
Infected with Unknown rootkit possible / google random redirect


19 replies to this topic

#1 hortoholic
  • Members
  • 64 posts

Posted 26 May 2010 - 11:09 AM

I have a possible rootkit that causes redirection of Google results to other sites. Had a few popups as well. I thank you for your help. If you need any more details, please do not hesitate to ask.

hortoholic

Below are the logs:






DDS (Ver_10-03-17.01) - NTFSx86
Run by Jonathan at 11:19:41.76 on Wed 05/26/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.88 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\vsnp2std.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Jonathan\Desktop\Copy of dds.scr

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [tsnp2std] c:\windows\tsnp2std.exe
mRun: [snp2std] c:\windows\vsnp2std.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} - hxxp://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab64162.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: !SASWinLogon - c:\documents and settings\jonathan\my documents\programs\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\documents and settings\jonathan\my documents\programs\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2011-11-22 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2011-11-22 29512]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2011-11-22 242896]
R1 SASDIFSV;SASDIFSV;c:\documents and settings\jonathan\my documents\programs\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\documents and settings\jonathan\my documents\programs\superantispyware\SASKUTIL.SYS [2010-5-6 68168]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-3-14 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-14 308064]
S0 cerc6;cerc6; [x]
S0 qxxf;qxxf;c:\windows\system32\drivers\lyhdl.sys --> c:\windows\system32\drivers\lyhdl.sys [?]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\documents and settings\jonathan\my documents\programs\ad aware\ad-aware\AAWService.exe [2010-2-4 1314704]

=============== Created Last 30 ================


==================== Find3M ====================

2011-11-22 12:39:44 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2010-05-22 16:39:57 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-05-22 16:39:53 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-05-19 18:33:51 29286 ----a-w- c:\windows\system32\nvModes.dat
2010-04-29 19:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-29 09:47:50 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-04-17 02:12:18 48464 ----a-w- c:\windows\system32\sirenacm.dll
2010-03-16 02:11:08 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-14 15:02:03 12464 ----a-w- c:\windows\system32\avgrsstx.dll

============= FINISH: 11:21:24.67 ===============


Thanks!


Edited by hortoholic, 26 May 2010 - 11:10 AM.
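The SERVICES / DRIVERS section of the DDS log above has one entry that stands out on inspection: the S0 (boot-start) driver qxxf, whose image is lyhdl.sys and whose path DDS could not resolve ([?]); the ComboFix log later in this thread shows Service_qxxf being removed. The following Python script is an added example, not code from the original post or from the DDS tool: it parses the SERVICES / DRIVERS block into structured records and applies three defender-side triage heuristics (file missing or unresolved, boot-start driver with no file on disk, and a service name that does not match its driver's file name). The sample lines are copied from the log above; the heuristics and all function names are my own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a SERVICES / DRIVERS block in the format DDS prints, with
# lines taken from the log posted above (trimmed to those needed here).
SAMPLE_DDS = r"""
============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2011-11-22 216200]
R1 SASDIFSV;SASDIFSV;c:\documents and settings\jonathan\my documents\programs\superantispyware\sasdifsv.sys [2010-2-17 12872]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-14 308064]
S0 cerc6;cerc6; [x]
S0 qxxf;qxxf;c:\windows\system32\drivers\lyhdl.sys --> c:\windows\system32\drivers\lyhdl.sys [?]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\documents and settings\jonathan\my documents\programs\ad aware\ad-aware\AAWService.exe [2010-2-4 1314704]

=============== Created Last 30 ================
"""

# One DDS service line: "<start> <name>;<display name>;<image path> [<date size>|x|?]"
LINE_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")


@dataclass
class ServiceEntry:
    start: str            # R = running, S = stopped; the digit is the start type, 0 = boot
    name: str             # service/driver key name
    display: str
    path: Optional[str]   # resolved image path, None when DDS printed no file
    file_present: bool    # False for "[x]" (no file) and "[?]" (could not resolve)


def parse_services(text: str) -> List[ServiceEntry]:
    """Extract the SERVICES / DRIVERS section of a DDS log into structured entries."""
    entries: List[ServiceEntry] = []
    in_section = False
    for line in text.splitlines():
        if "SERVICES / DRIVERS" in line:
            in_section = True
            continue
        if in_section and line.startswith("====="):
            break                      # the next section header ends the block
        m = LINE_RE.match(line) if in_section else None
        if not m:
            continue
        rest = m.group("rest").strip()
        # Split "<path(s)> [<status>]": status is a "date size" pair for a real
        # file, "x" when there is no file at all, "?" when the path is unresolved.
        if "[" in rest:
            path_part, status = rest.rsplit("[", 1)
            status = status.rstrip("]")
        else:
            path_part, status = rest, ""
        # "a --> b" means DDS echoed the registry ImagePath and its resolution; keep b.
        path = path_part.split("-->")[-1].strip() or None
        present = bool(status) and status not in ("x", "?")
        entries.append(ServiceEntry(m.group("start"), m.group("name"),
                                    m.group("display"), path, present))
    return entries


def triage(entry: ServiceEntry) -> List[str]:
    """Heuristic flags a reviewer would raise on one entry (the heuristics are my own)."""
    flags: List[str] = []
    if not entry.file_present:
        flags.append("file missing or unresolved")
        if entry.start[1] == "0":
            flags.append("boot-start driver without a file on disk")
        if entry.path:
            base = entry.path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
            if base != entry.name.lower():
                flags.append("service name does not match driver file name")
    return flags


def find_suspicious(text: str) -> Dict[str, List[str]]:
    """Map service name -> flags, for entries that raised at least one flag."""
    result: Dict[str, List[str]] = {}
    for entry in parse_services(text):
        flags = triage(entry)
        if flags:
            result[entry.name] = flags
    return result


if __name__ == "__main__":
    for name, flags in find_suspicious(SAMPLE_DDS).items():
        print(f"{name}: {', '.join(flags)}")
```

Run on the sample, the script flags two entries: cerc6 (a stopped boot-start service whose file is simply gone, a common leftover of an uninstalled driver) and qxxf, which collects all three flags because its service name and driver file name are unrelated and the file cannot be resolved. The flags are a starting point for an analyst, not a verdict; the confirmation here came from ComboFix removing Service_qxxf and the redirects stopping.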



#2 thcbytes
  • Malware Response Team
  • 14,790 posts

Posted 26 May 2010 - 06:34 PM

Hi and welcome to the Virus/Trojan/Spyware/Malware Removal forum,

I am thcbytes and I am here to help you!

I ask that you refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Please perform all steps in the order received and do not proceed if you need clarification.

Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems please stop and tell me about it. When your computer is clean I will alert you of such. I will also provide you with detailed suggestions for prevention.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days, if your topic has not been replied to, I will assume it has been abandoned and I will close it.

I would also like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please be courteous and appreciative for the assistance provided!

Again I would like to remind you to make no further changes to your computer unless I direct you to do so. Your computer fix will be based on the current condition of your computer! Any changes might delay my ability to help you.

==========

We need to disable Spybot S&D's "TeaTimer"
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half finished fix, we need to disable TeaTimer. We can reenable it when we're done if you like.
  1. Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  2. If prompted with a legal dialog, accept the warning.
  3. Click and then on "Advanced Mode"
  4. You may be presented with a warning dialog. If so, press
  5. Click on
  6. Click on
  7. Uncheck this checkbox:
  8. Close/Exit Spybot Search and Destroy

==========

RKill by Grinler
Link #1
Link #2
Link #3
Link #4
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Download Link #1.
  • Save it to your Desktop.
  • Double click the RKill desktop icon.
    If you are using Vista please right click and run as Admin!
  • A black screen will briefly flash indicating a successful run.
  • If this does not occur please delete that application and download Link #2.
  • Continue process until the tool runs.
  • If the tool does not run from any of the links tell me about it.
  • It shall produce a log located at C:\RKill. Please copy and paste it into your next reply.

==========

Download and Run ComboFix (by sUBs)

You must rename it before saving it.





Please download ComboFix from one of these locations:

Link 1
Link 2

Save thcbytes.exe to your Desktop <-- Important!!!
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Please refer to this link for instructions.

  • Double click on thcbytes.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


==========

With your next post please provide:

* RKill.txt
* Combofix.txt
* Are you still redirected and do you still have pop-ups?

Kind regards,
~t
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#3 hortoholic
  • Topic Starter
  • Members
  • 64 posts

Posted 27 May 2010 - 10:12 PM

Ran ComboFix as you said, and it appears to have worked. No popups or redirects as of yet. Now even webpages load faster. Thank you! I have attached the logs below. If you do find something, do you know what kind of infection it was?

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as Jonathan on 05/27/2010 at 22:29:53.


Processes terminated by Rkill or while it was running:


C:\Documents and Settings\Jonathan\Desktop\Copy of rkill.scr


Rkill completed on 05/27/2010 at 22:30:04.



Attached: Combofix Log

Thank you!


Edited by hortoholic, 27 May 2010 - 10:13 PM.


#4 thcbytes
  • Malware Response Team
  • 14,790 posts

Posted 28 May 2010 - 03:43 PM

Well done

===========

Please do not attach the logs. Copy and paste them directly in your reply.

===========

Warning: This script was specifically written and designed for this user only. Unsupervised use of this tool could render your computer unbootable permanently!!

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open Notepad and copy/paste all of the text in the quotebox below (including the hyperlink if present) into it:

4. Combofix might upload a few suspicious files. Please allow this!!

QUOTE


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

==========

Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "JDK 6 Update 20 (JDK or JRE)".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u20-windows-i586.exe to install the newest version.
  • If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

==========

Please rerun MBAM.

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
    • Update Malwarebytes' Anti-Malware <--- Important!!
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

==========

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push

==========

With your next post please provide:

* Combofix.txt
* MBAM.txt
* ESET.txt
* How is it running?

Kind regards,
~t


#5 thcbytes
  • Malware Response Team
  • 14,790 posts

Posted 31 May 2010 - 04:53 PM

Do you still desire help?

#6 hortoholic
  • Topic Starter
  • Members
  • 64 posts

Posted 01 June 2010 - 12:00 AM

Hey, sorry for the delayed reply! Something happened at work and I couldn't be on the computer lately. I will upload the files later today.

#7 thcbytes
  • Malware Response Team
  • 14,790 posts

Posted 01 June 2010 - 09:06 AM

Ok

#8 hortoholic
  • Topic Starter
  • Members
  • 64 posts

Posted 01 June 2010 - 09:43 AM

Here are my logs:

ComboFix
=========


ComboFix 10-05-31.02 - Jonathan 05/31/2010 23:03:45.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.335 [GMT -4:00]
Running from: c:\documents and settings\Jonathan\My Documents\thcbytes.exe
Command switches used :: c:\documents and settings\Jonathan\My Documents\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_qxxf


((((((((((((((((((((((((( Files Created from 2010-05-01 to 2010-06-01 )))))))))))))))))))))))))))))))
.

2011-11-22 14:10 . 2009-12-05 15:02 -------- d-----w- C:\$AVG
2011-11-22 14:10 . 2010-05-01 00:03 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2011-11-22 14:10 . 2010-03-14 14:59 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2011-11-22 14:10 . 2010-03-14 15:02 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2011-11-22 14:10 . 2010-05-31 22:46 -------- d-----w- c:\windows\system32\drivers\Avg
2011-11-22 14:10 . 2010-04-01 16:57 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2011-11-22 14:09 . 2011-11-22 14:09 -------- d-----w- c:\program files\AVG
2011-11-22 14:09 . 2011-11-22 14:09 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2011-11-22 14:02 . 2010-05-17 15:09 -------- d--h--w- c:\program files\InstallShield Installation Information
2011-11-22 14:02 . 2011-11-22 14:02 -------- d-----w- c:\program files\Broadcom
2011-11-22 14:02 . 2011-11-22 14:02 -------- d-----w- c:\windows\Downloaded Installations
2011-11-22 14:02 . 2009-11-23 02:24 -------- d-----w- c:\program files\Common Files\InstallShield
2011-11-22 14:01 . 2009-11-29 23:11 -------- d-----w- C:\Dell-5160
2011-11-22 14:01 . 2008-04-14 05:15 26368 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
2011-11-22 13:27 . 2011-11-22 13:27 -------- d-s---w- c:\windows\system32\Microsoft
2011-11-22 13:27 . 2011-11-22 13:27 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Microsoft
2011-11-22 13:27 . 2010-05-22 16:53 -------- d-sh--w- c:\documents and settings\LocalService

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-22 14:09 . 2009-12-19 03:30 1082648 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgxpl.dll
2011-11-22 14:09 . 2009-12-19 03:30 1074456 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcmgr.exe
2011-11-22 14:09 . 2009-12-19 03:29 615704 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcertx.dll
2011-11-22 14:09 . 2009-12-19 03:30 600344 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgnsx.exe
2011-11-22 14:09 . 2009-12-19 03:29 502040 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgrsx.exe
2011-11-22 14:09 . 2009-12-19 03:30 2352920 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgresf.dll
2011-11-22 14:09 . 2009-12-19 03:30 1946392 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgapix.dll
2011-11-22 14:09 . 2010-03-14 14:58 613656 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe
2011-11-22 14:09 . 2009-12-22 16:51 916248 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcfgx.dll
2011-11-22 14:09 . 2009-12-19 03:30 744728 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgscanx.exe
2011-11-22 14:09 . 2009-12-19 03:30 361752 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgsrmax.exe
2011-11-22 12:44 . 2011-11-22 12:44 -------- d-----w- c:\program files\microsoft frontpage
2011-11-22 12:39 . 2011-11-22 12:39 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2010-05-31 12:54 . 2010-05-31 12:52 14394700 ----a-w- C:\458ygruthwhwibae geuitg g'.zip
2010-05-28 14:46 . 2010-05-28 14:46 61440 ----a-w- c:\documents and settings\Music\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-19aaa479-n\decora-sse.dll
2010-05-28 14:46 . 2010-05-28 14:46 503808 ----a-w- c:\documents and settings\Music\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5fcff72f-n\msvcp71.dll
2010-05-28 14:46 . 2010-05-28 14:46 499712 ----a-w- c:\documents and settings\Music\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5fcff72f-n\jmc.dll
2010-05-28 14:46 . 2010-05-28 14:46 348160 ----a-w- c:\documents and settings\Music\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5fcff72f-n\msvcr71.dll
2010-05-28 14:46 . 2010-05-28 14:46 12800 ----a-w- c:\documents and settings\Music\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-19aaa479-n\decora-d3d.dll
2010-05-28 14:40 . 2009-11-22 14:47 35097 ----a-w- c:\windows\system32\nvModes.dat
2010-05-27 17:11 . 2009-11-28 14:02 -------- d-----w- c:\documents and settings\Jonathan\Application Data\vlc
2010-05-27 15:16 . 2009-11-29 23:23 -------- d-----w- c:\documents and settings\Jonathan\Application Data\dvdcss
2010-05-25 21:30 . 2009-11-29 23:29 12912 ----a-w- c:\documents and settings\Jonathan\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-25 21:29 . 2010-05-25 21:29 -------- d-----w- c:\program files\Microsoft
2010-05-25 21:29 . 2010-05-25 21:28 -------- d-----w- c:\program files\Windows Live
2010-05-25 21:29 . 2010-05-25 21:29 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-05-25 21:24 . 2010-05-25 21:24 -------- d-----w- c:\program files\Common Files\Windows Live
2010-05-25 19:22 . 2010-05-25 19:22 -------- d-----w- c:\program files\Panda Security
2010-05-25 17:01 . 2011-11-22 12:42 87263 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-05-25 12:48 . 2010-05-24 14:45 63488 ----a-w- c:\documents and settings\Jonathan\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-05-25 12:48 . 2010-05-24 14:45 117760 ----a-w- c:\documents and settings\Jonathan\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-24 21:32 . 2010-05-24 21:32 61440 ----a-w- c:\documents and settings\Jonathan\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-35648a79-n\decora-sse.dll
2010-05-24 21:32 . 2010-05-24 21:32 503808 ----a-w- c:\documents and settings\Jonathan\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-3d52c532-n\msvcp71.dll
2010-05-24 21:32 . 2010-05-24 21:32 499712 ----a-w- c:\documents and settings\Jonathan\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-3d52c532-n\jmc.dll
2010-05-24 21:32 . 2010-05-24 21:32 348160 ----a-w- c:\documents and settings\Jonathan\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-3d52c532-n\msvcr71.dll
2010-05-24 21:32 . 2010-05-24 21:32 12800 ----a-w- c:\documents and settings\Jonathan\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-35648a79-n\decora-d3d.dll
2010-05-24 21:32 . 2010-03-21 12:00 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-24 14:45 . 2010-05-24 14:45 52224 ----a-w- c:\documents and settings\Jonathan\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-05-24 14:45 . 2010-05-24 14:45 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-05-24 14:41 . 2010-05-24 14:40 65024 ----a-r- c:\documents and settings\Jonathan\Application Data\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
2010-05-24 14:41 . 2010-05-24 14:40 5120 ----a-r- c:\documents and settings\Jonathan\Application Data\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF16.exe
2010-05-24 14:41 . 2010-05-24 14:40 18944 ----a-r- c:\documents and settings\Jonathan\Application Data\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
2010-05-24 14:40 . 2010-05-24 14:40 -------- d-----w- c:\documents and settings\Jonathan\Application Data\SUPERAntiSpyware.com
2010-05-24 14:39 . 2010-05-24 14:39 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-05-24 01:42 . 2010-05-24 01:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-05-23 22:59 . 2010-05-23 22:59 -------- d-----w- c:\documents and settings\Jonathan\Application Data\AVG9
2010-05-22 18:02 . 2010-05-22 18:02 -------- d-----w- c:\documents and settings\Jonathan\Application Data\Malwarebytes
2010-05-22 18:01 . 2010-05-22 18:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-22 16:39 . 2010-05-22 16:40 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-05-22 16:39 . 2010-05-22 17:51 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-05-22 16:35 . 2010-05-22 16:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-05-22 16:33 . 2010-05-22 16:33 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-05-18 18:44 . 2009-11-28 15:37 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-05-18 02:35 . 2010-05-18 02:35 -------- d-----w- c:\documents and settings\Jonathan\Application Data\VBA-M
2010-05-17 15:27 . 2010-05-17 15:27 2232 ----a-w- c:\windows\java\Packages\Data\HVZJ3TJN.DAT
2010-05-17 15:27 . 2010-05-17 15:27 155995 ----a-w- c:\windows\java\Packages\R1VNH7JJ.ZIP
2010-05-17 15:27 . 2010-05-17 15:27 2678 ----a-w- c:\windows\java\Packages\Data\CD7VTVFP.DAT
2010-05-17 15:27 . 2010-05-17 15:27 2678 ----a-w- c:\windows\java\Packages\Data\A7NR1RN5.DAT
2010-05-17 15:27 . 2010-05-17 15:27 2678 ----a-w- c:\windows\java\Packages\Data\9N9JV571.DAT
2010-05-17 15:27 . 2010-05-17 15:27 2678 ----a-w- c:\windows\java\Packages\Data\SO7H7RHZ.DAT
2010-05-17 15:27 . 2010-05-17 15:27 2678 ----a-w- c:\windows\java\Packages\Data\DRR3FXRH.DAT
2010-05-17 15:10 . 2010-05-17 15:10 -------- d-----w- c:\program files\Common Files\snp2std
2010-05-17 15:09 . 2010-05-17 15:09 -------- d-----w- c:\documents and settings\Jonathan\Application Data\InstallShield
2010-05-09 15:29 . 2010-05-09 15:29 8854 ----a-r- c:\documents and settings\Jonathan\Application Data\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\Uninstall_Project64__9559F7CA5E344237A2D9D856464AD727.exe
2010-05-09 15:29 . 2010-05-09 15:29 40960 ----a-r- c:\documents and settings\Jonathan\Application Data\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\NewShortcut1_9559F7CA5E344237A2D9D856464AD727.exe
2010-05-09 15:29 . 2010-05-09 15:29 40960 ----a-r- c:\documents and settings\Jonathan\Application Data\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\ARPPRODUCTICON.exe
2010-05-01 19:05 . 2010-05-01 18:58 -------- d-----w- c:\documents and settings\Jonathan\Application Data\AccurateRip
2010-05-01 02:26 . 2010-05-01 02:26 -------- d-----w- c:\documents and settings\Jonathan\Application Data\FreeAudioPack
2010-04-29 19:39 . 2010-05-22 18:01 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2010-05-22 18:01 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-29 09:47 . 2010-04-29 09:47 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-04-17 02:12 . 2010-04-17 02:12 48464 ----a-w- c:\windows\system32\sirenacm.dll
2010-04-02 22:50 . 2009-11-28 15:41 -------- d-----w- c:\program files\Common Files\Adobe
2010-03-17 17:03 . 2010-03-17 17:03 64200 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-03-16 02:12 . 2010-03-16 02:12 61440 ----a-w- c:\documents and settings\Jonathan\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-2c6cc6ae-n\decora-sse.dll
2010-03-16 02:12 . 2010-03-16 02:12 503808 ----a-w- c:\documents and settings\Jonathan\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-617506f4-n\msvcp71.dll
2010-03-16 02:12 . 2010-03-16 02:12 499712 ----a-w- c:\documents and settings\Jonathan\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-617506f4-n\jmc.dll
2010-03-16 02:12 . 2010-03-16 02:12 348160 ----a-w- c:\documents and settings\Jonathan\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-617506f4-n\msvcr71.dll
2010-03-16 02:12 . 2010-03-16 02:12 12800 ----a-w- c:\documents and settings\Jonathan\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-2c6cc6ae-n\decora-d3d.dll
2010-03-16 02:11 . 2010-03-16 02:11 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-14 15:02 . 2010-03-14 15:02 12464 ----a-w- c:\windows\system32\avgrsstx.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-05-28_02.59.09 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-06-01 03:12 . 2010-06-01 03:12 16384 c:\windows\Temp\Perflib_Perfdata_15c.dat
+ 2010-05-28 14:40 . 2008-04-14 12:00 221184 c:\windows\system32\wmpns.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2010-04-19 14:25 2117704 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-10-26 4632576]
"nwiz"="nwiz.exe" [2004-10-26 921600]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"snp2std"="c:\windows\vsnp2std.exe" [2006-09-15 675840]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\documents and settings\Jonathan\My Documents\Programs\SuperAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\documents and settings\Jonathan\My Documents\Programs\SuperAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-14 15:02 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [5/25/2010 3:23 PM 28552]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/22/2011 10:10 AM 216200]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/22/2011 10:10 AM 242896]
R1 SASDIFSV;SASDIFSV;c:\documents and settings\Jonathan\My Documents\Programs\SuperAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\documents and settings\Jonathan\My Documents\Programs\SuperAntiSpyware\SASKUTIL.SYS [5/6/2010 5:10 PM 68168]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [3/14/2010 10:59 AM 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/14/2010 11:01 AM 308064]
S0 cerc6;cerc6; [x]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\documents and settings\Jonathan\My Documents\Programs\Ad Aware\Ad-Aware\AAWService.exe [2/4/2010 11:52 AM 1314704]
.
Contents of the 'Scheduled Tasks' folder

2010-05-25 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\documents and settings\Jonathan\My Documents\Programs\Ad Aware\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 16:38]

2010-06-01 c:\windows\Tasks\User_Feed_Synchronization-{8F284665-3F06-4A69-ABAD-FE2804B0561F}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]

2010-06-01 c:\windows\Tasks\User_Feed_Synchronization-{D5A40F8A-3DAB-4202-9D3E-82852412FDEE}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-31 23:12
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(644)
c:\documents and settings\Jonathan\My Documents\Programs\SuperAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(3704)
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-05-31 23:16:51 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-01 03:16
ComboFix2.txt 2010-05-28 03:01

Pre-Run: 16,390,963,200 bytes free
Post-Run: 16,649,707,520 bytes free

- - End Of File - - BF65070A63F31140EF855B33414E6B94


MBAM
====

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4160

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/31/2010 11:35:24 PM
mbam-log-2010-05-31 (23-35-24).txt

Scan type: Quick scan
Objects scanned: 140533
Time elapsed: 12 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

ESET:

C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\dmio.sys.vir Win32/Olmarik.ZC trojan
C:\System Volume Information\_restore{04FC1D8E-C839-46C9-891D-9885EAED17AC}\RP79\A0008832.sys Win32/Olmarik.ZC trojan



It just thinks the quarantine is a virus, but it is quarantined so it thinks it's ok to ignore? If you know what I mean. As far as the computer, it is still running great.



#9 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • Gender:Male
  • Local time:04:15 PM

Posted 01 June 2010 - 10:18 AM

Well done.

Yes. The detections are quarantined or in System Restore and are harmless. I will guide you on how to purge System Restore soon.

Send me a copy of a suspicious file(s) for analysis

Please download the Suspicious File Packer.
  • Unzip it to the desktop and run it.
  • Copy and paste the contents of the codebox into the Suspicious File Packer window:

CODE
c:\windows\system32\emptyregdb.dat
C:\458ygruthwhwibae geuitg g'.zip


Allow SFP to pack the files. This will generate a CAB archive on your desktop.
  1. Please go to here.
  2. Where it asks for the "Link to topic where this file was requested" copy and paste the contents of the codebox.

    CODE
    http://www.bleepingcomputer.com/forums/t/319367/infected-with-unknown-rootkit-possible-google-random-redirect/

  3. Where it says "Browse to the file you want to submit", browse to the CAB archive that was created on your desktop.
  4. The cab file will be called requested-files*.cab (the * stands for the date and hour).
  5. Press the Send File button.

==========

Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "JDK 6 Update 20 (JDK or JRE)".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u20-windows-i586.exe to install the newest version.
  • If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

==========

With your next post please provide:

* Notification of a successful upload
* Any further troubles?

Kind regards,
~t

Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#10 hortoholic

hortoholic
  • Topic Starter

  • Members
  • 64 posts
  • Local time:05:15 PM

Posted 02 June 2010 - 08:23 AM

Hey,

My file was successfully submitted. As of now, no further troubles. And thank you so much for your help and your time! If you need me to do anything else, please don't hesitate to let me know.

#11 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • Gender:Male
  • Local time:04:15 PM

Posted 02 June 2010 - 09:59 AM

Hi,

You're welcome.

Received the upload. They scanned out clean. Do you know those files? They look very suspicious and I find little info about them in my research.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the browse button and navigate to the files listed below in bold, then click Submit. You will only be able to have one file scanned at a time.

c:\windows\system32\emptyregdb.dat
C:\458ygruthwhwibae geuitg g'.zip


If you get...

QUOTE
This file has been scanned before. The results for this previous scan are listed below.


Please choose "Scan Again"!!!!!!!!!

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal

==========

One last scan please....

  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.


    Change the following settings
    • Change Drivers to All
    • Change Standard Registry to All

  4. Copy and Paste the following code into the textbox. Do not include the word "Code"


    CODE
    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %ALLUSERSPROFILE%\Application Data\*.
    %ALLUSERSPROFILE%\Application Data\*.exe /s
    %APPDATA%\*.
    %APPDATA%\*.exe /s
    %SYSTEMDRIVE%\*.exe
    /md5start
    userinit.exe
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    /md5stop
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\system32\drivers\*.sys /90
    CREATERESTOREPOINT

  5. Push
  6. A report will open. Copy and Paste that report in your next reply.
  7. Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

==========

With your next post please provide:

* Do you know those files?
* Upload results
* OTL.txt
* Extra.txt

Kind regards,
~t

#12 hortoholic

hortoholic
  • Topic Starter

  • Members
  • 64 posts
  • Local time:05:15 PM

Posted 02 June 2010 - 09:23 PM

Hello,
Both files came clean here as well.
c:\windows\system32\emptyregdb.dat - this is a funny file in that the created date is listed as 11/22/2011. I did not create this file; unknown, doesn't look harmful. Thoughts?
C:\458ygruthwhwibae geuitg g'.zip - File I created, random key presses, contains images of google logos. My apologies.


I attached the logs because they are too long for the text box.

Attached Files

  • Attached File: OTL.Txt (468.1KB)

Edited by hortoholic, 02 June 2010 - 09:33 PM.
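
Two points raised in this thread can be checked mechanically: post #9's reasoning that hits under the ComboFix quarantine (C:\Qoobox\Quarantine) and System Restore (System Volume Information\_restore...) paths are stored copies rather than live files, and post #12's remark about a file date later than the log itself. The script below is an added example written for this page, not code from the thread or from ESET, ComboFix or OTL; its inputs are the two ESET lines quoted above, one constructed line placing the same driver in its live location (hypothetical, not from the user's logs), and three service entries from the ComboFix log above, compared against that log's own completion time.

```python
import re
from datetime import datetime

# Sample input: the two ESET hits quoted in the thread plus one constructed line
# (not from the thread) placing the same driver name in its live location.
ESET_LINES = [
    r"C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\dmio.sys.vir Win32/Olmarik.ZC trojan",
    r"C:\System Volume Information\_restore{04FC1D8E-C839-46C9-891D-9885EAED17AC}\RP79\A0008832.sys Win32/Olmarik.ZC trojan",
    r"C:\WINDOWS\system32\drivers\dmio.sys Win32/Olmarik.ZC trojan",  # constructed
]

# Sample input: three service/driver entries from the ComboFix log in this thread,
# and that log's "Completion time", used as the reference clock.
COMBOFIX_DRIVER_LINES = [
    r"R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [5/25/2010 3:23 PM 28552]",
    r"R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/22/2011 10:10 AM 216200]",
    r"S0 cerc6;cerc6; [x]",
]
LOG_TIME = datetime(2010, 5, 31, 23, 16)

# Locations where a hit is a stored copy, not a file Windows will load.
INERT_MARKERS = (
    "\\qoobox\\quarantine\\",                 # ComboFix quarantine (files renamed to .vir)
    "\\system volume information\\_restore",  # System Restore points (RPnn\A00nnnnnn.*)
)

# ESET Online Scanner line: "<path> <threat family> <kind>"; the path may contain spaces,
# so the path group is non-greedy and the last two tokens are taken as family and kind.
DETECTION_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<threat>\S+)\s+(?P<kind>\w+)$")

# ComboFix service line: "<state> <name>;<display>;<image> [<m/d/yyyy> <h:mm> <AM|PM> <size>]",
# or "[x]" in place of the bracketed metadata when the image file is missing.
DRIVER_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]*);(?P<display>[^;]*);(?P<image>[^\[]*)\[(?P<meta>[^\]]*)\]$"
)


def classify_detection(line):
    """Return the parsed hit with status 'inert-remnant' or 'active-location', or None."""
    m = DETECTION_RE.match(line.strip())
    if not m:
        return None
    path = m.group("path")
    inert = any(marker in path.lower() for marker in INERT_MARKERS)
    return {
        "path": path,
        "threat": m.group("threat"),
        "kind": m.group("kind"),
        "status": "inert-remnant" if inert else "active-location",
    }


def check_driver_entry(line, log_time):
    """Parse one ComboFix service entry and flag a missing image file or a file time
    later than the log itself (clock skew or tampering; either way worth a second look)."""
    m = DRIVER_RE.match(line.strip())
    if not m:
        return None
    entry = {"state": m.group("state"), "name": m.group("name"),
             "image": m.group("image").strip(), "issue": None}
    meta = m.group("meta").strip()
    if meta == "x":
        entry["issue"] = "image-missing"
        return entry
    date, clock, ampm, size = meta.split()
    stamp = datetime.strptime(f"{date} {clock} {ampm}", "%m/%d/%Y %I:%M %p")
    entry["timestamp"] = stamp
    entry["size"] = int(size)
    if stamp > log_time:
        entry["issue"] = "future-timestamp"
    return entry


def triage(eset_lines, driver_lines, log_time):
    """Summarise what still needs attention: hits outside quarantine and odd driver entries."""
    hits = [h for h in map(classify_detection, eset_lines) if h]
    drivers = [d for d in (check_driver_entry(ln, log_time) for ln in driver_lines) if d]
    return {
        "active_hits": [h["path"] for h in hits if h["status"] == "active-location"],
        "inert_hits": [h["path"] for h in hits if h["status"] == "inert-remnant"],
        "flagged_drivers": {d["name"]: d["issue"] for d in drivers if d["issue"]},
    }


if __name__ == "__main__":
    report = triage(ESET_LINES, COMBOFIX_DRIVER_LINES, LOG_TIME)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the thread's own lines the two ESET hits come out as inert remnants, the constructed live-path line is the only one reported as active, and the AVG driver entry is flagged because its 2011 file time is later than a log written in May 2010.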


#13 hortoholic

hortoholic
  • Topic Starter

  • Members
  • 64 posts
  • Local time:05:15 PM

Posted 02 June 2010 - 09:35 PM

OTL Extras logfile created on: 6/2/2010 9:35:41 PM - Run 1
OTL by OldTimer - Version 3.2.5.3 Folder = C:\Documents and Settings\Jonathan\My Documents
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.00 Mb Total Physical Memory | 151.00 Mb Available Physical Memory | 30.00% Memory free
1.00 Gb Paging File | 0.00 Gb Available in Paging File | 22.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 27.94 Gb Total Space | 14.95 Gb Free Space | 53.52% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: HOME-2928FE18CF
Current User Name: Jonathan
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe" = C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"C:\Program Files\AVG\AVG9\avgemc.exe" = C:\Program Files\AVG\AVG9\avgemc.exe:*:Enabled:avgemc.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG9\avgupd.exe" = C:\Program Files\AVG\AVG9\avgupd.exe:*:Enabled:avgupd.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG9\avgnsx.exe" = C:\Program Files\AVG\AVG9\avgnsx.exe:*:Enabled:avgnsx.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe" = C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger -- (Microsoft Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java™ 6 Update 20
"{3175E049-F9A9-4A3D-8F19-AC9FB04514D1}" = Windows Live Communications Platform
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{474F25F5-BDC9-40E5-B1B6-F6BF23FC106F}" = Windows Live Essentials
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{52504CE6-E909-4113-B232-4AFEC6543A61}" = Broadcom 440x 10/100 Integrated Controller
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{75438C0E-9925-412E-AD85-D0E71C6CE2ED}" = USB2.0 PC Camera (SN9C201&202)
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9559F7CA-5E34-4237-A2D9-D856464AD727}" = Project64 1.6
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = C-Major Audio
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B57EAFF2-D6EE-4C6C-9175-ED9F17BFC1BC}" = Windows Live Messenger
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Plus Web Player
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{E6158D07-2637-4ECF-B576-37C489669174}" = Windows Live Call
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"7-Zip" = 7-Zip 4.65
"ActiveScan 2.0" = Panda ActiveScan 2.0
"Ad-Aware" = Ad-Aware
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"AVG9Uninstall" = AVG Free 9.0
"ESET Online Scanner" = ESET Online Scanner v3
"Free Mp3 Wma Converter_is1" = Free Mp3 Wma Converter V 1.9
"ie8" = Windows Internet Explorer 8
"InstallShield_{52504CE6-E909-4113-B232-4AFEC6543A61}" = Broadcom 440x 10/100 Integrated Controller
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"NVIDIA Drivers" = NVIDIA Drivers
"Windows Essentials Media Codec Pack" = Windows Essentials Media Codec Pack 2.3d
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR archiver

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 1/17/2010 4:14:56 PM | Computer Name = HOME-2928FE18CF | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 1/17/2010 9:21:19 PM | Computer Name = HOME-2928FE18CF | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 3/15/2010 6:59:49 PM | Computer Name = HOME-2928FE18CF | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 3/21/2010 1:44:18 PM | Computer Name = HOME-2928FE18CF | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 3/21/2010 1:44:18 PM | Computer Name = HOME-2928FE18CF | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 3/21/2010 11:31:54 PM | Computer Name = HOME-2928FE18CF | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 4/1/2010 12:57:41 PM | Computer Name = HOME-2928FE18CF | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module unknown, version 0.0.0.0, fault address 0x098f600b.

Error - 4/2/2010 7:07:19 PM | Computer Name = HOME-2928FE18CF | Source = ESENT | ID = 490
Description = svchost (1020) An attempt to open the file "C:\WINDOWS\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb"
for read / write access failed with system error 32 (0x00000020): "The process
cannot access the file because it is being used by another process. ". The open
file operation will fail with error -1032 (0xfffffbf8).

Error - 4/2/2010 7:07:19 PM | Computer Name = HOME-2928FE18CF | Source = ESENT | ID = 470
Description = Catalog Database (1020) Database C:\WINDOWS\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb
is partially attached. Attachment stage: 3. Error: -1032.

Error - 5/17/2010 11:33:53 AM | Computer Name = HOME-2928FE18CF | Source = MsiInstaller | ID = 1013
Description = Product: Spider-Man On Command -- 1: This installation cannot be run
by directly launching the MSI package. You must run setup.exe.

[ System Events ]
Error - 11/22/2009 10:25:22 PM | Computer Name = HOME-2928FE18CF | Source = NIC1394 | ID = 5002
Description = 1394 Net Adapter #2 : Has determined that the adapter is not functioning
properly.

Error - 11/25/2009 11:24:44 PM | Computer Name = HOME-2928FE18CF | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the avg9wd service.

Error - 11/29/2009 2:41:13 PM | Computer Name = HOME-2928FE18CF | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
again in 15 minutes. The error was: A socket operation was attempted to an unreachable
host. (0x80072751)

Error - 11/29/2009 2:41:13 PM | Computer Name = HOME-2928FE18CF | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 14 minutes. NtpClient has no source of accurate
time.

Error - 12/23/2009 11:04:26 AM | Computer Name = HOME-2928FE18CF | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC0000243'
while processing the file 'avgcorex.dll.old' on the volume 'HarddiskVolume1'.
It has stopped monitoring the volume.

Error - 3/13/2010 11:44:20 PM | Computer Name = HOME-2928FE18CF | Source = Srv | ID = 2019
Description = The server was unable to allocate from the system nonpaged pool because
the pool was empty.

Error - 3/20/2010 9:30:58 AM | Computer Name = HOME-2928FE18CF | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
again in 15 minutes. The error was: A socket operation was attempted to an unreachable
host. (0x80072751)

Error - 3/20/2010 9:30:58 AM | Computer Name = HOME-2928FE18CF | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 14 minutes. NtpClient has no source of accurate
time.


< End of report >




#14 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • Gender:Male
  • Local time:04:15 PM

Posted 03 June 2010 - 06:43 AM

Hi,

Looks great except....
QUOTE
11/22/2011


Right click on the time in your lower right and choose "Adjust date and time." What is the current date and time you see?

Is your computer still running alright? Any further troubles?

Kind regards,
~ t
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#15 hortoholic

hortoholic
  • Topic Starter

  • Members
  • 64 posts
  • Local time:05:15 PM

Posted 03 June 2010 - 08:19 AM

I see June 3, 2010 9:10 AM. My computer is still running great. Just the creation date of the file is odd. Bug?
