
Internet trouble ...due to virus/trojan what ????


63 replies to this topic

#1 jose_007

jose_007

  • Members
  • 160 posts
  • OFFLINE
  •  
  • Local time:10:16 AM

Posted 07 February 2010 - 09:24 AM

My problem is really complex... 10 days back my PC reported an error on startup and shut down... I found a suspect file in startup, "siszyd32", and disabled it from msconfig.
Though my PC has started in a normal manner since then, my internet (broadband, 256 kbps) has been giving a lot of trouble.
Whenever I connect to the net, the bandwidth gets used very quickly... For example, almost 3 MB are exchanged (down/up) within 1 min without having opened any browser (Firefox) or messenger (GTalk)... and if not stopped it rises quickly to the range of 20-25 MB in a few minutes.

Since then I have tried everything:
1)Changed my password (with fear of someone hacking my net line)
2)Reinstalled Firefox
3) Ran MBAM and anti-spyware and removed (quarantined) all the trojans/spyware they detected
4) Tried Trojan Remover

But still the problem remains the same... Later I also found a file "wwwpos32". I removed it, but I now realise that it may already have affected others...
Please help me at the earliest, since this problem, rather than hurting my PC, is hurting my pocket with the internet bill.

I am attaching the DDS log (conducted in offline mode)
I am also attaching an image of the command prompt which showed all the networks in use (netstat -a)
I am also attaching the HijackThis log (conducted in online mode)


**My AVG is outdated and I couldn't update it due to the above problem
**RootRepeal didn't work on my PC... every time I tried to run it my PC crashed. So I am not attaching its report

Edited by jose_007, 07 February 2010 - 09:25 AM.




#2 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 4,149 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Midlands, UK
  • Local time:04:16 PM

Posted 10 February 2010 - 05:44 AM

Hi jose and welcome to Bleeping Computer.

Ok, let's see what we can do for you.

Step 1

Download TFC by OldTimer to your desktop
  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.


Step 2
  • Download OTL to your desktop.
    if you have problems, try this download link:
    OTL
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check
    Now copy the lines in the codebox below.
    CODE
    netsvcs
    msconfig
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    CREATERESTOREPOINT
  • right click in the Custom Scans/Fixes window (under the blue bar) and choose Paste.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply.

In your next reply, please submit:
Otl.txt
Extras.txt (this one will be minimized)

Please copy/paste the reports, don't attach them (it's a lot easier to read).

Thanks.

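The custom scan in Step 2 does two things that matter for a machine like this one: the /md5start ... /md5stop list hashes critical system files in every place Windows keeps a copy (system32, dllcache, the update backup folders) so that a patched live file stands out against its pristine copy, and the /lockedfiles lines report files the tool could not read at all. The following is an added example that reproduces that logic in Python; it is not OTL's code and not part of the original post. The directory names in COPY_DIRS are an abridged assumption about where XP keeps copies, the on-disk tree built by build_sample_tree() is constructed test data (not real driver bytes), and the "locked" file is simulated by a reader that refuses to open one name; the name bbhkyhn.sys is used only because it is the file the report further down lists as "Unable to obtain MD5".

```python
"""Cross-check the MD5 of critical Windows system files against the cached
copies Windows keeps, and flag files that cannot be read at all. This is an
added example of the idea behind OTL's /md5start ... /md5stop and /lockedfiles
directives; it is not OTL's code. build_sample_tree() writes constructed data."""
import hashlib
import tempfile
from pathlib import Path

# Assumed (abridged) list of places Windows XP keeps copies of the same file.
# On a clean box every copy hashes the same; a patched live file differs from
# its dllcache / backup copy, which is what the MD5 section of an OTL report shows.
COPY_DIRS = (
    "system32",
    "system32/drivers",
    "system32/dllcache",
    "ServicePackFiles/i386",
)


def _read_file(path):
    return Path(path).read_bytes()


def hash_copies(root, name, reader=_read_file):
    """Map relative path -> upper-case MD5 for every copy of `name` under
    `root`. A value of None means the copy exists but could not be read,
    the condition OTL prints as 'Unable to obtain MD5'."""
    found = {}
    for sub in COPY_DIRS:
        candidate = Path(root) / sub / name
        if not candidate.exists():
            continue
        try:
            found[f"{sub}/{name}"] = hashlib.md5(reader(candidate)).hexdigest().upper()
        except OSError:  # sharing violation, access denied, filter-driver block
            found[f"{sub}/{name}"] = None
    return found


def check_files(root, names, reader=_read_file):
    """Give each file one verdict: 'missing' (no copy at all), 'locked'
    (some copy unreadable), 'mismatch' (copies disagree, so the live file
    was modified), or 'ok' (every copy hashes the same)."""
    verdicts = {}
    for name in names:
        copies = hash_copies(root, name, reader)
        if not copies:
            verdicts[name] = "missing"
        elif None in copies.values():
            verdicts[name] = "locked"
        elif len(set(copies.values())) > 1:
            verdicts[name] = "mismatch"
        else:
            verdicts[name] = "ok"
    return verdicts


def build_sample_tree():
    """Lay out a throwaway directory shaped like %SystemRoot% with
    constructed contents (not real driver or DLL bytes)."""
    root = Path(tempfile.mkdtemp(prefix="sysroot_"))
    for sub in COPY_DIRS:
        (root / sub).mkdir(parents=True, exist_ok=True)
    clean_atapi = b"MZ constructed clean atapi.sys"
    (root / "system32/drivers/atapi.sys").write_bytes(clean_atapi)
    (root / "system32/dllcache/atapi.sys").write_bytes(clean_atapi)
    pristine = b"MZ constructed netlogon.dll"
    (root / "system32/dllcache/netlogon.dll").write_bytes(pristine)
    # Live copy patched with extra bytes: its hash no longer matches the cache copy.
    (root / "system32/netlogon.dll").write_bytes(pristine + b"\x90" * 16)
    # A driver present only in drivers\, which locked_reader() below refuses to open
    # (simulation; the name is taken from the report's 'Unable to obtain MD5' line).
    (root / "system32/drivers/bbhkyhn.sys").write_bytes(b"MZ constructed bytes")
    return root


def locked_reader(locked_name):
    """Reader that raises for one file name, simulating a file that is held
    open exclusively (or hidden by a filter driver) so it cannot be hashed."""
    def reader(path):
        if Path(path).name == locked_name:
            raise PermissionError("simulated sharing violation")
        return _read_file(path)
    return reader


def demo():
    root = build_sample_tree()
    names = ["atapi.sys", "netlogon.dll", "bbhkyhn.sys", "nosuch.sys"]
    return check_files(root, names, reader=locked_reader("bbhkyhn.sys"))


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:9s} {name}")
```

The point of the verdicts: "mismatch" is the strong signal (a live system file that no longer matches its own cache copy), while "locked" only says the tool could not look; a legitimate driver in use can also refuse a read, so a locked file is a prompt to hash it from outside the running OS (boot CD) rather than a verdict on its own.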


#3 jose_007

jose_007
  • Topic Starter

  • Members
  • 160 posts
  • OFFLINE
  •  
  • Local time:10:16 AM

Posted 10 February 2010 - 01:01 PM

First of all, thanks for replying, sir.

Here is the OTL log

OTL logfile created on: 2/6/2010 7:44:03 AM - Run 1
OTL by OldTimer - Version 3.1.28.0 Folder = C:\Documents and Settings\Administrator\Desktop\Prog shortcuts
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

191.00 Mb Total Physical Memory | 64.00 Mb Available Physical Memory | 33.00% Memory free
467.00 Mb Paging File | 169.00 Mb Available in Paging File | 36.00% Paging File free
Paging file location(s): C:\pagefile.sys 288 576 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 18.62 Gb Total Space | 11.79 Gb Free Space | 63.33% Space Free | Partition Type: FAT32
Drive D: | 19.65 Gb Total Space | 13.94 Gb Free Space | 70.96% Space Free | Partition Type: FAT32
Drive E: | 102.53 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: COMPAQ-5B8D674A
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Administrator\Desktop\Prog shortcuts\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
PRC - C:\Program Files\AVG\AVG8\avgrsx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG8\avgcsrvx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG8\avgnsx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG8\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG8\avgemc.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\Common Files\LightScribe\LSSrvc.exe (Hewlett-Packard Company)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Administrator\Desktop\Prog shortcuts\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (avg8wd) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
SRV - (avg8emc) -- C:\Program Files\AVG\AVG8\avgemc.exe (AVG Technologies CZ, s.r.o.)
SRV - (NMIndexingService) -- C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (Nero AG)
SRV - (NBService) -- C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe (Nero AG)
SRV - (LightScribeService) -- C:\Program Files\Common Files\LightScribe\LSSrvc.exe (Hewlett-Packard Company)
SRV - (ose) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)


========== Driver Services (SafeList) ==========

DRV - (SASENUM) -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS ( SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (SASDIFSV) -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (SASKUTIL) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (AvgMfx86) -- C:\WINDOWS\System32\Drivers\avgmfx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (AvgLdx86) -- C:\WINDOWS\System32\Drivers\avgldx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (AvgTdiX) -- C:\WINDOWS\System32\Drivers\avgtdix.sys (AVG Technologies CZ, s.r.o.)
DRV - (Secdrv) -- C:\WINDOWS\system32\drivers\secdrv.sys ()
DRV - (Ptilink) -- C:\WINDOWS\system32\drivers\ptilink.sys (Parallel Technologies, Inc.)
DRV - (SiS315) -- C:\WINDOWS\system32\drivers\sisgrp.sys (Silicon Integrated Systems Corporation)
DRV - (SiSkp) -- C:\WINDOWS\system32\drivers\srvkp.sys (Silicon Integrated Systems Corporation)
DRV - (sisagp) -- C:\WINDOWS\system32\DRIVERS\sisagp.sys (Silicon Integrated Systems Corporation)
DRV - (HSF_DP) -- C:\WINDOWS\system32\drivers\HSFDPSP2.sys (Conexant Systems, Inc.)
DRV - (mdmxsdk) -- C:\WINDOWS\system32\drivers\mdmxsdk.sys (Conexant)
DRV - (winachsf) -- C:\WINDOWS\system32\drivers\HSFCXTS2.sys (Conexant Systems, Inc.)
DRV - (HSFHWBS2) -- C:\WINDOWS\system32\drivers\HSFBS2S2.sys (Conexant Systems, Inc.)
DRV - (rtl8139) Realtek RTL8139(A/B/C) -- C:\WINDOWS\system32\drivers\RTL8139.sys (Realtek Semiconductor Corporation)
DRV - (ALCXWDM) Service for Realtek AC97 Audio (WDM) -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS (Realtek Semiconductor Corp.)
DRV - (ALCXSENS) -- C:\WINDOWS\system32\drivers\ALCXSENS.SYS (Sensaura)
DRV - (SiS300i) -- C:\WINDOWS\system32\drivers\sis300ip.sys (Silicon Integrated Systems Corporation)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========


FF - HKLM\software\mozilla\Mozilla Firefox 3.5.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/02/02 09:30:18 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/02/02 09:30:18 | 000,000,000 | ---D | M]

[2010/02/02 09:30:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions
[2010/02/02 09:30:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\8hscxe3h.default\extensions
[2010/02/02 09:30:18 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2010/02/05 10:02:34 | 000,000,894 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (AVG Security Toolbar) - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Program Files\AVG\AVG8\avgtoolbar.dll (AVG Technologies CZ, s.r.o.)
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Program Files\AVG\AVG8\avgtoolbar.dll (AVG Technologies CZ, s.r.o.)
O3 - HKCU\..\Toolbar\ShellBrowser: (AVG Security Toolbar) - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Program Files\AVG\AVG8\avgtoolbar.dll (AVG Technologies CZ, s.r.o.)
O3 - HKCU\..\Toolbar\WebBrowser: (AVG Security Toolbar) - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Program Files\AVG\AVG8\avgtoolbar.dll (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [AVG8_TRAY] C:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe (Nero AG)
O4 - HKLM..\Run: [SiSPower] C:\WINDOWS\System32\SiSPower.dll (Silicon Integrated Systems Corporation)
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe (Simply Super Software)
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\WINDOWS\Installer\{AC76BA86-7AD7-1033-7B44-A70001000000}\SC_Reader.exe ()
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoToolbarCustomize = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoBandCustomize = 0
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O24 - Desktop WallPaper: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/01/04 19:03:44 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ FAT32 ]
O33 - MountPoints2\{220dbabc-6d5c-11de-84f7-000d87125990}\Shell\AutoplaY\CommanD - "" = abblnt.pif
O33 - MountPoints2\{220dbabc-6d5c-11de-84f7-000d87125990}\Shell\AutoRun\command - "" = abblnt.pif
O33 - MountPoints2\{220dbabc-6d5c-11de-84f7-000d87125990}\Shell\expLorE\CommaND - "" = abblnt.pif
O33 - MountPoints2\{220dbabc-6d5c-11de-84f7-000d87125990}\Shell\opEn\commaNd - "" = abblnt.pif
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2009/01/04 18:45:02 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

MsConfig - StartUpFolder: C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^siszyd32.exe - C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\siszyd32.exe - File not found
MsConfig - StartUpFolder: C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^wwwpos32.exe - C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\wwwpos32.exe - File not found
MsConfig - State: "system.ini" - 0
MsConfig - State: "win.ini" - 0
MsConfig - State: "bootini" - 0
MsConfig - State: "services" - 0
MsConfig - State: "startup" - 2

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (53765113575899136)

========== Files/Folders - Created Within 30 Days ==========

[2010/02/06 06:51:03 | 000,439,808 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\TFC.exe
[2010/02/05 10:16:16 | 000,000,000 | -HSD | C] -- C:\FOUND.065
[2010/02/05 09:08:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/02/05 09:08:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\Simply Super Software
[2010/02/05 09:07:55 | 000,069,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ztvcabinet.dll
[2010/02/05 09:07:52 | 000,000,000 | ---D | C] -- C:\Program Files\Trojan Remover
[2010/02/05 09:07:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Simply Super Software
[2010/02/05 09:07:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Simply Super Software
[2010/02/05 05:06:58 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\CatRoot_bak
[2010/02/05 00:18:47 | 000,105,720 | ---- | C] (Doctor Web, Ltd.) -- C:\WINDOWS\System32\drivers\dwprot.sys
[2010/02/05 00:14:31 | 000,000,000 | ---D | C] -- C:\Dr.Web.AntiVirus.v5.0.8.11100.Regged-EAT
[2010/02/02 14:06:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Opera
[2010/02/02 14:06:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Opera
[2010/02/02 14:03:12 | 000,000,000 | ---D | C] -- C:\Program Files\Opera
[2010/02/02 13:00:01 | 000,000,000 | ---D | C] -- C:\Program Files\DrWeb
[2010/02/02 12:55:36 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\.#
[2010/02/02 10:13:08 | 000,000,000 | -HSD | C] -- C:\FOUND.064
[2010/02/02 09:30:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla
[2010/02/02 09:30:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Mozilla
[2010/02/02 09:30:16 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2010/02/02 00:01:13 | 000,000,000 | ---D | C] -- C:\Program Files\TrendMicro
[2010/02/01 22:41:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2010/02/01 22:39:59 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010/02/01 22:39:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
[2010/02/01 22:36:03 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2010/01/30 16:18:18 | 000,000,000 | -H-D | C] -- C:\WINDOWS\PIF
[2010/01/30 11:57:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\FreeFixer
[2010/01/30 11:57:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\FreeFixer
[2010/01/26 14:50:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\Prog shortcuts
[2010/01/26 11:27:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\Desktop
[2010/01/25 23:54:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
[2010/01/25 23:53:23 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/01/25 23:53:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/01/25 23:53:17 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/01/25 23:53:16 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/01/10 15:01:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\arvind chauhan
[2010/01/10 03:28:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\Graphs
[2010/01/10 03:25:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\Magzines mtg
[2009/01/04 19:27:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2009/01/04 19:24:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2009/01/04 19:07:40 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009/01/04 19:07:40 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft

========== Files - Modified Within 30 Days ==========

[2010/02/06 07:53:44 | 000,792,064 | ---- | M] () -- C:\WINDOWS\System32\drivers\bbhkyhn.sys
[2010/02/06 07:39:40 | 000,002,325 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
[2010/02/06 07:37:32 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/02/06 07:37:22 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/02/06 07:36:04 | 004,456,448 | -H-- | M] () -- C:\Documents and Settings\Administrator\NTUSER.DAT
[2010/02/06 07:36:04 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Administrator\ntuser.ini
[2010/02/06 06:51:18 | 000,439,808 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\TFC.exe
[2010/02/06 03:09:08 | 000,013,685 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\efficincy.JPG
[2010/02/05 13:41:00 | 000,152,715 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\0211075.pdf
[2010/02/05 00:23:46 | 000,002,184 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/02/02 05:52:18 | 000,000,594 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/02/02 05:52:18 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/02/02 05:52:18 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2010/02/02 05:48:10 | 000,883,889 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\paper37.pdf
[2010/02/02 05:48:08 | 001,230,365 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\paper35.pdf
[2010/02/02 05:48:06 | 001,111,913 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\paper38.pdf
[2010/02/02 05:47:56 | 001,156,911 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\paper36.pdf
[2010/02/02 05:47:42 | 000,243,150 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\sol37.pdf
[2010/02/02 05:47:24 | 000,276,419 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\sol38.pdf
[2010/02/02 05:47:04 | 000,255,950 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\sol35.pdf
[2010/02/02 05:46:46 | 000,262,727 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\sol36.pdf
[2010/01/28 22:35:52 | 000,869,192 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Math%20Formula%20Sheet%20AIEEE.pdf
[2010/01/25 22:31:50 | 004,843,474 | -H-- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db
[2010/01/10 22:38:20 | 002,127,934 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\NEST-09-SetA.pdf
[2010/01/10 22:35:34 | 000,249,667 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\NESTbrochure-2010.pdf
[2010/01/10 22:02:28 | 000,049,431 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\ugmath.pdf
[2010/01/07 16:07:14 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/01/07 16:07:04 | 000,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

========== Files Created - No Company Name ==========

[2010/02/06 03:09:06 | 000,013,685 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\efficincy.JPG
[2010/02/05 13:40:59 | 000,152,715 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\0211075.pdf
[2010/02/05 09:07:55 | 000,162,304 | ---- | C] () -- C:\WINDOWS\System32\ztvunrar36.dll
[2010/02/05 09:07:55 | 000,153,088 | ---- | C] () -- C:\WINDOWS\System32\UNRAR3.dll
[2010/02/05 09:07:55 | 000,077,312 | ---- | C] () -- C:\WINDOWS\System32\ztvunace26.dll
[2010/02/05 09:07:55 | 000,075,264 | ---- | C] () -- C:\WINDOWS\System32\unacev2.dll
[2010/02/02 05:47:31 | 000,883,889 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\paper37.pdf
[2010/02/02 05:47:24 | 000,243,150 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\sol37.pdf
[2010/02/02 05:47:13 | 001,111,913 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\paper38.pdf
[2010/02/02 05:47:05 | 000,276,419 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\sol38.pdf
[2010/02/02 05:46:57 | 001,230,365 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\paper35.pdf
[2010/02/02 05:46:49 | 000,255,950 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\sol35.pdf
[2010/02/02 05:46:41 | 001,156,911 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\paper36.pdf
[2010/02/02 05:46:34 | 000,262,727 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\sol36.pdf
[2010/01/28 22:35:47 | 000,869,192 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\Math%20Formula%20Sheet%20AIEEE.pdf
[2010/01/26 00:27:48 | 013,926,788 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\strategic.pdf
[2010/01/26 00:27:45 | 009,469,264 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\Elements of Synthesis Planning 3540792198.pdf
[2010/01/26 00:27:44 | 005,236,969 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\Problems.In.Calculus.Of.One.Variable_Maron_1973.djvu
[2010/01/26 00:27:44 | 002,260,044 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\100.Great.Problems.Of.Elementary.Mathematics_Dorrie_0486613488.djvu
[2010/01/26 00:27:43 | 004,492,939 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\Loney-Plane_trigonometry.djvu
[2010/01/26 00:27:43 | 003,278,731 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\MathematicalFallaciesFlawsandFlimflam.djvu
[2010/01/26 00:27:41 | 000,119,907 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\79.pdf
[2010/01/21 09:55:28 | 000,792,064 | ---- | C] () -- C:\WINDOWS\System32\drivers\bbhkyhn.sys
[2010/01/10 22:38:13 | 002,127,934 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\NEST-09-SetA.pdf
[2010/01/10 22:35:32 | 000,249,667 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\NESTbrochure-2010.pdf
[2010/01/10 22:02:27 | 000,049,431 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\ugmath.pdf
[2009/07/08 13:22:20 | 000,000,127 | ---- | C] () -- C:\WINDOWS\sas.INI
[2009/06/12 12:52:36 | 000,010,752 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2009/06/12 12:52:36 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2009/06/11 23:49:59 | 000,000,036 | -H-- | C] () -- C:\WINDOWS\System32\swk.ini
[2009/04/20 19:30:29 | 000,155,648 | ---- | C] () -- C:\WINDOWS\System32\RTLCPAPI.dll
[2009/01/06 17:18:10 | 000,000,000 | ---- | C] () -- C:\WINDOWS\PROTOCOL.INI
[2009/01/06 11:18:50 | 000,003,584 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/01/06 11:14:44 | 000,000,038 | ---- | C] () -- C:\WINDOWS\System32\llbiirc.dll
[2009/01/06 11:12:36 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2009/01/04 19:45:32 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/01/04 19:37:28 | 000,103,172 | ---- | C] () -- C:\WINDOWS\VGAsetup.ini
[2009/01/04 19:37:28 | 000,034,788 | ---- | C] () -- C:\WINDOWS\System32\VGAunistlog.ini
[2006/02/28 12:00:00 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\ieencode.dll
[2006/02/28 12:00:00 | 000,027,443 | ---- | C] () -- C:\WINDOWS\System32\llba7k.dll
[2006/02/28 12:00:00 | 000,027,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\secdrv.sys
[2004/12/19 18:59:40 | 000,106,496 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2004/12/19 18:47:10 | 000,614,400 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/10/07 00:12:56 | 000,237,568 | ---- | C] () -- C:\WINDOWS\System32\OggDS.dll
[2002/10/05 04:34:24 | 000,921,600 | ---- | C] () -- C:\WINDOWS\System32\VorbisEnc.dll
[2002/10/05 04:34:24 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\vorbis.dll
[2002/10/05 04:34:16 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\ogg.dll
[2002/05/16 05:08:40 | 000,091,136 | ---- | C] () -- C:\WINDOWS\System32\mp4fil32.dll

========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2006/02/28 12:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2004/08/03 23:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\SoftwareDistribution\Download\2d8407673ea9865ef7cd775540e3a36b\backup\agp440.sys

< MD5 for: ATAPI.SYS >
[2006/02/28 12:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2006/02/28 12:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\SoftwareDistribution\Download\2d8407673ea9865ef7cd775540e3a36b\backup\atapi.sys
[2006/02/28 12:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\drivers\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2006/02/28 12:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\SoftwareDistribution\Download\2d8407673ea9865ef7cd775540e3a36b\backup\eventlog.dll
[2006/02/28 17:30:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\system32\dllcache\eventlog.dll
[2006/02/28 12:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2009/02/07 00:16:10 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\SoftwareDistribution\Download\de81b460c3abcfc5b8494c785a5f3944\sp2qfe\netlogon.dll
[2006/02/28 12:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\SoftwareDistribution\Download\2d8407673ea9865ef7cd775540e3a36b\backup\netlogon.dll
[2006/02/28 12:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\SoftwareDistribution\Download\8cb3a5dc2e5ce55afbfdfd38e49058d5\backup\sp2qfe\netlogon.dll
[2006/02/28 17:30:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\system32\dllcache\netlogon.dll
[2006/02/28 12:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: SCECLI.DLL >
[2006/02/28 12:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\SoftwareDistribution\Download\2d8407673ea9865ef7cd775540e3a36b\backup\scecli.dll
[2006/02/28 17:30:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\system32\dllcache\scecli.dll
[2006/02/28 12:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >
[2010/02/06 07:58:08 | 000,792,064 | ---- | M] () Unable to obtain MD5 -- C:\WINDOWS\System32\drivers\bbhkyhn.sys
< End of report >
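
The MD5 listing above is easier to triage by machine than by eye. What follows is an added example, not part of this thread and not OTL's own code: a small Python parser for OTL's `< MD5 for: >` and `/lockedfiles` entries that pulls out the three things a responder checks first, files OTL could not hash at all (the locked bbhkyhn.sys driver), system32 files whose hash differs from the dllcache copy Windows File Protection keeps, and file names that appear with more than one hash. The sample log is constructed from lines posted in this thread; the function names and the report layout are my own.

```python
import re
from collections import defaultdict

# Constructed sample input: lines copied from the OTL log posted earlier in
# this thread (two MD5 sections plus the /lockedfiles driver scan).
SAMPLE_LOG = r"""
< MD5 for: EVENTLOG.DLL >
[2006/02/28 17:30:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\system32\dllcache\eventlog.dll
[2006/02/28 12:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2009/02/07 00:16:10 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\SoftwareDistribution\Download\de81b460c3abcfc5b8494c785a5f3944\sp2qfe\netlogon.dll
[2006/02/28 17:30:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\system32\dllcache\netlogon.dll
[2006/02/28 12:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\system32\netlogon.dll

< %systemroot%\system32\drivers\*.sys /lockedfiles >
[2010/02/06 07:58:08 | 000,792,064 | ---- | M] () Unable to obtain MD5 -- C:\WINDOWS\System32\drivers\bbhkyhn.sys
< End of report >
"""

# One OTL file entry looks like
#   [date | size | attrs | M] (company) MD5=<hex> -- <path>
# or, for a file OTL could not read,
#   [date | size | attrs | M] () Unable to obtain MD5 -- <path>
ENTRY_RE = re.compile(
    r"^\[(?P<date>[^|]+?) \| (?P<size>[\d,]+) \| (?P<attrs>[^|]+?) \| (?P<flag>[A-Z])\] "
    r"\((?P<company>[^)]*)\) "
    r"(?:MD5=(?P<md5>[0-9A-Fa-f]{32})|Unable to obtain MD5) -- (?P<path>.+)$"
)


def parse_otl_md5_report(text):
    """Parse OTL file/MD5 lines into dicts; section headers and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.rstrip())
        if not m:
            continue
        entries.append({
            "date": m.group("date"),
            "size": int(m.group("size").replace(",", "")),
            "company": m.group("company"),
            "md5": m.group("md5").upper() if m.group("md5") else None,
            "path": m.group("path"),
        })
    return entries


def analyse(entries):
    """Group the entries and return the three findings a responder looks at first."""
    report = {"unreadable": [], "dllcache_mismatch": [], "multiple_hashes": []}
    by_name = defaultdict(lambda: {"hashes": set()})

    for e in entries:
        # 1. OTL could not hash the file: something locks, hides or protects it.
        #    That is how the bbhkyhn.sys driver stood out in this thread.
        if e["md5"] is None:
            report["unreadable"].append(e["path"])
            continue
        low = e["path"].lower()
        name = low.rsplit("\\", 1)[-1]
        by_name[name]["hashes"].add(e["md5"])
        if low.endswith("\\system32\\dllcache\\" + name):
            by_name[name]["dllcache"] = e
        elif low.endswith("\\system32\\" + name):
            by_name[name]["system32"] = e

    for name, info in sorted(by_name.items()):
        # 2. The live system32 copy should match the dllcache copy that Windows
        #    File Protection keeps; a difference means the live file was
        #    replaced outside the normal update path.
        live, cache = info.get("system32"), info.get("dllcache")
        if live and cache and live["md5"] != cache["md5"]:
            report["dllcache_mismatch"].append(live["path"])
        # 3. Several hashes for one file name. Update staging folders
        #    (SoftwareDistribution\Download) cause this legitimately, so it is
        #    a pointer for a closer look, not a verdict.
        if len(info["hashes"]) > 1:
            report["multiple_hashes"].append(name)
    return report


if __name__ == "__main__":
    for kind, items in analyse(parse_otl_md5_report(SAMPLE_LOG)).items():
        print(kind, items)
```

On the sample above the parser reports bbhkyhn.sys as unreadable, no system32/dllcache mismatch, and netlogon.dll as the one name with two hashes (the sp2qfe hotfix copy in the update download folder), which matches what a reader sees in the log by hand.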


#4 jose_007

jose_007
  • Topic Starter

  • Members
  • 160 posts
  • OFFLINE
  • Local time:10:16 AM

Posted 10 February 2010 - 01:02 PM

and here is extras.txt

OTL Extras logfile created on: 2/6/2010 7:44:03 AM - Run 1
OTL by OldTimer - Version 3.1.28.0 Folder = C:\Documents and Settings\Administrator\Desktop\Prog shortcuts
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

191.00 Mb Total Physical Memory | 64.00 Mb Available Physical Memory | 33.00% Memory free
467.00 Mb Paging File | 169.00 Mb Available in Paging File | 36.00% Paging File free
Paging file location(s): C:\pagefile.sys 288 576 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 18.62 Gb Total Space | 11.79 Gb Free Space | 63.33% Space Free | Partition Type: FAT32
Drive D: | 19.65 Gb Total Space | 13.94 Gb Free Space | 70.96% Space Free | Partition Type: FAT32
Drive E: | 102.53 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: COMPAQ-5B8D674A
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\AVG\AVG8\avgupd.exe" = C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG8\avgemc.exe" = C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe -- (AVG Technologies CZ, s.r.o.)
"D:\Program Files\Yahoo!\Messenger\YPager.exe" = D:\Program Files\Yahoo!\Messenger\YPager.exe:*:Enabled:Yahoo! Messenger -- File not found
"D:\Program Files\Yahoo!\Messenger\YServer.exe" = D:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server -- File not found
"C:\Program Files\Google\Google Talk\googletalk.exe" = C:\Program Files\Google\Google Talk\googletalk.exe:*:Enabled:Google Talk -- File not found
"C:\Program Files\Sports Interactive\Football Manager 2008\fm.exe" = C:\Program Files\Sports Interactive\Football Manager 2008\fm.exe:*:Disabled:Football Manager 2008 -- File not found


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}" = HiJackThis
"{0978A841-2E44-4A85-922B-36D96F0BAE0E}_is1" = 3GP Player 2009
"{2F881B56-CBDF-4EC6-A8D2-6412A879C66A}_is1" = AMR Player 1.3
"{39D7BD4A-5BE7-11D4-9D68-0020781864F1}" = CueClub
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{8473D2AB-42CC-49C0-896D-BEF49F6B599B}_is1" = 3GP Converter 2008
"{8A8C4EAC-9AB7-45FA-9480-5716FD261033}" = Nero 7 Essentials
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{A2A60894-E3ED-46FE-9A6A-7CF7A87572A0}" = Opera 9.64
"{AC76BA86-7AD7-1033-7B44-A70001000000}" = Adobe Reader 7.0
"{CD95F661-A5C4-44F5-A6AA-ECDD91C240B7}" = WinZip 12.0
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition
"{E1180142-3B31-4DCC-9D27-7AC2D37662BF}" = LightScribe 1.4.124.1
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player
"AVG8Uninstall" = AVG Free 8.5
"AVI Movie Player" = AVI Movie Player
"EqPlot_is1" = EqPlot
"Graph_is1" = Graph 4.3
"Jigsaw Puzzle Lite" = Jigsaw Puzzle Lite (remove only)
"KLiteCodecPack_is1" = K-Lite Codec Pack 3.2.5 Standard
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Mozilla Firefox (3.5.1)" = Mozilla Firefox (3.5.1)
"SiS VGA Driver" = SiS 650/651/740/661FX/741/760 series
"Trojan Remover_is1" = Trojan Remover 6.8.1
"WinDjView" = WinDjView 1.0.1
"Windows Media Format Runtime" = Windows Media Format Runtime
"WinRAR archiver" = WinRAR archiver

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 10/27/2009 8:21:00 PM | Computer Name = COMPAQ-5B8D674A | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.2180, faulting
module explorer.exe, version 6.0.2900.2180, fault address 0x00023aa9.

Error - 10/28/2009 7:59:07 AM | Computer Name = COMPAQ-5B8D674A | Source = Application Error | ID = 1000
Description = Faulting application fifawc.exe, version 0.0.0.0, faulting module
fifawc.exe, version 0.0.0.0, fault address 0x0019d76b.

Error - 10/28/2009 8:20:36 AM | Computer Name = COMPAQ-5B8D674A | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 6.0.2900.2180, faulting
module ntdll.dll, version 5.1.2600.2180, fault address 0x000111de.

Error - 10/29/2009 5:53:27 AM | Computer Name = COMPAQ-5B8D674A | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 6.0.2900.2180, faulting
module ntdll.dll, version 5.1.2600.2180, fault address 0x000111de.

Error - 11/12/2009 11:28:57 PM | Computer Name = COMPAQ-5B8D674A | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 6.0.2900.2180, faulting
module ntdll.dll, version 5.1.2600.2180, fault address 0x000111de.

[ System Events ]
Error - 2/5/2010 5:21:33 PM | Computer Name = COMPAQ-5B8D674A | Source = NetBT | ID = 4311
Description = Initialization failed because the driver device could not be created.

Error - 2/5/2010 5:22:35 PM | Computer Name = COMPAQ-5B8D674A | Source = NetBT | ID = 4311
Description = Initialization failed because the driver device could not be created.

Error - 2/5/2010 5:22:35 PM | Computer Name = COMPAQ-5B8D674A | Source = NetBT | ID = 4311
Description = Initialization failed because the driver device could not be created.

Error - 2/5/2010 5:24:10 PM | Computer Name = COMPAQ-5B8D674A | Source = NetBT | ID = 4311
Description = Initialization failed because the driver device could not be created.

Error - 2/5/2010 5:24:10 PM | Computer Name = COMPAQ-5B8D674A | Source = NetBT | ID = 4311
Description = Initialization failed because the driver device could not be created.

Error - 2/5/2010 5:39:19 PM | Computer Name = COMPAQ-5B8D674A | Source = NetBT | ID = 4311
Description = Initialization failed because the driver device could not be created.

Error - 2/5/2010 5:39:19 PM | Computer Name = COMPAQ-5B8D674A | Source = NetBT | ID = 4311
Description = Initialization failed because the driver device could not be created.

Error - 2/5/2010 5:41:22 PM | Computer Name = COMPAQ-5B8D674A | Source = NetBT | ID = 4311
Description = Initialization failed because the driver device could not be created.

Error - 2/5/2010 5:41:22 PM | Computer Name = COMPAQ-5B8D674A | Source = NetBT | ID = 4311
Description = Initialization failed because the driver device could not be created.

Error - 2/5/2010 5:48:45 PM | Computer Name = COMPAQ-5B8D674A | Source = NetBT | ID = 4311
Description = Initialization failed because the driver device could not be created.


< End of report >


#5 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 4,149 posts
  • OFFLINE
  • Gender:Male
  • Location:Midlands, UK
  • Local time:04:16 PM

Posted 10 February 2010 - 01:45 PM

Hi jose

A couple of things for you to do:

Step 1
There's a file I'd like you to check out for me:

Please click this link-->Jotti

When the Jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.

C:\WINDOWS\sas.INI

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

Step 2
Double click on OTL.exe to run it.
Copy the lines in the codebox below. (make sure you include the first lot of : )
CODE
:otl
O33 - MountPoints2\{220dbabc-6d5c-11de-84f7-000d87125990}\Shell\AutoplaY\CommanD - "" = abblnt.pif
O33 - MountPoints2\{220dbabc-6d5c-11de-84f7-000d87125990}\Shell\AutoRun\command - "" = abblnt.pif
O33 - MountPoints2\{220dbabc-6d5c-11de-84f7-000d87125990}\Shell\expLorE\CommaND - "" = abblnt.pif
O33 - MountPoints2\{220dbabc-6d5c-11de-84f7-000d87125990}\Shell\opEn\commaNd - "" = abblnt.pif
MsConfig - StartUpFolder: C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^siszyd32.exe - C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\siszyd32.exe - File not found
MsConfig - StartUpFolder: C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^wwwpos32.exe - C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\wwwpos32.exe - File not found
[2010/02/05 10:16:16 | 000,000,000 | -HSD | C] -- C:\FOUND.065
[2010/02/02 10:13:08 | 000,000,000 | -HSD | C] -- C:\FOUND.064
[2010/02/06 07:53:44 | 000,792,064 | ---- | M] () -- C:\WINDOWS\System32\drivers\bbhkyhn.sys
[2010/01/21 09:55:28 | 000,792,064 | ---- | C] () -- C:\WINDOWS\System32\drivers\bbhkyhn.sys
[2009/01/06 11:18:50 | 000,003,584 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

:files
C:\WINDOWS\System32\drivers\bbhkyhn.sys
C:\FOUND.065
C:\FOUND.064

:commands
[emptytemp]
[purity]
  • Return to OTL,
  • right click in the Custom Scans/Fixes window (under the blue bar) and choose Paste.
  • Click the red Run Fix button.
  • OTL will reboot your system once the fix has completed.
  • After the reboot, you may need to double click OTL to launch the program and retrieve the log.
Copy and paste the contents of the OTL log that comes up after the fix in your next reply.

Step 3
Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2

This is an example, you may rename ComboFix to anything you want.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with the running of ComboFix.
    For more information read:
    How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

    Then:

    Double click on Combo-Fix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    If running Vista, you may not see this screen
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


In your next reply, please submit:
Jotti scan report
Otl report that comes up after the fix.
Combofix.txt


Thanks.

Edited by Starbuck, 10 February 2010 - 01:47 PM.



#6 jose_007

jose_007
  • Topic Starter

  • Members
  • 160 posts
  • OFFLINE
  • Local time:10:16 AM

Posted 10 February 2010 - 10:08 PM

Here is what you requested.

Jotti report

Filename: sas.INI
Status: Scan finished. 0 out of 20 scanners reported malware.
Scan taken on: Thu 11 Feb 2010 04:13:02 (CET)

File size: 127 bytes
Filetype: ASCII text, with CRLF line terminators
MD5: cf5895abc87b5f85e4ec7602042d36c9
SHA1: 2b03cecbe44034896b41f250eccb01a1940695c1

Edited by jose_007, 10 February 2010 - 10:53 PM.


#7 jose_007

jose_007
  • Topic Starter

  • Members
  • 160 posts
  • OFFLINE
  • Local time:10:16 AM

Posted 10 February 2010 - 10:53 PM

OTL report

All processes killed
========== OTL ==========
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{220dbabc-6d5c-11de-84f7-000d87125990}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{220dbabc-6d5c-11de-84f7-000d87125990}\ not found.
File abblnt.pif not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{220dbabc-6d5c-11de-84f7-000d87125990}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{220dbabc-6d5c-11de-84f7-000d87125990}\ not found.
File abblnt.pif not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{220dbabc-6d5c-11de-84f7-000d87125990}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{220dbabc-6d5c-11de-84f7-000d87125990}\ not found.
File abblnt.pif not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{220dbabc-6d5c-11de-84f7-000d87125990}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{220dbabc-6d5c-11de-84f7-000d87125990}\ not found.
File abblnt.pif not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpFolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^siszyd32.exe\ deleted successfully.
File C:\WINDOWS\pss\siszyd32.exeStartup not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpFolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^wwwpos32.exe\ deleted successfully.
File C:\WINDOWS\pss\wwwpos32.exeStartup not found.
C:\FOUND.065 folder moved successfully.
C:\FOUND.064 folder moved successfully.
File C:\WINDOWS\System32\drivers\bbhkyhn.sys not found.
File C:\WINDOWS\System32\drivers\bbhkyhn.sys not found.
C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini moved successfully.
========== FILES ==========
File move failed. C:\WINDOWS\System32\drivers\bbhkyhn.sys scheduled to be moved on reboot.
File\Folder C:\FOUND.065 not found.
File\Folder C:\FOUND.064 not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->FireFox cache emptied: 0 bytes
->Opera cache emptied: 4909579 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 272293 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 5.00 mb


OTL by OldTimer - Version 3.1.28.0 log created on 02062010_085149

Files\Folders moved on Reboot...
File\Folder C:\WINDOWS\System32\drivers\bbhkyhn.sys not found!

Registry entries deleted on Reboot...


#8 jose_007

jose_007
  • Topic Starter

  • Members
  • 160 posts
  • OFFLINE
  • Local time:10:16 AM

Posted 10 February 2010 - 10:54 PM

Combofix report

ComboFix 10-02-10.04 - Administrator 02/11/2010 9:12.1.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.191.82 [GMT 5.5:30]
Running from: c:\documents and settings\Administrator\Desktop\Prog shortcuts\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\program.exe

.
((((((((((((((((((((((((( Files Created from 2010-01-11 to 2010-02-11 )))))))))))))))))))))))))))))))
.

2010-02-06 03:21 . 2010-02-06 03:21 -------- d-----w- C:\_OTL
2010-02-05 04:43 . 2010-02-05 04:43 152488 ----a-w- c:\documents and settings\All Users\Application Data\Simply Super Software\Trojan Remover\tr_util.exe
2010-02-05 04:42 . 2009-12-11 12:35 3613560 ----a-w- c:\documents and settings\Administrator\Application Data\Simply Super Software\Trojan Remover\kiq1.exe
2010-02-05 03:38 . 2010-02-05 03:38 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP
2010-02-05 03:37 . 2006-06-19 06:31 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-02-05 03:37 . 2006-05-25 09:22 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-02-05 03:37 . 2005-08-25 19:20 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-02-05 03:37 . 2003-02-02 13:36 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2010-02-05 03:37 . 2002-03-05 18:30 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-02-05 03:37 . 2010-02-05 03:37 -------- d-----w- c:\program files\Trojan Remover
2010-02-05 03:37 . 2010-02-05 03:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Simply Super Software
2010-02-05 03:37 . 2010-02-05 03:37 -------- d-----w- c:\documents and settings\Administrator\Application Data\Simply Super Software
2010-02-04 23:36 . 2010-02-04 23:37 -------- d-----w- c:\windows\system32\CatRoot_bak
2010-02-04 18:48 . 2009-10-27 06:15 105720 ----a-w- c:\windows\system32\drivers\dwprot.sys
2010-02-04 18:44 . 2009-11-26 06:39 -------- d-----w- C:\Dr.Web.AntiVirus.v5.0.8.11100.Regged-EAT
2010-02-02 08:36 . 2010-02-02 08:36 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Opera
2010-02-02 08:33 . 2010-02-02 08:33 -------- d-----w- c:\program files\Opera
2010-02-02 07:30 . 2010-02-02 07:30 -------- d-----w- c:\program files\DrWeb
2010-02-02 07:25 . 2010-02-02 07:25 -------- d-sh--w- c:\documents and settings\Administrator\Local Settings\Application Data\.#
2010-02-02 04:00 . 2010-02-02 04:00 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-02-01 18:31 . 2010-02-01 18:31 388096 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-02-01 18:31 . 2010-02-01 18:31 -------- d-----w- c:\program files\TrendMicro
2010-02-01 17:13 . 2010-02-01 17:13 52224 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-02-01 17:12 . 2010-02-02 02:32 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-02-01 17:11 . 2010-02-01 17:11 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-02-01 17:09 . 2010-02-01 17:10 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-02-01 17:09 . 2010-02-01 17:10 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-02-01 17:06 . 2010-02-01 17:06 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-01-30 10:48 . 2010-01-30 10:48 -------- d--h--w- c:\windows\PIF
2010-01-30 06:27 . 2010-01-30 06:27 -------- d-----w- c:\documents and settings\Administrator\Application Data\FreeFixer
2010-01-30 06:27 . 2010-01-30 06:27 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\FreeFixer
2010-01-25 18:24 . 2010-01-25 18:24 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-01-25 18:23 . 2010-01-07 10:37 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-25 18:23 . 2010-01-25 18:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-25 18:23 . 2010-01-07 10:37 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-25 18:23 . 2010-01-25 18:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-21 04:23 . 2010-01-21 04:23 16 ----a-w- c:\windows\system32\config\systemprofile\Application Data\anvkgp.dat
2010-01-02 05:30 . 2010-01-02 05:30 16 ----a-w- c:\windows\system32\config\systemprofile\Application Data\fvgqad.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-01-05 2002160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-05-14 67072]
"SiSPower"="SiSPower.dll" [2004-09-01 49152]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-20 1947928]
"TrojanScanner"="c:\program files\Trojan Remover\Trjscan.exe" [2009-10-17 1070984]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\windows\Installer\{AC76BA86-7AD7-1033-7B44-A70001000000}\SC_Reader.exe [2009-1-4 25214]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 08:51 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-20 04:34 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [1/4/2009 7:56 PM 325896]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [1/4/2009 7:56 PM 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [1/5/2010 7:56 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 7:56 AM 74480]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [1/4/2009 7:56 PM 908568]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [1/4/2009 7:56 PM 298776]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 7:56 AM 7408]

--- Other Services/Drivers In Memory ---

*Deregistered* - bbhkyhn
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Save with Download Manager... - file://c:\program files\J River\Media Center 11\DMDownload.htm
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\8hscxe3h.default\
.
- - - - ORPHANS REMOVED - - - -

AddRemove-Jigsaw Puzzle Lite - c:\documents and settings\Administrator\Desktop\Jigsaw Puzzle Lite\uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-11 09:18
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\bbhkyhn]

.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(552)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2010-02-11 09:19:17
ComboFix-quarantined-files.txt 2010-02-11 03:49

Pre-Run: 12,557,533,184 bytes free
Post-Run: 12,524,240,896 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - DF3F1200AADC9234F4D29C7F31506789


#9 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 4,149 posts
  • OFFLINE
  • Gender:Male
  • Location:Midlands, UK
  • Local time:04:16 PM

Posted 11 February 2010 - 12:50 AM

Hi jose,

Can you let me have a fresh set of OTL reports using the following instructions:

Double click on OTL.exe to run it.
  • Under Extra Registry section, select Use SafeList.
  • Don't check the boxes beside 'LOP Check' and 'Purity Check' this time.
    Copy the lines in the codebox below.
    CODE
    %systemroot%\system32\drivers\*.sys /lockedfiles
  • right click in the Custom Scans/Fixes window (under the blue bar) and choose Paste.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open. Please post the contents of these 2 Notepad files in your next reply.

Also let me know how the system is running now.

Thanks



#10 jose_007

jose_007
  • Topic Starter

  • Members
  • 160 posts
  • OFFLINE
  • Local time:10:16 AM

Posted 11 February 2010 - 02:23 AM

here is OTL

OTL logfile created on: 2/11/2010 12:49:04 PM - Run 2
OTL by OldTimer - Version 3.1.28.0 Folder = C:\Documents and Settings\Administrator\Desktop\Prog shortcuts
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

191.00 Mb Total Physical Memory | 77.00 Mb Available Physical Memory | 40.00% Memory free
467.00 Mb Paging File | 162.00 Mb Available in Paging File | 35.00% Paging File free
Paging file location(s): C:\pagefile.sys 288 576 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 18.62 Gb Total Space | 11.68 Gb Free Space | 62.72% Space Free | Partition Type: FAT32
Drive D: | 19.65 Gb Total Space | 13.94 Gb Free Space | 70.96% Space Free | Partition Type: FAT32
Drive E: | 102.53 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: COMPAQ-5B8D674A
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Administrator\Desktop\Prog shortcuts\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
PRC - C:\Program Files\AVG\AVG8\avgrsx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG8\avgcsrvx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG8\avgnsx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG8\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG8\avgemc.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\Common Files\LightScribe\LSSrvc.exe (Hewlett-Packard Company)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Administrator\Desktop\Prog shortcuts\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (avg8wd) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
SRV - (avg8emc) -- C:\Program Files\AVG\AVG8\avgemc.exe (AVG Technologies CZ, s.r.o.)
SRV - (NMIndexingService) -- C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (Nero AG)
SRV - (NBService) -- C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe (Nero AG)
SRV - (LightScribeService) -- C:\Program Files\Common Files\LightScribe\LSSrvc.exe (Hewlett-Packard Company)
SRV - (ose) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)


========== Driver Services (SafeList) ==========

DRV - (SASENUM) -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS ( SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (SASDIFSV) -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (SASKUTIL) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (AvgMfx86) -- C:\WINDOWS\System32\Drivers\avgmfx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (AvgLdx86) -- C:\WINDOWS\System32\Drivers\avgldx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (AvgTdiX) -- C:\WINDOWS\System32\Drivers\avgtdix.sys (AVG Technologies CZ, s.r.o.)
DRV - (Secdrv) -- C:\WINDOWS\system32\drivers\secdrv.sys ()
DRV - (Ptilink) -- C:\WINDOWS\system32\drivers\ptilink.sys (Parallel Technologies, Inc.)
DRV - (SiS315) -- C:\WINDOWS\system32\drivers\sisgrp.sys (Silicon Integrated Systems Corporation)
DRV - (SiSkp) -- C:\WINDOWS\system32\drivers\srvkp.sys (Silicon Integrated Systems Corporation)
DRV - (sisagp) -- C:\WINDOWS\system32\DRIVERS\sisagp.sys (Silicon Integrated Systems Corporation)
DRV - (HSF_DP) -- C:\WINDOWS\system32\drivers\HSFDPSP2.sys (Conexant Systems, Inc.)
DRV - (mdmxsdk) -- C:\WINDOWS\system32\drivers\mdmxsdk.sys (Conexant)
DRV - (winachsf) -- C:\WINDOWS\system32\drivers\HSFCXTS2.sys (Conexant Systems, Inc.)
DRV - (HSFHWBS2) -- C:\WINDOWS\system32\drivers\HSFBS2S2.sys (Conexant Systems, Inc.)
DRV - (rtl8139) Realtek RTL8139(A/B/C) -- C:\WINDOWS\system32\drivers\RTL8139.sys (Realtek Semiconductor Corporation)
DRV - (ALCXWDM) Service for Realtek AC97 Audio (WDM) -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS (Realtek Semiconductor Corp.)
DRV - (ALCXSENS) -- C:\WINDOWS\system32\drivers\ALCXSENS.SYS (Sensaura)
DRV - (SiS300i) -- C:\WINDOWS\system32\drivers\sis300ip.sys (Silicon Integrated Systems Corporation)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========


FF - HKLM\software\mozilla\Mozilla Firefox 3.5.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/02/02 09:30:18 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/02/02 09:30:18 | 000,000,000 | ---D | M]

[2010/02/02 09:30:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions
[2010/02/02 09:30:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\8hscxe3h.default\extensions
[2010/02/02 09:30:18 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2010/02/05 10:02:34 | 000,000,894 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (AVG Security Toolbar) - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Program Files\AVG\AVG8\avgtoolbar.dll (AVG Technologies CZ, s.r.o.)
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Program Files\AVG\AVG8\avgtoolbar.dll (AVG Technologies CZ, s.r.o.)
O3 - HKCU\..\Toolbar\ShellBrowser: (AVG Security Toolbar) - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Program Files\AVG\AVG8\avgtoolbar.dll (AVG Technologies CZ, s.r.o.)
O3 - HKCU\..\Toolbar\WebBrowser: (AVG Security Toolbar) - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Program Files\AVG\AVG8\avgtoolbar.dll (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [AVG8_TRAY] C:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe (Nero AG)
O4 - HKLM..\Run: [SiSPower] C:\WINDOWS\System32\SiSPower.dll (Silicon Integrated Systems Corporation)
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe (Simply Super Software)
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\WINDOWS\Installer\{AC76BA86-7AD7-1033-7B44-A70001000000}\SC_Reader.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoBandCustomize = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O24 - Desktop WallPaper: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/01/04 19:03:44 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/02/11 09:19:21 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2010/02/11 09:09:16 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/02/11 09:06:43 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/02/11 09:06:43 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/02/11 09:06:43 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/02/11 09:06:43 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/02/06 09:05:12 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/02/06 09:02:42 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/02/06 08:51:49 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/02/06 06:51:03 | 000,439,808 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\TFC.exe
[2010/02/05 09:08:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/02/05 09:08:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\Simply Super Software
[2010/02/05 09:07:55 | 000,069,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ztvcabinet.dll
[2010/02/05 09:07:52 | 000,000,000 | ---D | C] -- C:\Program Files\Trojan Remover
[2010/02/05 09:07:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Simply Super Software
[2010/02/05 09:07:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Simply Super Software
[2010/02/05 05:06:58 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\CatRoot_bak
[2010/02/05 00:18:47 | 000,105,720 | ---- | C] (Doctor Web, Ltd.) -- C:\WINDOWS\System32\drivers\dwprot.sys
[2010/02/05 00:14:31 | 000,000,000 | ---D | C] -- C:\Dr.Web.AntiVirus.v5.0.8.11100.Regged-EAT
[2010/02/02 14:06:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Opera
[2010/02/02 14:06:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Opera
[2010/02/02 14:03:12 | 000,000,000 | ---D | C] -- C:\Program Files\Opera
[2010/02/02 13:00:01 | 000,000,000 | ---D | C] -- C:\Program Files\DrWeb
[2010/02/02 12:55:36 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\.#
[2010/02/02 09:30:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla
[2010/02/02 09:30:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Mozilla
[2010/02/02 09:30:16 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2010/02/02 00:01:13 | 000,000,000 | ---D | C] -- C:\Program Files\TrendMicro
[2010/02/01 22:41:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2010/02/01 22:39:59 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010/02/01 22:39:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
[2010/02/01 22:36:03 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2010/01/30 16:18:18 | 000,000,000 | -H-D | C] -- C:\WINDOWS\PIF
[2010/01/30 11:57:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\FreeFixer
[2010/01/30 11:57:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\FreeFixer
[2010/01/26 14:50:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\Prog shortcuts
[2010/01/26 11:27:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\Desktop
[2010/01/25 23:54:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
[2010/01/25 23:53:23 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/01/25 23:53:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/01/25 23:53:17 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/01/25 23:53:16 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/01/04 19:27:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2009/01/04 19:24:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2009/01/04 19:07:40 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009/01/04 19:07:40 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft

========== Files - Modified Within 30 Days ==========

[2010/02/11 12:51:00 | 000,792,064 | ---- | M] () -- C:\WINDOWS\System32\drivers\bbhkyhn.sys
[2010/02/11 12:47:20 | 000,064,181 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\otl snapshot.JPG
[2010/02/11 12:40:02 | 000,002,325 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
[2010/02/11 12:39:24 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/02/11 12:39:18 | 000,002,184 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/02/11 12:39:10 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/02/11 09:36:04 | 004,456,448 | -H-- | M] () -- C:\Documents and Settings\Administrator\NTUSER.DAT
[2010/02/11 09:36:04 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Administrator\ntuser.ini
[2010/02/11 09:17:30 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/02/11 09:09:24 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/02/06 06:51:18 | 000,439,808 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\TFC.exe
[2010/02/06 03:09:08 | 000,013,685 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\efficincy.JPG
[2010/02/05 13:41:00 | 000,152,715 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\0211075.pdf
[2010/02/02 05:52:18 | 000,000,594 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/02/02 05:52:18 | 000,000,211 | ---- | M] () -- C:\Boot.bak
[2010/02/02 05:48:10 | 000,883,889 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\paper37.pdf
[2010/02/02 05:48:08 | 001,230,365 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\paper35.pdf
[2010/02/02 05:48:06 | 001,111,913 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\paper38.pdf
[2010/02/02 05:47:56 | 001,156,911 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\paper36.pdf
[2010/02/02 05:47:42 | 000,243,150 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\sol37.pdf
[2010/02/02 05:47:24 | 000,276,419 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\sol38.pdf
[2010/02/02 05:47:04 | 000,255,950 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\sol35.pdf
[2010/02/02 05:46:46 | 000,262,727 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\sol36.pdf
[2010/01/28 22:35:52 | 000,869,192 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Math%20Formula%20Sheet%20AIEEE.pdf
[2010/01/25 22:31:50 | 004,843,474 | -H-- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db

========== Files Created - No Company Name ==========

[2010/02/11 12:47:19 | 000,064,181 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\otl snapshot.JPG
[2010/02/11 09:09:23 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/02/11 09:09:21 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/02/11 09:06:43 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/02/11 09:06:43 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/02/11 09:06:43 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/02/11 09:06:43 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/02/11 09:06:43 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/02/06 03:09:06 | 000,013,685 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\efficincy.JPG
[2010/02/05 13:40:59 | 000,152,715 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\0211075.pdf
[2010/02/05 09:07:55 | 000,162,304 | ---- | C] () -- C:\WINDOWS\System32\ztvunrar36.dll
[2010/02/05 09:07:55 | 000,153,088 | ---- | C] () -- C:\WINDOWS\System32\UNRAR3.dll
[2010/02/05 09:07:55 | 000,077,312 | ---- | C] () -- C:\WINDOWS\System32\ztvunace26.dll
[2010/02/05 09:07:55 | 000,075,264 | ---- | C] () -- C:\WINDOWS\System32\unacev2.dll
[2010/02/02 05:47:31 | 000,883,889 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\paper37.pdf
[2010/02/02 05:47:24 | 000,243,150 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\sol37.pdf
[2010/02/02 05:47:13 | 001,111,913 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\paper38.pdf
[2010/02/02 05:47:05 | 000,276,419 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\sol38.pdf
[2010/02/02 05:46:57 | 001,230,365 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\paper35.pdf
[2010/02/02 05:46:49 | 000,255,950 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\sol35.pdf
[2010/02/02 05:46:41 | 001,156,911 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\paper36.pdf
[2010/02/02 05:46:34 | 000,262,727 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\sol36.pdf
[2010/01/28 22:35:47 | 000,869,192 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\Math%20Formula%20Sheet%20AIEEE.pdf
[2010/01/26 00:27:48 | 013,926,788 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\strategic.pdf
[2010/01/26 00:27:45 | 009,469,264 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\Elements of Synthesis Planning 3540792198.pdf
[2010/01/26 00:27:44 | 005,236,969 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\Problems.In.Calculus.Of.One.Variable_Maron_1973.djvu
[2010/01/26 00:27:44 | 002,260,044 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\100.Great.Problems.Of.Elementary.Mathematics_Dorrie_0486613488.djvu
[2010/01/26 00:27:43 | 004,492,939 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\Loney-Plane_trigonometry.djvu
[2010/01/26 00:27:43 | 003,278,731 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\MathematicalFallaciesFlawsandFlimflam.djvu
[2010/01/26 00:27:41 | 000,119,907 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\79.pdf
[2010/01/21 09:55:28 | 000,792,064 | ---- | C] () -- C:\WINDOWS\System32\drivers\bbhkyhn.sys
[2009/07/08 13:22:20 | 000,000,127 | ---- | C] () -- C:\WINDOWS\sas.INI
[2009/06/12 12:52:36 | 000,010,752 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2009/06/12 12:52:36 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2009/06/11 23:49:59 | 000,000,036 | -H-- | C] () -- C:\WINDOWS\System32\swk.ini
[2009/04/20 19:30:29 | 000,155,648 | ---- | C] () -- C:\WINDOWS\System32\RTLCPAPI.dll
[2009/01/06 17:18:10 | 000,000,000 | ---- | C] () -- C:\WINDOWS\PROTOCOL.INI
[2009/01/06 11:14:44 | 000,000,038 | ---- | C] () -- C:\WINDOWS\System32\llbiirc.dll
[2009/01/06 11:12:36 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2009/01/04 19:45:32 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/01/04 19:37:28 | 000,103,172 | ---- | C] () -- C:\WINDOWS\VGAsetup.ini
[2009/01/04 19:37:28 | 000,034,788 | ---- | C] () -- C:\WINDOWS\System32\VGAunistlog.ini
[2006/02/28 12:00:00 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\ieencode.dll
[2006/02/28 12:00:00 | 000,027,443 | ---- | C] () -- C:\WINDOWS\System32\llba7k.dll
[2006/02/28 12:00:00 | 000,027,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\secdrv.sys
[2004/12/19 18:59:40 | 000,106,496 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2004/12/19 18:47:10 | 000,614,400 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/10/07 00:12:56 | 000,237,568 | ---- | C] () -- C:\WINDOWS\System32\OggDS.dll
[2002/10/05 04:34:24 | 000,921,600 | ---- | C] () -- C:\WINDOWS\System32\VorbisEnc.dll
[2002/10/05 04:34:24 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\vorbis.dll
[2002/10/05 04:34:16 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\ogg.dll
[2002/05/16 05:08:40 | 000,091,136 | ---- | C] () -- C:\WINDOWS\System32\mp4fil32.dll

========== Custom Scans ==========


< %systemroot%\system32\drivers\*.sys /lockedfiles >
[2010/02/11 12:51:36 | 000,792,064 | ---- | M] () Unable to obtain MD5 -- C:\WINDOWS\System32\drivers\bbhkyhn.sys
< End of report >
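
The report above is the data the helper's custom `%systemroot%\system32\drivers\*.sys /lockedfiles` scan was meant to produce: `bbhkyhn.sys` appears under "Files Created - No Company Name" (created 2010/01/21), under "Files - Modified Within 30 Days" with a modification time after the report started (12:49:04), in the locked-files scan as "Unable to obtain MD5", and nowhere in the "Driver Services (SafeList)" section. The Python below is an added example, not part of the thread and not one of OldTimer's tools; it parses those OTL line formats and scores each driver file on exactly those indicators. The sample log is a constructed subset of lines copied from the report, and the indicator weights and the 5-point threshold are this example's own assumptions.

```python
"""Triage of the kernel drivers listed in an OTL report (added example, not OldTimer's code)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# "OTL logfile created on: 2/11/2010 12:49:04 PM" in the posted report header.
REPORT_START = datetime(2010, 2, 11, 12, 49, 4)

# DRV - (Service) optional description -- C:\path\file.sys (Company)
DRV_RE = re.compile(
    r"^DRV - \((?P<svc>[^)]+)\)(?P<desc>.*?)\s--\s(?P<path>.+?\.sys)\s\((?P<company>[^)]*)\)\s*$",
    re.IGNORECASE,
)
# [yyyy/mm/dd hh:mm:ss | size | attrs | C=created/M=modified] (Company) [note] -- C:\path
FILE_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| \S{4} \| "
    r"(?P<kind>[CM])\] \((?P<company>[^)]*)\)(?P<note>.*?)\s--\s(?P<path>.+?)\s*$"
)

# Constructed subset of the OTL log posted above (lines copied verbatim).
SAMPLE_LOG = r"""
DRV - (SASENUM) -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS ( SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (AvgTdiX) -- C:\WINDOWS\System32\Drivers\avgtdix.sys (AVG Technologies CZ, s.r.o.)
DRV - (Secdrv) -- C:\WINDOWS\system32\drivers\secdrv.sys ()
DRV - (rtl8139) Realtek RTL8139(A/B/C) -- C:\WINDOWS\system32\drivers\RTL8139.sys (Realtek Semiconductor Corporation)
[2010/02/05 00:18:47 | 000,105,720 | ---- | C] (Doctor Web, Ltd.) -- C:\WINDOWS\System32\drivers\dwprot.sys
[2010/01/25 23:53:17 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/02/11 12:51:00 | 000,792,064 | ---- | M] () -- C:\WINDOWS\System32\drivers\bbhkyhn.sys
[2010/01/21 09:55:28 | 000,792,064 | ---- | C] () -- C:\WINDOWS\System32\drivers\bbhkyhn.sys
[2006/02/28 12:00:00 | 000,027,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\secdrv.sys
< %systemroot%\system32\drivers\*.sys /lockedfiles >
[2010/02/11 12:51:36 | 000,792,064 | ---- | M] () Unable to obtain MD5 -- C:\WINDOWS\System32\drivers\bbhkyhn.sys
"""


def parse(report):
    """Return (services, records): registered driver services and on-disk file
    records, both keyed by lower-cased path so the casing differences between
    OTL sections (System32\\Drivers vs system32\\drivers) collapse."""
    services, records = {}, defaultdict(list)
    for line in report.splitlines():
        m = DRV_RE.match(line)
        if m:
            services[m["path"].lower()] = {"svc": m["svc"], "company": m["company"].strip()}
            continue
        m = FILE_RE.match(line)
        if m and m["path"].lower().endswith(".sys"):
            records[m["path"].lower()].append({
                "ts": datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
                "size": int(m["size"].replace(",", "")),
                "kind": m["kind"],
                "company": m["company"].strip(),
                "locked": "Unable to obtain MD5" in m["note"],
            })
    return services, records


def score_driver(path, services, records, report_start, window_days=30):
    """Weighted indicators for one driver path (weights are this example's assumption)."""
    svc, recs, reasons = services.get(path), records.get(path, []), []
    companies = {r["company"] for r in recs if r["company"]}
    if svc and svc["company"]:
        companies.add(svc["company"])
    if not companies:
        reasons.append(("no company/version information", 2))
    if svc is None:  # weak alone: on-demand drivers such as mbam.sys also have no DRV line
        reasons.append(("on disk but no driver service in the SafeList", 2))
    if any(r["locked"] for r in recs):
        reasons.append(("locked: OTL could not hash it (/lockedfiles)", 3))
    created = [r["ts"] for r in recs if r["kind"] == "C"]
    if created and report_start - min(created) <= timedelta(days=window_days):
        reasons.append(("created within %d days of the report" % window_days, 1))
    modified = [r["ts"] for r in recs if r["kind"] == "M"]
    if modified and max(modified) >= report_start:
        reasons.append(("modified while the scan was running", 2))
    return sum(w for _, w in reasons), [text for text, _ in reasons]


def triage(report, report_start=REPORT_START, threshold=5):
    """Map path -> (score, reasons) for every driver at or above the threshold."""
    services, records = parse(report)
    flagged = {}
    for path in sorted(set(services) | set(records)):
        score, reasons = score_driver(path, services, records, report_start)
        if score >= threshold:
            flagged[path] = (score, reasons)
    return flagged


if __name__ == "__main__":
    for path, (score, reasons) in triage(SAMPLE_LOG).items():
        print("%s  score=%d" % (path, score))
        for reason in reasons:
            print("    - " + reason)
```

On the sample, only `bbhkyhn.sys` crosses the threshold, and it does so on every indicator at once; `secdrv.sys` (no company string, but present as a registered service since 2006) and the recently installed `mbam.sys` and `dwprot.sys` (vendor name present, simply not listed as running services) stay below it. The score is a prioritisation aid for the responder, not a verdict: the strongest single signal is the one the helper asked for, a driver in `system32\drivers` that OTL cannot open to hash, and the time stamps show why a fresh scan was worth requesting, since the file's modification time moved between the "Files Modified" section and the custom scan a couple of minutes later.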


#11 jose_007

jose_007
  • Topic Starter

  • Members
  • 160 posts

Posted 11 February 2010 - 02:25 AM

Here are the Extras:

OTL Extras logfile created on: 2/11/2010 12:49:04 PM - Run 2
OTL by OldTimer - Version 3.1.28.0 Folder = C:\Documents and Settings\Administrator\Desktop\Prog shortcuts
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

191.00 Mb Total Physical Memory | 77.00 Mb Available Physical Memory | 40.00% Memory free
467.00 Mb Paging File | 162.00 Mb Available in Paging File | 35.00% Paging File free
Paging file location(s): C:\pagefile.sys 288 576 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 18.62 Gb Total Space | 11.68 Gb Free Space | 62.72% Space Free | Partition Type: FAT32
Drive D: | 19.65 Gb Total Space | 13.94 Gb Free Space | 70.96% Space Free | Partition Type: FAT32
Drive E: | 102.53 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: COMPAQ-5B8D674A
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "%programfiles%\internet explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\AVG\AVG8\avgupd.exe" = C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG8\avgemc.exe" = C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe -- (AVG Technologies CZ, s.r.o.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}" = HiJackThis
"{0978A841-2E44-4A85-922B-36D96F0BAE0E}_is1" = 3GP Player 2009
"{2F881B56-CBDF-4EC6-A8D2-6412A879C66A}_is1" = AMR Player 1.3
"{39D7BD4A-5BE7-11D4-9D68-0020781864F1}" = CueClub
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{8473D2AB-42CC-49C0-896D-BEF49F6B599B}_is1" = 3GP Converter 2008
"{8A8C4EAC-9AB7-45FA-9480-5716FD261033}" = Nero 7 Essentials
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{A2A60894-E3ED-46FE-9A6A-7CF7A87572A0}" = Opera 9.64
"{AC76BA86-7AD7-1033-7B44-A70001000000}" = Adobe Reader 7.0
"{CD95F661-A5C4-44F5-A6AA-ECDD91C240B7}" = WinZip 12.0
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition
"{E1180142-3B31-4DCC-9D27-7AC2D37662BF}" = LightScribe 1.4.124.1
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player
"AVG8Uninstall" = AVG Free 8.5
"AVI Movie Player" = AVI Movie Player
"EqPlot_is1" = EqPlot
"Graph_is1" = Graph 4.3
"KLiteCodecPack_is1" = K-Lite Codec Pack 3.2.5 Standard
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Mozilla Firefox (3.5.1)" = Mozilla Firefox (3.5.1)
"SiS VGA Driver" = SiS 650/651/740/661FX/741/760 series
"Trojan Remover_is1" = Trojan Remover 6.8.1
"WinDjView" = WinDjView 1.0.1
"Windows Media Format Runtime" = Windows Media Format Runtime
"WinRAR archiver" = WinRAR archiver

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 10/27/2009 8:21:00 PM | Computer Name = COMPAQ-5B8D674A | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.2180, faulting
module explorer.exe, version 6.0.2900.2180, fault address 0x00023aa9.

Error - 10/28/2009 7:59:07 AM | Computer Name = COMPAQ-5B8D674A | Source = Application Error | ID = 1000
Description = Faulting application fifawc.exe, version 0.0.0.0, faulting module
fifawc.exe, version 0.0.0.0, fault address 0x0019d76b.

Error - 10/28/2009 8:20:36 AM | Computer Name = COMPAQ-5B8D674A | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 6.0.2900.2180, faulting
module ntdll.dll, version 5.1.2600.2180, fault address 0x000111de.

Error - 10/29/2009 5:53:27 AM | Computer Name = COMPAQ-5B8D674A | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 6.0.2900.2180, faulting
module ntdll.dll, version 5.1.2600.2180, fault address 0x000111de.

Error - 11/12/2009 11:28:57 PM | Computer Name = COMPAQ-5B8D674A | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 6.0.2900.2180, faulting
module ntdll.dll, version 5.1.2600.2180, fault address 0x000111de.

Error - 11/18/2009 7:07:27 PM | Computer Name = COMPAQ-5B8D674A | Source = Application Error | ID = 1000
Description = Faulting application fifawc.exe, version 0.0.0.0, faulting module
fifawc.exe, version 0.0.0.0, fault address 0x0019d76b.

[ System Events ]
Error - 2/5/2010 5:22:35 PM | Computer Name = COMPAQ-5B8D674A | Source = NetBT | ID = 4311
Description = Initialization failed because the driver device could not be created.

Error - 2/5/2010 5:24:10 PM | Computer Name = COMPAQ-5B8D674A | Source = NetBT | ID = 4311
Description = Initialization failed because the driver device could not be created.

Error - 2/5/2010 5:24:10 PM | Computer Name = COMPAQ-5B8D674A | Source = NetBT | ID = 4311
Description = Initialization failed because the driver device could not be created.

Error - 2/5/2010 5:39:19 PM | Computer Name = COMPAQ-5B8D674A | Source = NetBT | ID = 4311
Description = Initialization failed because the driver device could not be created.

Error - 2/5/2010 5:39:19 PM | Computer Name = COMPAQ-5B8D674A | Source = NetBT | ID = 4311
Description = Initialization failed because the driver device could not be created.

Error - 2/5/2010 5:41:22 PM | Computer Name = COMPAQ-5B8D674A | Source = NetBT | ID = 4311
Description = Initialization failed because the driver device could not be created.

Error - 2/5/2010 5:41:22 PM | Computer Name = COMPAQ-5B8D674A | Source = NetBT | ID = 4311
Description = Initialization failed because the driver device could not be created.

Error - 2/5/2010 5:48:45 PM | Computer Name = COMPAQ-5B8D674A | Source = NetBT | ID = 4311
Description = Initialization failed because the driver device could not be created.

Error - 2/10/2010 11:37:20 PM | Computer Name = COMPAQ-5B8D674A | Source = NetBT | ID = 4311
Description = Initialization failed because the driver device could not be created.

Error - 2/10/2010 11:37:20 PM | Computer Name = COMPAQ-5B8D674A | Source = NetBT | ID = 4311
Description = Initialization failed because the driver device could not be created.


< End of report >




Btw sir, in the earlier two scans of OTL I forgot to check the boxes beside LOP Check and Purity Check... so should I submit the reports again here after correction?


#12 jose_007 (Topic Starter, Members, 160 posts)

Posted 11 February 2010 - 02:29 AM

Regarding the PC: it looked okay at first look, but after a couple of restarts the problem remains the same... Bumping of net still exists.

Edited by jose_007, 11 February 2010 - 02:40 AM.


#13 Starbuck ('r Brudiwr, Malware Response Team, 4,149 posts, Midlands, UK)

Posted 11 February 2010 - 04:17 PM

Hi jose,

Let's see if we can remove this file another way.

Step 1

Close any open browsers.
Close/disable all anti-virus, firewall and anti-malware programs so they do not interfere with the running of ComboFix:

Open Notepad - it must be Notepad, not Wordpad.
Copy the text below in the code box by highlighting all the text and pressing Ctrl+C

    File::
    C:\WINDOWS\System32\drivers\bbhkyhn.sys

Go to the Notepad window and click Edit >> Paste
Then click File >> Save
Name the file "CFScript.txt" (including the quotes)
Save the file to your Desktop

The main ComboFix.exe program should be on your Desktop
Drag the file you just created... CFScript.txt and drop it on the main ComboFix.exe icon
as below.


If ComboFix asks if you want to update, click yes.

Now please wait for ComboFix to finish running.

Please Note: Do not mouse click in the ComboFix window while it is running - this may cause your system to hang/crash.


Step 2
We need to check for rootkits with RootRepeal.
  1. Download RootRepeal from the following location and save it to your desktop.
  2. Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  3. Open on your desktop.
  4. Click the tab.
  5. Click the button.
  6. Check all seven boxes:
  7. Push Ok
  8. Check the box for your main system drive (Usually C:), and press Ok.
  9. Allow RootRepeal to run a scan of your system. This may take some time.
  10. Once the scan completes, push the button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.
In your next reply, please submit:
New combofix.txt
RootRepeal.txt


Thanks.

Edited by Starbuck, 11 February 2010 - 04:21 PM.



#14 jose_007 (Topic Starter, Members, 160 posts)

Posted 12 February 2010 - 12:04 AM

Here is the new ComboFix report

ComboFix 10-02-10.04 - Administrator 02/12/2010 10:03:04.2.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.191.75 [GMT 5.5:30]
Running from: c:\documents and settings\Administrator\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\windows\System32\drivers\bbhkyhn.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\System32\drivers\bbhkyhn.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_bbhkyhn
-------\Service_bbhkyhn


((((((((((((((((((((((((( Files Created from 2010-01-12 to 2010-02-12 )))))))))))))))))))))))))))))))
.

2010-02-06 03:21 . 2010-02-06 03:21 -------- d-----w- C:\_OTL
2010-02-05 03:38 . 2010-02-05 03:38 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP
2010-02-05 03:37 . 2006-06-19 06:31 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-02-05 03:37 . 2006-05-25 09:22 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-02-05 03:37 . 2005-08-25 19:20 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-02-05 03:37 . 2003-02-02 13:36 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2010-02-05 03:37 . 2002-03-05 18:30 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-02-05 03:37 . 2010-02-05 03:37 -------- d-----w- c:\program files\Trojan Remover
2010-02-05 03:37 . 2010-02-05 03:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Simply Super Software
2010-02-05 03:37 . 2010-02-05 03:37 -------- d-----w- c:\documents and settings\Administrator\Application Data\Simply Super Software
2010-02-04 23:36 . 2010-02-04 23:37 -------- d-----w- c:\windows\system32\CatRoot_bak
2010-02-04 18:48 . 2009-10-27 06:15 105720 ----a-w- c:\windows\system32\drivers\dwprot.sys
2010-02-04 18:44 . 2009-11-26 06:39 -------- d-----w- C:\Dr.Web.AntiVirus.v5.0.8.11100.Regged-EAT
2010-02-02 08:36 . 2010-02-02 08:36 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Opera
2010-02-02 08:33 . 2010-02-02 08:33 -------- d-----w- c:\program files\Opera
2010-02-02 07:30 . 2010-02-02 07:30 -------- d-----w- c:\program files\DrWeb
2010-02-02 07:25 . 2010-02-02 07:25 -------- d-sh--w- c:\documents and settings\Administrator\Local Settings\Application Data\.#
2010-02-02 04:00 . 2010-02-02 04:00 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-02-01 18:31 . 2010-02-01 18:31 -------- d-----w- c:\program files\TrendMicro
2010-02-01 17:11 . 2010-02-01 17:11 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-02-01 17:09 . 2010-02-01 17:10 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-02-01 17:09 . 2010-02-01 17:10 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-02-01 17:06 . 2010-02-01 17:06 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-01-30 10:48 . 2010-01-30 10:48 -------- d--h--w- c:\windows\PIF
2010-01-30 06:27 . 2010-01-30 06:27 -------- d-----w- c:\documents and settings\Administrator\Application Data\FreeFixer
2010-01-30 06:27 . 2010-01-30 06:27 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\FreeFixer
2010-01-25 18:24 . 2010-01-25 18:24 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-01-25 18:23 . 2010-01-07 10:37 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-25 18:23 . 2010-01-25 18:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-25 18:23 . 2010-01-07 10:37 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-25 18:23 . 2010-01-25 18:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-05 04:43 . 2010-02-05 04:43 152488 ----a-w- c:\documents and settings\All Users\Application Data\Simply Super Software\Trojan Remover\tr_util.exe
2010-02-02 02:32 . 2010-02-01 17:12 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-02-01 18:31 . 2010-02-01 18:31 388096 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-02-01 17:13 . 2010-02-01 17:13 52224 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-01-21 04:23 . 2010-01-21 04:23 16 ----a-w- c:\windows\system32\config\systemprofile\Application Data\anvkgp.dat
2010-01-02 05:30 . 2010-01-02 05:30 16 ----a-w- c:\windows\system32\config\systemprofile\Application Data\fvgqad.dat
2009-12-11 12:35 . 2010-02-05 04:42 3613560 ----a-w- c:\documents and settings\Administrator\Application Data\Simply Super Software\Trojan Remover\kiq1.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-01-05 2002160]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-02-28 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-05-14 67072]
"SiSPower"="SiSPower.dll" [2004-09-01 49152]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-20 1947928]
"TrojanScanner"="c:\program files\Trojan Remover\Trjscan.exe" [2009-10-17 1070984]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\windows\Installer\{AC76BA86-7AD7-1033-7B44-A70001000000}\SC_Reader.exe [2009-1-4 25214]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 08:51 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-20 04:34 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [1/4/2009 7:56 PM 325896]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [1/4/2009 7:56 PM 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [1/5/2010 7:56 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 7:56 AM 74480]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [1/4/2009 7:56 PM 908568]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [1/4/2009 7:56 PM 298776]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 7:56 AM 7408]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Save with Download Manager... - file://c:\program files\J River\Media Center 11\DMDownload.htm
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\8hscxe3h.default\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-12 10:13
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(540)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\wdfmgr.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\SOUNDMAN.EXE
.
**************************************************************************
.
Completion time: 2010-02-12 10:16:17 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-12 04:46
ComboFix2.txt 2010-02-11 03:49

Pre-Run: 12,474,515,456 bytes free
Post-Run: 12,391,645,184 bytes free

- - End Of File - - 503A77D75EBFEAB4461D9CB535237C9B


#15 jose_007 (Topic Starter, Members, 160 posts)

Posted 12 February 2010 - 12:05 AM

Here is the RootRepeal report

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/02/12 10:28
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: catchme.sys
Image Path: C:\Combo-Fix\catchme.sys
Address: 0xFAEDC000 Size: 31744 File Visible: No Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF53FC000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xFB06E000 Size: 8192 File Visible: No Signed: -
Status: -

Name: PROCEXP113.SYS
Image Path: C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
Address: 0xFB114000 Size: 7872 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF4B42000 Size: 49152 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xf55ef0b0

==EOF==



