
ActiveSecurity Virus/WINCRYPTOR Virus


  • This topic is locked
15 replies to this topic

#1 NorCalMike
  • Members, 24 posts
  • Gender: Male
  • Location: NorthBayArea, California

Posted 08 November 2009 - 07:46 PM

DDS (Ver_09-10-26.01) - NTFSx86
Run by Mike Alford Jr at 15:11:52.79 on Sun 11/08/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1536.920 [GMT -8:00]

AV: Active Security *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\AVG\avgchsvx.exe
C:\Program Files\AVG\avgrsx.exe
C:\Program Files\AVG\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
svchost.exe
C:\Program Files\AVG\avgwdsvc.exe
C:\Program Files\AVG\avgnsx.exe
C:\Documents and Settings\Mike Alford Jr\Application Data\mjusbsp\magicJack.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\lxczcoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\avgemc.exe
C:\Program Files\AVG\avgcsrvx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Cobian Backup 8\Cobian.exe
C:\Program Files\Cobian Backup 8\cbInterface.exe
C:\Documents and Settings\Mike Alford Jr\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avgssie.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [cdloader] "c:\documents and settings\mike alford jr\application data\mjusbsp\cdloader2.exe" MAGICJACK
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [lxczbmgr.exe] "c:\program files\lexmark 1200 series\lxczbmgr.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avgtray.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: craigslist.org\sfbay
DPF: {02A2D714-433E-46E4-B217-7C3B3FAF8EAE} - hxxp://www.worldwinner.com/games/v47/scrabblecubes/scrabblecubes.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} - hxxp://www.worldwinner.com/games/v47/shared/FunGamesLoader.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6796.cab
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} - hxxp://www.worldwinner.com/games/v57/wof/wof.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} - hxxp://www.worldwinner.com/games/v47/familyfeud/familyfeud.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\mikeal~1\applic~1\mozilla\firefox\profiles\f1vfata7.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\avg\firefox\components\avgssff.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-11-1 28552]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-10-29 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-10-29 360584]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avgemc.exe [2009-10-29 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avgwdsvc.exe [2009-10-29 285392]
R2 lxcz_device;lxcz_device;c:\windows\system32\lxczcoms.exe -service --> c:\windows\system32\lxczcoms.exe -service [?]
S2 gupdate1ca163d38ab5de;Google Update Service (gupdate1ca163d38ab5de);c:\program files\google\update\GoogleUpdate.exe [2009-8-5 133104]
S3 getPlusHelper;getPlus® Helper;c:\windows\system32\svchost.exe -k getPlusHelper [2004-8-3 14336]

=============== Created Last 30 ================

2009-11-08 22:47:07 0 d-----w- c:\program files\Cobian Backup 8
2009-11-02 01:15:45 0 d-----w- c:\program files\Trend Micro
2009-11-01 23:21:50 0 d-----w- c:\program files\ACW
2009-11-01 16:47:42 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-11-01 16:47:19 0 d-----w- c:\program files\Panda Security
2009-11-01 16:33:34 1848336 ----a-w- C:\HousecallLauncher.exe
2009-11-01 16:25:43 401720 ----a-w- C:\HJT.exe
2009-10-29 17:21:44 0 d--h--w- C:\$AVG
2009-10-29 17:21:33 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-29 17:21:31 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-10-29 17:21:21 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-29 17:21:16 0 d-----w- c:\windows\system32\drivers\Avg
2009-10-29 17:20:59 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2009-10-29 02:02:23 3244 ----a-w- c:\windows\system32\wbem\Outlook_01ca583bdb2bc8f8.mof
2009-10-27 08:58:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-27 08:58:38 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-27 08:58:38 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-27 08:58:38 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-10-26 02:17:45 0 d-----w- C:\Inetpub
2009-10-16 00:14:40 127 ----a-w- c:\windows\system32\MRT.INI
2009-10-10 10:53:50 73728 ----a-w- c:\windows\system32\javacpl.cpl
2009-10-10 06:37:10 0 d-----w- c:\docume~1\mikeal~1\applic~1\Office Genuine Advantage

==================== Find3M ====================

2009-10-10 10:53:36 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08:21 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll

============= FINISH: 15:13:09.26 ===============
Attached files: DDS.txt (9.12 KB), Attach.txt (4.07 KB), ark.txt (8.24 KB)

I've been directed to post my logs here. I don't remember which file I was supposed to 'zip', because it took me so long in the XP Help Center to realise how easy it is to zip a file that by the time I got it, I didn't remember which one I was to zip. I have an idea which one it is (the Attach.txt one from the DDS report, I think), so here it goes. Thank you.
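An added example, not code from the thread or from the DDS tool: a small Python triage pass over a DDS log shaped like the one above. It pulls out the product DDS read from Security Center (here the "Active Security" entry, flagged Outdated, which the thread title identifies as the rogue), lists running processes launched from under Documents and Settings (a user-writable location where legitimate software such as magicJack also lives, so this is a review list, not a verdict), and pairs kernel drivers from "Created Last 30" with the service that loads them. The excerpt is constructed from lines of the log above with the profile name genericised to "Owner"; the 14-day window is an arbitrary choice.

```python
"""Triage pass over a DDS log (added example; not from the thread or the DDS tool)."""
import re
from datetime import datetime, timedelta

# Constructed excerpt built from lines of the DDS log above; the profile name is
# genericised to 'Owner'. DDS separates sections with '==== Name ====' banners.
SAMPLE_DDS = r"""
AV: Active Security *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\Program Files\AVG\avgtray.exe
C:\Documents and Settings\Owner\Application Data\mjusbsp\magicJack.exe
C:\WINDOWS\system32\spoolsv.exe

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-11-1 28552]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-10-29 360584]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avgwdsvc.exe [2009-10-29 285392]

=============== Created Last 30 ================

2009-11-08 22:47:07 0 d-----w- c:\program files\Cobian Backup 8
2009-11-01 16:47:42 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-10-29 17:21:31 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-10-27 08:58:38 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-27 08:58:38 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

============= FINISH: 15:13:09.26 ===============
"""

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
AV_RE = re.compile(r"^AV:\s+(.+?)\s+\*(.*?)\*(?:\s+\((\w+)\))?")
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (\d+) (\S{8}) (.+)$")
DRIVER_RE = re.compile(r"^[RS]\d+ ([^;]+);[^;]*;(.+?\.sys)\b", re.IGNORECASE)

def split_sections(text):
    """Map upper-cased banner name -> non-blank lines; text before the first banner is HEADER."""
    sections, current = {"HEADER": []}, "HEADER"
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).upper()
            sections.setdefault(current, [])
        elif line:
            sections.setdefault(current, []).append(line)
    return sections

def registered_av(sections):
    """(product, on-access state, signature freshness) for each AV: line DDS read from Security Center."""
    return [(m.group(1), m.group(2), m.group(3) or "")
            for m in map(AV_RE.match, sections["HEADER"]) if m]

# Paths a limited user can write to; anything running from here deserves a look.
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\")

def user_profile_executables(sections):
    """Running processes started from user-writable paths: a review list, not a verdict."""
    return [p for p in sections.get("RUNNING PROCESSES", [])
            if any(marker in p.lower() for marker in USER_WRITABLE)]

def loaded_drivers(sections):
    """Driver file leaf name -> service name, from the SERVICES / DRIVERS section."""
    out = {}
    for line in sections.get("SERVICES / DRIVERS", []):
        m = DRIVER_RE.match(line)
        if m:
            out[m.group(2).rsplit("\\", 1)[-1].lower()] = m.group(1)
    return out

def created_files(sections):
    """Rows of 'Created Last 30' as (timestamp, size, attributes, path)."""
    rows = []
    for line in sections.get("CREATED LAST 30", []):
        m = CREATED_RE.match(line)
        if m:
            when = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%Y-%m-%d %H:%M:%S")
            rows.append((when, int(m.group(3)), m.group(4), m.group(5)))
    return rows

def recent_drivers(sections, window_days=14):
    """Kernel drivers (.sys) created within window_days of the newest row, paired with the
    service that loads them (None = file is on disk but no service entry was listed)."""
    rows = created_files(sections)
    if not rows:
        return []
    cutoff = max(r[0] for r in rows) - timedelta(days=window_days)
    loaded = loaded_drivers(sections)
    return [(path, loaded.get(path.rsplit("\\", 1)[-1].lower()))
            for when, _size, _attrs, path in rows
            if path.lower().endswith(".sys") and when >= cutoff]

def triage(text):
    """Bundle the three checks into one report dict."""
    s = split_sections(text)
    return {
        "security_center_av": registered_av(s),
        "user_profile_processes": user_profile_executables(s),
        "recent_drivers": recent_drivers(s),
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_DDS).items():
        print(key)
        for item in value:
            print("   ", item)
```

Run against the excerpt, the report names one Security Center product (Active Security, outdated), one process from a profile directory (magicJack, which the log itself shows is started from an Application Data folder by a Run key), and three recently created drivers, two of them tied to services (pavboot, AvgTdiX) and one (mbam.sys) with no service line in the excerpt. The point of pairing the two sections is that a driver on disk with a matching service entry is a loaded kernel component; that is what a helper reviewing the log wants to see first.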


#2 Buckeye_Sam
  • Malware Expert
  • Members, 17,382 posts
  • Gender: Male
  • Location: Pickerington, Ohio

Posted 09 November 2009 - 08:06 AM

Hello! :(
My name is Sam and I will be helping you.

In order to see what's going on with your computer I'll ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the contents of C:\ComboFix.txt in your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 NorCalMike
  • Topic Starter
  • Members, 24 posts
  • Gender: Male
  • Location: NorthBayArea, California

Posted 15 November 2009 - 12:35 AM

Sam, first things first, THANK YOU for your time and attention. The reason it took me so long to reply is that my computer just shut down. So, the attached DDS and Pseudo HJT logs are from a computer that is not in operation. I will get back to it, as it is my primary (best) computer. The computer I am currently using IS THE SLOW ONE (not the rogue/virus-infected one). So, in hopes that this is not a total loss, I will follow your instructions and post the ComboFix log in the following reply (which will be a normal reply, not a fast reply). Again, THANK YOU SINCERELY! Respectfully, Michael (norcalmike)

#4 NorCalMike
  • Topic Starter
  • Members, 24 posts
  • Gender: Male
  • Location: NorthBayArea, California

Posted 15 November 2009 - 06:14 AM

Attached file: ComboFix.txt (51.97 KB)

Okay, again, THANK YOU. Here is the ComboFix report. It seems as though the lag is lessened a bit. Be notified that this is 'my backup computer' (I try to indicate that by using the 'Computer 2' title). 'Computer 1' is still non-op for now. Thanks again, Respectfully, Michael.

#5 Buckeye_Sam
  • Malware Expert
  • Members, 17,382 posts
  • Gender: Male
  • Location: Pickerington, Ohio

Posted 15 November 2009 - 06:04 PM

Please do not attach log files unless specifically requested to do so. Just copy the text in the log and then paste it directly into your reply.
It makes it much easier for me to review the information if I can see it all in one place.


You've got me a bit confused with two computers here. From looking at the log that you posted, I don't see any signs of malware. We really need to keep this topic confined to just one computer. If you have another computer that is giving you problems also, it's best to start a new, separate topic for it.

So keeping with the computer where you just ran Combofix and posted that log, what are the issues that you're having?

#6 NorCalMike
  • Topic Starter
  • Members, 24 posts
  • Gender: Male
  • Location: NorthBayArea, California

Posted 16 November 2009 - 12:05 PM

It just seems to REALLY LAG with any kind of view/graphic/window change. It also seems like a page, tab or window almost 'locks' really badly if I have been away for a few minutes, almost like Explorer isn't refreshing itself. That is the issue regarding 'slowness': it's more like a graphics lag, or a lack of auto-refresh. THANK YOU, Respectfully, Michael

#7 Buckeye_Sam
  • Malware Expert
  • Members, 17,382 posts
  • Gender: Male
  • Location: Pickerington, Ohio

Posted 17 November 2009 - 09:00 AM

That doesn't sound much like malware to me, but let's take a look.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If you are using other security programs that detect registry changes (e.g. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.




We need to create an OTL Report
  • Please download OTL from here
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the "Run Scan" button.
  • The scan should take just a few minutes.
  • Copy both logs that it creates and paste them back here in your next reply.


#8 NorCalMike
  • Topic Starter
  • Members, 24 posts
  • Gender: Male
  • Location: NorthBayArea, California

Posted 22 November 2009 - 03:06 PM

Malwarebytes' Anti-Malware 1.41
Database version: 3213
Windows 5.1.2600 Service Pack 3

11/22/2009 11:58:59
mbam-log-2009-11-22 (11-58-59).txt

Scan type: Quick Scan
Objects scanned: 113390
Time elapsed: 5 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 21

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UACd.sys (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\Protection System (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\UACaqppppmtka.dll (Malware.Packer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACdxroyunsxl.dll (Malware.Packer) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\uacd13d.tmp (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\uacd14d.tmp (Rogue.ActiveSecurity) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\uacd312.tmp (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\uacd4c7.tmp (Rogue.ActiveSecurity) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\uacd6cb.tmp (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\uacd709.tmp (Malware.Packer) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\uacd8ce.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\uacda74.tmp (ProtectionSystem) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\uace3df.tmp (Malware.Packer) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\uac1157.tmp (ProtectionSystem) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\uac1ed0.tmp (Malware.Packer) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\uac2141.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\uac2155.tmp (Malware.Packer) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\uac22e7.tmp (ProtectionSystem) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\uac248d.tmp (ProtectionSystem) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\uac2652.tmp (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACtkaljyljmm.dat (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACwpfkcxjtyw.db (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.
Okay, here is the report, copied and pasted. I need to restart my computer in order for it to be completed successfully (I guess). So, I wanted to make sure I got this to you first. I will continue with the instructions you gave me (the OTL report) after I restart my computer. Thanks again.
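An added example, not part of the thread and not Malwarebytes' own code: a Python summariser for an MBAM 1.x log of the form above. It groups detections by family, lists the product names behind the Rogue.* hits, pulls out everything whose leaf name carries the UAC prefix that the Rootkit.TDSS entries, the UACd.sys service key and the HKLM\SOFTWARE\UAC key all share, and reports items still marked for removal on reboot, which is why MBAM insists on the restart mentioned in the post. The sample log is constructed from lines of the log above plus one invented driver entry carrying MBAM's "Delete on reboot" status; the UAC regex is a triage heuristic written for this example, not an MBAM signature.

```python
"""Summarise a Malwarebytes 1.x log (added example; not from the thread or from Malwarebytes)."""
import re
from collections import Counter

# Constructed sample: lines taken from the log above plus one invented driver entry
# with the 'Delete on reboot' status. MBAM 1.x line format: <item> (<detection>) -> <status>.
SAMPLE_MBAM_LOG = r"""
Malwarebytes' Anti-Malware 1.41
Database version: 3213

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UACd.sys (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\Protection System (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\UACaqppppmtka.dll (Malware.Packer) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\uacd14d.tmp (Rogue.ActiveSecurity) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACtkaljyljmm.dat (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\UACd.sys (Rootkit.TDSS) -> Delete on reboot.
"""

ENTRY_RE = re.compile(r"^(?P<item>.+) \((?P<family>[\w.]+)\) -> (?P<status>.+?)\.?$")
# Heuristic for this example: the rootkit components in the log above all share a 'UAC'
# leaf-name prefix (UACxxxx.dll/.dat, uacinit.dll, the UACd.sys service, HKLM\SOFTWARE\UAC).
UAC_NAME_RE = re.compile(r"^uac[a-z0-9]*(\.(dll|dat|db|sys|tmp))?$")
DONE = "Quarantined and deleted successfully"

def parse_mbam(text):
    """Return one dict per detection: section, item, family, status."""
    entries, section = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.endswith(":") and " -> " not in line:
            section = line[:-1]          # e.g. 'Files Infected'
            continue
        m = ENTRY_RE.match(line)         # skips headers and '(No malicious items detected)'
        if m:
            entries.append(dict(section=section, **m.groupdict()))
    return entries

def family_counts(entries):
    """How many hits each detection name accounts for."""
    return Counter(e["family"] for e in entries)

def rogue_products(entries):
    """Fake-AV product names MBAM tagged with the Rogue. prefix."""
    return {e["family"].split(".", 1)[1] for e in entries if e["family"].startswith("Rogue.")}

def pending_reboot(entries):
    """Items MBAM could not remove in place; these are why the restart it asks for is not optional."""
    return [e["item"] for e in entries if e["status"] != DONE]

def uac_prefixed(entries):
    """Items whose leaf name (file, or last registry key component) carries the UAC prefix."""
    return [e["item"] for e in entries
            if UAC_NAME_RE.match(e["item"].rsplit("\\", 1)[-1].lower())]

def summarise(text):
    """One report dict a helper could read at a glance."""
    entries = parse_mbam(text)
    return {
        "total": len(entries),
        "families": dict(family_counts(entries)),
        "rogues": rogue_products(entries),
        "uac_components": uac_prefixed(entries),
        "pending_reboot": pending_reboot(entries),
        "rootkit_seen": any(e["family"] == "Rootkit.TDSS" for e in entries),
    }

if __name__ == "__main__":
    for key, value in summarise(SAMPLE_MBAM_LOG).items():
        print(f"{key}: {value}")
```

On the sample this yields eight detections across six families, two rogue products (ProtectionSystem and ActiveSecurity), seven UAC-prefixed components, and one item held for deletion on reboot. A summary like this is what a helper reads before deciding the next step: a Rootkit.TDSS hit plus anything pending reboot means the machine is not clean until it has restarted normally and been rescanned, which matches the instruction in the post above.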

#9 NorCalMike
  • Topic Starter
  • Members, 24 posts
  • Gender: Male
  • Location: NorthBayArea, California

Posted 22 November 2009 - 05:32 PM

Attached files: OTL.Txt (85.75 KB), Extras.Txt (35.57 KB)

Okay, here are the OTL reports. I couldn't copy/paste them here because when I copied the text from my desktop and went to paste it here, the 'paste' option wasn't allowed. When I dragged the txt file to this box, the entire window became the whole page for that file. So, I will need to do it as an attachment.

OTL logfile created on: 11/22/2009 12:24:11 - Run 1
OTL by OldTimer - Version 3.1.6.3 Folder = C:\Documents and Settings\Mike Alford Jr\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.50 Gb Total Physical Memory | 1.08 Gb Available Physical Memory | 71.83% Memory free
2.86 Gb Paging File | 2.55 Gb Available in Paging File | 89.30% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 62.84 Gb Free Space | 84.33% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 1.64 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive G: | 17.59 Mb Total Space | 16.97 Mb Free Space | 96.44% Space Free | Partition Type: FAT
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: MIKE
Current User Name: Mike Alford Jr
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2009/11/22 12:23:27 | 00,528,896 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Mike Alford Jr\Desktop\OTL.exe
PRC - [2009/10/10 02:53:36 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/08/01 08:13:44 | 12,231,512 | ---- | M] (magicJack L.P.) -- C:\Documents and Settings\Mike Alford Jr\Application Data\mjusbsp\magicJack.exe
PRC - [2009/04/02 15:11:02 | 00,342,312 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe
PRC - [2009/04/02 15:10:56 | 00,656,168 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
PRC - [2009/03/08 13:09:26 | 00,638,816 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2009/03/08 13:09:26 | 00,638,816 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2009/03/08 13:09:26 | 00,638,816 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2008/08/14 16:15:46 | 02,407,184 | ---- | M] () -- C:\Program Files\Logitech\QuickCam\Quickcam.exe
PRC - [2008/08/14 16:11:48 | 00,565,008 | ---- | M] () -- C:\Program Files\Common Files\Logishrd\LComMgr\Communications_Helper.exe
PRC - [2008/08/14 16:11:14 | 00,447,248 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
PRC - [2008/07/26 07:25:36 | 00,150,040 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe
PRC - [2008/07/26 07:23:42 | 00,186,904 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\Logishrd\LVCOMSER\LVComSer.exe
PRC - [2008/07/26 07:23:42 | 00,186,904 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\Logishrd\LVCOMSER\LVComSer.exe
PRC - [2008/04/14 05:42:20 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/02/08 14:52:06 | 00,074,672 | ---- | M] (Lexmark International, Inc.) -- C:\Program Files\Lexmark 1200 Series\LXCZbmgr.exe
PRC - [2007/02/08 14:51:54 | 00,058,288 | ---- | M] (Lexmark International, Inc.) -- C:\Program Files\Lexmark 1200 Series\LXCZbmon.exe
PRC - [2007/02/08 14:50:33 | 00,537,520 | ---- | M] ( ) -- C:\WINDOWS\system32\lxczcoms.exe
PRC - [2003/06/19 23:25:00 | 00,322,120 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
PRC - [2002/09/20 16:50:10 | 00,045,056 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


========== Modules (SafeList) ==========

MOD - [2009/11/22 12:23:27 | 00,528,896 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Mike Alford Jr\Desktop\OTL.exe
MOD - [2008/07/26 07:25:24 | 00,109,080 | ---- | M] (Logitech Inc.) -- C:\WINDOWS\Temp\logishrd\LVPrcInj01.dll
MOD - [2008/04/14 05:42:52 | 01,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
MOD - [2008/04/14 05:42:02 | 00,025,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\mslbui.dll
MOD - [2008/04/14 05:41:54 | 00,185,344 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\framedyn.dll
MOD - [2002/11/06 20:00:38 | 00,040,820 | ---- | M] (SoundMAX) -- C:\WINDOWS\system32\Syncor11.dll


========== Win32 Services (SafeList) ==========

SRV - [2009/10/10 02:53:36 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009/04/02 15:10:56 | 00,656,168 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2008/07/29 20:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0)
SRV - [2008/07/29 18:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc)
SRV - [2008/07/29 18:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing)
SRV - [2008/07/26 07:25:36 | 00,150,040 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe -- (LVPrcSrv)
SRV - [2008/07/26 07:23:42 | 00,186,904 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe -- (LVCOMSer)
SRV - [2008/07/25 10:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2008/07/25 10:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state)
SRV - [2008/04/14 05:42:04 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\pchealth\helpctr\binaries\pchsvc.dll -- (helpsvc)
SRV - [2007/02/08 14:50:33 | 00,537,520 | ---- | M] ( ) -- C:\WINDOWS\System32\lxczcoms.exe -- (lxcz_device)
SRV - [2006/10/18 20:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc)
SRV - [2003/07/28 12:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
SRV - [2003/06/19 23:25:00 | 00,322,120 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE -- (MDM)
SRV - [2002/09/20 16:50:10 | 00,045,056 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe -- (SoundMAX Agent Service (default))


========== Driver Services (SafeList) ==========

DRV - [2009/05/09 00:14:20 | 00,014,736 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\nuidfltr.sys -- (NuidFltr)
DRV - [2009/03/19 15:32:48 | 00,023,400 | ---- | M] (GEAR Software Inc.) -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV - [2009/01/19 12:43:00 | 00,004,816 | ---- | M] (Andrea Electronics Corporation) -- C:\WINDOWS\system32\drivers\aeaudio.sys -- (aeaudio)
DRV - [2008/12/04 06:18:00 | 00,043,520 | ---- | M] (VIA Technologies, Inc. ) -- C:\WINDOWS\system32\drivers\fetnd5bv.sys -- (FETND5BV)
DRV - [2008/12/04 06:18:00 | 00,043,520 | ---- | M] (VIA Technologies, Inc. ) -- C:\WINDOWS\system32\drivers\fetnd5bv.sys -- (FET5X86V)
DRV - [2008/07/26 14:25:48 | 00,627,864 | ---- | M] (Logitech Inc.) -- C:\WINDOWS\system32\drivers\lvrs.sys -- (LVRS)
DRV - [2008/07/26 07:25:02 | 00,025,624 | ---- | M] () -- C:\WINDOWS\system32\drivers\LVPr2Mon.sys -- (LVPr2Mon)
DRV - [2008/04/14 00:15:30 | 00,010,624 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2008/04/13 23:15:14 | 00,060,032 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/04/13 22:09:16 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2006/11/10 19:48:00 | 00,040,352 | R--- | M] (Logitech Inc.) -- C:\WINDOWS\system32\drivers\LVUSBSta.sys -- (LVUSBSta)
DRV - [2006/11/10 19:43:15 | 00,933,536 | R--- | M] (Logitech Inc.) -- C:\WINDOWS\system32\drivers\LV302V32.SYS -- (PID_PEPI) Logitech QuickCam IM(PID_PEPI)
DRV - [2006/11/10 19:43:15 | 00,013,344 | R--- | M] (Logitech Inc.) -- C:\WINDOWS\system32\drivers\lv302af.sys -- (pepifilter)
DRV - [2004/08/03 17:07:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2004/08/03 14:29:56 | 01,897,408 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2003/07/15 16:00:00 | 00,578,368 | ---- | M] (Analog Devices, Inc.) -- C:\WINDOWS\system32\drivers\smwdm.sys -- (smwdm)
DRV - [2001/08/17 04:13:08 | 00,027,165 | ---- | M] (VIA Technologies, Inc. ) -- C:\WINDOWS\system32\drivers\fetnd5.sys -- (FETNDIS)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-725345543-1123561945-1801674531-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\S-1-5-21-725345543-1123561945-1801674531-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKU\S-1-5-21-725345543-1123561945-1801674531-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-725345543-1123561945-1801674531-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-725345543-1123561945-1801674531-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKU\S-1-5-21-725345543-1123561945-1801674531-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\S-1-5-21-725345543-1123561945-1801674531-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = A6 F4 63 6A D4 55 CA 01 [binary data]
IE - HKU\S-1-5-21-725345543-1123561945-1801674531-1003\S-1-5-21-725345543-1123561945-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Yahoo"
FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}:6.0.12
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}:6.0.15
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}:6.0.16
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:0.0.0
FF - prefs.js..extensions.enabledItems: extension@openitonline.com:2.5.1
FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:9.0.0.696
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.5.3
FF - prefs.js..extensions.enabledItems: {9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e}:3.69

FF - HKLM\software\mozilla\Firefox\extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/08/07 02:00:39 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009/10/10 02:53:36 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/10/08 03:18:40 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/10/17 00:47:13 | 00,000,000 | ---D | M]

[2009/01/19 13:45:31 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Mike Alford Jr\Application Data\Mozilla\Extensions
[2009/01/19 13:45:31 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Mike Alford Jr\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/10/12 18:07:56 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Mike Alford Jr\Application Data\Mozilla\Firefox\Profiles\f1vfata7.default\extensions
[2009/09/04 14:00:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Mike Alford Jr\Application Data\Mozilla\Firefox\Profiles\f1vfata7.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}(2)
[2009/09/17 23:45:58 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Mike Alford Jr\Application Data\Mozilla\Firefox\Profiles\f1vfata7.default\extensions\{9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e}
[2009/09/14 20:20:10 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Mike Alford Jr\Application Data\Mozilla\Firefox\Profiles\f1vfata7.default\extensions\extension@openitonline.com
[2009/09/14 20:20:10 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Mike Alford Jr\Application Data\Mozilla\Firefox\Profiles\f1vfata7.default\extensions\extension@openitonline.com\chrome
[2009/09/14 20:20:10 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Mike Alford Jr\Application Data\Mozilla\Firefox\Profiles\f1vfata7.default\extensions\extension@openitonline.com\components
[2009/09/14 20:20:10 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Mike Alford Jr\Application Data\Mozilla\Firefox\Profiles\f1vfata7.default\extensions\extension@openitonline.com\defaults
[2009/10/12 18:07:56 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/09/16 20:25:59 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/03/10 22:25:59 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
[2009/08/06 23:49:20 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
[2009/10/10 02:53:52 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
[2009/08/24 12:15:25 | 00,023,544 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browserdirprovider.dll
[2009/08/24 12:15:26 | 00,137,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\brwsrcmp.dll
[2009/10/10 02:53:36 | 00,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeploytk.dll
[2009/08/24 12:15:27 | 00,065,016 | ---- | M] (mozilla.org) -- C:\Program Files\Mozilla Firefox\plugins\npnul32.dll
[2007/03/22 19:23:30 | 00,017,248 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\NPOFFICE.DLL
[2009/02/27 11:13:42 | 00,103,792 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Mozilla Firefox\plugins\nppdf32.dll
[2009/05/03 15:01:51 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll
[2009/05/03 15:01:52 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll
[2009/05/03 15:01:52 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll
[2009/05/03 15:01:52 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll
[2009/05/03 15:01:52 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll
[2009/05/03 15:01:52 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll
[2009/05/03 15:01:52 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll
[2009/08/24 10:45:46 | 00,001,394 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazondotcom.xml
[2009/08/24 10:45:46 | 00,002,193 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\answers.xml
[2009/08/24 10:45:46 | 00,001,534 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\creativecommons.xml
[2009/08/24 10:45:46 | 00,002,344 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay.xml
[2009/08/24 10:45:46 | 00,002,371 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\google.xml
[2009/08/24 10:45:46 | 00,001,178 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wikipedia.xml

O1 HOSTS File: (734 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [LogitechCommunicationsManager] C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe ()
O4 - HKLM..\Run: [LogitechQuickCamRibbon] C:\Program Files\Logitech\QuickCam\Quickcam.exe ()
O4 - HKLM..\Run: [lxczbmgr.exe] C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe (Lexmark International, Inc.)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKU\S-1-5-21-725345543-1123561945-1801674531-1003..\Run: [cdloader] C:\Documents and Settings\Mike Alford Jr\Application Data\mjusbsp\cdloader2.exe (magicJack L.P.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-725345543-1123561945-1801674531-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O15 - HKU\S-1-5-21-725345543-1123561945-1801674531-1003\..Trusted Domains: craigslist.org ([sfbay] http in Local intranet)
O15 - HKU\S-1-5-21-725345543-1123561945-1801674531-1003\..Trusted Domains: craigslist.org ([sfbay] https in Trusted sites)
O15 - HKU\S-1-5-21-725345543-1123561945-1801674531-1003\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {02A2D714-433E-46E4-B217-7C3B3FAF8EAE} http://www.worldwinner.com/games/v47/scrab...rabblecubes.cab (ScrabbleCubes Control)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Reg Error: Key error.)
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} http://www.worldwinner.com/games/v47/share...GamesLoader.cab (FunGamesLoader Object)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab (MSN Photo Upload Tool)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onecare.live.com/resource/...lscbase6796.cab (Windows Live Safety Center Base Module)
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} http://www.worldwinner.com/games/shared/wwlaunch.cab (Wwlaunch Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} http://www.worldwinner.com/games/v57/wof/wof.cab (WoF Control)
O16 - DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} http://www.worldwinner.com/games/v47/famil.../familyfeud.cab (FamilyFeud Control)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/01/18 18:30:38 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2008/02/29 05:13:53 | 00,575,080 | R--- | M] (magicJack L.P.) - F:\autorun.exe -- [ CDFS ]
O32 - AutoRun File - [2008/02/29 05:13:53 | 00,016,158 | R--- | M] () - F:\autorun.ico -- [ CDFS ]
O32 - AutoRun File - [2008/02/29 05:13:53 | 00,000,308 | R--- | M] () - F:\autorun.inf -- [ CDFS ]
O32 - AutoRun File - [2008/01/04 18:17:30 | 00,000,270 | ---- | M] () - G:\autorun.inf -- [ FAT ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found
O35 - comfile [open] -- "%1" %* File not found
O35 - exefile [open] -- "%1" %* File not found

========== Files/Folders - Created Within 30 Days ==========

[2009/11/22 12:23:27 | 00,528,896 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Mike Alford Jr\Desktop\OTL.exe
[2009/11/22 11:02:13 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/11/22 11:02:11 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/11/22 11:02:11 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/11/22 11:02:11 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/11/22 11:00:08 | 04,045,528 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Mike Alford Jr\Desktop\mbam-setup.exe
[2009/11/21 04:56:53 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Mike Alford Jr\Application Data\Malwarebytes
[2009/11/20 16:47:49 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Google
[2009/11/20 16:22:40 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\MpEngineStore
[2009/11/08 16:10:47 | 00,472,064 | ---- | C] ( ) -- C:\Documents and Settings\Mike Alford Jr\Desktop\RootRepeal.exe
[2009/11/08 14:47:07 | 00,000,000 | ---D | C] -- C:\Program Files\Cobian Backup 8
[2009/11/08 14:46:16 | 08,499,200 | ---- | C] (Luis Cobian) -- C:\Documents and Settings\Mike Alford Jr\My Documents\cbSetup8.exe
[2009/11/01 17:15:45 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2009/11/01 17:06:13 | 00,401,720 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\Mike Alford Jr\Desktop\HijackThis.exe
[2009/11/01 17:05:58 | 00,812,344 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\Mike Alford Jr\Desktop\HijackThisInstaller.exe
[2009/11/01 15:21:50 | 00,000,000 | ---D | C] -- C:\Program Files\ACW
[2009/11/01 08:47:19 | 00,000,000 | ---D | C] -- C:\Program Files\Panda Security
[2009/11/01 08:33:42 | 00,000,036 | ---- | C] () -- C:\Documents and Settings\Mike Alford Jr\Local Settings\Application Data\housecall.guid.cache
[2009/11/01 08:33:34 | 01,848,336 | ---- | C] (Trend Micro) -- C:\HousecallLauncher.exe
[2009/11/01 08:25:43 | 00,401,720 | ---- | C] (Trend Micro Inc.) -- C:\HJT.exe
[2009/10/29 09:20:59 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\avg9
[2009/10/29 03:38:09 | 00,359,656 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Mike Alford Jr\My Documents\msicuu2.exe
[2009/10/28 19:26:59 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Mike Alford Jr\Desktop\Unused Desktop Shortcuts
[2009/10/25 18:17:45 | 00,000,000 | ---D | C] -- C:\Inetpub
[2009/01/23 12:30:45 | 00,413,696 | ---- | C] ( ) -- C:\WINDOWS\System32\lxczinpa.dll
[2009/01/23 12:30:45 | 00,397,312 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcziesc.dll
[2009/01/23 12:30:45 | 00,323,584 | ---- | C] ( ) -- C:\WINDOWS\System32\LXCZhcp.dll
[2009/01/23 12:30:44 | 01,224,704 | ---- | C] ( ) -- C:\WINDOWS\System32\lxczserv.dll
[2009/01/23 12:30:44 | 00,991,232 | ---- | C] ( ) -- C:\WINDOWS\System32\lxczusb1.dll
[2009/01/23 12:30:44 | 00,643,072 | ---- | C] ( ) -- C:\WINDOWS\System32\lxczpmui.dll
[2009/01/23 12:30:44 | 00,585,728 | ---- | C] ( ) -- C:\WINDOWS\System32\lxczlmpm.dll
[2009/01/23 12:30:44 | 00,163,840 | ---- | C] ( ) -- C:\WINDOWS\System32\lxczprox.dll
[2009/01/23 12:30:44 | 00,094,208 | ---- | C] ( ) -- C:\WINDOWS\System32\lxczpplc.dll
[2009/01/23 12:30:43 | 00,696,320 | ---- | C] ( ) -- C:\WINDOWS\System32\lxczhbn3.dll
[2009/01/23 12:30:42 | 00,684,032 | ---- | C] ( ) -- C:\WINDOWS\System32\lxczcomc.dll
[2009/01/23 12:30:42 | 00,421,888 | ---- | C] ( ) -- C:\WINDOWS\System32\lxczcomm.dll
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2009/11/22 12:23:27 | 00,528,896 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Mike Alford Jr\Desktop\OTL.exe
[2009/11/22 12:08:06 | 00,001,053 | ---- | M] () -- C:\Documents and Settings\Mike Alford Jr\Desktop\magicJack.lnk
[2009/11/22 12:07:58 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/11/22 12:07:43 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/11/22 12:07:40 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/11/22 12:07:39 | 16,101,90848 | -HS- | M] () -- C:\hiberfil.sys
[2009/11/22 12:07:07 | 00,000,278 | -HS- | M] () -- C:\Documents and Settings\Mike Alford Jr\ntuser.ini
[2009/11/22 12:07:06 | 03,670,016 | ---- | M] () -- C:\Documents and Settings\Mike Alford Jr\ntuser.dat
[2009/11/22 12:07:01 | 05,357,380 | -H-- | M] () -- C:\Documents and Settings\Mike Alford Jr\Local Settings\Application Data\IconCache.db
[2009/11/22 11:02:15 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/11/22 11:00:19 | 04,045,528 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Mike Alford Jr\Desktop\mbam-setup.exe
[2009/11/21 14:20:08 | 00,000,420 | ---- | M] () -- C:\WINDOWS\Lexstat.ini
[2009/11/21 12:57:25 | 00,000,440 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{298FC078-D054-4ED5-A745-0FE12A8074F3}.job
[2009/11/21 11:39:06 | 00,000,637 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/11/20 16:22:40 | 00,000,294 | ---- | M] () -- C:\WINDOWS\System32\MRT.INI
[2009/11/20 16:10:05 | 00,263,824 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/11/08 16:51:59 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/11/08 16:12:07 | 00,000,000 | ---- | M] () -- C:\Documents and Settings\Mike Alford Jr\Desktop\settings.dat
[2009/11/08 16:10:47 | 00,472,064 | ---- | M] ( ) -- C:\Documents and Settings\Mike Alford Jr\Desktop\RootRepeal.exe
[2009/11/08 15:10:26 | 00,523,776 | ---- | M] () -- C:\Documents and Settings\Mike Alford Jr\Desktop\dds.scr
[2009/11/08 14:46:38 | 08,499,200 | ---- | M] (Luis Cobian) -- C:\Documents and Settings\Mike Alford Jr\My Documents\cbSetup8.exe
[2009/11/05 09:36:21 | 26,768,832 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2009/11/01 17:15:45 | 00,001,734 | ---- | M] () -- C:\Documents and Settings\Mike Alford Jr\Desktop\HijackThis.lnk
[2009/11/01 17:15:34 | 00,812,344 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\Mike Alford Jr\Desktop\HijackThisInstaller.exe
[2009/11/01 17:06:13 | 00,401,720 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\Mike Alford Jr\Desktop\HijackThis.exe
[2009/11/01 11:56:38 | 00,517,284 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/11/01 11:56:38 | 00,438,078 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/11/01 11:56:38 | 00,069,542 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/11/01 08:33:42 | 00,000,036 | ---- | M] () -- C:\Documents and Settings\Mike Alford Jr\Local Settings\Application Data\housecall.guid.cache
[2009/11/01 08:33:40 | 01,848,336 | ---- | M] (Trend Micro) -- C:\HousecallLauncher.exe
[2009/11/01 08:25:55 | 00,401,720 | ---- | M] (Trend Micro Inc.) -- C:\HJT.exe
[2009/10/29 03:38:10 | 00,359,656 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Mike Alford Jr\My Documents\msicuu2.exe
[2009/10/26 16:12:09 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/10/26 16:12:09 | 00,000,211 | RHS- | M] () -- C:\boot.ini
[2009/10/26 15:21:21 | 03,436,814 | ---- | M] () -- C:\Documents and Settings\Mike Alford Jr\Desktop\ComboFix.exe
[2009/10/26 14:42:17 | 00,068,256 | ---- | M] () -- C:\Documents and Settings\Mike Alford Jr\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/10/25 00:35:10 | 00,013,272 | ---- | M] () -- C:\WINDOWS\System32\LexFiles.ulf
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2009/11/22 11:02:15 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/11/08 16:51:58 | 00,001,374 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2009/11/08 16:12:07 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\Mike Alford Jr\Desktop\settings.dat
[2009/11/08 15:10:26 | 00,523,776 | ---- | C] () -- C:\Documents and Settings\Mike Alford Jr\Desktop\dds.scr
[2009/11/01 17:15:45 | 00,001,734 | ---- | C] () -- C:\Documents and Settings\Mike Alford Jr\Desktop\HijackThis.lnk
[2009/11/01 08:33:42 | 00,000,036 | ---- | C] () -- C:\Documents and Settings\Mike Alford Jr\Local Settings\Application Data\housecall.guid.cache
[2009/10/30 22:56:43 | 16,101,90848 | -HS- | C] () -- C:\hiberfil.sys
[2009/10/28 20:21:28 | 00,001,053 | ---- | C] () -- C:\Documents and Settings\Mike Alford Jr\Desktop\magicJack.lnk
[2009/10/26 15:21:02 | 03,436,814 | ---- | C] () -- C:\Documents and Settings\Mike Alford Jr\Desktop\ComboFix.exe
[2009/10/15 16:14:40 | 00,000,294 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2009/09/09 00:48:38 | 00,000,389 | ---- | C] () -- C:\WINDOWS\AcroChallenge.ini
[2009/08/08 23:10:31 | 00,000,000 | ---- | C] () -- C:\WINDOWS\UltimateBuddy.INI
[2009/08/03 14:07:42 | 00,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/05/05 01:35:38 | 00,240,128 | ---- | C] () -- C:\WINDOWS\System32\PDDLLW32.DLL
[2009/05/05 01:35:37 | 00,455,168 | ---- | C] () -- C:\WINDOWS\System32\redllw32.dll
[2009/04/30 15:00:12 | 00,025,624 | ---- | C] () -- C:\WINDOWS\System32\drivers\LVPr2Mon.sys
[2009/03/13 03:33:25 | 00,068,256 | ---- | C] () -- C:\Documents and Settings\Mike Alford Jr\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/01/26 07:20:54 | 00,030,720 | ---- | C] () -- C:\Documents and Settings\Mike Alford Jr\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/01/23 12:32:19 | 00,000,420 | ---- | C] () -- C:\WINDOWS\Lexstat.ini
[2009/01/23 12:31:46 | 00,344,064 | ---- | C] () -- C:\WINDOWS\System32\lxczcoin.dll
[2009/01/23 12:31:46 | 00,040,960 | ---- | C] () -- C:\WINDOWS\System32\lxczvs.dll
[2009/01/23 12:31:22 | 00,061,440 | ---- | C] () -- C:\WINDOWS\System32\lxczcnv7.dll
[2009/01/23 12:31:22 | 00,061,440 | ---- | C] () -- C:\WINDOWS\System32\lxczcnv6.dll
[2009/01/23 12:31:22 | 00,061,440 | ---- | C] () -- C:\WINDOWS\System32\lxczcnv5.dll
[2009/01/23 12:31:22 | 00,061,440 | ---- | C] () -- C:\WINDOWS\System32\lxczcnv4.dll
[2009/01/23 12:31:22 | 00,039,899 | ---- | C] () -- C:\WINDOWS\System32\rtsicis.ini
[2009/01/23 12:30:45 | 00,413,696 | ---- | C] () -- C:\WINDOWS\System32\lxczutil.dll
[2009/01/23 12:30:45 | 00,274,432 | ---- | C] () -- C:\WINDOWS\System32\LXCZinst.dll
[2009/01/23 06:13:20 | 00,042,594 | R--- | C] () -- C:\WINDOWS\System32\lvcoinst.ini
[2009/01/19 13:26:04 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/01/19 12:43:21 | 00,000,044 | ---- | C] () -- C:\WINDOWS\System32\msssc.dll
[2009/01/18 18:40:26 | 05,357,380 | -H-- | C] () -- C:\Documents and Settings\Mike Alford Jr\Local Settings\Application Data\IconCache.db
[2009/01/18 18:36:31 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\Mike Alford Jr\Application Data\desktop.ini
[2009/01/18 18:30:38 | 00,000,000 | ---- | C] () -- C:\WINDOWS\control.ini
[2009/01/18 18:27:17 | 00,000,037 | ---- | C] () -- C:\WINDOWS\vbaddin.ini
[2009/01/18 18:27:17 | 00,000,036 | ---- | C] () -- C:\WINDOWS\vb.ini
[2009/01/18 18:26:42 | 00,013,223 | ---- | C] () -- C:\WINDOWS\System32\tslabels.ini
[2009/01/18 18:26:41 | 00,001,931 | ---- | C] () -- C:\WINDOWS\System32\msdtcprf.ini
[2009/01/18 10:19:44 | 00,517,284 | ---- | C] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/01/18 10:19:43 | 00,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2009/01/18 10:19:18 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\desktop.ini
[2006/06/29 13:58:52 | 00,030,808 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont
[2006/06/29 13:53:56 | 00,026,489 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
[2006/04/18 14:39:28 | 00,029,779 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
[2006/04/18 14:39:28 | 00,026,040 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
[2004/09/17 17:37:42 | 00,069,632 | ---- | C] () -- C:\WINDOWS\System32\vuins32.dll
[2004/08/03 17:07:00 | 01,291,264 | ---- | C] () -- C:\WINDOWS\System32\quartz.dll
[2004/08/03 17:07:00 | 01,015,477 | ---- | C] () -- C:\WINDOWS\System32\esentprf.ini
[2004/08/03 17:07:00 | 00,733,696 | ---- | C] () -- C:\WINDOWS\System32\qedwipes.dll
[2004/08/03 17:07:00 | 00,562,176 | ---- | C] () -- C:\WINDOWS\System32\qedit.dll
[2004/08/03 17:07:00 | 00,498,742 | ---- | C] () -- C:\WINDOWS\System32\dxmasf.dll
[2004/08/03 17:07:00 | 00,386,048 | ---- | C] () -- C:\WINDOWS\System32\qdvd.dll
[2004/08/03 17:07:00 | 00,355,112 | ---- | C] () -- C:\WINDOWS\System32\msjetoledb40.dll
[2004/08/03 17:07:00 | 00,279,040 | ---- | C] () -- C:\WINDOWS\System32\qdv.dll
[2004/08/03 17:07:00 | 00,270,848 | ---- | C] () -- C:\WINDOWS\System32\sbe.dll
[2004/08/03 17:07:00 | 00,252,928 | ---- | C] () -- C:\WINDOWS\System32\compatui.dll
[2004/08/03 17:07:00 | 00,199,168 | ---- | C] () -- C:\WINDOWS\System32\ir32_32.dll
[2004/08/03 17:07:00 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\qcap.dll
[2004/08/03 17:07:00 | 00,186,880 | ---- | C] () -- C:\WINDOWS\System32\encdec.dll
[2004/08/03 17:07:00 | 00,094,282 | ---- | C] () -- C:\WINDOWS\System32\msencode.dll
[2004/08/03 17:07:00 | 00,070,656 | ---- | C] () -- C:\WINDOWS\System32\amstream.dll
[2004/08/03 17:07:00 | 00,059,904 | ---- | C] () -- C:\WINDOWS\System32\devenum.dll
[2004/08/03 17:07:00 | 00,053,478 | ---- | C] () -- C:\WINDOWS\System32\tcpmon.ini
[2004/08/03 17:07:00 | 00,042,809 | ---- | C] () -- C:\WINDOWS\System32\key01.sys
[2004/08/03 17:07:00 | 00,042,537 | ---- | C] () -- C:\WINDOWS\System32\keyboard.sys
[2004/08/03 17:07:00 | 00,035,648 | ---- | C] () -- C:\WINDOWS\System32\ntio411.sys
[2004/08/03 17:07:00 | 00,035,424 | ---- | C] () -- C:\WINDOWS\System32\ntio412.sys
[2004/08/03 17:07:00 | 00,035,328 | ---- | C] () -- C:\WINDOWS\System32\mciqtz32.dll
[2004/08/03 17:07:00 | 00,034,560 | ---- | C] () -- C:\WINDOWS\System32\ntio804.sys
[2004/08/03 17:07:00 | 00,034,560 | ---- | C] () -- C:\WINDOWS\System32\ntio404.sys
[2004/08/03 17:07:00 | 00,033,840 | ---- | C] () -- C:\WINDOWS\System32\ntio.sys
[2004/08/03 17:07:00 | 00,029,370 | ---- | C] () -- C:\WINDOWS\System32\ntdos411.sys
[2004/08/03 17:07:00 | 00,029,274 | ---- | C] () -- C:\WINDOWS\System32\ntdos412.sys
[2004/08/03 17:07:00 | 00,029,146 | ---- | C] () -- C:\WINDOWS\System32\ntdos804.sys
[2004/08/03 17:07:00 | 00,029,146 | ---- | C] () -- C:\WINDOWS\System32\ntdos404.sys
[2004/08/03 17:07:00 | 00,027,866 | ---- | C] () -- C:\WINDOWS\System32\ntdos.sys
[2004/08/03 17:07:00 | 00,027,097 | ---- | C] () -- C:\WINDOWS\System32\country.sys
[2004/08/03 17:07:00 | 00,015,360 | ---- | C] () -- C:\WINDOWS\System32\tsd32.dll
[2004/08/03 17:07:00 | 00,014,336 | ---- | C] () -- C:\WINDOWS\System32\msdmo.dll
[2004/08/03 17:07:00 | 00,013,312 | ---- | C] () -- C:\WINDOWS\System32\win87em.dll
[2004/08/03 17:07:00 | 00,012,082 | ---- | C] () -- C:\WINDOWS\System32\rsvp.ini
[2004/08/03 17:07:00 | 00,010,240 | ---- | C] () -- C:\WINDOWS\System32\scriptpw.dll
[2004/08/03 17:07:00 | 00,010,110 | ---- | C] () -- C:\WINDOWS\System32\mqperf.ini
[2004/08/03 17:07:00 | 00,009,029 | ---- | C] () -- C:\WINDOWS\System32\ansi.sys
[2004/08/03 17:07:00 | 00,006,877 | ---- | C] () -- C:\WINDOWS\System32\pschdprf.ini
[2004/08/03 17:07:00 | 00,004,768 | ---- | C] () -- C:\WINDOWS\System32\himem.sys
[2004/08/03 17:07:00 | 00,004,126 | ---- | C] () -- C:\WINDOWS\System32\msdxmlc.dll
[2004/08/03 17:07:00 | 00,003,458 | ---- | C] () -- C:\WINDOWS\System32\rasctrs.ini
[2004/08/03 17:07:00 | 00,002,891 | ---- | C] () -- C:\WINDOWS\System32\perfci.ini
[2004/08/03 17:07:00 | 00,002,732 | ---- | C] () -- C:\WINDOWS\System32\perfwci.ini
[2004/08/03 17:07:00 | 00,002,656 | ---- | C] () -- C:\WINDOWS\System32\netware.drv
[2004/08/03 17:07:00 | 00,001,405 | ---- | C] () -- C:\WINDOWS\msdfmap.ini
[2004/08/03 17:07:00 | 00,001,152 | ---- | C] () -- C:\WINDOWS\System32\perffilt.ini
[2004/08/03 17:07:00 | 00,000,637 | ---- | C] () -- C:\WINDOWS\win.ini
[2004/08/03 17:07:00 | 00,000,343 | ---- | C] () -- C:\WINDOWS\System32\prodspec.ini
[2004/08/03 17:07:00 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini
[2003/01/07 15:05:08 | 00,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2001/08/17 14:36:28 | 00,157,696 | ---- | C] () -- C:\WINDOWS\System32\paqsp.dll
< End of report >

Edited by Buckeye_Sam, 22 November 2009 - 06:43 PM.


#10 Buckeye_Sam


    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:08:03 PM

Posted 22 November 2009 - 06:44 PM

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


(screenshot)


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

(screenshot)


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the contents of C:\ComboFix.txt in your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#11 NorCalMike

  • Topic Starter

  • Members
  • 24 posts
  • Gender:Male
  • Location:NorthBayArea,California
  • Local time:06:03 PM

Posted 22 November 2009 - 09:06 PM

ComboFix 09-11-22.04 - Mike Alford Jr 11/22/2009 17:46.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1536.1149 [GMT -8:00]
Running from: c:\documents and settings\Mike Alford Jr\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-725345543-1123561945-1801674531-501
c:\windows\system32\uactmp.db
c:\windows\TEMP\logishrd\LVPrcInj01.dll

.
((((((((((((((((((((((((( Files Created from 2009-10-23 to 2009-11-23 )))))))))))))))))))))))))))))))
.

2009-11-23 01:53 . 2009-08-01 16:16 6256600 ---ha-w- c:\documents and settings\Mike Alford Jr\Application Data\mjusbsp\in00000\setup.exe
2009-11-23 01:53 . 2009-08-01 16:12 728600 ---ha-w- c:\documents and settings\Mike Alford Jr\Application Data\mjusbsp\ar00000\install.exe
2009-11-22 19:02 . 2009-09-10 22:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-22 19:02 . 2009-11-22 19:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-22 19:02 . 2009-11-22 19:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-22 19:02 . 2009-09-10 22:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-21 12:56 . 2009-11-21 12:56 -------- d-----w- c:\documents and settings\Mike Alford Jr\Application Data\Malwarebytes
2009-11-21 00:22 . 2009-11-21 00:22 -------- d-----w- c:\windows\system32\MpEngineStore
2009-11-20 20:27 . 2009-11-20 20:27 3963160 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\prepare\avgcorex.dll
2009-11-20 20:26 . 2009-10-29 17:21 877848 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2009-11-20 20:26 . 2009-10-29 17:21 610072 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe
2009-11-20 20:26 . 2009-10-29 17:21 1657112 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2009-11-08 22:47 . 2009-11-08 22:47 -------- d-----w- c:\program files\Cobian Backup 8
2009-11-02 01:15 . 2009-11-02 01:15 -------- d-----w- c:\program files\Trend Micro
2009-11-01 23:21 . 2009-11-01 23:24 -------- d-----w- c:\program files\ACW
2009-11-01 16:47 . 2009-11-22 11:20 -------- d-----w- c:\program files\Panda Security
2009-11-01 16:33 . 2009-11-01 16:33 1848336 ----a-w- C:\HousecallLauncher.exe
2009-11-01 16:25 . 2009-11-01 16:25 401720 ----a-w- C:\HJT.exe
2009-10-29 17:20 . 2009-11-21 00:45 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-10-29 03:54 . 2009-10-29 03:54 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache
2009-10-26 02:17 . 2009-10-26 02:17 -------- d-----w- C:\Inetpub

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-23 01:54 . 2009-01-22 20:26 -------- d-----w- c:\documents and settings\Mike Alford Jr\Application Data\mjusbsp
2009-11-21 12:47 . 2009-03-29 21:39 -------- d-----w- c:\program files\anywebcam
2009-11-21 00:47 . 2009-08-06 02:22 -------- d-----w- c:\program files\Google
2009-11-21 00:46 . 2009-01-19 17:36 -------- d-----w- c:\program files\AVG
2009-11-02 11:20 . 2009-09-05 05:01 -------- d-----w- c:\program files\UltimateBet
2009-11-02 10:42 . 2009-02-07 08:21 -------- d-----w- c:\program files\Full Tilt Poker
2009-10-29 04:17 . 2009-03-12 00:00 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-10-29 03:49 . 2009-10-08 11:25 68256 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-26 22:42 . 2009-03-13 11:33 68256 ----a-w- c:\documents and settings\Mike Alford Jr\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-26 21:55 . 2009-05-06 04:10 -------- d-----w- c:\program files\Safari
2009-10-26 21:53 . 2009-05-11 20:07 -------- d-----w- c:\program files\AVS4YOU
2009-10-26 21:53 . 2009-05-11 20:07 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-10-25 08:33 . 2009-03-12 01:21 -------- d-----w- c:\program files\Common Files\Apple
2009-10-18 00:00 . 2009-01-23 14:09 -------- d-----w- c:\program files\Common Files\Logitech
2009-10-16 04:14 . 2009-10-08 23:02 -------- d-----w- c:\program files\CrossLoop
2009-10-10 10:53 . 2009-01-23 13:33 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-10 10:53 . 2009-10-04 12:14 152576 ----a-w- c:\documents and settings\Mike Alford Jr\Application Data\Sun\Java\jre1.6.0_16\lzma.dll
2009-10-10 06:37 . 2009-10-10 06:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-10-10 06:37 . 2009-10-10 06:37 -------- d-----w- c:\documents and settings\Mike Alford Jr\Application Data\Office Genuine Advantage
2009-10-09 22:55 . 2009-03-11 06:25 -------- d-----w- c:\program files\Java
2009-10-09 04:47 . 2009-08-28 22:32 -------- d-----w- c:\program files\Playwinpoker.com
2009-10-08 11:46 . 2009-01-22 21:12 -------- d-----w- c:\program files\PokerStars
2009-10-06 14:00 . 2009-10-06 14:00 -------- d-----w- c:\program files\Windows Live Safety Center
2009-09-29 07:18 . 2009-09-29 07:18 -------- d-----w- c:\program files\FriendFinder
2009-09-24 06:08 . 2009-09-24 06:08 -------- d-----w- c:\program files\Common Files\SureThing Shared
2009-09-11 14:18 . 2004-08-04 01:07 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-05 05:15 . 2009-09-05 05:15 159744 ----a-w- c:\documents and settings\Mike Alford Jr\Application Data\UltimateBet\DownLoad\liveupdate.exe
2009-09-04 21:03 . 2004-08-04 01:07 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2004-08-04 01:07 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2004-08-04 01:07 247326 ----a-w- c:\windows\system32\strmdll.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cdloader"="c:\documents and settings\Mike Alford Jr\Application Data\mjusbsp\cdloader2.exe" [2009-08-01 50520]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-10 149280]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"lxczbmgr.exe"="c:\program files\Lexmark 1200 Series\lxczbmgr.exe" [2007-02-08 74672]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-08-15 2407184]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-08-15 565008]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Camfrog\\Camfrog Video Chat\\Camfrog Video Chat.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Documents and Settings\\Mike Alford Jr\\Application Data\\mjusbsp\\magicJack.exe"=

S3 getPlusHelper;getPlus® Helper;c:\windows\System32\svchost.exe -k getPlusHelper [8/3/2004 17:07 14336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2009-11-22 c:\windows\Tasks\User_Feed_Synchronization-{298FC078-D054-4ED5-A745-0FE12A8074F3}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
Trusted Zone: craigslist.org\sfbay
FF - ProfilePath - c:\documents and settings\Mike Alford Jr\Application Data\Mozilla\Firefox\Profiles\f1vfata7.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
AddRemove-{E2883E8F-472F-4fb0-9522-AC9BF37916A7} - c:\program files\NOS\bin\getPlus_Helper.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-22 17:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\docume~1\MIKEAL~1\LOCALS~1\Temp\nsk9.tmp\nsMagicJack2.dll 100704 bytes executable
c:\docume~1\MIKEAL~1\LOCALS~1\Temp\nsk9.tmp\nsPatch.dll 206168 bytes executable
c:\docume~1\MIKEAL~1\LOCALS~1\Temp\nsk9.tmp\nsSJphone.dll 12120 bytes executable
c:\docume~1\MIKEAL~1\LOCALS~1\Temp\nsk9.tmp\nsStorageRWD.dll 104288 bytes executable
c:\docume~1\MIKEAL~1\LOCALS~1\Temp\nsk9.tmp\System.dll 15192 bytes executable

scan completed successfully
hidden files: 5

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-725345543-1123561945-1801674531-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3880)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Lexmark 1200 Series\lxczbmon.exe
c:\windows\system32\lxczcoms.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\documents and settings\Mike Alford Jr\Application Data\mjusbsp\st00000\mjsetup.exe
c:\documents and settings\Mike Alford Jr\Application Data\mjusbsp\magicJack.exe
.
**************************************************************************
.
Completion time: 2009-11-22 17:58 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-23 01:58

Pre-Run: 67,431,976,960 bytes free
Post-Run: 67,650,617,344 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

Current=5 Default=5 Failed=4 LastKnownGood=6 Sets=1,2,3,4,5,6
- - End Of File - - BD9D6ADE93E9F18DFA29A367533695D7
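The "Reg Loading Points" section of the ComboFix log above is what a helper reads first: every value under the HKCU and HKLM Run keys starts a program at logon, and the log prints each one with its path, file date and size. As an added example (not part of this thread and not a ComboFix feature), the Python script below parses that REGEDIT4-style dump and flags any autostart binary that lives under a user profile or a temp folder, since those locations can be written to without administrative rights. The sample input is copied from the log above; the "trusted prefix" and "user-writable marker" lists are assumptions of this example, and a flag is a prompt to verify, not a verdict: the flagged `cdloader` entry sits in the same `mjusbsp` folder that the log elsewhere shows hosting `magicJack.exe`.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Excerpt of the "Reg Loading Points" section of the ComboFix log posted
# above; only four entries are kept so the sample stays short.
SAMPLE_LOG = r"""REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cdloader"="c:\documents and settings\Mike Alford Jr\Application Data\mjusbsp\cdloader2.exe" [2009-08-01 50520]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-10 149280]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"""

# A registry key header such as [HKEY_LOCAL_MACHINE\...\Run]
SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# A ComboFix entry line: "ValueName"="path" [YYYY-MM-DD size]
ENTRY_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)\]$'
)

# Heuristic (an assumption of this example, not a ComboFix rule): autostart
# binaries under a user profile or a temp folder deserve a closer look,
# because those locations are writable without administrative rights.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\")
USER_WRITABLE_MARKERS = (
    "\\documents and settings\\",
    "\\application data\\",
    "\\local settings\\",
    "\\temp\\",
)


@dataclass
class RunEntry:
    key: str       # registry key the value lives under
    name: str      # value name
    path: str      # executable path as ComboFix printed it
    date: str      # file timestamp reported by ComboFix
    size: int      # file size in bytes
    suspect: bool  # True when the path hits the heuristic above


def is_suspect(path: str) -> bool:
    """Return True when an autostart path sits in a user-writable location."""
    p = path.lower()
    if any(marker in p for marker in USER_WRITABLE_MARKERS):
        return True
    return not p.startswith(TRUSTED_PREFIXES)


def parse_run_entries(text: str) -> List[RunEntry]:
    """Parse the REGEDIT4-style Run key dump that ComboFix emits."""
    entries: List[RunEntry] = []
    current_key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        section = SECTION_RE.match(line)
        if section:
            current_key = section.group("key")
            continue
        entry = ENTRY_RE.match(line)
        if entry and current_key:
            entries.append(RunEntry(
                key=current_key,
                name=entry.group("name"),
                path=entry.group("path"),
                date=entry.group("date"),
                size=int(entry.group("size")),
                suspect=is_suspect(entry.group("path")),
            ))
    return entries


def suspect_names(text: str) -> List[str]:
    """Names of the Run values whose executables are in user-writable paths."""
    return [e.name for e in parse_run_entries(text) if e.suspect]


if __name__ == "__main__":
    # Print one line per autostart entry, marking the ones worth checking.
    for e in parse_run_entries(SAMPLE_LOG):
        flag = "CHECK" if e.suspect else "ok   "
        print(f"{flag} {e.name:40} {e.size:>8}  {e.path}")
```

The same marker list also catches the `Temp\nsk9.tmp` paths that the catchme section of this log reports, which is the usual reason a helper asks for the file date and size next to each entry: a recent timestamp on a user-writable path is what separates a freshly dropped loader from a long-installed application.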

#12 Buckeye_Sam


    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:08:03 PM

Posted 23 November 2009 - 09:11 AM

How is your computer behaving now?


========================================================

#13 NorCalMike

  • Topic Starter

  • Members
  • 24 posts
  • Gender:Male
  • Location:NorthBayArea,California
  • Local time:06:03 PM

Posted 23 November 2009 - 11:23 AM

Seems to be doing very well. I haven't tried 'disc clean-up' or 'defragment' for 2 reasons. 1) You may have more instructions for me after reading/evaluating the reports. 2) I'm basically afraid I'm gonna hear that scary "bonk" music that Windows plays when I have some kind of fatal error, and before, I couldn't clean disc, defragment, etc. But the instructions you left for me seem to be helping my computer be stable. I noticed that one of the reports said I had 24 viruses (maybe just adware), but 2 were rootkits, and that scared me too. Getting back to your question, it (my computer) really seems to be running smoothly. A few things that I don't really know as far as SOP is concerned: the things I have downloaded, from the OTL to the ComboFix and the other 'diagnostic' .exe's... should I delete/uninstall them? Or don't worry about that till we are completely through with this? Just curious. Another thing: when I was doing the download from/for the OTL part, I received a pop-up indicating that it was a virus, or possibly malware. I am very grateful for this site and all the help given from people like you. I went to the chatroom, told them (a person) in the chatroom about my concern, and they told me not to worry, that it is a false positive. Just thought I'd pass that on. Sincerely, thanks for your help and support. And I look forward to your response.

#14 Buckeye_Sam


    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:08:03 PM

Posted 23 November 2009 - 06:57 PM

It's not uncommon for OTL, Combofix, or some of the other tools we use here to be falsely identified as malware. The important thing to remember is that anything we tell you to download will be safe, as long as you download it from the links that we provide.

This next step will remove the tools that I had you download.

It's time to clean up.
  • Make sure you have an Internet Connection.
  • Double-click OTL.exe to run it.
  • Click on the CleanUp! button
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTL to reach the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.


================




Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - You should disable and reenable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to enable and reenable system restore here:

    Windows XP System Restore Guide

    Re-enable system restore with instructions from the tutorial above.

  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis just as you would with an antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware, Malware, and Hijackers

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.



========================================================

#15 NorCalMike

  • Topic Starter

  • Members
  • 24 posts
  • Gender:Male
  • Location:NorthBayArea,California
  • Local time:06:03 PM

Posted 24 November 2009 - 10:45 PM

Funny you should ask. My computer seemed to be behaving okay, but as I was originally answering this I had mentioned being afraid to check other things such as 'system restore', 'disc clean up', and 'disc defragment', as these were things I could not do earlier, and right in the middle of my reply the screen went blank and I couldn't restart the computer. Well, segue a couple days later, and I am able to boot up my hard drive now so I can answer this. So, there are still a couple of funny things going on. Thank you Sam.



