Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Google redirects - Aurelion?


  • This topic is locked This topic is locked
11 replies to this topic

#1 Solecizm

Solecizm

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:03:44 PM

Posted 16 May 2010 - 08:44 AM

Hello,

My partner's computer has been infected with something ever since she tried to download some sheet music. The main problem is that clicking on links from search engines (Google, Bing) leads to random (but seemingly respectable) websites like eBay and Amazon. The only way to navigate to the desired page is to copy the link and paste into the address bar.

AVG free found and removed some spyware, but the problem persists, and subsequent runs only find cookies. Windows Defender finds nothing. Microsoft's Malicious Software Removal Tool found something the first time I ran it called Aurelion I think, but it said it only partially removed it. Subsequent runs have found nothing. I tried cleaning up the registry with RegSeeker, but that hasn't fixed the problem.

I would be very grateful for any assistance, before I get impatient and reformat!

DDS (Ver_10-03-17.01) - NTFSx86
Run by Katrina Davis at 13:39:56.57 on 16/05/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1022.432 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
svchost.exe
C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdwserv.exe
C:\WINDOWS\system32\lxdwcoms.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Lexmark 7600 Series\lxdwmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Lexmark 7600 Series\lxdwMsdMon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\NETGEAR\WN121T\wn121t.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Katrina Davis\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.birminghamcourseonline.co.uk/course/view.php?id=25
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Lexmark Printable Web: {d2c5e510-be6d-42cc-9f61-e4f939078474} - c:\program files\lexmark printable web\bho.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10d.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [Sony Ericsson PC Suite] "c:\program files\sony ericsson\mobile2\application launcher\Application Launcher.exe" /startoptions
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [lxdwmon.exe] "c:\program files\lexmark 7600 series\lxdwmon.exe"
mRun: [lxdwamon] "c:\program files\lexmark 7600 series\lxdwamon.exe"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wn121t\wn121t.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
TCP: NameServer = 93.188.164.98,93.188.166.141
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-25 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-4-25 29512]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-4-25 242896]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-4-25 353672]
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\adobe\photoshop elements 7.0\PhotoshopElementsFileAgent.exe [2008-9-16 169312]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-3-18 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-18 308064]
R2 lxdw_device;lxdw_device;c:\windows\system32\lxdwcoms.exe -service --> c:\windows\system32\lxdwcoms.exe -service [?]
R2 lxdwCATSCustConnectService;lxdwCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdwserv.exe [2009-12-19 98984]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S1 MpKsl22430b59;MpKsl22430b59;\??\c:\windows\system32\mpenginestore\mpksl22430b59.sys --> c:\windows\system32\mpenginestore\MpKsl22430b59.sys [?]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]

=============== Created Last 30 ================

2010-05-16 12:35:54 0 ----a-w- c:\documents and settings\katrina davis\defogger_reenable
2010-05-15 19:22:22 0 dc-h--w- c:\windows\ie8
2010-05-13 17:29:53 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-05-13 17:29:53 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-05-13 07:30:16 100736 ----a-w- c:\windows\system32\drivers\NVATA.SYS
2010-05-13 06:14:30 0 d-----w- c:\windows\system32\MpEngineStore
2010-05-12 06:32:01 173 ----a-w- c:\windows\system32\MRT.INI
2010-05-01 12:36:00 0 d-----w- c:\windows\pss
2010-04-30 13:13:42 84992 --sha-r- c:\windows\system32\pngfiltr.dll
2010-04-28 16:44:28 3734536 ----a-w- c:\windows\system32\d3dx9_36.dll
2010-04-28 16:44:24 0 d-----w- c:\program files\SoundSpectrum

==================== Find3M ====================

2010-05-06 09:36:38 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-04-22 06:19:14 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-18 08:28:39 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-18 08:28:04 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-17 08:10:28 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25:04 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-04-27 14:14:25 58176864 ----a-w- c:\program files\ENX201Inst.exe
2009-04-25 11:17:27 15166101 ----a-w- c:\program files\netgear driver.exe
2007-11-18 18:42:52 461952 ----a-w- c:\windows\inf\wn121t\Mrvw245.sys
2007-05-24 13:58:00 249856 ----a-w- c:\windows\inf\wn121t\InsDrv2k.exe
2006-07-05 10:21:50 212992 ----a-w- c:\windows\inf\wn121t\CopyWHQLDriver.exe
2005-11-17 14:46:24 845736 ----a-w- c:\windows\inf\wn121t\DPInst.exe

============= FINISH: 13:40:33.53 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 snemelk

snemelk

    inżynier


  • Malware Response Team
  • 1,468 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Poland
  • Local time:04:44 PM

Posted 18 May 2010 - 01:45 PM

Hi Solecizm, and welcome to Bleeping Computer.

Order below is important...

Firstly,
Download mbr.exe to the root of your c:\ drive...

Then,
Go to Start --> Run --> write cmd and click OK...

In the command prompt write (or copy and right-click paste):

mbr -t

Exit the Command prompt... A logfile should be created, post the contents of c:\mbr.log in your reply...

Secondly,
* Download the file TDSSKiller.zip and extract it into a folder on the infected PC.
* Execute the file TDSSKiller.exe by double-clicking on it.
* Wait for the scan and disinfection process to be over.
* When its work is over, the utility prompts for a reboot to complete the disinfection.

By default, the utility outputs runtime log into the system disk root directory (the disk where the operating system is installed, C:\ as a rule).
The log is like UtilityName.Version_Date_Time_log.txt.
for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt.

Please post that log here.
Posted Image
snemelk.hekko.pl - my site with a few computer security tips...
Silesia - that's where I live!

"If I had some duct tape, I could fix that." - MacGyver


#3 Solecizm

Solecizm
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:03:44 PM

Posted 18 May 2010 - 04:20 PM

Hi Snemelk,

Thanks for the fast reply! I ran both those programs as instructed. Sadly still getting Google redirects, but hopefully I'm getting somewhere now with your help smile.gif

Here are the logs:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll NVATA.SYS
kernel: MBR read successfully
user & kernel MBR OK

22:09:27:921 0988 TDSS rootkit removing tool 2.3.0.0 May 12 2010 18:11:17
22:09:27:921 0988 ================================================================================
22:09:27:921 0988 SystemInfo:

22:09:27:921 0988 OS Version: 5.1.2600 ServicePack: 3.0
22:09:27:921 0988 Product type: Workstation
22:09:27:921 0988 ComputerName: KATRINA-STUDY
22:09:27:921 0988 UserName: Katrina Davis
22:09:27:921 0988 Windows directory: C:\WINDOWS
22:09:27:921 0988 Processor architecture: Intel x86
22:09:27:921 0988 Number of processors: 1
22:09:27:921 0988 Page size: 0x1000
22:09:27:921 0988 Boot type: Normal boot
22:09:27:921 0988 ================================================================================
22:09:27:921 0988 UnloadDriverW: NtUnloadDriver error 2
22:09:27:921 0988 ForceUnloadDriverW: UnloadDriverW(klmd23) error 2
22:09:27:984 0988 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
22:09:28:000 0988 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
22:09:28:000 0988 wfopen_ex: Trying to KLMD file open
22:09:28:000 0988 wfopen_ex: File opened ok (Flags 2)
22:09:28:000 0988 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
22:09:28:000 0988 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
22:09:28:000 0988 wfopen_ex: Trying to KLMD file open
22:09:28:000 0988 wfopen_ex: File opened ok (Flags 2)
22:09:28:000 0988 KLAVA engine initialized
22:09:28:140 0988 Initialize success
22:09:28:140 0988
22:09:28:140 0988 Scanning Services ...
22:09:28:171 0988 Raw services enum returned 325 services
22:09:28:171 0988
22:09:28:171 0988 Scanning Drivers ...
22:09:28:312 0988 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
22:09:28:375 0988 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
22:09:28:437 0988 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
22:09:28:500 0988 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
22:09:28:656 0988 ALCXWDM (37eb54a72554595fbc85c24e079e1c1b) C:\WINDOWS\system32\drivers\ALCXWDM.SYS
22:09:28:765 0988 AmdPPM (033448d435e65c4bd72e70521fd05c76) C:\WINDOWS\system32\DRIVERS\AmdPPM.sys
22:09:28:843 0988 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
22:09:28:859 0988 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
22:09:28:890 0988 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
22:09:28:921 0988 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
22:09:29:000 0988 AvgLdx86 (9c0a7e6d3cb9a8a7ad4e4575d9a42e94) C:\WINDOWS\System32\Drivers\avgldx86.sys
22:09:29:046 0988 AvgMfx86 (f9caeec3ff1545991f490264429724c5) C:\WINDOWS\System32\Drivers\avgmfx86.sys
22:09:29:078 0988 AvgTdiX (cf9ac576490bb6c547cd16ef0b782358) C:\WINDOWS\System32\Drivers\avgtdix.sys
22:09:29:125 0988 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
22:09:29:171 0988 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
22:09:29:203 0988 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
22:09:29:218 0988 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
22:09:29:250 0988 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
22:09:29:328 0988 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
22:09:29:359 0988 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
22:09:29:406 0988 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
22:09:29:437 0988 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
22:09:29:468 0988 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
22:09:29:484 0988 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
22:09:29:500 0988 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
22:09:29:515 0988 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
22:09:29:562 0988 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
22:09:29:578 0988 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
22:09:29:578 0988 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
22:09:29:593 0988 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
22:09:29:609 0988 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
22:09:29:656 0988 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
22:09:29:703 0988 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
22:09:29:765 0988 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
22:09:29:796 0988 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
22:09:29:812 0988 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
22:09:29:843 0988 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
22:09:29:875 0988 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
22:09:29:890 0988 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
22:09:29:921 0988 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
22:09:29:921 0988 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
22:09:29:953 0988 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
22:09:29:968 0988 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
22:09:29:968 0988 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
22:09:29:984 0988 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
22:09:30:000 0988 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
22:09:30:031 0988 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
22:09:30:046 0988 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
22:09:30:062 0988 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
22:09:30:062 0988 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
22:09:30:078 0988 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
22:09:30:140 0988 MRVW245 (513179a0e168b4d4cc6ff302b9c27568) C:\WINDOWS\system32\DRIVERS\MRVW245.sys
22:09:30:171 0988 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
22:09:30:218 0988 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
22:09:30:234 0988 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
22:09:30:281 0988 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
22:09:30:312 0988 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
22:09:30:328 0988 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
22:09:30:343 0988 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
22:09:30:343 0988 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
22:09:30:359 0988 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
22:09:30:390 0988 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
22:09:30:421 0988 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
22:09:30:437 0988 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
22:09:30:453 0988 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
22:09:30:484 0988 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
22:09:30:484 0988 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
22:09:30:500 0988 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
22:09:30:546 0988 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
22:09:30:562 0988 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
22:09:30:796 0988 nv (23b95a09677e62ec8d1641ecf39b9bfb) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
22:09:30:968 0988 nvata (c03e15101f6d9e82cd9b0e7d715f5de3) C:\WINDOWS\system32\DRIVERS\NVATA.SYS
22:09:31:046 0988 NVENETFD (b9333604527e02cd2223f200c0bae7e0) C:\WINDOWS\system32\DRIVERS\NVENETFD.sys
22:09:31:109 0988 nvnetbus (5e9e55f7ee644c7c5fd78a206fbe37ab) C:\WINDOWS\system32\DRIVERS\nvnetbus.sys
22:09:31:171 0988 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
22:09:31:187 0988 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
22:09:31:218 0988 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
22:09:31:218 0988 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
22:09:31:234 0988 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
22:09:31:250 0988 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
22:09:31:281 0988 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
22:09:31:312 0988 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
22:09:31:359 0988 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
22:09:31:375 0988 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
22:09:31:406 0988 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
22:09:31:437 0988 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
22:09:31:468 0988 PxHelp20 (d86b4a68565e444d76457f14172c875a) C:\WINDOWS\system32\Drivers\PxHelp20.sys
22:09:31:515 0988 QV2KUX (0087f01d35a65b32393cc8bba46ee4a6) C:\WINDOWS\system32\DRIVERS\qv2kux.sys
22:09:31:546 0988 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
22:09:31:546 0988 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
22:09:31:562 0988 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
22:09:31:562 0988 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
22:09:31:593 0988 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
22:09:31:609 0988 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
22:09:31:640 0988 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
22:09:31:671 0988 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
22:09:31:703 0988 s616bus (ef4b5a8d53f15cb269469dd4e4bb0109) C:\WINDOWS\system32\DRIVERS\s616bus.sys
22:09:31:734 0988 s616mgmt (5f0be24e4d4fa134b0b2fef35d3a9d90) C:\WINDOWS\system32\DRIVERS\s616mgmt.sys
22:09:31:765 0988 s616obex (f123a1f2a04a0e8dba80b64f0072475a) C:\WINDOWS\system32\DRIVERS\s616obex.sys
22:09:31:781 0988 s616unic (e7e55048ebd5c17bfa791b4a6ec3d54b) C:\WINDOWS\system32\DRIVERS\s616unic.sys
22:09:31:828 0988 se59mdfl (3ced539f4373ccf8d3fe71ae51053d5d) C:\WINDOWS\system32\DRIVERS\se59mdfl.sys
22:09:31:906 0988 se59mdm (c6a6aa039d14f2ea1998e5f922014067) C:\WINDOWS\system32\DRIVERS\se59mdm.sys
22:09:31:937 0988 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
22:09:31:968 0988 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
22:09:31:984 0988 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
22:09:32:031 0988 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
22:09:32:093 0988 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
22:09:32:109 0988 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
22:09:32:187 0988 srescan (bb1cc49b817d2551eb321f4a9afb7d8c) C:\WINDOWS\system32\ZoneLabs\srescan.sys
22:09:32:234 0988 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys
22:09:32:281 0988 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
22:09:32:343 0988 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
22:09:32:406 0988 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
22:09:32:453 0988 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
22:09:32:500 0988 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
22:09:32:515 0988 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
22:09:32:546 0988 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
22:09:32:578 0988 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
22:09:32:609 0988 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
22:09:32:671 0988 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
22:09:32:687 0988 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
22:09:32:718 0988 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
22:09:32:750 0988 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
22:09:32:796 0988 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
22:09:32:859 0988 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
22:09:32:859 0988 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
22:09:32:875 0988 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
22:09:32:890 0988 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
22:09:32:953 0988 vsdatant (13a225a31f8d64a395373e9434d2d1ab) C:\WINDOWS\system32\vsdatant.sys
22:09:33:000 0988 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
22:09:33:140 0988 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
22:09:33:187 0988 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
22:09:33:234 0988 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
22:09:33:234 0988
22:09:33:234 0988 Completed
22:09:33:234 0988
22:09:33:234 0988 Results:
22:09:33:234 0988 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
22:09:33:234 0988 File objects infected / cured / cured on reboot: 0 / 0 / 0
22:09:33:234 0988
22:09:33:234 0988 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
22:09:33:234 0988 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
22:09:33:234 0988 KLMD(ARK) unloaded successfully


#4 snemelk

snemelk

    inżynier


  • Malware Response Team
  • 1,468 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Poland
  • Local time:04:44 PM

Posted 19 May 2010 - 05:26 AM

Hi again Solecizm!!.. smile.gif..

QUOTE(Solecizm @ May 18 2010, 11:20 PM) View Post
Thanks for the fast reply! I ran both those programs as instructed. Sadly still getting Google redirects, but hopefully I'm getting somewhere now with your help smile.gif

HHmm, that's strange - I mean no infection is clearly visible in your logs... Anyway, we excluded one infection...
I'd like to confirm - the redirects seem to lead to legitimate and well known sites, right?.. Does it happen with every click on search engine results??..

Please do the following:

Firstly,
Open Notepad and copy and paste next present in the quotebox:

QUOTE
@echo off
attrib -r -h -s -a c:\windows\system32\pngfiltr.dll
copy c:\windows\system32\pngfiltr.dll c:\pngfiltr.old
dir c:\pngfiltr.dll /s > c:\logfile.txt
attrib +r +h +s +a c:\windows\system32\pngfiltr.dll
notepad c:\logfile.txt
del %0

Save this as look.bat , choose to save as *all files and place it on your Desktop.
It should look like this:
Doubleclick on it and Notepad should open.
Copy and paste the contents of it (c:\logfile.txt) in your next reply.

Then,
Please go to http://www.virustotal.com/ , click on Browse, and upload the following file for analysis:

c:\pngfiltr.old

Then click Send File. Allow the file to be uploaded and scanned. Then, please post a link to the results page for me to see.

Finally,
Download OTL.exe by OldTimer to your Desktop.
  • Close all windows and double click OTL.exe.
  • In the "Custom Scans/Fixes" window (under the light green bar) paste the following in bold:

    netsvcs
    %SYSTEMDRIVE%\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /90

  • Click Run Scan and let the program run uninterrupted.
  • When the scan completes, it will open two Notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL. Post both logs in this thread.
  • You may need to use two posts to get it all.

Posted Image
snemelk.hekko.pl - my site with a few computer security tips...
Silesia - that's where I live!

"If I had some duct tape, I could fix that." - MacGyver


#5 Solecizm

Solecizm
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:03:44 PM

Posted 19 May 2010 - 05:06 PM

QUOTE(snemelk @ May 19 2010, 11:26 AM) View Post
HHmm, that's strange - I mean no infection is clearly visible in your logs... Anyway, we excluded one infection...
I'd like to confirm - the redirects seem to lead to legitimate and well known sites, right?.. Does it happen with every click on search engine results??..


Hi Snemelk

To answer your question above, I just now went to google.co.uk in Internet Explorer to test it. I searched for "bbc news". I opened the first search result (a link to news.bbc.co.uk) in a new tab, and the window redirected to Ask Jeeves instead. I clicked the same one again and this time it went to 411lawyerdirectory.com. The third time it went to btcar.com, and a pop-up window also opened, but I forgot to note down where it was to. The fourth and subsequent times (I did it several times more) it went to the BBC site as it should have done. So it doesn't happen with every click, but the sites are not always so well known.

I then tried to do the thing with pngfiltr.dll, but this file does not seem to exist, and the logfile.txt just said:

Volume in drive C has no label.
Volume Serial Number is F0FF-944C

I had a look in the directory though, and there is a file 'pngfilt.dll' so I changed the commands to this file name in look.bat and ran it again. Here is the logfile.txt:

Volume in drive C has no label.
Volume Serial Number is F0FF-944C

Directory of c:\WINDOWS\$hf_mig$\KB963027-IE7\SP3QFE

20/02/2009 19:09 44,544 pngfilt.dll
1 File(s) 44,544 bytes

Directory of c:\WINDOWS\$hf_mig$\KB969897-IE7\SP3QFE

29/04/2009 05:49 44,544 pngfilt.dll
1 File(s) 44,544 bytes

Directory of c:\WINDOWS\$NtServicePackUninstall$

04/08/2004 13:00 39,424 pngfilt.dll
1 File(s) 39,424 bytes

Directory of c:\WINDOWS\ie7

14/04/2008 01:12 39,424 pngfilt.dll
1 File(s) 39,424 bytes

Directory of c:\WINDOWS\ie7updates\KB963027-IE7

13/08/2007 18:36 44,544 pngfilt.dll
1 File(s) 44,544 bytes

Directory of c:\WINDOWS\ie7updates\KB969897-IE7

20/02/2009 19:09 44,544 pngfilt.dll
1 File(s) 44,544 bytes

Directory of c:\WINDOWS\ie8

29/04/2009 05:56 44,544 pngfilt.dll
1 File(s) 44,544 bytes

Directory of c:\WINDOWS\ServicePackFiles\i386

14/04/2008 01:12 39,424 pngfilt.dll
1 File(s) 39,424 bytes

Directory of c:\WINDOWS\SoftwareDistribution\Download\baf4833efdfcb1ed85e5c9347d37106a\SP3GDR

20/02/2009 19:09 44,544 pngfilt.dll
1 File(s) 44,544 bytes

Directory of c:\WINDOWS\SoftwareDistribution\Download\baf4833efdfcb1ed85e5c9347d37106a\SP3QFE

20/02/2009 19:09 44,544 pngfilt.dll
1 File(s) 44,544 bytes

Directory of c:\WINDOWS\system32

08/03/2009 04:31 46,592 pngfilt.dll
1 File(s) 46,592 bytes

Directory of c:\WINDOWS\system32\dllcache

08/03/2009 04:31 46,592 pngfilt.dll
1 File(s) 46,592 bytes

Total Files Listed:
12 File(s) 523,264 bytes
0 Dir(s) 104,787,410,944 bytes free


Link to Virustotal.com result page:

http://www.virustotal.com/analisis/8b9fc6c...df8a-1271792840

And from OTL.txt:

OTL logfile created on: 19/05/2010 22:42:15 - Run 1
OTL by OldTimer - Version 3.2.5.0 Folder = C:\Documents and Settings\Katrina Davis\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1,022.00 Mb Total Physical Memory | 414.00 Mb Available Physical Memory | 41.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 74.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.04 Gb Total Space | 97.59 Gb Free Space | 65.48% Space Free | Partition Type: NTFS
Unable to calculate disk information.
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: KATRINA-STUDY
Current User Name: Katrina Davis
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/05/19 22:41:03 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Katrina Davis\Desktop\OTL.exe
PRC - [2010/04/22 07:19:15 | 002,064,736 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgtray.exe
PRC - [2010/04/22 07:19:14 | 000,620,896 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgnsx.exe
PRC - [2010/04/09 13:21:15 | 001,101,152 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgchsvx.exe
PRC - [2010/03/18 09:28:39 | 000,508,184 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgrsx.exe
PRC - [2010/03/18 09:28:36 | 000,308,064 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe
PRC - [2010/03/18 09:28:04 | 000,916,760 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgemc.exe
PRC - [2010/03/18 09:28:04 | 000,710,424 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgcsrvx.exe
PRC - [2009/03/05 16:07:20 | 002,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2009/02/16 00:10:22 | 002,402,184 | ---- | M] (Check Point Software Technologies LTD) -- C:\WINDOWS\system32\ZoneLabs\vsmon.exe
PRC - [2009/02/16 00:10:22 | 000,981,384 | ---- | M] (Check Point Software Technologies LTD) -- C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
PRC - [2008/09/16 12:03:18 | 000,169,312 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
PRC - [2008/09/10 11:15:24 | 000,676,520 | ---- | M] () -- C:\Program Files\Lexmark 7600 Series\lxdwmon.exe
PRC - [2008/09/10 11:15:21 | 000,025,256 | ---- | M] () -- C:\Program Files\Lexmark 7600 Series\lxdwmsdmon.exe
PRC - [2008/05/16 16:33:10 | 000,594,600 | ---- | M] ( ) -- C:\WINDOWS\system32\lxdwcoms.exe
PRC - [2008/05/16 16:32:56 | 000,098,984 | ---- | M] (Lexmark International, Inc.) -- C:\WINDOWS\system32\spool\drivers\w32x86\3\lxdwserv.exe
PRC - [2008/04/14 01:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/02/25 09:44:26 | 002,121,728 | ---- | M] () -- C:\Program Files\NETGEAR\WN121T\wn121t.exe
PRC - [2007/03/28 01:07:42 | 000,593,920 | R--- | M] () -- C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
PRC - [2007/02/09 17:03:38 | 000,983,040 | R--- | M] (Teleca AB) -- C:\Program Files\Common Files\Teleca Shared\Generic.exe
PRC - [2005/11/11 14:07:40 | 000,090,112 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\soundman.exe


========== Modules (SafeList) ==========

MOD - [2010/05/19 22:41:03 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Katrina Davis\Desktop\OTL.exe
MOD - [2008/04/14 01:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - [2010/03/18 09:28:36 | 000,308,064 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgwdsvc.exe -- (avg9wd)
SRV - [2010/03/18 09:28:04 | 000,916,760 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgemc.exe -- (avg9emc)
SRV - [2009/04/25 20:55:34 | 000,651,720 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2009/02/16 00:10:22 | 002,402,184 | ---- | M] (Check Point Software Technologies LTD) [Auto | Running] -- C:\WINDOWS\System32\ZoneLabs\vsmon.exe -- (vsmon)
SRV - [2008/09/16 12:03:18 | 000,169,312 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe -- (AdobeActiveFileMonitor7.0)
SRV - [2008/05/16 16:33:10 | 000,594,600 | ---- | M] ( ) [Auto | Running] -- C:\WINDOWS\System32\lxdwcoms.exe -- (lxdw_device)
SRV - [2008/05/16 16:32:56 | 000,098,984 | ---- | M] () [Auto | Running] -- C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdwserv.exe -- (lxdwCATSCustConnectService)
SRV - [2006/11/03 19:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend)
SRV - [2005/11/14 01:06:04 | 000,069,632 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe -- (IDriverT)


========== Driver Services (SafeList) ==========

DRV - [2010/05/13 08:30:16 | 000,100,736 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\NVATA.SYS -- (nvata)
DRV - [2010/04/22 07:19:14 | 000,242,896 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgtdix.sys -- (AvgTdiX)
DRV - [2010/03/18 09:28:39 | 000,029,512 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\System32\Drivers\avgmfx86.sys -- (AvgMfx86)
DRV - [2010/03/18 09:28:04 | 000,216,200 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgldx86.sys -- (AvgLdx86)
DRV - [2009/03/27 10:03:00 | 006,280,416 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2009/02/16 00:10:26 | 000,353,672 | ---- | M] (Check Point Software Technologies LTD) [Kernel | System | Running] -- C:\WINDOWS\system32\vsdatant.sys -- (vsdatant)
DRV - [2008/11/17 02:24:00 | 000,051,688 | ---- | M] (Check Point Software Technologies LTD) [Kernel | Boot | Running] -- C:\WINDOWS\system32\ZoneLabs\srescan.sys -- (srescan)
DRV - [2007/11/18 19:42:52 | 000,461,952 | ---- | M] (Marvell Semiconductor, Inc) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\MRVW245.sys -- (MRVW245) Marvell TOPDOG 802.11n WLAN Driver for Windows XP (USB8x)
DRV - [2007/04/16 21:46:00 | 000,033,792 | ---- | M] (Advanced Micro Devices) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AmdPPM.sys -- (AmdPPM)
DRV - [2007/04/03 13:59:42 | 000,099,080 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s616unic.sys -- (s616unic) Sony Ericsson Device 616 USB Ethernet Emulation SEMC616 (WDM)
DRV - [2007/04/03 13:59:42 | 000,098,568 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s616obex.sys -- (s616obex)
DRV - [2007/04/03 13:59:40 | 000,100,360 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s616mgmt.sys -- (s616mgmt) Sony Ericsson Device 616 USB WMC Device Management Drivers (WDM)
DRV - [2007/04/03 13:59:30 | 000,083,208 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s616bus.sys -- (s616bus) Sony Ericsson Device 616 driver (WDM)
DRV - [2006/09/05 20:07:52 | 000,097,088 | R--- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\se59mdm.sys -- (se59mdm)
DRV - [2006/09/05 20:07:48 | 000,009,360 | R--- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\se59mdfl.sys -- (se59mdfl)
DRV - [2006/02/17 11:28:32 | 000,013,056 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus)
DRV - [2006/02/17 11:28:30 | 000,034,176 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD)
DRV - [2005/12/02 14:11:40 | 003,841,856 | R--- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\alcxwdm.sys -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2001/08/17 13:53:32 | 000,003,328 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\qv2kux.sys -- (QV2KUX)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://my.yahoo.co.uk/ [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.birminghamcourseonline.co.uk/co.../view.php?id=25
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


[2010/05/15 14:39:38 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2010/05/14 15:41:36 | 000,395,194 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 13648 more lines...
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Lexmark Printable Web) - {D2C5E510-BE6D-42CC-9F61-E4F939078474} - C:\Program Files\Lexmark Printable Web\bho.dll ()
O4 - HKLM..\Run: [AVG9_TRAY] C:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [lxdwamon] C:\Program Files\Lexmark 7600 Series\lxdwamon.exe ()
O4 - HKLM..\Run: [lxdwmon.exe] C:\Program Files\Lexmark 7600 Series\lxdwmon.exe ()
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [Sony Ericsson PC Suite] C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe ()
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\soundman.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKLM..\Run: [ZoneAlarm Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe (Check Point Software Technologies LTD)
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NETGEAR WN121T Smart Wizard.lnk = C:\Program Files\NETGEAR\WN121T\wn121t.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab (Reg Error: Key error.)
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} http://www.musicnotes.com/download/mnviewer.cab (Musicnotes Viewer)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab (System Requirements Lab Class)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onecare.live.com/resource/...lscbase6087.cab (Windows Live Safety Center Base Module)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.0...oUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} http://office.microsoft.com/officeupdate/content/opuc4.cab (Office Update Installation Engine)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.164.98,93.188.166.141
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O24 - Desktop WallPaper: C:\WINDOWS\Soap Bubbles.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Soap Bubbles.bmp
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/04/22 16:16:27 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{1a04f0ba-2f5e-11de-8958-eff48b70d09e}\Shell - "" = AutoRun
O33 - MountPoints2\{1a04f0ba-2f5e-11de-8958-eff48b70d09e}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{1a04f0ba-2f5e-11de-8958-eff48b70d09e}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2009/04/22 16:16:03 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\system32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found
Unable to start service SrService!

========== Files/Folders - Created Within 30 Days ==========

[2010/05/19 22:41:01 | 000,571,904 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Katrina Davis\Desktop\OTL.exe
[2010/05/19 22:37:08 | 000,046,592 | ---- | C] (Microsoft Corporation) -- C:\pngfilt.old
[2010/05/18 22:08:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Katrina Davis\Desktop\tdsskiller
[2010/05/16 13:42:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Katrina Davis\Desktop\gmer
[2010/05/16 10:07:07 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Live Safety Center
[2010/05/15 21:46:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Katrina Davis\Desktop\RegSeeker
[2010/05/15 20:55:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Katrina Davis\Desktop\NICE guide
[2010/05/15 20:22:22 | 000,000,000 | -H-D | C] -- C:\WINDOWS\ie8
[2010/05/13 18:29:53 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2010/05/13 18:29:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2010/05/13 08:30:16 | 000,100,736 | ---- | C] (NVIDIA Corporation) -- C:\WINDOWS\System32\drivers\NVATA.SYS
[2010/05/13 07:14:30 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\MpEngineStore
[2010/05/02 22:39:54 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Defender
[2010/05/01 13:36:00 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[2010/04/28 17:47:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Katrina Davis\Application Data\SoundSpectrum
[2010/04/28 17:44:28 | 003,734,536 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_36.dll
[2010/04/28 17:44:24 | 000,000,000 | ---D | C] -- C:\Program Files\SoundSpectrum
[2010/04/21 08:00:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Katrina Davis\My Documents\jobs 2009
[2009/12/19 15:18:15 | 000,438,272 | ---- | C] ( ) -- C:\WINDOWS\System32\LXDWhcp.dll
[2009/12/19 15:18:14 | 001,069,056 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdwserv.dll
[2009/12/19 15:18:14 | 000,851,968 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdwusb1.dll
[2009/12/19 15:18:14 | 000,364,544 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdwinpa.dll
[2009/12/19 15:18:14 | 000,339,968 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdwiesc.dll
[2009/12/19 15:18:13 | 000,651,264 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdwpmui.dll
[2009/12/19 15:18:13 | 000,577,536 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdwlmpm.dll
[2009/12/19 15:18:12 | 000,679,936 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdwhbn3.dll
[2009/12/19 15:18:11 | 000,765,952 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdwcomc.dll
[2009/12/19 15:18:11 | 000,376,832 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdwcomm.dll
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/05/19 22:41:03 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Katrina Davis\Desktop\OTL.exe
[2010/05/19 22:35:56 | 008,126,464 | -H-- | M] () -- C:\Documents and Settings\Katrina Davis\NTUSER.DAT
[2010/05/19 22:20:00 | 000,000,304 | -H-- | M] () -- C:\WINDOWS\tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job
[2010/05/19 22:12:28 | 060,157,816 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2010/05/19 22:08:55 | 000,350,192 | ---- | M] () -- C:\WINDOWS\System32\vsconfig.xml
[2010/05/19 22:08:34 | 000,215,383 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2010/05/19 22:08:24 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/05/19 22:08:23 | 000,000,326 | -HS- | M] () -- C:\WINDOWS\tasks\Fhabbkikww.job
[2010/05/19 22:08:11 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/05/19 22:08:08 | 1072,209,920 | -HS- | M] () -- C:\hiberfil.sys
[2010/05/18 22:21:47 | 009,256,184 | -H-- | M] () -- C:\Documents and Settings\Katrina Davis\Local Settings\Application Data\IconCache.db
[2010/05/18 22:08:33 | 000,949,152 | ---- | M] () -- C:\Documents and Settings\Katrina Davis\Desktop\tdsskiller.zip
[2010/05/18 22:05:32 | 000,077,312 | ---- | M] () -- C:\mbr.exe
[2010/05/18 21:54:35 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/05/16 13:42:26 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\Katrina Davis\Desktop\gmer.zip
[2010/05/16 13:39:32 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\Katrina Davis\Desktop\dds.scr
[2010/05/16 13:35:54 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Katrina Davis\defogger_reenable
[2010/05/16 13:35:26 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Katrina Davis\Desktop\Defogger.exe
[2010/05/16 09:58:36 | 000,042,688 | ---- | M] () -- C:\Documents and Settings\Katrina Davis\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/05/16 09:57:47 | 000,177,856 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/05/15 20:35:11 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/05/15 14:34:21 | 000,010,899 | ---- | M] () -- C:\Documents and Settings\Katrina Davis\My Documents\ideas.docx
[2010/05/14 15:41:36 | 000,395,194 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/05/13 08:37:02 | 000,521,942 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/05/13 08:37:02 | 000,441,432 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/05/13 08:37:02 | 000,071,176 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/05/13 08:30:16 | 000,100,736 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\drivers\NVATA.SYS
[2010/05/12 07:32:01 | 000,000,173 | ---- | M] () -- C:\WINDOWS\System32\MRT.INI
[2010/05/10 22:56:02 | 000,016,942 | ---- | M] () -- C:\Documents and Settings\Katrina Davis\My Documents\psy hx.docx
[2010/05/06 10:36:38 | 000,221,568 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe
[2010/05/01 13:37:08 | 000,000,507 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/05/01 13:37:08 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/05/01 13:37:08 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2010/04/30 14:13:42 | 000,084,992 | RHS- | M] () -- C:\WINDOWS\System32\pngfiltr.dll
[2010/04/28 22:29:11 | 000,013,699 | ---- | M] () -- C:\Documents and Settings\Katrina Davis\My Documents\stal.docx
[2010/04/22 07:19:14 | 000,242,896 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/05/18 22:08:33 | 000,949,152 | ---- | C] () -- C:\Documents and Settings\Katrina Davis\Desktop\tdsskiller.zip
[2010/05/18 22:07:17 | 000,000,275 | ---- | C] () -- C:\Documents and Settings\Katrina Davis\mbr.log
[2010/05/18 22:05:31 | 000,077,312 | ---- | C] () -- C:\mbr.exe
[2010/05/16 13:42:25 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\Katrina Davis\Desktop\gmer.zip
[2010/05/16 13:39:27 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\Katrina Davis\Desktop\dds.scr
[2010/05/16 13:35:54 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Katrina Davis\defogger_reenable
[2010/05/16 13:35:25 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Katrina Davis\Desktop\Defogger.exe
[2010/05/12 07:32:01 | 000,000,173 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2010/05/10 22:56:02 | 000,016,942 | ---- | C] () -- C:\Documents and Settings\Katrina Davis\My Documents\psy hx.docx
[2010/05/09 18:07:37 | 000,010,899 | ---- | C] () -- C:\Documents and Settings\Katrina Davis\My Documents\ideas.docx
[2010/04/30 14:13:44 | 000,000,326 | -HS- | C] () -- C:\WINDOWS\tasks\Fhabbkikww.job
[2010/04/30 14:13:42 | 000,084,992 | RHS- | C] () -- C:\WINDOWS\System32\pngfiltr.dll
[2010/04/30 14:13:38 | 000,000,304 | -H-- | C] () -- C:\WINDOWS\tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job
[2010/04/28 19:04:24 | 000,013,699 | ---- | C] () -- C:\Documents and Settings\Katrina Davis\My Documents\stal.docx
[2009/12/19 15:24:24 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\lxdwvs.dll
[2009/12/19 15:24:19 | 000,360,448 | ---- | C] () -- C:\WINDOWS\System32\lxdwcoin.dll
[2009/12/19 15:23:34 | 001,036,288 | ---- | C] () -- C:\WINDOWS\System32\lxdwdrs.dll
[2009/12/19 15:23:34 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\lxdwcaps.dll
[2009/12/19 15:23:34 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\lxdwcnv4.dll
[2009/12/19 15:19:26 | 000,000,044 | ---- | C] () -- C:\WINDOWS\System32\lxdwrwrd.ini
[2009/12/19 15:18:15 | 000,389,120 | ---- | C] () -- C:\WINDOWS\System32\LXDWinst.dll
[2009/12/19 15:18:12 | 000,208,896 | ---- | C] () -- C:\WINDOWS\System32\lxdwgrd.dll
[2009/04/26 11:17:00 | 000,157,184 | ---- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2009/03/27 10:03:00 | 001,724,416 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2009/03/27 10:03:00 | 001,503,232 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2009/03/27 10:03:00 | 001,101,824 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2009/03/27 10:03:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll

========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2009/04/25 23:39:40 | 000,000,000 | ---- | M] () -- C:\AdobeDebug.txt
[2009/04/22 16:16:27 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2010/05/01 13:37:08 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2009/04/22 16:16:27 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2010/05/19 22:08:08 | 1072,209,920 | -HS- | M] () -- C:\hiberfil.sys
[2009/04/22 16:16:27 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2010/05/19 22:37:08 | 000,002,038 | ---- | M] () -- C:\logfile.txt
[2010/05/18 22:05:32 | 000,077,312 | ---- | M] () -- C:\mbr.exe
[2009/04/22 16:16:27 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2004/08/04 13:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2009/04/22 18:42:39 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2010/05/19 22:08:07 | 1610,612,736 | -HS- | M] () -- C:\pagefile.sys
[2009/03/08 04:31:36 | 000,046,592 | ---- | M] (Microsoft Corporation) -- C:\pngfilt.old
[2010/05/18 22:09:33 | 000,033,290 | ---- | M] () -- C:\TDSSKiller.2.3.0.0_18.05.2010_22.09.27_log.txt

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2010/04/30 14:13:42 | 000,084,992 | RHS- | M] () Unable to obtain MD5 -- C:\WINDOWS\system32\pngfiltr.dll
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >
[2010/05/19 22:08:23 | 000,000,326 | -HS- | M] () Unable to obtain MD5 -- C:\WINDOWS\Tasks\Fhabbkikww.job

< %systemroot%\System32\config\*.sav >
[2009/04/22 16:55:54 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2009/04/22 16:55:54 | 000,634,880 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2009/04/22 16:55:54 | 000,892,928 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\system32\drivers\*.sys /90 >
[2010/03/18 09:28:04 | 000,216,200 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\system32\drivers\avgldx86.sys
[2010/03/18 09:28:39 | 000,029,512 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\system32\drivers\avgmfx86.sys
[2010/04/22 07:19:14 | 000,242,896 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\system32\drivers\avgtdix.sys
[2010/02/24 14:11:07 | 000,455,680 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\mrxsmb.sys
[2010/05/13 08:30:16 | 000,100,736 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\drivers\NVATA.SYS
< End of report >

I'll post the extras.txt in the next post.

Edited by Solecizm, 19 May 2010 - 05:11 PM.


#6 Solecizm

Solecizm
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:03:44 PM

Posted 19 May 2010 - 05:09 PM

Some of those hosts (whatever they are) look dodgy!

I should have mentioned that when I ran the scan in OTL.exe it returned an error part way through:

Windows - No Disk [this was a little pop up window]
Exception Processing Message c0000013 Parameters 75b6bf7c 4 75b6bf7c 75b6bf7c

Anyway I clicked through it and it continued. Here is the Extras.txt:

OTL Extras logfile created on: 19/05/2010 22:42:15 - Run 1
OTL by OldTimer - Version 3.2.5.0 Folder = C:\Documents and Settings\Katrina Davis\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1,022.00 Mb Total Physical Memory | 414.00 Mb Available Physical Memory | 41.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 74.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.04 Gb Total Space | 97.59 Gb Free Space | 65.48% Space Free | Partition Type: NTFS
Unable to calculate disk information.
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: KATRINA-STUDY
Current User Name: Katrina Davis
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~2\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE" = C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote -- (Microsoft Corporation)
"C:\Program Files\Spotify\spotify.exe" = C:\Program Files\Spotify\spotify.exe:*:Enabled:Spotify -- (Spotify Ltd)
"C:\Program Files\AVG\AVG9\avgemc.exe" = C:\Program Files\AVG\AVG9\avgemc.exe:*:Enabled:avgemc.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG9\avgupd.exe" = C:\Program Files\AVG\AVG9\avgupd.exe:*:Enabled:avgupd.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG9\avgnsx.exe" = C:\Program Files\AVG\AVG9\avgnsx.exe:*:Enabled:avgnsx.exe -- (AVG Technologies CZ, s.r.o.)
"C:\WINDOWS\system32\lxdwcoms.exe" = C:\WINDOWS\system32\lxdwcoms.exe:*:Enabled:7600 Series Server -- ( )


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002B1E90-3241-4D45-8831-E89020F8E7E6}" = EndNote X2
"{02E89EFC-7B07-4D5A-AA03-9EC0902914EE}" = VC 9.0 Runtime
"{10812DE7-2E57-4740-B226-6B3BE34AF9D7}" = Lexmark Tools for Office
"{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java™ 6 Update 18
"{2A17F4DB-C3B7-4E45-AECC-7F9FF6909C4B}" = NETGEAR WN121T wireless USB 2.0 adapter
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_HOMESTUDENTR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{A06275F4-324B-4E85-95E6-87B2CD729401}" = Windows Defender
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CB6075D9-F912-40AE-BEA6-E590DA24F16B}" = Adobe Photoshop Elements 7.0
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D2C5E510-BE6D-42CC-9F61-E4F939078474}" = Lexmark Printable Web
"{FB08F381-6533-4108-B7DD-039E11FBC27E}" = Realtek AC'97 Audio
"{FE6397C1-CECA-4EC3-B064-42AED7676898}" = Sony Ericsson PC Suite
"{FFAB5ABB-8AAB-42E2-847F-1743E51E01E9}" = Disc2Phone
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Photoshop Elements 7" = Adobe Photoshop Elements 7.0
"Amazon MP3 Downloader" = Amazon MP3 Downloader 1.0.9
"AVG9Uninstall" = AVG Free 9.0
"Digital Editions" = Adobe Digital Editions
"HOMESTUDENTR" = Microsoft Office Home and Student 2007
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{2A17F4DB-C3B7-4E45-AECC-7F9FF6909C4B}" = NETGEAR WN121T wireless USB 2.0 adapter
"Lexmark 7600 Series" = Lexmark 7600 Series
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"Musicnotes Combined Installer_is1" = Musicnotes Software Suite 1.4.6
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"Spotify" = Spotify
"WhiteCap" = WhiteCap
"Windows Live OneCare safety scanner" = Windows Live OneCare safety scanner
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"ZoneAlarm" = ZoneAlarm

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 09/05/2010 16:46:44 | Computer Name = KATRINA-STUDY | Source = Application Error | ID = 1000
Description = Faulting application lxdwcoms.exe, version 8.4.13.0, faulting module
lxdwserv.dll, version 8.4.13.0, fault address 0x00076f57.

Error - 10/05/2010 17:52:00 | Computer Name = KATRINA-STUDY | Source = Microsoft Office 12 | ID = 1000
Description = Faulting application excel.exe, version 12.0.6524.5003, stamp 4b4fba46,
faulting module excel.exe, version 12.0.6524.5003, stamp 4b4fba46, debug? 0, fault
address 0x000216ec.

Error - 15/05/2010 06:41:03 | Computer Name = KATRINA-STUDY | Source = Application Error | ID = 1000
Description = Faulting application spotify.exe, version 0.4.3.383, faulting module
spotify.exe, version 0.4.3.383, fault address 0x00053dc2.

Error - 15/05/2010 06:41:11 | Computer Name = KATRINA-STUDY | Source = Application Error | ID = 1001
Description = Fault bucket 1835758386.

Error - 16/05/2010 13:32:52 | Computer Name = KATRINA-STUDY | Source = Application Error | ID = 1000
Description = Faulting application foxitr~1.exe, version 1.3.0.104, faulting module
foxitr~1.exe, version 1.3.0.104, fault address 0x00097eb0.

Error - 16/05/2010 13:33:00 | Computer Name = KATRINA-STUDY | Source = Application Error | ID = 1000
Description = Faulting application foxitr~1.exe, version 1.3.0.104, faulting module
foxitr~1.exe, version 1.3.0.104, fault address 0x00097eb0.

Error - 16/05/2010 13:33:31 | Computer Name = KATRINA-STUDY | Source = Application Error | ID = 1000
Description = Faulting application foxitr~1.exe, version 1.3.0.104, faulting module
foxitr~1.exe, version 1.3.0.104, fault address 0x00097eb0.

Error - 16/05/2010 13:37:29 | Computer Name = KATRINA-STUDY | Source = Application Error | ID = 1000
Description = Faulting application foxitr~1.exe, version 1.3.0.104, faulting module
foxitr~1.exe, version 1.3.0.104, fault address 0x00097eb0.

Error - 16/05/2010 13:43:23 | Computer Name = KATRINA-STUDY | Source = Application Error | ID = 1000
Description = Faulting application foxitr~1.exe, version 1.3.0.104, faulting module
foxitr~1.exe, version 1.3.0.104, fault address 0x00097eb0.

Error - 16/05/2010 13:53:56 | Computer Name = KATRINA-STUDY | Source = Application Error | ID = 1000
Description = Faulting application foxitr~1.exe, version 1.3.0.104, faulting module
foxitr~1.exe, version 1.3.0.104, fault address 0x00097eb0.

[ OSession Events ]
Error - 17/05/2009 13:52:39 | Computer Name = KATRINA-STUDY | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 1, Application Name: Microsoft Office Excel, Application Version:
12.0.6341.5001, Microsoft Office Version: 12.0.6215.1000. This session lasted 3276
seconds with 60 seconds of active time. This session ended with a crash.

Error - 10/06/2009 17:53:21 | Computer Name = KATRINA-STUDY | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 1, Application Name: Microsoft Office Excel, Application Version:
12.0.6341.5001, Microsoft Office Version: 12.0.6215.1000. This session lasted 39193
seconds with 780 seconds of active time. This session ended with a crash.

Error - 15/11/2009 09:16:18 | Computer Name = KATRINA-STUDY | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 1, Application Name: Microsoft Office Excel, Application Version:
12.0.6514.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 12322
seconds with 6120 seconds of active time. This session ended with a crash.

Error - 22/11/2009 13:03:27 | Computer Name = KATRINA-STUDY | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 1, Application Name: Microsoft Office Excel, Application Version:
12.0.6514.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 1552
seconds with 1140 seconds of active time. This session ended with a crash.

Error - 10/12/2009 04:15:52 | Computer Name = KATRINA-STUDY | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 187
seconds with 60 seconds of active time. This session ended with a crash.

Error - 02/03/2010 07:30:59 | Computer Name = KATRINA-STUDY | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 1, Application Name: Microsoft Office Excel, Application Version:
12.0.6514.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 1479
seconds with 780 seconds of active time. This session ended with a crash.

Error - 10/05/2010 17:51:57 | Computer Name = KATRINA-STUDY | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 1, Application Name: Microsoft Office Excel, Application Version:
12.0.6524.5003, Microsoft Office Version: 12.0.6425.1000. This session lasted 925
seconds with 420 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 15/05/2010 09:38:03 | Computer Name = KATRINA-STUDY | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 15/05/2010 09:38:03 | Computer Name = KATRINA-STUDY | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 15/05/2010 09:38:03 | Computer Name = KATRINA-STUDY | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 15/05/2010 09:38:03 | Computer Name = KATRINA-STUDY | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 15/05/2010 09:38:03 | Computer Name = KATRINA-STUDY | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 15/05/2010 09:38:03 | Computer Name = KATRINA-STUDY | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 15/05/2010 09:38:03 | Computer Name = KATRINA-STUDY | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 15/05/2010 09:38:04 | Computer Name = KATRINA-STUDY | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 19/05/2010 17:43:58 | Computer Name = KATRINA-STUDY | Source = SRService | ID = 104
Description = The System Restore initialization process failed.

Error - 19/05/2010 17:43:58 | Computer Name = KATRINA-STUDY | Source = Service Control Manager | ID = 7023
Description = The System Restore Service service terminated with the following error:
%%2


< End of report >

Thanks again for taking the time to help us with this smile.gif

#7 snemelk

snemelk

    inżynier


  • Malware Response Team
  • 1,468 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Poland
  • Local time:04:44 PM

Posted 19 May 2010 - 06:00 PM

Hi again Solecizm!!.. smile.gif..

QUOTE(Solecizm @ May 20 2010, 12:09 AM) View Post
Thanks again for taking the time to help us with this smile.gif

No problem!!.. smile.gif. This log is a fun for me!.. And I think I'm going blind - there was an infection (DNS changer) clearly visible in the DDS logfile but my eyes missed the entry... There is also a second infection now visible in the OTL logfile...

Let's try this:

Firstly,
Please run OTL.exe.
  • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    :OTL
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.164.98,93.188.166.141
    [2010/05/19 22:37:08 | 000,046,592 | ---- | C] (Microsoft Corporation) -- C:\pngfilt.old
    [2010/04/30 14:13:44 | 000,000,326 | -HS- | C] () -- C:\WINDOWS\tasks\Fhabbkikww.job
    [2010/04/30 14:13:42 | 000,084,992 | RHS- | C] () -- C:\WINDOWS\System32\pngfiltr.dll
    [2010/04/30 14:13:38 | 000,000,304 | -H-- | C] () -- C:\WINDOWS\tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job
    :Commands
    [EmptyTemp]
    [EMPTYFLASH]

  • Return to OTL.exe, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.
  • Click the red Run Fix button.
  • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTL.exe
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Secondly,
Please download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Thirdly,
Run OTL.exe, click Run Scan... Post the contents of the logfile (OTL.txt) generated... smile.gif

Edited by snemelk, 20 May 2010 - 03:52 AM.

Posted Image
snemelk.hekko.pl - my site with a few computer security tips...
Silesia - that's where I live!

"If I had some duct tape, I could fix that." - MacGyver


#8 Solecizm

Solecizm
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:03:44 PM

Posted 20 May 2010 - 02:18 PM

Snemelk,

Looking good! Did a quick test in Google after performing your suggested actions, and there were no redirects!

Here are the logs:

All processes killed
========== OTL ==========
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\\NameServer| /E : value set successfully!
C:\pngfilt.old moved successfully.
C:\WINDOWS\tasks\Fhabbkikww.job moved successfully.
C:\WINDOWS\system32\pngfiltr.dll moved successfully.
C:\WINDOWS\tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Katrina Davis
->Temp folder emptied: 19503485 bytes
->Temporary Internet Files folder emptied: 83615711 bytes
->Flash cache emptied: 143824 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 160738 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2162283 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 3911150 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 13503542 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 2429311113 bytes

Total Files Cleaned = 2,434.00 mb


[EMPTYFLASH]

User: All Users

User: Default User

User: Katrina Davis
->Flash cache emptied: 0 bytes

User: LocalService

User: NetworkService

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.5.0 log created on 05202010_195203

Files\Folders moved on Reboot...
C:\Documents and Settings\Katrina Davis\Local Settings\Temp\~DF2ADC.tmp moved successfully.
File\Folder C:\Documents and Settings\Katrina Davis\Local Settings\Temp\~DF88E6.tmp not found!
File\Folder C:\Documents and Settings\Katrina Davis\Local Settings\Temp\~DF8920.tmp not found!
File\Folder C:\Documents and Settings\Katrina Davis\Local Settings\Temp\~DF8A4E.tmp not found!
File\Folder C:\Documents and Settings\Katrina Davis\Local Settings\Temp\~DF8A7C.tmp not found!
File\Folder C:\Documents and Settings\Katrina Davis\Local Settings\Temp\~DF8C0D.tmp not found!
File\Folder C:\Documents and Settings\Katrina Davis\Local Settings\Temp\~DF8C70.tmp not found!
C:\Documents and Settings\Katrina Davis\Local Settings\Temporary Internet Files\Content.IE5\QBOGA5DV\iframe[1].htm moved successfully.
C:\Documents and Settings\Katrina Davis\Local Settings\Temporary Internet Files\Content.IE5\MM2IWENN\topic317153[1].htm moved successfully.
C:\Documents and Settings\Katrina Davis\Local Settings\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.
File\Folder C:\WINDOWS\temp\ZLT05c87.TMP not found!

Registry entries deleted on Reboot...


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4121

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

20/05/2010 20:10:01
mbam-log-2010-05-20 (20-10-01).txt

Scan type: Quick scan
Objects scanned: 115616
Time elapsed: 4 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\M5T8QL3YW3 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


OTL logfile created on: 20/05/2010 20:11:03 - Run 2
OTL by OldTimer - Version 3.2.5.0 Folder = C:\Documents and Settings\Katrina Davis\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1,022.00 Mb Total Physical Memory | 363.00 Mb Available Physical Memory | 36.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 76.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.04 Gb Total Space | 99.96 Gb Free Space | 67.07% Space Free | Partition Type: NTFS
Unable to calculate disk information.
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: KATRINA-STUDY
Current User Name: Katrina Davis
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/05/19 22:41:03 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Katrina Davis\Desktop\OTL.exe
PRC - [2010/04/22 07:19:15 | 002,064,736 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgtray.exe
PRC - [2010/04/22 07:19:14 | 000,620,896 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgnsx.exe
PRC - [2010/04/09 13:21:15 | 001,101,152 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgchsvx.exe
PRC - [2010/03/18 09:28:39 | 000,508,184 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgrsx.exe
PRC - [2010/03/18 09:28:36 | 000,308,064 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe
PRC - [2010/03/18 09:28:04 | 000,916,760 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgemc.exe
PRC - [2010/03/18 09:28:04 | 000,710,424 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgcsrvx.exe
PRC - [2009/03/05 16:07:20 | 002,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2009/02/16 00:10:22 | 002,402,184 | ---- | M] (Check Point Software Technologies LTD) -- C:\WINDOWS\system32\ZoneLabs\vsmon.exe
PRC - [2009/02/16 00:10:22 | 000,981,384 | ---- | M] (Check Point Software Technologies LTD) -- C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
PRC - [2008/09/16 12:03:18 | 000,169,312 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
PRC - [2008/09/10 11:15:24 | 000,676,520 | ---- | M] () -- C:\Program Files\Lexmark 7600 Series\lxdwmon.exe
PRC - [2008/09/10 11:15:21 | 000,025,256 | ---- | M] () -- C:\Program Files\Lexmark 7600 Series\lxdwmsdmon.exe
PRC - [2008/05/16 16:33:10 | 000,594,600 | ---- | M] ( ) -- C:\WINDOWS\system32\lxdwcoms.exe
PRC - [2008/05/16 16:32:56 | 000,098,984 | ---- | M] (Lexmark International, Inc.) -- C:\WINDOWS\system32\spool\drivers\w32x86\3\lxdwserv.exe
PRC - [2008/04/14 01:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/02/25 09:44:26 | 002,121,728 | ---- | M] () -- C:\Program Files\NETGEAR\WN121T\wn121t.exe
PRC - [2007/03/28 01:07:42 | 000,593,920 | R--- | M] () -- C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
PRC - [2007/02/09 17:03:38 | 000,983,040 | R--- | M] (Teleca AB) -- C:\Program Files\Common Files\Teleca Shared\Generic.exe
PRC - [2005/11/11 14:07:40 | 000,090,112 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\soundman.exe


========== Modules (SafeList) ==========

MOD - [2010/05/19 22:41:03 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Katrina Davis\Desktop\OTL.exe
MOD - [2008/04/14 01:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - [2010/03/18 09:28:36 | 000,308,064 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgwdsvc.exe -- (avg9wd)
SRV - [2010/03/18 09:28:04 | 000,916,760 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgemc.exe -- (avg9emc)
SRV - [2009/04/25 20:55:34 | 000,651,720 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2009/02/16 00:10:22 | 002,402,184 | ---- | M] (Check Point Software Technologies LTD) [Auto | Running] -- C:\WINDOWS\System32\ZoneLabs\vsmon.exe -- (vsmon)
SRV - [2008/09/16 12:03:18 | 000,169,312 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe -- (AdobeActiveFileMonitor7.0)
SRV - [2008/05/16 16:33:10 | 000,594,600 | ---- | M] ( ) [Auto | Running] -- C:\WINDOWS\System32\lxdwcoms.exe -- (lxdw_device)
SRV - [2008/05/16 16:32:56 | 000,098,984 | ---- | M] () [Auto | Running] -- C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdwserv.exe -- (lxdwCATSCustConnectService)
SRV - [2006/11/03 19:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend)
SRV - [2005/11/14 01:06:04 | 000,069,632 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe -- (IDriverT)


========== Driver Services (SafeList) ==========

DRV - [2010/05/13 08:30:16 | 000,100,736 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\NVATA.SYS -- (nvata)
DRV - [2010/04/22 07:19:14 | 000,242,896 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgtdix.sys -- (AvgTdiX)
DRV - [2010/03/18 09:28:39 | 000,029,512 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\System32\Drivers\avgmfx86.sys -- (AvgMfx86)
DRV - [2010/03/18 09:28:04 | 000,216,200 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgldx86.sys -- (AvgLdx86)
DRV - [2009/03/27 10:03:00 | 006,280,416 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2009/02/16 00:10:26 | 000,353,672 | ---- | M] (Check Point Software Technologies LTD) [Kernel | System | Running] -- C:\WINDOWS\system32\vsdatant.sys -- (vsdatant)
DRV - [2008/11/17 02:24:00 | 000,051,688 | ---- | M] (Check Point Software Technologies LTD) [Kernel | Boot | Running] -- C:\WINDOWS\system32\ZoneLabs\srescan.sys -- (srescan)
DRV - [2007/11/18 19:42:52 | 000,461,952 | ---- | M] (Marvell Semiconductor, Inc) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\MRVW245.sys -- (MRVW245) Marvell TOPDOG 802.11n WLAN Driver for Windows XP (USB8x)
DRV - [2007/04/16 21:46:00 | 000,033,792 | ---- | M] (Advanced Micro Devices) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AmdPPM.sys -- (AmdPPM)
DRV - [2007/04/03 13:59:42 | 000,099,080 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s616unic.sys -- (s616unic) Sony Ericsson Device 616 USB Ethernet Emulation SEMC616 (WDM)
DRV - [2007/04/03 13:59:42 | 000,098,568 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s616obex.sys -- (s616obex)
DRV - [2007/04/03 13:59:40 | 000,100,360 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s616mgmt.sys -- (s616mgmt) Sony Ericsson Device 616 USB WMC Device Management Drivers (WDM)
DRV - [2007/04/03 13:59:30 | 000,083,208 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s616bus.sys -- (s616bus) Sony Ericsson Device 616 driver (WDM)
DRV - [2006/09/05 20:07:52 | 000,097,088 | R--- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\se59mdm.sys -- (se59mdm)
DRV - [2006/09/05 20:07:48 | 000,009,360 | R--- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\se59mdfl.sys -- (se59mdfl)
DRV - [2006/02/17 11:28:32 | 000,013,056 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus)
DRV - [2006/02/17 11:28:30 | 000,034,176 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD)
DRV - [2005/12/02 14:11:40 | 003,841,856 | R--- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\alcxwdm.sys -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2001/08/17 13:53:32 | 000,003,328 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\qv2kux.sys -- (QV2KUX)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://my.yahoo.co.uk/ [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.birminghamcourseonline.co.uk/co.../view.php?id=25
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


[2010/05/15 14:39:38 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2010/05/14 15:41:36 | 000,395,194 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 13648 more lines...
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Lexmark Printable Web) - {D2C5E510-BE6D-42CC-9F61-E4F939078474} - C:\Program Files\Lexmark Printable Web\bho.dll ()
O4 - HKLM..\Run: [AVG9_TRAY] C:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [lxdwamon] C:\Program Files\Lexmark 7600 Series\lxdwamon.exe ()
O4 - HKLM..\Run: [lxdwmon.exe] C:\Program Files\Lexmark 7600 Series\lxdwmon.exe ()
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [Sony Ericsson PC Suite] C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe ()
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\soundman.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKLM..\Run: [ZoneAlarm Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe (Check Point Software Technologies LTD)
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NETGEAR WN121T Smart Wizard.lnk = C:\Program Files\NETGEAR\WN121T\wn121t.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab (Reg Error: Key error.)
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} http://www.musicnotes.com/download/mnviewer.cab (Musicnotes Viewer)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab (System Requirements Lab Class)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onecare.live.com/resource/...lscbase6087.cab (Windows Live Safety Center Base Module)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.0...oUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} http://office.microsoft.com/officeupdate/content/opuc4.cab (Office Update Installation Engine)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O24 - Desktop WallPaper: C:\WINDOWS\Soap Bubbles.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Soap Bubbles.bmp
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/04/22 16:16:27 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{1a04f0ba-2f5e-11de-8958-eff48b70d09e}\Shell - "" = AutoRun
O33 - MountPoints2\{1a04f0ba-2f5e-11de-8958-eff48b70d09e}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{1a04f0ba-2f5e-11de-8958-eff48b70d09e}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/05/20 20:00:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Katrina Davis\Application Data\Malwarebytes
[2010/05/20 20:00:08 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/05/20 20:00:07 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/05/20 20:00:07 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/05/20 20:00:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/05/20 19:59:10 | 006,153,376 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Katrina Davis\Desktop\mbam-setup-1.46.exe
[2010/05/20 19:52:03 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/05/19 22:41:01 | 000,571,904 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Katrina Davis\Desktop\OTL.exe
[2010/05/18 22:08:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Katrina Davis\Desktop\tdsskiller
[2010/05/16 13:42:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Katrina Davis\Desktop\gmer
[2010/05/16 10:07:07 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Live Safety Center
[2010/05/15 21:46:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Katrina Davis\Desktop\RegSeeker
[2010/05/15 20:55:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Katrina Davis\Desktop\NICE guide
[2010/05/15 20:22:22 | 000,000,000 | -H-D | C] -- C:\WINDOWS\ie8
[2010/05/13 18:29:53 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2010/05/13 18:29:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2010/05/13 08:30:16 | 000,100,736 | ---- | C] (NVIDIA Corporation) -- C:\WINDOWS\System32\drivers\NVATA.SYS
[2010/05/13 07:14:30 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\MpEngineStore
[2010/05/02 22:39:54 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Defender
[2010/05/01 13:36:00 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[2010/04/28 17:47:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Katrina Davis\Application Data\SoundSpectrum
[2010/04/28 17:44:28 | 003,734,536 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_36.dll
[2010/04/28 17:44:24 | 000,000,000 | ---D | C] -- C:\Program Files\SoundSpectrum
[2010/04/21 08:00:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Katrina Davis\My Documents\jobs 2009
[2009/12/19 15:18:15 | 000,438,272 | ---- | C] ( ) -- C:\WINDOWS\System32\LXDWhcp.dll
[2009/12/19 15:18:14 | 001,069,056 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdwserv.dll
[2009/12/19 15:18:14 | 000,851,968 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdwusb1.dll
[2009/12/19 15:18:14 | 000,364,544 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdwinpa.dll
[2009/12/19 15:18:14 | 000,339,968 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdwiesc.dll
[2009/12/19 15:18:13 | 000,651,264 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdwpmui.dll
[2009/12/19 15:18:13 | 000,577,536 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdwlmpm.dll
[2009/12/19 15:18:12 | 000,679,936 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdwhbn3.dll
[2009/12/19 15:18:11 | 000,765,952 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdwcomc.dll
[2009/12/19 15:18:11 | 000,376,832 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdwcomm.dll

========== Files - Modified Within 30 Days ==========

[2010/05/20 20:00:12 | 008,126,464 | -H-- | M] () -- C:\Documents and Settings\Katrina Davis\NTUSER.DAT
[2010/05/20 20:00:10 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/05/20 19:59:20 | 006,153,376 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Katrina Davis\Desktop\mbam-setup-1.46.exe
[2010/05/20 19:54:45 | 000,215,383 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2010/05/20 19:54:37 | 000,350,192 | ---- | M] () -- C:\WINDOWS\System32\vsconfig.xml
[2010/05/20 19:54:16 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/05/20 19:54:06 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/05/20 19:54:02 | 1072,209,920 | -HS- | M] () -- C:\hiberfil.sys
[2010/05/20 19:49:28 | 060,199,940 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2010/05/19 22:41:03 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Katrina Davis\Desktop\OTL.exe
[2010/05/18 22:21:47 | 009,256,184 | -H-- | M] () -- C:\Documents and Settings\Katrina Davis\Local Settings\Application Data\IconCache.db
[2010/05/18 22:08:33 | 000,949,152 | ---- | M] () -- C:\Documents and Settings\Katrina Davis\Desktop\tdsskiller.zip
[2010/05/18 22:05:32 | 000,077,312 | ---- | M] () -- C:\mbr.exe
[2010/05/18 21:54:35 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/05/16 13:42:26 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\Katrina Davis\Desktop\gmer.zip
[2010/05/16 13:39:32 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\Katrina Davis\Desktop\dds.scr
[2010/05/16 13:35:54 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Katrina Davis\defogger_reenable
[2010/05/16 13:35:26 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Katrina Davis\Desktop\Defogger.exe
[2010/05/16 09:58:36 | 000,042,688 | ---- | M] () -- C:\Documents and Settings\Katrina Davis\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/05/16 09:57:47 | 000,177,856 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/05/15 20:35:11 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/05/15 14:34:21 | 000,010,899 | ---- | M] () -- C:\Documents and Settings\Katrina Davis\My Documents\ideas.docx
[2010/05/14 15:41:36 | 000,395,194 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/05/13 08:37:02 | 000,521,942 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/05/13 08:37:02 | 000,441,432 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/05/13 08:37:02 | 000,071,176 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/05/13 08:30:16 | 000,100,736 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\drivers\NVATA.SYS
[2010/05/12 07:32:01 | 000,000,173 | ---- | M] () -- C:\WINDOWS\System32\MRT.INI
[2010/05/10 22:56:02 | 000,016,942 | ---- | M] () -- C:\Documents and Settings\Katrina Davis\My Documents\psy hx.docx
[2010/05/06 10:36:38 | 000,221,568 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe
[2010/05/01 13:37:08 | 000,000,507 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/05/01 13:37:08 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/05/01 13:37:08 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/28 22:29:11 | 000,013,699 | ---- | M] () -- C:\Documents and Settings\Katrina Davis\My Documents\stal.docx
[2010/04/22 07:19:14 | 000,242,896 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys

========== Files Created - No Company Name ==========

[2010/05/20 20:00:10 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/05/18 22:08:33 | 000,949,152 | ---- | C] () -- C:\Documents and Settings\Katrina Davis\Desktop\tdsskiller.zip
[2010/05/18 22:07:17 | 000,000,275 | ---- | C] () -- C:\Documents and Settings\Katrina Davis\mbr.log
[2010/05/18 22:05:31 | 000,077,312 | ---- | C] () -- C:\mbr.exe
[2010/05/16 13:42:25 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\Katrina Davis\Desktop\gmer.zip
[2010/05/16 13:39:27 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\Katrina Davis\Desktop\dds.scr
[2010/05/16 13:35:54 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Katrina Davis\defogger_reenable
[2010/05/16 13:35:25 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Katrina Davis\Desktop\Defogger.exe
[2010/05/12 07:32:01 | 000,000,173 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2010/05/10 22:56:02 | 000,016,942 | ---- | C] () -- C:\Documents and Settings\Katrina Davis\My Documents\psy hx.docx
[2010/05/09 18:07:37 | 000,010,899 | ---- | C] () -- C:\Documents and Settings\Katrina Davis\My Documents\ideas.docx
[2010/04/28 19:04:24 | 000,013,699 | ---- | C] () -- C:\Documents and Settings\Katrina Davis\My Documents\stal.docx
[2009/12/19 15:24:24 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\lxdwvs.dll
[2009/12/19 15:24:19 | 000,360,448 | ---- | C] () -- C:\WINDOWS\System32\lxdwcoin.dll
[2009/12/19 15:23:34 | 001,036,288 | ---- | C] () -- C:\WINDOWS\System32\lxdwdrs.dll
[2009/12/19 15:23:34 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\lxdwcaps.dll
[2009/12/19 15:23:34 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\lxdwcnv4.dll
[2009/12/19 15:19:26 | 000,000,044 | ---- | C] () -- C:\WINDOWS\System32\lxdwrwrd.ini
[2009/12/19 15:18:15 | 000,389,120 | ---- | C] () -- C:\WINDOWS\System32\LXDWinst.dll
[2009/12/19 15:18:12 | 000,208,896 | ---- | C] () -- C:\WINDOWS\System32\lxdwgrd.dll
[2009/04/26 11:17:00 | 000,157,184 | ---- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2009/03/27 10:03:00 | 001,724,416 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2009/03/27 10:03:00 | 001,503,232 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2009/03/27 10:03:00 | 001,101,824 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2009/03/27 10:03:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
< End of report >


#9 snemelk

snemelk

    inżynier


  • Malware Response Team
  • 1,468 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Poland
  • Local time:04:44 PM

Posted 20 May 2010 - 04:43 PM

Hi again Solecizm!!.. smile.gif

QUOTE(Solecizm @ May 20 2010, 09:18 PM) View Post
Looking good! Did a quick test in Google after performing your suggested actions, and there were no redirects!

That's good!.. thumbup2.gif

A quick question: do you have a default username and password on your router??.. If yes, I'll need to ask you to reset your router and secure it...

Firstly,
We need to update outdated programs (with security vulnerabilities) on your machine:

- Java

Go to Start > Control Panel double-click on Add or Remove Programs and remove:
Java™ 6 Update 18

Then,
  • Download the latest version of Java Runtime Environment (JRE) 6.
  • Scroll down to where it says "JDK 6 Update 20 (JDK or JRE)".
  • Click the "Download JRE" button to the right.
  • In the Window that opens, select Windows, your Language, check the "agree" box and click Continue.
  • Click on the link to download Windows Offline Installation and save to your Desktop.
  • Close any programs you may have running - especially your web browser.
  • Then from your desktop double-click on jre-6u20-windows-i586.exe that you downloaded to install the newest version.

- Adobe Flash Player:

To make sure you have the latest version of Adobe Flash Player installed:
1. To uninstall an older version, download this file to your Desktop: uninstall_flash_player.exe
2. Quit ALL running applications, including all Internet Explorer or other browser windows, and messenger applications (like AOL Instant Messenger, Yahoo Messenger, MSN Messenger.
3. Double-click on the file you've downloaded to uninstall Flash.
4. If uninstalled successfully, go to this site: Install Adobe Flash Player, and choose Agree and install now. This will install the newest version of Flash for your browser (note: Flash plugins for IE and Firefox must be installed separately).
Note: I recommend you uncheck an optional install (Free McAfee Security Scan or Free Google Toolbar).

Secondly,
Please run an online scan to make sure we leave nothing behind...

Please scan your computer with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push

Posted Image
snemelk.hekko.pl - my site with a few computer security tips...
Silesia - that's where I live!

"If I had some duct tape, I could fix that." - MacGyver


#10 Solecizm

Solecizm
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:03:44 PM

Posted 22 May 2010 - 06:06 AM

Hi Snemelk

I changed the username and password on my router already, so no worries there smile.gif

I updated Java and Flash as you instructed then ran ESET. I couldn't see the "List of found threats" button once it finished, but it said it found 0 threats anyway, so that's probably why.

Still not getting any redirects, so it looks like it's all sorted! Thanks so much for your help!! I could never have figured all of this out without you :D

#11 snemelk

snemelk

    inżynier


  • Malware Response Team
  • 1,468 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Poland
  • Local time:04:44 PM

Posted 22 May 2010 - 05:22 PM

Hi again Solecizm!!.. smile.gif.

QUOTE(Solecizm @ May 22 2010, 01:06 PM) View Post
I changed the username and password on my router already, so no worries there smile.gif

Good!!.. thumbup2.gif

QUOTE
Still not getting any redirects, so it looks like it's all sorted! Thanks so much for your help!! I could never have figured all of this out without you :D

Glad to hear that!.. You're welcome!..

To remove all of the tools we used and the files and folders they created do the following:
Double click OTL.exe.
  • Click the CleanUp button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.
Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

Then,
Please, set up a new System Restore point:

Turn off System Restore

To turn off System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Select the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
4. Click Yes when you receive the prompt to the turn off System Restore.

The to turn it back on
1. Wait for Windows to finish clearing Restore Points.
2. Clear the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.

Please check my site - snemelk.hekko.pl:
Also, I recommend you to read Grinler's excellent article: How did I get infected?, With steps so it does not happen again!

thumbup2.gif
Posted Image
snemelk.hekko.pl - my site with a few computer security tips...
Silesia - that's where I live!

"If I had some duct tape, I could fix that." - MacGyver


#12 snemelk

snemelk

    inżynier


  • Malware Response Team
  • 1,468 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Poland
  • Local time:04:44 PM

Posted 04 June 2010 - 10:26 AM

Glad we could help. smile.gif

If you need this topic reopened, just send me a PM (Send message from my profile) with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
Posted Image
snemelk.hekko.pl - my site with a few computer security tips...
Silesia - that's where I live!

"If I had some duct tape, I could fix that." - MacGyver





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users