
TR/Drop.Agent.gna.2


  • This topic is locked
18 replies to this topic

#1 awawia

awawia

  • Members
  • 23 posts
  • OFFLINE
  • Local time:03:54 AM

Posted 30 July 2009 - 10:32 AM

:thumbup2:

Could someone please help me with this trojan. I have had this bugger for a while and cannot get rid of it. Thanks for your time.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:00:36 AM, on 7/30/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

--
End of file - 5181 bytes
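The HijackThis log above is a fixed line format (R0/R1 browser settings, O2 BHOs, O4 autostarts, O16 ActiveX downloads, O20 Winlogon Notify DLLs, O23 services), and helpers read it by eye for a few recurring patterns: BHOs whose DLL is missing, autostarts outside the Windows or Program Files trees, and non-Microsoft DLLs hooked into winlogon. As an added example that is not part of this thread or of HijackThis itself, the script below parses a handful of lines copied from that log and applies those checks; the trusted-directory list and the severity labels are the editor's own assumptions, not HijackThis behaviour.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List
from urllib.parse import urlparse

# Constructed sample: eight lines copied from the HijackThis log posted above
# (backslashes are doubled only because this is a Python string literal).
SAMPLE_LOG = """\
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\\Program Files\\Yahoo!\\Companion\\Installs\\cpn\\yt.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\\..\\Run: [avgnt] "C:\\Program Files\\Avira\\AntiVir Desktop\\avgnt.exe" /min
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O20 - Winlogon Notify: !SASWinLogon - C:\\Program Files\\SUPERAntiSpyware\\SASWINLO.dll
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\\Program Files\\Avira\\AntiVir Desktop\\avguard.exe
"""

# Every HijackThis entry starts with a section code such as R0, O2, O23.
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<rest>.+)$")

# Field layouts for the sections the checks below care about; other
# sections are kept as raw text.
FIELD_RE = {
    "O2": re.compile(r"BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$"),
    "O4": re.compile(r"(?P<location>[^:]+): \[(?P<name>[^\]]+)\] (?P<command>.+)$"),
    "O16": re.compile(r"DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\} \((?P<name>[^)]+)\) - (?P<url>\S+)$"),
    "O20": re.compile(r"Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$"),
    "O23": re.compile(r"Service: (?P<name>.+?) \((?P<service>[^)]+)\) - (?P<vendor>.+?) - (?P<path>.+)$"),
}

# Assumption for this example: on an XP box, legitimate autostarts and
# winlogon hooks live under these trees; anything else deserves a look.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\")


@dataclass
class Entry:
    code: str
    raw: str
    fields: Dict[str, str] = field(default_factory=dict)


@dataclass
class Finding:
    severity: str  # "review" = look at this, "info" = normal but worth knowing
    code: str
    message: str


def parse_hjt(text: str) -> List[Entry]:
    """Turn the R*/O* lines of a HijackThis log into structured entries."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header, process list, blank line
        code, rest = m.group("code"), m.group("rest")
        fields: Dict[str, str] = {}
        section_re = FIELD_RE.get(code)
        if section_re:
            fm = section_re.match(rest)
            if fm:
                fields = fm.groupdict()
        entries.append(Entry(code, rest, fields))
    return entries


def _exe_path(command: str) -> str:
    """Extract the executable path from a Run value, quoted or bare."""
    m = re.match(r'"([^"]+)"|(\S+)', command)
    return (m.group(1) or m.group(2)).lower() if m else ""


def triage(entries: List[Entry]) -> List[Finding]:
    """Apply the checks a removal helper does by eye when reading the log."""
    out: List[Finding] = []
    for e in entries:
        f = e.fields
        if e.code == "O2" and f:
            if f["path"] == "(no file)":
                out.append(Finding("review", "O2",
                    f"orphaned BHO {f['clsid']}: CLSID registered but DLL missing"))
            elif f["name"] == "(no name)":
                out.append(Finding("review", "O2", f"unnamed BHO loading {f['path']}"))
        elif e.code == "O4" and f:
            exe = _exe_path(f["command"])
            if not exe.startswith(TRUSTED_DIRS):
                out.append(Finding("review", "O4",
                    f"autostart [{f['name']}] runs from unusual location {exe}"))
        elif e.code == "O16" and f:
            host = urlparse(f["url"]).hostname or "?"
            out.append(Finding("info", "O16",
                f"ActiveX control '{f['name']}' installed from {host}"))
        elif e.code == "O20" and f:
            sev = "info" if f["path"].lower().startswith(TRUSTED_DIRS) else "review"
            out.append(Finding(sev, "O20", f"winlogon notify DLL {f['name']} -> {f['path']}"))
    return out


if __name__ == "__main__":
    for finding in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{finding.severity}] {finding.code}: {finding.message}")
```

On the sample this reports the two "(no file)" BHOs for review and lists the ActiveX download and the SUPERAntiSpyware winlogon hook as informational, which matches what a helper would conclude from the full log.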

#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:02:54 AM

Posted 31 July 2009 - 04:32 PM

Hello! :thumbup2:
My name is Sam and I will be helping you.

In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.


We need to create an OTL Report
  • Please download OTL from here
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the "Run Scan" button.
  • The scan should take just a few minutes.
  • Copy the log that opens up and paste it back here in your next reply.



=============


The next log will show us any hidden files that are present.

Download GMER from here:
  • Unzip it to the desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run click Copy and paste the results (if any) into this thread.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 awawia

awawia
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Local time:03:54 AM

Posted 01 August 2009 - 11:08 AM

These are very large files... so I have attached them... I tried to copy and paste them but my computer kept freezing up. Okay... it won't upload the file. It's too big for the space available.




#4 awawia

awawia
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Local time:03:54 AM

Posted 01 August 2009 - 11:09 AM

I am going to do a clean up of my hard drive and then try again. Will that help??

#5 awawia

awawia
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Local time:03:54 AM

Posted 01 August 2009 - 12:00 PM

I've cleaned up my computer a little... still have the same problem. Every time I open a window Avira opens up and warns that it's detected a virus or unknown program. C?\WINDOWS\chsha.qgm is the TR/Drop.Agent.gna.2 Trojan.

I've performed another scan with OTL and here is the result:

OTL logfile created on: 8/1/2009 12:46:00 PM - Run 2
OTL by OldTimer - Version 3.0.10.3 Folder = C:\Documents and Settings\Arlene\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.49 Gb Total Physical Memory | 1.04 Gb Available Physical Memory | 69.59% Memory free
3.34 Gb Paging File | 3.06 Gb Available in Paging File | 91.64% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 34.02 Gb Total Space | 21.88 Gb Free Space | 64.33% Space Free | Partition Type: NTFS
Drive D: | 33.68 Gb Total Space | 20.79 Gb Free Space | 61.73% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ARLENES
Current User Name: Arlene
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2008/04/13 20:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2009/05/13 16:48:22 | 00,108,289 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2009/03/02 13:08:47 | 00,209,153 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2005/11/16 10:00:00 | 00,122,880 | ---- | M] (WinZip Computing LP) -- C:\Program Files\WinZip\WZQKPICK.EXE
PRC - [2009/05/11 10:15:50 | 00,185,089 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2009/05/16 22:12:48 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2006/12/14 21:49:10 | 00,061,440 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\Common Files\LightScribe\LSSrvc.exe
PRC - [2008/04/13 20:12:30 | 00,420,864 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\ntvdm.exe
PRC - [2009/08/01 10:54:00 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Arlene\Desktop\OTL.exe

========== Win32 Services (SafeList) ==========

SRV - [2009/05/13 16:48:22 | 00,108,289 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService [Auto | Running])
SRV - [2009/05/11 10:15:50 | 00,185,089 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService [Auto | Running])
SRV - [2005/09/23 11:28:32 | 00,029,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2005/09/23 11:28:56 | 00,066,240 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2009/03/03 14:53:08 | 00,033,176 | ---- | M] (NOS Microsystems Ltd.) -- C:\Program Files\NOS\bin\getPlus_HelperSvc.exe -- (getPlus® Helper [On_Demand | Stopped])
SRV - [2008/04/13 20:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2005/11/14 05:06:04 | 00,069,632 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])
SRV - [2009/05/16 22:12:48 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Auto | Running])
SRV - [2006/12/14 21:49:10 | 00,061,440 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\Common Files\LightScribe\LSSrvc.exe -- (LightScribeService [Auto | Running])
SRV - [2003/07/28 15:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
SRV - [2006/04/14 14:04:54 | 00,087,840 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe -- (SQLWriter [On_Demand | Stopped])
SRV - [2007/10/18 11:31:54 | 00,098,328 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\usnsvc.exe -- (usnjsvc [On_Demand | Stopped])
SRV - [2007/10/25 15:27:54 | 00,266,240 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe -- (WLSetupSvc [On_Demand | Stopped])
SRV - [2006/10/18 20:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])

========== Driver Services (SafeList) ==========

DRV - [2009/02/13 12:35:05 | 00,011,608 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio [System | Running])
DRV - [2009/03/24 16:08:22 | 00,055,640 | ---- | M] (Avira GmbH) -- C:\WINDOWS\System32\DRIVERS\avgntflt.sys -- (avgntflt [Auto | Running])
DRV - [2009/03/30 10:33:07 | 00,096,104 | ---- | M] (Avira GmbH) -- C:\WINDOWS\System32\DRIVERS\avipbb.sys -- (avipbb [System | Running])
DRV - [2008/04/13 12:36:05 | 00,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\WINDOWS\System32\DRIVERS\HDAudBus.sys -- (HDAudBus [On_Demand | Running])
DRV - [2006/06/23 14:02:02 | 01,095,680 | ---- | M] (Intel Corporation) -- C:\WINDOWS\System32\DRIVERS\igxpmp32.sys -- (ialm [On_Demand | Running])
DRV - [2006/05/16 20:32:58 | 04,275,712 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\System32\drivers\RtkHDAud.sys -- (IntcAzAudAddService [On_Demand | Running])
DRV - [2006/01/02 03:03:26 | 00,006,144 | ---- | M] (NewTech Infosystems, Inc.) -- C:\WINDOWS\System32\DRIVERS\NTIDrvr.sys -- (NTIDrvr [On_Demand | Running])
DRV - [2009/05/09 01:14:20 | 00,014,736 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\DRIVERS\NuidFltr.sys -- (NuidFltr [On_Demand | Stopped])
DRV - [2004/08/04 01:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2009/04/28 11:33:42 | 00,009,968 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS -- (SASDIFSV [System | Running])
DRV - [2009/04/28 11:33:44 | 00,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM [On_Demand | Stopped])
DRV - [2009/04/28 11:33:40 | 00,072,944 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys -- (SASKUTIL [System | Running])
DRV - [2008/04/13 12:39:15 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
DRV - [2009/05/11 10:12:24 | 00,028,520 | ---- | M] (Avira GmbH) -- C:\WINDOWS\System32\DRIVERS\ssmdrv.sys -- (ssmdrv [System | Running])
DRV - [2004/07/15 19:18:00 | 00,386,688 | ---- | M] (Texas Instruments) -- C:\WINDOWS\System32\DRIVERS\tnet1130.sys -- (TNET1130 [On_Demand | Running])
DRV - [2006/08/28 06:30:04 | 00,013,952 | ---- | M] () -- C:\WINDOWS\System32\drivers\UBHelper.sys -- (UBHelper [Boot | Running])
DRV - [2008/04/13 14:45:12 | 00,060,032 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\usbaudio.sys -- (usbaudio [On_Demand | Stopped])
DRV - [2006/06/29 11:53:00 | 00,244,864 | ---- | M] (Marvell) -- C:\WINDOWS\System32\DRIVERS\yk51x86.sys -- (yukonwxp [On_Demand | Running])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1487421050-3647273824-3969193911-1008\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\S-1-5-21-1487421050-3647273824-3969193911-1008\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKU\S-1-5-21-1487421050-3647273824-3969193911-1008\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\S-1-5-21-1487421050-3647273824-3969193911-1008\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKU\S-1-5-21-1487421050-3647273824-3969193911-1008\SOFTWARE\Microsoft\Internet Explorer\Search,AutoSearch = http://ie.search.msn.com/{SUB_RFC1766}/src...autosearch.aspx
IE - HKU\S-1-5-21-1487421050-3647273824-3969193911-1008\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKU\S-1-5-21-1487421050-3647273824-3969193911-1008\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
IE - URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
IE - HKU\S-1-5-21-1487421050-3647273824-3969193911-1008\S-1-5-21-1487421050-3647273824-3969193911-1008\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009/05/16 22:12:48 | 00,000,000 | ---D | M]


O1 HOSTS File: (734 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Yahoo! Toolbar Helper) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKU\S-1-5-21-1487421050-3647273824-3969193911-1008\..\Toolbar\ShellBrowser: (no name) - {5CBE3B7C-1E47-477E-A7DD-396DB0476E29} - No CLSID value found.
O3 - HKU\S-1-5-21-1487421050-3647273824-3969193911-1008\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
O3 - HKU\S-1-5-21-1487421050-3647273824-3969193911-1008\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE (WinZip Computing LP)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1487421050-3647273824-3969193911-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/2008.1...toUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab (MSN Photo Upload Tool)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab (get_atlcom Class)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/01/02 02:24:40 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 30 Days ==========

[1 C:\WINDOWS\*.tmp files]
[2009/08/01 12:44:45 | 00,513,536 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Arlene\Desktop\OTL.exe
[2009/08/01 12:41:38 | 00,024,242 | ---- | C] () -- C:\Documents and Settings\Arlene\My Documents\cc_20090801_124137.reg
[2009/07/31 21:33:24 | 00,625,357 | ---- | C] () -- C:\Documents and Settings\Arlene\Desktop\KarenMom.jpg
[2009/07/31 21:31:54 | 00,001,697 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\MP Navigator 3.1.lnk
[2009/07/31 21:31:49 | 00,000,000 | ---D | C] -- C:\Program Files\Canon
[2009/07/30 11:00:24 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2009/07/28 21:07:22 | 00,594,432 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msfeeds.dll
[2009/07/28 21:07:22 | 00,055,296 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msfeedsbs.dll
[2009/07/27 17:34:25 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sandlot Games
[2009/07/27 17:27:58 | 00,000,724 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Play Super Granny 3.lnk
[2009/07/25 17:03:57 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Arlene\Desktop\Susie
[2009/07/25 13:03:53 | 00,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2009/07/22 03:03:33 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\microsoft
[2009/07/22 03:03:16 | 00,000,000 | ---D | C] -- C:\Program Files\Microsoft CAPICOM 2.1.0.2
[2009/07/21 16:59:14 | 00,000,268 | -H-- | C] () -- C:\sqmdata00.sqm
[2009/07/21 16:59:14 | 00,000,244 | -H-- | C] () -- C:\sqmnoopt00.sqm
[2009/07/21 12:08:51 | 00,268,648 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mucltui.dll
[2009/07/21 12:08:51 | 00,208,744 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\muweb.dll
[2009/07/21 12:08:51 | 00,027,496 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mucltui.dll.mui
[2009/07/20 17:48:39 | 03,426,072 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_32.dll
[2009/07/20 17:48:15 | 00,000,000 | ---D | C] -- C:\Program Files\Microsoft SQL Server Compact Edition
[2009/07/20 17:46:41 | 00,001,831 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Windows Live Mail.lnk
[2009/07/20 17:35:44 | 00,000,000 | -HSD | C] -- C:\Program Files\Common Files\WindowsLiveInstaller
[2009/07/20 17:35:38 | 00,000,000 | ---D | C] -- C:\Program Files\Windows Live
[2009/07/20 17:35:27 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\WLInstaller
[2009/07/16 03:00:44 | 00,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
[2009/07/16 03:00:43 | 00,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
[2009/07/16 03:00:16 | 00,021,504 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\hidserv.dll
[2009/07/08 19:27:29 | 00,069,632 | ---- | C] (LEAD Technologies, Inc.) -- C:\WINDOWS\System32\lfgif13n.dll
[2009/07/08 19:27:27 | 00,462,848 | ---- | C] (LEAD Technologies, Inc.) -- C:\WINDOWS\System32\ltkrn13n.dll
[2009/07/08 19:27:27 | 00,450,560 | ---- | C] (LEAD Technologies, Inc.) -- C:\WINDOWS\System32\ltimg13n.dll
[2009/07/08 19:27:27 | 00,401,408 | ---- | C] (LEAD Technologies, Inc.) -- C:\WINDOWS\System32\lfcmp13n.dll
[2009/07/08 19:27:27 | 00,299,008 | ---- | C] (LEAD Technologies, Inc.) -- C:\WINDOWS\System32\ltdis13n.dll
[2009/07/08 19:27:27 | 00,206,336 | ---- | C] (LEAD Technologies, Inc.) -- C:\WINDOWS\System32\ltefx13n.dll
[2009/07/08 19:27:27 | 00,163,840 | ---- | C] (LEAD Technologies, Inc.) -- C:\WINDOWS\System32\ltfil13n.dll
[2009/07/08 19:27:27 | 00,057,344 | ---- | C] (LEAD Technologies, Inc.) -- C:\WINDOWS\System32\lfbmp13n.dll
[2009/07/03 12:02:47 | 00,001,522 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
[2009/07/03 12:02:47 | 00,000,740 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\WinZip.lnk
[2009/07/03 12:02:34 | 00,000,000 | ---D | C] -- C:\Program Files\WinZip
[2009/07/03 11:22:51 | 00,001,711 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Avira AntiVir Control Center.lnk
[2009/07/03 11:22:41 | 00,096,104 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys
[2009/07/03 11:22:41 | 00,045,416 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntdd.sys
[2009/07/03 11:22:41 | 00,028,520 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\ssmdrv.sys
[2009/07/03 11:22:41 | 00,022,360 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntmgr.sys
[2009/07/03 11:22:39 | 00,000,000 | ---D | C] -- C:\Program Files\Avira
[2009/07/03 11:22:39 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Avira
[2009/05/02 22:30:36 | 00,135,168 | ---- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2009/05/02 22:05:19 | 00,000,050 | ---- | C] () -- C:\WINDOWS\commercial.ini
[2009/05/02 21:06:07 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/05/02 20:44:56 | 00,348,880 | ---- | C] () -- C:\WINDOWS\System32\igmedkrn.dll
[2009/05/02 20:44:56 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4624.dll
[2007/03/07 13:43:12 | 00,000,083 | ---- | C] () -- C:\WINDOWS\ALaunch.ini
[2006/08/28 06:30:04 | 00,013,952 | ---- | C] () -- C:\WINDOWS\System32\drivers\UBHelper.sys
[2006/01/02 03:28:20 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/01/02 03:08:24 | 00,000,603 | ---- | C] () -- C:\WINDOWS\win.ini
[2006/01/02 03:04:26 | 00,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTIBUN4.dll
[2006/01/02 03:03:30 | 00,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTIMPEG2.dll
[2006/01/02 03:03:30 | 00,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTIMP3.dll
[2006/01/02 03:03:30 | 00,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTICDMK7.dll
[2006/01/01 18:19:42 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini
[2005/10/25 04:25:28 | 00,008,073 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2004/08/04 01:00:00 | 00,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2003/01/07 15:05:08 | 00,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2001/12/26 19:12:30 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\multiplex_vcd.dll
[2001/09/04 02:46:38 | 00,110,592 | ---- | C] () -- C:\WINDOWS\System32\Hmpg12.dll
[2001/07/30 19:33:56 | 00,118,784 | ---- | C] () -- C:\WINDOWS\System32\HMPV2_ENC.dll
[2001/07/24 01:04:36 | 00,118,784 | ---- | C] () -- C:\WINDOWS\System32\HMPV2_ENC_MMX.dll

========== Files - Modified Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[1 C:\WINDOWS\*.tmp files]
[2009/08/01 12:41:42 | 00,024,242 | ---- | M] () -- C:\Documents and Settings\Arlene\My Documents\cc_20090801_124137.reg
[2009/08/01 12:18:07 | 00,000,664 | ---- | M] () -- C:\Documents and Settings\Arlene\Desktop\CCleaner.lnk
[2009/08/01 10:54:00 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Arlene\Desktop\OTL.exe
[2009/08/01 10:52:48 | 00,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/08/01 10:51:56 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/08/01 10:51:49 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/08/01 00:57:57 | 02,110,320 | -H-- | M] () -- C:\Documents and Settings\Arlene\Local Settings\Application Data\IconCache.db
[2009/07/31 21:33:24 | 00,625,357 | ---- | M] () -- C:\Documents and Settings\Arlene\Desktop\KarenMom.jpg
[2009/07/31 21:31:54 | 00,001,697 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\MP Navigator 3.1.lnk
[2009/07/31 18:33:27 | 00,002,497 | ---- | M] () -- C:\Documents and Settings\Arlene\Desktop\Microsoft Office Word 2003.lnk
[2009/07/27 17:27:58 | 00,001,194 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\More Great Games.lnk
[2009/07/27 17:27:58 | 00,000,724 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Play Super Granny 3.lnk
[2009/07/27 17:23:57 | 00,001,576 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Play My Games.lnk
[2009/07/27 15:12:05 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2009/07/25 13:00:29 | 00,071,680 | ---- | M] () -- C:\Documents and Settings\Arlene\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/07/24 23:41:00 | 00,389,592 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/07/23 03:03:08 | 00,000,603 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/07/21 16:59:14 | 00,000,268 | -H-- | M] () -- C:\sqmdata00.sqm
[2009/07/21 16:59:14 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt00.sqm
[2009/07/20 17:46:41 | 00,001,831 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Windows Live Mail.lnk
[2009/07/19 18:48:58 | 11,067,392 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\ieframe.dll
[2009/07/19 18:48:58 | 11,067,392 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ieframe.dll
[2009/07/19 09:18:59 | 05,937,152 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\mshtml.dll
[2009/07/19 09:18:59 | 05,937,152 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mshtml.dll
[2009/07/16 03:00:44 | 00,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
[2009/07/16 03:00:43 | 00,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
[2009/07/07 11:10:56 | 24,539,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2009/07/03 13:09:28 | 00,915,456 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wininet.dll
[2009/07/03 13:09:28 | 00,915,456 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wininet.dll
[2009/07/03 13:09:28 | 00,012,800 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\xpshims.dll
[2009/07/03 13:09:27 | 01,208,832 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\urlmon.dll
[2009/07/03 13:09:27 | 01,208,832 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\urlmon.dll
[2009/07/03 13:09:27 | 00,206,848 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\occache.dll
[2009/07/03 13:09:27 | 00,206,848 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\occache.dll
[2009/07/03 13:09:25 | 00,594,432 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\msfeeds.dll
[2009/07/03 13:09:25 | 00,594,432 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msfeeds.dll
[2009/07/03 13:09:25 | 00,055,296 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\msfeedsbs.dll
[2009/07/03 13:09:25 | 00,055,296 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msfeedsbs.dll
[2009/07/03 13:09:24 | 01,985,536 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\iertutil.dll
[2009/07/03 13:09:24 | 01,985,536 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iertutil.dll
[2009/07/03 13:09:24 | 01,469,440 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\inetcpl.cpl
[2009/07/03 13:09:24 | 01,469,440 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\inetcpl.cpl
[2009/07/03 13:09:24 | 00,025,600 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\jsproxy.dll
[2009/07/03 13:09:24 | 00,025,600 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\jsproxy.dll
[2009/07/03 13:09:23 | 00,246,272 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ieproxy.dll
[2009/07/03 13:09:23 | 00,184,320 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\iepeers.dll
[2009/07/03 13:09:23 | 00,184,320 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iepeers.dll
[2009/07/03 13:09:21 | 00,386,048 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\iedkcs32.dll
[2009/07/03 13:09:21 | 00,386,048 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iedkcs32.dll
[2009/07/03 12:02:47 | 00,001,522 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
[2009/07/03 12:02:47 | 00,000,740 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\WinZip.lnk
[2009/07/03 11:22:51 | 00,001,711 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Avira AntiVir Control Center.lnk
[2009/07/03 07:01:06 | 00,173,056 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\ie4uinit.exe
[2009/07/03 07:01:06 | 00,173,056 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ie4uinit.exe

========== Alternate Data Streams ==========

@Alternate Data Stream - 217 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0DACB2B7
@Alternate Data Stream - 206 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:F264BECE
@Alternate Data Stream - 196 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:6390D9FB
@Alternate Data Stream - 193 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:538B96B5
@Alternate Data Stream - 111 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:60A4BB64
@Alternate Data Stream - 104 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:1409277B
< End of report >

#6 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 01 August 2009 - 12:46 PM

Ok, let's see what we can do about that.

Run OTL.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    O3 - HKU\S-1-5-21-1487421050-3647273824-3969193911-1008\..\Toolbar\ShellBrowser: (no name) - {5CBE3B7C-1E47-477E-A7DD-396DB0476E29} - No CLSID value found.
    O3 - HKU\S-1-5-21-1487421050-3647273824-3969193911-1008\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
    O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_06)
    
    
    :Files
    C:\WINDOWS\chsha.qgm
    
    :Commands
    [purity]
    [emptytemp]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • You will get a log that shows the results of the fix. Please post it.
  • Then also run and post a new OTL log.

Let me know how your computer is behaving now.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#7 awawia

awawia
  • Topic Starter

  • Members
  • 23 posts

Posted 01 August 2009 - 01:54 PM

Here is the log from GMER

GMER 1.0.15.15011 [38h1w75q[1].exe] - http://www.gmer.net
Rootkit scan 2009-08-01 14:52:00
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT BA6C7166 ZwCreateKey
SSDT BA6C715C ZwCreateThread
SSDT BA6C716B ZwDeleteKey
SSDT BA6C7175 ZwDeleteValueKey
SSDT BA6C717A ZwLoadKey
SSDT BA6C7148 ZwOpenProcess
SSDT BA6C714D ZwOpenThread
SSDT BA6C7184 ZwReplaceKey
SSDT BA6C717F ZwRestoreKey
SSDT BA6C7170 ZwSetValueKey
SSDT BA6C7157 ZwTerminateProcess

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\spoolsv.exe[256] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10004020
.text C:\WINDOWS\system32\spoolsv.exe[256] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003F4C
.text C:\WINDOWS\system32\spoolsv.exe[256] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003734
.text C:\WINDOWS\system32\spoolsv.exe[256] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 10002D80
.text C:\WINDOWS\system32\spoolsv.exe[256] ws2_32.dll!recv 71AB676F 5 Bytes JMP 10002CD0
.text C:\WINDOWS\system32\spoolsv.exe[256] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003F14
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[368] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10014020
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[368] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 10013F4C
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[368] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10013734
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[368] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 10012D80
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[368] WS2_32.dll!recv 71AB676F 5 Bytes JMP 10012CD0
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[368] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10013F14
.text C:\WINDOWS\system32\svchost.exe[488] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10004020
.text C:\WINDOWS\system32\svchost.exe[488] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003F4C
.text C:\WINDOWS\system32\svchost.exe[488] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003734
.text C:\WINDOWS\system32\svchost.exe[488] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 10002D80
.text C:\WINDOWS\system32\svchost.exe[488] ws2_32.dll!recv 71AB676F 5 Bytes JMP 10002CD0
.text C:\WINDOWS\system32\svchost.exe[488] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003F14
.text C:\WINDOWS\system32\winlogon.exe[872] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10004020
.text C:\WINDOWS\system32\winlogon.exe[872] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 10003F4C
.text C:\WINDOWS\system32\winlogon.exe[872] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10003734
.text C:\WINDOWS\system32\winlogon.exe[872] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 10002D80
.text C:\WINDOWS\system32\winlogon.exe[872] WS2_32.dll!recv 71AB676F 5 Bytes JMP 10002CD0
.text C:\WINDOWS\system32\winlogon.exe[872] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003F14
.text C:\WINDOWS\system32\lsass.exe[928] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10004020
.text C:\WINDOWS\system32\lsass.exe[928] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 10003F4C
.text C:\WINDOWS\system32\lsass.exe[928] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10003734
.text C:\WINDOWS\system32\lsass.exe[928] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 10002D80
.text C:\WINDOWS\system32\lsass.exe[928] WS2_32.dll!recv 71AB676F 5 Bytes JMP 10002CD0
.text C:\WINDOWS\system32\lsass.exe[928] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003F14
.text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10004020
.text C:\WINDOWS\system32\svchost.exe[1096] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003F4C
.text C:\WINDOWS\system32\svchost.exe[1096] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003734
.text C:\WINDOWS\system32\svchost.exe[1096] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 10002D80
.text C:\WINDOWS\system32\svchost.exe[1096] ws2_32.dll!recv 71AB676F 5 Bytes JMP 10002CD0
.text C:\WINDOWS\system32\svchost.exe[1096] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003F14
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10004020
.text C:\WINDOWS\system32\svchost.exe[1180] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003F4C
.text C:\WINDOWS\system32\svchost.exe[1180] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003734
.text C:\WINDOWS\system32\svchost.exe[1180] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 10002D80
.text C:\WINDOWS\system32\svchost.exe[1180] ws2_32.dll!recv 71AB676F 5 Bytes JMP 10002CD0
.text C:\WINDOWS\system32\svchost.exe[1180] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003F14
.text C:\WINDOWS\System32\svchost.exe[1228] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10004020
.text C:\WINDOWS\System32\svchost.exe[1228] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003F4C
.text C:\WINDOWS\System32\svchost.exe[1228] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003734
.text C:\WINDOWS\System32\svchost.exe[1228] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 10002D80
.text C:\WINDOWS\System32\svchost.exe[1228] ws2_32.dll!recv 71AB676F 5 Bytes JMP 10002CD0
.text C:\WINDOWS\System32\svchost.exe[1228] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003F14
.text C:\WINDOWS\system32\svchost.exe[1268] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10004020
.text C:\WINDOWS\system32\svchost.exe[1268] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003F4C
.text C:\WINDOWS\system32\svchost.exe[1268] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003734
.text C:\WINDOWS\system32\svchost.exe[1268] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 10002D80
.text C:\WINDOWS\system32\svchost.exe[1268] ws2_32.dll!recv 71AB676F 5 Bytes JMP 10002CD0
.text C:\WINDOWS\system32\svchost.exe[1268] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003F14
.text C:\WINDOWS\system32\svchost.exe[1516] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10004020
.text C:\WINDOWS\system32\svchost.exe[1516] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003F4C
.text C:\WINDOWS\system32\svchost.exe[1516] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003734
.text C:\WINDOWS\system32\svchost.exe[1516] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 10002D80
.text C:\WINDOWS\system32\svchost.exe[1516] ws2_32.dll!recv 71AB676F 5 Bytes JMP 10002CD0
.text C:\WINDOWS\system32\svchost.exe[1516] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003F14
.text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10004020
.text C:\WINDOWS\system32\svchost.exe[1556] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003F4C
.text C:\WINDOWS\system32\svchost.exe[1556] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003734
.text C:\WINDOWS\system32\svchost.exe[1556] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 10002D80
.text C:\WINDOWS\system32\svchost.exe[1556] ws2_32.dll!recv 71AB676F 5 Bytes JMP 10002CD0
.text C:\WINDOWS\system32\svchost.exe[1556] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003F14
.text C:\WINDOWS\System32\svchost.exe[1568] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10004020
.text C:\WINDOWS\System32\svchost.exe[1568] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003F4C
.text C:\WINDOWS\System32\svchost.exe[1568] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003734
.text C:\WINDOWS\System32\svchost.exe[1568] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 10002D80
.text C:\WINDOWS\System32\svchost.exe[1568] ws2_32.dll!recv 71AB676F 5 Bytes JMP 10002CD0
.text C:\WINDOWS\System32\svchost.exe[1568] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003F14
.text C:\WINDOWS\Explorer.EXE[1704] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10004020
.text C:\WINDOWS\Explorer.EXE[1704] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003F4C
.text C:\WINDOWS\Explorer.EXE[1704] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003734
.text C:\WINDOWS\Explorer.EXE[1704] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 10002D80
.text C:\WINDOWS\Explorer.EXE[1704] ws2_32.dll!recv 71AB676F 5 Bytes JMP 10002CD0
.text C:\WINDOWS\Explorer.EXE[1704] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003F14
.text C:\WINDOWS\system32\svchost.exe[1724] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10004020
.text C:\WINDOWS\system32\svchost.exe[1724] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003F4C
.text C:\WINDOWS\system32\svchost.exe[1724] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003734
.text C:\WINDOWS\system32\svchost.exe[1724] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 10002D80
.text C:\WINDOWS\system32\svchost.exe[1724] ws2_32.dll!recv 71AB676F 5 Bytes JMP 10002CD0
.text C:\WINDOWS\system32\svchost.exe[1724] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003F14
.text C:\Program Files\Internet Explorer\iexplore.exe[1812] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10004020
.text C:\Program Files\Internet Explorer\iexplore.exe[1812] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2151FD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1812] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9521 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1812] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DCB69 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1812] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED3AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1812] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E2543F6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1812] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E3C10 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1812] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E3B42 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1812] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E3BAD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1812] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E3A13 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1812] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E3A75 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1812] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E3C73 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1812] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E3AD7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1812] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2ED408 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1812] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E3F78 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1812] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003F4C
.text C:\Program Files\Internet Explorer\iexplore.exe[1812] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003734
.text C:\Program Files\Internet Explorer\iexplore.exe[1812] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 10002D80
.text C:\Program Files\Internet Explorer\iexplore.exe[1812] ws2_32.dll!recv 71AB676F 5 Bytes JMP 10002CD0
.text C:\Program Files\Internet Explorer\iexplore.exe[1812] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003F14
.text C:\Program Files\Internet Explorer\iexplore.exe[2608] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10004020
.text C:\Program Files\Internet Explorer\iexplore.exe[2608] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2151FD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2608] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED3AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2608] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E3C10 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2608] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E3B42 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2608] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E3BAD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2608] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E3A13 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2608] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E3A75 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2608] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E3C73 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2608] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E3AD7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2608] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003F4C
.text C:\Program Files\Internet Explorer\iexplore.exe[2608] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003734
.text C:\Program Files\Internet Explorer\iexplore.exe[2608] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 10002D80
.text C:\Program Files\Internet Explorer\iexplore.exe[2608] ws2_32.dll!recv 71AB676F 5 Bytes JMP 10002CD0
.text C:\Program Files\Internet Explorer\iexplore.exe[2608] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003F14
.text C:\Program Files\Internet Explorer\iexplore.exe[3096] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10024020
.text C:\Program Files\Internet Explorer\iexplore.exe[3096] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2151FD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3096] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9521 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3096] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DCB69 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3096] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED3AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3096] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E2543F6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3096] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E3C10 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3096] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E3B42 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3096] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E3BAD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3096] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E3A13 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3096] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E3A75 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3096] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E3C73 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3096] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E3AD7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3096] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2ED408 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3096] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E3F78 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3096] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10023F4C
.text C:\Program Files\Internet Explorer\iexplore.exe[3096] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10023734
.text C:\Program Files\Internet Explorer\iexplore.exe[3096] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 10022D80
.text C:\Program Files\Internet Explorer\iexplore.exe[3096] ws2_32.dll!recv 71AB676F 5 Bytes JMP 10022CD0
.text C:\Program Files\Internet Explorer\iexplore.exe[3096] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10023F14
.text C:\WINDOWS\system32\wuauclt.exe[3224] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10004020
.text C:\WINDOWS\system32\wuauclt.exe[3224] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003F4C
.text C:\WINDOWS\system32\wuauclt.exe[3224] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003734
.text C:\WINDOWS\system32\wuauclt.exe[3224] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 10002D80
.text C:\WINDOWS\system32\wuauclt.exe[3224] ws2_32.dll!recv 71AB676F 5 Bytes JMP 10002CD0
.text C:\WINDOWS\system32\wuauclt.exe[3224] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003F14

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Internet Explorer\iexplore.exe[1812] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[3096] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----
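In the "User code sections" part of the GMER log above, every line is a 5-byte inline JMP on an exported function. Where GMER can attribute the JMP target to a loaded module it appends the module path and vendor (the IEFRAME.dll lines); where it cannot, the line ends at the raw target address (the kernel32.dll!CreateProcessW and ws2_32.dll socket hooks that repeat in almost every process). The script below is an added triage example, not GMER's code and not part of any post in this thread; it parses lines in that format and reports which functions carry unattributed hooks and in how many processes, so a reviewer can see the pattern at a glance. The line grammar is inferred from the lines shown here, and the sample log is constructed from a handful of them.

```python
"""Triage helper for GMER 'User code sections' lines (added example).

A line looks like:
  .text <image>[<pid>] <module>!<func> <addr> <n> Bytes JMP <target> [<owner.dll> (<vendor>)]
The trailing owner/vendor part is present only when GMER attributed the
JMP target to a loaded module. Hooks without it deserve a second look.
The regex is inferred from the log lines in this thread (an assumption),
and SAMPLE_LOG below is constructed from a few of them.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional

HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^\s!]+)!(?P<func>\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<len>\d+)\s+Bytes\s+JMP\s+"
    r"(?P<target>[0-9A-Fa-f]+)"
    r"(?:\s+(?P<owner>\S.*?\.dll)\s+\((?P<vendor>[^)]*)\))?\s*$",
    re.IGNORECASE,
)


class Hook(NamedTuple):
    image: str
    pid: int
    module: str            # lower-cased so WS2_32.dll and ws2_32.dll merge
    func: str
    addr: int
    patch_len: int
    target: int
    owner: Optional[str]   # attributed module path, or None
    vendor: Optional[str]


def parse_hooks(text: str) -> List[Hook]:
    """Return one Hook per '.text' line; other lines (headers, SSDT, IAT) are skipped."""
    hooks: List[Hook] = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        hooks.append(Hook(
            image=m["image"], pid=int(m["pid"]),
            module=m["module"].lower(), func=m["func"],
            addr=int(m["addr"], 16), patch_len=int(m["len"]),
            target=int(m["target"], 16),
            owner=m["owner"], vendor=m["vendor"],
        ))
    return hooks


def unattributed(hooks: List[Hook]) -> List[Hook]:
    """Hooks whose JMP target GMER could not tie to a loaded module."""
    return [h for h in hooks if h.owner is None]


def hooked_functions(hooks: List[Hook]) -> Dict[str, List[int]]:
    """Map 'module!func' -> sorted PIDs in which it carries an unattributed hook."""
    by_func: Dict[str, set] = defaultdict(set)
    for h in unattributed(hooks):
        by_func[f"{h.module}!{h.func}"].add(h.pid)
    return {name: sorted(pids) for name, pids in by_func.items()}


def triage(text: str) -> dict:
    """Summarise a GMER user-code section: counts, affected PIDs, hooked exports."""
    hooks = parse_hooks(text)
    unattr = unattributed(hooks)
    return {
        "total": len(hooks),
        "attributed": len(hooks) - len(unattr),
        "unattributed": len(unattr),
        "processes_with_unattributed": sorted({h.pid for h in unattr}),
        "functions": hooked_functions(hooks),
        "targets": sorted({h.target for h in unattr}),
    }


# Constructed sample, modelled on lines from the log in this thread.
SAMPLE_LOG = r"""
---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\lsass.exe[928] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10004020
.text C:\WINDOWS\system32\lsass.exe[928] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 10003F4C
.text C:\WINDOWS\system32\lsass.exe[928] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10003734
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[368] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 10013F4C
.text C:\Program Files\Internet Explorer\iexplore.exe[1812] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2151FD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1812] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003F4C

---- User IAT/EAT - GMER 1.0.15 ----
"""

if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print(f"{r['total']} hooks, {r['unattributed']} with no attributed module")
    for name, pids in sorted(r["functions"].items()):
        print(f"  {name}: hooked in {len(pids)} process(es) {pids}")
```

Run against the full log from the post, the same functions show the ws2_32 socket exports and kernel32!CreateProcessW hooked in every listed process with no owning module, while the USER32/ole32 hooks inside iexplore.exe all resolve to IEFRAME.dll. That separation is the point of the script: it does not say what the unattributed code is, only where it sits and how widely it is present, which is what a helper needs before deciding on the next step.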

#8 awawia

awawia
  • Topic Starter

  • Members
  • 23 posts

Posted 01 August 2009 - 10:33 PM

I have run the FIX with the posted code you provided... here is the result:

All processes killed
========== OTL ==========
Registry value HKEY_USERS\S-1-5-21-1487421050-3647273824-3969193911-1008\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{5CBE3B7C-1E47-477E-A7DD-396DB0476E29} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5CBE3B7C-1E47-477E-A7DD-396DB0476E29}\ not found.
Registry value HKEY_USERS\S-1-5-21-1487421050-3647273824-3969193911-1008\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{A057A204-BACC-4D26-9990-79A187E2698E} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A057A204-BACC-4D26-9990-79A187E2698E}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\ not found.
========== FILES ==========
C:\WINDOWS\chsha.qgm moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Arlene
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 1336404 bytes
->Java cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be deleted on reboot.
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 16786 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 483 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 1.39 mb


OTL by OldTimer - Version 3.0.10.3 log created on 08012009_233053

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

#9 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:02:54 AM

Posted 02 August 2009 - 11:09 AM

How is your computer behaving now?
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#10 awawia

awawia
  • Topic Starter


Posted 03 August 2009 - 08:00 AM

It's still doing the same thing. The file C:\WINDOWS\System\chsqgm cannot be removed. I have tried in safe mode and in regular... it keeps coming back. This is the file that Avira picks up as the Trojan. It's really annoying and I appreciate your help. I am thinking of doing a recovery on my computer... that will get rid of it.

#11 awawia

awawia
  • Topic Starter


Posted 03 August 2009 - 08:12 AM

correction: C:\WINDOWS\System\chsha.qgm

#12 Buckeye_Sam

Buckeye_Sam

    Malware Expert



Posted 03 August 2009 - 10:25 AM

Let's see if we can get more information about what we're dealing with here.

Please visit the online Jotti Virus Scanner
  • Click on Browse button.
  • Navigate to the following file and upload it.


    C:\WINDOWS\System\chsha.qgm


  • Click on the Submit button.
    The scanner will check the file with various AV companies.
  • Copy and paste the results box into a reply to this thread.

If Jotti's too busy, try here:
Go here: http://www.virustotal.com/en/virustotalf.html

#13 awawia

awawia
  • Topic Starter


Posted 04 August 2009 - 07:14 PM

Jotti's malware scan
Filename: chsha.qgm
Status: Scan finished. 17 out of 21 scanners reported malware.
Scan taken on: Wed 5 Aug 2009 02:12:38 (CET)



--------------------------------------------------------------------------------
Additional info
File size: 18432 bytes
Filetype: PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
MD5: 6c3a72ec93a6f9c8e9900081616622d4
SHA1: 01552e55874f0e6e0837426c0d02b06193223a40




Scanners
2009-08-04 Found nothing
2009-08-05 Trojan.PWS.Agent.SHZ
2009-08-05 Trojan-PWS.Win32.Kates!IK
2009-08-04 Trojan-PWS.Win32.Kates
2009-08-04 Win32:Daonol-P
2009-08-04 Trojan-PSW.Win32.Kates.c
2009-08-04 Defiler
2009-08-04 Win32/Delf.OIQ
2009-08-04 TR/Drop.Agent.qna.2
2009-08-04 Found nothing
2009-08-04 Trojan.PWS.Agent.SHZ
2009-08-04 Trj/Daonol.D
2009-08-05 Found nothing
2009-08-04 TrojanPSW.Kates.c
2009-08-05 Found nothing
2009-08-05 Troj/Daonol-Fam
2009-08-05 Trojan.AuxSpy.19
2009-08-04 Trojan-PSW.Win32.Kates.c
2009-08-04 W32/Seekwel.A.gen!Eldorado
2009-08-04 Trojan.Daonol.Gen
2009-08-04 Trojan:W32/Daonol.gen!C
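An added example, not part of this thread or of Jotti's own tooling, showing how a helper would triage a multi-scanner report like the one above and the upload step Buckeye_Sam describes: it re-computes the MD5/SHA1 that Jotti prints so the sample on disk can be matched to the report, tallies the detection ratio, and counts how many vendors agree on a family name. The table is a constructed copy of the posted results (the scanner-name column was lost in extraction), and the only page values used are the two reported hashes.

```python
import hashlib
import re

# Hashes exactly as reported by the Jotti scan posted in this thread.
REPORTED = {"md5": "6c3a72ec93a6f9c8e9900081616622d4",
            "sha1": "01552e55874f0e6e0837426c0d02b06193223a40"}

# Constructed sample input: the scanner table copied from the post above. The
# scanner-name column was lost in extraction, so each entry is "<date> <verdict>".
JOTTI_TABLE = """\
2009-08-04 Found nothing 2009-08-05 Trojan.PWS.Agent.SHZ
2009-08-05 Trojan-PWS.Win32.Kates!IK 2009-08-04 Trojan-PWS.Win32.Kates
2009-08-04 Win32:Daonol-P 2009-08-04 Trojan-PSW.Win32.Kates.c
2009-08-04 Defiler 2009-08-04 Win32/Delf.OIQ
2009-08-04 TR/Drop.Agent.qna.2 2009-08-04 Found nothing
2009-08-04 Trojan.PWS.Agent.SHZ 2009-08-04 Trj/Daonol.D
2009-08-05 Found nothing 2009-08-04 TrojanPSW.Kates.c
2009-08-05 Found nothing 2009-08-05 Troj/Daonol-Fam
2009-08-05 Trojan.AuxSpy.19 2009-08-04 Trojan-PSW.Win32.Kates.c
2009-08-04 W32/Seekwel.A.gen!Eldorado 2009-08-04 Trojan.Daonol.Gen
2009-08-04 Trojan:W32/Daonol.gen!C
"""

# A verdict is either the literal "Found nothing" or one whitespace-free name.
ENTRY_RE = re.compile(r"(\d{4}-\d{2}-\d{2})\s+(Found nothing|\S+)")

def parse_verdicts(table: str) -> list[tuple[str, str]]:
    """Return (scan date, verdict) pairs in the order they appear."""
    return ENTRY_RE.findall(table)

def detection_ratio(table: str) -> tuple[int, int]:
    """(scanners that flagged the file, scanners that ran)."""
    verdicts = parse_verdicts(table)
    hits = [v for _, v in verdicts if v != "Found nothing"]
    return len(hits), len(verdicts)

def family_counts(table: str, families: list[str]) -> dict[str, int]:
    """How many vendor names mention each family (case-insensitive)."""
    names = [v.lower() for _, v in parse_verdicts(table)]
    return {f: sum(f.lower() in n for n in names) for f in families}

def hash_bytes(data: bytes) -> dict[str, str]:
    # MD5 and SHA1 hex digests, the two values Jotti reports.
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest()}

def matches_report(data: bytes, reported: dict[str, str] = REPORTED) -> bool:
    """True only if both digests equal those in the scan report."""
    got = hash_bytes(data)
    return all(got[k] == v.lower() for k, v in reported.items())
```

Feed `matches_report` the bytes of the file you actually uploaded; a mismatch means the report describes a different sample than the one on disk.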

#14 Buckeye_Sam

Buckeye_Sam

    Malware Expert



Posted 05 August 2009 - 03:08 PM

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot of the ComboFix message]


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#15 awawia

awawia
  • Topic Starter


Posted 05 August 2009 - 05:26 PM

I believe the file is gone. I do not get the message from Avira so far. I have included the log file from ComboFix.

Thanks

Attached Files