
Rootkit, browser hijack maybe more


  • This topic is locked
27 replies to this topic

#1 try_and_fix_it

try_and_fix_it

  • Members
  • 19 posts
  • OFFLINE
  • Local time:09:19 PM

Posted 13 April 2010 - 05:26 AM

Hi,

I made a post explaining my problem in the am I infected forum here:
http://www.bleepingcomputer.com/forums/t/308419/firefox-hijack-trojan-rootkit-more-what-next/
and was told there is a rootkit on the machine and to post the gmer log I have, here is the text from my original post:
QUOTE
Hello,

I am dealing with a friend's computer which seems to have a bad case of various malware and possibly rootkit(s). She had some guests over and their 15 year old was the last person using the computer before the symptoms appeared; he either caught it from some online gaming site or possibly some pr0nsite (can't tell, all history has been wiped).

The original symptoms were that the computer pretty much refused to do anything. She had a friend over to help and they did a full scan with AVG in safe mode; this found and removed a few of the problems but not all:

1. Trojan Horse Downloader Generic.9.BNNG
2. Trojan Horse Crypt.SAF
3. Trojan Horse Cryptic.EA
4. Trojan Horse Rootkit-Agent.DI

Then I got involved, the obvious symptom now was this:
all searches on Google redirected to spurious other search pages which then redirected again to other pages (usually IP addresses instead of URLs, which seem related to the goored infection) containing malware payloads, some of which were caught/flagged by AVG resident shield.
XP Firewall was disabled and notification turned off in the security centre.
Another full scan revealed nothing but while it was running the resident shield of AVG caught some infected files containing that last Rootkit-agent in the above list; the file was
C:\windows\system32\drivers\ndis.sys which could not be cleaned as the process involved was svchost.exe from the system32 folder once again.
I restarted from the XP CD and replaced that file with the one from the CD, to no avail; it came up again flagged by the resident shield.

I disabled System Restore, did a cleanup with CCleaner, and installed Malwarebytes which found and removed even more stuff.

Rescanned with AVG and malwarebytes once again.

Still no dice, the redirects from google have now stopped but firefox is opening random tabs which if not closed redirect to pages with malware payloads.
That ndis.sys file was flagged again this time as: C:\windows\system32\dllcache\ndis.sys
I downloaded GMER which flags C:\windows\system32\drivers\atapi.sys as having a suspicious modification and mousclass.sys in the same folder.



Since running gmer I have not restarted windows but I have run Superantispyware (version: 3.9.1008, with updated definitions) from a UBCD4win live CD and it only found 3 adware cookies

Machine runs XP SP2
anti virus: AVG 8.xx
Here is the gmer log (also attached):

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-09 20:30:43
Windows 5.1.2600 Service Pack 2
Running: llwe3y4h.exe; Driver: C:\DOCUME~1\bug\LOCALS~1\Temp\pxtdqpoc.sys


---- Kernel code sections - GMER 1.0.15 ----

? nuult.sys The system cannot find the file specified. !
.rsrc C:\WINDOWS\System32\DRIVERS\mouclass.sys entry point in ".rsrc" section [0xF8839814]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[836] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 007A000A
.text C:\WINDOWS\System32\svchost.exe[836] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 007B000A
.text C:\WINDOWS\System32\svchost.exe[836] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0079000C
.text C:\WINDOWS\System32\svchost.exe[836] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 0222000A
.text C:\WINDOWS\Explorer.EXE[1272] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A1000A
.text C:\WINDOWS\Explorer.EXE[1272] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00A7000A
.text C:\WINDOWS\Explorer.EXE[1272] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00A0000C

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device -> \Driver\atapi \Device\Harddisk0\DR0 82191AC8

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\System32\DRIVERS\mouclass.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

I will wait for instructions. I am keeping the machine off the internet and downloading needed programs via UBCD4win.
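As an added example (not part of the original post, and not GMER's own code), here is a small Python parser and triage pass over the record types that appear in the GMER log above: the driver referenced from kernel code but absent from disk, the driver whose entry point sits in its .rsrc section, the inline JMP hooks in svchost.exe and Explorer.EXE, the attached devices, and the "suspicious modification" file lines. The sample log embedded in the script is constructed from the lines quoted above. The 0x10000000 threshold is a heuristic I chose for 32-bit XP, where system DLLs load high in the address space: a hook that jumps below it lands in anonymous memory rather than a loaded DLL, which is worth attributing to a product (security software places such hooks too) before calling it malicious.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the GMER log quoted in the post above,
# trimmed to the record types this parser understands.
SAMPLE_LOG = r"""
---- Kernel code sections - GMER 1.0.15 ----

? nuult.sys The system cannot find the file specified. !
.rsrc C:\WINDOWS\System32\DRIVERS\mouclass.sys entry point in ".rsrc" section [0xF8839814]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[836] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 007A000A
.text C:\WINDOWS\System32\svchost.exe[836] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 007B000A
.text C:\WINDOWS\System32\svchost.exe[836] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0079000C
.text C:\WINDOWS\System32\svchost.exe[836] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 0222000A
.text C:\WINDOWS\Explorer.EXE[1272] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A1000A
.text C:\WINDOWS\Explorer.EXE[1272] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00A7000A
.text C:\WINDOWS\Explorer.EXE[1272] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00A0000C

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\System32\DRIVERS\mouclass.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification
"""

# One regex per GMER record type seen in the log.
HOOK_RE = re.compile(
    r'^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+(?P<module>[^!\s]+)!(?P<func>\S+)\s+'
    r'(?P<addr>[0-9A-Fa-f]+)\s+(?P<nbytes>\d+)\s+Bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]+)$')
MISSING_RE = re.compile(r'^\?\s+(?P<driver>\S+)\s+The system cannot find the file specified\.')
RSRC_RE = re.compile(r'^\.rsrc\s+(?P<path>.+?)\s+entry point in "\.rsrc" section')
SUSPICIOUS_RE = re.compile(r'^File\s+(?P<path>.+?)\s+suspicious modification$')
DEVICE_RE = re.compile(
    r'^AttachedDevice\s+(?P<driver>\S+)\s+(?P<device>\S+)\s+(?P<image>\S+)\s+\((?P<desc>.*)\)$')


def parse_gmer(text):
    """Turn the free-form GMER report into structured records, one list per record type."""
    parsed = {"hooks": [], "missing_drivers": [], "rsrc_entry": [],
              "suspicious_files": [], "devices": []}
    for raw in text.splitlines():
        line = raw.strip()
        if (m := HOOK_RE.match(line)):
            parsed["hooks"].append(m.groupdict())
        elif (m := MISSING_RE.match(line)):
            parsed["missing_drivers"].append(m["driver"])
        elif (m := RSRC_RE.match(line)):
            parsed["rsrc_entry"].append(m["path"])
        elif (m := SUSPICIOUS_RE.match(line)):
            parsed["suspicious_files"].append(m["path"])
        elif (m := DEVICE_RE.match(line)):
            parsed["devices"].append(m.groupdict())
    return parsed


def triage(parsed, low_addr_limit=0x10000000):
    """Rank the records for an analyst: (severity, message) tuples, highest confidence first."""
    findings = []
    for drv in parsed["missing_drivers"]:
        findings.append(("HIGH", f"kernel code section refers to {drv}, which is not on disk "
                                 "(hidden or deleted driver image)"))
    for path in parsed["rsrc_entry"]:
        findings.append(("HIGH", f"{path}: entry point inside .rsrc; compilers put it in a code "
                                 "section, so the driver has been patched"))
    for path in parsed["suspicious_files"]:
        findings.append(("HIGH", f"{path}: GMER reports a suspicious modification"))
    by_proc = defaultdict(list)
    for h in parsed["hooks"]:
        by_proc[f'{h["image"]}[{h["pid"]}]'].append(h)
    for proc, hooks in by_proc.items():
        # Heuristic: a JMP into low, anonymous memory is not a hook into a loaded DLL.
        low = [h for h in hooks if int(h["target"], 16) < low_addr_limit]
        if low:
            funcs = ", ".join(f'{h["module"]}!{h["func"]}' for h in low)
            findings.append(("MEDIUM", f"{proc}: {len(low)} inline hook(s) jump below "
                                       f"{low_addr_limit:#x} ({funcs}); attribute to a product "
                                       "before treating as malicious"))
    for d in parsed["devices"]:
        findings.append(("INFO", f'{d["image"]} attached to {d["device"]} ({d["desc"]}); '
                                 "confirm the vendor is expected on this machine"))
    return findings


if __name__ == "__main__":
    for severity, message in triage(parse_gmer(SAMPLE_LOG)):
        print(f"{severity:6} {message}")
```

The parser is deliberately line-oriented because GMER reports are plain text with one record per line; a log from a different GMER build that adds record types is simply left unparsed rather than misread.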






#2 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:19 PM

Posted 17 April 2010 - 07:41 AM

Hi, are you there? Please reply and let me know and I can provide the first set of instructions.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#3 try_and_fix_it

try_and_fix_it
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:09:19 PM

Posted 17 April 2010 - 07:58 AM

QUOTE(etavares @ Apr 17 2010, 01:41 PM)
Hi, are you there? Please reply and let me know and I can provide the first set of instructions.

Hi and thank you,

I am indeed here and waiting :)

#4 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:19 PM

Posted 17 April 2010 - 08:51 AM

Hello, try_and_fix_it.
OK, first things first. You are indeed infected with a backdoor rootkit.

Backdoor Warning
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you do decide to proceed, please continue with the fix below.




Are you able to boot into Windows without UBCD? If so, please continue with Combofix.


Next, please download ComboFix from one of these locations:
  • IMPORTANT !!! Save ComboFix.exe to your Desktop as try_and_fix_itCF.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on try_and_fix_itCF.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply, along with any symptoms that are present after it runs.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#5 try_and_fix_it

try_and_fix_it
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:09:19 PM

Posted 17 April 2010 - 10:48 AM

Hi etavares,

I can indeed start Windows.

Before proceeding I need to ask you one question:

I am going to back up my friend's files before going ahead; they are of 4 types:
.iso
.doc
.pdf
.xls
is there a risk these might have been modified/infected and how could I make sure they are safe?
(I will copy them via UBCD and was thinking of using the jotti online scanner to test them but you might have a better solution)

I need to rush out right now but will post the ComboFix log once I have run it and report any unusual activity.

Thank you for helping.

#6 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:19 PM

Posted 17 April 2010 - 11:12 AM

These types of documents can carry viruses, but they're also easy to detect and fix. Go ahead and back them up, then you can use the ESET scanner or their onboard antivirus once it's clean later to check...Jotti can only do one file at a time.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#7 try_and_fix_it

try_and_fix_it
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:09:19 PM

Posted 18 April 2010 - 08:02 AM

Hi

sorry for the delay.
I backed up the important information and then went ahead with your instructions.

combofix had to reboot the machine after detecting rootkit activity and then proceeded along.
After it ran, the AVG icon was not visible in the system tray but seems to be working.
Am not noticing anything weird at the moment but I am also not really using the machine, only uploading the combofix log for you, no weird tab opening in firefox so far, and google is not redirecting to dodgy searches/payload pages.
Here is the log:


ComboFix 10-04-17.05 - bug 18/04/2010 13:38:51.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.249 [GMT 1:00]
Running from: c:\documents and settings\bug\Desktop\CtryandfixitF.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\drivers\mouclass.sys was found and disinfected
Restored copy from - Kitty had a snack :p
c:\windows\system32\dbghlp.dll . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2010-03-18 to 2010-04-18 )))))))))))))))))))))))))))))))
.

2010-04-09 15:04 . 2004-08-03 23:14 182912 ----a-w- c:\windows\system32\drivers\ndis.sys
2010-04-09 14:29 . 2010-04-09 14:29 -------- d-----w- c:\documents and settings\bug\Application Data\Malwarebytes
2010-04-09 14:29 . 2010-03-29 23:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-09 14:29 . 2010-04-09 14:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-09 14:29 . 2010-03-29 23:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-09 14:29 . 2010-04-09 14:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-07 19:52 . 2010-04-07 19:52 -------- d-----w- c:\program files\Trend Micro
2010-04-07 16:25 . 2010-04-07 16:25 -------- d-----w- c:\windows\system32\wbem\Repository
2010-04-07 16:24 . 2010-04-07 16:24 -------- d-----w- c:\program files\Bonjour
2010-04-07 16:23 . 2010-04-07 16:23 -------- d-----w- c:\program files\iPod
2010-04-07 16:23 . 2010-04-07 16:23 -------- d-----w- c:\program files\iTunes
2010-04-07 16:23 . 2010-04-07 16:23 -------- d-----w- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2010-04-05 14:51 . 2010-04-07 16:21 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft
2010-04-05 14:51 . 2010-04-07 16:21 -------- d-s---w- c:\documents and settings\Administrator
2010-04-03 10:56 . 2010-04-07 16:21 -------- d-----w- c:\program files\Skype(2)
2010-04-01 20:15 . 2010-04-07 15:52 -------- d-----w- c:\documents and settings\bug\Application Data\skypePM
2010-04-01 20:15 . 2010-04-01 20:15 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-04-01 20:14 . 2010-04-07 16:21 -------- d-----w- c:\documents and settings\bug\Application Data\Skype
2010-04-01 20:13 . 2010-04-07 16:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-03-31 19:47 . 2010-04-07 16:21 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-03-31 19:32 . 2010-04-07 16:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-03-31 19:32 . 2010-03-31 19:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-03-31 19:32 . 2010-03-31 19:32 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-03-31 09:32 . 2010-04-07 16:22 -------- d-----w- c:\windows\system32\Adobe
2010-03-27 20:07 . 2010-04-07 16:23 -------- d-----w- c:\program files\iPod(2)
2010-03-27 20:07 . 2010-04-07 16:23 -------- d-----w- c:\program files\iTunes(2)
2010-03-27 20:07 . 2010-03-27 20:08 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-03-27 19:57 . 2010-04-07 16:24 -------- d-----w- c:\program files\Bonjour(2)

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-07 18:22 . 2002-08-29 01:27 23040 ----a-w- c:\windows\system32\drivers\mouclass.sys
2010-04-07 17:53 . 2009-09-06 14:14 -------- d-----w- c:\program files\Google
2010-04-07 16:24 . 2008-09-28 10:58 -------- d-----w- c:\program files\Safari
2010-04-07 16:24 . 2008-09-28 11:06 -------- d-----w- c:\program files\QuickTime
2010-04-07 16:23 . 2008-06-14 20:31 -------- d-----w- c:\program files\Common Files\Apple
2010-04-07 16:23 . 2008-06-14 20:33 -------- d-----w- c:\documents and settings\bug\Application Data\Apple Computer
2010-04-05 11:47 . 2008-06-18 23:34 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2010-02-26 06:05 . 2002-08-29 12:00 668672 ----a-w- c:\windows\system32\wininet.dll
2010-02-26 06:05 . 2007-11-22 14:37 81920 ------w- c:\windows\system32\ieencode.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 13:03 1230080 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AtiPTA"="atiptaxx.exe" [2001-01-15 192512]
"SoundMan"="SOUNDMAN.EXE" [2006-08-03 577536]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2003-01-27 376912]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-03-19 2046816]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-06 198160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-30 20:01 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [19/06/2008 00:34 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [19/06/2008 00:34 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [18/06/2009 15:06 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [04/07/2008 12:22 297752]
.
Contents of the 'Scheduled Tasks' folder

2010-03-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 11:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.virginmedia.com
uInternet Settings,ProxyOverride = *.local
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\bug\Application Data\Mozilla\Firefox\Profiles\1q3ddfgs.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: keyword.URL - hxxp://uk.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_uk&p=
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
- - - - ORPHANS REMOVED - - - -

AddRemove-Adobe Shockwave Player - c:\windows\system32\Macromed\SHOCKW~1\UNWISE.EXE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-18 13:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-04-18 13:46:08
ComboFix-quarantined-files.txt 2010-04-18 12:46

Pre-Run: 72,340,209,664 bytes free
Post-Run: 72,487,075,840 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 4F23402F0DB7227966A1642CC5551DD4

I have now updated the AVG definitions.
I also attach the log.
FYI: automatic updates wants to install all the recent ones but I am waiting until the disinfection is done before doing them.

Thank you
try_and_fix_it



Edited by try_and_fix_it, 18 April 2010 - 08:06 AM.


#8 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:19 PM

Posted 18 April 2010 - 08:09 AM

Hello, try_and_fix_it.

OK, we're making progress.



Step 1

Download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • A blank window shall open with the title "SystemLook v1.0-by Jpshortstuff".
  • Copy and Paste the content of the following codebox into the main textfield under "File":
    CODE
    :filefind
    dbghlp.dll
  • Please confirm everything is copied and pasted as I have provided above.
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan.
  • Please post this log in your next reply.


Note: The log can also be found on your Desktop entitled SystemLook.txt
2nd Note: The scan may take a while from several seconds to a minute or more depending on the number of files you have and how fast your computer can perform the task




Step 2

We need to create an OTL report:
  • Please download OTL from this link.
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in:

    netsvcs
    msconfig
    activex
    drivers32
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32
    ahcix86s.sys
    nvrd32.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT


  • Click the Quick Scan button.
  • The scan should take a few minutes.
  • Please copy and paste both logs in your reply. If they are too big to paste in one reply, please split them into separate posts.

etavares

Edited by etavares, 18 April 2010 - 08:10 AM.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
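The /md5start block in the OTL instructions above asks the tool to list hashes of storage-stack and logon drivers (atapi.sys, iaStor.sys, nvstor.sys and the rest) so they can be compared with known-good copies, which is also the check the poster attempted by hand when replacing ndis.sys from the XP CD. As an added example, not from the original post and not OTL's own code, the following Python script builds a hash baseline from a reference copy set and verifies the drivers on a suspect volume against it. The directories and the driver contents are constructed in a temporary folder so the script runs offline; in a real run build_baseline would point at install media or another clean source and verify_drivers at the suspect Windows\system32\drivers folder, from an offline boot such as the UBCD4Win the poster used, because a rootkit sitting in the disk driver stack can hide its changes from a running system.

```python
import hashlib
import tempfile
from pathlib import Path

# Subset of the driver names from the OTL /md5start list in the post above.
DRIVERS_OF_INTEREST = ["atapi.sys", "ndis.sys", "mouclass.sys", "iaStor.sys"]


def file_digest(path, algo="sha256"):
    """Hash a file in chunks; sha256 by default, pass "md5" to match OTL's own listing."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(reference_dir, names, algo="sha256"):
    """Map driver name -> digest for each name present in a known-good reference folder."""
    baseline = {}
    for name in names:
        p = Path(reference_dir) / name
        if p.is_file():
            baseline[name.lower()] = file_digest(p, algo)
    return baseline


def verify_drivers(drivers_dir, baseline, algo="sha256"):
    """Report OK / MODIFIED / MISSING for every baselined driver on the suspect volume."""
    results = {}
    for name, good in baseline.items():
        p = Path(drivers_dir) / name
        if not p.is_file():
            results[name] = "MISSING"
        elif file_digest(p, algo) == good:
            results[name] = "OK"
        else:
            results[name] = "MODIFIED"
    return results


def demo():
    """Constructed scenario: reference copies plus a suspect folder where atapi.sys was patched."""
    with tempfile.TemporaryDirectory() as tmp:
        reference = Path(tmp) / "i386"      # stands in for install media
        suspect = Path(tmp) / "drivers"     # stands in for Windows\system32\drivers
        reference.mkdir()
        suspect.mkdir()
        for name in ("atapi.sys", "ndis.sys", "mouclass.sys"):  # iaStor.sys deliberately absent
            data = f"constructed contents of {name}".encode()
            (reference / name).write_bytes(data)
            (suspect / name).write_bytes(data)
        # Simulate an infected driver: same name and size class, different bytes.
        (suspect / "atapi.sys").write_bytes(b"constructed contents of atapi.sys" + b"\x90" * 16)
        baseline = build_baseline(reference, DRIVERS_OF_INTEREST)
        return verify_drivers(suspect, baseline)


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{state:8} {name}")
```

A name on the list that has no reference copy is simply left out of the baseline rather than reported, so the script never claims a verdict it cannot back with a known-good hash; a MODIFIED result says only that the bytes differ from the reference, and a legitimate hotfix can cause that too, so the version of the reference copy has to match the patch level of the suspect machine.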
 


#9 try_and_fix_it

try_and_fix_it
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:09:19 PM

Posted 18 April 2010 - 11:32 AM

Hi again etavares,

I did as instructed (copy and paste in the window) and it all seemed to go through fine.
Just to be sure: AVG resident shield was running when I did those scans.

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 16:45 on 18/04/2010 by bug (Administrator - Elevation successful)

========== filefind ==========

Searching for "dbghlp.dll"
No files found.

-=End Of File=-

Someone distracted me as I was launching OTL so it ran once without the "scan all user" button ticked, so I ran it a second time.
Here is the log; the Extras log will be in the next post:

OTL logfile created on: 18/04/2010 17:09:53 - Run 2
OTL by OldTimer - Version 3.2.1.2 Folder = C:\Documents and Settings\bug\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

511.00 Mb Total Physical Memory | 118.00 Mb Available Physical Memory | 23.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 76.00% Paging File free
Paging file location(s): C:\pagefile.sys 960 1920 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 78.13 Gb Total Space | 67.45 Gb Free Space | 86.33% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 125.45 Gb Total Space | 124.52 Gb Free Space | 99.26% Space Free | Partition Type: NTFS
Drive F: | 29.30 Gb Total Space | 28.07 Gb Free Space | 95.79% Space Free | Partition Type: NTFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: BUGS
Current User Name: bug
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/04/18 16:44:33 | 000,562,176 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\bug\Desktop\OTL.exe
PRC - [2010/04/09 15:41:01 | 000,908,248 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/03/19 13:30:53 | 002,046,816 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgtray.exe
PRC - [2009/09/06 15:35:15 | 000,198,160 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PRC - [2009/08/30 21:01:18 | 000,486,680 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgrsx.exe
PRC - [2009/08/30 21:01:17 | 000,693,016 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgcsrvx.exe
PRC - [2009/08/30 21:01:13 | 000,595,736 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgnsx.exe
PRC - [2009/08/30 21:01:07 | 000,908,056 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgemc.exe
PRC - [2009/08/30 21:01:03 | 000,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe
PRC - [2008/06/10 04:27:04 | 000,144,784 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
PRC - [2008/06/10 04:27:03 | 000,329,104 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
PRC - [2007/10/12 09:34:56 | 000,071,096 | ---- | M] () -- C:\Program Files\CDBurnerXP\NMSAccessU.exe
PRC - [2007/06/13 11:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/08/03 06:12:00 | 000,577,536 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\soundman.exe
PRC - [2003/01/27 18:16:58 | 000,376,912 | ---- | M] () -- C:\Program Files\BroadJump\Client Foundation\CFD.exe
PRC - [2001/01/15 16:47:50 | 000,192,512 | ---- | M] (ATI Technologies, Inc.) -- C:\WINDOWS\system32\atiptaxx.exe


========== Modules (SafeList) ==========

MOD - [2010/04/18 16:44:33 | 000,562,176 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\bug\Desktop\OTL.exe
MOD - [2006/08/25 09:45:56 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2009/08/30 21:01:07 | 000,908,056 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG8\avgemc.exe -- (avg8emc)
SRV - [2009/08/30 21:01:03 | 000,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG8\avgwdsvc.exe -- (avg8wd)
SRV - [2007/10/12 09:34:56 | 000,071,096 | ---- | M] () [Auto | Running] -- C:\Program Files\CDBurnerXP\NMSAccessU.exe -- (NMSAccessU)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1454471165-2147056087-839522115-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com
IE - HKU\S-1-5-21-1454471165-2147056087-839522115-1004\..\URLSearchHook: *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Reg Error: Key error. File not found
IE - HKU\S-1-5-21-1454471165-2147056087-839522115-1004\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
IE - HKU\S-1-5-21-1454471165-2147056087-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1454471165-2147056087-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Yahoo! Search"
FF - prefs.js..browser.search.selectedEngine: "Yahoo! Search"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.1.3
FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:8.5.0.429
FF - prefs.js..extensions.enabledItems: avg@igeared:3.011.025.005
FF - prefs.js..extensions.enabledItems: {ABDE892B-13A8-4d1b-88E6-365A6E755758}:1.0
FF - prefs.js..extensions.enabledItems: en-US@dictionaries.addons.mozilla.org:4.0.0
FF - prefs.js..keyword.URL: "http://uk.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_uk&p="

FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG8\Firefox [2010/01/06 12:06:50 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\avg@igeared: C:\Program Files\AVG\AVG8\Toolbar\Firefox\avg@igeared [2010/01/07 16:47:04 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.9\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/09 15:41:20 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.9\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/09 15:41:20 | 000,000,000 | ---D | M]

[2008/09/16 00:41:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bug\Application Data\Mozilla\Extensions
[2010/04/18 14:02:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bug\Application Data\Mozilla\Firefox\Profiles\1q3ddfgs.default\extensions
[2009/09/03 09:42:09 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\bug\Application Data\Mozilla\Firefox\Profiles\1q3ddfgs.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/01/11 23:37:51 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\bug\Application Data\Mozilla\Firefox\Profiles\1q3ddfgs.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010/04/07 17:21:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bug\Application Data\Mozilla\Firefox\Profiles\1q3ddfgs.default\extensions\battlefieldheroespatcher@ea(2).com
[2009/10/04 12:57:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bug\Application Data\Mozilla\Firefox\Profiles\1q3ddfgs.default\extensions\en-US@dictionaries.addons.mozilla.org
[2010/04/09 17:07:52 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2008/01/11 19:27:42 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla(2).org
[2010/04/09 15:41:10 | 000,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml
[2010/04/09 15:41:11 | 000,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml
[2010/04/09 15:41:11 | 000,000,769 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml
[2010/04/09 15:41:11 | 000,000,831 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2002/08/29 13:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\Program Files\Real\realplayer\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (AVG Security Toolbar BHO) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
O3 - HKU\S-1-5-21-1454471165-2147056087-839522115-1004\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
O3 - HKU\S-1-5-21-1454471165-2147056087-839522115-1004\..\Toolbar\WebBrowser: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
O4 - HKLM..\Run: [AtiPTA] C:\WINDOWS\System32\atiptaxx.exe (ATI Technologies, Inc.)
O4 - HKLM..\Run: [AVG8_TRAY] C:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe ()
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\soundman.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1454471165-2147056087-839522115-1004\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1454471165-2147056087-839522115-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1454471165-2147056087-839522115-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1454471165-2147056087-839522115-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll (Sun Microsystems, Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftu...b?1200256533750 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O24 - Desktop Components:0 () - http://cdn.last.fm/flatness/listen_v2/starter_gradient.gif
O24 - Desktop Components:1 (My Current Home Page) - About:Home
O24 - Desktop WallPaper: C:\Documents and Settings\bug\Application Data\Mozilla\Firefox\Desktop Background.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\bug\Application Data\Mozilla\Firefox\Desktop Background.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/11/22 14:12:30 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2007/11/22 14:12:14 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\system32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found


ActiveX: {03F998B2-0E00-11D3-A498-00104B6EB52E} - Viewpoint Media Player
ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Microsoft VM
ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608555} - Internet Explorer Classes for Java
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {1B00725B-C455-4DE6-BFB6-AD540AD427CD} - Viewpoint Media Player
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {233C1507-6A77-46A4-9443-F871F945D258} - Adobe Shockwave Director 10.2
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2A202491-F00D-11cf-87CC-0020AFEECF20} - Adobe Shockwave Director 10.2
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4b218e3e-bc98-4770-93d3-2731b9329278} - %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.7
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - Windows Messenger 5.1
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7131646D-CD3C-40F4-97B9-CD9E4E6262EF} - .NET Framework
ActiveX: {73fa19d0-2d75-11d2-995d-00c04f98bbc9} - Web Folders
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - %SystemRoot%\system32\ie4uinit.exe
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {B508B3F1-A24A-32C0-B310-85786919EF28} - .NET Framework
ActiveX: {C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F} - .NET Framework
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Adobe Flash Player
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: {EF289A85-8E57-408d-BE47-73B55609861A} - RootsUpdate
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
ActiveX: Microsoft Base Smart Card Crypto Provider Package -

Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.3IV2 - C:\WINDOWS\System32\3ivxVfWCodec.dll (3ivx Technologies Pty. Ltd.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16902109354000384)

========== Files/Folders - Created Within 14 Days ==========

[2010/04/18 16:44:31 | 000,562,176 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\bug\Desktop\OTL.exe
[2010/04/18 13:46:11 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2010/04/18 13:34:17 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/04/18 13:31:13 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/04/18 13:31:13 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/04/18 13:31:13 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/04/18 13:31:13 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/04/18 13:31:01 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/04/18 13:29:35 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/04/09 16:16:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/04/09 15:29:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\bug\Application Data\Malwarebytes
[2010/04/09 15:29:11 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/09 15:29:09 | 000,020,824 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/09 15:29:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/04/09 15:29:08 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/04/09 15:23:48 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\bug\Recent
[2010/04/07 20:52:15 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/04/07 18:53:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Google
[2010/04/07 17:24:44 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2010/04/07 17:23:41 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2010/04/07 17:23:37 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2010/04/07 17:23:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
[2010/04/07 17:21:38 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2010/01/06 12:01:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Temp
[2009/09/06 15:33:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2009/09/06 15:19:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2009/06/12 12:21:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\AVGTOOLBAR
[2009/03/25 01:22:16 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009/03/25 01:22:16 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2009/03/25 01:22:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2008/07/01 23:19:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2008/01/07 21:25:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Documents and Settings\bug\My Documents\*.tmp files -> C:\Documents and Settings\bug\My Documents\*.tmp -> ]

========== Files - Modified Within 14 Days ==========

[2010/04/18 16:44:33 | 000,562,176 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\bug\Desktop\OTL.exe
[2010/04/18 16:44:17 | 000,100,908 | ---- | M] () -- C:\Documents and Settings\bug\Desktop\SystemLook.exe
[2010/04/18 16:40:54 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/04/18 16:40:52 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/04/18 16:40:51 | 536,399,872 | -HS- | M] () -- C:\hiberfil.sys
[2010/04/18 16:32:40 | 002,822,144 | ---- | M] () -- C:\Documents and Settings\bug\ntuser.dat
[2010/04/18 16:32:40 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\bug\ntuser.ini
[2010/04/18 14:18:37 | 003,919,898 | R--- | M] () -- C:\Documents and Settings\bug\Desktop\CtryandfixitF.exe
[2010/04/18 13:51:07 | 059,026,748 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2010/04/18 13:44:44 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/04/18 13:38:19 | 000,012,598 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/04/18 13:34:28 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/04/13 11:46:08 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\bug\Desktop\Defogger.exe
[2010/04/12 16:48:52 | 000,262,144 | ---- | M] () -- C:\Documents and Settings\All Users\NtUser.dat
[2010/04/09 15:29:14 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/04/07 20:52:18 | 000,001,734 | ---- | M] () -- C:\Documents and Settings\bug\Desktop\HijackThis.lnk
[2010/04/07 17:47:11 | 000,000,036 | ---- | M] () -- C:\Documents and Settings\bug\Local Settings\Application Data\housecall.guid.cache
[2010/04/07 17:30:54 | 000,508,956 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/04/07 17:30:54 | 000,432,356 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/04/07 17:30:54 | 000,067,312 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/04/07 16:50:52 | 000,012,540 | ---- | M] () -- C:\WINDOWS\System32\wpa.bak
[2010/04/05 15:39:09 | 000,002,796 | -HS- | M] () -- C:\Documents and Settings\bug\Local Settings\Application Data\8s32
[2010/04/05 15:39:09 | 000,002,796 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\8s32
[2010/04/05 15:38:23 | 000,001,044 | -HS- | M] () -- C:\Documents and Settings\bug\Local Settings\Application Data\2975001584
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Documents and Settings\bug\My Documents\*.tmp files -> C:\Documents and Settings\bug\My Documents\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/04/18 16:44:16 | 000,100,908 | ---- | C] () -- C:\Documents and Settings\bug\Desktop\SystemLook.exe
[2010/04/18 14:18:13 | 003,919,898 | R--- | C] () -- C:\Documents and Settings\bug\Desktop\CtryandfixitF.exe
[2010/04/18 13:34:28 | 000,000,210 | ---- | C] () -- C:\Boot.bak
[2010/04/18 13:34:24 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/04/18 13:31:13 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/04/18 13:31:13 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/04/18 13:31:13 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/04/18 13:31:13 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/04/18 13:31:13 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/04/13 11:46:35 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\bug\Desktop\Defogger.exe
[2010/04/12 16:48:52 | 000,262,144 | ---- | C] () -- C:\Documents and Settings\All Users\NtUser.dat
[2010/04/12 16:48:52 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\All Users\NtUser.dat.LOG
[2010/04/09 15:29:14 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/04/07 20:52:17 | 000,001,734 | ---- | C] () -- C:\Documents and Settings\bug\Desktop\HijackThis.lnk
[2010/04/07 17:47:11 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\bug\Local Settings\Application Data\housecall.guid.cache
[2010/04/07 17:26:12 | 536,399,872 | -HS- | C] () -- C:\hiberfil.sys
[2010/04/05 15:38:22 | 000,001,044 | -HS- | C] () -- C:\Documents and Settings\bug\Local Settings\Application Data\2975001584
[2010/04/03 23:36:50 | 000,002,796 | -HS- | C] () -- C:\Documents and Settings\bug\Local Settings\Application Data\8s32
[2010/04/03 23:36:50 | 000,002,796 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\8s32
[2010/03/25 15:54:21 | 002,822,144 | ---- | C] () -- C:\Documents and Settings\bug\ntuser.dat
[2009/09/14 20:58:08 | 000,011,776 | ---- | C] () -- C:\Documents and Settings\bug\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/07/05 13:50:13 | 000,000,058 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2008/04/20 09:18:41 | 000,000,026 | ---- | C] () -- C:\WINDOWS\penusds2.INI
[2008/04/20 09:16:39 | 000,000,219 | ---- | C] () -- C:\WINDOWS\irispen.ini
[2008/02/19 07:33:34 | 000,446,352 | ---- | C] () -- C:\WINDOWS\System32\OpenQuicktimeLib.dll
[2007/12/02 18:51:08 | 000,663,552 | ---- | C] () -- C:\WINDOWS\System32\libeay32_1-1-0_DDR.dll
[2007/12/02 18:51:08 | 000,532,594 | ---- | C] () -- C:\WINDOWS\System32\xerces-c_1_40_0_DDR.dll
[2007/12/02 18:51:08 | 000,524,377 | ---- | C] () -- C:\WINDOWS\System32\stlport_4_0_0_DDR.dll
[2007/12/02 18:51:08 | 000,307,329 | ---- | C] () -- C:\WINDOWS\System32\BJBase_2-2-2_DDR.dll
[2007/12/02 18:51:08 | 000,159,744 | ---- | C] () -- C:\WINDOWS\System32\ssleay32_1-1-0_DDR.dll
[2007/11/22 19:35:15 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/11/22 19:00:48 | 000,000,169 | ---- | C] () -- C:\WINDOWS\RtlRack.ini
[2007/11/22 17:29:52 | 000,000,011 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.ini
[2007/11/22 17:26:53 | 000,000,490 | ---- | C] () -- C:\WINDOWS\demo.INI
[2007/11/22 17:21:57 | 000,143,360 | ---- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2007/11/22 17:21:21 | 000,000,164 | ---- | C] () -- C:\WINDOWS\avrack.ini
[2007/11/22 16:09:26 | 000,061,440 | ---- | C] () -- C:\WINDOWS\ContextMenuExt.dll
[2007/11/22 14:16:06 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\bug\ntuser.dat.LOG
[2007/11/22 14:16:06 | 000,000,178 | -HS- | C] () -- C:\Documents and Settings\bug\ntuser.ini
[1999/01/22 11:46:58 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL

========== LOP Check ==========

[2009/11/10 12:48:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar
[2009/09/14 20:49:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Flip Video
[2009/05/07 15:01:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2010/04/07 17:23:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
[2010/03/27 21:08:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/05/19 22:10:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bug\Application Data\AVGTOOLBAR
[2008/01/11 21:46:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bug\Application Data\foobar2000
[2009/05/06 12:04:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bug\Application Data\Spotify
[2009/06/12 12:21:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\AVGTOOLBAR

========== Purity Check ==========



========== Custom Scans ==========


< %systemroot%\system32\*.dll /lockedfiles >
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2004/08/04 02:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2004/08/04 02:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:AGP440.sys
[2008/04/13 19:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\agp440.sys
[2004/08/04 00:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\ERDNT\cache\agp440.sys
[2004/08/04 00:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2004/08/04 00:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\system32\drivers\agp440.sys

< MD5 for: ATAPI.SYS >
[2002/08/29 13:00:00 | 010,158,890 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp1.cab:atapi.sys
[2004/08/04 02:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2004/08/04 02:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:atapi.sys
[2002/08/29 13:00:00 | 000,086,912 | ---- | M] (Microsoft Corporation) MD5=95B858761A00E1D4F81F79A0DA019ACA -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2008/04/13 19:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\atapi.sys
[2004/08/03 23:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2004/08/03 23:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2004/08/03 23:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\drivers\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/14 01:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\eventlog.dll
[2004/08/04 01:56:44 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\ERDNT\cache\eventlog.dll
[2004/08/04 01:56:44 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2004/08/04 01:56:44 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\system32\eventlog.dll
[2002/08/29 13:00:00 | 000,049,152 | ---- | M] (Microsoft Corporation) MD5=BF3C8CF53C77B48206B39910B6D6CBCC -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/14 01:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\netlogon.dll
[2002/08/29 13:00:00 | 000,399,360 | ---- | M] (Microsoft Corporation) MD5=3ADD563ED7A1C66E6F5E0F7A661AA96D -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll
[2009/02/06 19:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\ERDNT\cache\netlogon.dll
[2009/02/06 19:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\system32\dllcache\netlogon.dll
[2009/02/06 19:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\system32\netlogon.dll
[2004/08/04 01:56:46 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/04 01:56:46 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\ERDNT\cache\scecli.dll
[2004/08/04 01:56:46 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2004/08/04 01:56:46 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\system32\scecli.dll
[2002/08/29 13:00:00 | 000,174,592 | ---- | M] (Microsoft Corporation) MD5=97418A5C642A5C748A28BD7CF6860B57 -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/14 01:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\scecli.dll

< %systemroot%\*. /mp /s >
< End of report >


#10 try_and_fix_it

  • Topic Starter

  • Members
  • 19 posts

Posted 18 April 2010 - 11:33 AM

Here is the file Extra.txt content:

OTL Extras logfile created on: 18/04/2010 16:56:28 - Run 1
OTL by OldTimer - Version 3.2.1.2 Folder = C:\Documents and Settings\bug\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

511.00 Mb Total Physical Memory | 119.00 Mb Available Physical Memory | 23.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 77.00% Paging File free
Paging file location(s): C:\pagefile.sys 960 1920 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 78.13 Gb Total Space | 67.45 Gb Free Space | 86.33% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 125.45 Gb Total Space | 124.52 Gb Free Space | 99.26% Space Free | Partition Type: NTFS
Drive F: | 29.30 Gb Total Space | 28.07 Gb Free Space | 95.79% Space Free | Partition Type: NTFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: BUGS
Current User Name: bug
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = SafariHTML] -- C:\Program Files\Safari\Safari.exe (Apple Inc.)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
https [open] -- "C:\Program Files\Safari\Safari.exe" -url "%1" (Apple Inc.)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- C:\Program Files\VideoLAN\VLC\vlc.exe --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [foobar2000.enqueue] -- "C:\Program Files\foobar2000\foobar2000.exe" /add "%1" ()
Directory [foobar2000.play] -- "C:\Program Files\foobar2000\foobar2000.exe" "%1" ()
Directory [PlayWithVLC] -- C:\Program Files\VideoLAN\VLC\vlc.exe --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox -- (Mozilla Corporation)
"C:\Program Files\AVG\AVG8\avgupd.exe" = C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG8\avgemc.exe" = C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\Real\RealPlayer\realplay.exe" = C:\Program Files\Real\RealPlayer\realplay.exe:*:Enabled:RealPlayer -- (RealNetworks, Inc.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\Spotify\spotify.exe" = C:\Program Files\Spotify\spotify.exe:*:Enabled:Spotify -- (Spotify AB)
"C:\Program Files\AVG\AVG8\avgnsx.exe" = C:\Program Files\AVG\AVG8\avgnsx.exe:*:Enabled:avgnsx.exe -- (AVG Technologies CZ, s.r.o.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00000409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Premium
"{0D499481-22C6-4B25-8AC2-6D3F6C885FB9}" = OpenOffice.org Installer 1.0
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java™ 6 Update 3
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java™ 6 Update 5
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{41B9E2CF-0B3F-442A-B5B3-592A4A355634}" = iTunes
"{571FFCA2-4D86-4F10-B3A4-5838F2D34FB0}" = IRISPen Express 4.91
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7CCEBC24-62DB-4280-A8EC-BFA49F167920}" = Software Update for Web Folders
"{7E265513-8CDA-4631-B696-F40D983F3B07}_is1" = CDBurnerXP
"{8A25392D-C5D2-4E79-A2BD-C15DDC5B0959}" = Bonjour
"{8DC42D05-680B-41B0-8878-6C14D24602DB}" = QuickTime
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{97AA0C55-AFAD-4126-B21C-F1318FB6DADA}" = RTLSetup
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A44413DC-17D5-4F0B-A128-8B590B20323C}" = Windows Messenger 5.1
"{AA9768AA-FF0B-4C66-A085-31E934F77841}" = Apple Mobile Device Support
"{AC76BA86-7AD7-1033-7B44-A70000000000}" = Adobe Reader 7.0
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{C098DAEC-29EF-4A59-B18E-0E950169CA3C}" = Western Australian Time Zone Update
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C9D96682-5A4D-45FA-BA3E-DDCB2B0CB868}" = Safari
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{FB08F381-6533-4108-B7DD-039E11FBC27E}" = Realtek AC'97 Audio
"{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}" = HighMAT Extension to Microsoft Windows XP CD Writing Wizard
"3ivx MPEG-4 5.0.3" = 3ivx MPEG-4 5.0.3 (remove only)
"7-Zip" = 7-Zip 4.42
"Adobe Atmosphere Player" = Adobe Atmosphere Player for Acrobat and Adobe Reader
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player Plugin
"ATI Display Driver" = ATI Windows 2000 Display Driver
"AVG8Uninstall" = AVG 8.5
"BroadJump Client Foundation" = BroadJump Client Foundation
"CCleaner" = CCleaner (remove only)
"Enable S3 for USB Device" = Enable S3 for USB Device
"foobar2000" = foobar2000 v0.9.4.5
"HijackThis" = HijackThis 2.0.2
"InstallShield_{571FFCA2-4D86-4F10-B3A4-5838F2D34FB0}" = IRISPen Express 4.91
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.5.9)" = Mozilla Firefox (3.5.9)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"RealPlayer 12.0" = RealPlayer
"Spotify" = Spotify
"VLC media player" = VideoLAN VLC media player 0.8.6c
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows Script" = Microsoft Windows Script 5.7
"Windows XP Service Pack" = Windows XP Service Pack 2
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 20/03/2010 07:02:13 | Computer Name = BUGS | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.1.3685, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 29/03/2010 04:17:51 | Computer Name = BUGS | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 6.0.2900.2180, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 29/03/2010 04:20:32 | Computer Name = BUGS | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 29/03/2010 04:20:32 | Computer Name = BUGS | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 31/03/2010 13:42:36 | Computer Name = BUGS | Source = Application Error | ID = 1000
Description = Faulting application bfheroes.exe, version 0.0.0.0, faulting module
renddx9.dll, version 0.0.0.0, fault address 0x00015a56.

Error - 31/03/2010 13:43:47 | Computer Name = BUGS | Source = Application Error | ID = 1000
Description = Faulting application bfheroes.exe, version 0.0.0.0, faulting module
renddx9.dll, version 0.0.0.0, fault address 0x00015a56.

Error - 04/04/2010 06:44:39 | Computer Name = BUGS | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 6.0.2900.2180, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 07/04/2010 11:49:45 | Computer Name = BUGS | Source = Windows Product Activation | ID = 1012
Description = Due to hardware changes on this computer, you will need to reactivate
your Windows product.

Error - 07/04/2010 11:55:00 | Computer Name = BUGS | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This operation returned because the timeout period expired.

Error - 07/04/2010 11:55:02 | Computer Name = BUGS | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

[ System Events ]
Error - 18/04/2010 08:38:30 | Computer Name = BUGS | Source = Cdrom | ID = 262155
Description = The driver detected a controller error on \Device\CdRom0.

Error - 18/04/2010 08:38:30 | Computer Name = BUGS | Source = Cdrom | ID = 262155
Description = The driver detected a controller error on \Device\CdRom0.

Error - 18/04/2010 11:16:55 | Computer Name = BUGS | Source = Cdrom | ID = 262155
Description = The driver detected a controller error on \Device\CdRom0.

Error - 18/04/2010 11:16:55 | Computer Name = BUGS | Source = Cdrom | ID = 262155
Description = The driver detected a controller error on \Device\CdRom0.

Error - 18/04/2010 11:16:56 | Computer Name = BUGS | Source = Cdrom | ID = 262155
Description = The driver detected a controller error on \Device\CdRom0.

Error - 18/04/2010 11:16:56 | Computer Name = BUGS | Source = Cdrom | ID = 262155
Description = The driver detected a controller error on \Device\CdRom0.

Error - 18/04/2010 11:41:06 | Computer Name = BUGS | Source = Cdrom | ID = 262155
Description = The driver detected a controller error on \Device\CdRom0.

Error - 18/04/2010 11:41:06 | Computer Name = BUGS | Source = Cdrom | ID = 262155
Description = The driver detected a controller error on \Device\CdRom0.

Error - 18/04/2010 11:41:06 | Computer Name = BUGS | Source = Cdrom | ID = 262155
Description = The driver detected a controller error on \Device\CdRom0.

Error - 18/04/2010 11:41:06 | Computer Name = BUGS | Source = Cdrom | ID = 262155
Description = The driver detected a controller error on \Device\CdRom0.


< End of report >


#11 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts

Posted 19 April 2010 - 05:24 PM

Hello, try_and_fix_it.

OK, interesting that SystemLook didn't see that file. Let's get rid of another bad file.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
File::
c:\windows\system32\ezsidmv.dat
C:\WINDOWS\penusds2.INI
Folder::
c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
C:\Documents and Settings\bug\Local Settings\Application Data\8s32
C:\Documents and Settings\All Users\Application Data\8s32
C:\Documents and Settings\bug\Local Settings\Application Data\2975001584
FileLook::
c:\windows\system32\dbghlp.dll


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#12 try_and_fix_it

try_and_fix_it
  • Topic Starter

  • Members
  • 19 posts

Posted 20 April 2010 - 04:52 AM

Hello etavares,

Just to have an idea, which time zone are you in?
I'm in London so currently BST (GMT+1)

One thing I noticed after starting the computer: automatic updates is now saying I need to reboot the computer for the updates to finish. So I guess it will have done the windows latest removal tool thing as well next time I boot. Also I only start this machine when I need to follow instructions for you and it is off the internet unless I need to post a log for you.

Here is the log:

ComboFix 10-04-17.05 - bug 20/04/2010 10:34:29.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.216 [GMT 1:00]
Running from: c:\documents and settings\bug\Desktop\CtryandfixitF.exe
Command switches used :: c:\documents and settings\bug\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\windows\penusds2.INI"
"c:\windows\system32\ezsidmv.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}\x86\DIFxInstallLog.txt
c:\windows\penusds2.INI
c:\windows\system32\ezsidmv.dat

c:\windows\system32\dbghlp.dll . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2010-03-20 to 2010-04-20 )))))))))))))))))))))))))))))))
.

2010-04-20 09:21 . 2010-04-20 09:21 -------- d-----w- c:\windows\LastGood
2010-04-18 15:22 . 2010-04-18 15:22 439816 ----a-w- c:\documents and settings\bug\Application Data\Real\Update\setup3.10\setup.exe
2010-04-18 12:34 . 2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe
2010-04-09 15:04 . 2004-08-03 23:14 182912 ----a-w- c:\windows\system32\drivers\ndis.sys
2010-04-09 14:29 . 2010-04-09 14:29 -------- d-----w- c:\documents and settings\bug\Application Data\Malwarebytes
2010-04-09 14:29 . 2010-03-29 23:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-09 14:29 . 2010-04-09 14:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-09 14:29 . 2010-03-29 23:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-09 14:29 . 2010-04-09 14:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-07 19:52 . 2010-04-07 19:52 -------- d-----w- c:\program files\Trend Micro
2010-04-07 16:25 . 2010-04-07 16:25 -------- d-----w- c:\windows\system32\wbem\Repository
2010-04-07 16:24 . 2010-04-07 16:24 -------- d-----w- c:\program files\Bonjour
2010-04-07 16:23 . 2010-04-07 16:23 -------- d-----w- c:\program files\iPod
2010-04-07 16:23 . 2010-04-07 16:23 -------- d-----w- c:\program files\iTunes
2010-04-07 16:23 . 2010-04-07 16:23 -------- d-----w- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2010-03-31 19:32 . 2010-03-31 19:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-03-31 19:32 . 2010-03-31 19:32 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-03-31 09:32 . 2010-04-07 16:22 -------- d-----w- c:\windows\system32\Adobe
2010-03-27 20:07 . 2010-04-07 16:23 -------- d-----w- c:\program files\iPod(2)
2010-03-27 20:07 . 2010-04-07 16:23 -------- d-----w- c:\program files\iTunes(2)
2010-03-27 19:57 . 2010-04-07 16:24 -------- d-----w- c:\program files\Bonjour(2)

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-07 18:22 . 2002-08-29 01:27 23040 ----a-w- c:\windows\system32\drivers\mouclass.sys
2010-04-07 17:53 . 2009-09-06 14:14 -------- d-----w- c:\program files\Google
2010-04-07 16:24 . 2008-09-28 10:58 -------- d-----w- c:\program files\Safari
2010-04-07 16:24 . 2008-09-28 11:06 -------- d-----w- c:\program files\QuickTime
2010-04-07 16:23 . 2008-06-14 20:31 -------- d-----w- c:\program files\Common Files\Apple
2010-04-07 16:23 . 2008-06-14 20:33 -------- d-----w- c:\documents and settings\bug\Application Data\Apple Computer
2010-04-07 16:21 . 2010-03-31 19:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-04-07 16:21 . 2010-04-01 20:14 -------- d-----w- c:\documents and settings\bug\Application Data\Skype
2010-04-07 16:21 . 2010-04-01 20:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-04-07 16:21 . 2010-04-03 10:56 -------- d-----w- c:\program files\Skype(2)
2010-04-07 16:21 . 2010-03-31 19:47 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-04-07 15:52 . 2010-04-01 20:15 -------- d-----w- c:\documents and settings\bug\Application Data\skypePM
2010-04-05 11:47 . 2008-06-18 23:34 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2010-03-09 11:09 . 2002-08-29 12:00 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-02-26 06:05 . 2002-08-29 12:00 668672 ----a-w- c:\windows\system32\wininet.dll
2010-02-26 06:05 . 2007-11-22 14:37 81920 ------w- c:\windows\system32\ieencode.dll
2010-02-24 12:31 . 2002-08-29 12:00 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-17 10:57 . 2002-08-29 01:04 2063744 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-16 17:37 . 2002-08-29 12:00 2186880 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-12 04:36 . 2010-02-12 04:36 100864 ----a-w- c:\windows\system32\SET18.tmp
2010-02-11 11:08 . 2002-08-29 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-04-18_12.44.44 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-22 15:26 . 2009-05-26 11:40 17272 c:\windows\system32\spmsg.dll
- 2007-11-22 15:26 . 2008-07-08 13:02 17272 c:\windows\system32\spmsg.dll
+ 2010-01-13 14:10 . 2010-01-13 14:10 85504 c:\windows\system32\dllcache\cabview.dll
+ 2002-08-29 12:00 . 2010-01-13 14:10 85504 c:\windows\system32\cabview.dll
+ 2009-12-24 07:05 . 2009-12-24 07:05 177664 c:\windows\system32\dllcache\wintrust.dll
+ 2007-07-31 20:45 . 2010-03-09 11:09 430080 c:\windows\system32\dllcache\vbscript.dll
+ 2007-11-22 15:22 . 2010-02-11 11:08 226880 c:\windows\system32\dllcache\tcpip6.sys
+ 2007-11-22 15:19 . 2010-02-24 12:31 454016 c:\windows\system32\dllcache\mrxsmb.sys
+ 2007-11-22 15:22 . 2010-02-12 04:36 100864 c:\windows\system32\dllcache\6to4svc.dll
+ 2007-11-22 15:19 . 2010-02-24 12:31 454016 c:\windows\Driver Cache\i386\mrxsmb.sys
+ 2007-11-22 15:29 . 2010-02-16 17:37 2186880 c:\windows\system32\dllcache\ntoskrnl.exe
+ 2007-11-22 15:29 . 2010-02-16 16:57 2021888 c:\windows\system32\dllcache\ntkrpamp.exe
+ 2007-11-22 15:29 . 2010-02-17 10:57 2063744 c:\windows\system32\dllcache\ntkrnlpa.exe
+ 2007-11-22 15:29 . 2010-02-16 17:35 2143744 c:\windows\system32\dllcache\ntkrnlmp.exe
+ 2007-11-22 15:09 . 2010-02-16 17:37 2186880 c:\windows\Driver Cache\i386\ntoskrnl.exe
+ 2007-11-22 15:09 . 2010-02-16 16:57 2021888 c:\windows\Driver Cache\i386\ntkrpamp.exe
+ 2007-11-22 15:09 . 2010-02-17 10:57 2063744 c:\windows\Driver Cache\i386\ntkrnlpa.exe
+ 2007-11-22 15:09 . 2010-02-16 17:35 2143744 c:\windows\Driver Cache\i386\ntkrnlmp.exe
+ 2007-11-22 15:41 . 2010-04-06 17:52 31971272 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 13:03 1230080 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AtiPTA"="atiptaxx.exe" [2001-01-15 192512]
"SoundMan"="SOUNDMAN.EXE" [2006-08-03 577536]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2003-01-27 376912]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-03-19 2046816]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-06 198160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-30 20:01 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [19/06/2008 00:34 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [19/06/2008 00:34 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [18/06/2009 15:06 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [04/07/2008 12:22 297752]
.
Contents of the 'Scheduled Tasks' folder

2010-03-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 11:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.virginmedia.com
uInternet Settings,ProxyOverride = *.local
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\bug\Application Data\Mozilla\Firefox\Profiles\1q3ddfgs.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: keyword.URL - hxxp://uk.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_uk&p=
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-20 10:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-04-20 10:40:47
ComboFix-quarantined-files.txt 2010-04-20 09:40
ComboFix2.txt 2010-04-18 12:46

Pre-Run: 72,296,939,520 bytes free
Post-Run: 72,266,625,024 bytes free

- - End Of File - - 84AAA75A98D15C47287A12740579C17C






#13 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts

Posted 20 April 2010 - 05:49 PM

Hello, try_and_fix_it.

I was almost in London this week....trip cancelled last week which is good or I'd be stranded! I'm 5 hours behind you.

We're making progress, but I am concerned about one file that CF is detecting, yet we didn't find a clean replacement with the SystemLook earlier. Let's take a deeper look.





Step 1

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.

c:\windows\system32\dbghlp.dll

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/



Step 2

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
FileLook::
c:\windows\system32\dbghlp.dll
SkipFix::


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

etavares




#14 try_and_fix_it

try_and_fix_it
  • Topic Starter

  • Members
  • 19 posts

Posted 20 April 2010 - 07:00 PM

Hi etavares,

Here is an interim report:

c:\windows\system32\dbghlp.dll is nowhere to be found; on the other hand, I have found this:
c:\windows\system32\dbghelp.dll
so am submitting this to jotti for now and next post will have both logs you asked for (apart from the mysterious file).
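The two names in the post above differ by a single letter: ComboFix reports dbghlp.dll, while the file visible on disk is the legitimate dbghelp.dll. A file name one edit away from a well-known system DLL is a pattern a defender can flag mechanically when reading scan logs, instead of relying on spotting it by eye. The following is an added example written for this page; it is not code from the thread or from ComboFix, OTL or SystemLook. The whitelist of legitimate DLL names and the sample log lines are constructed here (modelled on the log format in the thread), and a real check would load the whitelist from a trusted baseline such as a clean install of the same Windows build.

```python
"""Flag file names in scan-log lines that sit one edit away from a known
Windows system DLL (e.g. dbghlp.dll beside the legitimate dbghelp.dll)."""
import re

# Constructed whitelist of legitimate system32 file names. In practice this
# would come from a trusted baseline, not be typed in by hand.
KNOWN_SYSTEM_FILES = frozenset({
    "dbghelp.dll", "netlogon.dll", "scecli.dll", "wininet.dll",
    "vbscript.dll", "wintrust.dll", "cabview.dll", "spmsg.dll",
    "kernel32.dll", "ntoskrnl.exe", "mouclass.sys", "tcpip6.sys",
})

# Constructed sample lines, modelled on the ComboFix output quoted in the thread.
SAMPLE_LOG_LINES = [
    r"c:\windows\system32\dbghlp.dll . . . is infected!!",
    r"2010-02-26 06:05 . 2002-08-29 12:00 668672 ----a-w- c:\windows\system32\wininet.dll",
    r"2010-04-07 18:22 . 2002-08-29 01:27 23040 ----a-w- c:\windows\system32\drivers\mouclass.sys",
]

# Captures the basename of any .dll/.exe/.sys path appearing in a log line;
# the class excludes backslashes so only the last path component is kept.
FILE_NAME_RE = re.compile(r'([^\\\s"]+\.(?:dll|exe|sys))\b', re.IGNORECASE)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions cost 1 each."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def lookalike_names(candidates, known=KNOWN_SYSTEM_FILES, max_distance=1):
    """Return (candidate, legitimate_name) pairs for names that are close to,
    but not identical with, a known system file. Exact matches are skipped:
    they are the legitimate files themselves, not impostors."""
    hits = []
    for name in candidates:
        lowered = name.lower()
        if lowered in known:
            continue
        for legit in sorted(known):
            if edit_distance(lowered, legit) <= max_distance:
                hits.append((name, legit))
    return hits


def scan_log_lines(lines, known=KNOWN_SYSTEM_FILES):
    """Extract every file name from the log lines (deduplicated, in order of
    first appearance) and report the look-alikes among them."""
    seen = []
    for line in lines:
        for name in FILE_NAME_RE.findall(line):
            if name.lower() not in (s.lower() for s in seen):
                seen.append(name)
    return lookalike_names(seen, known)


if __name__ == "__main__":
    for suspect, legit in scan_log_lines(SAMPLE_LOG_LINES):
        print(f"{suspect!r} is one edit away from legitimate {legit!r}; check its path, signature and hash")
```

A hit is a lead, not a verdict: the next step is exactly what the thread does, which is to locate the file, confirm whether it is actually present or hidden, and submit it to a multi-engine scanner. The distance threshold of 1 keeps false positives low; raising it catches more creative spellings at the cost of noise against a large whitelist.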

#15 try_and_fix_it

try_and_fix_it
  • Topic Starter

  • Members
  • 19 posts

Posted 20 April 2010 - 07:19 PM

And hello again,

so, I could not find that invisible file (yes I have windows set to show all files), I submitted the one I mentioned in the previous post to jotti which came back clean all round.

Here is the combofix log run as per instructions:

ComboFix 10-04-17.05 - bug 21/04/2010 1:06.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.229 [GMT 1:00]
Running from: c:\documents and settings\bug\Desktop\CtryandfixitF.exe
Command switches used :: c:\documents and settings\bug\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\dbghlp.dll . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2010-03-21 to 2010-04-21 )))))))))))))))))))))))))))))))
.

2010-04-18 15:22 . 2010-04-18 15:22 439816 ----a-w- c:\documents and settings\bug\Application Data\Real\Update\setup3.10\setup.exe
2010-04-18 12:34 . 2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe
2010-04-09 15:04 . 2004-08-03 23:14 182912 ----a-w- c:\windows\system32\drivers\ndis.sys
2010-04-09 14:29 . 2010-04-09 14:29 -------- d-----w- c:\documents and settings\bug\Application Data\Malwarebytes
2010-04-09 14:29 . 2010-03-29 23:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-09 14:29 . 2010-04-09 14:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-09 14:29 . 2010-03-29 23:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-09 14:29 . 2010-04-09 14:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-07 19:52 . 2010-04-07 19:52 -------- d-----w- c:\program files\Trend Micro
2010-04-07 16:25 . 2010-04-07 16:25 -------- d-----w- c:\windows\system32\wbem\Repository
2010-04-07 16:24 . 2010-04-07 16:24 -------- d-----w- c:\program files\Bonjour
2010-04-07 16:23 . 2010-04-07 16:23 -------- d-----w- c:\program files\iPod
2010-04-07 16:23 . 2010-04-07 16:23 -------- d-----w- c:\program files\iTunes
2010-04-07 16:23 . 2010-04-07 16:23 -------- d-----w- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2010-03-31 19:32 . 2010-03-31 19:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-03-31 19:32 . 2010-03-31 19:32 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-03-31 09:32 . 2010-04-07 16:22 -------- d-----w- c:\windows\system32\Adobe
2010-03-27 20:07 . 2010-04-07 16:23 -------- d-----w- c:\program files\iPod(2)
2010-03-27 20:07 . 2010-04-07 16:23 -------- d-----w- c:\program files\iTunes(2)
2010-03-27 19:57 . 2010-04-07 16:24 -------- d-----w- c:\program files\Bonjour(2)

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-07 18:22 . 2002-08-29 01:27 23040 ----a-w- c:\windows\system32\drivers\mouclass.sys
2010-04-07 17:53 . 2009-09-06 14:14 -------- d-----w- c:\program files\Google
2010-04-07 16:24 . 2008-09-28 10:58 -------- d-----w- c:\program files\Safari
2010-04-07 16:24 . 2008-09-28 11:06 -------- d-----w- c:\program files\QuickTime
2010-04-07 16:23 . 2008-06-14 20:31 -------- d-----w- c:\program files\Common Files\Apple
2010-04-07 16:23 . 2008-06-14 20:33 -------- d-----w- c:\documents and settings\bug\Application Data\Apple Computer
2010-04-07 16:21 . 2010-03-31 19:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-04-07 16:21 . 2010-04-01 20:14 -------- d-----w- c:\documents and settings\bug\Application Data\Skype
2010-04-07 16:21 . 2010-04-01 20:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-04-07 16:21 . 2010-04-03 10:56 -------- d-----w- c:\program files\Skype(2)
2010-04-07 16:21 . 2010-03-31 19:47 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-04-07 15:52 . 2010-04-01 20:15 -------- d-----w- c:\documents and settings\bug\Application Data\skypePM
2010-04-05 11:47 . 2008-06-18 23:34 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2010-03-09 11:09 . 2002-08-29 12:00 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-02-26 06:05 . 2002-08-29 12:00 668672 ----a-w- c:\windows\system32\wininet.dll
2010-02-26 06:05 . 2007-11-22 14:37 81920 ------w- c:\windows\system32\ieencode.dll
2010-02-24 12:31 . 2002-08-29 12:00 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-17 10:57 . 2002-08-29 01:04 2063744 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-16 17:37 . 2002-08-29 12:00 2186880 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-12 04:36 . 2002-08-29 12:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 11:08 . 2002-08-29 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-04-18_12.44.44 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-22 15:26 . 2009-05-26 11:40 17272 c:\windows\system32\spmsg.dll
- 2007-11-22 15:26 . 2008-07-08 13:02 17272 c:\windows\system32\spmsg.dll
+ 2010-01-13 14:10 . 2010-01-13 14:10 85504 c:\windows\system32\dllcache\cabview.dll
+ 2002-08-29 12:00 . 2010-01-13 14:10 85504 c:\windows\system32\cabview.dll
+ 2002-08-29 12:00 . 2009-12-24 07:05 177664 c:\windows\system32\wintrust.dll
+ 2009-12-24 07:05 . 2009-12-24 07:05 177664 c:\windows\system32\dllcache\wintrust.dll
+ 2007-07-31 20:45 . 2010-03-09 11:09 430080 c:\windows\system32\dllcache\vbscript.dll
+ 2007-11-22 15:22 . 2010-02-11 11:08 226880 c:\windows\system32\dllcache\tcpip6.sys
+ 2007-11-22 15:19 . 2010-02-24 12:31 454016 c:\windows\system32\dllcache\mrxsmb.sys
+ 2007-11-22 15:22 . 2010-02-12 04:36 100864 c:\windows\system32\dllcache\6to4svc.dll
+ 2007-11-22 15:19 . 2010-02-24 12:31 454016 c:\windows\Driver Cache\i386\mrxsmb.sys
+ 2007-11-22 15:29 . 2010-02-16 17:37 2186880 c:\windows\system32\dllcache\ntoskrnl.exe
+ 2007-11-22 15:29 . 2010-02-16 16:57 2021888 c:\windows\system32\dllcache\ntkrpamp.exe
+ 2007-11-22 15:29 . 2010-02-17 10:57 2063744 c:\windows\system32\dllcache\ntkrnlpa.exe
+ 2007-11-22 15:29 . 2010-02-16 17:35 2143744 c:\windows\system32\dllcache\ntkrnlmp.exe
+ 2007-11-22 15:09 . 2010-02-16 17:37 2186880 c:\windows\Driver Cache\i386\ntoskrnl.exe
+ 2007-11-22 15:09 . 2010-02-16 16:57 2021888 c:\windows\Driver Cache\i386\ntkrpamp.exe
+ 2007-11-22 15:09 . 2010-02-17 10:57 2063744 c:\windows\Driver Cache\i386\ntkrnlpa.exe
+ 2007-11-22 15:09 . 2010-02-16 17:35 2143744 c:\windows\Driver Cache\i386\ntkrnlmp.exe
+ 2007-11-22 15:41 . 2010-04-06 17:52 31971272 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 13:03 1230080 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AtiPTA"="atiptaxx.exe" [2001-01-15 192512]
"SoundMan"="SOUNDMAN.EXE" [2006-08-03 577536]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2003-01-27 376912]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-03-19 2046816]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-06 198160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-30 20:01 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [19/06/2008 00:34 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [19/06/2008 00:34 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [18/06/2009 15:06 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [04/07/2008 12:22 297752]
.
Contents of the 'Scheduled Tasks' folder

2010-03-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 11:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.virginmedia.com
uInternet Settings,ProxyOverride = *.local
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\bug\Application Data\Mozilla\Firefox\Profiles\1q3ddfgs.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: keyword.URL - hxxp://uk.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_uk&p=
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-21 01:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3296)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-04-21 01:09:32
ComboFix-quarantined-files.txt 2010-04-21 00:09
ComboFix2.txt 2010-04-20 09:40
ComboFix3.txt 2010-04-18 12:46

Pre-Run: 72,262,643,712 bytes free
Post-Run: 72,230,330,368 bytes free

- - End Of File - - 03D372E459CF1700F552241CA94668C6

and attached too.

Am starting to think that it looks like a clean install is going to be needed :\

Edited by try_and_fix_it, 20 April 2010 - 07:21 PM.
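The ComboFix log above reports c:\windows\system32\dbghlp.dll as infected, while the poster could only see the legitimately named dbghelp.dll in Explorer. The short helper below is an added example (not part of the post and not ComboFix's own code) showing how a responder can pull the "is infected" and "Files Created" entries out of a ComboFix-style log and flag file names that sit a character or two away from a well-known system file name. The known-good list, the log excerpt and the edit-distance threshold of 2 are constructed assumptions for the demonstration, not a complete inventory of system32.

```python
"""Triage helper for ComboFix-style logs.

Added example, not ComboFix's own code. Two checks worth running over a log
like the one in the post above:
  1. collect every path the log reports as infected or newly created;
  2. flag file names that are within a couple of character edits of a
     well-known system file but are not that file (dbghlp.dll vs dbghelp.dll).
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of legitimate %windir%\system32 file names; a real
# known-good list would come from a clean install or a vendor hash set.
KNOWN_GOOD: Set[str] = {
    "dbghelp.dll", "wininet.dll", "vbscript.dll", "ntoskrnl.exe",
    "ntkrnlpa.exe", "wintrust.dll", "cabview.dll", "6to4svc.dll",
}

# Constructed log excerpt shaped like the ComboFix sections in the post.
SAMPLE_LOG = """\
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\\windows\\system32\\dbghlp.dll . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2010-03-21 to 2010-04-21 )))))))))))))))))))))))))))))))
.

2010-04-18 12:34 . 2010-02-12 10:03 293376 ------w- c:\\windows\\system32\\browserchoice.exe
2010-04-09 15:04 . 2004-08-03 23:14 182912 ----a-w- c:\\windows\\system32\\drivers\\ndis.sys
2010-04-09 14:29 . 2010-04-09 14:29 -------- d-----w- c:\\documents and settings\\bug\\Application Data\\Malwarebytes
"""

# "<path> . . . is infected!!" lines from the Other Deletions section.
INFECTED_RE = re.compile(r"^(?P<path>[a-z]:\\.+?) \. \. \. is infected!!$", re.I)
# "<created> . <modified> <size> <attrs> <path>" lines from Files Created;
# directories have "--------" for size and an attrs field starting with "d".
CREATED_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
    r"(?P<size>\d+|-+) (?P<attrs>[-a-z]{8}) (?P<path>[a-z]:\\.+)$",
    re.I,
)


def parse_combofix(text: str) -> Dict[str, List[str]]:
    """Return {'infected': [...], 'created': [...]} with file paths from a log."""
    result: Dict[str, List[str]] = {"infected": [], "created": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = INFECTED_RE.match(line)
        if m:
            result["infected"].append(m.group("path"))
            continue
        m = CREATED_RE.match(line)
        if m and not m.group("attrs").lower().startswith("d"):
            result["created"].append(m.group("path"))  # files only, not dirs
    return result


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalikes(paths: List[str], known_good: Set[str] = KNOWN_GOOD,
               max_dist: int = 2) -> List[Tuple[str, str]]:
    """Pair each path whose base name nearly matches a known-good name with it."""
    hits: List[Tuple[str, str]] = []
    for path in paths:
        name = path.rsplit("\\", 1)[-1].lower()
        if name in known_good:
            continue  # exact legitimate name; nothing to flag here
        for good in sorted(known_good):
            if edit_distance(name, good) <= max_dist:
                hits.append((path, good))
    return hits


if __name__ == "__main__":
    parsed = parse_combofix(SAMPLE_LOG)
    for kind, paths in parsed.items():
        print(f"{kind}: {paths}")
    for path, good in lookalikes(parsed["infected"] + parsed["created"]):
        print(f"look-alike: {path} resembles legitimate {good}")
```

On the constructed excerpt the only look-alike hit is dbghlp.dll against dbghelp.dll, which is exactly the pair the poster stumbled over. A name that nearly matches a system file but is absent from a clean reference set deserves a hash lookup or a sandbox submission, as the poster did with jotti, and the file being invisible to Explorer while ComboFix can act on it is itself worth noting in the timeline.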




