Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Getting Clean - Virus Removal


  • This topic is locked This topic is locked
9 replies to this topic

#1 FraggleRockRyan

FraggleRockRyan

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:10:59 AM

Posted 05 January 2010 - 10:03 PM

All - first a quick note to say how much it is great that there are armies of "good guys" like you willing to help people out. I feel somewhat shy signing up and my first post asking for help, but I suppose that happens a lot around here. Anyways, I appreciate it.

My (humble) request is to ask if someone could scan the HJT log below and see if I'm now clean. I have searched this (and other) sites to gain as much info as I can. I'm fairly tech saavy, and have had a virus or two in years past, but these past few days have made me feel downright unclean, if you know what I mean. I spent hours and hours 3 days back cleaning my wife's computer of viruses, and re-checking everything. I thought I was done, until I got a form email from Comcast that they were shutting down my port 25 (email default) for spam. Ugh, just freaks me out that other people were using my computer(s) for their dirty deeds. Enough exposition and "woe is me", and on to the gritty details:

Windows XP Home SP3, Fully Patched, Behind 2wire Router (wired), Running AVG (free) and Windows Defender.

Sorry I'm lite on the details for this first part, I did not write everything down at first, my mistake. An unknown "Security" program showed up in the tray and started pushing pop ups. I booted into safe mode. Found 2 strange programs in my startup (msconfig), and one of the Security services had been disabled, whereby the XP "Security Center" no longer showed an antivirus option and was missing other details. Used CCleaner to clean cookies, startup, and registry. Reboot into safe mode again and ran full scan (with AVG). Found:
  • ...local settings{lots of characters}application datachromecontentoverlay.xul "Virus found JS/Redir"
  • c:windowstemp~TM231.tmp "Trojan Horse Sheur2.CDHB"
Used a combination of CCleaner, AVG, Windows Defender, and rebooting to finally clean everything. Got the Security Center service re-enabled, startup programs were clean, AVG ran clear, Windows Defender ran clear, thought I was good to go.

Next night's scan reveals:
  • two more overlay.xul (under two different users application data directory)
  • C:windowssr882388.exe
Now I'm back to not finding anything else, but I don't trust myself, my methods, or anything now. Below is a HijackThis log.

Thank you for any advice.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:49:06 PM, on 1/5/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:WINDOWSSystem32smss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32services.exe
C:WINDOWSsystem32lsass.exe
C:WINDOWSsystem32Ati2evxx.exe
C:WINDOWSsystem32svchost.exe
C:Program FilesWindows DefenderMsMpEng.exe
C:WINDOWSSystem32svchost.exe
C:WINDOWSsystem32Ati2evxx.exe
C:WINDOWSExplorer.EXE
C:WINDOWSsystem32spoolsv.exe
C:Program FilesLexmark 3500-4500 Serieslxdimon.exe
C:Program FilesLexmark 3500-4500 Serieslxdiamon.exe
C:PROGRA~1AVGAVG8avgtray.exe
C:Program FilesMicrosoft IntelliType Proitype.exe
C:Program FilesiTunesiTunesHelper.exe
C:Program FilesSeagateSeagateManagerFreeAgent StatusStxMenuMgr.exe
C:Program FilesATI TechnologiesATI.ACECore-StaticMOM.EXE
C:Program FilesWindows DefenderMSASCui.exe
C:WINDOWSsystem32ctfmon.exe
C:Program FilesLogitechSetPointSetPoint.exe
C:Program FilesCommon FilesAppleMobile Device SupportbinAppleMobileDeviceService.exe
C:PROGRA~1AVGAVG8avgwdsvc.exe
C:Program FilesBonjourmDNSResponder.exe
C:Program FilesSeagateSeagateManagerSyncFreeAgentService.exe
C:WINDOWSSystem32spoolDRIVERSW32X863lxdiserv.exe
C:Program FilesCommon FilesLogishrdKHAL2KHALMNPR.EXE
C:Program FilesATI TechnologiesATI.ACECore-Staticccc.exe
C:WINDOWSsystem32lxdicoms.exe
C:WINDOWSsystem32svchost.exe
C:PROGRA~1AVGAVG8avgrsx.exe
C:PROGRA~1AVGAVG8avgnsx.exe
C:Program FilesiPodbiniPodService.exe
C:Program FilesAVGAVG8avgui.exe
C:Program FilesAVGAVG8avgscanx.exe
C:Program FilesAVGAVG8avgcsrvx.exe
C:Program FilesAVGAVG8avgscanx.exe
C:Program FilesAVGAVG8avgcsrvx.exe
C:Documents and SettingsPattiDesktopHijackThis.exe
C:Documents and SettingsPattiLocal SettingsApplication DataGoogleChromeApplicationchrome.exe
C:Documents and SettingsPattiLocal SettingsApplication DataGoogleChromeApplicationchrome.exe
C:Documents and SettingsPattiLocal SettingsApplication DataGoogleChromeApplicationchrome.exe

R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLMSoftwareMicrosoftInternet ExplorerMain,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCUSoftwareMicrosoftWindowsCurrentVersionInternet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:Program FilesCommon FilesAdobeAcrobatActiveXAcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:Program FilesAVGAVG8avgssie.dll
O4 - HKLM..Run: [lxdimon.exe] "C:Program FilesLexmark 3500-4500 Serieslxdimon.exe"
O4 - HKLM..Run: [lxdiamon] "C:Program FilesLexmark 3500-4500 Serieslxdiamon.exe"
O4 - HKLM..Run: [AVG8_TRAY] C:PROGRA~1AVGAVG8avgtray.exe
O4 - HKLM..Run: [itype] "C:Program FilesMicrosoft IntelliType Proitype.exe"
O4 - HKLM..Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM..Run: [QuickTime Task] "C:Program FilesQuickTimeQTTask.exe" -atboottime
O4 - HKLM..Run: [iTunesHelper] "C:Program FilesiTunesiTunesHelper.exe"
O4 - HKLM..Run: [StartCCC] C:Program FilesATI TechnologiesATI.ACECore-StaticCLIStart.exe
O4 - HKLM..Run: [Adobe Reader Speed Launcher] "C:Program FilesAdobeReader 9.0ReaderReader_sl.exe"
O4 - HKLM..Run: [Adobe ARM] "C:Program FilesCommon FilesAdobeARM1.0AdobeARM.exe"
O4 - HKLM..Run: [MaxMenuMgr] "C:Program FilesSeagateSeagateManagerFreeAgent StatusStxMenuMgr.exe"
O4 - HKLM..Run: [Windows Defender] "C:Program FilesWindows DefenderMSASCui.exe" -hide
O4 - HKCU..Run: [Google Update] "C:Documents and SettingsPattiLocal SettingsApplication DataGoogleUpdateGoogleUpdate.exe" /c
O4 - HKCU..Run: [ctfmon.exe] C:WINDOWSsystem32ctfmon.exe
O4 - HKUSS-1-5-19..RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUSS-1-5-20..RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUSS-1-5-18..RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS.DEFAULT..RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Global Startup: Logitech SetPoint.lnk = C:Program FilesLogitechSetPointSetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:PROGRA~1MICROS~3Office12EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:PROGRA~1MICROS~3Office12REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:WINDOWSNetwork Diagnosticxpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:WINDOWSNetwork Diagnosticxpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengermsmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengermsmsgs.exe (file missing)
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:Program FilesAVGAVG8avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:WINDOWSSYSTEM32avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:Program FilesCommon FilesAppleMobile Device SupportbinAppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:WINDOWSsystem32Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:WINDOWSsystem32ati2sgag.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:PROGRA~1AVGAVG8avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:Program FilesBonjourmDNSResponder.exe
O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:Program FilesSeagateSeagateManagerSyncFreeAgentService.exe
O23 - Service: iPod Service - Apple Inc. - C:Program FilesiPodbiniPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:Program FilesCommon FilesLogishrdBluetoothLBTServ.exe
O23 - Service: lxdiCATSCustConnectService - Lexmark International, Inc. - C:WINDOWSSystem32spoolDRIVERSW32X863lxdiserv.exe
O23 - Service: lxdi_device - - C:WINDOWSsystem32lxdicoms.exe

--
End of file - 6945 bytes

One more strange behavior, the first time I accessed my (2wire) router (via browser) after discovering these viruses, it immediately rebooted on me, all by itself. It has never done that before. After that it appeared fine. I do not (and never have) had the default password enabled on it. Thanks!

Edited by garmanma, 05 January 2010 - 11:13 PM.


BC AdBot (Login to Remove)

 


#2 FraggleRockRyan

FraggleRockRyan
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:10:59 AM

Posted 06 January 2010 - 08:49 PM

Edit: Uploaded Attach.txt from DDS, and DDS.txt contents pasted below. Running RootRepeal consistently auto-reboots the computer.

One more symptom appeared today (note: I apologize this bumps the post and it's not my intention - I realize you guys are swamped and doing the best you can, and it is appreciated):
Windows Defender this morning caught (and automatically allowed as it didn't know what it was):
regkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\Axoxat
runkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\Axoxat
file: C:\WINDOWS\unahuyag.dll
And this is now in my startup:
Program: Axoxat
rundll32.exe "C:\windows\unahuyag.dll",Startup

thank you!


DDS (Ver_09-12-01.01) - NTFSx86
Run by Patti at 21:03:18.00 on Wed 01/06/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1535.966 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdiserv.exe
C:\WINDOWS\system32\lxdicoms.exe
C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe
C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Patti\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
uRun: [Google Update] "c:\documents and settings\patti\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [lxdimon.exe] "c:\program files\lexmark 3500-4500 series\lxdimon.exe"
mRun: [lxdiamon] "c:\program files\lexmark 3500-4500 series\lxdiamon.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [StartCCC] c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [Axoxat] rundll32.exe "c:\windows\unahuyag.dll",Startup
dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
LSA: Notification Packages = scecli kbctog.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\patti\applic~1\mozilla\firefox\profiles\j0nc36vq.default\
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\patti\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {184FC9BE-23FD-44CF-858C-32ACE0186C5C} - c:\documents and settings\administrator\local settings\application data\{184fc9be-23fd-44cf-858c-32ace0186c5c}\
FF - HiddenExtension: XULRunner: {421D525E-C40A-4DD9-BCE8-C15D0F0CC179} - c:\documents and settings\patti\local settings\application data\{421D525E-C40A-4DD9-BCE8-C15D0F0CC179}
FF - HiddenExtension: XULRunner: {3A57380E-CB6C-46C2-B854-FA9DA1022ADC} - c:\documents and settings\administrator\local settings\application data\{3a57380e-cb6c-46c2-b854-fa9da1022adc}\
FF - HiddenExtension: XULRunner: {892C5245-153E-4157-BFBC-964D44419C64} - c:\documents and settings\patti\local settings\application data\{892C5245-153E-4157-BFBC-964D44419C64}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 Si3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [2009-9-2 116264]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-9-4 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-9-4 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-9-4 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-9-4 297752]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-9-25 189736]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2009-9-4 10384]
R2 lxdi_device;lxdi_device;c:\windows\system32\lxdicoms.exe -service --> c:\windows\system32\lxdicoms.exe -service [?]
R2 lxdiCATSCustConnectService;lxdiCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdiserv.exe [2009-9-4 99248]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]

=============== Created Last 30 ================

2010-01-03 07:13:33 9216 ----a-w- c:\windows\system32\ffnd.exe
2010-01-03 07:04:31 0 d-----w- c:\docume~1\patti\applic~1\FreeFixer
2010-01-03 07:04:23 0 d-----w- c:\program files\FreeFixer
2010-01-03 06:55:16 195456 ------w- c:\windows\system32\MpSigStub.exe
2010-01-03 05:37:59 0 d-----w- c:\windows\pss
2010-01-03 05:34:21 0 ----a-w- c:\windows\Vzidoxewofesed.bin
2010-01-03 05:34:19 120 ----a-w- c:\windows\Cnifeqalux.dat
2010-01-03 05:30:25 763904 ----a-w- c:\windows\system32\drivers\slgcuzx.sys
2010-01-03 05:30:17 0 --sha-w- c:\windows\nvDrv.sy
2010-01-03 05:30:09 28 ----a-w- c:\docume~1\patti\applic~1\fvgqad.dat
2010-01-03 05:29:57 4 ----a-w- c:\docume~1\patti\applic~1\avdrn.dat
2009-12-27 02:39:21 56136 ---ha-w- c:\windows\system32\mlfcache.dat

==================== Find3M ====================

2009-10-29 07:45:38 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll

============= FINISH: 21:03:43.64 ===============

Attached Files


Edited by FraggleRockRyan, 06 January 2010 - 09:14 PM.


#3 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:05:59 PM

Posted 13 January 2010 - 09:16 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
  • Please download OTL from following mirror:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#4 FraggleRockRyan

FraggleRockRyan
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:10:59 AM

Posted 17 January 2010 - 10:29 AM

myrti - thanks your reply, and absolutely understand you guys are swamped. I appreciate the help!

Besides the stuff listed above that I found / did before, the only thing going on now is that
1) VirTool:WinNT/Rootkit.BV is found everyday by my (now Microsoft Security Essentials) Antivirus.
2) Trojan:Win32/Hiloti.gen!D was found yesterday.

I considered trying to load a live OS on disc (BartPE, Ubuntu, etc.) to remove the rootkit files if I could find them, but didn't get BartPE working with my SATA controller to read the drive, and ran out of time. I'll defer to your advice, just know I'm really interested in learning how to deal with this stuff. It's certainly been a punch in the gut to have computer issues in my house that my wife needs help for... and I can't seem to help! :(

OTL.Txt: --------------------------------------------------------------
OTL logfile created on: 1/17/2010 9:21:19 AM - Run 1
OTL by OldTimer - Version 3.1.25.2 Folder = C:\Documents and Settings\Patti\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 64.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 85.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 232.88 Gb Total Space | 220.50 Gb Free Space | 94.69% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 232.88 Gb Total Space | 213.45 Gb Free Space | 91.66% Space Free | Partition Type: NTFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: GALADRIEL
Current User Name: Patti
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/01/17 09:20:34 | 00,547,328 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Patti\Desktop\OTL.exe
PRC - [2009/12/09 18:22:33 | 00,921,072 | ---- | M] (Google Inc.) -- C:\Documents and Settings\Patti\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
PRC - [2009/10/28 20:21:26 | 00,141,600 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe
PRC - [2009/10/28 20:21:14 | 00,545,568 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
PRC - [2009/09/25 23:32:18 | 00,189,736 | ---- | M] (Seagate Technology LLC) -- C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
PRC - [2009/09/25 23:31:32 | 00,185,640 | ---- | M] (Seagate LLC) -- C:\Program Files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe
PRC - [2009/09/13 18:52:50 | 01,048,392 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Essentials\msseces.exe
PRC - [2009/08/28 19:42:54 | 00,144,672 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2009/07/20 11:30:50 | 00,813,584 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Logitech\SetPoint\SetPoint.exe
PRC - [2009/07/10 11:42:32 | 00,055,824 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
PRC - [2009/07/02 17:36:52 | 00,203,800 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Essentials\MpCmdRun.exe
PRC - [2009/07/02 17:36:52 | 00,017,904 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
PRC - [2009/06/01 12:43:46 | 01,501,064 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft IntelliType Pro\itype.exe
PRC - [2008/12/12 11:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2008/04/14 04:42:20 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/07/27 22:21:16 | 00,483,328 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\ati2evxx.exe
PRC - [2007/06/01 10:52:34 | 00,049,152 | ---- | M] (ATI Technologies Inc.) -- C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
PRC - [2007/06/01 10:52:10 | 00,049,152 | ---- | M] (Advanced Micro Devices Inc.) -- C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
PRC - [2007/05/07 13:07:08 | 00,435,120 | ---- | M] () -- C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe
PRC - [2007/04/26 10:38:38 | 00,517,040 | ---- | M] ( ) -- C:\WINDOWS\system32\lxdicoms.exe
PRC - [2007/04/26 10:38:21 | 00,099,248 | ---- | M] (Lexmark International, Inc.) -- C:\WINDOWS\system32\spool\drivers\w32x86\3\lxdiserv.exe
PRC - [2007/03/05 07:40:25 | 00,020,480 | ---- | M] (Lexmark) -- C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe


========== Modules (SafeList) ==========

MOD - [2010/01/17 09:20:34 | 00,547,328 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Patti\Desktop\OTL.exe
MOD - [2009/07/20 11:29:06 | 00,045,584 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Logitech\SetPoint\lgscroll.dll
MOD - [2009/07/12 01:12:06 | 00,632,656 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcr80.dll


========== Win32 Services (SafeList) ==========

SRV - [2009/10/28 20:21:14 | 00,545,568 | ---- | M] (Apple Inc.) [On_Demand | Running] -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2009/09/25 23:32:18 | 00,189,736 | ---- | M] (Seagate Technology LLC) [Auto | Running] -- C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe -- (FreeAgentGoNext Service)
SRV - [2009/08/28 19:42:54 | 00,144,672 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2009/07/20 11:28:10 | 00,121,360 | ---- | M] (Logitech, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe -- (LBTServ)
SRV - [2009/07/02 17:36:52 | 00,017,904 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe -- (MsMpSvc)
SRV - [2008/12/12 11:17:38 | 00,238,888 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2008/11/04 00:06:28 | 00,441,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv)
SRV - [2007/07/27 22:21:16 | 00,483,328 | ---- | M] (ATI Technologies Inc.) [Auto | Running] -- C:\WINDOWS\system32\ati2evxx.exe -- (Ati HotKey Poller)
SRV - [2007/07/27 21:05:00 | 00,593,920 | ---- | M] () [Auto | Stopped] -- C:\WINDOWS\system32\ati2sgag.exe -- (ATI Smart)
SRV - [2007/04/26 10:38:38 | 00,517,040 | ---- | M] ( ) [Auto | Running] -- C:\WINDOWS\System32\lxdicoms.exe -- (lxdi_device)
SRV - [2007/04/26 10:38:21 | 00,099,248 | ---- | M] () [Auto | Running] -- C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdiserv.exe -- (lxdiCATSCustConnectService)
SRV - [2006/10/26 13:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)


========== Driver Services (SafeList) ==========

DRV - [2009/09/02 19:11:53 | 00,079,360 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\nvatabus.sys -- (nvatabus)
DRV - [2009/09/02 19:11:52 | 00,021,760 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\nv_agp.sys -- (nv_agp)
DRV - [2009/09/02 19:11:44 | 00,010,240 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvmpu401.sys -- (nvmpu401) Service for NVIDIA® nForce™
DRV - [2009/09/02 19:11:43 | 00,396,032 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvapu.sys -- (nvnforce) Service for NVIDIA® nForce™
DRV - [2009/09/02 19:11:43 | 00,048,640 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvax.sys -- (nvax) Service for NVIDIA® nForce™
DRV - [2009/06/18 18:48:04 | 00,142,832 | ---- | M] (Microsoft Corporation) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\MpFilter.sys -- (MpFilter)
DRV - [2009/06/18 12:55:41 | 00,018,816 | ---- | M] (Sophos Plc) [Kernel | System | Running] -- C:\WINDOWS\system32\SAVRKBootTasks.sys -- (SAVRKBootTasks)
DRV - [2009/06/17 11:56:32 | 00,028,560 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LUsbFilt.sys -- (LUsbFilt)
DRV - [2009/06/17 11:56:16 | 00,037,392 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LMouFilt.Sys -- (LMouFilt)
DRV - [2009/06/17 11:56:06 | 00,035,472 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LHidFilt.Sys -- (LHidFilt)
DRV - [2009/06/17 11:55:34 | 00,010,384 | ---- | M] (Logitech, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\LBeepKE.sys -- (LBeepKE)
DRV - [2009/06/17 11:55:18 | 00,020,240 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\L8042Kbd.sys -- (L8042Kbd)
DRV - [2009/05/18 14:17:00 | 00,026,600 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV - [2008/04/13 22:04:18 | 00,104,960 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\atinrvxx.sys -- (atinrvxx) ATI WDM Rage Theater Video (Microsoft Corporation)
DRV - [2008/04/13 22:04:18 | 00,013,824 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\atinmdxx.sys -- (MVDCODEC) ATI WDM Specialized MVD Codec (Microsoft Corporation)
DRV - [2008/04/13 21:09:16 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2008/04/13 19:15:30 | 00,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2007/08/29 02:04:04 | 00,116,264 | ---- | M] (Silicon Image, Inc) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\si3112r.sys -- (Si3112r)
DRV - [2007/08/29 02:04:04 | 00,019,240 | ---- | M] (Silicon Image, Inc) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\SiWinAcc.sys -- (SiFilter)
DRV - [2007/07/27 22:30:27 | 02,371,584 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2007/06/13 20:23:29 | 00,169,344 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\atinavt2.sys -- (ATIAVAIW)
DRV - [2004/07/09 04:26:38 | 00,015,104 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mpe.sys -- (MPE)
DRV - [2004/01/29 00:45:50 | 00,093,764 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NVENET.sys -- (NVENET)
DRV - [2001/08/18 07:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {184FC9BE-23FD-44CF-858C-32ACE0186C5C}:1.9.1
FF - prefs.js..extensions.enabledItems: {421D525E-C40A-4DD9-BCE8-C15D0F0CC179}:1.9.1
FF - prefs.js..extensions.enabledItems: {3A57380E-CB6C-46C2-B854-FA9DA1022ADC}:1.9.1
FF - prefs.js..extensions.enabledItems: {892C5245-153E-4157-BFBC-964D44419C64}:1.9.1
FF - prefs.js..extensions.enabledItems: {9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e}:3.68

FF - HKLM\software\mozilla\Firefox\Extensions\\{184FC9BE-23FD-44CF-858C-32ACE0186C5C}: C:\Documents and Settings\Administrator\Local Settings\Application Data\{184FC9BE-23FD-44CF-858C-32ACE0186C5C}\ [2010/01/03 00:35:39 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{421D525E-C40A-4DD9-BCE8-C15D0F0CC179}: C:\Documents and Settings\Patti\Local Settings\Application Data\{421D525E-C40A-4DD9-BCE8-C15D0F0CC179} [2010/01/03 01:22:59 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{3A57380E-CB6C-46C2-B854-FA9DA1022ADC}: C:\Documents and Settings\Administrator\Local Settings\Application Data\{3A57380E-CB6C-46C2-B854-FA9DA1022ADC}\ [2010/01/03 01:38:19 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{892C5245-153E-4157-BFBC-964D44419C64}: C:\Documents and Settings\Patti\Local Settings\Application Data\{892C5245-153E-4157-BFBC-964D44419C64} [2010/01/06 07:03:18 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/01/03 01:28:31 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/01/03 01:28:31 | 00,000,000 | ---D | M]

[2009/09/02 22:05:37 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Patti\Application Data\Mozilla\Extensions
[2010/01/08 00:25:39 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Patti\Application Data\Mozilla\Firefox\Profiles\j0nc36vq.default\extensions
[2009/09/04 16:55:00 | 00,000,000 | ---D | M] (Noia 2.0 (eXtreme)) -- C:\Documents and Settings\Patti\Application Data\Mozilla\Firefox\Profiles\j0nc36vq.default\extensions\{9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e}
[2009/09/02 22:05:28 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2008/06/18 02:43:04 | 00,086,016 | ---- | M] (Coupons, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npCouponPrinter.dll

O1 HOSTS File: ([2001/08/18 07:00:00 | 00,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll File not found
O4 - HKLM..\Run: [Adobe ARM] C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [itype] C:\Program Files\Microsoft IntelliType Pro\itype.exe (Microsoft Corporation)
O4 - HKLM..\Run: [Kernel and Hardware Abstraction Layer] C:\WINDOWS\KHALMNPR.Exe (Logitech, Inc.)
O4 - HKLM..\Run: [lxdiamon] C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe (Lexmark)
O4 - HKLM..\Run: [lxdimon.exe] C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe ()
O4 - HKLM..\Run: [MaxMenuMgr] C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe (Seagate LLC)
O4 - HKLM..\Run: [MSSE] c:\Program Files\Microsoft Security Essentials\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe ()
O4 - HKCU..\Run: [Google Update] C:\Documents and Settings\Patti\Local Settings\Application Data\Google\Update\GoogleUpdate.exe (Google Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe (Logitech, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe File not found
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\LBTWlgn: DllName - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll - c:\Program Files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll (Logitech, Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\Patti\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Patti\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/09/02 21:04:10 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2009/11/23 20:45:09 | 00,000,062 | ---- | M] () - F:\Autorun.inf -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/01/17 09:20:26 | 00,547,328 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Patti\Desktop\OTL.exe
[2010/01/16 17:55:02 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Patti\My Documents\NEMTEC
[2010/01/08 00:48:40 | 00,018,816 | ---- | C] (Sophos Plc) -- C:\WINDOWS\System32\SAVRKBootTasks.sys
[2010/01/08 00:38:16 | 00,000,000 | ---D | C] -- C:\Program Files\Sophos
[2010/01/08 00:28:29 | 00,000,000 | ---D | C] -- C:\Avenger
[2010/01/07 19:30:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2010/01/07 19:30:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2010/01/07 19:29:19 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2010/01/07 19:29:19 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2010/01/07 18:43:21 | 00,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Essentials
[2010/01/06 07:03:18 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Patti\Local Settings\Application Data\{892C5245-153E-4157-BFBC-964D44419C64}
[2010/01/03 15:06:08 | 00,000,000 | RH-D | C] -- C:\Documents and Settings\Patti\Recent
[2010/01/03 02:13:33 | 00,009,216 | ---- | C] (Kephyr) -- C:\WINDOWS\System32\ffnd.exe
[2010/01/03 02:04:31 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Patti\Local Settings\Application Data\FreeFixer
[2010/01/03 02:04:31 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Patti\Application Data\FreeFixer
[2010/01/03 02:04:23 | 00,000,000 | ---D | C] -- C:\Program Files\FreeFixer
[2010/01/03 01:55:16 | 00,181,120 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe
[2010/01/03 01:22:59 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Patti\Local Settings\Application Data\{421D525E-C40A-4DD9-BCE8-C15D0F0CC179}
[2010/01/03 00:37:59 | 00,000,000 | ---D | C] -- C:\WINDOWS\pss
[2009/12/22 13:29:22 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Patti\Local Settings\Application Data\Adobe
[2009/12/22 13:28:28 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Adobe
[2009/12/22 13:28:21 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe
[2009/12/22 13:28:21 | 00,000,000 | ---D | C] -- C:\Program Files\Adobe
[2009/09/04 18:44:03 | 00,942,080 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdiusb1.dll
[2009/09/04 18:44:03 | 00,356,352 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdiinpa.dll
[2009/09/04 18:44:03 | 00,339,968 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdiiesc.dll
[2009/09/04 18:44:03 | 00,311,296 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdihcp.dll
[2009/09/04 18:44:02 | 01,187,840 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdiserv.dll
[2009/09/04 18:44:02 | 00,614,400 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdipmui.dll
[2009/09/04 18:44:02 | 00,532,480 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdilmpm.dll
[2009/09/04 18:44:02 | 00,053,248 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdiprox.dll
[2009/09/04 18:44:02 | 00,053,248 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdipplc.dll
[2009/09/04 18:44:00 | 00,671,744 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdihbn3.dll
[2009/09/04 18:43:59 | 00,765,952 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdicomc.dll
[2009/09/04 18:43:59 | 00,360,448 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdicomm.dll
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/01/17 09:22:59 | 00,763,904 | ---- | M] () -- C:\WINDOWS\System32\drivers\slgcuzx.sys
[2010/01/17 09:20:34 | 00,547,328 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Patti\Desktop\OTL.exe
[2010/01/17 09:17:00 | 00,000,978 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-507921405-1202660629-1801674531-1003UA.job
[2010/01/17 07:07:23 | 00,000,408 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/01/17 07:06:48 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/01/17 07:06:47 | 00,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/01/17 07:06:44 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/01/16 23:52:21 | 03,145,728 | -H-- | M] () -- C:\Documents and Settings\Patti\NTUSER.DAT
[2010/01/16 23:52:21 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\Patti\ntuser.ini
[2010/01/16 23:52:09 | 03,767,326 | -H-- | M] () -- C:\Documents and Settings\Patti\Local Settings\Application Data\IconCache.db
[2010/01/16 23:52:00 | 00,013,910 | ---- | M] () -- C:\Documents and Settings\All Users\lxdi
[2010/01/16 18:17:00 | 00,000,926 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-507921405-1202660629-1801674531-1003Core.job
[2010/01/14 11:12:06 | 00,181,120 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe
[2010/01/13 07:43:06 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/01/12 18:10:56 | 00,011,491 | ---- | M] () -- C:\Documents and Settings\Patti\Desktop\Basket Ideas for Auction 2010.docx
[2010/01/11 21:46:55 | 05,987,328 | ---- | M] () -- C:\Documents and Settings\Patti\Desktop\Color Box 2.doc
[2010/01/11 18:05:01 | 00,549,931 | ---- | M] () -- C:\Documents and Settings\Patti\Desktop\bfc_icon2.zip
[2010/01/10 22:01:17 | 00,336,384 | ---- | M] () -- C:\Documents and Settings\Patti\Desktop\games night RSVP 1-24-09.doc
[2010/01/10 12:40:15 | 14,385,152 | ---- | M] () -- C:\Documents and Settings\Patti\Desktop\Color Box 2
[2010/01/10 11:47:22 | 00,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/01/10 11:15:11 | 00,560,640 | ---- | M] () -- C:\Documents and Settings\Patti\Desktop\37. Baric Tablets.doc
[2010/01/08 00:55:09 | 00,000,064 | ---- | M] () -- C:\Documents and Settings\Patti\Desktop\How to configure Windows XP to start in a -clean boot- state.url
[2010/01/08 00:37:57 | 01,339,288 | ---- | M] () -- C:\Documents and Settings\Patti\Desktop\sar_15_sfx.exe
[2010/01/07 21:58:40 | 00,025,600 | ---- | M] () -- C:\Documents and Settings\Patti\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/01/07 21:06:56 | 00,000,120 | ---- | M] () -- C:\WINDOWS\Cnifeqalux.dat
[2010/01/07 06:31:46 | 00,000,000 | ---- | M] () -- C:\WINDOWS\Vzidoxewofesed.bin
[2010/01/06 18:53:27 | 00,010,434 | ---- | M] () -- C:\Documents and Settings\Patti\My Documents\intern letter.docx
[2010/01/05 17:18:17 | 05,540,352 | ---- | M] () -- C:\Documents and Settings\Patti\My Documents\fall newsletter.pub
[2010/01/04 22:24:11 | 00,349,548 | ---- | M] () -- C:\Documents and Settings\Patti\My Documents\Evy and Grandpa.jpg
[2010/01/03 13:03:14 | 00,084,480 | ---- | M] () -- C:\Documents and Settings\Patti\My Documents\2010.pub
[2010/01/03 02:02:55 | 00,000,477 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/01/03 02:02:55 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/01/03 02:02:55 | 00,000,211 | -HS- | M] () -- C:\boot.ini
[2010/01/03 01:27:37 | 00,006,206 | ---- | M] () -- C:\Documents and Settings\Patti\My Documents\cc_20100103_012727.reg
[2010/01/03 00:30:17 | 00,000,000 | -HS- | M] () -- C:\WINDOWS\nvDrv.sy
[2010/01/03 00:30:09 | 00,000,028 | ---- | M] () -- C:\Documents and Settings\Patti\Application Data\fvgqad.dat
[2010/01/03 00:29:57 | 00,000,004 | ---- | M] () -- C:\Documents and Settings\Patti\Application Data\avdrn.dat
[2009/12/26 21:39:21 | 00,056,136 | -H-- | M] () -- C:\WINDOWS\System32\mlfcache.dat
[2009/12/21 11:49:46 | 00,283,334 | ---- | M] () -- C:\Documents and Settings\Patti\My Documents\xmas.docx
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/01/13 07:43:05 | 00,001,374 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2010/01/12 18:10:56 | 00,011,491 | ---- | C] () -- C:\Documents and Settings\Patti\Desktop\Basket Ideas for Auction 2010.docx
[2010/01/11 21:46:50 | 05,987,328 | ---- | C] () -- C:\Documents and Settings\Patti\Desktop\Color Box 2.doc
[2010/01/11 18:04:59 | 00,549,931 | ---- | C] () -- C:\Documents and Settings\Patti\Desktop\bfc_icon2.zip
[2010/01/10 12:39:54 | 14,385,152 | ---- | C] () -- C:\Documents and Settings\Patti\Desktop\Color Box 2
[2010/01/10 11:15:10 | 00,560,640 | ---- | C] () -- C:\Documents and Settings\Patti\Desktop\37. Baric Tablets.doc
[2010/01/08 00:55:09 | 00,000,064 | ---- | C] () -- C:\Documents and Settings\Patti\Desktop\How to configure Windows XP to start in a -clean boot- state.url
[2010/01/08 00:37:54 | 01,339,288 | ---- | C] () -- C:\Documents and Settings\Patti\Desktop\sar_15_sfx.exe
[2010/01/07 19:36:51 | 00,000,408 | -H-- | C] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/01/06 18:53:26 | 00,010,434 | ---- | C] () -- C:\Documents and Settings\Patti\My Documents\intern letter.docx
[2010/01/04 22:24:11 | 00,349,548 | ---- | C] () -- C:\Documents and Settings\Patti\My Documents\Evy and Grandpa.jpg
[2010/01/03 16:12:47 | 00,336,384 | ---- | C] () -- C:\Documents and Settings\Patti\Desktop\games night RSVP 1-24-09.doc
[2010/01/03 13:03:14 | 00,084,480 | ---- | C] () -- C:\Documents and Settings\Patti\My Documents\2010.pub
[2010/01/03 01:27:32 | 00,006,206 | ---- | C] () -- C:\Documents and Settings\Patti\My Documents\cc_20100103_012727.reg
[2010/01/03 00:34:21 | 00,000,000 | ---- | C] () -- C:\WINDOWS\Vzidoxewofesed.bin
[2010/01/03 00:34:19 | 00,000,120 | ---- | C] () -- C:\WINDOWS\Cnifeqalux.dat
[2010/01/03 00:30:25 | 00,763,904 | ---- | C] () -- C:\WINDOWS\System32\drivers\slgcuzx.sys
[2010/01/03 00:30:17 | 00,000,000 | -HS- | C] () -- C:\WINDOWS\nvDrv.sy
[2010/01/03 00:30:09 | 00,000,028 | ---- | C] () -- C:\Documents and Settings\Patti\Application Data\fvgqad.dat
[2010/01/03 00:29:57 | 00,000,004 | ---- | C] () -- C:\Documents and Settings\Patti\Application Data\avdrn.dat
[2009/12/26 21:39:21 | 00,056,136 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2009/12/21 11:49:45 | 00,283,334 | ---- | C] () -- C:\Documents and Settings\Patti\My Documents\xmas.docx
[2009/11/27 18:03:58 | 00,000,010 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2009/11/26 20:39:12 | 00,354,816 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2009/09/06 23:25:05 | 00,025,600 | ---- | C] () -- C:\Documents and Settings\Patti\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/09/04 18:48:46 | 00,040,960 | ---- | C] () -- C:\WINDOWS\System32\lxdivs.dll
[2009/09/04 18:48:43 | 00,344,064 | ---- | C] () -- C:\WINDOWS\System32\lxdicoin.dll
[2009/09/04 18:48:21 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\lxdicaps.dll
[2009/09/04 18:48:20 | 00,692,224 | ---- | C] () -- C:\WINDOWS\System32\lxdidrs.dll
[2009/09/04 18:48:20 | 00,069,632 | ---- | C] () -- C:\WINDOWS\System32\lxdicnv4.dll
[2009/09/04 18:48:04 | 00,045,056 | ---- | C] () -- C:\WINDOWS\System32\LXF3PMON.DLL
[2009/09/04 18:48:04 | 00,036,864 | ---- | C] () -- C:\WINDOWS\System32\lxf3oem.dll
[2009/09/04 18:48:04 | 00,032,768 | ---- | C] () -- C:\WINDOWS\System32\LXF3FXPU.DLL
[2009/09/04 18:48:04 | 00,012,288 | ---- | C] () -- C:\WINDOWS\System32\LXF3PMRC.DLL
[2009/09/04 18:44:16 | 00,000,060 | -H-- | C] () -- C:\WINDOWS\System32\lxdirwrd.ini
[2009/09/04 18:44:03 | 00,294,912 | ---- | C] () -- C:\WINDOWS\System32\lxdiinst.dll
[2009/09/04 18:44:00 | 00,208,896 | ---- | C] () -- C:\WINDOWS\System32\lxdigrd.dll
< End of report >

-------------------------------------------------------------------------


Extras.Txt: --------------------------------------------------------------
OTL Extras logfile created on: 1/17/2010 9:21:19 AM - Run 1
OTL by OldTimer - Version 3.1.25.2 Folder = C:\Documents and Settings\Patti\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 64.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 85.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 232.88 Gb Total Space | 220.50 Gb Free Space | 94.69% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 232.88 Gb Total Space | 213.45 Gb Free Space | 91.66% Space Free | Partition Type: NTFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: GALADRIEL
Current User Name: Patti
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = ChromeHTML] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /k cd "%L" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0
"DisableUnicastResponsesToMulticastBroadcast" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0
"DisableUnicastResponsesToMulticastBroadcast" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Lexmark 3500-4500 Series\app4r.exe" = C:\Program Files\Lexmark 3500-4500 Series\App4R.exe:*:Enabled:Lexmark Imaging Studio -- ()

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\WINDOWS\system32\lxdicoms.exe" = C:\WINDOWS\system32\lxdicoms.exe:*:Enabled:3500-4500 Series Server -- ( )
"C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe" = C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe:*:Enabled:Device Monitor -- ()
"C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe" = C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe:*:Enabled:Device Monitor Application -- (Lexmark)
"C:\Program Files\Lexmark 3500-4500 Series\App4R.exe" = C:\Program Files\Lexmark 3500-4500 Series\App4R.exe:*:Enabled:Printing Application -- ()
"C:\WINDOWS\system32\spool\drivers\w32x86\3\lxdipswx.exe" = C:\WINDOWS\system32\spool\drivers\w32x86\3\lxdipswx.exe:*:Enabled:Printer Status Window Interface -- ()
"C:\WINDOWS\system32\spool\drivers\w32x86\3\lxditime.exe" = C:\WINDOWS\system32\spool\drivers\w32x86\3\lxditime.exe:*:Enabled:Lexmark Connect Time Executable -- (Lexmark International, Inc.)
"C:\WINDOWS\system32\spool\drivers\w32x86\3\lxdijswx.exe" = C:\WINDOWS\system32\spool\drivers\w32x86\3\lxdijswx.exe:*:Enabled:Job Status Window Interface -- ()
"C:\WINDOWS\system32\spool\drivers\w32x86\3\lxdiwbgw.exe" = C:\WINDOWS\system32\spool\drivers\w32x86\3\lxdiwbgw.exe:*:Enabled:Lexmark Web Gateway -- ()
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- (Apple Inc.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\Microsoft Games\Age of Empires III\age3.exe" = C:\Program Files\Microsoft Games\Age of Empires III\age3.exe:*:Enabled:Age of Empires III -- (Ensemble Studios)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{01ED0835-5D97-BF31-6AF2-7553A87014F9}" = ccc-core-static
"{055EE59D-217B-43A7-ABFF-507B966405D8}" = ATI Catalyst Control Center
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{0C826C5B-B131-423A-A229-C71B3CACCD6A}" = CDDRV_Installer
"{2A30052B-831C-41D3-8044-3C0388066350}" = Seagate Manager Installer
"{3101CB58-3482-4D21-AF1A-7057FC935355}" = KhalInstallWrapper
"{31180401-FE98-6EF7-9DB0-CB6509E5D44D}" = ccc-core-preinstall
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{38E8D32E-CD66-6D3B-5BDF-588B2AFB4656}" = CCC Help English
"{48B3FB4D-CE22-488C-8E9F-24EBB77EAC0F}" = Microsoft Security Essentials
"{57ED31E0-BCF4-67D3-DF6B-4239FDA77C11}" = Catalyst Control Center Graphics Full New
"{6759A77E-9163-F3BE-5602-D4DFD5CC8DD2}" = Skins
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{70F8B183-99EB-4304-BA35-080E2DFFD2A3}" = Age of Empires III
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{8830F934-C6FE-C47E-5840-E6FFBD68DCE2}" = ccc-utility
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISER_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISER_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISER_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISER_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISER_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{91120000-0030-0000-0000-0000000FF1CE}_ENTERPRISER_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-0030-0000-0000-0000000FF1CE}_ENTERPRISER_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{94A065E8-455D-41C1-AF1F-F0C1AF8F50F3}" = Microsoft IntelliType Pro 7.0
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{97915182-C85B-AF14-8B21-D900E0958A4E}" = Catalyst Control Center Core Implementation
"{9A87F497-A986-F862-E830-FCBBE3BDCA03}" = Catalyst Control Center Graphics Previews Common
"{A0A77CDC-2419-4D5C-AD2C-E09E5926B806}" = Microsoft Antimalware
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A429C2AE-EBF1-4F81-A221-1C115CAADDAD}" = QuickTime
"{A498D9EB-927B-459B-85D6-DD6EF8C2C564}" = erLT
"{AA668889-AA01-AA01-AADC-65462C3DE344}" = FreeFixer
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AC76BA86-7AD7-1033-7B44-A92000000001}" = Adobe Reader 9.2
"{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}" = ABBYY FineReader 6.0 Sprint
"{B607C354-CD79-4D22-86D1-92DC94153F42}" = Apple Application Support
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C9A84D37-5FAE-8317-1E6C-BAE79F15B88B}" = Catalyst Control Center Graphics Full Existing
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D1A74FBB-CA8D-4CCA-9B89-BAAA436DB178}" = iTunes
"{DC0D1DD4-C894-341F-538E-5DD09F039D63}" = Catalyst Control Center Graphics Light
"{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}" = Windows Media Encoder 9 Series
"{F29B21BD-CAA6-445F-8EF7-A7E2B9D8B14E}" = Logitech SetPoint
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"All ATI Software" = ATI - Software Uninstall Utility
"ATI Display Driver" = ATI Display Driver
"CCleaner" = CCleaner (remove only)
"Coupon Printer for Windows4.0" = Coupon Printer for Windows
"ENTERPRISER" = Microsoft Office Enterprise 2007
"HijackThis" = HijackThis 2.0.2
"ie8" = Windows Internet Explorer 8
"InstallShield_{2A30052B-831C-41D3-8044-3C0388066350}" = Seagate Manager Installer
"InstallShield_{70F8B183-99EB-4304-BA35-080E2DFFD2A3}" = Age of Empires III
"Lexmark 3500-4500 Series" = Lexmark 3500-4500 Series
"Lexmark Fax Solutions" = Lexmark Fax Solutions
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft Security Essentials" = Microsoft Security Essentials
"Mozilla Firefox (3.5.6)" = Mozilla Firefox (3.5.6)
"NVIDIA Drivers" = NVIDIA Drivers
"Sophos-AntiRootkit" = Sophos Anti-Rootkit 1.5.0
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Windows Media Encoder 9" = Windows Media Encoder 9 Series

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 10/6/2009 6:00:32 PM | Computer Name = GALADRIEL | Source = Application Hang | ID = 1002
Description = Hanging application chrome.exe, version 0.0.0.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 10/9/2009 7:35:13 AM | Computer Name = GALADRIEL | Source = Application Hang | ID = 1002
Description = Hanging application chrome.exe, version 0.0.0.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 10/9/2009 7:38:36 AM | Computer Name = GALADRIEL | Source = Application Hang | ID = 1002
Description = Hanging application chrome.exe, version 0.0.0.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 10/15/2009 3:40:29 PM | Computer Name = GALADRIEL | Source = Application Hang | ID = 1002
Description = Hanging application chrome.exe, version 0.0.0.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 11/5/2009 8:53:29 PM | Computer Name = GALADRIEL | Source = Application Hang | ID = 1002
Description = Hanging application iTunes.exe, version 9.0.2.25, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 12/16/2009 11:17:05 PM | Computer Name = GALADRIEL | Source = Google Update | ID = 20
Description =

Error - 1/3/2010 2:37:39 AM | Computer Name = GALADRIEL | Source = MsiInstaller | ID = 1008
Description = The installation of C:\Documents and Settings\Patti\Desktop\WindowsDefender.msi
is not permitted due to an error in software restriction policy processing. The
object cannot be trusted.

Error - 1/3/2010 2:39:12 AM | Computer Name = GALADRIEL | Source = MsiInstaller | ID = 1008
Description = The installation of C:\Documents and Settings\Patti\Desktop\WindowsDefender.msi
is not permitted due to an error in software restriction policy processing. The
object cannot be trusted.

Error - 1/7/2010 10:24:29 PM | Computer Name = GALADRIEL | Source = MSSecurityEssentials | ID = 5000
Description =

Error - 1/8/2010 12:33:55 AM | Computer Name = GALADRIEL | Source = MSSecurityEssentials | ID = 5000
Description =

[ System Events ]
Error - 1/14/2010 7:27:43 AM | Computer Name = GALADRIEL | Source = ati2mtag | ID = 45062
Description = CRT invalid display type

Error - 1/14/2010 4:29:46 PM | Computer Name = GALADRIEL | Source = ati2mtag | ID = 45062
Description = CRT invalid display type

Error - 1/14/2010 4:58:43 PM | Computer Name = GALADRIEL | Source = ati2mtag | ID = 45062
Description = CRT invalid display type

Error - 1/14/2010 8:09:21 PM | Computer Name = GALADRIEL | Source = Microsoft Antimalware | ID = 1008
Description = %%861 has encountered an error when taking action on spyware or other
potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=370...atid=2147630632

User:
NT AUTHORITY\NETWORK SERVICE Name: VirTool:WinNT/Rootkit.BV ID: 2147630632 Severity:
Severe Category: Tool Path: Action: %%808 Error Code: 0x8007001f Error description:
A device attached to the system is not functioning. Status: Signature Version:
AV: 1.71.2212.0, AS: 1.71.2212.0 Engine Version: 1.1.5302.0

Error - 1/15/2010 7:45:34 AM | Computer Name = GALADRIEL | Source = ati2mtag | ID = 45062
Description = CRT invalid display type

Error - 1/15/2010 7:37:27 PM | Computer Name = GALADRIEL | Source = Microsoft Antimalware | ID = 1008
Description = %%861 has encountered an error when taking action on spyware or other
potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=370...atid=2147630632

User:
NT AUTHORITY\NETWORK SERVICE Name: VirTool:WinNT/Rootkit.BV ID: 2147630632 Severity:
Severe Category: Tool Path: Action: %%808 Error Code: 0x8007001f Error description:
A device attached to the system is not functioning. Status: Signature Version:
AV: 1.71.2259.0, AS: 1.71.2259.0 Engine Version: 1.1.5302.0

Error - 1/15/2010 11:02:23 PM | Computer Name = GALADRIEL | Source = Print | ID = 6161
Description = The document Microsoft Word - Pillow foot matching-original work.doc
owned by Patti failed to print on printer Lexmark 3500-4500 Series. Data type:
LEMF. Size of the spool file in bytes: 40550542. Number of bytes printed: 40550542.
Total number of pages in the document: 4. Number of pages printed: 0. Client machine:
\\GALADRIEL. Win32 error code returned by the print processor: 0 (0x0).

Error - 1/16/2010 7:47:55 AM | Computer Name = GALADRIEL | Source = ati2mtag | ID = 45062
Description = CRT invalid display type

Error - 1/16/2010 7:52:40 PM | Computer Name = GALADRIEL | Source = Microsoft Antimalware | ID = 1008
Description = %%861 has encountered an error when taking action on spyware or other
potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=370...atid=2147630632

User:
NT AUTHORITY\NETWORK SERVICE Name: VirTool:WinNT/Rootkit.BV ID: 2147630632 Severity:
Severe Category: Tool Path: Action: %%808 Error Code: 0x8007001f Error description:
A device attached to the system is not functioning. Status: Signature Version:
AV: 1.71.2314.0, AS: 1.71.2314.0 Engine Version: 1.1.5302.0

Error - 1/17/2010 8:06:55 AM | Computer Name = GALADRIEL | Source = ati2mtag | ID = 45062
Description = CRT invalid display type


< End of report >

-------------------------------------------------------------------------

#5 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:05:59 PM

Posted 17 January 2010 - 12:06 PM

Hi,

please provide a log from gmer as well to check for rootkits:

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    Posted Image
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#6 FraggleRockRyan

FraggleRockRyan
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:10:59 AM

Posted 17 January 2010 - 02:15 PM

GMER log below. Thanks!


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-17 14:11:39
Windows 5.1.2600 Service Pack 3
Running: nsjml207.exe; Driver: C:\DOCUME~1\Patti\LOCALS~1\Temp\pftyrpow.sys


---- Kernel code sections - GMER 1.0.15 ----

.pak2 C:\WINDOWS\system32\drivers\slgcuzx.sys entry point in ".pak2" section [0xBA7A6168]
? C:\WINDOWS\system32\drivers\slgcuzx.sys A device attached to the system is not functioning.
PAGE Ntfs.sys BA5B8E55 4 Bytes CALL 89827121
init C:\WINDOWS\system32\drivers\nvax.sys entry point in "init" section [0xB9621B8D]

---- User code sections - GMER 1.0.15 ----

.text C:\Documents and Settings\Patti\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[804] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 16, 00]
.text C:\Documents and Settings\Patti\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[804] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text C:\Documents and Settings\Patti\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[804] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
.text C:\Documents and Settings\Patti\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[804] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 16, 00]
.text C:\Documents and Settings\Patti\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[804] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
.text C:\Documents and Settings\Patti\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[804] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 16, 00]
.text C:\Documents and Settings\Patti\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[804] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
.text C:\Documents and Settings\Patti\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[804] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 16, 00]
.text C:\Documents and Settings\Patti\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[804] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
.text C:\Documents and Settings\Patti\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[804] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90EC1A
.text C:\Documents and Settings\Patti\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[804] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text C:\Documents and Settings\Patti\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[804] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 16, 00]
.text C:\Documents and Settings\Patti\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[804] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
.text C:\Documents and Settings\Patti\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[804] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 16, 00]
.text C:\Documents and Settings\Patti\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[804] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
.text C:\Documents and Settings\Patti\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[804] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 16, 00]
.text C:\Documents and Settings\Patti\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[804] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
.text C:\Documents and Settings\Patti\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[804] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90EC8B
.text C:\Documents and Settings\Patti\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[804] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
.text C:\Documents and Settings\Patti\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[804] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 16, 00]
.text C:\Documents and Settings\Patti\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[804] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
.text C:\Documents and Settings\Patti\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[804] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90EDB9
.text C:\Documents and Settings\Patti\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[804] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
.text C:\Documents and Settings\Patti\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[804] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 16, 00]
.text C:\Documents and Settings\Patti\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[804] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
.text C:\Documents and Settings\Patti\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[804] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 16, 00]
.text C:\Documents and Settings\Patti\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[804] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
.text C:\Documents and Settings\Patti\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[804] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
.text C:\Documents and Settings\Patti\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[804] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 16, 00]
.text C:\Documents and Settings\Patti\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[804] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 898B2AB0

AttachedDevice \FileSystem\Ntfs \Ntfs SiWinAcc.sys (Windows Accelerator Driver/Silicon Image, Inc)
AttachedDevice \FileSystem\Fastfat \Fat SiWinAcc.sys (Windows Accelerator Driver/Silicon Image, Inc)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Services - GMER 1.0.15 ----

Service (*** hidden *** ) [BOOT] slgcuzx <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\slgcuzx@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\slgcuzx@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\slgcuzx@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\slgcuzx@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet002\Services\slgcuzx@Type 1
Reg HKLM\SYSTEM\ControlSet002\Services\slgcuzx@Start 0
Reg HKLM\SYSTEM\ControlSet002\Services\slgcuzx@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\slgcuzx@Group Boot Bus Extender

---- EOF - GMER 1.0.15 ----

#7 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:05:59 PM

Posted 17 January 2010 - 02:37 PM

Hi,

you have been infected by a nasty rootkit. It may be a backdoor trojan.

This would allow hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.


If you decide to clean, then please run ComboFix and post the log in your next reply:

Please download ComboFix from one of these locations:

Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Temporarily disable isable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools
    Usually this can be done via a right click on the System Tray icon, check this tutorial for disabling the most common security programs: Link

  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#8 FraggleRockRyan

FraggleRockRyan
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:10:59 AM

Posted 17 January 2010 - 02:54 PM

Thank you, myrti! I will rebuild this computer from scratch asap. Please close this thread. I wish I knew how the rootkit got on there, I try to be very diligent.

Thanks again!

#9 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:05:59 PM

Posted 17 January 2010 - 03:01 PM

Hi,

I can only take guesses as well, there is no easy reply to the "how" of the infection.

Please read these advices, in order to prevent reinfecting your PC:
  • Install and update the following programs regularly:
    • an outbound firewall
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on regular basis.If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malware Byte's Anti Malware is an excellent Anti-Spyware scanner. It's scan times are usually under ten minutes, and has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non commercial home use but provide a resident and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.
    • MVPs hosts file
      A tutorial for MVPs hosts file can be found here. If you would like automatic updates you might want to take a look at HostMan host file manager. For more information on thehosts file, and what it can do for you,please consult the Tutorial on the Hosts file
  • Keep Windows (and your other Microsoft software) up to date!
    I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holeswill allow an attacker unrestricted access to your computer.
    Therefore, please, visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!
  • Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on yourmachine.
  • Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variantsevery single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing :(.
Some more links you might find of interest:Have a nice day
myrti

Edited by myrti, 17 January 2010 - 03:01 PM.

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#10 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:05:59 PM

Posted 23 January 2010 - 08:47 PM

Since the issue seems resolved, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users