
need help please with my log


  • This topic is locked
28 replies to this topic

#1 PULLINGoutmyEYEBROWS


Posted 11 August 2009 - 07:55 PM

Hi,

I am unsure what is wrong with my computer.
It started with System Restore not working at all.
I was told what to do and got it back.
I was moved from there to the "Am I infected? What do I do?" section.
Here is the link to where I was in here:
http://www.bleepingcomputer.com/forums/ind...p;#entry1377791 if this helps.

I'm sorry, I ran the programs and showed the logs but haven't a clue as to what any of it means, so I don't really know what I am infected with.

I know the Dr.Web CureIt found a bunch of Trojan.PWS.GoldSpy.origin stuff.
After that I couldn't do the RootRepeal on my computer; it just froze it up and shut my Avast down (froze up when Avast was off as well). Nothing helped to get it to work,
so I was sent to you guys from garmanma (a great help).

I am so thankful for your help and appreciate your time!!

Attached Files

  • Attached File  DDS.txt   7.09KB   2 downloads



#2 Buckeye_Sam

Malware Expert

Posted 13 August 2009 - 12:38 PM

Hello!
My name is Sam and I will be helping you.

In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.


We need to create an OTL Report
  • Please download OTL from here
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the "Run Scan" button.
  • The scan should take just a few minutes.
  • Copy the log that opens up and paste it back here in your next reply.



=============


The next log will show us any hidden files that are present.

Download GMER from here:
  • Unzip it to the desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for Show All.
  • Click on Scan.
  • When the scan has run click Copy and paste the results (if any) into this thread.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 PULLINGoutmyEYEBROWS

Topic Starter

Posted 16 August 2009 - 10:00 AM

Hi Sam, pleased to meet you!

OK, this is what happens first with the OTL.
I got it downloaded and started scanning. It tried for a few then stopped where it says:
scanning service: RetroLauncher....

The error message box says on top: Windows - No Disk
Inside the box: exception processing message xooooo13 parameters 75b6bf9c 4 75b6bf9c 75b6bf9c
Bottom of the box: Cancel / Try Again / Continue

I tried again by clicking and it just dings but doesn't let me do any option, not even close it; I had to close it by right-click > Close on the icon on the bottom taskbar.

I tried reinstalling the program and the same thing happened again.

For the 2nd program I cannot download it by clicking "here".
It pulls up the new window to download and I get the message that says:
Internet Explorer cannot display this webpage

I went to Google and just looked up the main site to download from and I get the same message again.
Weird?
I don't know if I should try from CNET or MajorGeeks?
I think I can do it from there OK because it pulls up those sites no problem,
but thought I would wait to see what you said first?

And Sam, thanks for helping beforehand - you may be pulling eyebrows before we're done here as well, lol!!

#4 Buckeye_Sam

Malware Expert

Posted 16 August 2009 - 12:27 PM

It definitely seems as if something is blocking your access to the programs that we need. If you can get GMER from another site (make sure it's reputable), go ahead and try that.

Additionally let's see if we can get Combofix to run for us.


Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3

--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.

========================================================
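The "something is blocking your access" hypothesis can be checked against an OTL log directly rather than by trial and error. The script below is an added example, not Buckeye_Sam's procedure and not OldTimer's code: it scans OTL-format lines for an Internet Explorer proxy forced through a loopback address, for services still registered although their executable is gone, and for BootExecute entries that point at no file. The sample lines are constructed to match the line shapes of the OTL log pasted later in this thread; the function names and the `known_local_ports` exemption are my own. A loopback proxy is only a problem when no trusted local web filter owns that port, so confirm which process (if any) listens there before treating it as a hijack.

```python
import re
from collections import defaultdict

# Constructed sample in the line shapes OTL uses for its Internet Explorer,
# service and BootExecute sections (modelled on the log in this thread; not a
# real OTL run).
SAMPLE_OTL_LINES = r'''
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.roadrunner.com
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 127.0.0.1:1280
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 127.0.0.1:1280
IE - HKU\S-1-5-19\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-840668293-2092946328-2401134627-1003\S-1-5-21-840668293-2092946328-2401134627-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\S-1-5-21-840668293-2092946328-2401134627-1003\S-1-5-21-840668293-2092946328-2401134627-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 127.0.0.1:12080
SRV - File not found -- -- (AOL ACS [Auto | Stopped])
SRV - [2009/02/05 17:08:40 | 00,138,680 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe -- (avast! Antivirus [Auto | Running])
SRV - File not found -- -- (RetroLauncher [Auto | Stopped])
O34 - HKLM BootExecute: (M) - File not found
O34 - HKLM BootExecute: (D\M) - File not found
'''.strip().splitlines()

PROXY_RE = re.compile(
    r'^IE - (?P<hive>HKLM|HKU\\[^\\]+)\\.*Internet Settings: '
    r'"(?P<key>ProxyEnable|ProxyServer)" = (?P<value>.*)$')
MISSING_SRV_RE = re.compile(r'^SRV - File not found -- -- \((?P<name>.+?) \[')
BOOTEXEC_RE = re.compile(r'^O34 - HKLM BootExecute: \((?P<entry>.*)\) - File not found$')


def proxy_settings(lines):
    """Group the ProxyEnable/ProxyServer values OTL reports, per registry hive."""
    settings = defaultdict(dict)
    for line in lines:
        m = PROXY_RE.match(line)
        if m:
            settings[m.group('hive')][m.group('key')] = m.group('value').strip()
    return dict(settings)


def loopback_ports(proxy_server):
    """Ports of the loopback entries in a ProxyServer value.

    The value is either 'host:port' or a ';'-separated list of
    'scheme=host:port' entries; only loopback hosts contribute a port.
    """
    ports = set()
    for part in proxy_server.split(';'):
        hostport = part.split('=', 1)[-1].strip()
        host, sep, port = hostport.rpartition(':')
        if not sep:  # no port given at all
            host, port = hostport, ''
        if host.lower() == 'localhost' or host.startswith('127.'):
            ports.add(port)
    return ports


def find_loopback_proxies(lines, known_local_ports=frozenset()):
    """Hives where IE is forced through a loopback proxy no trusted filter owns.

    known_local_ports holds ports a trusted local web filter is confirmed to
    listen on (an assumption to verify on the host); those hives are skipped.
    Returns sorted (hive, ProxyServer) pairs.
    """
    hits = []
    for hive, values in proxy_settings(lines).items():
        if values.get('ProxyEnable') != '1':
            continue
        ports = loopback_ports(values.get('ProxyServer', ''))
        if ports and not ports <= set(known_local_ports):
            hits.append((hive, values['ProxyServer']))
    return sorted(hits)


def find_missing_file_services(lines):
    """Services still registered although OTL finds no executable for them."""
    return [m.group('name') for m in map(MISSING_SRV_RE.match, lines) if m]


def find_bootexecute_entries(lines):
    """BootExecute entries OTL could not resolve to a file (a stock system carries only autocheck autochk *)."""
    return [m.group('entry') for m in map(BOOTEXEC_RE.match, lines) if m]


def triage(lines, known_local_ports=frozenset()):
    """One dict with the three indicator lists, ready to print or compare."""
    return {
        'loopback_proxies': find_loopback_proxies(lines, known_local_ports),
        'missing_file_services': find_missing_file_services(lines),
        'bootexecute': find_bootexecute_entries(lines),
    }


if __name__ == '__main__':
    for key, value in triage(SAMPLE_OTL_LINES).items():
        print(key, value)
```

Run it as-is to triage the constructed sample, or pass the lines of a real OTL.txt to `triage()`. A proxy pinned to 127.0.0.1 with no process listening on that port is the usual reason a browser reports that it "cannot display this webpage" while the same site loads fine from another machine, which is exactly the symptom described earlier in this thread.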

#5 PULLINGoutmyEYEBROWS

Topic Starter

Posted 16 August 2009 - 03:34 PM

I'm an idiot.
I just came to go back on my computer and I noticed on my desktop a thumbs icon and a folder %PROFILEUSERS%.
Weird.

I thought maybe the OTL program was working after all, so I tried it again and this time I just kept re-hitting Continue over and over until it finally did continue.
Weird.

So here is the first of 2 OTL logs that came up after the scan. This one is called OTL:
attached

About GMER
I retried clicking on your "here" to download GMER.
This time the window opened in IE and the site was available, so I downloaded from it.
When I scanned (I had the same error message on this program as well, but I just kept pushing Continue until it finally did)
Here is the GMER log:
attached

Last, how do I rename a file?

I just went in to see why I had those two hidden files on my desktop and my hidden folders/files had been changed
since this morning trying to run that OTL program.
I think it may be why I couldn't open the GMER program either?

OK, I await you, and thank you!!


OTL logfile created on: 8/16/2009 4:12:24 PM - Run 2
OTL by OldTimer - Version 3.0.10.7 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: | Country: | Language: | Date Format:

502.73 Mb Total Physical Memory | 170.77 Mb Available Physical Memory | 33.97% Memory free
1.20 Gb Paging File | 0.91 Gb Available in Paging File | 76.00% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINNT | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 34.35 Gb Free Space | 46.09% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: S1100530576
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2009/02/16 00:10:22 | 02,402,184 | ---- | M] (Check Point Software Technologies LTD) -- C:\WINNT\System32\ZoneLabs\vsmon.exe
PRC - [2009/02/05 17:01:25 | 00,018,752 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
PRC - [2009/02/05 17:08:40 | 00,138,680 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe
PRC - [2007/06/13 06:23:07 | 01,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINNT\Explorer.EXE
PRC - [2007/10/18 16:53:41 | 00,098,984 | ---- | M] (Lexmark International, Inc.) -- C:\WINNT\System32\spool\DRIVERS\W32X86\3\lxdvserv.exe
PRC - [2009/02/05 17:08:45 | 00,081,000 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashDisp.exe
PRC - [2009/02/16 00:10:22 | 00,981,384 | ---- | M] (Check Point Software Technologies LTD) -- C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
PRC - [2007/10/18 16:53:53 | 00,594,600 | ---- | M] ( ) -- C:\WINNT\System32\lxdvcoms.exe
PRC - [2003/03/31 07:00:00 | 00,008,192 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\cidaemon.exe
PRC - [2004/08/04 03:56:57 | 00,013,824 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\wscntfy.exe
PRC - [2009/08/16 10:39:07 | 00,514,048 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe

========== Win32 Services (SafeList) ==========

SRV - [2008/09/18 13:00:06 | 00,072,704 | ---- | M] (Adobe Systems) -- C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe -- (Adobe LM Service [On_Demand | Stopped])
SRV - File not found -- -- (AOL ACS [Auto | Stopped])
SRV - File not found -- -- (AOL TopSpeedMonitor [Auto | Stopped])
SRV - [2007/10/24 02:47:22 | 00,033,800 | ---- | M] (Microsoft Corporation) -- C:\WINNT\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2009/02/05 17:01:25 | 00,018,752 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe -- (aswUpdSv [Auto | Running])
SRV - [2009/02/05 17:08:40 | 00,138,680 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe -- (avast! Antivirus [Auto | Running])
SRV - [2009/02/05 17:08:26 | 00,254,040 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe -- (avast! Mail Scanner [On_Demand | Stopped])
SRV - [2009/02/05 17:06:04 | 00,352,920 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe -- (avast! Web Scanner [On_Demand | Stopped])
SRV - [2007/10/24 02:47:40 | 00,070,144 | ---- | M] (Microsoft Corporation) -- C:\WINNT\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2004/08/04 03:56:44 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINNT\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - File not found -- -- (iPod Service [On_Demand | Stopped])
SRV - [2007/10/18 16:53:41 | 00,098,984 | ---- | M] (Lexmark International, Inc.) -- C:\WINNT\System32\spool\DRIVERS\W32X86\3\lxdvserv.exe -- (lxdvCATSCustConnectService [Auto | Running])
SRV - [2007/10/18 16:53:53 | 00,594,600 | ---- | M] ( ) -- C:\WINNT\System32\lxdvcoms.exe -- (lxdv_device [Auto | Running])
SRV - [2006/10/09 22:11:08 | 00,724,992 | ---- | M] (Nero AG) -- C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe -- (NBService [On_Demand | Stopped])
SRV - [2003/03/03 14:33:40 | 00,143,360 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\NCS\Sync\NetSvc.exe -- (NetSvc [On_Demand | Stopped])
SRV - [2004/01/05 03:27:32 | 00,065,795 | ---- | M] (HP) -- C:\WINNT\System32\HPZipm12.exe -- (Pml Driver HPZ12 [On_Demand | Stopped])
SRV - File not found -- -- (RetroLauncher [Auto | Stopped])
SRV - [2004/08/04 03:56:44 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINNT\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (uploadmgr [Auto | Stopped])
SRV - [2009/02/16 00:10:22 | 02,402,184 | ---- | M] (Check Point Software Technologies LTD) -- C:\WINNT\System32\ZoneLabs\vsmon.exe -- (vsmon [Auto | Running])
SRV - [2006/10/18 21:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])

========== Driver Services (SafeList) ==========

DRV - [2009/02/05 17:05:11 | 00,026,944 | ---- | M] (ALWIL Software) -- C:\WINNT\System32\drivers\aavmker4.sys -- (Aavmker4 [System | Running])
DRV - [2001/08/17 13:20:04 | 00,096,256 | ---- | M] (Intel Corporation) -- C:\WINNT\System32\drivers\ac97intc.sys -- (ac97intc [On_Demand | Stopped])
DRV - [2003/04/25 01:48:02 | 00,730,092 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINNT\System32\drivers\ALCXWDM.SYS -- (ALCXWDM [On_Demand | Running])
DRV - [2009/02/05 17:07:12 | 00,020,560 | ---- | M] (ALWIL Software) -- C:\WINNT\System32\DRIVERS\aswFsBlk.sys -- (aswFsBlk [Auto | Running])
DRV - [2009/02/05 17:08:10 | 00,094,032 | ---- | M] (ALWIL Software) -- C:\WINNT\System32\drivers\aswmon2.sys -- (aswMon2 [Auto | Running])
DRV - [2009/02/05 17:06:10 | 00,023,152 | ---- | M] (ALWIL Software) -- C:\WINNT\System32\drivers\aswRdr.sys -- (aswRdr [On_Demand | Running])
DRV - [2009/02/05 17:07:23 | 00,114,768 | ---- | M] (ALWIL Software) -- C:\WINNT\System32\drivers\aswSP.sys -- (aswSP [System | Running])
DRV - [2009/02/05 17:06:20 | 00,051,376 | ---- | M] (ALWIL Software) -- C:\WINNT\System32\drivers\aswTdi.sys -- (aswTdi [System | Running])
DRV - [2006/10/04 22:42:42 | 00,002,432 | ---- | M] (Sonic Solutions) -- C:\WINNT\System32\drivers\cdr4_xp.sys -- (Cdr4_xp [System | Stopped])
DRV - [2006/10/04 22:42:42 | 00,002,560 | ---- | M] (Sonic Solutions) -- C:\WINNT\System32\drivers\cdralw2k.sys -- (Cdralw2k [System | Stopped])
DRV - [2007/11/16 19:55:00 | 00,165,496 | ---- | M] (Intel Corporation) -- C:\WINNT\System32\DRIVERS\e100b325.sys -- (E100B [On_Demand | Running])
DRV - [2008/01/29 12:01:28 | 00,016,168 | ---- | M] (GEAR Software Inc.) -- C:\WINNT\System32\Drivers\GEARAspiWDM.sys -- (GEARAspiWDM [On_Demand | Running])
DRV - [2004/01/05 03:27:32 | 00,051,056 | R--- | M] (HP) -- C:\WINNT\System32\DRIVERS\HPZid412.sys -- (HPZid412 [On_Demand | Stopped])
DRV - [2004/01/05 03:27:34 | 00,016,496 | R--- | M] (HP) -- C:\WINNT\System32\DRIVERS\HPZipr12.sys -- (HPZipr12 [On_Demand | Stopped])
DRV - [2004/01/05 03:27:34 | 00,021,488 | ---- | M] (HP) -- C:\WINNT\System32\DRIVERS\HPZius12.sys -- (HPZius12 [On_Demand | Stopped])
DRV - [2003/11/20 10:25:14 | 00,095,579 | ---- | M] (Intel Corporation) -- C:\WINNT\System32\DRIVERS\ialmnt5.sys -- (ialm [On_Demand | Running])
DRV - [2003/03/21 02:00:00 | 00,201,088 | ---- | M] (Intel Corporation) -- C:\WINNT\System32\DRIVERS\iaStor.sys -- (iaStor [Boot | Running])
DRV - [2003/07/16 20:52:28 | 01,075,685 | ---- | M] (Intel Corporation) -- C:\WINNT\System32\DRIVERS\IntelC51.sys -- (IntelC51 [On_Demand | Running])
DRV - [2003/07/16 20:51:56 | 00,481,305 | ---- | M] (Intel Corporation) -- C:\WINNT\System32\DRIVERS\IntelC52.sys -- (IntelC52 [On_Demand | Running])
DRV - [2003/07/16 20:52:40 | 00,050,805 | ---- | M] (Intel Corporation) -- C:\WINNT\System32\DRIVERS\IntelC53.sys -- (IntelC53 [On_Demand | Running])
DRV - [2005/07/07 17:05:20 | 00,008,413 | ---- | M] (RealNetworks, Inc.) -- C:\WINNT\System32\drivers\mcstrm.sys -- (MCSTRM [Auto | Running])
DRV - [2003/07/16 20:51:28 | 00,031,440 | ---- | M] (Intel Corporation) -- C:\WINNT\System32\DRIVERS\mohfilt.sys -- (mohfilt [On_Demand | Running])
DRV - [2005/01/21 19:15:16 | 00,028,352 | ---- | M] (MusicMatch, Inc.) -- C:\WINNT\System32\drivers\MxlW2k.sys -- (MxlW2k [On_Demand | Running])
DRV - [2004/08/04 01:29:54 | 01,897,408 | ---- | M] (NVIDIA Corporation) -- C:\WINNT\System32\DRIVERS\nv4_mini.sys -- (nv [On_Demand | Stopped])
DRV - [2009/01/11 17:29:21 | 00,047,360 | ---- | M] (VSO Software) -- C:\WINNT\System32\Drivers\pcouffin.sys -- (pcouffin [On_Demand | Running])
DRV - [2003/03/31 07:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINNT\System32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2007/11/29 18:30:24 | 00,043,528 | ---- | M] (Sonic Solutions) -- C:\WINNT\System32\DRIVERS\PxHelp20.sys -- (PxHelp20 [Boot | Running])
DRV - [2009/07/28 10:53:16 | 00,009,968 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS -- (SASDIFSV [System | Running])
DRV - [2009/07/28 10:53:16 | 00,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM [On_Demand | Stopped])
DRV - [2009/07/28 10:53:14 | 00,072,944 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys -- (SASKUTIL [System | Running])
DRV - [2007/11/13 06:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINNT\System32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
DRV - [2008/11/17 02:24:00 | 00,051,688 | ---- | M] (Check Point Software Technologies LTD) -- C:\WINNT\system32\ZoneLabs\srescan.sys -- (srescan [Boot | Running])
DRV - [2001/08/17 14:52:22 | 00,036,736 | ---- | M] (Promise Technology, Inc.) -- C:\WINNT\System32\DRIVERS\ultra.sys -- (ultra [Boot | Running])
DRV - [2009/02/16 00:10:26 | 00,353,672 | ---- | M] (Check Point Software Technologies LTD) -- C:\WINNT\System32\vsdatant.sys -- (vsdatant [System | Running])
DRV - [2003/01/10 18:13:04 | 00,033,588 | ---- | M] (America Online, Inc.) -- C:\WINNT\System32\DRIVERS\wanatw4.sys -- (wanatw [On_Demand | Stopped])
DRV - [2003/11/20 10:26:20 | 00,122,110 | ---- | M] (Intel Corporation) -- C:\WINNT\System32\drivers\ialmsbw.sys -- ({6080A529-897E-4629-A488-ABA0C29B635E} [On_Demand | Running])
DRV - [2003/11/20 10:26:12 | 00,099,002 | ---- | M] (Intel Corporation) -- C:\WINNT\System32\drivers\ialmkchw.sys -- ({D31A0762-0CEB-444e-ACFF-B049A1F6FE91} [On_Demand | Running])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.roadrunner.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.roadrunner.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://red.clientapps.yahoo.com/customize/...rch/search.html
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 127.0.0.1:1280

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 127.0.0.1:1280

IE - HKU\S-1-5-19\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-840668293-2092946328-2401134627-1003\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
IE - HKU\S-1-5-21-840668293-2092946328-2401134627-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\system32\blank.htm
IE - HKU\S-1-5-21-840668293-2092946328-2401134627-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKU\S-1-5-21-840668293-2092946328-2401134627-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-840668293-2092946328-2401134627-1003\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\S-1-5-21-840668293-2092946328-2401134627-1003\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerm...tf8&oe=utf8
IE - HKU\S-1-5-21-840668293-2092946328-2401134627-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/
IE - HKU\S-1-5-21-840668293-2092946328-2401134627-1003\S-1-5-21-840668293-2092946328-2401134627-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\S-1-5-21-840668293-2092946328-2401134627-1003\S-1-5-21-840668293-2092946328-2401134627-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 127.0.0.1:12080



O1 HOSTS File: (225454 bytes) - C:\WINNT\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 babe.the-killer.bz
O1 - Hosts: 127.0.0.1 www.babe.the-killer.bz
O1 - Hosts: 127.0.0.1 babe.k-lined.com
O1 - Hosts: 127.0.0.1 www.babe.k-lined.com
O1 - Hosts: 127.0.0.1 did.i-used.cc
O1 - Hosts: 127.0.0.1 www.did.i-used.cc
O1 - Hosts: 127.0.0.1 coolwwwsearch.com
O1 - Hosts: 127.0.0.1 www.coolwwwsearch.com
O1 - Hosts: 127.0.0.1 coolwebsearch.com
O1 - Hosts: 127.0.0.1 www.coolwebsearch.com
O1 - Hosts: 127.0.0.1 hi.studioaperto.net
O1 - Hosts: 127.0.0.1 www.hi.studioaperto.net
O1 - Hosts: 127.0.0.1 webbrowser.tv
O1 - Hosts: 127.0.0.1 www.webbrowser.tv
O1 - Hosts: 127.0.0.1 wazzupnet.com
O1 - Hosts: 127.0.0.1 www.wazzupnet.com
O1 - Hosts: 127.0.0.1 gueb.com
O1 - Hosts: 127.0.0.1 www.gueb.com
O1 - Hosts: 127.0.0.1 kabex.com
O1 - Hosts: 127.0.0.1 www.kabex.com
O1 - Hosts: 127.0.0.1 hityou.com
O1 - Hosts: 127.0.0.1 www.hityou.com
O1 - Hosts: 127.0.0.1 miosearch.com
O1 - Hosts: 127.0.0.1 www.miosearch.com
O1 - Hosts: 7914 more lines...
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {201f27d4-3704-41d6-89c1-aa35e39143ed} - Reg Error: Value error. File not found
O3 - HKLM\..\Toolbar: (no name) - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - Reg Error: Value error. File not found
O3 - HKU\S-1-5-21-840668293-2092946328-2401134627-1003\..\Toolbar\WebBrowser: (no name) - {3041D03E-FD4B-44E0-B742-2D9B88305F98} - Reg Error: Value error. File not found
O4 - HKLM..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
O4 - HKLM..\Run: [ZoneAlarm Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe (Check Point Software Technologies LTD)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoToolbarCustomize = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoBandCustomize = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-840668293-2092946328-2401134627-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-840668293-2092946328-2401134627-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoToolbarCustomize = 0
O7 - HKU\S-1-5-21-840668293-2092946328-2401134627-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoBandCustomize = 0
O7 - HKU\S-1-5-21-840668293-2092946328-2401134627-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSaveSettings = 0
O15 - HKLM\..Trusted Domains: 33 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\.DEFAULT\..Trusted Domains: 32 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-18\..Trusted Domains: 32 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/...b?1141061328921 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1141933819203 (MUWebControl Class)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/get/flash...ent/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.15.1
O18 - Protocol\Handler\cetihpz {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll (Hewlett-Packard Company)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Filter: - text/html - No CLSID value found
O20 - AppInit_DLLs: (C:\WINNT\system32\cssdll32.dll) - C:\WINNT\System32\cssdll32.dll (COMODO)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINNT\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\dimsntfy: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O33 - MountPoints2\{72d2c275-2fea-11dd-acf8-00038a000015}\Shell - "" = AutoRun
O33 - MountPoints2\{72d2c275-2fea-11dd-acf8-00038a000015}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{72d2c275-2fea-11dd-acf8-00038a000015}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- File not found
O33 - MountPoints2\{e29e7859-b738-11dd-b173-00111132d3eb}\Shell - "" = AutoRun
O33 - MountPoints2\{e29e7859-b738-11dd-b173-00111132d3eb}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{e29e7859-b738-11dd-b173-00111132d3eb}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (p–`DM) - File not found
O34 - HKLM BootExecute: (M) - File not found
O34 - HKLM BootExecute: (D\M) - File not found
O34 - HKLM BootExecute: (Dpt`l<F) - File not found
O34 - HKLM BootExecute: () - File not found

========== Files/Folders - Created Within 30 Days ==========

[2009/08/16 16:10:04 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\things
[2009/08/16 10:28:55 | 00,514,048 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2009/08/11 20:57:18 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\DDS LOGS HJT BLEEP COMPUTER
[2009/08/10 22:08:04 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NOS
[2009/08/10 22:08:03 | 00,000,000 | ---D | C] -- C:\Program Files\NOS
[2009/08/08 14:03:29 | 00,462,996 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\RootRepeal.zip
[2009/08/06 20:04:17 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\super antispyware stuff
[2009/08/06 17:13:39 | 00,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2009/08/03 11:22:21 | 00,050,688 | ---- | C] (Atribune.org) -- C:\Documents and Settings\Owner\Desktop\ATF-Cleaner.exe
[2009/08/01 18:17:35 | 00,038,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINNT\System32\drivers\mbamswissarmy.sys
[2009/08/01 18:17:32 | 00,019,096 | ---- | C] (Malwarebytes Corporation) -- C:\WINNT\System32\drivers\mbam.sys
[2009/08/01 18:17:32 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/07/25 15:30:19 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\COMPUTER HELP
[2009/07/25 13:02:52 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\malwarbyte logs and info
[2009/07/23 21:54:50 | 00,000,000 | ---D | C] -- C:\regbackupjuly23
[2009/07/01 23:46:13 | 00,000,057 | ---- | C] () -- C:\WINNT\Easy DVD Creator.INI
[2009/01/11 15:08:30 | 00,524,288 | ---- | C] () -- C:\WINNT\System32\xvidcore.dll
[2009/01/11 15:08:30 | 00,139,264 | ---- | C] () -- C:\WINNT\System32\xvidvfw.dll
[2008/12/28 19:58:16 | 00,000,206 | ---- | C] () -- C:\WINNT\EurekaLog.ini
[2008/10/14 11:48:11 | 00,040,960 | ---- | C] () -- C:\WINNT\System32\lxdvvs.dll
[2008/10/14 11:48:00 | 00,348,160 | ---- | C] () -- C:\WINNT\System32\lxdvcoin.dll
[2008/10/14 11:46:25 | 00,692,224 | ---- | C] () -- C:\WINNT\System32\lxdvdrs.dll
[2008/10/14 11:46:25 | 00,065,536 | ---- | C] () -- C:\WINNT\System32\lxdvcaps.dll
[2008/10/14 11:46:24 | 00,069,632 | ---- | C] () -- C:\WINNT\System32\lxdvcnv4.dll
[2008/10/14 11:45:40 | 00,045,056 | ---- | C] () -- C:\WINNT\System32\LXDVPMON.DLL
[2008/10/14 11:45:40 | 00,032,768 | ---- | C] () -- C:\WINNT\System32\LXDVFXPU.DLL
[2008/10/14 11:45:19 | 00,069,632 | ---- | C] () -- C:\WINNT\System32\lxdvoem.dll
[2008/10/14 11:38:53 | 00,000,060 | -H-- | C] () -- C:\WINNT\System32\lxdvrwrd.ini
[2008/10/14 11:38:35 | 00,348,160 | ---- | C] () -- C:\WINNT\System32\LXDVinst.dll
[2008/10/14 11:38:34 | 00,438,272 | ---- | C] ( ) -- C:\WINNT\System32\LXDVhcp.dll
[2008/10/14 11:38:34 | 00,360,448 | ---- | C] ( ) -- C:\WINNT\System32\lxdvinpa.dll
[2008/10/14 11:38:34 | 00,339,968 | ---- | C] ( ) -- C:\WINNT\System32\lxdviesc.dll
[2008/10/14 11:38:32 | 01,069,056 | ---- | C] ( ) -- C:\WINNT\System32\lxdvserv.dll
[2008/10/14 11:38:32 | 00,954,368 | ---- | C] ( ) -- C:\WINNT\System32\lxdvusb1.dll
[2008/10/14 11:38:31 | 00,053,248 | ---- | C] ( ) -- C:\WINNT\System32\lxdvprox.dll
[2008/10/14 11:38:30 | 00,643,072 | ---- | C] ( ) -- C:\WINNT\System32\lxdvpmui.dll
[2008/10/14 11:38:30 | 00,569,344 | ---- | C] ( ) -- C:\WINNT\System32\lxdvlmpm.dll
[2008/10/14 11:38:27 | 00,663,552 | ---- | C] ( ) -- C:\WINNT\System32\lxdvhbn3.dll
[2008/10/14 11:38:25 | 00,208,896 | ---- | C] () -- C:\WINNT\System32\lxdvgrd.dll
[2008/10/14 11:38:22 | 00,851,968 | ---- | C] ( ) -- C:\WINNT\System32\lxdvcomc.dll
[2008/10/14 11:38:22 | 00,364,544 | ---- | C] ( ) -- C:\WINNT\System32\lxdvcomm.dll
[2008/04/17 21:07:43 | 00,000,000 | ---- | C] () -- C:\WINNT\pestpatrol5.INI
[2008/03/21 16:30:08 | 03,596,288 | ---- | C] () -- C:\WINNT\System32\qt-dx331.dll
[2008/03/21 16:28:54 | 00,000,416 | ---- | C] () -- C:\WINNT\System32\dtu100.dll.manifest
[2008/03/21 16:28:54 | 00,000,416 | ---- | C] () -- C:\WINNT\System32\dpl100.dll.manifest
[2008/03/16 17:13:18 | 00,077,312 | ---- | C] () -- C:\WINNT\System32\ztvunace26.dll
[2008/03/16 17:13:17 | 00,162,304 | ---- | C] () -- C:\WINNT\System32\ztvunrar36.dll
[2008/03/16 17:13:17 | 00,153,088 | ---- | C] () -- C:\WINNT\System32\UNRAR3.dll
[2008/03/16 17:13:17 | 00,075,264 | ---- | C] () -- C:\WINNT\System32\unacev2.dll
[2008/02/24 03:01:11 | 00,000,277 | ---- | C] () -- C:\WINNT\maketorrent.ini
[2007/12/30 23:46:13 | 00,000,151 | ---- | C] () -- C:\WINNT\PhotoSnapViewer.INI
[2006/05/23 12:37:19 | 00,293,281 | -HS- | C] () -- C:\WINNT\System32\mocbew.ini
[2006/02/27 13:47:40 | 01,287,680 | ---- | C] () -- C:\WINNT\System32\quartz(2).dll
[2005/12/15 10:28:19 | 00,000,754 | ---- | C] () -- C:\WINNT\WORDPAD.INI
[2005/10/28 17:12:30 | 00,001,666 | ---- | C] () -- C:\WINNT\eb18136f2b24292d715ba0e4a5642b05.ini
[2005/08/24 17:08:47 | 00,000,000 | ---- | C] () -- C:\WINNT\MSDraw.ini
[2005/07/23 20:43:55 | 00,012,288 | ---- | C] () -- C:\WINNT\impborl.dll
[2004/11/18 12:44:29 | 00,000,099 | ---- | C] () -- C:\WINNT\upst.ini
[2004/10/03 00:30:16 | 00,000,000 | ---- | C] () -- C:\WINNT\hpqEmlSz.INI
[2004/10/01 00:56:33 | 00,000,029 | ---- | C] () -- C:\WINNT\atid.ini
[2004/10/01 00:56:32 | 00,000,027 | ---- | C] () -- C:\WINNT\upth.ini
[2004/09/23 22:40:25 | 00,000,045 | ---- | C] () -- C:\WINNT\AEDFEJGN.ini
[2004/09/23 22:39:55 | 00,000,018 | ---- | C] () -- C:\WINNT\wininit.ini
[2004/08/31 20:02:27 | 00,000,229 | ---- | C] () -- C:\WINNT\NeroDigital.ini
[2004/08/29 17:36:05 | 00,002,977 | ---- | C] () -- C:\WINNT\cdPlayer.ini
[2004/08/13 11:27:31 | 00,000,061 | ---- | C] () -- C:\WINNT\smscfg.ini
[2004/05/25 17:01:09 | 00,000,970 | ---- | C] () -- C:\WINNT\QUICKEN.INI
[2004/05/25 16:57:39 | 00,086,016 | ---- | C] () -- C:\WINNT\System32\PCDrKernelModeServices.dll
[2004/05/25 16:57:39 | 00,065,536 | ---- | C] () -- C:\WINNT\System32\ProgressTrace.dll
[2004/05/25 16:55:09 | 00,000,570 | ---- | C] () -- C:\WINNT\System32\OEMINFO.INI
[2003/10/06 15:57:12 | 00,000,770 | ---- | C] () -- C:\WINNT\orun32.ini
[2003/10/06 15:40:33 | 00,363,520 | ---- | C] () -- C:\WINNT\System32\psisdecd.dll
[1980/01/01 01:00:00 | 00,000,702 | ---- | C] () -- C:\WINNT\win.ini
[1980/01/01 01:00:00 | 00,000,274 | ---- | C] () -- C:\WINNT\system.ini

========== Files - Modified Within 30 Days ==========

[690 C:\WINNT\System32\*.tmp files]
[6 C:\WINNT\*.tmp files]
[2009/08/16 16:05:09 | 00,004,212 | -H-- | M] () -- C:\WINNT\System32\zllictbl.dat
[2009/08/16 10:39:07 | 00,514,048 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2009/08/16 10:08:45 | 00,000,229 | ---- | M] () -- C:\WINNT\NeroDigital.ini
[2009/08/15 20:25:05 | 00,208,896 | ---- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/08/14 20:57:18 | 00,001,158 | ---- | M] () -- C:\WINNT\System32\wpa.dbl
[2009/08/14 20:57:05 | 00,350,191 | ---- | M] () -- C:\WINNT\System32\vsconfig.xml
[2009/08/14 20:56:40 | 00,000,006 | -H-- | M] () -- C:\WINNT\tasks\SA.DAT
[2009/08/14 20:56:29 | 00,002,048 | --S- | M] () -- C:\WINNT\bootstat.dat
[2009/08/14 11:54:17 | 03,083,436 | -H-- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\IconCache.db
[2009/08/08 14:03:30 | 00,462,996 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\RootRepeal.zip
[2009/08/03 11:22:21 | 00,050,688 | ---- | M] (Atribune.org) -- C:\Documents and Settings\Owner\Desktop\ATF-Cleaner.exe
[2009/08/01 18:09:02 | 00,002,626 | ---- | M] () -- C:\WINNT\System32\CONFIG.NT
[2009/07/28 20:46:04 | 00,042,224 | ---- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/07/20 20:16:04 | 00,000,754 | ---- | M] () -- C:\WINNT\WORDPAD.INI
[2009/07/19 20:36:00 | 00,170,688 | ---- | M] () -- C:\WINNT\System32\FNTCACHE.DAT

========== Files - Unicode (All) ==========
[2005/07/02 16:46:43 | 00,000,000 | ---D | C](C:\WINNT\System32\??stem) -- C:\WINNT\System32\ѕуstem
[2005/07/03 00:16:52 | 00,000,000 | ---D | C](C:\WINNT\System32\F?nts) -- C:\WINNT\System32\Fоnts
[2005/07/16 09:20:07 | 00,000,000 | ---D | C](C:\WINNT\System32\??stem32) -- C:\WINNT\System32\ѕуstem32
[2005/07/16 09:20:07 | 00,000,000 | ---D | M](C:\WINNT\System32\??stem32) -- C:\WINNT\System32\ѕуstem32
[2005/07/27 18:38:54 | 00,000,000 | ---D | C](C:\WINNT\System32\??sks) -- C:\WINNT\System32\Таsks
[2005/07/27 18:38:54 | 00,000,000 | ---D | M](C:\WINNT\System32\??sks) -- C:\WINNT\System32\Таsks
[2008/03/05 14:57:39 | 00,000,000 | ---D | M](C:\WINNT\System32\F?nts) -- C:\WINNT\System32\Fоnts
[2008/04/21 11:47:20 | 00,000,000 | ---D | M](C:\WINNT\System32\??stem) -- C:\WINNT\System32\ѕуstem
< End of report >

Edited by Buckeye_Sam, 17 August 2009 - 10:08 AM.
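The "Files - Unicode (All)" section of the OTL log above lists System32 subdirectories whose names are spelled with Cyrillic letters that look like Latin ones (ѕуstem, Fоnts, Таsks), which is why OTL prints them with "?" placeholders in the ASCII column. The script below is an added example, not part of this thread and not code from OTL or BleepingComputer: it reads log lines of that shape, looks at the last path component, and flags names that mix scripts or contain Cyrillic lookalikes so a helper can review them. The sample log lines and the small confusables table are constructed for the example.

```python
import unicodedata

# Constructed sample lines in the shape of OTL's file listing. The first three
# reproduce the Cyrillic-lookalike names from the log; the rest are ordinary.
SAMPLE_LINES = [
    "[2005/07/02 16:46:43 | 00,000,000 | ---D | C](C:\\WINNT\\System32\\??stem) -- C:\\WINNT\\System32\\\u0455\u0443stem",
    "[2005/07/03 00:16:52 | 00,000,000 | ---D | C](C:\\WINNT\\System32\\F?nts) -- C:\\WINNT\\System32\\F\u043ents",
    "[2005/07/27 18:38:54 | 00,000,000 | ---D | C](C:\\WINNT\\System32\\??sks) -- C:\\WINNT\\System32\\\u0422\u0430sks",
    "[2009/08/01 18:17:32 | 00,000,000 | ---D | C] -- C:\\Program Files\\Malwarebytes' Anti-Malware",
    "[2009/07/01 23:46:13 | 00,000,057 | ---- | C] () -- C:\\WINNT\\Easy DVD Creator.INI",
    # Legitimate non-ASCII name: single script, no lookalike letters, must not be flagged.
    "[2009/07/01 23:46:13 | 00,000,000 | ---D | C] -- C:\\Documents and Settings\\Owner\\Desktop\\Caf\u00e9",
]

# Cyrillic letters whose glyphs are visually identical to ASCII letters.
# Constructed, deliberately small table for this example; real confusable
# data (e.g. Unicode TR39) is far larger.
CYRILLIC_CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0455": "s", "\u0456": "i", "\u0458": "j",
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041a": "K", "\u041c": "M",
    "\u041d": "H", "\u041e": "O", "\u0420": "P", "\u0421": "C", "\u0422": "T",
    "\u0425": "X",
}


def target_path(line):
    """Return the real (Unicode) path on an OTL line, i.e. the text after ' -- ', or None."""
    sep = " -- "
    if sep not in line:
        return None
    return line.rsplit(sep, 1)[1].strip()


def script_of(ch):
    """Coarse script name ('LATIN', 'CYRILLIC', ...) taken from the character's Unicode name."""
    try:
        return unicodedata.name(ch).split()[0]
    except ValueError:
        return "UNKNOWN"


def analyze_component(name):
    """Describe one path component: scripts used, lookalike letters, and the ASCII name it imitates."""
    scripts = set()
    confusable = []
    folded = []
    for ch in name:
        if ch.isalpha():
            scripts.add(script_of(ch))
        if ch in CYRILLIC_CONFUSABLES:
            confusable.append(ch)
            folded.append(CYRILLIC_CONFUSABLES[ch])
        else:
            folded.append(ch)
    return {"name": name, "scripts": scripts, "confusable": confusable, "lookalike": "".join(folded)}


def scan_unicode_section(lines):
    """Flag every path whose last component mixes scripts or contains Cyrillic lookalikes."""
    findings = []
    for line in lines:
        path = target_path(line)
        if path is None:
            continue
        leaf = path.rsplit("\\", 1)[-1]
        info = analyze_component(leaf)
        if info["confusable"] or len(info["scripts"]) > 1:
            info["path"] = path
            info["reason"] = "; ".join(
                f"U+{ord(c):04X} {unicodedata.name(c)} looks like '{CYRILLIC_CONFUSABLES[c]}'"
                for c in info["confusable"]
            )
            findings.append(info)
    return findings


if __name__ == "__main__":
    for f in scan_unicode_section(SAMPLE_LINES):
        print(f"{f['path']}  -> imitates '{f['lookalike']}' "
              f"[{', '.join(sorted(f['scripts']))}]; {f['reason']}")
```

Run as written, the script reports the three System32 directories and their ASCII lookalikes (system, Fonts, Tasks) while leaving the Malwarebytes, INI and Café entries alone; a name that imitates an existing Windows directory but lives beside it is worth a second look in any listing, not only OTL's.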


#6 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:04:54 PM

Posted 17 August 2009 - 10:12 AM

Well done! Good news is no rootkits appear to be present.



Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use ComboFix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system, such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#7 PULLINGoutmyEYEBROWS

PULLINGoutmyEYEBROWS
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  • Gender:Female
  • Location:messing up my computer
  • Local time:04:54 PM

Posted 29 August 2009 - 04:50 PM

hi now i seem to be having a problem with this combofix
i have done as directed and i was given this message box when it started running:

CAUTION
http||dowload bleepingcomputer.com\sUBs\combofix.exe
http\\www.forospyware.com\sUBs\Combofix.exe
Combofix.exe may be downloaded from any of the above sites. if you have downloaded from some other site there's a likely chance that you may be tainted. for peace of mind i suggest that you delete the current copy and get a fresh one.

I have never gotten such a personal warning box like this before and find it quite disturbing
there aren't any sites above to download from either as it is in a warning box - the program was actually running

the next warning basically said no way affiliated to combofix.org or combofixdownload.com
so i did not agree to the agreements, hit no and got out of the program
only i don't know what it has done to my computer at this point if anything

i pulled up the properties on the combofix icon and it says ::
hades.bleepingcomputer.com
shouldn't it say combofix.com?????

i'm really scared now and no way have deleted the combofix as instructed in the first warning box due to having no idea what is going to happen next if i do.

when i was starting the program my za asked for the pings to connect to the internet
then it asked for combofix.exe to connect to the internet
(if this helps or means anything - not sure what a ping is)

thanks and sorry my COMPUTER is so stupid (lol - not me- lol)

#8 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:04:54 PM

Posted 29 August 2009 - 05:45 PM

It's ok. If you downloaded it from the links that I gave you then you're fine. All that's saying is that if you went searching and found combofix from another unauthorized site then it may not be legit.

Go ahead and let it run. It will access the internet in order to download the recovery console for you.

========================================================

#9 PULLINGoutmyEYEBROWS

PULLINGoutmyEYEBROWS
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  • Gender:Female
  • Location:messing up my computer
  • Local time:04:54 PM

Posted 29 August 2009 - 08:36 PM

i ran the program but the recovery console is not on
according to the log
which is understandable because my internet connection is disabled automatically
when i disable my avast antivirus and antispyware

i noticed a warning in the combofix box that said do not manually reboot when
the program rebooted
do i need to worry?

after the program ran it left me an ie icon on my desktop that wasn't there before
and i actually pulled up my internet with avast disabled
so something good has happened !!

avast is back on and included is my log from the combofix::

thank you!

ComboFix 09-08-29.01 - Owner 08/29/2009 21:05.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.503.247 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
AV: avast! antivirus 4.8.1351 [VPS 090829-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
ADS - svchost.exe: deleted 0 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Application Data\inst.exe
c:\program files\livestream
c:\program files\livestream\img\p2e_1_3.bmp
c:\program files\livestream\img\p2e_2_3.bmp
c:\program files\livestream\img\p2e_3_3.bmp
c:\program files\livestream\img\p2e_go_3.bmp
c:\program files\livestream\img\p2e_logo_2.bmp
c:\program files\livestream\img\Thumbs.db
c:\program files\livestream\p2e\p2e_1.206.1.htm
c:\program files\livestream\p2e\p2eredir.htm
c:\winnt\assembly\rvs3pm.bak2
c:\winnt\Cursors\cbdolru.bak1
c:\winnt\Cursors\cbdolru.bak2
c:\winnt\Cursors\cbdolru.ini
c:\winnt\Cursors\picm.bak2
c:\winnt\Cursors\yalprvs.bak1
c:\winnt\Cursors\yalprvs.bak2
c:\winnt\Cursors\yalprvs.ini
c:\winnt\Fonts\acrsec.fon
c:\winnt\inf\pava.bak1
c:\winnt\inf\pava.bak2
c:\winnt\inf\pava.ini
c:\winnt\msagent\chars\gersmw.bak1
c:\winnt\msagent\chars\gersmw.bak2
c:\winnt\Registration\tnofitna.bak1
c:\winnt\Registration\tnofitna.bak2
c:\winnt\system32\_006911_.tmp.dll
c:\winnt\system32\_006912_.tmp.dll
c:\winnt\system32\_006913_.tmp.dll
c:\winnt\system32\_006914_.tmp.dll
c:\winnt\system32\_006921_.tmp.dll
c:\winnt\system32\_006922_.tmp.dll
c:\winnt\system32\_006923_.tmp.dll
c:\winnt\system32\_006925_.tmp.dll
c:\winnt\system32\_006926_.tmp.dll
c:\winnt\system32\_006929_.tmp.dll
c:\winnt\system32\_006930_.tmp.dll
c:\winnt\system32\_006932_.tmp.dll
c:\winnt\system32\_006933_.tmp.dll
c:\winnt\system32\_006934_.tmp.dll
c:\winnt\system32\_006936_.tmp.dll
c:\winnt\system32\_006939_.tmp.dll
c:\winnt\system32\_006940_.tmp.dll
c:\winnt\system32\_006944_.tmp.dll
c:\winnt\system32\_006945_.tmp.dll
c:\winnt\system32\_006947_.tmp.dll
c:\winnt\system32\_006950_.tmp.dll
c:\winnt\system32\_006952_.tmp.dll
c:\winnt\system32\_006953_.tmp.dll
c:\winnt\system32\_006954_.tmp.dll
c:\winnt\system32\_006955_.tmp.dll
c:\winnt\system32\_006958_.tmp.dll
c:\winnt\system32\_006959_.tmp.dll
c:\winnt\system32\_006960_.tmp.dll
c:\winnt\system32\_006961_.tmp.dll
c:\winnt\system32\_006962_.tmp.dll
c:\winnt\system32\_006967_.tmp.dll
c:\winnt\system32\_006969_.tmp.dll
c:\winnt\system32\drivers\etc\lmhosts
c:\winnt\system32\fnts~1
c:\winnt\system32\mocbew.ini
c:\winnt\system32\sks~1
c:\winnt\system32\stem~1
c:\winnt\system32\stem32~1
c:\winnt\Tasks\lrubil.bak1
c:\winnt\Tasks\lrubil.bak2
c:\winnt\Tasks\lrubil.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ISEXENG


((((((((((((((((((((((((( Files Created from 2009-07-28 to 2009-08-30 )))))))))))))))))))))))))))))))
.

2009-08-11 02:08 . 2009-08-14 16:02 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-08-11 02:08 . 2009-08-14 16:02 -------- d-----w- c:\program files\NOS
2009-08-07 00:46 . 2009-08-07 01:10 -------- d-----w- c:\documents and settings\Owner\DoctorWeb
2009-08-06 21:33 . 2009-08-30 00:47 117760 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-08-06 21:13 . 2009-08-06 21:13 65024 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
2009-08-06 21:13 . 2009-08-06 21:13 18944 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
2009-08-06 21:13 . 2009-08-06 21:13 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-08-01 22:17 . 2009-07-13 17:36 38160 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
2009-08-01 22:17 . 2009-08-01 22:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-01 22:17 . 2009-07-13 17:36 19096 ----a-w- c:\winnt\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-30 01:16 . 2008-02-06 03:22 4212 ---ha-w- c:\winnt\system32\zllictbl.dat
2009-08-29 20:24 . 2007-11-22 05:07 -------- d-----w- c:\documents and settings\Owner\Application Data\Vso
2009-08-29 16:26 . 2008-04-19 00:16 -------- d-----w- c:\documents and settings\Owner\Application Data\uTorrent
2009-08-17 16:10 . 2009-01-09 01:06 1279456 ----a-w- c:\winnt\system32\aswBoot.exe
2009-08-17 16:06 . 2009-01-09 01:07 93392 ----a-w- c:\winnt\system32\drivers\aswmon.sys
2009-08-17 16:06 . 2009-01-09 01:07 94160 ----a-w- c:\winnt\system32\drivers\aswmon2.sys
2009-08-17 16:05 . 2009-01-09 01:07 114768 ----a-w- c:\winnt\system32\drivers\aswSP.sys
2009-08-17 16:05 . 2009-01-09 01:07 20560 ----a-w- c:\winnt\system32\drivers\aswFsBlk.sys
2009-08-17 16:04 . 2009-01-09 01:07 51376 ----a-w- c:\winnt\system32\drivers\aswTdi.sys
2009-08-17 16:04 . 2009-01-09 01:07 23152 ----a-w- c:\winnt\system32\drivers\aswRdr.sys
2009-08-17 16:03 . 2009-01-09 01:07 26944 ----a-w- c:\winnt\system32\drivers\aavmker4.sys
2009-08-17 16:02 . 2009-01-09 01:07 97480 ----a-w- c:\winnt\system32\AvastSS.scr
2009-08-16 14:23 . 2008-06-01 18:26 -------- d-----w- c:\documents and settings\Owner\Application Data\U3
2009-08-06 21:07 . 2008-03-22 22:09 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-02 07:05 . 2008-10-18 19:12 -------- d-----w- c:\documents and settings\All Users\Application Data\ThumbnailCache4R
2009-07-29 00:46 . 2004-09-18 02:39 42224 -c--a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-15 19:14 . 2004-08-27 19:09 -------- d-----w- c:\program files\Common Files\Adobe
2009-07-13 17:57 . 2004-05-25 21:01 -------- d-----w- c:\program files\Microsoft Works
2009-07-13 03:41 . 2009-07-13 03:41 -------- d-----w- c:\documents and settings\Owner\Application Data\Doblon
2009-07-06 21:22 . 2009-07-06 21:22 -------- d-----w- c:\program files\Common Files\Common Share
2009-07-05 17:51 . 2008-02-05 15:23 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-16 14:55 . 1980-01-01 05:00 82432 ----a-w- c:\winnt\system32\fontsub.dll
2009-06-16 14:55 . 1980-01-01 05:00 119808 ----a-w- c:\winnt\system32\t2embed.dll
2009-06-03 19:27 . 2006-02-27 17:47 1290752 ----a-w- c:\winnt\system32\quartz.dll
2004-11-20 05:06 . 2004-11-17 18:58 142066630 -csha-w- c:\winnt\Driver Cache\tens.bak1
2004-11-20 07:09 . 2004-11-20 07:03 426199856 -csh--w- c:\winnt\Driver Cache\tens.bak2
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-08-17 81000]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\winnt\system32\cssdll32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ p–`DM\0M\0D\M\0Dpt`l<F\0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINNT\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Lexmark X5400 Series\\lxdvamon.exe"=
"c:\\Program Files\\Lexmark X5400 Series\\frun.exe"=
"c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"=
"c:\\Program Files\\Lexmark X5400 Series\\lxdvmon.exe"=
"c:\\WINNT\\system32\\lxdvcoms.exe"=
"c:\\Program Files\\Lexmark X5400 Series\\LXDVFax.exe"=
"c:\\WINNT\\system32\\spool\\drivers\\w32x86\\3\\lxdvpswx.exe"=
"c:\\WINNT\\system32\\spool\\drivers\\w32x86\\3\\lxdvjswx.exe"=
"c:\\WINNT\\system32\\spool\\drivers\\w32x86\\3\\lxdvtime.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\WINNT\\system32\\spool\\drivers\\w32x86\\3\\lxdvwbgw.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R1 aswSP;avast! Self Protection;c:\winnt\system32\drivers\aswSP.sys [1/8/2009 9:07 PM 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/28/2009 10:53 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/28/2009 10:53 AM 72944]
R2 aswFsBlk;aswFsBlk;c:\winnt\system32\drivers\aswFsBlk.sys [1/8/2009 9:07 PM 20560]
R2 lxdv_device;lxdv_device;c:\winnt\system32\lxdvcoms.exe -service --> c:\winnt\system32\lxdvcoms.exe -service [?]
R2 lxdvCATSCustConnectService;lxdvCATSCustConnectService;c:\winnt\system32\spool\drivers\w32x86\3\lxdvserv.exe [10/14/2008 11:47 AM 98984]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [7/28/2009 10:53 AM 7408]
.
Contents of the 'Scheduled Tasks' folder

2004-08-26 c:\winnt\Tasks\ISP signup reminder 3.job
- c:\winnt\System32\OOBE\oobebaln.exe [2003-10-06 07:56]
.
- - - - ORPHANS REMOVED - - - -

BHO-{201f27d4-3704-41d6-89c1-aa35e39143ed} - (no file)
Toolbar-{3041d03e-fd4b-44e0-b742-2d9b88305f98} - (no file)
WebBrowser-{3041D03E-FD4B-44E0-B742-2D9B88305F98} - (no file)
Notify-dimsntfy - (no file)


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.roadrunner.com
uInternet Settings,ProxyServer = 127.0.0.1:12080
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-29 21:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-840668293-2092946328-2401134627-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINNT\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINNT\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(672)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(3440)
c:\winnt\system32\WPDShServiceObj.dll
c:\program files\Common Files\aolshare\aolshcpy.dll
c:\winnt\system32\PortableDeviceTypes.dll
c:\winnt\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\winnt\system32\ZoneLabs\vsmon.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\winnt\system32\lxdvcoms.exe
c:\winnt\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-08-30 21:22 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-30 01:22

Pre-Run: 23,531,208,704 bytes free
Post-Run: 23,278,063,616 bytes free

248 --- E O F --- 2009-07-17 14:02

Attached Files

  • Attached File  log.txt   13.67KB   2 downloads

Edited by Buckeye_Sam, 30 August 2009 - 10:24 AM.


#10 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:04:54 PM

Posted 30 August 2009 - 10:33 AM

You did everything just fine. :thumbup2:
We do need to get the recovery console installed for you. Please follow the steps in this link.
http://www.bleepingcomputer.com/combofix/h...manual_recovery


Once you have the recovery console installed, let's proceed with the next fix.

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: CFScript to your desktop.

File::
c:\winnt\Driver Cache\tens.bak1
c:\winnt\Driver Cache\tens.bak2

RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
Prior to running Combofix.exe you should disable your antivirus program.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


=================


Next we're going to run a scan with Malwarebytes to pick up anything that's left over.


Please update Malwarebytes and run a full scan.
  • Open Malwarebytes and select the Update tab.
  • Click on the Check for Updates button and allow the program to download the latest updates.
  • Once you have the latest updates, select the Scanner tab.
  • Select "Perform full scan" and click the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.



After all that is done, let me know how your computer is behaving.

========================================================

#11 PULLINGoutmyEYEBROWS

PULLINGoutmyEYEBROWS
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  • Gender:Female
  • Location:messing up my computer
  • Local time:04:54 PM

Posted 07 September 2009 - 08:34 PM

Hi
everything has been done at last and here is my combofix log and then my Malwarebytes log

thank you!!


#12 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:04:54 PM

Posted 08 September 2009 - 10:05 AM

Looks pretty good to me. How are things on your end? Any problems?

========================================================

#13 PULLINGoutmyEYEBROWS

PULLINGoutmyEYEBROWS
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  • Gender:Female
  • Location:messing up my computer
  • Local time:04:54 PM

Posted 09 September 2009 - 12:20 PM

hi!
everything as far as i can tell seems to be spot on :thumbup2:

on mbam i seem to get the same 13 in the registries. is that no big deal then?

and do i delete the combofix icon and the windows home boot disc icon that's on my desktop?
or do i just leave that alone?

and i am so thankful for your help and patience with me to finally get here!!!! lol

#14 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:04:54 PM

Posted 09 September 2009 - 02:07 PM

hmmm...Malwarebytes is not removing those registry entries?

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :regfind
    mywebsearch
    funwebproducts
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

========================================================

#15 PULLINGoutmyEYEBROWS

PULLINGoutmyEYEBROWS
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  • Gender:Female
  • Location:messing up my computer
  • Local time:04:54 PM

Posted 09 September 2009 - 08:15 PM

hi
here's my log
