
Infected with Win32/Rootkit.Agent.ODG trojan on my operating memory (XP)


  • This topic is locked
19 replies to this topic

#1 cyellett


  • Members
  • 10 posts

Posted 12 January 2010 - 03:01 PM

I got a virus after I connected my Android smartphone (MyTouch) to my computer. The only reason I believe it was from my phone is because some of the sites that were accessed on my phone now magically appeared as desktop shortcuts AND my ESET finds a virus within 2 minutes of disconnecting my phone. (Thank you, coworkers who look at porn!) So far, the only thing I've noticed different is when I do a Google search and go to click on a link, I get redirected.

Here is my DDS report:


DDS (Ver_09-12-01.01) - NTFSx86
Run by Chantel at 14:50:21.43 on Tue 01/12/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.128 [GMT -5:00]

AV: Malware Defense *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}
AV: ESET Smart Security 4.0 *On-access scanning enabled* (Outdated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\Chantel\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Windows Updates] c:\windows\system\Update.exe
uRun: [cdloader] "c:\documents and settings\chantel\application data\mjusbsp\cdloader2.exe" MAGICJACK
uRun: [twunk_32x.exe] c:\docume~1\chantel\locals~1\temp\twunk_32x.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_05\bin\jusched.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.8.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1236037679937
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1236037670734
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

============= SERVICES / DRIVERS ===============

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-5-14 107256]
R4 BHDrvx86;BHDrvx86;\??\c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.1.0.19\definitions\bashdefs\20091013.001\bhdrvx86.sys --> c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.1.0.19\definitions\bashdefs\20091013.001\BHDrvx86.sys [?]
R4 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nav\1101000.013\cchpx86.sys --> c:\windows\system32\drivers\nav\1101000.013\ccHPx86.sys [?]
R4 IDSxpx86;IDSxpx86;\??\c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.1.0.19\definitions\ipsdefs\20090911.001\idsxpx86.sys --> c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.1.0.19\definitions\ipsdefs\20090911.001\IDSxpx86.sys [?]
R4 SymDS;Symantec Data Store;c:\windows\system32\drivers\nav\1101000.013\symds.sys --> c:\windows\system32\drivers\nav\1101000.013\SYMDS.SYS [?]
R4 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1101000.013\symefa.sys --> c:\windows\system32\drivers\nav\1101000.013\SYMEFA.SYS [?]
RUnknown SymIRON;SymIRON; [x]

=============== Created Last 30 ================

2010-01-12 02:50:43 0 d-sh--w- c:\documents and settings\chantel\IECompatCache
2010-01-12 02:32:25 0 d-----w- C:\_OTM
2010-01-12 01:59:15 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-11 23:36:52 0 d-----w- c:\program files\Norton AntiVirus
2010-01-11 23:05:48 0 d-----w- c:\docume~1\chantel\applic~1\Tific
2010-01-11 22:46:08 0 d-----w- c:\windows\system32\drivers\NAV
2010-01-11 22:45:57 0 d-----w- c:\docume~1\alluse~1\applic~1\Norton
2010-01-11 22:45:36 0 d-----w- c:\docume~1\alluse~1\applic~1\NortonInstaller
2010-01-11 22:07:55 0 d-----w- c:\docume~1\chantel\applic~1\AVG8

==================== Find3M ====================

2009-11-08 04:02:38 249856 ------w- c:\windows\Setup1.exe
2009-11-08 04:02:36 73216 ----a-w- c:\windows\ST6UNST.EXE
2009-10-29 07:45:38 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-06-20 03:26:10 853860607 ----a-w- c:\program files\ADBEPHSPCS4_LS1.7z
2009-06-20 02:04:50 1228240 ----a-w- c:\program files\ADBEPHSPCS4_LS1.exe
2009-06-14 02:29:03 36116992 ----a-w- c:\program files\ess_nt32_enu.msi

============= FINISH: 14:53:13.48 ===============


#2 Buckeye_Sam


    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 12 January 2010 - 06:56 PM

Hello!
My name is Sam and I will be helping you.

In order to see what's going on with your computer I'll ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.


We need to create an OTL Report
  • Please download OTL from here
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in

    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    CREATERESTOREPOINT

  • Click the "Run Scan" button.
  • The scan should take just a few minutes.
  • Please copy and paste both logs back here in your next reply.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 cyellett

  • Topic Starter

  • Members
  • 10 posts

Posted 12 January 2010 - 08:03 PM

Thanks Sam!
It's definitely appreciated!

Here is the OTL.txt log:
OTL logfile created on: 1/12/2010 8:00:22 PM - Run 1
OTL by OldTimer - Version 3.1.24.0 Folder = C:\Documents and Settings\Chantel\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

510.00 Mb Total Physical Memory | 201.00 Mb Available Physical Memory | 39.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 70.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.27 Gb Total Space | 24.03 Gb Free Space | 64.47% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DELL-29A5164C7E
Current User Name: Chantel
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/01/12 19:59:16 | 00,544,256 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Chantel\Desktop\OTL.exe
PRC - [2009/05/14 14:47:54 | 00,731,840 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET Smart Security\ekrn.exe
PRC - [2009/05/14 14:47:08 | 02,029,640 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET Smart Security\egui.exe
PRC - [2009/03/08 13:09:26 | 00,638,816 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2008/10/25 10:44:34 | 00,031,072 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
PRC - [2008/08/29 10:18:44 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2008/07/03 06:38:24 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/06/10 14:56:31 | 01,406,024 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft IntelliPoint\ipoint.exe
PRC - [2008/06/10 14:56:29 | 01,442,888 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft IntelliType Pro\itype.exe
PRC - [2008/02/22 04:25:21 | 00,144,784 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
PRC - [2002/06/19 19:05:10 | 00,114,688 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\hkcmd.exe


========== Modules (SafeList) ==========

MOD - [2010/01/12 19:59:16 | 00,544,256 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Chantel\Desktop\OTL.exe


========== Win32 Services (SafeList) ==========

SRV - [2009/05/14 14:54:22 | 00,020,680 | ---- | M] (ESET) [On_Demand | Stopped] -- C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe -- (EhttpSrv)
SRV - [2009/05/14 14:47:54 | 00,731,840 | ---- | M] (ESET) [Auto | Running] -- C:\Program Files\ESET\ESET Smart Security\ekrn.exe -- (ekrn)
SRV - [2008/11/04 00:06:28 | 00,441,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv)
SRV - [2008/10/25 10:44:08 | 00,065,888 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe -- (Microsoft Office Groove Audit Service)
SRV - [2008/08/29 10:18:44 | 00,238,888 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2006/10/26 13:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
SRV - [2004/10/22 03:24:18 | 00,073,728 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe -- (IDriverT)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | Unknown | Running] -- -- (SYMTDI)
DRV - File not found [Kernel | Unknown | Running] -- -- (SymIRON)
DRV - File not found [Kernel | Disabled | Running] -- -- (SymEvent)
DRV - File not found [File_System | Disabled | Running] -- -- (SymEFA)
DRV - File not found [Kernel | Disabled | Running] -- -- (SymDS)
DRV - File not found [Kernel | Disabled | Running] -- -- (IDSxpx86)
DRV - File not found [Kernel | Disabled | Running] -- -- (ccHP)
DRV - File not found [Kernel | Disabled | Running] -- -- (BHDrvx86)
DRV - [2009/05/14 14:49:26 | 00,055,768 | ---- | M] (ESET) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\epfwtdi.sys -- (epfwtdi)
DRV - [2009/05/14 14:49:26 | 00,033,096 | ---- | M] (ESET) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\epfwndis.sys -- (Epfwndis)
DRV - [2009/05/14 14:49:22 | 00,133,000 | ---- | M] (ESET) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\epfw.sys -- (epfw)
DRV - [2009/05/14 14:47:14 | 00,107,256 | ---- | M] (ESET) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ehdrv.sys -- (ehdrv)
DRV - [2009/05/14 14:41:10 | 00,114,472 | ---- | M] (ESET) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\eamon.sys -- (eamon)
DRV - [2009/05/09 00:14:20 | 00,014,736 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nuidfltr.sys -- (NuidFltr)
DRV - [2008/06/10 15:04:26 | 00,031,048 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\point32.sys -- (Point32)
DRV - [2008/04/14 07:00:00 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2008/04/14 07:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2008/04/14 07:00:00 | 00,005,888 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\rootmdm.sys -- (ROOTMODEM)
DRV - [2008/04/13 23:15:14 | 00,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/04/13 18:53:58 | 00,011,868 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\mdmxsdk.sys -- (mdmxsdk)
DRV - [2008/04/13 18:53:54 | 01,041,536 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFDPSP2.sys -- (HSF_DP)
DRV - [2008/04/13 18:53:52 | 00,685,056 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFCXTS2.sys -- (winachsf)
DRV - [2008/04/13 18:53:50 | 00,220,032 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFBS2S2.sys -- (HSFHWBS2)
DRV - [2008/04/13 17:05:40 | 00,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2007/01/18 09:24:58 | 00,026,496 | R--- | M] (Research in Motion Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RimSerial.sys -- (RimVSerPort)
DRV - [2002/06/21 11:45:58 | 00,069,792 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ialmkchw.sys -- ({D31A0762-0CEB-444e-ACFF-B049A1F6FE91}) Intel® Graphics Chipset (KCH)
DRV - [2002/06/21 11:45:48 | 00,090,784 | ---- | M] (Intel Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ialmsbw.sys -- ({6080A529-897E-4629-A488-ABA0C29B635E}) Intel® Graphics Platform (SoftBIOS)
DRV - [2002/06/21 11:44:46 | 00,078,877 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ialmnt5.sys -- (ialm)
DRV - [2002/05/28 15:18:46 | 00,500,568 | ---- | M] (Analog Devices, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\smwdm.sys -- (smwdm)
DRV - [2002/04/01 13:15:00 | 00,004,816 | ---- | M] (Andrea Electronics Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\aeaudio.sys -- (aeaudio)
DRV - [2001/08/22 08:42:58 | 00,013,632 | ---- | M] (Dell Computer Corporation) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS -- (OMCI)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1229272821-573735546-842925246-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKU\S-1-5-21-1229272821-573735546-842925246-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\S-1-5-21-1229272821-573735546-842925246-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = EC 74 19 25 2A 92 CA 01 [binary data]
IE - HKU\S-1-5-21-1229272821-573735546-842925246-1003\S-1-5-21-1229272821-573735546-842925246-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1229272821-573735546-842925246-1003\S-1-5-21-1229272821-573735546-842925246-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

FF - HKLM\software\mozilla\Thunderbird\Extensions\\eplgTb@eset.com: C:\Program Files\ESET\ESET Smart Security\Mozilla Thunderbird [2009/06/13 21:41:50 | 00,000,000 | ---D | M]

[2009/03/05 10:01:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Chantel\Application Data\Mozilla\Extensions
[2009/03/05 10:01:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Chantel\Application Data\Mozilla\Extensions\mozswing@mozswing.org

O1 HOSTS File: (734 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [egui] C:\Program Files\ESET\ESET Smart Security\egui.exe (ESET)
O4 - HKLM..\Run: [GrooveMonitor] C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe (Microsoft Corporation)
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [IntelliPoint] C:\Program Files\Microsoft IntelliPoint\ipoint.exe (Microsoft Corporation)
O4 - HKLM..\Run: [itype] C:\Program Files\Microsoft IntelliType Pro\itype.exe (Microsoft Corporation)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKU\S-1-5-21-1229272821-573735546-842925246-1003..\Run: [cdloader] C:\Documents and Settings\Chantel\Application Data\mjusbsp\cdloader2.exe (magicJack L.P.)
O4 - HKU\S-1-5-21-1229272821-573735546-842925246-1003..\Run: [twunk_32x.exe] C:\DOCUME~1\Chantel\LOCALS~1\Temp\twunk_32x.exe File not found
O4 - HKU\S-1-5-21-1229272821-573735546-842925246-1003..\Run: [Windows Updates] c:\windows\system\Update.exe File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1229272821-573735546-842925246-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.8.cab (DLM Control)
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} http://lads.myspace.com/upload/MySpaceUploader1006.cab (MySpace Uploader Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/microsoftupdat...b?1236037679937 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1236037670734 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_05)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 75.95.21.12 64.13.46.12 64.13.115.12
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/01/21 13:25:36 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\F\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\autorun.exe -- File not found
O33 - MountPoints2\F\Shell\phone\command - "" = F:\autorun.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2009/01/21 13:24:33 | 00,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Error starting restore point: 317
Error closing restore point: The sequence number is invalid.

========== Files/Folders - Created Within 30 Days ==========

[2010/01/12 19:59:02 | 00,544,256 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Chantel\Desktop\OTL.exe
[2010/01/12 14:55:05 | 00,472,064 | ---- | C] ( ) -- C:\Documents and Settings\Chantel\Desktop\RootRepeal.exe
[2010/01/11 21:50:43 | 00,000,000 | -HSD | C] -- C:\Documents and Settings\Chantel\IECompatCache
[2010/01/11 21:32:25 | 00,000,000 | ---D | C] -- C:\_OTM
[2010/01/11 20:59:15 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/01/11 18:51:14 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Chantel\Local Settings\Application Data\Identities
[2010/01/11 18:37:16 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\NAV\1101000.013
[2010/01/11 18:36:52 | 00,000,000 | ---D | C] -- C:\Program Files\Norton AntiVirus
[2010/01/11 18:11:14 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Chantel\Local Settings\Application Data\Tific
[2010/01/11 18:05:48 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Chantel\Application Data\Tific
[2010/01/11 17:46:08 | 00,000,000 | ---D | C] -- C:\Program Files\Windows Sidebar
[2010/01/11 17:46:08 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\NAV
[2010/01/11 17:45:57 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Norton
[2010/01/11 17:45:36 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NortonInstaller
[2010/01/11 17:07:55 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Chantel\Application Data\AVG8
[2010/01/06 15:49:20 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Chantel\Local Settings\Application Data\magicJack
[2009/07/23 09:55:21 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2009/06/30 12:40:16 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\ESET
[2009/06/19 21:04:15 | 01,228,240 | ---- | C] (Adobe Systems Incorporated) -- C:\Program Files\ADBEPHSPCS4_LS1.exe
[2009/03/22 14:26:25 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2009/03/11 10:08:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2009/01/21 13:25:21 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009/01/21 13:25:21 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft

========== Files - Modified Within 30 Days ==========

[2010/01/12 19:59:16 | 00,544,256 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Chantel\Desktop\OTL.exe
[2010/01/12 14:55:51 | 00,000,000 | ---- | M] () -- C:\Documents and Settings\Chantel\Desktop\settings.dat
[2010/01/12 14:55:07 | 00,472,064 | ---- | M] ( ) -- C:\Documents and Settings\Chantel\Desktop\RootRepeal.exe
[2010/01/12 14:50:09 | 00,524,288 | ---- | M] () -- C:\Documents and Settings\Chantel\Desktop\dds.scr
[2010/01/12 12:52:58 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/01/12 12:52:13 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/01/12 12:52:10 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/01/12 10:50:26 | 06,291,456 | -H-- | M] () -- C:\Documents and Settings\Chantel\Local Settings\Application Data\IconCache.db
[2010/01/12 10:44:23 | 00,001,016 | ---- | M] () -- C:\Documents and Settings\Chantel\Desktop\magicJack.lnk
[2010/01/11 21:34:28 | 02,621,440 | -H-- | M] () -- C:\Documents and Settings\Chantel\NTUSER.DAT
[2010/01/11 21:34:23 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\Chantel\ntuser.ini
[2010/01/11 18:42:40 | 00,608,378 | ---- | M] () -- C:\WINDOWS\System32\drivers\NAV\1101000.013\Cat.DB
[2010/01/11 16:33:06 | 00,000,008 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\sysReserve.ini
[2010/01/04 15:57:45 | 00,012,113 | ---- | M] () -- C:\Documents and Settings\Chantel\My Documents\resumecover.docx
[2010/01/04 15:56:37 | 00,011,925 | ---- | M] () -- C:\Documents and Settings\Chantel\My Documents\resumecover-onlinelisting.docx
[2010/01/04 00:01:31 | 00,044,032 | ---- | M] () -- C:\Documents and Settings\Chantel\My Documents\resume-updated01012010-regword.doc
[2010/01/04 00:01:02 | 00,044,032 | ---- | M] () -- C:\Documents and Settings\Chantel\My Documents\resume-updated01012010-onlinelisting-regword.doc
[2010/01/04 00:00:40 | 00,024,662 | ---- | M] () -- C:\Documents and Settings\Chantel\My Documents\resume-updated01012010-onlinelisting.docx
[2010/01/04 00:00:11 | 00,024,909 | ---- | M] () -- C:\Documents and Settings\Chantel\My Documents\resume-updated01012010.docx
[2010/01/03 22:20:39 | 00,000,942 | ---- | M] () -- C:\Documents and Settings\Chantel\My Documents\Shortcut to IMAG0038.lnk
[2010/01/03 15:51:03 | 00,413,578 | ---- | M] () -- C:\Documents and Settings\Chantel\My Documents\daily_report_card.pdf

========== Files Created - No Company Name ==========

[2010/01/12 14:55:51 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\Chantel\Desktop\settings.dat
[2010/01/12 14:50:04 | 00,524,288 | ---- | C] () -- C:\Documents and Settings\Chantel\Desktop\dds.scr
[2010/01/11 18:42:19 | 00,608,378 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1101000.013\Cat.DB
[2010/01/11 18:33:23 | 00,000,942 | ---- | C] () -- C:\Documents and Settings\Chantel\My Documents\Shortcut to IMAG0038.lnk
[2010/01/11 16:33:06 | 00,000,008 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\sysReserve.ini
[2010/01/04 15:57:45 | 00,012,113 | ---- | C] () -- C:\Documents and Settings\Chantel\My Documents\resumecover.docx
[2010/01/04 15:56:36 | 00,011,925 | ---- | C] () -- C:\Documents and Settings\Chantel\My Documents\resumecover-onlinelisting.docx
[2010/01/04 00:01:31 | 00,044,032 | ---- | C] () -- C:\Documents and Settings\Chantel\My Documents\resume-updated01012010-regword.doc
[2010/01/04 00:01:02 | 00,044,032 | ---- | C] () -- C:\Documents and Settings\Chantel\My Documents\resume-updated01012010-onlinelisting-regword.doc
[2010/01/03 23:58:03 | 00,024,662 | ---- | C] () -- C:\Documents and Settings\Chantel\My Documents\resume-updated01012010-onlinelisting.docx
[2010/01/03 23:56:44 | 00,024,909 | ---- | C] () -- C:\Documents and Settings\Chantel\My Documents\resume-updated01012010.docx
[2010/01/03 15:51:03 | 00,413,578 | ---- | C] () -- C:\Documents and Settings\Chantel\My Documents\daily_report_card.pdf
[2009/06/19 21:04:16 | 85,386,0607 | ---- | C] () -- C:\Program Files\ADBEPHSPCS4_LS1.7z
[2009/06/13 21:28:52 | 36,116,992 | ---- | C] () -- C:\Program Files\ess_nt32_enu.msi
[2009/04/30 21:55:36 | 00,003,584 | ---- | C] () -- C:\Documents and Settings\Chantel\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/01/21 13:47:46 | 00,266,240 | ---- | C] () -- C:\WINDOWS\System32\shpshftr.dll
[2009/01/21 13:47:18 | 00,028,672 | ---- | C] () -- C:\WINDOWS\System32\igfxdgps.dll
[2009/01/21 13:47:18 | 00,009,785 | ---- | C] () -- C:\WINDOWS\System32\drivers\a312.sys

========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >
[2009/04/05 15:34:06 | 52,644,3824 | ---- | M] (Microsoft Corporation) -- C:\Enterprise.exe


< MD5 for: ATAPI.SYS >
[2008/04/14 07:00:00 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/14 07:00:00 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\dllcache\eventlog.dll
[2008/04/14 07:00:00 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/16 23:50:12 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=06CF9EEDB7E827205C6948C9DAF56974 -- C:\WINDOWS\system32\dllcache\netlogon.dll
[2008/04/16 23:50:12 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=06CF9EEDB7E827205C6948C9DAF56974 -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: SCECLI.DLL >
[2008/04/14 07:00:00 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\dllcache\scecli.dll
[2008/04/14 07:00:00 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2009/03/08 03:31:44 | 00,348,160 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtmsft.dll
[2009/03/08 03:31:38 | 00,216,064 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtrans.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 130 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:FF9C44FE
@Alternate Data Stream - 124 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5AE33054
@Alternate Data Stream - 123 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0DFE2AE1
@Alternate Data Stream - 118 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0860D6D6
@Alternate Data Stream - 116 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:7AF9CAEB
@Alternate Data Stream - 111 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:6BD304B9
@Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:957E9765
@Alternate Data Stream - 103 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:9026FFAC
< End of report >




And here is the Extras.txt log:
OTL Extras logfile created on: 1/12/2010 8:00:22 PM - Run 1
OTL by OldTimer - Version 3.1.24.0 Folder = C:\Documents and Settings\Chantel\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

510.00 Mb Total Physical Memory | 201.00 Mb Available Physical Memory | 39.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 70.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.27 Gb Total Space | 24.03 Gb Free Space | 64.47% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DELL-29A5164C7E
Current User Name: Chantel
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MI1933~1\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- (Apple Inc.)
"C:\Program Files\LimeWire\LimeWire.exe" = C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire -- File not found
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE" = C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE" = C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote -- (Microsoft Corporation)
"C:\Documents and Settings\Chantel\Application Data\mjusbsp\magicJack.exe" = C:\Documents and Settings\Chantel\Application Data\mjusbsp\magicJack.exe:*:Enabled:magicJack -- (magicJack L.P.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{02F6993D-B763-4F40-8F93-2A9CD97586E3}" = Microsoft IntelliType Pro 6.3
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java™ 6 Update 5
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{66A9D30D-1464-4C7F-B2F3-507DADAF2595}" = Microsoft IntelliPoint 6.3
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{71CBF9BB-7E07-4A9D-BF30-84C11810B242}" = ESET Smart Security
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A25392D-C5D2-4E79-A2BD-C15DDC5B0959}" = Bonjour
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Extreme Graphics Driver Software
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISER_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISER_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISER_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISER_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISER_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{91120000-0030-0000-0000-0000000FF1CE}_ENTERPRISER_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-0030-0000-0000-0000000FF1CE}_ENTERPRISER_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{AC76BA86-7AD7-1033-7B44-A91000000001}" = Adobe Reader 9.1
"{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
"{BDCF27CA-BFC4-4F49-8D24-A925C9505AB8}" = Windows Rights Management Client with Service Pack 2
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D78653C3-A8FF-415F-92E6-D774E634FF2D}" = Dell ResourceCD
"{EC905264-BCFE-423B-9C42-C3A106266790}" = Windows Rights Management Client Backwards Compatibility SP2
"{ECA1A3B6-898F-4DCE-9F04-714CF3BA126B}" = Adobe Flash Player 10 Plugin
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"Adobe Shockwave Player" = Adobe Shockwave Player
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"ENTERPRISER" = Microsoft Office Enterprise 2007
"ie8" = Windows Internet Explorer 8
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft Silverlight" = Microsoft Silverlight
"ST6UNST #1" = Magic Berry
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Windows Rights Management Client" = Windows Rights Management Client with Service Pack 2
"Windows Rights Management Client Backwards" = Windows Rights Management Client Backwards Compatibility SP2

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 1/11/2010 5:44:02 PM | Computer Name = DELL-29A5164C7E | Source = Application Error | ID = 1001
Description = Fault bucket 1534630186.

Error - 1/11/2010 7:32:55 PM | Computer Name = DELL-29A5164C7E | Source = Application Error | ID = 1000
Description = Faulting application msiexec.exe, version 4.5.6001.22159, faulting
module msi77e9.tmp, version 1.42.8651.0, fault address 0x0000b116.

Error - 1/11/2010 7:33:03 PM | Computer Name = DELL-29A5164C7E | Source = Application Error | ID = 1001
Description = Fault bucket 1654642843.

Error - 1/11/2010 10:07:57 PM | Computer Name = DELL-29A5164C7E | Source = Application Hang | ID = 1002
Description = Hanging application mbam-setup[1].tmp, version 51.50.0.0, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 1/11/2010 10:08:02 PM | Computer Name = DELL-29A5164C7E | Source = Application Hang | ID = 1001
Description = Fault bucket 1590624153.

Error - 1/11/2010 10:48:33 PM | Computer Name = DELL-29A5164C7E | Source = Application Error | ID = 1000
Description = Faulting application vczftyjn.exe, version 1.0.15.15281, faulting
module vczftyjn.exe, version 1.0.15.15281, fault address 0x0000c4b1.

Error - 1/12/2010 2:41:40 PM | Computer Name = DELL-29A5164C7E | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module unknown, version 0.0.0.0, fault address 0x08a1fffb.

Error - 1/12/2010 2:41:44 PM | Computer Name = DELL-29A5164C7E | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module unknown, version 0.0.0.0, fault address 0x071afffb.

Error - 1/12/2010 2:41:55 PM | Computer Name = DELL-29A5164C7E | Source = Application Error | ID = 1001
Description = Fault bucket 1611107091.

Error - 1/12/2010 2:41:55 PM | Computer Name = DELL-29A5164C7E | Source = Application Error | ID = 1001
Description = Fault bucket 1648466159.

[ OSession Events ]
Error - 9/15/2009 12:20:32 PM | Computer Name = DELL-29A5164C7E | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 487
seconds with 180 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 1/11/2010 11:25:24 PM | Computer Name = DELL-29A5164C7E | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM
Service service to connect.

Error - 1/11/2010 11:25:24 PM | Computer Name = DELL-29A5164C7E | Source = Service Control Manager | ID = 7000
Description = The IMAPI CD-Burning COM Service service failed to start due to the
following error: %%1053

Error - 1/12/2010 11:44:31 AM | Computer Name = DELL-29A5164C7E | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the Norton AntiVirus service
to connect.

Error - 1/12/2010 11:44:31 AM | Computer Name = DELL-29A5164C7E | Source = Service Control Manager | ID = 7000
Description = The Norton AntiVirus service failed to start due to the following
error: %%1053

Error - 1/12/2010 11:44:31 AM | Computer Name = DELL-29A5164C7E | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM
Service service to connect.

Error - 1/12/2010 11:44:31 AM | Computer Name = DELL-29A5164C7E | Source = Service Control Manager | ID = 7000
Description = The IMAPI CD-Burning COM Service service failed to start due to the
following error: %%1053

Error - 1/12/2010 1:53:39 PM | Computer Name = DELL-29A5164C7E | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the Norton AntiVirus service
to connect.

Error - 1/12/2010 1:53:39 PM | Computer Name = DELL-29A5164C7E | Source = Service Control Manager | ID = 7000
Description = The Norton AntiVirus service failed to start due to the following
error: %%1053

Error - 1/12/2010 1:53:39 PM | Computer Name = DELL-29A5164C7E | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM
Service service to connect.

Error - 1/12/2010 1:53:39 PM | Computer Name = DELL-29A5164C7E | Source = Service Control Manager | ID = 7000
Description = The IMAPI CD-Burning COM Service service failed to start due to the
following error: %%1053


< End of report >



During the scan, my computer ran fine, but now it seems my computer is "searching" for the keys I'm typing on my keyboard.

#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 13 January 2010 - 08:03 AM


Please download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.



===================



Run OTL.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    CODE
    :OTL
    O4 - HKU\S-1-5-21-1229272821-573735546-842925246-1003..\Run: [twunk_32x.exe] C:\DOCUME~1\Chantel\LOCALS~1\Temp\twunk_32x.exe File not found
    O4 - HKU\S-1-5-21-1229272821-573735546-842925246-1003..\Run: [Windows Updates] c:\windows\system\Update.exe File not found
    @Alternate Data Stream - 130 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:FF9C44FE
    @Alternate Data Stream - 124 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5AE33054
    @Alternate Data Stream - 123 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0DFE2AE1
    @Alternate Data Stream - 118 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0860D6D6
    @Alternate Data Stream - 116 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:7AF9CAEB
    @Alternate Data Stream - 111 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:6BD304B9
    @Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:957E9765
    @Alternate Data Stream - 103 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:9026FFAC

    :Commands
    [purity]
    [emptytemp]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • You will get a log that shows the results of the fix. Please post it.
  • Then also run and post a new OTL log.


==================



Download Kenco.exe to your desktop
  • Close all windows and run the program
  • It won't take long to run. Post the log it gives you (it will also be saved in the same place as Kenco.exe).

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================
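The fix in the post above is built by pasting OTL's own log lines back in under ":OTL". What follows is an added example, not part of this thread and not OTL's code: a small Python triage helper that parses OTL-style O4 Run entries and "@Alternate Data Stream" lines, flags the ones a helper would normally pull into a fix (target reported as "File not found", path under a Temp folder, no publisher, or a named stream other than the mark-of-the-web Zone.Identifier), and prints a fix block in the same shape as the one posted. The sample log is constructed from lines in this thread; the [egui] and [updater] entries and the Zone.Identifier stream are invented so the benign and Temp-folder cases are exercised, and the heuristics are assumptions of this example, not OTL's own rules.

```python
"""Triage helper for OTL-style log lines.

Added example for this thread: not part of the original post and not OTL's
own code. It parses the two kinds of lines the helper pasted into the fix
(O4 Run entries and '@Alternate Data Stream' lines), applies simple review
heuristics, and emits an ':OTL' fix block in the same shape as the post.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample modelled on this thread's logs (not a real capture).
# The [egui] and [updater] lines and the Zone.Identifier stream are invented
# to exercise the benign / Temp-folder / mark-of-the-web paths.
SAMPLE_LOG = r"""
O4 - HKLM..\Run: [egui] C:\Program Files\ESET\ESET Smart Security\egui.exe (ESET)
O4 - HKU\S-1-5-21-1229272821-573735546-842925246-1003..\Run: [twunk_32x.exe] C:\DOCUME~1\Chantel\LOCALS~1\Temp\twunk_32x.exe File not found
O4 - HKU\S-1-5-21-1229272821-573735546-842925246-1003..\Run: [Windows Updates] c:\windows\system\Update.exe File not found
O4 - HKU\S-1-5-21-1229272821-573735546-842925246-1003..\Run: [updater] C:\Documents and Settings\Chantel\Local Settings\Temp\updater.exe ()
@Alternate Data Stream - 130 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:FF9C44FE
@Alternate Data Stream - 124 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5AE33054
@Alternate Data Stream - 26 bytes -> C:\Documents and Settings\Chantel\Desktop\dds.scr:Zone.Identifier
"""

MISSING = "File not found"
RUN_RE = re.compile(r"^O4 - (?P<hive>.+?)\\Run: \[(?P<name>[^\]]*)\] (?P<rest>.*)$")
PUB_RE = re.compile(r"^(?P<path>.*?)\s*\((?P<pub>[^()]*)\)$")
ADS_RE = re.compile(r"^@Alternate Data Stream - (?P<size>\d+) bytes -> (?P<path>.+):(?P<stream>[^:\\]+)$")

# Assumed heuristic: legitimate autostarts do not live under a user's Temp folder.
TEMP_MARKERS = ("\\temp\\", "\\locals~1\\", "\\local settings\\")
# Zone.Identifier is the mark-of-the-web stream added to downloaded files;
# any other named stream is listed for review (assumption of this example).
BENIGN_STREAMS = {"zone.identifier"}


@dataclass
class RunEntry:
    raw: str
    hive: str
    name: str
    path: str
    publisher: Optional[str]   # None when OTL printed no "(Company)" suffix
    missing: bool              # OTL appended "File not found"


@dataclass
class AdsEntry:
    raw: str
    size: int
    path: str
    stream: str


def parse_run_entries(log_text: str) -> List[RunEntry]:
    """Parse 'O4 - <hive>\\Run: [name] <path> (<publisher>|File not found)' lines."""
    entries = []
    for line in log_text.splitlines():
        m = RUN_RE.match(line.strip())
        if not m:
            continue
        rest = m.group("rest").strip()
        publisher, missing = None, False
        if rest.endswith(MISSING):
            path = rest[: -len(MISSING)].strip()
            missing = True
        else:
            pm = PUB_RE.match(rest)
            path = pm.group("path").strip() if pm else rest
            publisher = pm.group("pub").strip() if pm else None
        entries.append(RunEntry(line.strip(), m.group("hive"), m.group("name"), path, publisher, missing))
    return entries


def parse_ads_entries(log_text: str) -> List[AdsEntry]:
    """Parse '@Alternate Data Stream - N bytes -> <path>:<stream>' lines."""
    entries = []
    for line in log_text.splitlines():
        m = ADS_RE.match(line.strip())
        if m:
            entries.append(AdsEntry(line.strip(), int(m.group("size")), m.group("path"), m.group("stream")))
    return entries


def is_suspicious_run(e: RunEntry) -> bool:
    """Flag autostarts whose target is gone, lives in Temp, or carries no publisher."""
    low = e.path.lower()
    return e.missing or any(marker in low for marker in TEMP_MARKERS) or not e.publisher


def is_suspicious_ads(e: AdsEntry) -> bool:
    return e.stream.lower() not in BENIGN_STREAMS


def build_otl_fix(log_text: str) -> str:
    """Emit the fix block in the form pasted into OTL's Custom Scans/Fixes box."""
    lines = [":OTL"]
    lines += [e.raw for e in parse_run_entries(log_text) if is_suspicious_run(e)]
    lines += [a.raw for a in parse_ads_entries(log_text) if is_suspicious_ads(a)]
    lines += ["", ":Commands", "[purity]", "[emptytemp]", "[Reboot]"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_otl_fix(SAMPLE_LOG))
```

The printed block is what a helper would paste into the Custom Scans/Fixes box; each flagged line is a prompt to look, not proof of malware, so review the target and stream names before running a fix, as the helper in this thread did by hand.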

#5 cyellett

cyellett
  • Topic Starter

  • Members
  • 10 posts

Posted 13 January 2010 - 10:03 AM

Sam,

At first it would not let me DL the new version of Java. But eventually (after about 6 tries) it did. (My IE would keep exiting.)

Here's the result of the custom OTL log: (I did not scan all users like before.)
All processes killed
========== OTL ==========
Registry value HKEY_USERS\S-1-5-21-1229272821-573735546-842925246-1003\Software\Microsoft\Windows\CurrentVersion\Run\\twunk_32x.exe deleted successfully.
Registry value HKEY_USERS\S-1-5-21-1229272821-573735546-842925246-1003\Software\Microsoft\Windows\CurrentVersion\Run\\Windows Updates not found.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:FF9C44FE deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:5AE33054 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:0DFE2AE1 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:0860D6D6 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:7AF9CAEB deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:6BD304B9 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:957E9765 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:9026FFAC deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 11540 bytes
->Temporary Internet Files folder emptied: 242508 bytes

User: All Users

User: Chantel
->Temp folder emptied: 695926 bytes
->Temporary Internet Files folder emptied: 56369536 bytes
->Java cache emptied: 13690431 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 29254855 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 96.00 mb


OTL by OldTimer - Version 3.1.24.0 log created on 01132010_095833

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...




And here's the result of OTL run after the reboot: (I did not do a custom scan, and I did not scan all users)
OTL logfile created on: 1/13/2010 10:04:40 AM - Run 2
OTL by OldTimer - Version 3.1.24.0 Folder = C:\Documents and Settings\Chantel\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

510.00 Mb Total Physical Memory | 208.00 Mb Available Physical Memory | 41.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 80.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.27 Gb Total Space | 23.99 Gb Free Space | 64.37% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DELL-29A5164C7E
Current User Name: Chantel
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/01/13 09:57:09 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2010/01/13 09:57:09 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2010/01/12 19:59:16 | 00,544,256 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Chantel\Desktop\OTL.exe
PRC - [2009/05/14 14:47:54 | 00,731,840 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET Smart Security\ekrn.exe
PRC - [2009/05/14 14:47:08 | 02,029,640 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET Smart Security\egui.exe
PRC - [2009/03/08 13:09:26 | 00,638,816 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2009/02/27 16:10:28 | 00,035,696 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
PRC - [2008/10/25 10:44:34 | 00,031,072 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
PRC - [2008/08/29 10:18:44 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2008/07/03 06:38:24 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/06/10 14:56:31 | 01,406,024 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft IntelliPoint\ipoint.exe
PRC - [2008/06/10 14:56:29 | 01,442,888 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft IntelliType Pro\itype.exe
PRC - [2002/06/19 19:05:10 | 00,114,688 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\hkcmd.exe


========== Modules (SafeList) ==========

MOD - [2010/01/12 19:59:16 | 00,544,256 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Chantel\Desktop\OTL.exe


========== Win32 Services (SafeList) ==========

SRV - [2010/01/13 09:57:09 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009/05/14 14:54:22 | 00,020,680 | ---- | M] (ESET) [On_Demand | Stopped] -- C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe -- (EhttpSrv)
SRV - [2009/05/14 14:47:54 | 00,731,840 | ---- | M] (ESET) [Auto | Running] -- C:\Program Files\ESET\ESET Smart Security\ekrn.exe -- (ekrn)
SRV - [2008/11/04 00:06:28 | 00,441,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv)
SRV - [2008/10/25 10:44:08 | 00,065,888 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe -- (Microsoft Office Groove Audit Service)
SRV - [2008/08/29 10:18:44 | 00,238,888 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2006/10/26 13:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
SRV - [2004/10/22 03:24:18 | 00,073,728 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe -- (IDriverT)


========== Driver Services (SafeList) ==========

DRV - [2009/05/14 14:49:26 | 00,055,768 | ---- | M] (ESET) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\epfwtdi.sys -- (epfwtdi)
DRV - [2009/05/14 14:49:26 | 00,033,096 | ---- | M] (ESET) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\epfwndis.sys -- (Epfwndis)
DRV - [2009/05/14 14:49:22 | 00,133,000 | ---- | M] (ESET) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\epfw.sys -- (epfw)
DRV - [2009/05/14 14:47:14 | 00,107,256 | ---- | M] (ESET) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ehdrv.sys -- (ehdrv)
DRV - [2009/05/14 14:41:10 | 00,114,472 | ---- | M] (ESET) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\eamon.sys -- (eamon)
DRV - [2009/05/09 00:14:20 | 00,014,736 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nuidfltr.sys -- (NuidFltr)
DRV - [2008/06/10 15:04:26 | 00,031,048 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\point32.sys -- (Point32)
DRV - [2008/04/14 07:00:00 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2008/04/14 07:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2008/04/14 07:00:00 | 00,005,888 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\rootmdm.sys -- (ROOTMODEM)
DRV - [2008/04/13 23:15:14 | 00,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/04/13 18:53:58 | 00,011,868 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\mdmxsdk.sys -- (mdmxsdk)
DRV - [2008/04/13 18:53:54 | 01,041,536 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFDPSP2.sys -- (HSF_DP)
DRV - [2008/04/13 18:53:52 | 00,685,056 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFCXTS2.sys -- (winachsf)
DRV - [2008/04/13 18:53:50 | 00,220,032 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFBS2S2.sys -- (HSFHWBS2)
DRV - [2008/04/13 17:05:40 | 00,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2007/01/18 09:24:58 | 00,026,496 | R--- | M] (Research in Motion Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RimSerial.sys -- (RimVSerPort)
DRV - [2002/06/21 11:45:58 | 00,069,792 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ialmkchw.sys -- ({D31A0762-0CEB-444e-ACFF-B049A1F6FE91}) Intel® Graphics Chipset (KCH)
DRV - [2002/06/21 11:45:48 | 00,090,784 | ---- | M] (Intel Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ialmsbw.sys -- ({6080A529-897E-4629-A488-ABA0C29B635E}) Intel® Graphics Platform (SoftBIOS)
DRV - [2002/06/21 11:44:46 | 00,078,877 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ialmnt5.sys -- (ialm)
DRV - [2002/05/28 15:18:46 | 00,500,568 | ---- | M] (Analog Devices, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\smwdm.sys -- (smwdm)
DRV - [2002/04/01 13:15:00 | 00,004,816 | ---- | M] (Andrea Electronics Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\aeaudio.sys -- (aeaudio)
DRV - [2001/08/22 08:42:58 | 00,013,632 | ---- | M] (Dell Computer Corporation) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS -- (OMCI)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = EC 74 19 25 2A 92 CA 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

FF - HKLM\software\mozilla\Thunderbird\Extensions\\eplgTb@eset.com: C:\Program Files\ESET\ESET Smart Security\Mozilla Thunderbird [2009/06/13 21:41:50 | 00,000,000 | ---D | M]

[2009/03/05 10:01:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Chantel\Application Data\Mozilla\Extensions
[2009/03/05 10:01:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Chantel\Application Data\Mozilla\Extensions\mozswing@mozswing.org

O1 HOSTS File: (734 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [egui] C:\Program Files\ESET\ESET Smart Security\egui.exe (ESET)
O4 - HKLM..\Run: [GrooveMonitor] C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe (Microsoft Corporation)
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [IntelliPoint] C:\Program Files\Microsoft IntelliPoint\ipoint.exe (Microsoft Corporation)
O4 - HKLM..\Run: [itype] C:\Program Files\Microsoft IntelliType Pro\itype.exe (Microsoft Corporation)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKCU..\Run: [cdloader] C:\Documents and Settings\Chantel\Application Data\mjusbsp\cdloader2.exe (magicJack L.P.)
O4 - HKCU..\Run: [Windows Updates] c:\windows\system\Update.exe File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.8.cab (DLM Control)
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} http://lads.myspace.com/upload/MySpaceUploader1006.cab (MySpace Uploader Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/microsoftupdat...b?1236037679937 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1236037670734 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 75.95.21.12 64.13.46.12 64.13.115.12
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/01/21 13:25:36 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\F\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\autorun.exe -- File not found
O33 - MountPoints2\F\Shell\phone\command - "" = F:\autorun.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/01/13 09:58:33 | 00,000,000 | ---D | C] -- C:\_OTL
[2010/01/13 09:57:26 | 00,411,368 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deploytk.dll
[2010/01/13 09:57:26 | 00,149,280 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/01/13 09:57:26 | 00,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/01/13 09:57:26 | 00,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/01/13 09:55:34 | 00,800,544 | ---- | C] (Sun Microsystems, Inc.) -- C:\Documents and Settings\Chantel\Desktop\JavaSetup6u17-rv.exe
[2010/01/13 09:47:46 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Chantel\Desktop\JavaRa
[2010/01/12 19:59:02 | 00,544,256 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Chantel\Desktop\OTL.exe
[2010/01/12 14:55:05 | 00,472,064 | ---- | C] ( ) -- C:\Documents and Settings\Chantel\Desktop\RootRepeal.exe
[2010/01/11 21:50:43 | 00,000,000 | -HSD | C] -- C:\Documents and Settings\Chantel\IECompatCache
[2010/01/11 21:32:25 | 00,000,000 | ---D | C] -- C:\_OTM
[2010/01/11 20:59:15 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/01/11 18:51:14 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Chantel\Local Settings\Application Data\Identities
[2010/01/11 18:37:16 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\NAV\1101000.013
[2010/01/11 18:11:14 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Chantel\Local Settings\Application Data\Tific
[2010/01/11 18:05:48 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Chantel\Application Data\Tific
[2010/01/11 17:46:08 | 00,000,000 | ---D | C] -- C:\Program Files\Windows Sidebar
[2010/01/11 17:46:08 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\NAV
[2010/01/11 17:45:57 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Norton
[2010/01/11 17:45:36 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NortonInstaller
[2010/01/11 17:07:55 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Chantel\Application Data\AVG8
[2010/01/06 15:49:20 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Chantel\Local Settings\Application Data\magicJack
[2009/07/23 09:55:21 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2009/06/30 12:40:16 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\ESET
[2009/06/19 21:04:15 | 01,228,240 | ---- | C] (Adobe Systems Incorporated) -- C:\Program Files\ADBEPHSPCS4_LS1.exe
[2009/03/22 14:26:25 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2009/03/11 10:08:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2009/01/21 13:25:21 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009/01/21 13:25:21 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft

========== Files - Modified Within 30 Days ==========

[2010/01/13 10:01:58 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/01/13 10:01:33 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/01/13 10:01:30 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/01/13 10:00:46 | 02,621,440 | -H-- | M] () -- C:\Documents and Settings\Chantel\NTUSER.DAT
[2010/01/13 10:00:46 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\Chantel\ntuser.ini
[2010/01/13 09:57:09 | 00,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deploytk.dll
[2010/01/13 09:57:09 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/01/13 09:57:09 | 00,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/01/13 09:57:09 | 00,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/01/13 09:57:09 | 00,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/01/13 09:55:43 | 00,800,544 | ---- | M] (Sun Microsystems, Inc.) -- C:\Documents and Settings\Chantel\Desktop\JavaSetup6u17-rv.exe
[2010/01/13 09:47:25 | 00,071,798 | ---- | M] () -- C:\Documents and Settings\Chantel\Desktop\JavaRa.zip
[2010/01/13 09:46:05 | 14,452,040 | ---- | M] () -- C:\Documents and Settings\Chantel\Desktop\winzip140.exe
[2010/01/12 19:59:16 | 00,544,256 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Chantel\Desktop\OTL.exe
[2010/01/12 14:55:51 | 00,000,000 | ---- | M] () -- C:\Documents and Settings\Chantel\Desktop\settings.dat
[2010/01/12 14:55:07 | 00,472,064 | ---- | M] ( ) -- C:\Documents and Settings\Chantel\Desktop\RootRepeal.exe
[2010/01/12 14:50:09 | 00,524,288 | ---- | M] () -- C:\Documents and Settings\Chantel\Desktop\dds.scr
[2010/01/12 10:50:26 | 06,291,456 | -H-- | M] () -- C:\Documents and Settings\Chantel\Local Settings\Application Data\IconCache.db
[2010/01/12 10:44:23 | 00,001,016 | ---- | M] () -- C:\Documents and Settings\Chantel\Desktop\magicJack.lnk
[2010/01/11 18:42:40 | 00,608,378 | ---- | M] () -- C:\WINDOWS\System32\drivers\NAV\1101000.013\Cat.DB
[2010/01/11 16:33:06 | 00,000,008 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\sysReserve.ini
[2010/01/04 15:57:45 | 00,012,113 | ---- | M] () -- C:\Documents and Settings\Chantel\My Documents\resumecover.docx
[2010/01/04 15:56:37 | 00,011,925 | ---- | M] () -- C:\Documents and Settings\Chantel\My Documents\resumecover-onlinelisting.docx
[2010/01/04 00:01:31 | 00,044,032 | ---- | M] () -- C:\Documents and Settings\Chantel\My Documents\resume-updated01012010-regword.doc
[2010/01/04 00:01:02 | 00,044,032 | ---- | M] () -- C:\Documents and Settings\Chantel\My Documents\resume-updated01012010-onlinelisting-regword.doc
[2010/01/04 00:00:40 | 00,024,662 | ---- | M] () -- C:\Documents and Settings\Chantel\My Documents\resume-updated01012010-onlinelisting.docx
[2010/01/04 00:00:11 | 00,024,909 | ---- | M] () -- C:\Documents and Settings\Chantel\My Documents\resume-updated01012010.docx
[2010/01/03 22:20:39 | 00,000,942 | ---- | M] () -- C:\Documents and Settings\Chantel\My Documents\Shortcut to IMAG0038.lnk
[2010/01/03 15:51:03 | 00,413,578 | ---- | M] () -- C:\Documents and Settings\Chantel\My Documents\daily_report_card.pdf

========== Files Created - No Company Name ==========

[2010/01/13 09:47:25 | 00,071,798 | ---- | C] () -- C:\Documents and Settings\Chantel\Desktop\JavaRa.zip
[2010/01/13 09:34:52 | 14,452,040 | ---- | C] () -- C:\Documents and Settings\Chantel\Desktop\winzip140.exe
[2010/01/12 14:55:51 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\Chantel\Desktop\settings.dat
[2010/01/12 14:50:04 | 00,524,288 | ---- | C] () -- C:\Documents and Settings\Chantel\Desktop\dds.scr
[2010/01/11 18:42:19 | 00,608,378 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1101000.013\Cat.DB
[2010/01/11 18:33:23 | 00,000,942 | ---- | C] () -- C:\Documents and Settings\Chantel\My Documents\Shortcut to IMAG0038.lnk
[2010/01/11 16:33:06 | 00,000,008 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\sysReserve.ini
[2010/01/04 15:57:45 | 00,012,113 | ---- | C] () -- C:\Documents and Settings\Chantel\My Documents\resumecover.docx
[2010/01/04 15:56:36 | 00,011,925 | ---- | C] () -- C:\Documents and Settings\Chantel\My Documents\resumecover-onlinelisting.docx
[2010/01/04 00:01:31 | 00,044,032 | ---- | C] () -- C:\Documents and Settings\Chantel\My Documents\resume-updated01012010-regword.doc
[2010/01/04 00:01:02 | 00,044,032 | ---- | C] () -- C:\Documents and Settings\Chantel\My Documents\resume-updated01012010-onlinelisting-regword.doc
[2010/01/03 23:58:03 | 00,024,662 | ---- | C] () -- C:\Documents and Settings\Chantel\My Documents\resume-updated01012010-onlinelisting.docx
[2010/01/03 23:56:44 | 00,024,909 | ---- | C] () -- C:\Documents and Settings\Chantel\My Documents\resume-updated01012010.docx
[2010/01/03 15:51:03 | 00,413,578 | ---- | C] () -- C:\Documents and Settings\Chantel\My Documents\daily_report_card.pdf
[2009/06/19 21:04:16 | 85,386,0607 | ---- | C] () -- C:\Program Files\ADBEPHSPCS4_LS1.7z
[2009/06/13 21:28:52 | 36,116,992 | ---- | C] () -- C:\Program Files\ess_nt32_enu.msi
[2009/04/30 21:55:36 | 00,003,584 | ---- | C] () -- C:\Documents and Settings\Chantel\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/01/21 13:47:46 | 00,266,240 | ---- | C] () -- C:\WINDOWS\System32\shpshftr.dll
[2009/01/21 13:47:18 | 00,028,672 | ---- | C] () -- C:\WINDOWS\System32\igfxdgps.dll
[2009/01/21 13:47:18 | 00,009,785 | ---- | C] () -- C:\WINDOWS\System32\drivers\a312.sys
< End of report >


#6 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 13 January 2010 - 07:18 PM

Did you miss my last set of instructions with Kenco?



Run OTL.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    CODE
    :OTL
    O4 - HKCU..\Run: [Windows Updates] c:\windows\system\Update.exe File not found

    :Commands
    [purity]
    [emptytemp]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • You will get a log that shows the results of the fix. Please post it.
  • Then also run and post a new OTL log.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!
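The fix above works because OTL accepts its own log lines back as a script: everything under `:OTL` is matched against the live system and removed, and everything under `:Commands` is a bracketed directive. The Python below is an added example, not OldTimer's code and not something posted in this thread; it assumes only the O4 line layout visible in the logs here and OTL's `:OTL` / `:Commands` script layout. It parses the O4 autorun lines, flags the entry a helper would target first (a Run value whose target is reported as "File not found", or one outside Program Files/System32 with no company name), emits the fix script, and validates the `:Commands` section so that a directive missing its closing bracket is caught before it is pasted. The sample O4 lines are copied from the OTL log in this thread; the `TRUSTED_ROOTS` heuristic is the example's own assumption.

```python
"""Build and sanity-check an OTL custom fix from O4 (autorun) log lines.

Added example for this thread; not OldTimer's code. It assumes the OTL log
line format shown in the thread and OTL's :OTL / :Commands script layout.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: O4 lines copied from the OTL log posted in this thread.
SAMPLE_O4_LINES = r"""
O4 - HKLM..\Run: [egui] C:\Program Files\ESET\ESET Smart Security\egui.exe (ESET)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKCU..\Run: [cdloader] C:\Documents and Settings\Chantel\Application Data\mjusbsp\cdloader2.exe (magicJack L.P.)
O4 - HKCU..\Run: [Windows Updates] c:\windows\system\Update.exe File not found
"""

# One O4 line: hive, value name, path, optional "(Company)", optional "File not found".
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK(?:LM|CU))\.\.\\Run: \[(?P<name>[^\]]+)\] "
    r"(?P<path>.+?)(?: \((?P<company>[^()]*)\))?(?P<missing> File not found)?$"
)

# Assumed heuristic for this example: autoruns under these roots with a company
# name are treated as ordinary software; everything else gets a closer look.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\windows\\system32\\")

# Section names OTL understands in a custom fix.
KNOWN_SECTIONS = (":OTL", ":Commands", ":Files", ":Reg", ":Services", ":Processes")
DIRECTIVE_RE = re.compile(r"^\[[A-Za-z]+\]$")
LOG_LINE_RE = re.compile(r"^(O\d+|IE|FF|SRV|DRV|PRC|MOD) ")


@dataclass
class RunEntry:
    hive: str
    name: str
    path: str
    company: Optional[str]
    file_missing: bool
    raw: str  # the original log line, reused verbatim in the :OTL section


def parse_o4(text: str) -> List[RunEntry]:
    """Extract every O4 Run entry from an OTL log excerpt."""
    entries = []
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append(RunEntry(m["hive"], m["name"], m["path"], m["company"],
                                    m["missing"] is not None, line.strip()))
    return entries


def is_suspect(entry: RunEntry) -> bool:
    """True for an orphaned loader (target gone, as with [Windows Updates] here)
    or an unsigned-looking file living outside the usual program locations."""
    if entry.file_missing:
        return True
    return not entry.path.lower().startswith(TRUSTED_ROOTS) and not entry.company


def build_fix(entries: List[RunEntry],
              commands=("[purity]", "[emptytemp]", "[Reboot]")) -> str:
    """Assemble an OTL fix: suspect log lines under :OTL, directives under :Commands."""
    lines = [":OTL"] + [e.raw for e in entries if is_suspect(e)]
    lines += ["", ":Commands"] + list(commands)
    return "\n".join(lines) + "\n"


def validate_fix(script: str) -> List[str]:
    """Report problems that would make OTL reject or misread the script.
    A directive such as '[Reboot' with no closing bracket is the kind of
    mistake OTL reports as 'Unable to interpret ... in the current context'."""
    problems, section = [], None
    for n, line in enumerate(script.splitlines(), 1):
        s = line.strip()
        if not s:
            continue
        if s.startswith(":"):
            if s not in KNOWN_SECTIONS:
                problems.append(f"line {n}: unknown section {s}")
            section = s
        elif section == ":Commands":
            if not DIRECTIVE_RE.match(s):
                problems.append(f"line {n}: malformed directive {s!r}")
        elif section == ":OTL":
            if not LOG_LINE_RE.match(s):
                problems.append(f"line {n}: not an OTL log line {s!r}")
        else:
            problems.append(f"line {n}: text outside any section {s!r}")
    return problems


if __name__ == "__main__":
    entries = parse_o4(SAMPLE_O4_LINES)
    fix = build_fix(entries)
    print(fix)
    print("problems:", validate_fix(fix) or "none")
    print("problems in mangled copy:", validate_fix(fix.replace("[Reboot]", "[Reboot")))
```

Run it and the generated script contains only the `[Windows Updates]` line under `:OTL`, which is exactly what the instructions above target; the `cdloader` entry under Application Data is left alone because it carries a company name, and the mangled copy with `[Reboot` is reported as a malformed directive.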


========================================================

#7 cyellett

cyellett
  • Topic Starter

  • Members
  • 10 posts

Posted 13 January 2010 - 08:38 PM

Sorry, I completely didn't see that Kenco part.

Here is the Kenco report:
Kenco by jpshortstuff (31.12.09.1)
Log created at 20:32 on 13/01/2010 (Chantel)

========== Task Unlocker ==========

========== KencoScan ==========

========== C:\WINDOWS\Tasks ==========

-=E.O.F=-



Here is the OTL Run Fix Report:
All processes killed
========== OTL ==========
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\Windows Updates not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Chantel
->Temp folder emptied: 14609 bytes
->Temporary Internet Files folder emptied: 13037792 bytes
->Java cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 511 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 13.00 mb

Error: Unable to interpret <[Reboot> in the current context!

OTL by OldTimer - Version 3.1.24.0 log created on 01132010_203445

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...




And here is the OTL log after both were completed:

OTL logfile created on: 1/13/2010 8:37:51 PM - Run 3
OTL by OldTimer - Version 3.1.24.0 Folder = C:\Documents and Settings\Chantel\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

510.00 Mb Total Physical Memory | 179.00 Mb Available Physical Memory | 35.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 78.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.27 Gb Total Space | 23.99 Gb Free Space | 64.36% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DELL-29A5164C7E
Current User Name: Chantel
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/01/13 09:57:09 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2010/01/13 09:57:09 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2010/01/12 19:59:16 | 00,544,256 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Chantel\Desktop\OTL.exe
PRC - [2009/05/14 14:47:54 | 00,731,840 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET Smart Security\ekrn.exe
PRC - [2009/05/14 14:47:08 | 02,029,640 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET Smart Security\egui.exe
PRC - [2009/03/08 13:09:26 | 00,638,816 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2009/02/27 16:10:28 | 00,035,696 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
PRC - [2008/10/25 10:44:34 | 00,031,072 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
PRC - [2008/08/29 10:18:44 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2008/07/03 06:38:24 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/06/10 14:56:31 | 01,406,024 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft IntelliPoint\ipoint.exe
PRC - [2008/06/10 14:56:29 | 01,442,888 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft IntelliType Pro\itype.exe
PRC - [2002/06/19 19:05:10 | 00,114,688 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\hkcmd.exe


========== Modules (SafeList) ==========

MOD - [2010/01/12 19:59:16 | 00,544,256 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Chantel\Desktop\OTL.exe


========== Win32 Services (SafeList) ==========

SRV - [2010/01/13 09:57:09 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009/05/14 14:54:22 | 00,020,680 | ---- | M] (ESET) [On_Demand | Stopped] -- C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe -- (EhttpSrv)
SRV - [2009/05/14 14:47:54 | 00,731,840 | ---- | M] (ESET) [Auto | Running] -- C:\Program Files\ESET\ESET Smart Security\ekrn.exe -- (ekrn)
SRV - [2008/11/04 00:06:28 | 00,441,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv)
SRV - [2008/10/25 10:44:08 | 00,065,888 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe -- (Microsoft Office Groove Audit Service)
SRV - [2008/08/29 10:18:44 | 00,238,888 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2006/10/26 13:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
SRV - [2004/10/22 03:24:18 | 00,073,728 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe -- (IDriverT)


========== Driver Services (SafeList) ==========

DRV - [2009/05/14 14:49:26 | 00,055,768 | ---- | M] (ESET) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\epfwtdi.sys -- (epfwtdi)
DRV - [2009/05/14 14:49:26 | 00,033,096 | ---- | M] (ESET) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\epfwndis.sys -- (Epfwndis)
DRV - [2009/05/14 14:49:22 | 00,133,000 | ---- | M] (ESET) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\epfw.sys -- (epfw)
DRV - [2009/05/14 14:47:14 | 00,107,256 | ---- | M] (ESET) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ehdrv.sys -- (ehdrv)
DRV - [2009/05/14 14:41:10 | 00,114,472 | ---- | M] (ESET) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\eamon.sys -- (eamon)
DRV - [2009/05/09 00:14:20 | 00,014,736 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nuidfltr.sys -- (NuidFltr)
DRV - [2008/06/10 15:04:26 | 00,031,048 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\point32.sys -- (Point32)
DRV - [2008/04/14 07:00:00 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2008/04/14 07:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2008/04/14 07:00:00 | 00,005,888 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\rootmdm.sys -- (ROOTMODEM)
DRV - [2008/04/13 23:15:14 | 00,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/04/13 18:53:58 | 00,011,868 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\mdmxsdk.sys -- (mdmxsdk)
DRV - [2008/04/13 18:53:54 | 01,041,536 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFDPSP2.sys -- (HSF_DP)
DRV - [2008/04/13 18:53:52 | 00,685,056 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFCXTS2.sys -- (winachsf)
DRV - [2008/04/13 18:53:50 | 00,220,032 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFBS2S2.sys -- (HSFHWBS2)
DRV - [2008/04/13 17:05:40 | 00,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2007/01/18 09:24:58 | 00,026,496 | R--- | M] (Research in Motion Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RimSerial.sys -- (RimVSerPort)
DRV - [2002/06/21 11:45:58 | 00,069,792 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ialmkchw.sys -- ({D31A0762-0CEB-444e-ACFF-B049A1F6FE91}) Intel® Graphics Chipset (KCH)
DRV - [2002/06/21 11:45:48 | 00,090,784 | ---- | M] (Intel Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ialmsbw.sys -- ({6080A529-897E-4629-A488-ABA0C29B635E}) Intel® Graphics Platform (SoftBIOS)
DRV - [2002/06/21 11:44:46 | 00,078,877 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ialmnt5.sys -- (ialm)
DRV - [2002/05/28 15:18:46 | 00,500,568 | ---- | M] (Analog Devices, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\smwdm.sys -- (smwdm)
DRV - [2002/04/01 13:15:00 | 00,004,816 | ---- | M] (Andrea Electronics Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\aeaudio.sys -- (aeaudio)
DRV - [2001/08/22 08:42:58 | 00,013,632 | ---- | M] (Dell Computer Corporation) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS -- (OMCI)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = EC 74 19 25 2A 92 CA 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

FF - HKLM\software\mozilla\Thunderbird\Extensions\\eplgTb@eset.com: C:\Program Files\ESET\ESET Smart Security\Mozilla Thunderbird [2009/06/13 21:41:50 | 00,000,000 | ---D | M]

[2009/03/05 10:01:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Chantel\Application Data\Mozilla\Extensions
[2009/03/05 10:01:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Chantel\Application Data\Mozilla\Extensions\mozswing@mozswing.org

O1 HOSTS File: (734 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [egui] C:\Program Files\ESET\ESET Smart Security\egui.exe (ESET)
O4 - HKLM..\Run: [GrooveMonitor] C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe (Microsoft Corporation)
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [IntelliPoint] C:\Program Files\Microsoft IntelliPoint\ipoint.exe (Microsoft Corporation)
O4 - HKLM..\Run: [itype] C:\Program Files\Microsoft IntelliType Pro\itype.exe (Microsoft Corporation)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKCU..\Run: [cdloader] C:\Documents and Settings\Chantel\Application Data\mjusbsp\cdloader2.exe (magicJack L.P.)
O4 - HKCU..\Run: [Windows Updates] c:\windows\system\Update.exe File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.8.cab (DLM Control)
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} http://lads.myspace.com/upload/MySpaceUploader1006.cab (MySpace Uploader Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/microsoftupdat...b?1236037679937 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1236037670734 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 75.95.21.12 64.13.46.12 64.13.115.12
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/01/21 13:25:36 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\F\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\autorun.exe -- File not found
O33 - MountPoints2\F\Shell\phone\command - "" = F:\autorun.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/01/13 20:31:39 | 00,044,567 | ---- | C] (jpshortstuff) -- C:\Documents and Settings\Chantel\Desktop\Kenco.exe
[2010/01/13 09:58:33 | 00,000,000 | ---D | C] -- C:\_OTL
[2010/01/13 09:57:26 | 00,411,368 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deploytk.dll
[2010/01/13 09:57:26 | 00,149,280 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/01/13 09:57:26 | 00,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/01/13 09:57:26 | 00,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/01/13 09:55:34 | 00,800,544 | ---- | C] (Sun Microsystems, Inc.) -- C:\Documents and Settings\Chantel\Desktop\JavaSetup6u17-rv.exe
[2010/01/13 09:47:46 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Chantel\Desktop\JavaRa
[2010/01/12 19:59:02 | 00,544,256 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Chantel\Desktop\OTL.exe
[2010/01/12 14:55:05 | 00,472,064 | ---- | C] ( ) -- C:\Documents and Settings\Chantel\Desktop\RootRepeal.exe
[2010/01/11 21:50:43 | 00,000,000 | -HSD | C] -- C:\Documents and Settings\Chantel\IECompatCache
[2010/01/11 21:32:25 | 00,000,000 | ---D | C] -- C:\_OTM
[2010/01/11 20:59:15 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/01/11 18:51:14 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Chantel\Local Settings\Application Data\Identities
[2010/01/11 18:37:16 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\NAV\1101000.013
[2010/01/11 18:11:14 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Chantel\Local Settings\Application Data\Tific
[2010/01/11 18:05:48 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Chantel\Application Data\Tific
[2010/01/11 17:46:08 | 00,000,000 | ---D | C] -- C:\Program Files\Windows Sidebar
[2010/01/11 17:46:08 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\NAV
[2010/01/11 17:45:57 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Norton
[2010/01/11 17:45:36 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NortonInstaller
[2010/01/11 17:07:55 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Chantel\Application Data\AVG8
[2010/01/06 15:49:20 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Chantel\Local Settings\Application Data\magicJack
[2009/07/23 09:55:21 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2009/06/30 12:40:16 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\ESET
[2009/06/19 21:04:15 | 01,228,240 | ---- | C] (Adobe Systems Incorporated) -- C:\Program Files\ADBEPHSPCS4_LS1.exe
[2009/03/22 14:26:25 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2009/03/11 10:08:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2009/01/21 13:25:21 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009/01/21 13:25:21 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft

========== Files - Modified Within 30 Days ==========

[2010/01/13 20:36:14 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/01/13 20:35:50 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/01/13 20:35:46 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/01/13 20:35:08 | 02,621,440 | -H-- | M] () -- C:\Documents and Settings\Chantel\NTUSER.DAT
[2010/01/13 20:35:06 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\Chantel\ntuser.ini
[2010/01/13 20:31:39 | 00,044,567 | ---- | M] (jpshortstuff) -- C:\Documents and Settings\Chantel\Desktop\Kenco.exe
[2010/01/13 09:57:09 | 00,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deploytk.dll
[2010/01/13 09:57:09 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/01/13 09:57:09 | 00,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/01/13 09:57:09 | 00,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/01/13 09:57:09 | 00,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/01/13 09:55:43 | 00,800,544 | ---- | M] (Sun Microsystems, Inc.) -- C:\Documents and Settings\Chantel\Desktop\JavaSetup6u17-rv.exe
[2010/01/13 09:47:25 | 00,071,798 | ---- | M] () -- C:\Documents and Settings\Chantel\Desktop\JavaRa.zip
[2010/01/13 09:46:05 | 14,452,040 | ---- | M] () -- C:\Documents and Settings\Chantel\Desktop\winzip140.exe
[2010/01/12 19:59:16 | 00,544,256 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Chantel\Desktop\OTL.exe
[2010/01/12 14:55:51 | 00,000,000 | ---- | M] () -- C:\Documents and Settings\Chantel\Desktop\settings.dat
[2010/01/12 14:55:07 | 00,472,064 | ---- | M] ( ) -- C:\Documents and Settings\Chantel\Desktop\RootRepeal.exe
[2010/01/12 14:50:09 | 00,524,288 | ---- | M] () -- C:\Documents and Settings\Chantel\Desktop\dds.scr
[2010/01/12 10:50:26 | 06,291,456 | -H-- | M] () -- C:\Documents and Settings\Chantel\Local Settings\Application Data\IconCache.db
[2010/01/12 10:44:23 | 00,001,016 | ---- | M] () -- C:\Documents and Settings\Chantel\Desktop\magicJack.lnk
[2010/01/11 18:42:40 | 00,608,378 | ---- | M] () -- C:\WINDOWS\System32\drivers\NAV\1101000.013\Cat.DB
[2010/01/11 16:33:06 | 00,000,008 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\sysReserve.ini
[2010/01/04 15:57:45 | 00,012,113 | ---- | M] () -- C:\Documents and Settings\Chantel\My Documents\resumecover.docx
[2010/01/04 15:56:37 | 00,011,925 | ---- | M] () -- C:\Documents and Settings\Chantel\My Documents\resumecover-onlinelisting.docx
[2010/01/04 00:01:31 | 00,044,032 | ---- | M] () -- C:\Documents and Settings\Chantel\My Documents\resume-updated01012010-regword.doc
[2010/01/04 00:01:02 | 00,044,032 | ---- | M] () -- C:\Documents and Settings\Chantel\My Documents\resume-updated01012010-onlinelisting-regword.doc
[2010/01/04 00:00:40 | 00,024,662 | ---- | M] () -- C:\Documents and Settings\Chantel\My Documents\resume-updated01012010-onlinelisting.docx
[2010/01/04 00:00:11 | 00,024,909 | ---- | M] () -- C:\Documents and Settings\Chantel\My Documents\resume-updated01012010.docx
[2010/01/03 22:20:39 | 00,000,942 | ---- | M] () -- C:\Documents and Settings\Chantel\My Documents\Shortcut to IMAG0038.lnk
[2010/01/03 15:51:03 | 00,413,578 | ---- | M] () -- C:\Documents and Settings\Chantel\My Documents\daily_report_card.pdf

========== Files Created - No Company Name ==========

[2010/01/13 09:47:25 | 00,071,798 | ---- | C] () -- C:\Documents and Settings\Chantel\Desktop\JavaRa.zip
[2010/01/13 09:34:52 | 14,452,040 | ---- | C] () -- C:\Documents and Settings\Chantel\Desktop\winzip140.exe
[2010/01/12 14:55:51 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\Chantel\Desktop\settings.dat
[2010/01/12 14:50:04 | 00,524,288 | ---- | C] () -- C:\Documents and Settings\Chantel\Desktop\dds.scr
[2010/01/11 18:42:19 | 00,608,378 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1101000.013\Cat.DB
[2010/01/11 18:33:23 | 00,000,942 | ---- | C] () -- C:\Documents and Settings\Chantel\My Documents\Shortcut to IMAG0038.lnk
[2010/01/11 16:33:06 | 00,000,008 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\sysReserve.ini
[2010/01/04 15:57:45 | 00,012,113 | ---- | C] () -- C:\Documents and Settings\Chantel\My Documents\resumecover.docx
[2010/01/04 15:56:36 | 00,011,925 | ---- | C] () -- C:\Documents and Settings\Chantel\My Documents\resumecover-onlinelisting.docx
[2010/01/04 00:01:31 | 00,044,032 | ---- | C] () -- C:\Documents and Settings\Chantel\My Documents\resume-updated01012010-regword.doc
[2010/01/04 00:01:02 | 00,044,032 | ---- | C] () -- C:\Documents and Settings\Chantel\My Documents\resume-updated01012010-onlinelisting-regword.doc
[2010/01/03 23:58:03 | 00,024,662 | ---- | C] () -- C:\Documents and Settings\Chantel\My Documents\resume-updated01012010-onlinelisting.docx
[2010/01/03 23:56:44 | 00,024,909 | ---- | C] () -- C:\Documents and Settings\Chantel\My Documents\resume-updated01012010.docx
[2010/01/03 15:51:03 | 00,413,578 | ---- | C] () -- C:\Documents and Settings\Chantel\My Documents\daily_report_card.pdf
[2009/06/19 21:04:16 | 85,386,0607 | ---- | C] () -- C:\Program Files\ADBEPHSPCS4_LS1.7z
[2009/06/13 21:28:52 | 36,116,992 | ---- | C] () -- C:\Program Files\ess_nt32_enu.msi
[2009/04/30 21:55:36 | 00,003,584 | ---- | C] () -- C:\Documents and Settings\Chantel\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/01/21 13:47:46 | 00,266,240 | ---- | C] () -- C:\WINDOWS\System32\shpshftr.dll
[2009/01/21 13:47:18 | 00,028,672 | ---- | C] () -- C:\WINDOWS\System32\igfxdgps.dll
[2009/01/21 13:47:18 | 00,009,785 | ---- | C] () -- C:\WINDOWS\System32\drivers\a312.sys
< End of report >


#8 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:06:25 PM

Posted 14 January 2010 - 08:38 AM

Please update Malwarebytes and run a Quick Scan for me.
Post the resulting log.

How is your computer behaving now?
Are your search results still being redirected?
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#9 cyellett

cyellett
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:06:25 PM

Posted 14 January 2010 - 06:21 PM

Google searches back to normal!

Here is the MalwareBytes log.
Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/14/2010 6:30:55 PM
mbam-log-2010-01-14 (18-30-49).txt

Scan type: Quick Scan
Objects scanned: 116387
Time elapsed: 6 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\system32\H8SRTgrwpavpnfn.dll (Trojan.Vundo) -> No action taken.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
\\?\globalroot\systemroot\system32\H8SRTgrwpavpnfn.dll (Trojan.Vundo) -> No action taken.


#10 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:06:25 PM

Posted 15 January 2010 - 08:02 AM

We need to run Combofix.

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the contents of C:\ComboFix.txt in your next reply.




========================================================

#11 cyellett

cyellett
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:06:25 PM

Posted 15 January 2010 - 10:33 AM

Here is the combofix log:



ComboFix 10-01-14.06 - Chantel 01/15/2010 10:17:09.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.209 [GMT -5:00]
Running from: c:\documents and settings\Chantel\Desktop\ComboFix1.exe
AV: ESET Smart Security 4.0 *On-access scanning disabled* (Outdated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\H8SRTjyrxoctyuu.sys
c:\windows\system32\H8SRTckmnbaqbrn.dat
c:\windows\system32\H8SRTdoucmodjrj.dll
c:\windows\system32\H8SRTgrwpavpnfn.dll
c:\windows\system32\h8srtkrl32mainweq.dll
c:\windows\system32\H8SRTpxexyfynsh.dll
c:\windows\system32\h8srtshsyst.dll
c:\windows\system32\H8SRTtoayvjfpor.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_H8SRTd.sys
-------\Legacy_H8SRTd.sys


((((((((((((((((((((((((( Files Created from 2009-12-15 to 2010-01-15 )))))))))))))))))))))))))))))))
.

2010-01-14 22:33 . 2010-01-14 22:33 -------- d-----w- c:\documents and settings\Chantel\Application Data\Malwarebytes
2010-01-14 17:41 . 2009-12-02 13:19 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-01-14 17:37 . 2010-01-14 17:37 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-01-14 17:36 . 2010-01-14 17:36 -------- d-----w- c:\program files\Lavasoft
2010-01-14 17:36 . 2010-01-14 17:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-01-14 16:15 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-14 16:15 . 2010-01-14 16:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-14 16:15 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-13 14:58 . 2010-01-13 14:58 -------- d-----w- C:\_OTL
2010-01-13 14:57 . 2010-01-13 14:57 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-12 03:15 . 2010-01-12 03:15 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2010-01-12 03:09 . 2010-01-12 03:09 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-01-12 03:09 . 2010-01-12 03:09 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-01-12 02:50 . 2010-01-12 02:50 -------- d-sh--w- c:\documents and settings\Chantel\IECompatCache
2010-01-12 02:32 . 2010-01-12 02:32 -------- d-----w- C:\_OTM
2010-01-12 01:59 . 2010-01-14 22:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-11 23:51 . 2010-01-11 23:51 -------- d-----w- c:\documents and settings\Chantel\Local Settings\Application Data\Identities
2010-01-11 23:11 . 2010-01-11 23:11 -------- d-----w- c:\documents and settings\Chantel\Local Settings\Application Data\Tific
2010-01-11 23:05 . 2010-01-11 23:05 -------- d-----w- c:\documents and settings\Chantel\Application Data\Tific
2010-01-11 22:46 . 2010-01-11 23:27 -------- d-----w- c:\windows\system32\drivers\NAV
2010-01-11 22:46 . 2010-01-11 22:46 -------- d-----w- c:\program files\Windows Sidebar
2010-01-11 22:45 . 2010-01-13 14:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-01-11 22:45 . 2010-01-11 23:36 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-01-11 22:07 . 2010-01-11 22:07 -------- d-----w- c:\documents and settings\Chantel\Application Data\AVG8
2010-01-06 20:49 . 2010-01-06 20:49 -------- d-----w- c:\documents and settings\Chantel\Local Settings\Application Data\magicJack

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-14 17:41 . 2010-01-14 17:41 862040 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2010-01-14 17:41 . 2010-01-14 17:41 206944 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2010-01-14 17:41 . 2010-01-14 17:41 390288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2010-01-14 17:41 . 2010-01-14 17:41 537576 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\aawapi.dll
2010-01-14 17:41 . 2010-01-14 17:41 370744 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2010-01-14 17:41 . 2010-01-14 17:41 194104 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Savapibridge.dll
2010-01-14 17:40 . 2010-01-14 17:40 6296864 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2010-01-14 17:40 . 2010-01-14 17:40 933120 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2010-01-14 17:40 . 2010-01-14 17:40 816272 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2010-01-14 17:40 . 2010-01-14 17:39 822904 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2010-01-14 17:39 . 2010-01-14 17:39 1643272 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2010-01-14 17:39 . 2010-01-14 17:39 788880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2010-01-14 17:39 . 2010-01-14 17:39 1181328 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2010-01-14 08:04 . 2009-03-03 01:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-01-13 14:57 . 2009-03-04 01:05 -------- d-----w- c:\program files\Java
2010-01-13 14:56 . 2010-01-13 14:56 152576 ----a-w- c:\documents and settings\Chantel\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-01-13 14:55 . 2010-01-13 14:55 79488 ----a-w- c:\documents and settings\Chantel\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-12 17:53 . 2009-10-23 17:53 -------- d-----w- c:\documents and settings\Chantel\Application Data\mjusbsp
2010-01-11 23:33 . 2009-03-15 22:13 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2010-01-01 19:38 . 2009-03-05 15:01 -------- d-----w- c:\documents and settings\Chantel\Application Data\LimeWire
2009-12-24 16:59 . 2009-12-24 16:59 93016 ----a-w- c:\documents and settings\Chantel\Application Data\mjusbsp\ug00000\magicJack.dll
2009-12-24 16:58 . 2010-01-06 20:50 6515976 ---ha-w- c:\documents and settings\Chantel\Application Data\mjusbsp\Upgrade\setup2.exe
2009-12-24 16:58 . 2009-12-24 16:58 6515976 ----a-w- c:\documents and settings\Chantel\Application Data\mjusbsp\ug00000\setup.exe
2009-12-24 16:58 . 2009-12-24 16:58 416328 ----a-w- c:\documents and settings\Chantel\Application Data\mjusbsp\magicJackLoader.exe
2009-12-24 16:58 . 2009-12-24 16:58 480608 ----a-w- c:\documents and settings\Chantel\Application Data\mjusbsp\octvqe1_apiw.dll
2009-12-24 16:58 . 2009-12-24 16:58 214360 ----a-w- c:\documents and settings\Chantel\Application Data\mjusbsp\TjVista.dll
2009-12-24 16:58 . 2009-12-24 16:58 337240 ----a-w- c:\documents and settings\Chantel\Application Data\mjusbsp\TjIpSys.dll
2009-12-24 16:58 . 2009-12-24 16:58 607600 ----a-w- c:\documents and settings\Chantel\Application Data\mjusbsp\SJHandsetMagicJack.dll
2009-12-24 16:58 . 2009-12-24 16:58 87384 ----a-w- c:\documents and settings\Chantel\Application Data\mjusbsp\st00000\mjsetup.exe
2009-12-24 16:57 . 2009-12-24 16:57 93016 ----a-w- c:\documents and settings\Chantel\Application Data\mjusbsp\st00000\magicJack.dll
2009-12-24 16:57 . 2009-12-24 16:57 93016 ----a-w- c:\documents and settings\Chantel\Application Data\mjusbsp\magicJack.dll
2009-12-24 16:55 . 2009-12-24 16:55 12482904 ----a-w- c:\documents and settings\Chantel\Application Data\mjusbsp\magicJack.exe
2009-12-24 16:54 . 2010-01-12 17:52 730032 ---ha-w- c:\documents and settings\Chantel\Application Data\mjusbsp\ar00000\install.exe
2009-12-24 16:54 . 2010-01-06 20:50 730032 ---ha-w- c:\documents and settings\Chantel\Application Data\mjusbsp\Upgrade\install2.exe
2009-12-24 16:54 . 2009-12-24 16:54 730032 ----a-w- c:\documents and settings\Chantel\Application Data\mjusbsp\ug00000\install.exe
2009-12-24 16:53 . 2009-12-24 16:53 87384 ----a-w- c:\documents and settings\Chantel\Application Data\mjusbsp\in00000\mjsetup.exe
2009-12-24 16:53 . 2009-12-24 16:53 93016 ----a-w- c:\documents and settings\Chantel\Application Data\mjusbsp\in00000\magicJack.dll
2009-12-24 16:52 . 2009-12-24 16:52 441704 ----a-w- c:\documents and settings\Chantel\Application Data\mjusbsp\ug00000\magicJackSplash.exe
2009-12-24 16:52 . 2009-12-24 16:52 441704 ----a-w- c:\documents and settings\Chantel\Application Data\mjusbsp\st00000\magicJackSplash.exe
2009-12-24 16:52 . 2009-12-24 16:52 441704 ----a-w- c:\documents and settings\Chantel\Application Data\mjusbsp\magicJackSplash.exe
2009-12-24 16:52 . 2009-12-24 16:52 441704 ----a-w- c:\documents and settings\Chantel\Application Data\mjusbsp\in00000\magicJackSplash.exe
2009-12-24 16:52 . 2009-12-24 16:52 50520 ----a-w- c:\documents and settings\Chantel\Application Data\mjusbsp\cdloader2.exe
2009-12-07 14:10 . 2010-01-14 17:37 2953352 -c--a-w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}\Ad-AwareInstallation.exe
2009-11-21 15:51 . 2008-04-14 12:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-08 04:02 . 2009-11-08 04:02 249856 ------w- c:\windows\Setup1.exe
2009-11-08 04:02 . 2009-11-08 04:02 73216 ----a-w- c:\windows\ST6UNST.EXE
2009-10-31 15:30 . 2009-03-03 01:28 78608 ----a-w- c:\documents and settings\Chantel\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-29 07:45 . 2008-06-23 16:01 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2008-04-14 12:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2008-04-14 12:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2008-04-14 12:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-18 00:22 . 2009-02-18 00:20 256 ----a-w- c:\windows\system32\pool.bin
2009-06-20 03:26 . 2009-06-20 02:04 853860607 ----a-w- c:\program files\ADBEPHSPCS4_LS1.7z
2009-06-20 02:04 . 2009-06-20 02:04 1228240 ----a-w- c:\program files\ADBEPHSPCS4_LS1.exe
2009-06-14 02:29 . 2009-06-14 02:28 36116992 ----a-w- c:\program files\ess_nt32_enu.msi
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cdloader"="c:\documents and settings\Chantel\Application Data\mjusbsp\cdloader2.exe" [2009-12-24 50520]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2002-06-20 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2002-06-20 114688]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2008-06-10 1442888]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2008-06-10 1406024]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-13 149280]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-05-14 2029640]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Documents and Settings\\Chantel\\Application Data\\mjusbsp\\magicJack.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [1/14/2010 12:41 PM 64288]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [5/14/2009 2:47 PM 107256]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [5/14/2009 2:47 PM 731840]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/2/2009 8:19 AM 1181328]
.
Contents of the 'Scheduled Tasks' folder

2010-01-15 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 17:40]

2010-01-15 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 17:40]

2010-01-15 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 17:40]

2010-01-15 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 17:40]

2010-01-15 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 17:40]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

AddRemove-com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1 - c:\program files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-15 10:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: >>UNKNOWN [0x804D7000]<< >>UNKNOWN [0xF86B7000]<< >>UNKNOWN [0xF86A7000]<< >>UNKNOWN [0xF8628000]<< >>UNKNOWN [0x806EE000]<< >>UNKNOWN [0xF85BA000]<< >>UNKNOWN [0xF8B7B000]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> 0xf86bbf28
\Driver\ACPI -> 0xf862ecb8
\Driver\atapi -> 0xf85c0852
IoDeviceObjectType -> DeleteProcedure -> 0x805a0598
ParseProcedure -> 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> 0x805a0598
ParseProcedure -> 0x8056ea15
NDIS: Realtek RTL8139 Family PCI Fast Ethernet NIC -> SendCompleteHandler -> 0xf84cdbd4
PacketIndicateHandler -> 0xf84d9b21
SendHandler -> 0xf84cdd44
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2324)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-01-15 10:40:18 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-15 15:40

Pre-Run: 25,108,819,968 bytes free
Post-Run: 25,133,211,648 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect

- - End Of File - - E3130BB241B46CEB1219607939FFD822


#12 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 16 January 2010 - 09:01 AM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: CFScript to your desktop.

CODE
MBR::

Prior to running Combofix.exe you should disable your antivirus program.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.



This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#13 cyellett
  • Topic Starter

  • Members
  • 10 posts

Posted 16 January 2010 - 10:41 AM

ComboFix 10-01-15.05 - Chantel 01/16/2010 10:15:40.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.248 [GMT -5:00]
Running from: c:\documents and settings\Chantel\Desktop\ComboFix1.exe
Command switches used :: c:\documents and settings\Chantel\Desktop\cfscript.txt
AV: ESET Smart Security 4.0 *On-access scanning disabled* (Outdated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
* Resident AV is active

.

((((((((((((((((((((((((( Files Created from 2009-12-16 to 2010-01-16 )))))))))))))))))))))))))))))))
.

2010-01-14 22:33 . 2010-01-14 22:33 -------- d-----w- c:\documents and settings\Chantel\Application Data\Malwarebytes
2010-01-14 17:41 . 2009-12-02 13:19 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-01-14 17:37 . 2010-01-14 17:37 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-01-14 17:36 . 2010-01-14 17:36 -------- d-----w- c:\program files\Lavasoft
2010-01-14 17:36 . 2010-01-14 17:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-01-14 16:15 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-14 16:15 . 2010-01-14 16:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-14 16:15 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-13 14:58 . 2010-01-13 14:58 -------- d-----w- C:\_OTL
2010-01-13 14:57 . 2010-01-13 14:57 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-12 03:15 . 2010-01-12 03:15 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2010-01-12 03:09 . 2010-01-12 03:09 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-01-12 03:09 . 2010-01-12 03:09 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-01-12 02:50 . 2010-01-12 02:50 -------- d-sh--w- c:\documents and settings\Chantel\IECompatCache
2010-01-12 02:32 . 2010-01-12 02:32 -------- d-----w- C:\_OTM
2010-01-12 01:59 . 2010-01-14 22:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-11 23:51 . 2010-01-11 23:51 -------- d-----w- c:\documents and settings\Chantel\Local Settings\Application Data\Identities
2010-01-11 23:11 . 2010-01-11 23:11 -------- d-----w- c:\documents and settings\Chantel\Local Settings\Application Data\Tific
2010-01-11 23:05 . 2010-01-11 23:05 -------- d-----w- c:\documents and settings\Chantel\Application Data\Tific
2010-01-11 22:46 . 2010-01-11 23:27 -------- d-----w- c:\windows\system32\drivers\NAV
2010-01-11 22:46 . 2010-01-11 22:46 -------- d-----w- c:\program files\Windows Sidebar
2010-01-11 22:45 . 2010-01-13 14:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-01-11 22:45 . 2010-01-11 23:36 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-01-11 22:07 . 2010-01-11 22:07 -------- d-----w- c:\documents and settings\Chantel\Application Data\AVG8
2010-01-06 20:49 . 2010-01-06 20:49 -------- d-----w- c:\documents and settings\Chantel\Local Settings\Application Data\magicJack

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-14 17:41 . 2010-01-14 17:41 862040 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2010-01-14 17:41 . 2010-01-14 17:41 206944 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2010-01-14 17:41 . 2010-01-14 17:41 390288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2010-01-14 17:41 . 2010-01-14 17:41 537576 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\aawapi.dll
2010-01-14 17:41 . 2010-01-14 17:41 370744 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2010-01-14 17:41 . 2010-01-14 17:41 194104 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Savapibridge.dll
2010-01-14 17:40 . 2010-01-14 17:40 6296864 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2010-01-14 17:40 . 2010-01-14 17:40 933120 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2010-01-14 17:40 . 2010-01-14 17:40 816272 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2010-01-14 17:40 . 2010-01-14 17:39 822904 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2010-01-14 17:39 . 2010-01-14 17:39 1643272 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2010-01-14 17:39 . 2010-01-14 17:39 788880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2010-01-14 17:39 . 2010-01-14 17:39 1181328 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2010-01-14 08:04 . 2009-03-03 01:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-01-13 14:57 . 2009-03-04 01:05 -------- d-----w- c:\program files\Java
2010-01-13 14:56 . 2010-01-13 14:56 152576 ----a-w- c:\documents and settings\Chantel\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-01-13 14:55 . 2010-01-13 14:55 79488 ----a-w- c:\documents and settings\Chantel\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-12 17:53 . 2009-10-23 17:53 -------- d-----w- c:\documents and settings\Chantel\Application Data\mjusbsp
2010-01-11 23:33 . 2009-03-15 22:13 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2010-01-01 19:38 . 2009-03-05 15:01 -------- d-----w- c:\documents and settings\Chantel\Application Data\LimeWire
2009-12-24 16:59 . 2009-12-24 16:59 93016 ----a-w- c:\documents and settings\Chantel\Application Data\mjusbsp\ug00000\magicJack.dll
2009-12-24 16:58 . 2010-01-06 20:50 6515976 ---ha-w- c:\documents and settings\Chantel\Application Data\mjusbsp\Upgrade\setup2.exe
2009-12-24 16:58 . 2009-12-24 16:58 6515976 ----a-w- c:\documents and settings\Chantel\Application Data\mjusbsp\ug00000\setup.exe
2009-12-24 16:58 . 2009-12-24 16:58 416328 ----a-w- c:\documents and settings\Chantel\Application Data\mjusbsp\magicJackLoader.exe
2009-12-24 16:58 . 2009-12-24 16:58 480608 ----a-w- c:\documents and settings\Chantel\Application Data\mjusbsp\octvqe1_apiw.dll
2009-12-24 16:58 . 2009-12-24 16:58 214360 ----a-w- c:\documents and settings\Chantel\Application Data\mjusbsp\TjVista.dll
2009-12-24 16:58 . 2009-12-24 16:58 337240 ----a-w- c:\documents and settings\Chantel\Application Data\mjusbsp\TjIpSys.dll
2009-12-24 16:58 . 2009-12-24 16:58 607600 ----a-w- c:\documents and settings\Chantel\Application Data\mjusbsp\SJHandsetMagicJack.dll
2009-12-24 16:58 . 2009-12-24 16:58 87384 ----a-w- c:\documents and settings\Chantel\Application Data\mjusbsp\st00000\mjsetup.exe
2009-12-24 16:57 . 2009-12-24 16:57 93016 ----a-w- c:\documents and settings\Chantel\Application Data\mjusbsp\st00000\magicJack.dll
2009-12-24 16:57 . 2009-12-24 16:57 93016 ----a-w- c:\documents and settings\Chantel\Application Data\mjusbsp\magicJack.dll
2009-12-24 16:55 . 2009-12-24 16:55 12482904 ----a-w- c:\documents and settings\Chantel\Application Data\mjusbsp\magicJack.exe
2009-12-24 16:54 . 2010-01-12 17:52 730032 ---ha-w- c:\documents and settings\Chantel\Application Data\mjusbsp\ar00000\install.exe
2009-12-24 16:54 . 2010-01-06 20:50 730032 ---ha-w- c:\documents and settings\Chantel\Application Data\mjusbsp\Upgrade\install2.exe
2009-12-24 16:54 . 2009-12-24 16:54 730032 ----a-w- c:\documents and settings\Chantel\Application Data\mjusbsp\ug00000\install.exe
2009-12-24 16:53 . 2009-12-24 16:53 87384 ----a-w- c:\documents and settings\Chantel\Application Data\mjusbsp\in00000\mjsetup.exe
2009-12-24 16:53 . 2009-12-24 16:53 93016 ----a-w- c:\documents and settings\Chantel\Application Data\mjusbsp\in00000\magicJack.dll
2009-12-24 16:52 . 2009-12-24 16:52 441704 ----a-w- c:\documents and settings\Chantel\Application Data\mjusbsp\ug00000\magicJackSplash.exe
2009-12-24 16:52 . 2009-12-24 16:52 441704 ----a-w- c:\documents and settings\Chantel\Application Data\mjusbsp\st00000\magicJackSplash.exe
2009-12-24 16:52 . 2009-12-24 16:52 441704 ----a-w- c:\documents and settings\Chantel\Application Data\mjusbsp\magicJackSplash.exe
2009-12-24 16:52 . 2009-12-24 16:52 441704 ----a-w- c:\documents and settings\Chantel\Application Data\mjusbsp\in00000\magicJackSplash.exe
2009-12-24 16:52 . 2009-12-24 16:52 50520 ----a-w- c:\documents and settings\Chantel\Application Data\mjusbsp\cdloader2.exe
2009-12-07 14:10 . 2010-01-14 17:37 2953352 -c--a-w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}\Ad-AwareInstallation.exe
2009-11-21 15:51 . 2008-04-14 12:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-08 04:02 . 2009-11-08 04:02 249856 ------w- c:\windows\Setup1.exe
2009-11-08 04:02 . 2009-11-08 04:02 73216 ----a-w- c:\windows\ST6UNST.EXE
2009-10-31 15:30 . 2009-03-03 01:28 78608 ----a-w- c:\documents and settings\Chantel\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-29 07:45 . 2008-06-23 16:01 916480 ------w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2008-04-14 12:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2008-04-14 12:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2008-04-14 12:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-06-20 03:26 . 2009-06-20 02:04 853860607 ----a-w- c:\program files\ADBEPHSPCS4_LS1.7z
2009-06-20 02:04 . 2009-06-20 02:04 1228240 ----a-w- c:\program files\ADBEPHSPCS4_LS1.exe
2009-06-14 02:29 . 2009-06-14 02:28 36116992 ----a-w- c:\program files\ess_nt32_enu.msi
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cdloader"="c:\documents and settings\Chantel\Application Data\mjusbsp\cdloader2.exe" [2009-12-24 50520]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2002-06-20 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2002-06-20 114688]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2008-06-10 1442888]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2008-06-10 1406024]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-13 149280]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-05-14 2029640]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Documents and Settings\\Chantel\\Application Data\\mjusbsp\\magicJack.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [1/14/2010 12:41 PM 64288]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [5/14/2009 2:47 PM 107256]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [5/14/2009 2:47 PM 731840]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/2/2009 8:19 AM 1181328]
.
Contents of the 'Scheduled Tasks' folder

2010-01-16 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 17:40]

2010-01-16 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 17:40]

2010-01-16 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 17:40]

2010-01-16 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 17:40]

2010-01-16 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 17:40]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-16 10:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2352)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Completion time: 2010-01-16 10:41:10 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-16 15:41
ComboFix2.txt 2010-01-15 15:40

Pre-Run: 25,067,057,152 bytes free
Post-Run: 25,069,219,840 bytes free

- - End Of File - - 6B788069A26A37E4AEB5B37368CFC2AB


#14 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 17 January 2010 - 12:43 PM

Looks good to me!

Now we'll remove OTL and some of the other tools we've used.
  • Double-click OTL.exe to run it.
  • Click on the CleanUp! button
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.



================




Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  1. Disable and Enable System Restore. - You should disable and re-enable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to disable and re-enable system restore here:

    Windows XP System Restore Guide

    Re-enable system restore with instructions from the tutorial above

  2. Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  3. Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  4. Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  5. Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  6. Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis just as you would with an antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  7. Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  8. Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.



========================================================

#15 cyellett
  • Topic Starter

  • Members
  • 10 posts

Posted 17 January 2010 - 03:48 PM

Awesome!!! I followed all steps and the virus is gone! I should be able to hook my phone up and my computer should now be able to detect any problems beforehand, correct?
