Browser Hijack - Intermittent Redirect to Various Ad Sites


  • This topic is locked
17 replies to this topic

#1 csjoblom

csjoblom

  • Members
  • 8 posts
  • OFFLINE
  • Local time:06:37 AM

Posted 01 December 2009 - 11:42 PM

For the past several days my browser (Firefox) will intermittently launch new windows with various ad sites, usually for satellite dish service, online gambling or work from home money making schemes. The hijack episodes can happen when I am at any site as far as I can tell. Sometimes only one new window launches, sometimes several launch one right after the other. Also, the windows may have only one tab or several. Clicking the "Stop Loading" button in the active window seems to stop the hijack episode, but if I just close the window before the loading stops a new window starts up immediately.


DDS LOG FOLLOWS:


DDS (Ver_09-12-01.01) - NTFSx86
Run by Chris at 21:50:50.73 on Tue 12/01/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.136 [GMT -6:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\S3apphk.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Chris\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mSearch Bar = hxxp://srch-us5.hpwis.com/
uInternet Connection Wizard,ShellNext = iexplore
mSearchAssistant = hxxp://srch-us5.hpwis.com/
mCustomizeSearch = hxxp://srch-us5.hpwis.com/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_09\bin\ssv.dll
TB: &hp toolkit: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\hp\explorebar\HPTOOLKT.DLL
EB: hp toolkit: {8f4902b6-6c04-4ade-8052-aa58578a21bd} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Desktop Calendar] c:\program files\desktop calendar\Desktop Calendar.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [S3apphk] S3apphk.exe
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [PS2] c:\windows\system32\ps2.exe
mRun: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
mRun: [nwiz] nwiz.exe /install
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_09\bin\ssv.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} - hxxp://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {49232000-16E4-426C-A231-62846947304B} - hxxp://ipgweb.cce.hp.com/rdqcpc/downloads/sysinfo.cab
DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1231274630796
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1231274614687
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\chris\applic~1\mozilla\firefox\profiles\3ig68gkx.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\progra~1\mozill~1\plugins\np_gp.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJPI150_09.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPOJI610.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

S3 trid3d;trid3d;c:\windows\system32\drivers\trid3dm.sys [2002-3-20 144860]

=============== Created Last 30 ================

2009-12-01 19:56:52 0 d-----w- c:\program files\Cobian Backup 8
2009-11-17 20:08:51 0 d-----w- c:\windows\system32\wbem\Repository

==================== Find3M ====================

2009-11-28 15:21:54 104567 ----a-w- c:\windows\hpoins04.dat
2001-08-18 12:00:00 94784 --sh--w- c:\windows\twain.dll
2008-04-14 00:12:07 50688 --sh--w- c:\windows\twain_32.dll
2008-04-14 00:12:01 413696 --sha-w- c:\windows\system32\msvcp60.dll
2008-04-14 00:12:02 551936 --sha-w- c:\windows\system32\oleaut32.dll
2008-04-14 00:12:02 84992 --sh--w- c:\windows\system32\olepro32.dll
2008-04-14 00:12:32 11776 --sh--w- c:\windows\system32\regsvr32.exe
2008-09-18 00:43:42 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091720080918\index.dat

============= FINISH: 21:53:25.85 ===============



#2 pwgib

pwgib

  • Malware Response Team
  • 2,956 posts
  • OFFLINE
  • Gender:Male
  • Location:God's Country
  • Local time:07:37 AM

Posted 15 December 2009 - 10:59 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.


If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
PW

#3 csjoblom

csjoblom
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:06:37 AM

Posted 15 December 2009 - 02:10 PM

Thanks for getting back to me on this. I do still have the problem although I thought I had solved it yesterday by running Malwarebytes which found and cleaned a Trojan agent and a couple bad registry entries. After running the Malwarebytes scan and rebooting the computer, I reran another complete scan with clean results and the browser redirects were gone. My computer was working at normal speed again as well. However, today the browser redirects have happened twice. The computer does not seem to be running slower yet, though.

Description of the problem: Intermittent browser redirects in Mozilla Firefox from any site. The redirects always open a new window, sometimes with one tab and other times with multiple tabs. This has been happening since November 30, and as time went on the browser redirects intermittently increased and decreased in frequency, but my computer slowed down more and more until yesterday it was extremely slow. That's when I downloaded Malwarebytes and did the scan.

I have included the text of my original MWB scan below so you can see what it found. The DDS log I just produced today is also included below, and the Attach log is attached.

Thanks again for your help.


Here is the MWB Scan Log from 12-14-09:

Malwarebytes' Anti-Malware 1.42
Database version: 3360
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

12/14/2009 4:13:35 PM
mbam-log-2009-12-14 (16-13-35).txt

Scan type: Quick Scan
Objects scanned: 118967
Time elapsed: 7 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\vxto7cj3.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.



Here is the DDS Log:


DDS (Ver_09-12-01.01) - NTFSx86
Run by Chris at 12:39:51.40 on Tue 12/15/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.240 [GMT -6:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\S3apphk.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Desktop Calendar\Desktop Calendar.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\MOZILL~2\THUNDE~1.EXE
C:\Documents and Settings\Chris\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mSearch Bar = hxxp://srch-us5.hpwis.com/
uInternet Connection Wizard,ShellNext = iexplore
mSearchAssistant = hxxp://srch-us5.hpwis.com/
mCustomizeSearch = hxxp://srch-us5.hpwis.com/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_09\bin\ssv.dll
TB: &hp toolkit: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\hp\explorebar\HPTOOLKT.DLL
EB: hp toolkit: {8f4902b6-6c04-4ade-8052-aa58578a21bd} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Desktop Calendar] c:\program files\desktop calendar\Desktop Calendar.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [S3apphk] S3apphk.exe
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [PS2] c:\windows\system32\ps2.exe
mRun: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
mRun: [nwiz] nwiz.exe /install
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_09\bin\ssv.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} - hxxp://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {49232000-16E4-426C-A231-62846947304B} - hxxp://ipgweb.cce.hp.com/rdqcpc/downloads/sysinfo.cab
DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1231274630796
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1231274614687
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\chris\applic~1\mozilla\firefox\profiles\3ig68gkx.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\progra~1\mozill~1\plugins\np_gp.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJPI150_09.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPOJI610.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

S3 trid3d;trid3d;c:\windows\system32\drivers\trid3dm.sys [2002-3-20 144860]

=============== Created Last 30 ================

2009-12-14 22:04:15 0 d-----w- c:\docume~1\chris\applic~1\Malwarebytes
2009-12-14 22:04:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-14 22:04:04 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-12-14 22:04:02 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-14 22:04:02 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-01 19:56:52 0 d-----w- c:\program files\Cobian Backup 8
2009-11-17 20:08:51 0 d-----w- c:\windows\system32\wbem\Repository

==================== Find3M ====================

2009-11-28 15:21:54 104567 ----a-w- c:\windows\hpoins04.dat
2001-08-18 12:00:00 94784 --sh--w- c:\windows\twain.dll
2008-04-14 00:12:07 50688 --sh--w- c:\windows\twain_32.dll
2008-04-14 00:12:01 413696 --sha-w- c:\windows\system32\msvcp60.dll
2008-04-14 00:12:02 551936 --sha-w- c:\windows\system32\oleaut32.dll
2008-04-14 00:12:02 84992 --sh--w- c:\windows\system32\olepro32.dll
2008-04-14 00:12:32 11776 --sh--w- c:\windows\system32\regsvr32.exe

============= FINISH: 12:42:20.82 ===============


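An added example, not part of this thread and not Malwarebytes' own tooling: a small Python parser for the MBAM log format pasted above. It pulls the header fields, the per-category summary counts and each detection line into structured records, then runs three defender-side checks: that the summary counts match the lines actually listed (a mismatch usually means a truncated paste), that the Security Center `*DisableNotify` data items are called out as tampering with the OS's own warnings rather than dismissed as noise, and that anything MBAM did not finish removing is flagged for follow-up. The sample log is a trimmed copy of the one in the post; the regexes and the check logic are mine, not MBAM's.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the relevant lines of the MBAM 1.42 log posted above,
# with the all-zero sections trimmed so the example stays short.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.42
Database version: 3360

Scan type: Quick Scan
Objects scanned: 118967
Time elapsed: 7 minute(s), 38 second(s)

Registry Keys Infected: 0
Registry Data Items Infected: 2
Files Infected: 1

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\vxto7cj3.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.
"""

SUMMARY_RE = re.compile(r"^(?P<cat>[A-Za-z ]+ Infected): (?P<n>\d+)$")
SECTION_RE = re.compile(r"^(?P<cat>[A-Za-z ]+ Infected):$")
HEADER_RE = re.compile(r"^(?P<key>[A-Za-z ]+): (?P<val>.+)$")
HEAD_RE = re.compile(r"^(?P<item>.+) \((?P<threat>[^()]+)\)$")
SECURITY_CENTER_KEY = r"hkey_local_machine\software\microsoft\security center"

@dataclass
class Detection:
    category: str     # e.g. "Files Infected"
    item: str         # file path or registry path
    threat: str       # MBAM's label, e.g. "Trojan.Agent"
    action: str       # what MBAM did, trailing period removed
    detail: str = ""  # middle "->" segment, e.g. "Bad: (1) Good: (0)"

@dataclass
class MbamReport:
    header: Dict[str, str] = field(default_factory=dict)
    summary: Dict[str, int] = field(default_factory=dict)
    detections: List[Detection] = field(default_factory=list)

def parse_detection(category: str, line: str) -> Optional[Detection]:
    # Shape: "<item> (<Threat>) -> [<detail> ->] <action>."
    parts = [p.strip() for p in line.split(" -> ")]
    m = HEAD_RE.match(parts[0]) if len(parts) >= 2 else None
    if not m:
        return None
    return Detection(category, m["item"], m["threat"],
                     parts[-1].rstrip("."), " ".join(parts[1:-1]))

def parse_mbam_log(text: str) -> MbamReport:
    report = MbamReport()
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:  # "Files Infected: 1" (summary block)
            report.summary[m["cat"]] = int(m["n"])
            section = None
            continue
        m = SECTION_RE.match(line)
        if m:  # "Files Infected:" opens a listing
            section = m["cat"]
            continue
        if section is None:  # still in the header block
            m = HEADER_RE.match(line)
            if m:
                report.header[m["key"]] = m["val"]
            continue
        if line.startswith("(No malicious items detected)"):
            continue
        det = parse_detection(section, line)
        if det:
            report.detections.append(det)
    return report

def triage(report: MbamReport) -> List[str]:
    findings: List[str] = []
    # Summary counts must match the listed lines; a mismatch means a truncated paste.
    for cat, n in report.summary.items():
        got = sum(1 for d in report.detections if d.category == cat)
        if got != n:
            findings.append(f"count mismatch in '{cat}': summary says {n}, listed {got}")
    for d in report.detections:
        key = d.item.lower()
        # *DisableNotify = 1 silences Security Center warnings: tampering, not noise.
        if key.startswith(SECURITY_CENTER_KEY) and key.endswith("disablenotify"):
            name = d.item.rsplit("\\", 1)[-1]
            findings.append(f"security tooling tampered: {name} suppressed Security Center alerts")
        if "successfully" not in d.action.lower():  # anything left needs manual follow-up
            findings.append(f"unresolved: {d.item} ({d.threat}) -> {d.action}")
    return findings
```

The tampering check is the part worth keeping in mind when reading the thread: a Trojan that turns off the Security Center notifications has already been running with enough privilege to edit HKLM, so a clean follow-up Quick Scan shows only that MBAM's signatures found nothing more, not that the machine is clean, which matches the redirects returning the next day.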
#4 pwgib

pwgib

  • Malware Response Team
  • 2,956 posts
  • OFFLINE
  • Gender:Male
  • Location:God's Country
  • Local time:07:37 AM

Posted 16 December 2009 - 08:35 AM

Hello csjoblom and welcome to Bleeping Computer!! :(

I will be handling your log to help you get cleaned up. I apologize for the delay but the forum is very busy.

As you can see the logs we ask for are very extensive and take a lot of time to investigate. In addition, since I am still in training all of my responses have to be reviewed by our excellent expert staff so there may be a delay in response time. The advantage is that your log will be evaluated by two sets of eyes and two brains.

If you haven't already, you can keep the link to this topic in your Favorites. Alternatively, you can click the Options button at the top bar of this topic and Track this Topic, where you can choose email notifications.

Please make sure Word Wrap in notepad is turned off when copying and pasting logs and only attach logs if asked to. Do not wrap logs in codebox or code tags. It makes it very difficult to read and analyze them. Please paste them directly into the reply box.

Please do not make any changes to your system until we are through. Fixes are based upon information that is current from your system so any changes can affect our strategy. Please refrain from running any tools we may use without specific instructions.

If your operating system is Windows Vista, it may be necessary to right click any programs we use and choose Run as Administrator.

Before we begin, please check and follow the instructions on How to Show Hidden Files and Folders in Windows Vista and Windows XP.

Because the e-mail notification system is not completely reliable, please check your topic once a day for responses.

Again, keep in mind that it may take a couple of days or more before I can reply but once we get started the process should speed up.

Thank you for your patience!!
PW

#5 csjoblom

csjoblom
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:06:37 AM

Posted 16 December 2009 - 08:54 AM

Hello pwgib,

I understand about the delays and am happy to have someone helping. I have followed the instructions to show all hidden and system files, and my word wrap is turned off in notepad. I will await your next instructions.

#6 pwgib

pwgib

  • Malware Response Team
  • 2,956 posts
  • OFFLINE
  • Gender:Male
  • Location:God's Country
  • Local time:07:37 AM

Posted 16 December 2009 - 01:34 PM

Hello csjoblom :(

Step 1.

We need to disable Spybot S&D's "TeaTimer"
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half finished fix, we need to disable TeaTimer. We can reenable it when we're done if you like.
  • Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  • If prompted with a legal dialog, accept the warning.
  • Click Posted Image and then on "Advanced Mode"
    Posted Image
  • You may be presented with a warning dialog. If so, press Posted Image
  • Click on Posted Image
  • Click on Posted Image
  • Uncheck this checkbox:
    Posted Image
  • Close/Exit Spybot Search and Destroy
Step 2.

I notice you do not have an antivirus with real time protection running. In today's computing environment it is suicidal not to have an active antivirus protecting your computer. There are many excellent programs that you can purchase. However, we choose to advocate the use of free programs whenever possible. Two good antivirus programs free for non-commercial home use are:

Note: You should never have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to give "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.

Please install an antivirus program and post the results of the scan in your next reply.

Step 3.

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.

Step 4.

We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
In your next reply please include:

Antivirus scan log
MBAM log
OTListIt.txt <-- Will be opened
Extra.txt <-- Will be minimized

Thanks!!
PW

#7 csjoblom

csjoblom
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:06:37 AM

Posted 17 December 2009 - 08:24 AM

Hi pwgib,

I have disabled Tea Timer, installed Avira Antivirus, MWB and OTL and have run the scans you requested. The logs from those scans appear below. The day after my initial Avira scan, Avira detected an additional infection while operating in Guard Mode. This detection occurred after the Avira and MWB scans, but before the OTL scan. Here is the text from the event log for that detection:

Virus or unwanted program 'HTML/Infected.WebPage.Gen [virus]'
detected in file 'C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\O40STXOT\2[1].htm.
Action performed: Deny access

I took no action on this detection so the infected file still exists in the form in which it was detected.




AVIRA LOG:

Avira AntiVir Personal
Report file date: Wednesday, December 16, 2009 13:37

Scanning for 1452463 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : FRED

Version information:
BUILD.DAT : 9.0.0.415 21609 Bytes 11/8/2009 10:00:00
AVSCAN.EXE : 9.0.3.10 466689 Bytes 10/13/2009 17:26:33
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 16:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 17:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 16:58:52
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 13:35:52
VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 19:33:57
VBASE002.VDF : 7.10.1.1 2048 Bytes 11/19/2009 19:33:57
VBASE003.VDF : 7.10.1.2 2048 Bytes 11/19/2009 19:33:57
VBASE004.VDF : 7.10.1.3 2048 Bytes 11/19/2009 19:33:57
VBASE005.VDF : 7.10.1.4 2048 Bytes 11/19/2009 19:33:57
VBASE006.VDF : 7.10.1.5 2048 Bytes 11/19/2009 19:33:57
VBASE007.VDF : 7.10.1.6 2048 Bytes 11/19/2009 19:33:57
VBASE008.VDF : 7.10.1.7 2048 Bytes 11/19/2009 19:33:57
VBASE009.VDF : 7.10.1.8 2048 Bytes 11/19/2009 19:33:57
VBASE010.VDF : 7.10.1.9 2048 Bytes 11/19/2009 19:33:57
VBASE011.VDF : 7.10.1.10 2048 Bytes 11/19/2009 19:33:57
VBASE012.VDF : 7.10.1.11 2048 Bytes 11/19/2009 19:33:57
VBASE013.VDF : 7.10.1.79 209920 Bytes 11/25/2009 19:33:57
VBASE014.VDF : 7.10.1.128 197632 Bytes 11/30/2009 19:33:58
VBASE015.VDF : 7.10.1.178 195584 Bytes 12/7/2009 19:33:58
VBASE016.VDF : 7.10.1.224 183296 Bytes 12/14/2009 19:33:58
VBASE017.VDF : 7.10.1.247 182272 Bytes 12/15/2009 19:33:58
VBASE018.VDF : 7.10.1.248 2048 Bytes 12/15/2009 19:33:58
VBASE019.VDF : 7.10.1.249 2048 Bytes 12/15/2009 19:33:59
VBASE020.VDF : 7.10.1.250 2048 Bytes 12/15/2009 19:33:59
VBASE021.VDF : 7.10.1.251 2048 Bytes 12/15/2009 19:33:59
VBASE022.VDF : 7.10.1.252 2048 Bytes 12/15/2009 19:33:59
VBASE023.VDF : 7.10.1.253 2048 Bytes 12/15/2009 19:33:59
VBASE024.VDF : 7.10.1.254 2048 Bytes 12/15/2009 19:33:59
VBASE025.VDF : 7.10.1.255 2048 Bytes 12/15/2009 19:33:59
VBASE026.VDF : 7.10.2.0 2048 Bytes 12/15/2009 19:33:59
VBASE027.VDF : 7.10.2.1 2048 Bytes 12/15/2009 19:33:59
VBASE028.VDF : 7.10.2.2 2048 Bytes 12/15/2009 19:33:59
VBASE029.VDF : 7.10.2.3 2048 Bytes 12/15/2009 19:33:59
VBASE030.VDF : 7.10.2.4 2048 Bytes 12/15/2009 19:33:59
VBASE031.VDF : 7.10.2.11 96256 Bytes 12/16/2009 19:34:00
Engineversion : 8.2.1.114
AEVDF.DLL : 8.1.1.2 106867 Bytes 11/8/2009 13:38:52
AESCRIPT.DLL : 8.1.3.3 586106 Bytes 12/16/2009 19:34:02
AESCN.DLL : 8.1.3.0 127348 Bytes 12/16/2009 19:34:01
AESBX.DLL : 8.1.1.1 246132 Bytes 11/8/2009 13:38:44
AERDL.DLL : 8.1.3.4 479605 Bytes 12/16/2009 19:34:01
AEPACK.DLL : 8.2.0.3 422261 Bytes 11/8/2009 13:38:40
AEOFFICE.DLL : 8.1.0.38 196987 Bytes 11/8/2009 13:38:38
AEHEUR.DLL : 8.1.0.186 2183544 Bytes 12/16/2009 19:34:01
AEHELP.DLL : 8.1.9.0 237943 Bytes 12/16/2009 19:34:00
AEGEN.DLL : 8.1.1.81 369014 Bytes 12/16/2009 19:34:00
AEEMU.DLL : 8.1.1.0 393587 Bytes 11/8/2009 13:38:26
AECORE.DLL : 8.1.9.1 180598 Bytes 12/16/2009 19:34:00
AEBB.DLL : 8.1.0.3 53618 Bytes 11/8/2009 13:38:20
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 14:47:59
AVPREF.DLL : 9.0.3.0 44289 Bytes 8/26/2009 21:14:02
AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 20:34:28
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 16:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 21:05:41
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 16:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 21:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 14:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 16:32:10
RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 5/15/2009 21:39:58
RCTEXT.DLL : 9.0.73.0 86785 Bytes 10/13/2009 18:25:47

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, D:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Wednesday, December 16, 2009 13:37

Starting search for hidden objects.
'52336' objects were checked, '0' hidden objects were found.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'HPZipm12.exe' - '1' Module(s) have been scanned
Scan process 'hpqtra08.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'tfswctrl.exe' - '1' Module(s) have been scanned
Scan process 'hkcmd.exe' - '1' Module(s) have been scanned
Scan process 'hpcmpmgr.exe' - '1' Module(s) have been scanned
Scan process 'hpsysdrv.exe' - '1' Module(s) have been scanned
Scan process 'igfxtray.exe' - '1' Module(s) have been scanned
Scan process 'KBD.EXE' - '1' Module(s) have been scanned
Scan process 'S3apphk.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'wscntfy.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
30 processes with 30 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '66' files ).


Starting the file scan:

Begin scan in 'C:\' <HP_PAVILION>
C:\hiberfil.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\Documents and Settings\Chris\.housecall6.6\Quarantine\381beve2.exe.bac_a00328
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Documents and Settings\Chris\.housecall6.6\Quarantine\381beve2.exe.bac_a00328
[DETECTION] Is the TR/Dldr.Zlob.pea.1 Trojan
C:\Documents and Settings\Chris\.housecall6.6\Quarantine\7z87a7rv.exe.bac_a00328
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Documents and Settings\Chris\.housecall6.6\Quarantine\7z87a7rv.exe.bac_a00328
[DETECTION] Is the TR/Agent.zvh Trojan
C:\Documents and Settings\Chris\.housecall6.6\Quarantine\ciq94k8t.exe.bac_a01292
[DETECTION] Is the TR/Dldr.Zlob.Gen Trojan
C:\Documents and Settings\Chris\.housecall6.6\Quarantine\e5e0nu51.exe.bac_a00328
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Documents and Settings\Chris\.housecall6.6\Quarantine\e5e0nu51.exe.bac_a00328
[DETECTION] Is the TR/Agent.zvh Trojan
C:\Documents and Settings\Chris\.housecall6.6\Quarantine\llxfnkho.exe.bac_a00328
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Documents and Settings\Chris\.housecall6.6\Quarantine\llxfnkho.exe.bac_a00328
--> Object
[DETECTION] Is the TR/Dldr.Zlob.AC.8.A Trojan
C:\Documents and Settings\Chris\.housecall6.6\Quarantine\sii8z2lt.exe.bac_a01292
[DETECTION] Is the TR/Dldr.Zlob.Gen Trojan
C:\Documents and Settings\Chris\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-54e206d6-2f51254e.zip
[DETECTION] Contains recognition pattern of the EXP/Java.Gimsh.A.41 exploit
--> vmain.class
[DETECTION] Contains recognition pattern of the EXP/Java.Gimsh.A.39 exploit
C:\Documents and Settings\Owner\Desktop\SpyInstall.exe
[DETECTION] Is the TR/Hijacker.Gen Trojan
C:\Program Files\HPSelect\hp learning adventure.exe
[DETECTION] Is the TR/ATRAPS.Gen Trojan
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP478\A0050345.exe
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
Begin scan in 'D:\' <HP_RECOVERY>
D:\I386\APPS\APP18716\App18716.exe
[0] Archive type: ZIP SFX (self extracting)
--> hp/tmp/Desktop.exe
[DETECTION] Is the TR/ATRAPS.Gen Trojan
--> hp/tmp/hp learning adventure.exe
[DETECTION] Is the TR/ATRAPS.Gen Trojan

Beginning disinfection:
C:\Documents and Settings\Chris\.housecall6.6\Quarantine\381beve2.exe.bac_a00328
[NOTE] The file was moved to '4b5a4af9.qua'!
C:\Documents and Settings\Chris\.housecall6.6\Quarantine\7z87a7rv.exe.bac_a00328
[NOTE] The file was moved to '4b614b3b.qua'!
C:\Documents and Settings\Chris\.housecall6.6\Quarantine\ciq94k8t.exe.bac_a01292
[DETECTION] Is the TR/Dldr.Zlob.Gen Trojan
[NOTE] The file was moved to '4b9a4b2b.qua'!
C:\Documents and Settings\Chris\.housecall6.6\Quarantine\e5e0nu51.exe.bac_a00328
[NOTE] The file was moved to '4b8e4af7.qua'!
C:\Documents and Settings\Chris\.housecall6.6\Quarantine\llxfnkho.exe.bac_a00328
[NOTE] The file was moved to '4ba14b2e.qua'!
C:\Documents and Settings\Chris\.housecall6.6\Quarantine\sii8z2lt.exe.bac_a01292
[DETECTION] Is the TR/Dldr.Zlob.Gen Trojan
[NOTE] The file was moved to '4b924b2b.qua'!
C:\Documents and Settings\Chris\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-54e206d6-2f51254e.zip
[DETECTION] Contains recognition pattern of the EXP/Java.Gimsh.A.41 exploit
[NOTE] The file was moved to '4b964b38.qua'!
C:\Documents and Settings\Owner\Desktop\SpyInstall.exe
[DETECTION] Is the TR/Hijacker.Gen Trojan
[NOTE] The file was moved to '4ba24b32.qua'!
C:\Program Files\HPSelect\hp learning adventure.exe
[DETECTION] Is the TR/ATRAPS.Gen Trojan
[NOTE] The file was moved to '4b494b33.qua'!
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP478\A0050345.exe
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The file was moved to '4b594af3.qua'!
D:\I386\APPS\APP18716\App18716.exe
[NOTE] The file was moved to '4b994b33.qua'!


End of the scan: Wednesday, December 16, 2009 15:01
Used time: 1:24:00 Hour(s)

The scan has been done completely.

6468 Scanned directories
373928 Files were scanned
13 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
11 Files were moved to quarantine
0 Files were renamed
2 Files cannot be scanned
373913 Files not concerned
22416 Archives were scanned
2 Warnings
13 Notes
52336 Objects were scanned with rootkit scan
0 Hidden objects were found




MWB LOG:

Malwarebytes' Anti-Malware 1.42
Database version: 3360
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

12/16/2009 11:52:32 PM
mbam-log-2009-12-16 (23-52-32).txt

Scan type: Quick Scan
Objects scanned: 119540
Time elapsed: 8 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




OTL LOG:

OTL logfile created on: 12/17/2009 6:56:54 AM - Run 1
OTL by OldTimer - Version 3.1.17.0 Folder = C:\Documents and Settings\Chris\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

510.52 Mb Total Physical Memory | 179.59 Mb Available Physical Memory | 35.18% Memory free
864.73 Mb Paging File | 535.01 Mb Available in Paging File | 61.87% Paging File free
Paging file location(s): C:\pagefile.sys 384 768 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 52.36 Gb Total Space | 35.54 Gb Free Space | 67.87% Space Free | Partition Type: NTFS
Drive D: | 4.87 Gb Total Space | 0.91 Gb Free Space | 18.76% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: FRED
Current User Name: Chris
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2009/12/17 06:55:20 | 00,538,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Chris\Desktop\OTL.exe
PRC - [2009/12/16 21:41:32 | 00,908,248 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/07/21 13:34:33 | 00,185,089 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2009/05/13 15:48:22 | 00,108,289 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2009/03/02 12:08:47 | 00,209,153 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2008/04/13 18:12:41 | 00,013,824 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wscntfy.exe
PRC - [2008/04/13 18:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2004/05/28 22:31:38 | 00,241,664 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
PRC - [2004/05/12 15:18:56 | 00,241,664 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
PRC - [2004/03/18 16:55:48 | 00,065,536 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe
PRC - [2003/10/31 12:38:50 | 00,442,368 | ---- | M] (Home) -- C:\Program Files\Desktop Calendar\Desktop Calendar.exe
PRC - [2002/03/15 23:51:02 | 00,028,672 | ---- | M] () -- C:\WINDOWS\system32\S3apphk.exe
PRC - [2002/03/14 11:25:00 | 00,102,455 | ---- | M] (VERITAS Software, Inc.) -- C:\WINDOWS\system32\dla\tfswctrl.exe
PRC - [2002/03/12 04:28:06 | 00,155,648 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxtray.exe
PRC - [2002/03/12 04:20:02 | 00,106,496 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\hkcmd.exe
PRC - [2001/07/06 21:56:56 | 00,061,440 | ---- | M] (Hewlett-Packard Company) -- C:\hp\KBD\KBD.EXE
PRC - [1998/05/07 17:04:38 | 00,052,736 | ---- | M] (Hewlett-Packard Company) -- C:\WINDOWS\system\hpsysdrv.exe


========== Modules (SafeList) ==========

MOD - [2009/12/17 06:55:20 | 00,538,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Chris\Desktop\OTL.exe
MOD - [2002/03/15 23:51:02 | 00,045,056 | ---- | M] (S3 Graphics, Inc.) -- C:\WINDOWS\system32\S3appdll.dll
MOD - [2001/10/04 16:50:08 | 00,040,820 | ---- | M] (SoundMAX) -- C:\WINDOWS\system32\Syncor11.dll


========== Win32 Services (SafeList) ==========

SRV - [2009/11/06 09:20:16 | 00,051,168 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper.dll -- (getPlusHelper) getPlus®
SRV - [2009/07/21 13:34:33 | 00,185,089 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2009/05/13 15:48:22 | 00,108,289 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2007/04/02 17:21:54 | 00,131,072 | ---- | M] (Sprint Spectrum, L.L.C) [Disabled | Stopped] -- C:\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService.exe -- (SPCSUtilityService)
SRV - [2004/03/18 16:55:48 | 00,065,536 | ---- | M] (HP) [On_Demand | Running] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)
SRV - [2002/03/09 17:53:00 | 00,061,440 | ---- | M] (NVIDIA Corporation) [Auto | Stopped] -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc)


========== Driver Services (SafeList) ==========

DRV - [2009/07/28 15:33:56 | 00,055,656 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2009/05/11 09:12:24 | 00,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2009/03/30 09:33:07 | 00,096,104 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2009/02/13 11:35:05 | 00,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)
DRV - [2008/04/13 12:45:29 | 00,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2007/11/13 04:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2007/07/09 08:52:08 | 00,037,992 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CO_Mon.sys -- (CO_Mon)
DRV - [2007/02/22 16:26:46 | 00,071,168 | ---- | M] (Sierra Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\swmx00.sys -- (SWMX00) Sierra Wireless USB MUX Driver (#00)
DRV - [2007/01/12 13:26:42 | 00,102,144 | ---- | M] (Sierra Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SWNC5E00.sys -- (SWNC5E00) Sierra Wireless MUX NDIS Driver (#00)
DRV - [2004/08/03 23:31:32 | 00,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rtl8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2004/06/22 08:05:12 | 00,051,088 | ---- | M] (HP) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hpzid412.sys -- (HPZid412)
DRV - [2004/06/22 08:05:12 | 00,021,744 | ---- | M] (HP) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HPZius12.sys -- (HPZius12)
DRV - [2004/06/22 08:05:12 | 00,016,496 | ---- | M] (HP) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HPZipr12.sys -- (HPZipr12)
DRV - [2003/03/31 14:29:00 | 00,625,537 | ---- | M] (LT) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ltmdmnt.sys -- (ltmodem5)
DRV - [2002/04/03 17:24:26 | 00,459,944 | ---- | M] (Analog Devices, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\smwdm.sys -- (smwdm)
DRV - [2002/03/27 16:17:20 | 00,069,472 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ialmkchw.sys -- ({D31A0762-0CEB-444e-ACFF-B049A1F6FE91}) Intel® Graphics Chipset (KCH)
DRV - [2002/03/27 16:17:10 | 00,087,648 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ialmsbw.sys -- ({6080A529-897E-4629-A488-ABA0C29B635E}) Intel® Graphics Platform (SoftBIOS)
DRV - [2002/03/27 16:16:08 | 00,077,181 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ialmnt5.sys -- (ialm)
DRV - [2002/03/26 19:20:22 | 00,013,780 | ---- | M] (Padus, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pfc.sys -- (pfc)
DRV - [2002/03/20 23:35:56 | 00,144,860 | ---- | M] (VIA Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\trid3dm.sys -- (trid3d)
DRV - [2002/03/19 03:18:26 | 00,187,520 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sisgrp.sys -- (SiS315)
DRV - [2002/03/14 11:25:00 | 00,094,679 | ---- | M] (VERITAS Software, Inc.) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnudfa.sys -- (tfsnudfa)
DRV - [2002/03/14 11:25:00 | 00,088,758 | ---- | M] (VERITAS Software, Inc.) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnudf.sys -- (tfsnudf)
DRV - [2002/03/14 11:25:00 | 00,052,758 | ---- | M] (VERITAS Software, Inc.) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnifs.sys -- (tfsnifs)
DRV - [2002/03/14 11:25:00 | 00,034,743 | ---- | M] (VERITAS Software, Inc.) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsncofs.sys -- (tfsncofs)
DRV - [2002/03/14 11:25:00 | 00,023,607 | ---- | M] (VERITAS Software, Inc.) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnboio.sys -- (tfsnboio)
DRV - [2002/03/14 11:25:00 | 00,013,847 | ---- | M] (VERITAS Software, Inc.) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnopio.sys -- (tfsnopio)
DRV - [2002/03/14 11:25:00 | 00,006,327 | ---- | M] (VERITAS Software, Inc.) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnpool.sys -- (tfsnpool)
DRV - [2002/03/14 11:25:00 | 00,004,119 | ---- | M] (VERITAS Software, Inc.) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsndrct.sys -- (tfsndrct)
DRV - [2002/03/14 11:25:00 | 00,002,203 | ---- | M] (VERITAS Software, Inc.) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsndres.sys -- (tfsndres)
DRV - [2002/03/09 17:53:00 | 00,909,501 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2002/02/26 10:02:00 | 00,016,288 | ---- | M] (VERITAS Software, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\PxHelp20.sys -- (PxHelp20)
DRV - [2002/02/15 11:21:00 | 00,078,048 | ---- | M] (VERITAS Software, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\drvmcdb.sys -- (drvmcdb)
DRV - [2002/02/12 10:56:00 | 00,040,096 | ---- | M] (VERITAS Software, Inc.) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\drvnddm.sys -- (drvnddm)
DRV - [2002/01/29 01:04:04 | 00,005,589 | ---- | M] (VERITAS Software, Inc.) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\sscdbhk5.sys -- (sscdbhk5)
DRV - [2002/01/29 01:03:18 | 00,022,963 | ---- | M] (VERITAS Software, Inc.) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\ssrtln.sys -- (ssrtln)
DRV - [2001/12/27 04:52:58 | 00,027,136 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\SISAGP.sys -- (SISAGP)
DRV - [2001/12/07 22:26:00 | 00,013,502 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\nv_agp.sys -- (nv_agp)
DRV - [2001/08/18 06:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2001/08/17 22:00:04 | 00,002,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\msmpu401.sys -- (ms_mpu401)
DRV - [2001/08/17 13:50:26 | 00,731,648 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nv4.sys -- (nv4)
DRV - [2001/08/17 13:12:10 | 00,117,760 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\e100b325.sys -- (E100B) Intel®
DRV - [2001/08/08 14:13:36 | 00,158,140 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\i81xnt5.sys -- (i81x)
DRV - [2001/08/08 14:13:30 | 00,012,479 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wADV01nt.sys -- (iAimFP0)
DRV - [2001/08/08 14:13:30 | 00,012,031 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wADV02NT.sys -- (iAimFP1)
DRV - [2001/08/08 14:13:30 | 00,011,679 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wADV05NT.sys -- (iAimFP2)
DRV - [2001/08/08 14:13:28 | 00,019,359 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wVchNTxx.sys -- (iAimFP4)
DRV - [2001/08/08 14:13:28 | 00,011,999 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wSiINTxx.sys -- (iAimFP3)
DRV - [2001/08/08 14:13:26 | 00,033,503 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wATV04nt.sys -- (iAimTV3)
DRV - [2001/08/08 14:13:24 | 00,029,215 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wATV01nt.sys -- (iAimTV0)
DRV - [2001/08/08 14:13:24 | 00,023,519 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wCh7xxNT.sys -- (iAimTV4)
DRV - [2001/08/08 14:13:24 | 00,019,199 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wATV02NT.sys -- (iAimTV1)
DRV - [2001/06/04 14:00:00 | 00,014,112 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\PS2.sys -- (Ps2)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://srch-us5.hpwis.com/
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://srch-us5.hpwis.com/


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-3410288154-3383965429-2669302297-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-3410288154-3383965429-2669302297-1006\S-1-5-21-3410288154-3383965429-2669302297-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.com/"

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/12/16 21:41:44 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/12/16 21:41:44 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.23\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2009/08/24 09:52:18 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.23\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins [2009/11/17 14:04:53 | 00,000,000 | ---D | M]

[2008/09/08 13:04:09 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Chris\Application Data\Mozilla\Extensions
[2009/12/16 13:18:16 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\3ig68gkx.default\extensions
[2008/06/01 09:59:19 | 00,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\3ig68gkx.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}(2)
[2008/12/29 16:05:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\3ig68gkx.default\extensions\LogMeInClient@logmein(2).com
[2009/01/24 10:54:42 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\3ig68gkx.default\extensions\LogMeInClient@logmein.com
[2008/09/09 04:39:59 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2006/01/18 11:50:00 | 00,319,488 | ---- | M] ( ) -- C:\Program Files\Mozilla Firefox\plugins\npsnapfish.dll

O1 HOSTS File: (291955 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 10055 more lines...
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (&hp toolkit) - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\hp\EXPLOREBAR\HPTOOLKT.DLL (Hewlett-Packard Company)
O3 - HKU\S-1-5-21-3410288154-3383965429-2669302297-1006\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-21-3410288154-3383965429-2669302297-1006\..\Toolbar\ShellBrowser: (&hp toolkit) - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\hp\EXPLOREBAR\HPTOOLKT.DLL (Hewlett-Packard Company)
O4 - HKLM..\Run: [Adobe ARM] C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe (VERITAS Software, Inc.)
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [HP Component Manager] C:\Program Files\HP\hpcoretech\hpcmpmgr.exe (Hewlett-Packard Company)
O4 - HKLM..\Run: [hpsysdrv] c:\WINDOWS\system\hpsysdrv.exe (Hewlett-Packard Company)
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [KBD] C:\hp\KBD\KBD.EXE (Hewlett-Packard Company)
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe (NVIDIA Corporation)
O4 - HKLM..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe ()
O4 - HKLM..\Run: [PS2] C:\WINDOWS\System32\ps2.exe File not found
O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\Recguard.exe ()
O4 - HKLM..\Run: [S3apphk] C:\WINDOWS\System32\S3apphk.exe ()
O4 - HKU\S-1-5-21-3410288154-3383965429-2669302297-1006..\Run: [Desktop Calendar] C:\Program Files\Desktop Calendar\Desktop Calendar.exe (Home)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\Default User\Start Menu\Programs\Startup\AutoPlay.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3410288154-3383965429-2669302297-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\NPJPI150_09.dll (Sun Microsystems, Inc.)
O12 - Plugin for: .spop - C:\Program Files\Internet Explorer\PLUGINS\NPDocBox.dll (InterTrust Technologies Corporation, Inc.)
O15 - HKLM\..Trusted Domains: 49 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\.DEFAULT\..Trusted Domains: 48 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-18\..Trusted Domains: 48 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-3410288154-3383965429-2669302297-1006\..Trusted Domains: 48 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} http://h20270.www2.hp.com/ediags/gmn/insta...staller_gmn.cab (VerifyGMN Class)
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB (Reg Error: Key error.)
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} http://ipgweb.cce.hp.com/rdqcpc/downloads/sysinfo.cab (SysData Class)
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-48.cab (EPUImageControl Class)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/microsoftupdat...b?1231274630796 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1231274614687 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_09)
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx (Get_ActiveX Control)
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_09)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_09)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} https://secure.logmein.com/activex/ractrl.cab?lmi=100 (Performance Viewer Activex Control)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.115.71.53 24.196.64.53 24.159.193.40
O18 - Protocol\Handler\cetihpz {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll (Hewlett-Packard Company)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2002/04/19 22:16:39 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2001/07/28 07:07:38 | 00,000,000 | ---- | M] () - D:\AUTOEXEC.BAT -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2009/12/17 06:55:16 | 00,538,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Chris\Desktop\OTL.exe
[2009/12/16 13:27:31 | 00,096,104 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys
[2009/12/16 13:27:31 | 00,055,656 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys
[2009/12/16 13:27:31 | 00,045,416 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntdd.sys
[2009/12/16 13:27:31 | 00,022,360 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntmgr.sys
[2009/12/16 13:27:26 | 00,028,520 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\ssmdrv.sys
[2009/12/16 13:27:24 | 00,000,000 | ---D | C] -- C:\Program Files\Avira
[2009/12/16 13:27:24 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Avira
[2009/12/14 16:04:15 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Chris\Application Data\Malwarebytes
[2009/12/14 16:04:07 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/12/14 16:04:04 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/12/14 16:04:02 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/12/14 16:04:02 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/12/01 21:59:23 | 00,472,064 | ---- | C] ( ) -- C:\Documents and Settings\Chris\Desktop\RootRepeal.exe
[2009/12/01 13:56:52 | 00,000,000 | ---D | C] -- C:\Program Files\Cobian Backup 8
[2009/11/19 23:01:25 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Chris\My Documents\Downloads
[2008/09/17 18:44:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2008/07/04 10:05:53 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2007/02/19 15:10:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2002/04/19 22:19:36 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2009/12/17 07:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At8.job
[2009/12/17 06:55:20 | 00,538,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Chris\Desktop\OTL.exe
[2009/12/17 06:01:46 | 00,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/12/17 06:00:39 | 00,000,249 | ---- | M] () -- C:\WINDOWS\System\hpsysdrv.dat
[2009/12/17 06:00:21 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/12/17 06:00:10 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/12/17 06:00:07 | 53,539,2256 | -HS- | M] () -- C:\hiberfil.sys
[2009/12/16 23:54:14 | 07,340,032 | ---- | M] () -- C:\Documents and Settings\Chris\ntuser.dat
[2009/12/16 23:54:14 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\Chris\ntuser.ini
[2009/12/16 23:53:46 | 06,418,728 | -H-- | M] () -- C:\Documents and Settings\Chris\Local Settings\Application Data\IconCache.db
[2009/12/16 23:37:58 | 00,002,473 | ---- | M] () -- C:\Documents and Settings\Chris\Desktop\Microsoft Word.lnk
[2009/12/16 23:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At24.job
[2009/12/16 22:02:08 | 00,021,504 | ---- | M] () -- C:\Documents and Settings\Chris\Desktop\Delivery List for Thursday 12-17.doc
[2009/12/16 22:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At23.job
[2009/12/16 21:00:01 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At22.job
[2009/12/16 20:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At21.job
[2009/12/16 19:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At20.job
[2009/12/16 18:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At19.job
[2009/12/16 17:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At18.job
[2009/12/16 16:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At17.job
[2009/12/16 15:00:01 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At16.job
[2009/12/16 14:00:02 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At15.job
[2009/12/16 13:28:12 | 00,001,718 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Avira AntiVir Control Center.lnk
[2009/12/16 13:07:54 | 00,016,896 | ---- | M] () -- C:\Documents and Settings\Chris\Desktop\Truck Loading Chart.xls
[2009/12/16 13:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At14.job
[2009/12/16 09:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At10.job
[2009/12/16 08:41:19 | 00,030,208 | ---- | M] () -- C:\Documents and Settings\Chris\Desktop\To Do 12-16-09.doc
[2009/12/16 08:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At9.job
[2009/12/16 01:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At2.job
[2009/12/16 00:16:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At1.job
[2009/12/16 00:00:02 | 00,033,280 | ---- | M] () -- C:\Documents and Settings\Chris\Desktop\Appliance Parts Needed.xls
[2009/12/15 15:40:15 | 00,023,552 | ---- | M] () -- C:\Documents and Settings\Chris\Desktop\Delivery List for Saturday 12-19.doc
[2009/12/15 12:29:37 | 00,000,087 | ---- | M] () -- C:\Documents and Settings\Chris\Desktop\Fisher Paykel Dryer DE05-US2 - Appliance Service Manual Requests - Do-It-Yourself Appliance Repair Help - ApplianceGuru.com .URL
[2009/12/15 12:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At13.job
[2009/12/15 11:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At12.job
[2009/12/15 10:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At11.job
[2009/12/14 16:04:10 | 00,000,707 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/12/14 16:02:48 | 00,037,376 | ---- | M] () -- C:\Documents and Settings\Chris\Desktop\firefox hijack removal.doc
[2009/12/13 10:15:14 | 00,022,528 | ---- | M] () -- C:\Documents and Settings\Chris\Desktop\GE Profile Dryer 549.doc
[2009/12/11 08:19:27 | 00,019,456 | ---- | M] () -- C:\Documents and Settings\Chris\Desktop\Jim's list for 12-11.doc
[2009/12/10 06:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At7.job
[2009/12/08 15:20:31 | 00,020,992 | ---- | M] () -- C:\Documents and Settings\Chris\Desktop\Notes for Board Meeting.doc
[2009/12/08 13:10:30 | 00,000,063 | ---- | M] () -- C:\Documents and Settings\Chris\Desktop\Bing Maps.URL
[2009/12/06 09:21:41 | 00,000,748 | ---- | M] () -- C:\Documents and Settings\Chris\Desktop\Ad Copy.lnk
[2009/12/03 16:14:06 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/12/03 16:13:56 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/12/01 22:03:05 | 00,000,015 | ---- | M] () -- C:\Documents and Settings\Chris\Desktop\settings.dat
[2009/12/01 21:59:23 | 00,472,064 | ---- | M] ( ) -- C:\Documents and Settings\Chris\Desktop\RootRepeal.exe
[2009/12/01 21:47:21 | 00,524,288 | ---- | M] () -- C:\Documents and Settings\Chris\Desktop\dds.scr
[2009/11/30 10:34:58 | 02,784,361 | ---- | M] () -- C:\Documents and Settings\Chris\Desktop\Use and Care Guide - 8535541.pdf
[2009/11/30 10:32:37 | 00,881,478 | ---- | M] () -- C:\Documents and Settings\Chris\Desktop\Installation Instructions - 8573158.pdf
[2009/11/30 10:30:49 | 01,452,939 | ---- | M] () -- C:\Documents and Settings\Chris\Desktop\Repair Part List - 8194240.pdf
[2009/11/28 09:21:54 | 00,104,567 | ---- | M] () -- C:\WINDOWS\hpoins04.dat
[2009/11/28 09:21:16 | 00,000,675 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/11/20 20:14:50 | 00,002,471 | ---- | M] () -- C:\Documents and Settings\Chris\Desktop\Microsoft Excel.lnk
[2009/11/19 23:04:16 | 00,000,036 | ---- | M] () -- C:\Documents and Settings\Chris\Local Settings\Application Data\housecall.guid.cache
[2009/11/19 22:49:14 | 00,358,194 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/11/19 22:49:14 | 00,312,946 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/11/19 22:49:14 | 00,040,664 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/11/18 11:43:55 | 00,001,740 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2009/11/18 11:33:03 | 00,000,000 | ---- | M] () -- C:\Documents and Settings\Chris\Desktop\FVIR Water Heater Troubleshooting.prn
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2009/12/16 13:28:12 | 00,001,718 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Avira AntiVir Control Center.lnk
[2009/12/15 23:09:03 | 00,030,208 | ---- | C] () -- C:\Documents and Settings\Chris\Desktop\To Do 12-16-09.doc
[2009/12/15 12:29:37 | 00,000,087 | ---- | C] () -- C:\Documents and Settings\Chris\Desktop\Fisher Paykel Dryer DE05-US2 - Appliance Service Manual Requests - Do-It-Yourself Appliance Repair Help - ApplianceGuru.com .URL
[2009/12/14 16:04:10 | 00,000,707 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/12/14 16:02:46 | 00,037,376 | ---- | C] () -- C:\Documents and Settings\Chris\Desktop\firefox hijack removal.doc
[2009/12/13 10:15:13 | 00,022,528 | ---- | C] () -- C:\Documents and Settings\Chris\Desktop\GE Profile Dryer 549.doc
[2009/12/10 20:43:49 | 00,019,456 | ---- | C] () -- C:\Documents and Settings\Chris\Desktop\Jim's list for 12-11.doc
[2009/12/08 15:20:31 | 00,020,992 | ---- | C] () -- C:\Documents and Settings\Chris\Desktop\Notes for Board Meeting.doc
[2009/12/08 13:10:30 | 00,000,063 | ---- | C] () -- C:\Documents and Settings\Chris\Desktop\Bing Maps.URL
[2009/12/06 09:21:41 | 00,000,748 | ---- | C] () -- C:\Documents and Settings\Chris\Desktop\Ad Copy.lnk
[2009/12/01 21:59:36 | 00,000,015 | ---- | C] () -- C:\Documents and Settings\Chris\Desktop\settings.dat
[2009/12/01 21:47:20 | 00,524,288 | ---- | C] () -- C:\Documents and Settings\Chris\Desktop\dds.scr
[2009/11/30 10:34:56 | 02,784,361 | ---- | C] () -- C:\Documents and Settings\Chris\Desktop\Use and Care Guide - 8535541.pdf
[2009/11/30 10:32:36 | 00,881,478 | ---- | C] () -- C:\Documents and Settings\Chris\Desktop\Installation Instructions - 8573158.pdf
[2009/11/30 10:30:45 | 01,452,939 | ---- | C] () -- C:\Documents and Settings\Chris\Desktop\Repair Part List - 8194240.pdf
[2009/11/19 23:04:16 | 00,000,036 | ---- | C] () -- C:\Documents and Settings\Chris\Local Settings\Application Data\housecall.guid.cache
[2009/11/18 11:43:55 | 00,001,740 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2009/11/18 11:33:03 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\Chris\Desktop\FVIR Water Heater Troubleshooting.prn
[2009/03/22 16:26:21 | 00,000,000 | ---- | C] () -- C:\WINDOWS\SMMVSplitter.INI
[2009/03/22 13:48:47 | 00,000,035 | ---- | C] () -- C:\WINDOWS\System32\winitn.dll
[2009/03/22 13:48:32 | 00,237,568 | ---- | C] () -- C:\WINDOWS\System32\lame_enc.dll
[2009/02/28 16:07:40 | 00,000,107 | ---- | C] () -- C:\WINDOWS\wpd99.drv
[2009/02/28 16:06:56 | 00,118,784 | ---- | C] () -- C:\WINDOWS\System32\pdfmona.dll
[2009/02/28 16:06:56 | 00,051,716 | ---- | C] () -- C:\WINDOWS\System32\pdf995mon.dll
[2008/02/28 14:30:08 | 00,008,784 | ---- | C] () -- C:\WINDOWS\System32\ractrlkeyhook.dll
[2007/07/09 08:52:08 | 00,037,992 | ---- | C] () -- C:\WINDOWS\System32\drivers\CO_Mon.sys
[2007/03/09 23:21:22 | 00,002,162 | ---- | C] () -- C:\WINDOWS\System32\tmmute.ini
[2007/02/19 12:16:35 | 00,002,150 | ---- | C] () -- C:\WINDOWS\System32\ssmute.ini
[2007/02/19 11:31:11 | 00,000,106 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/02/19 11:18:18 | 00,002,642 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2007/02/19 09:41:40 | 00,000,044 | ---- | C] () -- C:\WINDOWS\System32\msssc.dll
[2002/04/25 21:23:36 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2002/04/20 18:16:42 | 00,045,056 | ---- | C] () -- C:\WINDOWS\System32\hpREG.DLL
[2002/04/20 18:16:42 | 00,024,576 | ---- | C] () -- C:\WINDOWS\System32\syscontr.dll
[2002/04/20 00:28:06 | 00,000,449 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2002/04/20 00:19:46 | 00,019,968 | ---- | C] () -- C:\WINDOWS\System32\cpuinf32.dll
[2002/04/19 23:25:32 | 00,016,896 | ---- | C] () -- C:\WINDOWS\System32\bcbmm.dll
[2002/04/19 22:20:31 | 00,000,799 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2002/04/19 22:12:23 | 00,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2002/04/19 22:04:05 | 00,000,666 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2002/03/29 19:49:26 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2002/03/27 15:37:52 | 00,262,144 | ---- | C] () -- C:\WINDOWS\System32\shpshftr.dll
[2002/03/12 04:25:02 | 00,028,672 | ---- | C] () -- C:\WINDOWS\System32\igfxdgps.dll
[2001/08/31 23:33:58 | 00,425,984 | ---- | C] () -- C:\WINDOWS\System32\VxDMDcDlg.dll
[2001/08/08 14:13:22 | 00,012,351 | ---- | C] () -- C:\WINDOWS\System32\i81xcoin.dll
[1999/01/22 12:46:58 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL
[1998/01/12 02:00:00 | 00,040,448 | ---- | C] () -- C:\WINDOWS\System32\REGOBJ.DLL

========== Alternate Data Streams ==========

@Alternate Data Stream - 88 bytes -> C:\Documents and Settings\Chris\My Documents\USB Wireless Adapter Manual.zip:SummaryInformation
< End of report >
OTL EXTRAS LOG:

OTL Extras logfile created on: 12/17/2009 6:56:54 AM - Run 1
OTL by OldTimer - Version 3.1.17.0 Folder = C:\Documents and Settings\Chris\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

510.52 Mb Total Physical Memory | 179.59 Mb Available Physical Memory | 35.18% Memory free
864.73 Mb Paging File | 535.01 Mb Available in Paging File | 61.87% Paging File free
Paging file location(s): C:\pagefile.sys 384 768 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 52.36 Gb Total Space | 35.54 Gb Free Space | 67.87% Space Free | Partition Type: NTFS
Drive D: | 4.87 Gb Total Space | 0.91 Gb Free Space | 18.76% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: FRED
Current User Name: Chris
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = Reg Error: Value error.] -- Reg Error: Key error. File not found

[HKEY_USERS\S-1-5-21-3410288154-3383965429-2669302297-1006\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\hp center\137903\Program\BackWeb-137903.exe" = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe:*:Disabled:BackWeb-137903 -- File not found
"C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe:*:Disabled:Firefox -- (Mozilla Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00010409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Professional
"{00040409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Disc 2
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = HP DLA
"{1EBB57D4-63FF-87CC-A0F0-D73982CF6008}" = Adobe Media Player
"{1F63ED0B-EDD2-4037-B6AB-1358C624AF48}" = Scan
"{21E75254-410E-49C4-8981-2E1A2A2221F2}" = HP Diagnostic Assistant
"{2405665A-16C9-4D3A-B70E-F006220E1472}" = Overland
"{267868CE-6DFF-40F7-9C58-C01119B7B117}" = Fax
"{287ECFA4-719A-2143-A09B-D6A12DE54E40}" = Acrobat.com
"{2F71F2BA-B513-4113-969C-18A84D238E27}" = 1310
"{31F60389-C3FA-4C7D-86C5-225937ACA63A}" = TaxCut Wisconsin 2008
"{3248F0A8-6813-11D6-A77B-00B0D0150090}" = J2SE Runtime Environment 5.0 Update 9
"{33AE85D9-0386-41AD-BD99-FDF3ABC19DBB}" =
"{34A59AC3-6C5C-4A09-A7F5-369A37176C8A}" = AiOSoftware
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3CF78481-FB7B-4B51-99A2-D5E0CD0B3AAF}" = HPSystemDiagnostics
"{3E908702-AF35-4611-9518-955DA24B7E07}" = Microsoft XML Parser and SDK
"{41254D7B-EADF-4078-AE4A-BD73B300EE86}" = Unload
"{4732D4A0-5A47-44D8-9B84-B3BD4906D30D}" = TaxCut Premium 2007
"{597D73A8-5FDB-4bc1-9893-40B54459F1BC}" = ProductContext
"{6DCBB845-0FA4-4723-A40A-1F320C221C30}" = Sprint Mobile Broadband (Sierra)
"{80413011-029C-4D6B-B3AD-725DDE60B81C}" = 1310Trb
"{8214CC02-6271-4DC8-B8DD-779933450264}" = HP RecordNow
"{8777AC6D-89F9-4793-8266-DE406F343E89}" = QFolder
"{87791AF4-4D4C-43DC-97BF-05EEEE5187F2}" = e-Sword
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® 845G Chipset Graphics Driver Software
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A1062847-0846-427A-92A1-BB8251A91E91}" = HP PSC & OfficeJet 4.2
"{A2500497-FD32-493e-B8E5-28D6728DBEF5}" = Readme
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A4EA3AB4-E78C-4286-96DF-26035507CE55}" = AiO_Scan
"{AC76BA86-7AD7-1033-7B44-A91000000001}" = Adobe Reader 9.1.3
"{AC76BA86-7AD7-1033-7B44-A92000000001}" = Adobe Reader 9.2
"{B3D5D4E0-E965-41C4-ABFD-A7B1AD0663C2}" = Director
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{BBB33AD6-BCF7-4002-B6A0-6DC679AE5C18}" = TaxCut Premium + State + Efile 2008
"{BF018D2F-C788-4AB1-AB95-1280EAB8F13E}" = TrayApp
"{C1939820-A945-11D4-86F6-0001031E5712}" = InterVideo WinDVD
"{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}" = getPlus® for Adobe
"{DC19E750-988B-4005-A355-85EF66055EFE}" = Works Suite OS Pack
"{E21658D0-8C83-4ADD-937B-6ED07F335ABA}" = 1310Tour
"{E90BEB5B-CFA0-418E-9ABB-4C4A7B0D9483}" = 1310_Help
"{EC8673DA-F96B-497E-B2DB-BC7B029FD680}" = BufferChm
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F4F47155-5B4D-42AA-97F8-490BC52EA7F3}" = Destinations
"{F65787F3-B356-45EC-8DD0-0E6758EDBCEE}" = WebReg
"Adobe Acrobat 5.0" = Adobe Acrobat 5.0
"Adobe AIR" = Adobe AIR
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"com.adobe.amp.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Adobe Media Player
"Desktop Calendar_is1" = Desktop Calendar 0.42b
"EPSON Printer and Utilities" = EPSON Printer Software
"HP Instant Support" = HP Instant Support
"HP Photo & Imaging" = HP Image Zone 4.2
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"Inactive HP Printer Drivers (Remove only)" = Inactive HP Printer Drivers (Remove only)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Mozilla Firefox (3.5.6)" = Mozilla Firefox (3.5.6)
"Mozilla Thunderbird (2.0.0.23)" = Mozilla Thunderbird (2.0.0.23)
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA" = NVIDIA Windows 2000/XP Display Drivers
"OLYMPUS CAMEDIA Master 1.0" = OLYMPUS CAMEDIA Master 1.0
"ShockwaveFlash" = Adobe Flash Player 9 ActiveX
"SolveigMM Video Splitter" = SolveigMM Video Splitter
"TaxCut Premium 2006" = TaxCut Premium 2006
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-3410288154-3383965429-2669302297-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Juniper_Networks_Cache_Cleaner 5.4.0" = Juniper Networks Cache Cleaner 5.4.0
"Neoteris_Host_Checker" = Juniper Networks Host Checker

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 6/9/2009 8:21:03 AM | Computer Name = FRED | Source = MsiInstaller | ID = 11919
Description = Product: Microsoft Office 2000 Professional -- Error 1919. Error configuring
ODBC data source: dBase Files - Word, ODBC error 6: Component not found in the
registry. Verify that the file dBase Files - Word exists and that you can access
it.

Error - 6/9/2009 8:21:03 AM | Computer Name = FRED | Source = MsiInstaller | ID = 11919
Description = Product: Microsoft Office 2000 Professional -- Error 1919. Error configuring
ODBC data source: FoxPro Files - Word, ODBC error 6: Component not found in the
registry. Verify that the file FoxPro Files - Word exists and that you can access
it.

Error - 6/9/2009 8:21:25 AM | Computer Name = FRED | Source = MsiInstaller | ID = 11919
Description = Product: Microsoft Office 2000 Professional -- Error 1919. Error configuring
ODBC data source: MS Access Database, ODBC error 6: Component not found in the
registry. Verify that the file MS Access Database exists and that you can access
it.

Error - 6/9/2009 8:21:26 AM | Computer Name = FRED | Source = MsiInstaller | ID = 11919
Description = Product: Microsoft Office 2000 Professional -- Error 1919. Error configuring
ODBC data source: dBASE Files, ODBC error 6: Component not found in the registry.
Verify that the file dBASE Files exists and that you can access it.

Error - 6/9/2009 8:21:27 AM | Computer Name = FRED | Source = MsiInstaller | ID = 11919
Description = Product: Microsoft Office 2000 Professional -- Error 1919. Error configuring
ODBC data source: Excel Files, ODBC error 6: Component not found in the registry.
Verify that the file Excel Files exists and that you can access it.

Error - 6/9/2009 8:21:28 AM | Computer Name = FRED | Source = MsiInstaller | ID = 11919
Description = Product: Microsoft Office 2000 Professional -- Error 1919. Error configuring
ODBC data source: Visual FoxPro Database, ODBC error 6: Component not found in
the registry. Verify that the file Visual FoxPro Database exists and that you can
access it.

Error - 6/9/2009 8:21:29 AM | Computer Name = FRED | Source = MsiInstaller | ID = 11919
Description = Product: Microsoft Office 2000 Professional -- Error 1919. Error configuring
ODBC data source: Visual FoxPro Tables, ODBC error 6: Component not found in the
registry. Verify that the file Visual FoxPro Tables exists and that you can access
it.

Error - 6/9/2009 8:21:30 AM | Computer Name = FRED | Source = MsiInstaller | ID = 11919
Description = Product: Microsoft Office 2000 Professional -- Error 1919. Error configuring
ODBC data source: dBase Files - Word, ODBC error 6: Component not found in the
registry. Verify that the file dBase Files - Word exists and that you can access
it.

Error - 6/9/2009 8:21:31 AM | Computer Name = FRED | Source = MsiInstaller | ID = 11919
Description = Product: Microsoft Office 2000 Professional -- Error 1919. Error configuring
ODBC data source: FoxPro Files - Word, ODBC error 6: Component not found in the
registry. Verify that the file FoxPro Files - Word exists and that you can access
it.

Error - 6/10/2009 8:21:33 AM | Computer Name = FRED | Source = MsiInstaller | ID = 11706
Description = Product: Microsoft Office 2000 Professional -- Error 1706. No valid
source could be found for product Microsoft Office 2000 Professional. The Windows
installer cannot continue.

[ System Events ]
Error - 12/16/2009 7:00:00 PM | Computer Name = FRED | Source = Schedule | ID = 7901
Description = The At18.job command failed to start due to the following error: %%2147942402

Error - 12/16/2009 8:00:00 PM | Computer Name = FRED | Source = Schedule | ID = 7901
Description = The At19.job command failed to start due to the following error: %%2147942402

Error - 12/16/2009 9:00:00 PM | Computer Name = FRED | Source = Schedule | ID = 7901
Description = The At20.job command failed to start due to the following error: %%2147942402

Error - 12/16/2009 10:00:00 PM | Computer Name = FRED | Source = Schedule | ID = 7901
Description = The At21.job command failed to start due to the following error: %%2147942402

Error - 12/16/2009 11:00:01 PM | Computer Name = FRED | Source = Schedule | ID = 7901
Description = The At22.job command failed to start due to the following error: %%2147942402

Error - 12/17/2009 | Computer Name = FRED | Source = Schedule | ID = 7901
Description = The At23.job command failed to start due to the following error: %%2147942402

Error - 12/17/2009 1:00:00 AM | Computer Name = FRED | Source = Schedule | ID = 7901
Description = The At24.job command failed to start due to the following error: %%2147942402

Error - 12/17/2009 8:00:36 AM | Computer Name = FRED | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 12/17/2009 8:00:36 AM | Computer Name = FRED | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 12/17/2009 9:00:00 AM | Computer Name = FRED | Source = Schedule | ID = 7901
Description = The At8.job command failed to start due to the following error: %%2147942402


< End of report >

#8 pwgib

pwgib

  • Malware Response Team
  • 2,956 posts
  • Gender:Male
  • Location:God's Country
  • Local time:07:37 AM

Posted 20 December 2009 - 04:30 PM

Hello csjoblom

Are you still getting redirected in Firefox?

Step 1.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here: How to see hidden files in Windows

Please click this link: Jotti

When the Jotti page has finished loading, click the Browse button, navigate to the following file and click Submit.

C:\Documents and Settings\Default User\Start Menu\Programs\Startup\AutoPlay.exe

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at VirusTotal: http://www.virustotal.com/

Step 2.

We need to run an OTL Fix
  • Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox. Do not include the word "Code"

    :OTL
    O3 - HKU\S-1-5-21-3410288154-3383965429-2669302297-1006\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
    O4 - HKLM..\Run: [KernelFaultCheck] File not found
    O4 - HKLM..\Run: [PS2] C:\WINDOWS\System32\ps2.exe File not found
    
    :Files
    [2009/12/17 07:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At8.job
    [2009/12/16 23:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At24.job
    [2009/12/16 22:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At23.job
    [2009/12/16 21:00:01 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At22.job
    [2009/12/16 20:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At21.job
    [2009/12/16 19:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At20.job
    [2009/12/16 18:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At19.job
    [2009/12/16 17:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At18.job
    [2009/12/16 16:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At17.job
    [2009/12/16 15:00:01 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At16.job
    [2009/12/16 14:00:02 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At15.job
    [2009/12/16 13:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At14.job
    [2009/12/16 09:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At10.job
    [2009/12/16 08:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At9.job
    [2009/12/16 01:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At2.job
    [2009/12/16 00:16:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At1.job
    [2009/12/15 12:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At13.job
    [2009/12/15 11:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At12.job
    [2009/12/15 10:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At11.job
    [2009/12/10 06:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At7.job
    
    :commands
    [EmptyTemp]
    [Reboot]
  • Push Run Fix
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click OK.
  • A report will open. Copy and Paste that report in your next reply.
Step 3.

Please go to Start | Control Panel | Network Connections
  • Open Network Connections
  • Right click your default connection.
  • Click on Properties
Under the General tab in the Local Area Connection Properties Window
  • Double Click Internet Protocol (TCP/IP)
  • Click the two radio buttons that say
  • Obtain an IP address automatically
  • Obtain DNS server address automatically
  • Click OK to close any open windows
  • Reboot
In your next reply please include:

Jotti/VirusTotal results
OTL Fix report


Any problems? How is your computer running?

Thanks!!
PW
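The At1.job to At24.job files targeted by the fix above are Task Scheduler 1.0 job files, one per hour, the naming at.exe uses, and each Schedule event 7901 earlier in the log reports %%2147942402 for one of them: that decimal value is HRESULT 0x80070002, the Win32 ERROR_FILE_NOT_FOUND wrapped as a failure HRESULT, so by the time the log was taken the jobs pointed at a file that no longer existed. The script below is an added example and is not part of the original thread or of OTL: it decodes that error code, parses the .job layout from the MS-TSCH specification (68-byte fixed header, then length-prefixed UTF-16LE strings for application, parameters, working directory, author and comment) to recover what each job runs, and applies a simple heuristic to At-style jobs whose target sits in a user-writable path. The sample job it builds is constructed; its target path, author and header values are assumptions, since the thread never shows what the At jobs executed.

```python
"""Added example: parse Task Scheduler 1.0 .job files (the At*.job format
removed above) and decode the %%NNNN code from the Schedule 7901 events.
Layout per MS-TSCH: a 68-byte fixed section, then a variable section of
length-prefixed UTF-16LE strings (application, parameters, working dir,
author, comment). build_job() produces constructed sample data, not a
file taken from the infected machine."""
import re
import struct
from pathlib import Path

FIXED_LEN = 0x44  # size of the FIXDLEN_DATA header

# Win32 codes commonly seen wrapped as failure HRESULTs 0x8007xxxx
WIN32_NAMES = {2: "ERROR_FILE_NOT_FOUND", 3: "ERROR_PATH_NOT_FOUND",
               5: "ERROR_ACCESS_DENIED", 1326: "ERROR_LOGON_FAILURE"}


def decode_schedule_error(code):
    """Turn the decimal %%NNNN from event 7901 into (hresult, win32, name)."""
    hresult = code & 0xFFFFFFFF
    if hresult >> 16 == 0x8007:  # severity=failure, facility=WIN32
        win32 = hresult & 0xFFFF
        return hresult, win32, WIN32_NAMES.get(win32, "unknown Win32 error")
    return hresult, None, "not a Win32-wrapped HRESULT"


def _ustr(s):
    """Length-prefixed UTF-16LE string; the count includes the terminator."""
    if not s:
        return struct.pack("<H", 0)
    return struct.pack("<H", len(s) + 1) + (s + "\0").encode("utf-16-le")


def _read_ustr(buf, off):
    (n,) = struct.unpack_from("<H", buf, off)
    off += 2
    if n == 0:
        return "", off
    text = buf[off:off + 2 * n].decode("utf-16-le", errors="replace")
    return text.rstrip("\0"), off + 2 * n


def build_job(app, params="", workdir="", author="", comment=""):
    """Constructed test data: a minimal .job with no triggers."""
    var = struct.pack("<H", 0)                      # running instance count
    for s in (app, params, workdir, author, comment):
        var += _ustr(s)
    var += struct.pack("<HH", 0, 0)                 # user data, reserved data (empty)
    trigger_off = FIXED_LEN + len(var)
    var += struct.pack("<H", 0)                     # trigger count
    fixed = struct.pack("<HH16sHHHHHHIIIII16s",
                        0x0500, 1, b"\0" * 16,      # product/file version, job uuid
                        FIXED_LEN + 2, trigger_off, # app-name-len offset, trigger offset
                        0, 0, 0, 0,                 # retry count/interval, idle deadline/wait
                        0x20, 259200000, 0, 0, 0,   # priority, max run time ms, exit, status, flags
                        b"\0" * 16)                 # last run time (SYSTEMTIME)
    return fixed + var


def parse_job(buf):
    """Return the fields an analyst wants from a .job blob."""
    if len(buf) < FIXED_LEN + 2:
        raise ValueError("too short to be a .job file")
    app_off, trigger_off = struct.unpack_from("<HH", buf, 0x14)
    (flags,) = struct.unpack_from("<I", buf, 0x30)
    fields, off = {}, app_off
    for key in ("application", "parameters", "working_dir", "author", "comment"):
        fields[key], off = _read_ustr(buf, off)
    fields["flags"], fields["trigger_offset"] = flags, trigger_off
    return fields


USER_WRITABLE = ("\\temp\\", "\\documents and settings\\", "\\application data\\",
                 "\\local settings\\", "\\recycler\\")


def is_suspicious(fields, job_name):
    """Heuristic reasons to look closer at a job; empty list means nothing odd."""
    app = fields["application"].lower()
    reasons = []
    # at.exe names jobs AtN.job and stamps this comment via NetScheduleJobAdd
    if re.fullmatch(r"at\d+\.job", job_name.lower()) and \
            fields["comment"].startswith("Created by NetScheduleJobAdd"):
        reasons.append("created with at.exe / NetScheduleJobAdd")
    if any(marker in app for marker in USER_WRITABLE):
        reasons.append("target in user-writable location")
    if not app.endswith(".exe"):
        reasons.append("target is not a .exe")
    return reasons


def scan_tasks_dir(tasks_dir):
    """Report every At*.job under a folder (C:\\WINDOWS\\Tasks or a copy of it)."""
    report = []
    for path in sorted(Path(tasks_dir).glob("At*.job")):
        fields = parse_job(path.read_bytes())
        report.append((path.name, fields["application"], fields["parameters"],
                       is_suspicious(fields, path.name)))
    return report


if __name__ == "__main__":
    hres, win32, name = decode_schedule_error(2147942402)
    print(f"%%2147942402 -> 0x{hres:08X} -> Win32 {win32} ({name})")
    # hypothetical target path; the thread never shows what the At jobs ran
    sample = build_job(r"C:\Documents and Settings\Chris\Local Settings\Temp\svc.exe",
                       "-r", r"C:\WINDOWS\system32", "FRED\\Chris", "Created by NetScheduleJobAdd.")
    info = parse_job(sample)
    print(info["application"], info["parameters"], is_suspicious(info, "At8.job"))
```

Point scan_tasks_dir() at C:\WINDOWS\Tasks on the machine, or at the C:\_OTL folder OTL moves files into, to list every At*.job with the command it runs before deciding what to delete; at.exe jobs created on an hourly cadence by an account that never ran at.exe are worth recording as an indicator even after the target binary is gone.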

#9 csjoblom (Topic Starter, Members, 8 posts)

Posted 21 December 2009 - 06:21 PM

Hi pwgib,

Thanks for your help. I followed your most recent instructions and that seems to have taken care of the browser redirects (as well as a lot of phantom hard drive activity that had also been going on). My computer is running faster now as well. As the browser redirects were intermittent I can't say for sure if they are gone for good, but I haven't experienced one since yesterday afternoon when I implemented the fixes you sent me. I am including the text from the Jotti/VirusTotal results and the OTL Fix report below.

If you have additional instructions or suggestions for me please let me know. If not, I thank you sincerely for your help. I appreciate your time and effort, and wish you a very Merry Christmas!



Jotti's malware scan
This file has been scanned before. The results for this previous scan are listed below.


Filename: AUTOPLAY.0XE
Status: Scan finished. 6 out of 21 scanners reported malware.
Scan taken on: Sun 27 Sep 2009 16:05:05 (CET) Permalink


Additional info
File size: 36864 bytes
Filetype: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5: cba42f5e4fefdc19295def916586bbda
SHA1: e6aecab8323d9107e00f3876c06dad22d046177d


Scanners (scanner names were not preserved in the pasted results; one date and result per line)
2009-09-26  Found nothing
2009-09-27  Trojan.Generic.1869566
2009-09-27  Virus.Win32.Trojan!IK
2009-09-27  Virus.Win32.Trojan
2009-09-26  Found nothing
2009-09-27  Found nothing
2009-09-27  Found nothing
2009-09-27  Win32/Agent.NVP
2009-09-25  Found nothing
2009-09-26  Found nothing
2009-09-27  Trojan.Generic.1869566
2009-09-26  Found nothing
2009-09-27  Found nothing
2009-09-26  Found nothing
2009-09-27  Found nothing
2009-09-27  Found nothing
2009-09-27  Found nothing
2009-09-25  Win32.Agent.NVP
2009-09-26  Found nothing
2009-09-26  Found nothing
2009-09-26  Found nothing



OTL FIX REPORT:

All processes killed
========== OTL ==========
Registry value HKEY_USERS\S-1-5-21-3410288154-3383965429-2669302297-1006\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\KernelFaultCheck deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\PS2 deleted successfully.
========== FILES ==========
Invalid time flag! [ 17 07:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At8.job ]. Must be numerical.
Invalid time flag! [ 16 23:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At24.job ]. Must be numerical.
Invalid time flag! [ 16 22:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At23.job ]. Must be numerical.
Invalid time flag! [ 16 21:00:01 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At22.job ]. Must be numerical.
Invalid time flag! [ 16 20:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At21.job ]. Must be numerical.
Invalid time flag! [ 16 19:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At20.job ]. Must be numerical.
Invalid time flag! [ 16 18:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At19.job ]. Must be numerical.
Invalid time flag! [ 16 17:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At18.job ]. Must be numerical.
Invalid time flag! [ 16 16:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At17.job ]. Must be numerical.
Invalid time flag! [ 16 15:00:01 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At16.job ]. Must be numerical.
Invalid time flag! [ 16 14:00:02 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At15.job ]. Must be numerical.
Invalid time flag! [ 16 13:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At14.job ]. Must be numerical.
Invalid time flag! [ 16 09:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At10.job ]. Must be numerical.
Invalid time flag! [ 16 08:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At9.job ]. Must be numerical.
Invalid time flag! [ 16 01:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At2.job ]. Must be numerical.
Invalid time flag! [ 16 00:16:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At1.job ]. Must be numerical.
Invalid time flag! [ 15 12:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At13.job ]. Must be numerical.
Invalid time flag! [ 15 11:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At12.job ]. Must be numerical.
Invalid time flag! [ 15 10:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At11.job ]. Must be numerical.
Invalid time flag! [ 10 06:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At7.job ]. Must be numerical.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Chris
->Temp folder emptied: 29581850 bytes
->Temporary Internet Files folder emptied: 4737261 bytes
->Java cache emptied: 2593967 bytes
->FireFox cache emptied: 50384697 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Eileen
->Temp folder emptied: 24683140 bytes
->Temporary Internet Files folder emptied: 32302525 bytes
->Java cache emptied: 470328 bytes
->FireFox cache emptied: 49568499 bytes

User: LocalService
->Temp folder emptied: 65984 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Owner
->Temp folder emptied: 96213 bytes
->Temporary Internet Files folder emptied: 9243538 bytes
->Java cache emptied: 109819 bytes
->FireFox cache emptied: 3292884 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 39097 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
Windows Temp folder emptied: 3046816 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 4086856 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 51991061 bytes
RecycleBin emptied: 4196395 bytes

Total Files Cleaned = 258.06 mb


OTL by OldTimer - Version 3.1.17.0 log created on 12202009_155058

Files\Folders moved on Reboot...
C:\WINDOWS\temp\fla1D.tmp moved successfully.
C:\WINDOWS\temp\fla22.tmp moved successfully.

Registry entries deleted on Reboot...

#10 pwgib (Malware Response Team, 2,956 posts)

Posted 22 December 2009 - 06:02 PM

Hello csjoblom,

csjoblom wrote:
    If you have additional instructions or suggestions for me please let me know. If not, I thank you sincerely for your help. I appreciate your time and effort, and wish you a very Merry Christmas!

We are not finished yet. I'll let you know. :(

Step 1.

We need to run an OTL Fix
  • Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox. Do not include the word "Code"

    :OTL
    PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    
    :files
    C:\WINDOWS\tasks\At*.job
    
    :commands
    [EmptyTemp]
    [StartExplorer]
    [Reboot]
  • Push Run Fix
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click OK.
  • A report will open. Copy and Paste that report in your next reply.
Step 2.

You have a number of outdated programs installed. It is important to keep your programs up to date as a number of the updates fix security flaws.

Update programs.

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 17.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u17-windows-i586.exe to install the newest version.
  • If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

Adobe Flash Player
Please go here to update Adobe Flash Player.

Mozilla Thunderbird
Please go here to update Mozilla Thunderbird.

Your Adobe Reader is up to date but you have an older copy still installed. Please go to Add/Remove Programs and uninstall Adobe Reader 9.1.3 . Instructions on using Add/Remove Programs are here: http://www.bleepingcomputer.com/forums/t/42133/how-to-remove-an-installed-program-from-your-computer/

Step 3.

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the esetsmartinstaller_enu icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Check "Remove found threats"
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push List of found threats
  • Push Export to Text file, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Back button.
  • Push Finish
Step 4.

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

In your next reply please include:

OTL report
Eset Scan report
gmer.log


Any problems? How is your computer running?

Thanks!!

Edited by pwgib, 22 December 2009 - 06:03 PM.

PW

#11 pwgib (Malware Response Team, 2,956 posts)

Posted 26 December 2009 - 09:55 AM

Hello csjoblom,

Do you still need help?
PW

#12 csjoblom (Topic Starter, Members, 8 posts)

Posted 27 December 2009 - 06:39 PM

Hello pwgib,

Yes, I still need some help. I'm sorry for the delay in responding, but the Christmas holiday combined with quite a bit of extra activity at my work cut my time short this past week.

I followed the latest instructions you gave me, but two of the tasks failed. They were:
(1) I was unable to uninstall Adobe Reader 9.1.3. I received the following message when I tried: "This patch package could not be opened. Verify that the patch package exists and that you can access it, or contact the application vendor to verify that this is a valid Windows Installer patch package."
(2) I was not able to complete the ESET Scan. I tried twice, and both times it went to 7% complete with 1771 files scanned, then stalled out for over 1/2 hour each time. My hard drive LED indicated drive activity during that time, but no advances were made either in % completed or in number of files scanned. I finally canceled the scan. The files being scanned at the time of the stall seemed to be email files in Thunderbird.

The most recent OTL log and GMER log appear below:


OTL:

All processes killed
========== OTL ==========
No active process named explorer.exe was found!
========== FILES ==========
C:\WINDOWS\tasks\At1.job moved successfully.
C:\WINDOWS\tasks\At10.job moved successfully.
C:\WINDOWS\tasks\At11.job moved successfully.
C:\WINDOWS\tasks\At12.job moved successfully.
C:\WINDOWS\tasks\At13.job moved successfully.
C:\WINDOWS\tasks\At14.job moved successfully.
C:\WINDOWS\tasks\At15.job moved successfully.
C:\WINDOWS\tasks\At16.job moved successfully.
C:\WINDOWS\tasks\At17.job moved successfully.
C:\WINDOWS\tasks\At18.job moved successfully.
C:\WINDOWS\tasks\At19.job moved successfully.
C:\WINDOWS\tasks\At2.job moved successfully.
C:\WINDOWS\tasks\At20.job moved successfully.
C:\WINDOWS\tasks\At21.job moved successfully.
C:\WINDOWS\tasks\At22.job moved successfully.
C:\WINDOWS\tasks\At23.job moved successfully.
C:\WINDOWS\tasks\At24.job moved successfully.
C:\WINDOWS\tasks\At3.job moved successfully.
C:\WINDOWS\tasks\At4.job moved successfully.
C:\WINDOWS\tasks\At5.job moved successfully.
C:\WINDOWS\tasks\At6.job moved successfully.
C:\WINDOWS\tasks\At7.job moved successfully.
C:\WINDOWS\tasks\At8.job moved successfully.
C:\WINDOWS\tasks\At9.job moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Chris
->Temp folder emptied: 364189 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 33482178 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Eileen
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Owner
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 1496618 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 1122133 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 34.84 mb

Error: Unable to interpret <[StartExplorer]> in the current context!

OTL by OldTimer - Version 3.1.17.0 log created on 12232009_071319

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...



GMER Log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2009-12-27 17:12:28
Windows 5.1.2600 Service Pack 3
Running: 2c2c47eo.exe; Driver: C:\DOCUME~1\Chris\LOCALS~1\Temp\uxldypog.sys


---- System - GMER 1.0.15 ----

SSDT B223AF36 ZwCreateKey
SSDT B223AF2C ZwCreateThread
SSDT B223AF3B ZwDeleteKey
SSDT B223AF45 ZwDeleteValueKey
SSDT B223AF4A ZwLoadKey
SSDT B223AF18 ZwOpenProcess
SSDT B223AF1D ZwOpenThread
SSDT B223AF54 ZwReplaceKey
SSDT B223AF4F ZwRestoreKey
SSDT B223AF40 ZwSetValueKey
SSDT B223AF27 ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\drivers\atapi.sys entry point in ".rsrc" section [0xF85367A4]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[748] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00D9000A

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 01: copy of MBR
Disk \Device\Harddisk0\DR0 sector 02: copy of MBR
Disk \Device\Harddisk0\DR0 sector 03: copy of MBR
Disk \Device\Harddisk0\DR0 sector 04: copy of MBR
Disk \Device\Harddisk0\DR0 sector 05: copy of MBR
Disk \Device\Harddisk0\DR0 sector 06: copy of MBR
Disk \Device\Harddisk0\DR0 sector 07: copy of MBR
Disk \Device\Harddisk0\DR0 sector 08: copy of MBR
Disk \Device\Harddisk0\DR0 sector 09: copy of MBR
Disk \Device\Harddisk0\DR0 sector 10: copy of MBR
Disk \Device\Harddisk0\DR0 sector 11: copy of MBR
Disk \Device\Harddisk0\DR0 sector 12: copy of MBR
Disk \Device\Harddisk0\DR0 sector 13: copy of MBR
Disk \Device\Harddisk0\DR0 sector 14: copy of MBR
Disk \Device\Harddisk0\DR0 sector 15: copy of MBR
Disk \Device\Harddisk0\DR0 sector 16: copy of MBR
Disk \Device\Harddisk0\DR0 sector 17: copy of MBR
Disk \Device\Harddisk0\DR0 sector 18: copy of MBR
Disk \Device\Harddisk0\DR0 sector 19: copy of MBR
Disk \Device\Harddisk0\DR0 sector 20: copy of MBR
Disk \Device\Harddisk0\DR0 sector 21: copy of MBR
Disk \Device\Harddisk0\DR0 sector 22: copy of MBR
Disk \Device\Harddisk0\DR0 sector 23: copy of MBR
Disk \Device\Harddisk0\DR0 sector 24: copy of MBR
Disk \Device\Harddisk0\DR0 sector 25: copy of MBR
Disk \Device\Harddisk0\DR0 sector 26: copy of MBR
Disk \Device\Harddisk0\DR0 sector 27: copy of MBR
Disk \Device\Harddisk0\DR0 sector 28: copy of MBR
Disk \Device\Harddisk0\DR0 sector 29: copy of MBR
Disk \Device\Harddisk0\DR0 sector 30: copy of MBR
Disk \Device\Harddisk0\DR0 sector 31: copy of MBR
Disk \Device\Harddisk0\DR0 sector 32: copy of MBR
Disk \Device\Harddisk0\DR0 sector 33: copy of MBR
Disk \Device\Harddisk0\DR0 sector 34: copy of MBR
Disk \Device\Harddisk0\DR0 sector 35: copy of MBR
Disk \Device\Harddisk0\DR0 sector 36: copy of MBR
Disk \Device\Harddisk0\DR0 sector 37: copy of MBR
Disk \Device\Harddisk0\DR0 sector 38: copy of MBR
Disk \Device\Harddisk0\DR0 sector 39: copy of MBR
Disk \Device\Harddisk0\DR0 sector 40: copy of MBR
Disk \Device\Harddisk0\DR0 sector 41: copy of MBR
Disk \Device\Harddisk0\DR0 sector 42: copy of MBR
Disk \Device\Harddisk0\DR0 sector 43: copy of MBR
Disk \Device\Harddisk0\DR0 sector 44: copy of MBR
Disk \Device\Harddisk0\DR0 sector 45: copy of MBR
Disk \Device\Harddisk0\DR0 sector 46: copy of MBR
Disk \Device\Harddisk0\DR0 sector 47: copy of MBR
Disk \Device\Harddisk0\DR0 sector 48: copy of MBR
Disk \Device\Harddisk0\DR0 sector 49: copy of MBR
Disk \Device\Harddisk0\DR0 sector 50: copy of MBR
Disk \Device\Harddisk0\DR0 sector 51: copy of MBR
Disk \Device\Harddisk0\DR0 sector 52: copy of MBR
Disk \Device\Harddisk0\DR0 sector 53: copy of MBR
Disk \Device\Harddisk0\DR0 sector 54: copy of MBR
Disk \Device\Harddisk0\DR0 sector 55: copy of MBR
Disk \Device\Harddisk0\DR0 sector 56: copy of MBR
Disk \Device\Harddisk0\DR0 sector 57: copy of MBR
Disk \Device\Harddisk0\DR0 sector 58: copy of MBR
Disk \Device\Harddisk0\DR0 sector 59: copy of MBR
Disk \Device\Harddisk0\DR0 sector 60: copy of MBR
Disk \Device\Harddisk0\DR0 sector 61: copy of MBR
Disk \Device\Harddisk0\DR0 sector 62: copy of MBR
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior; copy of MBR

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----


My computer is running somewhat slower than it did a few days ago, but the browser redirects are not too frequent (Still happening, though)
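GMER's two atapi.sys lines above, an entry point in the ".rsrc" section and a "suspicious modification" of the file on disk, describe the same thing: a linker places a driver's entry point in a code section, never in its resource section, so a file whose AddressOfEntryPoint lands in .rsrc had its headers rewritten after it was built. The script below is an added example, not GMER's code and not anything posted in the thread. It reads a PE file's DOS, COFF and optional headers, walks the section table to find which section contains the entry point, and returns a verdict. The images it checks come from build_pe(), a constructed minimal PE32 with a .text/.rsrc layout chosen for illustration; the real atapi.sys is not reproduced here.

```python
"""Added example: find which PE section holds a file's entry point, the
check behind GMER's "entry point in '.rsrc' section" line for atapi.sys.
build_pe() constructs minimal PE32 images for illustration; none of them
is the real atapi.sys."""
import struct
import sys

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
PE32_OPT_SIZE = 224


def parse_pe(image):
    """Return (entry_rva, [(name, vaddr, vsize, characteristics), ...])."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    (entry,) = struct.unpack_from("<I", image, opt + 16)  # AddressOfEntryPoint
    sections = []
    for i in range(nsect):
        hdr = opt + opt_size + 40 * i
        name, vsize, vaddr, _, _, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", image, hdr)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vaddr, vsize, chars))
    return entry, sections


def entry_point_section(image):
    """Name and characteristics of the section containing the entry RVA."""
    entry, sections = parse_pe(image)
    for name, vaddr, vsize, chars in sections:
        if vaddr <= entry < vaddr + max(vsize, 1):
            return name, chars
    return None, 0


def check_entry_point(image):
    """('ok'|'suspicious', detail). A linker puts a driver's entry point in a
    code section; .rsrc or a non-executable section means post-link patching."""
    name, chars = entry_point_section(image)
    if name is None:
        return "suspicious", "entry point outside all sections"
    if name.lower() == ".rsrc":
        return "suspicious", "entry point in resource section"
    if not chars & IMAGE_SCN_MEM_EXECUTE:
        return "suspicious", f"entry point in non-executable section {name}"
    return "ok", f"entry point in {name}"


def build_pe(entry_rva, sections):
    """Constructed minimal PE32: DOS header, COFF header, optional header and
    section table only (no section data). sections = [(name, vaddr, vsize, chars)]."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, PE32_OPT_SIZE, 0x0102)
    opt = bytearray(PE32_OPT_SIZE)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, entry_rva)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.encode("ascii").ljust(8, b"\0"),
                                 vs, va, vs, 0, 0, 0, 0, 0, ch)
                     for n, va, vs, ch in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + table


# illustrative layout: code at RVA 0x1000, resources at 0x6000
CLEAN_LAYOUT = [(".text", 0x1000, 0x4000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
                (".rsrc", 0x6000, 0x400, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ)]


if __name__ == "__main__":
    if len(sys.argv) > 1:   # e.g. a copy of atapi.sys taken from offline media
        with open(sys.argv[1], "rb") as fh:
            print(sys.argv[1], check_entry_point(fh.read()))
    else:
        print(check_entry_point(build_pe(0x1200, CLEAN_LAYOUT)))  # ('ok', ...)
        print(check_entry_point(build_pe(0x6100, CLEAN_LAYOUT)))  # ('suspicious', ...)
```

Run it against a copy of the driver taken from offline media (a boot CD or the disk mounted on another machine), not from the running system: a kernel-mode rootkit that has hooked the disk stack can hand back a clean copy of the file to anything that reads it through the filesystem, which is exactly why GMER reads the disk sectors directly and reports the difference as a "suspicious modification".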

#13 pwgib (Malware Response Team, 2,956 posts)

Posted 28 December 2009 - 12:40 PM

Hello csjoblom,

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • (screenshot of the Recovery Console prompt not reproduced here)
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    (screenshot of the ComboFix message not reproduced here)
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.

In your next reply please include:

ComboFix.txt


Thanks!!
PW

#14 csjoblom (Topic Starter, Members, 8 posts)

Posted 28 December 2009 - 02:57 PM

Hi pwgib,

Thanks for your quick reply. I followed the instructions to install and run Combofix and the log appears below:


ComboFix 09-12-27.04 - Chris 12/28/2009 12:11:21.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.289 [GMT -6:00]
Running from: c:\documents and settings\Chris\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Default User\Start Menu\Programs\StartUp\AutoPlay.exe
c:\windows\system32\reboot.txt

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :(
.
((((((((((((((((((((((((( Files Created from 2009-11-28 to 2009-12-28 )))))))))))))))))))))))))))))))
.

2009-12-23 13:39 . 2009-12-23 13:38 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-23 13:38 . 2009-12-23 13:38 -------- d-----w- c:\program files\Java
2009-12-20 21:50 . 2009-12-20 21:50 -------- d-----w- C:\_OTL
2009-12-16 19:27 . 2009-12-17 22:07 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-12-16 19:27 . 2009-03-30 15:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-12-16 19:27 . 2009-02-13 17:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-12-16 19:27 . 2009-02-13 17:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-12-16 19:27 . 2009-12-16 19:27 -------- d-----w- c:\program files\Avira
2009-12-16 19:27 . 2009-12-16 19:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-12-14 22:04 . 2009-12-14 22:04 -------- d-----w- c:\documents and settings\Chris\Application Data\Malwarebytes
2009-12-14 22:04 . 2009-12-03 22:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-14 22:04 . 2009-12-14 22:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-14 22:04 . 2009-12-14 22:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-14 22:04 . 2009-12-03 22:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-01 19:56 . 2009-12-02 00:16 -------- d-----w- c:\program files\Cobian Backup 8

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-28 13:49 . 2007-02-20 22:23 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-12-23 14:03 . 2007-02-20 22:23 -------- d-----w- c:\documents and settings\Chris\Application Data\Thunderbird
2009-12-16 21:01 . 2002-04-20 06:05 -------- d-----w- c:\program files\HPSelect
2009-12-02 03:46 . 2007-03-10 05:21 -------- d-----w- c:\program files\Trend Micro
2009-11-28 20:51 . 2009-01-28 14:39 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-28 15:21 . 2007-02-19 17:18 104567 ----a-w- c:\windows\hpoins04.dat
2009-11-28 15:20 . 2008-04-09 23:57 -------- d-----w- c:\program files\PDF995
2009-11-24 23:17 . 2007-02-21 00:44 71552 ----a-w- c:\documents and settings\Eileen\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-19 11:54 . 2009-04-15 19:11 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-11-18 17:43 . 2002-04-20 06:04 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-18 17:40 . 2009-04-15 19:27 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-11-18 17:37 . 2009-11-18 17:37 86016 ------w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-10-10 07:07 . 2009-04-15 19:30 38208 ------w- c:\documents and settings\Chris\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2001-08-18 12:00 . 2002-04-30 13:39 94784 --sh--w- c:\windows\twain.dll
2008-04-14 00:12 . 2002-04-30 13:39 50688 --sh--w- c:\windows\twain_32.dll
2008-04-14 00:12 . 2002-04-30 13:37 413696 --sha-w- c:\windows\system32\msvcp60.dll
2008-04-14 00:12 . 2002-04-30 13:37 551936 --sha-w- c:\windows\system32\oleaut32.dll
2008-04-14 00:12 . 2002-04-30 13:37 84992 --sh--w- c:\windows\system32\olepro32.dll
2008-04-14 00:12 . 2002-04-30 13:38 11776 --sh--w- c:\windows\system32\regsvr32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Desktop Calendar"="c:\program files\Desktop Calendar\Desktop Calendar.exe" [2003-10-31 442368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"S3apphk"="S3apphk.exe" [2002-03-16 28672]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2001-12-19 212992]
"PreloadApp"="c:\hp\drivers\printers\photosmart\hphprld.exe" [2001-12-13 36864]
"nwiz"="nwiz.exe" [2002-03-09 364544]
"KBD"="c:\hp\KBD\KBD.EXE" [2001-07-07 61440]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2002-03-12 155648]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2002-03-12 106496]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2002-03-14 102455]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-23 149280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-5-28 241664]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"NvCplDaemon"=RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_09\bin\jusched.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [12/16/2009 1:27 PM 108289]
S3 trid3d;trid3d;c:\windows\system32\drivers\trid3dm.sys [3/20/2002 11:35 PM 144860]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mSearch Bar = hxxp://srch-us5.hpwis.com/
uInternet Connection Wizard,ShellNext = iexplore
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\3ig68gkx.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
.
- - - - ORPHANS REMOVED - - - -

AddRemove-Adobe Acrobat 5.0 - c:\program files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-28 12:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3360)
c:\progra~1\WINDOW~3\wmpband.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\S3apphk.exe
c:\windows\System32\HPZipm12.exe
.
**************************************************************************
.
Completion time: 2009-12-28 12:33:28 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-28 18:33

Pre-Run: 37,461,086,208 bytes free
Post-Run: 37,931,417,600 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - EAD2C23F247EE79C24C40257174E594C


I await your next instructions. :(

#15 pwgib

pwgib

  • Malware Response Team
  • 2,956 posts
  • Gender:Male
  • Location:God's Country

Posted 29 December 2009 - 09:37 AM

Hello csjoblom,

Step 1.

I need you to run another MBAM scan.
  • Open MBAM
  • Click on the Update tab before performing a scan. Click on the Check for Updates button. If an update is found, the program will automatically update itself. After the update, press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Complete Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.

Step 2.

Please run a BitDefender Online Scan
  • Click I Agree to agree to the EULA.
  • Allow the ActiveX control to install when prompted.
  • Click Click here to scan to begin the scan.
  • Please refrain from using the computer until the scan is finished. This might take a while to run, but it is important that nothing else is running while you scan.
  • When the scan is finished, click on Click here to export the scan results.
  • Save the report to your desktop so you can post it in your next reply.
In your next reply please include:
  • MBAM log
  • BitDefender report


Thanks!!
PW



