
Rootkit affecting firefox by redirecting to sephalo.com


  • This topic is locked
36 replies to this topic

#1 alternativeflip

alternativeflip

  • Members
  • 23 posts
  • OFFLINE
  • Local time:10:14 AM

Posted 11 December 2009 - 06:27 PM

Referred from here: http://www.bleepingcomputer.com/forums/t/277751/address-bar-hijacked/ ~ OB

DDS (Ver_09-12-01.01) - NTFSx86
Run by Raf at 17:12:30.26 on Fri 12/11/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1024.261 [GMT -6:00]

AV: avast! antivirus 4.8.1368 [VPS 091211-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\iTunes\iTunesHelper.exe
svchost.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PeerBlock\peerblock.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\Program Files\Digsby\lib\digsby-app.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Digsby\lib\aspell\bin\aspell.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Documents and Settings\Raf\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.Google.com
uInternet Settings,ProxyOverride = *.local
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {E7D38ED4-2933-43B8-B0B9-52D11CE9CA10} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [PeerBlock] c:\program files\peerblock\peerblock.exe
uRun: [SandboxieControl] "c:\program files\sandboxie\SbieCtrl.exe"
mRun: [type32] "c:\program files\microsoft intellitype pro\type32.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\point32.exe"
mRun: [AtiPTA] atiptaxx.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - c:\program files\bodog poker\BPGame.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\npjpi160_17.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} - hxxp://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {A2E05F45-F127-4092-B9F7-9A02C3E04C77} - hxxp://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin7USA.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CEA3052D-65B9-44E2-A501-5E14024BC66F} - hxxp://www.tricksteronline.com/control/tricksterActiveX.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} - hxxp://www.tricksteronline.com/control/KALogoutComponent.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\raf\applic~1\mozilla\firefox\profiles\k069w8nj.default\
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?q=
FF - component: c:\program files\mozilla firefox\components\-WVTpnJBT_k.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: google.toolbar.linkdoctor.enabled - false
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-12-9 64288]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-7-23 114768]
R1 RapportKELL;RapportKELL;c:\program files\trusteer\rapport\bin\RapportKELL.sys [2009-12-6 58984]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2009-12-6 337000]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-11-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-11-23 74480]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-7-23 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-7-23 138680]
R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-15 34064]
R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2009-12-6 972008]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-7-23 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-7-23 352920]
R3 pbfilter;pbfilter;c:\program files\peerblock\pbfilter.sys [2009-9-21 14424]
R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2009-12-1 119296]
S3 aswArKrn;aswArKrn;\??\c:\docume~1\raf\locals~1\temp\aswarkrn.sys --> c:\docume~1\raf\locals~1\temp\aswArKrn.sys [?]
S3 cpuz130;cpuz130;\??\c:\docume~1\raf\locals~1\temp\cpuz130\cpuz_x32.sys --> c:\docume~1\raf\locals~1\temp\cpuz130\cpuz_x32.sys [?]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 1184912]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\1d.tmp --> c:\windows\system32\1D.tmp [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-11-23 7408]

=============== Created Last 30 ================

2009-12-11 22:38:26 22036 ---ha-w- c:\windows\system32\mlfcache.dat
2009-12-11 04:13:26 0 d-----w- c:\documents and settings\raf\DoctorWeb
2009-12-11 03:19:46 1686 ----a-w- c:\windows\system32\tmp.reg
2009-12-10 08:25:02 0 d-----w- c:\program files\SpywareBlaster
2009-12-09 11:36:24 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-12-09 11:06:25 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-12-09 11:06:03 0 d-----w- c:\program files\Lavasoft
2009-12-08 09:09:50 42 ----a-w- c:\windows\system32\scud.udf
2009-12-08 01:22:47 0 d-----w- c:\program files\CCleaner
2009-12-06 05:34:12 0 d-----w- c:\program files\AOD
2009-12-06 05:34:04 0 d-----w- c:\program files\AIM
2009-12-04 22:09:35 27672 ----a-w- c:\windows\system32\drivers\Entech.sys
2009-12-04 22:09:35 0 d-----w- c:\windows\system32\Futuremark
2009-12-04 22:06:21 73728 ----a-w- c:\windows\system32\javacpl.cpl
2009-12-04 22:06:21 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-04 10:13:01 0 d-sh--w- C:\found.000
2009-12-03 21:42:30 0 d-sh--w- C:\Diskeeper
2009-12-03 20:37:37 0 d-----w- c:\program files\common files\Diskeeper Corporation
2009-12-03 20:37:37 0 d-----w- c:\docume~1\alluse~1\applic~1\Diskeeper Corporation
2009-12-03 03:10:10 0 d-----w- c:\program files\Steam
2009-12-03 02:29:14 0 d-----w- c:\docume~1\alluse~1\applic~1\Digsby
2009-12-03 02:27:45 0 d-----w- c:\docume~1\raf\applic~1\Digsby
2009-12-03 02:26:36 0 d-----w- c:\program files\Digsby
2009-12-02 11:50:35 0 d-----r- C:\Sandbox
2009-12-02 11:50:16 1368 ----a-w- c:\windows\Sandboxie.ini
2009-12-02 11:50:04 0 d-----w- c:\program files\Sandboxie
2009-12-02 11:05:08 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-12-02 11:01:51 0 d-----w- c:\program files\SUPERAntiSpyware
2009-12-02 11:01:51 0 d-----w- c:\docume~1\raf\applic~1\SUPERAntiSpyware.com
2009-12-02 09:31:40 0 d-----w- c:\docume~1\raf\applic~1\Malwarebytes
2009-12-02 09:31:27 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-02 09:31:25 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-02 09:31:25 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-12-02 09:31:24 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-27 18:07:47 20482 ----a-w- c:\documents and settings\raf\peerblock.dmp

==================== Find3M ====================

2009-10-29 07:46:59 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:46:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46:50 17408 ------w- c:\windows\system32\corpol.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20:16 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2008-10-26 18:29:42 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008102620081027\index.dat

============= FINISH: 17:13:09.48 ===============

Edited by Orange Blossom, 11 December 2009 - 06:59 PM.
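Added example, not part of the original post and not DDS code: the SERVICES / DRIVERS block in the log above is the first place a helper looks for a driver that lives somewhere a driver normally does not. The script below parses lines in that DDS format (the sample lines are copied in shape from the log above, not a full scan) and lists entries whose image path is under a temp directory, ends in .tmp, or that DDS marked `[?]` because it could not stat the file. A hit is a review item, not a verdict: anti-rootkit scanners and hardware-monitoring tools routinely load a temporary driver from exactly those locations, so a stopped (S3) driver with a temp path is far less interesting than a running (R0/R1) one. The function names and reason labels are mine.

```python
import re
from typing import Dict, List

# Constructed sample in the DDS "SERVICES / DRIVERS" line format, modelled on
# the log above (a handful of lines, not the full scan).
SAMPLE_DDS = r"""
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-12-9 64288]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-7-23 114768]
R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-15 34064]
S3 aswArKrn;aswArKrn;\??\c:\docume~1\raf\locals~1\temp\aswarkrn.sys --> c:\docume~1\raf\locals~1\temp\aswArKrn.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\1d.tmp --> c:\windows\system32\1D.tmp [?]
"""

# R = running, S = stopped; the digit is the service start type.
LINE_RE = re.compile(
    r"^(?P<state>[RS][0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$"
)


def parse_dds_services(text: str) -> List[Dict[str, str]]:
    """Parse DDS service/driver lines into dicts: state, name, display, path, info."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        rest = m.group("rest")
        # DDS prints "\??\<registry image path> --> <resolved path>"; keep the resolved one.
        if " --> " in rest:
            rest = rest.split(" --> ", 1)[1]
        # The trailing "[date size]" is DDS's stat of the file; "[?]" means it could not read it.
        path, info = rest.rsplit(" [", 1) if " [" in rest else (rest, "")
        entries.append({
            "state": m.group("state"),
            "name": m.group("name"),
            "display": m.group("display"),
            "path": path,
            "info": info.rstrip("]"),
        })
    return entries


def triage(entries: List[Dict[str, str]]) -> Dict[str, Dict[str, object]]:
    """Return {service name: {state, reasons}} for entries worth a second look."""
    review = {}
    for e in entries:
        p = e["path"].lower()
        reasons = []
        if "\\temp\\" in p:
            reasons.append("temp-dir")
        if p.endswith(".tmp"):
            reasons.append("tmp-extension")
        if e["info"] == "?":
            reasons.append("file-missing")
        if not p.startswith(("c:\\windows\\", "c:\\program files\\")):
            reasons.append("unusual-location")
        if reasons:
            review[e["name"]] = {"state": e["state"], "reasons": reasons}
    return review


if __name__ == "__main__":
    for name, hit in triage(parse_dds_services(SAMPLE_DDS)).items():
        print(f"{hit['state']} {name}: {', '.join(hit['reasons'])}")
```

Run against the full log, the same heuristics would also catch the cpuz130 entry (a driver under the user's temp directory); what they will not do is tell a scanner's temporary driver from anything else, which is why the state column is carried through into the output.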



#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:11:14 AM

Posted 12 December 2009 - 10:32 AM

Hello! :(
My name is Sam and I will be helping you.

In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.


We need to create an OTL Report
  • Please download OTL from here
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in

    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT




  • Click the "Quick Scan" button.
  • The scan should take just a few minutes.
  • Please copy and paste both logs back here in your next reply.


=============

The next log will show us any hidden files that are present.

Download GMER from here:
  • Unzip it to the desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run click Copy and paste the results (if any) into this thread.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 alternativeflip

alternativeflip
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Local time:10:14 AM

Posted 12 December 2009 - 10:01 PM

I was able to do the GMER scan, but the OTL scan kept freezing at "Scanning NetSvcs settings..."

GMER 1.0.15.15279 - http://www.gmer.net
Rootkit scan 2009-12-12 20:50:08
Windows 5.1.2600 Service Pack 3
Running: 9ikezxd9.exe; Driver: C:\DOCUME~1\Raf\LOCALS~1\Temp\fxloraoc.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwAssignProcessToJobObject [0xBA661D36]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xBA4FA6B8]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwCreateFile [0xBA662442]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xBA4FA574]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwDeleteFile [0xBA66258E]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwDeleteKey [0xBA665CC6]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xBA4FAA52]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xBA4FA14C]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwOpenFile [0xBA6624F2]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xBA4FA64E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xBA4FA08C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xBA4FA0F0]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwProtectVirtualMemory [0xBA66219E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xBA4FA76E]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwRenameKey [0xBA665D36]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwReplaceKey [0xBA665D68]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xBA4FA72E]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwSetContextThread [0xBA661CE4]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwSetInformationFile [0xBA6625EE]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xBA4FA8AE]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwSuspendThread [0xBA661C88]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwTerminateProcess [0xBA661BE4]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwTerminateThread [0xBA661C2C]

INT 0x01 \SystemRoot\system32\DRIVERS\ati2mtag.sys (ATI Radeon WindowsNT Miniport Driver/ATI Technologies Inc.) F742A4F6
INT 0x03 \SystemRoot\system32\DRIVERS\ati2mtag.sys (ATI Radeon WindowsNT Miniport Driver/ATI Technologies Inc.) F742A59C
INT 0x93 \??\C:\Program Files\Trusteer\Rapport\bin\RapportKELL.sys (RapportKE/Trusteer Ltd.) F79B3800

Code 869C8BAC ZwRequestPort
Code 869C8C4C ZwRequestWaitReplyPort
Code 869C8B0C ZwTraceEvent
Code 869C8BAB NtRequestPort
Code 869C8C4B NtRequestWaitReplyPort
Code 869C8B0B NtTraceEvent

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!NtTraceEvent 80545B10 5 Bytes JMP 869C8B10
PAGE ntoskrnl.exe!NtRequestWaitReplyPort 8056DA20 5 Bytes JMP 869C8C50
PAGE ntoskrnl.exe!NtRequestPort 805DD5EC 5 Bytes JMP 869C8BB0
.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xF72B4000, 0x175176, 0xE8000020]
.text win32k.sys!EngAcquireSemaphore + 20E2 BF8082E1 5 Bytes JMP 869C84D0
.text win32k.sys!EngFreeUserMem + 5BD2 BF80EE68 5 Bytes JMP 869C8430
.text win32k.sys!BRUSHOBJ_pvAllocRbrush + 322E BF81E77A 5 Bytes JMP 869C89D0
.text win32k.sys!EngSetLastError + 768F BF8286CB 5 Bytes JMP 869C8610
.text win32k.sys!EngCreateBitmap + DDB2 BF845CCB 5 Bytes JMP 869C86B0
.text win32k.sys!EngMultiByteToWideChar + 2F32 BF852C47 5 Bytes JMP 869C8890
.text win32k.sys!XLATEOBJ_iXlate + 3A50 BF86368D 5 Bytes JMP 869C8570
.text win32k.sys!FONTOBJ_pxoGetXform + CC3E BF8C31D6 5 Bytes JMP 869C8750
.text win32k.sys!PATHOBJ_vGetBounds + 74EE BF8F00FB 5 Bytes JMP 869C8930
.text win32k.sys!EngCreateClip + 19C1 BF91313E 5 Bytes JMP 869C8A70
.text win32k.sys!EngCreateClip + 2597 BF913D14 5 Bytes JMP 869C87F0

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1084] ntdll.dll!KiUserApcDispatcher 7C90E450 5 Bytes JMP 004112A0 C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe (RapportMgmtService/Trusteer Ltd.)
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1084] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 716B001E
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1084] USER32.dll!GetGUIThreadInfo + FB 7E428023 6 Bytes JMP 716E001E
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1084] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 71650022
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1084] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 71680022
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[1472] ntdll.dll!KiUserApcDispatcher 7C90E450 5 Bytes JMP 00434BF0 C:\Program Files\Trusteer\Rapport\bin\RapportService.exe (RapportService/Trusteer Ltd.)
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[1472] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 716B001E
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[1472] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 71680022
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[1472] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 716E0022
.text C:\Program Files\PeerBlock\peerblock.exe[2856] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes JMP 0041FBE0 C:\Program Files\PeerBlock\peerblock.exe (PeerBlock/PeerBlock, LLC)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3996] ntdll.dll!KiUserApcDispatcher 7C90E450 5 Bytes JMP 01476B00 c:\program files\trusteer\rapport\bin\rooksdol.dll (Rooks/Dolomite/Trusteer Ltd.)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3996] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 716C000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3996] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 6 Bytes PUSH 71590022; RET
.text C:\Program Files\Mozilla Firefox\firefox.exe[3996] GDI32.dll!BitBlt 77F16F79 6 Bytes PUSH 715C0022; RET
.text C:\Program Files\Mozilla Firefox\firefox.exe[3996] USER32.dll!TranslateMessage 7E418BF6 6 Bytes PUSH 714A0022; RET
.text C:\Program Files\Mozilla Firefox\firefox.exe[3996] USER32.dll!GetMessageW 7E4191C6 6 Bytes PUSH 71500022; RET
.text C:\Program Files\Mozilla Firefox\firefox.exe[3996] USER32.dll!RegisterClassExW 7E41AF7F 6 Bytes PUSH 716E0022; RET
.text C:\Program Files\Mozilla Firefox\firefox.exe[3996] USER32.dll!DdeInitializeW 7E4206D7 6 Bytes PUSH 71560022; RET
.text C:\Program Files\Mozilla Firefox\firefox.exe[3996] USER32.dll!GetWindowRect 7E4290B4 6 Bytes PUSH 714D0022; RET
.text C:\Program Files\Mozilla Firefox\firefox.exe[3996] USER32.dll!GetClipboardData 7E430DBA 6 Bytes PUSH 71530022; RET

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[700] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00380002
IAT C:\WINDOWS\system32\services.exe[700] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00380000

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\usbccgp \Device\0000007c RapportKELL.sys (RapportKE/Trusteer Ltd.)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xF7 0x25 0xF5 0x19 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xF7 0x25 0xF5 0x19 ...

---- EOF - GMER 1.0.15 ----
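Added example, not from the thread and not part of GMER: reading a GMER log by hand comes down to sorting hooks by who owns them. GMER prints the owning module and vendor after an address when it can map the hook or its target into a loaded image, as on the SSDT lines and on the firefox.exe KiUserApcDispatcher line above, and prints nothing when it cannot, as on the ntoskrnl.exe and win32k.sys lines whose JMPs all land around 0x869C8xxx and on the firefox.exe hooks pointing at 0x71xx00xx. The script below parses the three line shapes that matter (SSDT entries, inline `.text`/`PAGE` hooks, bare `Code` entries), counts SSDT hooks per vendor, lists the hooks with no owner, and groups their targets by 4 KiB page so that many hooks landing in one page stand out as one piece of code. The sample lines are constructed from the log above; function names and output keys are mine.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List

# Constructed sample in GMER 1.0.15 output format, modelled on the scan posted
# above (a few representative lines, not the full log).
SAMPLE_GMER = r"""
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwAssignProcessToJobObject [0xBA661D36]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xBA4FA6B8]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwCreateFile [0xBA662442]
Code 869C8BAC ZwRequestPort
.text ntoskrnl.exe!NtTraceEvent 80545B10 5 Bytes JMP 869C8B10
PAGE ntoskrnl.exe!NtRequestWaitReplyPort 8056DA20 5 Bytes JMP 869C8C50
.text win32k.sys!EngAcquireSemaphore + 20E2 BF8082E1 5 Bytes JMP 869C84D0
.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xF72B4000, 0x175176, 0xE8000020]
.text C:\Program Files\Mozilla Firefox\firefox.exe[3996] ntdll.dll!KiUserApcDispatcher 7C90E450 5 Bytes JMP 01476B00 c:\program files\trusteer\rapport\bin\rooksdol.dll (Rooks/Dolomite/Trusteer Ltd.)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3996] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 716C000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3996] USER32.dll!GetMessageW 7E4191C6 6 Bytes PUSH 71500022; RET
"""

# SSDT <driver image> (<description/vendor>) <Zw function> [0x<handler address>]
SSDT_RE = re.compile(
    r"^SSDT\s+(?P<module>.+?)\s+\((?P<vendor>[^)]*)\)\s+(?P<func>\w+)\s+\[0x(?P<addr>[0-9A-Fa-f]+)\]$"
)
# <section> <module!symbol [+ offset] | process[pid] module!symbol> <addr> <n> Bytes <JMP|CALL|PUSH> <target>[; RET] [<owner>]
INLINE_RE = re.compile(
    r"^(?:\.text|PAGE|INIT)\s+(?P<where>.+?)\s+(?P<addr>[0-9A-Fa-f]{8})\s+(?P<n>\d+)\s+Bytes\s+"
    r"(?P<op>JMP|CALL|PUSH)\s+(?P<target>[0-9A-Fa-f]{8})(?:;\s*RET)?\s*(?P<owner>.*)$"
)
# Code <addr> <function>: code GMER found outside any module, keyed by the function it stands in for
CODE_RE = re.compile(r"^Code\s+(?P<addr>[0-9A-Fa-f]{8})\s+(?P<func>\w+)$")
# A "[pid]" after the image path marks a user-mode (per-process) hook
PID_RE = re.compile(r"\[\d+\]")


def parse_gmer(text: str) -> Dict[str, List[dict]]:
    """Split GMER output into SSDT hooks, inline hooks and bare 'Code' entries."""
    out: Dict[str, List[dict]] = {"ssdt": [], "inline": [], "code": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := SSDT_RE.match(line):
            out["ssdt"].append(m.groupdict())
        elif m := INLINE_RE.match(line):
            d = m.groupdict()
            d["user_mode"] = bool(PID_RE.search(d["where"]))
            d["owner"] = d["owner"].strip()  # empty when GMER could not map the target
            out["inline"].append(d)
        elif m := CODE_RE.match(line):
            out["code"].append(m.groupdict())
    return out


def triage_hooks(parsed: Dict[str, List[dict]]) -> Dict[str, object]:
    """Summarise hook ownership and single out targets GMER could not attribute."""
    unattributed = [h for h in parsed["inline"] if not h["owner"]]
    # Group unattributed targets by 4 KiB page: several hooks landing in the
    # same page were almost certainly installed by the same code.
    pages = defaultdict(list)
    for h in unattributed:
        page = int(h["target"], 16) & ~0xFFF
        pages[f"{page:08X}"].append(h["where"])
    return {
        "ssdt_by_vendor": dict(Counter(h["vendor"] for h in parsed["ssdt"])),
        "kernel_unattributed": [h["where"] for h in unattributed if not h["user_mode"]],
        "user_unattributed": [h["where"] for h in unattributed if h["user_mode"]],
        "target_pages": dict(pages),
        "code_entries": [c["func"] for c in parsed["code"]],
    }


if __name__ == "__main__":
    report = triage_hooks(parse_gmer(SAMPLE_GMER))
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the full log the kernel-side picture is the one to focus on: every SSDT entry is owned by either aswSP.SYS or RapportPG.sys, while all eleven win32k.sys hooks and the three ntoskrnl.exe hooks resolve into one 0x869C8000 page with no owner printed, and the `Code` entries name the same three Nt/Zw functions. That is the cluster a helper would ask the poster to investigate next; the script does not decide what installed it.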

#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:11:14 AM

Posted 13 December 2009 - 11:26 AM

Remove netsvcs from the first line of the custom scan.
Then try OTL again.


========================================================

#5 alternativeflip

alternativeflip
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Local time:10:14 AM

Posted 13 December 2009 - 04:28 PM

It still froze, but at "Scanning Session Manager AppCertDlls key..." I tried removing the next few items from the list with no luck. I scanned it without the list and it finished without a problem.

OTL logfile created on: 12/13/2009 3:20:53 PM - Run 3
OTL by OldTimer - Version 3.1.16.0 Folder = C:\Documents and Settings\Raf\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1023.53 Mb Total Physical Memory | 319.76 Mb Available Physical Memory | 31.24% Memory free
2.86 Gb Paging File | 2.12 Gb Available in Paging File | 74.33% Paging File free
Paging file location(s): C:\pagefile.sys 2000 4096 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 114.48 Gb Total Space | 58.55 Gb Free Space | 51.14% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: HAL9000TRES
Current User Name: Raf
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2009/12/12 17:41:04 | 00,538,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Raf\Desktop\OTL.exe
PRC - [2009/12/06 15:09:14 | 01,447,144 | ---- | M] (Trusteer Ltd.) -- C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
PRC - [2009/12/06 15:09:14 | 00,972,008 | ---- | M] (Trusteer Ltd.) -- C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
PRC - [2009/12/04 16:06:11 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/12/04 16:06:10 | 00,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\java.exe
PRC - [2009/12/01 07:55:10 | 00,389,120 | ---- | M] (tzuk) -- C:\Program Files\Sandboxie\SbieCtrl.exe
PRC - [2009/12/01 07:55:10 | 00,066,560 | ---- | M] (tzuk) -- C:\Program Files\Sandboxie\SbieSvc.exe
PRC - [2009/11/24 17:51:40 | 00,081,000 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashDisp.exe
PRC - [2009/11/24 17:51:35 | 00,138,680 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe
PRC - [2009/11/24 17:51:21 | 00,254,040 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
PRC - [2009/11/24 17:48:48 | 00,352,920 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
PRC - [2009/11/24 17:43:56 | 00,018,752 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
PRC - [2009/11/02 21:23:08 | 00,908,248 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/09/28 01:02:44 | 01,524,824 | ---- | M] (PeerBlock, LLC) -- C:\Program Files\PeerBlock\peerblock.exe
PRC - [2008/11/22 15:12:34 | 01,333,016 | ---- | M] (Diskeeper Corporation) -- C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
PRC - [2008/07/30 09:47:56 | 00,289,064 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe
PRC - [2008/07/30 09:47:48 | 00,532,264 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
PRC - [2008/07/22 19:42:12 | 00,116,040 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2008/04/13 18:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/12/04 20:53:58 | 00,495,616 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\ati2evxx.exe
PRC - [2007/07/24 14:17:08 | 00,229,376 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2003/05/15 17:45:54 | 00,114,688 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft IntelliType Pro\type32.exe
PRC - [2003/05/15 17:41:15 | 00,163,840 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft IntelliPoint\point32.exe


========== Modules (SafeList) ==========

MOD - [2009/12/12 17:41:04 | 00,538,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Raf\Desktop\OTL.exe
MOD - [2009/12/06 15:09:26 | 00,484,584 | ---- | M] (Trusteer Ltd.) -- C:\Program Files\Trusteer\Rapport\bin\rooksbas.dll


========== Win32 Services (SafeList) ==========

SRV - [2009/12/09 05:25:01 | 01,184,912 | ---- | M] (Lavasoft) [On_Demand | Stopped] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2009/12/06 15:09:14 | 00,972,008 | ---- | M] (Trusteer Ltd.) [Auto | Running] -- C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe -- (RapportMgmtService)
SRV - [2009/12/04 16:06:11 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009/12/01 07:55:10 | 00,066,560 | ---- | M] (tzuk) [Auto | Running] -- C:\Program Files\Sandboxie\SbieSvc.exe -- (SbieSvc)
SRV - [2009/11/24 17:51:35 | 00,138,680 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\ashServ.exe -- (avast! Antivirus)
SRV - [2009/11/24 17:51:21 | 00,254,040 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe -- (avast! Mail Scanner)
SRV - [2009/11/24 17:48:48 | 00,352,920 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe -- (avast! Web Scanner)
SRV - [2009/11/24 17:43:56 | 00,018,752 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe -- (aswUpdSv)
SRV - [2008/11/22 15:12:34 | 01,333,016 | ---- | M] (Diskeeper Corporation) [Auto | Running] -- C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe -- (Diskeeper)
SRV - [2008/07/30 09:47:48 | 00,532,264 | ---- | M] (Apple Inc.) [On_Demand | Running] -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2008/07/22 19:42:12 | 00,116,040 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2007/12/04 20:53:58 | 00,495,616 | ---- | M] (ATI Technologies Inc.) [Auto | Running] -- C:\WINDOWS\system32\ati2evxx.exe -- (Ati HotKey Poller)
SRV - [2007/09/28 20:05:00 | 00,593,920 | ---- | M] () [Auto | Stopped] -- C:\WINDOWS\system32\ati2sgag.exe -- (ATI Smart)
SRV - [2007/07/24 14:17:08 | 00,229,376 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2007/05/25 17:30:59 | 00,072,704 | ---- | M] (Adobe Systems) [On_Demand | Stopped] -- C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe -- (Adobe LM Service)
SRV - [2005/04/04 00:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-842925246-1275210071-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.Google.com
IE - HKU\S-1-5-21-842925246-1275210071-725345543-1003\S-1-5-21-842925246-1275210071-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-842925246-1275210071-725345543-1003\S-1-5-21-842925246-1275210071-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {c1970c0d-dbe6-4d91-804f-c9c0de643a57}:1.2.4
FF - prefs.js..extensions.enabledItems: {73a6fe31-595d-460b-a920-fcc0f8843232}:1.9.9.18
FF - prefs.js..extensions.enabledItems: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}:20091028
FF - prefs.js..keyword.URL: "http://www.google.com/search?q="


FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/12/07 04:49:30 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/12/07 04:49:21 | 00,000,000 | ---D | M]

[2009/12/07 04:50:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Raf\Application Data\Mozilla\Extensions
[2009/12/12 16:21:46 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Raf\Application Data\Mozilla\Firefox\Profiles\k069w8nj.default\extensions
[2009/12/07 04:52:39 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Raf\Application Data\Mozilla\Firefox\Profiles\k069w8nj.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
[2009/12/10 02:39:51 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Raf\Application Data\Mozilla\Firefox\Profiles\k069w8nj.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
[2009/12/09 03:18:29 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Raf\Application Data\Mozilla\Firefox\Profiles\k069w8nj.default\extensions\{c1970c0d-dbe6-4d91-804f-c9c0de643a57}
[2009/12/12 16:21:46 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/11/19 06:07:02 | 01,261,568 | ---- | M] () -- C:\Program Files\Mozilla Firefox\components\-WVTpnJBT_k.dll
[2009/07/17 02:40:12 | 00,704,512 | ---- | M] (BitComet) -- C:\Program Files\Mozilla Firefox\plugins\npBitCometAgent.dll
[2006/01/18 11:50:00 | 00,319,488 | ---- | M] ( ) -- C:\Program Files\Mozilla Firefox\plugins\npsnapfish.dll

O1 HOSTS File: (789 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKU\S-1-5-21-842925246-1275210071-725345543-1003\..\Toolbar\WebBrowser: (no name) - {E7D38ED4-2933-43B8-B0B9-52D11CE9CA10} - No CLSID value found.
O4 - HKLM..\Run: [AtiPTA] C:\WINDOWS\System32\atiptaxx.exe (ATI Technologies, Inc.)
O4 - HKLM..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
O4 - HKLM..\Run: [IntelliPoint] C:\Program Files\Microsoft IntelliPoint\point32.exe (Microsoft Corporation)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [type32] C:\Program Files\Microsoft IntelliType Pro\type32.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-842925246-1275210071-725345543-1003..\Run: [PeerBlock] C:\Program Files\PeerBlock\peerblock.exe (PeerBlock, LLC)
O4 - HKU\S-1-5-21-842925246-1275210071-725345543-1003..\Run: [SandboxieControl] C:\Program Files\Sandboxie\SbieCtrl.exe (tzuk)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-842925246-1275210071-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_17.dll (Sun Microsystems, Inc.)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O9 - Extra Button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: 57 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\.DEFAULT\..Trusted Domains: 59 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-18\..Trusted Domains: 59 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-19\..Trusted Domains: 33 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-20\..Trusted Domains: 33 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-842925246-1275210071-725345543-1003\..Trusted Domains: 64 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} http://gamedownload.ijjimax.com/gamedownlo...Plugin11USA.cab (ijjiPlugin2 Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {A2E05F45-F127-4092-B9F7-9A02C3E04C77} http://gamedownload.ijjimax.com/gamedownlo...GPlugin7USA.cab (HGPlugin7USA Class)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CEA3052D-65B9-44E2-A501-5E14024BC66F} http://www.tricksteronline.com/control/tricksterActiveX.cab (TricksterActiveX Control)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} http://www.tricksteronline.com/control/KALogoutComponent.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\NavLogon: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/12/24 09:53:33 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{542ee7f9-a6fc-11dd-84a2-000d7268d535}\Shell\AutoRun\command - "" = .\Encryption Tool\MaxtorEncryption.exe
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 14 Days ==========

[2009/12/12 17:41:03 | 00,538,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Raf\Desktop\OTL.exe
[2009/12/11 16:26:34 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Raf\Desktop\Office XP
[2009/12/11 16:24:52 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Trusteer
[2009/12/10 22:13:26 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Raf\DoctorWeb
[2009/12/10 21:51:32 | 24,815,568 | ---- | C] (Doctor Web, Ltd.) -- C:\Documents and Settings\Raf\Desktop\rt9nnd4t.exe
[2009/12/10 21:18:51 | 00,082,944 | ---- | C] (S!Ri.URZ) -- C:\WINDOWS\System32\IEDFix.C.exe
[2009/12/10 21:18:51 | 00,080,384 | ---- | C] (S!Ri.URZ) -- C:\WINDOWS\System32\o4Patch.exe
[2009/12/10 21:18:51 | 00,078,336 | ---- | C] (S!Ri.URZ) -- C:\WINDOWS\System32\Agent.OMZ.Fix.exe
[2009/12/10 21:18:50 | 00,288,417 | ---- | C] (S!Ri) -- C:\WINDOWS\System32\SrchSTS.exe
[2009/12/10 21:18:50 | 00,053,248 | ---- | C] (http://www.beyondlogic.org) -- C:\WINDOWS\System32\Process.exe
[2009/12/10 17:02:21 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Raf\Desktop\GooredFix Backups
[2009/12/10 16:45:00 | 00,071,848 | ---- | C] (jpshortstuff) -- C:\Documents and Settings\Raf\Desktop\GooredFix.exe
[2009/12/10 16:43:49 | 00,472,064 | ---- | C] ( ) -- C:\Documents and Settings\Raf\Desktop\RootRepeal.exe
[2009/12/10 02:26:11 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009/12/10 02:25:02 | 00,000,000 | ---D | C] -- C:\Program Files\SpywareBlaster
[2009/12/10 01:55:22 | 00,000,000 | RH-D | C] -- C:\Documents and Settings\Raf\Recent
[2009/12/09 05:36:24 | 00,064,288 | ---- | C] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys
[2009/12/09 05:06:25 | 00,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
[2009/12/09 05:06:03 | 00,000,000 | ---D | C] -- C:\Program Files\Lavasoft
[2009/12/09 05:06:03 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Lavasoft
[2009/12/07 19:22:47 | 00,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2009/12/07 04:55:59 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Raf\Application Data\vlc
[2009/12/07 04:49:28 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Raf\Application Data\Mozilla
[2009/12/05 23:34:36 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Raf\Application Data\Aim
[2009/12/05 23:34:12 | 00,000,000 | ---D | C] -- C:\Program Files\AOD
[2009/12/05 23:34:04 | 00,000,000 | ---D | C] -- C:\Program Files\AIM
[2009/12/04 16:09:35 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\Futuremark
[2009/12/04 04:13:01 | 00,000,000 | -HSD | C] -- C:\found.000
[2009/12/03 15:42:30 | 00,000,000 | -HSD | C] -- C:\Diskeeper
[2009/12/03 14:37:37 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Diskeeper Corporation
[2009/12/03 14:37:37 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Diskeeper Corporation
[2009/12/02 21:10:10 | 00,000,000 | ---D | C] -- C:\Program Files\Steam
[2009/12/02 21:01:28 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Raf\My Documents\Digsby Logs
[2009/12/02 20:29:14 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Digsby
[2009/12/02 20:27:45 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Raf\Local Settings\Application Data\Digsby
[2009/12/02 20:27:45 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Raf\Application Data\Digsby
[2009/12/02 20:26:36 | 00,000,000 | ---D | C] -- C:\Program Files\Digsby
[2009/12/02 18:27:05 | 00,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2009/12/02 15:27:18 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Raf\My Documents\PC Cleanup
[2009/12/02 05:50:35 | 00,000,000 | R--D | C] -- C:\Sandbox
[2009/12/02 05:50:04 | 00,000,000 | ---D | C] -- C:\Program Files\Sandboxie
[2009/12/02 05:05:08 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2009/12/02 05:01:51 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Raf\Application Data\SUPERAntiSpyware.com
[2009/12/02 05:01:51 | 00,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2009/12/02 03:31:40 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Raf\Application Data\Malwarebytes
[2009/12/02 03:31:27 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/12/02 03:31:25 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/12/02 03:31:25 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/12/02 03:31:24 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/10/22 01:22:03 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\MediaMonkey
[2009/01/08 18:33:33 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009/01/08 18:33:33 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2009/01/08 18:33:33 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2009/01/08 18:33:33 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2008/12/24 14:50:03 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 14 Days ==========

[2009/12/13 14:51:31 | 00,021,032 | ---- | M] () -- C:\Documents and Settings\Raf\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/12/13 14:33:38 | 10,223,616 | -H-- | M] () -- C:\Documents and Settings\Raf\NTUSER.DAT
[2009/12/12 17:41:04 | 00,538,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Raf\Desktop\OTL.exe
[2009/12/12 16:57:43 | 00,292,864 | ---- | M] () -- C:\Documents and Settings\Raf\Desktop\9ikezxd9.exe
[2009/12/12 16:33:35 | 00,582,776 | ---- | M] () -- C:\Documents and Settings\Raf\Desktop\PHYSICS_1202.pdf
[2009/12/12 05:36:00 | 00,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2009/12/11 21:36:26 | 00,028,160 | ---- | M] () -- C:\Documents and Settings\Raf\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/12/11 20:43:04 | 00,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/12/11 20:34:20 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/12/11 20:34:13 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/12/11 20:34:10 | 10,733,19936 | -HS- | M] () -- C:\hiberfil.sys
[2009/12/11 18:00:14 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\Raf\ntuser.ini
[2009/12/11 17:48:13 | 00,227,579 | ---- | M] () -- C:\Documents and Settings\Raf\Desktop\HW_14_hints_1.pdf
[2009/12/11 16:38:26 | 00,022,036 | -H-- | M] () -- C:\WINDOWS\System32\mlfcache.dat
[2009/12/11 08:36:29 | 04,318,190 | -H-- | M] () -- C:\Documents and Settings\Raf\Local Settings\Application Data\IconCache.db
[2009/12/11 07:42:09 | 00,000,989 | ---- | M] () -- C:\Documents and Settings\Raf\Desktop\DrWeb.csv
[2009/12/10 23:04:48 | 00,000,789 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/12/10 22:07:42 | 24,815,568 | ---- | M] (Doctor Web, Ltd.) -- C:\Documents and Settings\Raf\Desktop\rt9nnd4t.exe
[2009/12/10 17:25:48 | 00,001,368 | ---- | M] () -- C:\WINDOWS\Sandboxie.ini
[2009/12/10 16:48:53 | 00,000,000 | ---- | M] () -- C:\Documents and Settings\Raf\Desktop\settings.dat
[2009/12/10 16:45:02 | 00,071,848 | ---- | M] (jpshortstuff) -- C:\Documents and Settings\Raf\Desktop\GooredFix.exe
[2009/12/10 16:43:55 | 00,472,064 | ---- | M] ( ) -- C:\Documents and Settings\Raf\Desktop\RootRepeal.exe
[2009/12/10 02:44:14 | 00,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/12/10 02:39:43 | 00,432,356 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/12/10 02:39:43 | 00,067,312 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/12/10 02:39:42 | 00,508,956 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/12/09 12:58:44 | 00,362,041 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\HOSTS.MVP
[2009/12/09 12:37:14 | 00,006,300 | ---- | M] () -- C:\Documents and Settings\Raf\My Documents\cc_20091209_123636.reg
[2009/12/09 05:18:04 | 00,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2009/12/08 03:09:50 | 00,000,042 | ---- | M] () -- C:\WINDOWS\System32\scud.udf
[2009/12/07 20:16:21 | 00,000,037 | ---- | M] () -- C:\Documents and Settings\Raf\My Documents\rawr
[2009/12/07 19:59:28 | 00,004,500 | ---- | M] () -- C:\Documents and Settings\Raf\My Documents\cc_20091207_195853.reg
[2009/12/07 19:25:28 | 00,232,096 | ---- | M] () -- C:\Documents and Settings\Raf\My Documents\cc_20091207_192436.reg
[2009/12/03 16:14:06 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/12/03 16:13:56 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/12/03 09:27:17 | 00,000,477 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/12/03 09:27:17 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/12/03 09:27:17 | 00,000,211 | -HS- | M] () -- C:\boot.ini
[2009/12/02 18:57:20 | 00,020,482 | ---- | M] () -- C:\Documents and Settings\Raf\peerblock.dmp
[2009/12/01 16:29:58 | 00,000,296 | ---- | M] () -- C:\WINDOWS\tasks\Spybot - Search & Destroy - Scheduled Task.job
[2009/11/29 23:55:10 | 00,146,944 | ---- | M] () -- C:\Documents and Settings\Raf\My Documents\Ch. 31 reading.doc
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2009/12/12 16:57:32 | 00,292,864 | ---- | C] () -- C:\Documents and Settings\Raf\Desktop\9ikezxd9.exe
[2009/12/12 16:33:35 | 00,582,776 | ---- | C] () -- C:\Documents and Settings\Raf\Desktop\PHYSICS_1202.pdf
[2009/12/11 17:48:12 | 00,227,579 | ---- | C] () -- C:\Documents and Settings\Raf\Desktop\HW_14_hints_1.pdf
[2009/12/11 16:38:26 | 00,022,036 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2009/12/11 07:46:07 | 10,733,19936 | -HS- | C] () -- C:\hiberfil.sys
[2009/12/11 07:40:19 | 00,000,989 | ---- | C] () -- C:\Documents and Settings\Raf\Desktop\DrWeb.csv
[2009/12/10 16:48:53 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\Raf\Desktop\settings.dat
[2009/12/10 02:10:41 | 00,001,393 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2009/12/09 12:36:45 | 00,006,300 | ---- | C] () -- C:\Documents and Settings\Raf\My Documents\cc_20091209_123636.reg
[2009/12/09 05:36:54 | 00,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2009/12/08 03:09:50 | 00,000,042 | ---- | C] () -- C:\WINDOWS\System32\scud.udf
[2009/12/07 20:10:27 | 00,000,037 | ---- | C] () -- C:\Documents and Settings\Raf\My Documents\rawr
[2009/12/07 19:58:57 | 00,004,500 | ---- | C] () -- C:\Documents and Settings\Raf\My Documents\cc_20091207_195853.reg
[2009/12/07 19:24:47 | 00,232,096 | ---- | C] () -- C:\Documents and Settings\Raf\My Documents\cc_20091207_192436.reg
[2009/12/02 05:50:16 | 00,001,368 | ---- | C] () -- C:\WINDOWS\Sandboxie.ini
[2009/11/30 14:28:53 | 02,668,960 | ---- | C] () -- C:\Documents and Settings\Raf\My Documents\CIMG1705.JPG
[2009/11/29 23:55:09 | 00,146,944 | ---- | C] () -- C:\Documents and Settings\Raf\My Documents\Ch. 31 reading.doc
[2009/06/10 03:06:52 | 00,000,026 | ---- | C] () -- C:\WINDOWS\WAR2R.INI
[2009/05/28 22:38:22 | 00,765,952 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2009/05/28 22:38:22 | 00,383,238 | ---- | C] () -- C:\WINDOWS\System32\libmp3lame-0.dll
[2008/07/04 14:37:45 | 00,000,011 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.ini
[2008/07/04 14:35:19 | 00,000,082 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2008/06/21 23:32:57 | 00,000,053 | ---- | C] () -- C:\WINDOWS\EntPack.ini
[2008/01/24 16:57:51 | 00,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI
[2006/07/02 16:13:21 | 00,000,394 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2006/04/22 17:00:10 | 00,053,299 | ---- | C] () -- C:\WINDOWS\System32\pthreadVC.dll
[2006/01/24 12:08:29 | 00,012,288 | ---- | C] () -- C:\WINDOWS\System32\DivXWMPExtType.dll
[2006/01/13 19:46:27 | 00,000,504 | ---- | C] () -- C:\WINDOWS\_delis32.ini
[2006/01/04 00:52:38 | 00,000,287 | ---- | C] () -- C:\WINDOWS\game.ini
[2005/12/27 04:45:11 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/12/27 04:28:27 | 00,028,160 | ---- | C] () -- C:\Documents and Settings\Raf\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2005/12/26 18:32:32 | 00,135,168 | ---- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2005/12/25 16:03:31 | 00,000,044 | ---- | C] () -- C:\WINDOWS\System32\msssc.dll
[2005/12/24 10:00:25 | 00,039,852 | ---- | C] () -- C:\Documents and Settings\Raf\Local Settings\Application Data\FASTWiz.log
[2005/08/12 15:57:09 | 03,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2005/06/17 11:41:14 | 00,061,440 | ---- | C] () -- C:\WINDOWS\System32\vuins32.dll
[2002/10/15 16:54:04 | 00,153,088 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[1999/01/27 13:39:06 | 00,065,024 | ---- | C] () -- C:\WINDOWS\System32\indounin.dll
[1997/06/13 07:56:08 | 00,056,832 | ---- | C] () -- C:\WINDOWS\System32\Iyvu9_32.dll

========== LOP Check ==========

[2009/01/08 18:33:38 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Avg7
[2009/12/03 14:37:37 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Diskeeper Corporation
[2009/12/10 02:35:52 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009/08/27 05:10:56 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Trusteer
[2009/12/07 03:31:19 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2009/12/09 05:06:39 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
[2009/12/11 16:24:52 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Trusteer
[2009/06/17 00:05:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Raf\Application Data\4Media Software Studio
[2009/12/05 23:36:32 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Raf\Application Data\Aim
[2007/12/17 11:02:46 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\Raf\Application Data\ijjigame
[2007/12/17 19:48:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Raf\Application Data\Leadertech
[2007/07/26 19:52:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Raf\Application Data\Nexon
[2007/08/24 16:18:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Raf\Application Data\Snapfish
[2009/08/27 05:10:56 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Raf\Application Data\Trusteer
[2009/12/13 14:51:31 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Raf\Application Data\uTorrent
[2009/12/12 05:36:00 | 00,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
< End of report >






OTL Extras logfile created on: 12/13/2009 3:05:22 PM - Run 1
OTL by OldTimer - Version 3.1.16.0 Folder = C:\Documents and Settings\Raf\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1023.53 Mb Total Physical Memory | 349.74 Mb Available Physical Memory | 34.17% Memory free
2.86 Gb Paging File | 2.14 Gb Available in Paging File | 74.89% Paging File free
Paging file location(s): C:\pagefile.sys 2000 4096 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 114.48 Gb Total Space | 58.55 Gb Free Space | 51.14% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: HAL9000TRES
Current User Name: Raf
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = Reg Error: Value error.] -- Reg Error: Key error. File not found

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [MediaMonkey.1Play] -- "C:\Program Files\MediaMonkey\MediaMonkey.exe" "%1" (Ventis Media Inc.)
Directory [MediaMonkey.2PlayNext] -- "C:\Program Files\MediaMonkey\MediaMonkey.exe" /NEXT "%1" (Ventis Media Inc.)
Directory [MediaMonkey.3Enqueue] -- "C:\Program Files\MediaMonkey\MediaMonkey.exe" /ADD "%1" (Ventis Media Inc.)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"11027:TCP" = 11027:TCP:*:Enabled:BitComet 11027 TCP
"11027:UDP" = 11027:UDP:*:Enabled:BitComet 11027 UDP
"46615:TCP" = 46615:TCP:*:Disabled:torrent

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\AIM95\aim.exe" = C:\Program Files\AIM95\aim.exe:*:Enabled:AOL Instant Messenger -- File not found

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Steam\SteamApps\alternativeflip\counter-strike source\hl2.exe" = C:\Program Files\Steam\SteamApps\alternativeflip\counter-strike source\hl2.exe:*:Enabled:hl2 -- File not found
"C:\Program Files\Activision\Call of Duty 2\CoD2MP_s.exe" = C:\Program Files\Activision\Call of Duty 2\CoD2MP_s.exe:*:Enabled:CoD2MP_s -- ()
"C:\Program Files\softnyx\GunboundWC\GunBound.gme" = C:\Program Files\softnyx\GunboundWC\GunBound.gme:*:Enabled:GunBound -- File not found
"C:\Program Files\Starcraft\StarCraft.exe" = C:\Program Files\Starcraft\StarCraft.exe:*:Enabled:Starcraft -- (Blizzard Entertainment)
"C:\Program Files\BitComet\BitComet.exe" = C:\Program Files\BitComet\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client -- File not found
"C:\ijji\ENGLISH\Gunbound Revolution\GunBound.gme" = C:\ijji\ENGLISH\Gunbound Revolution\GunBound.gme:*:Enabled:GunBound -- File not found
"C:\Program Files\Wizet\MapleStory\Patcher.exe" = C:\Program Files\Wizet\MapleStory\Patcher.exe:*:Enabled:Patcher MFC ?? ???? -- File not found
"C:\Program Files\Wizet\MapleStory\NewPatcher.exe" = C:\Program Files\Wizet\MapleStory\NewPatcher.exe:*:Enabled:Patcher MFC ?? ???? -- File not found
"C:\Nexon\MapleStory\Patcher.exe" = C:\Nexon\MapleStory\Patcher.exe:*:Enabled:Patcher MFC ?? ???? -- File not found
"C:\Nexon\MapleStory\NewPatcher.exe" = C:\Nexon\MapleStory\NewPatcher.exe:*:Enabled:Patcher MFC ?? ???? -- File not found
"C:\Documents and Settings\Raf\Local Settings\Temp\nst71.tmp\utorrent.exe" = C:\Documents and Settings\Raf\Local Settings\Temp\nst71.tmp\utorrent.exe:*:Enabled:µTorrent -- File not found
"C:\Documents and Settings\Raf\Local Settings\Temp\nsw75.tmp\utorrent.exe" = C:\Documents and Settings\Raf\Local Settings\Temp\nsw75.tmp\utorrent.exe:*:Enabled:µTorrent -- File not found
"C:\Nexon\MapleStory\MapleStory.exe" = C:\Nexon\MapleStory\MapleStory.exe:*:Enabled:MapleStory -- File not found
"C:\Program Files\AIM95\aim.exe" = C:\Program Files\AIM95\aim.exe:*:Enabled:AOL Instant Messenger -- File not found
"C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox -- (Mozilla Corporation)
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- (Apple Inc.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)
"C:\Program Files\Steam\Steam.exe" = C:\Program Files\Steam\Steam.exe:*:Enabled:Steam -- (Valve Corporation)
"C:\Program Files\Digsby\lib\digsby-app.exe" = C:\Program Files\Digsby\lib\digsby-app.exe:*:Enabled:Digsby IM -- (dotSyntax, LLC)
"C:\Documents and Settings\Raf\Local Settings\Temp\7zS16.tmp\SymNRT.exe" = C:\Documents and Settings\Raf\Local Settings\Temp\7zS16.tmp\SymNRT.exe:*:Enabled:Norton Removal Tool -- File not found


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{015C5B35-B678-451C-9AEE-821E8D69621C}_is1" = PeerBlock 1.0.0 (r181)
"{02DFF6B1-1654-411C-8D7B-FD6052EF016F}" = Apple Software Update
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{08CA9554-B5FE-4313-938F-D4A417B81175}" = QuickTime
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{1DD81E7D-0D28-4CEB-87B2-C041A4FCB215}" = Rapport
"{1F63ED0B-EDD2-4037-B6AB-1358C624AF48}" = Scan
"{26A24AE4-039D-4CA4-87B4-2F83216017FF}" = Java™ 6 Update 17
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3DE0053C-FD9A-483E-B7C9-B06E4392206E}" = iTunes
"{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}" = Bonjour
"{49C88E44-1B38-4FC6-824E-2BDA3063B0E3}" = Apple Mobile Device Support
"{57EC14EF-9A27-11D6-85E9-F476176AA204}" = USB Card Reader
"{593D4F8A-5F11-4901-A74A-6E7971E45790}" = Diskeeper 2009 Pro Premier
"{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}" = Windows Genuine Advantage v1.3.0254.0
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX
"{81463B08-A929-4125-A5F4-1B053AC35A09}" = Microsoft IntelliType Pro 5.0
"{8777AC6D-89F9-4793-8266-DE406F343E89}" = QFolder
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90280409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional with FrontPage
"{A1062847-0846-427A-92A1-BB8251A91E91}" = HP PSC & OfficeJet 4.2
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A3BC5D37-30F9-4CF7-BD5C-0DFF063E4B6D}" = 2Wire Wireless Client
"{A4EA3AB4-E78C-4286-96DF-26035507CE55}" = AiO_Scan
"{AC76BA86-7AD7-1033-7B44-A70500000002}" = Adobe Reader 7.0.5
"{B2F5D08C-7E79-4FCD-AAF4-57AD35FF0601}" = Adobe Illustrator CS2
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CF6E7481-4487-46D3-810A-F73EEA232CE0}" = Microsoft IntelliPoint 5.0
"{D0A05794-48C2-4424-A15A-9F20FCFDD374}" = Call of Duty® 2
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{FB08F381-6533-4108-B7DD-039E11FBC27E}" = Realtek AC'97 Audio
"2Wire SetupWiz" = SBC Yahoo! DSL Home Networking Installer
"Ad-Aware" = Ad-Aware
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Illustrator CS2" = Adobe Illustrator CS2
"Adobe Photoshop 7.0" = Adobe Photoshop 7.0
"Adobe Shockwave Player" = Adobe Shockwave Player
"Adobe SVG Viewer" = Adobe SVG Viewer 3.0
"ATI Display Driver" = ATI Display Driver (Omega 3.8.442)
"avast!" = avast! Antivirus
"CCleaner" = CCleaner
"Combined Community Codec Pack" = Combined Community Codec Pack 2006-01-18 (Remove Only)
"Digsby" = Digsby
"HP Photo & Imaging" = HP Image Zone 4.2
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InstallShield_{D0A05794-48C2-4424-A15A-9F20FCFDD374}" = Call of Duty® 2
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"MediaMonkey_is1" = MediaMonkey 3.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.5.5)" = Mozilla Firefox (3.5.5)
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Radeon Omega Drivers for Windows XP/2kv4.8.442" = Radeon Omega Drivers v4.8.442 Setup Files and Tools
"RealPlayer 6.0" = RealPlayer
"Sandboxie" = Sandboxie 3.42
"ShockwaveFlash" = Adobe Flash Player 9 ActiveX
"Sophos-AntiRootkit" = Sophos Anti-Rootkit 1.5.0
"SpywareBlaster_is1" = SpywareBlaster 4.2
"Starcraft" = Starcraft
"uTorrent" = µTorrent
"VLC media player" = VLC media player 1.0.3
"VN_VUIns_Rhine_VIA" = VIA Rhine-Family Fast Ethernet Adapter
"VobSub" = VobSub v2.23 (Remove Only)
"Warcraft II BNE" = Warcraft II BNE
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows Media Player" = Windows Media Player 10
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = WinRAR archiver
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0

========== Last 10 Event Log Errors ==========

[ Antivirus Events ]
Error - 11/6/2009 9:10:52 PM | Computer Name = HAL9000TRES | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
http://clients1.google.com/complete/search...t%20ni&cp=8 failed,
0000A413.

Error - 11/6/2009 9:13:11 PM | Computer Name = HAL9000TRES | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
http://clients1.google.com/complete/search...0maga&cp=18
failed, 0000A413.

Error - 11/7/2009 4:16:42 PM | Computer Name = HAL9000TRES | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
http://clients1.google.com/complete/search...20shr&cp=10
failed, 0000A413.

Error - 11/9/2009 2:25:15 PM | Computer Name = HAL9000TRES | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
http://www.cbssports.com/data/fantasy/play...530&as=json failed,
0000A413.

Error - 11/17/2009 8:07:19 PM | Computer Name = HAL9000TRES | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
C:\Documents and Settings\Raf\Application Data\Mozilla\Firefox\Profiles\jzueta3l.default\sessionstore-1.js
failed, 0000A413.

Error - 12/2/2009 8:20:28 PM | Computer Name = HAL9000TRES | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: unhandled exception!,
65013D98.

Error - 12/2/2009 8:23:16 PM | Computer Name = HAL9000TRES | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
C:\WINDOWS\system32\mshearts.exe failed, 0000A413.

Error - 12/2/2009 8:23:27 PM | Computer Name = HAL9000TRES | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: unhandled exception!,
65013D98.

Error - 12/2/2009 8:25:37 PM | Computer Name = HAL9000TRES | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: unhandled exception!,
65013D98.

Error - 12/2/2009 8:25:46 PM | Computer Name = HAL9000TRES | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: unhandled exception!,
65013D98.

[ Application Events ]
Error - 12/12/2009 10:58:26 PM | Computer Name = HAL9000TRES | Source = Application Hang | ID = 1002
Description = Hanging application OTL.exe, version 3.1.16.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 12/12/2009 11:01:36 PM | Computer Name = HAL9000TRES | Source = Application Hang | ID = 1002
Description = Hanging application OTL.exe, version 3.1.16.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 12/12/2009 11:02:38 PM | Computer Name = HAL9000TRES | Source = Application Hang | ID = 1002
Description = Hanging application 9ikezxd9.exe, version 1.0.15.15279, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 12/12/2009 11:28:48 PM | Computer Name = HAL9000TRES | Source = Application Hang | ID = 1002
Description = Hanging application 9ikezxd9.exe, version 1.0.15.15279, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 12/12/2009 11:29:51 PM | Computer Name = HAL9000TRES | Source = Application Hang | ID = 1002
Description = Hanging application OTL.exe, version 3.1.16.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 12/12/2009 11:59:06 PM | Computer Name = HAL9000TRES | Source = Application Hang | ID = 1002
Description = Hanging application OTL.exe, version 3.1.16.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 12/13/2009 4:46:21 PM | Computer Name = HAL9000TRES | Source = Application Hang | ID = 1002
Description = Hanging application OTL.exe, version 3.1.16.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 12/13/2009 4:47:12 PM | Computer Name = HAL9000TRES | Source = Application Hang | ID = 1002
Description = Hanging application OTL.exe, version 3.1.16.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 12/13/2009 4:51:04 PM | Computer Name = HAL9000TRES | Source = Application Error | ID = 1000
Description = Faulting application firefox.exe, version 1.9.1.3593, faulting module
jvm.dll, version 14.3.0.1, fault address 0x000c6542.

Error - 12/13/2009 4:52:32 PM | Computer Name = HAL9000TRES | Source = Application Hang | ID = 1002
Description = Hanging application AcroRd32.exe, version 7.0.5.172, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 12/11/2009 9:44:10 AM | Computer Name = HAL9000TRES | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error - 12/11/2009 9:44:37 AM | Computer Name = HAL9000TRES | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error - 12/11/2009 9:44:55 AM | Computer Name = HAL9000TRES | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error - 12/11/2009 9:45:05 AM | Computer Name = HAL9000TRES | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 12/11/2009 9:46:27 AM | Computer Name = HAL9000TRES | Source = Service Control Manager | ID = 7000
Description = The npkcrypt service failed to start due to the following error: %%3

Error - 12/11/2009 9:46:39 AM | Computer Name = HAL9000TRES | Source = ati2mtag | ID = 45062
Description = CRT invalid display type

Error - 12/11/2009 3:25:41 PM | Computer Name = HAL9000TRES | Source = Service Control Manager | ID = 7000
Description = The npkcrypt service failed to start due to the following error: %%3

Error - 12/11/2009 3:25:42 PM | Computer Name = HAL9000TRES | Source = ati2mtag | ID = 45062
Description = CRT invalid display type

Error - 12/11/2009 10:34:34 PM | Computer Name = HAL9000TRES | Source = ati2mtag | ID = 45062
Description = CRT invalid display type

Error - 12/11/2009 10:34:38 PM | Computer Name = HAL9000TRES | Source = Service Control Manager | ID = 7000
Description = The npkcrypt service failed to start due to the following error: %%3


< End of report >

#6 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:11:14 AM

Posted 14 December 2009 - 07:59 AM

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the contents of C:\ComboFix.txt in your next reply.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#7 alternativeflip
  • Topic Starter
  • Members
  • 23 posts
  • Local time:10:14 AM

Posted 15 December 2009 - 09:32 PM

Combofix is still offline. Do you have an idea when the program will be fixed?

#8 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:11:14 AM

Posted 16 December 2009 - 09:20 AM

I haven't been given a time when it will be available again. Let's work around it for now.

Open up Firefox and click Tools -> Add-ons
Select Extensions and let me know if you have this extension installed.

XUL Cache 1.0

#9 alternativeflip
  • Topic Starter
  • Members
  • 23 posts
  • Local time:10:14 AM

Posted 16 December 2009 - 03:34 PM

I didn't see XUL cache 1.0 in my extensions.

#10 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:11:14 AM

Posted 16 December 2009 - 06:31 PM

We need to run this special tool.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (or you can hold down your Windows key and press R) and copy and paste the following into the text field (make sure you include the quote marks). Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • If prompted to reboot, please do so.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt". Please copy and paste the contents of that file here.


#11 alternativeflip
  • Topic Starter
  • Members
  • 23 posts
  • Local time:10:14 AM

Posted 17 December 2009 - 02:30 PM

Host Name: HAL9000TRES
OS Name: Microsoft Windows XP Professional
OS Version: 5.1.2600 Service Pack 3 Build 2600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Uniprocessor Free
Registered Owner: Raf
Registered Organization: Rawr
Product ID: 76487-017-0813286-22042
Original Install Date: 12/24/2005, 9:56:15 AM
System Up Time: 0 Days, 0 Hours, 25 Minutes, 48 Seconds
System Manufacturer: Fujitsu Siemens
System Model: A7V600-F2
System type: X86-based PC
Processor(s): 1 Processor(s) Installed.
[01]: x86 Family 6 Model 10 Stepping 0 AuthenticAMD ~2166 Mhz
BIOS Version: ASUS - 42302e31
Windows Directory: C:\WINDOWS
System Directory: C:\WINDOWS\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (GMT-06:00) Central Time (US & Canada)
Total Physical Memory: 1,024 MB
Available Physical Memory: 265 MB
Virtual Memory: Max Size: 2,048 MB
Virtual Memory: Available: 1,997 MB
Virtual Memory: In Use: 51 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: \\HAL9000TRES
Hotfix(s): 215 Hotfix(s) Installed.
[01]: File 1
[99]: Q147222
[100]: Q927978
[101]: Q936181
[102]: Q954430
[103]: Q973688
[104]: IDNMitigationAPIs - Update
[105]: NLSDownlevelMapping - Update
[106]: KB952069_WM9
[107]: KB954155_WM9
[108]: KB968816_WM9
[109]: KB973540_WM9
[110]: KB911565
[111]: KB917734_WMP10
[112]: KB936782_WMP10
[113]: KB925398_WMP64
[114]: KB923689
[115]: KB941569
[116]: KB928090-IE7 - Update
[117]: KB929969 - Update
[118]: KB931768-IE7 - Update
[119]: KB933566-IE7 - Update
[120]: KB937143-IE7 - Update
[121]: KB938127-IE7 - Update
[122]: KB939653-IE7 - Update
[123]: KB942615-IE7 - Update
[124]: KB944533-IE7 - Update
[125]: KB947864-IE7 - Update
[126]: KB950759-IE7 - Update
[127]: KB953838-IE7 - Update
[128]: KB956390-IE7 - Update
[129]: KB958215-IE7 - Update
[130]: KB960714-IE7 - Update
[131]: KB961260-IE7 - Update
[132]: KB963027-IE7 - Update
[133]: KB969897-IE7 - Update
[134]: KB972260-IE7 - Update
[135]: KB974455-IE7 - Update
[136]: KB976325-IE7 - Update
[137]: KB976749-IE7 - Update
[138]: KB936929 - Service Pack
[139]: KB923561 - Update
[140]: KB938464 - Update
[141]: KB938464-v2 - Update
[142]: KB946648 - Update
[143]: KB950760 - Update
[144]: KB950762 - Update
[145]: KB950974 - Update
[146]: KB951066 - Update
[147]: KB951072-v2 - Update
[148]: KB951376 - Update
[149]: KB951376-v2 - Update
[150]: KB951698 - Update
[151]: KB951748 - Update
[152]: KB951978 - Update
[153]: KB952004 - Update
[154]: KB952287 - Update
[155]: KB952954 - Update
[156]: KB953839 - Update
[157]: KB954211 - Update
[158]: KB954459 - Update
[159]: KB954550-v5 - Update
[160]: KB954600 - Update
[161]: KB955069 - Update
[162]: KB955839 - Update
[163]: KB956391 - Update
[164]: KB956572 - Update
[165]: KB956744 - Update
[166]: KB956802 - Update
[167]: KB956803 - Update
[168]: KB956841 - Update
[169]: KB956844 - Update
[170]: KB957095 - Update
[171]: KB957097 - Update
[172]: KB958644 - Update
[173]: KB958687 - Update
[174]: KB958690 - Update
[175]: KB958869 - Update
[176]: KB959426 - Update
[177]: KB960225 - Update
[178]: KB960715 - Update
[179]: KB960803 - Update
[180]: KB960859 - Update
[181]: KB961118 - Update
[182]: KB961371 - Update
[183]: KB961373 - Update
[184]: KB961501 - Update
[185]: KB967715 - Update
[186]: KB968389 - Update
[187]: KB968537 - Update
[188]: KB969059 - Update
[189]: KB969898 - Update
[190]: KB969947 - Update
[191]: KB970238 - Update
[192]: KB970430 - Update
[193]: KB970653-v3 - Update
[194]: KB971486 - Update
[195]: KB971557 - Update
[196]: KB971633 - Update
[197]: KB971657 - Update
[198]: KB971737 - Update
[199]: KB971961 - Update
[200]: KB973346 - Update
[201]: KB973354 - Update
[202]: KB973507 - Update
[203]: KB973525 - Update
[204]: KB973687 - Update
[205]: KB973815 - Update
[206]: KB973869 - Update
[207]: KB973904 - Update
[208]: KB974112 - Update
[209]: KB974318 - Update
[21

NetWork Card(s): 2 NIC(s) Installed.
[01]: VIA Rhine II Fast Ethernet Adapter
Connection Name: Local Area Connection
DHCP Enabled: Yes
DHCP Server: 192.168.1.254
IP address(es)
[01]: 192.168.1.67
[02]: 1394 Net Adapter
Connection Name: 1394 Connection
13:28:23:156 272 ForceUnloadDriver: NtUnloadDriver error 2
13:28:23:156 272 ForceUnloadDriver: NtUnloadDriver error 2
13:28:23:156 272 ForceUnloadDriver: NtUnloadDriver error 2
13:28:23:171 272 main: Driver KLMD successfully dropped
13:28:23:171 272 main: Driver KLMD successfully loaded
13:28:23:171 272
Scanning Registry ...
13:28:23:171 272 ScanServices: Searching service UACd.sys
13:28:23:171 272 ScanServices: Open/Create key error 2
13:28:23:171 272 ScanServices: Searching service TDSSserv.sys
13:28:23:171 272 ScanServices: Open/Create key error 2
13:28:23:171 272 ScanServices: Searching service gaopdxserv.sys
13:28:23:171 272 ScanServices: Open/Create key error 2
13:28:23:171 272 ScanServices: Searching service gxvxcserv.sys
13:28:23:171 272 ScanServices: Open/Create key error 2
13:28:23:171 272 ScanServices: Searching service MSIVXserv.sys
13:28:23:171 272 ScanServices: Open/Create key error 2
13:28:23:187 272 UnhookRegistry: Kernel module file name: C:\windows\system32\ntoskrnl.exe, base addr: 804D7000
13:28:23:187 272 UnhookRegistry: Kernel local addr: A40000
13:28:23:187 272 UnhookRegistry: KeServiceDescriptorTable addr: AC3220
13:28:23:187 272 UnhookRegistry: KiServiceTable addr: A4B6A8
13:28:23:187 272 UnhookRegistry: NtEnumerateKey service number (local): 47
13:28:23:187 272 UnhookRegistry: NtEnumerateKey local addr: ADC5A4
13:28:23:187 272 KLMD_OpenDevice: Trying to open KLMD device
13:28:23:187 272 KLMD_GetSystemRoutineAddressA: Trying to get system routine address ZwEnumerateKey
13:28:23:187 272 KLMD_GetSystemRoutineAddressW: Trying to get system routine address ZwEnumerateKey
13:28:23:187 272 KLMD_ReadMem: Trying to ReadMemory 0x804DCC49[0x4]
13:28:23:187 272 UnhookRegistry: NtEnumerateKey service number (kernel): 47
13:28:23:187 272 KLMD_ReadMem: Trying to ReadMemory 0x804E27C4[0x4]
13:28:23:187 272 UnhookRegistry: NtEnumerateKey real addr: 805735A4
13:28:23:187 272 UnhookRegistry: NtEnumerateKey calc addr: 805735A4
13:28:23:187 272 UnhookRegistry: No SDT hooks found on NtEnumerateKey
13:28:23:187 272 KLMD_ReadMem: Trying to ReadMemory 0x805735A4[0xA]
13:28:23:187 272 UnhookRegistry: No splicing found on NtEnumerateKey
13:28:23:187 272
Scanning Kernel memory ...
13:28:23:187 272 KLMD_OpenDevice: Trying to open KLMD device
13:28:23:187 272 KLMD_GetSystemObjectAddressByNameA: Trying to get system object address by name \Driver\Disk
13:28:23:187 272 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
13:28:23:187 272 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 8732AA08
13:28:23:187 272 DetectCureTDL3: KLMD_GetDeviceObjectList returned 2 DevObjects
13:28:23:187 272 DetectCureTDL3: 0 Curr stack PDEVICE_OBJECT: 8738BC68
13:28:23:187 272 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8738BC68
13:28:23:187 272 KLMD_ReadMem: Trying to ReadMemory 0x8738BC68[0x38]
13:28:23:187 272 DetectCureTDL3: DRIVER_OBJECT addr: 8732AA08
13:28:23:187 272 KLMD_ReadMem: Trying to ReadMemory 0x8732AA08[0xA8]
13:28:23:187 272 KLMD_ReadMem: Trying to ReadMemory 0xE18BD120[0x208]
13:28:23:187 272 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
13:28:23:187 272 DetectCureTDL3: IrpHandler (0) addr: F7814BB0
13:28:23:187 272 DetectCureTDL3: IrpHandler (1) addr: 804FA87E
13:28:23:187 272 DetectCureTDL3: IrpHandler (2) addr: F7814BB0
13:28:23:187 272 DetectCureTDL3: IrpHandler (3) addr: F780ED1F
13:28:23:187 272 DetectCureTDL3: IrpHandler (4) addr: F780ED1F
13:28:23:187 272 DetectCureTDL3: IrpHandler (5) addr: 804FA87E
13:28:23:187 272 DetectCureTDL3: IrpHandler (6) addr: 804FA87E
13:28:23:187 272 DetectCureTDL3: IrpHandler (7) addr: 804FA87E
13:28:23:187 272 DetectCureTDL3: IrpHandler (8) addr: 804FA87E
13:28:23:187 272 DetectCureTDL3: IrpHandler (9) addr: F780F2E2
13:28:23:187 272 DetectCureTDL3: IrpHandler (10) addr: 804FA87E
13:28:23:187 272 DetectCureTDL3: IrpHandler (11) addr: 804FA87E
13:28:23:187 272 DetectCureTDL3: IrpHandler (12) addr: 804FA87E
13:28:23:187 272 DetectCureTDL3: IrpHandler (13) addr: 804FA87E
13:28:23:187 272 DetectCureTDL3: IrpHandler (14) addr: F780F3BB
13:28:23:187 272 DetectCureTDL3: IrpHandler (15) addr: F7812F28
13:28:23:187 272 DetectCureTDL3: IrpHandler (16) addr: F780F2E2
13:28:23:187 272 DetectCureTDL3: IrpHandler (17) addr: 804FA87E
13:28:23:187 272 DetectCureTDL3: IrpHandler (18) addr: 804FA87E
13:28:23:187 272 DetectCureTDL3: IrpHandler (19) addr: 804FA87E
13:28:23:187 272 DetectCureTDL3: IrpHandler (20) addr: 804FA87E
13:28:23:187 272 DetectCureTDL3: IrpHandler (21) addr: 804FA87E
13:28:23:187 272 DetectCureTDL3: IrpHandler (22) addr: F7810C82
13:28:23:187 272 DetectCureTDL3: IrpHandler (23) addr: F781599E
13:28:23:187 272 DetectCureTDL3: IrpHandler (24) addr: 804FA87E
13:28:23:187 272 DetectCureTDL3: IrpHandler (25) addr: 804FA87E
13:28:23:187 272 DetectCureTDL3: IrpHandler (26) addr: 804FA87E
13:28:23:187 272 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]
13:28:23:187 272 KLMD_ReadMem: DeviceIoControl error 1
13:28:23:187 272 TDL3_StartIoHookDetect: Unable to get StartIo handler code
13:28:23:187 272 TDL3_FileDetect: Processing driver: Disk
13:28:23:187 272 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\disk.sys, C:\WINDOWS\system32\Drivers\tsk_disk.sys, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\tsk_disk.sys
13:28:23:187 272 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\disk.sys
13:28:23:187 272 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\disk.sys
13:28:23:203 272 DetectCureTDL3: 1 Curr stack PDEVICE_OBJECT: 8738CAB8
13:28:23:203 272 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8738CAB8
13:28:23:203 272 DetectCureTDL3: 1 Curr stack PDEVICE_OBJECT: 87360968
13:28:23:203 272 KLMD_GetLowerDeviceObject: Trying to get lower device object for 87360968
13:28:23:203 272 DetectCureTDL3: 1 Curr stack PDEVICE_OBJECT: 8732B940
13:28:23:203 272 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8732B940
13:28:23:203 272 KLMD_ReadMem: Trying to ReadMemory 0x8732B940[0x38]
13:28:23:203 272 DetectCureTDL3: DRIVER_OBJECT addr: 87390C28
13:28:23:203 272 KLMD_ReadMem: Trying to ReadMemory 0x87390C28[0xA8]
13:28:23:203 272 KLMD_ReadMem: Trying to ReadMemory 0xE101DA28[0x208]
13:28:23:203 272 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
13:28:23:203 272 DetectCureTDL3: IrpHandler (0) addr: F76FB6F2
13:28:23:203 272 DetectCureTDL3: IrpHandler (1) addr: 804FA87E
13:28:23:203 272 DetectCureTDL3: IrpHandler (2) addr: F76FB6F2
13:28:23:203 272 DetectCureTDL3: IrpHandler (3) addr: 804FA87E
13:28:23:203 272 DetectCureTDL3: IrpHandler (4) addr: 804FA87E
13:28:23:203 272 DetectCureTDL3: IrpHandler (5) addr: 804FA87E
13:28:23:203 272 DetectCureTDL3: IrpHandler (6) addr: 804FA87E
13:28:23:203 272 DetectCureTDL3: IrpHandler (7) addr: 804FA87E
13:28:23:203 272 DetectCureTDL3: IrpHandler (8) addr: 804FA87E
13:28:23:203 272 DetectCureTDL3: IrpHandler (9) addr: 804FA87E
13:28:23:203 272 DetectCureTDL3: IrpHandler (10) addr: 804FA87E
13:28:23:203 272 DetectCureTDL3: IrpHandler (11) addr: 804FA87E
13:28:23:203 272 DetectCureTDL3: IrpHandler (12) addr: 804FA87E
13:28:23:203 272 DetectCureTDL3: IrpHandler (13) addr: 804FA87E
13:28:23:203 272 DetectCureTDL3: IrpHandler (14) addr: F76FB712
13:28:23:203 272 DetectCureTDL3: IrpHandler (15) addr: F76F7852
13:28:23:203 272 DetectCureTDL3: IrpHandler (16) addr: 804FA87E
13:28:23:203 272 DetectCureTDL3: IrpHandler (17) addr: 804FA87E
13:28:23:203 272 DetectCureTDL3: IrpHandler (18) addr: 804FA87E
13:28:23:203 272 DetectCureTDL3: IrpHandler (19) addr: 804FA87E
13:28:23:203 272 DetectCureTDL3: IrpHandler (20) addr: 804FA87E
13:28:23:203 272 DetectCureTDL3: IrpHandler (21) addr: 804FA87E
13:28:23:203 272 DetectCureTDL3: IrpHandler (22) addr: F76FB73C
13:28:23:203 272 DetectCureTDL3: IrpHandler (23) addr: F7702336
13:28:23:203 272 DetectCureTDL3: IrpHandler (24) addr: 804FA87E
13:28:23:203 272 DetectCureTDL3: IrpHandler (25) addr: 804FA87E
13:28:23:203 272 DetectCureTDL3: IrpHandler (26) addr: 804FA87E
13:28:23:203 272 KLMD_ReadMem: Trying to ReadMemory 0xF76F8864[0x400]
13:28:23:203 272 TDL3_StartIoHookDetect: CheckParameters: 0, 0, 316, 0
13:28:23:203 272 TDL3_FileDetect: Processing driver: atapi
13:28:23:203 272 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\atapi.sys, C:\WINDOWS\system32\Drivers\tsk_atapi.sys, SYSTEM\CurrentControlSet\Services\atapi, system32\Drivers\tsk_atapi.sys
13:28:23:203 272 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\atapi.sys
13:28:23:203 272 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\atapi.sys
13:28:23:218 272
Completed

Results:
13:28:23:218 272 Infected objects in memory: 0
13:28:23:218 272 Cured objects in memory: 0
13:28:23:218 272 Infected objects on disk: 0
13:28:23:218 272 Objects on disk cured on reboot: 0
13:28:23:218 272 Objects on disk deleted on reboot: 0
13:28:23:218 272 Registry nodes deleted on reboot: 0
13:28:23:218 272

#12 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 18 December 2009 - 08:19 AM

A beta version of Combofix is now available.
http://download.bleepingcomputer.com/sUBs/Beta/KittyFix.exe

Go ahead and run it and then post back with the resulting log.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#13 alternativeflip
  • Topic Starter
  • Members
  • 23 posts

Posted 18 December 2009 - 04:38 PM

ComboFix 09-12-17.03 - Raf 12/18/2009 15:23:30.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1024.546 [GMT -6:00]
Running from: c:\documents and settings\Raf\Desktop\KittyFix.exe
AV: avast! antivirus 4.8.1368 [VPS 091218-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\WinPCap
c:\program files\WinPCap\rpcapd.exe
C:\test.txt
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\drivers\npf.sys
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\o4Patch.exe
c:\windows\system32\Packet.dll
c:\windows\system32\Process.exe
c:\windows\system32\pthreadVC.dll
c:\windows\system32\SrchSTS.exe
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Legacy_RKHIT
-------\Service_npf


((((((((((((((((((((((((( Files Created from 2009-11-18 to 2009-12-18 )))))))))))))))))))))))))))))))
.

2009-12-11 22:38 . 2009-12-11 22:38 22036 ---ha-w- c:\windows\system32\mlfcache.dat
2009-12-11 22:24 . 2009-12-11 22:24 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Trusteer
2009-12-11 04:13 . 2009-12-11 05:04 -------- d-----w- c:\documents and settings\Raf\DoctorWeb
2009-12-10 08:26 . 2009-12-18 19:54 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-12-10 08:25 . 2009-12-15 11:41 -------- d-----w- c:\program files\SpywareBlaster
2009-12-09 11:36 . 2009-09-23 12:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-12-09 11:35 . 2009-12-09 11:36 862040 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-12-09 11:35 . 2009-12-09 11:35 15880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-12-09 11:35 . 2009-12-09 11:35 206944 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2009-12-09 11:35 . 2009-12-09 11:35 390288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2009-12-09 11:35 . 2009-12-09 11:35 537576 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\aawapi.dll
2009-12-09 11:35 . 2009-12-09 11:35 370744 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2009-12-09 11:35 . 2009-12-09 11:35 163728 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2009-12-09 11:34 . 2009-12-09 11:35 194104 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Savapibridge.dll
2009-12-09 11:29 . 2009-12-09 11:30 5908024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2009-12-09 11:29 . 2009-12-09 11:29 327000 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2009-12-09 11:29 . 2009-12-09 11:29 87496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2009-12-09 11:29 . 2009-12-09 11:29 933120 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-12-09 11:29 . 2009-12-09 11:29 641632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2009-12-09 11:26 . 2009-12-09 11:26 816272 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-12-09 11:26 . 2009-12-09 11:26 822904 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-12-09 11:25 . 2009-12-09 11:26 1638640 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-12-09 11:25 . 2009-12-09 11:25 788880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-12-09 11:24 . 2009-12-09 11:25 1184912 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-12-09 11:06 . 2009-12-09 11:06 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-12-09 11:06 . 2009-10-03 08:15 2924848 -c--a-w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe
2009-12-09 11:06 . 2009-12-09 11:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-12-09 11:06 . 2009-12-09 11:06 -------- d-----w- c:\program files\Lavasoft
2009-12-09 09:36 . 2009-12-09 09:36 4844296 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-12-08 01:22 . 2009-12-08 01:22 -------- d-----w- c:\program files\CCleaner
2009-12-07 10:55 . 2009-12-07 22:58 -------- d-----w- c:\documents and settings\Raf\Application Data\vlc
2009-12-06 05:34 . 2009-12-06 05:36 -------- d-----w- c:\documents and settings\Raf\Application Data\Aim
2009-12-06 05:34 . 2009-12-06 05:34 -------- d-----w- c:\program files\AOD
2009-12-06 05:34 . 2009-12-06 05:36 -------- d-----w- c:\program files\AIM
2009-12-04 22:09 . 2009-12-04 22:09 -------- d-----w- c:\windows\system32\Futuremark
2009-12-04 22:09 . 2007-08-20 17:05 27672 ----a-w- c:\windows\system32\drivers\Entech.sys
2009-12-04 22:06 . 2009-12-04 22:06 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-04 22:05 . 2009-12-04 22:05 152576 ----a-w- c:\documents and settings\Raf\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-12-04 22:00 . 2009-12-04 22:00 79488 ----a-w- c:\documents and settings\Raf\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-12-04 10:13 . 2009-12-04 10:13 -------- d-----w- C:\found.000
2009-12-03 21:42 . 2009-12-03 21:42 -------- d-----w- C:\Diskeeper
2009-12-03 20:37 . 2009-12-03 20:37 -------- d-----w- c:\program files\Common Files\Diskeeper Corporation
2009-12-03 20:37 . 2009-12-03 20:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Diskeeper Corporation
2009-12-03 03:10 . 2009-12-04 21:53 -------- d-----w- c:\program files\Steam
2009-12-03 02:29 . 2009-12-03 02:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Digsby
2009-12-03 02:27 . 2009-12-10 15:27 -------- d-----w- c:\documents and settings\Raf\Local Settings\Application Data\Digsby
2009-12-03 02:27 . 2009-12-03 02:29 -------- d-----w- c:\documents and settings\Raf\Application Data\Digsby
2009-12-03 02:26 . 2009-12-10 15:27 -------- d-----w- c:\program files\Digsby
2009-12-02 11:50 . 2009-12-02 11:50 -------- d-----r- C:\Sandbox
2009-12-02 11:50 . 2009-12-02 11:50 -------- d-----w- c:\program files\Sandboxie
2009-12-02 11:10 . 2009-12-09 09:42 117760 ----a-w- c:\documents and settings\Raf\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-02 11:05 . 2009-12-02 11:05 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-12-02 11:01 . 2009-12-02 11:01 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-12-02 11:01 . 2009-12-02 11:01 -------- d-----w- c:\documents and settings\Raf\Application Data\SUPERAntiSpyware.com
2009-12-02 09:31 . 2009-12-02 09:31 -------- d-----w- c:\documents and settings\Raf\Application Data\Malwarebytes
2009-12-02 09:31 . 2009-12-03 22:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-02 09:31 . 2009-12-03 22:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-02 09:31 . 2009-12-02 09:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-02 09:31 . 2009-12-09 09:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-18 07:13 . 2009-09-22 04:03 -------- d-----w- c:\program files\PeerBlock
2009-12-16 21:05 . 2007-07-02 01:29 -------- d-----w- c:\documents and settings\Raf\Application Data\uTorrent
2009-12-13 20:51 . 2005-12-25 21:07 21032 -c--a-w- c:\documents and settings\Raf\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-10 07:54 . 2005-12-27 21:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-12-07 22:59 . 2005-12-27 13:30 -------- d-----w- c:\program files\AIM95
2009-12-07 09:31 . 2005-12-25 10:46 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-07 09:31 . 2008-03-09 03:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-12-04 22:06 . 2006-01-01 00:09 -------- d-----w- c:\program files\Java
2009-12-03 20:37 . 2007-12-18 01:47 -------- d-----w- c:\program files\Diskeeper Corporation
2009-12-02 11:01 . 2006-08-15 00:42 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-01 15:24 . 2005-12-27 21:54 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-30 08:11 . 2008-01-25 10:58 -------- d-----w- c:\documents and settings\Raf\Application Data\Move Networks
2009-11-24 23:54 . 2009-07-23 16:49 1280480 ----a-w- c:\windows\system32\aswBoot.exe
2009-11-24 23:51 . 2009-07-23 16:49 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-11-24 23:49 . 2009-07-23 16:49 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-11-24 23:48 . 2009-07-23 16:49 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-11-24 23:47 . 2009-07-23 16:49 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-11-24 23:47 . 2009-07-23 16:49 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-11-03 05:00 . 2006-05-28 23:54 -------- d-----w- c:\program files\Starcraft
2009-10-29 07:46 . 2004-08-04 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46 . 2004-08-04 12:00 17408 ------w- c:\windows\system32\corpol.dll
2009-10-27 08:27 . 2009-10-27 08:27 -------- d-----w- c:\program files\uTorrent
2009-10-21 05:38 . 2004-08-04 12:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 12:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 12:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2004-08-04 12:00 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2004-08-04 12:00 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2004-08-04 12:00 79872 ----a-w- c:\windows\system32\raschap.dll
2009-11-19 12:07 . 2009-12-01 12:24 1261568 ----a-w- c:\program files\mozilla firefox\components\-WVTpnJBT_k.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PeerBlock"="c:\program files\PeerBlock\peerblock.exe" [2009-09-28 1524824]
"SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2009-12-01 389120]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2003-05-15 114688]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2003-05-15 163840]
"AtiPTA"="atiptaxx.exe" [2006-02-22 344064]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RkHit.sys]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Image Transfer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Image Transfer.lnk
backup=c:\windows\pss\Image Transfer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2008-07-23 01:42 116040 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
2007-12-05 02:55 26112 ----a-w- c:\windows\system32\Ati2mdxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-07-30 15:47 289064 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2009-12-03 22:14 1394000 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-05-27 15:50 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2005-12-15 00:06 577536 ----a-w- c:\windows\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 21:07 2260480 ------w- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2009-12-03 03:15 1217808 ----a-w- c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2006-01-02 03:07 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Digsby\\lib\\digsby-app.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"11027:TCP"= 11027:TCP:BitComet 11027 TCP
"11027:UDP"= 11027:UDP:BitComet 11027 UDP
"46615:TCP"= 46615:TCP:*:Disabled:torrent

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [12/9/2009 5:36 AM 64288]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [7/23/2009 10:49 AM 114768]
R1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [12/6/2009 3:09 PM 58984]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [12/6/2009 3:09 PM 337000]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [11/23/2009 8:43 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/23/2009 8:43 AM 74480]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/23/2009 10:49 AM 20560]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [12/6/2009 3:09 PM 972008]
R3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [9/21/2009 10:03 PM 14424]
R3 SbieDrv;SbieDrv;c:\program files\Sandboxie\SbieDrv.sys [12/1/2009 7:55 AM 119296]
S3 aswArKrn;aswArKrn;\??\c:\docume~1\Raf\LOCALS~1\Temp\aswArKrn.sys --> c:\docume~1\Raf\LOCALS~1\Temp\aswArKrn.sys [?]
S3 cpuz130;cpuz130;\??\c:\docume~1\Raf\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~1\Raf\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 5:17 AM 1184912]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\1D.tmp --> c:\windows\system32\1D.tmp [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/23/2009 8:43 AM 7408]
S4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys --> c:\windows\system32\Drivers\sptd.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - PBFILTER
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.Google.com
uInternet Settings,ProxyOverride = *.local
DPF: {CEA3052D-65B9-44E2-A501-5E14024BC66F} - hxxp://www.tricksteronline.com/control/tricksterActiveX.cab
DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} - hxxp://www.tricksteronline.com/control/KALogoutComponent.cab
FF - ProfilePath - c:\documents and settings\Raf\Application Data\Mozilla\Firefox\Profiles\k069w8nj.default\
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?q=
FF - component: c:\program files\Mozilla Firefox\components\-WVTpnJBT_k.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

Notify-NavLogon - (no file)
MSConfigStartUp-CamWizard - c:\program files\Common Files\Logitech\QCDRV\BIN\CamWizrd.exe
MSConfigStartUp-DeadAIM - c:\progra~1\AIM95\\DeadAIM.ocm
MSConfigStartUp-Google Update - c:\documents and settings\Raf\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre1.5.0_06\bin\jusched.exe
AddRemove-2kv4.8.442 - c:\windows\Radeon Omega Drivers v4.8.442



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-18 15:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\TEMP\_av_proI.tm~a03560\onefile 648 bytes
c:\windows\TEMP\_av_proI.tm~a03560\setup.lok 0 bytes

scan completed successfully
hidden files: 2

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\1D.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(656)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1340)
c:\windows\system32\WININET.dll
c:\program files\Trusteer\Rapport\bin\rooksbas.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\program files\iTunes\iTunesMiniPlayer.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
c:\program files\MediaMonkey\DeskPlayer.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Sandboxie\SbieSvc.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-12-18 15:36:11 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-18 21:36

Pre-Run: 61,724,545,024 bytes free
Post-Run: 61,841,375,232 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - B7E1001B9CC116FB7B5E42B563BB2FE7

#14 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 18 December 2009 - 07:29 PM

Open Firefox and click Tools -> Add-ons
Select Extensions.
Let me know what you have listed there.


Are you still being redirected now?


========================================================

#15 alternativeflip
  • Topic Starter
  • Members
  • 23 posts

Posted 19 December 2009 - 02:14 PM

Java Quick Starter 1.0

Microsoft .NET Framework Assistant 1.1

NoScript 1.9.9.27

WOT 20091028

I am no longer being redirected to sephalo.com, but I am being directed to an iamwired.net page.
