
unknown malware


  • This topic is locked
25 replies to this topic

#1 gwinneriii

gwinneriii

  • Members
  • 13 posts
  • OFFLINE
  • Local time:01:26 PM

Posted 26 June 2010 - 09:08 PM

Around three days ago my web browser began acting up. Any search engine sends me to random useless websites, not a results page. Most times when loading any page the computer bogs down to the point that I have to do a hard reset. I can't even alt-ctrl-del out of my browser window; task manager won't pop up. I've attempted gmer twice now, but the computer bogs down before it has a chance to finish. Below is my DDS report and attachment. Any advice would be MUCH appreciated. After several stalled attempts I was lucky enough to get on BC and post today!


DDS (Ver_10-03-17.01) - NTFSx86
Run by _ at 19:34:34.82 on Wed 06/23/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.5.0_12
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1558 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\AVG\avgchsvx.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\AVG\avgrsx.exe
svchost.exe
svchost.exe
C:\Program Files\AVG\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\svchost.exe -k ppdrv
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\AVG\avgnsx.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\PROGRA~1\AVG\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Documents and Settings\George & Jessica\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: PlaySushi: {21608b66-026f-4dcb-9244-0daca328dced} - c:\program files\playsushi\PSText.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: {1BB22D38-A411-4B13-A746-C2A4F4EC7344} - No File
TB: {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [GEST] =
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avgtray.exe
IE: E&xport to Microsoft Excel - d:\progra~1\micros~1\office10\EXCEL.EXE/3000
IE: {EBD24BD3-E272-4FA3-A8BA-C5D709757CAB} - {EBD24BD3-E272-4FA3-A8BA-C5D709757CAB} - c:\program files\playsushi\PSText.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R?2 ppdrv;ppdrv;c:\windows\system32\svchost.exe -k ppdrv [2001-8-18 14336]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-29 216200]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-5-29 29584]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-2-19 242896]
R1 PDRV;PDRV;c:\windows\system32\drivers\pdrv.sys [2010-6-21 47616]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avgwdsvc.exe [2010-3-12 308064]
S2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;d:\program files\kodak\aio\center\ekdiscovery.exe [2009-8-5 284016]
S2 webserver;webserver;c:\program files\webserver\webserver.exe --> c:\program files\webserver\webserver.exe [?]
S3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\l151x86.sys [2008-5-29 36864]
S3 XDva259;XDva259;\??\c:\windows\system32\xdva259.sys --> c:\windows\system32\XDva259.sys [?]
S3 XDva279;XDva279;\??\c:\windows\system32\xdva279.sys --> c:\windows\system32\XDva279.sys [?]
S3 XDva346;XDva346;\??\c:\windows\system32\xdva346.sys --> c:\windows\system32\XDva346.sys [?]

=============== Created Last 30 ================

2010-06-23 23:30:07 20 ----a-w- c:\documents and settings\george & jessica\defogger_reenable
2010-06-23 22:49:23 0 d-----w- c:\program files\ReflexiveArcade
2010-06-22 17:33:51 0 d-----w- c:\program files\PlaySushi
2010-06-22 01:22:55 53760 ----a-w- c:\windows\system32\pdrv.dll
2010-06-22 01:22:55 47616 ----a-w- c:\windows\system32\drivers\pdrv.sys
2010-06-21 01:07:46 1 ---h--w- c:\windows\bk23567.dat
2010-06-21 01:07:46 1 ----a-w- c:\windows\lgo
2010-06-21 01:07:46 1 ----a-w- c:\windows\fdgg34353edfgdfdf
2010-06-21 01:01:33 76288 ---h--w- c:\windows\bill112.exe
2010-06-07 02:49:59 0 d-----w- c:\docume~1\george~1\applic~1\Turbine
2010-06-07 01:51:58 0 d-----w- c:\windows\system32\URTTEMP
2010-06-07 00:45:58 0 d-----w- c:\program files\Pando Networks

==================== Find3M ====================

2010-06-02 13:41:49 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-04-12 21:29:19 411368 ----a-w- c:\windows\system32\deployJava1.dll
2008-08-24 07:07:00 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082420080825\index.dat

============= FINISH: 19:35:01.40 ===============

Attached Files
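Both DDS logs in this thread have the same shape, and a responder reading one usually starts with the same questions: which registered services or drivers point at files that no longer exist, which files appeared in the last 30 days in places where ordinary software has no business writing, and which of those new files are already wired in as a service or driver. The Python below is an added example, not the DDS tool's code and not from anyone in this thread. It parses the "SERVICES / DRIVERS" and "Created Last 30" sections and applies triage heuristics of my own choosing, using a handful of lines copied from the log above as constructed input. It assumes that the DDS attribute string carries the directory flag in its first position and the hidden flag in its fourth (inferred from the `d-----w-` and `--sha-w-` entries in the log) and that a trailing `[?]` marks a missing image file.

```python
"""Triage helper for DDS-style logs.

Added example: not code from DDS or from this thread. It reads the
"SERVICES / DRIVERS" and "Created Last 30" sections of a DDS report and
flags the entries a responder would examine first. The heuristics are
the example author's own; the attribute layout (directory flag at index 0,
hidden flag at index 3) is inferred from entries such as 'd-----w-' and
'--sha-w-' in the posted log and is an assumption.
"""
import re
from dataclasses import dataclass

# Constructed input: a handful of lines copied from the DDS log posted above.
SAMPLE_LOG = r"""
============= SERVICES / DRIVERS ===============

R?2 ppdrv;ppdrv;c:\windows\system32\svchost.exe -k ppdrv [2001-8-18 14336]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-2-19 242896]
R1 PDRV;PDRV;c:\windows\system32\drivers\pdrv.sys [2010-6-21 47616]
S2 webserver;webserver;c:\program files\webserver\webserver.exe --> c:\program files\webserver\webserver.exe [?]
S3 XDva259;XDva259;\??\c:\windows\system32\xdva259.sys --> c:\windows\system32\XDva259.sys [?]

=============== Created Last 30 ================

2010-06-23 22:49:23 0 d-----w- c:\program files\ReflexiveArcade
2010-06-22 01:22:55 53760 ----a-w- c:\windows\system32\pdrv.dll
2010-06-22 01:22:55 47616 ----a-w- c:\windows\system32\drivers\pdrv.sys
2010-06-21 01:07:46 1 ---h--w- c:\windows\bk23567.dat
2010-06-21 01:07:46 1 ----a-w- c:\windows\fdgg34353edfgdfdf
2010-06-21 01:01:33 76288 ---h--w- c:\windows\bill112.exe

==================== Find3M ====================
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# "<R|S><?><n> name;description;image [date size]"  or  "... --> image [?]"
SERVICE_RE = re.compile(r"^[RS]\?*\d\s+([^;]+);([^;]*);(.+)$")
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+(\S{8})\s+(.+)$")


@dataclass
class Finding:
    severity: str
    reason: str
    path: str


def split_sections(text):
    """Group non-blank lines under the '==== NAME ====' header above them."""
    sections, current = {}, None
    for line in text.splitlines():
        header = SECTION_RE.match(line.strip())
        if header:
            current = header.group(1).upper()
            sections[current] = []
        elif current and line.strip():
            sections[current].append(line.rstrip())
    return sections


def parse_services(lines):
    """Return service name, normalised image path, and whether DDS marked the image missing."""
    out = []
    for line in lines:
        m = SERVICE_RE.match(line)
        if not m:
            continue
        name, _desc, rest = m.groups()
        missing = rest.rstrip().endswith("[?]")          # DDS appends [?] when the file is absent
        image = rest.split("-->")[0].split(" [")[0].strip()
        if image.startswith("\\??\\"):                    # strip the NT object-manager prefix
            image = image[4:]
        out.append({"name": name, "image": image.lower(), "missing": missing})
    return out


def parse_created(lines):
    """Return one dict per 'Created Last 30' entry (timestamp, size, flags, path)."""
    out = []
    for line in lines:
        m = CREATED_RE.match(line)
        if not m:
            continue
        when, size, attrs, path = m.groups()
        out.append({"when": when, "size": int(size),
                    "is_dir": attrs[0] == "d",            # assumption: 'd' flag leads the string
                    "hidden": attrs[3] == "h",            # assumption: 'h' flag is the fourth char
                    "path": path.strip().lower()})
    return out


def triage(text, windows_dir="c:\\windows"):
    """Apply three defender heuristics and return the findings in log order."""
    sections = split_sections(text)
    services = parse_services(sections.get("SERVICES / DRIVERS", []))
    created = parse_created(sections.get("CREATED LAST 30", []))
    registered = {s["image"] for s in services}
    findings = []
    # 1. A service or driver whose image is gone: a stale registration or a
    #    component that removed its own file; either way it needs a look.
    for svc in services:
        if svc["missing"]:
            findings.append(Finding("medium",
                f"service/driver '{svc['name']}' points to a missing image", svc["image"]))
    for entry in created:
        if entry["is_dir"]:
            continue
        parent = entry["path"].rsplit("\\", 1)[0]
        # 2. Legitimate installers rarely drop loose files straight into %SystemRoot%.
        if parent == windows_dir:
            kind = "hidden file" if entry["hidden"] else "file"
            findings.append(Finding("high",
                f"new {kind} placed directly in the Windows directory", entry["path"]))
        # 3. Join the two sections on the image path: a file created this month
        #    that is already registered as a service or driver is a priority.
        if entry["path"] in registered:
            findings.append(Finding("high",
                "recently created file is registered as a service/driver", entry["path"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}: {f.path}")
```

On the sample above the script raises two medium findings for the stale `webserver` and `XDva259` registrations and four high ones: the freshly created `pdrv.sys` that is already registered as a kernel driver, and the three loose files under `c:\windows`, two of them hidden. Note what it deliberately does not flag: the new directory under Program Files and `pdrv.dll` in System32, which match neither heuristic on their own and would only be reached by the analyst following the `ppdrv` service host back to its DLL.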





#2 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  • Gender:Female
  • Local time:08:26 PM

Posted 02 July 2010 - 03:48 AM

Hello and welcome to Bleeping Computer!

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log





Elle
Can you hear it? It's all around!

Tomar ki manè acchè?
Yadi thakè, tahalè
Ki kshama kartè paro
?



If I haven't replied in 48 hours, please feel free to send me a PM.




#3 gwinneriii

gwinneriii
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:01:26 PM

Posted 02 July 2010 - 04:23 PM

Elle,

I have tried again and again to save a gmer log with no success. Typically gmer stalls out mid scan. I am not getting a BSOD nor is the computer totally frozen. In the latest attempt gmer completed a scan, but once I clicked save things went bad. I have resident shield disabled when scanning with gmer. Opening up task manager revealed that between AVG and lsass all my system resources were used up. I waited for nearly two hours with no change. Finally I had to do a hard reset again. I'm posting my most recent DDS log. If you have any suggestions please post them!





DDS (Ver_10-03-17.01) - NTFSx86
Run by George & Jessica at 16:02:35.78 on Fri 07/02/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.5.0_12
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1443 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\AVG\avgchsvx.exe
svchost.exe
C:\Program Files\AVG\avgrsx.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\avgcsrvx.exe
C:\Program Files\AVG\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\svchost.exe -k ppdrv
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\AVG\avgnsx.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\PROGRA~1\AVG\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
D:\Program Files\Crazy Browser\Crazy Browser.exe
C:\Documents and Settings\George & Jessica\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: PlaySushi: {21608b66-026f-4dcb-9244-0daca328dced} - c:\program files\playsushi\PSText.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: {1BB22D38-A411-4B13-A746-C2A4F4EC7344} - No File
TB: {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [GEST] =
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avgtray.exe
mRun: [EKIJ5000StatusMonitor] c:\windows\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe
IE: E&xport to Microsoft Excel - d:\progra~1\micros~1\office10\EXCEL.EXE/3000
IE: {EBD24BD3-E272-4FA3-A8BA-C5D709757CAB} - {EBD24BD3-E272-4FA3-A8BA-C5D709757CAB} - c:\program files\playsushi\PSText.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R?2 ppdrv;ppdrv;c:\windows\system32\svchost.exe -k ppdrv [2001-8-18 14336]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-29 216200]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-5-29 29584]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-2-19 242896]
R1 PDRV;PDRV;c:\windows\system32\drivers\pdrv.sys [2010-6-21 47616]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avgwdsvc.exe [2010-3-12 308064]
S2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;d:\program files\kodak\aio\center\ekdiscovery.exe [2009-8-5 284016]
S2 webserver;webserver;c:\program files\webserver\webserver.exe --> c:\program files\webserver\webserver.exe [?]
S3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\l151x86.sys [2008-5-29 36864]
S3 XDva259;XDva259;\??\c:\windows\system32\xdva259.sys --> c:\windows\system32\XDva259.sys [?]
S3 XDva279;XDva279;\??\c:\windows\system32\xdva279.sys --> c:\windows\system32\XDva279.sys [?]
S3 XDva346;XDva346;\??\c:\windows\system32\xdva346.sys --> c:\windows\system32\XDva346.sys [?]

=============== Created Last 30 ================

2010-06-23 23:30:07 20 ----a-w- c:\documents and settings\george & jessica\defogger_reenable
2010-06-23 22:49:23 0 d-----w- c:\program files\ReflexiveArcade
2010-06-22 17:33:51 0 d-----w- c:\program files\PlaySushi
2010-06-22 01:22:55 53760 ----a-w- c:\windows\system32\pdrv.dll
2010-06-22 01:22:55 47616 ----a-w- c:\windows\system32\drivers\pdrv.sys
2010-06-21 01:07:46 1 ---h--w- c:\windows\bk23567.dat
2010-06-21 01:07:46 1 ----a-w- c:\windows\lgo
2010-06-21 01:07:46 1 ----a-w- c:\windows\fdgg34353edfgdfdf
2010-06-21 01:01:33 76288 ---h--w- c:\windows\bill112.exe
2010-06-07 02:49:59 0 d-----w- c:\docume~1\george~1\applic~1\Turbine
2010-06-07 01:51:58 0 d-----w- c:\windows\system32\URTTEMP
2010-06-07 00:45:58 0 d-----w- c:\program files\Pando Networks

==================== Find3M ====================

2010-06-02 13:41:49 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-04-12 21:29:19 411368 ----a-w- c:\windows\system32\deployJava1.dll
2008-08-24 07:07:00 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082420080825\index.dat

============= FINISH: 16:02:43.84 ===============

Attached Files



#4 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  • Gender:Female
  • Local time:08:26 PM

Posted 05 July 2010 - 12:55 AM

Hello gwinneriii!

I am Blind Faith or Elle (it's easier to remember, I think) and I will help you with your malware related problems.
As you can see I am still a trainee and that means my work is revised by a coach.
Therefore, it will take a bit longer for me to reply.
So don't be impatient because I won't leave your case suspended in the air, waiting forever.

NOTE: Do not make any type of changes to your system during the cleaning process. The steps you are following are based on strict information from your system. So changes which I did not give instructions for are not recommended.

I will need some time to research the files on your system so please click the Options button at the top bar of this topic and Track this Topic, where you should choose email notifications to know when I replied.



During the cleaning process many files may be hidden so please unhide them by following the instructions listed here: How to show hidden files and folders.

Remember to check your topic for new replies.

Probably, it will take a couple of days until the next reply but after that everything will go faster.

Also please let me know if you still need help after you have read this.



Elle






#5 gwinneriii

gwinneriii
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:01:26 PM

Posted 06 July 2010 - 04:23 PM

Hidden files are viewable. Would you like me to re-run ddr? Still attempting gmer once or twice a day.

By the way, no worries about how long reposting takes. It gets finished when it gets finished. ;) Thanks for the help and glad to hear there's more help-in-training.

Edited by gwinneriii, 06 July 2010 - 04:24 PM.


#6 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  • Gender:Female
  • Local time:08:26 PM

Posted 08 July 2010 - 04:48 AM


Hi,


We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. Push the button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized



We Need to check for Rootkits with RootRepeal
  1. Download RootRepeal from the following location and save it to your desktop.
  2. Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  3. Open on your desktop.
  4. Click the tab.
  5. Click the button.
  6. Check all seven boxes:
  7. Push Ok
  8. Check the box for your main system drive (Usually C:), and press Ok.
  9. Allow RootRepeal to run a scan of your system. This may take some time.
  10. Once the scan completes, push the button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.


Elle

#7 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  • Gender:Female
  • Local time:08:26 PM

Posted 10 July 2010 - 06:49 PM

Hello,

Do you still need help? Please let me know if you have resolved the problem.



Elle

#8 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:26 PM

Posted 13 July 2010 - 07:28 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#9 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,760 posts
  • ONLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:01:26 PM

Posted 13 July 2010 - 03:32 PM

Re-opened per topic starter's PM..

How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#10 gwinneriii

gwinneriii
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:01:26 PM

Posted 13 July 2010 - 03:39 PM

Thanks! OTL and RootRepeal reports attached:

OTL logfile created on: 7/13/2010 4:22:21 PM - Run 1
OTL by OldTimer - Version 3.2.9.0 Folder = C:\Documents and Settings\George & Jessica\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 66.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 91.00% Paging File free
Paging file location(s): C:\pagefile.sys 4092 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 30.34 Gb Total Space | 6.41 Gb Free Space | 21.14% Space Free | Partition Type: NTFS
Drive D: | 97.65 Gb Total Space | 7.34 Gb Free Space | 7.51% Space Free | Partition Type: NTFS
Drive E: | 5.51 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ASTRO-TURF
Current User Name: George & Jessica
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/07/13 16:21:36 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\George & Jessica\Desktop\OTL.exe
PRC - [2010/06/02 09:41:49 | 002,065,248 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\avgtray.exe
PRC - [2010/06/02 09:41:49 | 000,620,896 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\avgnsx.exe
PRC - [2010/06/02 09:41:49 | 000,515,424 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\avgrsx.exe
PRC - [2010/06/02 09:41:22 | 001,101,152 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\avgchsvx.exe
PRC - [2010/06/02 09:41:22 | 000,722,784 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\avgcsrvx.exe
PRC - [2010/03/12 09:23:57 | 000,308,064 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\avgwdsvc.exe
PRC - [2010/02/11 18:36:50 | 000,449,536 | ---- | M] (www.CrazyBrowser.com) -- D:\Program Files\Crazy Browser\Crazy Browser.exe
PRC - [2009/08/05 12:49:38 | 000,120,176 | ---- | M] (Eastman Kodak Company) -- D:\Program Files\Kodak\AiO\Center\AiOHomeCenter.exe
PRC - [2009/08/03 09:33:06 | 001,626,112 | ---- | M] (Eastman Kodak Company) -- C:\WINDOWS\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/06/02 04:52:58 | 000,339,456 | ---- | M] (O&O Software GmbH) -- C:\WINDOWS\system32\oodag.exe


========== Modules (SafeList) ==========

MOD - [2010/07/13 16:21:36 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\George & Jessica\Desktop\OTL.exe
MOD - [2008/04/13 20:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- C:\Program Files\webserver\webserver.exe -- (webserver)
SRV - File not found [Unknown | Stopped] -- C:\WINDOWS\System32\HPZipm12.exe -- (Pml Driver HPZ12)
SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
SRV - File not found [Disabled | Stopped] -- C:\Program Files\NOS\bin\getPlus_HelperSvc.exe -- (getPlus® Helper) getPlus®
SRV - File not found [On_Demand | Stopped] -- C:\WINDOWS\System32\appmgmts.dll -- (AppMgmt)
SRV - [2010/06/21 21:22:56 | 000,053,760 | ---- | M] () [Auto | Start_Pending] -- C:\WINDOWS\system32\pdrv.dll -- (ppdrv)
SRV - [2010/03/12 09:23:57 | 000,308,064 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\avgwdsvc.exe -- (avg9wd)
SRV - [2009/08/05 12:49:44 | 000,284,016 | ---- | M] (Eastman Kodak Company) [Auto | Stopped] -- D:\Program Files\Kodak\AiO\Center\ekdiscovery.exe -- (Kodak AiO Network Discovery Service)
SRV - [2009/01/14 17:53:02 | 000,226,656 | ---- | M] (Microsoft Corp.) [Auto | Stopped] -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort)
SRV - [2006/06/02 04:52:58 | 000,339,456 | ---- | M] (O&O Software GmbH) [Auto | Running] -- C:\WINDOWS\system32\oodag.exe -- (O&O Defrag)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\XDva346.sys -- (XDva346)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\XDva279.sys -- (XDva279)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\XDva259.sys -- (XDva259)
DRV - [2010/06/21 21:22:55 | 000,047,616 | ---- | M] (pdrv) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\pdrv.sys -- (PDRV)
DRV - [2010/06/02 09:41:49 | 000,242,896 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgtdix.sys -- (AvgTdiX)
DRV - [2010/06/02 09:41:49 | 000,029,584 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\System32\Drivers\avgmfx86.sys -- (AvgMfx86)
DRV - [2010/03/12 09:23:34 | 000,216,200 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgldx86.sys -- (AvgLdx86)
DRV - [2010/01/16 20:05:46 | 000,279,712 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\atksgt.sys -- (atksgt)
DRV - [2010/01/16 20:05:46 | 000,025,888 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\lirsgt.sys -- (lirsgt)
DRV - [2009/02/24 18:42:14 | 000,116,736 | ---- | M] (MagicISO, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mcdbus.sys -- (mcdbus)
DRV - [2009/01/01 22:36:45 | 000,717,296 | ---- | M] (Duplex Secure Ltd.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)
DRV - [2008/12/01 15:13:40 | 003,452,928 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2008/10/31 11:52:16 | 000,093,184 | ---- | M] (ATI Research Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\AtiHdmi.sys -- (AtiHdmiService)
DRV - [2008/09/07 11:05:14 | 000,016,608 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\gdrv.sys -- (gdrv)
DRV - [2008/05/14 20:03:12 | 004,742,144 | R--- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2008/04/29 05:48:00 | 003,688,960 | R--- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RtHDMI.sys -- (RTHDMIAzAudService)
DRV - [2008/04/13 12:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008/01/04 02:10:16 | 000,105,856 | R--- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtenicxp.sys -- (RTLE8023xp)
DRV - [2007/10/31 20:56:00 | 000,036,864 | R--- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\l151x86.sys -- (AtcL001)
DRV - [2007/10/11 18:40:12 | 000,009,096 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\amdide.sys -- (amdide)
DRV - [2007/06/18 20:18:26 | 000,023,680 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\motmodem.sys -- (motmodem)
DRV - [2006/12/28 12:44:44 | 000,084,992 | ---- | M] (ATI Research Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\AtiHdAud.sys -- (HdAudAddService)
DRV - [2004/08/12 22:56:20 | 000,005,810 | R--- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ASACPI.sys -- (MTsensor)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1606980848-879983540-839522115-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKU\S-1-5-21-1606980848-879983540-839522115-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Restore = http://www.msn.com/
IE - HKU\S-1-5-21-1606980848-879983540-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


[2010/06/22 13:33:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\George & Jessica\Application Data\Mozilla\Extensions
[2009/04/05 04:58:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\George & Jessica\Application Data\Mozilla\Extensions\mozswing@mozswing.org
[2009/05/23 18:23:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\George & Jessica\Application Data\Mozilla\Firefox\extensions
[2009/05/23 18:23:19 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\George & Jessica\Application Data\Mozilla\Firefox\extensions\{E9A1DEE0-C623-4439-8932-001E7D17607D}

O1 HOSTS File: ([2001/08/18 08:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (PlaySushi) - {21608B66-026F-4DCB-9244-0DACA328DCED} - C:\Program Files\PlaySushi\PSText.dll ()
O3 - HKU\S-1-5-21-1606980848-879983540-839522115-1004\..\Toolbar\WebBrowser: (no name) - {1BB22D38-A411-4B13-A746-C2A4F4EC7344} - No CLSID value found.
O3 - HKU\S-1-5-21-1606980848-879983540-839522115-1004\..\Toolbar\WebBrowser: (Ask Toolbar) - {3041D03E-FD4B-44E0-B742-2D9B88305F98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll File not found
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [AVG9_TRAY] C:\Program Files\AVG\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [Conime] C:\WINDOWS\system32\conime.exe (Microsoft Corporation)
O4 - HKLM..\Run: [EKIJ5000StatusMonitor] C:\WINDOWS\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe (Eastman Kodak Company)
O4 - HKLM..\Run: [GEST] File not found
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKU\S-1-5-21-1606980848-879983540-839522115-1004..\Run: [EA Core] C:\Program Files\Electronic Arts\EADM\Core.exe File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1606980848-879983540-839522115-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - D:\Program Files\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Go to PlaySushi web site - {EBD24BD3-E272-4FA3-A8BA-C5D709757CAB} - C:\Program Files\PlaySushi\PSText.dll ()
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/8/b...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\avgpp.dll (AVG Technologies CZ, s.r.o.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O24 - Desktop WallPaper: C:\Documents and Settings\George & Jessica\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\George & Jessica\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/05/29 20:41:43 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2009/08/19 23:47:08 | 000,200,320 | ---- | M] () - D:\AUTO.pat -- [ NTFS ]
O32 - AutoRun File - [2009/08/19 23:47:08 | 000,000,020 | ---- | M] () - D:\AUTO.pst -- [ NTFS ]
O32 - AutoRun File - [2008/09/08 17:13:25 | 000,000,058 | R--- | M] () - E:\autorun.inf -- [ UDF ]
O33 - MountPoints2\{20ef944c-4d98-11df-b984-001fd08f5b02}\Shell - "" = AutoRun
O33 - MountPoints2\{20ef944c-4d98-11df-b984-001fd08f5b02}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{20ef944c-4d98-11df-b984-001fd08f5b02}\Shell\AutoRun\command - "" = H:\PhotoViewer.exe -- File not found
O33 - MountPoints2\{90d4b200-7ceb-11dd-b8fe-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{90d4b200-7ceb-11dd-b8fe-806d6172696f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{90d4b200-7ceb-11dd-b8fe-806d6172696f}\Shell\AutoRun\command - "" = E:\FalloutLauncher.exe -- [2008/09/18 14:38:35 | 006,981,048 | R--- | M] (Bethesda Softworks)
O33 - MountPoints2\H\Shell - "" = AutoRun
O33 - MountPoints2\H\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\H\Shell\AutoRun\command - "" = H:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (OODBS) - C:\WINDOWS\System32\OODBS.exe (O&O Software GmbH)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/07/13 16:21:36 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\George & Jessica\Desktop\OTL.exe
[2010/07/12 11:22:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\George & Jessica\Desktop\monkey goo
[2010/06/23 19:36:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\George & Jessica\Desktop\gmer
[2010/06/23 18:49:23 | 000,000,000 | ---D | C] -- C:\Program Files\ReflexiveArcade
[2010/06/22 13:33:51 | 000,000,000 | ---D | C] -- C:\Program Files\PlaySushi
[2010/06/21 21:22:55 | 000,047,616 | ---- | C] (pdrv) -- C:\WINDOWS\System32\drivers\pdrv.sys
[2010/06/20 21:01:33 | 000,076,288 | -H-- | C] (Pbhbaxg) -- C:\WINDOWS\bill112.exe
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\Documents and Settings\George & Jessica\My Documents\*.tmp files -> C:\Documents and Settings\George & Jessica\My Documents\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/07/13 16:21:36 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\George & Jessica\Desktop\OTL.exe
[2010/07/02 21:30:13 | 000,068,008 | ---- | M] () -- C:\Documents and Settings\George & Jessica\Desktop\DriverRecord_182137[1].pdf
[2010/07/02 20:55:07 | 000,036,864 | ---- | M] () -- C:\Documents and Settings\George & Jessica\Desktop\supplementals.doc
[2010/07/02 17:17:23 | 000,515,688 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/07/02 17:17:23 | 000,435,920 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/07/02 17:17:23 | 000,070,066 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/07/02 17:13:04 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/07/02 17:12:52 | 000,052,380 | ---- | M] () -- C:\WINDOWS\System32\OODBS.lor
[2010/07/02 16:07:53 | 000,012,656 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/06/23 19:30:24 | 005,767,168 | -H-- | M] () -- C:\Documents and Settings\George & Jessica\NTUSER.DAT
[2010/06/23 19:30:24 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\George & Jessica\ntuser.ini
[2010/06/23 19:30:13 | 000,000,020 | ---- | M] () -- C:\Documents and Settings\George & Jessica\defogger_reenable
[2010/06/23 19:27:39 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\George & Jessica\Desktop\gmer.zip
[2010/06/23 19:18:24 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\George & Jessica\Desktop\Defogger.exe
[2010/06/22 13:35:39 | 009,297,524 | ---- | M] () -- C:\Documents and Settings\George & Jessica\Desktop\Bejeweled2DeluxeSetup.exe
[2010/06/22 13:35:29 | 023,420,879 | ---- | M] () -- C:\Documents and Settings\George & Jessica\Desktop\Avernum5Setup.exe
[2010/06/22 11:40:27 | 004,296,888 | -H-- | M] () -- C:\Documents and Settings\George & Jessica\Local Settings\Application Data\IconCache.db
[2010/06/22 11:26:03 | 000,000,002 | ---- | M] () -- C:\Documents and Settings\George & Jessica\Local Settings\Application Data\04855511005551.xxe
[2010/06/22 11:26:03 | 000,000,001 | ---- | M] () -- C:\WINDOWS\lgo
[2010/06/22 11:20:37 | 000,156,160 | ---- | M] () -- C:\Documents and Settings\George & Jessica\Local Settings\Application Data\rdr_1277220034.exe
[2010/06/21 21:22:56 | 000,053,760 | ---- | M] () -- C:\WINDOWS\System32\pdrv.dll
[2010/06/21 21:22:55 | 000,047,616 | ---- | M] (pdrv) -- C:\WINDOWS\System32\drivers\pdrv.sys
[2010/06/21 08:18:16 | 061,273,118 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2010/06/20 21:07:46 | 000,000,001 | -H-- | M] () -- C:\WINDOWS\bk23567.dat
[2010/06/20 21:07:46 | 000,000,001 | ---- | M] () -- C:\WINDOWS\fdgg34353edfgdfdf
[2010/06/20 21:07:35 | 000,000,002 | ---- | M] () -- C:\Documents and Settings\George & Jessica\Local Settings\Application Data\0995154505553.xxe
[2010/06/20 21:06:37 | 000,000,002 | ---- | M] () -- C:\Documents and Settings\George & Jessica\Local Settings\Application Data\0535049569854.xxe
[2010/06/20 21:01:33 | 000,076,288 | -H-- | M] (Pbhbaxg) -- C:\WINDOWS\bill112.exe
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\Documents and Settings\George & Jessica\My Documents\*.tmp files -> C:\Documents and Settings\George & Jessica\My Documents\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/07/02 21:30:13 | 000,068,008 | ---- | C] () -- C:\Documents and Settings\George & Jessica\Desktop\DriverRecord_182137[1].pdf
[2010/06/30 18:04:53 | 000,036,864 | ---- | C] () -- C:\Documents and Settings\George & Jessica\Desktop\supplementals.doc
[2010/06/23 19:30:07 | 000,000,020 | ---- | C] () -- C:\Documents and Settings\George & Jessica\defogger_reenable
[2010/06/23 19:27:39 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\George & Jessica\Desktop\gmer.zip
[2010/06/23 19:18:21 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\George & Jessica\Desktop\Defogger.exe
[2010/06/22 13:35:33 | 009,297,524 | ---- | C] () -- C:\Documents and Settings\George & Jessica\Desktop\Bejeweled2DeluxeSetup.exe
[2010/06/22 13:35:28 | 023,420,879 | ---- | C] () -- C:\Documents and Settings\George & Jessica\Desktop\Avernum5Setup.exe
[2010/06/22 11:26:03 | 000,000,002 | ---- | C] () -- C:\Documents and Settings\George & Jessica\Local Settings\Application Data\04855511005551.xxe
[2010/06/22 11:20:36 | 000,156,160 | ---- | C] () -- C:\Documents and Settings\George & Jessica\Local Settings\Application Data\rdr_1277220034.exe
[2010/06/21 21:22:55 | 000,053,760 | ---- | C] () -- C:\WINDOWS\System32\pdrv.dll
[2010/06/20 21:07:46 | 000,000,001 | -H-- | C] () -- C:\WINDOWS\bk23567.dat
[2010/06/20 21:07:46 | 000,000,001 | ---- | C] () -- C:\WINDOWS\lgo
[2010/06/20 21:07:46 | 000,000,001 | ---- | C] () -- C:\WINDOWS\fdgg34353edfgdfdf
[2010/06/20 21:07:35 | 000,000,002 | ---- | C] () -- C:\Documents and Settings\George & Jessica\Local Settings\Application Data\0995154505553.xxe
[2010/06/20 21:06:37 | 000,000,002 | ---- | C] () -- C:\Documents and Settings\George & Jessica\Local Settings\Application Data\0535049569854.xxe
[2009/11/22 21:37:26 | 000,279,712 | ---- | C] () -- C:\WINDOWS\System32\drivers\atksgt.sys
[2009/11/22 21:37:26 | 000,025,888 | ---- | C] () -- C:\WINDOWS\System32\drivers\lirsgt.sys
[2009/06/09 20:21:29 | 000,000,287 | ---- | C] () -- C:\WINDOWS\SIERRA.INI
[2009/01/28 15:03:55 | 000,000,169 | ---- | C] () -- C:\WINDOWS\clientshell.INI
[2009/01/05 22:02:30 | 000,000,010 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2009/01/05 20:57:00 | 000,354,816 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2008/05/29 21:26:11 | 000,029,368 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2008/05/29 21:26:10 | 000,005,810 | R--- | C] () -- C:\WINDOWS\System32\drivers\ASACPI.sys
[2008/05/29 21:26:04 | 000,010,296 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2008/05/29 20:33:51 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/11/26 21:56:28 | 000,151,415 | ---- | C] () -- C:\WINDOWS\System32\xlive.dll.cat

========== Alternate Data Streams ==========

@Alternate Data Stream - 140 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:B211CA64
@Alternate Data Stream - 127 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:9B7E8561
@Alternate Data Stream - 120 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:BDCD0530
@Alternate Data Stream - 102 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C7DEC6B7
< End of report >


OTL Extras logfile created on: 7/13/2010 4:22:21 PM - Run 1
OTL by OldTimer - Version 3.2.9.0 Folder = C:\Documents and Settings\George & Jessica\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 66.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 91.00% Paging File free
Paging file location(s): C:\pagefile.sys 4092 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 30.34 Gb Total Space | 6.41 Gb Free Space | 21.14% Space Free | Partition Type: NTFS
Drive D: | 97.65 Gb Total Space | 7.34 Gb Free Space | 7.51% Space Free | Partition Type: NTFS
Drive E: | 5.51 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ASTRO-TURF
Current User Name: George & Jessica
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "D:\Program Files\Microsoft Office\Office10\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "D:\Program Files\Microsoft Office\Office10\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [Browse with FastStone] -- "d:\Program Files\FastStone Image Viewer\FSViewer.exe" "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008
"9322:TCP" = 9322:TCP:*:Enabled:EKDiscovery
"8085:TCP" = 8085:TCP:*:Enabled:pdrv
"1002:TCP" = 1002:TCP:*:Enabled:webserver
"4000:TCP" = 4000:TCP:*:Enabled:webserver
"53:TCP" = 53:TCP:*:Enabled:webserver

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\DNA\btdna.exe" = C:\Program Files\DNA\btdna.exe:*:Enabled:DNA -- (BitTorrent, Inc.)
"C:\Program Files\Electronic Arts\EADM\Core.exe" = C:\Program Files\Electronic Arts\EADM\Core.exe:*:Enabled:EA Download Manager -- File not found
"D:\Program Files\World of Warcraft\Launcher.exe" = D:\Program Files\World of Warcraft\Launcher.exe:*:Enabled:Blizzard Launcher -- (Blizzard Entertainment)
"D:\Program Files\Atari\Neverwinter Nights 2\nwn2main.exe" = D:\Program Files\Atari\Neverwinter Nights 2\nwn2main.exe:*:Enabled:Neverwinter Nights 2 Main -- (Obsidian Entertainment, Inc.)
"D:\Program Files\Atari\Neverwinter Nights 2\nwn2main_amdxp.exe" = D:\Program Files\Atari\Neverwinter Nights 2\nwn2main_amdxp.exe:*:Enabled:Neverwinter Nights 2 AMD -- (Obsidian Entertainment, Inc.)
"D:\Program Files\Atari\Neverwinter Nights 2\nwupdate.exe" = D:\Program Files\Atari\Neverwinter Nights 2\nwupdate.exe:*:Enabled:Neverwinter Nights 2 Updater -- (Obsidian Entertainment, Inc.)
"D:\Program Files\Atari\Neverwinter Nights 2\nwn2server.exe" = D:\Program Files\Atari\Neverwinter Nights 2\nwn2server.exe:*:Enabled:Neverwinter Nights 2 Server -- (Obsidian Entertainment, Inc.)
"D:\Program Files\THQ\Dawn of War DEMO\W40k.exe" = D:\Program Files\THQ\Dawn of War DEMO\W40k.exe:*:Enabled:W40K -- File not found
"D:\Program Files\LimeWire\LimeWire.exe" = D:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire -- (Lime Wire, LLC)
"D:\Program Files\Electronic Arts\The Lord of the Rings, The Rise of the Witch-king\game.dat" = D:\Program Files\Electronic Arts\The Lord of the Rings, The Rise of the Witch-king\game.dat:*:Enabled:The Lord of the Rings, The Rise of the Witch-king -- (Electronic Arts Inc.)
"C:\Program Files\Sega\Gas Powered Games\GPGNet\GPG.Multiplayer.Client.exe" = C:\Program Files\Sega\Gas Powered Games\GPGNet\GPG.Multiplayer.Client.exe:*:Enabled:GPGNet -- File not found
"D:\Program Files\Paradox Interactive\Majesty 2\Majesty2.exe" = D:\Program Files\Paradox Interactive\Majesty 2\Majesty2.exe:*:Enabled:Majesty 2 -- (1C:Ino-Co)
"D:\Program Files\Microsoft Games\Rise of Nations\rise.exe" = D:\Program Files\Microsoft Games\Rise of Nations\rise.exe:*:Enabled:Rise of Nations -- File not found
"D:\Program Files\Microsoft Games\Rise of Nations\thrones.exe" = D:\Program Files\Microsoft Games\Rise of Nations\thrones.exe:*:Enabled:Rise of Nations -- File not found
"D:\Program Files\Ubisoft\THE SETTLERS - Rise of an Empire\base\bin\Settlers6.exe" = D:\Program Files\Ubisoft\THE SETTLERS - Rise of an Empire\base\bin\Settlers6.exe:*:Enabled:THE SETTLERS - Rise of an Empire -- (Blue Byte GmbH)
"D:\Program Files\Microsoft Games\Dungeon Siege 2\DungeonSiege2.exe" = D:\Program Files\Microsoft Games\Dungeon Siege 2\DungeonSiege2.exe:*:Enabled:Dungeon Siege 2 Game Executable -- (Gas Powered Games)
"C:\Program Files\AVG\avgupd.exe" = C:\Program Files\AVG\avgupd.exe:*:Enabled:avgupd.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\avgnsx.exe" = C:\Program Files\AVG\avgnsx.exe:*:Enabled:avgnsx.exe -- (AVG Technologies CZ, s.r.o.)
"D:\Program Files\Kodak\AiO\Center\AiOHomeCenter.exe" = D:\Program Files\Kodak\AiO\Center\AiOHomeCenter.exe:*:Enabled:Kodak.AiO.HomeCenter -- (Eastman Kodak Company)
"D:\Program Files\Kodak\AiO\Center\Kodak.Statistics.exe" = D:\Program Files\Kodak\AiO\Center\Kodak.Statistics.exe:*:Enabled:Kodak.AiO.Statistics -- (Eastman Kodak Company)
"D:\Program Files\Kodak\AiO\Center\NetworkPrinterDiscovery.exe" = D:\Program Files\Kodak\AiO\Center\NetworkPrinterDiscovery.exe:*:Enabled:Kodak.AiO.SetupUtility -- (Eastman Kodak Company)
"D:\Program Files\Kodak\AiO\Firmware\KodakAiOUpdater.exe" = D:\Program Files\Kodak\AiO\Firmware\KodakAiOUpdater.exe:*:Enabled:Kodak.AiO.FwUpdater -- (Eastman Kodak Company)
"C:\Documents and Settings\All Users\Application Data\Kodak\Installer\Setup.exe" = C:\Documents and Settings\All Users\Application Data\Kodak\Installer\Setup.exe:*:Enabled:Kodak.AiO.Installer -- (KODAK)
"D:\Program Files\Turbine\DDO Unlimited\dndclient.exe" = D:\Program Files\Turbine\DDO Unlimited\dndclient.exe:*:Enabled:dndclient -- (Turbine, Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{01501EBA-EC35-4F9F-8889-3BE346E5DA13}" = MSXML4 Parser
"{0323C306-8B8C-BB5F-E644-5BFE9A42A7BF}" = Catalyst Control Center Localization Hungarian
"{054CCA19-DADE-A3C9-171A-8735E23CA6FA}" = Catalyst Control Center Localization Italian
"{055EE59D-217B-43A7-ABFF-507B966405D8}" = ATI Catalyst Control Center
"{0645A454-AD44-4F0D-99CF-6B762735AD1F}" = aioprnt
"{08B21B7E-DC6F-69F0-780F-FE7918726A34}" = Catalyst Control Center Localization Korean
"{106E35DE-FFF3-033A-0D1B-288A231BDE64}" = Catalyst Control Center Localization Russian
"{10934A28-0CC6-4B98-A14F-76B3546003AF}" = ksDIP
"{15095BF3-A3D7-4DDF-B193-3A496881E003}" = Microsoft .NET Framework 3.0
"{193DDD97-B56A-511D-0CD6-78D5F421D5BD}" = Catalyst Control Center HydraVision Full
"{19CA0312-BD69-A0DE-D242-BD806E9D627A}" = CCC Help Dutch
"{1A8F390D-E05E-A124-3FB7-89E3E49F81E2}" = CCC Help Polish
"{1B4FC4DB-4ACD-77A1-BA99-C820E5CB68BC}" = CCC Help Chinese Standard
"{259A8A5E-2886-4BED-9EF1-D5485282CCC3}" = Overlord
"{26A24AE4-039D-4CA4-87B4-2F83216012FF}" = Java™ 6 Update 20
"{2A9F95AB-65A3-432c-8631-B8BC5BF7477A}" = The Battle for Middle-earth ™ II
"{2BE013D0-4CF4-AA57-05E1-19F9FACCF622}" = CCC Help English
"{2ED57AFF-081D-3B60-0C76-E51F68A9F0D8}" = Catalyst Control Center Localization Polish
"{3248F0A8-6813-11D6-A77B-00B0D0150120}" = J2SE Runtime Environment 5.0 Update 12
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java™ 6 Update 5
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{336D9EAB-B952-6023-C94C-8DE52AD75E7D}" = Catalyst Control Center Localization German
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{36753DE9-4B0F-1C39-D2C6-D9E9A1814FC3}" = CCC Help Hungarian
"{4891561F-8CE7-1162-5967-E741306F7616}" = CCC Help Italian
"{491DD792-AD81-429C-9EB4-86DD3D22E333}" = Windows Communication Foundation
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4AE31F12-E34D-83C1-BA1A-D65AF3BBB95F}" = Catalyst Control Center Localization Spanish
"{4C8E4664-A6A1-4847-61D0-D4FA02C42BB0}" = Skins
"{4CACC1AC-7EDF-4E73-0019-A446CE2CA02B}" = Catalyst Control Center Localization Chinese Standard
"{4F28C8B9-E1A5-7BC1-915A-29913E129042}" = Catalyst Control Center Localization Japanese
"{53480370-6CA2-47EC-BC05-02B4B9271C31}" = O&O Defrag Professional Edition
"{56BA241F-580C-43D2-8403-947241AAE633}" = center
"{57B2B2E4-A1D5-1097-C223-6A4E81554458}" = Catalyst Control Center Localization Danish
"{5BE36E29-4207-2D14-1413-DF103390CC19}" = CCC Help French
"{5D2B8C32-D051-0DB0-D8BD-5CA32E13723B}" = CCC Help Swedish
"{5E85647B-DAF4-E174-9954-210D18B123E6}" = Catalyst Control Center Localization Thai
"{63CA4C0D-7C03-69FE-AE5D-96319AD6AA08}" = CCC Help Norwegian
"{667B8F35-6242-50D3-D69E-69D3BE5445D5}" = Catalyst Control Center Localization Finnish
"{68A35043-C55A-4237-88C9-37EE1C63ED71}" = Microsoft Visual J# 2.0 Redistributable Package
"{6A6818AD-60CE-9346-60BB-0717876E40F4}" = ccc-core-preinstall
"{6DAC0917-50F5-7F70-9776-4215DA7E2D1B}" = CCC Help German
"{6E19F210-3813-4002-B561-94D66AA182B6}" = Atheros Communications Inc.® L1 Gigabit Ethernet Driver
"{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}" = Microsoft .NET Framework 2.0
"{76E3C633-BC8E-E33D-8774-4A3DF581C8FE}" = CCC Help Portuguese
"{788F45B5-816D-2294-33DD-BF080093D54D}" = Catalyst Control Center Graphics Previews Common
"{79A636B4-3FA8-1E2F-A85D-6B6A4A0DA43D}" = CCC Help Russian
"{7A14BF33-11BF-033B-02CC-732A30C09314}" = Catalyst Control Center Localization Greek
"{7B9CC60A-9B81-46A3-A953-76B6BF9EEC97}" = Age of Empires III
"{7C7575F4-351D-8F62-5693-61D6E0171F85}" = CCC Help Korean
"{7D1B85BD-AA07-48B8-808D-67A4067FC6BD}" = Windows Workflow Foundation
"{82D1C246-2D78-5311-8D3F-8214B94EEFA4}" = CCC Help Turkish
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{85309D89-7BE9-4094-BB17-24999C6118FC}" = ArcSoft PhotoStudio 5.5
"{85B4D6CC-ADF6-A78F-1463-F70C2E274849}" = CCC Help Finnish
"{89DE67AD-08B8-4699-A55D-CA5C0AF82BF3}" = ATI AVIVO Codecs
"{8A183127-7EDB-B2DD-7D87-70FBFA3A33C1}" = Catalyst Control Center Localization Portuguese
"{8B35E3B4-0E9B-ED12-F102-EB8160DD1F46}" = Catalyst Control Center Localization Swedish
"{8BCAFB73-49AE-4AC4-00A1-70E4EC38BD4E}" = The Lord of the Rings, The Rise of the Witch-king
"{8FD6CA17-DB2B-9411-CEF5-B899DCBAB685}" = CCC Help Danish
"{90D73DED-670E-BE24-C645-C4D546A1F2C3}" = CCC Help Spanish
"{913D0409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Standard for Students and Teachers
"{9210C991-FE28-2B30-3E27-0F921AB5B9EC}" = Catalyst Control Center Localization Chinese Traditional
"{926D18B2-11B5-7210-621A-5231DC005705}" = CCC Help Czech
"{929CE49F-1CA7-4CF3-A9A1-6D757443C63F}" = Microsoft Games for Windows - LIVE Redistributable
"{98177940-C048-4831-A279-F3888B1E2C7F}" = InstallMgr
"{9B0CCE51-B328-D4F7-C4A4-65723AF20574}" = Catalyst Control Center Core Implementation
"{9C9CEB9D-53FD-49A7-85D2-FE674F72F24E}" = Microsoft Search Enhancement Pack
"{9DF0196F-B6B8-4C3A-8790-DE42AA530101}" = SPORE™
"{A13C84F5-B2FC-823B-ADB2-6F5B2A6EE9DE}" = ccc-utility
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A59BB15D-51B7-F12B-4548-8C0368243441}" = EA Download Manager UI
"{A8AC89BA-D8CB-4372-9743-1C54D23286B0}" = MSN Toolbar
"{AC76BA86-7AD7-1033-7B44-A82000000003}" = Adobe Reader 8.2.3
"{B6EF6DCE-078E-4952-A7FA-352A9C349EB0}" = MSN Toolbar
"{B70E4F29-F9C9-4D32-80F3-6E24ED1DBCDF}" = Catalyst Control Center Localization Norwegian
"{B7148D71-0A8F-4501-96B4-4E1CC67F874E}" = Microsoft Default Manager
"{B9C149DB-E4F6-573A-DF3B-B9E392F1BA64}" = CCC Help Thai
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{BDC209E0-8D38-F913-5246-4376FC4C3EF5}" = Catalyst Control Center Localization French
"{C05D8CDB-417D-4335-A38C-A0659EDFD6B8}" = The Sims™ 3
"{C73B3D3A-2FDC-EE8F-F0E5-0269A85014D3}" = Catalyst Control Center Graphics Light
"{C8C08FE3-05DC-7A8B-C23B-9276FFE21183}" = Catalyst Control Center Localization Dutch
"{C9BED750-1211-4480-B1A5-718A3BE15525}" = REALTEK GbE & FE Ethernet PCI-E NIC Driver
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CDCA3C32-FCE7-40E8-8CB5-7B0E87ADDFC9}_is1" = Majesty 2: The Fantasy Kingdom Sim
"{D00A7B31-C764-94AF-7915-87676458CC66}" = Catalyst Control Center Localization Turkish
"{D3B1C799-CB73-42DE-BA0F-2344793A095C}" = Catalyst Control Center - Branding
"{D3F80A98-05AB-4D8C-9272-766CCFA6A48D}" = THE SETTLERS - Rise of an Empire
"{D4B95A0D-CF13-633F-09A6-15D78B24F3AE}" = CCC Help Chinese Traditional
"{D9509DDD-74B4-A7CB-3669-7358BEE3C1AC}" = ccc-core-static
"{DA5BDB2A-12F0-4343-8351-21AAEB293990}" = PreReq
"{DE6B7599-D3EF-4436-8836-BAA0B0D7768D}" = aiofw
"{E0F274B7-592B-4669-8FB8-8D9825A09858}" = KODAK AiO Home Center
"{E2883E8F-472F-4fb0-9522-AC9BF37916A7}" = Adobe Download Manager
"{E3E71D07-CD27-46CB-8448-16D4FB29AA13}" = Microsoft WSE 3.0 Runtime
"{E46B244B-9BF2-EA75-2D4C-7BD0BA12860A}" = CCC Help Japanese
"{EA5C28E2-3048-5BC5-67C4-E0BB33C60FDA}" = Catalyst Control Center Localization Czech
"{ECA1A3B6-898F-4DCE-9F04-714CF3BA126B}" = Adobe Flash Player 10 Plugin
"{ECA89BA0-1C9B-237D-F59E-EC62534831A5}" = Catalyst Control Center Graphics Full New
"{ECB29C3B-4D64-17C0-430D-DEB933D76834}" = CCC Help Greek
"{ED862528-0058-F09F-F4B3-3E3276A3F3C7}" = Catalyst Control Center Graphics Full Existing
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F20C1251-1D0A-4944-B2AE-678581B33B19}" = Neverwinter Nights 2
"{FE24086F-3B0C-4C47-A874-97A7B8E2FBBE}" = aioscnnr
"15b35190-c6f9-11d9-9669-0800200c9a66_is1" = Dungeons & Dragons Online ®: Eberron Unlimited ™ v01.11.00.812
"AC3Filter" = AC3Filter (remove only)
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Shockwave Player" = Adobe Shockwave Player
"All ATI Software" = ATI - Software Uninstall Utility
"AMDAway INF" = AMDAway INF
"ATI Display Driver" = ATI Display Driver
"Avernum 5_is1" = Avernum 5
"AVG9Uninstall" = AVG Free 9.0
"Cliprex DVD Player Professional" = Cliprex DVD Player Professional Powered by Advantage
"com.ea.Vault.919CACB699904AC5D41B606703500DD39747C02D.1" = EA Download Manager UI
"Crazy Browser 3.0.0 RC1_is1" = Crazy Browser version 3.0.0 RC1
"Crazy Browser 3.0.3_is1" = Crazy Browser version 3.0.3
"Dungeon Keeper II" = Dungeon Keeper 2
"DungeonSiege2" = Dungeon Siege 2
"EA Download Manager" = EA Download Manager
"FastStone Image Viewer" = FastStone Image Viewer 3.6
"HijackThis" = HijackThis 2.0.2
"HospitalTycoon" = Hospital Tycoon
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{7B9CC60A-9B81-46A3-A953-76B6BF9EEC97}" = Age of Empires III
"jZip" = jZip
"LimeWire" = LimeWire 5.3.6
"Magic ISO Maker v5.5 (build 0276)" = Magic ISO Maker v5.5 (build 0276)
"MagicDisc 2.7.106" = MagicDisc 2.7.106
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 2.0" = Microsoft .NET Framework 2.0
"Microsoft .NET Framework 3.0" = Microsoft .NET Framework 3.0
"Microsoft Visual J# 2.0 Redistributable Package" = Microsoft Visual J# 2.0 Redistributable Package
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Playsushi" = Playsushi
"TBSB07183.TBSB07183Toolbar" = Fast Browser Search (My Web Tattoo)
"Tropico3" = Tropico 3 1.02
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"WMV9_VCM" = Microsoft Windows Media Video 9 VCM
"World of Warcraft" = World of Warcraft
"WT015792" = FATE
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1606980848-879983540-839522115-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{974C4B12-4D02-4879-85E0-61C95CC63E9E}" = Fallout 3
"BitTorrent DNA" = DNA
"Move Media Player" = Move Media Player
"Puzzle Pirates" = Puzzle Pirates

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 3/1/2009 2:23:24 PM | Computer Name = ASTRO-TURF | Source = Microsoft Office 10 | ID = 1000
Description = Faulting application excel.exe, version 10.0.2614.0, faulting module
excel.exe, version 10.0.2614.0, fault address 0x00009805.

Error - 3/14/2009 9:33:39 PM | Computer Name = ASTRO-TURF | Source = Application Error | ID = 1000
Description = Faulting application crazy browser.exe, version 3.0.0.0, faulting
module jvm.dll, version 11.0.0.16, fault address 0x000a96b6.

Error - 4/5/2009 4:53:25 AM | Computer Name = ASTRO-TURF | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.5512, faulting
module shell32.dll, version 6.0.2900.5622, fault address 0x0002b284.

Error - 4/9/2009 11:57:53 AM | Computer Name = ASTRO-TURF | Source = Application Error | ID = 1000
Description = Faulting application crazy browser.exe, version 3.0.0.0, faulting
module shlwapi.dll, version 6.0.2900.5512, fault address 0x000083d5.

Error - 5/10/2009 11:25:19 PM | Computer Name = ASTRO-TURF | Source = Application Error | ID = 1000
Description = Faulting application crazy browser.exe, version 3.0.0.0, faulting
module urlmon.dll, version 7.0.6000.16791, fault address 0x00004af9.

Error - 5/12/2009 8:53:49 PM | Computer Name = ASTRO-TURF | Source = Application Error | ID = 1000
Description = Faulting application crazy browser.exe, version 3.0.0.0, faulting
module unknown, version 0.0.0.0, fault address 0x00000000.

Error - 6/9/2009 8:29:23 PM | Computer Name = ASTRO-TURF | Source = Windows Product Activation | ID = 1012
Description = Due to hardware changes on this computer, you will need to reactivate
your Windows product.

Error - 6/30/2009 7:21:15 PM | Computer Name = ASTRO-TURF | Source = Application Error | ID = 1000
Description = Faulting application crazy browser.exe, version 3.0.0.0, faulting
module flash10b.ocx, version 10.0.22.87, fault address 0x000df9e8.

Error - 7/20/2009 9:27:54 AM | Computer Name = ASTRO-TURF | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.5512, faulting
module quartz.dll, version 6.5.2600.5822, fault address 0x000177d4.

Error - 7/20/2009 9:27:59 AM | Computer Name = ASTRO-TURF | Source = Application Error | ID = 1000
Description = Faulting application drwtsn32.exe, version 5.1.2600.0, faulting module
dbghelp.dll, version 5.1.2600.5512, fault address 0x0001295d.

[ System Events ]
Error - 7/2/2010 4:09:34 PM | Computer Name = ASTRO-TURF | Source = Service Control Manager | ID = 7022
Description = The ppdrv service hung on starting.

Error - 7/2/2010 4:15:46 PM | Computer Name = ASTRO-TURF | Source = Service Control Manager | ID = 7003
Description = The Kodak AiO Network Discovery Service service depends on the following
nonexistent service: Bonjour Service

Error - 7/2/2010 4:15:46 PM | Computer Name = ASTRO-TURF | Source = Service Control Manager | ID = 7000
Description = The webserver service failed to start due to the following error:
%%2

Error - 7/2/2010 4:16:06 PM | Computer Name = ASTRO-TURF | Source = Service Control Manager | ID = 7022
Description = The ppdrv service hung on starting.

Error - 7/2/2010 5:11:30 PM | Computer Name = ASTRO-TURF | Source = Service Control Manager | ID = 7031
Description = The AVG Free WatchDog service terminated unexpectedly. It has done
this 1 time(s). The following corrective action will be taken in 0 milliseconds:
Restart the service.

Error - 7/2/2010 5:14:28 PM | Computer Name = ASTRO-TURF | Source = Service Control Manager | ID = 7003
Description = The Kodak AiO Network Discovery Service service depends on the following
nonexistent service: Bonjour Service

Error - 7/2/2010 5:14:28 PM | Computer Name = ASTRO-TURF | Source = Service Control Manager | ID = 7000
Description = The webserver service failed to start due to the following error:
%%2

Error - 7/2/2010 5:15:34 PM | Computer Name = ASTRO-TURF | Source = Service Control Manager | ID = 7022
Description = The ppdrv service hung on starting.

Error - 7/2/2010 5:15:35 PM | Computer Name = ASTRO-TURF | Source = Service Control Manager | ID = 7034
Description = The SeaPort service terminated unexpectedly. It has done this 1 time(s).

Error - 7/5/2010 11:47:55 PM | Computer Name = ASTRO-TURF | Source = Service Control Manager | ID = 7031
Description = The ppdrv service terminated unexpectedly. It has done this 1 time(s).
The following corrective action will be taken in 60000 milliseconds: Restart the
service.


< End of report >


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/07/13 16:29
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA8E11000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA5E6000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0x8AB5A000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\Documents and Settings\George & Jessica\Local Settings\Temporary Internet Files\Content.IE5\ZFLVBWZ2\bullet_pdf[1].gif
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\George & Jessica\Local Settings\Temporary Internet Files\Content.IE5\ZFLVBWZ2\index[2].htm
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\George & Jessica\Local Settings\Temporary Internet Files\Content.IE5\ZFLVBWZ2\subhead_r1_c4[1].jpg
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\George & Jessica\Local Settings\Temporary Internet Files\Content.IE5\ZFLVBWZ2\subhead_r6_c5[1].jpg
Status: Visible to the Windows API, but not on disk.

==EOF==




#11 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  • Gender:Female
  • Local time:08:26 PM

Posted 14 July 2010 - 01:18 PM

Hello,



Your log(s) show that you are using so-called peer-to-peer or file-sharing programmes (in your case LimeWire). These programmes allow users to share files between themselves, as the name suggests. In today's world cyber crime has reached an enormous dimension, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, so it is suggested that they be used with intense care. Some further readings on this subject, along with the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries around the world, and you are putting yourself at risk of being indicted by organisations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or by the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."



Also, I would like you to uninstall Fast Browser Search (My Web Tattoo) via Add/Remove programs because it isn't safe.




From my research your system is infected with a Facebook worm called Koobface. To avoid infecting other systems you shouldn't log in to your Facebook account (or Myspace).




Try running GMER again but before starting the scan untick the options IAT/EAT and Devices from the right column. Tell me what happens and if it works, save the new logfile.



I will be back with other instructions as soon as you have accomplished the ones I have already given to you.





Elle
Can you hear it? It's all around!

Tomar ki manè acchè?
Yadi thakè, tahalè
Ki kshama kartè paro
?



If I haven't replied in 48 hours, please feel free to send me a PM.




#12 gwinneriii

gwinneriii
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:01:26 PM

Posted 14 July 2010 - 08:15 PM

Ok, bad news in two parts.

Part One:
Fast Web Search (MyWebTattoo) will not uninstall. Clicking Remove/Uninstall in the Add/Remove window does essentially nothing. No uninstall windows, no website popups, NOTHING; the program is obviously still in the list as well.

Part Two:
I'm now getting BSODs on gmer, two so far...still attempting.

Awaiting my next orders.

#13 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  • Gender:Female
  • Local time:08:26 PM

Posted 16 July 2010 - 12:57 AM

Hi,


We need to run an OTL Fix
  1. Please reopen on your desktop.
  2. Copy and Paste the following code into the textbox. Do not include the word "Code"
    CODE
    :OTL
    O2 - BHO: (PlaySushi) - {21608B66-026F-4DCB-9244-0DACA328DCED} - C:\Program Files\PlaySushi\PSText.dll ()
    O3 - HKU\S-1-5-21-1606980848-879983540-839522115-1004\..\Toolbar\WebBrowser: (no name) - {1BB22D38-A411-4B13-A746-C2A4F4EC7344} - No CLSID value found.
    O3 - HKU\S-1-5-21-1606980848-879983540-839522115-1004\..\Toolbar\WebBrowser: (Ask Toolbar) - {3041D03E-FD4B-44E0-B742-2D9B88305F98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll File not found
    O32 - AutoRun File - [2008/09/08 17:13:25 | 000,000,058 | R--- | M] () - E:\autorun.inf -- [ UDF ]
    O33 - MountPoints2\H\Shell\AutoRun\command - "" = H:\LaunchU3.exe -- File not found
    O4 - HKLM..\Run: [GEST] File not found
    [2010/06/22 13:33:51 | 000,000,000 | ---D | C] -- C:\Program Files\PlaySushi
    [2010/06/21 21:22:55 | 000,047,616 | ---- | C] (pdrv) -- C:\WINDOWS\System32\drivers\pdrv.sys
    [2010/06/20 21:01:33 | 000,076,288 | -H-- | C] (Pbhbaxg) -- C:\WINDOWS\bill112.exe
    [2010/06/22 11:26:03 | 000,000,002 | ---- | M] () -- C:\Documents and Settings\George & Jessica\Local Settings\Application Data\04855511005551.xxe
    [2010/06/22 11:26:03 | 000,000,001 | ---- | M] () -- C:\WINDOWS\lgo
    [2010/06/22 11:20:37 | 000,156,160 | ---- | M] () -- C:\Documents and Settings\George & Jessica\Local Settings\Application Data\rdr_1277220034.exe
    [2010/06/21 21:22:56 | 000,053,760 | ---- | M] () -- C:\WINDOWS\System32\pdrv.dll
    [2010/06/21 21:22:55 | 000,047,616 | ---- | M] (pdrv) -- C:\WINDOWS\System32\drivers\pdrv.sys
    [2010/06/20 21:07:46 | 000,000,001 | -H-- | M] () -- C:\WINDOWS\bk23567.dat
    [2010/06/20 21:07:46 | 000,000,001 | ---- | M] () -- C:\WINDOWS\fdgg34353edfgdfdf
    [2010/06/20 21:07:35 | 000,000,002 | ---- | M] () -- C:\Documents and Settings\George & Jessica\Local Settings\Application Data\0995154505553.xxe
    [2010/06/20 21:06:37 | 000,000,002 | ---- | M] () -- C:\Documents and Settings\George & Jessica\Local Settings\Application Data\0535049569854.xxe
    @Alternate Data Stream - 140 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:B211CA64
    @Alternate Data Stream - 127 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:9B7E8561
    @Alternate Data Stream - 120 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:BDCD0530
    @Alternate Data Stream - 102 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C7DEC6B7
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\XDva346.sys -- (XDva346)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\XDva279.sys -- (XDva279)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\XDva259.sys -- (XDva259)
    SRV - File not found [Auto | Stopped] -- C:\Program Files\webserver\webserver.exe -- (webserver)
    SRV - [2010/06/21 21:22:56 | 000,053,760 | ---- | M] () [Auto | Start_Pending] -- C:\WINDOWS\system32\pdrv.dll -- (ppdrv)
    DRV - [2010/06/21 21:22:55 | 000,047,616 | ---- | M] (pdrv) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\pdrv.sys -- (PDRV)
    :commands
    [emptytemp]
    [resethosts]
  3. Push
  4. OTL may ask to reboot the machine. Please do so if asked.
  5. Click .
  6. A report will open. Copy and Paste that report in your next reply.



How is the system working now? Try running GMER.


Elle
Can you hear it? It's all around!

Tomar ki manè acchè?
Yadi thakè, tahalè
Ki kshama kartè paro
?



If I haven't replied in 48 hours, please feel free to send me a PM.



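The fix script in the post above is a list of OTL entries, one per line, in the same shape OTL writes them in its own scan log: file entries in `[timestamp | size | attributes | C/M] (company) -- path` form, `@Alternate Data Stream` lines, and `SRV`/`DRV` service and driver registrations. As an added example that is not part of this thread and not OTL's own code, the following Python parses those three entry formats and attaches the review notes a helper looks for when reading such a script (hidden attribute set, a loose file directly under `%WINDIR%`, no company/version information, a service registration pointing at a file that no longer exists). The sample input is constructed from lines quoted in the post; the meaning of the third attribute position (`S` for system) is an assumption, the `R`, `H` and `D` positions appear in the script itself.

```python
"""Parse OTL fix-script entries and attach triage notes (added example, not OTL code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the shape of the fix script posted above.
SAMPLE_FIX = r"""
:OTL
O4 - HKLM..\Run: [GEST] File not found
[2010/06/20 21:01:33 | 000,076,288 | -H-- | C] (Pbhbaxg) -- C:\WINDOWS\bill112.exe
[2010/06/21 21:22:55 | 000,047,616 | ---- | C] (pdrv) -- C:\WINDOWS\System32\drivers\pdrv.sys
[2010/06/20 21:07:46 | 000,000,001 | -H-- | M] () -- C:\WINDOWS\bk23567.dat
@Alternate Data Stream - 140 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:B211CA64
SRV - [2010/06/21 21:22:56 | 000,053,760 | ---- | M] () [Auto | Start_Pending] -- C:\WINDOWS\system32\pdrv.dll -- (ppdrv)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\XDva346.sys -- (XDva346)
:commands
[emptytemp]
[resethosts]
"""

# File/folder entry: [date time | size | attrs | C(reated)/M(odified)] (company) -- path
FILE_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-A-Z]{4}) \| (?P<cm>[CM])\] \((?P<company>.*?)\) -- (?P<path>.+)$"
)
ADS_RE = re.compile(r"^@Alternate Data Stream - (?P<size>\d+) bytes -> (?P<target>.+)$")
SVC_RE = re.compile(r"^(?P<kind>SRV|DRV) - (?P<state>.+?) -- (?P<path>.+) -- \((?P<name>.+)\)$")
# A file sitting directly in the Windows directory, with no further sub-folder.
WINDIR_RE = re.compile(r"^C:\\WINDOWS\\[^\\]+$", re.IGNORECASE)


@dataclass
class Entry:
    kind: str                     # "file", "dir", "ads", "service" or "driver"
    path: str
    size: Optional[int] = None
    hidden: bool = False
    company: str = ""
    name: str = ""                # stream name or service name
    present: bool = True          # False when OTL reported "File not found"
    flags: List[str] = field(default_factory=list)


def parse_fix_script(text: str) -> List[Entry]:
    """Turn the file, ADS and service/driver lines of an OTL fix script into Entry records."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = FILE_RE.match(line)
        if m:
            attrs = m["attrs"]
            # Attribute positions: R(ead-only), H(idden), S(ystem, assumed), D(irectory).
            entries.append(Entry(kind="dir" if attrs[3] == "D" else "file", path=m["path"],
                                 size=int(m["size"].replace(",", "")),
                                 hidden=attrs[1] == "H", company=m["company"]))
            continue
        m = ADS_RE.match(line)
        if m:
            host, stream = m["target"].rsplit(":", 1)   # drive colon stays with the host path
            entries.append(Entry(kind="ads", path=host, size=int(m["size"]), name=stream))
            continue
        m = SVC_RE.match(line)
        if m:
            entries.append(Entry(kind="service" if m["kind"] == "SRV" else "driver",
                                 path=m["path"], name=m["name"],
                                 present=not m["state"].startswith("File not found")))
        # Section markers (":OTL", ":commands"), commands ("[emptytemp]") and the
        # O-numbered registry lines are left to OTL itself.
    return entries


def triage(entries: List[Entry]) -> List[Entry]:
    """Attach the notes a reviewer would want before approving such a script."""
    for e in entries:
        if e.kind == "ads":
            e.flags.append("alternate data stream on a temp-directory host file")
        if e.hidden:
            e.flags.append("hidden attribute set")
        if e.kind == "file" and not e.company:
            e.flags.append("no company/version information")
        if e.kind == "file" and WINDIR_RE.match(e.path):
            e.flags.append("loose file directly under %WINDIR%")
        if e.kind in ("service", "driver") and not e.present:
            e.flags.append("service registration points at a missing file")
    return entries


def summarize(text: str) -> List[Entry]:
    """Parse and triage a fix script in one call."""
    return triage(parse_fix_script(text))


if __name__ == "__main__":
    for e in summarize(SAMPLE_FIX):
        print(f"{e.kind:8} {e.path}{':' + e.name if e.kind == 'ads' else ''}")
        for f in e.flags:
            print(f"         - {f}")
```

The point of the triage pass is that a fix script is an action list: every path in it gets moved or every service gets deleted, so the reviewer wants the evidence for each line visible next to it before the script is run. The entries the script above picks out for `bill112.exe` (hidden, loose under `%WINDIR%`) and the orphaned `XDva*` drivers are exactly the ones that carried the decision in the post.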

#14 gwinneriii

gwinneriii
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:01:26 PM

Posted 18 July 2010 - 08:03 AM

OTL and GMER logs. Finally I was able to complete a GMER scan without stalling the system out. ugh!
All processes killed
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{21608B66-026F-4DCB-9244-0DACA328DCED}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21608B66-026F-4DCB-9244-0DACA328DCED}\ deleted successfully.
C:\Program Files\PlaySushi\PSText.dll moved successfully.
Registry value HKEY_USERS\S-1-5-21-1606980848-879983540-839522115-1004\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{1BB22D38-A411-4B13-A746-C2A4F4EC7344} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1BB22D38-A411-4B13-A746-C2A4F4EC7344}\ not found.
Registry value HKEY_USERS\S-1-5-21-1606980848-879983540-839522115-1004\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{3041D03E-FD4B-44E0-B742-2D9B88305F98} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3041D03E-FD4B-44E0-B742-2D9B88305F98}\ deleted successfully.
File move failed. E:\autorun.inf scheduled to be moved on reboot.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\H\ deleted successfully.
File H:\LaunchU3.exe not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\GEST deleted successfully.
C:\Program Files\PlaySushi folder moved successfully.
C:\WINDOWS\system32\drivers\pdrv.sys moved successfully.
C:\WINDOWS\bill112.exe moved successfully.
C:\Documents and Settings\George & Jessica\Local Settings\Application Data\04855511005551.xxe moved successfully.
C:\WINDOWS\lgo moved successfully.
C:\Documents and Settings\George & Jessica\Local Settings\Application Data\rdr_1277220034.exe moved successfully.
C:\WINDOWS\system32\pdrv.dll moved successfully.
File C:\WINDOWS\System32\drivers\pdrv.sys not found.
C:\WINDOWS\bk23567.dat moved successfully.
C:\WINDOWS\fdgg34353edfgdfdf moved successfully.
C:\Documents and Settings\George & Jessica\Local Settings\Application Data\0995154505553.xxe moved successfully.
C:\Documents and Settings\George & Jessica\Local Settings\Application Data\0535049569854.xxe moved successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:B211CA64 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:9B7E8561 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:BDCD0530 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:C7DEC6B7 deleted successfully.
Service XDva346 stopped successfully!
Service XDva346 deleted successfully!
File C:\WINDOWS\System32\XDva346.sys not found.
Service XDva279 stopped successfully!
Service XDva279 deleted successfully!
File C:\WINDOWS\System32\XDva279.sys not found.
Service XDva259 stopped successfully!
Service XDva259 deleted successfully!
File C:\WINDOWS\System32\XDva259.sys not found.
Service webserver stopped successfully!
Service webserver deleted successfully!
File C:\Program Files\webserver\webserver.exe not found.
Error: Unable to stop service ppdrv!
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ppdrv deleted successfully.
File C:\WINDOWS\system32\pdrv.dll not found.
Error: Unable to stop service PDRV!
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PDRV deleted successfully.
File C:\WINDOWS\system32\drivers\pdrv.sys not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 13689524 bytes
->Flash cache emptied: 41620 bytes

User: George & Jessica
->Temp folder emptied: 2091634449 bytes
->Temporary Internet Files folder emptied: 13834843 bytes
->Java cache emptied: 343391994 bytes
->Flash cache emptied: 2362140 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 1138618 bytes
%systemroot%\System32 .tmp files removed: 2832913 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 655789 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 21389 bytes

Total Files Cleaned = 2,355.00 mb

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.2.9.0 log created on 07172010_085145

Files\Folders moved on Reboot...
File move failed. E:\autorun.inf scheduled to be moved on reboot.
File\Folder C:\Documents and Settings\George & Jessica\Local Settings\Temp\Temporary Internet Files\Content.IE5\ALQHMBSD\ws=2&show_join_link=0&show_profile=0&site=ffadult&size=6&text_color=%23abc8fa&this_page=banners_member_models_customize&thumb=bigthumb&title_color=%23ffffff&width=728px&iframe=1 not found!

Registry entries deleted on Reboot...



GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-07-18 08:54:42
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\GEORGE~1\LOCALS~1\Temp\uglcapob.sys


---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB5898000, 0x1B601E, 0xE8000020]
.text C:\WINDOWS\system32\DRIVERS\atksgt.sys section is writeable [0xA6774300, 0x3AF78, 0xE8000020]
.text C:\WINDOWS\system32\DRIVERS\lirsgt.sys section is writeable [0xBA3F0300, 0x1BCE, 0xE8000020]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OODEFRAG08.00.00.01WORKSTATION

---- EOF - GMER 1.0.15 ----


#15 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  • Gender:Female
  • Local time:08:26 PM

Posted 18 July 2010 - 09:20 AM

Hello,

Please run OTL again, but with the settings I gave in my first post.

Copy/paste the OTL.txt log here.



Elle
Can you hear it? It's all around!

Tomar ki manè acchè?
Yadi thakè, tahalè
Ki kshama kartè paro
?



If I haven't replied in 48 hours, please feel free to send me a PM.






