Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Anti Malware Doctor having lasting impact


  • This topic is locked This topic is locked
11 replies to this topic

#1 pgt18731

pgt18731

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:47 PM

Posted 10 May 2010 - 06:50 PM

Infected with Anti Malware Doctor. I used Malwarebytes repeatedly to remove it (although it repeatedly came back), follwing instructions here:
http://www.bleepingcomputer.com/virus-remo...imalware-doctor
I could find the enemies-names.txt file, but never found Antimalware Doctor.exe file and the Registry entries described in the above procedure were not all there.

Repeatedly ran Malwarebytes and AVGfree scans and they both come up clean now. However, the computer is running very slow and frequently freezes, leaving us no option but to turn it off.

I don't know if it is related, but I have a new drive F: called BACKUP (although this could have been created as part of my recent reinstalling of everything last month.

I have followed the Preparation Guide instructions here:
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/
but when I run the GMER scan the computer freezes before the end of the scan. I have copied the scan results before it freezes (attached) and no new lines are added in the 15minutes prior to the freeze, so hopefully this will be enough.

Any help is much appreciated.
Phil

DS (Ver_10-03-17.01) - NTFSx86
Run by Phil at 20:24:14.78 on 10/05/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.1022.358 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\USBDeviceService.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Documents and Settings\Phil.SNA123456789\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uWindow Title = Packard Bell
uInternet Connection Wizard,ShellNext = hxxp://www.packardbell.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_04\bin\npjpi150_04.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1267739981921
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
LSA: Notification Packages = scecli

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-3-1 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-3-1 29512]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-3-1 242896]
R1 RapportKELL;RapportKELL;c:\program files\trusteer\rapport\bin\RapportKELL.sys [2010-3-23 58984]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2010-3-23 125160]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-3-17 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-17 308064]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [2010-3-1 66048]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2010-3-23 779496]
R3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [2010-3-4 167808]
S3 {BFBCFBBA-3466-4047-8C3D896BBBC37F58};{BFBCFBBA-3466-4047-8C3D896BBBC37F58};c:\windows\system32\svchost.exe -k netsvcs [2004-9-10 14336]

=============== Created Last 30 ================

2010-05-10 19:05:04 0 ----a-w- d:\documents and settings\phil.sna123456789\defogger_reenable
2010-05-04 21:23:33 50990 ----a-w- c:\windows\system32\kooqswnexcbo.exe
2010-05-04 21:23:04 0 d-----w- d:\docume~1\phil~1.sna\applic~1\F3D2E0127BAF7322F834E55875E08D3A
2010-05-02 20:51:30 0 d-----w- c:\program files\iPod
2010-05-02 20:51:19 0 d-----w- d:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-05-02 20:51:19 0 d-----w- c:\program files\iTunes
2010-05-02 20:45:43 0 d-----w- c:\program files\Bonjour
2010-04-20 17:22:22 0 d-----w- c:\program files\LEGO Media
2010-04-20 17:04:40 0 d-sh--w- c:\windows\ftpcache
2010-04-20 17:03:58 129 ----a-w- c:\windows\gspval.ini
2010-04-20 17:03:39 0 d-----w- c:\program files\Dora The Explorer
2010-04-18 15:47:46 0 d-----w- c:\program files\Puppy Luv A New Breed
2010-04-18 15:47:11 36 ----a-w- c:\windows\Tiny_Run.ini
2010-04-15 23:31:41 0 d-----w- d:\docume~1\phil~1.sna\applic~1\Trusteer
2010-04-15 22:21:39 0 d-----w- c:\program files\Trusteer
2010-04-15 22:13:56 0 d-----w- d:\docume~1\alluse~1\applic~1\Trusteer

==================== Find3M ====================

2010-05-10 16:03:26 75 ----a-w- d:\documents and settings\phil.sna123456789\jagex_runescape_preferences2.dat
2010-05-10 16:02:29 41 ----a-w- d:\documents and settings\phil.sna123456789\jagex_runescape_preferences.dat
2010-04-29 14:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 14:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-21 15:03:23 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-04-16 07:33:36 41472 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2010-04-16 07:33:36 3003680 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-04-08 12:20:02 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 12:20:02 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-03-24 16:39:19 0 ----a-w- d:\documents and settings\phil.sna123456789\jagex__preferences3.dat
2010-03-17 08:12:32 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-17 08:11:56 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-10 06:15:52 420352 ------w- c:\windows\system32\dllcache\vbscript.dll
2010-03-09 18:57:45 66328 ---ha-w- c:\windows\system32\mlfcache.dat
2010-03-04 23:04:55 103193 ----a-w- c:\windows\hpoins08.dat
2010-02-25 10:54:36 11070976 ------w- c:\windows\system32\dllcache\ieframe.dll
2010-02-24 12:31:30 454016 ----a-w- c:\windows\system32\dllcache\mrxsmb.sys
2010-02-24 09:54:25 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-02-19 23:47:50 3604480 ----a-w- c:\windows\system32\GPhotos.scr
2010-02-17 10:57:54 2063744 ----a-w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-02-16 17:37:57 2186880 ----a-w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-02-16 17:35:40 2143744 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 17:35:40 2143744 ----a-w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-02-16 16:57:54 2021888 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-16 16:57:54 2021888 ----a-w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-02-12 10:03:03 293376 ------w- c:\windows\system32\browserchoice.exe
2010-02-12 04:47:05 100864 ----a-w- c:\windows\system32\dllcache\6to4svc.dll
2010-02-12 04:47:05 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:01:43 226880 ----a-w- c:\windows\system32\dllcache\tcpip6.sys

============= FINISH: 20:25:34.93 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,784 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:07:47 PM

Posted 12 May 2010 - 03:00 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. In the custom scan box paste the following:
    CODE
    msconfig
    safebootminimal
    activex
    drivers32
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    nvraid.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /90
  6. Push the button.
  7. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt<--Will be minimized

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

animinionsmalltext.gif

Follow BleepingComputer on: Facebook | Twitter | Google+


#3 pgt18731

pgt18731
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:47 PM

Posted 12 May 2010 - 05:18 PM

Thanks. System still crashing for no apparent reason.

OTL.txt:

OTL logfile created on: 12/05/2010 22:59:57 - Run 1
OTL by OldTimer - Version 3.2.4.1 Folder = D:\Documents and Settings\Phil.SNA123456789\Desktop
Windows XP Media Center Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1,022.00 Mb Total Physical Memory | 454.00 Mb Available Physical Memory | 44.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 77.00% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 29.99 Gb Total Space | 19.74 Gb Free Space | 65.83% Space Free | Partition Type: NTFS
Drive D: | 336.75 Gb Total Space | 268.38 Gb Free Space | 79.70% Space Free | Partition Type: NTFS
Drive E: | 5.95 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF
Drive F: | 5.85 Gb Total Space | 2.89 Gb Free Space | 49.44% Space Free | Partition Type: FAT32
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: SNA123456789
Current User Name: Phil
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/05/12 22:50:32 | 000,570,880 | ---- | M] (OldTimer Tools) -- D:\Documents and Settings\Phil.SNA123456789\Desktop\OTL.exe
PRC - [2010/04/21 16:04:10 | 002,064,736 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgtray.exe
PRC - [2010/04/21 16:03:21 | 000,620,896 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgnsx.exe
PRC - [2010/04/16 08:33:40 | 000,144,672 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
PRC - [2010/04/01 18:30:54 | 001,101,152 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgchsvx.exe
PRC - [2010/03/23 16:39:18 | 001,303,784 | ---- | M] (Trusteer Ltd.) -- C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
PRC - [2010/03/23 16:39:18 | 000,779,496 | ---- | M] (Trusteer Ltd.) -- C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
PRC - [2010/03/17 09:12:32 | 000,508,184 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgrsx.exe
PRC - [2010/03/17 09:12:29 | 000,308,064 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe
PRC - [2010/03/17 09:11:57 | 000,916,760 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgemc.exe
PRC - [2010/03/17 09:11:56 | 000,710,424 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgcsrvx.exe
PRC - [2007/06/13 11:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2005/10/20 07:15:00 | 000,090,112 | ---- | M] () -- C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\USBDeviceService.exe
PRC - [2005/03/14 13:05:02 | 000,069,632 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe
PRC - [2005/01/31 10:45:20 | 000,049,152 | ---- | M] (Ulead Systems, Inc.) -- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe


========== Modules (SafeList) ==========

MOD - [2010/05/12 22:50:32 | 000,570,880 | ---- | M] (OldTimer Tools) -- D:\Documents and Settings\Phil.SNA123456789\Desktop\OTL.exe
MOD - [2010/03/23 16:39:24 | 000,496,872 | ---- | M] (Trusteer Ltd.) -- C:\Program Files\Trusteer\Rapport\bin\rooksbas.dll
MOD - [2006/08/25 09:45:56 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll
MOD - [2004/08/10 15:00:00 | 000,102,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - [2010/04/16 08:33:40 | 000,144,672 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2010/03/23 16:39:18 | 000,779,496 | ---- | M] (Trusteer Ltd.) [Auto | Running] -- C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe -- (RapportMgmtService)
SRV - [2010/03/17 09:12:29 | 000,308,064 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgwdsvc.exe -- (avg9wd)
SRV - [2010/03/17 09:11:57 | 000,916,760 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgemc.exe -- (avg9emc)
SRV - [2005/10/20 07:15:00 | 000,090,112 | ---- | M] () [Auto | Running] -- C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\USBDeviceService.exe -- (USBDeviceService)
SRV - [2005/03/14 13:05:02 | 000,069,632 | ---- | M] (HP) [Auto | Running] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)
SRV - [2005/01/31 10:45:20 | 000,049,152 | ---- | M] (Ulead Systems, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe -- (UleadBurningHelper)


========== Driver Services (SafeList) ==========

DRV - [2010/04/21 16:03:23 | 000,242,896 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgtdix.sys -- (AvgTdiX)
DRV - [2010/03/23 16:39:26 | 000,125,160 | ---- | M] (Trusteer Ltd.) [Kernel | System | Running] -- C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys -- (RapportPG)
DRV - [2010/03/23 16:39:26 | 000,058,984 | ---- | M] (Trusteer Ltd.) [Kernel | System | Running] -- C:\Program Files\Trusteer\Rapport\bin\RapportKELL.sys -- (RapportKELL)
DRV - [2010/03/17 09:12:32 | 000,029,512 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\System32\Drivers\avgmfx86.sys -- (AvgMfx86)
DRV - [2010/03/17 09:11:56 | 000,216,200 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgldx86.sys -- (AvgLdx86)
DRV - [2008/11/11 14:42:00 | 000,024,832 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lgusbmodem.sys -- (USBModem)
DRV - [2008/11/11 14:41:00 | 000,019,968 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lgusbdiag.sys -- (UsbDiag)
DRV - [2008/11/11 14:41:00 | 000,013,056 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lgusbbus.sys -- (usbbus)
DRV - [2006/05/29 13:03:00 | 000,006,144 | ---- | M] (VIA Technologies, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\viaidexp.sys -- (ViaIde)
DRV - [2006/05/16 17:32:58 | 004,275,712 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.Sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2006/04/28 00:47:00 | 003,663,040 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2006/03/16 04:39:10 | 000,167,808 | R--- | M] (NETGEAR Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\wg111v2.sys -- (RTLWUSB)
DRV - [2005/01/07 18:07:18 | 000,138,752 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2004/08/04 00:07:44 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2004/08/04 00:07:44 | 000,041,088 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2001/08/17 15:07:44 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2001/08/17 15:07:42 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001/08/17 15:07:40 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001/08/17 15:07:36 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001/08/17 15:07:34 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001/08/17 14:52:22 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001/08/17 14:52:20 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2001/08/17 14:52:20 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2001/08/17 14:52:18 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2001/08/17 14:52:16 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2001/08/17 14:52:12 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2001/08/17 14:52:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2001/08/17 14:51:58 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2001/08/17 14:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/17 14:51:54 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



O1 HOSTS File: ([2004/08/10 15:00:00 | 000,000,734 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [AVG9_TRAY] C:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [ISUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe File not found
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [SkyTel] C:\WINDOWS\SkyTel.exe (Realtek Semiconductor Corp.)
O4 - Startup: D:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O4 - Startup: D:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\NPJPI150_04.dll (Sun Microsystems, Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftu...b?1267739981921 (MUWebControl Class)
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab (HP Download Manager)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.0...oUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_04)
O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_04)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O20 - Winlogon\Notify\dimsntfy: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O24 - Desktop WallPaper: C:\APPS\DESKTOP\BG1024IN.bmp
O24 - Desktop BackupWallPaper: C:\APPS\DESKTOP\BG1024IN.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2003/04/10 09:24:34 | 000,004,398 | ---- | M] () - F:\AUTOEXEC.BAT -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*


SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vds - Service
SafeBootMin: vga.sys - Driver
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

ActiveX: {0140FEB9-D18C-4B06-F245-9762F6CAA21C} - Macromedia Shockwave Director 10.1
ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {166B1BCA-3F9C-11CF-8075-444553540000} - Macromedia Shockwave Director 10.1
ActiveX: {1BC46932-21B2-4130-86E0-B4EB4F7A7A7B} - Microsoft .NET Framework 1.0 Hotfix (KB887998)
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2A202491-F00D-11cf-87CC-0020AFEECF20} - Macromedia Shockwave Director 10.1
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {407408d4-94ed-4d86-ab69-a7f649d112ee} - %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection QuickLaunchShortcut 640 %systemroot%\inf\mcdftreg.inf
ActiveX: {411EDCF7-755D-414E-A74B-3DCD6583F589} - Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.6
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7131646D-CD3C-40F4-97B9-CD9E4E6262EF} - .NET Framework
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\WINDOWS\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {ACC563BC-4266-43f0-B6ED-9D38C4202C7E} -
ActiveX: {C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F} - .NET Framework
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} - .NET Framework
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Macromedia Shockwave Flash
ActiveX: {DAA94A2A-2A8D-4D3B-9DB8-56FBECED082D} - Microsoft .NET Framework 1.1 Security Update (KB953297)
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E8EA5BD6-D931-4001-ABF6-81BAA500360A} - Microsoft .NET Framework 1.0 Hotfix (KB953295)
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: {FDC11A6F-17D1-48f9-9EA3-9051954BAA24} - .NET Framework
ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\WINDOWS\system32\ieudinit.exe
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
ActiveX: KB910393 - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\EasyCDBlock.inf,PerUserInstall

Drivers32: msacm.dvacm - C:\Program Files\Common Files\Ulead Systems\VIO\DVACM.acm (Ulead Systems, Inc.)
Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.mpegacm - C:\Program Files\Common Files\Ulead Systems\MPEG\MPEGACM.acm (Ulead Systems, Inc.)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: msacm.ulmp3acm - C:\Program Files\Common Files\Ulead Systems\MPEG\ulmp3acm.acm (Ulead systems)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2004/09/10 16:16:00 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

========== Files/Folders - Created Within 30 Days ==========

[2010/05/12 22:50:31 | 000,570,880 | ---- | C] (OldTimer Tools) -- D:\Documents and Settings\Phil.SNA123456789\Desktop\OTL.exe
[2010/05/10 20:28:06 | 000,000,000 | ---D | C] -- D:\Documents and Settings\Phil.SNA123456789\Desktop\gmer
[2010/05/05 22:50:32 | 000,000,000 | ---D | C] -- C:\WINDOWS\CSC
[2010/05/05 17:26:23 | 000,000,000 | ---D | C] -- D:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/05/05 01:25:50 | 000,000,000 | ---D | C] -- D:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/05/04 22:24:01 | 000,000,000 | ---D | C] -- D:\Documents and Settings\Phil.SNA123456789\Local Settings\Application Data\rmanojuja
[2010/05/04 22:23:04 | 000,000,000 | ---D | C] -- D:\Documents and Settings\Phil.SNA123456789\Application Data\F3D2E0127BAF7322F834E55875E08D3A
[2010/05/02 21:51:30 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2010/05/02 21:51:19 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2010/05/02 21:51:19 | 000,000,000 | ---D | C] -- D:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2010/05/02 21:45:43 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2010/04/26 00:33:31 | 000,000,000 | ---D | C] -- D:\Documents and Settings\Phil.SNA123456789\Application Data\Ulead Systems
[2010/04/20 22:29:21 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe AIR
[2010/04/20 22:25:49 | 000,000,000 | ---D | C] -- D:\Documents and Settings\All Users\Application Data\NOS
[2010/04/20 18:22:22 | 000,000,000 | ---D | C] -- C:\Program Files\LEGO Media
[2010/04/20 18:04:56 | 000,000,000 | ---D | C] -- D:\Documents and Settings\LocalService\Application Data\Trusteer
[2010/04/20 18:04:40 | 000,000,000 | -HSD | C] -- C:\WINDOWS\ftpcache
[2010/04/20 18:03:39 | 000,000,000 | ---D | C] -- C:\Program Files\Dora The Explorer
[2010/04/18 16:47:46 | 000,000,000 | ---D | C] -- C:\Program Files\Puppy Luv A New Breed
[2010/04/16 21:48:57 | 000,000,000 | ---D | C] -- D:\Documents and Settings\NetworkService\Application Data\Trusteer
[2010/04/16 00:31:41 | 000,000,000 | ---D | C] -- D:\Documents and Settings\Phil.SNA123456789\Application Data\Trusteer
[2010/04/15 23:21:39 | 000,000,000 | ---D | C] -- C:\Program Files\Trusteer
[2010/04/15 23:13:56 | 000,000,000 | ---D | C] -- D:\Documents and Settings\All Users\Application Data\Trusteer
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/05/12 22:56:37 | 000,051,048 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2010/05/12 22:56:13 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/05/12 22:56:03 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/05/12 22:56:00 | 1072,156,672 | -HS- | M] () -- C:\hiberfil.sys
[2010/05/12 22:50:32 | 000,570,880 | ---- | M] (OldTimer Tools) -- D:\Documents and Settings\Phil.SNA123456789\Desktop\OTL.exe
[2010/05/12 22:49:39 | 059,913,848 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2010/05/12 19:43:52 | 003,145,728 | -H-- | M] () -- D:\Documents and Settings\Phil.SNA123456789\NTUSER.DAT
[2010/05/12 19:43:40 | 000,000,178 | -HS- | M] () -- D:\Documents and Settings\Phil.SNA123456789\ntuser.ini
[2010/05/12 01:59:54 | 001,390,788 | -H-- | M] () -- D:\Documents and Settings\Phil.SNA123456789\Local Settings\Application Data\IconCache.db
[2010/05/11 23:24:16 | 000,023,040 | ---- | M] () -- D:\Documents and Settings\Phil.SNA123456789\My Documents\Compass Games.doc
[2010/05/10 20:27:29 | 000,284,915 | ---- | M] () -- D:\Documents and Settings\Phil.SNA123456789\Desktop\gmer.zip
[2010/05/10 20:06:44 | 000,525,824 | ---- | M] () -- D:\Documents and Settings\Phil.SNA123456789\Desktop\dds.scr
[2010/05/10 20:05:04 | 000,000,000 | ---- | M] () -- D:\Documents and Settings\Phil.SNA123456789\defogger_reenable
[2010/05/10 17:03:26 | 000,000,075 | ---- | M] () -- D:\Documents and Settings\Phil.SNA123456789\jagex_runescape_preferences2.dat
[2010/05/10 17:02:29 | 000,000,041 | ---- | M] () -- D:\Documents and Settings\Phil.SNA123456789\jagex_runescape_preferences.dat
[2010/05/09 23:04:14 | 000,002,055 | ---- | M] () -- D:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/05/04 22:59:52 | 000,363,520 | ---- | M] () -- D:\Documents and Settings\Phil.SNA123456789\Desktop\rkill.com
[2010/05/04 22:23:33 | 000,050,990 | ---- | M] () -- C:\WINDOWS\System32\kooqswnexcbo.exe
[2010/05/02 21:48:36 | 000,001,501 | ---- | M] () -- D:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
[2010/05/01 21:56:16 | 000,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/26 19:59:43 | 000,109,056 | ---- | M] () -- D:\Documents and Settings\Phil.SNA123456789\My Documents\Catriona Invite.doc
[2010/04/24 20:03:15 | 000,001,612 | ---- | M] () -- D:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/04/21 16:03:23 | 000,242,896 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys
[2010/04/20 18:04:39 | 000,001,742 | ---- | M] () -- D:\Documents and Settings\All Users\Desktop\Dora World Adventure.lnk
[2010/04/20 18:03:58 | 000,000,129 | ---- | M] () -- C:\WINDOWS\gspval.ini
[2010/04/19 23:05:05 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/04/18 16:54:26 | 000,002,401 | ---- | M] () -- D:\Documents and Settings\Phil.SNA123456789\Desktop\Launch Puppy Luv A New Breed.exe.lnk
[2010/04/18 16:47:11 | 000,000,036 | ---- | M] () -- C:\WINDOWS\Tiny_Run.ini
[2010/04/16 08:33:36 | 003,003,680 | ---- | M] (Apple, Inc.) -- C:\WINDOWS\System32\usbaaplrc.dll
[2010/04/14 13:19:29 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/05/11 23:24:16 | 000,023,040 | ---- | C] () -- D:\Documents and Settings\Phil.SNA123456789\My Documents\Compass Games.doc
[2010/05/10 20:27:31 | 000,284,915 | ---- | C] () -- D:\Documents and Settings\Phil.SNA123456789\Desktop\gmer.zip
[2010/05/10 20:23:36 | 000,525,824 | ---- | C] () -- D:\Documents and Settings\Phil.SNA123456789\Desktop\dds.scr
[2010/05/10 20:05:04 | 000,000,000 | ---- | C] () -- D:\Documents and Settings\Phil.SNA123456789\defogger_reenable
[2010/05/05 23:27:28 | 1072,156,672 | -HS- | C] () -- C:\hiberfil.sys
[2010/05/05 01:00:02 | 000,363,520 | ---- | C] () -- D:\Documents and Settings\Phil.SNA123456789\Desktop\rkill.com
[2010/05/04 22:23:33 | 000,050,990 | ---- | C] () -- C:\WINDOWS\System32\kooqswnexcbo.exe
[2010/05/02 21:52:18 | 000,002,055 | ---- | C] () -- D:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/05/02 21:48:36 | 000,001,501 | ---- | C] () -- D:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
[2010/04/26 19:59:43 | 000,109,056 | ---- | C] () -- D:\Documents and Settings\Phil.SNA123456789\My Documents\Catriona Invite.doc
[2010/04/24 20:03:14 | 000,001,612 | ---- | C] () -- D:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/04/20 18:04:39 | 000,001,742 | ---- | C] () -- D:\Documents and Settings\All Users\Desktop\Dora World Adventure.lnk
[2010/04/20 18:03:58 | 000,000,129 | ---- | C] () -- C:\WINDOWS\gspval.ini
[2010/04/18 16:48:09 | 000,002,401 | ---- | C] () -- D:\Documents and Settings\Phil.SNA123456789\Desktop\Launch Puppy Luv A New Breed.exe.lnk
[2010/04/18 16:47:11 | 000,000,036 | ---- | C] () -- C:\WINDOWS\Tiny_Run.ini
[2010/03/08 22:39:58 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2010/03/08 22:39:58 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2010/03/08 20:07:13 | 000,000,030 | ---- | C] () -- C:\WINDOWS\Iedit.INI
[2010/03/04 23:44:36 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\hpzids01.dll
[2010/03/02 22:37:08 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2010/03/01 21:20:54 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2010/03/01 20:16:25 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2010/03/01 20:05:46 | 000,002,850 | ---- | C] () -- C:\WINDOWS\System32\SETUPPC.INI
[2010/03/01 20:01:22 | 000,000,059 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2010/03/01 19:42:20 | 000,135,168 | ---- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2010/03/01 19:41:05 | 001,662,976 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2010/03/01 19:41:05 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2010/03/01 19:41:04 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2010/03/01 19:40:58 | 001,466,368 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2010/03/01 19:40:58 | 000,573,440 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2010/03/01 19:40:58 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2010/03/01 19:40:52 | 000,098,304 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll
[2006/07/26 09:57:34 | 000,006,741 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2006/01/12 12:23:10 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2005/08/05 15:01:54 | 000,235,008 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2005/06/17 06:41:14 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\vuins32.dll
[2004/09/10 16:50:43 | 000,000,791 | ---- | C] () -- C:\WINDOWS\orun32.ini

========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2004/08/10 15:00:00 | 016,971,599 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2004/08/10 15:00:00 | 016,971,599 | ---- | M] () .cab file -- C:\WINDOWS\I386\sp2.cab:AGP440.sys
[2004/08/04 00:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\system32\drivers\agp440.sys

< MD5 for: ATAPI.SYS >
[2004/08/10 15:00:00 | 016,971,599 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2004/08/10 15:00:00 | 016,971,599 | ---- | M] () .cab file -- C:\WINDOWS\I386\sp2.cab:atapi.sys
[2004/08/03 23:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\drivers\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2004/08/10 15:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2009/02/06 19:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB968389\SP2QFE\netlogon.dll
[2009/02/06 19:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB975467\SP2QFE\netlogon.dll
[2004/08/10 15:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/10 15:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\system32\scecli.dll

< MD5 for: VIAMRAID.SYS >
[2006/05/29 13:03:22 | 000,092,672 | ---- | M] (VIA Technologies inc,.ltd) MD5=FBF18F9F5FB852C2976723587B44F346 -- C:\PNP\MOBO\VIAMRAID.SYS
[2006/05/29 13:03:22 | 000,092,672 | ---- | M] (VIA Technologies inc,.ltd) MD5=FBF18F9F5FB852C2976723587B44F346 -- C:\WINDOWS\system32\drivers\viamraid.sys

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2005/07/26 05:39:44 | 001,267,200 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\comsvcs.dll
[2009/03/08 05:31:44 | 000,348,160 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtmsft.dll
[2009/03/08 05:31:38 | 000,216,064 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtrans.dll
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2004/09/10 16:22:10 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2004/09/10 16:22:08 | 000,659,456 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2004/09/10 16:22:08 | 000,851,968 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\system32\drivers\*.sys /90 >
[2010/03/17 09:11:56 | 000,216,200 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\system32\drivers\avgldx86.sys
[2010/03/17 09:12:32 | 000,029,512 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\system32\drivers\avgmfx86.sys
[2010/04/21 16:03:23 | 000,242,896 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\system32\drivers\avgtdix.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\system32\drivers\mbam.sys
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
[2010/02/24 13:31:30 | 000,454,016 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\mrxsmb.sys
[2010/04/16 08:33:36 | 000,041,472 | ---- | M] (Apple, Inc.) -- C:\WINDOWS\system32\drivers\usbaapl.sys

========== Alternate Data Streams ==========

@Alternate Data Stream - 158 bytes -> D:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 115 bytes -> D:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
< End of report >

#4 pgt18731

pgt18731
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:47 PM

Posted 12 May 2010 - 05:28 PM

Sorry - Extras.Txt is refusing to be posted. When I cut & paste it in I just get Internet Explorer Cannot Display... - I'll try attaching it to this post

Attached Files



#5 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,784 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:07:47 PM

Posted 12 May 2010 - 07:00 PM

Hi,

Please download HelpAsst_mebroot_fix.exe and save it to your desktop.
Close out all other open programs and windows.
Double click the file to run it and follow any prompts.
If the tool detects an mbr infection, please allow it to run mbr -f and shutdown your computer.
Upon restarting, please wait about 5 minutes, click Start>Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt !

When it completes, a log will open.

Please post the contents of that log.



In the event the tool does not detect an mbr infection and completes, click Start>Run and type the following bolded command, then hit Enter.

mbr -f

Now, please do the Start>Run>mbr -f command a second time.

Now shut down the computer (do not restart, but shut it down), wait a few minutes then start it back up.

Give it about 5 minutes, then click Start>Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt !

When it completes, a log will open.

Please post the contents of that log.

**Important note to Dell users - fixing the mbr may prevent access the the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. There are a couple of known fixes for said condition, though the methods are somewhat advanced. If you are unwilling to take such a risk, you should not allow the tool to execute mbr -f nor execute the command manually, and you will either need to restore your computer to a factory state or allow your computer to remain having an infected mbr (the latter not recommended).

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

animinionsmalltext.gif

Follow BleepingComputer on: Facebook | Twitter | Google+


#6 pgt18731

pgt18731
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:47 PM

Posted 13 May 2010 - 05:16 PM

Thanks. The tool did detect an mbr infection so I followed the above and the log is below.

D:\Documents and Settings\Phil.SNA123456789\Desktop\HelpAsst_mebroot_fix.exe
13/05/2010 at 22:41:48.14

HelpAssistant account is Active ~ attempting to de-activate

Account active Yes
Local Group Memberships *Administrators

HelpAssistant successfully set Inactive

~~ Checking for termsrv32.dll ~~

termsrv32.dll present! ~ attempting to remove
termsrv32.dll successfully removed

~~ Checking firewall ports ~~

backing up DomainProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list
"65533:TCP"=-
"52344:TCP"=-
"9172:TCP"=-
"9173:TCP"=-
"3389:TCP"=-

backing up StandardProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list
"65533:TCP"=-
"52344:TCP"=-
"9172:TCP"=-
"9173:TCP"=-
"3389:TCP"=-

~~ Checking profile list ~~

HelpAssistant profile found in registry ~ backing up and removing S-1-5-21-3507364563-4189585418-1625992188-1004
HelpAssistant profile directory exists at D:\Documents and Settings\HelpAssistant ~ attempting to remove
~ All D:\Documents and Settings\HelpAssistant files successfully removed ~

~~ Checking mbr ~~

mbr infection detected! ~ running mbr -f

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
copy of MBR has been found in sector 0x02E937CC1
malicious code @ sector 0x02E937CC4 !
PE file found in sector at 0x02E937CDA !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
original MBR restored successfully !

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x02E937CC1
malicious code @ sector 0x02E937CC4 !
PE file found in sector at 0x02E937CDA !

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on 13/05/2010 at 23:11:25.25

Account active No
Local Group Memberships

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86E50EE4]<<
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x02E937CC1
malicious code @ sector 0x02E937CC4 !
PE file found in sector at 0x02E937CDA !

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv.dll

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

none found

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


~~ EOF ~~


#7 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,784 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:07:47 PM

Posted 13 May 2010 - 06:06 PM

Hi,

this is looking good. Can you please provide a new log from gmer and let me know if your PC is still crashing.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

animinionsmalltext.gif

Follow BleepingComputer on: Facebook | Twitter | Google+


#8 pgt18731

pgt18731
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:47 PM

Posted 15 May 2010 - 08:34 AM

Things are a little better, but I had to run gmer four times before it reached the end before everything froze. Log attached.
Malwarebytes and AVG free scans both come back clean.
Another symptom I've noticed is that internet explorer keeps on throwing up pop-ups to random internet sites, even with pop-up blocker set at the highest. This happens even with Google.
The AVG Resident Shield keeps on identifying tracking cookies (Hitbox, Adtech, tribalfusion, serving-sys) but freezes rather than completing fixing them.

Thanks for all your help.


Attachment not working very well, so here is the Ark.log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-15 01:16:42
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: D:\DOCUME~1\PHIL~1.SNA\LOCALS~1\Temp\kwdyyaoc.sys


---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\drivers\pciide.sys entry point in ".rsrc" section [0xF7C18814]
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF5DF8360, 0x221CFD, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1144] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 007E000A
.text C:\WINDOWS\System32\svchost.exe[1144] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 007F000A
.text C:\WINDOWS\System32\svchost.exe[1144] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 007D000C
.text C:\WINDOWS\System32\svchost.exe[1144] USER32.dll!GetCursorPos 7E41BD76 5 Bytes JMP 0138000A
.text C:\WINDOWS\System32\svchost.exe[1144] ole32.dll!CoCreateInstance 774FFAC3 5 Bytes JMP 00D1000A
.text C:\WINDOWS\Explorer.EXE[3116] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C8000A
.text C:\WINDOWS\Explorer.EXE[3116] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00D2000A
.text C:\WINDOWS\Explorer.EXE[3116] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00C7000C

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \FileSystem\Fastfat \Fat B7FD2C8A

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device -> \Driver\atapi \Device\Harddisk0\DR0 86E50EE4

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\pciide.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----


#9 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,784 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:07:47 PM

Posted 15 May 2010 - 09:35 AM

Hi,

you have been infected by a nasty rootkit. It is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.


If you decide to clean, then please run ComboFix and post the log in your next reply:

Please download ComboFix from one of these locations:

Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Temporarily disable isable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools
    Usually this can be done via a right click on the System Tray icon, check this tutorial for disabling the most common security programs: Link

  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

animinionsmalltext.gif

Follow BleepingComputer on: Facebook | Twitter | Google+


#10 pgt18731

pgt18731
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:47 PM

Posted 20 May 2010 - 04:07 AM

Thanks myrti,

Sorry it took so long to reply - I took your advice and stopped using the PC (on the back-up machine now). Internet banking suspended and all passwaords changed! Plan is to reinstall.
Once I've done that, how is there any way I can check no infection has been carried over?
Also, anything I should do to avoid re-infection.

And a great big thank you once again for all your help. You are a star!

Phil

#11 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,784 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:07:47 PM

Posted 20 May 2010 - 04:52 AM

Hi,

You can back up all your important documents, personal data files, photos to a CD or DVD drive, not a flash drive or external hard drive as they may become compromised in the process. The safest practice is not to backup any executable files (*.exe), screensavers (*.scr), autorun (.ini) or script files (.php, .asp, and .html) files because they may be infected by malware. Avoid backing up compressed files (.zip, .cab, .rar) that have executable files inside them as some types of malware can penetrate and infect .exe files within compressed files too. Other types of malware may even disguise itself by adding and hiding its extension to the existing extension of file(s) so be sure you look closely at the full file name. After reformatting, scan the backed up data with your anti-virus prior to to copying it back to your hard drive.

If you only have flash drives or external hard drives to back up your data to, please run this tool to vaccinate them against infection:
Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

These are the tips I usually give people at the end of a cleaning, respecting those you should be pretty safe:
  1. Install and update the following programs regularly:
    • an outbound firewall
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on regular basis.If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malware Byte's Anti Malware is an excellent Anti-Spyware scanner. It's scan times are usually under ten minutes, and has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non commercial home use but provide a resident and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.
    • MVPs hosts file
      A tutorial for MVPs hosts file can be found here. If you would like automatic updates you might want to take a look at HostMan host file manager. For more information on thehosts file, and what it can do for you,please consult the Tutorial on the Hosts file
  2. Keep Windows (and your other Microsoft software) up to date!
    I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holeswill allow an attacker unrestricted access to your computer.
    Therefore, please, visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!
  3. Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on yourmachine.
  4. Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variantsevery single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing sad.gif.
Some more links you might find of interest:Let me know if you have any more questions.
Have a nice day
myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

animinionsmalltext.gif

Follow BleepingComputer on: Facebook | Twitter | Google+


#12 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,784 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:07:47 PM

Posted 26 May 2010 - 10:41 AM

Since this topic appears to be resolved, I will now close it.

If you need this topic re-opened please send me a PM.

Everyone else, please start a new topic.

With Regards,
myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

animinionsmalltext.gif

Follow BleepingComputer on: Facebook | Twitter | Google+





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users