XP Defender Virus


  • This topic is locked
29 replies to this topic

#1 husky1954

Posted 25 March 2010 - 05:27 PM

I have been working with techextreme in the "Am I infected? What do I do?" forum. Topic referenced is here: http://www.bleepingcomputer.com/forums/t/304027/xp-defender-virus/ ~ OB The virus calls itself XP Defender. It puts out false reports about infections. It would not let me go to the internet and put out pop-ups (this part has been stopped by running Fixexe). I have tried AVG, Spybot, SuperAntiSpyware, rkill and Malwarebytes. The programs appear to run (I can see them in Windows Task Manager). However, they don't do anything. When I run SAS I get a message that says "SuperAntiSpyware Free Edition has encountered a problem and needs to close. We are sorry for the inconvenience." I have also tried all this in safe mode, and also from a flash drive.

I am not the owner of this PC. I talked to the owner and he said he was getting pop-ups. He clicked the pop-up, followed the link to somewhere on the internet and then paid a fee to have the pop-ups removed (big mistake). The problem went away for a while and then returned. This is when I got involved.

DDS (Ver_10-03-17.01) - NTFSx86 NETWORK
Run by Administrator at 13:13:00.64 on Thu 03/25/2010
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.382.176 [GMT -6:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall Plus *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T5048
uStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T5048
uInternet Connection Wizard,ShellNext = hxxp://www.edotfinds.com/ac/ac.php?aid=41&sid=v300
mSearchAssistant = hxxp://www.google.com/ie
BHO: MyWebSearch Search Assistant BHO: {00a6faf1-072e-44cf-8957-5838f569a31d} - c:\program files\mywebsearch\srchastt\2.bin\MWSSRCAS.DLL
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: mwsBar BHO: {07b18ea1-a523-4961-b6bb-170de4475cca} - c:\program files\mywebsearch\bar\2.bin\MWSBAR.DLL
BHO: McBrwHelper Class: {227b8aa8-daf2-4892-bd1d-73f568bcb24e} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
BHO: rightonadz browser enhancer: {313065c5-48f7-13c5-2bc0-a4564a82b856} - c:\windows\system32\webovfqpohitlpt.dll
BHO: McAfee Privacy Service Popup Blocker: {3ec8255f-e043-4cae-8b3b-b191550c2a22} - c:\program files\mcafee.com\mps\popupkiller.dll
BHO: McAfee Anti-Phishing Filter: {41d68ed8-4cff-4115-88a6-6ebb8af19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
BHO: {6860a44b-5d3e-433d-a7b5-d517f810d0e7} - c:\program files\netproject\sbmdl.dll
BHO: EWPBrowseObject Class: {68f9551e-0411-48e4-9aaf-4bc42a6a46be} - c:\program files\canon\easy-webprint\EWPBrowseLoader.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_10\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: adssite: {946f6166-237c-75b5-8817-def624482c8a} - c:\windows\system32\d93dbb42-70f1-3b9e-c3b8-0b3bc7760195.dll
BHO: ads_optimizer: {9c8a568e-4201-478a-8536-526cf371d2e2} - c:\windows\system32\nsj1F4.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\windows\system32\BAE.dll
BHO: &Research: {d263fa6d-84cc-48a8-9af6-c664362b7a5b} - c:\windows\system32\winconfig.dll
BHO: Google plugin: {f6e0ef5f-5f03-43f9-8e02-bbaaa95eaa9c} - nods32.dll
TB: McAfee VirusScan: {ba52b914-b692-46c4-b683-905236f6f655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: Seekmo Toolbar: {53e0b6e8-a51d-448b-b692-40b67b285543} - c:\program files\seekmo programs\seekmo toolbar\SeekmoTB.dll
TB: Adssite Toolbar: {41c29b07-6f91-4966-91be-2e2841643c83} - c:\program files\adssite advanced toolbar\toolbar.dll
TB: My Web Search: {07b18ea9-a523-4961-b6bb-170de4475cca} - c:\program files\mywebsearch\bar\2.bin\MWSBAR.DLL
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [Power2GoExpress] NA
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [LXCGCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCGtime.dll,_RunDLLEntry@16
mRun: [MCUpdateExe] c:\progra~1\mcafee.com\agent\McUpdate.exe
mRun: [MCAgentExe] c:\progra~1\mcafee.com\agent\McAgent.exe
mRun: [MSKAGENTEXE] c:\progra~1\mcafee\spamki~1\MskAgent.exe
mRun: [MPFEXE] "c:\program files\mcafee.com\personal firewall\MPFTray.exe"
mRun: [My Web Search Bar Search Scope Monitor] "c:\progra~1\mywebs~1\bar\2.bin\m3SrchMn.exe" /m=2 /w
mRun: [ptjbrniscuvcegqwn] c:\windows\system32\regsvr32.exe /s "c:\windows\system32\webovfqpohitlpt.dll"
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.safeiegate.com/redirect.php
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_10\bin\npjpi150_10.dll
IE: {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - {7DD73374-7187-4103-8F29-622AA25E7C40} - c:\program files\mcafee\spamkiller\mcapfbho.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
LSP: c:\windows\system32\mclsp.dll
DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/WebfettiInitialSetup1.0.0.15-3.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: {1b40d2ad-d237-4544-b1e1-0bf75bf8fcc0} - No File

============= SERVICES / DRIVERS ===============

R0 Achernar;Achernar - SCSI Command Filter Drivers;c:\windows\system32\drivers\Achernar.sys [2007-12-22 18432]
R1 MPFIREWL;MPFIREWL;c:\windows\system32\drivers\MpFirewall.sys [2006-7-31 80640]
S2 McDetect.exe;McAfee WSC Integration;c:\program files\mcafee.com\agent\Mcdetect.exe [2006-7-31 126976]
S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S2 McShield;McAfee.com McShield;c:\progra~1\mcafee.com\vso\mcshield.exe [2006-7-31 221184]
S2 McTskshd.exe;McAfee Task Scheduler;c:\progra~1\mcafee.com\agent\mctskshd.exe [2006-7-31 122368]
S3 DSCVc;Video Capture;c:\windows\system32\drivers\CoachVc.sys [2007-12-22 44256]
S3 GoogleDesktopManager-022208-143751;Google Desktop Manager 5.7.802.22438;c:\program files\google\google desktop search\GoogleDesktop.exe [2006-7-31 29744]
S3 mcupdmgr.exe;McAfee SecurityCenter Update Manager;c:\progra~1\mcafee.com\agent\mcupdmgr.exe [2006-7-31 245760]
S3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2006-7-31 114464]

=============== Created Last 30 ================

2010-03-25 19:11:21 0 ----a-w- c:\documents and settings\administrator\defogger_reenable
2010-03-24 12:27:57 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-03-24 03:41:56 3623736 ----a-w- C:\procexp.exe
2010-03-23 20:05:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-23 20:05:51 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-23 20:05:51 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-03-23 12:44:14 1026 ----a-w- c:\windows\ifuyuliw.dll
2010-03-23 05:02:24 1026 ----a-w- c:\windows\ehubifamav.dll
2010-03-23 04:39:11 1026 ----a-w- c:\windows\ayonireyi.dll
2010-03-18 23:46:12 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-03-18 20:51:21 1026 ----a-w- c:\windows\elerikom.dll
2010-03-18 20:46:30 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-18 18:58:22 1026 ----a-w- c:\windows\amaxecug.dll
2010-03-18 17:36:58 1026 ----a-w- c:\windows\olejahig.dll
2010-03-18 16:25:06 0 d-----w- c:\windows\pss

==================== Find3M ====================

2010-03-23 04:46:53 48271 ----a-w- c:\windows\system32\tkighwgosmq.exe
2010-03-23 04:45:40 103368 ----a-w- c:\windows\system32\a4f32ab1-be62-394f-d033-4ec19f6e2bff.exe
2010-03-18 10:19:34 487936 ----a-w- c:\windows\system32\webovfqpohitlpt.dll
2010-02-02 05:38:10 2004480 ----a-w- c:\windows\system32\d93dbb42-70f1-3b9e-c3b8-0b3bc7760195.dll
2007-03-17 04:52:25 774144 -c--a-w- c:\program files\RngInterstitial.dll

============= FINISH: 13:14:42.40 ===============

Edited by Orange Blossom, 25 March 2010 - 10:38 PM.
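The DDS "Pseudo HJT Report" above is what a helper reads first, and most of what it takes to spot the bad entries is mechanical: BHOs whose CLSID is registered but whose DLL is gone ("No File"), BHOs with no friendly name, modules loaded from nowhere in particular (a bare `nods32.dll` with no directory), DLLs in system32 named like a GUID or like a keyboard smash (`webovfqpohitlpt.dll`), and a Run value that re-registers such a DLL with `regsvr32 /s` on every logon. The script below is an added example written for this thread; it is not a BleepingComputer or DDS tool and the thresholds for "random-looking" are this example's own assumptions. Its sample input is a subset of lines copied from the log posted above, so it runs offline, and the flags mean "look at this", not "this is malware":

```python
"""Triage BHO / toolbar / Run entries from a DDS 'Pseudo HJT Report'.

Added example for this thread, not a BleepingComputer or DDS tool. The
heuristics (vowel-starved names, GUID-named DLLs, 'No File' CLSIDs,
modules with no path or loaded straight out of system32, silent
regsvr32 in a Run value) are this example's own choices. They flag
entries worth a second look; they do not identify malware.
"""
import re
from dataclasses import dataclass

# Entries copied from the DDS log posted above (a subset, not the whole report).
SAMPLE_REPORT = r"""
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: rightonadz browser enhancer: {313065c5-48f7-13c5-2bc0-a4564a82b856} - c:\windows\system32\webovfqpohitlpt.dll
BHO: {6860a44b-5d3e-433d-a7b5-d517f810d0e7} - c:\program files\netproject\sbmdl.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: adssite: {946f6166-237c-75b5-8817-def624482c8a} - c:\windows\system32\d93dbb42-70f1-3b9e-c3b8-0b3bc7760195.dll
BHO: ads_optimizer: {9c8a568e-4201-478a-8536-526cf371d2e2} - c:\windows\system32\nsj1F4.dll
BHO: Google plugin: {f6e0ef5f-5f03-43f9-8e02-bbaaa95eaa9c} - nods32.dll
TB: McAfee VirusScan: {ba52b914-b692-46c4-b683-905236f6f655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [MPFEXE] "c:\program files\mcafee.com\personal firewall\MPFTray.exe"
mRun: [ptjbrniscuvcegqwn] c:\windows\system32\regsvr32.exe /s "c:\windows\system32\webovfqpohitlpt.dll"
"""

# DDS formats: 'BHO: <friendly name>: {CLSID} - <module>' (name optional) and 'mRun: [<value>] <command>'
COM_LINE = re.compile(r"^(?P<kind>BHO|TB): (?:(?P<name>.*?): )?\{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<module>.+)$")
RUN_LINE = re.compile(r"^(?P<kind>[um]Run): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
GUID_STEM = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
SILENT_REGSVR = re.compile(r"regsvr32(\.exe)?\s+/s\b", re.I)
SYSTEM32 = "c:\\windows\\system32\\"
VOWELS = set("aeiouy")


@dataclass(frozen=True)
class Finding:
    check: str
    entry: str   # the report line the finding refers to
    detail: str


def looks_random(token: str, min_letters: int = 10) -> bool:
    """True for identifiers such as 'webovfqpohitlpt': long and either
    vowel-starved or containing a long consonant run. Digits and spaces
    reset the run so 'Power2GoExpress' is not penalised. Thresholds are
    this example's assumptions, tuned only against the log above."""
    letters = [c for c in token.lower() if c.isalpha()]
    if len(letters) < min_letters:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    run = longest = 0
    for c in token.lower():
        run = run + 1 if (c.isalpha() and c not in VOWELS) else 0
        longest = max(longest, run)
    return vowel_ratio < 0.3 or longest >= 5


def basename(path: str) -> str:
    return path.strip('"').rsplit("\\", 1)[-1]


def first_token(cmd: str) -> str:
    """Executable part of a Run command, honouring a quoted path."""
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]


def check_module(kind: str, line: str, module: str, findings: list) -> None:
    mod = module.strip('"')
    if mod.lower() == "no file":
        findings.append(Finding("no_file", line, "CLSID registered but module is missing"))
        return
    if "\\" not in mod:
        findings.append(Finding("no_path", line, f"{mod} has no directory; resolved via the search path"))
    stem = basename(mod).rsplit(".", 1)[0]
    if GUID_STEM.match(stem):
        findings.append(Finding("guid_named_module", line, stem))
    if looks_random(stem):
        findings.append(Finding("random_name", line, stem))
    if kind == "BHO" and mod.lower().startswith(SYSTEM32):
        findings.append(Finding("bho_in_system32", line, basename(mod)))


def triage(report: str) -> list:
    """Run every check over the BHO/TB/Run lines of a DDS report."""
    findings: list = []
    for line in report.splitlines():
        line = line.strip()
        if m := COM_LINE.match(line):
            if m["name"] is None:
                findings.append(Finding("unnamed_bho", line, m["clsid"]))
            check_module(m["kind"], line, m["module"], findings)
        elif m := RUN_LINE.match(line):
            if looks_random(m["name"]):
                findings.append(Finding("random_name", line, m["name"]))
            if SILENT_REGSVR.search(m["cmd"]):
                findings.append(Finding("regsvr32_silent", line, m["cmd"]))
            else:
                check_module(m["kind"], line, first_token(m["cmd"]), findings)
    return findings


def checks_for(findings: list, needle: str) -> set:
    """Names of the checks that fired on the entry containing `needle`."""
    return {f.check for f in findings if needle in f.entry}


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"{f.check:18} {f.detail}")
```

On the sample, every line ComboFix later deleted gets at least one flag (the GUID-named DLL, `webovfqpohitlpt.dll`, `nsj1F4.dll`, the orphaned CLSID, the unnamed netproject BHO, the pathless `nods32.dll`, and the `regsvr32 /s` Run value), while the Adobe, McAfee and ctfmon entries pass clean. `nsj1F4.dll` is only caught by the weakest check (a BHO living in system32), which is the point of cross-checking the HJT section against the Created/Find3M file lists rather than trusting one heuristic.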


#2 Ltangelic
Posted 29 March 2010 - 09:03 PM

Hey husky1954,

Welcome to Bleepingcomputer! I'm Ltangelic and I'll be helping you fix your computer problem.

Before we proceed, here are some things that you can take note of so that the cleaning-up process will be smoother and more efficient. Do not worry, the points below are not any form of rules; they are just a few pointers that can ensure you get the best help from me.
  • To ensure that you are informed of the latest replies to your thread, you may like to right-click on Options at the top right-hand corner of this page and select "Subscribe to this forum". That way, you will be notified via email when a reply is posted to your thread.
  • If you have any doubts or uncertainty about any part of my instructions, feel free to post here and ask me about them.
  • Please do NOT attempt to run any tools or do any fixing on your own unless I tell you to; this will avoid any confusion that can occur during the cleaning process. Furthermore, fixing malware problems without sufficient knowledge can be dangerous at times and you can mess up your own computer without knowing.
  • Please do not PM me for malware removal assistance; any request for malware removal assistance should be posted in this thread only. The only time you can and should PM me is when I have not been replying to you for several days (usually around 4 days) and you need an explanation. If that's the case, just send me a message on here. ;)
  • Please do not start multiple topics (especially when you are already being assisted by authorised staff). All staff are volunteers here; starting multiple topics will waste the limited manpower we have at Bleepingcomputer and this can further hinder our ability to assist other users. Please be considerate and stick to one thread.

I'm looking at your log now and will be back with a fix soon. Thanks for your patience and understanding.

Bleepingcomputer Malware Response Team

Please do NOT PM anyone with HJT logs, read this and post your logs here.


#3 Ltangelic
Posted 30 March 2010 - 10:02 AM

Hey husky1954,

From your log(s), one or more of the identified infections are a backdoor Trojan and a rootkit component. Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypass security mechanisms, and they steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel and patch several APIs to hide the new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge. If this computer is used for online commercial means, please do the following IMMEDIATELY!

1) Call all relevant organisations (like banks, credit card companies etc) and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
2) From an uninfected computer, change ALL your online important personal information that you have used on this computer.

Do NOT use the infected computer for any commercial means in the meantime, as the Trojan author can still get information from it.

Due to the likelihood that your computer has already been compromised, there can be no guarantee that your computer can ever be secure again. While it is possible to completely remove the backdoor Trojans on your computer, only a reformat can ensure that your computer is completely clean.

If you would like to continue with the fixing, please do the steps below.

Please follow my instructions in the order they were given, and print out a copy of it as you may not have access to the forums during the fix.

Before we go on to run the tools, it would be advisable to temporarily disable your protection software (McAfee), as it may hinder the tools from running. Instructions are in the link below:

http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

1) Run ComboFix

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

2) Run OTS

To ensure that I get all the information, this log will need to be attached (instructions at the end); if it is too large to attach then upload it to Mediafire and post the sharing link.

Download OTS to your Desktop
  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS.exe to start the program.
  • Check the box that says Scan All Users
  • Under Additional Scans check the following:
    • Reg - Shell Spawning
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EvtViewer (last 10)
  • Under custom scans copy and paste the following
      netsvcs
      %SYSTEMDRIVE%\*.exe
      %SYSTEMDRIVE%\*.*
      %ProgramFiles%\Movie Maker\*.dll
      %ALLUSERSAPPDATA%\*.dll
      %SYSTEMROOT%\*.tmp
      %PROGRAMFILES%\Internet Explorer\*.dll
      %DriveLetter%\RECYCLER\*S-%d-%d-%d-%d%d%d-%d%d%d-%d%d%d-%d*.
      %systemroot%\system32\*.dll /lockedfiles
      /md5start
      eventlog.dll
      scecli.dll
      netlogon.dll
      cngaudit.dll
      sceclt.dll
      ntelogon.dll
      logevent.dll
      iaStor.sys
      nvstor.sys
      atapi.sys
      IdeChnDr.sys
      viasraid.sys
      AGP440.sys
      vaxscsi.sys
      nvatabus.sys
      viamraid.sys
      nvata.sys
      nvgts.sys
      iastorv.sys
      ViPrt.sys
      /md5stop
      %systemroot%\*. /mp /s
      %systemroot%\system32\*.dll /lockedfiles
      %systemroot%\Tasks\*.job /lockedfiles
      c:\$recycle.bin\*.* /s
      CREATERESTOREPOINT
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on to insert the attachment into your post

Next reply (please include in your post):

OTS.txt (attached)
ComboFix.txt

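The `/md5start ... /md5stop` block in the OTS instructions above asks the scanner to report a hash of each listed driver (atapi.sys, iaStor.sys, nvstor.sys and the rest of the boot-start storage and port drivers that file-patching rootkits of that period were known to overwrite) so the helper can compare it with the hash of the clean file for that Windows build. The script below is an added example for this thread, not OTS or any BleepingComputer tool, showing the same baseline-and-compare idea as a self-contained program. The driver names come from the list above; the file contents, the temporary "drivers" folder and the patch applied to atapi.sys are constructed for the demonstration. SHA-256 is used for the verdict and MD5 is reported alongside only because that is what OTS output and vendor hash lists of the time used:

```python
"""Baseline-and-compare integrity check for a list of boot-critical drivers.

Added example for this thread (not OTS or a BleepingComputer tool). It hashes
the drivers named in the OTS /md5start list, stores the result as a baseline,
and reports which files later changed, vanished or appeared. demo() builds a
fake drivers folder in a temporary directory, so everything here runs offline
and the file contents are constructed, not real driver images.
"""
import hashlib
import os
import tempfile

# Driver names taken from the /md5start list in the OTS instructions above.
WATCHED_DRIVERS = ["atapi.sys", "iaStor.sys", "nvstor.sys", "AGP440.sys",
                   "IdeChnDr.sys", "viasraid.sys", "nvatabus.sys", "iastorv.sys"]


def file_hashes(path: str) -> dict:
    """MD5 and SHA-256 of one file, streamed so large drivers are fine."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest(), "size": os.path.getsize(path)}


def snapshot(driver_dir: str, names=WATCHED_DRIVERS) -> dict:
    """Hash every watched driver present in driver_dir; absent ones are recorded as None,
    so a driver that turns up later is itself a finding."""
    result = {}
    for name in names:
        path = os.path.join(driver_dir, name)
        result[name] = file_hashes(path) if os.path.isfile(path) else None
    return result


def compare(baseline: dict, current: dict) -> dict:
    """Verdict per watched driver: unchanged / modified / missing / appeared / absent."""
    verdicts = {}
    for name, before in baseline.items():
        after = current.get(name)
        if before is None and after is None:
            verdicts[name] = "absent"
        elif before is None:
            verdicts[name] = "appeared"
        elif after is None:
            verdicts[name] = "missing"
        elif before["sha256"] != after["sha256"]:
            verdicts[name] = "modified"
        else:
            verdicts[name] = "unchanged"
    return verdicts


def demo():
    """Constructed scenario: baseline a fake drivers folder, then overwrite five bytes
    inside atapi.sys (same size, so a size check would miss it) and drop a new nvstor.sys."""
    with tempfile.TemporaryDirectory() as drivers:
        for name in ("atapi.sys", "iaStor.sys", "AGP440.sys"):
            with open(os.path.join(drivers, name), "wb") as fh:
                fh.write(b"MZ clean driver image: " + name.encode())
        baseline = snapshot(drivers)
        with open(os.path.join(drivers, "atapi.sys"), "r+b") as fh:
            fh.seek(3)
            fh.write(b"patch")
        with open(os.path.join(drivers, "nvstor.sys"), "wb") as fh:
            fh.write(b"MZ dropped driver")
        verdicts = compare(baseline, snapshot(drivers))
        return baseline, verdicts


if __name__ == "__main__":
    _, verdicts = demo()
    for name, verdict in sorted(verdicts.items()):
        print(f"{name:14} {verdict}")
```

Two caveats a practitioner would add. A baseline taken on an already infected machine only tells you what changes afterwards, which is why the helper compares against hashes of the clean file for the exact Windows build rather than against a local snapshot. And a hash computed from inside the running OS is only as trustworthy as the kernel doing the reading: a rootkit that filters file I/O can hand back the original bytes to whoever asks, so the `/lockedfiles` scans in the same OTS block and, where it matters, hashing the disk from a boot CD are what close that gap.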


#4 husky1954 (Topic Starter)

Posted 30 March 2010 - 08:48 PM

1. Booted in safe mode as administrator.
2. Disabled McAfee firewall and virus scan.
3. Downloaded and ran ComboFix.exe.
4. Nothing happened. ComboFix looks like it is running, I can see it in Task Manager. But nothing happens. After four minutes ComboFix disappeared from Task Manager.
5. I tried to run ComboFix again. Same as #5 above.
6. Renamed ComboFix.exe to hComboFix.exe. This time ComboFix did run and gave me a message stating that McAfee virus scan was enabled. I disabled McAfee virus scan and firewall again. ComboFix then asked to install Microsoft Windows Recovery Console. Install was successful. ComboFix asked me to copy ten files all starting with UAC. I will list them on request.
7. The computer then rebooted in normal Windows.
8. ComboFix started, backed up the registry and started scanning.
9. ComboFix scanned, deleted many files and rebooted.
10. ComboFix started up to create a log report.
11. McAfee update tried to start. I clicked "Continue what I was doing."
12. PEV.cfxxe requested access to the internet. This appeared to be part of ComboFix, so I let it.
13. ComboFix finished.
14. Downloaded and ran OTS.
15. Modified OTS settings per your instructions and clicked Run Scan.
16. OTS scan completed.

ComboFix 10-03-29.04 - Owner 03/30/2010 15:36:50.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.382.75 [GMT -6:00]
Running from: c:\documents and settings\Administrator\Desktop\hComboFix.exe
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall Plus *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Local Settings\Application Data\ave.exe
c:\documents and settings\Administrator\Local Settings\Temporary Internet Files\muiY1k4U.jpg
c:\documents and settings\Administrator\Local Settings\Temporary Internet Files\N43d25j.jpg
c:\documents and settings\Administrator\Local Settings\Temporary Internet Files\rx4eEA801.jpg
c:\documents and settings\Administrator\Local Settings\Temporary Internet Files\YKrgOw28.jpg
c:\documents and settings\Owner.YOUR-99DDF15D27\Application Data\Adssite Advanced Toolbar
c:\documents and settings\Owner.YOUR-99DDF15D27\Application Data\Adssite Advanced Toolbar\advertbuttons.xml
c:\documents and settings\Owner.YOUR-99DDF15D27\Application Data\Adssite Advanced Toolbar\selected.xml
c:\documents and settings\Owner.YOUR-99DDF15D27\Application Data\FunWebProducts
c:\documents and settings\Owner.YOUR-99DDF15D27\Favorites\Online Security Test.url
c:\documents and settings\Owner.YOUR-99DDF15D27\Local Settings\Temporary Internet Files\3QW2gj1Gv.jpg
c:\documents and settings\Owner.YOUR-99DDF15D27\Local Settings\Temporary Internet Files\JP40b6.jpg
c:\documents and settings\Owner.YOUR-99DDF15D27\Local Settings\Temporary Internet Files\SxHpl.jpg
c:\documents and settings\Owner.YOUR-99DDF15D27\Local Settings\Temporary Internet Files\xcvrOxdl.jpg
c:\documents and settings\Owner.YOUR-99DDF15D27\Start Menu\Programs\AntiSpywareShield
c:\documents and settings\Owner.YOUR-99DDF15D27\Start Menu\Programs\AntiSpywareShield\AntiSpywareShield.lnk
c:\documents and settings\Owner.YOUR-99DDF15D27\Start Menu\Programs\AntiSpywareShield\Uninstall.lnk
c:\program files\Adssite Advanced Toolbar
c:\program files\Adssite Advanced Toolbar\buttons.xml
c:\program files\Adssite Advanced Toolbar\search.xml
c:\program files\Adssite Advanced Toolbar\toOLbar.dll
c:\program files\Adssite Advanced Toolbar\uninstall.exe
c:\program files\AntiSpywareShield
c:\program files\AntiSpywareShield\AntiSpywareShield.lic
c:\program files\AntiSpywareShield\AntiSpywareShield0.ad
c:\program files\AntiSpywareShield\AntiSpywareShield0.dll
c:\program files\AntiSpywareShield\AntiSpywareShield1.ad
c:\program files\AntiSpywareShield\AntiSpywareShield1.dll
c:\program files\AntiSpywareShield\AntiSpywareShield3.dll
c:\program files\AntiSpywareShield\Uninstall.exe
c:\program files\Common Files\System\Uninstall
c:\program files\Common Files\System\Uninstall\Uninstall A360.lnk
c:\program files\FunWebProducts
c:\program files\FunWebProducts\PopSwatr\History\allowed
c:\program files\FunWebProducts\PopSwatr\History\notallow
c:\program files\FunWebProducts\ScreenSaver\Images\008B6916.urr
c:\program files\FunWebProducts\Shared\Cache\AvatarSmallBtn.html
c:\program files\FunWebProducts\Shared\Cache\CursorManiaBtn.html
c:\program files\FunWebProducts\Shared\Cache\FunBuddyIconBtn.html
c:\program files\FunWebProducts\Shared\Cache\MailStampBtn.html
c:\program files\FunWebProducts\Shared\Cache\MyFunCardsIMBtn.html
c:\program files\FunWebProducts\Shared\Cache\MyStationeryBtn.html
c:\program files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html
c:\program files\FunWebProducts\Shared\Cache\WebfettiBtn.html
c:\program files\Internet Explorer\msimg32.dll
c:\program files\MyWebSearch
c:\program files\MyWebSearch\bar\1.bin\F3HTMLMU.DLL
c:\program files\MyWebSearch\bar\1.bin\F3REPROX.DLL
c:\program files\MyWebSearch\bar\1.bin\MWSBAR.DLL
c:\program files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
c:\program files\MyWebSearch\bar\1.bin\MWSOESTB.DLL
c:\program files\MyWebSearch\bar\2.bin\F3BKGERR.JPG
c:\program files\MyWebSearch\bar\2.bin\F3BROVLY.DLL
c:\program files\MyWebSearch\bar\2.bin\F3CJPEG.DLL
c:\program files\MyWebSearch\bar\2.bin\F3DTactl.dll
c:\program files\MyWebSearch\bar\2.bin\F3HISTSW.DLL
c:\program files\MyWebSearch\bar\2.bin\F3HTmlmu.dll
c:\program files\MyWebSearch\bar\2.bin\F3HTtpct.dll
c:\program files\MyWebSearch\bar\2.bin\F3IMSTUB.DLL
c:\program files\MyWebSearch\bar\2.bin\F3POPSWT.DLL
c:\program files\MyWebSearch\bar\2.bin\F3PSSAVR.SCR
c:\program files\MyWebSearch\bar\2.bin\F3REPROX.DLL
c:\program files\MyWebSearch\bar\2.bin\F3RESTUB.DLL
c:\program files\MyWebSearch\bar\2.bin\F3SCHMON.EXE
c:\program files\MyWebSearch\bar\2.bin\F3SCRCTR.DLL
c:\program files\MyWebSearch\bar\2.bin\F3SHllvw.dll
c:\program files\MyWebSearch\bar\2.bin\F3SPACER.WMV
c:\program files\MyWebSearch\bar\2.bin\F3WALLPP.DAT
c:\program files\MyWebSearch\bar\2.bin\F3WPHOOK.DLL
c:\program files\MyWebSearch\bar\2.bin\M3FFXTBR.JAR
c:\program files\MyWebSearch\bar\2.bin\M3FFXTBR.MANIFEST
c:\program files\MyWebSearch\bar\2.bin\M3HTml.dll
c:\program files\MyWebSearch\bar\2.bin\M3IDLE.DLL
c:\program files\MyWebSearch\bar\2.bin\M3IMPIPE.EXE
c:\program files\MyWebSearch\bar\2.bin\M3MSG.DLL
c:\program files\MyWebSearch\bar\2.bin\M3NTSTBR.JAR
c:\program files\MyWebSearch\bar\2.bin\M3NTSTBR.MANIFEST
c:\program files\MyWebSearch\bar\2.bin\M3OUtlcn.dll
c:\program files\MyWebSearch\bar\2.bin\M3PLUGIN.DLL
c:\program files\MyWebSearch\bar\2.bin\M3SKIN.DLL
c:\program files\MyWebSearch\bar\2.bin\M3SKPLAY.EXE
c:\program files\MyWebSearch\bar\2.bin\M3SLSRCH.EXE
c:\program files\MyWebSearch\bar\2.bin\M3SRCHMN.EXE
c:\program files\MyWebSearch\bar\2.bin\MWSBAR.DLL
c:\program files\MyWebSearch\bar\2.bin\MWSOEMON.EXE
c:\program files\MyWebSearch\bar\2.bin\MWSOEPLG.DLL
c:\program files\MyWebSearch\bar\2.bin\MWSOESTB.DLL
c:\program files\MyWebSearch\bar\2.bin\NPMYWEBS.DLL
c:\program files\MyWebSearch\bar\Avatar\COMMON.F3S
c:\program files\MyWebSearch\bar\Cache\0005D393
c:\program files\MyWebSearch\bar\Cache\000EE8E5
c:\program files\MyWebSearch\bar\Cache\0013A7CC.bin
c:\program files\MyWebSearch\bar\Cache\0013B038.bin
c:\program files\MyWebSearch\bar\Cache\0013B1A0.bin
c:\program files\MyWebSearch\bar\Cache\0018F085
c:\program files\MyWebSearch\bar\Cache\0019867C.bin
c:\program files\MyWebSearch\bar\Cache\00589761.bin
c:\program files\MyWebSearch\bar\Cache\00589A7E.bin
c:\program files\MyWebSearch\bar\Cache\00589C43.bin
c:\program files\MyWebSearch\bar\Cache\00589E09.bin
c:\program files\MyWebSearch\bar\Cache\00589FDD.bin
c:\program files\MyWebSearch\bar\Cache\008B4BCA
c:\program files\MyWebSearch\bar\Cache\008B50FA.bin
c:\program files\MyWebSearch\bar\Cache\008B5242.bin
c:\program files\MyWebSearch\bar\Cache\008B5F23.bin
c:\program files\MyWebSearch\bar\Cache\008B6D0D.bin
c:\program files\MyWebSearch\bar\Cache\008B79CF.bin
c:\program files\MyWebSearch\bar\Cache\01145BBD.bin
c:\program files\MyWebSearch\bar\Cache\files.ini
c:\program files\MyWebSearch\bar\Game\CHECKERS.F3S
c:\program files\MyWebSearch\bar\Game\CHESS.F3S
c:\program files\MyWebSearch\bar\Game\REVERSI.F3S
c:\program files\MyWebSearch\bar\History\search2
c:\program files\MyWebSearch\bar\icons\CM.ICO
c:\program files\MyWebSearch\bar\icons\MFC.ICO
c:\program files\MyWebSearch\bar\icons\PSS.ICO
c:\program files\MyWebSearch\bar\icons\SMILEY.ICO
c:\program files\MyWebSearch\bar\icons\WB.ICO
c:\program files\MyWebSearch\bar\icons\ZWINKY.ICO
c:\program files\MyWebSearch\bar\Message\COMMON.F3S
c:\program files\MyWebSearch\bar\Message\COMMON\ask_logo.gif
c:\program files\MyWebSearch\bar\Message\COMMON\autoup.gif
c:\program files\MyWebSearch\bar\Message\COMMON\autoup.htm
c:\program files\MyWebSearch\bar\Message\COMMON\center.htm
c:\program files\MyWebSearch\bar\Message\COMMON\index.htm
c:\program files\MyWebSearch\bar\Message\COMMON\mid_dots.gif
c:\program files\MyWebSearch\bar\Message\COMMON\mws_logo.gif
c:\program files\MyWebSearch\bar\Message\COMMON\protect.htm
c:\program files\MyWebSearch\bar\Message\COMMON\shocked.gif
c:\program files\MyWebSearch\bar\Message\COMMON\stop.gif
c:\program files\MyWebSearch\bar\Message\COMMON\systray.htm
c:\program files\MyWebSearch\bar\Message\COMMON\systrayp.htm
c:\program files\MyWebSearch\bar\Message\COMMON\tp_grad.gif
c:\program files\MyWebSearch\bar\Message\COMMON\warn.gif
c:\program files\MyWebSearch\bar\Notifier\COMMON.F3S
c:\program files\MyWebSearch\bar\Notifier\DOG.F3S
c:\program files\MyWebSearch\bar\Notifier\FISH.F3S
c:\program files\MyWebSearch\bar\Notifier\KUNGFU.F3S
c:\program files\MyWebSearch\bar\Notifier\LIFEGARD.F3S
c:\program files\MyWebSearch\bar\Notifier\MAID.F3S
c:\program files\MyWebSearch\bar\Notifier\MAILBOX.F3S
c:\program files\MyWebSearch\bar\Notifier\OPERA.F3S
c:\program files\MyWebSearch\bar\Notifier\ROBOT.F3S
c:\program files\MyWebSearch\bar\Notifier\SEDUCT.F3S
c:\program files\MyWebSearch\bar\Notifier\SURFER.F3S
c:\program files\MyWebSearch\bar\Search\COMMON.F3S
c:\program files\MyWebSearch\bar\Search\COMMON\bd_grad.gif
c:\program files\MyWebSearch\bar\Search\COMMON\center.htm
c:\program files\MyWebSearch\bar\Search\COMMON\index.htm
c:\program files\MyWebSearch\bar\Search\COMMON\mid_dots.gif
c:\program files\MyWebSearch\bar\Search\COMMON\stop.gif
c:\program files\MyWebSearch\bar\Search\COMMON\systray.htm
c:\program files\MyWebSearch\bar\Search\COMMON\systrayp.htm
c:\program files\MyWebSearch\bar\Search\COMMON\tp_grad.gif
c:\program files\MyWebSearch\bar\Search\COMMON\warn.gif
c:\program files\MyWebSearch\bar\Settings\hs_err_pid2272.log
c:\program files\MyWebSearch\bar\Settings\hs_err_pid3540.log
c:\program files\MyWebSearch\bar\Settings\hs_err_pid3596.log
c:\program files\MyWebSearch\bar\Settings\hs_err_pid416.log
c:\program files\MyWebSearch\bar\Settings\hs_err_pid796.log
c:\program files\MyWebSearch\bar\Settings\prevcfg2.htm
c:\program files\MyWebSearch\bar\Settings\s_pid.dat
c:\program files\MyWebSearch\bar\Settings\setting2.htm
c:\program files\MyWebSearch\bar\Settings\setting2.htm.bak
c:\program files\MyWebSearch\bar\Settings\settings.dat
c:\program files\MyWebSearch\bar\Settings\settings.dat.bak
c:\program files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
c:\program files\MyWebSearch\SrchAstt\2.bin\MWSSrcas.dll
c:\program files\Seekmo Programs
c:\program files\Seekmo Programs\Seekmo Toolbar\SeEKmotb.dll
c:\program files\Seekmo Programs\Seekmo Toolbar\SeekmoTBUninstaller.exe
c:\program files\VirusHeat 4.3
c:\program files\VirusHeat 4.3\vpp.ini
c:\recycler\S-1-5-21-1671627054-3971227754-2173816183-500
c:\recycler\S-1-5-21-3271917552-2091913210-2675857763-500
c:\windows\amaxecug.dll
c:\windows\ayonireyi.dll
c:\windows\Downloaded Program Files\f3initialsetup1.0.0.15-3.inf
c:\windows\ehubifamav.dll
c:\windows\elerikom.dll
c:\windows\ifuyuliw.dll
c:\windows\olejahig.dll
c:\windows\system32\{6952e675-7df8-2a87-c542-6f7095595d2d}.dll-uninst.exe
c:\windows\system32\adssite-remove.exe
c:\windows\system32\alog.txt
c:\windows\system32\bb1.dat
c:\windows\system32\cmds.txt
c:\windows\system32\cont_adssite-remove.exe
c:\windows\system32\cookie1.dat
c:\windows\system32\cs.dat
c:\windows\system32\drivers\UACnswwuyxv.sys
c:\windows\system32\f3PSSavr.scr
c:\windows\system32\fklame32.dll
c:\windows\system32\gzmrt.dll
c:\windows\system32\nsj1F4.dll
c:\windows\system32\ps1.dat
c:\windows\system32\rc.dat
c:\windows\system32\rightonadz-uninst.exe
c:\windows\system32\tb.dr
c:\windows\system32\tkighwgosmq.exe
c:\windows\system32\uacinit.dll
c:\windows\system32\UACixuqydbr.dat
c:\windows\system32\UACkjbmqrrn.dll
c:\windows\system32\UACmlwhkyna.dll
c:\windows\system32\UACmytbaxhi.dll
c:\windows\system32\UACpqvxfujv.log
c:\windows\system32\UACqobirjko.dll
c:\windows\system32\UACrodapkbg.dll
c:\windows\system32\UACulbirsod.log
c:\windows\system32\UACwvkyfmpf.log
c:\windows\system32\webovfqpohitlpt.dll
c:\windows\system32\wiNConfig.dll
c:\windows\Ufosijehulalih.dll
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Legacy_UACd.sys


((((((((((((((((((((((((( Files Created from 2010-02-28 to 2010-03-30 )))))))))))))))))))))))))))))))
.

2010-03-30 20:52 . 2010-03-30 20:52 -------- d-----w- c:\documents and settings\Administrator\Application Data\McAfee.com Personal Firewall
2010-03-24 12:27 . 2010-03-24 12:27 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-03-24 03:41 . 2006-11-01 20:07 3623736 ----a-w- C:\procexp.exe
2010-03-23 20:05 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-23 20:05 . 2010-03-23 20:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-23 20:05 . 2010-01-07 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-23 12:43 . 2010-03-23 12:43 -------- d-----w- c:\documents and settings\Owner.YOUR-99DDF15D27\Application Data\AVG8
2010-03-23 03:17 . 2010-03-23 03:34 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2010-03-18 23:46 . 2010-03-23 19:35 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-18 20:46 . 2010-03-24 03:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-30 21:33 . 2007-02-03 05:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-03-24 03:59 . 2007-10-07 05:35 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2010-03-24 03:10 . 2006-08-01 00:43 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee.com Personal Firewall
2010-03-23 05:41 . 2006-08-01 00:39 -------- d-----w- c:\program files\Common Files\Adobe
2010-03-23 04:45 . 2009-02-03 02:57 103368 ----a-w- c:\windows\system32\a4f32ab1-be62-394f-d033-4ec19f6e2bff.exe
2010-03-18 19:32 . 2006-06-19 04:25 43472 -c--a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-18 15:36 . 2007-01-03 00:26 -------- d-----w- c:\program files\Lx_cats
2010-02-02 05:38 . 2010-02-02 05:38 2004480 ----a-w- c:\windows\system32\d93dbb42-70f1-3b9e-c3b8-0b3bc7760195.dll
2007-03-17 04:52 . 2007-03-17 04:52 774144 -c--a-w- c:\program files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{946f6166-237c-75b5-8817-def624482c8a}]
2010-02-02 05:38 2004480 ----a-w- c:\windows\system32\d93dbb42-70f1-3b9e-c3b8-0b3bc7760195.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LXCGCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll" [2005-07-20 73728]
"MCUpdateExe"="c:\progra~1\mcafee.com\agent\McUpdate.exe" [2006-01-11 212992]
"MCAgentExe"="c:\progra~1\mcafee.com\agent\McAgent.exe" [2005-09-23 303104]
"MSKAGENTEXE"="c:\progra~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-09-26 110592]
"MPFEXE"="c:\program files\McAfee.com\Personal Firewall\MPFTray.exe" [2005-09-28 999424]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=c:\windows\pss\BigFix.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SnapDetect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SnapDetect.lnk
backup=c:\windows\pss\SnapDetect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner.YOUR-99DDF15D27^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
path=c:\documents and settings\Owner.YOUR-99DDF15D27\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
backup=c:\windows\pss\PowerReg Scheduler V3.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power2GoExpress]
NA [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-12-11 21:57 948672 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-18 14:58 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-04 01:43 69632 ----a-w- c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
2004-10-19 00:42 79448 ----a-w- c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2008-07-10 15:47 116040 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
2006-03-22 01:30 1191936 ----a-w- c:\program files\Canon\MyPrinter\BJMYPRT.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dancer]
2004-12-14 15:19 188416 ----a-w- c:\program files\Windows Plus\Dancer\Dancer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-06 03:56 64512 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]
2005-08-01 12:05 94208 ----a-w- c:\program files\Lexmark 2300 Series\ezprint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer]
2005-07-12 13:36 299008 ----a-w- c:\program files\Lexmark Fax Solutions\fm3032.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FLMOFFICE4DMOUSE]
2008-04-21 02:49 958464 ----a-w- c:\program files\Labtec\Desktop\V5.1\MOffice.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2008-04-25 01:45 29744 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2004-11-03 21:03 125528 ----a-w- c:\program files\Common Files\AOL\1154392867\EE\AOLHostManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxcgmon.exe]
2005-07-21 06:07 200704 ----a-w- c:\program files\Lexmark 2300 Series\lxcgmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
2005-09-23 00:29 303104 ----a-w- c:\progra~1\McAfee.com\Agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
2006-01-11 18:05 212992 ----a-w- c:\progra~1\McAfee.com\Agent\mcupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe]
2005-09-28 00:17 999424 ----a-w- c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPSExe]
2005-09-28 23:28 296488 ----a-w- c:\progra~1\McAfee.com\MPS\mscifapp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKAGENTEXE]
2005-09-26 17:26 110592 ----a-w- c:\progra~1\McAfee\SPAMKI~1\MSKAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
2005-08-12 23:16 1121792 ----a-w- c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OASClnt]
2005-08-12 05:02 53248 ----a-w- c:\program files\McAfee.com\VSO\oasclnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OFFICEKB]
2008-04-21 02:49 387584 ----a-w- c:\program files\Labtec\Desktop\V5.1\KBDAP32A.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pwozule]
2009-02-19 23:50 132608 ----a-w- c:\windows\ulocimaf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-05-27 16:50 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\readericon]
2005-12-10 01:44 139264 ----a-w- c:\program files\Digital Media Reader\readericon45G.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2007-03-19 23:53 26112 ----a-w- c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2002-09-14 06:42 212992 ----a-w- c:\windows\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
2005-02-26 01:24 966656 ----a-w- c:\windows\creator\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2006-04-05 00:44 16120832 ----a-w- c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SightSpeed]
2007-03-13 17:45 3526720 ----a-w- c:\program files\SightSpeed\SightSpeed.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2006-11-09 22:07 49263 ----a-w- c:\program files\Java\jre1.5.0_10\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
2005-08-10 19:49 163840 ----a-w- c:\progra~1\McAfee.com\VSO\mcvsshld.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
2005-07-09 01:18 151552 ----a-w- c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1154392867\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\Ares\\Ares.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Gateway Games\\Wheel of Fortune\\Wheel of Fortune.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\SightSpeed\\SightSpeed.exe"=

R0 Achernar;Achernar - SCSI Command Filter Drivers;c:\windows\system32\drivers\Achernar.sys [12/22/2007 9:43 PM 18432]
S3 DSCVc;Video Capture;c:\windows\system32\drivers\CoachVc.sys [12/22/2007 9:38 PM 44256]
S3 GoogleDesktopManager-022208-143751;Google Desktop Manager 5.7.802.22438;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [7/31/2006 6:29 PM 29744]
.
Contents of the 'Scheduled Tasks' folder

2009-02-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 23:57]

2010-03-30 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-03 17:48]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultUrl = hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZNxmk572YYUS&fl=0&ptb=S.q1sMZKfjyfHb60xeg.3g&url=http://edits.mywebsearch.com/toolbaredits/barsearch.jhtml&st=sb&searchfor={searchTerms}
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\windows\system32\mclsp.dll
.
- - - - ORPHANS REMOVED - - - -

BHO-{313065C5-48F7-13C5-2BC0-A4564A82B856} - c:\windows\system32\webovfqpohitlpt.dll
WebBrowser-{5CBE2611-C31B-401F-89BC-4CBB25E853D7} - (no file)
HKLM-Run-ptjbrniscuvcegqwn - c:\windows\system32\webovfqpohitlpt.dll
MSConfigStartUp-BD8EF07AC9BE4281D6C703C5916E687E - c:\program files\A360\av360.exe
MSConfigStartUp-I downloaded pirated Software from P2P - c:\windows\system32\Roller Coaster Tycoon 3 soaked .exe
MSConfigStartUp-Icijilape - c:\windows\Ufosijehulalih.dll
MSConfigStartUp-My Web Search Bar Search Scope Monitor - c:\progra~1\MYWEBS~1\bar\2.bin\m3SrchMn.exe
MSConfigStartUp-MyWebSearch Email Plugin - c:\progra~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
MSConfigStartUp-ptjbrniscuvcegqwn - c:\windows\system32\webovfqpohitlpt.dll
MSConfigStartUp-Windows update - c:\windows\system32\udupdate.exe
AddRemove-AdssiteToolBar - c:\program files\Adssite Advanced Toolbar\uninstall.exe
AddRemove-MultiMedia Software - c:\program files\NetProject\uninst.exe
AddRemove-RealPlayer 6.0 - c:\program files\Common Files\Real\Update\\rnuninst.exe
AddRemove-Secure Browsing - c:\program files\NetProject\sbun.exe
AddRemove-ShockwaveFlash - c:\windows\system32\Macromed\Flash\FlashUtil9b.exe
AddRemove-tkighwgosmq - c:\windows\system32\tkighwgosmq.exe
AddRemove-WT030381 - c:\program files\Gateway Games\G.H.O.S.T. Hunters



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-30 16:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCGCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16
MPFEXE = "c:\program files\McAfee.com\Personal Firewall\MPFTray.exe"

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(556)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(612)
c:\windows\system32\mclsp.dll
c:\windows\system32\SPORDER.dll
c:\windows\system32\mclsphlr\gdlsphlr.dll
c:\windows\system32\McRtl32.dll

- - - - - - - > 'explorer.exe'(1492)
c:\progra~1\McAfee\SPAMKI~1\mskoeplg.dll
c:\progra~1\mcafee.com\vso\McVSSkt.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Common Files\aolshare\aolshcpy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\AOL\ACS\AOLAcsd.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\progra~1\mcafee.com\vso\mcshield.exe
c:\progra~1\mcafee.com\agent\mctskshd.exe
c:\progra~1\mcafee.com\vso\OasClnt.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\windows\system32\MsPMSPSv.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\progra~1\McAfee.com\PERSON~1\MpfAgent.exe
c:\progra~1\McAfee.com\PERSON~1\MpfService.exe
c:\progra~1\McAfee\SPAMKI~1\MSKSrvr.exe
.
**************************************************************************
.
Completion time: 2010-03-30 16:15:44 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-30 22:15

Pre-Run: 9,530,732,544 bytes free
Post-Run: 118,551,093,248 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - 87118EADB0C87E37B4B75AB1189D492D

Attached Files

  • Attached File  OTS.Txt   153.52KB   9 downloads


#5 husky1954

husky1954
  • Topic Starter

  • Members
  • 41 posts
  • Gender:Male
  • Location:Eagle, CO
  • Local time:09:55 AM

Posted 30 March 2010 - 09:12 PM

Ltangelic,

First I would like to give you and techextreme a big bleeping thank you for your help.

After running ComboFix and OTS I was able to run Malwarebytes. I stopped at the first screen and exited the run.
Is it ok for me to update and run Malwarebytes and Spybot?

Husky

#6 Ltangelic

Ltangelic

    Angel Annihilator of Malware


  • Members
  • 348 posts
  • Gender:Female
  • Location:Somewhere
  • Local time:12:55 AM

Posted 30 March 2010 - 09:20 PM

Hi husky1954,

Please do not run any scans unless I tell you to. I would ask for your patience in waiting for my next fix to come.

Thank you very much.

Bleepingcomputer Malware Response Team

Please do NOT PM anyone with HJT logs, read this and post your logs here.


#7 Ltangelic

Ltangelic

    Angel Annihilator of Malware


  • Members
  • 348 posts
  • Gender:Female
  • Location:Somewhere
  • Local time:12:55 AM

Posted 31 March 2010 - 04:20 AM

Hey husky1954,

ComboFix did a pretty good job, but we've got more trash to clean up.

Please follow my instructions in the order they were given, and print out a copy of it as you may not have access to the forums during the fix.

Before we go on to run the tools, it would be advisable to temporarily disable your protection software(s) (McAfee) as it/they may hinder the tools from running. Instructions are in the link below:

http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

1) Run CFScript

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

CODE
DDS::
BHO: MyWebSearch Search Assistant BHO: {00a6faf1-072e-44cf-8957-5838f569a31d} - c:\program files\mywebsearch\srchastt\2.bin\MWSSRCAS.DLL
BHO: mwsBar BHO: {07b18ea1-a523-4961-b6bb-170de4475cca} - c:\program files\mywebsearch\bar\2.bin\MWSBAR.DLL
BHO: rightonadz browser enhancer: {313065c5-48f7-13c5-2bc0-a4564a82b856} - c:\windows\system32\webovfqpohitlpt.dll
BHO: {6860a44b-5d3e-433d-a7b5-d517f810d0e7} - c:\program files\netproject\sbmdl.dll
BHO: adssite: {946f6166-237c-75b5-8817-def624482c8a} - c:\windows\system32\d93dbb42-70f1-3b9e-c3b8-0b3bc7760195.dll
BHO: ads_optimizer: {9c8a568e-4201-478a-8536-526cf371d2e2} - c:\windows\system32\nsj1F4.dll
BHO: &Research: {d263fa6d-84cc-48a8-9af6-c664362b7a5b} - c:\windows\system32\winconfig.dll
BHO: Google plugin: {f6e0ef5f-5f03-43f9-8e02-bbaaa95eaa9c} - nods32.dll
TB: Seekmo Toolbar: {53e0b6e8-a51d-448b-b692-40b67b285543} - c:\program files\seekmo programs\seekmo toolbar\SeekmoTB.dll
TB: Adssite Toolbar: {41c29b07-6f91-4966-91be-2e2841643c83} - c:\program files\adssite advanced toolbar\toolbar.dll
TB: My Web Search: {07b18ea9-a523-4961-b6bb-170de4475cca} - c:\program files\mywebsearch\bar\2.bin\MWSBAR.DLL
IE: {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.safeiegate.com/redirect.php
DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/WebfettiInitialSetup1.0.0.15-3.cab
STS: {1b40d2ad-d237-4544-b1e1-0bf75bf8fcc0} - No File

File::
c:\windows\system32\a4f32ab1-be62-394f-d033-4ec19f6e2bff.exe
c:\windows\system32\d93dbb42-70f1-3b9e-c3b8-0b3bc7760195.dll
C:\Windows\system32\drivers\UACnswwuyxv.sys
C:\Documents and Settings\Owner.YOUR-99DDF15D27\Local Settings\Temp\UACf45d.tmp
C:\WINDOWS\Temp\UAC4405.tmp
C:\WINDOWS\Temp\UAC4c17.tmp
C:\WINDOWS\Temp\UAC8eba.tmp
C:\WINDOWS\Temp\UACd22d.tmp
C:\WINDOWS\Temp\UACd707.tmp
c:\windows\ulocimaf.dll
C:\Documents and Settings\All Users\Application Data\t7AHIvQWcAEro
C:\Documents and Settings\Owner.YOUR-99DDF15D27\Local Settings\Application Data\t7AHIvQWcAEro
C:\WINDOWS\omasukasevegu.dll
C:\WINDOWS\unusivol.dll

Driver::
Service_UACd.sys
Legacy_UACd.sys

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UACd.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UACd.sys@start]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UACd.sys@type]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UACd.sys@imagepath]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UACd.sys@group]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UACd.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\UACd.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\UACd.sys@start]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\UACd.sys@type]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\UACd.sys@imagepath]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\UACd.sys@group]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{946f6166-237c-75b5-8817-def624482c8a}]
[-HKEY_CLASSES_ROOT\CLSID\{946f6166-237c-75b5-8817-def624482c8a}]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pwozule]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications"=dword:00000000  
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer]
"SearchMigratedDefaultUrl"=-


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



5. After reboot, (in case it asks to reboot), please post the following report/log into your next reply:
  • ComboFix.txt

2) Run Malwarebytes' Anti-Malware
  • Open Malwarebytes by clicking on its shortcut on desktop. Please click on the "Update" tab and click "Check for Updates".
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

3) Program Removals

From your log, you seem to have WildTangent, Viewpoint and LimeWire installed.

Viewpoint is not malware, but it is considered foistware that is installed without your permission. While it is not harmful in itself, it can bring about unnecessary security risks to your computer as well as collecting private information about your browsing habits. Please look at the article(s) below:

http://en.wikipedia.org/wiki/Viewpoint_Media_Player

WildTangent and LimeWire can bring security risks to your computer as they allow the downloading/sharing of files. Moreover, WildTangent may actually invade your privacy by collecting sensitive information without your knowledge. Please have a look at the following:

http://en.wikipedia.org/wiki/WildTangent
http://en.wikipedia.org/wiki/LimeWire
http://www.microsoft.com/protect/data/down...ilesharing.aspx

Due to the dubious nature of these programs, it is highly recommended that you remove the programs via Add or Remove Programs in Control Panel and refrain from downloading these programs in the future. If you have made a decision to remove these programs, please do the following:

Please go to Add or Remove Programs and remove the following (if present):

LimeWire 4.16.6
Viewpoint Media Player
WildTangent Web Driver
Adssite Advanced Toolbar
My Web Search (Webfetti)
Seekmo Toolbar


Then use Windows Explorer and remove the following (if present):
C:\Program Files\Viewpoint
C:\Program Files\WildTangent
C:\Program Files\LimeWire
C:\Program Files\Seekmo Toolbar
C:\Program Files\Adssite Advanced Toolbar


Reboot your computer.

Next reply (please include in your post):

New OTS log (re-run quick scan)
ComboFix.txt
MBAM scan log

Bleepingcomputer Malware Response Team

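To review what a CFScript like the one in the post above will actually do before it is handed to ComboFix, here is an added Python parser (example code, not ComboFix's or the forum's own) that reads the File::, Driver::, Registry:: and DDS:: sections into an action list and checks that the Security Center override values the log showed flipped to 1 are written back to 0. The embedded script is a constructed excerpt of the one posted; the section semantics (a `[-KEY]` line deletes a key, `"Name"=dword:...` sets a value, `"Name"=-` deletes a value) are taken from that script.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt of the CFScript posted in this thread; the real one is longer.
SAMPLE_CFSCRIPT = r"""File::
c:\windows\system32\d93dbb42-70f1-3b9e-c3b8-0b3bc7760195.dll
C:\Windows\system32\drivers\UACnswwuyxv.sys

Driver::
Service_UACd.sys
Legacy_UACd.sys

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UACd.sys]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer]
"SearchMigratedDefaultUrl"=-
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::$")          # e.g. "Registry::"
KEY_RE = re.compile(r"^\[(-?)(.+)\]$")                 # "[KEY]" or "[-KEY]"
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')             # "Name"=data
DWORD_RE = re.compile(r"^dword:([0-9a-fA-F]{8})$")

# Subtree whose values the ComboFix log showed set to 1 (AV/firewall overrides).
SECURITY_CENTER_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\security center"


@dataclass
class CFScriptActions:
    files: list = field(default_factory=list)           # paths to delete
    drivers: list = field(default_factory=list)         # services/drivers to remove
    dds_lines: list = field(default_factory=list)       # DDS log lines to act on
    deleted_keys: list = field(default_factory=list)    # [-KEY] entries
    deleted_values: list = field(default_factory=list)  # (key, name) from "name"=-
    set_values: list = field(default_factory=list)      # (key, name, raw data)


def parse_dword(raw):
    """Turn regedit's dword:XXXXXXXX notation into an int."""
    m = DWORD_RE.match(raw)
    if not m:
        raise ValueError(f"not a dword value: {raw!r}")
    return int(m.group(1), 16)


def parse_cfscript(text):
    actions = CFScriptActions()
    section = None
    current_key = None   # key that following "Name"=data lines apply to
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            current_key = None
            continue
        if section == "file":
            actions.files.append(line)
        elif section == "driver":
            actions.drivers.append(line)
        elif section == "dds":
            actions.dds_lines.append(line)
        elif section == "registry":
            km = KEY_RE.match(line)
            vm = VALUE_RE.match(line)
            if km and km.group(1) == "-":
                actions.deleted_keys.append(km.group(2))  # whole key removed
                current_key = None
            elif km:
                current_key = km.group(2)
            elif vm and current_key is not None:
                name, data = vm.group(1), vm.group(2).strip()
                if data == "-":
                    actions.deleted_values.append((current_key, name))
                else:
                    actions.set_values.append((current_key, name, data))
            else:
                raise ValueError(f"unparseable Registry:: line: {line!r}")
        else:
            raise ValueError(f"line outside a known section: {line!r}")
    return actions


def security_center_restored(actions):
    """True when every Security Center value the script writes is set back to 0."""
    written = [data for key, _, data in actions.set_values
               if key.lower().startswith(SECURITY_CENTER_KEY.lower())]
    return bool(written) and all(parse_dword(d) == 0 for d in written)


if __name__ == "__main__":
    parsed = parse_cfscript(SAMPLE_CFSCRIPT)
    for key, name, data in parsed.set_values:
        print(f"set {key}\\{name} = {data}")
    print("Security Center overrides reverted:", security_center_restored(parsed))
```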

#8 husky1954

husky1954
  • Topic Starter

  • Members
  • 41 posts
  • Gender:Male
  • Location:Eagle, CO
  • Local time:09:55 AM

Posted 31 March 2010 - 10:13 AM

1. The last time I shut down the computer Windows Update ran and installed something. Odd, I have Windows Update disabled.
2. Booted to normal Windows.
3. Disabled Windows Firewall.
4. Disabled McAfee firewall and virus scan.
5. Created CFScript.txt and dragged it to ComboFix.exe.
6. CF started, created a new restore point, started scanning and finished.
7. I uninstalled the old version of Malwarebytes.
8. Having trouble with Internet Explorer. It's trying to connect to 65.55.17.27. I unplugged the cable and it stopped. Plugged it back in and was able to go to bleepingcomputer.com.
9. Downloaded and installed MB. MB updated to version 3937. MB started and I clicked Quick Scan. MB completed and found 34 infected objects. MB required a reboot.
10. After the reboot I uninstalled LimeWire, Viewpoint, and WildTangent. Adssite, My Web Search and Seekmo were not present. I deleted the C:\Program Files entries.
11. Ran OTS Quick Scan.
12. I noticed that WildTangent and Viewpoint still have entries under Documents and Settings. Should I delete them?
13. Internet Explorer is still trying to connect to 65.55.17.27. I don't know what IP location this is. I would like to get rid of it. Did the same as #7 above to get into bleepingcomputer.com.
14. I would like to do a defrag if it is ok.

Again thank you
Husky

CODE
OTS logfile created on: 3/31/2010 8:17:42 AM - Run 3
OTS by OldTimer - Version 3.1.27.1     Folder = C:\Documents and Settings\Owner.YOUR-99DDF15D27\Desktop
Windows XP Media Center Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

382.00 Mb Total Physical Memory | 79.00 Mb Available Physical Memory | 21.00% Memory free
917.00 Mb Paging File | 644.00 Mb Available in Paging File | 70.00% Paging File free
Paging file location(s): C:\pagefile.sys 576 1152 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 143.75 Gb Total Space | 110.60 Gb Free Space | 76.93% Space Free | Partition Type: NTFS
Drive D: | 5.28 Gb Total Space | 3.37 Gb Free Space | 63.71% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: YOUR-99DDF15D27
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Quick Scan

[Processes - Safe List]
ots.exe -> C:\Documents and Settings\Owner.YOUR-99DDF15D27\Desktop\OTS.exe -> [2010/03/30 18:03:35 | 000,637,440 | ---- | M] (OldTimer Tools)
explorer.exe -> C:\WINDOWS\explorer.exe -> [2007/06/13 04:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation)
prismxl.sys -> C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS -> [2006/07/31 18:27:45 | 000,172,032 | ---- | M] (New Boundary Technologies, Inc.)
mcdetect.exe -> c:\Program Files\McAfee.com\Agent\Mcdetect.exe -> [2005/10/13 19:56:16 | 000,126,976 | ---- | M] (McAfee, Inc)
mpftray.exe -> C:\Program Files\McAfee.com\Personal Firewall\MpfTray.exe -> [2005/09/27 18:17:46 | 000,999,424 | ---- | M] (McAfee Security)
mskagent.exe -> C:\Program Files\McAfee\SpamKiller\MSKAgent.exe -> [2005/09/26 11:26:58 | 000,110,592 | ---- | M] (McAfee Inc.)
mcagent.exe -> C:\Program Files\McAfee.com\Agent\mcagent.exe -> [2005/09/22 18:29:08 | 000,303,104 | ---- | M] (McAfee, Inc)
mctskshd.exe -> c:\Program Files\McAfee.com\Agent\McTskshd.exe -> [2005/08/24 17:01:04 | 000,122,368 | ---- | M] (McAfee, Inc)
mpfagent.exe -> C:\Program Files\McAfee.com\Personal Firewall\MpfAgent.exe -> [2005/08/16 17:17:34 | 000,524,288 | ---- | M] (McAfee Security)
mpfservice.exe -> C:\Program Files\McAfee.com\Personal Firewall\MpfService.exe -> [2005/08/16 17:11:40 | 000,548,864 | ---- | M] (McAfee Corporation)
oasclnt.exe -> c:\Program Files\McAfee.com\VSO\oasclnt.exe -> [2005/08/11 23:02:44 | 000,053,248 | ---- | M] (McAfee, Inc.)
mcvsshld.exe -> c:\Program Files\McAfee.com\VSO\mcvsshld.exe -> [2005/08/10 13:49:20 | 000,163,840 | ---- | M] (McAfee, Inc.)
mcshield.exe -> c:\Program Files\McAfee.com\VSO\McShield.exe -> [2005/08/10 12:22:02 | 000,221,184 | ---- | M] (McAfee Inc.)
msksrvr.exe -> C:\Program Files\McAfee\SpamKiller\MSKSrvr.exe -> [2005/07/12 19:10:18 | 000,963,072 | ---- | M] (McAfee Inc.)
mcvsescn.exe -> c:\Program Files\McAfee.com\VSO\McVSEscn.exe -> [2005/07/08 19:16:16 | 000,483,328 | ---- | M] (McAfee, Inc.)
aolacsd.exe -> C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe -> [2004/10/20 08:40:04 | 000,010,328 | ---- | M] (America Online)
aoltsmon.exe -> C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe -> [2004/10/15 14:54:14 | 000,100,016 | ---- | M] (America Online, Inc)
aoltpspd.exe -> C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe -> [2004/10/15 14:54:12 | 000,046,768 | ---- | M] (America Online Inc)

[Modules - Safe List]
ots.exe -> C:\Documents and Settings\Owner.YOUR-99DDF15D27\Desktop\OTS.exe -> [2010/03/30 18:03:35 | 000,637,440 | ---- | M] (OldTimer Tools)
comctl32.dll -> C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll -> [2006/08/25 09:45:55 | 001,054,208 | ---- | M] (Microsoft Corporation)
mskoeplg.dll -> C:\Program Files\McAfee\SpamKiller\MSKOEPlg.dll -> [2005/08/17 11:38:00 | 000,143,360 | ---- | M] (McAfee Inc.)
mcvsskt.dll -> c:\Program Files\McAfee.com\VSO\McVSSkt.Dll -> [2005/07/01 21:43:10 | 000,098,304 | ---- | M] (McAfee, Inc.)

[Win32 Services - Safe List]
(GoogleDesktopManager-022208-143751) Google Desktop Manager 5.7.802.22438 [On_Demand | Stopped] -> C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe -> [2008/04/24 19:45:02 | 000,029,744 | ---- | M] (Google)
(FLEXnet Licensing Service) FLEXnet Licensing Service [On_Demand | Stopped] -> C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -> [2007/10/06 22:41:55 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.)
(AresChatServer) Ares Chatroom server [On_Demand | Stopped] -> C:\Program Files\Ares\chatServer.exe -> [2007/03/19 19:19:14 | 000,263,168 | ---- | M] (Ares Development Group)
(usnjsvc) Messenger Sharing Folders USN Journal Reader service [On_Demand | Stopped] -> C:\Program Files\MSN Messenger\usnsvc.exe -> [2007/01/19 12:54:14 | 000,097,136 | ---- | M] (Microsoft Corporation)
(PrismXL) PrismXL [Auto | Running] -> C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS -> [2006/07/31 18:27:45 | 000,172,032 | ---- | M] (New Boundary Technologies, Inc.)
(McDetect.exe) McAfee WSC Integration [Auto | Running] -> c:\Program Files\McAfee.com\Agent\Mcdetect.exe -> [2005/10/13 19:56:16 | 000,126,976 | ---- | M] (McAfee, Inc)
(McTskshd.exe) McAfee Task Scheduler [Auto | Running] -> c:\Program Files\McAfee.com\Agent\McTskshd.exe -> [2005/08/24 17:01:04 | 000,122,368 | ---- | M] (McAfee, Inc)
(MpfService) McAfee Personal Firewall Service [On_Demand | Running] -> C:\Program Files\McAfee.com\Personal Firewall\MpfService.exe -> [2005/08/16 17:11:40 | 000,548,864 | ---- | M] (McAfee Corporation)
(McShield) McAfee.com McShield [Auto | Running] -> c:\Program Files\McAfee.com\VSO\McShield.exe -> [2005/08/10 12:22:02 | 000,221,184 | ---- | M] (McAfee Inc.)
(lxcg_device) lxcg_device [On_Demand | Stopped] -> C:\WINDOWS\System32\lxcgcoms.exe -> [2005/07/25 13:25:18 | 000,491,520 | ---- | M] ( )
(MskService) McAfee SpamKiller Server [Auto | Running] -> C:\Program Files\McAfee\SpamKiller\MSKSrvr.exe -> [2005/07/12 19:10:18 | 000,963,072 | ---- | M] (McAfee Inc.)
(mcupdmgr.exe) McAfee SecurityCenter Update Manager [On_Demand | Stopped] -> C:\Program Files\McAfee.com\Agent\mcupdmgr.exe -> [2005/07/01 20:22:50 | 000,245,760 | ---- | M] (McAfee, Inc)
(AOL ACS) AOL Connectivity Service [Auto | Running] -> C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe -> [2004/10/20 08:40:04 | 000,010,328 | ---- | M] (America Online)
(AOL TopSpeedMonitor) AOL TopSpeed Monitor [Auto | Running] -> C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe -> [2004/10/15 14:54:14 | 000,100,016 | ---- | M] (America Online, Inc)

[Registry - Safe List]
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> ->
HKEY_LOCAL_MACHINE\: Main\\"Local Page" -> %SystemRoot%\system32\blank.htm ->
HKEY_LOCAL_MACHINE\: Search\\"Default_Search_URL" -> http://www.google.com/ie ->
< Internet Explorer Settings [HKEY_CURRENT_USER\] > -> ->
HKEY_CURRENT_USER\: Main\\"SearchMigratedDefaultName" -> My Web Search ->
HKEY_CURRENT_USER\: Main\\"SearchMigratedDefaultUrl" -> http://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZNxmk572YYUS&fl=0&ptb=S.q1sMZKfjyfHb60xeg.3g&url=http://edits.mywebsearch.com/toolbaredits/barsearch.jhtml&st=sb&searchfor={searchTerms} ->
HKEY_CURRENT_USER\: Main\\"Start Page" -> http://www.msn.com/ ->
HKEY_CURRENT_USER\: Search\\"SearchAssistant" -> http://www.google.com/ie ->
HKEY_CURRENT_USER\: SearchURL\\"" -> http://www.google.com/search?q=%s ->
HKEY_CURRENT_USER\: "ProxyEnable" -> 0 ->
HKEY_CURRENT_USER\: "ProxyOverride" -> *.local ->
< FireFox Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla
HKLM\software\mozilla\Firefox\Extensions ->  ->
< FireFox Extensions [User Folders] > ->
< HOSTS File > ([2010/03/30 15:58:22 | 000,000,027 | ---- | M] - 1 lines) -> C:\WINDOWS\system32\drivers\etc\hosts ->
Reset Hosts
127.0.0.1       localhost
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ ->
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [Adobe PDF Reader Link Helper] -> [2009/12/18 02:16:54 | 000,061,888 | ---- | M] (Adobe Systems Incorporated)
{227B8AA8-DAF2-4892-BD1D-73F568BCB24E} [HKLM] -> c:\Program Files\McAfee.com\MPS\McBrHlpr.dll [McBrwHelper Class] -> [2005/09/28 17:23:04 | 000,147,456 | ---- | M] (McAfee, Inc.)
{3EC8255F-E043-4cae-8B3B-B191550C2A22} [HKLM] -> c:\Program Files\McAfee.com\MPS\PopupKiller.dll [McAfee Privacy Service Popup Blocker] -> [2005/09/28 17:28:10 | 000,132,648 | ---- | M] (McAfee, Inc.)
{41D68ED8-4CFF-4115-88A6-6EBB8AF19000} [HKLM] -> c:\Program Files\McAfee\SpamKiller\McApfBHO.dll [McAfee Anti-Phishing Filter] -> [2005/07/12 19:02:38 | 000,262,236 | ---- | M] (McAfee, Inc.)
{68F9551E-0411-48E4-9AAF-4BC42A6A46BE} [HKLM] -> C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll [EWPBrowseObject Class] -> [2006/04/18 19:04:14 | 000,034,304 | ---- | M] ()
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} [HKLM] -> C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll [SSVHelper Class] -> [2006/11/09 16:21:52 | 000,440,056 | ---- | M] (Sun Microsystems, Inc.)
{7E853D72-626A-48EC-A868-BA8D5E23E045} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} [HKLM] -> C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll [Google Toolbar Notifier BHO] -> [2009/02/09 11:48:56 | 000,657,904 | ---- | M] (Google Inc.)
{CA6319C0-31B7-401E-A518-A07C3DB8F777} [HKLM] -> C:\WINDOWS\system32\bae.dll [CBrowserHelperObject Object] -> [2006/02/01 04:54:30 | 000,094,208 | ---- | M] (Gateway Inc.)
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar ->
"{327C2873-E90D-4c37-AA9D-10AC9BABA46C}" [HKLM] -> C:\Program Files\Canon\Easy-WebPrint\Toolband.dll [Easy-WebPrint] -> [2006/04/18 19:05:46 | 000,552,960 | ---- | M] ()
"{BA52B914-B692-46c4-B683-905236F6F655}" [HKLM] -> c:\Program Files\McAfee.com\VSO\mcvsshl.dll [McAfee VirusScan] -> [2005/07/01 21:44:30 | 000,114,688 | ---- | M] (McAfee, Inc.)
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ ->
WebBrowser\\"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" [HKLM] -> Reg Error: Key error. [&Yahoo! Toolbar] -> File not found
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
"LXCGCATS" -> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.DLL [rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16] -> [2005/07/20 11:48:38 | 000,073,728 | ---- | M] ()
"MCAgentExe" -> c:\Program Files\McAfee.com\Agent\mcagent.exe [c:\PROGRA~1\mcafee.com\agent\McAgent.exe] -> [2005/09/22 18:29:08 | 000,303,104 | ---- | M] (McAfee, Inc)
"MCUpdateExe" -> C:\Program Files\McAfee.com\Agent\mcupdate.exe [C:\PROGRA~1\mcafee.com\agent\McUpdate.exe] -> [2006/01/11 12:05:42 | 000,212,992 | ---- | M] (McAfee, Inc)
"MPFEXE" -> C:\Program Files\McAfee.com\Personal Firewall\MPFTray.exe ["C:\Program Files\McAfee.com\Personal Firewall\MPFTray.exe"] -> [2005/09/27 18:17:46 | 000,999,424 | ---- | M] (McAfee Security)
"MSKAGENTEXE" -> C:\Program Files\McAfee\SpamKiller\MSKAgent.exe [C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe] -> [2005/09/26 11:26:58 | 000,110,592 | ---- | M] (McAfee Inc.)
< All Users Startup Folder > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup ->
< Owner.YOUR-99DDF15D27 Startup Folder > -> C:\Documents and Settings\Owner.YOUR-99DDF15D27\Start Menu\Programs\Startup ->
< Software Policy Settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer ->
< CurrentVersion Policy Settings - Explorer [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"HonorAutoRunSetting" ->  [1] -> File not found
\\"NoDriveAutoRun" ->  [67108863] -> File not found
\\"NoDriveTypeAutoRun" ->  [323] -> File not found
\\"NoDrives" ->  [0] -> File not found
< CurrentVersion Policy Settings - System [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
\\"InstallVisualStyle" -> C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles [C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles] -> [2004/08/10 11:39:00 | 001,347,728 | ---- | M] (Microsoft)
\\"InstallTheme" -> C:\WINDOWS\Resources\Themes\Royale.Theme [C:\WINDOWS\Resources\Themes\Royale.theme] -> [2004/07/28 10:03:28 | 000,001,293 | ---- | M] ()
< CurrentVersion Policy Settings - Explorer [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" ->  [323] -> File not found
\\"NoDriveAutoRun" ->  [67108863] -> File not found
\\"NoDrives" ->  [0] -> File not found
< CurrentVersion Policy Settings - System [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System ->
< Internet Explorer Menu Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\ ->
E&xport to Microsoft Excel -> C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE [res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000] -> File not found
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ ->
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}:{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBC} [HKLM] -> C:\Program Files\Java\jre1.5.0_10\bin\NPJPI150_10.dll [Menu: Sun Java Console] -> [2006/11/09 16:21:53 | 000,075,528 | ---- | M] (Sun Microsystems, Inc.)
{39FD89BF-D3F1-45b6-BB56-3582CCF489E1}:{7DD73374-7187-4103-8F29-622AA25E7C40} [HKLM] -> c:\Program Files\McAfee\SpamKiller\McApfBHO.dll [Menu: McAfee Anti-Phishing Filter] -> [2005/07/12 19:02:38 | 000,262,236 | ---- | M] (McAfee, Inc.)
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\ ->
CmdMapping\\"{08B0E5C0-4FCB-11CF-AAA5-00401C608501}" [HKLM] -> C:\Program Files\Java\jre1.5.0_10\bin\NPJPI150_10.dll [Sun Java Console] -> [2006/11/09 16:21:53 | 000,075,528 | ---- | M] (Sun Microsystems, Inc.)
CmdMapping\\"{39FD89BF-D3F1-45b6-BB56-3582CCF489E1}" [HKLM] -> c:\Program Files\McAfee\SpamKiller\McApfBHO.dll [McAfee Anti-Phishing Filter] -> [2005/07/12 19:02:38 | 000,262,236 | ---- | M] (McAfee, Inc.)
CmdMapping\\"{92780B25-18CC-41C8-B9BE-3C9C571A8263}" [HKLM] ->  [Reg Error: Key error.] -> File not found
< Internet Explorer Plugins [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\ ->
< Default Prefix > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix
"" -> http://
< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 1 domain(s) found. ->
< Trusted Sites Ranges [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. ->
< Trusted Sites Domains [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 77 domain(s) found. ->
objects_aol.com [*] -> Out of zone range - ( 5 ) ->
< Trusted Sites Ranges [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 22 range(s) found. ->
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ ->
{8AD9C840-044E-11D1-B3E9-00805F499D93} [HKLM] -> http://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab [Java Plug-in 1.5.0_10] ->
{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab [Java Plug-in 1.5.0_10] ->
{D27CDB6E-AE6D-11CF-96B8-444553540000} [HKLM] -> http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab [Shockwave Flash Object] ->
< Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ ->
DhcpNameServer -> 65.50.3.27 ->
< Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ ->
{479B54BB-4172-4357-8260-BADE31FEF7A0}\\DhcpNameServer -> 64.30.167.4 64.30.167.5   (RCA USB Cable Modem) ->
{ACABAF11-D8FD-4D14-AAC1-188948B86A77}\\DhcpNameServer -> 65.50.3.27   (Realtek RTL8139/810x Family Fast Ethernet NIC) ->
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
*Shell* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell ->
Explorer.exe -> C:\WINDOWS\explorer.exe -> [2007/06/13 04:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation)
*MultiFile Done* -> ->
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ ->
AtiExtEvent -> C:\WINDOWS\System32\ati2evxx.dll -> [2006/01/15 22:42:52 | 000,061,440 | ---- | M] (ATI Technologies Inc.)
< Domain Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List ->
"C:\Program Files\MSN Messenger\livecall.exe" -> C:\Program Files\MSN Messenger\livecall.exe [C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)] -> [2007/01/04 16:10:02 | 000,297,752 | ---- | M] (Microsoft Corporation)
"C:\Program Files\MSN Messenger\msncall.exe" -> C:\Program Files\MSN Messenger\msncall.exe [C:\Program Files\MSN Messenger\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)] -> File not found
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List ->
"C:\Program Files\America Online 9.0\waol.exe" -> C:\Program Files\America Online 9.0\waol.exe [C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AOL] -> [2005/06/23 10:24:34 | 000,037,464 | ---- | M] (America Online, Inc.)
"C:\Program Files\Ares\Ares.exe" -> C:\Program Files\Ares\Ares.exe [C:\Program Files\Ares\Ares.exe:*:Disabled:Ares p2p for windows] -> [2007/03/19 19:21:18 | 000,947,200 | ---- | M] (Ares Development Group)
"C:\Program Files\Common Files\AOL\1154392867\EE\AOLServiceHost.exe" -> C:\Program Files\Common Files\AOL\1154392867\EE\AOLServiceHost.exe [C:\Program Files\Common Files\AOL\1154392867\EE\AOLServiceHost.exe:*:Enabled:AOL] -> [2004/11/03 15:03:00 | 000,110,680 | ---- | M] (America Online, Inc.)
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" -> C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe [C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL] -> [2004/10/20 08:40:04 | 000,010,328 | ---- | M] (America Online)
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" -> C:\Program Files\Common Files\AOL\ACS\AOLDial.exe [C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL] -> [2004/10/20 08:40:04 | 000,034,904 | ---- | M] (America Online)
"C:\Program Files\Common Files\AOL\AOL Spyware Protection\AOLSP Scheduler.exe" -> C:\Program Files\Common Files\AOL\AOL Spyware Protection\AOLSP Scheduler.exe [C:\Program Files\Common Files\AOL\AOL Spyware Protection\AOLSP Scheduler.exe:*:Enabled:AOL] -> [2004/10/18 18:42:18 | 000,079,448 | ---- | M] ()
"C:\Program Files\Common Files\AOL\AOL Spyware Protection\asp.exe" -> C:\Program Files\Common Files\AOL\AOL Spyware Protection\asp.exe [C:\Program Files\Common Files\AOL\AOL Spyware Protection\asp.exe:*:Enabled:AOL] -> [2004/10/15 13:16:06 | 003,040,856 | ---- | M] (AOL Spyware Protection)
"C:\Program Files\Common Files\AOL\Loader\aolload.exe" -> C:\Program Files\Common Files\AOL\Loader\aolload.exe [C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Application Loader] -> [2004/10/14 16:33:08 | 000,012,888 | ---- | M] (America Online, Inc.)
"C:\Program Files\Common Files\AOL\System Information\sinf.exe" -> C:\Program Files\Common Files\AOL\System Information\sinf.exe [C:\Program Files\Common Files\AOL\System Information\sinf.exe:*:Enabled:AOL] -> [2004/11/07 15:10:18 | 000,140,888 | ---- | M] (America Online Inc.)
"C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe" -> C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe [C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe:*:Enabled:AOLTopSpeed] -> [2004/10/15 14:54:12 | 000,046,768 | ---- | M] (America Online Inc)
"C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe" -> C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe [C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe:*:Enabled:AOLTsMon] -> [2004/10/15 14:54:14 | 000,100,016 | ---- | M] (America Online, Inc)
"C:\Program Files\Common Files\AolCoach\en_en\player\AOLNySEV.exe" -> C:\Program Files\Common Files\AolCoach\en_en\player\AOLNySEV.exe [C:\Program Files\Common Files\AolCoach\en_en\player\AOLNySEV.exe:*:Enabled:AOL] -> [2004/10/14 17:34:06 | 000,059,992 | ---- | M] (Gteko Ltd.)
"C:\Program Files\Gateway Games\Wheel of Fortune\Wheel of Fortune.exe" -> C:\Program Files\Gateway Games\Wheel of Fortune\Wheel of Fortune.exe [C:\Program Files\Gateway Games\Wheel of Fortune\Wheel of Fortune.exe:*:Disabled:Wheel of Fortune] -> File not found
"C:\Program Files\LimeWire\LimeWire.exe" -> C:\Program Files\LimeWire\LimeWire.exe [C:\Program Files\LimeWire\LimeWire.exe:*:Disabled:LimeWire] -> File not found
"C:\Program Files\MSN Messenger\livecall.exe" -> C:\Program Files\MSN Messenger\livecall.exe [C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)] -> [2007/01/04 16:10:02 | 000,297,752 | ---- | M] (Microsoft Corporation)
"C:\Program Files\SightSpeed\SightSpeed.exe" -> C:\Program Files\SightSpeed\SightSpeed.exe [C:\Program Files\SightSpeed\SightSpeed.exe:*:Enabled:SightSpeed] -> [2007/03/13 11:45:44 | 003,526,720 | ---- | M] (SightSpeed Inc.)
< SafeBoot AlternateShell [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot ->
< CDROM Autorun Setting [HKEY_LOCAL_MACHINE]> -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom ->
"AutoRun" -> 1 ->
"DisplayName" -> CD-ROM Driver ->
"ImagePath" ->  [system32\DRIVERS\cdrom.sys] -> File not found
< Drives with AutoRun files > ->  ->
C:\AUTOEXEC.BAT [] -> C:\AUTOEXEC.BAT [ NTFS ] -> [2006/06/17 03:41:16 | 000,000,000 | ---- | M] ()
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 ->
< Registry Shell Spawning - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command ->
comfile [open] -> "%1" %* ->
exefile [open] -> "%1" %* ->
< AppCertDlls [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls ->
< File Associations - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>\ ->
.com [@ = ComFile] -> "%1" %* ->
.exe [@ = exefile] -> "%1" %* ->


[Files/Folders - Created Within 14 Days]
mbamswissarmy.sys -> C:\WINDOWS\System32\drivers\mbamswissarmy.sys -> [2010/03/31 07:23:18 | 000,038,224 | ---- | C] (Malwarebytes Corporation)
mbam-setup.exe -> C:\Documents and Settings\Owner.YOUR-99DDF15D27\Desktop\mbam-setup.exe -> [2010/03/31 07:22:18 | 005,918,776 | ---- | C] (Malwarebytes Corporation                                    )
mbam.sys -> C:\WINDOWS\System32\drivers\mbam.sys -> [2010/03/31 07:06:04 | 000,020,824 | ---- | C] (Malwarebytes Corporation)
RECYCLER -> C:\RECYCLER -> [2010/03/31 06:59:27 | 000,000,000 | -HSD | C]
temp -> C:\WINDOWS\temp -> [2010/03/31 06:56:33 | 000,000,000 | ---D | C]
Malwarebytes -> C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\Malwarebytes -> [2010/03/30 19:58:00 | 000,000,000 | ---D | C]
OTS.exe -> C:\Documents and Settings\Owner.YOUR-99DDF15D27\Desktop\OTS.exe -> [2010/03/30 18:03:35 | 000,637,440 | ---- | C] (OldTimer Tools)
cmdcons -> C:\cmdcons -> [2010/03/30 15:17:02 | 000,000,000 | RHSD | C]
SWXCACLS.exe -> C:\WINDOWS\SWXCACLS.exe -> [2010/03/30 15:11:33 | 000,212,480 | ---- | C] (SteelWerX)
SWREG.exe -> C:\WINDOWS\SWREG.exe -> [2010/03/30 15:11:33 | 000,161,792 | ---- | C] (SteelWerX)
SWSC.exe -> C:\WINDOWS\SWSC.exe -> [2010/03/30 15:11:33 | 000,136,704 | ---- | C] (SteelWerX)
NIRCMD.exe -> C:\WINDOWS\NIRCMD.exe -> [2010/03/30 15:11:33 | 000,031,232 | ---- | C] (NirSoft)
ERDNT -> C:\WINDOWS\ERDNT -> [2010/03/30 15:11:11 | 000,000,000 | ---D | C]
Qoobox -> C:\Qoobox -> [2010/03/30 15:08:10 | 000,000,000 | ---D | C]
Wise Installation Wizard -> C:\Program Files\Common Files\Wise Installation Wizard -> [2010/03/24 06:27:57 | 000,000,000 | ---D | C]
procexp.exe -> C:\procexp.exe -> [2010/03/23 21:41:56 | 003,623,736 | ---- | C] (Sysinternals)
Malwarebytes -> C:\Documents and Settings\All Users\Application Data\Malwarebytes -> [2010/03/23 14:05:51 | 000,000,000 | ---D | C]
AVG8 -> C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\AVG8 -> [2010/03/23 06:43:58 | 000,000,000 | ---D | C]
Config.Msi -> C:\Config.Msi -> [2010/03/22 23:39:39 | 000,000,000 | ---D | C]
CSC -> C:\WINDOWS\CSC -> [2010/03/18 16:25:38 | 000,000,000 | -HSD | C]
Malwarebytes' Anti-Malware -> C:\Program Files\Malwarebytes' Anti-Malware -> [2010/03/18 14:46:30 | 000,000,000 | ---D | C]
pss -> C:\WINDOWS\pss -> [2010/03/18 10:25:06 | 000,000,000 | ---D | C]
Microsoft -> C:\Documents and Settings\LocalService\Application Data\Microsoft -> [2008/08/19 17:44:04 | 000,000,000 | --SD | M]
Adobe -> C:\Documents and Settings\LocalService\Application Data\Adobe -> [2008/08/19 11:51:58 | 000,000,000 | ---D | M]
Apple -> C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple -> [2008/05/27 21:25:01 | 000,000,000 | ---D | M]
Sun -> C:\Documents and Settings\LocalService\Application Data\Sun -> [2008/02/02 16:33:31 | 000,000,000 | ---D | M]
Macromedia -> C:\Documents and Settings\LocalService\Application Data\Macromedia -> [2008/02/02 16:24:33 | 000,000,000 | ---D | M]
lxcgserv.dll -> C:\WINDOWS\System32\lxcgserv.dll -> [2007/01/02 18:23:20 | 001,183,744 | ---- | C] ( )
lxcgusb1.dll -> C:\WINDOWS\System32\lxcgusb1.dll -> [2007/01/02 18:23:20 | 001,134,592 | ---- | C] ( )
lxcgprox.dll -> C:\WINDOWS\System32\lxcgprox.dll -> [2007/01/02 18:23:20 | 000,155,648 | ---- | C] ( )
lxcgpplc.dll -> C:\WINDOWS\System32\lxcgpplc.dll -> [2007/01/02 18:23:20 | 000,114,688 | ---- | C] ( )
lxcgcomc.dll -> C:\WINDOWS\System32\lxcgcomc.dll -> [2007/01/02 18:23:19 | 000,704,512 | ---- | C] ( )
lxcgcomm.dll -> C:\WINDOWS\System32\lxcgcomm.dll -> [2007/01/02 18:23:19 | 000,413,696 | ---- | C] ( )
lxcglmpm.dll -> C:\WINDOWS\System32\lxcglmpm.dll -> [2007/01/02 18:23:18 | 000,483,328 | ---- | C] ( )
Microsoft -> C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft -> [2006/12/23 15:01:45 | 000,000,000 | ---D | M]
McAfee.com Personal Firewall -> C:\Documents and Settings\LocalService\Application Data\McAfee.com Personal Firewall -> [2006/10/14 17:11:46 | 000,000,000 | ---D | M]
Microsoft -> C:\Documents and Settings\NetworkService\Application Data\Microsoft -> [2006/06/17 03:45:24 | 000,000,000 | --SD | M]
Microsoft -> C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft -> [2006/06/17 03:45:23 | 000,000,000 | ---D | M]
7 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp ->
1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp ->
1 C:\Documents and Settings\Owner.YOUR-99DDF15D27\*.tmp files -> C:\Documents and Settings\Owner.YOUR-99DDF15D27\*.tmp ->

[Files/Folders - Modified Within 14 Days]
wpa.dbl -> C:\WINDOWS\System32\wpa.dbl -> [2010/03/31 07:42:26 | 000,001,158 | ---- | M] ()
Status.MPF -> C:\WINDOWS\System32\Status.MPF -> [2010/03/31 07:41:49 | 000,257,312 | ---- | M] ()
Google Software Updater.job -> C:\WINDOWS\tasks\Google Software Updater.job -> [2010/03/31 07:40:41 | 000,000,868 | ---- | M] ()
SA.DAT -> C:\WINDOWS\tasks\SA.DAT -> [2010/03/31 07:40:17 | 000,000,006 | -H-- | M] ()
bootstat.dat -> C:\WINDOWS\bootstat.dat -> [2010/03/31 07:40:16 | 000,002,048 | --S- | M] ()
hiberfil.sys -> C:\hiberfil.sys -> [2010/03/31 07:40:14 | 400,195,584 | -HS- | M] ()
NTUSER.DAT -> C:\Documents and Settings\Owner.YOUR-99DDF15D27\NTUSER.DAT -> [2010/03/31 07:39:28 | 009,175,040 | -H-- | M] ()
mbam-setup.exe -> C:\Documents and Settings\Owner.YOUR-99DDF15D27\Desktop\mbam-setup.exe -> [2010/03/31 07:22:18 | 005,918,776 | ---- | M] (Malwarebytes Corporation                                    )
ntuser.ini -> C:\Documents and Settings\Owner.YOUR-99DDF15D27\ntuser.ini -> [2010/03/31 07:00:10 | 000,000,278 | -HS- | M] ()
system.ini -> C:\WINDOWS\system.ini -> [2010/03/31 06:49:27 | 000,000,282 | ---- | M] ()
ComboFix.exe -> C:\Documents and Settings\Owner.YOUR-99DDF15D27\Desktop\ComboFix.exe -> [2010/03/31 06:34:24 | 003,906,159 | R--- | M] ()
OTS.exe -> C:\Documents and Settings\Owner.YOUR-99DDF15D27\Desktop\OTS.exe -> [2010/03/30 18:03:35 | 000,637,440 | ---- | M] (OldTimer Tools)
hosts -> C:\WINDOWS\System32\drivers\etc\hosts -> [2010/03/30 15:58:22 | 000,000,027 | ---- | M] ()
boot.ini -> C:\boot.ini -> [2010/03/30 15:17:09 | 000,000,279 | RHS- | M] ()
mbamswissarmy.sys -> C:\WINDOWS\System32\drivers\mbamswissarmy.sys -> [2010/03/30 00:46:30 | 000,038,224 | ---- | M] (Malwarebytes Corporation)
mbam.sys -> C:\WINDOWS\System32\drivers\mbam.sys -> [2010/03/30 00:45:52 | 000,020,824 | ---- | M] (Malwarebytes Corporation)
IconCache.db -> C:\Documents and Settings\Owner.YOUR-99DDF15D27\Local Settings\Application Data\IconCache.db -> [2010/03/24 13:27:32 | 003,184,744 | -H-- | M] ()
SUPERAntiSpyware.exe -> C:\Documents and Settings\Owner.YOUR-99DDF15D27\Desktop\SUPERAntiSpyware.exe -> [2010/03/24 06:35:31 | 007,757,856 | ---- | M] ()
Flash_Disinfector.exe -> C:\Documents and Settings\Owner.YOUR-99DDF15D27\Desktop\Flash_Disinfector.exe -> [2010/03/24 05:42:37 | 000,132,597 | ---- | M] ()
DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini -> C:\Documents and Settings\Owner.YOUR-99DDF15D27\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini -> [2010/03/23 21:58:47 | 000,055,296 | ---- | M] ()
win.ini -> C:\WINDOWS\win.ini -> [2010/03/23 21:26:37 | 000,000,819 | ---- | M] ()
Boot.bak -> C:\Boot.bak -> [2010/03/23 21:26:37 | 000,000,209 | ---- | M] ()
rkill.com -> C:\Documents and Settings\Owner.YOUR-99DDF15D27\Desktop\rkill.com -> [2010/03/23 13:38:03 | 000,363,008 | ---- | M] ()
perfh009.dat -> C:\WINDOWS\System32\perfh009.dat -> [2010/03/17 20:26:05 | 000,409,540 | ---- | M] ()
perfc009.dat -> C:\WINDOWS\System32\perfc009.dat -> [2010/03/17 20:26:05 | 000,064,488 | ---- | M] ()
PerfStringBackup.INI -> C:\WINDOWS\System32\PerfStringBackup.INI -> [2010/03/17 20:26:04 | 000,482,110 | ---- | M] ()
7 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp ->
17 C:\Documents and Settings\Owner.YOUR-99DDF15D27\Local Settings\temp\*.tmp files -> C:\Documents and Settings\Owner.YOUR-99DDF15D27\Local Settings\temp\*.tmp ->
1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp ->
1 C:\Documents and Settings\Owner.YOUR-99DDF15D27\*.tmp files -> C:\Documents and Settings\Owner.YOUR-99DDF15D27\*.tmp ->

[Files - No Company Name]
ComboFix.exe -> C:\Documents and Settings\Owner.YOUR-99DDF15D27\Desktop\ComboFix.exe -> [2010/03/31 06:34:24 | 003,906,159 | R--- | C] ()
hiberfil.sys -> C:\hiberfil.sys -> [2010/03/30 15:31:41 | 400,195,584 | -HS- | C] ()
Boot.bak -> C:\Boot.bak -> [2010/03/30 15:17:09 | 000,000,209 | ---- | C] ()
cmldr -> C:\cmldr -> [2010/03/30 15:17:04 | 000,260,272 | ---- | C] ()
PEV.exe -> C:\WINDOWS\PEV.exe -> [2010/03/30 15:11:33 | 000,261,632 | ---- | C] ()
sed.exe -> C:\WINDOWS\sed.exe -> [2010/03/30 15:11:33 | 000,098,816 | ---- | C] ()
grep.exe -> C:\WINDOWS\grep.exe -> [2010/03/30 15:11:33 | 000,080,412 | ---- | C] ()
MBR.exe -> C:\WINDOWS\MBR.exe -> [2010/03/30 15:11:33 | 000,077,312 | ---- | C] ()
zip.exe -> C:\WINDOWS\zip.exe -> [2010/03/30 15:11:33 | 000,068,096 | ---- | C] ()
SUPERAntiSpyware.exe -> C:\Documents and Settings\Owner.YOUR-99DDF15D27\Desktop\SUPERAntiSpyware.exe -> [2010/03/24 06:35:31 | 007,757,856 | ---- | C] ()
Flash_Disinfector.exe -> C:\Documents and Settings\Owner.YOUR-99DDF15D27\Desktop\Flash_Disinfector.exe -> [2010/03/24 05:42:37 | 000,132,597 | ---- | C] ()
rkill.com -> C:\Documents and Settings\Owner.YOUR-99DDF15D27\Desktop\rkill.com -> [2010/03/23 13:38:03 | 000,363,008 | ---- | C] ()
nsh243.dll -> C:\WINDOWS\System32\nsh243.dll -> [2009/01/29 06:51:04 | 000,672,256 | ---- | C] ()
nsk226.dll -> C:\WINDOWS\System32\nsk226.dll -> [2008/12/30 05:23:50 | 000,682,496 | ---- | C] ()
nsr364.dll -> C:\WINDOWS\System32\nsr364.dll -> [2008/07/14 12:13:10 | 000,313,856 | ---- | C] ()
nso21D.dll -> C:\WINDOWS\System32\nso21D.dll -> [2008/07/14 12:04:08 | 000,313,856 | ---- | C] ()
nse2C1.dll -> C:\WINDOWS\System32\nse2C1.dll -> [2008/07/14 12:02:28 | 000,313,856 | ---- | C] ()
nsr50E.dll -> C:\WINDOWS\System32\nsr50E.dll -> [2008/07/14 10:07:38 | 000,313,856 | ---- | C] ()
MRT.INI -> C:\WINDOWS\System32\MRT.INI -> [2008/05/15 20:20:59 | 000,000,118 | ---- | C] ()
Nsvideo.dll -> C:\WINDOWS\System32\Nsvideo.dll -> [2007/12/22 21:39:51 | 000,122,880 | ---- | C] ()
infcpy.dll -> C:\WINDOWS\System32\infcpy.dll -> [2007/12/22 21:38:19 | 000,032,768 | R--- | C] ()
Tw561a.ini -> C:\WINDOWS\Tw561a.ini -> [2007/03/22 17:10:20 | 000,014,385 | ---- | C] ()
ap561.ini -> C:\WINDOWS\ap561.ini -> [2007/03/22 17:10:20 | 000,000,180 | ---- | C] ()
Setup8a.ini -> C:\WINDOWS\Setup8a.ini -> [2007/03/22 17:10:20 | 000,000,081 | ---- | C] ()
EZLiveMonitor2.0.INI -> C:\WINDOWS\EZLiveMonitor2.0.INI -> [2007/03/10 19:58:36 | 000,000,868 | ---- | C] ()
EZMediaBox2.ini -> C:\WINDOWS\EZMediaBox2.ini -> [2007/03/10 19:50:49 | 000,000,012 | ---- | C] ()
xvidcore.dll -> C:\WINDOWS\System32\xvidcore.dll -> [2007/03/10 19:49:13 | 000,679,936 | ---- | C] ()
xvidvfw.dll -> C:\WINDOWS\System32\xvidvfw.dll -> [2007/03/10 19:49:13 | 000,155,648 | ---- | C] ()
EZVMail3.ini -> C:\WINDOWS\EZVMail3.ini -> [2007/03/10 19:49:13 | 000,000,012 | ---- | C] ()
llbiirc.dll -> C:\WINDOWS\System32\llbiirc.dll -> [2007/02/02 22:19:15 | 000,000,038 | ---- | C] ()
LXPRMON.DLL -> C:\WINDOWS\System32\LXPRMON.DLL -> [2007/01/02 18:29:01 | 000,032,768 | ---- | C] ()
LXPMONUI.DLL -> C:\WINDOWS\System32\LXPMONUI.DLL -> [2007/01/02 18:29:01 | 000,020,480 | ---- | C] ()
lxcgvs.dll -> C:\WINDOWS\System32\lxcgvs.dll -> [2007/01/02 18:23:20 | 000,040,960 | ---- | C] ()
iPlayer.INI -> C:\WINDOWS\iPlayer.INI -> [2006/11/21 20:30:11 | 000,000,000 | ---- | C] ()
ActiveSkin.INI -> C:\WINDOWS\ActiveSkin.INI -> [2006/11/18 20:41:15 | 000,000,112 | ---- | C] ()
impborl.dll -> C:\WINDOWS\impborl.dll -> [2006/11/17 18:04:34 | 000,012,288 | ---- | C] ()
WININIT.INI -> C:\WINDOWS\WININIT.INI -> [2006/10/21 12:53:40 | 000,000,053 | ---- | C] ()
SETUP32.INI -> C:\WINDOWS\SETUP32.INI -> [2006/10/21 12:53:34 | 000,000,000 | ---- | C] ()
ODBC.INI -> C:\WINDOWS\ODBC.INI -> [2006/07/31 18:32:49 | 000,000,376 | ---- | C] ()
smscfg.ini -> C:\WINDOWS\smscfg.ini -> [2006/06/21 03:48:15 | 000,000,061 | ---- | C] ()
oeminfo.ini -> C:\WINDOWS\System32\oeminfo.ini -> [2006/06/17 03:24:58 | 000,001,436 | ---- | C] ()
emver.ini -> C:\WINDOWS\System32\emver.ini -> [2006/06/17 03:24:57 | 000,000,490 | ---- | C] ()
psisdecd.dll -> C:\WINDOWS\System32\psisdecd.dll -> [2005/08/05 22:01:54 | 000,235,008 | ---- | C] ()

[File - Lop Check]
ACD Systems -> C:\Documents and Settings\All Users\Application Data\ACD Systems -> [2008/05/01 18:39:02 | 000,000,000 | ---D | M]
Broderbund -> C:\Documents and Settings\All Users\Application Data\Broderbund -> [2007/01/26 18:09:45 | 000,000,000 | ---D | M]
CanonBJ -> C:\Documents and Settings\All Users\Application Data\CanonBJ -> [2006/10/14 18:01:57 | 000,000,000 | -H-D | M]
MinigolfAdventures -> C:\Documents and Settings\All Users\Application Data\MinigolfAdventures -> [2007/11/12 23:18:10 | 000,000,000 | ---D | M]
Napster -> C:\Documents and Settings\All Users\Application Data\Napster -> [2006/07/31 18:39:37 | 000,000,000 | ---D | M]
Newsoft -> C:\Documents and Settings\All Users\Application Data\Newsoft -> [2007/12/22 21:50:38 | 000,000,000 | ---D | M]
TEMP -> C:\Documents and Settings\All Users\Application Data\TEMP -> [2008/03/14 20:13:19 | 000,000,000 | ---D | M]
Viewpoint -> C:\Documents and Settings\All Users\Application Data\Viewpoint -> [2010/03/31 08:03:09 | 000,000,000 | ---D | M]
WildTangent -> C:\Documents and Settings\All Users\Application Data\WildTangent -> [2010/03/31 08:06:55 | 000,000,000 | ---D | M]
Atari -> C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\Atari -> [2006/11/28 19:33:41 | 000,000,000 | ---D | M]
GetRightToGo -> C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\GetRightToGo -> [2007/04/27 21:33:56 | 000,000,000 | ---D | M]
J River -> C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\J River -> [2007/02/02 22:19:48 | 000,000,000 | ---D | M]
LimeWire -> C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\LimeWire -> [2008/09/20 23:55:08 | 000,000,000 | ---D | M]
PlayFirst -> C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\PlayFirst -> [2006/10/26 22:19:32 | 000,000,000 | ---D | M]
Printer Info Cache -> C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\Printer Info Cache -> [2007/08/03 13:08:50 | 000,000,000 | ---D | M]
Publish Providers -> C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\Publish Providers -> [2008/08/06 15:47:47 | 000,000,000 | ---D | M]
SampleView -> C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\SampleView -> [2006/07/31 18:49:33 | 000,000,000 | ---D | M]
Sony -> C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\Sony -> [2008/08/06 15:45:53 | 000,000,000 | ---D | M]
Template -> C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\Template -> [2007/01/31 22:53:57 | 000,000,000 | ---D | M]
Viewpoint -> C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\Viewpoint -> [2007/12/05 22:24:26 | 000,000,000 | ---D | M]
Wal-Mart Digital Photo Manager -> C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\Wal-Mart Digital Photo Manager -> [2007/10/20 19:41:29 | 000,000,000 | ---D | M]
Wal-Mart Digital Photo Viewer -> C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\Wal-Mart Digital Photo Viewer -> [2007/10/20 19:41:22 | 000,000,000 | ---D | M]
ZangoToolbar -> C:\Documents and Settings\Owner.YOUR-99DDF15D27\Application Data\ZangoToolbar -> [2006/11/18 16:42:07 | 000,000,000 | ---D | M]

[File - Purity Scan]


[Alternate Data Streams]
@Alternate Data Stream - 117 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A11F741D
< End of report >


#9 Ltangelic (Angel Annihilator of Malware)

  • Members
  • 348 posts
  • Gender:Female
  • Location:Somewhere

Posted 02 April 2010 - 07:34 AM

Hey husky1954,

QUOTE
12. I noticed that WildTangent and Viewpoint still have entries under documents and settings. Should I delete them?
13. Internet Explorer is still trying to connect to 65.55.17.27. I don't know what IP location this is. I would like to get rid
of it. Did the same as #7 above to get into bleepingcomputer.com.
14. I would like to do a defrag if it is ok.


Yes, please delete the leftover entries. I'll remove the redirect infection in my next post, don't worry. Yes, go ahead and defrag, just don't remove/fix files/registry entries without seeking my advice.

Let's proceed.

Please follow my instructions in the order they were given, and print out a copy of it as you may not have access to the forums during the fix.

Before we go on to run the tools, it would be advisable to temporarily disable your protection software(s) (McAfee) as it/they may hinder the tools from running. Instructions are in the link below:

http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

1) Run CFScript

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

CODE
Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"SearchMigratedDefaultUrl"=-
"SearchMigratedDefaultName"=-


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



5. After reboot, (in case it asks to reboot), please post the following report/log into your next reply:
  • Combofix.txt .

2) Upload files for analysis

To enable the viewing of Hidden files follow these steps:
  • Close all programs so that you are at your desktop.
  • Double-click on the My Computer icon.
  • Select the Tools menu and click Folder Options.
  • After the new window appears select the View tab.
  • Put a checkmark in the checkbox labeled Display the contents of system folders.
  • Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
  • Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
  • Remove the checkmark from the checkbox labeled Hide protected operating system files.
  • Press the Apply button and then the OK button and close My Computer.
  • Now your computer is configured to show all hidden files.
NEXT

Please visit the online Jotti Virus Scanner.
  • Copy and paste the following filepath in the box:

    c:\program files\RngInterstitial.dll
  • Click on the button.
    The scanner will check the file with various AV companies.
  • Copy and paste the results box into a reply to this thread.
  • Please do the same for the following files:
    1. C:\WINDOWS\System32\nsh243.dll
    2. C:\WINDOWS\System32\nsk226.dll
    3. C:\WINDOWS\System32\nsr364.dll
    4. C:\WINDOWS\System32\nso21D.dll
    5. C:\WINDOWS\System32\nse2C1.dll
    6. C:\WINDOWS\System32\nsr50E.dll
    7. C:\WINDOWS\System32\jdxah.dll

Next reply (please include in your post):

Tell me how your computer is doing
ComboFix.txt
8 Virscan reports

Bleepingcomputer Malware Response Team

Please do NOT PM anyone with HJT logs, read this and post your logs here.


#10 husky1954 (Topic Starter)

  • Members
  • 41 posts
  • Gender:Male
  • Location:Eagle, CO

Posted 02 April 2010 - 02:44 PM

1. Booted in normal windows.
2. Deleted entries under Documents and Settings for Limewire, Wildtangent and Viewpoint.
3. Ran defrag.
4. Created CFScript.txt and dragged it to Combofix.
5. Combofix started, created a restore point, started scanning, finished and created a log report.
6. Reset folders options to display hidden files and folders.
7. Scanned the eight files you requested with Jotti Virus Scanner.


The computer is booting up every time now. When we started it would only boot one out of five times without locking up.
I am having a problem with Internet explorer. It tries to go to 65.55.17.26 or 65.55.17.25 and then locks up. I can stop this by unplugging the internet cable, starting IE and then plugging the cable back in. I found out that I can start IE with no add-ons from System Tools with no problems. About 80 GB of disk space have been freed up. This is why I wanted to do the defrag. Other than that I can't tell you much. This is not my computer, I am fixing it for someone else. I will try to test some things out.

Husky


Filename: RngInterstitial.dll
Status: Scan finished. 0 out of 21 scanners reported malware.
Scan taken on: Fri 23 Oct 2009 05:35:42 (CET)

Filename: nsh243.dll
Status: Scan finished. 10 out of 20 scanners reported malware.
Scan taken on: Fri 2 Apr 2010 20:35:07 (CET) Permalink
2010-04-02 Variant:Adware.Ezula.Acb 2010-04-02 Found nothing
2010-04-02 Virus.Win32.BHO!IK 2010-04-02 Gen:Adware.Heur.Pu8@rXBd0mei
2010-04-02 Win32:BHO-VX 2010-04-02 Virus.Win32.BHO
2010-04-02 Found nothing 2010-04-02 Found nothing
2010-04-02 TR/BHO.tko 2010-04-02 Win32/Adware.GooochiBiz
2010-04-02 Found nothing 2010-04-02 Found nothing
2010-04-02 Trojan.BHO-4561 2010-04-02 Found nothing
2010-04-02 Found nothing 2010-04-02 Mal/ZlobDLL-A
2010-04-02 Found nothing 2010-04-01 Found nothing
2010-04-01 W32/AdAgent.Y.gen!Eldorado 2010-04-02 Found nothing

Filename: nsk226.dll
Status: Scan finished. 15 out of 20 scanners reported malware.
Scan taken on: Fri 2 Apr 2010 20:42:58 (CET) Permalink

2010-04-02 Found nothing 2010-04-02 not-a-virus:AdWare.Win32.Cinmus.avxx
2010-04-02 Virus.Win32.BHO!IK 2010-04-02 Gen:Adware.Heur.Pu8@Wn6az8mib
2010-04-02 Win32:BHO-VX 2010-04-02 Virus.Win32.BHO
2010-04-02 Adload_r.GO 2010-04-02 not-a-virus:AdWare.Win32.Cinmus.avxx
2010-04-02 TR/BHO.684544 2010-04-02 Win32/Adware.GooochiBiz
2010-04-02 Found nothing 2010-04-02 Found nothing
2010-04-02 Trojan.BHO-4399 2010-04-02 AdWare.Cinmus.avxx (Not a Virus)
2010-04-02 Troj.Clicker.W32.BHO.H 2010-04-02 Found nothing
2010-04-02 Found nothing 2010-04-01 AdWare.Win32.Cinmus.avxx
2010-04-01 W32/AdAgent.Y.gen!Eldorado 2010-04-02 Trojan.BHO.UUB

Filename: nsr364.dll
Status: Scan finished. 16 out of 20 scanners reported malware.
Scan taken on: Fri 2 Apr 2010 20:49:40 (CET) Permalink

2010-04-02 Found nothing 2010-04-02 Adware:W32/AdRotator.gen!A
2010-04-02 Trojan.BHO.czo!IK 2010-04-02 Trojan.Generic.968881
2010-04-02 Win32:BHO-SD 2010-04-02 Trojan.BHO.czo
2010-04-02 Adload_r.CK 2010-04-02 Trojan-Downloader.Win32.Adload.cbo
2010-04-02 TR/BHO.czo 2010-04-02 Win32/Adware.AdzgaloreBiz
2010-04-02 Found nothing 2010-04-02 Found nothing
2010-04-02 Trojan.BHO-3773 2010-04-02 Found nothing
2010-04-02 Troj.Clicker.W32.BHO.H 2010-04-02 Mal/Cinmus-D
2010-04-02 Adware.Bho.61 2010-04-01 Trojan-Downloader.Win32.Adload.bom
2010-04-01 W32/BadBHO.F.gen!Eldorado 2010-04-02 Adware.Adrotator.Gen.2

Filename: nso21D.dll
Status: Scan finished. 16 out of 20 scanners reported malware.
Scan taken on: Fri 2 Apr 2010 20:56:54 (CET) Permalink

2010-04-02 Found nothing 2010-04-02 Adware:W32/AdRotator.gen!A
2010-04-02 Trojan.BHO.czo!IK 2010-04-02 Trojan.Generic.743741
2010-04-02 Win32:BHO-SD 2010-04-02 Trojan.BHO.czo
2010-04-02 Adload_r.CK 2010-04-02 Trojan-Downloader.Win32.Adload.byl
2010-04-02 TR/BHO.czo 2010-04-02 Win32/Adware.AdzgaloreBiz
2010-04-02 Found nothing 2010-04-02 Found nothing
2010-04-02 Trojan.BHO-3773 2010-04-02 Found nothing
2010-04-02 Troj.Clicker.W32.BHO.H 2010-04-02 Mal/Cinmus-D
2010-04-02 Adware.Bho.61 2010-04-01 Trojan-Downloader.Win32.Adload.bom
2010-04-01 W32/BadBHO.F.gen!Eldorado 2010-04-02 Adware.Adrotator.Gen.2

Filename: nse2C1.dll
Status: Scan finished. 16 out of 20 scanners reported malware.
Scan taken on: Fri 2 Apr 2010 21:00:27 (CET) Permalink

2010-04-02 Found nothing 2010-04-02 Adware:W32/AdRotator.gen!A
2010-04-02 Trojan.BHO.czo!IK 2010-04-02 Trojan.Generic.1115123
2010-04-02 Win32:BHO-SD 2010-04-02 Trojan.BHO.czo
2010-04-02 Adload_r.CK 2010-04-02 Trojan-Downloader.Win32.Adload.dnh
2010-04-02 TR/BHO.czo 2010-04-02 Win32/Adware.AdzgaloreBiz
2010-04-02 Found nothing 2010-04-02 Found nothing
2010-04-02 Trojan.BHO-3773 2010-04-02 Found nothing
2010-04-02 Troj.Clicker.W32.BHO.H 2010-04-02 Mal/Cinmus-D
2010-04-02 Adware.Bho.61 2010-04-01 Trojan-Downloader.Win32.Adload.bom
2010-04-01 W32/BadBHO.F.gen!Eldorado 2010-04-02 Adware.Adrotator.Gen.2

Filename: nsr50E.dll
Status: Scan finished. 15 out of 20 scanners reported malware.
Scan taken on: Fri 2 Apr 2010 21:03:53 (CET) Permalink

2010-04-02 Found nothing 2010-04-02 Adware:W32/AdRotator.gen!A
2010-04-02 Trojan.BHO.czo!IK 2010-04-02 Trojan.Generic.1047933
2010-04-02 Win32:BHO-SD 2010-04-02 Trojan.BHO.czo
2010-04-02 Adload_r.CK 2010-04-02 Trojan-Downloader.Win32.Adload.ewo
2010-04-02 TR/BHO.czo 2010-04-02 Win32/Adware.AdzgaloreBiz
2010-04-02 Found nothing 2010-04-02 Found nothing
2010-04-02 Trojan.BHO-3773 2010-04-02 Found nothing
2010-04-02 Found nothing 2010-04-02 Mal/Cinmus-D
2010-04-02 Adware.Bho.61 2010-04-01 Trojan-Downloader.Win32.Adload.bom
2010-04-01 W32/BadBHO.F.gen!Eldorado 2010-04-02 Adware.Adrotator.Gen.2

File to scan: C:\WINDOWS\System32\jdxah.dll

Status: File is empty (0 bytes)!



#11 Ltangelic (Angel Annihilator of Malware)

  • Members
  • 348 posts
  • Gender:Female
  • Location:Somewhere

Posted 03 April 2010 - 05:18 AM

Hey husky1954,

QUOTE
I am having a problem with Internet explorer. It tries to go to 65.55.17.26 or 65.55.17.25 and then locks up. I can stop this by unplugging the internet cable, starting IE and then plugging the cable back in. I found out that I can start IE with no add-ons from System Tools with no problems.


65.66.17.26 seems legit as it points to Microsoft, so not sure why you are being redirected. We'll do more scans to see what's going on. Your logs look much better now.

Please follow my instructions in the order they were given, and print out a copy of it as you may not have access to the forums during the fix.

Before we go on to run the tools, it would be advisable to temporarily disable your protection software(s) (McAfee) as it/they may hinder the tools from running. Instructions are in the link below:

http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

1) Run OTM

Please download the OTM by OldTimer.
  • Save it to your desktop.
  • Please double-click OTM.exe to run it. (Vista users, please right click on OTM.exe and select "Run as an Administrator")
  • Copy everything in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    CODE
    :Files
    C:\WINDOWS\System32\nsh243.dll
    C:\WINDOWS\System32\nsk226.dll
    C:\WINDOWS\System32\nsr364.dll
    C:\WINDOWS\System32\nso21D.dll
    C:\WINDOWS\System32\nse2C1.dll
    C:\WINDOWS\System32\nsr50E.dll
    C:\WINDOWS\System32\jdxah.dll

    :Reg
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000000
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000000      
    :Commands
    [purity]
    [emptytemp]
    [reboot]

  • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the "Results" window (under the Green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM and reboot your computer.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

2) Uninstall ComboFix
  • Click START then RUN
  • Now type ComboFix /uninstall in the runbox and click OK. Note the space between the x and the /, it needs to be there.
3) Run DrWeb CureIt

Download Dr.Web CureIt to the desktop.
  • Double-click the drweb-cureit.exe file, then on Start and allow it to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, choose the Complete Scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look and see if you can click the following icon next to the files found:
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
  • This will move it to the %userprofile%\DoctorWeb\quarantine folder if it can't be cured. (This is in case we need samples.)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer to allow files that were in use to be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply along with a new OTL log.
NOTE: During the scan, a pop-up window will open asking for full version purchase. Simply close the window by clicking on X in upper right corner.

4) Re-run ComboFix

Download ComboFix from one of the locations below, and save it to your Desktop.
Link 1
Link 2
Link 3
Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.
When finished, it shall produce a log for you. Post that log in your next reply.
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.

5) Run MBR and Rooter

Please download MBR.exe to your desktop. Double-click on it and it will produce a log on desktop (mbr.log). Please post the log in your next reply.

THEN

Please download Rooter.exe and save it to your desktop
  • Double-click it to start the tool. If you are using Vista, please right-click and choose Run As Administrator...
  • Allow it to run when you get a Security Warning.
  • At the main control page, please click the green button.
  • It will now begin to scan, please be patient. The scan should not take more than 3 minutes
  • A Notepad file containing the report will open soon. It can also be found at %systemdrive%\Rooter$\Rooter_1.txt
  • Now push the button to close Rooter.
  • Please post the contents of that log file here in your next reply.

Next reply (please include in your post):

OTM.txt
DrWeb CureIt scan log
ComboFix.txt
MBR.txt
Rooter_1.txt



#12 husky1954 (Topic Starter)

  • Members
  • 41 posts
  • Gender:Male
  • Location:Eagle, CO

Posted 04 April 2010 - 12:08 AM

1. Booted to normal windows.
2. Disabled McAfee virus scan and firewall.
3. Downloaded OTM.
4. Pasted instructions and clicked Moveit.
5. OTM required a reboot.
6. Disabled McAfee virus scan and firewall.
7. Uninstalled ComboFix.
8. I tried internet explorer. It did not lockup and connected to www.msn.com. IE connected quickly. This is a big improvement.
9. Downloaded and ran Dr. Web express scan.
10. Ran Dr Web complete scan. When the scan finished I could not find the icon you have depicted. I clicked "Select All" then "Cure". A menu popped up with an option for "Move incurable". I clicked it. Closed Dr Web and rebooted.
11. Disabled McAfee virus scan and firewall.
12. Downloaded and ran ComboFix. CF rebooted.
13. Disabled McAfee virus scan and firewall.
14. Downloaded and ran MBR.
15. Downloaded and ran Rooter.

Everything appears to be running well. I am surprised that we are still finding Trojan virus at this time.
This computer was extremely compromised. I have informed the owner to change their credit card number.
DrWeb cureIt scan log:
AntiSpywareShieldSetup.exe;C:\Documents and Settings\Owner.YOUR-99DDF15D27\My Documents\Downloads\resources;Trojan.DownLoader.51055;Deleted.;
installer_en.exe;C:\Documents and Settings\Owner.YOUR-99DDF15D27\My Documents\Downloads\resources;Trojan.DownLoader.36408;Deleted.;
MavisBeacon16-dm.exe;C:\Documents and Settings\Owner.YOUR-99DDF15D27\My Documents\Downloads\resources;Adware.TryMedia;Incurable.Moved.;
WinSpyKillerSetup.exe;C:\Documents and Settings\Owner.YOUR-99DDF15D27\My Documents\Downloads\resources;Adware.Spysheriff;Incurable.Moved.;
Preview-T-2368521-grupo extremo norte 192kb.mp3;C:\Documents and Settings\Owner.YOUR-99DDF15D27\My Documents\Incomplete;Trojan.WMALoader;Cured.;
T-2368521-grupo extremo norte 192kb.mp3;C:\Documents and Settings\Owner.YOUR-99DDF15D27\My Documents\Incomplete;Trojan.WMALoader;Cured.;
T-3545425-extremo norte.mp3;C:\Documents and Settings\Owner.YOUR-99DDF15D27\My Documents\Incomplete;Trojan.WMALoader;Cured.;
roller coaster tycoon 3 soaked crack.exe\data022;C:\Documents and Settings\Owner.YOUR-99DDF15D27\My Documents\Music from Ares\roller coaster tycoon 3 soaked crack.exe;Program.PsKill.101;;
roller coaster tycoon 3 soaked crack.exe\data025;C:\Documents and Settings\Owner.YOUR-99DDF15D27\My Documents\Music from Ares\roller coaster tycoon 3 soaked crack.exe;Exploit.MS03-043;;
roller coaster tycoon 3 soaked crack.exe\data026;C:\Documents and Settings\Owner.YOUR-99DDF15D27\My Documents\Music from Ares\roller coaster tycoon 3 soaked crack.exe;Tool.ProcessKill.18;;
roller coaster tycoon 3 soaked crack.exe\data029;C:\Documents and Settings\Owner.YOUR-99DDF15D27\My Documents\Music from Ares\roller coaster tycoon 3 soaked crack.exe;Trojan.Isbar;;
roller coaster tycoon 3 soaked crack.exe\data030;C:\Documents and Settings\Owner.YOUR-99DDF15D27\My Documents\Music from Ares\roller coaster tycoon 3 soaked crack.exe;Trojan.DownLoader.3385;;
roller coaster tycoon 3 soaked crack.exe\data031;C:\Documents and Settings\Owner.YOUR-99DDF15D27\My Documents\Music from Ares\roller coaster tycoon 3 soaked crack.exe;Trojan.Isbar;;
roller coaster tycoon 3 soaked crack.exe;C:\Documents and Settings\Owner.YOUR-99DDF15D27\My Documents\Music from Ares;Container contains infected objects;Moved.;
Fats Waller - (Oh Susannah) Dust off that old pianna.mp3;C:\Documents and Settings\Owner.YOUR-99DDF15D27\My Documents\Music from LimeWire;Trojan.WMALoader;Cured.;
grupo extenso.mp3;C:\Documents and Settings\Owner.YOUR-99DDF15D27\My Documents\Music from LimeWire;Trojan.WMALoader;Cured.;
aoltsmon.dll;c:\program files\common files\aol\topspeed\2.0;Probably DLOADER.Trojan;Incurable.Moved.;
Flash_Disinfector.exe/data002\nircmd.exe;C:\Documents and Settings\Owner.YOUR-99DDF15D27\Desktop\Flash_Disinfector.exe/data002;Tool.NirCmd.1;;
data002;C:\Documents and Settings\Owner.YOUR-99DDF15D27\Desktop;Archive contains infected objects;;
Flash_Disinfector.exe;C:\Documents and Settings\Owner.YOUR-99DDF15D27\Desktop;Container contains infected objects;Moved.;
MavisBeacon16-dm.exe;C:\Documents and Settings\Owner.YOUR-99DDF15D27\My Documents\Downloads\resources;Adware.TryMedia;Invalid path to file ;
WinSpyKillerSetup.exe;C:\Documents and Settings\Owner.YOUR-99DDF15D27\My Documents\Downloads\resources;Adware.Spysheriff;Invalid path to file ;
aoltsmon.dll;C:\Program Files\Common Files\AOL\TopSpeed\2.0;Probably DLOADER.Trojan;Invalid path to file ;
GTDownAO_106.ocx;C:\Program Files\Common Files\AolCoach\en_en;Adware.Gdown;Incurable.Moved.;
nse2C1.dll;C:\_OTM\MovedFiles\04032010_075803\C_WINDOWS\System32;Adware.Bho.61;Incurable.Moved.;
nso21D.dll;C:\_OTM\MovedFiles\04032010_075803\C_WINDOWS\System32;Adware.Bho.61;Incurable.Moved.;
nsr364.dll;C:\_OTM\MovedFiles\04032010_075803\C_WINDOWS\System32;Adware.Bho.61;Incurable.Moved.;
nsr50E.dll;C:\_OTM\MovedFiles\04032010_075803\C_WINDOWS\System32;Adware.Bho.61;Incurable.Moved.;
aolcinst.exe\core.cab\GTDOWNAO_106.ocx;D:\i386\Apps\App17981\comps\coach\aolcinst.exe;Adware.Gdown;;
aolcinst.exe;D:\i386\Apps\App17981\comps\coach;Archive contains infected objects;Moved.;
tssetup.exe\aoltsmon.dll;D:\i386\Apps\App17981\comps\tpspd\tssetup.exe;Probably DLOADER.Trojan;;
tssetup.exe;D:\i386\Apps\App17981\comps\tpspd;Archive contains infected objects;Moved.;
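The Dr.Web report above is semicolon-separated (name;directory;detection;action;), and objects found inside an archive or installer carry an empty action because the action is logged on the container's own line. The following is an added example, not code from the thread or from Dr.Web, that parses that format, resolves each archive member to the action taken on its container (how the nested paths are matched is this example's assumption), and summarises what was deleted, cured, quarantined or only re-reported on a second pass; the sample lines are a trimmed copy of the log above.

```python
"""Summarise a Dr.Web CureIt report (DrWeb.csv) of the kind pasted above.

Added example, not code from the thread or from Dr.Web.  Each report line is
semicolon separated:  name;directory;detection;action;  (trailing ';').
An object found inside a container (archive, installer) is logged with an
empty action; the container's own line records what was done with the file.
How the nested paths are resolved here is this example's assumption.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample lines copied from the Dr.Web log in the post above (trimmed to a
# representative subset; the 'Invalid path to file' line is a second-pass
# report on a file that had already been moved).
SAMPLE_LOG = r"""
AntiSpywareShieldSetup.exe;C:\Documents and Settings\Owner.YOUR-99DDF15D27\My Documents\Downloads\resources;Trojan.DownLoader.51055;Deleted.;
WinSpyKillerSetup.exe;C:\Documents and Settings\Owner.YOUR-99DDF15D27\My Documents\Downloads\resources;Adware.Spysheriff;Incurable.Moved.;
T-3545425-extremo norte.mp3;C:\Documents and Settings\Owner.YOUR-99DDF15D27\My Documents\Incomplete;Trojan.WMALoader;Cured.;
roller coaster tycoon 3 soaked crack.exe\data025;C:\Documents and Settings\Owner.YOUR-99DDF15D27\My Documents\Music from Ares\roller coaster tycoon 3 soaked crack.exe;Exploit.MS03-043;;
roller coaster tycoon 3 soaked crack.exe\data029;C:\Documents and Settings\Owner.YOUR-99DDF15D27\My Documents\Music from Ares\roller coaster tycoon 3 soaked crack.exe;Trojan.Isbar;;
roller coaster tycoon 3 soaked crack.exe;C:\Documents and Settings\Owner.YOUR-99DDF15D27\My Documents\Music from Ares;Container contains infected objects;Moved.;
aoltsmon.dll;c:\program files\common files\aol\topspeed\2.0;Probably DLOADER.Trojan;Incurable.Moved.;
Flash_Disinfector.exe/data002\nircmd.exe;C:\Documents and Settings\Owner.YOUR-99DDF15D27\Desktop\Flash_Disinfector.exe/data002;Tool.NirCmd.1;;
Flash_Disinfector.exe;C:\Documents and Settings\Owner.YOUR-99DDF15D27\Desktop;Container contains infected objects;Moved.;
WinSpyKillerSetup.exe;C:\Documents and Settings\Owner.YOUR-99DDF15D27\My Documents\Downloads\resources;Adware.Spysheriff;Invalid path to file ;
nse2C1.dll;C:\_OTM\MovedFiles\04032010_075803\C_WINDOWS\System32;Adware.Bho.61;Incurable.Moved.;
"""


@dataclass
class Entry:
    name: str
    directory: str
    detection: str
    action: str  # "" when the object sits inside a container

    @property
    def path(self) -> str:
        return self.directory + "\\" + self.name


def parse_drweb(text: str) -> List[Entry]:
    """Parse the semicolon-separated report into Entry records."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(";")]
        if len(fields) < 4:
            raise ValueError(f"unexpected Dr.Web report line: {line!r}")
        name, directory, detection, action = fields[:4]
        # Normalise "Deleted." / "Incurable.Moved." to a bare action keyword.
        entries.append(Entry(name, directory, detection, action.rstrip(".")))
    return entries


def _parent(path: str) -> Optional[str]:
    """Drop the last path component; Dr.Web joins archive members with '/' or '\\'."""
    cut = max(path.rfind("\\"), path.rfind("/"))
    return path[:cut] if cut > 0 else None


def resolve_action(entry: Entry, index: Dict[str, Entry]) -> Optional[str]:
    """Action applied to `entry`, or to the outermost container holding it."""
    if entry.action:
        return entry.action
    candidate: Optional[str] = entry.directory
    while candidate:
        holder = index.get(candidate.lower())
        if holder is not None and holder.action:
            return holder.action
        candidate = _parent(candidate)
    return None  # member whose container never got an action line


def summarize(entries: List[Entry]) -> Dict[str, object]:
    """Count outcomes and pull out the items a helper would look at next."""
    index: Dict[str, Entry] = {}
    for e in entries:
        index.setdefault(e.path.lower(), e)  # first report of a path wins
    outcomes: Counter = Counter()
    unresolved: List[str] = []
    heuristic: List[str] = []    # "Probably ..." verdicts deserve a second opinion
    quarantined: List[str] = []  # samples kept in the DoctorWeb quarantine folder
    for e in entries:
        action = resolve_action(e, index)
        if action is None:
            unresolved.append(e.path)
        outcomes[action or "unresolved"] += 1
        if e.detection.startswith("Probably"):
            heuristic.append(e.path)
        if e.action == "Incurable.Moved":
            quarantined.append(e.name)
    return {
        "outcomes": dict(outcomes),
        "unresolved": unresolved,
        "heuristic": heuristic,
        "quarantined": quarantined,
    }


if __name__ == "__main__":
    report = summarize(parse_drweb(SAMPLE_LOG))
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the sample, the two crack.exe members and the nircmd.exe member resolve to "Moved" through their containers, and the repeated WinSpyKillerSetup.exe line is counted under "Invalid path to file" rather than as a second infection.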



#13 Ltangelic (Angel Annihilator of Malware)

  • Members
  • 348 posts
  • Gender:Female
  • Location:Somewhere

Posted 04 April 2010 - 03:03 AM

Hey husky1954,

Glad to hear that the computer is no longer being redirected.

Important: It seems that there are cracks running on your computer. Please be aware that it is both illegal and dangerous to have cracks as many malwares are bundled with them, and this can compromise a computer's security. Please refrain from downloading cracks in the future.

Please follow my instructions in the order they were given, and print out a copy of it as you may not have access to the forums during the fix.

Before we go on to run the tools, it would be advisable to temporarily disable your protection software(s) (McAfee) as it/they may hinder the tools from running. Instructions are in the link below:

http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

1) Run TDSSkiller
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file on here.

2) Run Kaspersky Webscanner

Kaspersky online scanner uses JAVA technology to perform the scan. If you do not have the latest JAVA version, follow the instructions below under Upgrading Java, to download and install the latest version.

Upgrading Java:
  • Download the latest version of Java SE Runtime Environment (JRE) JRE 6 Update 19.
  • Click the "Download JRE" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6u19 with JavaFX 1 License Agreement".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u19-windows-i586.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Make sure the C:\Program Files\JAVA folder is removed.
  • Then from your desktop double-click on the download to install the newest version.(Vista users, right click on the jre-6u19-windows-i586.exe and select "Run as an Administrator.")

THEN

Please do an online scan with Kaspersky WebScanner
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure the following is checked.
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.

Next reply (please include in your post):

OTS.txt (Please re-run OTS)
TDSSkiller log
Kaspersky scan log



#14 husky1954 (Topic Starter)

  • Members
  • 41 posts
  • Gender:Male
  • Location:Eagle, CO

Posted 04 April 2010 - 10:54 AM

1. Disabled McAfee virus scan and firewall.
2. Clicked on Internet Explorer and it locked up. I killed the task and tried again. This time IE connected.
3. Downloaded and extracted TDSSkiller.exe.
4. Ran TDSSkiller.
5. Downloaded JRE 6 Update 19. While uninstalling J2SE 5 update 10 I got a message "Fatal error during installation." The only option is to click OK. All programs were closed when I tried this.
6. IE locked up again.

Should I Install the new JRE version and keep going?

Husky

TDSSkiller.txt
08:26:40:343 3628 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
08:26:40:343 3628 ================================================================================
08:26:40:343 3628 SystemInfo:

08:26:40:343 3628 OS Version: 5.1.2600 ServicePack: 2.0
08:26:40:343 3628 Product type: Workstation
08:26:40:343 3628 ComputerName: YOUR-99DDF15D27
08:26:40:359 3628 UserName: Owner
08:26:40:359 3628 Windows directory: C:\WINDOWS
08:26:40:359 3628 Processor architecture: Intel x86
08:26:40:359 3628 Number of processors: 2
08:26:40:359 3628 Page size: 0x1000
08:26:40:359 3628 Boot type: Normal boot
08:26:40:359 3628 ================================================================================
08:26:40:359 3628 UnloadDriverW: NtUnloadDriver error 2
08:26:40:359 3628 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
08:26:40:500 3628 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
08:26:40:500 3628 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
08:26:40:500 3628 wfopen_ex: Trying to KLMD file open
08:26:40:500 3628 wfopen_ex: File opened ok (Flags 2)
08:26:40:500 3628 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
08:26:40:500 3628 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
08:26:40:500 3628 wfopen_ex: Trying to KLMD file open
08:26:40:500 3628 wfopen_ex: File opened ok (Flags 2)
08:26:40:500 3628 Initialize success
08:26:40:500 3628
08:26:40:500 3628 Scanning Services ...
08:26:40:890 3628 Raw services enum returned 356 services
08:26:40:953 3628
08:26:40:953 3628 Scanning Kernel memory ...
08:26:40:953 3628 Devices to scan: 11
08:26:40:953 3628
08:26:40:953 3628 Driver Name: Disk
08:26:40:953 3628 IRP_MJ_CREATE : F7716C30
08:26:40:953 3628 IRP_MJ_CREATE_NAMED_PIPE : 804F4544
08:26:40:953 3628 IRP_MJ_CLOSE : F7716C30
08:26:40:953 3628 IRP_MJ_READ : F7710D9B
08:26:40:953 3628 IRP_MJ_WRITE : F7710D9B
08:26:40:953 3628 IRP_MJ_QUERY_INFORMATION : 804F4544
08:26:40:953 3628 IRP_MJ_SET_INFORMATION : 804F4544
08:26:40:953 3628 IRP_MJ_QUERY_EA : 804F4544
08:26:40:953 3628 IRP_MJ_SET_EA : 804F4544
08:26:40:953 3628 IRP_MJ_FLUSH_BUFFERS : F7711366
08:26:40:953 3628 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4544
08:26:40:953 3628 IRP_MJ_SET_VOLUME_INFORMATION : 804F4544
08:26:40:953 3628 IRP_MJ_DIRECTORY_CONTROL : 804F4544
08:26:40:953 3628 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4544
08:26:40:953 3628 IRP_MJ_DEVICE_CONTROL : F771144D
08:26:40:953 3628 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7714FC3
08:26:40:953 3628 IRP_MJ_SHUTDOWN : F7711366
08:26:40:953 3628 IRP_MJ_LOCK_CONTROL : 804F4544
08:26:40:953 3628 IRP_MJ_CLEANUP : 804F4544
08:26:40:953 3628 IRP_MJ_CREATE_MAILSLOT : 804F4544
08:26:40:953 3628 IRP_MJ_QUERY_SECURITY : 804F4544
08:26:40:953 3628 IRP_MJ_SET_SECURITY : 804F4544
08:26:40:953 3628 IRP_MJ_POWER : F7712EF3
08:26:40:953 3628 IRP_MJ_SYSTEM_CONTROL : F7717A24
08:26:40:953 3628 IRP_MJ_DEVICE_CHANGE : 804F4544
08:26:40:953 3628 IRP_MJ_QUERY_QUOTA : 804F4544
08:26:40:953 3628 IRP_MJ_SET_QUOTA : 804F4544
08:26:41:000 3628 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
08:26:41:000 3628
08:26:41:000 3628 Driver Name: Disk
08:26:41:000 3628 IRP_MJ_CREATE : F7716C30
08:26:41:000 3628 IRP_MJ_CREATE_NAMED_PIPE : 804F4544
08:26:41:000 3628 IRP_MJ_CLOSE : F7716C30
08:26:41:000 3628 IRP_MJ_READ : F7710D9B
08:26:41:000 3628 IRP_MJ_WRITE : F7710D9B
08:26:41:000 3628 IRP_MJ_QUERY_INFORMATION : 804F4544
08:26:41:000 3628 IRP_MJ_SET_INFORMATION : 804F4544
08:26:41:000 3628 IRP_MJ_QUERY_EA : 804F4544
08:26:41:000 3628 IRP_MJ_SET_EA : 804F4544
08:26:41:000 3628 IRP_MJ_FLUSH_BUFFERS : F7711366
08:26:41:000 3628 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4544
08:26:41:000 3628 IRP_MJ_SET_VOLUME_INFORMATION : 804F4544
08:26:41:000 3628 IRP_MJ_DIRECTORY_CONTROL : 804F4544
08:26:41:000 3628 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4544
08:26:41:000 3628 IRP_MJ_DEVICE_CONTROL : F771144D
08:26:41:000 3628 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7714FC3
08:26:41:000 3628 IRP_MJ_SHUTDOWN : F7711366
08:26:41:000 3628 IRP_MJ_LOCK_CONTROL : 804F4544
08:26:41:000 3628 IRP_MJ_CLEANUP : 804F4544
08:26:41:000 3628 IRP_MJ_CREATE_MAILSLOT : 804F4544
08:26:41:000 3628 IRP_MJ_QUERY_SECURITY : 804F4544
08:26:41:000 3628 IRP_MJ_SET_SECURITY : 804F4544
08:26:41:000 3628 IRP_MJ_POWER : F7712EF3
08:26:41:000 3628 IRP_MJ_SYSTEM_CONTROL : F7717A24
08:26:41:000 3628 IRP_MJ_DEVICE_CHANGE : 804F4544
08:26:41:000 3628 IRP_MJ_QUERY_QUOTA : 804F4544
08:26:41:000 3628 IRP_MJ_SET_QUOTA : 804F4544
08:26:41:031 3628 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
08:26:41:031 3628
08:26:41:031 3628 Driver Name: Disk
08:26:41:031 3628 IRP_MJ_CREATE : F7716C30
08:26:41:031 3628 IRP_MJ_CREATE_NAMED_PIPE : 804F4544
08:26:41:031 3628 IRP_MJ_CLOSE : F7716C30
08:26:41:031 3628 IRP_MJ_READ : F7710D9B
08:26:41:031 3628 IRP_MJ_WRITE : F7710D9B
08:26:41:031 3628 IRP_MJ_QUERY_INFORMATION : 804F4544
08:26:41:031 3628 IRP_MJ_SET_INFORMATION : 804F4544
08:26:41:031 3628 IRP_MJ_QUERY_EA : 804F4544
08:26:41:031 3628 IRP_MJ_SET_EA : 804F4544
08:26:41:031 3628 IRP_MJ_FLUSH_BUFFERS : F7711366
08:26:41:031 3628 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4544
08:26:41:031 3628 IRP_MJ_SET_VOLUME_INFORMATION : 804F4544
08:26:41:031 3628 IRP_MJ_DIRECTORY_CONTROL : 804F4544
08:26:41:031 3628 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4544
08:26:41:031 3628 IRP_MJ_DEVICE_CONTROL : F771144D
08:26:41:031 3628 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7714FC3
08:26:41:031 3628 IRP_MJ_SHUTDOWN : F7711366
08:26:41:031 3628 IRP_MJ_LOCK_CONTROL : 804F4544
08:26:41:031 3628 IRP_MJ_CLEANUP : 804F4544
08:26:41:031 3628 IRP_MJ_CREATE_MAILSLOT : 804F4544
08:26:41:031 3628 IRP_MJ_QUERY_SECURITY : 804F4544
08:26:41:031 3628 IRP_MJ_SET_SECURITY : 804F4544
08:26:41:031 3628 IRP_MJ_POWER : F7712EF3
08:26:41:031 3628 IRP_MJ_SYSTEM_CONTROL : F7717A24
08:26:41:031 3628 IRP_MJ_DEVICE_CHANGE : 804F4544
08:26:41:031 3628 IRP_MJ_QUERY_QUOTA : 804F4544
08:26:41:031 3628 IRP_MJ_SET_QUOTA : 804F4544
08:26:41:031 3628 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
08:26:41:031 3628
08:26:41:031 3628 Driver Name: Disk
08:26:41:031 3628 IRP_MJ_CREATE : F7716C30
08:26:41:031 3628 IRP_MJ_CREATE_NAMED_PIPE : 804F4544
08:26:41:031 3628 IRP_MJ_CLOSE : F7716C30
08:26:41:031 3628 IRP_MJ_READ : F7710D9B
08:26:41:031 3628 IRP_MJ_WRITE : F7710D9B
08:26:41:031 3628 IRP_MJ_QUERY_INFORMATION : 804F4544
08:26:41:031 3628 IRP_MJ_SET_INFORMATION : 804F4544
08:26:41:031 3628 IRP_MJ_QUERY_EA : 804F4544
08:26:41:031 3628 IRP_MJ_SET_EA : 804F4544
08:26:41:031 3628 IRP_MJ_FLUSH_BUFFERS : F7711366
08:26:41:031 3628 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4544
08:26:41:031 3628 IRP_MJ_SET_VOLUME_INFORMATION : 804F4544
08:26:41:031 3628 IRP_MJ_DIRECTORY_CONTROL : 804F4544
08:26:41:031 3628 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4544
08:26:41:031 3628 IRP_MJ_DEVICE_CONTROL : F771144D
08:26:41:031 3628 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7714FC3
08:26:41:031 3628 IRP_MJ_SHUTDOWN : F7711366
08:26:41:031 3628 IRP_MJ_LOCK_CONTROL : 804F4544
08:26:41:031 3628 IRP_MJ_CLEANUP : 804F4544
08:26:41:031 3628 IRP_MJ_CREATE_MAILSLOT : 804F4544
08:26:41:031 3628 IRP_MJ_QUERY_SECURITY : 804F4544
08:26:41:031 3628 IRP_MJ_SET_SECURITY : 804F4544
08:26:41:031 3628 IRP_MJ_POWER : F7712EF3
08:26:41:031 3628 IRP_MJ_SYSTEM_CONTROL : F7717A24
08:26:41:031 3628 IRP_MJ_DEVICE_CHANGE : 804F4544
08:26:41:031 3628 IRP_MJ_QUERY_QUOTA : 804F4544
08:26:41:031 3628 IRP_MJ_SET_QUOTA : 804F4544
08:26:41:046 3628 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
08:26:41:046 3628
08:26:41:046 3628 Driver Name: usbstor
08:26:41:046 3628 IRP_MJ_CREATE : F6AFB218
08:26:41:046 3628 IRP_MJ_CREATE_NAMED_PIPE : 804F4544
08:26:41:046 3628 IRP_MJ_CLOSE : F6AFB218
08:26:41:046 3628 IRP_MJ_READ : F6AFB23C
08:26:41:046 3628 IRP_MJ_WRITE : F6AFB23C
08:26:41:046 3628 IRP_MJ_QUERY_INFORMATION : 804F4544
08:26:41:046 3628 IRP_MJ_SET_INFORMATION : 804F4544
08:26:41:046 3628 IRP_MJ_QUERY_EA : 804F4544
08:26:41:046 3628 IRP_MJ_SET_EA : 804F4544
08:26:41:046 3628 IRP_MJ_FLUSH_BUFFERS : 804F4544
08:26:41:046 3628 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4544
08:26:41:046 3628 IRP_MJ_SET_VOLUME_INFORMATION : 804F4544
08:26:41:046 3628 IRP_MJ_DIRECTORY_CONTROL : 804F4544
08:26:41:046 3628 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4544
08:26:41:046 3628 IRP_MJ_DEVICE_CONTROL : F6AFB180
08:26:41:046 3628 IRP_MJ_INTERNAL_DEVICE_CONTROL : F6AF69E6
08:26:41:046 3628 IRP_MJ_SHUTDOWN : 804F4544
08:26:41:046 3628 IRP_MJ_LOCK_CONTROL : 804F4544
08:26:41:046 3628 IRP_MJ_CLEANUP : 804F4544
08:26:41:046 3628 IRP_MJ_CREATE_MAILSLOT : 804F4544
08:26:41:046 3628 IRP_MJ_QUERY_SECURITY : 804F4544
08:26:41:046 3628 IRP_MJ_SET_SECURITY : 804F4544
08:26:41:046 3628 IRP_MJ_POWER : F6AFA5F0
08:26:41:046 3628 IRP_MJ_SYSTEM_CONTROL : F6AF8A6E
08:26:41:046 3628 IRP_MJ_DEVICE_CHANGE : 804F4544
08:26:41:046 3628 IRP_MJ_QUERY_QUOTA : 804F4544
08:26:41:046 3628 IRP_MJ_SET_QUOTA : 804F4544
08:26:41:062 3628 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
08:26:41:062 3628
08:26:41:062 3628 Driver Name: usbstor
08:26:41:062 3628 IRP_MJ_CREATE : F6AFB218
08:26:41:062 3628 IRP_MJ_CREATE_NAMED_PIPE : 804F4544
08:26:41:062 3628 IRP_MJ_CLOSE : F6AFB218
08:26:41:062 3628 IRP_MJ_READ : F6AFB23C
08:26:41:062 3628 IRP_MJ_WRITE : F6AFB23C
08:26:41:062 3628 IRP_MJ_QUERY_INFORMATION : 804F4544
08:26:41:062 3628 IRP_MJ_SET_INFORMATION : 804F4544
08:26:41:062 3628 IRP_MJ_QUERY_EA : 804F4544
08:26:41:062 3628 IRP_MJ_SET_EA : 804F4544
08:26:41:062 3628 IRP_MJ_FLUSH_BUFFERS : 804F4544
08:26:41:062 3628 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4544
08:26:41:062 3628 IRP_MJ_SET_VOLUME_INFORMATION : 804F4544
08:26:41:062 3628 IRP_MJ_DIRECTORY_CONTROL : 804F4544
08:26:41:062 3628 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4544
08:26:41:062 3628 IRP_MJ_DEVICE_CONTROL : F6AFB180
08:26:41:062 3628 IRP_MJ_INTERNAL_DEVICE_CONTROL : F6AF69E6
08:26:41:062 3628 IRP_MJ_SHUTDOWN : 804F4544
08:26:41:062 3628 IRP_MJ_LOCK_CONTROL : 804F4544
08:26:41:062 3628 IRP_MJ_CLEANUP : 804F4544
08:26:41:062 3628 IRP_MJ_CREATE_MAILSLOT : 804F4544
08:26:41:062 3628 IRP_MJ_QUERY_SECURITY : 804F4544
08:26:41:062 3628 IRP_MJ_SET_SECURITY : 804F4544
08:26:41:062 3628 IRP_MJ_POWER : F6AFA5F0
08:26:41:062 3628 IRP_MJ_SYSTEM_CONTROL : F6AF8A6E
08:26:41:062 3628 IRP_MJ_DEVICE_CHANGE : 804F4544
08:26:41:062 3628 IRP_MJ_QUERY_QUOTA : 804F4544
08:26:41:062 3628 IRP_MJ_SET_QUOTA : 804F4544
08:26:41:062 3628 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
08:26:41:062 3628
08:26:41:062 3628 Driver Name: usbstor
08:26:41:062 3628 IRP_MJ_CREATE : F6AFB218
08:26:41:062 3628 IRP_MJ_CREATE_NAMED_PIPE : 804F4544
08:26:41:062 3628 IRP_MJ_CLOSE : F6AFB218
08:26:41:078 3628 IRP_MJ_READ : F6AFB23C
08:26:41:078 3628 IRP_MJ_WRITE : F6AFB23C
08:26:41:078 3628 IRP_MJ_QUERY_INFORMATION : 804F4544
08:26:41:078 3628 IRP_MJ_SET_INFORMATION : 804F4544
08:26:41:078 3628 IRP_MJ_QUERY_EA : 804F4544
08:26:41:078 3628 IRP_MJ_SET_EA : 804F4544
08:26:41:078 3628 IRP_MJ_FLUSH_BUFFERS : 804F4544
08:26:41:078 3628 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4544
08:26:41:078 3628 IRP_MJ_SET_VOLUME_INFORMATION : 804F4544
08:26:41:078 3628 IRP_MJ_DIRECTORY_CONTROL : 804F4544
08:26:41:078 3628 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4544
08:26:41:078 3628 IRP_MJ_DEVICE_CONTROL : F6AFB180
08:26:41:078 3628 IRP_MJ_INTERNAL_DEVICE_CONTROL : F6AF69E6
08:26:41:078 3628 IRP_MJ_SHUTDOWN : 804F4544
08:26:41:078 3628 IRP_MJ_LOCK_CONTROL : 804F4544
08:26:41:078 3628 IRP_MJ_CLEANUP : 804F4544
08:26:41:078 3628 IRP_MJ_CREATE_MAILSLOT : 804F4544
08:26:41:078 3628 IRP_MJ_QUERY_SECURITY : 804F4544
08:26:41:078 3628 IRP_MJ_SET_SECURITY : 804F4544
08:26:41:078 3628 IRP_MJ_POWER : F6AFA5F0
08:26:41:078 3628 IRP_MJ_SYSTEM_CONTROL : F6AF8A6E
08:26:41:078 3628 IRP_MJ_DEVICE_CHANGE : 804F4544
08:26:41:078 3628 IRP_MJ_QUERY_QUOTA : 804F4544
08:26:41:078 3628 IRP_MJ_SET_QUOTA : 804F4544
08:26:41:078 3628 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
08:26:41:078 3628
08:26:41:078 3628 Driver Name: usbstor
08:26:41:078 3628 IRP_MJ_CREATE : F6AFB218
08:26:41:078 3628 IRP_MJ_CREATE_NAMED_PIPE : 804F4544
08:26:41:078 3628 IRP_MJ_CLOSE : F6AFB218
08:26:41:078 3628 IRP_MJ_READ : F6AFB23C
08:26:41:078 3628 IRP_MJ_WRITE : F6AFB23C
08:26:41:078 3628 IRP_MJ_QUERY_INFORMATION : 804F4544
08:26:41:078 3628 IRP_MJ_SET_INFORMATION : 804F4544
08:26:41:078 3628 IRP_MJ_QUERY_EA : 804F4544
08:26:41:078 3628 IRP_MJ_SET_EA : 804F4544
08:26:41:078 3628 IRP_MJ_FLUSH_BUFFERS : 804F4544
08:26:41:078 3628 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4544
08:26:41:078 3628 IRP_MJ_SET_VOLUME_INFORMATION : 804F4544
08:26:41:078 3628 IRP_MJ_DIRECTORY_CONTROL : 804F4544
08:26:41:078 3628 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4544
08:26:41:078 3628 IRP_MJ_DEVICE_CONTROL : F6AFB180
08:26:41:078 3628 IRP_MJ_INTERNAL_DEVICE_CONTROL : F6AF69E6
08:26:41:078 3628 IRP_MJ_SHUTDOWN : 804F4544
08:26:41:078 3628 IRP_MJ_LOCK_CONTROL : 804F4544
08:26:41:078 3628 IRP_MJ_CLEANUP : 804F4544
08:26:41:078 3628 IRP_MJ_CREATE_MAILSLOT : 804F4544
08:26:41:078 3628 IRP_MJ_QUERY_SECURITY : 804F4544
08:26:41:078 3628 IRP_MJ_SET_SECURITY : 804F4544
08:26:41:078 3628 IRP_MJ_POWER : F6AFA5F0
08:26:41:078 3628 IRP_MJ_SYSTEM_CONTROL : F6AF8A6E
08:26:41:078 3628 IRP_MJ_DEVICE_CHANGE : 804F4544
08:26:41:078 3628 IRP_MJ_QUERY_QUOTA : 804F4544
08:26:41:078 3628 IRP_MJ_SET_QUOTA : 804F4544
08:26:41:078 3628 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
08:26:41:078 3628
08:26:41:078 3628 Driver Name: Disk
08:26:41:078 3628 IRP_MJ_CREATE : F7716C30
08:26:41:078 3628 IRP_MJ_CREATE_NAMED_PIPE : 804F4544
08:26:41:078 3628 IRP_MJ_CLOSE : F7716C30
08:26:41:078 3628 IRP_MJ_READ : F7710D9B
08:26:41:078 3628 IRP_MJ_WRITE : F7710D9B
08:26:41:078 3628 IRP_MJ_QUERY_INFORMATION : 804F4544
08:26:41:078 3628 IRP_MJ_SET_INFORMATION : 804F4544
08:26:41:078 3628 IRP_MJ_QUERY_EA : 804F4544
08:26:41:078 3628 IRP_MJ_SET_EA : 804F4544
08:26:41:078 3628 IRP_MJ_FLUSH_BUFFERS : F7711366
08:26:41:078 3628 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4544
08:26:41:078 3628 IRP_MJ_SET_VOLUME_INFORMATION : 804F4544
08:26:41:078 3628 IRP_MJ_DIRECTORY_CONTROL : 804F4544
08:26:41:078 3628 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4544
08:26:41:078 3628 IRP_MJ_DEVICE_CONTROL : F771144D
08:26:41:078 3628 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7714FC3
08:26:41:078 3628 IRP_MJ_SHUTDOWN : F7711366
08:26:41:078 3628 IRP_MJ_LOCK_CONTROL : 804F4544
08:26:41:078 3628 IRP_MJ_CLEANUP : 804F4544
08:26:41:078 3628 IRP_MJ_CREATE_MAILSLOT : 804F4544
08:26:41:078 3628 IRP_MJ_QUERY_SECURITY : 804F4544
08:26:41:078 3628 IRP_MJ_SET_SECURITY : 804F4544
08:26:41:078 3628 IRP_MJ_POWER : F7712EF3
08:26:41:078 3628 IRP_MJ_SYSTEM_CONTROL : F7717A24
08:26:41:078 3628 IRP_MJ_DEVICE_CHANGE : 804F4544
08:26:41:078 3628 IRP_MJ_QUERY_QUOTA : 804F4544
08:26:41:078 3628 IRP_MJ_SET_QUOTA : 804F4544
08:26:41:078 3628 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
08:26:41:078 3628
08:26:41:078 3628 Driver Name: Disk
08:26:41:078 3628 IRP_MJ_CREATE : F7716C30
08:26:41:078 3628 IRP_MJ_CREATE_NAMED_PIPE : 804F4544
08:26:41:078 3628 IRP_MJ_CLOSE : F7716C30
08:26:41:078 3628 IRP_MJ_READ : F7710D9B
08:26:41:078 3628 IRP_MJ_WRITE : F7710D9B
08:26:41:078 3628 IRP_MJ_QUERY_INFORMATION : 804F4544
08:26:41:078 3628 IRP_MJ_SET_INFORMATION : 804F4544
08:26:41:078 3628 IRP_MJ_QUERY_EA : 804F4544
08:26:41:078 3628 IRP_MJ_SET_EA : 804F4544
08:26:41:078 3628 IRP_MJ_FLUSH_BUFFERS : F7711366
08:26:41:078 3628 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4544
08:26:41:078 3628 IRP_MJ_SET_VOLUME_INFORMATION : 804F4544
08:26:41:078 3628 IRP_MJ_DIRECTORY_CONTROL : 804F4544
08:26:41:078 3628 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4544
08:26:41:078 3628 IRP_MJ_DEVICE_CONTROL : F771144D
08:26:41:078 3628 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7714FC3
08:26:41:078 3628 IRP_MJ_SHUTDOWN : F7711366
08:26:41:078 3628 IRP_MJ_LOCK_CONTROL : 804F4544
08:26:41:078 3628 IRP_MJ_CLEANUP : 804F4544
08:26:41:078 3628 IRP_MJ_CREATE_MAILSLOT : 804F4544
08:26:41:078 3628 IRP_MJ_QUERY_SECURITY : 804F4544
08:26:41:078 3628 IRP_MJ_SET_SECURITY : 804F4544
08:26:41:078 3628 IRP_MJ_POWER : F7712EF3
08:26:41:078 3628 IRP_MJ_SYSTEM_CONTROL : F7717A24
08:26:41:078 3628 IRP_MJ_DEVICE_CHANGE : 804F4544
08:26:41:078 3628 IRP_MJ_QUERY_QUOTA : 804F4544
08:26:41:078 3628 IRP_MJ_SET_QUOTA : 804F4544
08:26:41:078 3628 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
08:26:41:078 3628
08:26:41:078 3628 Driver Name: atapi
08:26:41:078 3628 IRP_MJ_CREATE : F7457572
08:26:41:078 3628 IRP_MJ_CREATE_NAMED_PIPE : 804F4544
08:26:41:078 3628 IRP_MJ_CLOSE : F7457572
08:26:41:078 3628 IRP_MJ_READ : 804F4544
08:26:41:078 3628 IRP_MJ_WRITE : 804F4544
08:26:41:078 3628 IRP_MJ_QUERY_INFORMATION : 804F4544
08:26:41:078 3628 IRP_MJ_SET_INFORMATION : 804F4544
08:26:41:078 3628 IRP_MJ_QUERY_EA : 804F4544
08:26:41:078 3628 IRP_MJ_SET_EA : 804F4544
08:26:41:078 3628 IRP_MJ_FLUSH_BUFFERS : 804F4544
08:26:41:078 3628 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4544
08:26:41:078 3628 IRP_MJ_SET_VOLUME_INFORMATION : 804F4544
08:26:41:078 3628 IRP_MJ_DIRECTORY_CONTROL : 804F4544
08:26:41:078 3628 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4544
08:26:41:078 3628 IRP_MJ_DEVICE_CONTROL : F7457592
08:26:41:078 3628 IRP_MJ_INTERNAL_DEVICE_CONTROL : F74537B4
08:26:41:078 3628 IRP_MJ_SHUTDOWN : 804F4544
08:26:41:078 3628 IRP_MJ_LOCK_CONTROL : 804F4544
08:26:41:078 3628 IRP_MJ_CLEANUP : 804F4544
08:26:41:078 3628 IRP_MJ_CREATE_MAILSLOT : 804F4544
08:26:41:078 3628 IRP_MJ_QUERY_SECURITY : 804F4544
08:26:41:078 3628 IRP_MJ_SET_SECURITY : 804F4544
08:26:41:078 3628 IRP_MJ_POWER : F74575BC
08:26:41:078 3628 IRP_MJ_SYSTEM_CONTROL : F745E164
08:26:41:078 3628 IRP_MJ_DEVICE_CHANGE : 804F4544
08:26:41:078 3628 IRP_MJ_QUERY_QUOTA : 804F4544
08:26:41:078 3628 IRP_MJ_SET_QUOTA : 804F4544
08:26:41:093 3628 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: 1
08:26:41:093 3628
08:26:41:093 3628 Completed
08:26:41:093 3628
08:26:41:093 3628 Results:
08:26:41:093 3628 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
08:26:41:093 3628 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
08:26:41:093 3628 File objects infected / cured / cured on reboot: 0 / 0 / 0
08:26:41:093 3628
08:26:41:093 3628 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
08:26:41:093 3628 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
08:26:41:109 3628 KLMD(ARK) unloaded successfully
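
The "Scanning Kernel memory" section of the TDSSKiller log above lists, for each storage device object, the owning driver's IRP_MJ_* dispatch table with one handler address per slot. What a rootkit scanner checks there is whether each handler still points into the driver's own image: a TDL3-style infection of atapi.sys overwrites individual slots (typically IRP_MJ_DEVICE_CONTROL and the read/write paths) with addresses in code the rootkit has loaded elsewhere. The script below is an added example, not part of husky1954's post and not TDSSKiller's own logic. It parses blocks in this log format, treats any address that shows up in the tables of different driver images as a shared kernel placeholder (804F4544 above, which every driver leaves in slots it does not implement), and flags a handler that sits far from the rest of that driver's own handlers. The sample contains the Disk and atapi tables copied from the log, trimmed to a few slots, plus a third block constructed for illustration in which one atapi slot has been redirected; the 256 KiB span limit is an assumption standing in for the loaded-module list a real scanner would use and this log does not contain.

```python
import re
from collections import defaultdict
from statistics import median

# First two blocks: lines copied from the TDSSKiller log above (Disk, atapi),
# trimmed to a few IRP slots. Third block: CONSTRUCTED, not real scanner output;
# atapi's IRP_MJ_DEVICE_CONTROL has been pointed far outside atapi.sys, the
# shape a TDL3-style dispatch-table hook leaves behind.
SAMPLE_LOG = r"""
08:26:40:953 3628 Driver Name: Disk
08:26:40:953 3628 IRP_MJ_CREATE : F7716C30
08:26:40:953 3628 IRP_MJ_CREATE_NAMED_PIPE : 804F4544
08:26:40:953 3628 IRP_MJ_READ : F7710D9B
08:26:40:953 3628 IRP_MJ_WRITE : F7710D9B
08:26:40:953 3628 IRP_MJ_DEVICE_CONTROL : F771144D
08:26:40:953 3628 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7714FC3
08:26:40:953 3628 IRP_MJ_POWER : F7712EF3
08:26:40:953 3628 IRP_MJ_SYSTEM_CONTROL : F7717A24
08:26:41:000 3628 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1

08:26:41:078 3628 Driver Name: atapi
08:26:41:078 3628 IRP_MJ_CREATE : F7457572
08:26:41:078 3628 IRP_MJ_CREATE_NAMED_PIPE : 804F4544
08:26:41:078 3628 IRP_MJ_READ : 804F4544
08:26:41:078 3628 IRP_MJ_DEVICE_CONTROL : F7457592
08:26:41:078 3628 IRP_MJ_INTERNAL_DEVICE_CONTROL : F74537B4
08:26:41:078 3628 IRP_MJ_POWER : F74575BC
08:26:41:078 3628 IRP_MJ_SYSTEM_CONTROL : F745E164
08:26:41:093 3628 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: 1

08:26:41:078 3628 Driver Name: atapi
08:26:41:078 3628 IRP_MJ_CREATE : F7457572
08:26:41:078 3628 IRP_MJ_CREATE_NAMED_PIPE : 804F4544
08:26:41:078 3628 IRP_MJ_DEVICE_CONTROL : 8A1B3C40
08:26:41:078 3628 IRP_MJ_INTERNAL_DEVICE_CONTROL : F74537B4
08:26:41:078 3628 IRP_MJ_POWER : F74575BC
08:26:41:078 3628 IRP_MJ_SYSTEM_CONTROL : F745E164
08:26:41:093 3628 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: 1
"""

# ASSUMPTION: an XP-era storage driver image is well under 256 KiB, so two
# handlers of the same driver should never be further apart than this.
MAX_IMAGE_SPAN = 0x40000

_DRIVER = re.compile(r"Driver Name: (\S+)\s*$")
_IRP = re.compile(r"(IRP_MJ_[A-Z_]+) : ([0-9A-Fa-f]{8})\s*$")
_VERDICT = re.compile(r"(\S+\.sys) - Verdict: (\d+)\s*$", re.IGNORECASE)


def parse_scan(text):
    """Return one record per 'Driver Name:' block: driver name, image path,
    the scanner's numeric verdict (parsed, not interpreted: its meaning is not
    documented on this page) and the IRP_MJ_* -> address table as integers."""
    records, cur = [], None
    for line in text.splitlines():
        m = _DRIVER.search(line)
        if m:
            cur = {"driver": m.group(1), "path": None, "verdict": None, "handlers": {}}
            records.append(cur)
            continue
        if cur is None:
            continue
        m = _IRP.search(line)
        if m:
            cur["handlers"][m.group(1)] = int(m.group(2), 16)
            continue
        m = _VERDICT.search(line)
        if m:
            cur["path"], cur["verdict"] = m.group(1), int(m.group(2))
            cur = None  # verdict line closes the block
    return records


def shared_stubs(records):
    """Addresses that appear in the tables of more than one driver image.
    Those belong to the kernel, not to any driver (804F4544 in this log is the
    placeholder every driver leaves in IRP slots it does not implement)."""
    owners = defaultdict(set)
    for rec in records:
        image = (rec["path"] or rec["driver"]).lower()
        for addr in rec["handlers"].values():
            owners[addr].add(image)
    return {addr for addr, images in owners.items() if len(images) > 1}


def find_hooks(records, max_span=MAX_IMAGE_SPAN):
    """Flag handlers that lie far from the driver's other handlers: a slot
    redirected into foreign code. Returns (record index, driver, slot, addr)."""
    stubs = shared_stubs(records)
    findings = []
    for idx, rec in enumerate(records):
        own = {irp: a for irp, a in rec["handlers"].items() if a not in stubs}
        if len(own) < 2:
            continue  # nothing to compare against
        centre = median(own.values())
        for irp, addr in sorted(own.items()):
            if abs(addr - centre) > max_span:
                findings.append((idx, rec["driver"], irp, addr))
    return findings


if __name__ == "__main__":
    recs = parse_scan(SAMPLE_LOG)
    for idx, drv, irp, addr in find_hooks(recs):
        print(f"block {idx} ({drv}, {recs[idx]['path']}): {irp} -> {addr:08X} "
              "points outside the driver's handler range, possible hook")
```

Run against the complete log above, the script reports nothing: every Disk, usbstor and atapi slot is either the shared kernel placeholder or within a few KiB of the driver's other handlers, which matches the scanner's clean result. The span heuristic is a stand-in for the real check; given the loaded-module list, the comparison should be "handler inside this driver's image" rather than "handler near the others", since a rootkit that hooks every slot of a table at once would still pass this approximation.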


#15 Ltangelic

Ltangelic

    Angel Annihilator of Malware


  • Members
  • 348 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Somewhere
  • Local time:12:55 AM

Posted 06 April 2010 - 09:19 AM

Hi,

Sincere apologies for the late reply. I will be unavailable from today and a fellow colleague will take over and help you instead. Please be patient in waiting for a reply, thank you.

Bleepingcomputer Malware Response Team

Please do NOT PM anyone with HJT logs, read this and post your logs here.
