
Kaspersky Anti-Virus disabled/Slow loading webpages


  • This topic is locked
25 replies to this topic

#1 phoenix85

phoenix85

  • Members
  • 81 posts
  • OFFLINE
  • Local time:04:56 PM

Posted 28 June 2010 - 09:03 PM

Referral link: http://www.bleepingcomputer.com/forums/t/324772/my-pc-is-infected-with-trojan-virus/

Hi,

I have been instructed by moderator Boopme from this forum, to post a new thread concerning problems with installing Kaspersky Anti-Virus program.

A couple of weeks ago, I discovered that my computer was considerably slow in loading webpages using my Firefox browser. In addition, both Kaspersky anti-virus and MalwareBytes had been disabled. I figured that my computer had been infected and discontinued using the internet. From talking to my fellow user, I suspected that he might have brought in the bug from Myspace. Fortunately, on running a SUPER scan, it picked up some malware infection named Trojan.Dropper/Malevo-NV. I had it quarantined and removed immediately, but this wouldn't fix either the anti-virus software or MalwareBytes. I tried to fix this by accessing Windows XP in safe mode and that failed too.


I posted a topic in the Am I infected? What do I do? thread concerning the issue and got MalwareBytes to work again. I got it updated and, on scanning, it picked up a whole lot of infections including Trojan.IRCBrute. Got all of them deleted and removed successfully. I also got to run Windows XP in safe mode. I had removed the anti-virus software using the Kaspersky removal tool and tried to reinstall it both in safe and normal mode, unsuccessfully. In safe mode, it gave me this error: "The system administrator has set policies to prevent this installation". On the other hand, in normal mode it produced this error: "Error 1402. Could not open key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon\Notify\klogon. Verify that you have sufficient access to that key, or contact your support personnel."

I have completed steps 6-8 described in the preparation guide without any problems. The DDS and GMER logs have been attached below.

Awaiting response.
Thanks

Attached Files


Edited by phoenix85, 28 June 2010 - 09:06 PM.




#2 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  • Gender:Male
  • Location:US
  • Local time:04:56 PM

Posted 29 June 2010 - 02:00 AM

Hello, and welcome to the Malware Removal forum! My online alias is Blade Zephon, or Blade for short, and I will be assisting you with your malware issues!

If you have since resolved the original problem you were having, we would appreciate you letting us know.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Before we begin cleaning your machine, I'd like to lay out some guidelines for us to follow while we are working together.
  • I will be assisting you with your malware issues. This may or may not resolve other problems you are having with your computer. If you are still having problems after your machine has been determined clean, I will be glad to direct you to the proper forum for assistance.
  • Even if things appear better, that does not mean we are finished. Please continue to follow my instructions until I give you the all clean. Absence of symptoms does not mean that all the malware has been removed. If a piece of the infection is left, it can regenerate and reinfect your machine.
  • Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • I ask that you please refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. If you act independently it will cause changes to your system that I will not be aware of, which will make the process of cleaning the machine a much slower and more difficult process. Additionally, some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you are unsure or confused about any instructions I give you, you should ask me to clarify before doing anything. Additionally, if you run into any problems while carrying out instructions, you should STOP and reply back here explaining what happened.
  • After 5 days if a topic is not replied to we assume it has been abandoned and it is closed. If you need additional time, that is perfectly alright; you just need to let us know beforehand.

  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Check the boxes beside LOP Check and Purity Check.
  • Under the "Custom Scans/Fixes" section paste in the following:

    netsvc
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
  • Push the button.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and paste them into the body of your next reply.

~Blade


In your next reply, please include the following:
OTL.txt
Extras.txt


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
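The custom scan Blade asks for above hashes a list of boot-critical drivers wherever a copy exists on disk, and the usual way to read the resulting `< MD5 for: ... >` sections is to compare the live copy under `system32\drivers` with the reference copy the service pack left under `ServicePackFiles\i386`; the same OTL log also lists every hosts-file entry under `O1 - Hosts:`. The following Python script is an added example, not part of this thread and not OTL's own code, that performs both checks over constructed sample lines written in OTL's output format: the hosts-file address and the security-vendor names mirror the log posted in this thread, while the `exampledrv.sys` entries, their vendor string and their hashes are invented placeholders used only to show what a mismatch looks like.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in OTL's output format (not a real system's log). The
# atapi.sys lines and the 241.229.181.110 hosts entries follow the log in this
# thread; the exampledrv.sys entries and their hashes are placeholders.
SAMPLE_LOG = r"""O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 0.0.0.0 ads.example.invalid
O1 - Hosts: 241.229.181.110 download.bleepingcomputer.com
O1 - Hosts: 241.229.181.110 downloads.sophos.com
O1 - Hosts: 13779 more lines...
< MD5 for: ATAPI.SYS >
[2010/02/07 22:00:32 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/04 06:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
< MD5 for: EXAMPLEDRV.SYS >
[2008/04/13 14:40:30 | 000,040,960 | ---- | M] (Placeholder Vendor) MD5=00000000000000000000000000000001 -- C:\WINDOWS\ServicePackFiles\i386\exampledrv.sys
[2010/06/20 03:12:11 | 000,040,960 | ---- | M] (Placeholder Vendor) MD5=00000000000000000000000000000002 -- C:\WINDOWS\system32\drivers\exampledrv.sys
"""

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
MD5_HEADER_RE = re.compile(r"^< MD5 for: (.+?) >")
MD5_ENTRY_RE = re.compile(r"MD5=([0-9A-Fa-f]{32}) -- (.+)$")


def _is_sinkhole(token):
    """True for loopback/unspecified addresses (what a legitimate ad-blocking
    hosts file uses), False for any other address, None if the token is not an
    address at all (e.g. OTL's '13779 more lines...' summary line)."""
    try:
        ip = ipaddress.ip_address(token)
    except ValueError:
        return None
    return ip.is_loopback or ip.is_unspecified


def suspicious_hosts(lines):
    """Return (address, hostname) pairs for hosts entries that send a name
    somewhere other than loopback. Redirecting security-vendor domains to a
    third-party address is what blocks updates and downloads of removal tools."""
    hits = []
    for line in lines:
        m = HOSTS_RE.match(line)
        if m and _is_sinkhole(m.group(1)) is False:
            hits.append((m.group(1), m.group(2)))
    return hits


def parse_md5_sections(lines):
    """Map each driver name in the '< MD5 for: NAME >' sections to
    {lower-cased path: MD5}. Lines without an MD5= field (the .cab entries)
    are ignored because OTL prints no hash for them."""
    by_name = defaultdict(dict)
    current = None
    for line in lines:
        h = MD5_HEADER_RE.match(line)
        if h:
            current = h.group(1).lower()
            continue
        e = MD5_ENTRY_RE.search(line)
        if e and current:
            by_name[current][e.group(2).lower()] = e.group(1).upper()
    return by_name


def md5_mismatches(lines):
    """Return {driver: (reference_md5, live_md5)} for drivers whose copy under
    system32 differs from the ServicePackFiles\\i386 copy. The pre-service-pack
    copy in $NtServicePackUninstall$ and the ReinstallBackups copies are
    deliberately not used as references: they are expected to differ."""
    out = {}
    for name, copies in parse_md5_sections(lines).items():
        ref = live = None
        for path, digest in copies.items():
            if "\\servicepackfiles\\i386\\" in path:
                ref = digest
            elif "\\system32\\" in path and "reinstallbackups" not in path:
                live = digest
        if ref and live and ref != live:
            out[name] = (ref, live)
    return out


def triage(lines):
    """Run both checks and return human-readable findings."""
    findings = [f"hosts entry redirects {host} to {ip}" for ip, host in suspicious_hosts(lines)]
    for name, (ref, live) in md5_mismatches(lines).items():
        findings.append(f"{name}: live copy MD5 {live} differs from ServicePackFiles copy {ref}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG.splitlines()):
        print(finding)
```

A differing hash is a lead, not proof of tampering: a driver updated by a hotfix or a vendor package will also differ from the service-pack copy, so the timestamp, size and signer on the OTL line still have to be read alongside the hash. The comparison deliberately ignores the `$NtServicePackUninstall$` copy, which is the pre-SP3 file and differs from the live copy on a healthy machine, as the atapi.sys lines in the log below show.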


#3 phoenix85

phoenix85
  • Topic Starter

  • Members
  • 81 posts
  • OFFLINE
  • Local time:04:56 PM

Posted 29 June 2010 - 08:14 PM

Thank you for assisting me on relatively short notice, Blade. I was expecting some delay, but this was quite fast. Anyway, the contents of the OTL scan have been posted below.

A side note: I used my USB drive to transfer the OTL.exe app from my clean PC to the infected one. Similarly, I transferred the .txt files and posted them here using the above procedure, just to be safe. I hope this is alright.


OTL.txt

OTL logfile created on: 6/29/2010 8:57:57 PM - Run 1
OTL by OldTimer - Version 3.2.7.0 Folder = C:\Documents and Settings\Twinkle\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

894.00 Mb Total Physical Memory | 624.00 Mb Available Physical Memory | 70.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 88.00% Paging File free
Paging file location(s): C:\pagefile.sys 1344 2688 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.04 Gb Total Space | 135.17 Gb Free Space | 90.70% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 15.01 Gb Total Space | 15.00 Gb Free Space | 99.95% Space Free | Partition Type: FAT32
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: E-MACHINES
Current User Name: Twinkle
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/06/29 20:46:14 | 000,574,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Twinkle\Desktop\OTL.exe
PRC - [2010/06/02 20:50:58 | 001,144,104 | ---- | M] () -- C:\Program Files\DivX\DivX Update\DivXUpdate.exe
PRC - [2010/03/09 16:02:16 | 000,202,256 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PRC - [2010/02/18 16:40:26 | 002,012,912 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
PRC - [2009/02/26 15:24:50 | 000,097,680 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
PRC - [2009/02/10 12:03:16 | 000,745,472 | R--- | M] (Brother Industries, Ltd.) -- C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/01/31 15:01:38 | 000,159,744 | R--- | M] (Brother Industries, Ltd.) -- C:\Program Files\Brother\Brmfcmon\BrMfcMon.exe
PRC - [2007/10/11 20:03:10 | 000,029,984 | ---- | M] (Nuance Communications, Inc.) -- C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe


========== Modules (SafeList) ==========

MOD - [2010/06/29 20:46:14 | 000,574,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Twinkle\Desktop\OTL.exe
MOD - [2008/04/13 20:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========


========== Driver Services (SafeList) ==========

DRV - [2010/02/17 10:25:50 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2010/02/17 10:15:58 | 000,066,632 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010/02/17 10:15:58 | 000,012,872 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | On_Demand | Running] -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
DRV - [2010/01/12 13:03:34 | 010,276,768 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2008/08/01 19:36:26 | 000,022,016 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus)
DRV - [2008/08/01 19:36:20 | 000,054,784 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD)
DRV - [2008/05/20 18:53:00 | 004,800,000 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2008/04/13 12:36:05 | 000,144,384 | ---- | M] (Windows Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008/01/25 21:01:06 | 000,132,096 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\nvgts.sys -- (nvgts)
DRV - [2007/04/16 22:46:00 | 000,033,792 | ---- | M] (Advanced Micro Devices) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AmdPPM.sys -- (AmdPPM)
DRV - [2004/10/15 13:50:20 | 000,015,295 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BrScnUsb.sys -- (BrScnUsb)
DRV - [2004/09/29 16:36:29 | 000,015,360 | ---- | M] (Motorola Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\NetMotCM.sys -- (ndiscm)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-842925246-57989841-682003330-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = www.google.ca
IE - HKU\S-1-5-21-842925246-57989841-682003330-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://ca.msn.com/?rd=1
IE - HKU\S-1-5-21-842925246-57989841-682003330-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\S-1-5-21-842925246-57989841-682003330-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = CE 51 7B 74 84 CC CA 01 [binary data]
IE - HKU\S-1-5-21-842925246-57989841-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/20 21:39:45 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/06/11 08:05:43 | 000,000,000 | ---D | M]

[2010/02/08 14:08:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Twinkle\Application Data\Mozilla\Extensions
[2010/06/15 19:32:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Twinkle\Application Data\Mozilla\Firefox\Profiles\j0x7jhp7.default\extensions
[2010/05/01 21:01:55 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\Twinkle\Application Data\Mozilla\Firefox\Profiles\j0x7jhp7.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010/06/15 19:32:17 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/05/09 19:09:13 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2008/08/16 18:42:02 | 000,070,456 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\CgpCore.dll
[2008/08/16 18:42:12 | 000,091,448 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\confmgr.dll
[2008/08/16 18:42:08 | 000,020,800 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\ctxlogging.dll
[2008/05/21 09:41:08 | 000,479,232 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\msvcm80.dll
[2008/05/21 09:41:08 | 000,548,864 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\msvcp80.dll
[2008/05/21 09:41:08 | 000,626,688 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\msvcr80.dll
[2010/05/09 19:08:58 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2008/08/16 18:44:46 | 000,427,312 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npicaN.dll
[2008/08/16 18:42:04 | 000,023,864 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\TcpPServ.dll

O1 HOSTS File: ([2010/06/26 01:44:54 | 003,961,789 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 241.229.181.110 msnfix.changelog.fr
O1 - Hosts: 241.229.181.110 www.incodesolutions.com
O1 - Hosts: 241.229.181.110 virusinfo.prevx.com
O1 - Hosts: 241.229.181.110 download.bleepingcomputer.com
O1 - Hosts: 241.229.181.110 www.dazhizhu.cn
O1 - Hosts: 241.229.181.110 foro.noticias3d.com
O1 - Hosts: 241.229.181.110 www.spybotupdates.com
O1 - Hosts: 241.229.181.110 club.myce.com
O1 - Hosts: 241.229.181.110 www.k7computing.com
O1 - Hosts: 241.229.181.110 softwaresecuritysolutions.com
O1 - Hosts: 241.229.181.110 antonbi.web.id
O1 - Hosts: 241.229.181.110 igoblog.info
O1 - Hosts: 241.229.181.110 www.nabble.com
O1 - Hosts: 241.229.181.110 lurker.clamav.net
O1 - Hosts: 241.229.181.110 lexikon.ikarus.at
O1 - Hosts: 241.229.181.110 research.sunbelt-software.com
O1 - Hosts: 241.229.181.110 www.virusdoctor.jp
O1 - Hosts: 241.229.181.110 www.elitepvpers.de
O1 - Hosts: 241.229.181.110 guru.avg.com
O1 - Hosts: 241.229.181.110 downloads.sophos.com
O1 - Hosts: 241.229.181.110 share.skype.com
O1 - Hosts: 241.229.181.110 myantispyware.com
O1 - Hosts: 241.229.181.110 www.computerhilfen.de
O1 - Hosts: 241.229.181.110 fgsite.com
O1 - Hosts: 241.229.181.110 ca.answers.yahoo.com
O1 - Hosts: 13779 more lines...
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O3 - HKU\S-1-5-21-842925246-57989841-682003330-1004\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe (Brother Industries, Ltd.)
O4 - HKLM..\Run: [conime.exe] C:\WINDOWS\System32\conime.exe (Microsoft Corporation)
O4 - HKLM..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe (Brother Industries, Ltd.)
O4 - HKLM..\Run: [DivXUpdate] C:\Program Files\DivX\DivX Update\DivXUpdate.exe ()
O4 - HKLM..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe (Nuance Communications, Inc.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] File not found
O4 - HKLM..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe (Nuance Communications, Inc.)
O4 - HKLM..\Run: [PPort11reminder] C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe (Nuance Communications, Inc.)
O4 - HKLM..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe (Nuance Communications, Inc.)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKU\S-1-5-21-842925246-57989841-682003330-1004..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O4 - Startup: C:\Documents and Settings\Twinkle\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://download.microsoft.com/download/C/B.../OGAControl.cab (Office Genuine Advantage Validation Tool)
O16 - DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} http://content.systemrequirementslab.com.s...ri_4.1.71.0.cab (SysInfo Class)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKU\S-1-5-21-842925246-57989841-682003330-1004 Winlogon: Shell - (EXPLORER.EXE) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - Reg Error: Key error. File not found
O20 - Winlogon\Notify\crypt32chain: DllName - crypt32.dll - Reg Error: Key error. File not found
O20 - Winlogon\Notify\cryptnet: DllName - cryptnet.dll - Reg Error: Key error. File not found
O20 - Winlogon\Notify\cscdll: DllName - cscdll.dll - Reg Error: Key error. File not found
O20 - Winlogon\Notify\dimsntfy: DllName - Reg Error: Key error. - Reg Error: Key error. File not found
O20 - Winlogon\Notify\klogon: DllName - C:\WINDOWS\system32\klogon.dll - Reg Error: Key error. File not found
O20 - Winlogon\Notify\ScCertProp: DllName - wlnotify.dll - Reg Error: Key error. File not found
O20 - Winlogon\Notify\Schedule: DllName - wlnotify.dll - Reg Error: Key error. File not found
O20 - Winlogon\Notify\sclgntfy: DllName - sclgntfy.dll - Reg Error: Key error. File not found
O20 - Winlogon\Notify\SensLogn: DllName - WlNotify.dll - Reg Error: Key error. File not found
O20 - Winlogon\Notify\termsrv: DllName - wlnotify.dll - Reg Error: Key error. File not found
O20 - Winlogon\Notify\WgaLogon: DllName - WgaLogon.dll - Reg Error: Key error. File not found
O20 - Winlogon\Notify\wlballoon: DllName - wlnotify.dll - Reg Error: Key error. File not found
O24 - Desktop WallPaper: C:\WINDOWS\Prairie Wind.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Prairie Wind.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/01/10 13:36:21 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16902109354000384)

========== Files/Folders - Created Within 30 Days ==========

[2010/06/29 20:51:19 | 000,574,464 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Twinkle\Desktop\OTL.exe
[2010/06/28 00:41:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Twinkle\Desktop\gmer
[2010/06/27 20:01:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Twinkle\Desktop\FixPolicies
[2010/06/27 04:27:52 | 000,288,654 | ---- | C] ( ) -- C:\Documents and Settings\Twinkle\Desktop\SafeBootKeyRepair.exe
[2010/06/26 09:59:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Twinkle\Desktop\tdsskiller
[2010/06/25 07:10:06 | 002,067,128 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Twinkle\Desktop\kavremover.exe
[2010/06/15 21:15:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2010/06/15 21:15:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Twinkle\Application Data\SUPERAntiSpyware.com
[2010/06/15 21:15:19 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010/06/15 21:15:00 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2010/06/15 21:11:52 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2010/06/15 19:48:00 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/06/29 20:53:46 | 000,360,124 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/06/29 20:53:46 | 000,314,508 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/06/29 20:53:46 | 000,040,836 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/06/29 20:49:53 | 000,271,490 | ---- | M] () -- C:\WINDOWS\System32\NvApps.xml
[2010/06/29 20:49:44 | 000,012,598 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/06/29 20:49:44 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/06/29 20:49:42 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/06/29 20:46:14 | 000,574,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Twinkle\Desktop\OTL.exe
[2010/06/28 01:13:24 | 003,670,016 | -H-- | M] () -- C:\Documents and Settings\Twinkle\NTUSER.DAT
[2010/06/28 01:13:24 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Twinkle\ntuser.ini
[2010/06/28 01:13:19 | 003,761,934 | -H-- | M] () -- C:\Documents and Settings\Twinkle\Local Settings\Application Data\IconCache.db
[2010/06/28 00:36:44 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Twinkle\defogger_reenable
[2010/06/27 23:32:48 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\Twinkle\Desktop\gmer.zip
[2010/06/27 23:32:14 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\Twinkle\Desktop\dds.scr
[2010/06/27 23:31:54 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Twinkle\Desktop\Defogger.exe
[2010/06/27 21:24:35 | 000,118,816 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox.dat
[2010/06/27 21:24:33 | 000,002,592 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox2.dat
[2010/06/27 21:24:33 | 000,002,444 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox.idx
[2010/06/27 21:24:33 | 000,001,292 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox2.idx
[2010/06/27 19:55:28 | 000,185,065 | ---- | M] () -- C:\Documents and Settings\Twinkle\Desktop\FixPolicies.exe
[2010/06/27 04:25:44 | 000,288,654 | ---- | M] ( ) -- C:\Documents and Settings\Twinkle\Desktop\SafeBootKeyRepair.exe
[2010/06/26 21:10:41 | 000,000,582 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/06/26 21:10:41 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/06/26 21:10:41 | 000,000,211 | -H-- | M] () -- C:\Boot.ini
[2010/06/26 20:50:23 | 000,000,209 | RHS- | M] () -- C:\WINDOWS\Boot.ini.bak
[2010/06/26 09:55:06 | 000,966,213 | ---- | M] () -- C:\Documents and Settings\Twinkle\Desktop\tdsskiller.zip
[2010/06/25 06:58:59 | 002,067,128 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Twinkle\Desktop\kavremover.exe
[2010/06/25 06:26:36 | 000,363,520 | ---- | M] () -- C:\Documents and Settings\Twinkle\Desktop\rkill.scr
[2010/06/15 21:56:15 | 000,000,276 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-842925246-57989841-682003330-1003.job
[2010/06/15 21:56:14 | 000,000,282 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-842925246-57989841-682003330-1004.job
[2010/06/15 21:15:21 | 000,000,780 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/06/15 19:54:04 | 000,000,290 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-842925246-57989841-682003330-1004.job
[2010/06/15 19:43:35 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-842925246-57989841-682003330-1003.job
[2010/06/10 16:22:50 | 000,265,416 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/06/10 16:21:27 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/06/04 14:24:31 | 000,001,475 | ---- | M] () -- C:\Documents and Settings\Twinkle\Desktop\DivX Movies.lnk
[2010/06/04 14:24:19 | 000,000,777 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\DivX Plus Player.lnk
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/06/28 00:36:44 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Twinkle\defogger_reenable
[2010/06/28 00:35:55 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\Twinkle\Desktop\dds.scr
[2010/06/28 00:35:55 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\Twinkle\Desktop\gmer.zip
[2010/06/28 00:35:55 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Twinkle\Desktop\Defogger.exe
[2010/06/27 19:57:55 | 000,185,065 | ---- | C] () -- C:\Documents and Settings\Twinkle\Desktop\FixPolicies.exe
[2010/06/26 21:17:16 | 000,118,816 | -HS- | C] () -- C:\WINDOWS\System32\drivers\fidbox.dat
[2010/06/26 21:17:16 | 000,002,592 | -HS- | C] () -- C:\WINDOWS\System32\drivers\fidbox2.dat
[2010/06/26 21:17:16 | 000,002,444 | -HS- | C] () -- C:\WINDOWS\System32\drivers\fidbox.idx
[2010/06/26 21:17:16 | 000,001,292 | -HS- | C] () -- C:\WINDOWS\System32\drivers\fidbox2.idx
[2010/06/26 20:46:07 | 000,000,211 | -H-- | C] () -- C:\Boot.ini
[2010/06/26 09:58:29 | 000,966,213 | ---- | C] () -- C:\Documents and Settings\Twinkle\Desktop\tdsskiller.zip
[2010/06/25 07:10:06 | 000,363,520 | ---- | C] () -- C:\Documents and Settings\Twinkle\Desktop\rkill.scr
[2010/06/15 21:15:21 | 000,000,780 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/06/04 14:24:19 | 000,000,777 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\DivX Plus Player.lnk
[2010/03/05 00:49:21 | 000,000,099 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2010/02/07 17:30:04 | 000,000,426 | ---- | C] () -- C:\WINDOWS\BRWMARK.INI
[2010/02/07 17:28:48 | 000,000,114 | ---- | C] () -- C:\WINDOWS\System32\BRLMW03A.INI
[2010/02/07 17:26:22 | 000,031,567 | ---- | C] () -- C:\WINDOWS\maxlink.ini
[2010/01/10 06:28:58 | 000,000,209 | RHS- | C] () -- C:\WINDOWS\Boot.ini.bak
[2009/08/03 16:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.DLL
[2008/02/25 13:29:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll

========== Custom Scans ==========


< netsvc >

< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2004/08/04 06:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2010/02/07 22:00:32 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2010/02/07 22:00:32 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

< MD5 for: ATAPI.SYS >
[2004/08/04 06:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2010/02/07 22:00:32 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2010/02/07 22:00:32 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/04 06:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2004/08/04 06:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\i386\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 20:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 20:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/04 06:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: IASTOR.SYS >
[2007/02/12 15:36:54 | 000,277,784 | ---- | M] (Intel Corporation) MD5=FD7F9D74C2B35DBDA400804A3F5ED5D8 -- C:\WINDOWS\dell\iastor\iastor.sys

< MD5 for: NETLOGON.DLL >
[2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2009/02/06 14:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB968389\SP2QFE\netlogon.dll
[2009/02/06 14:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB975467\SP2QFE\netlogon.dll
[2004/08/04 06:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: NVATABUS.SYS >
[2006/03/16 20:51:32 | 000,099,840 | ---- | M] (NVIDIA Corporation) MD5=B7FB72492B753930EC70A0F49D04F12F -- C:\WINDOWS\dell\nvraid\NvAtaBus.sys

< MD5 for: NVGTS.SYS >
[2008/01/25 21:01:06 | 000,132,096 | ---- | M] (NVIDIA Corporation) MD5=A117466B0ACB13288DEEE4F2E936E67F -- C:\Documents and Settings\John\My Documents\Drivers\CHIPSET_NVIDIA_v.15.15_XPx86\IDE\WINXP\SATA_IDE\FLOPPY\DISK1\NVGTS.SYS
[2008/01/25 21:01:06 | 000,132,096 | ---- | M] (NVIDIA Corporation) MD5=A117466B0ACB13288DEEE4F2E936E67F -- C:\Documents and Settings\John\My Documents\Drivers\CHIPSET_NVIDIA_v.15.15_XPx86\IDE\WINXP\SATA_IDE\NVGTS.SYS
[2008/01/25 21:01:06 | 000,132,096 | ---- | M] (NVIDIA Corporation) MD5=A117466B0ACB13288DEEE4F2E936E67F -- C:\Documents and Settings\John\My Documents\Drivers\CHIPSET_NVIDIA_v.15.15_XPx86\IDE\WINXP\SATARAID\FLOPPY\DISK1\NVGTS.SYS
[2008/01/25 21:01:06 | 000,132,096 | ---- | M] (NVIDIA Corporation) MD5=A117466B0ACB13288DEEE4F2E936E67F -- C:\Documents and Settings\John\My Documents\Drivers\CHIPSET_NVIDIA_v.15.15_XPx86\IDE\WINXP\SATARAID\NVGTS.SYS
[2008/01/25 21:01:06 | 000,132,096 | ---- | M] (NVIDIA Corporation) MD5=A117466B0ACB13288DEEE4F2E936E67F -- C:\Documents and Settings\John\My Documents\Drivers\LAN_NVIDIA_v.67.7.6.1_XPx86\IDE\WINXP\SATA_IDE\FLOPPY\DISK1\NVGTS.SYS
[2008/01/25 21:01:06 | 000,132,096 | ---- | M] (NVIDIA Corporation) MD5=A117466B0ACB13288DEEE4F2E936E67F -- C:\Documents and Settings\John\My Documents\Drivers\LAN_NVIDIA_v.67.7.6.1_XPx86\IDE\WINXP\SATA_IDE\NVGTS.SYS
[2008/01/25 21:01:06 | 000,132,096 | ---- | M] (NVIDIA Corporation) MD5=A117466B0ACB13288DEEE4F2E936E67F -- C:\Documents and Settings\John\My Documents\Drivers\LAN_NVIDIA_v.67.7.6.1_XPx86\IDE\WINXP\SATARAID\FLOPPY\DISK1\NVGTS.SYS
[2008/01/25 21:01:06 | 000,132,096 | ---- | M] (NVIDIA Corporation) MD5=A117466B0ACB13288DEEE4F2E936E67F -- C:\Documents and Settings\John\My Documents\Drivers\LAN_NVIDIA_v.67.7.6.1_XPx86\IDE\WINXP\SATARAID\NVGTS.SYS
[2008/01/25 21:01:06 | 000,132,096 | ---- | M] (NVIDIA Corporation) MD5=A117466B0ACB13288DEEE4F2E936E67F -- C:\Documents and Settings\John\My Documents\Drivers\VGA_NVIDIA_v.6.14.11.6401_XPx86\IDE\WINXP\SATA_IDE\FLOPPY\DISK1\NVGTS.SYS
[2008/01/25 21:01:06 | 000,132,096 | ---- | M] (NVIDIA Corporation) MD5=A117466B0ACB13288DEEE4F2E936E67F -- C:\Documents and Settings\John\My Documents\Drivers\VGA_NVIDIA_v.6.14.11.6401_XPx86\IDE\WINXP\SATA_IDE\NVGTS.SYS
[2008/01/25 21:01:06 | 000,132,096 | ---- | M] (NVIDIA Corporation) MD5=A117466B0ACB13288DEEE4F2E936E67F -- C:\Documents and Settings\John\My Documents\Drivers\VGA_NVIDIA_v.6.14.11.6401_XPx86\IDE\WINXP\SATARAID\FLOPPY\DISK1\NVGTS.SYS
[2008/01/25 21:01:06 | 000,132,096 | ---- | M] (NVIDIA Corporation) MD5=A117466B0ACB13288DEEE4F2E936E67F -- C:\Documents and Settings\John\My Documents\Drivers\VGA_NVIDIA_v.6.14.11.6401_XPx86\IDE\WINXP\SATARAID\NVGTS.SYS
[2008/01/25 21:01:06 | 000,132,096 | ---- | M] (NVIDIA Corporation) MD5=A117466B0ACB13288DEEE4F2E936E67F -- C:\WINDOWS\system32\drivers\nvgts.sys

< MD5 for: NVRD32.SYS >
[2008/01/25 21:01:00 | 000,125,440 | ---- | M] (NVIDIA Corporation) MD5=B71BFBC2FE958A6DA1E31357E03AD545 -- C:\Documents and Settings\John\My Documents\Drivers\CHIPSET_NVIDIA_v.15.15_XPx86\IDE\WINXP\SATARAID\FLOPPY\DISK1\NVRD32.SYS
[2008/01/25 21:01:00 | 000,125,440 | ---- | M] (NVIDIA Corporation) MD5=B71BFBC2FE958A6DA1E31357E03AD545 -- C:\Documents and Settings\John\My Documents\Drivers\CHIPSET_NVIDIA_v.15.15_XPx86\IDE\WINXP\SATARAID\NVRD32.SYS
[2008/01/25 21:01:00 | 000,125,440 | ---- | M] (NVIDIA Corporation) MD5=B71BFBC2FE958A6DA1E31357E03AD545 -- C:\Documents and Settings\John\My Documents\Drivers\LAN_NVIDIA_v.67.7.6.1_XPx86\IDE\WINXP\SATARAID\FLOPPY\DISK1\NVRD32.SYS
[2008/01/25 21:01:00 | 000,125,440 | ---- | M] (NVIDIA Corporation) MD5=B71BFBC2FE958A6DA1E31357E03AD545 -- C:\Documents and Settings\John\My Documents\Drivers\LAN_NVIDIA_v.67.7.6.1_XPx86\IDE\WINXP\SATARAID\NVRD32.SYS
[2008/01/25 21:01:00 | 000,125,440 | ---- | M] (NVIDIA Corporation) MD5=B71BFBC2FE958A6DA1E31357E03AD545 -- C:\Documents and Settings\John\My Documents\Drivers\VGA_NVIDIA_v.6.14.11.6401_XPx86\IDE\WINXP\SATARAID\FLOPPY\DISK1\NVRD32.SYS
[2008/01/25 21:01:00 | 000,125,440 | ---- | M] (NVIDIA Corporation) MD5=B71BFBC2FE958A6DA1E31357E03AD545 -- C:\Documents and Settings\John\My Documents\Drivers\VGA_NVIDIA_v.6.14.11.6401_XPx86\IDE\WINXP\SATARAID\NVRD32.SYS

< MD5 for: SCECLI.DLL >
[2004/08/04 06:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 20:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 20:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< MD5 for: SYMMPI.SYS >
[2005/11/17 14:58:16 | 000,092,672 | ---- | M] (LSI Logic) MD5=1FD5249D5103125D2DA63F68D7BE1D35 -- C:\WINDOWS\dell\symmpi\symmpi.sys

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2010/01/10 06:28:57 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2010/01/10 06:28:57 | 000,659,456 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2010/01/10 06:28:57 | 000,892,928 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav
< End of report >

Extras.txt

OTL Extras logfile created on: 6/29/2010 8:57:57 PM - Run 1
OTL by OldTimer - Version 3.2.7.0 Folder = C:\Documents and Settings\Twinkle\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

894.00 Mb Total Physical Memory | 624.00 Mb Available Physical Memory | 70.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 88.00% Paging File free
Paging file location(s): C:\pagefile.sys 1344 2688 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.04 Gb Total Space | 135.17 Gb Free Space | 90.70% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 15.01 Gb Total Space | 15.00 Gb Free Space | 99.95% Space Free | Partition Type: FAT32
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: E-MACHINES
Current User Name: Twinkle
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_USERS\S-1-5-21-842925246-57989841-682003330-1004\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~2\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 1
"ANTIVIRUSDISABLENOTIFY" = 0
"FIREWALLDISABLENOTIFY" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\WINDOWS\system32\wmpvs4.exe" = C:\windows\system32\wmpvs4.exe:*:Enabled:LAN Router -- File not found

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE" = C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE" = C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote -- (Microsoft Corporation)
"C:\WINDOWS\system32\wmpvs4.exe" = C:\windows\system32\wmpvs4.exe:*:Enabled:LAN Router -- File not found


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{047cb7c2-0cb6-4954-9e64-52fb3bc57c92}" = Nero 9 Lite
"{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java™ 6 Update 20
"{2BC2781A-F7F6-452E-95EB-018A522F1B2C}" = PaperPort Image Printer
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{46E1B1F2-A279-4356-9B17-029F9CC72EAE}" = Brother MFL-Pro Suite
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{6421F085-1FAA-DE13-D02A-CFB412C522A4}" = Acrobat.com
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{7748AC8C-18E3-43BB-959B-088FAEA16FB2}" = Nero StartSmart
"{7A8FF745-BBC5-482B-88E4-18D3178249A9}" = ScanSoft PaperPort 11
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISE_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{9E1BAB75-EB78-440D-94C0-A3857BE2E733}" = System Requirements Lab
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.2
"{B2EC4A38-B545-4A00-8214-13FE0E915E6D}" = Advertising Center
"{BD5CA0DA-71AD-43DA-B19E-6EEE0C9ADC9A}" = Nero ControlCenter
"{C81A2FE0-3574-00A9-CED4-BDAA334CBE8E}" = Nero Online Upgrade
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition
"{E8A80433-302B-4FF1-815D-FCC8EAC482FF}" = Nero Installer
"{EBFEEB3F-3E3B-4725-A4E0-376144CE4F76}" = Citrix XenApp Web Plugin
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F4F4F84E-804F-4E9A-84D7-C34283F0088F}" = RealUpgrade 1.0
"7-Zip" = 7-Zip 4.65
"Adobe AIR" = Adobe AIR
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"DivX Setup.divx.com" = DivX Setup
"ENTERPRISE" = Microsoft Office Enterprise 2007
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Mozilla Firefox (3.6.3)" = Mozilla Firefox (3.6.3)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Display Control Panel" = NVIDIA Display Control Panel
"NVIDIA Drivers" = NVIDIA Drivers
"NVIDIA nView Desktop Manager" = NVIDIA nView Desktop Manager
"RealPlayer 12.0" = RealPlayer
"SystemRequirementsLab" = System Requirements Lab
"VLC media player" = VLC media player 1.0.5
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 6/27/2010 7:22:32 PM | Computer Name = E-MACHINES | Source = MsiInstaller | ID = 1008
Description = The installation of C:\KAV\WinWorkstation\english\kav6ws.en.msi is
not permitted due to an error in software restriction policy processing. The object
cannot be trusted.

Error - 6/27/2010 7:23:06 PM | Computer Name = E-MACHINES | Source = MsiInstaller | ID = 1008
Description = The installation of C:\KAV\WinWorkstation\english\kav6ws.en.msi is
not permitted due to an error in software restriction policy processing. The object
cannot be trusted.

Error - 6/27/2010 7:24:01 PM | Computer Name = E-MACHINES | Source = MsiInstaller | ID = 1008
Description = The installation of C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_is2\Kaspersky
Anti-Virus 6.0 Console Plugin.msi is not permitted due to an error in software
restriction policy processing. The object cannot be trusted.

Error - 6/27/2010 7:25:26 PM | Computer Name = E-MACHINES | Source = MsiInstaller | ID = 1008
Description = The installation of C:\KAV\WinWorkstation\english\kav6ws.en.msi is
not permitted due to an error in software restriction policy processing. The object
cannot be trusted.

Error - 6/27/2010 7:28:13 PM | Computer Name = E-MACHINES | Source = MsiInstaller | ID = 1008
Description = The installation of C:\KAV\WinWorkstation\english\kav6ws.en.msi is
not permitted due to an error in software restriction policy processing. The object
cannot be trusted.

Error - 6/27/2010 8:03:36 PM | Computer Name = E-MACHINES | Source = MsiInstaller | ID = 1008
Description = The installation of C:\KAV\WinWorkstation\english\kav6ws.en.msi is
not permitted due to an error in software restriction policy processing. The object
cannot be trusted.

Error - 6/27/2010 8:05:16 PM | Computer Name = E-MACHINES | Source = MsiInstaller | ID = 1008
Description = The installation of C:\KAV\WinWorkstation\english\kav6ws.en.msi is
not permitted due to an error in software restriction policy processing. The object
cannot be trusted.

Error - 6/27/2010 8:10:32 PM | Computer Name = E-MACHINES | Source = MsiInstaller | ID = 1008
Description = The installation of C:\KAV\WinWorkstation\english\kav6ws.en.msi is
not permitted due to an error in software restriction policy processing. The object
cannot be trusted.

Error - 6/27/2010 9:21:26 PM | Computer Name = E-MACHINES | Source = MsiInstaller | ID = 11402
Description = Product: Kaspersky Anti-Virus 6.0 for Windows Workstations -- Error
1402.Could not open key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\klogon.
System error 5. Verify that you have sufficient access to that key, or contact
your support personnel.

Error - 6/28/2010 1:03:52 AM | Computer Name = E-MACHINES | Source = Application Error | ID = 1000
Description = Faulting application divxupdate.exe, version 1.0.1.10, faulting module
msvcp80.dll, version 8.0.50727.4053, fault address 0x000100b5.

[ System Events ]
Error - 6/27/2010 8:05:06 PM | Computer Name = E-MACHINES | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 6/27/2010 8:06:33 PM | Computer Name = E-MACHINES | Source = Service Control Manager | ID = 7001
Description = The DHCP Client service depends on the NetBios over Tcpip service
which failed to start because of the following error: %%31

Error - 6/27/2010 8:06:33 PM | Computer Name = E-MACHINES | Source = Service Control Manager | ID = 7001
Description = The DNS Client service depends on the TCP/IP Protocol Driver service
which failed to start because of the following error: %%31

Error - 6/27/2010 8:06:33 PM | Computer Name = E-MACHINES | Source = Service Control Manager | ID = 7001
Description = The TCP/IP NetBIOS Helper service depends on the AFD service which
failed to start because of the following error: %%31

Error - 6/27/2010 8:06:33 PM | Computer Name = E-MACHINES | Source = Service Control Manager | ID = 7001
Description = The IPSEC Services service depends on the IPSEC driver service which
failed to start because of the following error: %%31

Error - 6/27/2010 8:06:33 PM | Computer Name = E-MACHINES | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
AFD AmdPPM Fips IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SASDIFSV SASKUTIL Tcpip

Error - 6/27/2010 8:09:12 PM | Computer Name = E-MACHINES | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error - 6/27/2010 8:09:14 PM | Computer Name = E-MACHINES | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 6/27/2010 8:10:20 PM | Computer Name = E-MACHINES | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error - 6/27/2010 8:10:24 PM | Computer Name = E-MACHINES | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}


< End of report >

Edited by phoenix85, 29 June 2010 - 08:15 PM.
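Two things in the Extras.txt above deserve a closer look than a scroll-through gives them: under Security Center both "AntiVirusOverride" and "FirewallOverride" are 1 (Security Center stops monitoring and alerting for that component), the StandardProfile has "EnableFirewall" = 0, and both firewall profiles carry an "Enabled" exception for C:\windows\system32\wmpvs4.exe described as "LAN Router" that OTL marks "File not found". The script below is an added example, not part of this thread or of OTL: it parses the registry-style blocks of an Extras.txt and lists those conditions. The sample input is a constructed subset copied from the log above; the key paths are the ones OTL prints, and the overrides can also be set legitimately by a user who told Security Center to stop nagging, so treat the output as questions to ask, not verdicts.

```python
"""Triage the Security Center and firewall sections of an OTL Extras.txt.

Added example, not part of the forum thread. SAMPLE_EXTRAS is a constructed
subset of the log posted above.
"""
import re
import sys
from typing import Dict, List

SAMPLE_EXTRAS = r"""
========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 1
"ANTIVIRUSDISABLENOTIFY" = 0
"FIREWALLDISABLENOTIFY" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)
"C:\WINDOWS\system32\wmpvs4.exe" = C:\windows\system32\wmpvs4.exe:*:Enabled:LAN Router -- File not found
"""

SECURITY_CENTER = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center"
STD_PROFILE = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
               r"\Parameters\FirewallPolicy\StandardProfile")

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
# OTL prints firewall exceptions as  path:scope:Enabled|Disabled:name -- (company) | File not found
AUTHAPP_RE = re.compile(
    r"^(?P<path>.+?):(?P<scope>[^:]*):(?P<state>Enabled|Disabled):(?P<name>.*?)\s+--\s+(?P<tail>.*)$"
)


def parse_registry_dump(text: str) -> Dict[str, Dict[str, str]]:
    """Return {registry key: {value name: raw value}} for every [HKEY_...] block."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group(1), {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2).strip()
    return keys


def triage(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """List the conditions a helper would ask about before trusting the box."""
    findings: List[str] = []
    sc = keys.get(SECURITY_CENTER, {})
    # *Override = 1 tells Security Center to stop monitoring that component,
    # so a disabled AV or firewall no longer raises the red-shield warning.
    for name in ("AntiVirusOverride", "FirewallOverride"):
        if sc.get(name) == "1":
            findings.append(f"Security Center: {name} = 1 (monitoring suppressed)")
    if keys.get(STD_PROFILE, {}).get("EnableFirewall") == "0":
        findings.append("Windows Firewall disabled in StandardProfile")
    # An Enabled exception for a file that is no longer on disk is a leftover
    # from something that wanted inbound access; ask what installed it.
    for key, values in keys.items():
        if not key.endswith(r"\AuthorizedApplications\List"):
            continue
        for raw in values.values():
            m = AUTHAPP_RE.match(raw)
            if m and m.group("tail").strip().lower() == "file not found":
                findings.append(
                    f"Firewall exception for missing file {m.group('path')} ({m.group('name')})"
                )
    return findings


if __name__ == "__main__":
    # Pass a saved Extras.txt as the first argument, or run against the sample.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_EXTRAS
    for finding in triage(parse_registry_dump(text)):
        print(finding)
```

Run it against the log above and all four conditions come out; the Outlook exception is left alone because its file resolves to a signed Microsoft binary. The company-name heuristic OTL already applies ("(Microsoft Corporation)" versus "File not found") is what the tail check keys on.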
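The "< MD5 for: ... >" custom scans in the OTL.txt above exist for one reason: boot-start drivers such as atapi.sys were the favourite patch target of the TDL3/TDSS rootkit family, which is why a tdsskiller.zip is sitting on the desktop in the file list. The check a helper does by eye is to compare the hash of the copy Windows actually loads (system32\drivers) with the backup copies the OS keeps (ServicePackFiles\i386, $NtServicePackUninstall$, ReinstallBackups). The script below is an added example, not part of the thread or of OTL, that automates that comparison. The sample input copies the atapi.sys section from the log and adds a constructed "example.sys" section with made-up hashes so the mismatch path is exercised. Caveat: OTL hashes the file through the running kernel, and a rootkit that filters reads of the driver it patched can hand back the clean bytes, so a match is necessary, not sufficient; that is what an offline or anti-rootkit scan adds.

```python
"""Cross-check driver hashes from the "< MD5 for: ... >" sections of an OTL log.

Added example, not part of the forum thread. SAMPLE_OTL copies the atapi.sys
section from the log above and adds one constructed section (example.sys,
made-up hashes) to show a mismatch.
"""
import re
from typing import Dict, List, Tuple

SAMPLE_OTL = r"""
< MD5 for: ATAPI.SYS >
[2004/08/04 06:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/04 06:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2004/08/04 06:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\i386\atapi.sys

< MD5 for: EXAMPLE.SYS >
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=00000000000000000000000000000001 -- C:\WINDOWS\ServicePackFiles\i386\example.sys
[2010/06/20 03:12:00 | 000,096,512 | ---- | M] () MD5=00000000000000000000000000000002 -- C:\WINDOWS\system32\drivers\example.sys
"""

SECTION_RE = re.compile(r"^<\s*MD5 for:\s*(?P<name>\S+)\s*>$")
# .cab entries carry no MD5= field and are skipped by this pattern on purpose.
ENTRY_RE = re.compile(
    r"^\[(?P<date>[^|]+)\|\s*(?P<size>[\d,]+)\s*\|\s*(?P<attrs>[^|]+)\|\s*M\]\s*"
    r"\((?P<company>[^)]*)\)\s*MD5=(?P<md5>[0-9A-Fa-f]{32})\s*--\s*(?P<path>.+?)\s*$"
)


def parse_md5_sections(text: str) -> Dict[str, List[dict]]:
    """Return {driver name (lower-case): [entry dicts]} for every MD5 section."""
    sections: Dict[str, List[dict]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            current = sections.setdefault(m.group("name").lower(), [])
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            current.append(m.groupdict())
    return sections


def is_live_copy(path: str) -> bool:
    """True for the copy Windows loads: directly under system32 or system32/drivers.

    Backups (dllcache, ReinstallBackups, ServicePackFiles, $NtServicePackUninstall$)
    live in deeper or sibling directories and count as reference copies.
    """
    directory = path.lower().rpartition("\\")[0]
    return directory.endswith("\\system32") or directory.endswith("\\system32\\drivers")


def check_drivers(text: str) -> Dict[str, Tuple[str, str]]:
    """Return {driver: (verdict, md5 of the live copy)}."""
    verdicts: Dict[str, Tuple[str, str]] = {}
    for name, entries in parse_md5_sections(text).items():
        live = [e for e in entries if is_live_copy(e["path"])]
        reference = {e["md5"].upper() for e in entries if not is_live_copy(e["path"])}
        for entry in live:
            md5 = entry["md5"].upper()
            if not reference:
                verdict = "UNVERIFIED: no reference copy on disk to compare"
            elif md5 not in reference:
                verdict = "SUSPECT: live copy hash matches no reference copy"
            elif not entry["company"].strip():
                verdict = "SUSPECT: live copy carries no company name"
            else:
                verdict = "OK: live copy matches a reference copy"
            verdicts[name] = (verdict, md5)
    return verdicts


if __name__ == "__main__":
    for driver, (verdict, md5) in sorted(check_drivers(SAMPLE_OTL).items()):
        print(f"{driver:12} {md5}  {verdict}")
```

On the log above atapi.sys, agp440.sys, eventlog.dll, netlogon.dll and scecli.dll all have a live copy whose hash equals the ServicePackFiles copy, which is the expected picture for an SP3 machine with SP2-era files left in $NtServicePackUninstall$. The Dell and NVIDIA drivers under C:\WINDOWS\dell and My Documents\Drivers have no live copy at all in those sections, so the script reports nothing for them.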


#4 Blade

  • Site Admin
  • 12,704 posts

Posted 01 July 2010 - 10:56 AM

Hi phoenix85.

Sorry for the delay. I've mapped out the route we're going to take and will post instructions for you tonight. Gotta go to work right now though.

~Blade


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#5 Blade

  • Site Admin
  • 12,704 posts

Posted 01 July 2010 - 10:47 PM

Hi phoenix85.

Again, my apologies for the delay.

Let's begin.

We need to run an OTL Fix
  1. Please reopen OTL on your desktop.
  2. Copy and Paste the following code into the textbox. Do not include the word "Code"

    CODE
    :OTL
    O1 - Hosts: 241.229.181.110 download.bleepingcomputer.com
  3. Push the Run Fix button.
  4. OTL may ask to reboot the machine. Please do so if asked.
  5. Click OK.
  6. A report will open. Copy and Paste that report in your next reply.

***************************************************

Download Combofix from any of the links below but rename it to renamed.exe before saving it to your desktop.


Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • VERY IMPORTANT: Disable all running antivirus, antimalware and firewall programs as they may interfere with the proper running of ComboFix. Click on this link to see a list of programs that should be disabled. NOTE: This list is not all-inclusive. If yours is not listed and you do not know how to disable it, please ask.
  • Double click on renamed.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


~Blade


In your next reply, please include the following:
OTL log
ComboFix log

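The one line in that OTL fix, "O1 - Hosts: 241.229.181.110 download.bleepingcomputer.com", is a hosts-file hijack: the malware pins a security site to an address that will never answer, so the victim cannot fetch removal tools from it. The script below is an added example, not part of this thread or of OTL, showing how to find such entries in a Windows hosts file and produce the cleaned file. SAMPLE_HOSTS is constructed (the 241.229.181.110 line is the one from the fix above, the rest is filler) and WATCHED_SUFFIXES is an assumed starter list of vendor and update domains; extend it for your environment.

```python
"""Find and strip hosts-file hijacks of security and update domains.

Added example, not part of the forum thread. SAMPLE_HOSTS is constructed;
WATCHED_SUFFIXES is an assumed starter list.
"""
import ipaddress
from typing import List, Tuple

WATCHED_SUFFIXES = (
    "bleepingcomputer.com",
    "kaspersky.com",
    "malwarebytes.org",
    "superantispyware.com",
    "windowsupdate.com",
    "microsoft.com",
)

SAMPLE_HOSTS = """# constructed sample of C:\\WINDOWS\\system32\\drivers\\etc\\hosts
127.0.0.1       localhost
::1             localhost
241.229.181.110 download.bleepingcomputer.com
127.0.0.1       ads.example.net   # ad-block style entry, harmless
"""


def parse_hosts(text: str) -> List[Tuple[int, object, List[str]]]:
    """Return (line number, ip address object, [hostnames]) for each active mapping."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not body:
            continue
        parts = body.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                            # not a mapping line
        entries.append((lineno, ip, [h.lower() for h in parts[1:]]))
    return entries


def is_watched(host: str) -> bool:
    """True when the name is, or sits under, one of the watched domains."""
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)


def find_hijacks(entries) -> List[Tuple[int, str, str, str]]:
    """Flag watched domains pinned anywhere, and any name pinned to a public address.

    A watched domain mapped even to 127.0.0.1 is a block, so the address does not
    matter for those; for everything else only non-local targets are reported.
    """
    hits = []
    for lineno, ip, hosts in entries:
        for host in hosts:
            if is_watched(host):
                hits.append((lineno, str(ip), host, "security/update domain pinned in hosts"))
            elif not (ip.is_loopback or ip.is_private or ip.is_unspecified or ip.is_link_local):
                hits.append((lineno, str(ip), host, "name pinned to a public address"))
    return hits


def clean_hosts(text: str, hits) -> str:
    """Return the hosts text with every flagged line removed."""
    bad = {h[0] for h in hits}
    kept = [line for n, line in enumerate(text.splitlines(), 1) if n not in bad]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    found = find_hijacks(parse_hosts(SAMPLE_HOSTS))
    for lineno, ip, host, why in found:
        print(f"line {lineno}: {ip} {host} -> {why}")
    print(clean_hosts(SAMPLE_HOSTS, found))
```

241.229.181.110 sits in the reserved 240.0.0.0/4 block, so the connection simply never completes; the malware did not need a live server, only a name that resolves somewhere useless. Writing the cleaned text back requires administrator rights on the hosts file and, on an infected machine, the same caveat Blade gives for ComboFix applies: the rootkit may restore the entry until the driver side is dealt with.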


#6 phoenix85

  • Topic Starter
  • Members
  • 81 posts

Posted 02 July 2010 - 05:09 AM

Hi Blade,

I can understand that you are busy, so no need for any apologies.
As requested, I have posted the OTL and Combofix logs below.


========== OTL ==========
241.229.181.110 download.bleepingcomputer.com removed from HOSTS file successfully

OTL by OldTimer - Version 3.2.7.0 log created on 07022010_054928


ComboFix Log

ComboFix 10-07-01.02 - Twinkle 07/02/2010 5:58.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.586 [GMT -4:00]
Running from: c:\documents and settings\Twinkle\Desktop\Icombat.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2010-06-02 to 2010-07-02 )))))))))))))))))))))))))))))))
.

2010-07-02 09:49 . 2010-07-02 09:49 -------- d-----w- C:\_OTL
2010-06-27 01:17 . 2010-06-28 01:24 118816 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-06-27 01:17 . 2010-06-28 01:24 2592 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-06-16 02:05 . 2010-06-16 02:05 52224 ----a-w- c:\documents and settings\John\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-06-16 02:05 . 2010-06-16 02:05 117760 ----a-w- c:\documents and settings\John\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-06-16 02:05 . 2010-06-16 02:05 -------- d-----w- c:\documents and settings\John\Application Data\SUPERAntiSpyware.com
2010-06-16 01:15 . 2010-06-16 01:15 52224 ----a-w- c:\documents and settings\Twinkle\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-06-16 01:15 . 2010-07-02 09:48 117760 ----a-w- c:\documents and settings\Twinkle\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-06-16 01:15 . 2010-06-16 01:15 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-06-16 01:15 . 2010-06-16 01:15 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-06-16 01:15 . 2010-06-16 01:15 -------- d-----w- c:\documents and settings\Twinkle\Application Data\SUPERAntiSpyware.com
2010-06-16 01:15 . 2010-06-16 01:15 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-06-16 01:11 . 2010-06-16 01:11 -------- d-----w- c:\program files\ESET
2010-06-10 21:45 . 2010-06-10 21:45 290816 ----a-w- c:\documents and settings\Twinkle\Application Data\SystemRequirementsLab\SRLProxy_nvd_4.dll
2010-06-10 21:45 . 2010-06-10 21:45 290816 ----a-w- c:\documents and settings\Twinkle\Application Data\SystemRequirementsLab\SRLProxy_nvd_3.dll
2010-06-10 21:45 . 2010-06-10 21:45 290816 ----a-w- c:\documents and settings\Twinkle\Application Data\SystemRequirementsLab\SRLProxy_nvd_2.dll
2010-06-10 21:45 . 2010-06-10 21:45 290816 ----a-w- c:\documents and settings\Twinkle\Application Data\SystemRequirementsLab\SRLProxy_nvd_1.dll
2010-06-10 12:00 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-04 18:24 . 2010-06-04 18:24 56997 ----a-w- c:\documents and settings\All Users\Application Data\DivX\WebPlayer\Uninstaller.exe
2010-06-04 18:24 . 2010-06-04 18:24 56765 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivXPlusShortcuts\Uninstaller.exe
2010-06-04 18:24 . 2010-06-04 18:24 53600 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Update\Uninstaller.exe
2010-06-04 18:24 . 2010-06-04 18:24 57715 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Player\Uninstaller.exe
2010-06-04 18:24 . 2010-06-04 18:24 54644 ----a-w- c:\documents and settings\All Users\Application Data\DivX\TranscodeEngine\Uninstaller.exe
2010-06-04 18:23 . 2010-06-04 18:23 54101 ----a-w- c:\documents and settings\All Users\Application Data\DivX\MPEG2Plugin\Uninstaller.exe
2010-06-04 18:23 . 2010-06-04 18:23 54153 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DFXPlugin\Uninstaller.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-28 01:24 . 2010-06-27 01:17 2444 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-06-28 01:24 . 2010-06-27 01:17 1292 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-06-11 12:06 . 2010-01-10 20:20 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-06-10 21:45 . 2010-03-16 22:32 -------- d-----w- c:\documents and settings\Twinkle\Application Data\SystemRequirementsLab
2010-06-10 21:45 . 2010-03-16 22:32 -------- d-----w- c:\program files\SystemRequirementsLab
2010-06-10 20:21 . 2010-02-04 14:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-06-04 18:28 . 2010-03-17 06:59 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
2010-06-04 18:28 . 2010-05-05 05:22 57344 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-06-04 18:24 . 2010-03-17 07:00 -------- d-----w- c:\program files\DivX
2010-06-04 18:22 . 2010-03-17 07:02 1062184 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\Resource.dll
2010-06-04 18:22 . 2010-03-17 07:02 895256 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\DivXSetup.exe
2010-05-27 01:36 . 2010-03-14 07:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-09 23:08 . 2010-05-09 23:09 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-09 23:08 . 2010-05-09 23:08 -------- d-----w- c:\program files\Java
2010-05-06 10:41 . 2006-03-04 03:33 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-05 06:45 . 2010-03-17 02:29 -------- d-----w- c:\documents and settings\Twinkle\Application Data\vlc
2010-05-05 05:21 . 2010-05-05 05:21 84040 ----a-w- c:\documents and settings\All Users\Application Data\DivX\TransferWizard\Uninstaller.exe
2010-05-05 05:21 . 2010-05-05 05:21 54166 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSAVCDecoder\Uninstaller.exe
2010-05-05 05:21 . 2010-05-05 05:21 57532 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSASPDecoder\Uninstaller.exe
2010-05-05 05:21 . 2010-05-05 05:21 57409 ----a-w- c:\documents and settings\All Users\Application Data\DivX\ControlPanel\Uninstaller.exe
2010-05-05 04:14 . 2010-03-23 05:42 -------- d-----w- c:\documents and settings\Twinkle\Application Data\dvdcss
2010-05-02 05:22 . 2004-08-04 10:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 19:39 . 2010-03-14 07:12 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2010-03-14 07:12 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-20 05:30 . 2004-08-04 10:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2008-08-16 22:42 . 2008-08-16 22:42 13112 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2008-08-16 22:42 . 2008-08-16 22:42 70456 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2008-08-16 22:42 . 2008-08-16 22:42 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2008-08-16 22:42 . 2008-08-16 22:42 20800 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2008-08-16 22:43 . 2008-08-16 22:43 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2008-08-16 22:42 . 2008-08-16 22:42 31032 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2008-08-16 22:42 . 2008-08-16 22:42 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2008-05-21 13:41 . 2008-05-21 13:41 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll
2008-05-21 13:41 . 2008-05-21 13:41 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll
2008-05-21 13:41 . 2008-05-21 13:41 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll
2008-06-05 18:58 . 2008-06-05 18:58 648504 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2008-08-16 22:42 . 2008-08-16 22:42 23864 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-02-18 2012912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-05-16 16862720]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-10-12 29984]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-10-12 46368]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2009-02-10 745472]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-10-30 77824]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-01-12 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-01-12 13666408]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-09 202256]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-06-03 1144104]
"conime.exe"="conime.exe" [2008-04-14 27648]

c:\documents and settings\Twinkle\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 18:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 10:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 10:15 AM 66632]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 10:15 AM 12872]
S3 NVIDIAHWAccess;NVIDIAHWAccess;\??\c:\documents and settings\Twinkle\Application Data\NVIDIA\HWAccess.sys --> c:\documents and settings\Twinkle\Application Data\NVIDIA\HWAccess.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-07-02 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-842925246-57989841-682003330-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]

2010-07-02 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-842925246-57989841-682003330-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]

2010-06-15 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-842925246-57989841-682003330-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]

2010-07-02 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-842925246-57989841-682003330-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.ca
uInternet Connection Wizard,ShellNext = "c:\program files\Outlook Express\msimn.exe" //mailurl:mailto:suggest@redflagdeals.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.1.71.0.cab
FF - ProfilePath - c:\documents and settings\Twinkle\Application Data\Mozilla\Firefox\Profiles\j0x7jhp7.default\
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKLM-Run-nwiz - nwiz.exe
AddRemove-NVIDIA Display Control Panel - c:\program files\NVIDIA Corporation\Uninstall\nvuninst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-02 06:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63}]
@DACL=(02 0000)
@="Wireless"
"ProcessGroupPolicy"="ProcessWIRELESSPolicy"
"DllName"=expand:"gptext.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}]
@DACL=(02 0000)
@="Folder Redirection"
"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
"DllName"=expand:"fdeploy.dll"
"NoMachinePolicy"=dword:00000001
"NoSlowLink"=dword:00000001
"PerUserLocalSettings"=dword:00000001
"NoGPOListChanges"=dword:00000000
"NoBackgroundPolicy"=dword:00000000
"GenerateGroupPolicy"="GenerateGroupPolicy"
"EventSources"=multi:"(Folder Redirection,Application)\00\00"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}]
@DACL=(02 0000)
@="Microsoft Disk Quota"
"NoMachinePolicy"=dword:00000000
"NoUserPolicy"=dword:00000001
"NoSlowLink"=dword:00000001
"NoBackgroundPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"PerUserLocalSettings"=dword:00000000
"RequiresSuccessfulRegistry"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000000
"DllName"=expand:"dskquota.dll"
"ProcessGroupPolicy"="ProcessGroupPolicy"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}]
@DACL=(02 0000)
@="QoS Packet Scheduler"
"ProcessGroupPolicy"="ProcessPSCHEDPolicy"
"DllName"=expand:"gptext.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{42B5FAAE-6536-11d2-AE5A-0000F87571E3}]
@DACL=(02 0000)
@="Scripts"
"ProcessGroupPolicy"="ProcessScriptsGroupPolicy"
"ProcessGroupPolicyEx"="ProcessScriptsGroupPolicyEx"
"GenerateGroupPolicy"="GenerateScriptsGroupPolicy"
"DllName"=expand:"gptext.dll"
"NoSlowLink"=dword:00000001
"NoGPOListChanges"=dword:00000001
"NotifyLinkTransition"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}]
@DACL=(02 0000)
@="Internet Explorer Zonemapping"
"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
"ProcessGroupPolicy"="ProcessGroupPolicyForZoneMap"
"NoGPOListChanges"=dword:00000001
"RequiresSucessfulRegistry"=dword:00000001
"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7B849a69-220F-451E-B3FE-2CB811AF94AE}]
@DACL=(02 0000)
@="Internet Explorer User Accelerators"
"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
"NoGPOListChanges"=dword:00000001
"ProcessGroupPolicy"="ProcessGroupPolicyForActivities"
"ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}]
@DACL=(02 0000)
"ProcessGroupPolicy"="SceProcessSecurityPolicyGPO"
"GenerateGroupPolicy"="SceGenerateGroupPolicy"
"ExtensionRsopPlanningDebugLevel"=dword:00000001
"ProcessGroupPolicyEx"="SceProcessSecurityPolicyGPOEx"
"ExtensionDebugLevel"=dword:00000001
"DllName"=expand:"scecli.dll"
@="Security"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001
"MaxNoGPOListChangesInterval"=dword:000003c0

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}]
@DACL=(02 0000)
"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"ProcessGroupPolicy"="ProcessGroupPolicy"
"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
@="Internet Explorer Branding"
"NoSlowLink"=dword:00000001
"NoBackgroundPolicy"=dword:00000000
"NoGPOListChanges"=dword:00000001
"NoMachinePolicy"=dword:00000001
"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3014"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}]
@DACL=(02 0000)
"ProcessGroupPolicy"="SceProcessEFSRecoveryGPO"
"DllName"=expand:"scecli.dll"
@="EFS recovery"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053}]
@DACL=(02 0000)
@="802.3 Group Policy"
"DisplayName"=expand:"@dot3gpclnt.dll,-100"
"ProcessGroupPolicyEx"="ProcessLANPolicyEx"
"GenerateGroupPolicy"="GenerateLANPolicy"
"DllName"=expand:"dot3gpclnt.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}]
@DACL=(02 0000)
@="Microsoft Offline Files"
"DllName"=expand:"%SystemRoot%\\System32\\cscui.dll"
"EnableAsynchronousProcessing"=dword:00000000
"NoBackgroundPolicy"=dword:00000000
"NoGPOListChanges"=dword:00000000
"NoMachinePolicy"=dword:00000000
"NoSlowLink"=dword:00000000
"NoUserPolicy"=dword:00000001
"PerUserLocalSettings"=dword:00000000
"ProcessGroupPolicy"="ProcessGroupPolicy"
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]
@DACL=(02 0000)
@="Software Installation"
"DllName"=expand:"appmgmts.dll"
"ProcessGroupPolicyEx"="ProcessGroupPolicyObjectsEx"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"NoBackgroundPolicy"=dword:00000000
"RequiresSucessfulRegistry"=dword:00000000
"NoSlowLink"=dword:00000001
"PerUserLocalSettings"=dword:00000001
"EventSources"=multi:"(Application Management,Application)\00(MsiInstaller,Application)\00\00"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}]
@DACL=(02 0000)
@="Internet Explorer Machine Accelerators"
"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
"NoGPOListChanges"=dword:00000001
"ProcessGroupPolicy"="ProcessGroupPolicyForActivities"
"ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}]
@DACL=(02 0000)
@="IP Security"
"ProcessGroupPolicy"="ProcessIPSECPolicy"
"DllName"=expand:"gptext.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy]
@DACL=(02 0000)
"Asynchronous"=dword:00000001
"DllName"=expand:"%SystemRoot%\\System32\\dimsntfy.dll"
"Startup"="WlDimsStartup"
"Shutdown"="WlDimsShutdown"
"Logon"="WlDimsLogon"
"Logoff"="WlDimsLogoff"
"StartShell"="WlDimsStartShell"
"Lock"="WlDimsLock"
"Unlock"="WlDimsUnlock"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
@DACL=(02 0000)
"HelpAssistant"=dword:00000000
"TsInternetUser"=dword:00000000
"SQLAgentCmdExec"=dword:00000000
"NetShowServices"=dword:00000000
"IWAM_"=dword:00010000
"IUSR_"=dword:00010000
"VUSR_"=dword:00010000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(824)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2136)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-07-02 06:03:48
ComboFix-quarantined-files.txt 2010-07-02 10:03

Pre-Run: 144,961,826,816 bytes free
Post-Run: 145,238,802,432 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 64F3E612C5C1EF625875D87C768E411A

Edited by phoenix85, 02 July 2010 - 05:10 AM.


#7 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:04:56 PM

Posted 03 July 2010 - 06:50 AM

Hello.

Please download HostsXpert 4.2
  • Extract (unzip) HostsXpert.zip to a permanent folder on your hard drive such as C:\HostsXpert
  • Double-click HostsXpert.exe to run the program.
  • Click "Restore MS Hosts File".
  • Click OK at the confirmation box.
  • Click "Make Read Only".
  • Click the X to exit the program.
-- Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

***************************************************

1. Open notepad and copy/paste the text in the codebox below into it:

CODE
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=-
"FirewallOverride"=-

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=-

RegLock::
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053}]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7B849a69-220F-451E-B3FE-2CB811AF94AE}]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{42B5FAAE-6536-11d2-AE5A-0000F87571E3}]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63}]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]


Save this as CFScript.txt, in the same location as ComboFix.exe

2. Close any open browsers.

3. VERY IMPORTANT: Disable all running antivirus, antimalware and firewall programs as they may interfere with the proper running of ComboFix. Click on this link to see a list of programs that should be disabled. NOTE: This list is not all-inclusive. If yours is not listed and you do not know how to disable it, please ask.



Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

~Blade

In your next reply, please include the following:
ComboFix log

Edited by Blade Zephon, 03 July 2010 - 06:51 AM.


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
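The two things Blade's CFScript above is written to undo (the Security Center `AntiVirusOverride`/`FirewallOverride` values and `EnableFirewall=0` in post #6's ComboFix log) and the hosts-file hijack that OTL reported in the same post (`download.bleepingcomputer.com` pinned to a foreign IP) can be checked offline from the pasted text with the script below. This is an added example, not code from the thread or from ComboFix, OTL or HostsXpert; the domain watchlist, the sample hosts file and the sample registry dump are constructed for illustration, modelled on the lines in the posted logs.

```python
"""Added example (not ComboFix/OTL/HostsXpert code): audit a hosts file and a
ComboFix-style 'Reg Loading Points' dump for the tampering seen in this thread,
i.e. a security-vendor domain pinned to a foreign IP and Security Center /
Windows Firewall overrides."""
import ipaddress
import re

# Domains a hosts file has no business redirecting or blocking. Constructed
# watchlist for this example; extend it for your own environment.
WATCHLIST = {
    "download.bleepingcomputer.com",
    "www.bleepingcomputer.com",
    "www.malwarebytes.org",
    "www.kaspersky.com",
    "update.microsoft.com",
}

# Registry values that, at the value shown, silence Windows Security Center or
# turn the XP firewall off: (key suffix, value name) -> tampered value.
BAD_VALUES = {
    ("software\\microsoft\\security center", "antivirusoverride"): 1,
    ("software\\microsoft\\security center", "firewalloverride"): 1,
    ("services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile",
     "enablefirewall"): 0,
}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')
# ComboFix prints firewall policy values as  "EnableFirewall"= 0 (0x0)
_PLAIN_RE = re.compile(r'^"([^"]+)"=\s*(\d+)')


def parse_hosts(text):
    """Yield (ip_address, hostname) for every active mapping in a hosts file."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                          # not a hosts mapping line
        for host in parts[1:]:
            yield ip, host.lower()


def hosts_findings(text):
    """Return (host, ip, kind) for watchlist domains present in the hosts file.

    kind is 'blocked' for loopback/0.0.0.0 mappings (the site is made
    unreachable) and 'redirected' for anything else (traffic goes elsewhere).
    """
    out = []
    for ip, host in parse_hosts(text):
        if host in WATCHLIST:
            kind = "blocked" if (ip.is_loopback or ip.is_unspecified) else "redirected"
            out.append((host, str(ip), kind))
    return out


def registry_findings(dump):
    """Walk a REGEDIT4-style dump and return (key, value_name, number) triples
    whose value matches BAD_VALUES. Keys and names compare case-insensitively."""
    findings, current = [], None
    for raw in dump.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            continue
        if current is None:
            continue
        m = _DWORD_RE.match(line)
        if m:
            name, num = m.group(1), int(m.group(2), 16)
        else:
            m = _PLAIN_RE.match(line)
            if not m:
                continue
            name, num = m.group(1), int(m.group(2))
        for (key_suffix, vname), bad in BAD_VALUES.items():
            if current.endswith(key_suffix) and name.lower() == vname and num == bad:
                findings.append((current, name, num))
    return findings


# Constructed samples, modelled on the OTL and ComboFix lines posted above.
SAMPLE_HOSTS = """# hosts (constructed sample)
127.0.0.1       localhost
241.229.181.110 download.bleepingcomputer.com
127.0.0.1       www.kaspersky.com
"""

SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

if __name__ == "__main__":
    for host, ip, kind in hosts_findings(SAMPLE_HOSTS):
        print(f"HOSTS  {kind:10} {host} -> {ip}")
    for key, name, num in registry_findings(SAMPLE_REG):
        print(f"REG    {name}={num} under {key}")
```

On a real machine, feed `hosts_findings` the contents of C:\WINDOWS\system32\drivers\etc\hosts and `registry_findings` the "Reg Loading Points" section of a ComboFix log. A watchlist domain mapped to loopback is a block (the vendor site simply stops resolving), while one mapped anywhere else, as in the OTL line above, sends the download to whoever controls that address, which is why a restored, read-only hosts file is part of the cleanup.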


#8 phoenix85

phoenix85
  • Topic Starter

  • Members
  • 81 posts
  • OFFLINE
  •  
  • Local time:04:56 PM

Posted 03 July 2010 - 10:23 PM

Hi Blade,

I couldn't run HostsXpert to restore the MS hosts file. It gave me this error: 'Cannot create C:\WINDOWS\system32\DRIVERS\ETC\hosts'.
To be more specific, when I first ran the application, a message popped up about a hidden file/folder in WINDOWS (I don't remember
exactly!). I checked to see if hidden files were viewable in Windows Explorer and they are.

Besides that issue, I was able to run ComboFix with the updated .txt file.


ComboFix 10-07-01.02 - Twinkle 07/03/2010 23:11:30.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.618 [GMT -4:00]
Running from: c:\documents and settings\Twinkle\Desktop\Icombat.exe
Command switches used :: c:\documents and settings\Twinkle\Desktop\CFScript.txt
.

((((((((((((((((((((((((( Files Created from 2010-06-04 to 2010-07-04 )))))))))))))))))))))))))))))))
.

2010-07-02 09:49 . 2010-07-02 09:49 -------- d-----w- C:\_OTL
2010-06-27 01:17 . 2010-06-28 01:24 118816 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-06-27 01:17 . 2010-06-28 01:24 2592 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-06-16 02:05 . 2010-06-16 02:05 52224 ----a-w- c:\documents and settings\John\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-06-16 02:05 . 2010-06-16 02:05 117760 ----a-w- c:\documents and settings\John\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-06-16 02:05 . 2010-06-16 02:05 -------- d-----w- c:\documents and settings\John\Application Data\SUPERAntiSpyware.com
2010-06-16 01:15 . 2010-06-16 01:15 52224 ----a-w- c:\documents and settings\Twinkle\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-06-16 01:15 . 2010-07-02 09:48 117760 ----a-w- c:\documents and settings\Twinkle\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-06-16 01:15 . 2010-06-16 01:15 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-06-16 01:15 . 2010-06-16 01:15 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-06-16 01:15 . 2010-06-16 01:15 -------- d-----w- c:\documents and settings\Twinkle\Application Data\SUPERAntiSpyware.com
2010-06-16 01:15 . 2010-06-16 01:15 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-06-16 01:11 . 2010-06-16 01:11 -------- d-----w- c:\program files\ESET
2010-06-10 21:45 . 2010-06-10 21:45 290816 ----a-w- c:\documents and settings\Twinkle\Application Data\SystemRequirementsLab\SRLProxy_nvd_4.dll
2010-06-10 21:45 . 2010-06-10 21:45 290816 ----a-w- c:\documents and settings\Twinkle\Application Data\SystemRequirementsLab\SRLProxy_nvd_3.dll
2010-06-10 21:45 . 2010-06-10 21:45 290816 ----a-w- c:\documents and settings\Twinkle\Application Data\SystemRequirementsLab\SRLProxy_nvd_2.dll
2010-06-10 21:45 . 2010-06-10 21:45 290816 ----a-w- c:\documents and settings\Twinkle\Application Data\SystemRequirementsLab\SRLProxy_nvd_1.dll
2010-06-10 12:00 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-04 18:24 . 2010-06-04 18:24 56997 ----a-w- c:\documents and settings\All Users\Application Data\DivX\WebPlayer\Uninstaller.exe
2010-06-04 18:24 . 2010-06-04 18:24 56765 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivXPlusShortcuts\Uninstaller.exe
2010-06-04 18:24 . 2010-06-04 18:24 53600 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Update\Uninstaller.exe
2010-06-04 18:24 . 2010-06-04 18:24 57715 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Player\Uninstaller.exe
2010-06-04 18:24 . 2010-06-04 18:24 54644 ----a-w- c:\documents and settings\All Users\Application Data\DivX\TranscodeEngine\Uninstaller.exe
2010-06-04 18:23 . 2010-06-04 18:23 54101 ----a-w- c:\documents and settings\All Users\Application Data\DivX\MPEG2Plugin\Uninstaller.exe
2010-06-04 18:23 . 2010-06-04 18:23 54153 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DFXPlugin\Uninstaller.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-28 01:24 . 2010-06-27 01:17 2444 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-06-28 01:24 . 2010-06-27 01:17 1292 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-06-11 12:06 . 2010-01-10 20:20 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-06-10 21:45 . 2010-03-16 22:32 -------- d-----w- c:\documents and settings\Twinkle\Application Data\SystemRequirementsLab
2010-06-10 21:45 . 2010-03-16 22:32 -------- d-----w- c:\program files\SystemRequirementsLab
2010-06-10 20:21 . 2010-02-04 14:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-06-04 18:28 . 2010-03-17 06:59 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
2010-06-04 18:28 . 2010-05-05 05:22 57344 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-06-04 18:24 . 2010-03-17 07:00 -------- d-----w- c:\program files\DivX
2010-06-04 18:22 . 2010-03-17 07:02 1062184 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\Resource.dll
2010-06-04 18:22 . 2010-03-17 07:02 895256 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\DivXSetup.exe
2010-05-27 01:36 . 2010-03-14 07:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-09 23:08 . 2010-05-09 23:09 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-09 23:08 . 2010-05-09 23:08 -------- d-----w- c:\program files\Java
2010-05-06 10:41 . 2006-03-04 03:33 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-05 06:45 . 2010-03-17 02:29 -------- d-----w- c:\documents and settings\Twinkle\Application Data\vlc
2010-05-05 05:21 . 2010-05-05 05:21 84040 ----a-w- c:\documents and settings\All Users\Application Data\DivX\TransferWizard\Uninstaller.exe
2010-05-05 05:21 . 2010-05-05 05:21 54166 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSAVCDecoder\Uninstaller.exe
2010-05-05 05:21 . 2010-05-05 05:21 57532 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSASPDecoder\Uninstaller.exe
2010-05-05 05:21 . 2010-05-05 05:21 57409 ----a-w- c:\documents and settings\All Users\Application Data\DivX\ControlPanel\Uninstaller.exe
2010-05-05 04:14 . 2010-03-23 05:42 -------- d-----w- c:\documents and settings\Twinkle\Application Data\dvdcss
2010-05-02 05:22 . 2004-08-04 10:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 19:39 . 2010-03-14 07:12 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2010-03-14 07:12 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-20 05:30 . 2004-08-04 10:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2008-08-16 22:42 . 2008-08-16 22:42 13112 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2008-08-16 22:42 . 2008-08-16 22:42 70456 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2008-08-16 22:42 . 2008-08-16 22:42 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2008-08-16 22:42 . 2008-08-16 22:42 20800 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2008-08-16 22:43 . 2008-08-16 22:43 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2008-08-16 22:42 . 2008-08-16 22:42 31032 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2008-08-16 22:42 . 2008-08-16 22:42 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2008-05-21 13:41 . 2008-05-21 13:41 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll
2008-05-21 13:41 . 2008-05-21 13:41 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll
2008-05-21 13:41 . 2008-05-21 13:41 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll
2008-06-05 18:58 . 2008-06-05 18:58 648504 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2008-08-16 22:42 . 2008-08-16 22:42 23864 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-07-02_10.02.32 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-07-04 03:03 . 2010-07-04 03:03 16384 c:\windows\Temp\Perflib_Perfdata_5b4.dat
+ 2004-08-04 10:00 . 2010-07-04 03:07 40836 c:\windows\system32\perfc009.dat
- 2004-08-04 10:00 . 2010-07-02 09:47 40836 c:\windows\system32\perfc009.dat
+ 2004-08-04 10:00 . 2010-07-04 03:07 314508 c:\windows\system32\perfh009.dat
- 2004-08-04 10:00 . 2010-07-02 09:47 314508 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-02-18 2012912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-05-16 16862720]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-10-12 29984]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-10-12 46368]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2009-02-10 745472]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-10-30 77824]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-01-12 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-01-12 13666408]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-09 202256]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-06-03 1144104]
"conime.exe"="conime.exe" [2008-04-14 27648]

c:\documents and settings\Twinkle\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 18:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 10:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 10:15 AM 66632]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 10:15 AM 12872]
S3 NVIDIAHWAccess;NVIDIAHWAccess;\??\c:\documents and settings\Twinkle\Application Data\NVIDIA\HWAccess.sys --> c:\documents and settings\Twinkle\Application Data\NVIDIA\HWAccess.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-07-04 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-842925246-57989841-682003330-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]

2010-07-04 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-842925246-57989841-682003330-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]

2010-06-15 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-842925246-57989841-682003330-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]

2010-07-02 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-842925246-57989841-682003330-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.ca
uInternet Connection Wizard,ShellNext = "c:\program files\Outlook Express\msimn.exe" //mailurl:mailto:suggest@redflagdeals.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.1.71.0.cab
FF - ProfilePath - c:\documents and settings\Twinkle\Application Data\Mozilla\Firefox\Profiles\j0x7jhp7.default\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-03 23:15
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}]
@DACL=(02 0000)
@="QoS Packet Scheduler"
"ProcessGroupPolicy"="ProcessPSCHEDPolicy"
"DllName"=expand:"gptext.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(672)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2732)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-07-03 23:16:42
ComboFix-quarantined-files.txt 2010-07-04 03:16
ComboFix2.txt 2010-07-02 10:03

Pre-Run: 145,255,268,352 bytes free
Post-Run: 145,244,815,360 bytes free

- - End Of File - - E53BC59663399F418CAE0FABBCB35AE3

Edited by phoenix85, 03 July 2010 - 10:25 PM.


#9 phoenix85
  • Topic Starter
  • Members
  • 81 posts

Posted 04 July 2010 - 09:41 PM

Blade,

I have a couple of things to update you on.

Earlier today, my co-user used the infected computer to access email and social networking websites (Orkut/Facebook). You could not begin to imagine how upset I was, since I told this person not to go online. Now the system has been compromised again and my scanners picked up trojans. I can assure you that I have restricted this user's login by changing the user password.

I noticed a new symptom (it was present before this user went online today). Windows Security Alert pops up when I log in, saying Automatic Updates have been turned off. I tried to turn the setting back on (in the Windows Security Center window) but failed. Strangely, Automatic Updates are turned on when I go to My Computer > Automatic Updates.

I had to run both MalwareBytes and ESET OnlineScanner (after updates) which gave me new threats. I have posted the logs below for your reference.

ESET Scan Report

C:\Documents and Settings\John\My Documents\Downloads\IMAGEN006.JPG.zip a variant of Win32/Injector.CAH trojan deleted - quarantined
C:\System Volume Information\_restore{544AABCA-D009-412C-8BDA-68B0E357C453}\RP128\A0017360.exe a variant of Win32/Injector.BUS trojan cleaned by deleting - quarantined

MBAM Report

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4275

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/4/2010 9:03:26 PM
mbam-log-2010-07-04 (21-03-26).txt

Scan type: Full scan (C:\|D:\|F:\|G:\|)
Objects scanned: 183032
Time elapsed: 22 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell (Worm.AutoRun) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\games (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (explorer.exe,C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1451\games.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I apologize for the added inconvenience on this particular user's behalf.

#10 Blade
  • Strong in the Bleepforce
  • Site Admin
  • 12,704 posts
  • Gender:Male
  • Location:US

Posted 05 July 2010 - 02:23 PM

Hello phoenix85.

QUOTE
Earlier today, my co-user used the infected computer to access email and social networking website (Orkut/Facebook). You could not begin to imagine how upset I was

Lol. . . aren't end-users fun? I know exactly how you feel. . . it can be maddening to deal with a person on the forums who won't follow instructions.

No big deal. . . we'll just backpedal a bit.

Please run ComboFix as you did in Post 5. Post the log for my review when complete.

~Blade


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#11 phoenix85
  • Topic Starter
  • Members
  • 81 posts

Posted 05 July 2010 - 10:30 PM

Hello Blade,

Here's the ComboFix Log.

ComboFix 10-07-01.02 - Twinkle 07/05/2010 23:21:08.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.523 [GMT -4:00]
Running from: c:\documents and settings\Twinkle\Desktop\Icombat.exe
.

((((((((((((((((((((((((( Files Created from 2010-06-06 to 2010-07-06 )))))))))))))))))))))))))))))))
.

2010-07-02 09:49 . 2010-07-02 09:49 -------- d-----w- C:\_OTL
2010-06-27 01:17 . 2010-06-28 01:24 118816 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-06-27 01:17 . 2010-06-28 01:24 2592 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-06-16 02:05 . 2010-06-16 02:05 52224 ----a-w- c:\documents and settings\John\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-06-16 02:05 . 2010-06-16 02:05 117760 ----a-w- c:\documents and settings\John\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-06-16 02:05 . 2010-06-16 02:05 -------- d-----w- c:\documents and settings\John\Application Data\SUPERAntiSpyware.com
2010-06-16 01:15 . 2010-06-16 01:15 52224 ----a-w- c:\documents and settings\Twinkle\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-06-16 01:15 . 2010-07-02 09:48 117760 ----a-w- c:\documents and settings\Twinkle\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-06-16 01:15 . 2010-06-16 01:15 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-06-16 01:15 . 2010-06-16 01:15 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-06-16 01:15 . 2010-06-16 01:15 -------- d-----w- c:\documents and settings\Twinkle\Application Data\SUPERAntiSpyware.com
2010-06-16 01:15 . 2010-06-16 01:15 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-06-16 01:11 . 2010-06-16 01:11 -------- d-----w- c:\program files\ESET
2010-06-10 21:45 . 2010-06-10 21:45 290816 ----a-w- c:\documents and settings\Twinkle\Application Data\SystemRequirementsLab\SRLProxy_nvd_4.dll
2010-06-10 21:45 . 2010-06-10 21:45 290816 ----a-w- c:\documents and settings\Twinkle\Application Data\SystemRequirementsLab\SRLProxy_nvd_3.dll
2010-06-10 21:45 . 2010-06-10 21:45 290816 ----a-w- c:\documents and settings\Twinkle\Application Data\SystemRequirementsLab\SRLProxy_nvd_2.dll
2010-06-10 21:45 . 2010-06-10 21:45 290816 ----a-w- c:\documents and settings\Twinkle\Application Data\SystemRequirementsLab\SRLProxy_nvd_1.dll
2010-06-10 12:00 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-28 01:24 . 2010-06-27 01:17 2444 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-06-28 01:24 . 2010-06-27 01:17 1292 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-06-11 12:06 . 2010-01-10 20:20 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-06-10 21:45 . 2010-03-16 22:32 -------- d-----w- c:\documents and settings\Twinkle\Application Data\SystemRequirementsLab
2010-06-10 21:45 . 2010-03-16 22:32 -------- d-----w- c:\program files\SystemRequirementsLab
2010-06-10 20:21 . 2010-02-04 14:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-06-04 18:28 . 2010-03-17 06:59 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
2010-06-04 18:28 . 2010-05-05 05:22 57344 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-06-04 18:24 . 2010-06-04 18:24 56997 ----a-w- c:\documents and settings\All Users\Application Data\DivX\WebPlayer\Uninstaller.exe
2010-06-04 18:24 . 2010-06-04 18:24 56765 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivXPlusShortcuts\Uninstaller.exe
2010-06-04 18:24 . 2010-03-17 07:00 -------- d-----w- c:\program files\DivX
2010-06-04 18:24 . 2010-06-04 18:24 53600 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Update\Uninstaller.exe
2010-06-04 18:24 . 2010-06-04 18:24 57715 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Player\Uninstaller.exe
2010-06-04 18:24 . 2010-06-04 18:24 54644 ----a-w- c:\documents and settings\All Users\Application Data\DivX\TranscodeEngine\Uninstaller.exe
2010-06-04 18:23 . 2010-06-04 18:23 54101 ----a-w- c:\documents and settings\All Users\Application Data\DivX\MPEG2Plugin\Uninstaller.exe
2010-06-04 18:23 . 2010-06-04 18:23 54153 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DFXPlugin\Uninstaller.exe
2010-06-04 18:22 . 2010-03-17 07:02 1062184 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\Resource.dll
2010-06-04 18:22 . 2010-03-17 07:02 895256 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\DivXSetup.exe
2010-05-27 01:36 . 2010-03-14 07:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-09 23:08 . 2010-05-09 23:09 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-09 23:08 . 2010-05-09 23:08 -------- d-----w- c:\program files\Java
2010-05-06 10:41 . 2006-03-04 03:33 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-05 05:21 . 2010-05-05 05:21 84040 ----a-w- c:\documents and settings\All Users\Application Data\DivX\TransferWizard\Uninstaller.exe
2010-05-05 05:21 . 2010-05-05 05:21 54166 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSAVCDecoder\Uninstaller.exe
2010-05-05 05:21 . 2010-05-05 05:21 57532 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSASPDecoder\Uninstaller.exe
2010-05-05 05:21 . 2010-05-05 05:21 57409 ----a-w- c:\documents and settings\All Users\Application Data\DivX\ControlPanel\Uninstaller.exe
2010-05-02 05:22 . 2004-08-04 10:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 19:39 . 2010-03-14 07:12 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2010-03-14 07:12 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-20 05:30 . 2004-08-04 10:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2008-08-16 22:42 . 2008-08-16 22:42 13112 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2008-08-16 22:42 . 2008-08-16 22:42 70456 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2008-08-16 22:42 . 2008-08-16 22:42 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2008-08-16 22:42 . 2008-08-16 22:42 20800 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2008-08-16 22:43 . 2008-08-16 22:43 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2008-08-16 22:42 . 2008-08-16 22:42 31032 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2008-08-16 22:42 . 2008-08-16 22:42 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2008-05-21 13:41 . 2008-05-21 13:41 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll
2008-05-21 13:41 . 2008-05-21 13:41 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll
2008-05-21 13:41 . 2008-05-21 13:41 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll
2008-06-05 18:58 . 2008-06-05 18:58 648504 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2008-08-16 22:42 . 2008-08-16 22:42 23864 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-07-02_10.02.32 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-07-06 03:19 . 2010-07-06 03:19 16384 c:\windows\Temp\Perflib_Perfdata_5ac.dat
+ 2004-08-04 10:00 . 2010-07-06 03:23 40836 c:\windows\system32\perfc009.dat
- 2004-08-04 10:00 . 2010-07-02 09:47 40836 c:\windows\system32\perfc009.dat
+ 2004-08-04 10:00 . 2010-07-06 03:23 314508 c:\windows\system32\perfh009.dat
- 2004-08-04 10:00 . 2010-07-02 09:47 314508 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-02-18 2012912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-05-16 16862720]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-10-12 29984]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-10-12 46368]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2009-02-10 745472]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-10-30 77824]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-01-12 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-01-12 13666408]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-09 202256]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-06-03 1144104]
"conime.exe"="conime.exe" [2008-04-14 27648]

c:\documents and settings\Twinkle\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 18:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 10:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 10:15 AM 66632]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 10:15 AM 12872]
S3 NVIDIAHWAccess;NVIDIAHWAccess;\??\c:\documents and settings\Twinkle\Application Data\NVIDIA\HWAccess.sys --> c:\documents and settings\Twinkle\Application Data\NVIDIA\HWAccess.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-07-06 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-842925246-57989841-682003330-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]

2010-07-06 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-842925246-57989841-682003330-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]

2010-07-05 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-842925246-57989841-682003330-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]

2010-07-05 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-842925246-57989841-682003330-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.ca
uInternet Connection Wizard,ShellNext = "c:\program files\Outlook Express\msimn.exe" //mailurl:mailto:suggest@redflagdeals.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.1.71.0.cab
FF - ProfilePath - c:\documents and settings\Twinkle\Application Data\Mozilla\Firefox\Profiles\j0x7jhp7.default\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-05 23:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}]
@DACL=(02 0000)
@="QoS Packet Scheduler"
"ProcessGroupPolicy"="ProcessPSCHEDPolicy"
"DllName"=expand:"gptext.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(668)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3048)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-07-05 23:26:44
ComboFix-quarantined-files.txt 2010-07-06 03:26
ComboFix2.txt 2010-07-04 03:16
ComboFix3.txt 2010-07-02 10:03

Pre-Run: 145,095,532,544 bytes free
Post-Run: 145,092,239,360 bytes free

- - End Of File - - 4C3003405FBAB5D044EF76CAF566BBA8


#12 Blade
  • Strong in the Bleepforce
  • Site Admin
  • 12,704 posts
  • Gender:Male
  • Location:US

Posted 05 July 2010 - 10:39 PM

How's the computer running now?

~Blade



#13 phoenix85
  • Topic Starter
  • Members
  • 81 posts

Posted 06 July 2010 - 05:13 PM

Not convincing, I'm afraid.

On the positive side, I got Kaspersky Anti-Virus running back up again and had no issues updating virus definitions.
Now, for some bad issues.

1) I can feel the computer is running slower than before at startup. Kaspersky takes some time to show up in the taskbar when I log in. Following a full system scan, it picked up another trojan infection. I have the highlights of the scan report below; the full report has not been added (24MB).

2) At startup, Windows Security Alert pops up notifying me that Automatic Updates has been turned off. I clicked on the message and attempted, unsuccessfully, to turn it back on. Confusingly, it is turned on (recommended setting) under My Computer > Automatic Updates.

Kaspersky Scan Report

Detected
--------
Status Object
------ ------
deleted: Trojan program Packed.Win32.Krap.hc File: C:\System Volume Information\_restore{544AABCA-D009-412C-8BDA-68B0E357C453}\RP128\A0017368.exe
Events

7/6/2010 10:12:14 AM File: c:\system volume information\_restore{544aabca-d009-412c-8bda-68b0e357c453}\rp128\a0017368.exe detected Trojan program 'Packed.Win32.Krap.hc'
7/6/2010 11:06:30 AM File: c:\system volume information\_restore{544aabca-d009-412c-8bda-68b0e357c453}\rp128\a0017368.exe cannot be deleted


Edited by phoenix85, 06 July 2010 - 05:50 PM.


#14 Blade
  • Strong in the Bleepforce
  • Site Admin
  • 12,704 posts
  • Gender:Male
  • Location:US

Posted 09 July 2010 - 08:27 PM

Hello.

Sorry for the delay. I was without internet for two days until yesterday and didn't have enough time to catch up on everything then, and spent all of today on the road.

The stuff Kaspersky found is located in the system restore archives. As it stands that stuff is harmless. However, to prevent an accidental reinfection by using an infected restore point, we will address it at the very end.

Regarding Windows updates, let's see if we can get them running.
  1. Please download Dial-A-Fix from one of the following mirrors:
  2. Extract the zip file to your desktop.
  3. Double click Dial-a-Fix.exe to start the program.
  4. Press the green double checkmark box (Looks like this: )
  5. UNcheck "Empty Temp Folders", as well as "Adjust Time/Date" in the prep section. The prep section should then look like this:
  6. When the window looks like this, press the GO button in the bottom of the window.
  7. Exit/Close Dial-A-Fix

Please reboot the computer and see if the update issues are resolved.

~Blade



#15 phoenix85
  • Topic Starter
  • Members
  • 81 posts

Posted 10 July 2010 - 05:08 PM

Blade,

I ran the Dial-a-Fix app reasonably well. When I clicked on the application, the following error popped up.

'Dial-a-fix was unable to determine your version of Internet Explorer.Certain DLL registrations will be skipped'

Nevertheless, I got Automatic Updates set back on. So I thought this was good and decided to run both a Kaspersky scan and MBAM again. Kaspersky came up clean and the MBAM scan notified me of two infections (backdoor.bot). I deleted them and, upon restart, a black screen with safe mode options and 'Start Windows normally' showed up. I could log in using my username in normal mode.

I couldn't access My Computer (the animated flashlight/folder icon keeps showing). I am not able to save the MBAM report to my pen drive because the window gets stuck upon scrolling. I had been using my USB drive to transfer files to the clean computer.

I'll see if I can attach the MBAM report using my infected PC. Otherwise, I'll simply type it out.

Edit: My Computer and its folders show up after some delay (3-5 min). I remember this was much faster earlier. Maybe Dial-a-Fix screwed up Windows Explorer.

I am attaching the MBAM report using the infected machine.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4299

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/10/2010 8:32:28 AM
mbam-log-2010-07-10 (08-32-28).txt

Scan type: Full scan (C:\|F:\|G:\|)
Objects scanned: 188144
Time elapsed: 26 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conime.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\conime.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

Edited by phoenix85, 10 July 2010 - 05:29 PM.
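The two MBAM findings in this thread, the per-user Winlogon Shell hijack in post #9 and the conime.exe Run entry in post #15, are both autostart abuses that are also visible in the "Reg Loading Points" section of the ComboFix logs. The script below is an added example, not part of the thread or of ComboFix/MBAM: it parses that section's line format and flags the patterns involved. The sample dump is constructed to mirror the logs above (the data and size of the "games" value are made up, since MBAM only reported the value name), and the heuristics (bare file name, recycle-bin/temp path, Shell not exactly explorer.exe, Shell under HKCU) are mine.

```python
"""Triage autostart entries in a ComboFix-style 'Reg Loading Points' dump.

Added example, not code from the thread or from ComboFix/MBAM. Heuristics are
the author's own; the sample input is constructed to mirror the thread's logs.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample in ComboFix's format. The conime.exe line and the Shell
# data match what the thread's logs show; the "games" data/size are made up.
SAMPLE_DUMP = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-01-12 13666408]
"conime.exe"="conime.exe" [2008-04-14 27648]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"games"="C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1451\games.exe" [2010-07-04 90112]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe,C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1451\games.exe"
'''

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]\s*$')
# ComboFix writes  "name"="data" [date size]  (the bracket part may be absent,
# and there is sometimes a space after the '=').
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*"(?P<data>.*?)"\s*(?:\[(?P<meta>[^\]]*)\])?\s*$')

# Directories where a legitimate autostart binary has no business living.
SUSPECT_DIRS = ('\\recycler\\', '\\recycled\\', '\\temp\\')


@dataclass
class Entry:
    key: str
    name: str
    data: str
    meta: str = ''


@dataclass
class Finding:
    entry: Entry
    reasons: List[str] = field(default_factory=list)


def parse_loading_points(text: str) -> List[Entry]:
    """Turn the [key] / "name"="data" lines into Entry records."""
    entries: List[Entry] = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group('key')
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            entries.append(Entry(key, m['name'], m['data'], m['meta'] or ''))
    return entries


def is_winlogon_key(key: str) -> bool:
    return key.lower().rstrip('\\').endswith('\\windows nt\\currentversion\\winlogon')


def triage(entries: List[Entry]) -> List[Finding]:
    """Return only the entries that trip at least one heuristic."""
    findings: List[Finding] = []
    for e in entries:
        reasons: List[str] = []
        data = e.data.strip()
        if is_winlogon_key(e.key) and e.name.lower() == 'shell':
            # Shell belongs under HKLM; a per-user copy overrides it at logon.
            if e.key.upper().startswith('HKEY_CURRENT_USER'):
                reasons.append('Winlogon Shell set per-user (HKCU), not the normal HKLM location')
            parts = [p.strip().lower() for p in data.split(',') if p.strip()]
            if parts != ['explorer.exe']:
                # "explorer.exe,<path>" launches the extra component alongside the desktop.
                reasons.append('Shell is not exactly explorer.exe; extra: ' + ', '.join(parts[1:] or parts))
        else:
            if any(d in data.lower() for d in SUSPECT_DIRS):
                reasons.append('autostart binary lives in a recycle-bin or temp directory')
            if data and '\\' not in data:
                # No path at all: resolved via the search path, so whatever file
                # of that name is found first is what runs at logon.
                reasons.append('autostart data is a bare file name with no path')
        if reasons:
            findings.append(Finding(e, reasons))
    return findings


if __name__ == '__main__':
    for f in triage(parse_loading_points(SAMPLE_DUMP)):
        print(f'[{f.entry.key}]\n  "{f.entry.name}"="{f.entry.data}"')
        for r in f.reasons:
            print(f'    -> {r}')
```

Run against a real ComboFix log, the script is a first pass only: a clean Run entry with a full path still needs a look at the file itself, and the thread shows why (the legitimate-looking conime.exe turned out to be the Backdoor.Bot file MBAM later removed).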




