Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Win32: Rootkit-gen(rtk)


  • This topic is locked This topic is locked
20 replies to this topic

#1 friarduck

friarduck

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pacific Northwest
  • Local time:03:33 AM

Posted 02 March 2010 - 09:58 PM

I found this site by searching for win32: Rootkit.gen(rtk). I followed the instructions that were directed to another member, and I seem to be free of the malware at this time. I have bookmarked this site, and feel it is a very important project. As I am sure I may need it again, and I am currently unemployed, (hopefully my assignment tomorrow will lead to a permanent situation), as soon as possible, I will contribute what I can.

I used Combofix, apparently, I was massively infected.

THANK YOU!

p.s. infection was identified by Avast directly after the last database update File name was xsrglu.tmp

I run with Windows XP Home Edition, Internet Explorer 8, Avast AV home version, Yahoo Messenger. These are the apps that are normally always active.

The symptoms started with various blue screen crashes, various error codes, but usually pointed to my sound driver. (I didn't get them frequently, but occured mainly in flash applications) As it progressed, it would stop the sound driver during boot up, and when I found your site it had progressed to not being able run flash applications. Java would run fine. I would like to verify that my machine is clean and whether or not I need to do any cleanup operations.

ComboFix 10-03-01.03 - Howard 03/02/2010 1:31.2.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.508 [GMT -8:00]
Running from: c:\documents and settings\Howard.MUNROES\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 100301-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\docume~1\HOWARD~1.MUN\LOCALS~1\Temp\install_flash_player.exe
c:\docume~1\HOWARD~1.MUN\LOCALS~1\Temp\tmp1.tmp
c:\docume~1\HOWARD~1.MUN\LOCALS~1\Temp\tmp2.tmp
c:\docume~1\HOWARD~1.MUN\LOCALS~1\Temp\xsrglu.tmp
c:\documents and settings\Howard.MUNROES\Local Settings\Temp\xsrglu.tmp
C:\Logo.sys
c:\windows\desktop
c:\windows\desktop\Fish.scr
c:\windows\Downloaded Program Files\popcaploader.dll
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\audio\music\mainmenumusic.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\audio\sfx\areabomb.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\audio\sfx\beetlezap.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\audio\sfx\bonusrow.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\audio\sfx\bonustimer.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\audio\sfx\bucketfilled.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\audio\sfx\clearpyramid.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\audio\sfx\cleartriangle1a.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\audio\sfx\cleartriangle1b.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\audio\sfx\cleartriangle1c.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\audio\sfx\cleartriangle2a.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\audio\sfx\cleartriangle2b.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\audio\sfx\cleartriangle2c.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\audio\sfx\colorchain.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\audio\sfx\dialogbox.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\audio\sfx\drumbeat.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\audio\sfx\fillrow.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\audio\sfx\gateopen.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\audio\sfx\helptip.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\audio\sfx\powerup.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\audio\sfx\rotateboardleft.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\audio\sfx\timerup.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\audio\sfx\warning.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\audio\sfx\warning2.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\backgrounds\artifacts-bb.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\backgrounds\bar.jpg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\backgrounds\chamber0.jpg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\backgrounds\chamber1.jpg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\backgrounds\circledoor.jpg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\backgrounds\full_screen_dialog.jpg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\backgrounds\global-hs-bb_large.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\backgrounds\global-hs-bb_small.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\backgrounds\help-bb_large.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\backgrounds\help-bb_small.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\backgrounds\hexfield.jpg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\backgrounds\hidden-artifact_icon.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\backgrounds\large_dialog.jpg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\backgrounds\local-hs-bb.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\backgrounds\mainmenu.jpg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\backgrounds\small_dialog.jpg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\backgrounds\textfield.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\backgrounds\trifield.jpg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\beetles\beetlehover1.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\beetles\beetlehover2.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\beetles\beetlehover3.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\beetles\beetlehover4.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\beetles\beetleshock1.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\beetles\beetleshock2.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\beetles\beetleshock3.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\beetles\beetleshock4.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\beetles\beetletatoo.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\beetles\dirt.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\beetles\scarabpost.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\beetles\scarabpostovr.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\beetles\tritop.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\buttons\arrowdown_down.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\buttons\arrowdown_over.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\buttons\arrowdown_up.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\buttons\arrowleft_down.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\buttons\arrowleft_over.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\buttons\arrowleft_up.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\buttons\arrowright_down.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\buttons\arrowright_over.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\buttons\arrowright_up.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\buttons\arrowup_down.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\buttons\arrowup_over.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\buttons\arrowup_up.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\buttons\bluearrowleft_down.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\buttons\bluearrowleft_over.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\buttons\bluearrowleft_up.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\buttons\bluearrowright_down.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\buttons\bluearrowright_over.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\buttons\bluearrowright_up.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\buttons\checkdown.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\buttons\checkup.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\buttons\long_button_down.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\buttons\long_button_over.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\buttons\long_button_up.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\buttons\orange-button_down.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\buttons\orange-button_over.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\buttons\orange-button_up.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\buttons\rotleft_down.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\buttons\rotleft_over.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\buttons\rotleft_up.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\buttons\rotright_down.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\buttons\rotright_over.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\buttons\rotright_up.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\buttons\simplebutton_down.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\buttons\simplebutton_over.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\buttons\simplebutton_up.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\buttons\sliderknob.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\buttons\sliderknobover.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\buttons\sliderrail.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\characters\anwar\look\pl0001.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\characters\bast\look\bl0001.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\characters\kristine\look\kl0001.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\crackedstopper.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\cursor.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\doorlights.txt
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\fonts\jackarmstrong.mvec
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\fonts\lithos.mvec
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\greybomb.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\helptips\arrowkeys.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\helptips\helptip.jpg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\levels\levels.dat
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\models\disk.mesh
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\models\equilateraltriangle.mesh
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\models\flattri.mesh
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\models\pyramid.mesh
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\models\quad.mesh
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\models\rotatingpyramid.mesh
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\models\scarabpanel.mesh
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\p1icon.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\scenes\page1-0.xml
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\scenes\page1-1.xml
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\scenes\panel1-0-1.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\scenes\panel1-1-1.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\scorecloud.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\setup.xml
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\sfx\areashockwave.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\sfx\bolt_1.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\sfx\bolt_2.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\sfx\bolt_3.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\sfx\bolt_4.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\sfx\bolt_starter.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\sfx\bolt_tail.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\sfx\flash.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\sfx\rubble.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\sfx\smoke.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\sfx\smoke2.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\sfx\smoke3.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\splash\aol_logo.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\splash\playfirst_logo.jpg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\statues\statue0\snake_dirty.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\statues\statue1\arm01_dirty.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\statues\statue1\mask01_1.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\statues\statue1\statue01_dirty.jpg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\stopper.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\timer.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\timerglow.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\timericon.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\tm.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\trails\mouseblue1.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\trails\mouseblue2.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\trails\mouseblue3.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\trails\mousegreen1.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\trails\mousegreen2.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\trails\mousegreen3.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\trails\mousered1.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\trails\mousered2.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\trails\mousered3.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\trails\mouseyellow1.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\trails\mouseyellow2.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\trails\mouseyellow3.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\triangles\areabomb.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\triangles\areabombrollover.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\triangles\blue.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\triangles\bluerollover.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\triangles\boardfill.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\triangles\brick.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\triangles\brick1.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\triangles\brick2.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\triangles\brick3.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\triangles\bricktip.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\triangles\clearanim\cleared1.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\triangles\clearanim\cleared2.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\triangles\clearanim\cleared3.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\triangles\clearanim\cleared4.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\triangles\clearanim\cleared5.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\triangles\clearanim\cleared6.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\triangles\eye1.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\triangles\eye2.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\triangles\eye3.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\triangles\eye4.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\triangles\green.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\triangles\greenrollover.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\triangles\plain_tri-blue.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\triangles\plain_tri-bluerollover.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\triangles\plain_tri-green.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\triangles\plain_tri-greenrollover.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\triangles\plain_tri-red.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\triangles\plain_tri-redrollover.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\triangles\plain_tri-yellow.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\triangles\plain_tri-yellowrollover.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\triangles\red.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\triangles\redrollover.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\triangles\wild.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\triangles\wildrollover.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\triangles\yellow.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\triangles\yellowrollover.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\upsell\image0.jpg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\upsell\image1.jpg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\upsell\image2.jpg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\upsell\image3.jpg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\urns\bluebucket.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\urns\buckettriangle.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\urns\chainlink.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\urns\chaintip.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\urns\genericbucket.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\urns\greenbucket.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\urns\redbucket.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\urns\smallblue.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\urns\smallgreen.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\urns\smallred.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\urns\smallyellow.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\urns\urnglow.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\urns\urnplatform.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\urns\yellowbucket.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\warning.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\screens\error.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\screens\game.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\screens\gameover.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\screens\hiscore.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\screens\hiscoreinfo.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\screens\hiscoresubmit.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\screens\instructions.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\screens\leveldesign.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\screens\levelover.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\screens\mainarcade.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\screens\mainconfirm.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\screens\maincontinue.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\screens\maingames.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\screens\mainpuzzle.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\screens\maphelptip.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\screens\options.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\screens\pause.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\screens\quitconfirm.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\screens\start.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\screens\storyplayer.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\screens\style.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\screens\upsell.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\strings.xml
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\TriJinx.exe
c:\windows\EventSystem.log
c:\windows\system32\Data
c:\windows\system32\twain.dll
c:\windows\system32\twain_32.dll

-- Previous Run --

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

--------

.
((((((((((((((((((((((((( Files Created from 2010-02-02 to 2010-03-02 )))))))))))))))))))))))))))))))
.

2010-03-02 08:53 . 2008-04-14 01:12 50176 ----a-w- c:\windows\system32\proquota.exe
2010-03-02 08:53 . 2008-04-14 01:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2010-03-01 08:03 . 2010-03-01 08:03 -------- d-----w- c:\documents and settings\Howard.MUNROES\Local Settings\Application Data\Temp
2010-03-01 08:03 . 2010-03-01 08:03 -------- d-----w- c:\documents and settings\Howard.MUNROES\Local Settings\Application Data\Google
2010-03-01 08:03 . 2010-03-01 08:03 -------- d-----w- c:\documents and settings\Howard.MUNROES\Local Settings\Application Data\Deployment
2010-02-12 03:27 . 2010-02-12 03:27 -------- d-----w- C:\FOUND.021
2010-02-04 04:24 . 2010-02-04 04:24 -------- d-----w- C:\FOUND.020

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-24 17:16 . 2009-10-02 23:59 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-10 07:06 . 2005-10-10 08:41 2097 ----a-w- c:\windows\eReg.dat
2010-01-23 02:04 . 2010-01-23 02:04 262144 ----a-w- C:\ntuser.dat
2009-12-31 16:50 . 2001-08-23 20:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-26 18:10 . 2005-10-11 18:38 32912 ----a-w- c:\documents and settings\Howard.MUNROES\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-21 19:14 . 2004-01-08 23:23 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-16 18:43 . 2005-10-10 07:18 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2001-08-23 20:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:27 . 2001-08-23 20:00 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2001-08-17 21:48 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 18:22 . 2001-08-23 20:00 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
1999-07-22 19:14 . 1999-07-22 19:14 11079 ---ha-w- c:\program files\folder.htt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-27 3883856]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-03 102400]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe" [2008-01-04 202024]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2009-11-10 5244216]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
"Google Update"="c:\documents and settings\Howard.MUNROES\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-03-01 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSUSBRG"="c:\windows\SiSUSBrg.exe" [2002-07-13 106496]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-11-25 98304]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"YMailAdvisor"="c:\program files\Yahoo!\Common\YMailAdvisor.exe" [2008-06-05 125208]
"EW Message Server"="msg32.exe" [2004-09-30 45056]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"NBKeyScan"="c:\program files\Nero\Nero BackItUp 4\NBKeyScan.exe" [2008-12-05 2254120]
"HTpatch"="c:\windows\htpatch.exe" [2002-10-31 28672]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-03 45056]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2008-06-10 1442888]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
"SoundMan"="SOUNDMAN.EXE" [2006-08-03 577536]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\WINDOWS\\System32\\mmc.exe"=
"d:\\Program Files\\Alias\\Maya 6.0 Personal Learning Edition\\bin\\maya.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Infogrames Interactive\\Scrabble Complete\\ScrabbleComplete.exe"=
"c:\\WINDOWS\\System32\\dplaysvr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [4/13/2008 10:50 AM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/13/2008 10:50 AM 20560]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [9/15/2009 2:21 PM 54752]
R2 tgsrvc_providercomcast;SupportSoft Repair Service (providercomcast);c:\program files\providerComcast\bin\tgsrvc.exe [5/2/2008 12:40 PM 148768]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
R3 EWAVE;EWAVE;c:\windows\system32\drivers\ew.sys [2/10/2007 12:59 AM 1693344]
R3 NSTATION;NSTATION;c:\windows\system32\drivers\NSTATION.sys [2/10/2007 12:59 AM 19808]
S3 EMUXMIDI;E-MU Xmidi Driver;c:\windows\system32\DRIVERS\EMUXMIDI.sys --> c:\windows\system32\DRIVERS\EMUXMIDI.sys [?]
S3 FILESPY;FILESPY;c:\windows\system32\drivers\FileSpy.sys [2/10/2007 12:59 AM 26992]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [8/5/2009 10:48 PM 704864]
S3 TASCAM_US122144;TASCAM USB 2.0 Audio Device driver;c:\windows\system32\drivers\tascusb2.sys [11/24/2006 6:57 PM 392864]
S3 TASCAM_US144_MIDI;TASCAM US-144 WDM MIDI Device;c:\windows\system32\drivers\tscusb2m.sys [11/24/2006 6:57 PM 10688]
S3 TASCAM_US144_WDM;TASCAM US-144 WDM;c:\windows\system32\drivers\tscusb2a.sys [3/14/2007 6:51 PM 18112]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - EWAVE
*NewlyCreated* - NSTATION
*NewlyCreated* - SISPORT
*Deregistered* - SiSPort
.
Contents of the 'Scheduled Tasks' folder

2010-03-02 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 02:20]

2009-12-26 c:\windows\Tasks\Microsoft_Hardware_Launch_IType_exe.job
- c:\program files\Microsoft IntelliType Pro\itype.exe [2008-06-10 19:56]

2010-03-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-299502267-963894560-839522115-1004Core.job
- c:\documents and settings\Howard.MUNROES\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-01 08:03]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
IE: &AOL Toolbar search
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Visit in &3D using ExitReality - http://3d.exitreality.com/TransmogrifyPage.htm
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
DPF: {226ACC34-3194-40E2-9AE8-834FCFE9E80D} - hxxp://aolsvc.aol.com/onlinegames/free-trial-mystery-of-shark-island/MysteryOfSharkIslandWeb.1.0.0.8.cab
DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} - hxxp://aolsvc.aol.com/onlinegames/trytrijinx/TriJinx.1.0.0.58.cab
DPF: {775879E2-7309-4619-BB02-AADE41F4B690} - hxxp://aolsvc.aol.com/onlinegames/free-trial-dream-chronicles/dreamweb.1.0.0.9.cab
DPF: {7D731A83-6C80-4EA4-9646-5E06A0513274} - hxxp://www.shockwave.com/content/ballistik/sis/slgwebinstall.cab
DPF: {87056D28-9730-4A47-B9F9-7E890B62C58A} - hxxp://aolsvc.aol.com/onlinegames/ghtumblebugs/axhost.cab
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://aolsvc.aol.com/onlinegames/tryaces/zylomgamesplayer.cab
DPF: {D410AFBD-4E26-4D5F-840F-0412D6F6BB8D} - hxxp://cdn.ll.neoedge.com/webgames/SandScript/SandScript.1.0.0.21.cab
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKLM-Run-EPSON Stylus C66 Series (Copy 1) - c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2S1.EXE
HKLM-Run-EPSON Stylus C66 Series - c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2S1.EXE
HKLM-Run-Auto EPSON Stylus C66 Series on OWNER-OBZDW5W2Y - c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2S1.EXE
AddRemove-Marine Aquarium 2, Sharks & Carousel Bundle - c:\program files\Prolific Publishing



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-02 01:37
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HTpatch = c:\windows\htpatch.exe?ows\CurrentVersion\Run?t?HLP?]??Z???????Z???Z???????????????? ??Z???Z8Q?????Z$??????Z????????????{??Z???????????Z$?G~????(????~B~??G~?????~B~??G~???Z@???????d??????Z%??Zx??Zd??????Z,>?Z???Zv?B~Z|?Z{3?Z?2?Z????st.I????G??Z????d????<?Z?I?Z

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(500)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3104)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-03-02 01:39:11
ComboFix-quarantined-files.txt 2010-03-02 09:39

Pre-Run: 66,408,546,304 bytes free
Post-Run: 66,358,607,872 bytes free

Current=2 Default=2 Failed=1 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - A837259595539679C0E20D94E76CDF4A

Edited by Orange Blossom, 02 March 2010 - 10:51 PM.
Move to log forum. ~ OB

You know you're getting old when the classic rock station doesn't play your classic rock anymore

BC AdBot (Login to Remove)

 


#2 friarduck

friarduck
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pacific Northwest
  • Local time:03:33 AM

Posted 03 March 2010 - 03:38 AM

I found this site by searching for win32: Rootkit.gen(rtk). I followed the instructions that were directed to another member, and I seem to be free of the malware at this time. I have bookmarked this site, and feel it is a very important project. As I am sure I may need it again, and I am currently unemployed, (hopefully my assignment tomorrow will lead to a permanent situation), as soon as possible, I will contribute what I can.

I used Combofix, and I can supply a log if needed. Apparently, I was massively infected.

THANK YOU!

p.s. infection was identified by Avast directly after the last database update File name was xsrglu.tmp

As per instructions by Orange Blossom I have taken the necessary steps and am posting my logs.

DDS (Ver_09-12-01.01) - FAT32x86
Run by Howard at 0:02:12.07 on Wed 03/03/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.442 [GMT -8:00]

AV: avast! antivirus 4.8.1368 [VPS 100302-1] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Yahoo!\Common\YMailAdvisor.exe
C:\WINDOWS\system32\msg32.exe
C:\WINDOWS\htpatch.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\WINDOWS\SOUNDMAN.EXE
SVCHOST.EXE
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Documents and Settings\Howard.MUNROES\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\infocard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\Program Files\Nero\Nero BackItUp 4\IoctlSvc.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\providerComcast\bin\tgsrvc.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Documents and Settings\Howard.MUNROES\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Howard.MUNROES\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Howard.MUNROES\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Howard.MUNROES\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.freeart1cile.com
mStart Page = hxxp://www.yahoo.com
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\progra~1\yahoo!\common\yhexbmesus.dll
uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Creative Detector] c:\program files\creative\mediasource\detector\CTDetect.exe /R
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMBgMonitor.exe"
uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [Google Update] "c:\documents and settings\howard.munroes\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Firewall Administrating] c:\windows\infocard.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SiSUSBRG] c:\windows\SiSUSBrg.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [YMailAdvisor] "c:\program files\yahoo!\common\YMailAdvisor.exe"
mRun: [EW Message Server] msg32.exe
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [NBKeyScan] "c:\program files\nero\nero backitup 4\NBKeyScan.exe"
mRun: [HTpatch] c:\windows\htpatch.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Firewall Administrating] c:\windows\infocard.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: &AOL Toolbar search
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Visit in &3D using ExitReality - http://3d.exitreality.com/TransmogrifyPage.htm
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {00000055-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/fhg.CAB
DPF: {0D6709DD-4ED8-40CA-B459-2757AEEF7BEE} - hxxp://download.gigabyte.com.tw/object/Dldrv.ocx
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {226ACC34-3194-40E2-9AE8-834FCFE9E80D} - hxxp://aolsvc.aol.com/onlinegames/free-trial-mystery-of-shark-island/MysteryOfSharkIslandWeb.1.0.0.8.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} - hxxp://aolsvc.aol.com/onlinegames/trytrijinx/TriJinx.1.0.0.58.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper200711281.dll
DPF: {38A5F6F0-0B64-421B-A553-3D49A76ECDCD} - hxxp://cdn.ll.neoedge.com/webgames/MythicMarbles/MythicMarbles.1.0.0.2.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {49E67060-2C0D-415E-94C7-52A49F73B2F1} - hxxp://zone.msn.com/bingame/pppp/default/PiratePoppers.1.0.0.39.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase1140.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1129049616529
DPF: {775879E2-7309-4619-BB02-AADE41F4B690} - hxxp://aolsvc.aol.com/onlinegames/free-trial-dream-chronicles/dreamweb.1.0.0.9.cab
DPF: {7D731A83-6C80-4EA4-9646-5E06A0513274} - hxxp://www.shockwave.com/content/ballistik/sis/slgwebinstall.cab
DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} - hxxp://zone.msn.com/bingame/amun/default/mjolauncher.cab
DPF: {87056D28-9730-4A47-B9F9-7E890B62C58A} - hxxp://aolsvc.aol.com/onlinegames/ghtumblebugs/axhost.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} - hxxp://cdn2.zone.msn.com/binframework/v10/ZAxRcMgr.cab31267.cab
DPF: {ABB660B6-6694-407B-950A-EDBA5A159722} - hxxp://download.games.yahoo.com/games/web_games/sony/davinci/DVCDownloadControl.cab
DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - hxxp://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {BE319D04-18BD-4B34-AECC-EE7CB610FCA9} - hxxp://download.games.yahoo.com/games/web_games/sony/bewitched/main.cab
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://aolsvc.aol.com/onlinegames/tryaces/zylomgamesplayer.cab
DPF: {C7E002D6-324B-4500-883D-84B620FD8640} - hxxp://cdn2.zone.msn.com/Bingame/BRDG/dataFiles_64916/heartbeat.cab
DPF: {C86FF4B0-AA1D-46D4-8612-025FB86583C7} - hxxp://zone.msn.com/bingame/jobo/default/AstoundLauncher.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D410AFBD-4E26-4D5F-840F-0412D6F6BB8D} - hxxp://cdn.ll.neoedge.com/webgames/SandScript/SandScript.1.0.0.21.cab
DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} - hxxp://zone.msn.com/bingame/feed/default/SproutLauncher.cab
DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} - hxxp://zone.msn.com/bingame/shpo/default/shapo.cab
DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} - hxxp://zone.msn.com/bingame/hsol/default/SCEWebLauncher.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://zone.msn.com/bingame/popcaploader_v10.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FC4CAF5F-91BD-4DD9-ADC1-F3C737E37BC4} - hxxp://zone.msn.com/bingame/swet/default/Sweetopia.1.0.0.46.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-4-13 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-4-13 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2005-10-11 138680]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-9-15 54752]
R2 tgsrvc_providercomcast;SupportSoft Repair Service (providercomcast);c:\program files\providercomcast\bin\tgsrvc.exe [2008-5-2 148768]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2005-10-11 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2005-10-11 352920]
R3 EWAVE;EWAVE;c:\windows\system32\drivers\ew.sys [2007-2-10 1693344]
R3 NSTATION;NSTATION;c:\windows\system32\drivers\NSTATION.sys [2007-2-10 19808]
S3 EMUXMIDI;E-MU Xmidi Driver;c:\windows\system32\drivers\emuxmidi.sys --> c:\windows\system32\drivers\EMUXMIDI.sys [?]
S3 FILESPY;FILESPY;c:\windows\system32\drivers\FileSpy.sys [2007-2-10 26992]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S3 TASCAM_US122144;TASCAM USB 2.0 Audio Device driver;c:\windows\system32\drivers\tascusb2.sys [2006-11-24 392864]
S3 TASCAM_US144_MIDI;TASCAM US-144 WDM MIDI Device;c:\windows\system32\drivers\tscusb2m.sys [2006-11-24 10688]
S3 TASCAM_US144_WDM;TASCAM US-144 WDM;c:\windows\system32\drivers\tscusb2a.sys [2007-3-14 18112]

=============== Created Last 30 ================

2010-03-03 07:57:17 0 ----a-w- c:\documents and settings\howard.munroes\defogger_reenable
2010-03-03 03:05:30 0 d-sh--w- C:\Recycled
2010-03-03 03:01:32 103565 --sh--r- c:\windows\infocard.exe
2010-03-02 09:30:52 0 d-----w- C:\ComboFix
2010-03-02 08:53:49 50176 ----a-w- c:\windows\system32\proquota.exe
2010-03-02 08:53:49 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2010-03-02 08:42:32 0 d-sha-r- C:\cmdcons
2010-03-02 08:41:28 98816 ----a-w- c:\windows\sed.exe
2010-03-02 08:41:28 77312 ----a-w- c:\windows\MBR.exe
2010-03-02 08:41:28 261632 ----a-w- c:\windows\PEV.exe
2010-03-02 08:41:28 161792 ----a-w- c:\windows\SWREG.exe
2010-02-12 03:27:32 0 d-----w- C:\FOUND.021
2010-02-04 04:24:48 0 d-----w- C:\FOUND.020

==================== Find3M ====================

2010-02-24 17:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-10 07:06:34 2097 ----a-w- c:\windows\eReg.dat
2010-01-23 02:04:10 262144 ----a-w- C:\ntuser.dat
2009-12-31 16:50:04 353792 ------w- c:\windows\system32\dllcache\srv.sys
2009-12-21 13:19:18 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2009-12-16 18:43:28 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-16 18:43:28 343040 ------w- c:\windows\system32\dllcache\mspaint.exe
2009-12-14 07:08:24 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-14 07:08:24 33280 ------w- c:\windows\system32\dllcache\csrsrv.dll
2009-12-09 05:53:44 726528 ----a-w- c:\windows\system32\dllcache\jscript.dll
2009-12-08 19:27:52 2189184 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 19:27:52 2189184 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-12-08 19:26:16 2145280 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-12-08 18:43:52 2023936 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-12-08 18:43:50 2066048 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-08 18:43:50 2066048 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-12-08 09:23:28 474112 ------w- c:\windows\system32\dllcache\shlwapi.dll
2009-12-04 18:22:22 455424 ------w- c:\windows\system32\dllcache\mrxsmb.sys
1999-07-22 19:14:58 266 --sh--w- c:\program files\desktop.ini
1999-07-22 19:14:58 11079 ---ha-w- c:\program files\folder.htt
2008-08-19 22:46:30 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008081920080820\index.dat

============= FINISH: 0:02:44.70 ===============

Attached Files


Edited by Orange Blossom, 03 March 2010 - 07:07 PM.
Merged topics. ~ OB

You know you're getting old when the classic rock station doesn't play your classic rock anymore

#3 friarduck

friarduck
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pacific Northwest
  • Local time:03:33 AM

Posted 04 March 2010 - 02:13 AM

thank you for getting me to the right place OB
You know you're getting old when the classic rock station doesn't play your classic rock anymore

#4 friarduck

friarduck
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pacific Northwest
  • Local time:03:33 AM

Posted 05 March 2010 - 05:54 AM

While waiting for this issue to be reviewed, I received a yahoo messenger message from a former workmate of mine asking me to look at a family photo with a link to a legitimate looking facebook page. When clicked, it redirected to an unidentified Myspace location and promptly tried to install six cookies. I blocked them, but it still installed a variant of win32:malware-gen it was found in file TRZ33A.tmp and it immediately opened a permanent port connection via infocard.exe. Since I felt this was a very serious security threat, I did a boot scan with Avast, and it also found an instance in my restore. Since this is the case, I feel I may need to redo all scans and reset a new restore point. Please advise.


===========

Hello

While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large as are other comparable sites that help others with malware issues. Although our HJT Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members.

Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level attempted removal could result in disastrous results. In other instances, the helper may not be familiar with the operating system that you are using, since they use another. In either case, neither of us want someone to assist you who is not familiar with your issue and attempt to fix it.

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the Malware Response Team. The reason we ask this or do not respond to your requests is because that would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not multiple post here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take several days, up to more than a week, perhaps less, to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

Thank you for understanding.

Elise - forum moderator

Edited by elise025, 05 March 2010 - 08:06 AM.

You know you're getting old when the classic rock station doesn't play your classic rock anymore

#5 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:11:33 AM

Posted 07 March 2010 - 04:55 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE



Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
regards,
schrauber

Posted Image
Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware Posted Image

#6 friarduck

friarduck
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pacific Northwest
  • Local time:03:33 AM

Posted 07 March 2010 - 03:16 PM

Here are the results from new scans:


DDS (Ver_09-12-01.01) - FAT32x86
Run by Howard at 11:43:06.60 on Sun 03/07/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.606 [GMT -8:00]

AV: avast! antivirus 4.8.1368 [VPS 100307-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
SVCHOST.EXE
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\Program Files\Nero\Nero BackItUp 4\IoctlSvc.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\providerComcast\bin\tgsrvc.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Yahoo!\Common\YMailAdvisor.exe
C:\WINDOWS\system32\msg32.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\htpatch.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Documents and Settings\Howard.MUNROES\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Howard.MUNROES\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://freeart1cile.com
mStart Page = hxxp://www.yahoo.com
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\progra~1\yahoo!\common\yhexbmesus.dll
uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Creative Detector] c:\program files\creative\mediasource\detector\CTDetect.exe /R
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMBgMonitor.exe"
uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [Google Update] "c:\documents and settings\howard.munroes\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SiSUSBRG] c:\windows\SiSUSBrg.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [YMailAdvisor] "c:\program files\yahoo!\common\YMailAdvisor.exe"
mRun: [EW Message Server] msg32.exe
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [NBKeyScan] "c:\program files\nero\nero backitup 4\NBKeyScan.exe"
mRun: [HTpatch] c:\windows\htpatch.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
mRun: [SoundMan] SOUNDMAN.EXE
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: &AOL Toolbar search
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Visit in &3D using ExitReality - http://3d.exitreality.com/TransmogrifyPage.htm
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {00000055-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/fhg.CAB
DPF: {0D6709DD-4ED8-40CA-B459-2757AEEF7BEE} - hxxp://download.gigabyte.com.tw/object/Dldrv.ocx
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {226ACC34-3194-40E2-9AE8-834FCFE9E80D} - hxxp://aolsvc.aol.com/onlinegames/free-trial-mystery-of-shark-island/MysteryOfSharkIslandWeb.1.0.0.8.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} - hxxp://aolsvc.aol.com/onlinegames/trytrijinx/TriJinx.1.0.0.58.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper200711281.dll
DPF: {38A5F6F0-0B64-421B-A553-3D49A76ECDCD} - hxxp://cdn.ll.neoedge.com/webgames/MythicMarbles/MythicMarbles.1.0.0.2.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {49E67060-2C0D-415E-94C7-52A49F73B2F1} - hxxp://zone.msn.com/bingame/pppp/default/PiratePoppers.1.0.0.39.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase1140.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1129049616529
DPF: {775879E2-7309-4619-BB02-AADE41F4B690} - hxxp://aolsvc.aol.com/onlinegames/free-trial-dream-chronicles/dreamweb.1.0.0.9.cab
DPF: {7D731A83-6C80-4EA4-9646-5E06A0513274} - hxxp://www.shockwave.com/content/ballistik/sis/slgwebinstall.cab
DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} - hxxp://zone.msn.com/bingame/amun/default/mjolauncher.cab
DPF: {87056D28-9730-4A47-B9F9-7E890B62C58A} - hxxp://aolsvc.aol.com/onlinegames/ghtumblebugs/axhost.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} - hxxp://cdn2.zone.msn.com/binframework/v10/ZAxRcMgr.cab31267.cab
DPF: {ABB660B6-6694-407B-950A-EDBA5A159722} - hxxp://download.games.yahoo.com/games/web_games/sony/davinci/DVCDownloadControl.cab
DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - hxxp://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {BE319D04-18BD-4B34-AECC-EE7CB610FCA9} - hxxp://download.games.yahoo.com/games/web_games/sony/bewitched/main.cab
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://aolsvc.aol.com/onlinegames/tryaces/zylomgamesplayer.cab
DPF: {C7E002D6-324B-4500-883D-84B620FD8640} - hxxp://cdn2.zone.msn.com/Bingame/BRDG/dataFiles_64916/heartbeat.cab
DPF: {C86FF4B0-AA1D-46D4-8612-025FB86583C7} - hxxp://zone.msn.com/bingame/jobo/default/AstoundLauncher.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D410AFBD-4E26-4D5F-840F-0412D6F6BB8D} - hxxp://cdn.ll.neoedge.com/webgames/SandScript/SandScript.1.0.0.21.cab
DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} - hxxp://zone.msn.com/bingame/feed/default/SproutLauncher.cab
DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} - hxxp://zone.msn.com/bingame/shpo/default/shapo.cab
DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} - hxxp://zone.msn.com/bingame/hsol/default/SCEWebLauncher.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://zone.msn.com/bingame/popcaploader_v10.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FC4CAF5F-91BD-4DD9-ADC1-F3C737E37BC4} - hxxp://zone.msn.com/bingame/swet/default/Sweetopia.1.0.0.46.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\howard~1.mun\applic~1\mozilla\firefox\profiles\7w6omho2.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\documents and settings\howard.munroes\local settings\application data\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-4-13 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-4-13 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2005-10-11 138680]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-9-15 54752]
R2 tgsrvc_providercomcast;SupportSoft Repair Service (providercomcast);c:\program files\providercomcast\bin\tgsrvc.exe [2008-5-2 148768]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 EWAVE;EWAVE;c:\windows\system32\drivers\ew.sys [2007-2-10 1693344]
R3 NSTATION;NSTATION;c:\windows\system32\drivers\NSTATION.sys [2007-2-10 19808]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2005-10-11 254040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2005-10-11 352920]
S3 EMUXMIDI;E-MU Xmidi Driver;c:\windows\system32\drivers\emuxmidi.sys --> c:\windows\system32\drivers\EMUXMIDI.sys [?]
S3 FILESPY;FILESPY;c:\windows\system32\drivers\FileSpy.sys [2007-2-10 26992]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S3 TASCAM_US122144;TASCAM USB 2.0 Audio Device driver;c:\windows\system32\drivers\tascusb2.sys [2006-11-24 392864]
S3 TASCAM_US144_MIDI;TASCAM US-144 WDM MIDI Device;c:\windows\system32\drivers\tscusb2m.sys [2006-11-24 10688]
S3 TASCAM_US144_WDM;TASCAM US-144 WDM;c:\windows\system32\drivers\tscusb2a.sys [2007-3-14 18112]

=============== Created Last 30 ================

2010-03-03 07:57:17 0 ----a-w- c:\documents and settings\howard.munroes\defogger_reenable
2010-03-03 03:05:30 0 d-sh--w- C:\Recycled
2010-03-02 09:30:52 0 d-----w- C:\ComboFix
2010-03-02 08:53:49 50176 ----a-w- c:\windows\system32\proquota.exe
2010-03-02 08:53:49 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2010-03-02 08:42:32 0 d-sha-r- C:\cmdcons
2010-03-02 08:41:28 98816 ----a-w- c:\windows\sed.exe
2010-03-02 08:41:28 77312 ----a-w- c:\windows\MBR.exe
2010-03-02 08:41:28 261632 ----a-w- c:\windows\PEV.exe
2010-03-02 08:41:28 161792 ----a-w- c:\windows\SWREG.exe
2010-02-12 03:27:32 0 d-----w- C:\FOUND.021

==================== Find3M ====================

2010-02-24 17:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-10 07:06:34 2097 ----a-w- c:\windows\eReg.dat
2010-01-23 02:04:10 262144 ----a-w- C:\ntuser.dat
2009-12-31 16:50:04 353792 ------w- c:\windows\system32\dllcache\srv.sys
2009-12-21 13:19:18 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2009-12-16 18:43:28 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-16 18:43:28 343040 ------w- c:\windows\system32\dllcache\mspaint.exe
2009-12-14 07:08:24 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-14 07:08:24 33280 ------w- c:\windows\system32\dllcache\csrsrv.dll
2009-12-09 05:53:44 726528 ----a-w- c:\windows\system32\dllcache\jscript.dll
2009-12-08 19:27:52 2189184 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 19:27:52 2189184 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-12-08 19:26:16 2145280 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-12-08 18:43:52 2023936 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-12-08 18:43:50 2066048 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-08 18:43:50 2066048 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-12-08 09:23:28 474112 ------w- c:\windows\system32\dllcache\shlwapi.dll
1999-07-22 19:14:58 266 --sh--w- c:\program files\desktop.ini
1999-07-22 19:14:58 11079 ---ha-w- c:\program files\folder.htt
2008-08-19 22:46:30 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008081920080820\index.dat

============= FINISH: 11:43:46.93 ===============

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-07 12:02:09
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\HOWARD~1.MUN\LOCALS~1\Temp\fgtdypog.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xBAE006B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xBAE00574]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xBAE00A52]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xBAE0014C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xBAE0064E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xBAE0008C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xBAE000F0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xBAE0076E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xBAE0072E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xBAE008AE]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[532] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00380002
IAT C:\WINDOWS\system32\services.exe[532] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00380000

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \FileSystem\Fastfat \Fat sisidex.sys (SISIDEX Driver/Windows ® 2000 DDK provider)
AttachedDevice \FileSystem\Fastfat \Fat sisidex.sys (SISIDEX Driver/Windows ® 2000 DDK provider)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

---- EOF - GMER 1.0.15 ----

Attached Files


You know you're getting old when the classic rock station doesn't play your classic rock anymore

#7 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:11:33 AM

Posted 08 March 2010 - 01:15 PM

Hello, friarduck
Welcome to the Bleeping Computer Forums. My name is Thomas (Tom is fine), and I will be helping you fixing your problems.

If you do not make a reply in 5 days, we will have to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Further more, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.
  • Please set your system to show all files.
    Click Start, open My Computer, select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
    Uncheck: Hide file extensions for known file types
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.





Please go here and have a look how you can disable your security software.

Download Combofix from any of the links below but rename it to before saving it to your desktop.

Link 1
Link 2



--------------------------------------------------------------------

Double click on the renamed Combofix.exe & follow the prompts.
    When finished, it will produce a report for you.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
regards,
schrauber

Posted Image
Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware Posted Image

#8 friarduck

friarduck
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pacific Northwest
  • Local time:03:33 AM

Posted 08 March 2010 - 03:07 PM

Hi Tom,

Alright, here it is, no problems with running.

ComboFix 10-03-08.01 - Howard 03/08/2010 11:46:35.3.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.513 [GMT -8:00]
Running from: c:\documents and settings\Howard.MUNROES\Desktop\schrauber.exe
AV: avast! antivirus 4.8.1368 [VPS 100308-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((( Files Created from 2010-02-08 to 2010-03-08 )))))))))))))))))))))))))))))))
.

2010-03-05 21:09 . 2010-03-05 21:09 -------- d-----w- c:\documents and settings\Howard.MUNROES\Local Settings\Application Data\Mozilla
2010-03-02 09:30 . 2010-03-02 09:30 -------- d-----w- C:\ComboFix
2010-03-02 08:53 . 2008-04-14 01:12 50176 ----a-w- c:\windows\system32\proquota.exe
2010-03-02 08:53 . 2008-04-14 01:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2010-03-01 08:03 . 2010-03-01 08:03 -------- d-----w- c:\documents and settings\Howard.MUNROES\Local Settings\Application Data\Temp
2010-03-01 08:03 . 2010-03-01 08:03 -------- d-----w- c:\documents and settings\Howard.MUNROES\Local Settings\Application Data\Google
2010-03-01 08:03 . 2010-03-01 08:03 -------- d-----w- c:\documents and settings\Howard.MUNROES\Local Settings\Application Data\Deployment
2010-02-12 03:27 . 2010-02-12 03:27 -------- d-----w- C:\FOUND.021

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-24 17:16 . 2009-10-02 23:59 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-10 07:06 . 2005-10-10 08:41 2097 ----a-w- c:\windows\eReg.dat
2010-01-23 02:04 . 2010-01-23 02:04 262144 ----a-w- C:\ntuser.dat
2009-12-31 16:50 . 2001-08-23 20:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-26 18:10 . 2005-10-11 18:38 32912 ----a-w- c:\documents and settings\Howard.MUNROES\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-21 19:14 . 2004-01-08 23:23 916480 ------w- c:\windows\system32\wininet.dll
2009-12-16 18:43 . 2005-10-10 07:18 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2001-08-23 20:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
1999-07-22 19:14 . 1999-07-22 19:14 11079 ---ha-w- c:\program files\folder.htt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-27 3883856]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-03 102400]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe" [2008-01-04 202024]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2009-11-10 5244216]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
"Google Update"="c:\documents and settings\Howard.MUNROES\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-03-01 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSUSBRG"="c:\windows\SiSUSBrg.exe" [2002-07-13 106496]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-11-25 98304]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"YMailAdvisor"="c:\program files\Yahoo!\Common\YMailAdvisor.exe" [2008-06-05 125208]
"EW Message Server"="msg32.exe" [2004-09-30 45056]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"NBKeyScan"="c:\program files\Nero\Nero BackItUp 4\NBKeyScan.exe" [2008-12-05 2254120]
"HTpatch"="c:\windows\htpatch.exe" [2002-10-31 28672]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-03 45056]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2008-06-10 1442888]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
"SoundMan"="SOUNDMAN.EXE" [2006-08-03 577536]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\WINDOWS\\System32\\mmc.exe"=
"d:\\Program Files\\Alias\\Maya 6.0 Personal Learning Edition\\bin\\maya.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Infogrames Interactive\\Scrabble Complete\\ScrabbleComplete.exe"=
"c:\\WINDOWS\\System32\\dplaysvr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [4/13/2008 10:50 AM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/13/2008 10:50 AM 20560]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [9/15/2009 2:21 PM 54752]
R2 tgsrvc_providercomcast;SupportSoft Repair Service (providercomcast);c:\program files\providerComcast\bin\tgsrvc.exe [5/2/2008 12:40 PM 148768]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
R3 EWAVE;EWAVE;c:\windows\system32\drivers\ew.sys [2/10/2007 12:59 AM 1693344]
R3 NSTATION;NSTATION;c:\windows\system32\drivers\NSTATION.sys [2/10/2007 12:59 AM 19808]
S3 EMUXMIDI;E-MU Xmidi Driver;c:\windows\system32\DRIVERS\EMUXMIDI.sys --> c:\windows\system32\DRIVERS\EMUXMIDI.sys [?]
S3 FILESPY;FILESPY;c:\windows\system32\drivers\FileSpy.sys [2/10/2007 12:59 AM 26992]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [8/5/2009 10:48 PM 704864]
S3 TASCAM_US122144;TASCAM USB 2.0 Audio Device driver;c:\windows\system32\drivers\tascusb2.sys [11/24/2006 6:57 PM 392864]
S3 TASCAM_US144_MIDI;TASCAM US-144 WDM MIDI Device;c:\windows\system32\drivers\tscusb2m.sys [11/24/2006 6:57 PM 10688]
S3 TASCAM_US144_WDM;TASCAM US-144 WDM;c:\windows\system32\drivers\tscusb2a.sys [3/14/2007 6:51 PM 18112]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - EWAVE
*NewlyCreated* - NSTATION
*NewlyCreated* - WINIO
*Deregistered* - WINIO
.
Contents of the 'Scheduled Tasks' folder

2010-03-08 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 02:20]

2009-12-26 c:\windows\Tasks\Microsoft_Hardware_Launch_IType_exe.job
- c:\program files\Microsoft IntelliType Pro\itype.exe [2008-06-10 19:56]

2010-03-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-299502267-963894560-839522115-1004Core.job
- c:\documents and settings\Howard.MUNROES\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-01 08:03]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://freeart1cile.com
mStart Page = hxxp://www.yahoo.com
IE: &AOL Toolbar search
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Visit in &3D using ExitReality - http://3d.exitreality.com/TransmogrifyPage.htm
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
DPF: {226ACC34-3194-40E2-9AE8-834FCFE9E80D} - hxxp://aolsvc.aol.com/onlinegames/free-trial-mystery-of-shark-island/MysteryOfSharkIslandWeb.1.0.0.8.cab
DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} - hxxp://aolsvc.aol.com/onlinegames/trytrijinx/TriJinx.1.0.0.58.cab
DPF: {775879E2-7309-4619-BB02-AADE41F4B690} - hxxp://aolsvc.aol.com/onlinegames/free-trial-dream-chronicles/dreamweb.1.0.0.9.cab
DPF: {7D731A83-6C80-4EA4-9646-5E06A0513274} - hxxp://www.shockwave.com/content/ballistik/sis/slgwebinstall.cab
DPF: {87056D28-9730-4A47-B9F9-7E890B62C58A} - hxxp://aolsvc.aol.com/onlinegames/ghtumblebugs/axhost.cab
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://aolsvc.aol.com/onlinegames/tryaces/zylomgamesplayer.cab
DPF: {D410AFBD-4E26-4D5F-840F-0412D6F6BB8D} - hxxp://cdn.ll.neoedge.com/webgames/SandScript/SandScript.1.0.0.21.cab
FF - ProfilePath - c:\documents and settings\Howard.MUNROES\Application Data\Mozilla\Firefox\Profiles\7w6omho2.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\documents and settings\Howard.MUNROES\Local Settings\Application Data\Google\Update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\progra~1\YAHOO!\COMMON\npyaxmpb.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-08 11:52
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HTpatch = c:\windows\htpatch.exe?ows\CurrentVersion\Run?t?HLP?]??Z???????Z???Z???????????????? ??Z???Z8Q?????Z$??????Z????????????{??Z???????????Z$?G~????(????~B~??G~?????~B~??G~???Z@???????d??????Z%??Zx??Zd??????Z,>?Z???Zv?B~Z|?Z{3?Z?2?Z????st.I????G??Z????d????<?Z?I?Z

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(492)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2832)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-03-08 11:54:18
ComboFix-quarantined-files.txt 2010-03-08 19:54
ComboFix2.txt 2010-03-02 09:39

Pre-Run: 66,194,898,944 bytes free
Post-Run: 66,163,146,752 bytes free

Current=2 Default=2 Failed=1 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - B69637B826F7236083C12360BB5B6F99
You know you're getting old when the classic rock station doesn't play your classic rock anymore

#9 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:11:33 AM

Posted 08 March 2010 - 03:42 PM

Hi,

Please post back with the content of C:\Qoobox\Combofix2.txt
regards,
schrauber

Posted Image
Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware Posted Image

#10 friarduck

friarduck
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pacific Northwest
  • Local time:03:33 AM

Posted 08 March 2010 - 03:54 PM

Great Tom,

Here is the report requested:

ComboFix 10-03-01.03 - Howard 03/02/2010 1:31.2.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.508 [GMT -8:00]
Running from: c:\documents and settings\Howard.MUNROES\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 100301-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\docume~1\HOWARD~1.MUN\LOCALS~1\Temp\install_flash_player.exe
c:\docume~1\HOWARD~1.MUN\LOCALS~1\Temp\tmp1.tmp
c:\docume~1\HOWARD~1.MUN\LOCALS~1\Temp\tmp2.tmp
c:\docume~1\HOWARD~1.MUN\LOCALS~1\Temp\xsrglu.tmp
c:\documents and settings\Howard.MUNROES\Local Settings\Temp\xsrglu.tmp
C:\Logo.sys
c:\windows\desktop
c:\windows\desktop\Fish.scr
c:\windows\Downloaded Program Files\popcaploader.dll
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\audio\music\mainmenumusic.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\audio\sfx\areabomb.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\audio\sfx\beetlezap.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\audio\sfx\bonusrow.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\audio\sfx\bonustimer.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\audio\sfx\bucketfilled.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\audio\sfx\clearpyramid.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\audio\sfx\cleartriangle1a.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\audio\sfx\cleartriangle1b.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\audio\sfx\cleartriangle1c.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\audio\sfx\cleartriangle2a.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\audio\sfx\cleartriangle2b.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\audio\sfx\cleartriangle2c.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\audio\sfx\colorchain.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\audio\sfx\dialogbox.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\audio\sfx\drumbeat.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\audio\sfx\fillrow.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\audio\sfx\gateopen.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\audio\sfx\helptip.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\audio\sfx\powerup.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\audio\sfx\rotateboardleft.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\audio\sfx\timerup.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\audio\sfx\warning.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\audio\sfx\warning2.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\backgrounds\artifacts-bb.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\backgrounds\bar.jpg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\backgrounds\chamber0.jpg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\backgrounds\chamber1.jpg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\backgrounds\circledoor.jpg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\backgrounds\full_screen_dialog.jpg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\backgrounds\global-hs-bb_large.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\backgrounds\global-hs-bb_small.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\backgrounds\help-bb_large.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\backgrounds\help-bb_small.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\backgrounds\hexfield.jpg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\backgrounds\hidden-artifact_icon.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\backgrounds\large_dialog.jpg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\backgrounds\local-hs-bb.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\backgrounds\mainmenu.jpg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\backgrounds\small_dialog.jpg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\backgrounds\textfield.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\backgrounds\trifield.jpg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\beetles\beetlehover1.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\beetles\beetlehover2.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\beetles\beetlehover3.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\beetles\beetlehover4.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\beetles\beetleshock1.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\beetles\beetleshock2.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\beetles\beetleshock3.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\beetles\beetleshock4.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\beetles\beetletatoo.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\beetles\dirt.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\beetles\scarabpost.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\beetles\scarabpostovr.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\beetles\tritop.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\buttons\arrowdown_down.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\buttons\arrowdown_over.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\buttons\arrowdown_up.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\buttons\arrowleft_down.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\buttons\arrowleft_over.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\buttons\arrowleft_up.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\buttons\arrowright_down.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\buttons\arrowright_over.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\buttons\arrowright_up.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\buttons\arrowup_down.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\buttons\arrowup_over.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\buttons\arrowup_up.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\buttons\bluearrowleft_down.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\buttons\bluearrowleft_over.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\buttons\bluearrowleft_up.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\buttons\bluearrowright_down.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\buttons\bluearrowright_over.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\buttons\bluearrowright_up.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\buttons\checkdown.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\buttons\checkup.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\buttons\long_button_down.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\buttons\long_button_over.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\buttons\long_button_up.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\buttons\orange-button_down.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\buttons\orange-button_over.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\buttons\orange-button_up.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\buttons\rotleft_down.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\buttons\rotleft_over.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\buttons\rotleft_up.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\buttons\rotright_down.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\buttons\rotright_over.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\buttons\rotright_up.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\buttons\simplebutton_down.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\buttons\simplebutton_over.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\buttons\simplebutton_up.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\buttons\sliderknob.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\buttons\sliderknobover.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\buttons\sliderrail.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\characters\anwar\look\pl0001.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\characters\bast\look\bl0001.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\characters\kristine\look\kl0001.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\crackedstopper.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\cursor.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\doorlights.txt
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\fonts\jackarmstrong.mvec
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\fonts\lithos.mvec
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\greybomb.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\helptips\arrowkeys.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\helptips\helptip.jpg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\levels\levels.dat
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\models\disk.mesh
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\models\equilateraltriangle.mesh
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\models\flattri.mesh
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\models\pyramid.mesh
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\models\quad.mesh
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\models\rotatingpyramid.mesh
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\models\scarabpanel.mesh
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\p1icon.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\scenes\page1-0.xml
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\scenes\page1-1.xml
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\scenes\panel1-0-1.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\scenes\panel1-1-1.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\scorecloud.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\setup.xml
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\sfx\areashockwave.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\sfx\bolt_1.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\sfx\bolt_2.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\sfx\bolt_3.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\sfx\bolt_4.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\sfx\bolt_starter.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\sfx\bolt_tail.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\sfx\flash.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\sfx\rubble.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\sfx\smoke.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\sfx\smoke2.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\sfx\smoke3.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\splash\aol_logo.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\splash\playfirst_logo.jpg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\statues\statue0\snake_dirty.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\statues\statue1\arm01_dirty.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\statues\statue1\mask01_1.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\statues\statue1\statue01_dirty.jpg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\stopper.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\timer.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\timerglow.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\timericon.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\tm.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\trails\mouseblue1.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\trails\mouseblue2.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\trails\mouseblue3.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\trails\mousegreen1.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\trails\mousegreen2.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\trails\mousegreen3.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\trails\mousered1.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\trails\mousered2.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\trails\mousered3.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\trails\mouseyellow1.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\trails\mouseyellow2.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\trails\mouseyellow3.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\triangles\areabomb.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\triangles\areabombrollover.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\triangles\blue.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\triangles\bluerollover.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\triangles\boardfill.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\triangles\brick.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\triangles\brick1.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\triangles\brick2.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\triangles\brick3.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\triangles\bricktip.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\triangles\clearanim\cleared1.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\triangles\clearanim\cleared2.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\triangles\clearanim\cleared3.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\triangles\clearanim\cleared4.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\triangles\clearanim\cleared5.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\triangles\clearanim\cleared6.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\triangles\eye1.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\triangles\eye2.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\triangles\eye3.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\triangles\eye4.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\triangles\green.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\triangles\greenrollover.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\triangles\plain_tri-blue.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\triangles\plain_tri-bluerollover.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\triangles\plain_tri-green.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\triangles\plain_tri-greenrollover.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\triangles\plain_tri-red.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\triangles\plain_tri-redrollover.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\triangles\plain_tri-yellow.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\triangles\plain_tri-yellowrollover.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\triangles\red.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\triangles\redrollover.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\triangles\wild.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\triangles\wildrollover.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\triangles\yellow.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\triangles\yellowrollover.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\upsell\image0.jpg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\upsell\image1.jpg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\upsell\image2.jpg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\upsell\image3.jpg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\urns\bluebucket.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\urns\buckettriangle.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\urns\chainlink.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\urns\chaintip.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\urns\genericbucket.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\urns\greenbucket.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\urns\redbucket.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\urns\smallblue.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\urns\smallgreen.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\urns\smallred.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\urns\smallyellow.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\urns\urnglow.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\urns\urnplatform.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\urns\yellowbucket.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\assets\warning.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\screens\error.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\screens\game.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\screens\gameover.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\screens\hiscore.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\screens\hiscoreinfo.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\screens\hiscoresubmit.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\screens\instructions.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\screens\leveldesign.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\screens\levelover.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\screens\mainarcade.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\screens\mainconfirm.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\screens\maincontinue.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\screens\maingames.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\screens\mainpuzzle.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\screens\maphelptip.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\screens\options.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\screens\pause.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\screens\quitconfirm.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\screens\start.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\screens\storyplayer.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\screens\style.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\screens\upsell.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\strings.xml
c:\windows\Downloaded Program Files\TriJinx.1.0.0.58\TriJinx.exe
c:\windows\EventSystem.log
c:\windows\system32\Data
c:\windows\system32\twain.dll
c:\windows\system32\twain_32.dll

-- Previous Run --

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

--------

.
((((((((((((((((((((((((( Files Created from 2010-02-02 to 2010-03-02 )))))))))))))))))))))))))))))))
.

2010-03-02 08:53 . 2008-04-14 01:12 50176 ----a-w- c:\windows\system32\proquota.exe
2010-03-02 08:53 . 2008-04-14 01:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2010-03-01 08:03 . 2010-03-01 08:03 -------- d-----w- c:\documents and settings\Howard.MUNROES\Local Settings\Application Data\Temp
2010-03-01 08:03 . 2010-03-01 08:03 -------- d-----w- c:\documents and settings\Howard.MUNROES\Local Settings\Application Data\Google
2010-03-01 08:03 . 2010-03-01 08:03 -------- d-----w- c:\documents and settings\Howard.MUNROES\Local Settings\Application Data\Deployment
2010-02-12 03:27 . 2010-02-12 03:27 -------- d-----w- C:\FOUND.021
2010-02-04 04:24 . 2010-02-04 04:24 -------- d-----w- C:\FOUND.020

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-24 17:16 . 2009-10-02 23:59 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-10 07:06 . 2005-10-10 08:41 2097 ----a-w- c:\windows\eReg.dat
2010-01-23 02:04 . 2010-01-23 02:04 262144 ----a-w- C:\ntuser.dat
2009-12-31 16:50 . 2001-08-23 20:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-26 18:10 . 2005-10-11 18:38 32912 ----a-w- c:\documents and settings\Howard.MUNROES\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-21 19:14 . 2004-01-08 23:23 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-16 18:43 . 2005-10-10 07:18 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2001-08-23 20:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:27 . 2001-08-23 20:00 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2001-08-17 21:48 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 18:22 . 2001-08-23 20:00 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
1999-07-22 19:14 . 1999-07-22 19:14 11079 ---ha-w- c:\program files\folder.htt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-27 3883856]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-03 102400]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe" [2008-01-04 202024]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2009-11-10 5244216]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
"Google Update"="c:\documents and settings\Howard.MUNROES\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-03-01 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSUSBRG"="c:\windows\SiSUSBrg.exe" [2002-07-13 106496]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-11-25 98304]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"YMailAdvisor"="c:\program files\Yahoo!\Common\YMailAdvisor.exe" [2008-06-05 125208]
"EW Message Server"="msg32.exe" [2004-09-30 45056]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"NBKeyScan"="c:\program files\Nero\Nero BackItUp 4\NBKeyScan.exe" [2008-12-05 2254120]
"HTpatch"="c:\windows\htpatch.exe" [2002-10-31 28672]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-03 45056]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2008-06-10 1442888]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
"SoundMan"="SOUNDMAN.EXE" [2006-08-03 577536]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\WINDOWS\\System32\\mmc.exe"=
"d:\\Program Files\\Alias\\Maya 6.0 Personal Learning Edition\\bin\\maya.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Infogrames Interactive\\Scrabble Complete\\ScrabbleComplete.exe"=
"c:\\WINDOWS\\System32\\dplaysvr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [4/13/2008 10:50 AM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/13/2008 10:50 AM 20560]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [9/15/2009 2:21 PM 54752]
R2 tgsrvc_providercomcast;SupportSoft Repair Service (providercomcast);c:\program files\providerComcast\bin\tgsrvc.exe [5/2/2008 12:40 PM 148768]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
R3 EWAVE;EWAVE;c:\windows\system32\drivers\ew.sys [2/10/2007 12:59 AM 1693344]
R3 NSTATION;NSTATION;c:\windows\system32\drivers\NSTATION.sys [2/10/2007 12:59 AM 19808]
S3 EMUXMIDI;E-MU Xmidi Driver;c:\windows\system32\DRIVERS\EMUXMIDI.sys --> c:\windows\system32\DRIVERS\EMUXMIDI.sys [?]
S3 FILESPY;FILESPY;c:\windows\system32\drivers\FileSpy.sys [2/10/2007 12:59 AM 26992]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [8/5/2009 10:48 PM 704864]
S3 TASCAM_US122144;TASCAM USB 2.0 Audio Device driver;c:\windows\system32\drivers\tascusb2.sys [11/24/2006 6:57 PM 392864]
S3 TASCAM_US144_MIDI;TASCAM US-144 WDM MIDI Device;c:\windows\system32\drivers\tscusb2m.sys [11/24/2006 6:57 PM 10688]
S3 TASCAM_US144_WDM;TASCAM US-144 WDM;c:\windows\system32\drivers\tscusb2a.sys [3/14/2007 6:51 PM 18112]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - EWAVE
*NewlyCreated* - NSTATION
*NewlyCreated* - SISPORT
*Deregistered* - SiSPort
.
Contents of the 'Scheduled Tasks' folder

2010-03-02 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 02:20]

2009-12-26 c:\windows\Tasks\Microsoft_Hardware_Launch_IType_exe.job
- c:\program files\Microsoft IntelliType Pro\itype.exe [2008-06-10 19:56]

2010-03-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-299502267-963894560-839522115-1004Core.job
- c:\documents and settings\Howard.MUNROES\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-01 08:03]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
IE: &AOL Toolbar search
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Visit in &3D using ExitReality - http://3d.exitreality.com/TransmogrifyPage.htm
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
DPF: {226ACC34-3194-40E2-9AE8-834FCFE9E80D} - hxxp://aolsvc.aol.com/onlinegames/free-trial-mystery-of-shark-island/MysteryOfSharkIslandWeb.1.0.0.8.cab
DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} - hxxp://aolsvc.aol.com/onlinegames/trytrijinx/TriJinx.1.0.0.58.cab
DPF: {775879E2-7309-4619-BB02-AADE41F4B690} - hxxp://aolsvc.aol.com/onlinegames/free-trial-dream-chronicles/dreamweb.1.0.0.9.cab
DPF: {7D731A83-6C80-4EA4-9646-5E06A0513274} - hxxp://www.shockwave.com/content/ballistik/sis/slgwebinstall.cab
DPF: {87056D28-9730-4A47-B9F9-7E890B62C58A} - hxxp://aolsvc.aol.com/onlinegames/ghtumblebugs/axhost.cab
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://aolsvc.aol.com/onlinegames/tryaces/zylomgamesplayer.cab
DPF: {D410AFBD-4E26-4D5F-840F-0412D6F6BB8D} - hxxp://cdn.ll.neoedge.com/webgames/SandScript/SandScript.1.0.0.21.cab
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKLM-Run-EPSON Stylus C66 Series (Copy 1) - c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2S1.EXE
HKLM-Run-EPSON Stylus C66 Series - c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2S1.EXE
HKLM-Run-Auto EPSON Stylus C66 Series on OWNER-OBZDW5W2Y - c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2S1.EXE
AddRemove-Marine Aquarium 2, Sharks & Carousel Bundle - c:\program files\Prolific Publishing



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-02 01:37
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HTpatch = c:\windows\htpatch.exe?ows\CurrentVersion\Run?t?HLP?]??Z???????Z???Z???????????????? ??Z???Z8Q?????Z$??????Z????????????{??Z???????????Z$?G~????(????~B~??G~?????~B~??G~???Z@???????d??????Z%??Zx??Zd??????Z,>?Z???Zv?B~Z|?Z{3?Z?2?Z????st.I????G??Z????d????<?Z?I?Z

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(500)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3104)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-03-02 01:39:11
ComboFix-quarantined-files.txt 2010-03-02 09:39

Pre-Run: 66,408,546,304 bytes free
Post-Run: 66,358,607,872 bytes free

Current=2 Default=2 Failed=1 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - A837259595539679C0E20D94E76CDF4A

You know you're getting old when the classic rock station doesn't play your classic rock anymore

#11 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:11:33 AM

Posted 10 March 2010 - 01:05 PM

Hi,


Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.




  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Under the Custom Scan box paste this in
    netsvcs
    %SYSTEMDRIVE%\*.exe
    safebootminimal
    safebootnetwork
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
  5. Push the Quick Scan button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

regards,
schrauber

Posted Image
Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware Posted Image

#12 friarduck

friarduck
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pacific Northwest
  • Local time:03:33 AM

Posted 10 March 2010 - 03:32 PM

Thank you very much Tom,

Here are the requested reports:

MBAM:

Malwarebytes' Anti-Malware 1.44
Database version: 3849
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/10/2010 11:52:21 AM
mbam-log-2010-03-10 (11-52-21).txt

Scan type: Quick Scan
Objects scanned: 225442
Time elapsed: 7 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/PiratePoppers.1.0.0.39.dll (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{38d97cce-7243-4b6e-b6a8-dd872ad3eb33} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{6868afe5-f258-47dc-bc37-0821f96dc1d2} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{49e67060-2c0d-415e-94c7-52a49f73b2f1} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{49e67060-2c0d-415e-94c7-52a49f73b2f1} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{49e67060-2c0d-415e-94c7-52a49f73b2f1} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{49e67060-2c0d-415e-94c7-52a49f73b2f1} (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\PiratePoppers.1.0.0.39.dll (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page (Hijack.Homepage) -> Bad: (http://freeart1cile.com) Good: (http://www.Google.com/) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Downloaded Program Files\PiratePoppers.1.0.0.39.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\PiratePoppers.1.0.0.39.inf (Trojan.Agent) -> Quarantined and deleted successfully.

OTL:

OTL logfile created on: 3/10/2010 12:02:41 PM - Run 1
OTL by OldTimer - Version 3.1.36.0 Folder = C:\Documents and Settings\Howard.MUNROES\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,023.00 Mb Total Physical Memory | 492.00 Mb Available Physical Memory | 48.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 76.00% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 111.76 Gb Total Space | 61.65 Gb Free Space | 55.16% Space Free | Partition Type: FAT32
Drive D: | 37.26 Gb Total Space | 14.63 Gb Free Space | 39.27% Space Free | Partition Type: FAT32
Unable to calculate disk information.
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: MUNROES
Current User Name: Howard
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/03/10 12:00:00 | 000,554,496 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Howard.MUNROES\Desktop\OTL.exe
PRC - [2009/11/24 15:51:40 | 000,081,000 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashDisp.exe
PRC - [2009/11/24 15:51:36 | 000,138,680 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe
PRC - [2009/11/24 15:51:22 | 000,254,040 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
PRC - [2009/11/24 15:48:48 | 000,352,920 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
PRC - [2009/11/24 15:43:56 | 000,018,752 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
PRC - [2009/11/10 15:39:26 | 005,244,216 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
PRC - [2009/05/19 11:36:18 | 000,240,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
PRC - [2009/02/23 05:05:34 | 000,111,856 | ---- | M] (Yahoo! Inc) -- C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
PRC - [2008/12/05 14:07:06 | 000,935,208 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
PRC - [2008/12/05 14:06:42 | 000,081,920 | ---- | M] (Prolific Technology Inc.) -- C:\Program Files\Nero\Nero BackItUp 4\IoctlSvc.exe
PRC - [2008/11/09 12:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
PRC - [2008/06/10 11:56:30 | 001,442,888 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft IntelliType Pro\itype.exe
PRC - [2008/06/10 11:56:28 | 000,447,560 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
PRC - [2008/06/05 15:06:32 | 000,125,208 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\Common\YMailAdvisor.exe
PRC - [2008/05/02 12:40:34 | 000,148,768 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\providerComcast\bin\tgsrvc.exe
PRC - [2008/04/13 17:12:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/01/04 09:45:24 | 001,410,344 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
PRC - [2008/01/04 09:45:06 | 000,202,024 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
PRC - [2006/11/03 18:20:12 | 000,866,584 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MSASCui.exe
PRC - [2006/11/03 18:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe
PRC - [2006/08/03 05:12:00 | 000,577,536 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\SoundMan.exe
PRC - [2006/01/02 16:41:22 | 000,045,056 | ---- | M] (ATI Technologies Inc.) -- C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
PRC - [2004/12/02 18:23:34 | 000,102,400 | ---- | M] (Creative Technology Ltd) -- C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
PRC - [2004/09/30 15:04:20 | 000,045,056 | ---- | M] (TASCAM) -- C:\WINDOWS\system32\msg32.exe
PRC - [2003/11/26 14:44:20 | 000,061,440 | ---- | M] (CrypKey (Canada) Ltd.) -- C:\WINDOWS\system32\Crypserv.exe
PRC - [2002/10/30 17:40:34 | 000,028,672 | R--- | M] () -- C:\WINDOWS\htpatch.exe


========== Modules (SafeList) ==========

MOD - [2010/03/10 12:00:00 | 000,554,496 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Howard.MUNROES\Desktop\OTL.exe


========== Win32 Services (SafeList) ==========

SRV - [2009/11/24 15:51:36 | 000,138,680 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\ashServ.exe -- (avast! Antivirus)
SRV - [2009/11/24 15:51:22 | 000,254,040 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe -- (avast! Mail Scanner)
SRV - [2009/11/24 15:48:48 | 000,352,920 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe -- (avast! Web Scanner)
SRV - [2009/11/24 15:43:56 | 000,018,752 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe -- (aswUpdSv)
SRV - [2009/08/05 22:48:42 | 000,704,864 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Live\Family Safety\fsssvc.exe -- (fsssvc)
SRV - [2009/05/19 11:36:18 | 000,240,512 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort)
SRV - [2008/12/05 14:07:06 | 000,935,208 | ---- | M] (Nero AG) [Auto | Running] -- C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe -- (Nero BackItUp Scheduler 4.0)
SRV - [2008/12/05 14:06:42 | 000,081,920 | ---- | M] (Prolific Technology Inc.) [Auto | Running] -- C:\Program Files\Nero\Nero BackItUp 4\IoctlSvc.exe -- (PLFlash DeviceIoControl Service)
SRV - [2008/11/09 12:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2008/05/02 12:40:34 | 000,398,704 | ---- | M] (SupportSoft, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\supportsoft\bin\ssrc.exe -- (SupportSoft RemoteAssist)
SRV - [2008/05/02 12:40:34 | 000,148,768 | ---- | M] (SupportSoft, Inc.) [Auto | Running] -- C:\Program Files\providerComcast\bin\tgsrvc.exe -- (tgsrvc_providercomcast) SupportSoft Repair Service (providercomcast)
SRV - [2006/11/03 18:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend)
SRV - [2003/11/26 14:44:20 | 000,061,440 | ---- | M] (CrypKey (Canada) Ltd.) [Auto | Running] -- C:\WINDOWS\System32\Crypserv.exe -- (Crypkey License)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.Google.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = DC 78 09 1F E3 96 CA 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.yahoo.com/"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/03/05 13:09:28 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/03/05 13:09:28 | 000,000,000 | ---D | M]

[2010/03/05 13:10:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Howard.MUNROES\Application Data\Mozilla\Extensions
[2010/03/05 13:10:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Howard.MUNROES\Application Data\Mozilla\Firefox\Profiles\7w6omho2.default\extensions
[2010/03/05 13:19:36 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Howard.MUNROES\Application Data\Mozilla\Firefox\Profiles\7w6omho2.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/03/05 13:09:28 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2001/08/23 12:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Yahoo! IE Services Button) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
O2 - BHO: (Windows Live Toolbar Helper) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O4 - HKLM..\Run: [ATICCC] C:\Program Files\ATI Technologies\ATI.ACE\cli.exe (ATI Technologies Inc.)
O4 - HKLM..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
O4 - HKLM..\Run: [EW Message Server] C:\WINDOWS\System32\msg32.exe (TASCAM)
O4 - HKLM..\Run: [HTpatch] C:\WINDOWS\htpatch.exe ()
O4 - HKLM..\Run: [itype] C:\Program Files\Microsoft IntelliType Pro\itype.exe (Microsoft Corporation)
O4 - HKLM..\Run: [NBKeyScan] C:\Program Files\Nero\Nero BackItUp 4\NBKeyScan.exe (Nero AG)
O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe (Nero AG)
O4 - HKLM..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe (Silicon Integrated Systems Corp.)
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\SoundMan.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKLM..\Run: [YMailAdvisor] C:\Program Files\Yahoo!\Common\YMailAdvisor.exe (Yahoo! Inc.)
O4 - HKLM..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe (Yahoo! Inc)
O4 - HKCU..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe (Nero AG)
O4 - HKCU..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe (Creative Technology Ltd)
O4 - HKCU..\Run: [Messenger (Yahoo!)] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O4 - HKCU..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe (Yahoo! Inc)
O4 - Startup: C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: &Yahoo! Search - C:\Program Files\Yahoo!\Common [2005/10/11 11:41:54 | 000,000,000 | ---D | M]
O8 - Extra context menu item: Yahoo! &Dictionary - C:\Program Files\Yahoo!\Common [2005/10/11 11:41:54 | 000,000,000 | ---D | M]
O8 - Extra context menu item: Yahoo! &Maps - C:\Program Files\Yahoo!\Common [2005/10/11 11:41:54 | 000,000,000 | ---D | M]
O8 - Extra context menu item: Yahoo! &SMS - C:\Program Files\Yahoo!\Common [2005/10/11 11:41:54 | 000,000,000 | ---D | M]
O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra Button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
O15 - HKCU\..Trusted Domains: aol.com ([objects] * is out of zone range - 5)
O16 - DPF: {00000055-9980-0010-8000-00AA00389B71} http://codecs.microsoft.com/codecs/i386/fhg.CAB (Reg Error: Key error.)
O16 - DPF: {0D6709DD-4ED8-40CA-B459-2757AEEF7BEE} http://download.gigabyte.com.tw/object/Dldrv.ocx (Dldrv2 Control)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/C/0...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {226ACC34-3194-40E2-9AE8-834FCFE9E80D} http://aolsvc.aol.com/onlinegames/free-tri...Web.1.0.0.8.cab (CPlayFirstmsiControl Object)
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} http://aolsvc.aol.com/onlinegames/trytriji...nx.1.0.0.58.cab (CPlayFirstTriJinxControl Object)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper200711281.dll (Installation Support)
O16 - DPF: {38A5F6F0-0B64-421B-A553-3D49A76ECDCD} http://cdn.ll.neoedge.com/webgames/MythicM...les.1.0.0.2.cab (CPlayFirstMythicMarblesControl Object)
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} http://office.microsoft.com/officeupdate/content/opuc3.cab (Office Update Installation Engine)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onecare.live.com/resource/...lscbase1140.cab (Windows Live Safety Center Base Module)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1129049616529 (MUWebControl Class)
O16 - DPF: {775879E2-7309-4619-BB02-AADE41F4B690} http://aolsvc.aol.com/onlinegames/free-tri...web.1.0.0.9.cab (CPlayFirstdreamControl Object)
O16 - DPF: {7D731A83-6C80-4EA4-9646-5E06A0513274} http://www.shockwave.com/content/ballistik...gwebinstall.cab (Sandlot Loader Control)
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} http://zone.msn.com/bingame/amun/default/mjolauncher.cab (MJLauncherCtrl Class)
O16 - DPF: {87056D28-9730-4A47-B9F9-7E890B62C58A} http://aolsvc.aol.com/onlinegames/ghtumblebugs/axhost.cab (WildfireActiveXHost Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} http://cdn2.zone.msn.com/binframework/v10/...gr.cab31267.cab (ZoneAxRcMgr Class)
O16 - DPF: {ABB660B6-6694-407B-950A-EDBA5A159722} http://download.games.yahoo.com/games/web_...loadControl.cab (DVCDownloadControl)
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} http://messenger.msn.com/download/MsnMesse...pDownloader.cab (MsnMessengerSetupDownloadControl Class)
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab (MSN Games - Installer)
O16 - DPF: {BE319D04-18BD-4B34-AECC-EE7CB610FCA9} http://download.games.yahoo.com/games/web_...itched/main.cab (BewitchedGameClass Control)
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} http://aolsvc.aol.com/onlinegames/tryaces/...gamesplayer.cab (Zylom Games Player)
O16 - DPF: {C7E002D6-324B-4500-883D-84B620FD8640} http://cdn2.zone.msn.com/Bingame/BRDG/data...6/heartbeat.cab (Bridge Installer)
O16 - DPF: {C86FF4B0-AA1D-46D4-8612-025FB86583C7} http://zone.msn.com/bingame/jobo/default/AstoundLauncher.cab (AstoundLauncher Control)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {D410AFBD-4E26-4D5F-840F-0412D6F6BB8D} http://cdn.ll.neoedge.com/webgames/SandScr...pt.1.0.0.21.cab (CPlayFirstSandScriptControl Object)
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} http://zone.msn.com/bingame/feed/default/SproutLauncher.cab (SproutLauncherCtrl Class)
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} http://zone.msn.com/bingame/shpo/default/shapo.cab (TikGames Online Control)
O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} http://zone.msn.com/bingame/hsol/default/SCEWebLauncher.cab (SCEWebLauncherCtl Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {FC4CAF5F-91BD-4DD9-ADC1-F3C737E37BC4} http://zone.msn.com/bingame/swet/default/S...ia.1.0.0.46.cab (CPlayFirstSweetopiaControl Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.69.150 68.87.85.102
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\Howard.MUNROES\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Howard.MUNROES\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2003/06/24 21:45:40 | 000,000,260 | -HS- | M] () - C:\AUTOEXEC.DOS -- [ FAT32 ]
O32 - AutoRun File - [2003/09/11 00:20:56 | 000,000,260 | -HS- | M] () - C:\AUTOEXEC.BAK -- [ FAT32 ]
O32 - AutoRun File - [1999/10/14 12:24:44 | 000,000,288 | ---- | M] () - C:\AUTOEXEC.BAT -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2005/10/09 23:08:52 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\system32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found

SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vds - Service
SafeBootMin: vga.sys - Driver
SafeBootMin: WinDefend - C:\Program Files\Windows Defender\MsMpEng.exe (Microsoft Corporation)
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

SafeBootNet: Base - Driver Group
SafeBootNet: Boot Bus Extender - Driver Group
SafeBootNet: Boot file system - Driver Group
SafeBootNet: File system - Driver Group
SafeBootNet: Filter - Driver Group
SafeBootNet: NDIS Wrapper - Driver Group
SafeBootNet: NetBIOSGroup - Driver Group
SafeBootNet: NetDDEGroup - Driver Group
SafeBootNet: Network - Driver Group
SafeBootNet: NetworkProvider - Driver Group
SafeBootNet: PCI Configuration - Driver Group
SafeBootNet: PNP Filter - Driver Group
SafeBootNet: PNP_TDI - Driver Group
SafeBootNet: Primary disk - Driver Group
SafeBootNet: SCSI Class - Driver Group
SafeBootNet: sermouse.sys - Driver
SafeBootNet: Streams Drivers - Driver Group
SafeBootNet: System Bus Extender - Driver Group
SafeBootNet: TDI - Driver Group
SafeBootNet: vga.sys - Driver
SafeBootNet: WinDefend - C:\Program Files\Windows Defender\MsMpEng.exe (Microsoft Corporation)
SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net
SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient
SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService
SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans
SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16891891626803200)

========== Files/Folders - Created Within 14 Days ==========

[2010/03/10 12:00:08 | 000,554,496 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Howard.MUNROES\Desktop\OTL.exe
[2010/03/10 11:40:46 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/03/10 11:40:44 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/03/10 11:40:44 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/03/10 11:39:19 | 005,115,824 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Howard.MUNROES\Desktop\mbam-setup.exe
[2010/03/08 11:45:26 | 000,000,000 | ---D | C] -- C:\schrauber
[2010/03/05 13:09:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Howard.MUNROES\Local Settings\Application Data\Mozilla
[2010/03/05 13:09:27 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2010/03/03 00:09:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Howard.MUNROES\Desktop\gmer
[2010/03/02 01:30:52 | 000,000,000 | ---D | C] -- C:\ComboFix
[2010/03/02 00:42:32 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/03/02 00:41:28 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/03/02 00:41:28 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/03/02 00:41:28 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/03/02 00:41:28 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/03/02 00:41:19 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/03/02 00:40:38 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/03/01 00:06:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Howard.MUNROES\My Documents\Downloads
[2010/03/01 00:03:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Howard.MUNROES\Local Settings\Application Data\Temp
[2010/03/01 00:03:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Howard.MUNROES\Local Settings\Application Data\Google
[2010/03/01 00:03:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Howard.MUNROES\Local Settings\Application Data\Deployment
[2010/02/28 21:41:22 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2003/09/12 14:01:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2003/09/12 14:01:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2003/09/12 13:26:34 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2003/09/12 13:26:34 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[10 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]

========== Files - Modified Within 14 Days ==========

[2010/03/10 12:00:00 | 000,554,496 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Howard.MUNROES\Desktop\OTL.exe
[2010/03/10 11:59:20 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/03/10 11:56:58 | 000,013,002 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/03/10 11:56:12 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/03/10 11:56:04 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/03/10 11:55:26 | 009,961,472 | -H-- | M] () -- C:\Documents and Settings\Howard.MUNROES\NTUSER.DAT
[2010/03/10 11:55:04 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Howard.MUNROES\ntuser.ini
[2010/03/10 11:40:50 | 000,000,609 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/03/10 11:39:10 | 005,115,824 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Howard.MUNROES\Desktop\mbam-setup.exe
[2010/03/10 00:08:02 | 000,000,946 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-299502267-963894560-839522115-1004Core.job
[2010/03/09 19:07:18 | 000,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2010/03/09 19:07:18 | 000,001,409 | ---- | M] () -- C:\WINDOWS\QTFont.for
[2010/03/08 11:52:38 | 000,000,255 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/03/08 11:43:10 | 003,882,589 | R--- | M] () -- C:\Documents and Settings\Howard.MUNROES\Desktop\schrauber.exe
[2010/03/05 13:09:34 | 000,001,515 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Mozilla Firefox.lnk
[2010/03/05 11:54:28 | 094,539,776 | ---- | M] () -- C:\WINDOWS\MEMORY.DMP
[2010/03/03 00:07:38 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\Howard.MUNROES\Desktop\gmer.zip
[2010/03/02 23:59:26 | 000,524,288 | ---- | M] () -- C:\Documents and Settings\Howard.MUNROES\Desktop\dds.scr
[2010/03/02 23:57:18 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Howard.MUNROES\defogger_reenable
[2010/03/02 23:55:38 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Howard.MUNROES\Desktop\Defogger.exe
[2010/03/02 01:20:00 | 003,876,630 | R--- | M] () -- C:\Documents and Settings\Howard.MUNROES\Desktop\ComboFix.exe
[2010/03/02 00:42:36 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/03/01 00:03:48 | 000,002,268 | ---- | M] () -- C:\Documents and Settings\Howard.MUNROES\Desktop\Google Chrome.lnk
[2010/02/28 21:34:12 | 000,000,221 | ---- | M] () -- C:\Documents and Settings\Howard.MUNROES\Application Data\default.rss
[2010/02/28 21:34:10 | 000,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2010/02/28 17:32:16 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/02/28 07:30:28 | 002,652,308 | -H-- | M] () -- C:\Documents and Settings\Howard.MUNROES\Local Settings\Application Data\IconCache.db
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[10 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/03/10 11:40:49 | 000,000,609 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/03/09 19:07:16 | 000,054,156 | -H-- | C] () -- C:\WINDOWS\QTFont.qfn
[2010/03/09 19:07:16 | 000,001,409 | ---- | C] () -- C:\WINDOWS\QTFont.for
[2010/03/08 11:43:39 | 003,882,589 | R--- | C] () -- C:\Documents and Settings\Howard.MUNROES\Desktop\schrauber.exe
[2010/03/05 13:09:32 | 000,001,515 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Mozilla Firefox.lnk
[2010/03/03 00:07:33 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\Howard.MUNROES\Desktop\gmer.zip
[2010/03/02 23:59:22 | 000,524,288 | ---- | C] () -- C:\Documents and Settings\Howard.MUNROES\Desktop\dds.scr
[2010/03/02 23:57:17 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Howard.MUNROES\defogger_reenable
[2010/03/02 23:56:30 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Howard.MUNROES\Desktop\Defogger.exe
[2010/03/02 00:42:35 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/03/02 00:42:33 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/03/02 00:41:28 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/03/02 00:41:28 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/03/02 00:41:28 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/03/02 00:41:28 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/03/02 00:41:28 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/03/02 00:38:51 | 003,876,630 | R--- | C] () -- C:\Documents and Settings\Howard.MUNROES\Desktop\ComboFix.exe
[2010/03/01 00:03:47 | 000,002,268 | ---- | C] () -- C:\Documents and Settings\Howard.MUNROES\Desktop\Google Chrome.lnk
[2010/03/01 00:03:13 | 000,000,946 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-299502267-963894560-839522115-1004Core.job
[2009/09/27 21:12:17 | 000,000,760 | ---- | C] () -- C:\Documents and Settings\Howard.MUNROES\Application Data\setup_ldm.iss
[2009/07/26 18:23:12 | 000,003,072 | R--- | C] () -- C:\WINDOWS\winio.sys
[2009/06/07 11:44:12 | 000,000,039 | ---- | C] () -- C:\WINDOWS\GenericSimPoseLike.ini
[2009/04/14 22:25:12 | 000,033,330 | ---- | C] () -- C:\Documents and Settings\Howard.MUNROES\Local Settings\Application Data\slot1.mm1
[2009/03/25 22:48:15 | 000,000,221 | ---- | C] () -- C:\Documents and Settings\Howard.MUNROES\Application Data\default.rss
[2009/03/21 22:45:09 | 000,004,757 | ---- | C] () -- C:\WINDOWS\Irremote.ini
[2009/03/21 18:09:34 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2008/09/06 03:37:13 | 000,000,164 | ---- | C] () -- C:\WINDOWS\avrack.ini
[2007/07/29 12:12:40 | 000,000,404 | ---- | C] () -- C:\WINDOWS\gfscore.ini
[2007/04/28 21:14:21 | 000,000,031 | ---- | C] () -- C:\WINDOWS\Masque.INI
[2007/03/16 02:37:19 | 000,000,066 | ---- | C] () -- C:\WINDOWS\EPSC66EF.ini
[2007/03/16 02:36:17 | 000,000,051 | ---- | C] () -- C:\WINDOWS\System32\EAL32.INI
[2007/02/10 00:43:49 | 000,143,360 | ---- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2007/01/05 04:54:36 | 000,000,309 | ---- | C] () -- C:\WINDOWS\SIERRA.INI
[2006/11/24 19:14:39 | 000,000,077 | ---- | C] () -- C:\WINDOWS\Crypkey.ini
[2006/11/24 19:14:36 | 000,028,518 | ---- | C] () -- C:\WINDOWS\System32\Ckldrv.sys
[2006/11/24 19:14:36 | 000,018,432 | ---- | C] () -- C:\WINDOWS\Setup_ck.dll
[2006/11/21 07:43:22 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Transmogrifier.INI
[2006/11/18 12:40:36 | 000,012,288 | ---- | C] () -- C:\WINDOWS\impborl.dll
[2006/11/04 16:20:34 | 000,000,022 | ---- | C] () -- C:\WINDOWS\iexplore.ini
[2006/08/14 01:40:48 | 000,000,092 | ---- | C] () -- C:\WINDOWS\QTW.INI
[2006/05/28 23:20:06 | 000,002,552 | ---- | C] () -- C:\WINDOWS\WAVEMIX.INI
[2006/05/28 23:19:55 | 000,000,625 | ---- | C] () -- C:\WINDOWS\INSPACE.INI
[2006/02/08 22:33:12 | 000,000,103 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2006/02/08 22:32:50 | 000,000,004 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2006/01/28 10:11:06 | 000,000,113 | ---- | C] () -- C:\WINDOWS\entpack.ini
[2006/01/09 22:43:24 | 000,000,137 | ---- | C] () -- C:\Documents and Settings\Howard.MUNROES\Local Settings\Application Data\fusioncache.dat
[2005/12/04 22:46:30 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Transmogrifier-1.4.INI
[2005/11/24 23:44:53 | 000,000,024 | ---- | C] () -- C:\WINDOWS\atid.ini
[2005/11/14 00:51:10 | 000,000,000 | ---- | C] () -- C:\WINDOWS\ATIMMC.INI
[2005/11/14 00:42:58 | 000,055,808 | ---- | C] () -- C:\Documents and Settings\Howard.MUNROES\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2005/11/13 23:10:11 | 000,000,058 | ---- | C] () -- C:\WINDOWS\SimPose7.ini
[2005/10/11 11:27:43 | 000,000,478 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/10/10 10:06:58 | 000,000,680 | ---- | C] () -- C:\WINDOWS\SimPose5.ini
[2005/10/10 00:59:51 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2005/10/09 23:37:11 | 000,032,768 | ---- | C] () -- C:\WINDOWS\SIS_LIB.DLL
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2001/08/13 20:09:48 | 000,659,520 | ---- | C] () -- C:\WINDOWS\System32\vbid3lib.dll
[2001/04/20 19:23:28 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\PManager.dll
[2001/03/31 10:53:00 | 000,118,784 | ---- | C] () -- C:\WINDOWS\System32\lib3ds.dll
[1999/07/29 01:27:10 | 000,056,832 | ---- | C] () -- C:\WINDOWS\System32\Iyvu9_32.dll
[1999/07/22 11:14:56 | 000,011,079 | -H-- | C] () -- C:\Program Files\folder.htt
[1998/09/07 01:03:36 | 000,012,208 | ---- | C] () -- C:\WINDOWS\System32\Cdio16.dll
[1998/09/07 00:55:42 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\cdio32.dll

========== LOP Check ==========

[2005/10/11 01:54:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\MumboJumbo
[2005/11/08 02:46:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\PopCap
[2005/11/24 23:53:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Viewpoint
[2005/12/20 02:58:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\PlayFirst
[2006/05/28 00:03:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Zylom
[2006/07/28 08:42:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\SonyPicturesGames
[2007/09/04 17:43:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
[2007/09/07 21:07:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\GameHouse
[2007/12/16 03:00:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Sandlot Games
[2008/02/14 18:26:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Individual Software
[2008/04/22 16:31:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\JollyBear
[2008/04/27 15:23:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\iWin
[2008/09/05 13:12:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\NeoEdge Networks
[2009/05/18 15:29:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Masque
[2009/10/18 01:57:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Fugazo
[2005/10/16 15:11:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Howard.MUNROES\Application Data\Wildfire
[2005/12/20 02:58:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Howard.MUNROES\Application Data\PlayFirst
[2006/01/24 19:34:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Howard.MUNROES\Application Data\Template
[2006/11/24 15:28:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Howard.MUNROES\Application Data\Cakewalk
[2006/11/24 19:09:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Howard.MUNROES\Application Data\Steinberg
[2007/02/09 21:18:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Howard.MUNROES\Application Data\Viewpoint
[2007/03/16 02:44:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Howard.MUNROES\Application Data\Leadertech
[2008/02/14 22:46:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Howard.MUNROES\Application Data\Individual Software
[2008/04/27 15:23:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Howard.MUNROES\Application Data\iWin
[2008/09/01 04:04:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Howard.MUNROES\Application Data\MilkShape 3D 1.x.x
[2008/09/05 13:13:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Howard.MUNROES\Application Data\BloodTies
[2008/09/15 20:21:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Howard.MUNROES\Application Data\MysteryStudio
[2008/11/25 16:12:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Howard.MUNROES\Application Data\Pogo Games
[2009/02/28 22:21:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Howard.MUNROES\Application Data\panoramik
[2009/04/15 16:16:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Howard.MUNROES\Application Data\funkitron
[2009/05/18 15:29:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Howard.MUNROES\Application Data\Masque
[2009/10/09 01:03:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Howard.MUNROES\Application Data\TMInc
[2009/10/09 20:43:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Howard.MUNROES\Application Data\YoudaGames
[2009/10/20 02:53:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Howard.MUNROES\Application Data\Friday's games
[2010/03/10 11:59:20 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >
[2005/12/05 18:55:54 | 000,010,920 | ---- | M] () -- C:\aolconnfix.exe


< MD5 for: AGP440.SYS >
[2005/10/11 10:29:32 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2008/08/19 14:31:46 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2005/10/11 10:29:32 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:AGP440.sys
[2008/08/19 14:31:46 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 11:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ERDNT\cache\agp440.sys
[2008/04/13 11:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 11:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys
[2004/08/03 23:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys

< MD5 for: ATAPI.SYS >
[2005/10/11 10:29:32 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008/08/19 14:31:46 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2005/10/11 10:29:32 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:atapi.sys
[2008/08/19 14:31:46 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 11:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2008/04/13 11:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 11:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2008/04/13 11:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\ReinstallBackups\0007\DriverFiles\i386\atapi.sys
[2004/08/03 22:59:42 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 17:11:54 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ERDNT\cache\eventlog.dll
[2008/04/13 17:11:54 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 17:11:54 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/04 00:56:42 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/13 17:12:02 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ERDNT\cache\netlogon.dll
[2008/04/13 17:12:02 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 17:12:02 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2004/08/04 00:56:44 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/04 00:56:44 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 17:12:06 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ERDNT\cache\scecli.dll
[2008/04/13 17:12:06 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 17:12:06 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >
< End of report >


EXTRAS:

OTL Extras logfile created on: 3/10/2010 12:02:41 PM - Run 1
OTL by OldTimer - Version 3.1.36.0 Folder = C:\Documents and Settings\Howard.MUNROES\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,023.00 Mb Total Physical Memory | 492.00 Mb Available Physical Memory | 48.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 76.00% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 111.76 Gb Total Space | 61.65 Gb Free Space | 55.16% Space Free | Partition Type: FAT32
Drive D: | 37.26 Gb Total Space | 14.63 Gb Free Space | 39.27% Space Free | Partition Type: FAT32
Unable to calculate disk information.
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: MUNROES
Current User Name: Howard
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\MSN Messenger\livecall.exe" = C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone) -- File not found
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe" = C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Common Files\AOL\Loader\aolload.exe" = C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Application Loader -- (America Online, Inc.)
"C:\WINDOWS\System32\mmc.exe" = C:\WINDOWS\System32\mmc.exe:*:Disabled:Microsoft Management Console -- (Microsoft Corporation)
"D:\Program Files\Alias\Maya 6.0 Personal Learning Edition\bin\maya.exe" = D:\Program Files\Alias\Maya 6.0 Personal Learning Edition\bin\maya.exe:*:Enabled:Maya -- (Alias)
"C:\Program Files\Real\RealPlayer\realplay.exe" = C:\Program Files\Real\RealPlayer\realplay.exe:*:Enabled:RealPlayer -- (RealNetworks, Inc.)
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- (Yahoo! Inc.)
"C:\Program Files\Infogrames Interactive\Scrabble Complete\ScrabbleComplete.exe" = C:\Program Files\Infogrames Interactive\Scrabble Complete\ScrabbleComplete.exe:*:Enabled:Scrabble Complete -- (Infogrames Interactive)
"C:\WINDOWS\System32\dplaysvr.exe" = C:\WINDOWS\System32\dplaysvr.exe:*:Enabled:Microsoft DirectPlay Helper -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe" = C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync -- (Microsoft Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{02627ee5-eaca-4742-a9cc-e687631773e4}" = Nero ShowTime
"{02F6993D-B763-4F40-8F93-2A9CD97586E3}" = Microsoft IntelliType Pro 6.3
"{086a7d8c-0a38-4c7f-819a-620275550d5c}" = Nero Burning ROM Help
"{139E303E-1050-497F-98B1-9AE87B15C463}" = Windows Live Family Safety
"{178832DE-9DE0-4C87-9F82-9315A9B03985}" = Windows Live Writer
"{1c00c7c5-e615-4139-b817-7f4003de68c0}" = Nero PhotoSnap Help
"{20400dbd-e6db-45b8-9b6b-1dd7033818ec}" = Nero InfoTool
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{20FA8AEE-E785-4F79-98EB-2067A8F395F4}" = Monopoly
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{2348b586-c9ae-46ce-936c-a68e9426e214}" = Nero StartSmart Help
"{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java™ 6 Update 17
"{2E0C1913-886B-4C5C-8DAF-D1E649CE5FCC}" = Creative MediaSource
"{300A2961-B2B5-4889-9CB9-5C2A570D08AD}" = Debugging Tools for Windows (x86)
"{30614D5F-58BB-4A76-8BC9-C763A815CFC4}" = Hackman Hex Editor
"{33cf58f5-48d8-4575-83d6-96f574e4d83a}" = Nero DriveSpeed
"{341201D4-4F61-4ADB-987E-9CCE4D83A58D}" = Windows Live Toolbar Extension (Windows Live Toolbar)
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{359cfc0a-beb1-440d-95ba-cf63a86da34f}" = Nero Recode
"{35E1A8C8-6646-4101-B0AA-42D1EB2AB3AE}" = Windows Live Outlook Toolbar (Windows Live Toolbar)
"{368ba326-73ad-4351-84ed-3c0a7a52cc53}" = Nero Rescue Agent
"{3921A67A-5AB1-4E48-9444-C71814CF3027}" = VCRedistSetup
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{43e39830-1826-415d-8bae-86845787b54b}" = Nero Vision
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{4CBA3D4C-8F51-4D60-B27E-F6B641C571E7}" = Microsoft Search Enhancement Pack
"{53B2CFE9-A508-4457-B2CA-5D253536BFB7}" = OneCare Advisor (Windows Live Toolbar)
"{548B3DC6-2300-47E1-BA7B-74AD25F8DEBF}" = Form Fill (Windows Live Toolbar)
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{57F0ED40-8F11-41AA-B926-4A66D0D1A9CC}" = Microsoft Office Live Add-in 1.3
"{595a3116-40bb-4e0f-a2e8-d7951da56270}" = NeroExpress
"{5d9be3c1-8ba4-4e7e-82fd-9f74fa6815d1}" = Nero Vision
"{5e08ecd1-c98e-4711-bf65-8fd736b3f969}" = Nero RescueAgent Help
"{60c731fb-c951-41ce-ad41-8e54c8594609}" = Nero Disc Copy Gadget Help
"{62ac81f6-bdd3-4110-9d36-3e9eaab40999}" = Nero CoverDesigner
"{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}" = Windows Genuine Advantage v1.3.0254.0
"{6412CECE-8172-4BE5-935B-6CECACD2CA87}" = Windows Live Mail
"{65883ddf-2152-4cb7-8e13-b99194b13498}" = Nero BackItUp
"{66A7A386-6F35-41A7-A731-101F0C0153C8}" = Popup Blocker (Windows Live Toolbar)
"{68108E66-D13A-4EE8-A6F4-40E4B90C2A26}" = Windows Live Toolbar Feed Detector (Windows Live Toolbar)
"{6D71F97C-8069-492A-B081-E77B52C3C222}" = Hoyle Casino Empire
"{6E32356E-88F8-4382-8B22-A210DE6D659F}" = MostFun - Shopmania
"{74EF6721-0431-4873-B8E5-4D6A242C7E3F}" = MostFun - Mystery of Shark Island
"{75c53f52-398b-4d66-b28a-f9ef170b3b34}" = Nero BackItUp
"{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}" = Microsoft Works 7.0
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7745B7A9-F323-4BB9-9811-01BF57A028DA}" = Map Button (Windows Live Toolbar)
"{7748ac8c-18e3-43bb-959b-088faea16fb2}" = Nero StartSmart
"{77e33d87-255e-413e-9c8d-eed2a7f9bebf}" = Nero Live Help
"{7829db6f-a066-4e40-8912-cb07887c20bb}" = Nero BurnRights
"{786C4AD1-DCBA-49A6-B0EF-B317A344BD66}" = Windows Live Favorites for Windows Live Toolbar
"{7E4BEB77-BEA9-4544-AB74-06EDE6CE3D39}" = Comcast User Setup
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-110375480}" = Luxor
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-11231247}" = Peggle
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-113297350}" = Cake Mania 2
"{83202942-84b3-4c50-8622-b8c0aa2d2885}" = Nero Express Help
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}" = Windows Live Sync
"{85243696-5e58-4357-9cf8-3498c609941d}" = NeroLiveGadget Help
"{869200db-287a-4dc0-b02b-2b6787fbcd4c}" = Nero DiscSpeed
"{8A74E887-8F0F-4017-AF53-CBA42211AAA5}" = Microsoft Sync Framework Runtime Native v1.0 (x86)
"{8AB8D458-939E-403F-0097-9BA1C1F013D5}" = The Sims 2
"{8C6CB33A-AA86-446C-8C4D-304A7FA51033}" = Nero 8 Essentials
"{91120409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Standard Edition 2003
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{95120000-0122-0409-0000-0000000FF1CE}" = Microsoft Office Outlook Connector
"{98a67610-a3b5-4098-a423-3708040026d3}" = "Nero SoundTrax Help
"{995F1E2E-F542-4310-8E1D-9926F5A279B3}" = Windows Live Toolbar
"{9A00D1BA-D03A-44E5-AF28-86A1F377DF61}" = The Sims Makin' Magic
"{9e82b934-9a25-445b-b8df-8012808074ac}" = Nero PhotoSnap
"{9e9fdde6-2c26-492a-85a0-05646b3f2795}" = NeroLiveGadget
"{A06275F4-324B-4E85-95E6-87B2CD729401}" = Windows Defender
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{a209525b-3377-43f4-b886-32f6b6e7356f}" = Nero WaveEditor
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A54F806B-A2E1-4794-A7FE-365167EC67CB}" = Masque IGT Slots Little Green Men
"{A5CC2A09-E9D3-49EC-923D-03874BBD4C2C}" = Windows Defender Signatures
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{A8F2089B-1F79-4BF6-B385-A2C2B0B9A74D}" = ImagXpress
"{AC76BA86-7AD7-1033-7B44-A70500000002}" = Adobe Reader 7.0.8
"{ad6bc5cc-2ef0-49c4-b33d-cdc8b2c4dc80}" = Nero Recode Help
"{b1adf008-e898-4fe2-8a1f-690d9a06acaf}" = DolbyFiles
"{b2ec4a38-b545-4a00-8214-13fe0e915e6d}" = Advertising Center
"{B36649A3-D0DD-4706-B042-F5B384529C7A}" = Scrabble Complete
"{b78120a0-cf84-4366-a393-4d0a59bc546c}" = Menu Templates - Starter Kit
"{BA63612E-0458-416A-ADCD-B2349194F20F}" = Creative Zen Nano Plus
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{bd5ca0da-71ad-43da-b19e-6eee0c9adc9a}" = Nero ControlCenter
"{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}" = Microsoft Sync Framework Services Native v1.0 (x86)
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{c5a7cb6c-e76d-408f-ba0e-85605420fe9d}" = SoundTrax
"{C88E49AA-41C5-4420-A08D-BE1B6C5A3A74}" = DAO
"{cc019e3f-59d2-4486-8d4b-878105b62a71}" = Nero DiscSpeed
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{ce96f5a5-584d-4f8f-aa3e-9baed413db72}" = Nero CoverDesigner Help
"{d025a639-b9c9-417d-8531-208859000af8}" = NeroBurningROM
"{D642E38E-0D24-486C-9A2D-E316DD696F4B}" = Microsoft XML Parser
"{D6C75F0B-3BC1-4FC9-B8C5-3F7E8ED059CA}" = Windows Live Photo Gallery
"{d9dcf92e-72eb-412d-ac71-3b01276e5f8b}" = Nero ShowTime
"{df6a95f5-adc1-406a-bdc6-2aa7cc0182aa}" = Nero Live
"{E2DFE069-083E-4631-9B6C-43C48E991DE5}" = Junk Mail filter update
"{e2e7785e-4c44-4513-8d23-25dfa98ca959}" = Nero 9
"{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}" = Windows Media Encoder 9 Series
"{e498385e-1c51-459a-b45f-1721e37aa1a0}" = Movie Templates - Starter Kit
"{e5c7d048-f9b4-4219-b323-8bdb01a2563d}" = Nero DriveSpeed
"{E7DADD44-6785-11D6-A493-00A00C445B53}" = Hackman
"{e8631efb-6b9a-426c-b1ce-e7173ca26bf8}" = Nero WaveEditor Help
"{e8a80433-302b-4ff1-815d-fcc8eac482ff}" = Nero Installer
"{E9E34215-82EF-4909-BE2F-F581F0DC9062}" = DirectX for Managed Code Update (Summer 2004)
"{EA9FAF16-0E5C-42C4-9742-9AF8D5F6D69B}" = ATI Catalyst Control Center
"{ee2b221c-32ce-4723-af45-89b30b4e88f9}" = Nero BackItUp 4
"{F084395C-40FB-4DB3-981C-B51E74E1E83D}" = Smart Menus (Windows Live Toolbar)
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{f1861f30-3419-44db-b2a1-c274825698b3}" = Nero Disc Copy Gadget
"{f4041dce-3fe1-4e18-8a9e-9de65231ee36}" = Nero ControlCenter
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{f6bdd7c5-89ed-4569-9318-469aa9732572}" = Nero BurnRights
"{FB08F381-6533-4108-B7DD-039E11FBC27E}" = Realtek AC'97 Audio
"{fbcdfd61-7dcf-4e71-9226-873ba0053139}" = Nero InfoTool
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"All ATI Software" = ATI - Software Uninstall Utility
"AOL Uninstaller" = AOL Uninstaller
"ATI Display Driver" = ATI Display Driver
"avast!" = avast! Antivirus
"Best of Slots II" = Best of Slots II
"blueprint ObjectEditor_is1" = blueprint ObjectEditor 1.0.0
"blueprint_is1" = blueprint 1.0
"Cake Mania Deluxe_is1" = Cake Mania Deluxe
"Chuzzle Deluxe 1.01" = Chuzzle Deluxe 1.01
"Creating Sims 2 Meshes Part 1_is1" = Creating Sims 2 Meshes Part 1 v 1.5
"Creative Mass Storage Drivers" = Creative Mass Storage Drivers
"DECCHECK" = Microsoft Windows XP Video Decoder Checkup Utility
"Diner Dash" = Diner Dash
"EPSON Printer and Utilities" = EPSON Printer Software
"FAR Edit Version 1.0_is1" = FAR Edit Version 1.0
"Flight Simulator 7.0" = Microsoft Flight Simulator 2000
"Free RAR Extract Frog 1.00" = Free RAR Extract Frog 1.00
"GigaStudio 3.0 LE" = GigaStudio 3.0 LE
"HammerHead Rhythm Station" = HammerHead Rhythm Station
"HB_Door_800_03" = HB_Door_800_03 Screen Saver
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"Impulse v. 3.10" = Impulse v. 3.10
"Indeo® software" = Indeo® software
"InstallShield_{6D71F97C-8069-492A-B081-E77B52C3C222}" = Casino Empire
"InstallShield_{C88E49AA-41C5-4420-A08D-BE1B6C5A3A74}" = DAO
"Lemmings Revolution" = Lemmings Revolution
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Masque Slots" = Masque Slots
"Masque Slots from Bally Gaming" = Masque Slots from Bally Gaming
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MilkShape 3D 1.7.10" = MilkShape 3D 1.7.10
"MilkShape 3D 1.7.2" = MilkShape 3D 1.7.2
"MilkShape 3D 1.8.4" = MilkShape 3D 1.8.4
"Mozilla Firefox (3.6)" = Mozilla Firefox (3.6)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MuVo Driver" = Creative Mass Storage Drivers
"Network Play System (Patching)" = Network Play System (Patching)
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Peggle Nights 1.0" = Peggle Nights 1.0
"QuickTime" = QuickTime
"RealPlayer 6.0" = RealPlayer Basic
"Riven 1.0" = Riven
"SimEnhancer Character CMX Validation" = SimEnhancer Character CMX Validation
"SimPE_is1" = SimPE 0.72 (alpha)
"Starship Titanic" = Starship Titanic
"Steinberg Cubase LE" = Steinberg Cubase LE
"SysInfo" = Creative System Information
"Theme Park World" = SimTheme Park
"Total 3D Home, Landscape & Deck Premium Suite" = Total 3D Home, Landscape & Deck Premium Suite
"TriJinx" = TriJinx
"USB_AUDIO_DEusb-audio.deTascam" = US-122L / US-144 driver
"ViewpointMediaPlayer" = Viewpoint Media Player
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Windows Live OneCare safety scanner" = Windows Live OneCare safety scanner
"Windows Media Encoder 9" = Windows Media Encoder 9 Series
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinLiveSuite_Wave3" = Windows Live Essentials
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0
"Yahoo! Customizations" = Yahoo! Browser Services
"Yahoo! Mail" = Yahoo! Internet Mail
"Yahoo! Mail Advisor" = Yahoo! Mail Advisor
"Yahoo! Messenger" = Yahoo! Messenger
"Yahoo! Search Defender" = Yahoo! Search Protection
"Yahoo! Software Update" = Yahoo! Software Update
"YInstHelper" = Yahoo! Install Manager

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome
"Mystery Case Files - Ravenhearst" = Mystery Case Files - Ravenhearst (remove only)

========== Last 10 Event Log Errors ==========

[ Antivirus Events ]
Error - 10/18/2005 1:55:15 PM | Computer Name = MUNROES | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
C:\Documents and Settings\Howard.MUNROES\Local Settings\Temporary Internet Files\Content.IE5\8XK7WR4V\rapiBridge[1].js
failed, 0000A474.

Error - 10/18/2005 1:55:17 PM | Computer Name = MUNROES | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
C:\Program Files\Yahoo!\Messenger\cache\MsgrFixedStationList.xml failed, 0000A474.


Error - 10/18/2005 2:08:05 PM | Computer Name = MUNROES | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
C:\Documents and Settings\Howard.MUNROES\Application Data\Microsoft\MSN Messenger\1394594773\ListCache.dat
failed, 0000A474.

Error - 10/18/2005 2:08:17 PM | Computer Name = MUNROES | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
C:\Program Files\Yahoo!\Messenger\cache\searchcategories.xml failed, 0000A474.


Error - 10/18/2005 2:08:17 PM | Computer Name = MUNROES | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
C:\Documents and Settings\Howard.MUNROES\Local Settings\Temporary Internet Files\Content.IE5\8XK7WR4V\rapiBridge[2].js
failed, 0000A474.

Error - 10/18/2005 2:08:17 PM | Computer Name = MUNROES | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
C:\Documents and Settings\Howard.MUNROES\Local Settings\Temporary Internet Files\Content.IE5\8XK7WR4V\rapiBridge[2].js
failed, 0000A474.

Error - 10/18/2005 2:08:18 PM | Computer Name = MUNROES | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
C:\Documents and Settings\Howard.MUNROES\Local Settings\Temporary Internet Files\Content.IE5\8XK7WR4V\playmessenger[1].htm
failed, 0000A474.

Error - 10/18/2005 2:08:19 PM | Computer Name = MUNROES | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
C:\Program Files\Yahoo!\Messenger\cache\MsgrFixedStationList.xml failed, 0000A474.


Error - 10/18/2005 4:26:49 PM | Computer Name = MUNROES | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
C:\Documents and Settings\Howard.MUNROES\Application Data\Microsoft\MSN Messenger\1394594773\ListCache.dat
failed, 0000A474.

Error - 1/18/2006 5:31:50 AM | Computer Name = MUNROES | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
http://www.faa.gov/ats/ato/drvsm/docs/semi...s_Attendees.doc failed,
0000A477.

[ Application Events ]
Error - 3/1/2010 2:44:46 AM | Computer Name = MUNROES | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.5512, faulting
module unknown, version 0.0.0.0, fault address 0x00000000.

Error - 3/1/2010 2:45:13 AM | Computer Name = MUNROES | Source = Application Error | ID = 1001
Description = Fault bucket 738702451.

Error - 3/1/2010 3:35:53 AM | Computer Name = MUNROES | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.5512, faulting
module unknown, version 0.0.0.0, fault address 0x00000000.

Error - 3/1/2010 4:35:57 AM | Computer Name = MUNROES | Source = Application Error | ID = 1000
Description = Faulting application , version 0.0.0.0, faulting module unknown, version
0.0.0.0, fault address 0x00000000.

Error - 3/1/2010 7:01:05 PM | Computer Name = MUNROES | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.5512, faulting
module unknown, version 0.0.0.0, fault address 0x00000000.

Error - 3/2/2010 4:33:00 AM | Computer Name = MUNROES | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.5512, faulting
module unknown, version 0.0.0.0, fault address 0x00000000.

Error - 3/2/2010 5:12:26 AM | Computer Name = MUNROES | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.5512, faulting
module unknown, version 0.0.0.0, fault address 0x00000000.

Error - 3/2/2010 5:27:59 AM | Computer Name = MUNROES | Source = WinDefendRtp | ID = 3003
Description = %%827 Real-Time Protection checkpoint has encountered an error and
failed to start. User: MUNROES\Howard Checkpoint ID: 1 Error Code: 0x80070005 Error
description: Access is denied.

Error - 3/2/2010 5:27:59 AM | Computer Name = MUNROES | Source = WinDefendRtp | ID = 3003
Description = %%827 Real-Time Protection checkpoint has encountered an error and
failed to start. User: MUNROES\Howard Checkpoint ID: 1 Error Code: 0x8000ffff Error
description: Catastrophic failure

Error - 3/5/2010 5:48:43 AM | Computer Name = MUNROES | Source = Google Update | ID = 20
Description =

[ System Events ]
Error - 3/5/2010 8:46:21 PM | Computer Name = MUNROES | Source = System Error | ID = 1003
Description = Error code 1000008e, parameter1 c0000005, parameter2 0ba7865c, parameter3
b858dc64, parameter4 00000000.

Error - 3/6/2010 3:19:49 PM | Computer Name = MUNROES | Source = Service Control Manager | ID = 7000
Description = The FILESPY service failed to start due to the following error: %%183

Error - 3/7/2010 2:10:38 PM | Computer Name = MUNROES | Source = Service Control Manager | ID = 7000
Description = The FILESPY service failed to start due to the following error: %%183

Error - 3/7/2010 8:24:05 PM | Computer Name = MUNROES | Source = Service Control Manager | ID = 7000
Description = The FILESPY service failed to start due to the following error: %%183

Error - 3/8/2010 3:29:52 PM | Computer Name = MUNROES | Source = Service Control Manager | ID = 7000
Description = The FILESPY service failed to start due to the following error: %%183

Error - 3/9/2010 3:41:25 PM | Computer Name = MUNROES | Source = Service Control Manager | ID = 7000
Description = The FILESPY service failed to start due to the following error: %%183

Error - 3/10/2010 3:30:04 PM | Computer Name = MUNROES | Source = Service Control Manager | ID = 7000
Description = The FILESPY service failed to start due to the following error: %%183

Error - 3/10/2010 3:56:16 PM | Computer Name = MUNROES | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC0000001'
while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring
the volume.

Error - 3/10/2010 3:56:36 PM | Computer Name = MUNROES | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
PCIIde

Error - 3/10/2010 3:56:52 PM | Computer Name = MUNROES | Source = Service Control Manager | ID = 7000
Description = The FILESPY service failed to start due to the following error: %%183


< End of report >

You know you're getting old when the classic rock station doesn't play your classic rock anymore

#13 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:11:33 AM

Posted 12 March 2010 - 12:40 PM

Hi,



Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". This changed from what we know in 2006 read this article:

http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Click on start > run > and then paste the following into the "open" field: appwiz.cpl and press OK. From within Add or Remove Programs uninstall the following if they exist: Viewpoint, Viewpoint Manager, Viewpoint Media Player.






I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the icon on your desktop.
  • Check
  • Click the button.
  • Accept any security warnings from your browser.
  • Check
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push
  • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the button.
  • Push
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt
regards,
schrauber

Posted Image
Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware Posted Image

#14 friarduck

friarduck
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pacific Northwest
  • Local time:03:33 AM

Posted 12 March 2010 - 06:31 PM

Tom,

here are the contents of the eset:


C:\System Volume Information\_restore{14590B46-EDDB-44F3-AF98-47954242D1DB}\RP1424\A0316796.exe IRC/SdBot trojan cleaned by deleting - quarantined

Thank you, looks close..My wife is already afraid of me, I keep looking at her computer..lol..(she needs to be safe too)
You know you're getting old when the classic rock station doesn't play your classic rock anymore

#15 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:11:33 AM

Posted 13 March 2010 - 03:55 AM

HI smile.gif

Please post back with a fresh OTL logfile so we can cleanup our work. How is it running now?
regards,
schrauber

Posted Image
Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users