
Persistent Infection - InternetSecurity2010 and Browser Re-directs


65 replies to this topic

#31 David-In-Chicago


Posted 27 December 2009 - 01:43 AM

DDS won't run. DOS window pops open briefly and then I get the Unknown Error - Program Terminating alert.

RSIT did run. Attached are the RSIT log.txt and info.txt reports.

On the positive side... I still have access to Task Manager, there have been no ISO2010 pop ups, *but* the browser redirects are still there. However, I opened three browser windows and it was on my 15th Google result click before it kicked in. I think we have this thing on the run now!

FYI, Combofix still won't kick in.


Edited by David-In-Chicago, 27 December 2009 - 01:49 AM.




#32 thewall


Posted 27 December 2009 - 12:14 PM

I guess you can tell your machine was and still to a point is heavily infected. I would suggest you consider any personal information you have as being compromised. If you have any passwords or use personal banking I strongly suggest you use a clean computer to change them.


SAS and MBAM find quite a bit but looks like we still have a ways to go. Check the following and let's see what we get back. I'm still looking over the RSIT log but I would like to get a return on the ones below.




Go to http://www.virustotal.com/en/indexf.html
Copy the following line into the white textbox:
C:\WINDOWS\ojafowas.dll
Click Send.
Please post the results of this scan to this thread.

Do the same for :

C:\WINDOWS\system32\msaouahn.dll
If I have helped you then please consider donating so I can continue the fight against malware
All donations go directly to the helper

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#33 David-In-Chicago


Posted 27 December 2009 - 02:56 PM

OK, here is the report on the C:\WINDOWS\ojafowas.dll file. The C:\WINDOWS\system32\msaouahn.dll "disappeared" last night. I think (80%) it was after one of the MBAM scans but it may have been earlier. I got a few missing dll alerts and was not diligent in noting all of them. The msaouahn.dll alert that the file is missing or can't be found is the only one that came up when I booted up today.

***********************************
VirusTotalReport
***********************************

File ojafowas.dll received on 2009.12.27 19:39:28 (UTC)


Result: 6/41 (14.64%)


Antivirus Version Last Update Result
a-squared 4.5.0.43 2009.12.27 Trojan.Win32.Hiloti!IK
AhnLab-V3 5.0.0.2 2009.12.26 -
AntiVir 7.9.1.122 2009.12.26 -
Antiy-AVL 2.0.3.7 2009.12.25 -
Authentium 5.2.0.5 2009.12.26 -
Avast 4.8.1351.0 2009.12.27 -
AVG 8.5.0.430 2009.12.27 -
BitDefender 7.2 2009.12.27 -
CAT-QuickHeal 10.00 2009.12.26 -
ClamAV 0.94.1 2009.12.27 -
Comodo 3388 2009.12.27 -
DrWeb 5.0.1.12222 2009.12.27 -
eSafe 7.0.17.0 2009.12.27 -
eTrust-Vet 35.1.7198 2009.12.25 -
F-Prot 4.5.1.85 2009.12.26 -
F-Secure 9.0.15370.0 2009.12.27 Trojan:W32/Hiloti.gen!C
Fortinet 4.0.14.0 2009.12.27 -
GData 19 2009.12.26 -
Ikarus T3.1.1.79.0 2009.12.27 Trojan.Win32.Hiloti
Jiangmin 13.0.900 2009.12.27 -
K7AntiVirus 7.10.931 2009.12.26 -
Kaspersky 7.0.0.125 2009.12.27 -
McAfee 5844 2009.12.27 -
McAfee+Artemis 5844 2009.12.27 -
McAfee-GW-Edition 6.8.5 2009.12.27 -
Microsoft 1.5302 2009.12.26 Trojan:Win32/Hiloti.gen!A
NOD32 4720 2009.12.27 -
Norman 6.04.03 2009.12.27 -
nProtect 2009.1.8.0 2009.12.27 -
Panda 10.0.2.2 2009.12.15 -
PCTools 7.0.3.5 2009.12.27 -
Prevx 3.0 2009.12.27 -
Rising 22.27.06.04 2009.12.27 -
Sophos 4.49.0 2009.12.27 Sus/UnkPack-C
Sunbelt 3.2.1858.2 2009.12.27 -
Symantec 1.4.4.12 2009.12.27 -
TheHacker 6.5.0.3.114 2009.12.27 -
TrendMicro 9.120.0.1004 2009.12.27 -
VBA32 3.12.12.0 2009.12.26 BScope.Trojan.Hiloti
ViRobot 2009.12.26.2109 2009.12.26 -
VirusBuster 5.0.21.0 2009.12.27 -
Additional information
File size: 166400 bytes
MD5...: 7822165cc1d74575775ee843b904729a
SHA1..: 7451dfaeac95e823bd916b5769bb42243a5f1548
SHA256: 66da1edb1aa24457722198ac395b915a791b07380b22eefbaff202b8e9af3f06
ssdeep: 3072:GNyklyieryZXFBr8s5EHA2m8gO85QD185CWmdsIY5dxvrvpy:WyieryZz156gefWjz

PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x48a4
timedatestamp.....: 0x47a4f1a2 (Sat Feb 02 22:41:38 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x2b000 0x15800 7.96 82e1a5cbab430dc6ef244953ca92eb9f
.data 0x2c000 0x13000 0x12800 4.67 fbccaa643f4d8b562ebd8eb4e40e5f9f
.rsrc 0x3f000 0x1000 0x400 3.12 922e06e78caad906dd14e4e8d15f8e71
.reloc 0x40000 0x1000 0x200 1.37 c814f462cb817de72a787b21f95255bf

( 4 imports )
> KERNEL32.dll: CloseHandle, ExitProcess, FindResourceA, GetACP, GetCommandLineA, GetCommandLineW, GetLastError, GetModuleHandleA, GetOEMCP, GetStartupInfoA, HeapAlloc, HeapCreate, HeapReAlloc, IsBadReadPtr, LCMapStringA, MapViewOfFile, MulDiv, MultiByteToWideChar, ResumeThread, RtlUnwind, SetEndOfFile, SetLastError, SetThreadAffinityMask, SetUnhandledExceptionFilter, lstrcmpA
> msvcrt.dll: vswprintf, __p__commode, __set_app_type, _exit, exit, rand, setlocale, __getmainargs
> user32.dll: CreateIconIndirect, SetWindowLongA, SetDlgItemTextA, PostQuitMessage, DeleteMenu, CheckMenuItem
> OLEAUT32.dll: -, -, -, -, -, -, -, -, -, -

( 3 exports )
FindNextCaptureDevice, SelectionBoundsMEUED, SetSetupOpen

RDS...: NSRL Reference Data Set
-
pdfid.: -
sigcheck:
publisher....: eEye Digital Security
copyright....: Copyright 1997-2001 eEye Digital Security
product......: Iris
description..: eCapn DLL
original name: ecapn.dll
internal name: ecapn
file version.: 5.00.13.50
comments.....:
signers......: -
signing date.: -
verified.....: Unsigned

trid..: Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)

*************************************

In checking out the Hiloti Trojan, PC Tools - Spyware Doctor says they can remove it. I have SD on the machine, should I give them a crack at it?

*************************************
Awaiting your direction.

Edited by David-In-Chicago, 27 December 2009 - 03:04 PM.


#34 thewall


Posted 27 December 2009 - 03:13 PM

If you ran RSIT after MBAM and SAS then the file is still on the computer according to the log it generated. Did you run it before you ran the other programs? This is important because it affects how I put the next part together.

#35 David-In-Chicago


Posted 27 December 2009 - 03:32 PM

Per the file date/time stamp on the text files of the reports I did them in this order:

SAS Quick Scan - Generated 12/26/2009 at 09:41 PM

SAS Quick Scan - Generated 12/26/2009 at 10:14 PM

MBAM Full Scan - Yesterday, December 26, 2009, 11:40 PM

RSIT - Today, December 27, 2009, 12:28:43 AM

#36 thewall


Posted 27 December 2009 - 03:40 PM

I understand the time stamps but from what you were saying it sounded as if maybe you had run MBAM again and they had cleaned off the file in question. Just wanted to clear it up.

#37 David-In-Chicago


Posted 27 December 2009 - 03:47 PM

Sorry to create the confusion. I only referenced the time stamps because I'm slightly confused myself with only a 4 hour nap. :(
I forget why I ran the SAS twice but they were back-to-back before MBAM and RSIT.

#38 thewall


Posted 27 December 2009 - 06:23 PM

OK, no problem. I have to put together something so I'll be back a little later with it.

#39 thewall


Posted 27 December 2009 - 08:12 PM

Sorry, I meant to have you check some other files and I didn't put them in. Use the same procedure as in post #32 and check these.

C:\WINDOWS\system32\15350.exe
C:\WINDOWS\system32\6729.exe
C:\WINDOWS\system32\nl-NL

#40 David-In-Chicago


Posted 27 December 2009 - 08:41 PM

Both the WINDOWS\system32\15350.exe and WINDOWS\system32\6729.exe
scans came back with this:
0 bytes size received / Se ha recibido un archivo vacio

The C:\WINDOWS\system32\nl-NL was actually a folder with one file in it. The file was
C:\WINDOWS\system32\nl-NL\OGAAddin.dll.mui and its report is here:

File OGAAddin.dll.mui received on 2009.12.28 01:32:11 (UTC)


Result: 0/41 (0%)


Antivirus Version Last Update Result
a-squared 4.5.0.43 2009.12.28 -
AhnLab-V3 5.0.0.2 2009.12.26 -
AntiVir 7.9.1.122 2009.12.26 -
Antiy-AVL 2.0.3.7 2009.12.25 -
Authentium 5.2.0.5 2009.12.27 -
Avast 4.8.1351.0 2009.12.27 -
AVG 8.5.0.430 2009.12.27 -
BitDefender 7.2 2009.12.28 -
CAT-QuickHeal 10.00 2009.12.26 -
ClamAV 0.94.1 2009.12.28 -
Comodo 3389 2009.12.27 -
DrWeb 5.0.1.12222 2009.12.28 -
eSafe 7.0.17.0 2009.12.27 -
eTrust-Vet 35.1.7198 2009.12.25 -
F-Prot 4.5.1.85 2009.12.27 -
F-Secure 9.0.15370.0 2009.12.28 -
Fortinet 4.0.14.0 2009.12.28 -
GData 19 2009.12.26 -
Ikarus T3.1.1.79.0 2009.12.27 -
Jiangmin 13.0.900 2009.12.27 -
K7AntiVirus 7.10.931 2009.12.26 -
Kaspersky 7.0.0.125 2009.12.28 -
McAfee 5844 2009.12.27 -
McAfee+Artemis 5844 2009.12.27 -
McAfee-GW-Edition 6.8.5 2009.12.27 -
Microsoft 1.5302 2009.12.26 -
NOD32 4720 2009.12.27 -
Norman 6.04.03 2009.12.27 -
nProtect 2009.1.8.0 2009.12.27 -
Panda 10.0.2.2 2009.12.15 -
PCTools 7.0.3.5 2009.12.28 -
Prevx 3.0 2009.12.28 -
Rising 22.27.06.04 2009.12.27 -
Sophos 4.49.0 2009.12.27 -
Sunbelt 3.2.1858.2 2009.12.27 -
Symantec 1.4.4.12 2009.12.28 -
TheHacker 6.5.0.3.114 2009.12.27 -
TrendMicro 9.120.0.1004 2009.12.27 -
VBA32 3.12.12.0 2009.12.26 -
ViRobot 2009.12.26.2109 2009.12.26 -
VirusBuster 5.0.21.0 2009.12.27 -
Additional information
File size: 53248 bytes
MD5...: a18c4a622672c142e6ab940bdf7734b7
SHA1..: d4268db8d9fb85e0b2bc381c7a551a96aa49ab0c
SHA256: 7efdffc05633bdbedf619a01cec457d5e47c6d460ed6092285e768f93ddce2b9
ssdeep: 384:kmGi0JigiC2izZ8Gpox8kFeU9IwispCpH7NWzQJ7jJ57OxDuWw:kmB0z92iLpoxLFe/wiFTjXOVA

PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x0
timedatestamp.....: 0x4a775c8b (Mon Aug 03 21:54:19 2009)
machinetype.......: 0x14c (I386)

( 2 sections )
name viradd virsiz rawdsiz ntrpy md5
.rsrc 0x1000 0xb000 0xb000 4.17 c135f6195eb3bd397f76ac144e2354ee
.reloc 0xc000 0x8 0x1000 0.00 3808644f11ba1ee3cb2b6326fcd2e01a

( 0 imports )

( 0 exports )

RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Generic Win/DOS Executable (49.9%)
DOS Executable Generic (49.8%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
sigcheck:
publisher....: Microsoft Corporation
copyright....: © 1995-2009 Microsoft Corporation
product......: Office Genuine Advantage
description..: Office Genuine Advantage-invoegtoepassing
original name: OGAAddin.dll
internal name: OGAAddin.dll
file version.: 2.0.0048.0
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

******************************
Awaiting further directions...

#41 thewall


Posted 27 December 2009 - 10:07 PM

I can tell I'm running on fumes. Long weekend has made me groggy. Glad you knew to open the folder and check the file out. Seems to be OK. The others we will take off unless you know of something legitimate that created them. Oftentimes 0 bytes is an indication of a Malware file.



We need to execute an OTM script
  • Please download OTM by OldTimer and save it to your desktop.
  • Double click the OTM icon on your desktop.
  • Paste the following code under the Paste Instructions for Items to be Moved area. Do not include the word "Code".
    :Reg
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "tqammy"=-
    "Sfopikazubijaxes"=-
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
    :Files
    C:\WINDOWS\ojafowas.dll
    C:\WINDOWS\system32\msaouahn.dll
    C:\WINDOWS\system32\3548.exe
    C:\WINDOWS\system32\24393.exe
    C:\WINDOWS\system32\31101.exe
    C:\WINDOWS\system32\15006.exe
    C:\WINDOWS\system32\15350.exe
    C:\WINDOWS\system32\24370.exe
    C:\WINDOWS\system32\6729.exe
    C:\WINDOWS\system32\15890.exe
    C:\WINDOWS\system32\23805.exe
    C:\WINDOWS\system32\27446.exe
    C:\WINDOWS\system32\22648.exe
    C:\WINDOWS\system32\19264.exe
    C:\WINDOWS\system32\8942.exe
    C:\WINDOWS\system32\9040.exe
    C:\WINDOWS\system32\30106.exe
    C:\WINDOWS\system32\288.exe
    C:\WINDOWS\system32\1842.exe
    C:\WINDOWS\system32\22190.exe
    C:\WINDOWS\system32\3035.exe
    C:\WINDOWS\system32\12316.exe
    C:\WINDOWS\system32\778.exe
    C:\WINDOWS\system32\27529.exe
    C:\WINDOWS\system32\9741.exe
    C:\WINDOWS\system32\8723.exe
    C:\WINDOWS\system32\12859.exe
    C:\WINDOWS\system32\20037.exe
    C:\WINDOWS\system32\32757.exe
    C:\WINDOWS\system32\32662.exe
    C:\WINDOWS\system32\27644.exe
    C:\WINDOWS\system32\25547.exe
    C:\WINDOWS\system32\6868.exe
    C:\WINDOWS\system32\28253.exe
    C:\WINDOWS\system32\7711.exe
    C:\WINDOWS\system32\15141.exe
    C:\WINDOWS\system32\4664.exe
    C:\WINDOWS\system32\17673.exe
    C:\WINDOWS\system32\30333.exe
    C:\WINDOWS\system32\14771.exe
    C:\WINDOWS\system32\21726.exe
    C:\WINDOWS\system32\5447.exe
    C:\WINDOWS\system32\28145.exe
    C:\WINDOWS\system32\31322.exe
    C:\WINDOWS\system32\23811.exe
    C:\WINDOWS\system32\28703.exe
    C:\WINDOWS\system32\9894.exe
    C:\WINDOWS\system32\17035.exe
    C:\WINDOWS\system32\26299.exe
    C:\WINDOWS\system32\25667.exe
    C:\WINDOWS\system32\19912.exe
    C:\WINDOWS\system32\1869.exe
    C:\WINDOWS\system32\11538.exe
    C:\WINDOWS\system32\19895.exe
    C:\WINDOWS\system32\19718.exe
    C:\WINDOWS\system32\18716.exe
    C:\WINDOWS\system32\17421.exe
    C:\WINDOWS\system32\12382.exe
    C:\WINDOWS\system32\292.exe
    C:\WINDOWS\system32\153.exe
    C:\WINDOWS\system32\3902.exe
    C:\WINDOWS\system32\32391.exe
    C:\WINDOWS\system32\5436.exe
    C:\WINDOWS\system32\4827.exe
    C:\WINDOWS\system32\11942.exe
    C:\WINDOWS\system32\2995.exe
    C:\WINDOWS\system32\491.exe
    C:\WINDOWS\system32\9961.exe
    C:\WINDOWS\system32\23281.exe
    C:\WINDOWS\system32\5705.exe
    C:\WINDOWS\system32\24464.exe
    C:\WINDOWS\system32\26962.exe
    C:\WINDOWS\system32\29358.exe
    C:\WINDOWS\system32\11478.exe
    C:\WINDOWS\system32\15724.exe
    C:\WINDOWS\system32\19169.exe
    C:\WINDOWS\system32\26500.exe
    C:\WINDOWS\system32\18467.exe
    C:\WINDOWS\system32\6334.exe
    C:\cjtrke5hfg108.bat
    C:\WINDOWS\system32\41199921.BAT
    C:\jyjrjnrtm108.bat
    C:\cjtrke5hfg108.bat
    C:\WINDOWS\system32\2051671.BAT
    :Commands
    [EmptyTemp]
    [Reboot]
  • Push the large MoveIt! button.
  • OTM may ask to reboot the machine. Please do so if asked.
  • Copy/Paste the contents under the Results line here in your next reply.
  • If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
Run HijackThis which RSIT should have installed on your Desktop
Click on Do a system scan only.
Place a checkmark next to these lines (if still present).

O4 - HKLM\..\Run: [Sfopikazubijaxes] rundll32.exe "C:\WINDOWS\ojafowas.dll",Startup
O4 - HKUS\S-1-5-18\..\Run: [ygua8e7yhuiesfha876yfauy8fe] C:\WINDOWS\TEMP\r1em5lc.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [asg984jgkfmgasi8ug98jgkfgfb] C:\WINDOWS\TEMP\system.exe (User 'SYSTEM')



Then close all windows except HijackThis and click Fix Checked.

Restart




Open MBAM, update it and run another Quick Scan. If it finds anything please post the log it produces.




Run RSIT once again and attach the log.txt it generates.
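A small Python triage helper, added here as an example and not code from OTM, HijackThis or anyone in this thread. It decodes the hex(7) value the OTM :Reg section above writes for LSA "Notification Packages" and reports any package beyond the stock ones (a classic password-filter persistence spot), and it parses HijackThis O4 lines like the three above, flagging autoruns in a Temp folder, entries in the SYSTEM account's hive, rundll32 loading a DLL from outside system32, and random-looking entry names. The scecli/rassfm allowlist and the C:\WINDOWS system root are assumptions.

```python
"""Triage helpers for two artifacts from this thread (added example, not
OTM or HijackThis code): the hex(7) registry value the OTM :Reg section
writes for LSA "Notification Packages", and HijackThis O4 autorun lines."""
import re

# Assumption: packages Windows itself registers under Lsa\Notification
# Packages.  scecli is standard; rassfm shows up on domain controllers.
EXPECTED_LSA_PACKAGES = {"scecli", "rassfm"}

# Assumption: default XP system root, as on the machine in this thread.
SYSTEM32 = "c:\\windows\\system32\\"

HEX7_RE = re.compile(r'^"(?P<name>[^"]+)"=hex\(7\):(?P<data>[0-9a-fA-F,\\\s]*)$')
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+(?:\\S-[\d-]+)?)\\\.\.\\(?P<key>\w+): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)


def decode_hex7(data: str) -> list[str]:
    """Decode a .reg-style hex(7) (REG_MULTI_SZ) byte list into strings.

    OTM wrote one byte per character (73,63,65,63,6c,69 = "scecli");
    regedit exports use UTF-16LE.  Both end each string with a NUL and
    the list with an extra NUL, so detect the encoding and split on NUL."""
    raw = bytes(int(b, 16) for b in re.split(r"[,\s\\]+", data.strip()) if b)
    if raw and len(raw) % 2 == 0 and raw[1::2].count(0) == len(raw) // 2:
        text = raw.decode("utf-16-le")
    else:
        text = raw.decode("latin-1")
    return [s for s in text.split("\x00") if s]


def unexpected_lsa_packages(reg_line: str) -> list[str]:
    """Entries in a "Notification Packages" hex(7) line beyond the stock set."""
    m = HEX7_RE.match(reg_line.strip())
    if not m or m.group("name") != "Notification Packages":
        raise ValueError("not a Notification Packages hex(7) line")
    return [p for p in decode_hex7(m.group("data"))
            if p.lower() not in EXPECTED_LSA_PACKAGES]


def flag_o4(line: str) -> list[str]:
    """Reasons a HijackThis O4 line deserves a closer look (empty if none)."""
    m = O4_RE.match(line.strip())
    if not m:
        return []
    name, cmd, user, hive = m.group("name", "cmd", "user", "hive")
    reasons = []
    if "\\temp\\" in cmd.lower():
        reasons.append("runs from a Temp directory")
    if hive.upper().startswith("HKUS\\S-1-5-18") or (user or "").upper() == "SYSTEM":
        reasons.append("autorun in the SYSTEM account's hive")
    dll = re.search(r'rundll32(?:\.exe)?\s+"?([^",]+)', cmd, re.I)
    if dll and not dll.group(1).lower().startswith(SYSTEM32):
        reasons.append("rundll32 loads a DLL outside system32: " + dll.group(1))
    if len(name) >= 12 and re.search(r"[a-z]", name, re.I) and re.search(r"\d", name):
        reasons.append("random-looking entry name")
    return reasons


def triage(lines: list[str]) -> dict[str, list[str]]:
    """Map entry name -> reasons for every O4 line that raised a flag."""
    out = {}
    for line in lines:
        m = O4_RE.match(line.strip())
        reasons = flag_o4(line)
        if m and reasons:
            out[m.group("name")] = reasons
    return out


# Sample input: the three lines thewall asked to fix plus one benign Java
# updater entry from the RSIT log, copied from this thread.
SAMPLE_O4_LINES = [
    r'O4 - HKLM\..\Run: [Sfopikazubijaxes] rundll32.exe "C:\WINDOWS\ojafowas.dll",Startup',
    r"O4 - HKUS\S-1-5-18\..\Run: [ygua8e7yhuiesfha876yfauy8fe] C:\WINDOWS\TEMP\r1em5lc.exe (User 'SYSTEM')",
    r"O4 - HKUS\S-1-5-18\..\Run: [asg984jgkfmgasi8ug98jgkfgfb] C:\WINDOWS\TEMP\system.exe (User 'SYSTEM')",
    r'O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"',
]
SAMPLE_REG_LINE = '"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00'

if __name__ == "__main__":
    print("LSA packages beyond stock:", unexpected_lsa_packages(SAMPLE_REG_LINE))
    for entry, why in triage(SAMPLE_O4_LINES).items():
        print(entry, "->", "; ".join(why))
```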

#42 David-In-Chicago


Posted 27 December 2009 - 11:07 PM

OTM ran without incident. Here is the log:

All processes killed
Error: Unable to interpret < > in the current context!
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\tqammy deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\Sfopikazubijaxes deleted successfully.
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\\"Notification Packages"|hex(7):73,63,65,63,6c,69,00,00 /E : value set successfully!
========== FILES ==========
DllUnregisterServer procedure not found in C:\WINDOWS\ojafowas.dll
C:\WINDOWS\ojafowas.dll moved successfully.
File/Folder C:\WINDOWS\system32\msaouahn.dll not found.
C:\WINDOWS\system32\3548.exe moved successfully.
C:\WINDOWS\system32\24393.exe moved successfully.
C:\WINDOWS\system32\31101.exe moved successfully.
C:\WINDOWS\system32\15006.exe moved successfully.
C:\WINDOWS\system32\15350.exe moved successfully.
C:\WINDOWS\system32\24370.exe moved successfully.
C:\WINDOWS\system32\6729.exe moved successfully.
C:\WINDOWS\system32\15890.exe moved successfully.
C:\WINDOWS\system32\23805.exe moved successfully.
C:\WINDOWS\system32\27446.exe moved successfully.
C:\WINDOWS\system32\22648.exe moved successfully.
C:\WINDOWS\system32\19264.exe moved successfully.
C:\WINDOWS\system32\8942.exe moved successfully.
C:\WINDOWS\system32\9040.exe moved successfully.
C:\WINDOWS\system32\30106.exe moved successfully.
C:\WINDOWS\system32\288.exe moved successfully.
C:\WINDOWS\system32\1842.exe moved successfully.
C:\WINDOWS\system32\22190.exe moved successfully.
C:\WINDOWS\system32\3035.exe moved successfully.
C:\WINDOWS\system32\12316.exe moved successfully.
C:\WINDOWS\system32\778.exe moved successfully.
C:\WINDOWS\system32\27529.exe moved successfully.
C:\WINDOWS\system32\9741.exe moved successfully.
C:\WINDOWS\system32\8723.exe moved successfully.
C:\WINDOWS\system32\12859.exe moved successfully.
C:\WINDOWS\system32\20037.exe moved successfully.
C:\WINDOWS\system32\32757.exe moved successfully.
C:\WINDOWS\system32\32662.exe moved successfully.
C:\WINDOWS\system32\27644.exe moved successfully.
C:\WINDOWS\system32\25547.exe moved successfully.
C:\WINDOWS\system32\6868.exe moved successfully.
C:\WINDOWS\system32\28253.exe moved successfully.
C:\WINDOWS\system32\7711.exe moved successfully.
C:\WINDOWS\system32\15141.exe moved successfully.
C:\WINDOWS\system32\4664.exe moved successfully.
C:\WINDOWS\system32\17673.exe moved successfully.
C:\WINDOWS\system32\30333.exe moved successfully.
C:\WINDOWS\system32\14771.exe moved successfully.
C:\WINDOWS\system32\21726.exe moved successfully.
C:\WINDOWS\system32\5447.exe moved successfully.
C:\WINDOWS\system32\28145.exe moved successfully.
C:\WINDOWS\system32\31322.exe moved successfully.
C:\WINDOWS\system32\23811.exe moved successfully.
C:\WINDOWS\system32\28703.exe moved successfully.
C:\WINDOWS\system32\9894.exe moved successfully.
C:\WINDOWS\system32\17035.exe moved successfully.
C:\WINDOWS\system32\26299.exe moved successfully.
C:\WINDOWS\system32\25667.exe moved successfully.
C:\WINDOWS\system32\19912.exe moved successfully.
C:\WINDOWS\system32\1869.exe moved successfully.
C:\WINDOWS\system32\11538.exe moved successfully.
C:\WINDOWS\system32\19895.exe moved successfully.
C:\WINDOWS\system32\19718.exe moved successfully.
C:\WINDOWS\system32\18716.exe moved successfully.
C:\WINDOWS\system32\17421.exe moved successfully.
C:\WINDOWS\system32\12382.exe moved successfully.
C:\WINDOWS\system32\292.exe moved successfully.
C:\WINDOWS\system32\153.exe moved successfully.
C:\WINDOWS\system32\3902.exe moved successfully.
C:\WINDOWS\system32\32391.exe moved successfully.
C:\WINDOWS\system32\5436.exe moved successfully.
C:\WINDOWS\system32\4827.exe moved successfully.
C:\WINDOWS\system32\11942.exe moved successfully.
C:\WINDOWS\system32\2995.exe moved successfully.
C:\WINDOWS\system32\491.exe moved successfully.
C:\WINDOWS\system32\9961.exe moved successfully.
C:\WINDOWS\system32\23281.exe moved successfully.
C:\WINDOWS\system32\5705.exe moved successfully.
C:\WINDOWS\system32\24464.exe moved successfully.
C:\WINDOWS\system32\26962.exe moved successfully.
C:\WINDOWS\system32\29358.exe moved successfully.
C:\WINDOWS\system32\11478.exe moved successfully.
C:\WINDOWS\system32\15724.exe moved successfully.
C:\WINDOWS\system32\19169.exe moved successfully.
C:\WINDOWS\system32\26500.exe moved successfully.
C:\WINDOWS\system32\18467.exe moved successfully.
C:\WINDOWS\system32\6334.exe moved successfully.
C:\cjtrke5hfg108.bat moved successfully.
C:\WINDOWS\system32\41199921.BAT moved successfully.
C:\jyjrjnrtm108.bat moved successfully.
File/Folder C:\cjtrke5hfg108.bat not found.
C:\WINDOWS\system32\2051671.BAT moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 7378568 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: owner
->Temp folder emptied: 4707220 bytes
->Temporary Internet Files folder emptied: 200025820 bytes
->Java cache emptied: 109214392 bytes
->FireFox cache emptied: 6605843 bytes
->Google Chrome cache emptied: 143438386 bytes

User: User

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 324 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 57689076 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 10950376 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 372724 bytes
RecycleBin emptied: 1571083 bytes

Total Files Cleaned = 517.00 mb


OTM by OldTimer - Version 3.1.4.0 log created on 12272009_211808

Files moved on Reboot...

Registry entries deleted on Reboot...

**************************************
On the HiJack Scan I only saw the --- 4 - HKUS\S-1-5-18\..\Run: [ygua8e7yhuiesfha876yfauy8fe] C:\WINDOWS\TEMP\r1em5lc.exe (User 'SYSTEM')--- file, checked it, and cleared out.
I did not see the other two files.

****************************************
Rebooted without incident. First time in a while that there wasn't any alerts popping up in regards to missing dll files. Particularly glad to not see the machine looking for the msaouahn.dll file.

****************************************

MBAM Quick Scan came back clean...

Malwarebytes' Anti-Malware 1.42
Database version: 3442
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/27/2009 9:52:56 PM
mbam-log-2009-12-27 (21-52-56).txt

Scan type: Quick Scan
Objects scanned: 121727
Time elapsed: 9 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

***********************************

RSIT came back with this report:


Logfile of random's system information tool 1.06 (written by random/random)
Run by owner at 2009-12-27 21:53:45
Microsoft Windows XP Professional Service Pack 3
System drive C: has 72 GB (64%) free of 113 GB
Total RAM: 1526 MB (61% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:53:51 PM, on 12/27/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\RINGCE~1\RINGCE~1\RCUI.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
C:\Documents and Settings\owner\Desktop\RSIT.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\HijackThis\owner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [RUNFBI] c:\windows\regedit.exe -s c:\appl.zip\wxpetool\fpp_xp.reg
O4 - HKLM\..\Run: [Reminder] C:\Windows\CREATOR\Remind_XP.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [AutoLogon] regedit.exe /s \appl.zip\WXPetool\logon.reg
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [RCUI] "C:\PROGRA~1\RINGCE~1\RINGCE~1\RCUI.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - S-1-5-18 Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - Global Startup: $McRebootA5E6DEAA56$.lnk = ?
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google AdSense Preview Tool - http://pagead2.googlesyndication.com/pagea...en/preview.html
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: PDFill PDF Editor - {FB858B22-55E2-413f-87F5-30ADC5552151} - C:\Program Files\PlotSoft\PDFill\DownloadPDF.exe
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\owner\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\owner\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=pavilion&pf=laptop
O16 - DPF: Web-Based Email Tools - http://email.secureserver.net/Download.CAB
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (MSN Games Matchmaking) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
O16 - DPF: {2119940C-F1CE-4258-8B96-41ECCA2BB184} (FTUploaderCtlX Control) - http://fototime.com/ftweb/activeX/WebUploadControl.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.8.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - https://wimpro.cce.hp.com/ChatEntry/downloads/sysinfo.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (MSN Games Game Chat) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1220024871875
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games Texas Holdem Poker) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab79352.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...k.cab102118.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Browser Defender Update Service - Threat Expert Ltd. - C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
O23 - Service: Google Update Service (gupdate1c90e972ce72f2e) (gupdate1c90e972ce72f2e) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 12222 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
C:\WINDOWS\tasks\OGALogon.job
C:\WINDOWS\tasks\ptwlioxp.job
C:\WINDOWS\tasks\User_Feed_Synchronization-{4F92F8FE-2F1D-4C5C-94C0-322D7F327481}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{21FA44EF-376D-4D53-9B0F-8A89D3229068} - &Windows Live Toolbar - C:\Program Files\Windows Live\Toolbar\wltcore.dll [2008-12-08 1067352]
{472734EA-242A-422B-ADF8-83D1E48CC825} - PC Tools Browser Guard - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll [2009-11-10 395216]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2008-09-02 185896]
"SynTPStart"=C:\Program Files\Synaptics\SynTP\SynTPStart.exe [2007-09-15 102400]
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2007-09-15 1015808]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-07-06 148888]
"RUNFBI"=c:\windows\regedit.exe [2008-04-13 146432]
"Reminder"=C:\Windows\CREATOR [2007-07-27 201728]
"RecGuard"=C:\Windows\SMINST\RecGuard.exe []
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2009-05-26 413696]
"QPService"=C:\Program Files\HP\QuickPlay\QPService.exe [2006-04-11 102400]
"QlbCtrl"=C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe [2006-03-07 131072]
"Persistence"=C:\WINDOWS\system32\igfxpers.exe [2006-08-14 94208]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2009-07-13 292128]
"ISUSScheduler"=C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [2005-08-11 81920]
"ISUSPM Startup"=C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe [2005-08-11 249856]
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe [2006-08-14 98304]
"hpWirelessAssistant"=C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe [2006-02-15 454656]
"HP Software Update"=C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe [2007-05-08 54840]
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe [2006-08-14 114688]
"High Definition Audio Property Page Shortcut"=C:\WINDOWS\system32\CHDAudPropShortcut.exe [2006-06-02 61952]
"Cpqset"=C:\Program Files\HPQ\Default Settings\cpqset.exe [2006-02-22 40960]
"AutoLogon"=regedit.exe /s \appl.zip\WXPetool\logon.reg []
"ArcSoft Connection Service"=C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe [2009-10-10 203264]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2008-06-12 34672]
"Ad-Watch"=C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe [2009-09-21 520024]
"avgnt"=C:\Program Files\Avira\AntiVir Desktop\avgnt.exe [2009-03-02 209153]
"ISTray"=C:\Program Files\Spyware Doctor\pctsTray.exe [2009-11-18 1243088]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [2009-12-17 2002160]
"RCUI"=C:\PROGRA~1\RINGCE~1\RINGCE~1\RCUI.exe [2009-05-04 479232]
"MsnMsgr"=C:\Program Files\Windows Live\Messenger\msnmsgr.exe [2008-12-02 3882312]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
$McRebootA5E6DEAA56$.lnk - C:\WINDOWS\system32\cmd.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2009-09-03 548352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxdev.dll [2006-08-14 155648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2009-03-10 239496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PEVSystemStart]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MpfService]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\PEVSystemStart]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\procexp90.Sys]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableLUA"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=157
"NoActiveDesktopChanges"=0
"NoSetActiveDesktop"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoActiveDesktopChanges"=
"NoSetActiveDesktop"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\EarthLink TotalAccess\TaskPanl.exe"="C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink"
"C:\WINDOWS\LMI15.tmp\lmi_rescue.exe"="C:\WINDOWS\LMI15.tmp\lmi_rescue.exe:*:Enabled:LogMeIn Rescue"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe"="C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\Program Files\Hp\Digital Imaging\bin\hpqste08.exe"="C:\Program Files\Hp\Digital Imaging\bin\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\Program Files\Hp\Digital Imaging\bin\hpofxm08.exe"="C:\Program Files\Hp\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\Program Files\Hp\Digital Imaging\bin\hposfx08.exe"="C:\Program Files\Hp\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\Program Files\Hp\Digital Imaging\bin\hposid01.exe"="C:\Program Files\Hp\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe"
"C:\Program Files\Hp\Digital Imaging\bin\hpqscnvw.exe"="C:\Program Files\Hp\Digital Imaging\bin\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\Program Files\Hp\Digital Imaging\bin\hpqkygrp.exe"="C:\Program Files\Hp\Digital Imaging\bin\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\Program Files\Hp\Digital Imaging\bin\hpqCopy.exe"="C:\Program Files\Hp\Digital Imaging\bin\hpqCopy.exe:*:Enabled:hpqcopy.exe"
"C:\Program Files\Hp\Digital Imaging\bin\hpfccopy.exe"="C:\Program Files\Hp\Digital Imaging\bin\hpfccopy.exe:*:Enabled:hpfccopy.exe"
"C:\Program Files\Hp\Digital Imaging\bin\hpzwiz01.exe"="C:\Program Files\Hp\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\Program Files\Hp\Digital Imaging\Unload\HpqPhUnl.exe"="C:\Program Files\Hp\Digital Imaging\Unload\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"
"C:\Program Files\Hp\Digital Imaging\Unload\HpqDIA.exe"="C:\Program Files\Hp\Digital Imaging\Unload\HpqDIA.exe:*:Enabled:hpqdia.exe"
"C:\Program Files\Hp\Digital Imaging\bin\hpoews01.exe"="C:\Program Files\Hp\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\Program Files\Hp\Digital Imaging\bin\hpqnrs08.exe"="C:\Program Files\Hp\Digital Imaging\bin\hpqnrs08.exe:*:Enabled:hpqnrs08.exe"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\Documents and Settings\owner\Application Data\Facebook\facebook.exe"="C:\Documents and Settings\owner\Application Data\Facebook\facebook.exe:127.0.0.1/255.255.255.255:Enabled:Facebook"
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe"="C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\Skype\Plugin Manager\skypePM.exe"="C:\Program Files\Skype\Plugin Manager\skypePM.exe:*:Enabled:Skype Extras Manager"
"C:\Program Files\RingCentral\RingCentral Call Controller\RCUI.exe"="C:\Program Files\RingCentral\RingCentral Call Controller\RCUI.exe:*:Enabled:RingCentral Call Controller"
"C:\WINDOWS\Explorer.EXE"="C:\WINDOWS\Explorer.EXE:*:enabled:@shell32.dll,-1"
"C:\Program Files\McAfee\VirusScan\mcvsmap.exe"="C:\Program Files\McAfee\VirusScan\mcvsmap.exe:*:Enabled:mcvsmap"
"C:\WINDOWS\system32\winlogon.exe"="C:\WINDOWS\system32\winlogon.exe:*:Enabled:winlogon"
"C:\WINDOWS\system32\rundll32.exe"="C:\WINDOWS\system32\rundll32.exe:*:Enabled:rundll32"
"C:\WINDOWS\system32\lsass.exe"="C:\WINDOWS\system32\lsass.exe:*:Enabled:lsass"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe"="C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"

======List of files/folders created in the last 1 months======

2009-12-27 21:18:08 ----D---- C:\_OTM
2009-12-27 02:26:36 ----HD---- C:\WINDOWS\system32\GroupPolicy
2009-12-27 00:44:15 ----D---- C:\32788R22FWJFW
2009-12-27 00:25:35 ----D---- C:\rsit
2009-12-26 11:51:33 ----D---- C:\Program Files\ESET
2009-12-25 12:45:23 ----HD---- C:\WINDOWS\PIF
2009-12-24 23:54:02 ----A---- C:\WINDOWS\system32\16827.exe
2009-12-24 23:20:21 ----A---- C:\TDSSKiller.2.1.1_24.12.2009_23.20.21_log.txt
2009-12-24 16:46:01 ----A---- C:\TDSSKiller.2.1.1_24.12.2009_16.46.01_log.txt
2009-12-23 09:12:32 ----D---- C:\Program Files\Trend Micro
2009-12-20 08:36:37 ----A---- C:\WINDOWS\PrimoPDF Uninstall Log.txt
2009-12-19 09:39:07 ----D---- C:\WINDOWS\system32\NtmsData
2009-12-18 14:00:17 ----D---- C:\Program Files\Avira
2009-12-18 14:00:17 ----D---- C:\Documents and Settings\All Users\Application Data\Avira
2009-12-17 18:48:20 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-12-17 17:46:14 ----HDC---- C:\WINDOWS\ie8
2009-12-17 17:42:36 ----HDC---- C:\WINDOWS\$NtUninstallKB971961$
2009-12-17 17:22:58 ----D---- C:\Documents and Settings\owner\Application Data\Office Genuine Advantage
2009-12-17 11:45:16 ----A---- C:\WINDOWS\SGDetectionTool.dll
2009-12-17 11:45:16 ----A---- C:\WINDOWS\PCTBDRes.dll
2009-12-17 11:45:16 ----A---- C:\WINDOWS\PCTBDCore.dll
2009-12-17 11:45:16 ----A---- C:\WINDOWS\BDTSupport.dll
2009-12-17 11:41:34 ----D---- C:\Program Files\Spyware Doctor
2009-12-17 11:41:34 ----D---- C:\Program Files\Common Files\PC Tools
2009-12-17 11:41:34 ----D---- C:\Documents and Settings\owner\Application Data\PC Tools
2009-12-17 11:41:34 ----D---- C:\Documents and Settings\All Users\Application Data\PC Tools
2009-12-17 11:41:14 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2009-12-17 05:14:19 ----A---- C:\WINDOWS\Restart.ini
2009-12-17 04:33:12 ----HDC---- C:\WINDOWS\$NtUninstallKB955759$
2009-12-17 04:32:48 ----D---- C:\WINDOWS\system32\zh-TW
2009-12-17 04:32:48 ----D---- C:\WINDOWS\system32\zh-HK
2009-12-17 04:32:48 ----D---- C:\WINDOWS\system32\tr-TR
2009-12-17 04:32:48 ----D---- C:\WINDOWS\system32\sv-SE
2009-12-17 04:32:48 ----D---- C:\WINDOWS\system32\pt-BR
2009-12-17 04:32:48 ----D---- C:\WINDOWS\system32\nl-NL
2009-12-17 04:32:48 ----D---- C:\WINDOWS\system32\nb-NO
2009-12-17 04:32:48 ----D---- C:\WINDOWS\system32\ko-KR
2009-12-17 04:32:48 ----D---- C:\WINDOWS\system32\it-IT
2009-12-17 04:32:47 ----D---- C:\WINDOWS\system32\he-IL
2009-12-17 04:32:47 ----D---- C:\WINDOWS\system32\fr-FR
2009-12-17 04:32:47 ----D---- C:\WINDOWS\system32\fi-FI
2009-12-17 04:32:47 ----D---- C:\WINDOWS\system32\es-ES
2009-12-17 04:32:47 ----D---- C:\WINDOWS\system32\el-GR
2009-12-17 04:32:47 ----D---- C:\WINDOWS\system32\de-DE
2009-12-17 04:32:47 ----D---- C:\WINDOWS\system32\da-DK
2009-12-17 04:32:47 ----D---- C:\WINDOWS\system32\ar-SA
2009-12-15 20:13:27 ----A---- C:\WINDOWS\system32\igfxres.dll
2009-12-15 14:15:47 ----D---- C:\Documents and Settings\owner\Application Data\Malwarebytes
2009-12-15 14:15:39 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-12-15 08:26:03 ----HDC---- C:\Documents and Settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2009-12-15 06:02:20 ----D---- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2009-12-15 06:02:11 ----D---- C:\Program Files\SUPERAntiSpyware
2009-12-15 06:02:11 ----D---- C:\Documents and Settings\owner\Application Data\SUPERAntiSpyware.com
2009-12-15 05:01:51 ----A---- C:\p2hhr.bat
2009-12-14 17:31:50 ----SHD---- C:\Documents and Settings\owner\Application Data\SystemProc
2009-12-14 17:30:18 ----D---- C:\Documents and Settings\All Users\Application Data\6e8d4c0
2009-12-09 07:44:03 ----HDC---- C:\WINDOWS\$NtUninstallKB970430$
2009-12-09 07:43:29 ----HDC---- C:\WINDOWS\$NtUninstallKB974318$
2009-12-09 07:41:49 ----HDC---- C:\WINDOWS\$NtUninstallKB973904$
2009-12-09 07:41:41 ----HDC---- C:\WINDOWS\$NtUninstallKB974392$
2009-12-09 07:41:25 ----HDC---- C:\WINDOWS\$NtUninstallKB971737$
2009-12-06 07:07:21 ----D---- C:\swsetup

======List of files/folders modified in the last 1 months======

2009-12-27 21:53:48 ----D---- C:\WINDOWS\temp
2009-12-27 21:40:01 ----D---- C:\WINDOWS\system32\CatRoot2
2009-12-27 21:39:56 ----D---- C:\WINDOWS\system32
2009-12-27 21:39:53 ----A---- C:\hpqp.ini
2009-12-27 21:38:56 ----A---- C:\XP_TV.ini
2009-12-27 21:37:02 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-12-27 21:20:53 ----D---- C:\WINDOWS
2009-12-27 21:01:45 ----D---- C:\WINDOWS\Prefetch
2009-12-27 02:32:38 ----D---- C:\WINDOWS\system32\config
2009-12-27 02:32:04 ----D---- C:\WINDOWS\system32\wbem
2009-12-27 02:32:03 ----D---- C:\WINDOWS\Registration
2009-12-27 02:31:12 ----D---- C:\WINDOWS\system32\Restore
2009-12-27 02:29:20 ----SHD---- C:\System Volume Information
2009-12-26 23:44:22 ----RSD---- C:\WINDOWS\Fonts
2009-12-26 23:44:22 ----D---- C:\WINDOWS\system32\drivers
2009-12-26 21:48:22 ----D---- C:\Program Files
2009-12-26 11:51:36 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-12-26 11:00:45 ----SD---- C:\WINDOWS\Tasks
2009-12-25 19:38:18 ----D---- C:\Documents and Settings\owner\Application Data\Move Networks
2009-12-25 12:04:32 ----D---- C:\WINDOWS\Minidump
2009-12-24 14:37:20 ----D---- C:\Documents and Settings\All Users\Application Data\McAfee
2009-12-24 14:37:17 ----D---- C:\Program Files\Common Files
2009-12-24 09:52:06 ----RSHD---- C:\WINDOWS\system32\dllcache
2009-12-22 17:11:07 ----HD---- C:\Config.Msi
2009-12-20 08:42:33 ----D---- C:\Program Files\IrfanView
2009-12-20 08:42:05 ----SHD---- C:\WINDOWS\Installer
2009-12-20 08:42:05 ----D---- C:\Program Files\LegacyQQP_v_7.0.0
2009-12-20 08:41:50 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2009-12-20 08:40:43 ----D---- C:\Program Files\Common Files\Microsoft Shared
2009-12-20 08:36:22 ----D---- C:\Program Files\Google
2009-12-20 08:35:13 ----D---- C:\Documents and Settings\All Users\Application Data\Skype
2009-12-20 08:34:17 ----D---- C:\Program Files\V CAST Music with Rhapsody
2009-12-20 08:23:45 ----D---- C:\Documents and Settings\owner\Application Data\HpUpdate
2009-12-20 08:21:35 ----D---- C:\Documents and Settings\owner\Application Data\skypePM
2009-12-20 08:13:43 ----D---- C:\WINDOWS\java
2009-12-19 22:15:34 ----D---- C:\Documents and Settings\All Users\Application Data\Google
2009-12-19 22:05:01 ----D---- C:\Program Files\Free FLV to AVI MP4 3GP WMV MP3 Converter
2009-12-19 22:03:58 ----HD---- C:\Program Files\InstallShield Installation Information
2009-12-19 22:03:56 ----D---- C:\Documents and Settings\owner\Application Data\FUJIFILM
2009-12-19 22:03:23 ----D---- C:\Documents and Settings\All Users\Application Data\eTakeoffProjects
2009-12-19 22:02:09 ----D---- C:\Program Files\Coupons
2009-12-19 21:23:28 ----D---- C:\Documents and Settings\owner\Application Data\Autodesk
2009-12-19 21:20:35 ----D---- C:\Program Files\ArcSoft
2009-12-19 21:15:57 ----DC---- C:\WINDOWS\system32\DRVSTORE
2009-12-19 21:15:56 ----HD---- C:\WINDOWS\inf
2009-12-19 21:15:45 ----D---- C:\Program Files\Common Files\Apple
2009-12-19 21:14:23 ----D---- C:\Program Files\AdvantageQQP
2009-12-19 21:13:23 ----D---- C:\Program Files\_uninstallation_info
2009-12-19 21:10:30 ----RSD---- C:\WINDOWS\assembly
2009-12-19 10:02:13 ----D---- C:\Program Files\iPod
2009-12-19 10:01:13 ----D---- C:\Program Files\Mozilla Firefox
2009-12-19 09:39:06 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2009-12-18 17:29:13 ----D---- C:\WINDOWS\system32\CatRoot
2009-12-18 17:29:09 ----D---- C:\WINDOWS\ie8updates
2009-12-18 13:57:58 ----D---- C:\WINDOWS\WinSxS
2009-12-18 07:29:39 ----D---- C:\WINDOWS\Sun
2009-12-17 18:36:20 ----N---- C:\WINDOWS\win.ini
2009-12-17 18:36:20 ----N---- C:\WINDOWS\system.ini
2009-12-17 18:36:20 ----ASH---- C:\boot.ini
2009-12-17 18:05:01 ----D---- C:\WINDOWS\system32\en-US
2009-12-17 18:05:00 ----D---- C:\WINDOWS\Media
2009-12-17 18:05:00 ----D---- C:\WINDOWS\Help
2009-12-17 18:05:00 ----D---- C:\Program Files\Internet Explorer
2009-12-17 17:53:24 ----A---- C:\WINDOWS\imsins.BAK
2009-12-17 17:52:43 ----HD---- C:\WINDOWS\$hf_mig$
2009-12-17 17:43:02 ----D---- C:\WINDOWS\ie7updates
2009-12-17 06:52:36 ----HDC---- C:\WINDOWS\$NtUninstallKB958869$
2009-12-17 05:14:19 ----A---- C:\WINDOWS\rprtvwr.ini
2009-12-17 04:37:34 ----D---- C:\WINDOWS\AppPatch
2009-12-17 04:05:33 ----D---- C:\WINDOWS\Connection Wizard
2009-12-16 19:58:42 ----D---- C:\WINDOWS\Cache
2009-12-16 19:58:35 ----RD---- C:\WINDOWS\Web
2009-12-16 19:31:52 ----D---- C:\Program Files\Conduit
2009-12-15 20:06:57 ----HDC---- C:\WINDOWS\$NtUninstallKB961373$
2009-12-15 14:31:21 ----HDC---- C:\WINDOWS\$NtUninstallKB971633$
2009-12-15 06:37:47 ----A---- C:\WINDOWS\IE4 Error Log.txt
2009-12-09 09:13:41 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-12-06 07:08:43 ----D---- C:\WINDOWS\system32\ReinstallBackups
2009-12-02 03:52:38 ----A---- C:\WINDOWS\ODBC.INI
2009-12-02 03:50:32 ----D---- C:\Program Files\Microsoft Works

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 avgio;avgio; \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys []
R1 avipbb;avipbb; C:\WINDOWS\system32\DRIVERS\avipbb.sys [2009-03-30 96104]
R1 eabfiltr;eabfiltr; C:\WINDOWS\system32\DRIVERS\eabfiltr.sys [2005-09-19 7808]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
R1 ssmdrv;ssmdrv; C:\WINDOWS\system32\DRIVERS\ssmdrv.sys [2009-05-11 28520]
R1 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\WINDOWS\system32\DRIVERS\wmiacpi.sys [2008-04-13 8832]
R2 avgntflt;avgntflt; C:\WINDOWS\system32\DRIVERS\avgntflt.sys [2009-12-19 56816]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2006-02-15 12672]
R2 Sentinel;Sentinel; C:\WINDOWS\System32\Drivers\SENTINEL.SYS [2007-04-27 90688]
R3 Afc;PPdus ASPI Shell; C:\WINDOWS\system32\drivers\Afc.sys [2006-11-10 18688]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2008-04-13 13952]
R3 E100B;Intel® PRO Network Connection Driver; C:\WINDOWS\system32\DRIVERS\e100b325.sys [2007-11-16 165496]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2009-03-19 23400]
R3 HBtnKey;HBtnKey; C:\WINDOWS\system32\DRIVERS\cpqbttn.sys [2008-04-28 9344]
R3 HdAudAddService;Microsoft UAA Function Driver for High Definition Audio Service; C:\WINDOWS\system32\drivers\CHDAud.sys [2007-05-01 630272]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 HSF_DPV;HSF_DPV; C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys [2005-08-22 1035008]
R3 HSFHWAZL;HSFHWAZL; C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys [2005-08-22 201600]
R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\igxpmp32.sys [2006-08-14 1109568]
R3 NETw5x32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows XP 32 Bit; C:\WINDOWS\system32\DRIVERS\NETw5x32.sys [2008-11-17 3636864]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
R3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
R3 sdbus;sdbus; C:\WINDOWS\system32\DRIVERS\sdbus.sys [2008-04-13 79232]
R3 SynTP;Synaptics TouchPad Driver; C:\WINDOWS\system32\DRIVERS\SynTP.sys [2007-09-15 213696]
R3 tifm21;tifm21; C:\WINDOWS\system32\drivers\tifm21.sys [2006-07-06 168448]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2005-08-22 718464]
S2 MCSTRM;MCSTRM; C:\WINDOWS\system32\drivers\MCSTRM.sys []
S3 ARCSOFTVIRTUALCAPTURE;Magic-i Virtual Driver; C:\WINDOWS\system32\DRIVERS\ArcSoftVirtualCapture.sys [2007-07-02 15616]
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-13 17024]
S3 eabusb;eabusb; C:\WINDOWS\system32\DRIVERS\eabusb.sys [2005-09-19 5760]
S3 FBIKB_NT;FBIKB_NT; \??\C:\WINDOWS\system32\Drivers\FBIKB_NT.Sys []
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
S3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2006-01-31 49664]
S3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2006-01-31 16496]
S3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2006-01-31 21568]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-13 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-13 85248]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-13 10880]
S3 NPF;Netgroup Packet Filter; C:\WINDOWS\system32\drivers\npf.sys []
S3 NuidFltr;NUID filter driver; C:\WINDOWS\system32\DRIVERS\NuidFltr.sys [2009-05-09 14736]
S3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\RTL8139.SYS [2004-08-04 20992]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-13 11136]
S3 SNTNLUSB;SafeNet USB SuperPro/UltraPro/HardwareKey; C:\WINDOWS\system32\DRIVERS\SNTNLUSB.SYS [2007-04-27 35328]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-13 15232]
S3 STV680;USB Dual-mode Camera; C:\WINDOWS\system32\drivers\STV680.sys [2002-02-11 119536]
S3 STV680m;USB Dual-mode Cameram; C:\WINDOWS\system32\drivers\STV680m.sys [2002-02-11 9024]
S3 SymIM;Symantec Network Security Intermediate Filter Service; C:\WINDOWS\system32\DRIVERS\SymIM.sys []
S3 SymIMMP;SymIMMP; C:\WINDOWS\system32\DRIVERS\SymIM.sys []
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys []
S3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2008-04-13 60032]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 usbvideo;USB Video Device (WDM); C:\WINDOWS\System32\Drivers\usbvideo.sys [2008-04-13 121984]
S3 UXDCMN;UXDCMN; \??\D:\UXDCMN.SYS []
S3 w39n51;Intel® PRO/Wireless 3945ABG Adapter Driver; C:\WINDOWS\system32\DRIVERS\w39n51.sys [2006-03-14 1428480]
S3 Wdf01000;Wdf01000; C:\WINDOWS\system32\DRIVERS\Wdf01000.sys [2006-11-02 492000]
S3 WpdUsb;WpdUsb; C:\WINDOWS\system32\DRIVERS\wpdusb.sys [2006-10-18 38528]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-13 19200]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 agp440;Intel AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agp440.sys [2008-04-13 42368]
S4 agpCPQ;Compaq AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agpCPQ.sys [2008-04-13 44928]
S4 alim1541;ALI AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\alim1541.sys [2008-04-13 42752]
S4 amdagp;AMD AGP Bus Filter Driver; C:\WINDOWS\system32\DRIVERS\amdagp.sys [2008-04-13 43008]
S4 cbidf;cbidf; C:\WINDOWS\system32\DRIVERS\cbidf2k.sys [2001-08-18 13952]
S4 sisagp;SIS AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\sisagp.sys [2008-04-13 40960]
S4 viaagp;VIA AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\viaagp.sys [2008-04-13 42240]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 ACDaemon;ArcSoft Connect Daemon; C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [2009-09-28 109056]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler; C:\Program Files\Avira\AntiVir Desktop\sched.exe [2009-05-13 108289]
R2 AntiVirService;Avira AntiVir Guard; C:\Program Files\Avira\AntiVir Desktop\avguard.exe [2009-07-21 185089]
R2 Browser Defender Update Service;Browser Defender Update Service; C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe [2009-11-10 112592]
R2 hpqwmiex;hpqwmiex; C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe [2006-03-15 135168]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-07-06 152984]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe [2009-09-21 1028432]
R2 LightScribeService;LightScribeService Direct Disc Labeling Service; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [2006-02-17 73728]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120]
R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2007-08-09 73728]
R2 sdAuxService;PC Tools Auxiliary Service; C:\Program Files\Spyware Doctor\pctsAuxs.exe [2009-10-30 359624]
R2 sdCoreService;PC Tools Security Service; C:\Program Files\Spyware Doctor\pctsSvc.exe [2009-11-06 1141712]
R2 SeaPort;SeaPort; C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe [2009-05-19 240512]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2009-07-13 542496]
S2 gupdate1c90e972ce72f2e;Google Update Service (gupdate1c90e972ce72f2e); C:\Program Files\Google\Update\GoogleUpdate.exe [2008-09-04 133104]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 idsvc;Windows CardSpace; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------

********************************************
Out for now.
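
The RSIT driver and service listing above has a regular shape (`<state><start> <name>;<display>; <path> [<date> <size>]`, with the state and start-type codes explained in the section header), and several of its entries show an empty `[]`, meaning RSIT could not read the file it points at. Below is an added triage helper, written for this page and not part of RSIT or of anyone's post in this thread, that parses lines in that format and lists the registrations a helper would want to look at: entries with no file metadata and entries whose image sits on a volume other than the system drive (the `C:` assumption is this example's, taken from the log's own paths). The sample input is a constructed subset of the log lines above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a few lines copied from the RSIT log above so the parser
# can be exercised offline. Real use would read the whole log.txt instead.
SAMPLE_LOG = r"""
R3 sdbus;sdbus; C:\WINDOWS\system32\DRIVERS\sdbus.sys [2008-04-13 79232]
R3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
S2 MCSTRM;MCSTRM; C:\WINDOWS\system32\drivers\MCSTRM.sys []
S3 UXDCMN;UXDCMN; \??\D:\UXDCMN.SYS []
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
S4 viaagp;VIA AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\viaagp.sys [2008-04-13 42240]
"""

# One RSIT line: <state><start> <name>;<display>; <path> [<date> <size>]
# state: R=Running, S=Stopped; start: 0=Boot 1=System 2=Auto 3=Demand 4=Disabled
LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4]) "
    r"(?P<name>[^;]*);(?P<display>[^;]*); "
    r"(?P<path>.*?) \[(?P<meta>[^\]]*)\]$"
)

START_TYPES = {"0": "Boot", "1": "System", "2": "Auto", "3": "Demand", "4": "Disabled"}

# Assumption for this example: the Windows installation lives on C:, as every
# system path in the log above does.
SYSTEM_DRIVE = "C:"


@dataclass
class Entry:
    running: bool
    start_type: str
    name: str
    display: str
    path: str
    file_date: Optional[str]   # None when RSIT printed an empty "[]"
    file_size: Optional[int]


def parse_rsit(text: str) -> List[Entry]:
    """Parse RSIT driver/service lines; headers, blanks and other text are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        meta = m.group("meta").split()          # [] or ["YYYY-MM-DD", "size"]
        entries.append(Entry(
            running=m.group("state") == "R",
            start_type=START_TYPES[m.group("start")],
            name=m.group("name"),
            display=m.group("display"),
            path=m.group("path"),
            file_date=meta[0] if len(meta) == 2 else None,
            file_size=int(meta[1]) if len(meta) == 2 else None,
        ))
    return entries


def triage(entries: List[Entry]) -> Dict[str, List[str]]:
    """Return {name: [reasons]} for registrations that deserve a manual look."""
    findings: Dict[str, List[str]] = {}
    for e in entries:
        reasons: List[str] = []
        # An empty [] means RSIT could not stat the file: either a stale
        # registration for a file that is gone, or a file the tool could not
        # read. Both are worth checking during a cleanup.
        if e.file_date is None:
            reasons.append("no file metadata (file missing or unreadable)")
        # Some registrations carry the NT object-manager prefix; strip it
        # before looking at the drive letter.
        plain = e.path[4:] if e.path.startswith("\\??\\") else e.path
        drive = plain[:2].upper()
        if drive != SYSTEM_DRIVE:
            reasons.append(f"image on non-system volume {drive}")
        if reasons:
            findings[e.name] = reasons
    return findings


if __name__ == "__main__":
    for name, why in triage(parse_rsit(SAMPLE_LOG)).items():
        print(f"{name}: {'; '.join(why)}")
```

Run against the full log, the same two checks would single out the `[]` entries (SASENUM, MCSTRM, FBIKB_NT, NPF, SymIM, SymIMMP, USBAAPL and UXDCMN) and, among them, UXDCMN as the only one whose image is registered on `D:`; the output is a list to investigate, not a verdict, since legitimate software leaves orphaned driver registrations behind too.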

#43 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 27 December 2009 - 11:27 PM

Sounds like we got some more of it. That should have gotten rid of the redirection problem. Is it gone now, and are you experiencing any other issues?
If I have helped you then please consider donating so I can continue the fight against malware
All donations go directly to the helper

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#44 David-In-Chicago

David-In-Chicago
  • Topic Starter
  • Members
  • 38 posts

Posted 28 December 2009 - 01:35 AM

I haven't had the ISO2010 fake warning popups when I'm offline. I've been online for a few minutes and haven't had the slew of popups. I did have one but it might have been associated with a foreign news website I was on.
I still don't have the ability to Safe Boot. There is a BSOD that flashes way too briefly to ascertain what it calls out as the cause. I get to the selection screen for a safe boot option, but no matter if I select Safe Mode straight up, Network, or Command line, it all starts to run - scrolling files - then wham - BSOD flashes for the briefest second and it goes back to the main selection screen for Normal vs Safe mode.
Leaves me feeling like something is still lurking deep in the system. Much, much better, but not feeling completely well.

#45 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 28 December 2009 - 09:05 AM

Try the following:


We Need to Repair Safe Mode
  • Please download Safe Boot Key Repair and save it to your desktop.
  • Open the downloaded Safe Boot Key Repair file on your desktop.
  • Copy and paste the resultant log here in your next reply.
