.exe
PRC - [2002/11/06 16:49:38 | 00,065,536 | ---- | M] (America Online, Inc.) -- C:\WINDOWS\wanmpsvc.exe
PRC - [2005/07/04 17:46:04 | 00,053,307 | ---- | M] (GEMTEKS) -- C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
PRC - [2005/11/16 23:19:00 | 05,264,384 | ---- | M] (Linksys) -- C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
PRC - [2009/02/05 16:08:26 | 00,254,040 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
PRC - [2009/02/05 16:06:04 | 00,352,920 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
PRC - [2005/06/21 16:48:18 | 00,155,648 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxtray.exe
PRC - [2009/02/05 16:08:45 | 00,081,000 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashDisp.exe
PRC - [2009/06/07 12:10:42 | 00,501,760 | ---- | M] (OldTimer Tools) -- F:\security\OTL.exe

========== Win32 Services (SafeList) ==========

SRV - [2008/07/25 11:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2009/02/05 16:01:25 | 00,018,752 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe -- (aswUpdSv [Auto | Running])
SRV - [2009/02/05 16:08:40 | 00,138,680 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe -- (avast! Antivirus [Auto | Running])
SRV - [2009/02/05 16:08:26 | 00,254,040 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe -- (avast! Mail Scanner [On_Demand | Running])
SRV - [2009/02/05 16:06:04 | 00,352,920 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe -- (avast! Web Scanner [On_Demand | Running])
SRV - [2008/07/25 11:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2008/07/29 21:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
SRV - [2008/04/13 20:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2008/07/29 19:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
SRV - [2009/05/19 09:20:39 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Auto | Running])
SRV - [2008/07/29 19:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
SRV - [2008/10/20 22:18:26 | 00,071,096 | ---- | M] () -- C:\Program Files\CDBurnerXP\NMSAccessU.exe -- (NMSAccessU [Auto | Running])
SRV - [2003/01/17 05:02:00 | 00,045,056 | ---- | M] ( ) -- C:\WINDOWS\system32\slserv.exe -- (SLService [Auto | Running])
SRV - [2002/11/06 16:49:38 | 00,065,536 | ---- | M] (America Online, Inc.) -- C:\WINDOWS\wanmpsvc.exe -- (WANMiniportService [Auto | Running])
SRV - [2006/10/18 21:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])
SRV - [2005/07/04 17:46:04 | 00,053,307 | ---- | M] (GEMTEKS) -- C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe -- (WUSB54Gv42SVC [Auto | Running])

========== Driver Services (SafeList) ==========

DRV - [2009/02/05 16:05:11 | 00,026,944 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4 [System | Running])
DRV - [2006/12/30 17:45:24 | 00,020,747 | ---- | M] (Meetinghouse Data Communications) -- C:\WINDOWS\system32\DRIVERS\AegisP.sys -- (AegisP [Auto | Running])
DRV - [2003/04/01 20:51:30 | 00,719,052 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM [On_Demand | Running])
DRV - [2009/02/05 16:07:12 | 00,020,560 | ---- | M] (ALWIL Software) -- C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys -- (aswFsBlk [Auto | Running])
DRV - [2009/02/05 16:08:10 | 00,094,032 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2 [Auto | Running])
DRV - [2009/02/05 16:06:10 | 00,023,152 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr [On_Demand | Running])
DRV - [2009/02/05 16:07:23 | 00,114,768 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP [System | Running])
DRV - [2009/02/05 16:06:20 | 00,051,376 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi [System | Running])
DRV - [2005/02/01 19:18:38 | 00,017,992 | ---- | M] (Broadcom Corporation) -- C:\WINDOWS\System32\BCM42RLY.SYS -- (BCM42RLY [On_Demand | Stopped])
DRV - [2006/12/30 18:05:44 | 00,044,288 | ---- | M] (Roxio) -- C:\WINDOWS\System32\drivers\cdr4_xp.sys -- (Cdr4_xp [System | Running])
DRV - [2002/12/17 15:32:46 | 00,023,436 | ---- | M] (Roxio) -- C:\WINDOWS\System32\drivers\cdralw2k.sys -- (Cdralw2k [System | Running])
DRV - [2002/12/17 15:27:32 | 00,241,152 | ---- | M] (Roxio) -- C:\WINDOWS\System32\drivers\cdudf_xp.sys -- (cdudf_xp [System | Running])
DRV - [2002/12/17 15:29:46 | 00,025,930 | ---- | M] (Roxio) -- C:\WINDOWS\System32\drivers\Dvd_2k.sys -- (dvd_2K [On_Demand | Running])
DRV - [2005/06/21 17:12:34 | 00,807,998 | ---- | M] (Intel Corporation) -- C:\WINDOWS\System32\DRIVERS\ialmnt5.sys -- (ialm [On_Demand | Running])
DRV - [2002/12/17 15:29:44 | 00,030,630 | ---- | M] (Roxio) -- C:\WINDOWS\System32\drivers\Mmc_2k.sys -- (mmc_2K [On_Demand | Stopped])
DRV - [2001/08/17 09:57:38 | 00,016,128 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\MODEMCSA.sys -- (MODEMCSA [On_Demand | Running])
DRV - [2003/02/16 19:08:00 | 00,210,128 | ---- | M] ( ) -- C:\WINDOWS\System32\DRIVERS\Mtlmnt5.sys -- (Mtlmnt5 [On_Demand | Running])
DRV - [2003/02/16 20:33:00 | 01,293,192 | ---- | M] ( ) -- C:\WINDOWS\System32\DRIVERS\Mtlstrm.sys -- (Mtlstrm [On_Demand | Stopped])
DRV - [2003/02/05 20:25:00 | 00,162,136 | ---- | M] ( ) -- C:\WINDOWS\System32\DRIVERS\NtMtlFax.sys -- (NtMtlFax [On_Demand | Stopped])
DRV - [2002/08/29 08:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2002/12/17 15:29:42 | 00,139,674 | ---- | M] (Roxio) -- C:\WINDOWS\System32\drivers\pwd_2K.sys -- (pwd_2k [System | Running])
DRV - [2004/08/04 01:41:39 | 00,013,776 | ---- | M] (Smart Link) -- C:\WINDOWS\System32\DRIVERS\RecAgent.sys -- (RecAgent [On_Demand | Stopped])
DRV - [2002/10/04 13:04:10 | 00,046,976 | ---- | M] (Realtek Semiconductor Corporation ) -- C:\WINDOWS\System32\DRIVERS\R8139n51.SYS -- (rtl8139 [On_Demand | Running])
DRV - [2001/08/23 15:00:00 | 00,022,400 | ---- | M] () -- C:\WINDOWS\system32\Drivers\SbcpHid.sys -- (SbcpHid [System | Running])
DRV - [2007/11/13 06:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys -- (Secdrv [Auto | Running])
DRV - [2003/02/16 19:11:00 | 00,516,616 | ---- | M] ( ) -- C:\WINDOWS\System32\DRIVERS\slntamr.sys -- (Slntamr [On_Demand | Running])
DRV - [2003/02/16 19:12:00 | 00,085,520 | ---- | M] ( ) -- C:\WINDOWS\System32\DRIVERS\Slnthal.sys -- (SlNtHal [On_Demand | Stopped])
DRV - [2003/01/17 04:19:00 | 00,039,348 | ---- | M] (Vireo Software) -- C:\WINDOWS\System32\DRIVERS\SlWdmSup.sys -- (SlWdmSup [On_Demand | Running])
DRV - [2007/06/21 10:45:08 | 00,029,696 | ---- | M] (Service & Quality Technology.) -- C:\WINDOWS\System32\Drivers\Capt913D.sys -- (SQTECH913D [On_Demand | Stopped])
DRV - [2002/12/17 15:27:58 | 00,206,464 | ---- | M] (Roxio) -- C:\WINDOWS\System32\drivers\udfreadr_xp.sys -- (UdfReadr_xp [System | Running])
DRV - [2002/11/06 16:47:48 | 00,033,588 | ---- | M] (America Online, Inc.) -- C:\WINDOWS\system32\DRIVERS\wanatw4.sys -- (wanatw [On_Demand | Running])
DRV - [2005/10/17 20:50:06 | 00,245,376 | ---- | M] (Ralink Technology Inc.) -- C:\WINDOWS\system32\DRIVERS\rt2500usb.sys -- (WUSB54GPV4SRV [On_Demand | Stopped])
DRV - [2003/04/15 13:40:54 | 00,113,504 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\ialmsbw.sys -- ({6080A529-897E-4629-A488-ABA0C29B635E} [On_Demand | Stopped])
DRV - [2003/04/15 13:40:46 | 00,078,752 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\ialmkchw.sys -- ({D31A0762-0CEB-444e-ACFF-B049A1F6FE91} [On_Demand | Stopped])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.bleepingcomputer.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 1A 90 37 D1 FA DB C9 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\CompuServe 7.0\Extensions\\:
FF - HKLM\software\mozilla\CompuServe 7.0\Extensions\\Components: C:\PROGRAM FILES\COMMON FILES\CSSHARE\PLUGINS0942 [2009/06/07 12:07:59 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\CompuServe 7.0\Extensions\\Plugins: C:\PROGRAM FILES\COMMON FILES\CSSHARE\PLUGINS0942 [2009/06/07 12:07:59 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\jqs@sun.com: C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF [2009/05/19 09:20:39 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\WINDOWS PRESENTATION FOUNDATION\DOTNETASSISTANTEXTENSION\ [2009/05/23 18:37:46 | 00,000,000 | ---D | M]


O1 HOSTS File: (698 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx ()
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll (Microsoft Corporation)
O2 - BHO: () - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe (ALWIL Software)
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe File not found
O9 - Extra 'Tools' menuitem : ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe File not found
O9 - Extra Button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O15 - HKCU\..Trusted Domains: ([]msn in My Computer)
O15 - HKCU\..Trusted Domains: 26 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} http://www.activation.rr.com/install/download/tgctlcm.cab (Support.com Configuration Class)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} http://www.nick.com/common/groove/gx/GrooveAX27.cab (Groove Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} http://download.toontown.com/sv1.0.13.16/ttinst.cab (Toontown Installer ActiveX Control)
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_09)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\system32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2003/07/07 14:26:00 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - * [2009/05/23 10:30:54 | 00,000,000 | ---D | M]

========== Files/Folders - Created Within 30 Days ==========

[2009/06/09 08:53:55 | 00,000,000 | ---D | C] -- C:\HostsXpert
[2009/06/09 08:44:00 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Hannah\Local Settings\temp
[2009/06/09 08:26:55 | 00,000,364 | ---- | C] () -- C:\Documents and Settings\Hannah\Desktop\Shortcut to ComboFix.exe.lnk
[2009/06/09 08:24:06 | 00,094,208 | ---- | C] () -- C:\Documents and Settings\Hannah\Desktop\GooredFix.exe
[2009/06/08 09:01:58 | 00,000,211 | ---- | C] () -- C:\Boot.bak
[2009/06/08 09:01:50 | 00,260,272 | ---- | C] () -- C:\cmldr
[2009/06/08 09:01:38 | 00,000,000 | RHSD | C] -- C:\cmdcons
[2009/06/08 08:59:05 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2009/06/08 08:59:05 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2009/06/08 08:59:05 | 00,155,136 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2009/06/08 08:59:05 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2009/06/08 08:59:05 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2009/06/08 08:59:05 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2009/06/08 08:59:05 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2009/06/08 08:59:05 | 00,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2009/06/08 08:58:58 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/06/08 08:58:21 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/06/07 13:09:33 | 00,000,000 | ---D | C] -- C:\ToolBar SD
[2009/06/02 15:55:28 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\NtmsData
[2009/06/01 19:53:35 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Hannah\Local Settings\Apps
[2009/05/26 15:57:27 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Hannah\Application Data\Canneverbe_Limited
[2009/05/26 15:57:26 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Hannah\My Documents\CDBurnerXP Projects
[2009/05/26 15:56:45 | 00,001,604 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\CDBurnerXP.lnk
[2009/05/26 15:56:43 | 00,000,000 | ---D | C] -- C:\Program Files\CDBurnerXP
[2009/05/26 15:14:27 | 36,343,1935 | ---- | C] () -- C:\Documents and Settings\Hannah\Desktop\openSUSE-11.1-DVD-x86_64.iso
[2009/05/26 13:47:30 | 00,000,031 | ---- | C] () -- C:\WINDOWS\MCDB.ini
[2009/05/26 13:47:05 | 00,000,045 | ---- | C] () -- C:\WINDOWS\System32\DVDCD.dll
[2009/05/24 11:14:32 | 01,089,593 | ---- | C] () -- C:\WINDOWS\System32\dllcache\ntprint.cat
[2009/05/23 18:35:49 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\XPSViewer
[2009/05/23 18:35:42 | 00,000,000 | ---D | C] -- C:\Program Files\MSBuild
[2009/05/23 18:35:29 | 00,000,000 | ---D | C] -- C:\Program Files\Reference Assemblies
[2009/05/23 18:34:02 | 01,676,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xpssvcs.dll
[2009/05/23 18:34:02 | 01,676,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\xpssvcs.dll
[2009/05/23 18:34:02 | 00,597,504 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\printfilterpipelinesvc.exe
[2009/05/23 18:34:02 | 00,575,488 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xpsshhdr.dll
[2009/05/23 18:34:02 | 00,575,488 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\xpsshhdr.dll
[2009/05/23 18:34:02 | 00,117,760 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\prntvpt.dll
[2009/05/23 18:34:02 | 00,089,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\filterpipelineprintproc.dll
[2009/05/23 18:34:00 | 00,000,000 | ---D | C] -- C:\d754fd0add41514d62ea7172e7ee5647
[2009/05/19 10:13:51 | 00,023,152 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2009/05/19 10:13:50 | 00,051,376 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2009/05/19 10:13:49 | 00,026,944 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2009/05/19 10:13:46 | 00,097,480 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\AvastSS.scr
[2009/05/19 10:13:44 | 00,114,768 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2009/05/19 10:13:44 | 00,020,560 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2009/05/19 10:13:43 | 00,094,032 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2009/05/19 10:13:43 | 00,093,296 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2009/05/19 10:13:26 | 01,256,296 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\aswBoot.exe
[2009/05/19 10:13:26 | 01,060,864 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MFC71.dll
[2009/05/19 10:13:26 | 00,380,928 | ---- | C] () -- C:\WINDOWS\System32\actskin4.ocx
[2009/05/19 10:13:23 | 00,000,000 | ---D | C] -- C:\Program Files\Alwil Software
[2009/05/19 09:59:39 | 00,000,424 | -H-- | C] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{CCE3D12B-1D9A-4AB4-BDEC-7DE0A4CEB752}.job
[2009/05/19 09:41:44 | 00,000,000 | ---D | C] -- C:\WINDOWS\ie8updates
[2009/05/19 09:37:21 | 00,000,000 | -H-D | C] -- C:\WINDOWS\ie8
[2009/05/19 09:34:49 | 00,102,400 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iecompat.dll
[2009/05/19 08:54:02 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009/05/19 02:36:00 | 00,000,000 | ---D | C] -- C:\WINDOWS\Prefetch
[2009/05/19 02:21:50 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\scripting
[2009/05/19 02:21:47 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\en
[2009/05/19 02:21:47 | 00,000,000 | ---D | C] -- C:\WINDOWS\l2schemas
[2009/05/19 01:40:35 | 00,000,000 | ---D | C] -- C:\Program Files\ToniArts
[2009/05/18 23:30:33 | 00,000,000 | ---D | C] -- C:\WINDOWS\pss
[2009/05/18 23:16:37 | 25,957,5808 | -HS- | C] () -- C:\hiberfil.sys
[2009/05/18 22:56:24 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Hannah\Application Data\Malwarebytes
[2009/05/18 22:56:21 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/05/18 22:56:18 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/05/18 22:56:17 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/05/18 22:56:17 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/05/18 21:32:39 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Avg7
[2007/12/26 21:19:26 | 00,000,000 | ---- | C] () -- C:\WINDOWS\PTWebCam.INI
[2007/03/07 14:30:02 | 00,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI
[2006/12/30 17:45:21 | 00,094,208 | ---- | C] () -- C:\WINDOWS\System32\GTW32N50.dll
[2006/12/30 17:45:04 | 00,001,668 | ---- | C] () -- C:\WINDOWS\System32\WLAN.INI
[2006/12/29 21:30:32 | 00,000,068 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2006/04/23 14:46:23 | 00,000,150 | ---- | C] () -- C:\WINDOWS\Disney's Magic Artist.INI
[2005/08/12 17:57:09 | 03,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2005/06/28 14:20:14 | 00,131,072 | ---- | C] () -- C:\WINDOWS\System32\SCCD3X01.DLL
[2005/06/28 14:20:14 | 00,090,112 | ---- | C] ( ) -- C:\WINDOWS\System32\SCCD3X02.DLL
[2005/03/02 18:03:54 | 00,000,147 | ---- | C] () -- C:\WINDOWS\CareBear.ini
[2005/02/24 19:16:10 | 00,000,231 | ---- | C] () -- C:\WINDOWS\POWERPNT.INI
[2005/02/24 19:15:59 | 00,000,064 | ---- | C] () -- C:\WINDOWS\exchng32.ini
[2005/02/24 19:15:59 | 00,000,026 | ---- | C] () -- C:\WINDOWS\datalink.ini
[2005/02/24 19:15:39 | 00,000,032 | ---- | C] () -- C:\WINDOWS\GRAPH5.INI
[2004/12/04 10:03:42 | 00,000,151 | ---- | C] () -- C:\WINDOWS\LMPS.INI
[2004/11/07 09:42:28 | 00,000,169 | ---- | C] () -- C:\WINDOWS\RtlRack.ini
[2004/09/05 16:49:51 | 00,000,045 | ---- | C] () -- C:\WINDOWS\STORYMKR.INI
[2004/08/29 15:32:21 | 00,000,285 | ---- | C] () -- C:\WINDOWS\Clubhouse.ini
[2004/08/23 16:16:34 | 00,000,044 | ---- | C] () -- C:\WINDOWS\SIERRA.INI
[2004/08/23 16:14:00 | 00,003,366 | ---- | C] () -- C:\WINDOWS\disney.ini
[2004/08/12 17:02:54 | 00,000,106 | ---- | C] () -- C:\WINDOWS\DMI.INI
[2004/08/11 19:04:45 | 00,001,331 | ---- | C] () -- C:\WINDOWS\hegames.ini
[2004/08/07 19:02:46 | 00,000,846 | ---- | C] () -- C:\WINDOWS\ka.ini
[2004/07/25 19:17:03 | 00,000,093 | ---- | C] () -- C:\WINDOWS\Busytown.ini
[2004/06/08 01:19:30 | 00,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2003/07/08 05:08:19 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2003/07/08 04:09:19 | 00,000,132 | ---- | C] () -- C:\WINDOWS\winamp.ini
[2003/07/08 04:08:43 | 00,000,310 | ---- | C] () -- C:\WINDOWS\net2fone.ini
[2003/07/08 03:52:51 | 00,000,164 | ---- | C] () -- C:\WINDOWS\avrack.ini
[2003/07/07 14:13:21 | 00,516,616 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\slntamr.sys
[2003/07/07 14:13:21 | 00,085,520 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\slnthal.sys
[2003/07/07 14:13:20 | 01,293,192 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\mtlstrm.sys
[2003/07/07 14:13:20 | 00,210,128 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\mtlmnt5.sys
[2003/07/07 14:13:20 | 00,188,416 | ---- | C] () -- C:\WINDOWS\System32\slextspk.dll
[2003/07/07 14:13:20 | 00,162,136 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\ntmtlfax.sys
[2003/07/07 14:13:20 | 00,159,744 | ---- | C] () -- C:\WINDOWS\System32\SLGen.dll
[2003/07/07 14:13:20 | 00,049,152 | ---- | C] () -- C:\WINDOWS\System32\coinst.dll
[2003/07/07 14:13:14 | 00,001,094 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2003/07/07 14:13:14 | 00,000,466 | ---- | C] () -- C:\WINDOWS\System32\emver.ini
[2003/07/07 14:12:58 | 00,000,829 | ---- | C] () -- C:\WINDOWS\win.ini
[2003/07/07 14:12:56 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini
[2003/07/07 07:19:27 | 00,466,944 | ---- | C] () -- C:\WINDOWS\System32\SLLights.dll
[2003/07/07 07:19:27 | 00,151,552 | ---- | C] () -- C:\WINDOWS\System32\amr_cpl.dll
[2003/07/07 07:19:27 | 00,014,976 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\winddx.sys
[2001/08/23 15:00:00 | 00,022,400 | ---- | C] () -- C:\WINDOWS\System32\drivers\SbcpHid.sys
[1995/09/27 01:00:00 | 00,151,040 | ---- | C] () -- C:\WINDOWS\System32\IR32.DLL
[1995/09/27 01:00:00 | 00,107,008 | ---- | C] () -- C:\WINDOWS\System32\TTEMB32.DLL
[1995/09/27 01:00:00 | 00,077,664 | ---- | C] () -- C:\WINDOWS\System32\IR21_R.DLL
[1995/09/27 01:00:00 | 00,068,096 | ---- | C] () -- C:\WINDOWS\System32\MSROUTE.DLL
[1995/09/27 01:00:00 | 00,053,760 | ---- | C] () -- C:\WINDOWS\System32\OPENENU.DLL
[1995/09/27 01:00:00 | 00,006,352 | ---- | C] () -- C:\WINDOWS\System32\VISXUTIL.DLL
[1995/09/27 01:00:00 | 00,002,041 | ---- | C] () -- C:\WINDOWS\MSFNTMAP.INI
[1995/09/27 01:00:00 | 00,000,586 | ---- | C] () -- C:\WINDOWS\MSTXTCNV.INI
[1995/09/27 01:00:00 | 00,000,280 | ---- | C] () -- C:\WINDOWS\TTEMBED.INI
[1995/09/27 01:00:00 | 00,000,000 | ---- | C] () -- C:\WINDOWS\BSHELF95.INI

========== Files - Modified Within 30 Days ==========

[2009/06/09 08:56:07 | 00,000,698 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\HOSTS
[2009/06/09 08:52:31 | 00,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/06/09 08:50:59 | 00,000,062 | -HS- | M] () -- C:\Documents and Settings\Hannah\Local Settings\desktop.ini
[2009/06/09 08:50:56 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/06/09 08:50:47 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/06/09 08:50:46 | 25,957,5808 | -HS- | M] () -- C:\hiberfil.sys
[2009/06/09 08:37:17 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/06/09 08:26:55 | 00,000,364 | ---- | M] () -- C:\Documents and Settings\Hannah\Desktop\Shortcut to ComboFix.exe.lnk
[2009/06/09 08:18:42 | 00,094,208 | ---- | M] () -- C:\Documents and Settings\Hannah\Desktop\GooredFix.exe
[2009/06/09 07:45:23 | 00,000,424 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{CCE3D12B-1D9A-4AB4-BDEC-7DE0A4CEB752}.job
[2009/06/08 09:01:59 | 00,000,281 | RHS- | M] () -- C:\boot.ini
[2009/06/08 08:10:10 | 00,155,136 | ---- | M] () -- C:\WINDOWS\PEV.exe
[2009/05/26 15:56:46 | 00,001,604 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\CDBurnerXP.lnk
[2009/05/26 15:49:34 | 00,000,031 | ---- | M] () -- C:\WINDOWS\MCDB.ini
[2009/05/26 15:25:48 | 36,343,1935 | ---- | M] () -- C:\Documents and Settings\Hannah\Desktop\openSUSE-11.1-DVD-x86_64.iso
[2009/05/23 18:49:55 | 00,160,344 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/05/23 18:42:40 | 00,488,068 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/05/23 18:42:40 | 00,432,356 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/05/23 18:42:40 | 00,067,312 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/05/19 21:23:28 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/05/19 10:13:44 | 00,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2009/05/19 09:56:46 | 00,000,077 | -HS- | M] () -- C:\Documents and Settings\Hannah\My Documents\desktop.ini
[2009/05/19 07:14:57 | 00,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2009/05/19 07:14:57 | 00,001,409 | ---- | M] () -- C:\WINDOWS\QTFont.for
[2009/05/19 02:15:37 | 00,250,048 | RHS- | M] () -- C:\ntldr
[2009/05/18 23:31:22 | 00,000,829 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/05/18 23:31:22 | 00,000,211 | ---- | M] () -- C:\Boot.bak

========== Alternate Data Streams ==========

@Alternate Data Stream - 2628 bytes -> C:\WINDOWS\System32\OEMLOGO.BMP:#Q30lsldxJoudresxAaaqpcawXc
@Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
< End of report >

#11 sundavis

  • Malware Response Team
  • 2,708 posts

Posted 09 June 2009 - 08:38 AM

Hi Robynsleo,



So was a BHO the culprit?


The Hosts file was replaced by malware, which caused your browser to be redirected so you couldn't access any anti-malware forums to ask for help. Since the culprit is gone, we need to do an online scan for remnants.

Please be patient and do the following.


Step1


Older versions of Java have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove the older Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 14...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any entry with Java Runtime Environment (JRE or J2SE) in the name, such as the following:
    • J2SE Runtime Environment 5.0 Update 3
      J2SE Runtime Environment 5.0 Update 5
      J2SE Runtime Environment 5.0 Update 6
      J2SE Runtime Environment 5.0 Update 9
      Java 2 Runtime Environment Standard Edition v1.3.1
      Java 2 Runtime Environment Standard Edition v1.3.1_02
      Java™ 6 Update 13
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u14-windows-i586-p.exe to install the newest version.

Step2

Let's clean some temp files. Please do the following:

Please download ATF Cleaner by Atribune.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.


If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.


Step3


Please do an online scan with Kaspersky Online Scanner.
  • Please go to Kaspersky Online Scanner and perform an online antivirus scan.
  • Click Accept button on the "Requirements and limitations".
  • When the Java warning "The application's digital signature has been verified. Do you want to run the application?" appears, click the "Run" button.
  • It will download and install the program and update the database.
  • When the database update has finished, click on Settings.
  • Make sure all boxes are checked, then click on the Save button.
  • Click on My Computer under Scan menu. It will start scanning, so be patient and let it run.
  • Once the scan is completed, Click on View Scan Report.
  • You may see a list of infected items over there. Click on Save Report As.
  • Click "Desktop" , Name the file as "KAS", Change the Files of type to Text file (.txt) and Click on Save button.
  • Please post the contents in your next reply.
  • You can refer to this animation
Note for Internet Explorer 7 users: If at any time you have trouble viewing the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset it to 100%.



Please post back the logs in your next reply.


1.KAS Scan Report
2.Fresh HJT log

Tell me how your pc is running now.
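The diagnosis above (a hijacked Hosts file that sinkholes or redirects security-vendor domains, so the browser reports "cannot display the webpage" only for those sites) is something you can check for mechanically rather than by eye. The following is an added example written for this page, not code from the thread or from any of the tools it mentions (HostsXpert, OTL, ComboFix). It parses a constructed Windows XP hosts file embedded inline, separates entries that sinkhole a watched domain to a loopback or unspecified address (the "cannot display" symptom) from entries that redirect it to some other IP (a fake page or attacker host), and reports whether the file is the stock XP default. The WATCHLIST of vendor domains and the sample file contents are assumptions for the example; on a real machine you would read `%SystemRoot%\System32\drivers\etc\hosts` instead of the sample text.

```python
"""Check a Windows HOSTS file for entries that hijack security-vendor domains.

Added example for the hosts-file hijack described in the thread; the domain
watchlist and the sample hosts file below are constructed for illustration.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Domains a hosts-file hijacker typically blocks or redirects. Assumed list;
# extend it with whatever vendors and forums matter to you.
WATCHLIST = (
    "bleepingcomputer.com",
    "f-secure.com",
    "kaspersky.com",
    "malwarebytes.org",
    "avast.com",
    "microsoft.com",
)

# Constructed sample: the stock XP hosts file plus injected mappings.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       www.bleepingcomputer.com
127.0.0.1       bleepingcomputer.com   # sinkholed: "cannot display the webpage"
0.0.0.0         www.f-secure.com
203.0.113.7     kaspersky.com          # redirected to some other host
192.0.2.10      intranet.example       # unrelated entry, not on the watchlist
"""


@dataclass(frozen=True)
class Finding:
    line_no: int
    ip: str
    host: str
    kind: str  # "blocked" (loopback/unspecified sinkhole) or "redirected"


def active_mappings(text: str) -> list[tuple[int, str, list[str]]]:
    """Return (line_no, ip_text, [hostnames]) for every non-comment mapping line."""
    out = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # strip trailing/whole-line comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line, not an address->name mapping
        out.append((line_no, parts[0], [p.lower().rstrip(".") for p in parts[1:]]))
    return out


def is_stock_hosts(text: str) -> bool:
    """True if the only active mapping is '127.0.0.1 localhost' (the XP default)."""
    return active_mappings(text) == [(4, "127.0.0.1", ["localhost"])] or [
        (ip, names) for _, ip, names in active_mappings(text)
    ] == [("127.0.0.1", ["localhost"])]


def check_hosts(text: str, watchlist: tuple[str, ...] = WATCHLIST) -> list[Finding]:
    """Flag watched domains that are sinkholed or redirected by the hosts file."""
    findings: list[Finding] = []
    for line_no, ip_text, names in active_mappings(text):
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            continue  # not an IP literal; ignore rather than guess
        for host in names:
            if host == "localhost":
                continue  # the one mapping a stock file legitimately carries
            if not any(host == d or host.endswith("." + d) for d in watchlist):
                continue
            kind = "blocked" if (ip.is_loopback or ip.is_unspecified) else "redirected"
            findings.append(Finding(line_no, str(ip), host, kind))
    return findings


if __name__ == "__main__":
    print("stock file:", is_stock_hosts(SAMPLE_HOSTS))
    for f in check_hosts(SAMPLE_HOSTS):
        print(f"line {f.line_no}: {f.host} -> {f.ip} ({f.kind})")
```

The distinction between "blocked" and "redirected" matters for triage: a loopback or 0.0.0.0 sinkhole only denies access (the symptom reported in this thread), while a mapping to any other address means the browser was being sent somewhere else, and that destination is worth noting before the file is restored. A stock XP hosts file contains nothing but the localhost line, so anything else the check prints is either an admin's own addition or something to remove.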

#12 Robynsleo

  • Topic Starter
  • Members
  • 15 posts

Posted 09 June 2009 - 03:17 PM

The Kaspersky scan shut down at one point from lack of virtual memory, so I had to make some corrections and then rescan.

Of course I don't know how this computer ran before, but seems sluggish. Might just be all the crap she has on here.


Here's the Kas scan....
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Tuesday, June 9, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Tuesday, June 09, 2009 18:04:41
Records in database: 2331770
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - Critical Areas:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
C:\Documents and Settings\Hannah\Start Menu\Programs\Startup
C:\Program Files
C:\WINDOWS

Scan statistics:
Files scanned: 62488
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 02:31:44

No malware has been detected. The scan area is clean.

The selected area was scanned.
-------------------------------------------------------------------------------

HJT scan coming...


DDS (Ver_09-05-14.01) - NTFSx86
Run by Hannah at 16:22:32.09 on Tue 06/09/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.247.82 [GMT -4:00]

AV: avast! antivirus 4.8.1335 [VPS 090608-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
C:\WINDOWS\system32\igfxtray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Hannah\Local Settings\Temporary Internet Files\Content.IE5\T01TSQ2T\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.bleepingcomputer.com/
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
BHO: {243b17de-77c7-46bf-b94b-0b5f309a0e64} - c:\program files\microsoft money\system\mnyside.dll
BHO: : {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
IE: {6224f700-cba3-4071-b251-47cb894244cd} - c:\program files\icq\ICQ.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {DD6687B5-CB43-4211-BFC9-2942CCBDCB3E} - c:\program files\microsoft money\system\mnyside.dll
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://www.activation.rr.com/install/download/tgctlcm.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - hxxp://www.nick.com/common/groove/gx/GrooveAX27.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} - hxxp://download.toontown.com/sv1.0.13.16/ttinst.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-5-19 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-5-19 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-5-19 138680]
R2 WUSB54Gv42SVC;WUSB54Gv42SVC;c:\program files\linksys wireless-g usb wireless network monitor\WLService.exe [2006-12-30 53307]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-5-19 254040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-5-19 352920]
S3 SQTECH913D;913D Camera;c:\windows\system32\drivers\Capt913D.sys [2007-12-26 29696]

=============== Created Last 30 ================

2009-06-09 10:13 73,728 a------- c:\windows\system32\javacpl.cpl
2009-06-09 08:53 <DIR> --d----- C:\HostsXpert
2009-06-08 09:01 <DIR> a-dshr-- C:\cmdcons
2009-06-08 08:59 161,792 a------- c:\windows\SWREG.exe
2009-06-08 08:59 155,136 a------- c:\windows\PEV.exe
2009-06-08 08:59 98,816 a------- c:\windows\sed.exe
2009-06-07 13:09 <DIR> --d----- C:\ToolBar SD
2009-06-02 15:55 <DIR> --d----- c:\windows\system32\NtmsData
2009-05-26 15:57 <DIR> --d----- c:\docume~1\hannah\applic~1\Canneverbe_Limited
2009-05-26 13:47 31 a------- c:\windows\MCDB.ini
2009-05-26 13:47 45 a------- c:\windows\system32\DVDCD.dll
2009-05-24 11:14 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-05-23 19:14 4,194,918 a------- c:\windows\pfirewall.log.old
2009-05-23 18:35 <DIR> --d----- c:\windows\system32\XPSViewer
2009-05-23 18:34 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-05-23 18:34 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-05-23 18:34 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-05-23 18:34 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-05-23 18:34 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-05-23 18:34 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-05-23 18:34 117,760 -------- c:\windows\system32\prntvpt.dll
2009-05-23 18:34 <DIR> --d----- C:\d754fd0add41514d62ea7172e7ee5647
2009-05-19 10:13 1,060,864 a------- c:\windows\system32\MFC71.dll
2009-05-19 09:59 <DIR> --dsh--- c:\documents and settings\hannah\IECompatCache
2009-05-19 09:58 <DIR> --dsh--- c:\documents and settings\hannah\PrivacIE
2009-05-19 09:56 <DIR> --dsh--- c:\documents and settings\hannah\IETldCache
2009-05-19 09:41 <DIR> --d----- c:\windows\ie8updates
2009-05-19 09:37 <DIR> -cd-h--- c:\windows\ie8
2009-05-19 09:34 102,400 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-05-19 02:21 <DIR> --d----- c:\windows\system32\scripting
2009-05-19 02:21 <DIR> --d----- c:\windows\system32\en
2009-05-19 02:21 <DIR> --d----- c:\windows\l2schemas
2009-05-19 01:46 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-19 01:40 <DIR> --d----- c:\program files\ToniArts
2009-05-18 23:30 <DIR> --d----- c:\windows\pss
2009-05-18 22:56 <DIR> --d----- c:\docume~1\hannah\applic~1\Malwarebytes
2009-05-18 22:56 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-05-18 22:56 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-18 22:56 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-18 22:56 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes

==================== Find3M ====================

2009-05-19 02:25 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat

============= FINISH: 16:23:25.53 ===============



Edited by Robynsleo, 09 June 2009 - 03:26 PM.


#13 sundavis

  • Malware Response Team
  • 2,708 posts

Posted 09 June 2009 - 07:41 PM

Hi Robynsleo,



The logs look good. Now you are all clean. If you have no remaining issues on your pc, let's do some tidying up.

Step1

Click START then RUN
Now copy/paste Combofix /u into the Run box and click OK.
Note the space between the X and the U; it needs to be there.


This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.


Step2
  • Please start OTL on your desktop.
  • Press the "Cleanup" button.
  • A message dialog will ask you if you want to proceed with the cleanup process, click Yes
  • Allow your system to reboot if asked.
Now that your system is clean, kindly follow these simple steps in order to keep your computer clean and secure:
  • Update your antivirus programs

    Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system. You can use one of these sites to check if any updates are needed for your pc.
    Secunia Software Inspector
    F-secure Health Check

  • Update your Adobe Acrobat Reader

    Old versions may contain vulnerabilities that malware can use to infect your system. Please download Adobe Reader 9 to your desktop.
    Uninstall the old Adobe Reader from Start > Control Panel > Add/Remove Programs. Install the new one.

  • Install a-squared Free - a-squared Free is a product from Emsi Software, provided free for private use, that can detect and remove a variety of malicious software. If you have a dial-up internet connection, you may also like to install a-squared Anti-Dialer, which provides some real-time protection against premium-rate dialers.

    A tutorial on installing & using this product can be found here:

    Clean your PC with a-squared Free


  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Please check out Tony Klein's article "How did I get infected in the first place?"
Read some information here on how to prevent malware.


Glad to be of help. Safe surfing!!

#14 Robynsleo

  • Topic Starter
  • Members
  • 15 posts

Posted 10 June 2009 - 07:15 AM

Thank you so much!! You have been fabulous.

#15 sundavis

  • Malware Response Team
  • 2,708 posts

Posted 11 June 2009 - 03:02 PM

Since this issue appears resolved ... this Topic is closed. Glad we could help.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic
