
Redirect ???


This topic is locked
23 replies to this topic

#1 razor49 (Members, 14 posts)

Posted 15 February 2010 - 10:56 PM

Hello,
I'm new at this, so let me know if I need to change anything. Recently my computer became infected with Antivirus Soft and it wreaked havoc for a while. I finally got rid of it, but at the expense of messing up my antivirus (Iolo). Therefore, I had no antivirus for a few days, unbeknownst to me.

Here's the problem. I went to my online banking site yesterday, entered my user ID and then was redirected to a page that told me that my bank did not recognize my computer and that I needed to enter my card number, 3 digit security number, and PIN. (I did NOT do this.) This is very unusual. My bank has never asked for this information online before and there are no announcements on their web page that indicate they would ask for this information online. What's more, I can gain access from any other computer I'm on, so I suspect I have a virus that is redirecting me to a phishing page. I ran a HijackThis log and am pasting it here. Please help. This is very disturbing. Thanks!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:39:35 PM, on 2/15/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\csrss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\system32\spoolsv.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\Explorer.EXE
G:\Program Files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
G:\Program Files\iolo\common\lib\ioloServiceManager.exe
G:\Program Files\iolo\System Mechanic\IoloSGCtrl.exe
G:\WINDOWS\system32\nvsvc32.exe
G:\WINDOWS\System32\svchost.exe
G:\Program Files\iolo\System Mechanic\SystemGuardAlerter.exe
G:\Program Files\iolo\AntiVirus\ioloAV.exe
G:\Program Files\Messenger\msmsgs.exe
G:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
G:\WINDOWS\system32\ctfmon.exe
G:\WINDOWS\System32\alg.exe
G:\Program Files\iolo\AntiVirus\iAVEmailScanner.exe
G:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
G:\Program Files\Trend Micro\HijackThis\HijackThis.exe
G:\Program Files\Internet Explorer\IEXPLORE.EXE
G:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - G:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - G:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - G:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - G:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - G:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - G:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE G:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SystemGuardAlerter] "G:\Program Files\iolo\System Mechanic\SystemGuardAlerter.exe"
O4 - HKLM\..\Run: [iolo AntiVirus] "G:\Program Files\iolo\AntiVirus\ioloAV.exe"
O4 - HKCU\..\Run: [MSMSGS] "G:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] "G:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [ctfmon.exe] G:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = G:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - G:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - G:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: g:\windows\system32\iavlsp.dll
O10 - Unknown file in Winsock LSP: g:\windows\system32\iavlsp.dll
O10 - Unknown file in Winsock LSP: g:\windows\system32\iavlsp.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1219206213795
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=23100
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/webgames/popcaploader_v10.cab
O16 - DPF: {FFD85DC8-5261-4D11-B728-F7C59D911691} (iolo.ProductDetector) - http://www.iolo.com/app/ocx/UpgradeVerify.cab
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - G:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - G:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: Google Update Service (gupdate1ca14b9eb9694e0) (gupdate1ca14b9eb9694e0) - Google Inc. - G:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - G:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - G:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - G:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - G:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - G:\Program Files\iolo\System Mechanic\IoloSGCtrl.exe
O23 - Service: iPod Service - Apple Inc. - G:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - G:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6464 bytes
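Reading a HijackThis log by hand comes down to spotting entries that are in the wrong place or that HijackThis itself could not vouch for. The Python script below is an added example for this thread, not part of the original post and not a feature of HijackThis: it parses the R/O line format and applies a few triage rules, namely O1 hosts-file entries (the simplest way to send a bank domain to another server), O10 LSP entries HijackThis does not recognise (an LSP sees every socket the browser opens), O4 autoruns that have no absolute path or that live outside Program Files / Windows, and O23 services with no publisher string. The sample input is constructed: real lines copied from the log above plus two fabricated ones, an O1 hosts override for a documentation address and an O4 autorun under Local Settings\Application Data\mreibs (the folder in which Malwarebytes later reported the Trojan.FakeAlert file), so that every rule has something to fire on. A hit is a lead for review, not a verdict: iavlsp.dll in this log sits next to the iolo AntiVirus components and its name suggests it is that product's own LSP, which is an inference and not something the log proves.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample (added example, not the poster's full log): genuine lines
# from the thread plus two fabricated ones, the O1 hosts entry and the O4
# autorun under ...\mreibs. 192.0.2.10 is an RFC 5737 documentation address.
SAMPLE = r"""
Logfile of Trend Micro HijackThis v2.0.2
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O1 - Hosts: 192.0.2.10 www.bank.example
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - G:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [iolo AntiVirus] "G:\Program Files\iolo\AntiVirus\ioloAV.exe"
O4 - HKCU\..\Run: [mreibs] G:\Documents and Settings\Todd\Local Settings\Application Data\mreibs\nsjxsftav.exe
O10 - Unknown file in Winsock LSP: g:\windows\system32\iavlsp.dll
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - G:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - G:\WINDOWS\system32\nvsvc32.exe
"""

# Every HijackThis finding is "<section> - <body>", e.g. "O4 - HKLM\..\Run: ...".
HJT_LINE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
# First absolute Windows path to a binary inside an entry, quoted or not.
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"]+?\.(?:exe|dll|sys))"?', re.IGNORECASE)
# Assumption: legitimately installed autoruns live under one of these roots;
# anything else (a user profile, a temp folder) deserves a closer look.
TRUSTED_ROOTS = ("\\program files\\", "\\windows\\")


@dataclass
class Finding:
    severity: str   # "high" | "medium" | "low"
    section: str    # HijackThis section code, e.g. "O4"
    reason: str
    line: str


def parse_hjt(text):
    """Yield (section, body, raw_line) for every HijackThis finding line."""
    for raw in text.splitlines():
        raw = raw.strip()
        m = HJT_LINE.match(raw)
        if m:
            yield m.group("sec"), m.group("body"), raw


def triage(text):
    """Apply the triage rules and return the list of Findings."""
    findings = []
    for sec, body, raw in parse_hjt(text):
        if sec == "O1":
            findings.append(Finding("high", sec, "hosts-file override; redirects a hostname without touching the browser", raw))
        elif sec == "O10" and "Unknown file in Winsock LSP" in body:
            findings.append(Finding("medium", sec, "LSP not on the HijackThis whitelist; it can inspect or rewrite all socket traffic", raw))
        elif sec == "O4":
            m = PATH_RE.search(body)
            if m is None:
                findings.append(Finding("medium", sec, "autorun without an absolute path (resolved through PATH at logon)", raw))
            elif not any(root in m.group(1).lower() for root in TRUSTED_ROOTS):
                findings.append(Finding("high", sec, "autorun outside Program Files / Windows", raw))
        elif sec == "O23" and "Unknown owner" in body:
            findings.append(Finding("low", sec, "service binary carries no publisher string; verify the file by hand", raw))
    return findings


def severity_counts(findings):
    """Summary {severity: count}, handy for deciding what to read first."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    hits = triage(SAMPLE)
    print(severity_counts(hits))
    for f in sorted(hits, key=lambda f: ("high", "medium", "low").index(f.severity)):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
```

Run against the sample it reports two high, two medium and one low finding; the iolo AntiVirus autorun under Program Files is not reported. The rules are deliberately coarse (no hash lookups, no signature checks) because a log is all a forum helper has; they narrow the list of lines to go and verify on the machine.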



#2 syler (Malware Response Team, 8,150 posts; Warrington, UK)

Posted 19 February 2010 - 01:25 PM

Hello,

My name is Syler and I will be helping you to solve your malware issues. If you have since resolved your issues I would appreciate it if you would let me know so I can close this topic; if you still need help, please let me know what issues you are still having in your next reply.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up.

  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)


  1. Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  2. Disconnect from the Internet and close all running programs, as this process may crash your computer.
  3. Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  4. Double click on Gmer to run it.
  5. Allow the gmer.sys driver to load if asked.
  6. You may see a rootkit warning window. If you do, click No.
  7. Untick the following boxes on the right side of the Gmer screen.
    Sections
    IAT/EAT
    Files
    Show All
  8. Click on and wait for the scan to finish.
  9. If you see a rootkit warning window, click OK.
  10. Push and save the logfile to your desktop.
  11. Copy and Paste the contents of that file in your next post.



Then please post back here with the following:
  • log.txt
  • info.txt
  • Gmer log

Thanks



#3 razor49 (Topic Starter)

Posted 20 February 2010 - 10:47 AM

Hello Syler,

Thanks for the reply. I will tell you that I have made some changes to the computer since I first posted. I ran Malwarebytes and it removed Trojan.FakeAlert and Broken.OpenCommand. I am posting that Malwarebytes log first just in case you need to see that. Secondly, I reverted back to an earlier registry backup. When I did that, the redirect page on my bank account went away. Nonetheless, posted are the logs you requested along with the Malwarebytes log:

Malwarebytes' Anti-Malware 1.44
Database version: 3754
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2/18/2010 8:40:20 PM
mbam-log-2010-02-18 (20-40-20).txt

Scan type: Full Scan (C:\|G:\|)
Objects scanned: 204142
Time elapsed: 58 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\scrfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: ("%1" /S) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: (regedit.exe "%1") -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
G:\Documents and Settings\HelpAssistant\Local Settings\Application Data\mreibs\NSJXSFTAV.INFECTED (Trojan.FakeAlert) -> Quarantined and deleted successfully.
G:\Documents and Settings\HelpAssistant.HOME-DPI79WZ4NF\Local Settings\Application Data\mreibs\NSJXSFTAV.INFECTED (Trojan.FakeAlert) -> Quarantined and deleted successfully.
G:\Documents and Settings\Todd\Local Settings\Application Data\mreibs\NSJXSFTAV.INFECTED (Trojan.FakeAlert) -> Quarantined and deleted successfully.


Log.txt

Logfile of random's system information tool 1.06 (written by random/random)
Run by Todd at 2010-02-20 10:20:55
Microsoft Windows XP Home Edition Service Pack 3
System drive G: has 9 GB (46%) free of 19 GB
Total RAM: 255 MB (14% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:21:10 AM, on 2/20/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\csrss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\system32\spoolsv.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\Explorer.EXE
G:\Program Files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
G:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
G:\Program Files\iolo\common\lib\ioloServiceManager.exe
G:\WINDOWS\system32\ctfmon.exe
G:\Program Files\iolo\System Mechanic\IoloSGCtrl.exe
G:\WINDOWS\system32\nvsvc32.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\System32\alg.exe
G:\Program Files\iolo\System Mechanic\SMSystemAnalyzer.exe
G:\Program Files\Common Files\Adobe\Updater6\Adobe_Updater.exe
G:\Program Files\iolo\AntiVirus\iAVEmailScanner.exe
G:\Program Files\Internet Explorer\iexplore.exe
G:\Program Files\Internet Explorer\iexplore.exe
G:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
G:\Documents and Settings\Todd\Desktop\RSIT.exe
G:\WINDOWS\system32\wbem\wmiprvse.exe
G:\Program Files\trend micro\Todd.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - G:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - G:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - G:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - G:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - G:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - G:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE G:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [iolo AntiVirus] "G:\Program Files\iolo\AntiVirus\ioloAV.exe"
O4 - HKLM\..\Run: [SystemGuardAlerter] G:\Program Files\iolo\System Mechanic\SystemGuardAlerter.exe
O4 - HKCU\..\Run: [MSMSGS] "G:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] "G:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [ctfmon.exe] G:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = G:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - G:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - G:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: g:\windows\system32\iavlsp.dll
O10 - Unknown file in Winsock LSP: g:\windows\system32\iavlsp.dll
O10 - Unknown file in Winsock LSP: g:\windows\system32\iavlsp.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1219206213795
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=23100
O16 - DPF: {FFD85DC8-5261-4D11-B728-F7C59D911691} (iolo.ProductDetector) - http://www.iolo.com/app/ocx/UpgradeVerify.cab
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - G:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - G:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: Google Update Service (gupdate1ca14b9eb9694e0) (gupdate1ca14b9eb9694e0) - Google Inc. - G:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - G:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - G:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - G:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - G:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - G:\Program Files\iolo\System Mechanic\IoloSGCtrl.exe
O23 - Service: iPod Service - Apple Inc. - G:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - G:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6386 bytes

======Scheduled tasks folder======

G:\WINDOWS\tasks\AppleSoftwareUpdate.job
G:\WINDOWS\tasks\Google Software Updater.job
G:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
G:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
G:\WINDOWS\tasks\User_Feed_Synchronization-{CB6942EA-8A04-446A-9506-836B3F88626C}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - G:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - G:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - G:\Program Files\Google\Google Toolbar\GoogleToolbar.dll [2009-06-19 259696]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - G:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll [2009-12-04 764912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}]
Google Dictionary Compression sdch - G:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll [2009-05-05 470512]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - Google Toolbar - G:\Program Files\Google\Google Toolbar\GoogleToolbar.dll [2009-06-19 259696]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"=G:\WINDOWS\system32\NvCpl.dll [2003-07-28 4841472]
"nwiz"=nwiz.exe /install []
"iolo AntiVirus"=G:\Program Files\iolo\AntiVirus\ioloAV.exe [2008-03-05 1095520]
"SystemGuardAlerter"=G:\Program Files\iolo\System Mechanic\SystemGuardAlerter.exe [2010-02-09 489896]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SMRequiresRestart"= []

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"=G:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232]
"swg"=G:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2008-08-29 39408]
"ctfmon.exe"=G:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]

G:\Documents and Settings\All Users\Start Menu\Programs\Startup
Microsoft Office.lnk - G:\Program Files\Microsoft Office\Office\OSA9.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - G:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"NoFileSharing"=1

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"G:\Program Files\LimeWire\LimeWire.exe"="G:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
"G:\Documents and Settings\Todd\Local Settings\Application Data\Abacast\Abaclient.exe"="G:\Documents and Settings\Todd\Local Settings\Application Data\Abacast\Abaclient.exe:*:Enabled:Abaclient"
"G:\Documents and Settings\Todd\Local Settings\Application Data\AbacastDistributedOnDemand\Node\11\AbacastDistributedOnDemand.exe"="G:\Documents and Settings\Todd\Local Settings\Application Data\AbacastDistributedOnDemand\Node\11\AbacastDistributedOnDemand.exe:*:Enabled:Abacast Distributed On-Demand"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
shell\AutoRun\command - E:\autorun.exe


======File associations======

.js - open - NOTEPAD.EXE %1
.reg - open - NOTEPAD.EXE %1
.scr - open - NOTEPAD.EXE %1
.vbs - open - NOTEPAD.EXE %1

======List of files/folders created in the last 2 months======

2010-02-20 10:20:55 ----D---- G:\rsit
2010-02-18 20:44:35 ----A---- G:\WINDOWS\system32\iolo.ini
2010-02-17 22:58:54 ----SHD---- G:\found.001
2010-02-15 21:46:41 ----D---- G:\Documents and Settings\Todd\Application Data\Yahoo!
2010-02-15 21:46:34 ----D---- G:\Program Files\Yahoo!
2010-02-15 21:46:28 ----D---- G:\Program Files\CCleaner
2010-02-15 21:26:28 ----D---- G:\Program Files\Trend Micro
2010-02-13 17:46:40 ----D---- G:\Documents and Settings\Todd\Application Data\Uniblue
2010-02-11 03:06:49 ----HDC---- G:\WINDOWS\$NtUninstallKB978262$
2010-02-11 03:06:34 ----HDC---- G:\WINDOWS\$NtUninstallKB971468$
2010-02-11 03:02:50 ----HDC---- G:\WINDOWS\$NtUninstallKB978037$
2010-02-11 03:02:38 ----HDC---- G:\WINDOWS\$NtUninstallKB975713$
2010-02-11 03:02:27 ----HDC---- G:\WINDOWS\$NtUninstallKB978251$
2010-02-11 03:02:16 ----HDC---- G:\WINDOWS\$NtUninstallKB975560$
2010-02-11 03:02:03 ----HDC---- G:\WINDOWS\$NtUninstallKB977914$
2010-02-11 03:01:50 ----HDC---- G:\WINDOWS\$NtUninstallKB978706$
2010-02-11 03:01:25 ----HDC---- G:\WINDOWS\$NtUninstallKB977165$
2010-02-06 20:06:10 ----D---- G:\Documents and Settings\All Users\Application Data\PopCap
2010-02-01 20:37:43 ----HD---- G:\WINDOWS\PIF
2010-01-13 03:05:53 ----HDC---- G:\WINDOWS\$NtUninstallKB955759$
2010-01-13 03:05:22 ----HDC---- G:\WINDOWS\$NtUninstallKB972270$
2010-01-03 11:08:22 ----N---- G:\WINDOWS\system32\spmsg.dll
2010-01-03 11:08:22 ----N---- G:\WINDOWS\system32\_000007_.tmp.dll

======List of files/folders modified in the last 2 months======

2010-02-20 10:20:41 ----D---- G:\WINDOWS\Prefetch
2010-02-20 08:10:00 ----A---- G:\WINDOWS\SchedLgU.Txt
2010-02-20 02:44:02 ----SHD---- G:\WINDOWS\Installer
2010-02-20 02:25:10 ----SD---- G:\WINDOWS\Tasks
2010-02-19 15:54:04 ----D---- G:\WINDOWS\Temp
2010-02-19 02:43:12 ----D---- G:\Documents and Settings\All Users\Application Data\iolo
2010-02-18 21:53:00 ----D---- G:\WINDOWS\Minidump
2010-02-18 21:53:00 ----D---- G:\WINDOWS
2010-02-18 20:44:35 ----D---- G:\WINDOWS\system32
2010-02-18 20:43:04 ----D---- G:\WINDOWS\system32\CatRoot2
2010-02-18 20:42:52 ----D---- G:\WINDOWS\system32\drivers
2010-02-18 20:42:06 ----D---- G:\WINDOWS\peernet
2010-02-18 06:15:45 ----D---- G:\WINDOWS\system32\CatRoot
2010-02-18 03:00:39 ----HD---- G:\WINDOWS\inf
2010-02-18 00:51:06 ----D---- G:\Documents and Settings
2010-02-18 00:34:32 ----SHD---- G:\Config.Msi
2010-02-18 00:27:51 ----A---- G:\WINDOWS\system32\PerfStringBackup.INI
2010-02-18 00:21:56 ----D---- G:\WINDOWS\system32\config
2010-02-17 22:51:21 ----D---- G:\WINDOWS\Help
2010-02-17 22:41:15 ----HD---- G:\Program Files\InstallShield Installation Information
2010-02-17 22:29:05 ----RD---- G:\Program Files
2010-02-17 22:26:35 ----D---- G:\Program Files\Google
2010-02-16 16:26:19 ----D---- G:\WINDOWS\network diagnostic
2010-02-15 21:50:24 ----D---- G:\WINDOWS\Debug
2010-02-15 20:15:45 ----D---- G:\Program Files\iolo
2010-02-15 18:40:51 ----RSHDC---- G:\WINDOWS\system32\dllcache
2010-02-15 14:43:17 ----D---- G:\WINDOWS\system32\Restore
2010-02-14 09:16:00 ----D---- G:\Documents and Settings\Todd\Application Data\LimeWire
2010-02-11 03:06:48 ----HD---- G:\WINDOWS\$hf_mig$
2010-02-09 17:02:04 ----A---- G:\WINDOWS\system32\IncContxMenu.dll
2010-02-09 17:01:48 ----A---- G:\WINDOWS\system32\Incinerator.dll
2010-02-02 06:21:33 ----HDC---- G:\WINDOWS\$NtUninstallKB956803$
2010-02-02 00:49:40 ----HDC---- G:\WINDOWS\$NtUninstallKB954459$
2010-02-01 22:09:39 ----D---- G:\Program Files\Malwarebytes' Anti-Malware
2010-02-01 22:01:48 ----SHD---- G:\RECYCLER
2010-02-01 20:38:00 ----A---- G:\WINDOWS\system.ini
2010-02-01 14:26:20 ----A---- G:\WINDOWS\system32\MRT.exe
2010-01-31 03:23:43 ----D---- G:\WINDOWS\AppPatch
2010-01-28 17:13:18 ----A---- G:\WINDOWS\system32\smrgdf.exe
2010-01-28 17:13:18 ----A---- G:\WINDOWS\system32\iolobtdfg.exe
2010-01-22 03:02:40 ----D---- G:\Program Files\Internet Explorer
2010-01-13 16:30:38 ----SD---- G:\WINDOWS\Downloaded Program Files
2010-01-03 11:41:15 ----D---- G:\Program Files\Common Files\Microsoft Shared
2010-01-03 11:38:23 ----D---- G:\Program Files\AOL
2010-01-03 11:38:21 ----D---- G:\Program Files\Common Files\AOL
2010-01-03 10:14:58 ----SD---- G:\Documents and Settings\Todd\Application Data\Microsoft
2009-12-21 14:14:05 ----A---- G:\WINDOWS\system32\wininet.dll
2009-12-21 14:14:05 ----A---- G:\WINDOWS\system32\urlmon.dll
2009-12-21 14:14:04 ----N---- G:\WINDOWS\system32\occache.dll
2009-12-21 14:14:04 ----A---- G:\WINDOWS\system32\mshtml.dll
2009-12-21 14:14:03 ----N---- G:\WINDOWS\system32\jsproxy.dll
2009-12-21 14:14:03 ----N---- G:\WINDOWS\system32\iepeers.dll
2009-12-21 14:14:03 ----A---- G:\WINDOWS\system32\msfeedsbs.dll
2009-12-21 14:14:03 ----A---- G:\WINDOWS\system32\msfeeds.dll
2009-12-21 14:14:03 ----A---- G:\WINDOWS\system32\iertutil.dll
2009-12-21 14:14:02 ----A---- G:\WINDOWS\system32\ieframe.dll
2009-12-21 14:14:01 ----N---- G:\WINDOWS\system32\iedkcs32.dll
2009-12-21 08:19:18 ----N---- G:\WINDOWS\system32\ie4uinit.exe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 Cdr4_xp;Cdr4_xp; G:\WINDOWS\system32\drivers\Cdr4_xp.sys [2008-08-19 55216]
R1 Cdralw2k;Cdralw2k; G:\WINDOWS\system32\drivers\Cdralw2k.sys [2008-08-19 22713]
R1 cdudf_xp;cdudf_xp; G:\WINDOWS\system32\drivers\cdudf_xp.sys [2001-09-04 233344]
R1 OMCI;OMCI; G:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS [2001-05-14 10368]
R1 pwd_2K;pwd_2K; G:\WINDOWS\system32\drivers\pwd_2K.sys [2001-09-04 78454]
R1 UdfReadr_xp;UdfReadr_xp; G:\WINDOWS\system32\drivers\UdfReadr_xp.sys [2001-09-10 205824]
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; G:\WINDOWS\System32\drivers\ws2ifsl.sys [2001-08-18 12032]
R2 CSS DVP;Dynamic Virus Protection; G:\WINDOWS\system32\DRIVERS\css-dvp.sys [2007-07-09 834448]
R2 Fallback;Fallback; G:\WINDOWS\System32\DRIVERS\fallback.sys [2001-09-07 310899]
R2 Fsks;Fsks; G:\WINDOWS\System32\DRIVERS\fsksnt.sys [2001-09-07 127405]
R2 K56;K56; G:\WINDOWS\System32\DRIVERS\k56nt.sys [2001-09-07 426783]
R2 SoftFax;SoftFax; G:\WINDOWS\System32\DRIVERS\faxnt.sys [2001-09-07 217019]
R2 SpeakerPhone;SpeakerPhone; G:\WINDOWS\System32\DRIVERS\spkpnt.sys [2001-09-07 80449]
R2 Tones;Tones; G:\WINDOWS\System32\DRIVERS\tonesnt.sys [2001-09-07 56607]
R2 V124;V124; G:\WINDOWS\System32\DRIVERS\v124nt.sys [2001-09-07 534125]
R3 ac97intc;Intel® 82801 Audio Driver Install Service (WDM); G:\WINDOWS\system32\drivers\ac97intc.sys [2001-08-17 96256]
R3 basic2;basic2; G:\WINDOWS\System32\DRIVERS\basic2.sys [2001-09-07 77426]
R3 DM9102;DAVICOM 9102(A) PCI Fast Ethernet Based NT Driver; G:\WINDOWS\System32\DRIVERS\DM9PCI5.SYS [2001-08-17 29696]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; G:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys [2008-04-17 15464]
R3 mmc_2K;mmc_2K; G:\WINDOWS\system32\drivers\mmc_2K.sys [2001-09-04 19702]
R3 MODEMCSA;Unimodem Streaming Filter Device; G:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
R3 nv;nv; G:\WINDOWS\System32\DRIVERS\nv4_mini.sys [2003-07-28 1341339]
R3 Rksample;Rksample; G:\WINDOWS\System32\DRIVERS\rksample.sys [2001-09-07 67654]
R3 usbhub;USB2 Enabled Hub; G:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; G:\WINDOWS\System32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 winachsf;winachsf; G:\WINDOWS\System32\DRIVERS\HSF_CNXT.sys [2001-09-07 584336]
S3 bvrp_pci;bvrp_pci; G:\WINDOWS\system32\drivers\bvrp_pci.sys [2001-06-20 4272]
S3 Dot4;MS IEEE-1284.4 Driver; G:\WINDOWS\system32\DRIVERS\Dot4.sys [2008-04-13 206976]
S3 Dot4Print;Print Class Driver for IEEE-1284.4; G:\WINDOWS\system32\DRIVERS\Dot4Prt.sys [2001-08-17 12928]
S3 Dot4Scan;Scan Class Driver for IEEE-1284.4; G:\WINDOWS\system32\DRIVERS\Dot4Scan.sys [2001-08-17 8704]
S3 dvd_2K;dvd_2K; G:\WINDOWS\system32\drivers\dvd_2K.sys [2001-09-04 17990]
S3 hsf_msft;hsf_msft; G:\WINDOWS\System32\DRIVERS\HSF_MSFT.sys [2001-08-17 542879]
S3 nv4;nv4; G:\WINDOWS\System32\DRIVERS\nv4.sys [2001-08-17 731648]
S3 SONYPVU1;Sony USB Filter Driver (SONYPVU1); G:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS [2001-08-17 7552]
S3 usbccgp;Microsoft USB Generic Parent Driver; G:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbscan;USB Scanner Driver; G:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 USBSTOR;USB Mass Storage Driver; G:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; G:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; G:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 dvpapi;DvpApi; G:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe [2007-07-09 177416]
R2 IOLO_SRV;iolo System Guard; G:\Program Files\iolo\System Mechanic\IoloSGCtrl.exe [2010-02-09 325544]
R2 ioloFileInfoList;iolo FileInfoList Service; G:\Program Files\iolo\common\lib\ioloServiceManager.exe [2010-02-08 665008]
R2 ioloSystemService;iolo System Service; G:\Program Files\iolo\common\lib\ioloServiceManager.exe [2010-02-08 665008]
R2 NVSvc;NVIDIA Driver Helper Service; G:\WINDOWS\system32\nvsvc32.exe [2003-07-28 77824]
S2 gupdate1ca14b9eb9694e0;Google Update Service (gupdate1ca14b9eb9694e0); G:\Program Files\Google\Update\GoogleUpdate.exe [2009-08-03 133104]
S2 gusvc;Google Software Updater; G:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-23 183280]
S3 iPod Service;iPod Service; G:\Program Files\iPod\bin\iPodService.exe [2009-01-06 536872]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; G:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; G:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
S4 Apple Mobile Device;Apple Mobile Device; G:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-11-07 132424]
S4 Bonjour Service;Bonjour Service; G:\Program Files\Bonjour\mDNSResponder.exe [2008-08-29 238888]

-----------------EOF-----------------


info.txt

info.txt logfile of random's system information tool 1.06 2010-02-20 10:21:17

======Uninstall list======

-->G:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 G:\WINDOWS\INF\PCHealth.inf
Acrobat.com-->MsiExec.exe /X{287ECFA4-719A-2143-A09B-D6A12DE54E40}
Adobe AIR-->G:\Program Files\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR-->MsiExec.exe /I{A2BCA9F1-566C-4805-97D1-7FDC93386723}
Adobe Flash Player 10 ActiveX-->G:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->MsiExec.exe /X{ECA1A3B6-898F-4DCE-9F04-714CF3BA126B}
Adobe Reader 9.1.3-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A91000000001}
Adobe Shockwave Player 11.5-->"G:\WINDOWS\system32\Adobe\Shockwave 11\uninstaller.exe"
Apple Mobile Device Support-->MsiExec.exe /I{EC4455AB-F155-4CC1-A4C5-88F3777F9886}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
Authentium AntiVirus SDK - 2-->MsiExec.exe /I{C67DF120-4DD3-11D4-A3CA-005004AD2A5B}
Backup Dell-Installed Programs-->MsiExec.exe /X{2A2766A4-6AE4-11D4-AC8E-52544C1966EE}
Bonjour-->MsiExec.exe /I{8A25392D-C5D2-4E79-A2BD-C15DDC5B0959}
Conexant HSF V92 56K RTAD Speakerphone PCI Modem-->G:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2016&SUBSYS_021913E0\SETUP.EXE -U -CMODEM -BPCI -IVEN_14F1&DEV_2016&SUBSYS_021913E0
Critical Update for Windows Media Player 11 (KB959772)-->"G:\WINDOWS\$NtUninstallKB959772_WM11$\spuninst\spuninst.exe"
Dell ResourceCD-->RunDll32 G:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "G:\Program Files\InstallShield Installation Information\{D78653C3-A8FF-415F-92E6-D774E634FF2D}\setup.exe"
Easy CD Creator 5 Basic-->MsiExec.exe /I{609F7AC8-C510-11D4-A788-009027ABA5D0}
Google Earth-->MsiExec.exe /X{2EAF7E61-068E-11DF-953C-005056806466}
Google Earth-->MsiExec.exe /X{C084BC61-E537-11DE-8616-005056806466}
Google Toolbar for Internet Explorer-->"G:\Program Files\Google\Google Toolbar\Component\GoogleToolbarManager_9DE96A29E721D90A.exe" /uninstall
Google Toolbar for Internet Explorer-->MsiExec.exe /I{18455581-E099-4BA8-BC6B-F34B2F06600C}
Google Update Helper-->MsiExec.exe /I{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}
HijackThis 2.0.2-->"G:\Program Files\trend micro\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399)-->"G:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 11 (KB939683)-->"G:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"G:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB970653-v3)-->"G:\WINDOWS\$NtUninstallKB970653-v3$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB976098-v2)-->"G:\WINDOWS\$NtUninstallKB976098-v2$\spuninst\spuninst.exe"
iolo AntiVirus-->"G:\Program Files\iolo\AntiVirus\unins000.exe"
iolo technologies' System Mechanic-->"G:\Program Files\iolo\System Mechanic\unins000.exe"
iTunes-->MsiExec.exe /I{F5C63795-2708-4D15-BF18-5ABBFF7DFFC8}
Java™ 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
LimeWire PRO 5.1.2-->"G:\Program Files\LimeWire\uninstall.exe"
Malwarebytes' Anti-Malware-->"G:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Compression Client Pack 1.0 for Windows XP-->"G:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Internationalized Domain Names Mitigation APIs-->"G:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"G:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office 2000 Disc 2-->MsiExec.exe /I{00040409-78E1-11D2-B60F-006097C998E7}
Microsoft Office 2000 Professional-->MsiExec.exe /I{00010409-78E1-11D2-B60F-006097C998E7}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"G:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17-->MsiExec.exe /X{9A25302D-30C0-39D9-BD6F-21E6EC160475}
Modem Helper-->RunDll32 G:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "G:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\Setup.exe" ControlPanel
NVIDIA Windows 2000/XP Display Drivers-->rundll32.exe G:\WINDOWS\system32\nvinstnt.dll,NvUninstallNT4 nv4_disp.inf
Ogg Codecs 0.81.15562-->G:\Program Files\Xiph.Org\Ogg Codecs\uninst.exe
PhoneTools-->RunDll32 G:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "G:\Program Files\InstallShield Installation Information\{E3436EE2-D5CB-4249-840B-3A0140CC34C1}\setup.exe" ControlPanel
QuickTime-->MsiExec.exe /I{216AB108-2AE1-4130-B3D5-20B2C4C80F8F}
Security Update for Windows Internet Explorer 7 (KB938127-v2)-->"G:\WINDOWS\ie7updates\KB938127-v2-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB953838)-->"G:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB956390)-->"G:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB958215)-->"G:\WINDOWS\ie7updates\KB958215-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB960714)-->"G:\WINDOWS\ie7updates\KB960714-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB961260)-->"G:\WINDOWS\ie7updates\KB961260-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB963027)-->"G:\WINDOWS\ie7updates\KB963027-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB969897)-->"G:\WINDOWS\ie7updates\KB969897-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB972260)-->"G:\WINDOWS\ie7updates\KB972260-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB971961)-->"G:\WINDOWS\ie8updates\KB971961-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB972260)-->"G:\WINDOWS\ie8updates\KB972260-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB974455)-->"G:\WINDOWS\ie8updates\KB974455-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB976325)-->"G:\WINDOWS\ie8updates\KB976325-IE8\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"G:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB954155)-->"G:\WINDOWS\$NtUninstallKB954155_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB968816)-->"G:\WINDOWS\$NtUninstallKB968816_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB973540)-->"G:\WINDOWS\$NtUninstallKB973540_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB936782)-->"G:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB954154)-->"G:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923561)-->"G:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923789)-->G:\WINDOWS\system32\MacroMed\Flash\genuinst.exe G:\WINDOWS\system32\MacroMed\Flash\KB923789.inf
Security Update for Windows XP (KB938464)-->"G:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"G:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"G:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"G:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"G:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"G:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"G:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"G:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"G:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"G:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"G:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953838)-->"G:\WINDOWS\$NtUninstallKB953838$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"G:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"G:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"G:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"G:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"G:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"G:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"G:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956744)-->"G:\WINDOWS\$NtUninstallKB956744$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"G:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"G:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"G:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956844)-->"G:\WINDOWS\$NtUninstallKB956844$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"G:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"G:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"G:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"G:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958690)-->"G:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958869)-->"G:\WINDOWS\$NtUninstallKB958869$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"G:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"G:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960715)-->"G:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"G:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960859)-->"G:\WINDOWS\$NtUninstallKB960859$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961371)-->"G:\WINDOWS\$NtUninstallKB961371$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961373)-->"G:\WINDOWS\$NtUninstallKB961373$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961501)-->"G:\WINDOWS\$NtUninstallKB961501$\spuninst\spuninst.exe"
Security Update for Windows XP (KB968537)-->"G:\WINDOWS\$NtUninstallKB968537$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969059)-->"G:\WINDOWS\$NtUninstallKB969059$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969898)-->"G:\WINDOWS\$NtUninstallKB969898$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969947)-->"G:\WINDOWS\$NtUninstallKB969947$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970238)-->"G:\WINDOWS\$NtUninstallKB970238$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970430)-->"G:\WINDOWS\$NtUninstallKB970430$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971486)-->"G:\WINDOWS\$NtUninstallKB971486$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971557)-->"G:\WINDOWS\$NtUninstallKB971557$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971633)-->"G:\WINDOWS\$NtUninstallKB971633$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971657)-->"G:\WINDOWS\$NtUninstallKB971657$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973346)-->"G:\WINDOWS\$NtUninstallKB973346$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973354)-->"G:\WINDOWS\$NtUninstallKB973354$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973507)-->"G:\WINDOWS\$NtUninstallKB973507$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973525)-->"G:\WINDOWS\$NtUninstallKB973525$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973869)-->"G:\WINDOWS\$NtUninstallKB973869$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973904)-->"G:\WINDOWS\$NtUninstallKB973904$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974112)-->"G:\WINDOWS\$NtUninstallKB974112$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974318)-->"G:\WINDOWS\$NtUninstallKB974318$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974392)-->"G:\WINDOWS\$NtUninstallKB974392$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974571)-->"G:\WINDOWS\$NtUninstallKB974571$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975025)-->"G:\WINDOWS\$NtUninstallKB975025$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975467)-->"G:\WINDOWS\$NtUninstallKB975467$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978262)-->"G:\WINDOWS\$NtUninstallKB978262$\spuninst\spuninst.exe"
Spelling Dictionaries Support For Adobe Reader 9-->MsiExec.exe /I{AC76BA86-7AD7-5464-3428-900000000004}
Turbocharge Your Photos HP Idea Kit-->C:\HP-TUR~1\UNWISE.EXE C:\HP-TUR~1\INSTALL.LOG
Update for Windows Internet Explorer 8 (KB972636)-->"G:\WINDOWS\ie8updates\KB972636-IE8\spuninst\spuninst.exe"
Update for Windows Internet Explorer 8 (KB976749)-->"G:\WINDOWS\ie8updates\KB976749-IE8\spuninst\spuninst.exe"
Update for Windows XP (KB951072-v2)-->"G:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"G:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"G:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"G:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
Update for Windows XP (KB968389)-->"G:\WINDOWS\$NtUninstallKB968389$\spuninst\spuninst.exe"
Update for Windows XP (KB971737)-->"G:\WINDOWS\$NtUninstallKB971737$\spuninst\spuninst.exe"
Update for Windows XP (KB973687)-->"G:\WINDOWS\$NtUninstallKB973687$\spuninst\spuninst.exe"
Update for Windows XP (KB973815)-->"G:\WINDOWS\$NtUninstallKB973815$\spuninst\spuninst.exe"
Viewpoint Media Player-->G:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u
Windows Internet Explorer 8-->"G:\WINDOWS\ie8\spuninst\spuninst.exe"
Windows Media Format 11 runtime-->"G:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"G:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"G:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"G:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows XP Service Pack 3-->"G:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"

======Security center information======

AV: iolo AntiVirus®

======System event log======

Computer Name: HOME-DPI79WZ4NF
Event Code: 36
Message: The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Record Number: 21491
Source Name: W32Time
Time Written: 20100126170003.000000-300
Event Type: warning
User:

Computer Name: HOME-DPI79WZ4NF
Event Code: 36
Message: The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Record Number: 21397
Source Name: W32Time
Time Written: 20100125165959.000000-300
Event Type: warning
User:

Computer Name: HOME-DPI79WZ4NF
Event Code: 36
Message: The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Record Number: 21338
Source Name: W32Time
Time Written: 20100124170003.000000-300
Event Type: warning
User:

Computer Name: HOME-DPI79WZ4NF
Event Code: 36
Message: The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Record Number: 21282
Source Name: W32Time
Time Written: 20100123165948.000000-300
Event Type: warning
User:

Computer Name: HOME-DPI79WZ4NF
Event Code: 36
Message: The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Record Number: 21229
Source Name: W32Time
Time Written: 20100122170003.000000-300
Event Type: warning
User:

=====Application event log=====

Computer Name: HOME-DPI79WZ4NF
Event Code: 1002
Message: Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Record Number: 3874
Source Name: Application Hang
Time Written: 20091008180326.000000-240
Event Type: error
User:

Computer Name: HOME-DPI79WZ4NF
Event Code: 1002
Message: Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Record Number: 3873
Source Name: Application Hang
Time Written: 20091008180325.000000-240
Event Type: error
User:

Computer Name: HOME-DPI79WZ4NF
Event Code: 1002
Message: Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Record Number: 3872
Source Name: Application Hang
Time Written: 20091008180256.000000-240
Event Type: error
User:

Computer Name: HOME-DPI79WZ4NF
Event Code: 1002
Message: Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Record Number: 3871
Source Name: Application Hang
Time Written: 20091008180223.000000-240
Event Type: error
User:

Computer Name: HOME-DPI79WZ4NF
Event Code: 1002
Message: Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Record Number: 3870
Source Name: Application Hang
Time Written: 20091008180222.000000-240
Event Type: error
User:

=====Security event log=====

Computer Name: HOME-DPI79WZ4NF
Event Code: 849
Message: An application was listed as an exception when the Windows Firewall started.



Policy origin: Local Policy

Profile used: Standard

Name: Remote Assistance

Path: %windir%\system32\sessmgr.exe

State: Enabled

Scope: All subnets

Record Number: 27304
Source Name: Security
Time Written: 20100212031951.000000-300
Event Type: audit success
User: NT AUTHORITY\SYSTEM

Computer Name: HOME-DPI79WZ4NF
Event Code: 849
Message: An application was listed as an exception when the Windows Firewall started.



Policy origin: Local Policy

Profile used: Standard

Name: LimeWire

Path: G:\Program Files\LimeWire\LimeWire.exe

State: Enabled

Scope: All subnets

Record Number: 27303
Source Name: Security
Time Written: 20100212031951.000000-300
Event Type: audit success
User: NT AUTHORITY\SYSTEM

Computer Name: HOME-DPI79WZ4NF
Event Code: 849
Message: An application was listed as an exception when the Windows Firewall started.



Policy origin: Local Policy

Profile used: Standard

Name: Abacast Distributed On-Demand

Path: G:\Documents and Settings\Todd\Local Settings\Application Data\AbacastDistributedOnDemand\Node\11\AbacastDistributedOnDemand.exe

State: Enabled

Scope: All subnets

Record Number: 27302
Source Name: Security
Time Written: 20100212031951.000000-300
Event Type: audit success
User: NT AUTHORITY\SYSTEM

Computer Name: HOME-DPI79WZ4NF
Event Code: 849
Message: An application was listed as an exception when the Windows Firewall started.



Policy origin: Local Policy

Profile used: Standard

Name: Abaclient

Path: G:\Documents and Settings\Todd\Local Settings\Application Data\Abacast\Abaclient.exe

State: Enabled

Scope: All subnets

Record Number: 27301
Source Name: Security
Time Written: 20100212031951.000000-300
Event Type: audit success
User: NT AUTHORITY\SYSTEM

Computer Name: HOME-DPI79WZ4NF
Event Code: 848
Message: The following policy was active when the Windows Firewall started.



Group Policy applied: No

Profile used: Standard

Interface: All interfaces

Operational mode: On

Services:

File and Printer Sharing: Disabled

Remote Desktop: Enabled

UPnP Framework: Disabled

Allow remote administration: Disabled

Allow unicast responses to multicast/broadcast traffic: Disabled

Security Logging:

Log dropped packets: Disabled

Log successful connections Disabled

ICMP:

Allow incoming echo request: Disabled

Allow incoming timestamp request: Disabled

Allow incoming mask request: Disabled

Allow incoming router request: Disabled

Allow outgoing destination unreachable: Disabled

Allow outgoing source quench: Disabled

Allow outgoing parameter problem: Disabled

Allow outgoing time exceeded: Disabled

Allow redirect: Disabled

Allow outgoing packet too big: Disabled

Record Number: 27300
Source Name: Security
Time Written: 20100212031951.000000-300
Event Type: audit success
User: NT AUTHORITY\SYSTEM

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;G:\Program Files\Common Files\Adaptec Shared\System;G:\Program Files\QuickTime\QTSystem\
"windir"=%SystemRoot%
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 1 Stepping 2, GenuineIntel
"PROCESSOR_REVISION"=0102
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"FP_NO_HOST_CHECK"=NO
"CLASSPATH"=.;G:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip
"QTJAVA"=G:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip

-----------------EOF-----------------

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-20 10:31:43
Windows 5.1.2600 Service Pack 3
Running: pqrvj9xo.exe; Driver: G:\DOCUME~1\Todd\LOCALS~1\Temp\pwliikob.sys


---- System - GMER 1.0.15 ----

Code 81992A28 ZwCreateSection
Code 81992698 ZwDuplicateObject
Code 819928F8 ZwSetInformationFile
Code 81992EE8 ZwSetSystemInformation
Code 81992B58 ZwWriteFile
Code 81992A27 NtCreateSection
Code 81992697 NtDuplicateObject
Code 819928F7 NtSetInformationFile
Code 81992B57 NtWriteFile

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Fastfat \FatCdrom Code 819927C8
Device \Driver\ACPI \Device\00000042 81902BD8
Device \Driver\ACPI \Device\00000050 81902BD8
Device \Driver\ACPI \Device\00000051 81902BD8
Device \Driver\ACPI \Device\00000052 81902BD8
Device \Driver\ACPI \Device\00000045 81902BD8
Device \Driver\ACPI \Device\00000053 81902BD8
Device \Driver\ACPI \Device\00000054 81902BD8
Device \Driver\ACPI \Device\00000047 81902BD8
Device \Driver\ACPI \Device\00000055 81902BD8
Device \Driver\ACPI \Device\00000048 81902BD8
Device \Driver\ACPI \Device\00000056 81902BD8
Device \Driver\ACPI \Device\00000058 81902BD8
Device \Driver\ACPI \Device\00000059 81902BD8
Device \Driver\ACPI \Device\0000003f 81902BD8
Device \Driver\ACPI \Device\0000005a 81902BD8
Device \Driver\ACPI \Device\0000004d 81902BD8
Device \Driver\ACPI \Device\0000005b 81902BD8
Device \FileSystem\Fastfat \Fat Code 819927C8

---- EOF - GMER 1.0.15 ----


#4 razor49

razor49
  • Topic Starter

  • Members
  • 14 posts

Posted 20 February 2010 - 10:55 AM

Syler,
I spoke too soon. The redirect page is there again.

#5 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 20 February 2010 - 12:39 PM

Hi razor49,

We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
    Under the Custom Scans/Fixes box at the bottom, paste in the following bold text.
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %SYSTEMDRIVE%\*.exe
    netsvcs
    msconfig
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    /md5stop
    CREATERESTOREPOINT

  5. Push the button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Edited by syler, 20 February 2010 - 12:40 PM.


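The /md5start ... /md5stop block in syler's OTL instructions makes OTL hash a fixed list of system DLLs and disk/storage drivers so a helper can compare them against known-good values for that Windows build; a mismatch on a file such as atapi.sys is the classic sign of a patched driver that could explain a browser redirect like the one reported above. The script below is an added example, not part of this thread and not OTL's or GMER's code, showing the same comparison in Python over syler's file list. The demo files, their bytes and the baseline hashes are constructed for the example (they are not real hashes of Windows binaries); `check_baseline` and `demo` are names chosen here.

```python
"""Baseline hash check for the driver/DLL list from the OTL custom scan.

Added example for this thread, not OTL's own code. The baseline hashes
used in demo() are computed from CONSTRUCTED demo files written to a
temp directory; they are not real hashes of Windows system files.
"""
import hashlib
import os
import tempfile
from typing import Dict

# File names exactly as listed between /md5start and /md5stop in the post.
OTL_MD5_LIST = [
    "eventlog.dll", "scecli.dll", "netlogon.dll", "cngaudit.dll",
    "sceclt.dll", "ntelogon.dll", "logevent.dll", "iaStor.sys",
    "nvstor.sys", "atapi.sys", "IdeChnDr.sys", "viasraid.sys",
    "AGP440.sys", "vaxscsi.sys", "nvatabus.sys", "viamraid.sys",
    "nvata.sys", "nvgts.sys", "iastorv.sys", "ViPrt.sys",
]


def md5_file(path: str) -> str:
    """MD5 of a file, read in chunks so large drivers do not sit in RAM."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_baseline(directory: str, baseline: Dict[str, str]) -> Dict[str, str]:
    """Return {filename: 'ok' | 'MODIFIED' | 'MISSING' | 'UNKNOWN'}.

    MISSING is normal for vendor drivers the machine never had (most of the
    list is optional RAID/IDE drivers). UNKNOWN means the file exists but the
    baseline has no entry for it: not proof of infection, since hotfixes
    change hashes, but something a helper has to look up.
    """
    results: Dict[str, str] = {}
    for name in OTL_MD5_LIST:
        path = os.path.join(directory, name)
        if not os.path.exists(path):
            results[name] = "MISSING"
            continue
        actual = md5_file(path)
        expected = baseline.get(name)
        if expected is None:
            results[name] = "UNKNOWN"
        elif actual == expected:
            results[name] = "ok"
        else:
            results[name] = "MODIFIED"
    return results


def demo() -> Dict[str, str]:
    """Constructed scenario: three demo files, one patched after baselining."""
    tmp = tempfile.mkdtemp()
    clean = {  # constructed stand-ins, not real driver bytes
        "atapi.sys": b"clean atapi driver bytes (constructed)",
        "AGP440.sys": b"clean agp440 driver bytes (constructed)",
        "nvata.sys": b"clean nvata driver bytes (constructed)",
    }
    for name, data in clean.items():
        with open(os.path.join(tmp, name), "wb") as f:
            f.write(data)
    # Baseline = hashes of the clean bytes. In practice this is a curated
    # per-build list; here it is derived from the constructed files.
    baseline = {n: hashlib.md5(d).hexdigest() for n, d in clean.items()}
    baseline.pop("nvata.sys")  # simulate a file the baseline does not know
    # Simulate a patched atapi.sys: same size as the clean file, new bytes,
    # so a size-only check would not notice but the hash does.
    with open(os.path.join(tmp, "atapi.sys"), "wb") as f:
        f.write(b"patch atapi driver bytes (constructed)")
    return check_baseline(tmp, baseline)


if __name__ == "__main__":
    for name, status in demo().items():
        if status != "MISSING":
            print(f"{name:14s} {status}")
```

One caveat a helper keeps in mind when reading the OTL md5 output: this kind of check reads the file through the same kernel the suspected malware is running in. A kernel-mode rootkit that filters reads of the file it infected can hand back the clean bytes, so the hash matches even though the driver on disk is patched. That is why the MD5 list is read together with the GMER rootkit scan posted earlier in this thread rather than on its own.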

#6 razor49

razor49
  • Topic Starter

  • Members
  • 14 posts

Posted 20 February 2010 - 11:49 PM

Syler,
Here are the OTL and Extras logs.



OTL logfile created on: 2/20/2010 11:29:13 PM - Run 1
OTL by OldTimer - Version 3.1.30.1 Folder = G:\Documents and Settings\Todd\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

255.00 Mb Total Physical Memory | 67.00 Mb Available Physical Memory | 26.00% Memory free
618.00 Mb Paging File | 323.00 Mb Available in Paging File | 52.00% Paging File free
Paging file location(s): G:\pagefile.sys 384 768 [binary data]

%SystemDrive% = G: | %SystemRoot% = G:\WINDOWS | %ProgramFiles% = G:\Program Files
Drive C: | 101.72 Mb Total Space | 101.00 Mb Free Space | 99.29% Space Free | Partition Type: FAT
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 477.79 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive G: | 18.52 Gb Total Space | 8.52 Gb Free Space | 46.01% Space Free | Partition Type: NTFS
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: HOME-DPI79WZ4NF
Current User Name: Todd
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/02/20 23:25:14 | 000,549,376 | ---- | M] (OldTimer Tools) -- G:\Documents and Settings\Todd\Desktop\OTL.exe
PRC - [2010/02/09 17:01:46 | 000,325,544 | ---- | M] () -- G:\Program Files\iolo\System Mechanic\IoloSGCtrl.exe
PRC - [2010/02/09 17:01:42 | 000,489,896 | ---- | M] () -- G:\Program Files\iolo\System Mechanic\SystemGuardAlerter.exe
PRC - [2010/02/08 17:16:54 | 000,665,008 | ---- | M] () -- G:\Program Files\iolo\Common\Lib\ioloServiceManager.exe
PRC - [2009/11/01 15:49:12 | 000,136,176 | ---- | M] (Google Inc.) -- G:\Program Files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
PRC - [2009/03/08 13:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation) -- G:\Program Files\Internet Explorer\iexplore.exe
PRC - [2008/08/29 13:08:21 | 000,039,408 | ---- | M] (Google Inc.) -- G:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- G:\WINDOWS\explorer.exe
PRC - [2008/03/05 10:48:38 | 000,396,672 | ---- | M] () -- G:\Program Files\iolo\AntiVirus\iAVEmailScanner.exe
PRC - [2008/03/05 10:48:18 | 001,095,520 | ---- | M] () -- G:\Program Files\iolo\AntiVirus\ioloAV.exe
PRC - [2007/07/09 12:54:08 | 000,177,416 | R--- | M] (Authentium, Inc.) -- G:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
PRC - [2003/07/28 14:19:00 | 000,077,824 | ---- | M] (NVIDIA Corporation) -- G:\WINDOWS\system32\nvsvc32.exe


========== Modules (SafeList) ==========

MOD - [2010/02/20 23:25:14 | 000,549,376 | ---- | M] (OldTimer Tools) -- G:\Documents and Settings\Todd\Desktop\OTL.exe
MOD - [2010/02/09 17:02:30 | 000,890,280 | ---- | M] () -- G:\Program Files\iolo\Common\Lib\sguard.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/02/09 17:01:46 | 000,325,544 | ---- | M] () [Auto | Running] -- G:\Program Files\iolo\System Mechanic\IoloSGCtrl.exe -- (IOLO_SRV)
SRV - [2010/02/08 17:16:54 | 000,665,008 | ---- | M] () [Auto | Running] -- G:\Program Files\iolo\Common\Lib\ioloServiceManager.exe -- (ioloSystemService)
SRV - [2010/02/08 17:16:54 | 000,665,008 | ---- | M] () [Auto | Running] -- G:\Program Files\iolo\Common\Lib\ioloServiceManager.exe -- (ioloFileInfoList)
SRV - [2009/08/03 23:13:18 | 000,133,104 | ---- | M] (Google Inc.) [Auto | Stopped] -- G:\Program Files\Google\Update\GoogleUpdate.exe -- (gupdate1ca14b9eb9694e0) Google Update Service (gupdate1ca14b9eb9694e0)
SRV - [2009/03/23 21:14:57 | 000,183,280 | ---- | M] (Google) [Auto | Stopped] -- G:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc)
SRV - [2009/01/06 13:06:24 | 000,536,872 | ---- | M] (Apple Inc.) [On_Demand | Stopped] -- G:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2008/11/07 14:28:16 | 000,132,424 | ---- | M] (Apple Inc.) [Disabled | Stopped] -- G:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2008/08/29 10:18:44 | 000,238,888 | ---- | M] (Apple Inc.) [Disabled | Stopped] -- G:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2008/08/19 22:34:26 | 000,295,424 | ---- | M] (Microsoft Corporation) [Auto | Running] -- G:\WINDOWS\system32\termsrv32.dll -- (TermService)
SRV - [2007/07/09 12:54:08 | 000,177,416 | R--- | M] (Authentium, Inc.) [Auto | Running] -- G:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe -- (dvpapi)
SRV - [2003/07/28 14:19:00 | 000,077,824 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- G:\WINDOWS\system32\nvsvc32.exe -- (NVSvc)
SRV - [2001/08/10 12:14:14 | 000,192,512 | ---- | M] (Roxio Inc.) [On_Demand | Stopped] -- G:\WINDOWS\system32\ImapiRox.exe -- (ImapiService)


========== Driver Services (SafeList) ==========

DRV - [2008/08/19 22:52:41 | 000,055,216 | ---- | M] (Roxio) [Kernel | System | Running] -- G:\WINDOWS\system32\drivers\cdr4_xp.sys -- (Cdr4_xp)
DRV - [2008/08/19 22:52:41 | 000,022,713 | ---- | M] (Roxio) [Kernel | System | Running] -- G:\WINDOWS\system32\drivers\cdralw2k.sys -- (Cdralw2k)
DRV - [2008/04/17 13:12:54 | 000,015,464 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- G:\WINDOWS\system32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV - [2008/04/13 11:39:15 | 000,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | On_Demand | Stopped] -- G:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2007/07/09 12:01:04 | 000,834,448 | ---- | M] (Authentium, Inc.) [Kernel | Auto | Running] -- G:\WINDOWS\system32\drivers\Css-Dvp.sys -- (CSS DVP)
DRV - [2003/07/28 14:19:00 | 001,341,339 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- G:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2001/09/10 09:43:46 | 000,205,824 | ---- | M] (Roxio) [File_System | System | Running] -- G:\WINDOWS\system32\drivers\udfreadr_xp.sys -- (UdfReadr_xp)
DRV - [2001/09/07 09:57:00 | 000,584,336 | R--- | M] (Conexant Systems) [Kernel | On_Demand | Running] -- G:\WINDOWS\system32\drivers\hsf_cnxt.sys -- (winachsf)
DRV - [2001/09/07 09:57:00 | 000,534,125 | R--- | M] (Conexant Systems) [Kernel | Auto | Running] -- G:\WINDOWS\system32\drivers\v124nt.sys -- (V124)
DRV - [2001/09/07 09:57:00 | 000,426,783 | R--- | M] (Conexant Systems) [Kernel | Auto | Running] -- G:\WINDOWS\system32\drivers\k56nt.sys -- (K56)
DRV - [2001/09/07 09:57:00 | 000,310,899 | R--- | M] (Conexant Systems) [Kernel | Auto | Running] -- G:\WINDOWS\system32\drivers\fallback.sys -- (Fallback)
DRV - [2001/09/07 09:57:00 | 000,217,019 | R--- | M] (Conexant Systems) [Kernel | Auto | Running] -- G:\WINDOWS\system32\drivers\faxnt.sys -- (SoftFax)
DRV - [2001/09/07 09:57:00 | 000,127,405 | R--- | M] (Conexant Systems) [Kernel | Auto | Running] -- G:\WINDOWS\system32\drivers\fsksnt.sys -- (Fsks)
DRV - [2001/09/07 09:57:00 | 000,080,449 | R--- | M] (Conexant Systems) [Kernel | Auto | Running] -- G:\WINDOWS\system32\drivers\spkpnt.sys -- (SpeakerPhone)
DRV - [2001/09/07 09:57:00 | 000,077,426 | R--- | M] (Conexant Systems) [Kernel | On_Demand | Running] -- G:\WINDOWS\system32\drivers\basic2.sys -- (basic2)
DRV - [2001/09/07 09:57:00 | 000,067,654 | R--- | M] (Conexant Systems) [Kernel | On_Demand | Running] -- G:\WINDOWS\system32\drivers\rksample.sys -- (Rksample)
DRV - [2001/09/07 09:57:00 | 000,056,607 | R--- | M] (Conexant Systems) [Kernel | Auto | Running] -- G:\WINDOWS\system32\drivers\tonesnt.sys -- (Tones)
DRV - [2001/09/04 15:37:08 | 000,233,344 | ---- | M] (Roxio) [File_System | System | Running] -- G:\WINDOWS\system32\drivers\cdudf_xp.sys -- (cdudf_xp)
DRV - [2001/09/04 14:39:50 | 000,017,990 | ---- | M] (Roxio) [Kernel | On_Demand | Stopped] -- G:\WINDOWS\system32\drivers\Dvd_2k.sys -- (dvd_2K)
DRV - [2001/09/04 14:39:40 | 000,019,702 | ---- | M] (Roxio) [Kernel | On_Demand | Running] -- G:\WINDOWS\system32\drivers\Mmc_2k.sys -- (mmc_2K)
DRV - [2001/09/04 14:39:28 | 000,078,454 | ---- | M] (Roxio) [Kernel | System | Running] -- G:\WINDOWS\system32\drivers\pwd_2K.sys -- (pwd_2K)
DRV - [2001/08/20 10:59:38 | 000,025,472 | ---- | M] (Roxio Inc.) [Kernel | System | Running] -- G:\WINDOWS\system32\drivers\imapiRox.sys -- (Imapi)
DRV - [2001/08/18 07:00:00 | 000,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- G:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2001/08/17 12:56:16 | 000,007,552 | ---- | M] (Sony Corporation) [Kernel | On_Demand | Stopped] -- G:\WINDOWS\system32\drivers\SONYPVU1.SYS -- (SONYPVU1) Sony USB Filter Driver (SONYPVU1)
DRV - [2001/08/17 12:28:10 | 000,542,879 | ---- | M] (Conexant) [Kernel | On_Demand | Stopped] -- G:\WINDOWS\system32\drivers\hsf_msft.sys -- (hsf_msft)
DRV - [2001/08/17 08:57:38 | 000,016,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- G:\WINDOWS\system32\drivers\MODEMCSA.sys -- (MODEMCSA)
DRV - [2001/08/17 07:50:26 | 000,731,648 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- G:\WINDOWS\system32\drivers\nv4.sys -- (nv4)
DRV - [2001/08/17 07:20:04 | 000,096,256 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- G:\WINDOWS\system32\drivers\ac97intc.sys -- (ac97intc) Intel® 82801 Audio Driver Install Service (WDM)
DRV - [2001/08/17 07:11:42 | 000,029,696 | ---- | M] (CNet Technology, Inc. ) [Kernel | On_Demand | Running] -- G:\WINDOWS\system32\drivers\DM9PCI5.SYS -- (DM9102) DAVICOM 9102(A)
DRV - [2001/06/20 16:32:54 | 000,004,272 | ---- | M] () [Kernel | On_Demand | Stopped] -- G:\WINDOWS\system32\drivers\bvrp_pci.sys -- (bvrp_pci)
DRV - [2001/05/14 17:15:40 | 000,010,368 | ---- | M] (Dell Computer Corporation) [Kernel | System | Running] -- G:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS -- (OMCI)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-2052111302-920026266-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-2052111302-920026266-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\S-1-5-21-2052111302-920026266-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerm...tf8&oe=utf8
IE - HKU\S-1-5-21-2052111302-920026266-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/webhp?hl=en
IE - HKU\S-1-5-21-2052111302-920026266-725345543-1004\S-1-5-21-2052111302-920026266-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1


[2009/05/04 15:42:07 | 000,000,000 | ---D | M] -- G:\Documents and Settings\Todd\Application Data\Mozilla\Extensions
[2009/05/04 15:42:07 | 000,000,000 | ---D | M] -- G:\Documents and Settings\Todd\Application Data\Mozilla\Extensions\mozswing@mozswing.org

O1 HOSTS File: ([2009/11/26 23:12:49 | 000,002,278 | ---- | M]) - G:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - G:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - G:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - G:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - G:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll (Google Inc.)
O2 - BHO: (Google Dictionary Compression sdch) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - G:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - G:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O3 - HKU\S-1-5-21-2052111302-920026266-725345543-1004\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - G:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O4 - HKLM..\Run: [iolo AntiVirus] G:\Program Files\iolo\AntiVirus\ioloAV.exe ()
O4 - HKLM..\Run: [NvCplDaemon] G:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] G:\WINDOWS\System32\nwiz.exe (NVIDIA Corporation)
O4 - HKLM..\Run: [SystemGuardAlerter] G:\Program Files\iolo\System Mechanic\SystemGuardAlerter.exe ()
O4 - HKU\S-1-5-21-2052111302-920026266-725345543-1004..\Run: [swg] G:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - Startup: G:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = G:\Program Files\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-2052111302-920026266-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-2052111302-920026266-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFileSharing = 1
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll (Sun Microsystems, Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - G:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - G:\WINDOWS\System32\iavlsp.dll ()
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - G:\WINDOWS\System32\iavlsp.dll ()
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - G:\WINDOWS\System32\iavlsp.dll ()
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/templates/ieawsdc.cab (Microsoft Office Template and Media Control)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/2008.1...toUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/windowsupd...b?1219206213795 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://javadl.sun.com/webapps/download/AutoDL?BundleId=23100 (Java Plug-in 1.6.0_07)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {FFD85DC8-5261-4D11-B728-F7C59D911691} http://www.iolo.com/app/ocx/UpgradeVerify.cab (iolo.ProductDetector)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18 - Protocol\Filter\x-sdch {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - G:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll (Google Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - G:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: G:\Documents and Settings\Todd\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: G:\Documents and Settings\Todd\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/08/19 23:39:32 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ FAT ]
O32 - AutoRun File - [2002/11/21 18:50:39 | 000,483,328 | R--- | M] (Electronic Arts Inc.) - F:\AutoRun.exe -- [ CDFS ]
O32 - AutoRun File - [2002/11/21 18:47:56 | 003,534,848 | R--- | M] () - F:\AutoRunGUI.dll -- [ CDFS ]
O32 - AutoRun File - [2002/11/21 18:51:07 | 000,000,000 | R--D | M] - F:\autorun -- [ CDFS ]
O32 - AutoRun File - [2002/11/21 18:50:39 | 000,000,072 | R--- | M] () - F:\autorun.inf -- [ CDFS ]
O33 - MountPoints2\E\Shell - "" = AutoRun
O33 - MountPoints2\E\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\E\Shell\AutoRun\command - "" = E:\autorun.exe -- File not found
O34 - HKLM BootExecute: ("autocheck autochk *") - File not found
O34 - HKLM BootExecute: (autocheck smrgdf G:\Documents and Settings\LocalService\Application Data\iolo\) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - G:\WINDOWS\system32\ias [2008/08/19 22:38:48 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - G:\WINDOWS\system32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found
NetSvcs: TermService - G:\WINDOWS\system32\termsrv32.dll (Microsoft Corporation)


CREATERESTOREPOINT
Restore point Set: OTL Restore Point (15203041766539264)

========== Files/Folders - Created Within 30 Days ==========

[2010/02/20 23:25:14 | 000,549,376 | ---- | C] (OldTimer Tools) -- G:\Documents and Settings\Todd\Desktop\OTL.exe
[2010/02/20 10:20:55 | 000,000,000 | ---D | C] -- G:\rsit
[2010/02/17 23:43:22 | 000,000,000 | RH-D | C] -- G:\Documents and Settings\Todd\Recent
[2010/02/17 22:58:54 | 000,000,000 | -HSD | C] -- G:\found.001
[2010/02/15 21:46:41 | 000,000,000 | ---D | C] -- G:\Documents and Settings\Todd\Application Data\Yahoo!
[2010/02/15 21:46:34 | 000,000,000 | ---D | C] -- G:\Program Files\Yahoo!
[2010/02/15 21:46:28 | 000,000,000 | ---D | C] -- G:\Program Files\CCleaner
[2010/02/15 21:26:28 | 000,000,000 | ---D | C] -- G:\Program Files\Trend Micro
[2010/02/13 17:46:40 | 000,000,000 | ---D | C] -- G:\Documents and Settings\Todd\Application Data\Uniblue
[2010/02/06 20:06:10 | 000,000,000 | ---D | C] -- G:\Documents and Settings\All Users\Application Data\PopCap
[2010/02/01 20:37:43 | 000,000,000 | -H-D | C] -- G:\WINDOWS\PIF
[2010/02/01 18:38:04 | 000,000,000 | ---D | C] -- G:\Documents and Settings\Todd\Local Settings\Application Data\mreibs
[2009/11/18 09:45:54 | 000,000,000 | ---D | M] -- G:\Documents and Settings\LocalService\Application Data\iolo
[2009/08/03 23:33:00 | 000,000,000 | ---D | M] -- G:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2009/08/03 23:13:38 | 000,000,000 | ---D | M] -- G:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2009/01/17 07:11:12 | 000,000,000 | ---D | M] -- G:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2009/01/06 21:02:32 | 000,000,000 | --SD | M] -- G:\Documents and Settings\LocalService\Application Data\Microsoft
[2008/08/20 00:01:03 | 000,000,000 | ---D | M] -- G:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2008/08/19 22:43:49 | 000,000,000 | --SD | M] -- G:\Documents and Settings\NetworkService\Application Data\Microsoft
[2008/08/19 22:43:48 | 000,000,000 | ---D | M] -- G:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[3 G:\WINDOWS\*.tmp files -> G:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/02/20 23:35:00 | 000,000,420 | -H-- | M] () -- G:\WINDOWS\tasks\User_Feed_Synchronization-{CB6942EA-8A04-446A-9506-836B3F88626C}.job
[2010/02/20 23:25:14 | 000,549,376 | ---- | M] (OldTimer Tools) -- G:\Documents and Settings\Todd\Desktop\OTL.exe
[2010/02/20 23:16:31 | 000,000,432 | ---- | M] () -- G:\WINDOWS\System32\iolo.ini
[2010/02/20 23:14:26 | 000,000,882 | ---- | M] () -- G:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/02/20 22:54:00 | 000,000,886 | ---- | M] () -- G:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/02/20 14:03:11 | 000,000,868 | ---- | M] () -- G:\WINDOWS\tasks\Google Software Updater.job
[2010/02/20 13:52:26 | 000,000,006 | -H-- | M] () -- G:\WINDOWS\tasks\SA.DAT
[2010/02/20 13:52:20 | 000,002,048 | --S- | M] () -- G:\WINDOWS\bootstat.dat
[2010/02/20 13:52:18 | 267,767,808 | -HS- | M] () -- G:\hiberfil.sys
[2010/02/20 12:01:51 | 003,145,728 | ---- | M] () -- G:\Documents and Settings\Todd\NTUSER.DAT
[2010/02/20 12:01:18 | 000,000,278 | -HS- | M] () -- G:\Documents and Settings\Todd\ntuser.ini
[2010/02/20 10:56:17 | 004,296,560 | -H-- | M] () -- G:\Documents and Settings\Todd\Local Settings\Application Data\IconCache.db
[2010/02/20 10:23:08 | 000,293,376 | ---- | M] () -- G:\Documents and Settings\Todd\Desktop\pqrvj9xo.exe
[2010/02/20 10:20:15 | 000,781,909 | ---- | M] () -- G:\Documents and Settings\Todd\Desktop\RSIT.exe
[2010/02/20 07:11:00 | 000,000,284 | ---- | M] () -- G:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/02/18 00:34:02 | 000,001,915 | ---- | M] () -- G:\Documents and Settings\All Users\Desktop\Google Earth.lnk
[2010/02/18 00:27:52 | 000,311,604 | ---- | M] () -- G:\WINDOWS\System32\perfh009.dat
[2010/02/18 00:27:52 | 000,039,992 | ---- | M] () -- G:\WINDOWS\System32\perfc009.dat
[2010/02/18 00:27:51 | 000,356,120 | ---- | M] () -- G:\WINDOWS\System32\PerfStringBackup.INI
[2010/02/18 00:17:08 | 000,103,400 | ---- | M] () -- G:\WINDOWS\System32\ioloBootDefrag.cfg
[2010/02/17 22:43:45 | 000,000,000 | -H-- | M] () -- G:\Documents and Settings\Todd\My Documents\Default.rdp
[2010/02/17 16:10:04 | 000,002,206 | ---- | M] () -- G:\WINDOWS\System32\wpa.dbl
[2010/02/15 21:46:30 | 000,001,548 | ---- | M] () -- G:\Documents and Settings\Todd\Desktop\CCleaner.lnk
[2010/02/15 21:26:29 | 000,001,734 | ---- | M] () -- G:\Documents and Settings\Todd\Desktop\HijackThis.lnk
[2010/02/15 20:16:11 | 000,000,754 | ---- | M] () -- G:\Documents and Settings\Todd\Desktop\iolo AntiVirus.lnk
[2010/02/15 18:55:14 | 000,001,689 | ---- | M] () -- G:\Documents and Settings\Todd\Desktop\System Mechanic.lnk
[2010/02/09 17:02:04 | 000,093,096 | ---- | M] (iolo technologies, LLC) -- G:\WINDOWS\System32\IncContxMenu.dll
[2010/02/09 17:01:48 | 002,164,648 | ---- | M] () -- G:\WINDOWS\System32\Incinerator.dll
[2010/02/08 08:08:17 | 000,741,888 | ---- | M] () -- G:\Documents and Settings\Todd\My Documents\Check register1.xls
[2010/02/01 20:38:00 | 000,000,439 | ---- | M] () -- G:\WINDOWS\system.ini
[2010/01/28 17:13:18 | 000,030,208 | ---- | M] () -- G:\WINDOWS\System32\iolobtdfg.exe
[2010/01/28 17:13:18 | 000,012,288 | ---- | M] () -- G:\WINDOWS\System32\smrgdf.exe
[3 G:\WINDOWS\*.tmp files -> G:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/02/20 23:16:31 | 000,000,432 | ---- | C] () -- G:\WINDOWS\System32\iolo.ini
[2010/02/20 10:23:08 | 000,293,376 | ---- | C] () -- G:\Documents and Settings\Todd\Desktop\pqrvj9xo.exe
[2010/02/20 10:20:13 | 000,781,909 | ---- | C] () -- G:\Documents and Settings\Todd\Desktop\RSIT.exe
[2010/02/18 00:23:38 | 000,000,868 | ---- | C] () -- G:\WINDOWS\tasks\Google Software Updater.job
[2010/02/17 22:43:45 | 000,000,000 | -H-- | C] () -- G:\Documents and Settings\Todd\My Documents\Default.rdp
[2010/02/15 21:46:30 | 000,001,548 | ---- | C] () -- G:\Documents and Settings\Todd\Desktop\CCleaner.lnk
[2010/02/15 21:26:29 | 000,001,734 | ---- | C] () -- G:\Documents and Settings\Todd\Desktop\HijackThis.lnk
[2010/02/15 20:16:11 | 000,000,754 | ---- | C] () -- G:\Documents and Settings\Todd\Desktop\iolo AntiVirus.lnk
[2010/02/15 18:43:53 | 267,767,808 | -HS- | C] () -- G:\hiberfil.sys
[2010/02/07 17:01:53 | 000,001,915 | ---- | C] () -- G:\Documents and Settings\All Users\Desktop\Google Earth.lnk
[2009/11/04 02:08:40 | 000,000,271 | ---- | C] () -- G:\WINDOWS\SysMech.INI
[2009/11/04 00:49:13 | 002,164,648 | ---- | C] () -- G:\WINDOWS\System32\Incinerator.dll
[2009/01/11 20:21:56 | 000,004,608 | ---- | C] () -- G:\Documents and Settings\Todd\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/10/10 18:25:39 | 000,000,029 | ---- | C] () -- G:\WINDOWS\atid.ini
[2008/10/07 21:17:26 | 000,004,022 | ---- | C] () -- G:\WINDOWS\cdplayer.ini
[2008/08/26 21:04:23 | 000,000,376 | ---- | C] () -- G:\WINDOWS\ODBC.INI
[2008/08/26 20:16:19 | 000,126,976 | ---- | C] () -- G:\WINDOWS\System32\iavlsp.dll
[2008/08/26 20:11:21 | 000,074,703 | ---- | C] () -- G:\WINDOWS\System32\mfc45.dll
[2008/08/19 22:57:11 | 000,004,272 | ---- | C] () -- G:\WINDOWS\System32\drivers\bvrp_pci.sys
[2008/08/19 22:56:12 | 000,000,029 | ---- | C] () -- G:\WINDOWS\wgedit.ini
[2008/08/19 22:56:07 | 000,057,344 | ---- | C] () -- G:\WINDOWS\uninstBVRP.dll
[2008/08/19 22:53:53 | 000,000,004 | ---- | C] () -- G:\Documents and Settings\All Users\Application Data\DirectCDUserName.txt
[2001/08/10 12:14:16 | 000,028,672 | ---- | C] () -- G:\WINDOWS\System32\ImapiRoxPS.dll
[1999/01/22 20:46:58 | 000,065,536 | ---- | C] () -- G:\WINDOWS\System32\MSRTEDIT.DLL
[1998/01/12 10:00:00 | 000,040,448 | ---- | C] () -- G:\WINDOWS\System32\REGOBJ.DLL

========== Custom Scans ==========


< %systemroot%\system32\*.dll /lockedfiles >
[2009/03/08 03:31:44 | 000,348,160 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- G:\WINDOWS\system32\dxtmsft.dll
[2009/03/08 03:31:38 | 000,216,064 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- G:\WINDOWS\system32\dxtrans.dll

< %systemroot%\Tasks\*.job /lockedfiles >

< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2008/08/19 23:42:51 | 022,245,337 | ---- | M] () .cab file -- G:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2008/08/26 23:26:15 | 023,852,652 | ---- | M] () .cab file -- G:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2008/08/19 23:42:51 | 022,245,337 | ---- | M] () .cab file -- G:\WINDOWS\ServicePackFiles\i386\sp2.cab:AGP440.sys
[2008/08/26 23:26:15 | 023,852,652 | ---- | M] () .cab file -- G:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 13:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- G:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 13:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- G:\WINDOWS\system32\drivers\agp440.sys
[2004/08/04 01:07:41 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- G:\WINDOWS\$NtServicePackUninstall$\agp440.sys
[2004/08/04 01:07:41 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- G:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\i386\AGP440.SYS

< MD5 for: ATAPI.SYS >
[2008/08/19 23:42:51 | 022,245,337 | ---- | M] () .cab file -- G:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008/08/26 23:26:15 | 023,852,652 | ---- | M] () .cab file -- G:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008/08/19 23:42:51 | 022,245,337 | ---- | M] () .cab file -- G:\WINDOWS\ServicePackFiles\i386\sp2.cab:atapi.sys
[2008/08/26 23:26:15 | 023,852,652 | ---- | M] () .cab file -- G:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- G:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- G:\WINDOWS\system32\drivers\atapi.sys
[2004/08/04 00:59:42 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- G:\WINDOWS\$NtServicePackUninstall$\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 19:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- G:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 19:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- G:\WINDOWS\system32\eventlog.dll
[2004/08/04 02:56:42 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- G:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/13 19:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- G:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 19:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- G:\WINDOWS\system32\netlogon.dll
[2004/08/04 02:56:44 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- G:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/04 02:56:44 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- G:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 19:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- G:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 19:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- G:\WINDOWS\system32\scecli.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 115 bytes -> G:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
@Alternate Data Stream - 103 bytes -> G:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
< End of report >




OTL Extras logfile created on: 2/20/2010 11:29:13 PM - Run 1
OTL by OldTimer - Version 3.1.30.1 Folder = G:\Documents and Settings\Todd\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

255.00 Mb Total Physical Memory | 67.00 Mb Available Physical Memory | 26.00% Memory free
618.00 Mb Paging File | 323.00 Mb Available in Paging File | 52.00% Paging File free
Paging file location(s): G:\pagefile.sys 384 768 [binary data]

%SystemDrive% = G: | %SystemRoot% = G:\WINDOWS | %ProgramFiles% = G:\Program Files
Drive C: | 101.72 Mb Total Space | 101.00 Mb Free Space | 99.29% Space Free | Partition Type: FAT
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 477.79 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive G: | 18.52 Gb Total Space | 8.52 Gb Free Space | 46.01% Space Free | Partition Type: NTFS
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: HOME-DPI79WZ4NF
Current User Name: Todd
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- G:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "G:\Program Files\Microsoft Office\Office\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "G:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "G:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
htmlfile [print] -- "G:\Program Files\Microsoft Office\Office\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "G:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "G:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "G:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "G:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"65533:TCP" = 65533:TCP:*:Enabled:Services
"52344:TCP" = 52344:TCP:*:Enabled:Services
"2479:TCP" = 2479:TCP:*:Enabled:Services
"3246:TCP" = 3246:TCP:*:Enabled:Services
"3389:TCP" = 3389:TCP:*:Enabled:Remote Desktop
"3567:TCP" = 3567:TCP:*:Enabled:Services

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"65533:TCP" = 65533:TCP:*:Enabled:Services
"52344:TCP" = 52344:TCP:*:Enabled:Services
"2479:TCP" = 2479:TCP:*:Enabled:Services
"3246:TCP" = 3246:TCP:*:Enabled:Services
"3389:TCP" = 3389:TCP:*:Enabled:Remote Desktop
"3567:TCP" = 3567:TCP:*:Enabled:Services

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"G:\Program Files\LimeWire\LimeWire.exe" = G:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire -- (Lime Wire, LLC)
"G:\Documents and Settings\Todd\Local Settings\Application Data\Abacast\Abaclient.exe" = G:\Documents and Settings\Todd\Local Settings\Application Data\Abacast\Abaclient.exe:*:Enabled:Abaclient -- File not found
"G:\Documents and Settings\Todd\Local Settings\Application Data\AbacastDistributedOnDemand\Node\11\AbacastDistributedOnDemand.exe" = G:\Documents and Settings\Todd\Local Settings\Application Data\AbacastDistributedOnDemand\Node\11\AbacastDistributedOnDemand.exe:*:Enabled:Abacast Distributed On-Demand -- File not found


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00010409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Professional
"{00040409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Disc 2
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{216AB108-2AE1-4130-B3D5-20B2C4C80F8F}" = QuickTime
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{287ECFA4-719A-2143-A09B-D6A12DE54E40}" = Acrobat.com
"{2A2766A4-6AE4-11D4-AC8E-52544C1966EE}" = Backup Dell-Installed Programs
"{2EAF7E61-068E-11DF-953C-005056806466}" = Google Earth
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{55FD1D5A-7AEF-4DA3-8FAF-A71B2A52FFC7}_is1" = iolo technologies' System Mechanic
"{609F7AC8-C510-11D4-A788-009027ABA5D0}" = Easy CD Creator 5 Basic
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{7F142D56-3326-11D5-B229-002078017FBF}" = Modem Helper
"{8A25392D-C5D2-4E79-A2BD-C15DDC5B0959}" = Bonjour
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-A91000000001}" = Adobe Reader 9.1.3
"{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
"{C084BC61-E537-11DE-8616-005056806466}" = Google Earth
"{C67DF120-4DD3-11D4-A3CA-005004AD2A5B}" = Authentium AntiVirus SDK - 2
"{D78653C3-A8FF-415F-92E6-D774E634FF2D}" = Dell ResourceCD
"{E3436EE2-D5CB-4249-840B-3A0140CC34C1}" = PhoneTools
"{EC4455AB-F155-4CC1-A4C5-88F3777F9886}" = Apple Mobile Device Support
"{ECA1A3B6-898F-4DCE-9F04-714CF3BA126B}" = Adobe Flash Player 10 Plugin
"{F5C63795-2708-4D15-BF18-5ABBFF7DFFC8}" = iTunes
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"CNXT_MODEM_PCI_VEN_14F1&DEV_2016&SUBSYS_021913E0" = Conexant HSF V92 56K RTAD Speakerphone PCI Modem
"HijackThis" = HijackThis 2.0.2
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie8" = Windows Internet Explorer 8
"iolo AntiVirus_is1" = iolo AntiVirus
"LimeWire" = LimeWire PRO 5.1.2
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA" = NVIDIA Windows 2000/XP Display Drivers
"Ogg Codecs" = Ogg Codecs 0.81.15562
"Turbocharge Your Photos HP Idea Kit" = Turbocharge Your Photos HP Idea Kit
"ViewpointMediaPlayer" = Viewpoint Media Player
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-2052111302-920026266-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Abacast Distributed Live" = Abacast Distributed Live

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 2/15/2010 9:15:35 PM | Computer Name = HOME-DPI79WZ4NF | Source = Application Hang | ID = 1002
Description = Hanging application OUTLOOK.EXE, version 9.0.0.2416, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 2/16/2010 3:57:38 PM | Computer Name = HOME-DPI79WZ4NF | Source = Google Update | ID = 20
Description =

Error - 2/16/2010 4:57:25 PM | Computer Name = HOME-DPI79WZ4NF | Source = Google Update | ID = 20
Description =

Error - 2/18/2010 12:15:49 AM | Computer Name = HOME-DPI79WZ4NF | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 2/18/2010 1:27:15 AM | Computer Name = HOME-DPI79WZ4NF | Source = Google Update | ID = 20
Description =

Error - 2/18/2010 7:18:23 AM | Computer Name = HOME-DPI79WZ4NF | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 2/18/2010 7:18:23 AM | Computer Name = HOME-DPI79WZ4NF | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 2/18/2010 7:18:51 AM | Computer Name = HOME-DPI79WZ4NF | Source = Application Hang | ID = 1001
Description = Fault bucket 1180947459.

Error - 2/18/2010 7:59:06 AM | Computer Name = HOME-DPI79WZ4NF | Source = Google Update | ID = 20
Description =

Error - 2/18/2010 8:59:07 PM | Computer Name = HOME-DPI79WZ4NF | Source = Google Update | ID = 20
Description =

[ System Events ]
Error - 2/20/2010 11:33:46 AM | Computer Name = HOME-DPI79WZ4NF | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
again in 15 minutes. The error was: A socket operation was attempted to an unreachable
host. (0x80072751)

Error - 2/20/2010 11:33:46 AM | Computer Name = HOME-DPI79WZ4NF | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 14 minutes. NtpClient has no source of accurate
time.

Error - 2/20/2010 11:34:02 AM | Computer Name = HOME-DPI79WZ4NF | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
again in 15 minutes. The error was: A socket operation was attempted to an unreachable
host. (0x80072751)

Error - 2/20/2010 11:34:02 AM | Computer Name = HOME-DPI79WZ4NF | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 14 minutes. NtpClient has no source of accurate
time.


< End of report >


#7 syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
Posted 21 February 2010 - 03:34 PM

Hi,

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed, click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix



#8 razor49

  • Topic Starter
  • Members
  • 14 posts

Posted 22 February 2010 - 07:21 AM

Good morning. Attached is the combo-fix log.

ComboFix 10-02-21.02 - Todd 02/22/2010 6:44.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.255.125 [GMT -5:00]
Running from: g:\documents and settings\Todd\Desktop\ComboFix.exe
AV: iolo AntiVirus® *On-access scanning disabled* (Updated) {2565CEEE-6BDB-4A6D-AD6D-F682F2695014}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

g:\windows\Downloaded Program Files\popcaploader.dll
g:\windows\Downloaded Program Files\popcaploader.inf
g:\windows\system32\_000005_.tmp.dll
g:\windows\system32\_000006_.tmp.dll
g:\windows\system32\_000007_.tmp.dll
g:\windows\system32\COMCTL32.OCA

.
original MBR restored successfully !
.
((((((((((((((((((((((((( Files Created from 2010-01-22 to 2010-02-22 )))))))))))))))))))))))))))))))
.

2010-02-20 15:20 . 2010-02-20 15:21 -------- d-----w- G:\rsit
2010-02-18 05:54 . 2010-02-18 05:54 -------- d-----w- g:\documents and settings\HelpAssistant.HOME-DPI79WZ4NF\UserData
2010-02-18 05:54 . 2010-02-18 05:54 -------- d-----w- g:\documents and settings\HelpAssistant.HOME-DPI79WZ4NF\PrivacIE
2010-02-18 05:52 . 2010-02-18 05:52 -------- d-----w- g:\documents and settings\HelpAssistant.HOME-DPI79WZ4NF\IETldCache
2010-02-18 05:52 . 2010-02-18 05:52 -------- d-----w- g:\documents and settings\HelpAssistant.HOME-DPI79WZ4NF\IECompatCache
2010-02-18 05:21 . 2010-01-06 20:56 1521 ----a-w- g:\documents and settings\Todd\Application Data\iolo\Registry\Working\restore.bat
2010-02-18 03:58 . 2010-02-18 07:01 -------- d-----w- G:\found.001
2010-02-16 02:46 . 2010-02-16 02:46 -------- d-----w- g:\documents and settings\Todd\Application Data\Yahoo!
2010-02-16 02:46 . 2010-02-18 03:30 -------- d-----w- g:\program files\Yahoo!
2010-02-16 02:46 . 2010-02-16 02:46 -------- d-----w- g:\program files\CCleaner
2010-02-16 02:26 . 2010-02-20 15:21 -------- d-----w- g:\program files\Trend Micro
2010-02-13 22:46 . 2010-02-13 22:46 -------- d-----w- g:\documents and settings\Todd\Application Data\Uniblue
2010-02-08 19:24 . 2010-02-08 19:24 -------- d-----w- g:\documents and settings\HelpAssistant\UserData
2010-02-08 19:24 . 2010-02-08 19:24 -------- d-----w- g:\documents and settings\HelpAssistant\PrivacIE
2010-02-08 19:20 . 2010-02-08 20:22 -------- d-----w- g:\documents and settings\HelpAssistant\IECompatCache
2010-02-08 19:20 . 2010-02-08 19:20 -------- d-----w- g:\documents and settings\HelpAssistant\IETldCache
2010-02-07 01:06 . 2010-02-07 01:06 -------- d-----w- g:\documents and settings\All Users\Application Data\PopCap
2010-02-02 01:37 . 2010-02-02 01:37 -------- d--h--w- g:\windows\PIF
2010-02-01 23:38 . 2010-02-19 01:40 -------- d-----w- g:\documents and settings\Todd\Local Settings\Application Data\mreibs

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-19 07:43 . 2008-08-27 01:10 -------- d-----w- g:\documents and settings\All Users\Application Data\iolo
2010-02-18 03:41 . 2008-08-20 03:56 -------- d--h--w- g:\program files\InstallShield Installation Information
2010-02-18 03:26 . 2008-08-27 02:53 -------- d-----w- g:\program files\Google
2010-02-17 23:16 . 2008-08-27 01:35 518 ----a-w- g:\documents and settings\Todd\Application Data\iolo\Registry\Last\restore.bat
2010-02-16 06:31 . 2008-08-27 01:35 1521 ----a-w- g:\documents and settings\Todd\Application Data\iolo\restore.bat
2010-02-16 01:15 . 2008-08-27 01:15 -------- d-----w- g:\program files\iolo
2010-02-14 14:16 . 2008-08-27 03:19 -------- d-----w- g:\documents and settings\Todd\Application Data\LimeWire
2010-02-09 22:02 . 2009-11-04 05:49 93096 ----a-w- g:\windows\system32\IncContxMenu.dll
2010-02-09 22:01 . 2009-11-04 05:49 2164648 ----a-w- g:\windows\system32\Incinerator.dll
2010-02-03 19:13 . 2009-11-09 08:40 518 ----a-w- g:\documents and settings\LocalService\Application Data\iolo\Registry\Last\restore.bat
2010-02-02 03:09 . 2008-11-06 02:49 -------- d-----w- g:\program files\Malwarebytes' Anti-Malware
2010-02-02 03:09 . 2009-11-27 16:11 5115824 ----a-w- g:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-28 22:13 . 2009-11-04 05:49 30208 ----a-w- g:\windows\system32\iolobtdfg.exe
2010-01-28 22:13 . 2009-11-04 05:49 12288 ----a-w- g:\windows\system32\smrgdf.exe
2010-01-07 21:07 . 2008-11-06 02:49 38224 ----a-w- g:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07 . 2008-11-06 02:49 19160 ----a-w- g:\windows\system32\drivers\mbam.sys
2010-01-03 16:38 . 2008-09-12 22:35 -------- d-----w- g:\program files\Common Files\AOL
2009-12-31 16:50 . 2001-08-18 12:00 353792 ----a-w- g:\windows\system32\drivers\srv.sys
2009-12-23 14:48 . 2009-11-18 14:45 1119 ----a-w- g:\documents and settings\LocalService\Application Data\iolo\restore.bat
2009-12-21 19:14 . 2001-08-18 12:00 916480 ----a-w- g:\windows\system32\wininet.dll
2009-12-16 18:43 . 2008-08-20 03:34 343040 ----a-w- g:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2001-08-18 12:00 33280 ----a-w- g:\windows\system32\csrsrv.dll
2009-12-08 19:27 . 2001-08-18 12:00 2189184 ----a-w- g:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2001-08-17 13:48 2066048 ----a-w- g:\windows\system32\ntkrnlpa.exe
2009-12-04 18:22 . 2001-08-18 12:00 455424 ----a-w- g:\windows\system32\drivers\mrxsmb.sys
2009-11-27 17:11 . 2001-08-18 12:00 1291776 ----a-w- g:\windows\system32\quartz.dll
2009-11-27 17:11 . 2001-08-17 22:36 17920 ----a-w- g:\windows\system32\msyuv.dll
2009-11-27 16:07 . 2001-08-18 12:00 28672 ----a-w- g:\windows\system32\msvidc32.dll
2009-11-27 16:07 . 2001-08-17 22:36 8704 ----a-w- g:\windows\system32\tsbyuv.dll
2009-11-27 16:07 . 2001-08-18 12:00 84992 ----a-w- g:\windows\system32\avifil32.dll
2009-11-27 16:07 . 2001-08-18 12:00 11264 ----a-w- g:\windows\system32\msrle32.dll
2009-11-27 16:07 . 2001-08-17 22:36 48128 ----a-w- g:\windows\system32\iyuv_32.dll
2009-11-25 03:31 . 2009-11-25 03:31 495 ----a-w- g:\windows\eReg.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="g:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"swg"="g:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-29 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="g:\windows\system32\NvCpl.dll" [2003-07-28 4841472]
"nwiz"="nwiz.exe" [2003-07-28 323584]
"iolo AntiVirus"="g:\program files\iolo\AntiVirus\ioloAV.exe" [2008-03-05 1095520]
"SystemGuardAlerter"="g:\program files\iolo\System Mechanic\SystemGuardAlerter.exe" [2010-02-09 489896]

g:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - g:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoFileSharing"= 1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ "autocheck autochk *"\0autocheck smrgdf g:\documents and settings\LocalService\Application Data\iolo\

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"g:\\Program Files\\LimeWire\\LimeWire.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3246:TCP"= 3246:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"3567:TCP"= 3567:TCP:Services

R2 ioloFileInfoList;iolo FileInfoList Service;g:\program files\iolo\Common\Lib\ioloServiceManager.exe [11/4/2009 12:49 AM 665008]
R2 ioloSystemService;iolo System Service;g:\program files\iolo\Common\Lib\ioloServiceManager.exe [11/4/2009 12:49 AM 665008]
S2 gupdate1ca14b9eb9694e0;Google Update Service (gupdate1ca14b9eb9694e0);g:\program files\Google\Update\GoogleUpdate.exe [8/3/2009 11:13 PM 133104]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv
.
Contents of the 'Scheduled Tasks' folder

2010-02-20 g:\windows\Tasks\AppleSoftwareUpdate.job
- g:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-02-22 g:\windows\Tasks\Google Software Updater.job
- g:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-08-27 02:14]

2010-02-22 g:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- g:\program files\Google\Update\GoogleUpdate.exe [2009-08-04 04:13]

2010-02-21 g:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- g:\program files\Google\Update\GoogleUpdate.exe [2009-08-04 04:13]

2010-02-22 g:\windows\Tasks\User_Feed_Synchronization-{CB6942EA-8A04-446A-9506-836B3F88626C}.job
- g:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/webhp?hl=en
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
LSP: g:\windows\system32\iavlsp.dll
DPF: {FFD85DC8-5261-4D11-B728-F7C59D911691} - hxxp://www.iolo.com/app/ocx/UpgradeVerify.cab
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-22 06:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x81A10C78]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf9a76f28
\Driver\ACPI -> 0x81a10c78
\Driver\atapi -> atapi.sys @ 0xf99a1852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: CNet PRO200WL PCI Fast Ethernet Adapter -> SendCompleteHandler -> 0x81662330
PacketIndicateHandler -> NDIS.sys @ 0xf98baa21
SendHandler -> NDIS.sys @ 0xf98aed44
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x0253ABFE
malicious code @ sector 0x0253AC01 !
PE file found in sector at 0x0253AC17 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(580)
g:\windows\system32\iavlsp.dll
.
Completion time: 2010-02-22 07:02:21
ComboFix-quarantined-files.txt 2010-02-22 12:02

Pre-Run: 9,091,883,008 bytes free
Post-Run: 9,095,561,216 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - F728B824AB5B7F924CA241224746FC88

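The ComboFix log above ends with output from Gmer's MBR detector, and the parts that matter are easy to lose in the wall of addresses. The script below is an added example, not ComboFix's or Gmer's code: it parses that detector output (copied from the log above, and from the mbr.log razor49 posts after running mbr -f) into the facts a responder acts on. A hook whose target reads "module @ address" resolves to a loaded driver image; one that is a bare address, like \Driver\ACPI -> 0x81a10c78, lands in memory no driver owns, which is the same unbacked code the "called modules" line flags as >>UNKNOWN<<. The three sector numbers locate the stashed copy of the original MBR and the payload; the 512-byte sector size used to turn them into byte offsets is an assumption.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field
from typing import Optional

SECTOR_BYTES = 512   # assumption: 512-byte sectors, true for the IDE disks of this era

# Detector output copied from the ComboFix log above (the run before "mbr -f";
# a few of the resolved hook lines are trimmed for space).
MBR_LOG_BEFORE_FIX = r"""
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x81A10C78]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf9a76f28
\Driver\ACPI -> 0x81a10c78
\Driver\atapi -> atapi.sys @ 0xf99a1852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: CNet PRO200WL PCI Fast Ethernet Adapter -> SendCompleteHandler -> 0x81662330
PacketIndicateHandler -> NDIS.sys @ 0xf98baa21
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x0253ABFE
malicious code @ sector 0x0253AC01 !
PE file found in sector at 0x0253AC17 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
"""

# The mbr.log razor49 posts after running "mbr -f" (next reply in the thread).
MBR_LOG_AFTER_FIX = r"""
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\ACPI -> 0x8190c590
NDIS: CNet PRO200WL PCI Fast Ethernet Adapter -> SendCompleteHandler -> 0x81643330
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x0253ABFE
malicious code @ sector 0x0253AC01 !
PE file found in sector at 0x0253AC17 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
original MBR restored successfully !
"""

@dataclass
class MbrFindings:
    infected: bool = False                 # "MBR rootkit infection detected" printed
    restored: bool = False                 # "original MBR restored successfully" printed
    unknown_module: Optional[str] = None   # unbacked code address in the disk driver chain
    hooks: list = field(default_factory=list)             # (hooked object, target) pairs
    unresolved_hooks: list = field(default_factory=list)  # hooks with no module behind them
    mbr_copy_sector: Optional[int] = None
    malicious_sectors: list = field(default_factory=list)

_UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")
_HOOK_RE = re.compile(r"^(\S.*?) -> (.+)$")
_SECTOR_RES = [
    ("copy", re.compile(r"copy of MBR has been found in sector (0x[0-9A-Fa-f]+)")),
    ("code", re.compile(r"malicious code @ sector (0x[0-9A-Fa-f]+)")),
    ("pe",   re.compile(r"PE file found in sector at (0x[0-9A-Fa-f]+)")),
]

def parse_mbr_log(text: str) -> MbrFindings:
    f, in_hooks = MbrFindings(), False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("detected MBR rootkit hooks:"):
            in_hooks = True
            continue
        hm = _HOOK_RE.match(line) if in_hooks else None
        if hm:
            obj, target = hm.group(1), hm.group(2)
            f.hooks.append((obj, target))
            # "module @ address" means the hook lands in a loaded driver image;
            # a bare address means it lands in memory no driver owns: the rootkit.
            if "@" not in target.split(" -> ")[-1]:
                f.unresolved_hooks.append(obj)
            continue
        in_hooks = False
        if "MBR rootkit infection detected" in line:
            f.infected = True
        elif "original MBR restored successfully" in line:
            f.restored = True
        um = _UNKNOWN_RE.search(line)
        if um:
            f.unknown_module = um.group(1).lower()
        for kind, rx in _SECTOR_RES:
            sm = rx.search(line)
            if sm and kind == "copy":
                f.mbr_copy_sector = int(sm.group(1), 16)
            elif sm:
                f.malicious_sectors.append(int(sm.group(1), 16))
    return f

def sector_to_offset(sector: int) -> int:
    """Byte offset of a sector, for imaging the stashed payload with dd or a hex editor."""
    return sector * SECTOR_BYTES

def needs_fix(f: MbrFindings) -> bool:
    """True while the detector reports an infected MBR that has not been rewritten."""
    return f.infected and not f.restored

if __name__ == "__main__":
    for tag, log in (("before mbr -f", MBR_LOG_BEFORE_FIX), ("after mbr -f", MBR_LOG_AFTER_FIX)):
        r = parse_mbr_log(log)
        print(tag, "| needs fix:", needs_fix(r), "| unbacked hooks:", r.unresolved_hooks,
              "| payload byte offsets:", [hex(sector_to_offset(s)) for s in r.malicious_sectors])
```

The restored flag is set only by the line mbr -f prints, so needs_fix going false means the MBR on disk was rewritten, not that the kernel is clean: the ComboFix run posted after the fix still lists the ACPI and NDIS hooks, because rewriting the boot sector does not unhook the running kernel, and that only clears on reboot. The unbacked NDIS SendCompleteHandler hook is the component worth correlating with the banking redirect: the rootkit sits on the network path, not in the browser.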

#9 syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 22 February 2010 - 02:33 PM

razor49,
  • Go to Start >> Run
  • Copy and paste the following command line into the Run box, then click OK.
cmd /c mbr -f& start mbr.log
  • A file called mbr.log will pop up please post the contents in your reply.


  • Go to Start >> Run, and type Notepad into the run box, then click Ok.
  • Copy and paste the following code into Notepad. ( Do not include the word "CODE")
CODE
net user HelpAssistant /active:no
net localgroup Administrators HelpAssistant /delete
net user HelpAssistant>log.txt&START log.txt
  • Click on the File tab, and select Save.
  • In the box that opens type help.bat for the File name.
  • Change the Save as type to All Files, then save it to your Desktop. (It should look like this )
  • Double click help.bat; a box will pop up briefly on your screen and disappear. This is normal.
  • It will produce a file on your desktop called log.txt; please copy and paste this in your next reply.


1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

CODE
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"=-
"52344:TCP"=-
"2479:TCP"=-
"3246:TCP"=-
"3389:TCP"=-
"3567:TCP"=-


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Then please post back here with the following logs:
  • mbr.log
  • log.txt
  • Combofix.txt

Thanks


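Two of syler's requests above, the HelpAssistant batch file and the CFScript that deletes the firewall exceptions, are things a responder can check mechanically rather than by eye. The script below is an added example and not syler's, OTL's or ComboFix's code. It parses the GloballyOpenPorts export from the OTL log earlier in the thread, reports every enabled exception open to any address that is not on an allowlist, and emits the same Registry:: deletion block syler wrote by hand; it also parses `net user HelpAssistant` output for the two conditions his help.bat corrects. The empty allowlist is an assumption (nothing in the thread says which of the six ports is legitimate, and syler removes all of them, Remote Desktop included). The "after" net user listing is the one razor49 posts in the next reply, re-spaced into the command's column layout; the "before" listing is constructed to show a re-enabled account sitting in Administrators.

```python
import re

# Input 1: the StandardProfile GloballyOpenPorts export from the OTL log posted
# earlier in this thread (copied verbatim).
SAMPLE_OPEN_PORTS = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"65533:TCP" = 65533:TCP:*:Enabled:Services
"52344:TCP" = 52344:TCP:*:Enabled:Services
"2479:TCP" = 2479:TCP:*:Enabled:Services
"3246:TCP" = 3246:TCP:*:Enabled:Services
"3389:TCP" = 3389:TCP:*:Enabled:Remote Desktop
"3567:TCP" = 3567:TCP:*:Enabled:Services
'''

# Input 2: `net user HelpAssistant` output. AFTER is razor49's listing from the
# next reply, re-spaced into net user's columns; BEFORE is constructed to show
# what a re-enabled HelpAssistant sitting in Administrators looks like.
NET_USER_AFTER = """\
User name                    HelpAssistant
Full Name                    Remote Desktop Help Assistant Account
Comment                      Account for Providing Remote Assistance
User's comment
Account active               No
Account expires              Never

Last logon                   2/22/2010 3:59 PM

Local Group Memberships
Global Group memberships     *None
The command completed successfully.
"""
NET_USER_BEFORE = """\
User name                    HelpAssistant
Account active               Yes
Local Group Memberships      *Administrators       *Users
Global Group memberships     *None
The command completed successfully.
"""

_KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess"
                     r"\\Parameters\\FirewallPolicy\\(?P<profile>\w+)\\GloballyOpenPorts\\List\]$")
_PORT_RE = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"\s*=\s*\d+:(?:TCP|UDP):'
                      r'(?P<scope>[^:]*):(?P<state>Enabled|Disabled):(?P<name>.*)$')

def parse_open_ports(text):
    """Return one dict per GloballyOpenPorts value, tagged with its firewall profile."""
    entries, profile = [], None
    for line in text.splitlines():
        line = line.strip()
        km = _KEY_RE.match(line)
        if km:
            profile = km.group("profile")
            continue
        pm = _PORT_RE.match(line)
        if pm and profile:
            entries.append({"profile": profile, "port": int(pm["port"]), "proto": pm["proto"],
                            "scope": pm["scope"], "enabled": pm["state"] == "Enabled",
                            "name": pm["name"]})
    return entries

# Assumption: on this home PC nothing should be reachable from '*' (any address),
# so the allowlist is empty; pass a set of (port, proto) pairs to keep some.
def suspicious_ports(entries, expected=frozenset()):
    return [e for e in entries if e["enabled"] and (e["port"], e["proto"]) not in expected]

def cfscript_for(entries):
    """Emit the ComboFix 'Registry::' block that deletes the given values; '"name"=-'
    is REGEDIT syntax for deleting a value, the form syler's script uses."""
    lines, by_profile = ["Registry::"], {}
    for e in entries:
        by_profile.setdefault(e["profile"], []).append(e)
    for profile, es in by_profile.items():
        lines.append("[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\"
                     + profile.lower() + "\\GloballyOpenPorts\\List]")
        lines += ['"%d:%s"=-' % (e["port"], e["proto"]) for e in es]
    return "\n".join(lines) + "\n"

_ROW_RE = re.compile(r"^(\S.*?)(?:\s{2,}(.*))?$")

def parse_net_user(text):
    """Parse `net user <name>` output into {label: value}; group rows become lists."""
    info, last = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("The command completed"):
            continue
        if line[0].isspace() and last:          # wrapped continuation of a group list
            info[last].extend(line.split())
            continue
        m = _ROW_RE.match(line)
        if not m:
            continue
        label, value = m.group(1).strip(), (m.group(2) or "").strip()
        if label.lower().endswith("memberships"):
            info[label] = value.split()
            last = label
        else:
            info[label] = value
            last = None
    return info

def help_assistant_problems(info):
    """The two conditions syler's help.bat fixes: account enabled, or in Administrators."""
    problems = []
    if info.get("Account active") != "No":
        problems.append("account is enabled")
    if "*Administrators" in info.get("Local Group Memberships", []):
        problems.append("member of Administrators")
    return problems

if __name__ == "__main__":
    bad = suspicious_ports(parse_open_ports(SAMPLE_OPEN_PORTS))
    print("globally open to any address:", [(e["port"], e["name"]) for e in bad])
    print(cfscript_for(bad))
    for tag, listing in (("before", NET_USER_BEFORE), ("after", NET_USER_AFTER)):
        print(tag, help_assistant_problems(parse_net_user(listing)) or "ok")
```

The generic "Services" label on five high, unrelated ports is the tell here: Windows names its own exceptions after the feature (as "Remote Desktop" is), so a cluster of anonymous exceptions open to any address, next to a Remote Assistance account that has just acquired a profile directory, reads as someone opening doors for themselves rather than as user configuration.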

#10 razor49

  • Topic Starter
  • Members
  • 14 posts

Posted 22 February 2010 - 04:37 PM

Syler,
Here we go:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\ACPI -> 0x8190c590
NDIS: CNet PRO200WL PCI Fast Ethernet Adapter -> SendCompleteHandler -> 0x81643330
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x0253ABFE
malicious code @ sector 0x0253AC01 !
PE file found in sector at 0x0253AC17 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
original MBR restored successfully !


User name HelpAssistant
Full Name Remote Desktop Help Assistant Account
Comment Account for Providing Remote Assistance
User's comment
Country code 000 (System Default)
Account active No
Account expires Never

Password last set 2/22/2010 3:59 PM
Password expires Never
Password changeable 2/22/2010 3:59 PM
Password required Yes
User may change password Yes

Workstations allowed All
Logon script
User profile
Home directory
Last logon 2/22/2010 3:59 PM

Logon hours allowed All

Local Group Memberships
Global Group memberships *None
The command completed successfully.



ComboFix 10-02-21.02 - Todd 02/22/2010 16:14:26.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.255.112 [GMT -5:00]
Running from: g:\documents and settings\Todd\Desktop\ComboFix.exe
Command switches used :: g:\documents and settings\Todd\Desktop\CFScript.txt
AV: iolo AntiVirus® *On-access scanning disabled* (Updated) {2565CEEE-6BDB-4A6D-AD6D-F682F2695014}
.
PEV Error: UserFile
PEV Error: UserFolder

((((((((((((((((((((((((( Files Created from 2010-01-22 to 2010-02-22 )))))))))))))))))))))))))))))))
.

2010-02-20 15:20 . 2010-02-20 15:21 -------- d-----w- G:\rsit
2010-02-18 05:54 . 2010-02-18 05:54 -------- d-----w- g:\documents and settings\HelpAssistant.HOME-DPI79WZ4NF\UserData
2010-02-18 05:54 . 2010-02-18 05:54 -------- d-----w- g:\documents and settings\HelpAssistant.HOME-DPI79WZ4NF\PrivacIE
2010-02-18 05:52 . 2010-02-18 05:52 -------- d-----w- g:\documents and settings\HelpAssistant.HOME-DPI79WZ4NF\IETldCache
2010-02-18 05:52 . 2010-02-18 05:52 -------- d-----w- g:\documents and settings\HelpAssistant.HOME-DPI79WZ4NF\IECompatCache
2010-02-18 05:21 . 2010-01-06 20:56 1521 ----a-w- g:\documents and settings\Todd\Application Data\iolo\Registry\Working\restore.bat
2010-02-18 03:58 . 2010-02-18 07:01 -------- d-----w- G:\found.001
2010-02-16 02:46 . 2010-02-16 02:46 -------- d-----w- g:\documents and settings\Todd\Application Data\Yahoo!
2010-02-16 02:46 . 2010-02-18 03:30 -------- d-----w- g:\program files\Yahoo!
2010-02-16 02:46 . 2010-02-16 02:46 -------- d-----w- g:\program files\CCleaner
2010-02-16 02:26 . 2010-02-20 15:21 -------- d-----w- g:\program files\Trend Micro
2010-02-13 22:46 . 2010-02-13 22:46 -------- d-----w- g:\documents and settings\Todd\Application Data\Uniblue
2010-02-08 19:24 . 2010-02-08 19:24 -------- d-----w- g:\documents and settings\HelpAssistant\UserData
2010-02-08 19:24 . 2010-02-08 19:24 -------- d-----w- g:\documents and settings\HelpAssistant\PrivacIE
2010-02-08 19:20 . 2010-02-08 20:22 -------- d-----w- g:\documents and settings\HelpAssistant\IECompatCache
2010-02-08 19:20 . 2010-02-08 19:20 -------- d-----w- g:\documents and settings\HelpAssistant\IETldCache
2010-02-07 01:06 . 2010-02-07 01:06 -------- d-----w- g:\documents and settings\All Users\Application Data\PopCap
2010-02-02 01:37 . 2010-02-02 01:37 -------- d--h--w- g:\windows\PIF
2010-02-01 23:38 . 2010-02-19 01:40 -------- d-----w- g:\documents and settings\Todd\Local Settings\Application Data\mreibs

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-19 07:43 . 2008-08-27 01:10 -------- d-----w- g:\documents and settings\All Users\Application Data\iolo
2010-02-18 03:41 . 2008-08-20 03:56 -------- d--h--w- g:\program files\InstallShield Installation Information
2010-02-18 03:26 . 2008-08-27 02:53 -------- d-----w- g:\program files\Google
2010-02-17 23:16 . 2008-08-27 01:35 518 ----a-w- g:\documents and settings\Todd\Application Data\iolo\Registry\Last\restore.bat
2010-02-16 06:31 . 2008-08-27 01:35 1521 ----a-w- g:\documents and settings\Todd\Application Data\iolo\restore.bat
2010-02-16 01:15 . 2008-08-27 01:15 -------- d-----w- g:\program files\iolo
2010-02-14 14:16 . 2008-08-27 03:19 -------- d-----w- g:\documents and settings\Todd\Application Data\LimeWire
2010-02-09 22:02 . 2009-11-04 05:49 93096 ----a-w- g:\windows\system32\IncContxMenu.dll
2010-02-09 22:01 . 2009-11-04 05:49 2164648 ----a-w- g:\windows\system32\Incinerator.dll
2010-02-03 19:13 . 2009-11-09 08:40 518 ----a-w- g:\documents and settings\LocalService\Application Data\iolo\Registry\Last\restore.bat
2010-02-02 03:09 . 2008-11-06 02:49 -------- d-----w- g:\program files\Malwarebytes' Anti-Malware
2010-02-02 03:09 . 2009-11-27 16:11 5115824 ----a-w- g:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-28 22:13 . 2009-11-04 05:49 30208 ----a-w- g:\windows\system32\iolobtdfg.exe
2010-01-28 22:13 . 2009-11-04 05:49 12288 ----a-w- g:\windows\system32\smrgdf.exe
2010-01-07 21:07 . 2008-11-06 02:49 38224 ----a-w- g:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07 . 2008-11-06 02:49 19160 ----a-w- g:\windows\system32\drivers\mbam.sys
2010-01-03 16:38 . 2008-09-12 22:35 -------- d-----w- g:\program files\Common Files\AOL
2009-12-31 16:50 . 2001-08-18 12:00 353792 ----a-w- g:\windows\system32\drivers\srv.sys
2009-12-23 14:48 . 2009-11-18 14:45 1119 ----a-w- g:\documents and settings\LocalService\Application Data\iolo\restore.bat
2009-12-21 19:14 . 2001-08-18 12:00 916480 ------w- g:\windows\system32\wininet.dll
2009-12-16 18:43 . 2008-08-20 03:34 343040 ----a-w- g:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2001-08-18 12:00 33280 ----a-w- g:\windows\system32\csrsrv.dll
2009-12-08 19:27 . 2001-08-18 12:00 2189184 ------w- g:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2001-08-17 13:48 2066048 ------w- g:\windows\system32\ntkrnlpa.exe
2009-12-04 18:22 . 2001-08-18 12:00 455424 ----a-w- g:\windows\system32\drivers\mrxsmb.sys
2009-11-27 17:11 . 2001-08-18 12:00 1291776 ----a-w- g:\windows\system32\quartz.dll
2009-11-27 17:11 . 2001-08-17 22:36 17920 ----a-w- g:\windows\system32\msyuv.dll
2009-11-27 16:07 . 2001-08-18 12:00 28672 ----a-w- g:\windows\system32\msvidc32.dll
2009-11-27 16:07 . 2001-08-17 22:36 8704 ----a-w- g:\windows\system32\tsbyuv.dll
2009-11-27 16:07 . 2001-08-18 12:00 84992 ----a-w- g:\windows\system32\avifil32.dll
2009-11-27 16:07 . 2001-08-18 12:00 11264 ----a-w- g:\windows\system32\msrle32.dll
2009-11-27 16:07 . 2001-08-17 22:36 48128 ----a-w- g:\windows\system32\iyuv_32.dll
2009-11-25 03:31 . 2009-11-25 03:31 495 ----a-w- g:\windows\eReg.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="g:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"swg"="g:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-29 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="g:\windows\system32\NvCpl.dll" [2003-07-28 4841472]
"nwiz"="nwiz.exe" [2003-07-28 323584]
"iolo AntiVirus"="g:\program files\iolo\AntiVirus\ioloAV.exe" [2008-03-05 1095520]
"SystemGuardAlerter"="g:\program files\iolo\System Mechanic\SystemGuardAlerter.exe" [2010-02-09 489896]

g:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - g:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoFileSharing"= 1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ "autocheck autochk *"\0autocheck smrgdf g:\documents and settings\LocalService\Application Data\iolo\

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"g:\\Program Files\\LimeWire\\LimeWire.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1833:TCP"= 1833:TCP:Services

R2 ioloFileInfoList;iolo FileInfoList Service;g:\program files\iolo\Common\Lib\ioloServiceManager.exe [11/4/2009 12:49 AM 665008]
R2 ioloSystemService;iolo System Service;g:\program files\iolo\Common\Lib\ioloServiceManager.exe [11/4/2009 12:49 AM 665008]
S2 gupdate1ca14b9eb9694e0;Google Update Service (gupdate1ca14b9eb9694e0);g:\program files\Google\Update\GoogleUpdate.exe [8/3/2009 11:13 PM 133104]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv
.
Contents of the 'Scheduled Tasks' folder

2010-02-20 g:\windows\Tasks\AppleSoftwareUpdate.job
- g:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-02-22 g:\windows\Tasks\Google Software Updater.job
- g:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-08-27 02:14]

2010-02-22 g:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- g:\program files\Google\Update\GoogleUpdate.exe [2009-08-04 04:13]

2010-02-22 g:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- g:\program files\Google\Update\GoogleUpdate.exe [2009-08-04 04:13]

2010-02-22 g:\windows\Tasks\User_Feed_Synchronization-{CB6942EA-8A04-446A-9506-836B3F88626C}.job
- g:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/webhp?hl=en
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
LSP: g:\windows\system32\iavlsp.dll
DPF: {FFD85DC8-5261-4D11-B728-F7C59D911691} - hxxp://www.iolo.com/app/ocx/UpgradeVerify.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-22 16:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x8190C590]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf9a76f28
\Driver\ACPI -> 0x8190c590
\Driver\atapi -> atapi.sys @ 0xf99a1852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: CNet PRO200WL PCI Fast Ethernet Adapter -> SendCompleteHandler -> 0x81643330
PacketIndicateHandler -> NDIS.sys @ 0xf98baa21
SendHandler -> NDIS.sys @ 0xf98aed44
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x0253ABFE
malicious code @ sector 0x0253AC01 !
PE file found in sector at 0x0253AC17 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(584)
g:\windows\system32\iavlsp.dll

- - - - - - - > 'explorer.exe'(3768)
g:\windows\system32\WININET.dll
g:\program files\iolo\Common\Lib\sguard.dll
g:\progra~1\WINDOW~3\wmpband.dll
g:\windows\system32\ieframe.dll
g:\windows\system32\webcheck.dll
g:\windows\system32\WPDShServiceObj.dll
g:\windows\system32\PortableDeviceTypes.dll
g:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-02-22 16:30:27
ComboFix-quarantined-files.txt 2010-02-22 21:30
ComboFix2.txt 2010-02-22 12:02

Pre-Run: 9,082,572,800 bytes free
Post-Run: 9,050,411,008 bytes free

- - End Of File - - C48E95452FAF7BA9979FC6296E189552
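A small triage helper for the ComboFix / Gmer output pasted above, added here as an example and not part of the thread or of either tool. It runs over excerpts copied from the log (a constructed sample) and calls out the firewall exception that opens 1833:TCP to every network, the driver hook that points at a bare address matching the UNKNOWN called module, and the sectors the MBR detector flagged.

```python
import re
# Constructed sample: excerpts copied from the ComboFix / Gmer output posted in this thread.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1833:TCP"= 1833:TCP:Services

called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x8190C590]<<
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf9a76f28
\Driver\ACPI -> 0x8190c590
\Driver\atapi -> atapi.sys @ 0xf99a1852
copy of MBR has been found in sector 0x0253ABFE
malicious code @ sector 0x0253AC01 !
PE file found in sector at 0x0253AC17 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
"""

UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")
HOOK_RE = re.compile(r"^(\\Driver\\\S+) -> (.*)$")
SECTOR_RE = re.compile(r"(copy of MBR|malicious code|PE file).*?(0x[0-9A-Fa-f]+)")

def open_ports(log):
    # Port entries under GloballyOpenPorts\List; a "[key]" header opens a section, a blank line ends it.
    ports, in_section = [], False
    for line in log.splitlines():
        if line.startswith("["):
            in_section = "GloballyOpenPorts" in line
        elif not line.strip():
            in_section = False
        elif in_section:
            m = re.match(r'"(\d+:(?:TCP|UDP))"=', line)
            if m:
                ports.append(m.group(1))
    return ports

def mbr_findings(log):
    # Summarise the Gmer block: unnamed modules, hooks to a bare address (no "image @ addr"), sectors, verdict.
    out = {"unknown_modules": [], "raw_memory_hooks": [], "sectors": {}, "infected": False}
    for line in log.splitlines():
        if m := UNKNOWN_RE.search(line):
            out["unknown_modules"].append(m.group(1).lower())
        if (m := HOOK_RE.match(line)) and "@" not in m.group(2):
            out["raw_memory_hooks"].append((m.group(1), m.group(2).lower()))
        if m := SECTOR_RE.search(line):
            out["sectors"][m.group(1)] = int(m.group(2), 16)
        if "MBR rootkit infection detected" in line:
            out["infected"] = True
    return out

def triage(log):
    # One note per finding a responder would want called out before deciding on a fix.
    notes = [f"firewall exception opens {p} to every network; confirm it is expected" for p in open_ports(log)]
    mbr = mbr_findings(log)
    for drv, addr in mbr["raw_memory_hooks"]:
        tag = " (same address as the UNKNOWN called module)" if addr in mbr["unknown_modules"] else ""
        notes.append(f"{drv} hooked to raw memory {addr}{tag}")
    if mbr["infected"]:
        where = ", ".join(f"{k} at {v:#x}" for k, v in mbr["sectors"].items())
        notes.append(f"MBR rootkit infection detected ({where})")
    return notes
```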


#11 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:05:07 PM

Posted 22 February 2010 - 05:12 PM

Looks like we've got a tough one here.

Please download SystemScan and save it to your desktop.
  • Be aware that the file name will be randomly generated (i.e. sys95769.exe) to deceive malware which may attempt to disable it.
  • If any installed security tools (anti-virus) detects the file as malware or suspicious while downloading or attempting to run, ignore the alert and allow the download.
  • Double-click on sys*****.exe to start the tool.
  • A read before proceeding disclaimer will appear.
  • Uncheck <- Unflag the checkbox to disable updates! next to the version number at the top.
  • After reading, check the box I have read and agree. Please let me...proceed!, then click the Proceed button.
  • When SystemScan opens, click the "Unselect all" button.
  • Important: Under "Make your choice and than click...", check the boxes next to:
    • PC accounts
  • Everything else should be unchecked.
  • Click "Scan Now".
  • Another warning box will appear. Please follow the instructions and click Ok.
  • Please be patient while the scan is in progress.
  • Systemscan will scan your computer and create a folder named suspectfile on the Desktop to save its report.
  • When the scan is complete, Notepad will automatically open a log file named report.txt with the results.
  • Copy and paste the contents of report.txt in your next reply.



#12 razor49

razor49
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:11:07 AM

Posted 22 February 2010 - 07:19 PM

SystemScan - www.suspectfile.com - ver. 3.6.7 (code: holifay & bReAkdOWn)

Running on: Windows XP HOME Edition, Service Pack 3 (2600.5.1)
System directory: G:\WINDOWS
SystemScan file: G:\Documents and Settings\Todd\Desktop\sys93766.exe
Running in: User mode
Date: 2/22/2010
Time: 7:14:36 PM

Output limited to:
-PC accounts

===================== ACCOUNTS ON THIS PC =====================


Users on this computer:
Is Admin? | Username
------------------
Yes | Administrator
| Guest
| HelpAssistant (Disabled)
| SUPPORT_388945a0 (Disabled)
Yes | Todd

### users folders

19/08/2008 22:38:08 (DIR) 0 byte 552 days old -- All Users
26/11/2009 22:05:23 (DIR) 0 byte 88 days old -- Administrator
17/02/2010 23:37:47 (DIR) 0 byte 5 days old -- HelpAssistant
18/02/2010 00:21:56 (DIR) 0 byte 4 days old -- LocalService
22/02/2010 07:02:28 (DIR) 0 byte 0 days old -- NetworkService
22/02/2010 07:02:28 (DIR) 0 byte 0 days old -- Default User
22/02/2010 15:59:32 (DIR) 0 byte 0 days old -- HelpAssistant.HOME-DPI79WZ4NF
22/02/2010 16:40:23 (DIR) 0 byte 0 days old -- Todd

### startup files in users folders

G:\documents and settings\Administrator\Start Menu\Programs\Startup\desktop.ini
G:\documents and settings\All Users\Start Menu\Programs\Startup\desktop.ini
G:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
G:\documents and settings\Default User\Start Menu\Programs\Startup\desktop.ini
G:\documents and settings\HelpAssistant\Start Menu\Programs\Startup\desktop.ini
G:\documents and settings\HelpAssistant.HOME-DPI79WZ4NF\Start Menu\Programs\Startup\desktop.ini
G:\documents and settings\Todd\Start Menu\Programs\Startup\desktop.ini

==========================================
Scan completed in 0 minutes
End of report

#13 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:05:07 PM

Posted 23 February 2010 - 11:34 AM

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

CODE
Folder::
g:\documents and settings\HelpAssistant.HOME-DPI79WZ4NF
g:\documents and settings\HelpAssistant
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1833:TCP"=-
MBR::


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.



#14 razor49

razor49
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:11:07 AM

Posted 23 February 2010 - 07:05 PM

ComboFix 10-02-21.02 - Todd 02/23/2010 18:04:19.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.255.90 [GMT -5:00]
Running from: g:\documents and settings\Todd\Desktop\ComboFix.exe
Command switches used :: g:\documents and settings\Todd\Desktop\CFScript.txt
AV: iolo AntiVirus® *On-access scanning disabled* (Updated) {2565CEEE-6BDB-4A6D-AD6D-F682F2695014}
.

((((((((((((((((((((((((( Files Created from 2010-01-23 to 2010-02-23 )))))))))))))))))))))))))))))))
.

2010-02-20 15:20 . 2010-02-20 15:21 -------- d-----w- G:\rsit
2010-02-18 05:54 . 2010-02-18 05:54 -------- d-----w- g:\documents and settings\HelpAssistant.HOME-DPI79WZ4NF\UserData
2010-02-18 05:54 . 2010-02-18 05:54 -------- d-----w- g:\documents and settings\HelpAssistant.HOME-DPI79WZ4NF\PrivacIE
2010-02-18 05:52 . 2010-02-18 05:52 -------- d-----w- g:\documents and settings\HelpAssistant.HOME-DPI79WZ4NF\IETldCache
2010-02-18 05:52 . 2010-02-18 05:52 -------- d-----w- g:\documents and settings\HelpAssistant.HOME-DPI79WZ4NF\IECompatCache
2010-02-18 05:21 . 2010-01-06 20:56 1521 ----a-w- g:\documents and settings\Todd\Application Data\iolo\Registry\Working\restore.bat
2010-02-18 03:58 . 2010-02-18 07:01 -------- d-----w- G:\found.001
2010-02-16 02:46 . 2010-02-16 02:46 -------- d-----w- g:\documents and settings\Todd\Application Data\Yahoo!
2010-02-16 02:46 . 2010-02-18 03:30 -------- d-----w- g:\program files\Yahoo!
2010-02-16 02:46 . 2010-02-16 02:46 -------- d-----w- g:\program files\CCleaner
2010-02-16 02:26 . 2010-02-20 15:21 -------- d-----w- g:\program files\Trend Micro
2010-02-13 22:46 . 2010-02-13 22:46 -------- d-----w- g:\documents and settings\Todd\Application Data\Uniblue
2010-02-08 19:24 . 2010-02-08 19:24 -------- d-----w- g:\documents and settings\HelpAssistant\UserData
2010-02-08 19:24 . 2010-02-08 19:24 -------- d-----w- g:\documents and settings\HelpAssistant\PrivacIE
2010-02-08 19:20 . 2010-02-08 20:22 -------- d-----w- g:\documents and settings\HelpAssistant\IECompatCache
2010-02-08 19:20 . 2010-02-08 19:20 -------- d-----w- g:\documents and settings\HelpAssistant\IETldCache
2010-02-07 01:06 . 2010-02-07 01:06 -------- d-----w- g:\documents and settings\All Users\Application Data\PopCap
2010-02-02 01:37 . 2010-02-02 01:37 -------- d--h--w- g:\windows\PIF
2010-02-01 23:38 . 2010-02-19 01:40 -------- d-----w- g:\documents and settings\Todd\Local Settings\Application Data\mreibs

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-23 22:58 . 2008-08-27 01:10 -------- d-----w- g:\documents and settings\All Users\Application Data\iolo
2010-02-18 03:41 . 2008-08-20 03:56 -------- d--h--w- g:\program files\InstallShield Installation Information
2010-02-18 03:26 . 2008-08-27 02:53 -------- d-----w- g:\program files\Google
2010-02-17 23:16 . 2008-08-27 01:35 518 ----a-w- g:\documents and settings\Todd\Application Data\iolo\Registry\Last\restore.bat
2010-02-16 06:31 . 2008-08-27 01:35 1521 ----a-w- g:\documents and settings\Todd\Application Data\iolo\restore.bat
2010-02-16 01:15 . 2008-08-27 01:15 -------- d-----w- g:\program files\iolo
2010-02-14 14:16 . 2008-08-27 03:19 -------- d-----w- g:\documents and settings\Todd\Application Data\LimeWire
2010-02-09 22:02 . 2009-11-04 05:49 93096 ----a-w- g:\windows\system32\IncContxMenu.dll
2010-02-09 22:01 . 2009-11-04 05:49 2164648 ----a-w- g:\windows\system32\Incinerator.dll
2010-02-03 19:13 . 2009-11-09 08:40 518 ----a-w- g:\documents and settings\LocalService\Application Data\iolo\Registry\Last\restore.bat
2010-02-02 03:09 . 2008-11-06 02:49 -------- d-----w- g:\program files\Malwarebytes' Anti-Malware
2010-02-02 03:09 . 2009-11-27 16:11 5115824 ----a-w- g:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-28 22:13 . 2009-11-04 05:49 30208 ----a-w- g:\windows\system32\iolobtdfg.exe
2010-01-28 22:13 . 2009-11-04 05:49 12288 ----a-w- g:\windows\system32\smrgdf.exe
2010-01-07 21:07 . 2008-11-06 02:49 38224 ----a-w- g:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07 . 2008-11-06 02:49 19160 ----a-w- g:\windows\system32\drivers\mbam.sys
2010-01-03 16:38 . 2008-09-12 22:35 -------- d-----w- g:\program files\Common Files\AOL
2009-12-31 16:50 . 2001-08-18 12:00 353792 ----a-w- g:\windows\system32\drivers\srv.sys
2009-12-23 14:48 . 2009-11-18 14:45 1119 ----a-w- g:\documents and settings\LocalService\Application Data\iolo\restore.bat
2009-12-21 19:14 . 2001-08-18 12:00 916480 ------w- g:\windows\system32\wininet.dll
2009-12-16 18:43 . 2008-08-20 03:34 343040 ----a-w- g:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2001-08-18 12:00 33280 ----a-w- g:\windows\system32\csrsrv.dll
2009-12-08 19:27 . 2001-08-18 12:00 2189184 ------w- g:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2001-08-17 13:48 2066048 ------w- g:\windows\system32\ntkrnlpa.exe
2009-12-04 18:22 . 2001-08-18 12:00 455424 ----a-w- g:\windows\system32\drivers\mrxsmb.sys
2009-11-27 17:11 . 2001-08-18 12:00 1291776 ----a-w- g:\windows\system32\quartz.dll
2009-11-27 17:11 . 2001-08-17 22:36 17920 ----a-w- g:\windows\system32\msyuv.dll
2009-11-27 16:07 . 2001-08-18 12:00 28672 ----a-w- g:\windows\system32\msvidc32.dll
2009-11-27 16:07 . 2001-08-17 22:36 8704 ----a-w- g:\windows\system32\tsbyuv.dll
2009-11-27 16:07 . 2001-08-18 12:00 84992 ----a-w- g:\windows\system32\avifil32.dll
2009-11-27 16:07 . 2001-08-18 12:00 11264 ----a-w- g:\windows\system32\msrle32.dll
2009-11-27 16:07 . 2001-08-17 22:36 48128 ----a-w- g:\windows\system32\iyuv_32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="g:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"swg"="g:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-29 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="g:\windows\system32\NvCpl.dll" [2003-07-28 4841472]
"nwiz"="nwiz.exe" [2003-07-28 323584]
"iolo AntiVirus"="g:\program files\iolo\AntiVirus\ioloAV.exe" [2008-03-05 1095520]
"SystemGuardAlerter"="g:\program files\iolo\System Mechanic\SystemGuardAlerter.exe" [2010-02-09 489896]

g:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - g:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoFileSharing"= 1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ "autocheck autochk *"\0autocheck smrgdf g:\documents and settings\LocalService\Application Data\iolo\

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"g:\\Program Files\\LimeWire\\LimeWire.exe"=


--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv
.
Contents of the 'Scheduled Tasks' folder

2010-02-20 g:\windows\Tasks\AppleSoftwareUpdate.job
- g:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-02-23 g:\windows\Tasks\Google Software Updater.job
- g:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-08-27 02:14]

2010-02-23 g:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- g:\program files\Google\Update\GoogleUpdate.exe [2009-08-04 04:13]

2010-02-23 g:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- g:\program files\Google\Update\GoogleUpdate.exe [2009-08-04 04:13]

2010-02-23 g:\windows\Tasks\User_Feed_Synchronization-{CB6942EA-8A04-446A-9506-836B3F88626C}.job
- g:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/webhp?hl=en
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
LSP: g:\windows\system32\iavlsp.dll
DPF: {FFD85DC8-5261-4D11-B728-F7C59D911691} - hxxp://www.iolo.com/app/ocx/UpgradeVerify.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-23 18:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(576)
g:\windows\system32\iavlsp.dll

- - - - - - - > 'explorer.exe'(2964)
g:\windows\system32\WININET.dll
g:\program files\iolo\Common\Lib\sguard.dll
g:\progra~1\WINDOW~3\wmpband.dll
g:\windows\system32\ieframe.dll
g:\windows\system32\webcheck.dll
g:\windows\system32\WPDShServiceObj.dll
g:\windows\system32\PortableDeviceTypes.dll
g:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
g:\program files\Common Files\Authentium\AntiVirus\dvpapi.exe
g:\program files\iolo\common\lib\ioloServiceManager.exe
g:\program files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
g:\program files\iolo\System Mechanic\IoloSGCtrl.exe
g:\windows\system32\nvsvc32.exe
g:\windows\system32\msiexec.exe
g:\program files\iolo\AntiVirus\iAVEmailScanner.exe
.
**************************************************************************
.
Completion time: 2010-02-23 18:50:21 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-23 23:50
ComboFix2.txt 2010-02-23 20:36
ComboFix3.txt 2010-02-22 21:30
ComboFix4.txt 2010-02-22 12:02

Pre-Run: 9,038,897,152 bytes free
Post-Run: 9,005,490,176 bytes free

- - End Of File - - 1DB59E3C3038B0AB2B7BC4289132A82A


#15 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:05:07 PM

Posted 24 February 2010 - 11:07 AM

It appears you ran ComboFix twice for some reason. Please post the contents of this log: C:\Quobox\ComboFix2.txt





