Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

svchost phishing malware


  • Please log in to reply
11 replies to this topic

#1 Eldon2

Eldon2

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:07:35 PM

Posted 27 July 2010 - 11:07 PM

Thank you for considering my problem and any help you can give me. I have XP professional operating system and Earthlink DSL internet service which includes Protection Control Center (7.0.1.325) antivirus software. PCC is regularly alerting me that there is "Hidden Data Sending" riskware using the process "C;\windows\system32\svchost.exe". When I first saw the message I did a complete scan (using PCC) which found two trojans that I deleted. This did not stop the alerts. When an alert happens and I try to quarantine the process I get an "access denied" message. I am able to click on "Deny" to prevent the operation from being completed and get the following details:

Process C:\WINDOWS\System32\svchost.exe (PID: 1224) is trying to send data using a trusted application.

Intended address:
http://94.228.209.202/

Data:
xurl=http://94.228.209.202/PkC4qZOl7i3MAEo3f758a7195c898f2abdf44eec340f2a8d35g&xref=http://christmastreemall.com/result.php?Keywords=new+jersey+dui+lawyer&r=1ed461e47880cc0cc941129d51e9b228e256446597e51f518c28bc1a895ced98a7c48dbd201fcfe4c78757f2e33b1055&Submit=Go

When these alerts happen I cannot complete any other task until I click on "Deny" and eventually other applications such as Internet Explorer start acting strangely, slowing down or not responding.

I was able to attach a DDS.txt file but was unable to upload dds.scr, possibly because it is 514k, thus exceeding your 493k max. single upload size. I tried twice to get a gmer scan to but my computer locked up 3 hours into the scan both times. I think the lockup was related to "Webshots" files that I have installed on this computer but I am not sure.

What can I do to get rid of these alerts but still be confident I'm not exposing personal info to some ripoff hacker?

Thanks again for your time!

Eldon

Attached Files

  • Attached File  DDS.txt   9.93KB   6 downloads

Edited by Blade Zephon, 28 July 2010 - 12:25 AM.
Moved from XP to Logs Forum; deactivated Link. ~BZ


BC AdBot (Login to Remove)

 


#2 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:10:35 PM

Posted 06 August 2010 - 12:47 PM

Hello Eldon2

Welcome to BleepingComputer smile.gif
==========================
  • Download OTL to your desktop.
  • Double click on OTL to run it.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Under Custom scan's and fixes section paste in the below in bold

    netsvcs
    %SYSTEMDRIVE%\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /90
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll

  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.
====================
Download the following GMER Rootkit Scanner from Here
  • Download the randomly named EXE file to your Desktop. Remember what its name is since it is randomly named.
  • Double click on the new random named exe file you downloaded and run it. If prompted about the Security Warning and Unknown Publisher go ahead and click on Run
  • It may take a minute to load and become available.
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED
  • IAT/EAT
  • Drives/Partition other than Systemdrive (typically only C:\ should be checked)
  • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop
  • **Caution** Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries
  • Click OK and quit the GMER program.
  • Note: On Firefox you need to go to Tools/Options/Main then under the Downloads section, click on Always ask me where to save files so that you can choose the name and where to save to, in this case your Desktop.
  • Post that log in your next reply.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#3 Eldon2

Eldon2
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:07:35 PM

Posted 07 August 2010 - 04:28 PM

Thank you for taking the time to reply to my problem. I tried my best to follow your instructions but may have had a problem with the gmer program. Never-the-less, here is the contents of the OTL.txt: I am having trouble getting my replies to go thru so I am sending the contents of the other files in seperate replies.



OTL logfile created on: 8/6/2010 2:18:44 PM - Run 1
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Documents and Settings\Eldon Hofeling.HOME-YN0CO7YWJ1\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.00 Mb Total Physical Memory | 220.00 Mb Available Physical Memory | 43.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 59.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 111.79 Gb Total Space | 75.43 Gb Free Space | 67.48% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: HOME-YN0CO7YWJ1
Current User Name: Eldon Hofeling
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Eldon Hofeling.HOME-YN0CO7YWJ1\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\EarthLink\EarthLink Protection Control Center\avp.exe (EarthLink)
PRC - C:\WINDOWS\system32\hpzipm12.exe (HP)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\EarthLink TotalAccess\MailClnt.exe (EarthLink, Inc.)
PRC - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe (Boingo Wireless, Inc.)
PRC - C:\Program Files\Webshots\webshots.scr (Webshots.com)
PRC - C:\WINDOWS\system32\ezSP_Px.exe (Easy Systems Japan Ltd.)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Eldon Hofeling.HOME-YN0CO7YWJ1\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\Program Files\EarthLink\EarthLink Protection Control Center\miscr3.dll (EarthLink)
MOD - C:\Program Files\EarthLink\EarthLink Protection Control Center\fssync.dll (EarthLink)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\msvcr80.dll (Microsoft Corporation)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll (Microsoft Corporation)
MOD - C:\Program Files\EarthLink TotalAccess\MonIdle.dll (EarthLink, Inc.)
MOD - C:\WINDOWS\system32\msscript.ocx (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (AVP) -- C:\Program Files\EarthLink\EarthLink Protection Control Center\avp.exe (EarthLink)
SRV - (Pml Driver HPZ12) -- C:\WINDOWS\system32\hpzipm12.exe (HP)
SRV - (EarthLinkMonitor) -- C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe (Boingo Wireless, Inc.)
SRV - (PACSPTISVR) -- C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe ()
SRV - (SPTISRV) -- C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe (Sony Corporation)


========== Driver Services (SafeList) ==========

DRV - (EarthLinkSafeConnectFilter) -- C:\Program Files\EarthLink\EarthLink Protection Control Center\Sana\Driver\platform_XP\SafeConnectFilter.sys File not found
DRV - (kl1) -- C:\WINDOWS\system32\drivers\kl1.sys (Kaspersky Lab)
DRV - (klif) -- C:\WINDOWS\system32\drivers\klif.sys (Kaspersky Lab)
DRV - (klim5) -- C:\WINDOWS\system32\drivers\klim5.sys (Kaspersky Lab)
DRV - (ADSMonitor) ADSMonitor - (EarthLink Monitor Driver) -- C:\WINDOWS\system32\drivers\ADSMonitor.sys (EarthLink, Inc.)
DRV - (BW2NDIS5) -- C:\WINDOWS\system32\drivers\BW2NDIS5.SYS (Printing Communications Assoc., Inc. (PCAUSA))
DRV - (ALCXWDM) Service for Realtek AC97 Audio (WDM) -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS (Realtek Semiconductor Corp.)
DRV - (ALCXSENS) -- C:\WINDOWS\system32\drivers\ALCXSENS.SYS (Sensaura Ltd)
DRV - (wanatw) WAN Miniport (ATW) -- C:\WINDOWS\system32\drivers\wanatw4.sys (America Online, Inc.)
DRV - (rtl8139) -- C:\WINDOWS\system32\drivers\R8139n51.sys (Realtek Semiconductor Corporation )
DRV - (pfc) -- C:\WINDOWS\system32\drivers\pfc.sys (Padus, Inc.)
DRV - (HCF_MSFT) -- C:\WINDOWS\system32\drivers\HCF_MSFT.sys (Conexant)


========== Standard Registry (All) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [Binary data over 100 bytes]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = [Binary data over 100 bytes]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/1me10enus/2
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie...ton/search.html
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerm...tf8&oe=utf8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://my.earthlink.net/?e15=PSP_OGP_ELNKNAV
IE - HKCU\..\URLSearchHook: {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll (EarthLink, Inc.)
IE - HKCU\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)
IE - HKCU\..\URLSearchHook: ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Reg Error: Key error. File not found
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\Extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009/03/02 06:31:20 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/08/14 23:47:12 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2008/09/25 09:54:25 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (ElnkBhoGuard Class) - {00000000-0000-0000-0000-000000000002} - C:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll (EarthLink, Inc.)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (ElnkScamBHO Class) - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - C:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll (EarthLink, Inc.)
O2 - BHO: (ElnkPubBHO Class) - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\Program Files\EarthLink TotalAccess\Toolbar\ElnkPuB.dll (EarthLink, Inc.)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (ElnkProtectionBHO Class) - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\Program Files\EarthLink TotalAccess\Toolbar\ProtctIE.dll (EarthLink, Inc.)
O2 - BHO: (Windows Live Toolbar Helper) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O2 - BHO: (ElnkLegacyUninstBHO Class) - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\Program Files\EarthLink TotalAccess\Toolbar\uninsttb.dll (EarthLink, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O2 - BHO: (no name) - AutorunsDisabled - No CLSID value found.
O3 - HKLM\..\Toolbar: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (EarthLink Toolbar) - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll (EarthLink, Inc.)
O3 - HKCU\..\Toolbar\ShellBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (&Links) - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (EarthLink Toolbar) - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll (EarthLink, Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (&Links) - {F2CF5485-4E02-4F68-819C-B92DE9277049} - C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)
O4 - HKLM..\Run: [Adobe ARM] C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AVP] C:\Program Files\EarthLink\EarthLink Protection Control Center\avp.exe (EarthLink)
O4 - HKLM..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe (Easy Systems Japan Ltd.)
O4 - HKLM..\Run: [HP Component Manager] C:\Program Files\HP\hpcoretech\hpcmpmgr.exe (Hewlett-Packard Company)
O4 - HKLM..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe ()
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)
O4 - HKCU..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\Eldon Hofeling.HOME-YN0CO7YWJ1\Start Menu\Programs\Startup\Webshots.lnk = C:\Program Files\Webshots\Launcher.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLegacyLogonScripts = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLogoffScripts = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunLogonScriptSync = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunStartupScriptSync = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideStartupScripts = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLegacyLogonScripts = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLogoffScripts = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideStartupScripts = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunLogonScriptSync = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunStartupScriptSync = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O8 - Extra context menu item: &Windows Live Search - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: EarthLink Google Search - C:\Program Files\EarthLink TotalAccess\Toolbar\SearchUI.dll (EarthLink, Inc.)
O9 - Extra Button: UltimateBet - {10F055B8-F443-4adf-948A-EC551E9DBCE4} - C:\Documents and Settings\Eldon Hofeling.HOME-YN0CO7YWJ1\Start Menu\Programs\UltimateBet\UltimateBet.lnk ()
O9 - Extra 'Tools' menuitem : UltimateBet - {10F055B8-F443-4adf-948A-EC551E9DBCE4} - C:\Documents and Settings\Eldon Hofeling.HOME-YN0CO7YWJ1\Start Menu\Programs\UltimateBet\UltimateBet.lnk ()
O9 - Extra Button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\EarthLink\EarthLink Protection Control Center\SCIEPlgn.dll (EarthLink)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\WINDOWS\system32\winrnr.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O15 - HKCU\..Trusted Domains: ([]msn in My Computer)
O15 - HKCU\..Trusted Domains: taxactonline.com ([www] https in Trusted sites)
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab (StagingUI Object)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://fpdownload.macromedia.com/pub/shock...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/e/2...78f/wvc1dmo.cab (Reg Error: Key error.)
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab (MSN Games Buddy Invite)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab (MSN Photo Upload Tool)
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab (ZonePAChat Object)
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} https://www.taxsimple.com/tsweb/msrdp.cab (Microsoft RDP Client Control (redist))
O16 - DPF: {8569D715-FF88-44BA-8D1D-AD3E59543DDE} http://mt1972.ghinconnect.com/ghinwebreports/arview2.cab (ActiveReports Viewer2)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {9E515FE4-2A60-4D08-8E96-CF9A967BE49B} http://check.earthlinksecurity.com/SSMEarthLink.cab (SSMEarthLink Control)
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} http://zone.msn.com/bingame/zpagames/zpa_shvl.cab55579.cab (ZPA_SHVL Object)
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab (MSN Games - Installer)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_02)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {D27CDB6E-AE6D-0000-0000-000000000000} http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab (Reg Error: Key error.)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} http://zone.msn.com/binframework/v10/StProxy.cab55579.cab (MSN Games Game Communicator)
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326 (QDiagHUpdateObj Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\AutorunsDisabled - No CLSID value found
O18 - Protocol\Handler\AutorunsDisabled\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\cdo {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL (Microsoft Corporation)
O18 - Protocol\Handler\cetihpz {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll (Hewlett-Packard Company)
O18 - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\gopher {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\ole db\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\ole db\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\ole db\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\ole db\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\ole db\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\lid {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll (Microsoft Corporation)
O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\ole db\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\ole db\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\sysimage {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\wia {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\Class Install Handler {32B533BB-EDAE-11d0-BD5A-00AA00B92AF1} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\deflate {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\gzip {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\lzdhtml {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/webviewhtml {733AC4CB-F1A4-11d0-B951-00A0C90312E1} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UIHost - (logonui.exe) - C:\WINDOWS\System32\logonui.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (rundll32 shell32) - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") - C:\WINDOWS\System32\sysdm.cpl (Microsoft Corporation)
O20 - Winlogon\Notify\AutorunsDisabled: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O20 - Winlogon\Notify\crypt32chain: DllName - crypt32.dll - C:\WINDOWS\System32\crypt32.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cryptnet: DllName - cryptnet.dll - C:\WINDOWS\System32\cryptnet.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cscdll: DllName - cscdll.dll - C:\WINDOWS\System32\cscdll.dll (Microsoft Corporation)
O20 - Winlogon\Notify\klogon: DllName - C:\WINDOWS\system32\klogon.dll - C:\WINDOWS\system32\klogon.dll (EarthLink)
O20 - Winlogon\Notify\ScCertProp: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\Schedule: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\sclgntfy: DllName - sclgntfy.dll - C:\WINDOWS\System32\sclgntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\SensLogn: DllName - WlNotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\termsrv: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\wlballoon: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O21 - SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\system32\stobject.dll (Microsoft Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\system32\webcheck.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Eldon Hofeling.HOME-YN0CO7YWJ1\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Eldon Hofeling.HOME-YN0CO7YWJ1\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msapsspc.dll) - C:\WINDOWS\System32\msapsspc.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (schannel.dll) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (digest.dll) - C:\WINDOWS\System32\digest.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msnsspc.dll) - C:\WINDOWS\System32\msnsspc.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (kerberos) - C:\WINDOWS\System32\kerberos.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (schannel) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (wdigest) - C:\WINDOWS\System32\wdigest.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/30 09:57:13 | 000,000,056 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{866f3d44-de8a-11dc-acbc-000d8759af18}\Shell - "" = AutoRun
O33 - MountPoints2\{866f3d44-de8a-11dc-acbc-000d8759af18}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{866f3d44-de8a-11dc-acbc-000d8759af18}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (70100879952314368)

========== Files/Folders - Created Within 30 Days ==========

[2018/06/18 07:21:57 | 000,000,000 | ---D | C] -- C:\Program Files\DirectX
[2018/06/18 07:20:49 | 000,000,000 | -H-D | C] -- C:\Program Files\Uninstall Information
[2010/08/06 14:15:46 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Eldon Hofeling.HOME-YN0CO7YWJ1\Desktop\OTL.exe
[2010/08/05 09:09:34 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Eldon Hofeling.HOME-YN0CO7YWJ1\Recent
[2010/07/09 15:28:17 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\Adobe
[8 C:\*.tmp files -> C:\*.tmp -> ]
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2018/06/18 07:21:20 | 000,011,079 | -H-- | M] () -- C:\Program Files\folder.htt
[2010/08/06 14:27:35 | 000,095,008 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox.dat
[2010/08/06 14:26:20 | 000,000,032 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox.idx
[2010/08/06 14:24:05 | 000,000,902 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/08/06 14:23:11 | 000,000,272 | ---- | M] () -- C:\WINDOWS\tasks\Check Updates for Windows Live Toolbar.job
[2010/08/06 14:16:04 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Eldon Hofeling.HOME-YN0CO7YWJ1\Desktop\OTL.exe
[2010/08/06 14:15:47 | 002,438,944 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox2.dat
[2010/08/06 13:28:45 | 000,000,898 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/08/06 11:56:22 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/08/06 11:56:17 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/08/06 05:45:30 | 000,229,508 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox2.idx
[2010/08/06 05:45:12 | 006,553,600 | -H-- | M] () -- C:\Documents and Settings\Eldon Hofeling.HOME-YN0CO7YWJ1\NTUSER.DAT
[2010/08/06 05:45:12 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Eldon Hofeling.HOME-YN0CO7YWJ1\ntuser.ini
[2010/08/05 17:56:51 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/08/05 08:35:32 | 000,155,136 | ---- | M] () -- C:\Documents and Settings\Eldon Hofeling.HOME-YN0CO7YWJ1\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/08/03 13:10:11 | 000,000,086 | ---- | M] () -- C:\WINDOWS\qwshellx.ini
[2010/08/02 20:53:16 | 000,000,591 | ---- | M] () -- C:\WINDOWS\QUICKEN.INI
[2010/07/31 14:21:48 | 000,002,262 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/07/30 14:46:54 | 000,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2010/07/29 07:53:00 | 000,113,933 | ---- | M] () -- C:\WINDOWS\System32\drivers\klin.dat
[2010/07/29 07:53:00 | 000,097,549 | ---- | M] () -- C:\WINDOWS\System32\drivers\klick.dat
[2010/07/28 11:26:18 | 000,001,813 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Google Chrome.lnk
[2010/07/27 09:36:18 | 000,024,064 | ---- | M] () -- C:\Documents and Settings\Eldon Hofeling.HOME-YN0CO7YWJ1\Favorites\My Documents\phishing site.doc
[2010/07/25 11:45:37 | 000,002,447 | ---- | M] () -- C:\Documents and Settings\Eldon Hofeling.HOME-YN0CO7YWJ1\Desktop\Microsoft Streets & Trips (2).lnk
[2010/07/11 06:36:10 | 000,441,124 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/07/11 06:36:10 | 000,071,060 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/07/11 06:36:09 | 000,521,942 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[8 C:\*.tmp files -> C:\*.tmp -> ]
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2018/06/18 07:21:19 | 000,011,079 | -H-- | C] () -- C:\Program Files\folder.htt
[2010/07/27 06:44:52 | 000,024,064 | ---- | C] () -- C:\Documents and Settings\Eldon Hofeling.HOME-YN0CO7YWJ1\Favorites\My Documents\phishing site.doc
[2010/03/09 06:27:24 | 000,000,031 | ---- | C] () -- C:\WINDOWS\System32\wsoviedsini.dll
[2010/03/09 06:27:08 | 000,000,530 | ---- | C] () -- C:\WINDOWS\System32\tx14_ic.ini
[2008/11/23 17:15:24 | 000,000,118 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2008/11/14 17:41:13 | 000,000,530 | ---- | C] () -- C:\WINDOWS\System32\tx12_ic.ini
[2008/11/14 17:41:12 | 000,663,552 | ---- | C] () -- C:\WINDOWS\System32\tx12.dll
[2008/06/05 08:09:22 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2007/02/05 16:06:31 | 000,000,050 | ---- | C] () -- C:\WINDOWS\rblky.sys
[2007/02/05 06:27:02 | 000,000,000 | ---- | C] () -- C:\WINDOWS\WinInit.Ini
[2007/01/31 16:51:18 | 000,000,034 | ---- | C] () -- C:\WINDOWS\AuthMgr.INI
[2007/01/23 15:20:52 | 000,171,008 | ---- | C] () -- C:\WINDOWS\KPCP32.DLL
[2007/01/23 15:20:52 | 000,093,184 | ---- | C] () -- C:\WINDOWS\KPAPI32.DLL
[2007/01/23 15:20:52 | 000,038,912 | ---- | C] () -- C:\WINDOWS\KPSYS32.DLL
[2007/01/23 15:20:52 | 000,000,707 | ---- | C] () -- C:\WINDOWS\PHOTOS30.INI
[2007/01/23 15:19:12 | 000,000,127 | ---- | C] () -- C:\WINDOWS\KPCMS.INI
[2006/03/08 22:12:54 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Oro5.INI
[2006/03/08 22:12:54 | 000,000,000 | ---- | C] () -- C:\WINDOWS\00049324.INI
[2006/03/08 22:09:35 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Oro4.INI
[2006/03/08 22:09:35 | 000,000,000 | ---- | C] () -- C:\WINDOWS\000380CA.INI
[2006/03/08 22:08:28 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Oro3.INI
[2006/03/08 22:08:28 | 000,000,000 | ---- | C] () -- C:\WINDOWS\0003130C.INI
[2006/03/08 22:08:00 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Oro2.INI
[2006/03/08 22:08:00 | 000,000,000 | ---- | C] () -- C:\WINDOWS\0002BA8C.INI
[2006/03/08 22:07:35 | 000,000,000 | ---- | C] () -- C:\WINDOWS\0001C648.INI
[2006/03/08 22:06:17 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Oro1.INI
[2006/03/08 22:06:17 | 000,000,000 | ---- | C] () -- C:\WINDOWS\00014CC3.INI
[2005/08/23 16:16:58 | 000,000,208 | ---- | C] () -- C:\WINDOWS\HpBestModeUpdatePatchLog.ini
[2005/08/04 14:51:51 | 000,010,240 | ---- | C] () -- C:\WINDOWS\System32\vidx16.dll
[2005/02/10 02:22:54 | 000,000,000 | ---- | C] () -- C:\WINDOWS\OpPrintServer.INI
[2005/01/19 03:44:16 | 000,639,052 | ---- | C] () -- C:\WINDOWS\System32\BBPDFPortMon.dll
[2004/12/24 15:09:29 | 000,524,288 | ---- | C] () -- C:\WINDOWS\System32\TDI-SonyOMG.dll
[2004/09/27 11:22:58 | 000,000,043 | ---- | C] () -- C:\WINDOWS\INTUIT.INI
[2004/08/30 10:01:28 | 000,000,086 | ---- | C] () -- C:\WINDOWS\qwshellx.ini
[2004/08/30 09:57:29 | 000,000,189 | ---- | C] () -- C:\WINDOWS\INTU_ONL.INI
[2004/08/30 09:57:13 | 000,003,433 | ---- | C] () -- C:\WINDOWS\WPR.INI
[2004/08/30 09:57:13 | 000,000,591 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2004/08/30 09:57:13 | 000,000,052 | ---- | C] () -- C:\WINDOWS\intuprof.ini
[2004/08/23 07:21:37 | 000,016,973 | ---- | C] () -- C:\WINDOWS\System32\ZWebAuth.dll
[2004/08/14 16:04:14 | 000,000,204 | ---- | C] () -- C:\WINDOWS\RtlRack.ini
[2004/08/11 17:52:54 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2004/08/11 17:36:51 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2004/08/11 17:17:15 | 000,000,164 | ---- | C] () -- C:\WINDOWS\avrack.ini
[2004/01/05 00:30:18 | 000,565,248 | ---- | C] () -- C:\WINDOWS\System32\hpotscl.dll
[2003/07/14 20:43:38 | 000,577,635 | ---- | C] () -- C:\WINDOWS\System32\InstallPrinter.dll
[2003/02/25 21:59:18 | 003,907,655 | ---- | C] () -- C:\WINDOWS\System32\Bbgspdf.dll
[2003/01/29 16:04:00 | 000,618,496 | ---- | C] () -- C:\WINDOWS\System32\stlpmt45.dll
[2002/03/13 15:46:46 | 000,053,248 | R--- | C] () -- C:\WINDOWS\System32\zlib.dll

========== LOP Check ==========

[2007/02/25 09:21:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\avg7
[2005/01/19 03:40:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Bluebeam Software
[2010/08/06 13:29:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\EarthLink
[2009/02/25 17:16:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\EarthLink Setup Files
[2008/10/21 09:02:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\PC Drivers HeadQuarters
[2007/11/16 14:46:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\UTour Golf
[2007/02/25 09:21:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Eldon Hofeling.HOME-YN0CO7YWJ1\Application Data\AVG7
[2007/12/16 07:29:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Eldon Hofeling.HOME-YN0CO7YWJ1\Application Data\Earthlink
[2007/02/01 12:39:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Eldon Hofeling.HOME-YN0CO7YWJ1\Application Data\EarthLink Toolbar
[2004/12/27 11:29:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Eldon Hofeling.HOME-YN0CO7YWJ1\Application Data\FileOpen
[2007/08/18 13:53:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Eldon Hofeling.HOME-YN0CO7YWJ1\Application Data\ScamBlocker
[2006/02/09 10:17:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Eldon Hofeling.HOME-YN0CO7YWJ1\Application Data\Webshots
[2010/08/06 14:23:11 | 000,000,272 | ---- | M] () -- C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2007/01/31 16:47:08 | 000,000,000 | ---- | M] () -- C:\ADSClient.txt
[2007/02/02 16:55:29 | 000,151,552 | ---- | M] () -- C:\AluriaCacheFile.dat
[1997/03/15 16:00:00 | 000,106,496 | ---- | M] () -- C:\ANVIL1K.txt.TXT
[2008/09/11 10:14:07 | 000,000,000 | ---- | M] () -- C:\asoutput.log
[2004/08/30 09:57:13 | 000,000,056 | ---- | M] () -- C:\AUTOEXEC.BAT
[2005/10/28 08:34:29 | 014,893,986 | RHS- | M] () -- C:\AVG7DB_F.DAT
[2008/01/31 18:39:26 | 000,000,211 | RHS- | M] () -- C:\boot.ini
[2004/06/25 07:25:16 | 000,000,512 | -HS- | M] () -- C:\BOOTSECT.DOS
[2004/06/18 07:46:06 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2005/09/21 16:29:37 | 000,000,004 | -HS- | M] () -- C:\dllimp_regmsft985
[2007/02/02 16:23:03 | 000,000,308 | ---- | M] () -- C:\elnkserv.log
[2004/07/26 04:32:30 | 000,000,014 | ---- | M] () -- C:\ftplog.txt
[2001/09/05 22:00:58 | 001,700,352 | ---- | M] (Microsoft Corporation) -- C:\gdiplus.dll
[1999/04/23 15:22:00 | 000,222,390 | RHS- | M] () -- C:\IO.SYS
[2006/03/09 15:18:16 | 000,001,369 | -H-- | M] () -- C:\IPH.PH
[2004/12/24 15:07:46 | 000,000,017 | ---- | M] () -- C:\log.txt
[2009/06/01 14:56:47 | 000,000,503 | ---- | M] () -- C:\LOG4.log
[2008/02/26 11:27:31 | 000,000,503 | ---- | M] () -- C:\LOG915.log
[2008/02/18 18:33:19 | 000,000,503 | ---- | M] () -- C:\LOG919.log
[2008/02/18 18:45:35 | 000,000,476 | ---- | M] () -- C:\LOG91A.log
[2008/02/21 12:05:57 | 000,000,503 | ---- | M] () -- C:\LOG93D.log
[2008/03/13 07:25:03 | 000,000,503 | ---- | M] () -- C:\LOG9A1.log
[2008/04/24 11:55:59 | 000,000,503 | ---- | M] () -- C:\LOGAEE.log
[2008/05/22 08:12:20 | 000,000,503 | ---- | M] () -- C:\LOGB31.log
[2004/06/18 07:19:46 | 000,001,685 | RHS- | M] () -- C:\MSDOS.SYS
[2004/10/18 10:36:58 | 000,047,564 | RHS- | M] () -- C:\ntdetect.com
[2004/10/18 10:36:58 | 000,250,032 | RHS- | M] () -- C:\ntldr
[2010/08/06 11:56:14 | 805,306,368 | -HS- | M] () -- C:\pagefile.sys
[2001/08/18 05:00:00 | 000,003,204 | ---- | M] () -- C:\README.HTM
[2004/06/18 07:46:06 | 000,000,000 | ---- | M] () -- C:\ROXIOAUTOEXEC.BAT
[2003/09/01 07:07:00 | 000,001,151 | ---- | M] () -- C:\SERIAL#.TXT
[2006/03/09 15:18:17 | 000,000,058 | -H-- | M] () -- C:\T4Metrics.log
[2007/11/28 17:35:50 | 000,004,608 | -HS- | M] () -- C:\Thumbs.db
[2008/11/26 05:28:08 | 000,012,371 | ---- | M] () -- C:\UBSoftUpdate.log
[2001/08/18 05:00:00 | 000,000,010 | ---- | M] () -- C:\WIN51
[2001/08/18 05:00:00 | 000,000,010 | ---- | M] () -- C:\WIN51IP
[8 C:\*.tmp files -> C:\*.tmp -> ]

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2009/06/29 09:12:14 | 000,347,136 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtmsft.dll
[2009/06/29 09:12:14 | 000,214,528 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtrans.dll
[2004/08/04 00:56:44 | 001,028,096 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\mfc42.dll
[2001/08/23 05:00:00 | 001,355,776 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\msvbvm50.dll
[2004/02/23 15:42:40 | 001,386,496 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\msvbvm60.dll
[2007/08/13 19:54:10 | 000,413,696 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\vbscript.dll
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2004/08/11 09:52:26 | 000,090,112 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2004/08/11 09:52:26 | 000,630,784 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2004/08/11 09:52:26 | 000,397,312 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\system32\drivers\*.sys /90 >

< %systemroot%\system32\Spool\prtprocs\w32x86\*.dll >
[2008/07/06 05:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll

========== Files - Unicode (All) ==========
[2008/01/30 17:59:22 | 000,000,152 | ---- | M] ()(C:\WINDOWS\System32\???????????????????????????????????????????g) -- C:\WINDOWS\System32\㩃停潲牧浡䘠汩獥䕜牡桴楌歮䕜牡桴楌歮倠潲整瑣潩潃瑮潲敃瑮牥卜湡屡潃普杩塜楖睥挮湯楦g
[2007/08/18 12:37:01 | 000,000,152 | ---- | C] ()(C:\WINDOWS\System32\???????????????????????????????????????????g) -- C:\WINDOWS\System32\㩃停潲牧浡䘠汩獥䕜牡桴楌歮䕜牡桴楌歮倠潲整瑣潩潃瑮潲敃瑮牥卜湡屡潃普杩塜楖睥挮湯楦g
< End of report >


#4 Eldon2

Eldon2
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:07:35 PM

Posted 07 August 2010 - 04:38 PM

This is the 2nd of three replies because it wouldn't all go thru as one reply:

I tried to put the contents of Extras.txt here but it seems to be too big to go thru so I attached the file


Attached Files



#5 Eldon2

Eldon2
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:07:35 PM

Posted 07 August 2010 - 04:43 PM

Lastly, the contents of ark.txt:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-08-06 17:44:44
Windows 5.1.2600 Service Pack 2
Running: xwdwqtg8.exe; Driver: C:\DOCUME~1\ELDONH~1.HOM\LOCALS~1\Temp\ffnirpoc.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwEnumerateKey [0xF68589B0]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwEnumerateValueKey [0xF6858A60]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) ZwQuerySystemInformation [0xF6868460]

Code \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) FsRtlCheckLockForReadAccess
Code \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) IoIsOperationSynchronous

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs klif.sys (spuper-ptor/Kaspersky Lab)
AttachedDevice \FileSystem\Fastfat \Fat klif.sys (spuper-ptor/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\Ip kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\Tcp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\Udp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\RawIp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

Device -> \Driver\atapi \Device\Harddisk0\DR0 81CF6EC5

---- Threads - GMER 1.0.15 ----

Thread System [4:456] 81DC6140
Thread System [4:460] 81DC6140
Thread System [4:464] 81D92520
Thread System [4:468] 81D92520
Thread System [4:476] 81D94580
Thread System [4:480] 81D94580
Thread System [4:484] 81D92520
Thread System [4:2732] 814D84B0
Thread System [4:2820] 814B1B00
Thread System [4:2824] 814B1B00

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----




Please note: when I clicked on "run" to run the gmer program it immediately did a brief scan. Then I unchecked the 3 items per your instructions and clicked on "scan". That scan lasted many hours then ultimately disabled my mouse, making it impossible to save it as an ark.txt file. I had to restart my computer to get my mouse back. Then I reran the GMER program and saved the initial brief scan results as ark.txt and later posted the contents above. I then retried clicking on "scan" and once again got locked up. I had a similar problem when I tried first running gmer.exe for my initial inquiry. I hope what I provided is sufficient, if not I don't know how to proceed further.

Thanks again for all your help!
Eldon Hofeling


#6 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:10:35 PM

Posted 07 August 2010 - 04:51 PM

You are welcome smile.gif


One or more of the identified infections is a backdoor trojan or rootkit.

This type of infection has the capabilities to allows hacker to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you still want to clean it please do the following

===================
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

========
Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#7 Eldon2

Eldon2
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:07:35 PM

Posted 10 August 2010 - 09:28 AM

I can't express how grateful I am for the help you have given me and plan to give a modest donation once I figure out a safe way to do so. You guys do a great service to the cyberworld!

I carefully read all your warnings and am taking them very seriously. I did follow the instructions to try and clean my machine without reformatting and seem to have been successful. I will post my text files at the end of this message. I first became aware of my computer's infection when I was getting messages from my anti-virus software's firewall (& always clicked on "deny" access) and also noticed I was getting redirected when using my IE search field. Neither of those are happening anymore and my computer is responding a lot faster now.

I plan on buying a second computer in the near future, but would like to use my current one online in the interim while I shop for then configure the new one. I am not going to have the two networked but will move document files, address books, etc. via a memory stick, then ultimately reformat the original computer harddrive.

What do you think of my speculation that my machine is clean for now (although more susceptable) and if I was to be reinfected in the future I would very likely be alerted one or more of the symptoms that happened recently?


Contents of TDSS log:


2010/08/08 16:19:30.0812 TDSS rootkit removing tool 2.4.1.0 Aug 4 2010 15:06:41
2010/08/08 16:19:30.0812 ================================================================================
2010/08/08 16:19:30.0812 SystemInfo:
2010/08/08 16:19:30.0812
2010/08/08 16:19:30.0812 OS Version: 5.1.2600 ServicePack: 2.0
2010/08/08 16:19:30.0812 Product type: Workstation
2010/08/08 16:19:30.0812 ComputerName: HOME-YN0CO7YWJ1
2010/08/08 16:19:30.0828 UserName: Eldon Hofeling
2010/08/08 16:19:30.0828 Windows directory: C:\WINDOWS
2010/08/08 16:19:30.0828 System windows directory: C:\WINDOWS
2010/08/08 16:19:30.0828 Processor architecture: Intel x86
2010/08/08 16:19:30.0828 Number of processors: 1
2010/08/08 16:19:30.0828 Page size: 0x1000
2010/08/08 16:19:30.0828 Boot type: Normal boot
2010/08/08 16:19:30.0828 ================================================================================
2010/08/08 16:19:32.0109 Initialize success
2010/08/08 16:19:49.0687 ================================================================================
2010/08/08 16:19:49.0687 Scan started
2010/08/08 16:19:49.0687 Mode: Manual;
2010/08/08 16:19:49.0687 ================================================================================
2010/08/08 16:19:51.0828 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/08/08 16:19:51.0906 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2010/08/08 16:19:52.0062 ADSMonitor (3e20790a3206c78e94f65b1b4b6cbeaa) C:\WINDOWS\system32\drivers\ADSMonitor.sys
2010/08/08 16:19:52.0359 aec (1ee7b434ba961ef845de136224c30fec) C:\WINDOWS\system32\drivers\aec.sys
2010/08/08 16:19:52.0484 AFD (3a293f4b1b9316814a45d7d2977c83c7) C:\WINDOWS\System32\drivers\afd.sys
2010/08/08 16:19:52.0484 Suspicious file (Forged): C:\WINDOWS\System32\drivers\afd.sys. Real md5: 3a293f4b1b9316814a45d7d2977c83c7, Fake md5: 55e6e1c51b6d30e54335750955453702
2010/08/08 16:19:52.0484 AFD - detected Rootkit.Win32.TDSS.tdl3 (0)
2010/08/08 16:19:52.0562 agp440 (2c428fa0c3e3a01ed93c9b2a27d8d4bb) C:\WINDOWS\system32\DRIVERS\agp440.sys
2010/08/08 16:19:52.0796 ALCXSENS (a9355a51698f6901b362ef738b15631d) C:\WINDOWS\system32\drivers\ALCXSENS.SYS
2010/08/08 16:19:52.0921 ALCXWDM (b191753b1aa2e7b11a18d5fde8248aa2) C:\WINDOWS\system32\drivers\ALCXWDM.SYS
2010/08/08 16:19:53.0421 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/08/08 16:19:53.0515 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/08/08 16:19:53.0656 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/08/08 16:19:53.0781 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/08/08 16:19:53.0906 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/08/08 16:19:54.0031 BW2NDIS5 (71cb7616cb36d43ea787c41ab55fe458) C:\WINDOWS\system32\Drivers\BW2NDIS5.sys
2010/08/08 16:19:54.0109 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/08/08 16:19:54.0218 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/08/08 16:19:54.0312 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/08/08 16:19:54.0359 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/08/08 16:19:54.0765 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/08/08 16:19:54.0859 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
2010/08/08 16:19:55.0015 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys
2010/08/08 16:19:55.0062 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/08/08 16:19:55.0125 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
2010/08/08 16:19:55.0265 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/08/08 16:19:55.0546 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/08/08 16:19:55.0609 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\DRIVERS\fdc.sys
2010/08/08 16:19:55.0703 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
2010/08/08 16:19:55.0781 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2010/08/08 16:19:55.0890 FltMgr (3d234fb6d6ee875eb009864a299bea29) C:\WINDOWS\system32\drivers\fltmgr.sys
2010/08/08 16:19:55.0968 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/08/08 16:19:56.0062 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/08/08 16:19:56.0109 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/08/08 16:19:56.0265 HCF_MSFT (4236e014632f4163f53ebb717f41594c) C:\WINDOWS\system32\DRIVERS\HCF_MSFT.sys
2010/08/08 16:19:56.0468 HidUsb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/08/08 16:19:57.0062 HPZid412 (287a63bd8509bd78e7978823b38afa81) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
2010/08/08 16:19:57.0125 HPZipr12 (0b4fda2657c3e0315eaa57f9c6d4fd1f) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
2010/08/08 16:19:57.0218 HPZius12 (29559db25258b60510a60c4e470fce32) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
2010/08/08 16:19:57.0359 HTTP (cb77bb47e67e84deb17ba29632501730) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/08/08 16:19:57.0515 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/08/08 16:19:57.0578 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/08/08 16:19:57.0843 intelppm (279fb78702454dff2bb445f238c048d2) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2010/08/08 16:19:57.0937 ip6fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\drivers\ip6fw.sys
2010/08/08 16:19:58.0046 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/08/08 16:19:58.0140 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/08/08 16:19:58.0265 IpNat (e2168cbc7098ffe963c6f23f472a3593) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/08/08 16:19:58.0328 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/08/08 16:19:58.0390 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/08/08 16:19:58.0531 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/08/08 16:19:58.0609 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/08/08 16:19:58.0671 kl1 (45056287cdd70803bad130bf71fe6890) C:\WINDOWS\system32\drivers\kl1.sys
2010/08/08 16:19:58.0781 klif (854167a8a1c7300282ee5e157c3e1fbe) C:\WINDOWS\system32\drivers\klif.sys
2010/08/08 16:19:58.0921 klim5 (fab690ad3d3949b9ed227508734c8a85) C:\WINDOWS\system32\DRIVERS\klim5.sys
2010/08/08 16:19:59.0062 kmixer (ba5deda4d934e6288c2f66caf58d2562) C:\WINDOWS\system32\drivers\kmixer.sys
2010/08/08 16:19:59.0125 KSecDD (eb7ffe87fd367ea8fca0506f74a87fbb) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/08/08 16:19:59.0281 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/08/08 16:19:59.0375 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
2010/08/08 16:19:59.0437 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/08/08 16:19:59.0562 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/08/08 16:19:59.0671 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/08/08 16:19:59.0781 MRxDAV (29414447eb5bde2f8397dc965dbb3156) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/08/08 16:19:59.0906 MRxSmb (6f2d483b97b395544e59749c47963c6a) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/08/08 16:20:00.0015 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
2010/08/08 16:20:00.0125 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/08/08 16:20:00.0218 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/08/08 16:20:00.0312 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/08/08 16:20:00.0421 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/08/08 16:20:00.0515 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
2010/08/08 16:20:00.0578 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
2010/08/08 16:20:00.0625 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/08/08 16:20:00.0687 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/08/08 16:20:00.0781 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/08/08 16:20:00.0828 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/08/08 16:20:00.0906 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/08/08 16:20:00.0984 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/08/08 16:20:01.0109 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
2010/08/08 16:20:01.0218 Ntfs (19a811ef5f1ed5c926a028ce107ff1af) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/08/08 16:20:01.0328 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/08/08 16:20:01.0437 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/08/08 16:20:01.0531 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/08/08 16:20:01.0609 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\DRIVERS\parport.sys
2010/08/08 16:20:01.0656 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/08/08 16:20:01.0718 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/08/08 16:20:01.0812 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/08/08 16:20:01.0906 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2010/08/08 16:20:01.0984 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys
2010/08/08 16:20:02.0234 pfc (ed2e7f396b4098608c95bc3806bdf6fc) C:\WINDOWS\system32\drivers\pfc.sys
2010/08/08 16:20:02.0343 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/08/08 16:20:02.0437 Processor (0d97d88720a4087ec93af7dbb303b30a) C:\WINDOWS\system32\DRIVERS\processr.sys
2010/08/08 16:20:02.0515 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/08/08 16:20:02.0609 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/08/08 16:20:02.0718 PxHelp20 (951d4769ba5b8a3c58404b5cef4a65ca) C:\WINDOWS\system32\DRIVERS\PxHelp20.sys
2010/08/08 16:20:03.0140 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/08/08 16:20:03.0281 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/08/08 16:20:03.0375 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/08/08 16:20:03.0453 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/08/08 16:20:03.0562 Rdbss (03b965b1ca47f6ef60eb5e51cb50e0af) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/08/08 16:20:03.0609 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/08/08 16:20:03.0703 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2010/08/08 16:20:03.0828 RDPWD (b54cd38a9ebfbf2b3561426e3fe26f62) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/08/08 16:20:03.0937 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/08/08 16:20:04.0046 ROOTMODEM (d8b0b4ade32574b2d9c5cc34dc0dbbe7) C:\WINDOWS\system32\Drivers\RootMdm.sys
2010/08/08 16:20:04.0218 rtl8139 (2ef9c0dc26b30b2318b1fc3faa1f0ae7) C:\WINDOWS\system32\DRIVERS\R8139n51.SYS
2010/08/08 16:20:04.0375 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/08/08 16:20:04.0500 serenum (a2d868aeeff612e70e213c451a70cafb) C:\WINDOWS\system32\DRIVERS\serenum.sys
2010/08/08 16:20:04.0593 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\DRIVERS\serial.sys
2010/08/08 16:20:04.0734 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/08/08 16:20:05.0062 splitter (0ce218578fff5f4f7e4201539c45c78f) C:\WINDOWS\system32\drivers\splitter.sys
2010/08/08 16:20:05.0156 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/08/08 16:20:05.0250 Srv (ab9c79ed12d65e800aaad3d72a04792f) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/08/08 16:20:05.0390 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/08/08 16:20:05.0484 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
2010/08/08 16:20:05.0750 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/08/08 16:20:05.0906 Tcpip (2a5554fc5b1e04e131230e3ce035c3f9) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/08/08 16:20:06.0000 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/08/08 16:20:06.0093 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/08/08 16:20:06.0625 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/08/08 16:20:06.0812 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
2010/08/08 16:20:06.0984 Update (7b2170ee3d858ce8fbe503904cc9b663) C:\WINDOWS\system32\DRIVERS\update.sys
2010/08/08 16:20:07.0093 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2010/08/08 16:20:07.0171 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/08/08 16:20:07.0265 usbprint (a42369b7cd8886cd7c70f33da6fcbcf5) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2010/08/08 16:20:07.0343 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2010/08/08 16:20:07.0421 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/08/08 16:20:07.0500 usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2010/08/08 16:20:07.0562 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
2010/08/08 16:20:07.0656 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/08/08 16:20:07.0750 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/08/08 16:20:07.0828 wanatw (0a716c08cb13c3a8f4f51e882dbf7416) C:\WINDOWS\system32\DRIVERS\wanatw4.sys
2010/08/08 16:20:07.0968 wdmaud (efd235ca22b57c81118c1aeb4798f1c1) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/08/08 16:20:08.0312 ================================================================================
2010/08/08 16:20:08.0312 Scan finished
2010/08/08 16:20:08.0312 ================================================================================
2010/08/08 16:20:08.0359 Detected object count: 1
2010/08/08 16:20:26.0937 AFD (3a293f4b1b9316814a45d7d2977c83c7) C:\WINDOWS\System32\drivers\afd.sys
2010/08/08 16:20:26.0937 Suspicious file (Forged): C:\WINDOWS\System32\drivers\afd.sys. Real md5: 3a293f4b1b9316814a45d7d2977c83c7, Fake md5: 55e6e1c51b6d30e54335750955453702
2010/08/08 16:20:28.0375 Backup copy found, using it..
2010/08/08 16:20:28.0421 C:\WINDOWS\System32\drivers\afd.sys - will be cured after reboot
2010/08/08 16:20:28.0421 Rootkit.Win32.TDSS.tdl3(AFD) - User select action: Cure
2010/08/08 16:20:54.0453 Deinitialize success


Contents of Combofix.txt:

ComboFix 10-08-08.01 - Eldon Hofeling 08/08/2010 16:38:27.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.309 [GMT -7:00]
Running from: c:\documents and settings\Eldon Hofeling.HOME-YN0CO7YWJ1\Desktop\ComboFix.exe
AV: Protection Control Center *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Protection Control Center *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Eldon Hofeling.HOME-YN0CO7YWJ1\Application Data\020000000fa2c022C.manifest
c:\documents and settings\Eldon Hofeling.HOME-YN0CO7YWJ1\Application Data\020000000fa2c022O.manifest
c:\documents and settings\Eldon Hofeling.HOME-YN0CO7YWJ1\Application Data\020000000fa2c022P.manifest
c:\documents and settings\Eldon Hofeling.HOME-YN0CO7YWJ1\Application Data\020000000fa2c022R.manifest
c:\documents and settings\Eldon Hofeling.HOME-YN0CO7YWJ1\Application Data\020000000fa2c022S.manifest
c:\documents and settings\Eldon Hofeling.HOME-YN0CO7YWJ1\musicmatch10.exe
c:\documents and settings\Eldon Hofeling.HOME-YN0CO7YWJ1\wbsamp.exe
C:\LOG4.tmp
C:\LOG915.tmp
C:\LOG919.tmp
C:\LOG91A.tmp
C:\LOG93D.tmp
C:\LOG9A1.tmp
C:\LOGAEE.tmp
C:\LOGB31.tmp
C:\Thumbs.db
c:\windows\Temp\tmp3.tmp

.
((((((((((((((((((((((((( Files Created from 2010-07-08 to 2010-08-08 )))))))))))))))))))))))))))))))
.

2018-06-18 14:21 . 2018-06-18 14:21 -------- d-----w- c:\program files\DirectX
2010-07-28 18:24 . 2010-07-28 18:24 -------- d-----w- c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Temp
2010-07-27 14:51 . 2010-07-27 14:51 -------- d-----w- c:\documents and settings\NetworkService.NT AUTHORITY\Application Data\Earthlink
2010-07-25 12:03 . 2010-07-25 12:30 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\FullTiltPoker.NET
2010-07-25 01:34 . 2010-07-25 01:35 -------- d-----w- c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2018-06-18 14:21 . 2018-06-18 14:21 11079 -c-ha-w- c:\program files\folder.htt
2010-08-08 23:46 . 2009-02-26 00:29 1087776 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-08-08 23:45 . 2009-02-26 00:29 2450720 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-08-08 23:38 . 2009-02-26 00:29 32 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-08-08 23:23 . 2009-02-26 00:16 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\EarthLink
2010-08-08 23:22 . 2001-08-23 12:00 138368 ----a-w- c:\windows\system32\drivers\afd.sys
2010-08-08 23:21 . 2009-02-26 00:29 230444 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-08-08 17:30 . 2008-10-27 23:24 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-06 12:43 . 2008-11-26 13:09 -------- d-----w- c:\program files\Full Tilt Poker.Net
2010-07-29 14:53 . 2009-02-26 00:30 97549 ----a-w- c:\windows\system32\drivers\klick.dat
2010-07-29 14:53 . 2009-02-26 00:30 113933 ----a-w- c:\windows\system32\drivers\klin.dat
2010-07-25 11:54 . 2010-07-25 11:51 664 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\d3d9caps.tmp
2008-01-31 00:37 . 2008-01-31 00:37 292328 ----a-w- c:\program files\elnk_pcc.exe
2006-04-10 21:53 . 2005-01-19 10:45 14392 ----a-w- c:\program files\SolidWorksswxJRNL.BAK
2003-03-21 13:37 . 2003-03-21 13:37 16056 ----a-w- c:\program files\owcstp16.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 241664]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-12-11 286720]
"ezShieldProtector for Px"="c:\windows\system32\ezSP_Px.exe" [2002-08-20 40960]
"NeroCheck"="c:\windows\system32\\NeroCheck.exe" [2001-07-09 155648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-06-17 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

c:\documents and settings\Eldon Hofeling.HOME-YN0CO7YWJ1\Start Menu\Programs\Startup\
Webshots.lnk - c:\program files\Webshots\Launcher.exe [2006-2-9 45056]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-12 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AutorunsDisabled]
WgaLogon.dll [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
2001-07-09 10:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioEngineUtility]
2003-05-01 18:44 65536 ----a-w- c:\program files\Common Files\Roxio Shared\System\EngUtil.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2003-08-15 07:34 57344 ----a-w- c:\windows\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\mshta.exe"=
"c:\\Program Files\\Microsoft Games\\Links 2001\\LinksMMI.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\EarthLink\\EarthLink Protection Control Center\\avp.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:EarthLink UHP Modem Support

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R2 EarthLinkMonitor;EarthLink Monitor Service;c:\program files\EarthLink TotalAccess\WENGINE\wmonitor.exe [1/26/2005 11:47 AM 65604]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [12/13/2007 2:28 PM 24592]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/24/2010 2:12 PM 136176]
S3 ADSMonitor;ADSMonitor - (EarthLink Monitor Driver);c:\windows\system32\drivers\ADSMonitor.sys [8/3/2007 7:35 AM 38384]
S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\drivers\BW2NDIS5.SYS [11/1/2004 2:16 PM 17536]
S3 EarthLinkSafeConnectFilter;EarthLinkSafeConnectFilter;\??\c:\program files\EarthLink\EarthLink Protection Control Center\Sana\Driver\platform_XP\SafeConnectFilter.sys --> c:\program files\EarthLink\EarthLink Protection Control Center\Sana\Driver\platform_XP\SafeConnectFilter.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - KLMDB
*Deregistered* - klmdb
.
Contents of the 'Scheduled Tasks' folder

2010-08-08 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 19:20]

2010-08-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-24 21:12]

2010-08-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-24 21:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.earthlink.net/?e15=PSP_OGP_ELNKNAV
uDefault_Search_URL = hxxp://www.earthlink.net/partner/more/msie/button/search.html
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: EarthLink Google Search - c:\program files\EarthLink TotalAccess\Toolbar\SearchUI.dll/search.html
IE: {{10F055B8-F443-4adf-948A-EC551E9DBCE4} - c:\documents and settings\Eldon Hofeling.HOME-YN0CO7YWJ1\Start Menu\Programs\UltimateBet\UltimateBet.lnk
Trusted Zone: taxactonline.com\www
TCP: {A523D060-EDBC-4D60-8B73-D26C07D34139} = 207.69.188.185,207.69.188.186
DPF: {9E515FE4-2A60-4D08-8E96-CF9A967BE49B} - hxxp://check.earthlinksecurity.com/SSMEarthLink.cab
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
SafeBoot-klmdb.sys
MSConfigStartUp-RoxioAudioCentral - c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
MSConfigStartUp-RoxioDragToDisc - c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-08 16:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2010-08-08 16:50:26
ComboFix-quarantined-files.txt 2010-08-08 23:50
ComboFix2.txt 2008-09-25 17:01

Pre-Run: 80,972,843,520 bytes free
Post-Run: 81,269,222,912 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - EC3C996368DD45527C05E77E87EFDDA5


Thanks again!
Eldon Hofeling


#8 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:10:35 PM

Posted 10 August 2010 - 12:57 PM

You are welcome. smile.gif

You are safe to do what you want with the computer.
Some experts say that it is impossible to fully clean but honestly with this infection it only hides in a certain place and it has been removed.
So in this case you are clean.
I still would like to run a few more scans to double check for any thing else.
====================
Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatley.
=====================
Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#9 Eldon2

Eldon2
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:07:35 PM

Posted 11 August 2010 - 03:47 PM

Below is the contents of the MBAM logfile. I also did a scan with Kaspersky Online Scanner which ran for many hours and was over 90% complete when it slowed to a crawl pace while scanning some old Win98_##.CAB files and I accidently interupted it while trying to figure out why it was acting so slow. At this point the scan had found no threats. I am also not too worried about this scan because Kaspersky is the source of the Earthlink Protection Control Service that I have on my computer, which gets updated daily and I used to scan recently.

MBAM logfile:


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4414

Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13

8/10/2010 2:25:12 PM
mbam-log-2010-08-10 (14-25-12).txt

Scan type: Full scan (C:\|)
Objects scanned: 313993
Time elapsed: 1 hour(s), 2 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3ba4271e-5c1e-48e2-b432-d8bf420dd31d} (Rogue.DeusCleaner) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a072ec12-a40b-41dd-9a1a-cdb848b70f3c} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{bd4f7a6d-0107-4bdf-b72b-021b717b06ce} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\XP1A\KEYGEN\XP_SP1\WINDOW~1.EXE (Hacktool.KeySteal) -> Quarantined and deleted successfully.
C:\junk\WindowsXP Product Key Viewer.exe (Hacktool.KeySteal) -> Quarantined and deleted successfully.
C:\Program Files\owcstp16.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.


I did surf the web a little and also played online Poker (play $ only) with the computer between the ComboFix and these last two scans. I wonder if any of the above happened during this period?
Thanks so much for your help!
Eldon Hofeling


#10 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:10:35 PM

Posted 12 August 2010 - 06:37 AM

Thank you for your donation much appreciated smile.gif

These files here are false positives.
QUOTE
C:\XP1A\KEYGEN\XP_SP1\WINDOW~1.EXE (Hacktool.KeySteal) -> Quarantined and deleted successfully.
C:\junk\WindowsXP Product Key Viewer.exe (Hacktool.KeySteal) -> Quarantined and deleted successfully.
C:\Program Files\owcstp16.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.

This one > C:\Program Files\owcstp16.dll seems to be related to an Intel usb driver made for Windows 98 it shouldn't be on Windows xp but it is not malicious,
You can safely restore these files from quarantine.
The rest were left over from a previous infection.

How are things running now?
  • Double click on OTL to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open one notepad window. OTL.Txt a This is saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of this file and post it with your next reply.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#11 Eldon2

Eldon2
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:07:35 PM

Posted 12 August 2010 - 10:23 AM

Everything seems to be fine now based on how my computer operates. thumbup.gif

I really appreciate all the help and sorry I can't afford to donate more. Feel free to email me for any reason. The OTL log file follows.

Eldon Hofeling wink.gif
N. California



OTL logfile created on: 8/12/2010 6:56:09 AM - Run 2
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Documents and Settings\Eldon Hofeling.HOME-YN0CO7YWJ1\Desktop\Unused Desktop Shortcuts
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.00 Mb Total Physical Memory | 248.00 Mb Available Physical Memory | 49.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 76.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 111.79 Gb Total Space | 75.43 Gb Free Space | 67.48% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: HOME-YN0CO7YWJ1
Current User Name: Eldon Hofeling
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Eldon Hofeling.HOME-YN0CO7YWJ1\Desktop\Unused Desktop Shortcuts\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\EarthLink\EarthLink Protection Control Center\avp.exe (EarthLink)
PRC - C:\WINDOWS\system32\hpzipm12.exe (HP)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe (Boingo Wireless, Inc.)
PRC - C:\Program Files\Webshots\webshots.scr (Webshots.com)
PRC - C:\WINDOWS\system32\ezSP_Px.exe (Easy Systems Japan Ltd.)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Eldon Hofeling.HOME-YN0CO7YWJ1\Desktop\Unused Desktop Shortcuts\OTL.exe (OldTimer Tools)
MOD - C:\Program Files\EarthLink\EarthLink Protection Control Center\miscr3.dll (EarthLink)
MOD - C:\Program Files\EarthLink\EarthLink Protection Control Center\fssync.dll (EarthLink)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\msvcr80.dll (Microsoft Corporation)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll (Microsoft Corporation)
MOD - C:\WINDOWS\system32\msscript.ocx (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (AVP) -- C:\Program Files\EarthLink\EarthLink Protection Control Center\avp.exe (EarthLink)
SRV - (Pml Driver HPZ12) -- C:\WINDOWS\system32\hpzipm12.exe (HP)
SRV - (EarthLinkMonitor) -- C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe (Boingo Wireless, Inc.)
SRV - (PACSPTISVR) -- C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe ()
SRV - (SPTISRV) -- C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe (Sony Corporation)


========== Driver Services (SafeList) ==========

DRV - (EarthLinkSafeConnectFilter) -- C:\Program Files\EarthLink\EarthLink Protection Control Center\Sana\Driver\platform_XP\SafeConnectFilter.sys File not found
DRV - (catchme) -- C:\DOCUME~1\ELDONH~1.HOM\LOCALS~1\Temp\catchme.sys File not found
DRV - (kl1) -- C:\WINDOWS\system32\drivers\kl1.sys (Kaspersky Lab)
DRV - (klif) -- C:\WINDOWS\system32\drivers\klif.sys (Kaspersky Lab)
DRV - (klim5) -- C:\WINDOWS\system32\drivers\klim5.sys (Kaspersky Lab)
DRV - (ADSMonitor) ADSMonitor - (EarthLink Monitor Driver) -- C:\WINDOWS\system32\drivers\ADSMonitor.sys (EarthLink, Inc.)
DRV - (BW2NDIS5) -- C:\WINDOWS\system32\drivers\BW2NDIS5.SYS (Printing Communications Assoc., Inc. (PCAUSA))
DRV - (ALCXWDM) Service for Realtek AC97 Audio (WDM) -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS (Realtek Semiconductor Corp.)
DRV - (ALCXSENS) -- C:\WINDOWS\system32\drivers\ALCXSENS.SYS (Sensaura Ltd)
DRV - (wanatw) WAN Miniport (ATW) -- C:\WINDOWS\system32\drivers\wanatw4.sys (America Online, Inc.)
DRV - (rtl8139) -- C:\WINDOWS\system32\drivers\R8139n51.sys (Realtek Semiconductor Corporation )
DRV - (pfc) -- C:\WINDOWS\system32\drivers\pfc.sys (Padus, Inc.)
DRV - (HCF_MSFT) -- C:\WINDOWS\system32\drivers\HCF_MSFT.sys (Conexant)


========== Standard Registry (All) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [Binary data over 100 bytes]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = [Binary data over 100 bytes]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/1me10enus/2
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie...ton/search.html
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerm...tf8&oe=utf8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://my.earthlink.net/?e15=PSP_OGP_ELNKNAV
IE - HKCU\..\URLSearchHook: {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll (EarthLink, Inc.)
IE - HKCU\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\Extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009/03/02 06:31:20 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/08/14 23:47:12 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2010/08/08 16:45:33 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (ElnkBhoGuard Class) - {00000000-0000-0000-0000-000000000002} - C:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll (EarthLink, Inc.)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (ElnkScamBHO Class) - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - C:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll (EarthLink, Inc.)
O2 - BHO: (ElnkPubBHO Class) - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\Program Files\EarthLink TotalAccess\Toolbar\ElnkPuB.dll (EarthLink, Inc.)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (ElnkProtectionBHO Class) - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\Program Files\EarthLink TotalAccess\Toolbar\ProtctIE.dll (EarthLink, Inc.)
O2 - BHO: (Windows Live Toolbar Helper) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O2 - BHO: (ElnkLegacyUninstBHO Class) - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\Program Files\EarthLink TotalAccess\Toolbar\uninsttb.dll (EarthLink, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O2 - BHO: (no name) - AutorunsDisabled - No CLSID value found.
O3 - HKLM\..\Toolbar: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (EarthLink Toolbar) - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll (EarthLink, Inc.)
O3 - HKCU\..\Toolbar\ShellBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (&Links) - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (EarthLink Toolbar) - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll (EarthLink, Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (&Links) - {F2CF5485-4E02-4F68-819C-B92DE9277049} - C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)
O4 - HKLM..\Run: [Adobe ARM] C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AVP] C:\Program Files\EarthLink\EarthLink Protection Control Center\avp.exe (EarthLink)
O4 - HKLM..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe (Easy Systems Japan Ltd.)
O4 - HKLM..\Run: [HP Component Manager] C:\Program Files\HP\hpcoretech\hpcmpmgr.exe (Hewlett-Packard Company)
O4 - HKLM..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe ()
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\Eldon Hofeling.HOME-YN0CO7YWJ1\Start Menu\Programs\Startup\Webshots.lnk = C:\Program Files\Webshots\Launcher.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O8 - Extra context menu item: &Windows Live Search - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: EarthLink Google Search - C:\Program Files\EarthLink TotalAccess\Toolbar\SearchUI.dll (EarthLink, Inc.)
O9 - Extra Button: UltimateBet - {10F055B8-F443-4adf-948A-EC551E9DBCE4} - C:\Documents and Settings\Eldon Hofeling.HOME-YN0CO7YWJ1\Start Menu\Programs\UltimateBet\UltimateBet.lnk ()
O9 - Extra 'Tools' menuitem : UltimateBet - {10F055B8-F443-4adf-948A-EC551E9DBCE4} - C:\Documents and Settings\Eldon Hofeling.HOME-YN0CO7YWJ1\Start Menu\Programs\UltimateBet\UltimateBet.lnk ()
O9 - Extra Button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\EarthLink\EarthLink Protection Control Center\SCIEPlgn.dll (EarthLink)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\WINDOWS\system32\winrnr.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O15 - HKCU\..Trusted Domains: ([]msn in My Computer)
O15 - HKCU\..Trusted Domains: taxactonline.com ([www] https in Trusted sites)
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab (StagingUI Object)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://fpdownload.macromedia.com/pub/shock...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/e/2...78f/wvc1dmo.cab (Reg Error: Key error.)
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab (MSN Games Buddy Invite)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab (MSN Photo Upload Tool)
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab (ZonePAChat Object)
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} https://www.taxsimple.com/tsweb/msrdp.cab (Microsoft RDP Client Control (redist))
O16 - DPF: {8569D715-FF88-44BA-8D1D-AD3E59543DDE} http://mt1972.ghinconnect.com/ghinwebreports/arview2.cab (ActiveReports Viewer2)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {9E515FE4-2A60-4D08-8E96-CF9A967BE49B} http://check.earthlinksecurity.com/SSMEarthLink.cab (SSMEarthLink Control)
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} http://zone.msn.com/bingame/zpagames/zpa_shvl.cab55579.cab (ZPA_SHVL Object)
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab (MSN Games - Installer)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_02)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {D27CDB6E-AE6D-0000-0000-000000000000} http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab (Reg Error: Key error.)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} http://zone.msn.com/binframework/v10/StProxy.cab55579.cab (MSN Games Game Communicator)
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326 (QDiagHUpdateObj Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\AutorunsDisabled - No CLSID value found
O18 - Protocol\Handler\AutorunsDisabled\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\cdo {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL (Microsoft Corporation)
O18 - Protocol\Handler\cetihpz {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll (Hewlett-Packard Company)
O18 - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\gopher {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\ole db\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\ole db\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\ole db\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\ole db\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\ole db\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\lid {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll (Microsoft Corporation)
O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\ole db\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\ole db\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\sysimage {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\wia {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\Class Install Handler {32B533BB-EDAE-11d0-BD5A-00AA00B92AF1} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\deflate {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\gzip {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\lzdhtml {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/webviewhtml {733AC4CB-F1A4-11d0-B951-00A0C90312E1} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UIHost - (logonui.exe) - C:\WINDOWS\System32\logonui.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (rundll32 shell32) - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") - C:\WINDOWS\System32\sysdm.cpl (Microsoft Corporation)
O20 - Winlogon\Notify\AutorunsDisabled: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O20 - Winlogon\Notify\crypt32chain: DllName - crypt32.dll - C:\WINDOWS\System32\crypt32.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cryptnet: DllName - cryptnet.dll - C:\WINDOWS\System32\cryptnet.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cscdll: DllName - cscdll.dll - C:\WINDOWS\System32\cscdll.dll (Microsoft Corporation)
O20 - Winlogon\Notify\klogon: DllName - C:\WINDOWS\system32\klogon.dll - C:\WINDOWS\system32\klogon.dll (EarthLink)
O20 - Winlogon\Notify\ScCertProp: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\Schedule: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\sclgntfy: DllName - sclgntfy.dll - C:\WINDOWS\System32\sclgntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\SensLogn: DllName - WlNotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\termsrv: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\wlballoon: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O21 - SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\system32\stobject.dll (Microsoft Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\system32\webcheck.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Eldon Hofeling.HOME-YN0CO7YWJ1\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Eldon Hofeling.HOME-YN0CO7YWJ1\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msapsspc.dll) - C:\WINDOWS\System32\msapsspc.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (schannel.dll) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (digest.dll) - C:\WINDOWS\System32\digest.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msnsspc.dll) - C:\WINDOWS\System32\msnsspc.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (kerberos) - C:\WINDOWS\System32\kerberos.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (schannel) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (wdigest) - C:\WINDOWS\System32\wdigest.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/30 09:57:13 | 000,000,056 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2018/06/18 07:21:57 | 000,000,000 | ---D | C] -- C:\Program Files\DirectX
[2018/06/18 07:20:49 | 000,000,000 | -H-D | C] -- C:\Program Files\Uninstall Information
[2010/08/11 16:35:48 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Eldon Hofeling.HOME-YN0CO7YWJ1\Recent
[2010/08/10 13:17:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Eldon Hofeling.HOME-YN0CO7YWJ1\Application Data\Malwarebytes
[2010/08/10 13:17:25 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/08/10 13:17:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
[2010/08/10 13:17:22 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/08/10 13:17:21 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/08/10 13:15:19 | 006,153,352 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Eldon Hofeling.HOME-YN0CO7YWJ1\Desktop\mbam-setup.exe
[2010/08/08 16:36:01 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/08/08 16:28:36 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/08/08 16:28:36 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/08/08 16:28:36 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/08/08 16:28:36 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/08/08 16:14:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Eldon Hofeling.HOME-YN0CO7YWJ1\Desktop\tdsskiller
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2018/06/18 07:21:20 | 000,011,079 | -H-- | M] () -- C:\Program Files\folder.htt
[2010/08/12 07:03:15 | 000,383,520 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox.dat
[2010/08/12 07:00:33 | 000,000,032 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox.idx
[2010/08/12 06:43:30 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/08/12 06:40:22 | 002,476,064 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox2.dat
[2010/08/12 06:24:16 | 000,000,902 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/08/12 06:23:03 | 000,000,272 | ---- | M] () -- C:\WINDOWS\tasks\Check Updates for Windows Live Toolbar.job
[2010/08/12 06:05:11 | 000,000,898 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/08/12 05:53:59 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/08/12 05:53:55 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/08/11 21:23:41 | 006,553,600 | -H-- | M] () -- C:\Documents and Settings\Eldon Hofeling.HOME-YN0CO7YWJ1\NTUSER.DAT
[2010/08/11 21:23:41 | 000,233,060 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox2.idx
[2010/08/11 21:23:13 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Eldon Hofeling.HOME-YN0CO7YWJ1\ntuser.ini
[2010/08/11 15:45:47 | 000,156,672 | ---- | M] () -- C:\Documents and Settings\Eldon Hofeling.HOME-YN0CO7YWJ1\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/08/10 16:28:12 | 000,001,813 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Google Chrome.lnk
[2010/08/10 13:17:28 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/08/10 13:15:34 | 006,153,352 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Eldon Hofeling.HOME-YN0CO7YWJ1\Desktop\mbam-setup.exe
[2010/08/10 13:10:54 | 000,029,696 | ---- | M] () -- C:\Documents and Settings\Eldon Hofeling.HOME-YN0CO7YWJ1\Favorites\My Documents\bleeping computer reply 3.doc
[2010/08/09 16:01:58 | 000,000,591 | ---- | M] () -- C:\WINDOWS\QUICKEN.INI
[2010/08/09 16:01:06 | 000,000,086 | ---- | M] () -- C:\WINDOWS\qwshellx.ini
[2010/08/08 17:17:24 | 000,051,712 | ---- | M] () -- C:\Documents and Settings\Eldon Hofeling.HOME-YN0CO7YWJ1\Favorites\My Documents\bleeping computer reply 2.doc
[2010/08/08 16:46:01 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/08/08 16:45:33 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/08/08 16:36:11 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/08/08 16:16:18 | 003,817,265 | R--- | M] () -- C:\Documents and Settings\Eldon Hofeling.HOME-YN0CO7YWJ1\Desktop\ComboFix.exe
[2010/08/08 16:13:42 | 001,130,629 | ---- | M] () -- C:\Documents and Settings\Eldon Hofeling.HOME-YN0CO7YWJ1\Desktop\tdsskiller.zip
[2010/08/08 16:11:41 | 000,028,160 | ---- | M] () -- C:\Documents and Settings\Eldon Hofeling.HOME-YN0CO7YWJ1\Favorites\My Documents\Malware Cleaning Instructions.doc
[2010/08/07 13:53:58 | 000,135,168 | ---- | M] () -- C:\Documents and Settings\Eldon Hofeling.HOME-YN0CO7YWJ1\Favorites\My Documents\bleeping computer reply 1.doc
[2010/07/31 14:21:48 | 000,002,262 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/07/30 14:46:54 | 000,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2010/07/29 07:53:00 | 000,113,933 | ---- | M] () -- C:\WINDOWS\System32\drivers\klin.dat
[2010/07/29 07:53:00 | 000,097,549 | ---- | M] () -- C:\WINDOWS\System32\drivers\klick.dat
[2010/07/27 09:36:18 | 000,024,064 | ---- | M] () -- C:\Documents and Settings\Eldon Hofeling.HOME-YN0CO7YWJ1\Favorites\My Documents\phishing site.doc
[2010/07/25 11:45:37 | 000,002,447 | ---- | M] () -- C:\Documents and Settings\Eldon Hofeling.HOME-YN0CO7YWJ1\Desktop\Microsoft Streets & Trips (2).lnk
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2018/06/18 07:21:19 | 000,011,079 | -H-- | C] () -- C:\Program Files\folder.htt
[2010/08/10 13:17:28 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/08/10 13:07:41 | 000,029,696 | ---- | C] () -- C:\Documents and Settings\Eldon Hofeling.HOME-YN0CO7YWJ1\Favorites\My Documents\bleeping computer reply 3.doc
[2010/08/08 17:17:23 | 000,051,712 | ---- | C] () -- C:\Documents and Settings\Eldon Hofeling.HOME-YN0CO7YWJ1\Favorites\My Documents\bleeping computer reply 2.doc
[2010/08/08 16:36:10 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/08/08 16:36:06 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/08/08 16:28:36 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/08/08 16:28:36 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/08/08 16:28:36 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/08/08 16:28:36 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/08/08 16:28:36 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/08/08 16:16:18 | 003,817,265 | R--- | C] () -- C:\Documents and Settings\Eldon Hofeling.HOME-YN0CO7YWJ1\Desktop\ComboFix.exe
[2010/08/08 16:13:41 | 001,130,629 | ---- | C] () -- C:\Documents and Settings\Eldon Hofeling.HOME-YN0CO7YWJ1\Desktop\tdsskiller.zip
[2010/08/08 16:11:41 | 000,028,160 | ---- | C] () -- C:\Documents and Settings\Eldon Hofeling.HOME-YN0CO7YWJ1\Favorites\My Documents\Malware Cleaning Instructions.doc
[2010/08/07 13:53:58 | 000,135,168 | ---- | C] () -- C:\Documents and Settings\Eldon Hofeling.HOME-YN0CO7YWJ1\Favorites\My Documents\bleeping computer reply 1.doc
[2010/07/27 06:44:52 | 000,024,064 | ---- | C] () -- C:\Documents and Settings\Eldon Hofeling.HOME-YN0CO7YWJ1\Favorites\My Documents\phishing site.doc
[2010/03/09 06:27:24 | 000,000,031 | ---- | C] () -- C:\WINDOWS\System32\wsoviedsini.dll
[2010/03/09 06:27:08 | 000,000,530 | ---- | C] () -- C:\WINDOWS\System32\tx14_ic.ini
[2008/11/23 17:15:24 | 000,000,118 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2008/11/14 17:41:13 | 000,000,530 | ---- | C] () -- C:\WINDOWS\System32\tx12_ic.ini
[2008/11/14 17:41:12 | 000,663,552 | ---- | C] () -- C:\WINDOWS\System32\tx12.dll
[2008/06/05 08:09:22 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2007/02/05 16:06:31 | 000,000,050 | ---- | C] () -- C:\WINDOWS\rblky.sys
[2007/02/05 06:27:02 | 000,000,000 | ---- | C] () -- C:\WINDOWS\WinInit.Ini
[2007/01/31 16:51:18 | 000,000,034 | ---- | C] () -- C:\WINDOWS\AuthMgr.INI
[2007/01/23 15:20:52 | 000,171,008 | ---- | C] () -- C:\WINDOWS\KPCP32.DLL
[2007/01/23 15:20:52 | 000,093,184 | ---- | C] () -- C:\WINDOWS\KPAPI32.DLL
[2007/01/23 15:20:52 | 000,038,912 | ---- | C] () -- C:\WINDOWS\KPSYS32.DLL
[2007/01/23 15:20:52 | 000,000,707 | ---- | C] () -- C:\WINDOWS\PHOTOS30.INI
[2007/01/23 15:19:12 | 000,000,127 | ---- | C] () -- C:\WINDOWS\KPCMS.INI
[2006/03/08 22:12:54 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Oro5.INI
[2006/03/08 22:12:54 | 000,000,000 | ---- | C] () -- C:\WINDOWS\00049324.INI
[2006/03/08 22:09:35 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Oro4.INI
[2006/03/08 22:09:35 | 000,000,000 | ---- | C] () -- C:\WINDOWS\000380CA.INI
[2006/03/08 22:08:28 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Oro3.INI
[2006/03/08 22:08:28 | 000,000,000 | ---- | C] () -- C:\WINDOWS\0003130C.INI
[2006/03/08 22:08:00 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Oro2.INI
[2006/03/08 22:08:00 | 000,000,000 | ---- | C] () -- C:\WINDOWS\0002BA8C.INI
[2006/03/08 22:07:35 | 000,000,000 | ---- | C] () -- C:\WINDOWS\0001C648.INI
[2006/03/08 22:06:17 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Oro1.INI
[2006/03/08 22:06:17 | 000,000,000 | ---- | C] () -- C:\WINDOWS\00014CC3.INI
[2005/08/23 16:16:58 | 000,000,208 | ---- | C] () -- C:\WINDOWS\HpBestModeUpdatePatchLog.ini
[2005/08/04 14:51:51 | 000,010,240 | ---- | C] () -- C:\WINDOWS\System32\vidx16.dll
[2005/02/10 02:22:54 | 000,000,000 | ---- | C] () -- C:\WINDOWS\OpPrintServer.INI
[2005/01/19 03:44:16 | 000,639,052 | ---- | C] () -- C:\WINDOWS\System32\BBPDFPortMon.dll
[2004/12/24 15:09:29 | 000,524,288 | ---- | C] () -- C:\WINDOWS\System32\TDI-SonyOMG.dll
[2004/09/27 11:22:58 | 000,000,043 | ---- | C] () -- C:\WINDOWS\INTUIT.INI
[2004/08/30 10:01:28 | 000,000,086 | ---- | C] () -- C:\WINDOWS\qwshellx.ini
[2004/08/30 09:57:29 | 000,000,189 | ---- | C] () -- C:\WINDOWS\INTU_ONL.INI
[2004/08/30 09:57:13 | 000,003,433 | ---- | C] () -- C:\WINDOWS\WPR.INI
[2004/08/30 09:57:13 | 000,000,591 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2004/08/30 09:57:13 | 000,000,052 | ---- | C] () -- C:\WINDOWS\intuprof.ini
[2004/08/23 07:21:37 | 000,016,973 | ---- | C] () -- C:\WINDOWS\System32\ZWebAuth.dll
[2004/08/14 16:04:14 | 000,000,204 | ---- | C] () -- C:\WINDOWS\RtlRack.ini
[2004/08/11 17:52:54 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2004/08/11 17:36:51 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2004/08/11 17:17:15 | 000,000,164 | ---- | C] () -- C:\WINDOWS\avrack.ini
[2004/01/05 00:30:18 | 000,565,248 | ---- | C] () -- C:\WINDOWS\System32\hpotscl.dll
[2003/07/14 20:43:38 | 000,577,635 | ---- | C] () -- C:\WINDOWS\System32\InstallPrinter.dll
[2003/02/25 21:59:18 | 003,907,655 | ---- | C] () -- C:\WINDOWS\System32\Bbgspdf.dll
[2003/01/29 16:04:00 | 000,618,496 | ---- | C] () -- C:\WINDOWS\System32\stlpmt45.dll
[2002/03/13 15:46:46 | 000,053,248 | R--- | C] () -- C:\WINDOWS\System32\zlib.dll

========== Files - Unicode (All) ==========
[2008/01/30 17:59:22 | 000,000,152 | ---- | M] ()(C:\WINDOWS\System32\???????????????????????????????????????????g) -- C:\WINDOWS\System32\㩃停潲牧浡䘠汩獥䕜牡桴楌歮䕜牡桴楌歮倠潲整瑣潩潃瑮潲敃瑮牥卜湡屡潃普杩塜楖睥挮湯楦g
[2007/08/18 12:37:01 | 000,000,152 | ---- | C] ()(C:\WINDOWS\System32\???????????????????????????????????????????g) -- C:\WINDOWS\System32\㩃停潲牧浡䘠汩獥䕜牡桴楌歮䕜牡桴楌歮倠潲整瑣潩潃瑮潲敃瑮牥卜湡屡潃普杩塜楖睥挮湯楦g
< End of report >


#12 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:10:35 PM

Posted 12 August 2010 - 01:05 PM

=======Cleanup
  • Click START then RUN
  • Now type Combofix /uninstall in the runbox and click OK. Note the space between the X and the Uninstall, it needs to be there.
======Next======
  • Double click on OTL to run it.
  • Click on the Cleanup button at the top.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.
  • This will remove itself and other tools we may have used.
===============Update Java

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java SE Runtime Environment (JRE) and save it to your desktop.
  • Scroll down to where it says "(JRE) then click on it
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u21-windows-i586.exe to install the newest version.
======================Clear out infected System Restore points======================


Then we need to reset your System Restore points.
The link below shows how to do this.
How to Turn On and Turn Off System Restore in Windows XP
http://support.microsoft.com/kb/310405/en-us

If you are using Vista then see this link: http://www.bleepingcomputer.com/tutorials/...143.html#manual

Delete\uninstall anything else that we have used that is leftover.


After that your all set.


===The following are some articles and a Windows Update link that I like to suggest to people to prevent malware and general PC maintenance===

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Prevention article Some great guidelines to follow to prevent future infections please read the Prevention artice by Miekiemoes.

"How did I get infected in the first place?" Also this one by Tony Klein.

If your computer is slow Is a tutorial on what you can do if your computer is slow.

File sharing program dangers Reasons to stay away from File sharing programs for ex: BitTorrent,Limewire,Kazaa,emule,Utorrent etc...



===Free antimalware tools used for on demand scanning and cleaning no real time unless purchased===

Malwarebytes Antimalware
superantispyware

===Free antivirus links===

This is antivirus and antispyware.
Microsoft Security Essentials
This is free antispyware protection and Antivirus protection.
AVG free 9.0
This is just antivirus protection.
Antivir
This is antivirus and antispyware protection.
Avast


Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users