Search Engine Redirection/Unable to access malware removal websites


This topic is locked
33 replies to this topic

#1 dwj1970


  • Members
  • 37 posts

Posted 15 February 2010 - 10:41 AM

Referred from here: http://www.bleepingcomputer.com/forums/t/295029/google-search-redirects-and-malwarebytes-wont-update/ ~ OB

I was infected with AntiVirus Soft, and after completing the removal steps, I began having other problems. When searching on Google or other search engines, and clicking on the results, I get taken to random websites that have nothing to do with what I was searching for. Additionally, I attempted to scan my computer with Malwarebytes, but was unable to update the virus definitions. The same thing happened when I attempted to use SuperAntiSpyware; I was unable to update the definitions.

I was also unable to access the Malwarebytes webpage, and unable to access the ESET webpage when I was instructed to run that scan from the Am I Infected forum.

Below are the scans/logs you ask for:


DDS (Ver_09-12-01.01) - NTFSx86
Run by dwasmer at 9:13:27.28 on Mon 02/15/2010
Internet Explorer: 8.0.6001.18702

============== Running Processes ===============


============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://www.google.com
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\progra~1\messen~1\msmsgs.exe" /background
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [HRCAgent] c:\program files\paychex\hrcagent\HRCSync.exe
uRun: [Google Update] "c:\documents and settings\dwasmer\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
uPolicies-explorer: DisablePersonalDirChange = 1 (0x1)
uPolicies-system: EnableProfileQuota = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {41861299-EAB2-4DCC-986C-802AE12AC499} - hxxps://eservices.paychex.com/secure/Reserved.ReportViewerWebControl.axd?ReportSession=v5giu2ap0drtovrmumuldc55&ControlID=a9bffa4fba4e479392c605b3520dc1eb&Culture=1033&UICulture=9&ReportStack=1&OpType=PrintCab
DPF: {46D8BEE7-0B27-4466-ABA2-A5F1E157971C} - hxxp://10.10.20.40:100/RemoteWeb.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase1140.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://paychexeservices.webex.com/client/T26L/support/ieatgpc.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 93.188.162.103,93.188.166.85
TCP: {C90AA508-CF6E-4F7B-889F-9085B845B8F0} = 93.188.162.103,93.188.166.85
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2010-02-15 15:11:23 0 ----a-w- c:\documents and settings\dwasmer\defogger_reenable
2010-02-12 21:30:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-12 21:30:40 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-12 21:30:40 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-12 15:23:36 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-02-08 20:08:34 0 d-----w- c:\documents and settings\dwasmer\MatHome
2010-01-28 13:43:30 0 d-----w- c:\documents and settings\dwasmer\LatStV

==================== Find3M ====================

2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-24 13:30:48 16384 --sha-w- c:\windows\system32\config\systemprofile\cookies\index.dat
2009-10-18 15:49:33 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
2009-08-24 13:30:48 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\index.dat
2008-09-10 17:09:10 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091020080911\index.dat
2009-08-24 13:30:48 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\index.dat

============= FINISH: 9:14:22.73 ===============


Edited by Orange Blossom, 15 February 2010 - 01:15 PM.
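The logs in this thread carry several entries that line up with the reported symptoms: the DDS log above sets TCP NameServer to resolvers outside the machine's own network, and the OTL log posted later in the thread shows a ProxyServer on 127.0.0.1:5555, a HOSTS entry for "microsoft", and a Run entry whose target no longer exists. The triage script below is an added example, not part of this thread or of the DDS/OTL tools; it runs over constructed sample lines modelled on those logs and flags those four indicator types, with the expected-resolver allowlist being an assumption.

```python
import re
from ipaddress import ip_address

# Constructed sample lines modelled on the DDS and OTL logs posted in this thread.
# The DNS, proxy, HOSTS and Run values are the ones in those logs; the registry
# path is shortened with a <sid> placeholder.
SAMPLE_LOG = r"""
uStart Page = hxxp://www.google.com
TCP: NameServer = 93.188.162.103,93.188.166.85
TCP: {C90AA508-CF6E-4F7B-889F-9085B845B8F0} = 93.188.162.103,93.188.166.85
IE - HKU\S-1-5-21-<sid>\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-<sid>\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 microsoft
O4 - HKLM..\Run: [awaavckl] C:\Documents and Settings\dwasmer\Local Settings\Application Data\jfkiob\kjijsftav.exe File not found
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
"""

# DDS "TCP: NameServer = a,b" and per-interface "TCP: {GUID} = a,b" lines
DNS_RE = re.compile(r"^TCP:\s+(?:NameServer|\{[0-9A-Fa-f-]+\})\s*=\s*(.+)$")
# OTL Internet Settings line carrying the per-user proxy string
PROXY_RE = re.compile(r'"ProxyServer"\s*=\s*(.+)$')
# OTL O1 HOSTS entries: "O1 - Hosts: <ip> <name>"
HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
# OTL O4 Run entries whose target no longer exists on disk
RUN_RE = re.compile(r"^O4 - .*\\Run:\s+\[([^\]]+)\]\s+(.+?)\s+File not found$")

# The only HOSTS mappings a clean XP box needs.
HOSTS_OK = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def _is_loopback(host):
    """True for 127.x / ::1 / 'localhost'. A proxy on loopback means a local
    process sits between the browser and the network, which explains both
    redirected search results and unreachable security-vendor sites."""
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return host.lower() == "localhost"


def triage(log_text, expected_dns=frozenset()):
    """Scan DDS/OTL lines and return de-duplicated (kind, detail) findings.

    expected_dns is an assumed allowlist of the resolvers this machine should
    use; any public resolver outside it is flagged (private LAN resolvers pass).
    """
    findings, seen = [], set()

    def add(kind, detail):
        if (kind, detail) not in seen:
            seen.add((kind, detail))
            findings.append((kind, detail))

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DNS_RE.match(line)
        if m:
            for server in (s.strip() for s in m.group(1).split(",")):
                try:
                    ip = ip_address(server)
                except ValueError:
                    add("dns-unparseable", server)
                    continue
                if server not in expected_dns and not ip.is_private:
                    add("dns-unexpected-resolver", server)
            continue
        m = PROXY_RE.search(line)
        if m:
            # Value may be "host:port" or "http=host:port;https=host:port".
            # Flagged even when ProxyEnable is 0: something wrote the value.
            for entry in m.group(1).split(";"):
                hostport = entry.split("=")[-1].strip()
                if _is_loopback(hostport.rsplit(":", 1)[0]):
                    add("proxy-loopback", hostport)
            continue
        m = HOSTS_RE.match(line)
        if m:
            if (m.group(1), m.group(2).lower()) not in HOSTS_OK:
                add("hosts-override", f"{m.group(1)} {m.group(2)}")
            continue
        m = RUN_RE.match(line)
        if m:
            add("autorun-orphan", f"{m.group(1)} -> {m.group(2)}")
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:24} {detail}")
```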



#2 Farbar


    Just Curious


  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands

Posted 16 February 2010 - 05:07 PM

Hi dwj1970,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

Download ComboFix from one of these locations and rename it to far.exe before saving it to the desktop:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools. (Information on A/V control HERE)
  • Double click on far.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.

#3 dwj1970

  • Topic Starter


Posted 17 February 2010 - 02:28 PM


Thanks for the quick response. I totally agree to not modify anything on this computer without your instructions.

I began following your instructions, downloaded ComboFix, and changed the name. I disabled all the anti-spyware and anti-virus programs, then began running it. It said there was a newer version of ComboFix, so I let it update; it installed the Microsoft Windows Recovery Console and began scanning the computer.

After about five minutes, I got a Blue Screen saying that Windows had been stopped, and it gave the message IRQL_NOT_LESS_OR_EQUAL. The message suggested that I uninstall any new programs and check BIOS settings; it then provided the following technical information:

**STOP: 0x0000000A (0xFFFFFFF0, 0x00000002, 0x00000000, 0x804EFC2C)

I restarted the computer, and have the anti-virus programs disabled, but have not proceeded to attempt to run Combofix again.

I figured I would check with you before I did anything else. Also, a new shortcut to Internet Explorer appeared on my desktop. I looked at the properties, and the security setting is on a custom level, so instead of using that to open a browser, I used the old Windows Explorer that was already there (version 6.0.2900.2180; I know it is out of date).



#4 Farbar


Posted 17 February 2010 - 02:42 PM

The IE icon is made when ComboFix restores some default settings. Don't worry about it.

Please download OTL by OldTimer.
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Check the "Scan All Users" checkbox.
  • Check the "Standard Output".
  • Set Standard Registry and Extra Registry to All.
  • Click Run Scan button.
  • Two reports will open, copy and paste them to your reply:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized


#5 dwj1970

  • Topic Starter


Posted 17 February 2010 - 03:00 PM

I just got finished running OTL, the logs are below:


OTL logfile created on: 2/17/2010 1:48:26 PM - Run 1
OTL by OldTimer - Version 3.1.28.0 Folder = C:\Documents and Settings\dwasmer\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

510.00 Mb Total Physical Memory | 136.00 Mb Available Physical Memory | 27.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 61.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.24 Gb Total Space | 7.39 Gb Free Space | 19.85% Space Free | Partition Type: NTFS
Drive D: | 7.76 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: UDF
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive P: | 67.81 Gb Total Space | 2.49 Gb Free Space | 3.67% Space Free | Partition Type: NTFS
Drive Q: | 67.81 Gb Total Space | 2.49 Gb Free Space | 3.67% Space Free | Partition Type: NTFS

Computer Name: 1-6
Current User Name: dwasmer
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/02/17 13:46:24 | 000,549,376 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\dwasmer\Desktop\OTL.exe
PRC - [2009/12/23 14:34:13 | 000,409,600 | ---- | M] () -- C:\Program Files\Paychex\HRCAgent\HRCSync.exe
PRC - [2009/09/14 11:50:58 | 000,386,872 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jucheck.exe
PRC - [2009/09/14 11:50:58 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/09/14 11:50:58 | 000,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2009/03/08 13:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2008/09/30 16:41:14 | 000,125,368 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\VPTray.exe
PRC - [2008/09/30 16:41:08 | 000,116,664 | ---- | M] (symantec) -- C:\Program Files\Symantec AntiVirus\SavRoam.exe
PRC - [2008/09/30 16:41:04 | 001,956,792 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe
PRC - [2008/09/30 16:40:56 | 000,031,160 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe
PRC - [2008/06/24 17:17:38 | 000,169,320 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
PRC - [2008/06/24 17:17:36 | 000,191,848 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
PRC - [2008/06/24 17:17:34 | 000,053,096 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PRC - [2008/04/13 18:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/07/26 18:25:20 | 001,181,016 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
PRC - [2006/01/20 14:35:58 | 000,196,296 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
PRC - [2005/09/20 08:36:20 | 000,114,688 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxpers.exe
PRC - [2005/09/20 08:32:24 | 000,077,824 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\hkcmd.exe
PRC - [2004/08/04 06:00:00 | 000,093,184 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\dwasmer\Desktop\IEXPLORE.EXE


========== Modules (SafeList) ==========

MOD - [2010/02/17 13:46:24 | 000,549,376 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\dwasmer\Desktop\OTL.exe


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (PEVSystemStart)
SRV - [2009/09/14 11:50:58 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2008/09/30 16:41:08 | 000,116,664 | ---- | M] (symantec) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\SavRoam.exe -- (SavRoam)
SRV - [2008/09/30 16:41:04 | 001,956,792 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2008/09/30 16:40:56 | 000,031,160 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\DefWatch.exe -- (DefWatch)
SRV - [2008/08/20 14:50:30 | 000,214,408 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- (SNDSrvc)
SRV - [2008/06/24 17:17:38 | 000,169,320 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr)
SRV - [2008/06/24 17:17:36 | 000,191,848 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr)
SRV - [2007/09/12 17:27:24 | 002,999,664 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_2.EXE -- (LiveUpdate)
SRV - [2007/07/26 18:25:20 | 001,181,016 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe -- (SPBBCSvc)
SRV - [2006/09/21 09:59:24 | 000,295,424 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\termsrv32.dll -- (TermService)
SRV - [2003/07/28 11:28:22 | 000,089,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)


========== Driver Services (SafeList) ==========

DRV - [2010/01/05 07:56:06 | 000,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | On_Demand | Running] -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
DRV - [2010/01/05 07:56:04 | 000,009,968 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2010/01/05 07:56:02 | 000,074,480 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2009/12/02 12:16:05 | 001,324,720 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20100216.005\NAVEX15.SYS -- (NAVEX15)
DRV - [2009/12/02 12:15:56 | 000,084,912 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20100216.005\NAVENG.SYS -- (NAVENG)
DRV - [2009/08/27 02:00:00 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2009/08/17 18:15:34 | 000,102,448 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2009/04/01 09:17:06 | 000,123,952 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2008/08/20 14:50:02 | 000,188,808 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS -- (SYMTDI)
DRV - [2008/08/20 14:49:56 | 000,023,944 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV)
DRV - [2008/05/28 10:31:24 | 000,337,280 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Symantec AntiVirus\savrt.sys -- (SAVRT)
DRV - [2008/05/28 10:31:24 | 000,054,656 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Symantec AntiVirus\Savrtpel.sys -- (SAVRTPEL)
DRV - [2007/11/13 04:25:53 | 000,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2007/07/26 18:25:18 | 000,400,216 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)
DRV - [2005/09/20 09:00:54 | 001,302,332 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ialmnt5.sys -- (ialm)
DRV - [2005/06/29 08:49:04 | 000,163,840 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\e1000325.sys -- (E1000) Intel®
DRV - [2004/08/04 06:00:00 | 000,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2003/02/28 08:17:18 | 000,545,024 | ---- | M] (Analog Devices, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\smwdm.sys -- (smwdm)
DRV - [2002/04/01 12:15:00 | 000,004,816 | ---- | M] (Andrea Electronics Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\aeaudio.sys -- (aeaudio)
DRV - [2001/08/17 11:11:18 | 000,020,160 | ---- | M] (ADMtek Incorporated) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ADM8511.SYS -- (ADM8511)


========== Standard Registry (All) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1683287766-4180362047-48305124-1144\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\S-1-5-21-1683287766-4180362047-48305124-1144\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\S-1-5-21-1683287766-4180362047-48305124-1144\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
IE - HKU\S-1-5-21-1683287766-4180362047-48305124-1144\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)
IE - HKU\S-1-5-21-1683287766-4180362047-48305124-1144\S-1-5-21-1683287766-4180362047-48305124-1144\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1683287766-4180362047-48305124-1144\S-1-5-21-1683287766-4180362047-48305124-1144\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\S-1-5-21-1683287766-4180362047-48305124-1144\S-1-5-21-1683287766-4180362047-48305124-1144\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555

FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/09/06 03:00:39 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009/09/14 11:51:00 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2009/08/24 07:30:56 | 000,000,755 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 microsoft
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKU\S-1-5-21-1683287766-4180362047-48305124-1144\..\Toolbar\ShellBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O3 - HKU\S-1-5-21-1683287766-4180362047-48305124-1144\..\Toolbar\WebBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O3 - HKU\S-1-5-21-1683287766-4180362047-48305124-1144\..\Toolbar\WebBrowser: (&Links) - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O4 - HKLM..\Run: [awaavckl] C:\Documents and Settings\dwasmer\Local Settings\Application Data\jfkiob\kjijsftav.exe File not found
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [Synchronization Manager] C:\WINDOWS\System32\mobsync.exe (Microsoft Corporation)
O4 - HKLM..\Run: [vptray] C:\Program Files\Symantec AntiVirus\VPTray.exe (Symantec Corporation)
O4 - HKU\S-1-5-21-1683287766-4180362047-48305124-1144..\Run: [awaavckl] C:\Documents and Settings\dwasmer\Local Settings\Application Data\jfkiob\kjijsftav.exe File not found
O4 - HKU\S-1-5-21-1683287766-4180362047-48305124-1144..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-1683287766-4180362047-48305124-1144..\Run: [Google Update] C:\Documents and Settings\dwasmer\Local Settings\Application Data\Google\Update\GoogleUpdate.exe (Google Inc.)
O4 - HKU\S-1-5-21-1683287766-4180362047-48305124-1144..\Run: [HRCAgent] C:\Program Files\Paychex\HRCAgent\HRCSync.exe ()
O4 - HKU\S-1-5-21-1683287766-4180362047-48305124-1144..\Run: [Messenger (Yahoo!)] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O4 - HKU\S-1-5-21-1683287766-4180362047-48305124-1144..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-1683287766-4180362047-48305124-1144..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1683287766-4180362047-48305124-1144\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1683287766-4180362047-48305124-1144\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1683287766-4180362047-48305124-1144\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: DisablePersonalDirChange = 1
O7 - HKU\S-1-5-21-1683287766-4180362047-48305124-1144\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1683287766-4180362047-48305124-1144\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-1683287766-4180362047-48305124-1144_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\WINDOWS\system32\winrnr.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab (QuickTime Object)
O16 - DPF: {41861299-EAB2-4DCC-986C-802AE12AC499} https://eservices.paychex.com/secure/Reserv...OpType=PrintCab (RSClientPrint 2005 Class)
O16 - DPF: {46D8BEE7-0B27-4466-ABA2-A5F1E157971C} http://10.10.20.40:100/RemoteWeb.cab (Remote200 Control)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onecare.live.com/resource/...lscbase1140.cab (Windows Live Safety Center Base Module)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_09)
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_10)
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://paychexeservices.webex.com/client/T...ort/ieatgpc.cab (GpcContainer Class)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.10.20.3 10.10.20.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = saintvincenthome.org
O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\cdo {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL (Microsoft Corporation)
O18 - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\gopher {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll (Microsoft Corporation)
O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\sysimage {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\wia {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\Class Install Handler {32B533BB-EDAE-11d0-BD5A-00AA00B92AF1} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\deflate {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\gzip {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\lzdhtml {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/webviewhtml {733AC4CB-F1A4-11d0-B951-00A0C90312E1} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UIHost - (logonui.exe) - C:\WINDOWS\System32\logonui.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (rundll32 shell32) - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") - C:\WINDOWS\System32\sysdm.cpl (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\crypt32chain: DllName - crypt32.dll - C:\WINDOWS\System32\crypt32.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cryptnet: DllName - cryptnet.dll - C:\WINDOWS\System32\cryptnet.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cscdll: DllName - cscdll.dll - C:\WINDOWS\System32\cscdll.dll (Microsoft Corporation)
O20 - Winlogon\Notify\dimsntfy: DllName - %SystemRoot%\System32\dimsntfy.dll - C:\WINDOWS\system32\dimsntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\system32\NavLogon.dll - C:\WINDOWS\system32\NavLogon.dll (Symantec Corporation)
O20 - Winlogon\Notify\ScCertProp: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\Schedule: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\sclgntfy: DllName - sclgntfy.dll - C:\WINDOWS\System32\sclgntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\SensLogn: DllName - WlNotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\termsrv: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\WgaLogon: DllName - WgaLogon.dll - C:\WINDOWS\System32\WgaLogon.dll (Microsoft Corporation)
O20 - Winlogon\Notify\wlballoon: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - CLSID or File not found.
O21 - SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\system32\stobject.dll (Microsoft Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\system32\webcheck.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O24 - Desktop WallPaper: C:\Documents and Settings\dwasmer\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\dwasmer\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msapsspc.dll) - C:\WINDOWS\System32\msapsspc.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (schannel.dll) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (digest.dll) - C:\WINDOWS\System32\digest.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msnsspc.dll) - C:\WINDOWS\System32\msnsspc.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (kerberos) - C:\WINDOWS\System32\kerberos.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (schannel) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (wdigest) - C:\WINDOWS\System32\wdigest.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/21 10:03:31 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/02/17 13:46:25 | 000,549,376 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\dwasmer\Desktop\OTL.exe
[2010/02/17 13:07:55 | 000,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2010/02/17 13:02:05 | 000,050,176 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\proquota.exe
[2010/02/17 13:02:05 | 000,050,176 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\proquota.exe
[2010/02/17 12:55:13 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/02/17 12:51:24 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/02/17 12:51:24 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/02/17 12:51:24 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/02/17 12:51:24 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/02/17 12:51:14 | 000,000,000 | ---D | C] -- C:\far
[2010/02/17 12:48:44 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/02/17 12:48:02 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/02/15 09:18:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\dwasmer\Desktop\gmer
[2010/02/14 21:27:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\dwasmer\Application Data\Mozilla
[2010/02/13 09:39:53 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2010/02/12 15:30:42 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/02/12 15:30:40 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/02/12 15:30:40 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/02/12 15:30:05 | 005,061,512 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\dwasmer\Desktop\mbam-setup.exe
[2010/02/12 15:00:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NOS
[2010/02/12 09:23:36 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2010/02/12 09:19:29 | 000,050,688 | ---- | C] (Atribune.org) -- C:\Documents and Settings\dwasmer\Desktop\ATF-Cleaner.exe
[2010/02/10 09:57:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2010/02/08 14:08:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\dwasmer\MatHome
[2010/02/05 11:07:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\dwasmer\Local Settings\Application Data\cnonfr
[2010/01/28 07:43:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\dwasmer\LatStV
[2010/01/26 12:45:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\dwasmer\Application Data\Apple Computer
[2008/09/08 19:06:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2007/01/17 15:56:34 | 000,018,944 | ---- | C] ( ) -- C:\WINDOWS\System32\Implode.dll
[2006/09/21 10:06:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2006/09/21 10:03:22 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2006/09/21 10:03:22 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/02/17 13:46:24 | 000,549,376 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\dwasmer\Desktop\OTL.exe
[2010/02/17 13:41:17 | 000,002,521 | ---- | M] () -- C:\Documents and Settings\dwasmer\Desktop\Microsoft Office Outlook 2003.lnk
[2010/02/17 13:27:02 | 000,000,986 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1683287766-4180362047-48305124-1144UA.job
[2010/02/17 13:11:34 | 000,525,946 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/02/17 13:11:34 | 000,444,028 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/02/17 13:11:34 | 000,071,904 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/02/17 13:09:34 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/02/17 13:06:53 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/02/17 13:06:47 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/02/17 13:02:39 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/02/17 12:55:20 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/02/17 12:50:33 | 003,860,833 | R--- | M] () -- C:\Documents and Settings\dwasmer\Desktop\far.exe
[2010/02/17 12:04:48 | 000,027,136 | ---- | M] () -- C:\Documents and Settings\dwasmer\Desktop\antidisc.doc
[2010/02/17 12:02:35 | 000,002,497 | ---- | M] () -- C:\Documents and Settings\dwasmer\Desktop\Microsoft Office Word 2003.lnk
[2010/02/17 11:27:04 | 000,000,934 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1683287766-4180362047-48305124-1144Core.job
[2010/02/16 15:30:01 | 004,718,592 | -H-- | M] () -- C:\Documents and Settings\dwasmer\NTUSER.DAT
[2010/02/16 15:29:28 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\dwasmer\ntuser.ini
[2010/02/16 15:28:02 | 003,762,974 | -H-- | M] () -- C:\Documents and Settings\dwasmer\Local Settings\Application Data\IconCache.db
[2010/02/15 09:17:40 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\dwasmer\Desktop\gmer.zip
[2010/02/15 09:12:41 | 000,524,288 | ---- | M] () -- C:\Documents and Settings\dwasmer\Desktop\dds.scr
[2010/02/15 09:11:23 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\dwasmer\defogger_reenable
[2010/02/15 09:10:48 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\dwasmer\Desktop\Defogger.exe
[2010/02/14 21:00:00 | 000,000,254 | ---- | M] () -- C:\WINDOWS\tasks\backup-pc.job
[2010/02/12 15:30:45 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/02/12 15:30:05 | 005,061,512 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\dwasmer\Desktop\mbam-setup.exe
[2010/02/12 09:24:17 | 000,000,780 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/02/12 09:19:29 | 000,050,688 | ---- | M] (Atribune.org) -- C:\Documents and Settings\dwasmer\Desktop\ATF-Cleaner.exe
[2010/02/12 09:19:00 | 000,363,008 | ---- | M] () -- C:\Documents and Settings\dwasmer\Desktop\rkill.pif
[2010/02/08 20:06:02 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/01/28 07:47:24 | 000,005,120 | ---- | M] () -- C:\Documents and Settings\dwasmer\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/02/17 12:55:20 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/02/17 12:55:14 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/02/17 12:51:24 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/02/17 12:51:24 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/02/17 12:51:24 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/02/17 12:51:24 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/02/17 12:51:24 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/02/17 12:43:23 | 003,860,833 | R--- | C] () -- C:\Documents and Settings\dwasmer\Desktop\far.exe
[2010/02/17 12:04:48 | 000,027,136 | ---- | C] () -- C:\Documents and Settings\dwasmer\Desktop\antidisc.doc
[2010/02/15 09:17:38 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\dwasmer\Desktop\gmer.zip
[2010/02/15 09:12:41 | 000,524,288 | ---- | C] () -- C:\Documents and Settings\dwasmer\Desktop\dds.scr
[2010/02/15 09:11:23 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\dwasmer\defogger_reenable
[2010/02/15 09:10:59 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\dwasmer\Desktop\Defogger.exe
[2010/02/12 15:30:45 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/02/12 09:24:17 | 000,000,780 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/02/12 09:18:56 | 000,363,008 | ---- | C] () -- C:\Documents and Settings\dwasmer\Desktop\rkill.pif
[2010/01/05 15:36:34 | 000,000,268 | ---- | C] () -- C:\WINDOWS\_delis32.ini
[2009/04/01 09:33:06 | 000,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI
[2009/03/23 09:19:56 | 000,013,022 | ---- | C] () -- C:\Documents and Settings\dwasmer\Application Data\Microsoft Excel.CAL
[2007/02/05 14:12:48 | 000,005,120 | ---- | C] () -- C:\Documents and Settings\dwasmer\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/01/17 15:56:39 | 000,041,472 | ---- | C] () -- C:\WINDOWS\System32\SH22W16.DLL
[2007/01/17 15:56:38 | 000,147,968 | ---- | C] () -- C:\WINDOWS\System32\AL21FVB.DLL
[2007/01/17 15:56:35 | 000,131,072 | ---- | C] () -- C:\WINDOWS\System32\Ntlcc.dll
[2007/01/17 15:56:35 | 000,102,400 | ---- | C] () -- C:\WINDOWS\System32\Zmodnt.dll
[2007/01/17 15:56:34 | 000,233,472 | ---- | C] () -- C:\WINDOWS\System32\DBDeviceLimitConversion.dll
[2007/01/17 15:56:34 | 000,116,736 | ---- | C] () -- C:\WINDOWS\System32\Al21mfc.dll
[2007/01/17 15:56:34 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\fsplit.dll
[2007/01/17 15:15:34 | 000,013,248 | ---- | C] () -- C:\WINDOWS\DBU_SETU.DLL
[2006/12/11 10:29:15 | 000,007,532 | ---- | C] () -- C:\WINDOWS\cfgall.ini
[2006/09/21 13:36:42 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2003/01/07 14:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[1999/01/27 13:39:06 | 000,065,024 | ---- | C] () -- C:\WINDOWS\System32\indounin.dll
[1997/06/13 07:56:08 | 000,056,832 | ---- | C] () -- C:\WINDOWS\System32\Iyvu9_32.dll
< End of report >




OTL Extras logfile created on: 2/17/2010 1:48:26 PM - Run 1
OTL by OldTimer - Version 3.1.28.0 Folder = C:\Documents and Settings\dwasmer\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

510.00 Mb Total Physical Memory | 136.00 Mb Available Physical Memory | 27.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 61.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.24 Gb Total Space | 7.39 Gb Free Space | 19.85% Space Free | Partition Type: NTFS
Drive D: | 7.76 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: UDF
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive P: | 67.81 Gb Total Space | 2.49 Gb Free Space | 3.67% Space Free | Partition Type: NTFS
Drive Q: | 67.81 Gb Total Space | 2.49 Gb Free Space | 3.67% Space Free | Partition Type: NTFS

Computer Name: 1-6
Current User Name: dwasmer
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (All) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.chm [@ = chm.file] -- C:\WINDOWS\hh.exe (Microsoft Corporation)
.cpl [@ = cplfile] -- C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\WINDOWS\System32\winhlp32.exe (Microsoft Corporation)
.hta [@ = htafile] -- C:\WINDOWS\System32\mshta.exe (Microsoft Corporation)
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)
.inf [@ = inffile] -- C:\WINDOWS\System32\NOTEPAD.EXE (Microsoft Corporation)
.ini [@ = inifile] -- C:\WINDOWS\System32\NOTEPAD.EXE (Microsoft Corporation)
.url [@ = InternetShortcut] -- C:\WINDOWS\system32\ieframe.DLL (Microsoft Corporation)
.js [@ = JSFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.jse [@ = JSEFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.reg [@ = regfile] -- C:\WINDOWS\regedit.exe (Microsoft Corporation)
.txt [@ = txtfile] -- C:\WINDOWS\System32\NOTEPAD.EXE (Microsoft Corporation)
.vbe [@ = VBEFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.vbs [@ = VBSFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.wsf [@ = WSFFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.wsh [@ = WSHFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [edit] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
batfile [open] -- "%1" %*
batfile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
chm.file [open] -- "C:\WINDOWS\hh.exe" %1 (Microsoft Corporation)
cmdfile [edit] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
cmdfile [open] -- "%1" %*
cmdfile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- winhlp32.exe %1 (Microsoft Corporation)
hlpfile [open] -- %SystemRoot%\System32\winhlp32.exe %1 (Microsoft Corporation)
htafile [open] -- C:\WINDOWS\system32\mshta.exe "%1" %* (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1 (Microsoft Corporation)
inffile [open] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
inffile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
inifile [open] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
inifile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
InternetShortcut [open] -- "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
jsfile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
jsfile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
jsfile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
jsefile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
jsefile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
jsefile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [edit] -- %SystemRoot%\system32\NOTEPAD.EXE %1 (Microsoft Corporation)
regfile [open] -- regedit.exe "%1" (Microsoft Corporation)
regfile [merge] -- Reg Error: Key error.
regfile [print] -- %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
txtfile [open] -- %SystemRoot%\system32\NOTEPAD.EXE %1 (Microsoft Corporation)
txtfile [print] -- %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
txtfile [printto] -- %SystemRoot%\system32\notepad.exe /pt "%1" "%2" "%3" "%4" (Microsoft Corporation)
vbefile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
vbefile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
vbefile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
vbsfile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
vbsfile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
vbsfile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
wsffile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
wsffile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
wsffile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
wshfile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"65533:TCP" = 65533:TCP:*:Enabled:Services
"52344:TCP" = 52344:TCP:*:Enabled:Services
"2479:TCP" = 2479:TCP:*:Enabled:Services
"9471:TCP" = 9471:TCP:*:Enabled:Services
"3389:TCP" = 3389:TCP:*:Enabled:Remote Desktop
"3246:TCP" = 3246:TCP:*:Enabled:Services

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"65533:TCP" = 65533:TCP:*:Enabled:Services
"52344:TCP" = 52344:TCP:*:Enabled:Services
"2479:TCP" = 2479:TCP:*:Enabled:Services
"9471:TCP" = 9471:TCP:*:Enabled:Services
"3389:TCP" = 3389:TCP:*:Enabled:Remote Desktop
"3246:TCP" = 3246:TCP:*:Enabled:Services

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"C:\Documents and Settings\dwasmer\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.dll" = C:\Documents and Settings\dwasmer\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.dll:*:Enabled:Google Talk Plugin -- (Google)
"C:\Documents and Settings\dwasmer\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe" = C:\Documents and Settings\dwasmer\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe:*:Enabled:Google Talk Plugin -- (Google)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{02DFF6B1-1654-411C-8D7B-FD6052EF016F}" = Apple Software Update
"{043AD837-B62B-4660-BCCB-61BA39355C38}" = preview for Windows 7.2
"{08CA9554-B5FE-4313-938F-D4A417B81175}" = QuickTime
"{26A24AE4-039D-4CA4-87B4-2F83216015FF}" = Java™ 6 Update 15
"{3248F0A8-6813-11D6-A77B-00B0D0150090}" = J2SE Runtime Environment 5.0 Update 9
"{3248F0A8-6813-11D6-A77B-00B0D0150100}" = J2SE Runtime Environment 5.0 Update 10
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Extreme Graphics 2 Driver
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90190409-6000-11D3-8CFE-0050048383C9}" = Microsoft Publisher 2002
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{AC76BA86-7AD7-1033-7B44-A70900000002}" = Adobe Reader 7.0.9
"{AC76BA86-7AD7-5464-3428-7050000000A7}" = Adobe Reader 7.0.5 Language Support
"{AD8A1013-4E46-4E02-85C2-3168C3328432}" = Symantec AntiVirus
"{B021A7CC-A7DB-42F8-9E65-17B5B7B169F6}" = Clover DVR
"{BBF6D0CD-A081-369F-B0B8-F168594CBB6B}" = Google Talk Plugin
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D32470A1-B10C-4059-BA53-CF0486F68EBC}" = Kodak EasyShare software
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"ActiveTouchMeetingClient" = WebEx
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"DB Programming" = DB Programming
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"Inter_Tel DB Programming 5.2F2" = Inter-Tel DB Programming 5.2F2
"LiveUpdate" = LiveUpdate 3.2 (Symantec Corporation)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Paychex eServices Update Agent" = Paychex eServices Update Agent
"PROSet" = Intel® PRO Network Connections Drivers
"Windows Live OneCare safety scanner" = Windows Live OneCare safety scanner
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows Media Player" = Windows Media Player 10
"Windows XP Service Pack" = Windows XP Service Pack 3
"Yahoo! Messenger" = Yahoo! Messenger

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 2/17/2010 1:02:03 PM | Computer Name = 1-6 | Source = Symantec AntiVirus | ID = 16711685
Description = Risk Found!Risk: Backdoor.Tidserv!inf in File: C:\WINDOWS\system32\drivers\atapi.sys
by: Auto-Protect scan. Action: Clean failed : Quarantine failed : Access denied.
Action Description: The file was left unchanged.

Error - 2/17/2010 1:03:40 PM | Computer Name = 1-6 | Source = Symantec AntiVirus | ID = 16711685
Description = Risk Found!Risk: Backdoor.Tidserv!inf in File: C:\WINDOWS\system32\drivers\atapi.sys
by: Auto-Protect scan. Action: Clean failed : Quarantine failed : Access denied.
Action Description: The file was left unchanged.

Error - 2/17/2010 1:03:51 PM | Computer Name = 1-6 | Source = Symantec AntiVirus | ID = 16711685
Description = Risk Found!Risk: Backdoor.Tidserv!inf in File: C:\WINDOWS\system32\drivers\atapi.sys
by: Auto-Protect scan. Action: Clean failed : Quarantine failed : Access denied.
Action Description: The file was left unchanged.

Error - 2/17/2010 2:11:00 PM | Computer Name = 1-6 | Source = Userenv | ID = 1053
Description = Windows cannot determine the user or computer name. (The specified
domain either does not exist or could not be contacted. ). Group Policy processing
aborted.

Error - 2/17/2010 3:08:06 PM | Computer Name = 1-6 | Source = Symantec AntiVirus | ID = 16711685
Description = Risk Found!Risk: Backdoor.Tidserv!inf in File: C:\WINDOWS\system32\drivers\atapi.sys
by: Auto-Protect scan. Action: Clean failed : Quarantine failed : Access denied.
Action Description: The file was left unchanged.

Error - 2/17/2010 3:09:09 PM | Computer Name = 1-6 | Source = Userenv | ID = 1053
Description = Windows cannot determine the user or computer name. (The specified
domain either does not exist or could not be contacted. ). Group Policy processing
aborted.

Error - 2/17/2010 3:09:24 PM | Computer Name = 1-6 | Source = Userenv | ID = 1054
Description = Windows cannot obtain the domain controller name for your computer
network. (The specified domain either does not exist or could not be contacted.
). Group Policy processing aborted.

Error - 2/17/2010 3:09:27 PM | Computer Name = 1-6 | Source = AutoEnrollment | ID = 15
Description = Automatic certificate enrollment for local system failed to contact
the active directory (0x8007054b). The specified domain either does not exist
or could not be contacted. Enrollment will not be performed.

Error - 2/17/2010 3:52:30 PM | Computer Name = 1-6 | Source = Symantec AntiVirus | ID = 16711685
Description = Risk Found!Risk: Backdoor.Tidserv!inf in File: C:\WINDOWS\system32\drivers\OLD3.tmp
by: Auto-Protect scan. Action: Clean failed : Quarantine failed : Access denied.
Action Description: The file was left unchanged.

Error - 2/17/2010 3:52:46 PM | Computer Name = 1-6 | Source = Symantec AntiVirus | ID = 16711685
Description = Risk Found!Risk: Backdoor.Tidserv!inf in File: C:\WINDOWS\system32\drivers\OLD3.tmp
by: Auto-Protect scan. Action: Clean failed : Quarantine failed : Access denied.
Action Description: The file was left unchanged.


< End of report >


#6 Farbar

Farbar

    Just Curious

  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands

Posted 17 February 2010 - 05:03 PM

I see what has caused the BSOD. Even though you had disabled Symantec while ComboFix was dealing with the rootkit, which made it possible to read the rootkit, Symantec wanted to interfere, and that caused the BSOD because the rootkit is on a patched system file. We are going to run ComboFix in safe mode to prevent the interference of Symantec.
  1. Please open OTL.
    • Copy the text in the code box and paste it into the Custom Scans/Fixes section:

      CODE
      :Processes
      :otl
      IE - HKU\S-1-5-21-1683287766-4180362047-48305124-1144\S-1-5-21-1683287766-4180362047-48305124-1144\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555
      O4 - HKLM..\Run: [awaavckl] C:\Documents and Settings\dwasmer\Local Settings\Application Data\jfkiob\kjijsftav.exe File not found
      O4 - HKU\S-1-5-21-1683287766-4180362047-48305124-1144..\Run: [awaavckl] C:\Documents and Settings\dwasmer\Local Settings\Application Data\jfkiob\kjijsftav.exe File not found
      :files
      C:\Documents and Settings\dwasmer\Local Settings\Application Data\jfkiob
      :commands
      [resethosts]

    • Click the Run Fix button.
    • If the fix needs a reboot, please do it.
    • After it has finished, a log will open. Copy and paste the log into your reply.

  2. Remove your copy of ComboFix and download a fresh one, rename it before saving it.

  3. Start in Safe Mode using the F8 key:
    • Restart the computer.
    • As soon as the BIOS is loaded, begin tapping the F8 key until the boot menu appears.
    • Use the arrow keys to select the Safe Mode menu item.
    • Press the Enter key.
    • Log in to your usual account.

  4. Now run the renamed ComboFix from there; if it needs a reboot, let it reboot to normal mode and post the log.


#7 dwj1970

dwj1970
  • Topic Starter

  • Members
  • 37 posts

Posted 17 February 2010 - 07:45 PM

Those steps seemed to work as they were supposed to. The logs are below. First is the OTL log, then the ComboFix log.


========== PROCESSES ==========
========== OTL ==========
HKU\S-1-5-21-1683287766-4180362047-48305124-1144\S-1-5-21-1683287766-4180362047-48305124-1144\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\awaavckl deleted successfully.
Registry value HKEY_USERS\S-1-5-21-1683287766-4180362047-48305124-1144\Software\Microsoft\Windows\CurrentVersion\Run\\awaavckl deleted successfully.
========== FILES ==========
File\Folder C:\Documents and Settings\dwasmer\Local Settings\Application Data\jfkiob not found.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.1.28.0 log created on 02172010_180420


ComboFix 10-02-16.03 - DWasmer 02/17/2010 18:19:08.2.1 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.367 [GMT -6:00]
Running from: c:\documents and settings\dwasmer\Desktop\far.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Trend Micro Client-Server Security Agent Firewall *disabled* {AE7C23E9-3AC5-4604-9E36-F0568D28A0F4}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\docume~1\dwasmer\LOCALS~1\Temp\tmp1.tmp
c:\docume~1\dwasmer\LOCALS~1\Temp\tmp2.tmp
c:\documents and settings\dwasmer\Local Settings\Application Data\jfkiob
c:\documents and settings\dwasmer\Local Settings\Application Data\jfkiob\kjijsftav.exe

-- Previous Run --

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

--------

.
original MBR restored successfully !
.
((((((((((((((((((((((((( Files Created from 2010-01-18 to 2010-02-18 )))))))))))))))))))))))))))))))
.

2010-02-18 00:04 . 2010-02-18 00:04 -------- d-----w- C:\_OTL
2010-02-17 19:07 . 2010-02-17 19:07 -------- d-----w- c:\windows\LastGood
2010-02-17 19:02 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2010-02-17 19:02 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2010-02-17 15:06 . 2009-11-10 22:48 1647984 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd309803.vdb\NAVEX32A.DLL
2010-02-17 15:06 . 2009-12-02 18:16 1324720 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd309803.vdb\NAVEX15.SYS
2010-02-17 15:06 . 2009-12-02 18:15 84912 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd309803.vdb\NAVENG.SYS
2010-02-17 15:06 . 2009-11-10 22:48 177520 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd309803.vdb\NAVENG32.DLL
2010-02-17 15:06 . 2009-08-18 00:15 102448 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd309803.vdb\ERASER.SYS
2010-02-17 15:06 . 2010-02-12 09:00 259440 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd309803.vdb\ECMSVR32.DLL
2010-02-17 15:06 . 2009-08-18 00:15 371248 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd309803.vdb\EECTRL.SYS
2010-02-17 15:06 . 2009-12-08 00:01 2747440 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd309803.vdb\CCERASER.DLL
2010-02-17 14:40 . 2009-11-10 22:48 1647984 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd30a005.vdb\NAVEX32A.DLL
2010-02-17 14:40 . 2009-12-02 18:16 1324720 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd30a005.vdb\NAVEX15.SYS
2010-02-17 14:40 . 2009-12-02 18:15 84912 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd30a005.vdb\NAVENG.SYS
2010-02-17 14:40 . 2009-11-10 22:48 177520 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd30a005.vdb\NAVENG32.DLL
2010-02-17 14:39 . 2009-08-18 00:15 102448 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd30a005.vdb\ERASER.SYS
2010-02-17 14:39 . 2009-08-18 00:15 371248 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd30a005.vdb\EECTRL.SYS
2010-02-17 14:39 . 2010-02-16 09:00 259440 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd30a005.vdb\ECMSVR32.DLL
2010-02-17 14:39 . 2009-12-08 00:01 2747440 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd30a005.vdb\CCERASER.DLL
2010-02-16 15:18 . 2010-02-16 15:18 -------- d-sh--w- c:\documents and settings\LocalService\IECompatCache
2010-02-12 21:30 . 2009-12-30 20:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-12 21:30 . 2010-02-12 21:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-12 21:30 . 2009-12-30 20:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-12 21:00 . 2010-02-12 21:00 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-02-12 21:00 . 2010-02-13 15:46 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-02-12 15:24 . 2010-02-12 15:24 52224 ----a-w- c:\documents and settings\dwasmer\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-02-12 15:24 . 2010-02-12 15:24 117760 ----a-w- c:\documents and settings\dwasmer\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-02-12 15:23 . 2010-02-12 15:23 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-02-10 16:02 . 2010-02-10 16:03 -------- d-----w- c:\documents and settings\HelpAssistant\Yathome
2010-02-10 16:02 . 2010-02-10 16:02 -------- d-----w- c:\documents and settings\HelpAssistant\UserData
2010-02-10 16:02 . 2010-02-10 16:02 -------- d-----w- c:\documents and settings\HelpAssistant\SatSv
2010-02-10 16:02 . 2010-02-10 16:02 -------- d-----w- c:\documents and settings\HelpAssistant\PrivacIE
2010-02-10 16:02 . 2010-02-10 16:02 -------- d-----w- c:\documents and settings\HelpAssistant\MatHome
2010-02-10 15:59 . 2010-02-10 15:59 -------- d-----w- c:\documents and settings\HelpAssistant\DoctorWeb
2010-02-10 15:59 . 2010-02-10 15:59 -------- d-----w- c:\documents and settings\HelpAssistant\DatStV
2010-02-10 15:59 . 2007-02-28 21:05 299 ----a-w- c:\documents and settings\HelpAssistant\backup-pc.bat
2010-02-09 02:06 . 2010-02-09 02:06 -------- d-----w- c:\documents and settings\Administrator.SAINTVINCENTHOM\Local Settings\Application Data\Apple
2010-02-08 20:08 . 2010-02-08 21:25 -------- d-----w- c:\documents and settings\dwasmer\MatHome
2010-02-08 19:29 . 2006-12-14 16:00 110592 ----a-w- c:\documents and settings\Administrator.SAINTVINCENTHOM\Application Data\U3\temp\cleanup.exe
2010-02-08 19:28 . 2007-02-12 23:46 3096576 ---ha-w- c:\documents and settings\Administrator.SAINTVINCENTHOM\Application Data\U3\temp\Launchpad Removal.exe
2010-02-08 19:28 . 2010-02-08 19:28 -------- d-----w- c:\documents and settings\Administrator.SAINTVINCENTHOM\Application Data\U3
2010-02-08 19:24 . 2010-02-08 19:24 -------- d-----w- c:\documents and settings\Administrator.SAINTVINCENTHOM\Local Settings\Application Data\Symantec
2010-02-08 19:23 . 2010-02-08 19:23 -------- d-sh--w- c:\documents and settings\Administrator.SAINTVINCENTHOM\IETldCache
2010-02-05 17:07 . 2010-02-07 06:27 -------- d-----w- c:\documents and settings\dwasmer\Local Settings\Application Data\cnonfr
2010-02-05 16:39 . 2010-02-05 16:39 251376 ----a-w- c:\documents and settings\dwasmer\Application Data\Mozilla\plugins\npgoogletalk.dll
2010-01-28 13:43 . 2010-01-28 14:03 -------- d-----w- c:\documents and settings\dwasmer\LatStV
2010-01-26 18:45 . 2010-01-26 18:45 -------- d-----w- c:\documents and settings\dwasmer\Application Data\Apple Computer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-18 00:09 . 2009-04-01 15:16 -------- d-----w- c:\program files\Symantec AntiVirus
2010-02-12 15:24 . 2009-08-31 13:33 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-02-12 15:24 . 2009-08-31 13:33 -------- d-----w- c:\documents and settings\dwasmer\Application Data\SUPERAntiSpyware.com
2010-02-08 14:32 . 2007-01-19 19:40 -------- d-----w- c:\documents and settings\dwasmer\Application Data\AdobeUM
2010-01-05 21:37 . 2007-01-29 17:16 -------- d-----w- c:\program files\Common Files\Logitech
2010-01-05 20:35 . 2007-01-29 17:12 -------- d-----w- c:\program files\Logitech
2010-01-05 20:35 . 2006-09-21 19:01 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-04 17:33 . 2007-12-26 18:06 -------- d-----w- c:\documents and settings\All Users\Application Data\RPCache
2009-12-21 19:14 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-21 15:51 . 2004-08-04 12:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\progra~1\MESSEN~1\msmsgs.exe" [2008-04-14 1695232]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-02-20 4363504]
"HRCAgent"="c:\program files\Paychex\HRCAgent\HRCSync.exe" [2009-12-23 409600]
"Google Update"="c:\documents and settings\dwasmer\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-11-25 135664]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-01-05 2002160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-14 149280]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-05 413696]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-06-24 53096]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2008-09-30 125368]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisablePersonalDirChange"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"2479:TCP"= 2479:TCP:Services
"9471:TCP"= 9471:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"3246:TCP"= 3246:TCP:Services

S0 hggn;hggn;c:\windows\system32\drivers\xiuui.sys --> c:\windows\system32\drivers\xiuui.sys [?]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [1/5/2010 7:56 AM 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 7:56 AM 74480]
S2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/30/2008 4:41 PM 116664]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [9/21/2006 10:15 AM 20160]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/30/2009 9:50 AM 102448]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 7:56 AM 7408]
.
Contents of the 'Scheduled Tasks' folder

2010-02-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 22:57]

2010-02-15 c:\windows\Tasks\backup-pc.job
- c:\documents and settings\dwasmer\backup-pc.bat [2007-02-28 21:05]

2010-02-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1683287766-4180362047-48305124-1144Core.job
- c:\documents and settings\dwasmer\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-25 17:22]

2010-02-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1683287766-4180362047-48305124-1144UA.job
- c:\documents and settings\dwasmer\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-25 17:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
TCP: {C90AA508-CF6E-4F7B-889F-9085B845B8F0} = 93.188.162.103,93.188.166.85
DPF: {41861299-EAB2-4DCC-986C-802AE12AC499} - hxxps://eservices.paychex.com/secure/Reserved.ReportViewerWebControl.axd?ReportSession=v5giu2ap0drtovrmumuldc55&ControlID=a9bffa4fba4e479392c605b3520dc1eb&Culture=1033&UICulture=9&ReportStack=1&OpType=PrintCab
DPF: {46D8BEE7-0B27-4466-ABA2-A5F1E157971C} - hxxp://10.10.20.40:100/RemoteWeb.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-17 18:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x82A9EE90]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf877cf28
\Driver\ACPI -> ACPI.sys @ 0xf86efcb8
\Driver\atapi -> 0x82a9ee90
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: Intel® PRO/1000 MT Network Connection -> SendCompleteHandler -> 0x82b2d330
PacketIndicateHandler -> NDIS.sys @ 0xf859aa21
SendHandler -> NDIS.sys @ 0xf857887b
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x04A7D57E
malicious code @ sector 0x04A7D581 !
PE file found in sector at 0x04A7D597 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(620)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(444)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2010-02-17 18:28:39
ComboFix-quarantined-files.txt 2010-02-18 00:28

Pre-Run: 7,923,421,184 bytes free
Post-Run: 7,871,070,208 bytes free

- - End Of File - - 656561E51D3781BAA1ECEDBE91166111


I am back in normal mode again, so the anti-virus programs are running; I will disable them prior to the next step.

Again, thanks for all your help.
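
The ComboFix output above carries the indicators Farbar is working from: a browser proxy on the loopback adapter, interface DNS servers pointing at public addresses, a boot-start driver whose file is missing, firewall exceptions labelled only "Services", and the MBR warning. The following Python triage pass is an added example, not part of the thread or of ComboFix/OTL; the log excerpt is a constructed sample modelled on the posted lines and the rules are my own heuristics, not either tool's logic.

```python
"""First-pass triage of ComboFix/OTL style output for the indicators in this thread.

Added example (not from the thread, ComboFix or OTL); the log excerpt is a
constructed sample modelled on the lines posted above and the rules are my own
heuristics, not either tool's logic.
"""
import ipaddress
import re
from typing import List, Tuple

Finding = Tuple[str, str]  # (category, offending log line)

# Constructed sample: a loopback browser proxy, DNS pushed to public servers,
# a boot-start driver with no file on disk, a firewall exception labelled only
# "Services", the normal Remote Desktop exception, and the MBR warning.
SAMPLE_LOG = """\
uStart Page = hxxp://www.google.com
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
TCP: {C90AA508-CF6E-4F7B-889F-9085B845B8F0} = 93.188.162.103,93.188.166.85
S0 hggn;hggn;c:\\windows\\system32\\drivers\\xiuui.sys --> c:\\windows\\system32\\drivers\\xiuui.sys [?]
S1 SASDIFSV;SASDIFSV;c:\\program files\\SUPERAntiSpyware\\sasdifsv.sys [1/5/2010 7:56 AM 9968]
"65533:TCP"= 65533:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
Warning: possible MBR rootkit infection !
"""

PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?:http=)?([\w.\-]+):(\d+)", re.I)
DNS_RE = re.compile(r"^TCP:\s*\{[0-9A-F\-]+\}\s*=\s*(.+)$", re.I)
# ComboFix prints "path --> path [?]" for a service whose file it cannot find.
DRIVER_RE = re.compile(r"^[SR]\d\s+[^;]+;[^;]*;.+?\s+-->\s+.+\[\?\]\s*$")
PORT_RE = re.compile(r'^"(\d+):(?:TCP|UDP)"\s*=\s*\d+:(?:TCP|UDP):(.+)$')


def triage(log_text: str) -> List[Finding]:
    """Return (category, line) for every line that trips a heuristic."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PROXY_RE.search(line)
        if m:
            # A proxy on 127.0.0.1 puts something local in the browser's path,
            # which is what the search-result redirects in the thread looked like.
            if m.group(1).lower() in ("127.0.0.1", "localhost"):
                findings.append(("loopback-proxy", line))
            continue
        m = DNS_RE.match(line)
        if m:
            # Interface DNS servers outside private ranges deserve a look on a
            # domain-joined machine that should be using internal resolvers.
            for server in m.group(1).split(","):
                try:
                    addr = ipaddress.ip_address(server.strip())
                except ValueError:
                    continue
                if not addr.is_private:
                    findings.append(("public-dns-server", line))
                    break
            continue
        if DRIVER_RE.match(line):
            findings.append(("missing-driver-file", line))
            continue
        m = PORT_RE.match(line)
        if m:
            port, desc = int(m.group(1)), m.group(2).strip()
            # Named exceptions (Remote Desktop) are expected; a bare "Services"
            # label on a high port says nothing about who opened it.
            if desc.lower() == "services" and port > 1024:
                findings.append(("odd-firewall-exception", line))
            continue
        if "MBR rootkit infection" in line:
            findings.append(("mbr-warning", line))
    return findings


def categories(log_text: str) -> List[str]:
    """Distinct categories hit, in the order first seen."""
    seen: List[str] = []
    for cat, _ in triage(log_text):
        if cat not in seen:
            seen.append(cat)
    return seen


if __name__ == "__main__":
    for cat, line in triage(SAMPLE_LOG):
        print(f"[{cat}] {line}")
```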


#8 Farbar

Farbar

    Just Curious

  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands

Posted 18 February 2010 - 02:35 PM

One or more of the identified infections is a backdoor trojan. There are multiple rootkit infections, a DNS hijacker, and more. It looks like one of the infections has even made a user account (HelpAssistant).

A backdoor Trojan can allow an attacker to gain control of the system, log keystrokes, steal passwords, access personal data, send malevolent outgoing traffic, and close the security warning messages displayed by some anti-virus and security programs.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the Operating System. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still try to clean this machine but I can't guarantee that it will be 100% secure afterwards. If you decide to remove the infection please let me know.

#9 dwj1970

dwj1970
  • Topic Starter

  • Members
  • 37 posts

Posted 18 February 2010 - 03:07 PM

At this point, I would like to attempt to clean this computer. This computer was donated with the software already installed, and I don't have the disks to do a restore or reformat. I don't use this computer for any personal financial business, but am contacting the appropriate places just in case any passwords have been compromised.



#10 Farbar

Farbar

    Just Curious

  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands

Posted 18 February 2010 - 06:09 PM

Please keep the computer disconnected from the internet and only use it for disinfection when needed.
  1. Go to start => Control Panel => open "System"
    Select Advanced tab. Under User Profiles section select HelpAssistant.
    Press Delete and confirm to delete anything.
    Tell me if you get any error and proceed with the next step anyway.

  2. Download noahdfear's profiles.exe and run it.
    Copy and paste the content of the log to your reply.

  3. Go to start > Run, copy/paste the following line into the Run box and click OK.

    cmd /c dir /a /b /o "c:\documents and settings" >log.txt &start log.txt

    A text file (log.txt) will open. Please post its content to your reply.
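
The three steps above amount to a manual cross-check of the ProfileList registry key against the folders under Documents and Settings, looking for a profile folder (such as HelpAssistant) that no registered SID accounts for. The Python below is an added example, not anything from the thread or from noahdfear's profiles.exe; it automates that comparison over constructed samples of both outputs, in the formats the thread quotes.

```python
"""Cross-check ProfileList registry entries against the profile folders on disk."""
import ntpath
import re
from typing import Dict, List, Set, Tuple

# Added example, not from the thread or from noahdfear's profiles.exe; both
# inputs below are constructed samples in the formats quoted in the thread.
PROFILE_ROOT = r"%SystemDrive%\Documents and Settings"

SAMPLE_PROFILELIST = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
DefaultUserProfile REG_SZ Default User
AllUsersProfile REG_SZ All Users

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
ProfileImagePath REG_EXPAND_SZ %systemroot%\system32\config\systemprofile

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\LocalService

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1683287766-4180362047-48305124-1141
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\CBLAKE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1683287766-4180362047-48305124-1144
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\dwasmer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1683287766-4180362047-48305124-500
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\Administrator.SAINTVINCENTHOM
"""

# Constructed `dir /a /b /o "c:\documents and settings"` output: HelpAssistant
# exists on disk but has no entry above, and CBLAKE is the reverse.
SAMPLE_DIR = """\
Administrator.SAINTVINCENTHOM
All Users
Default User
dwasmer
HelpAssistant
LocalService
"""

SID_KEY_RE = re.compile(r"\\ProfileList\\(S-1-5-[\d-]+)$")
IMAGE_RE = re.compile(r"^ProfileImagePath\s+REG_EXPAND_SZ\s+(.+)$")


def parse_profilelist(text: str) -> Dict[str, str]:
    """Map each SID subkey to its ProfileImagePath value."""
    entries: Dict[str, str] = {}
    sid = None
    for line in text.splitlines():
        line = line.strip()
        key = SID_KEY_RE.search(line)
        if key:
            sid = key.group(1)
            continue
        value = IMAGE_RE.match(line)
        if value and sid:
            entries[sid] = value.group(1).strip()
    return entries


def cross_check(entries: Dict[str, str], dir_listing: str) -> Tuple[List[str], List[str]]:
    """Return (folders with no ProfileList entry, SIDs whose folder is missing).

    Only paths under PROFILE_ROOT are compared, so the S-1-5-18 system profile
    under system32\\config is skipped; "All Users" and "Default User" are shared
    template folders with no per-SID entry and are skipped on the disk side.
    """
    disk = {name.strip().lower(): name.strip()
            for name in dir_listing.splitlines() if name.strip()}
    shared = {"all users", "default user"}
    root = PROFILE_ROOT.lower() + "\\"
    registered: Set[str] = set()
    dangling: List[str] = []
    for sid, path in sorted(entries.items()):
        if not path.lower().startswith(root):
            continue
        folder = ntpath.basename(path).lower()  # Windows names compare case-insensitively
        registered.add(folder)
        if folder not in disk:
            dangling.append(sid)
    orphans = sorted(disk[f] for f in disk if f not in shared and f not in registered)
    return orphans, dangling


if __name__ == "__main__":
    orphans, dangling = cross_check(parse_profilelist(SAMPLE_PROFILELIST), SAMPLE_DIR)
    print("folders with no ProfileList entry:", orphans)
    print("ProfileList entries with no folder:", dangling)
```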




#11 dwj1970

dwj1970
  • Topic Starter

  • Members
  • 37 posts

Posted 19 February 2010 - 10:17 AM

Thanks for the continued assistance. I followed the steps and below are the results.


1. When I attempted to delete the HelpAssistant Profile, I got the following error "Error Not Able to Delete Profile Folder Not Empty"

On the list of user profiles, there were 6 profiles listed as Unknown User, with a total size of 48MB. I am wondering if I should delete those also?


2. I ran the exe file and got the following log:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
DefaultUserProfile REG_SZ Default User
AllUsersProfile REG_SZ All Users

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
ProfileImagePath REG_EXPAND_SZ %systemroot%\system32\config\systemprofile

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\LocalService

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\NetworkService

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1683287766-4180362047-48305124-1141
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\CBLAKE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1683287766-4180362047-48305124-1142
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\pkoch

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1683287766-4180362047-48305124-1144
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\dwasmer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1683287766-4180362047-48305124-1150
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\drussell

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1683287766-4180362047-48305124-1175
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\jkelsey

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1683287766-4180362047-48305124-1635
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\moore

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1683287766-4180362047-48305124-1735
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\byokley

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1683287766-4180362047-48305124-500
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\Administrator.SAINTVINCENTHOM

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-329068152-1292428093-725345543-500
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\Administrator

SystemRoot REG_SZ C:\WINDOWS



3. I copied the line you had me run, and got the following log:



Administrator
Administrator.SAINTVINCENTHOM
All Users
byokley
CBLAKE
Default User
drussell
dwasmer
HelpAssistant
jkelsey
LocalService
moore
NetworkService
pkoch

#12 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands

Posted 19 February 2010 - 11:02 AM

  1. Of the following user accounts, the bold one is the one you are logged in as. If it is your user account you may follow the instructions in the previous post and remove the rest of the profiles.

    QUOTE
    byokley
    CBLAKE
    drussell
    dwasmer
    jkelsey
    moore
    pkoch


  2. Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box into a new file:


    CODE
    @ECHO OFF
    REM Stop the Remote Desktop Help Session Manager and disable the HelpAssistant account
    reg add HKLM\SYSTEM\CurrentControlSet\Services\RDSessMgr /v Start /t REG_DWORD /d 0x0 /f
    net stop RDSessMgr
    net user HelpAssistant /active:no >nul 2>&1
    net localgroup Administrators HelpAssistant /delete >nul 2>&1
    REM docume~1 is the 8.3 short name of "Documents and Settings"; strip attributes so the folder can be deleted
    attrib -s -h -r C:\docume~1\HelpAssistant\* /s /d
    attrib -s -h -r C:\docume~1\HelpAssistant.*\* /s /d
    del /a /f /q C:\docume~1\HelpAssistant\*.*
    rmdir /s /q C:\docume~1\HelpAssistant
    REM %% writes a literal %systemroot% into the REG_EXPAND_SZ value (a caret does not escape % inside a batch file)
    reg add HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters /v ServiceDll /t REG_EXPAND_SZ /d %%systemroot%%\System32\termsrv.dll /f
    REM Remove the firewall exceptions for Remote Desktop (3389/TCP) in both profiles
    Reg delete HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List /v 3389:TCP /f
    Reg delete HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List /v 3389:TCP /f
    REM Set Terminal Services back to the manual (0x3) start type
    reg add HKLM\SYSTEM\CurrentControlSet\Services\TermService /v Start /t REG_DWORD /d 0x3 /f
    del %0

    • Go to the File menu at the top of the Notepad and select Save as.
    • Select Save in: desktop
    • Fill in File name: dirlook.bat
    • Save as type: All file types (*.*)
    • Click save.
    • Close the Notepad.
    • Locate dirlook.bat on the desktop. It should look like this:
    • In Windows XP: Double-click to run it. In Windows Vista: Right-click to run it as administrator.
    • A notepad opens, copy and paste the content (log.txt) to your reply.

  3. Make sure the following setting is set as it is supposed to be set:
    • Go to Start -> Control Panel -> Double click on Network Connections.
    • Right click on your default connection (usually Local Area Connection) and select Properties.
    • Select the General tab.
    • Double click on Internet Protocol (TCP/IP).
      Under General tab:
      • Select "Obtain an IP address automatically".
      • Select "Obtain DNS server address automatically".
    • Click OK twice to save the settings.
    • Reboot if you had to change any setting.

  4. Close any open browsers.

    Open notepad (start > All Programs > Accessories > Notepad) and copy/paste the text in the code box below into it:

    CODE
    DDS::
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyServer = http=127.0.0.1:5555
    TCP: {C90AA508-CF6E-4F7B-889F-9085B845B8F0} = 93.188.162.103,93.188.166.85
    MBR::
    Folder::
    c:\documents and settings\HelpAssistant
    Driver::
    hggn


    Save this as CFScript.txt, in the same location as ComboFix.exe




    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you ( "C:\ComboFix.txt"). Please copy and paste the log to your reply.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall


  5. Run profiles.exe and copy/paste the content of the log to your reply.

  6. Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box into a new file:


    CODE
    @ECHO OFF
    dir /a /b /o "c:\documents and settings" >log.txt
    sc query type= driver group= "SCSI Miniport" >> Log.txt
    start log.txt
    del %0

    • Go to the File menu at the top of the Notepad and select Save as.
    • Select Save in: desktop
    • Fill in File name: dirlook.bat
    • Save as type: All file types (*.*)
    • Click save.
    • Close the Notepad.
    • Locate dirlook.bat on the desktop.
    • Double-click to run it.
    • A notepad opens, copy and paste the content (log.txt) to your reply.

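The batch scripts in posts #10 and #12 change the HelpAssistant account, the Remote Desktop services, the firewall exceptions and the HelpAssistant profile folder. The following batch file is an added, read-only audit; it is not code posted by Farbar or by anyone in this thread. It reports each of those settings without modifying anything, so a responder can record the state before cleanup and confirm the expected values afterwards. It assumes Windows XP with the profile root under %SystemDrive%\Documents and Settings, that it is run from an administrator account, and that the report may be written to audit.txt next to the script; the expected values in its comments are the XP defaults that the post #12 script restores.

```batch
@ECHO OFF
REM Added read-only audit (not from the thread): reports the settings that the
REM remediation script in post #12 modifies, without changing anything.
REM Assumes Windows XP, an administrator command prompt, and that audit.txt
REM may be created in the script's own folder.
SET LOG=%~dp0audit.txt
ECHO HelpAssistant / Remote Desktop audit - %DATE% %TIME% > "%LOG%"

ECHO. >> "%LOG%"
ECHO [1] HelpAssistant account (XP default: "Account active  No") >> "%LOG%"
net user HelpAssistant 2>nul | findstr /I /C:"Account active" >> "%LOG%"

ECHO. >> "%LOG%"
ECHO [2] Members of Administrators (HelpAssistant must NOT be listed) >> "%LOG%"
net localgroup Administrators >> "%LOG%"
net localgroup Administrators | findstr /I /C:"HelpAssistant" >nul && ECHO   !! HelpAssistant is a member of Administrators >> "%LOG%"

ECHO. >> "%LOG%"
ECHO [3] Remote Desktop Help Session Manager start type (XP default: Start = 0x3, manual) >> "%LOG%"
reg query HKLM\SYSTEM\CurrentControlSet\Services\RDSessMgr /v Start >> "%LOG%" 2>&1

ECHO. >> "%LOG%"
ECHO [4] Terminal Services start type and ServiceDll (expected: %%SystemRoot%%\System32\termsrv.dll) >> "%LOG%"
reg query HKLM\SYSTEM\CurrentControlSet\Services\TermService /v Start >> "%LOG%" 2>&1
reg query HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters /v ServiceDll >> "%LOG%" 2>&1

ECHO. >> "%LOG%"
ECHO [5] Firewall globally open ports in both profiles (3389:TCP and random high ports labelled "Services" are not defaults) >> "%LOG%"
reg query HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List >> "%LOG%" 2>&1
reg query HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List >> "%LOG%" 2>&1
reg query HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List 2>nul | findstr /I /C:":Services" >nul && ECHO   !! port exceptions labelled "Services" are present >> "%LOG%"

ECHO. >> "%LOG%"
ECHO [6] HelpAssistant profile folders (a HelpAssistant.* folder belongs to a profile created under another SID) >> "%LOG%"
dir /a /b /o "%SystemDrive%\Documents and Settings" 2>nul | findstr /I /C:"HelpAssistant" >> "%LOG%"

ECHO. >> "%LOG%"
ECHO [7] Internet Explorer proxy for this user (a ProxyServer on 127.0.0.1 diverts browser traffic) >> "%LOG%"
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer >> "%LOG%" 2>&1

start notepad "%LOG%"
```

Running it once before the post #12 script and once after gives a before/after record of exactly the settings that script touches; the `!!` lines mark the findings that indicate the HelpAssistant backdoor is still in place.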

#13 dwj1970

dwj1970
  • Topic Starter

  • Members
  • 37 posts

Posted 19 February 2010 - 03:33 PM

I just finished that set of instructions, and hopefully I did the right things.

I deleted all the other profiles, except mine, then started your instructions.

I ran the first dirlook.bat, but no log file was ever created. It went by incredibly quickly, but on the black box I could only catch some of the words: "...ran successfully....more help can be found". I could not capture the entire message.

I then attempted to check my network settings. I tried to access it through the control panel, network connections, then properties of the LAN network, and I got a new window that said "An unexpected error occurred"; the window you wanted me to look at never came up.

I went on and ran combofix, as instructed and the second dirlook.bat. Those logs follow:


ComboFix 10-02-18.09 - dwasmer 02/19/2010 13:56:29.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.86 [GMT -6:00]
Running from: c:\documents and settings\dwasmer\Desktop\far.exe
Command switches used :: c:\documents and settings\dwasmer\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Trend Micro Client-Server Security Agent Firewall *disabled* {AE7C23E9-3AC5-4604-9E36-F0568D28A0F4}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
original MBR restored successfully !
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_hggn


((((((((((((((((((((((((( Files Created from 2010-01-19 to 2010-02-19 )))))))))))))))))))))))))))))))
.

2010-02-19 15:31 . 2010-02-19 15:31 -------- d-----w- c:\documents and settings\dwasmer\GSatSTv
2010-02-19 15:08 . 2010-02-19 15:09 -------- d-----w- c:\documents and settings\HelpAssistant\Yathome
2010-02-19 15:08 . 2010-02-19 15:08 -------- d-----w- c:\documents and settings\HelpAssistant\UserData
2010-02-19 15:08 . 2010-02-19 15:08 -------- d-----w- c:\documents and settings\HelpAssistant\SatSv
2010-02-19 15:08 . 2010-02-19 15:08 -------- d-----w- c:\documents and settings\HelpAssistant\PrivacIE
2010-02-19 15:08 . 2010-02-19 15:08 -------- d-----w- c:\documents and settings\HelpAssistant\MatHome
2010-02-18 15:03 . 2010-02-18 15:11 -------- d-----w- c:\documents and settings\dwasmer\DAatH
2010-02-18 00:17 . 2010-02-18 00:28 -------- d-----w- C:\far
2010-02-18 00:04 . 2010-02-18 00:04 -------- d-----w- C:\_OTL
2010-02-17 19:02 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2010-02-17 19:02 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2010-02-16 15:18 . 2010-02-16 15:18 -------- d-sh--w- c:\documents and settings\LocalService\IECompatCache
2010-02-12 21:30 . 2009-12-30 20:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-12 21:30 . 2010-02-12 21:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-12 21:30 . 2009-12-30 20:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-12 21:00 . 2010-02-13 15:46 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-02-12 15:23 . 2010-02-12 15:23 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-02-10 15:58 . 2010-02-19 16:49 -------- d-----w- c:\documents and settings\HelpAssistant
2010-02-08 20:08 . 2010-02-08 21:25 -------- d-----w- c:\documents and settings\dwasmer\MatHome
2010-02-05 17:07 . 2010-02-07 06:27 -------- d-----w- c:\documents and settings\dwasmer\Local Settings\Application Data\cnonfr
2010-01-28 13:43 . 2010-01-28 14:03 -------- d-----w- c:\documents and settings\dwasmer\LatStV
2010-01-26 18:45 . 2010-01-26 18:45 -------- d-----w- c:\documents and settings\dwasmer\Application Data\Apple Computer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-19 20:06 . 2009-04-01 15:16 -------- d-----w- c:\program files\Symantec AntiVirus
2010-02-18 09:00 . 2010-02-19 14:45 259440 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd30a410.vdb\ECMSVR32.DLL
2010-02-14 09:00 . 2010-02-19 14:57 259440 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd309c04.vdb\ECMSVR32.DLL
2010-02-12 21:00 . 2010-02-12 21:00 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-02-12 15:24 . 2010-02-12 15:24 52224 ----a-w- c:\documents and settings\dwasmer\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-02-12 15:24 . 2010-02-12 15:24 117760 ----a-w- c:\documents and settings\dwasmer\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-02-12 15:24 . 2009-08-31 13:33 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-02-12 15:24 . 2009-08-31 13:33 -------- d-----w- c:\documents and settings\dwasmer\Application Data\SUPERAntiSpyware.com
2010-02-08 14:32 . 2007-01-19 19:40 -------- d-----w- c:\documents and settings\dwasmer\Application Data\AdobeUM
2010-02-05 16:39 . 2010-02-05 16:39 251376 ----a-w- c:\documents and settings\dwasmer\Application Data\Mozilla\plugins\npgoogletalk.dll
2010-01-05 21:37 . 2007-01-29 17:16 -------- d-----w- c:\program files\Common Files\Logitech
2010-01-05 20:35 . 2007-01-29 17:12 -------- d-----w- c:\program files\Logitech
2010-01-05 20:35 . 2006-09-21 19:01 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-04 17:33 . 2007-12-26 18:06 -------- d-----w- c:\documents and settings\All Users\Application Data\RPCache
2009-12-21 19:14 . 2004-08-04 12:00 916480 ------w- c:\windows\system32\wininet.dll
2009-12-08 00:01 . 2010-02-19 14:57 2747440 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd309c04.vdb\CCERASER.DLL
2009-12-08 00:01 . 2010-02-19 14:45 2747440 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd30a410.vdb\CCERASER.DLL
2009-12-02 18:16 . 2010-02-19 14:57 1324720 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd309c04.vdb\NAVEX15.SYS
2009-12-02 18:16 . 2010-02-19 14:45 1324720 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd30a410.vdb\NAVEX15.SYS
2009-12-02 18:15 . 2010-02-19 14:57 84912 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd309c04.vdb\NAVENG.SYS
2009-12-02 18:15 . 2010-02-19 14:45 84912 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd30a410.vdb\NAVENG.SYS
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\progra~1\MESSEN~1\msmsgs.exe" [2008-04-14 1695232]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-02-20 4363504]
"HRCAgent"="c:\program files\Paychex\HRCAgent\HRCSync.exe" [2009-12-23 409600]
"Google Update"="c:\documents and settings\dwasmer\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-11-25 135664]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-01-05 2002160]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-14 149280]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-05 413696]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-06-24 53096]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2008-09-30 125368]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisablePersonalDirChange"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"2479:TCP"= 2479:TCP:Services
"9471:TCP"= 9471:TCP:Services
"3246:TCP"= 3246:TCP:Services
"9256:TCP"= 9256:TCP:Services

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [1/5/2010 7:56 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 7:56 AM 74480]
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/30/2008 4:41 PM 116664]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/30/2009 9:50 AM 102448]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 7:56 AM 7408]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [9/21/2006 10:15 AM 20160]
.
Contents of the 'Scheduled Tasks' folder

2010-02-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 22:57]

2010-02-18 c:\windows\Tasks\backup-pc.job
- c:\documents and settings\dwasmer\backup-pc.bat [2007-02-28 21:05]

2010-02-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1683287766-4180362047-48305124-1144Core.job
- c:\documents and settings\dwasmer\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-25 17:22]

2010-02-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1683287766-4180362047-48305124-1144UA.job
- c:\documents and settings\dwasmer\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-25 17:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = <local>
DPF: {41861299-EAB2-4DCC-986C-802AE12AC499} - hxxps://eservices.paychex.com/secure/Reserved.ReportViewerWebControl.axd?ReportSession=v5giu2ap0drtovrmumuldc55&ControlID=a9bffa4fba4e479392c605b3520dc1eb&Culture=1033&UICulture=9&ReportStack=1&OpType=PrintCab
DPF: {46D8BEE7-0B27-4466-ABA2-A5F1E157971C} - hxxp://10.10.20.40:100/RemoteWeb.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-19 14:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x82D55BC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf877df28
\Driver\ACPI -> ACPI.sys @ 0xf86f0cb8
\Driver\atapi -> 0x82d55bc8
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: Intel® PRO/1000 MT Network Connection -> SendCompleteHandler -> 0x8288b330
PacketIndicateHandler -> NDIS.sys @ 0xf859ba21
SendHandler -> NDIS.sys @ 0xf857987b
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x04A7D57E
malicious code @ sector 0x04A7D581 !
PE file found in sector at 0x04A7D597 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(712)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3932)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
c:\program files\Java\jre6\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2010-02-19 14:17:35 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-19 20:17
ComboFix2.txt 2010-02-18 00:28

Pre-Run: 7,978,835,968 bytes free
Post-Run: 7,881,252,864 bytes free

- - End Of File - - 4EC0779BCE19D10BC0A46719433B028B



All Users
Default User
dwasmer
HelpAssistant
HelpAssistant.1-6
LocalService
NetworkService

SERVICE_NAME: atapi
DISPLAY_NAME: Standard IDE/ESDI Hard Disk Controller
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0





#14 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands

Posted 19 February 2010 - 05:40 PM

Well done.

I am missing the log for step 5.

#15 dwj1970

dwj1970
  • Topic Starter

  • Members
  • 37 posts

Posted 20 February 2010 - 12:15 PM

I am sorry. I completely missed step five. I just did it, and the log is below.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
DefaultUserProfile REG_SZ Default User
AllUsersProfile REG_SZ All Users

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
ProfileImagePath REG_EXPAND_SZ %systemroot%\system32\config\systemprofile

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\LocalService

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\NetworkService

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1683287766-4180362047-48305124-1144
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\dwasmer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-329068152-1292428093-725345543-1000
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\HelpAssistant.1-6

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-329068152-1292428093-725345543-500
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\Administrator

SystemRoot REG_SZ C:\WINDOWS




