Need help, i have a nasty bug


11 replies to this topic

#1 italianyg
  • Members
  • 16 posts

Posted 31 July 2010 - 01:20 PM

Hello all,

I've lurked here from time to time (long enough to know not to run ComboFix without posting here first), reading up on the useful info on these forums, but it's my first time posting. I'm no security expert so I'll try my best to explain.

A few days ago I downloaded a computer game mod and picked up "Antimalware Doctor". I ran RKill first, then both Malwarebytes and AVG Free, and was pleased to see MB picked it up and "removed" it: no more annoying popups and all the other annoyances that come with AMD.

However, I noticed afterwards that my browser (Firefox) was taking a very long time to load websites, and more often than not the site would time out altogether, forcing me to refresh the page to get it to load at all (slowly). After taking a good look I noticed on the bottom "load bar" all these websites flashing in between the actual site I was trying to get to. The browser would never load these sites, but it looked like it was receiving information from them anyway. Also my Malwarebytes (purchased version) went on non-stop about blocked IPs even when I didn't have my browser open, as well as some files picked up but the dreaded "object is not accessible" during the clean-up. I ran TDSSKiller and it found 1 threat, "suspicious": it was a locked service called hsdtz.sys inside C:\WINDOWS\system32\drivers\hsdtz.sys. It wouldn't give me a log or I would have included it; I didn't know whether to quarantine or delete so I left it alone for the time being.

Anyway, for some reason both my Malwarebytes and AVG are coming up with a clean read, but every so often my MB protection pops up with some issues, so I'll post a couple of examples of my Malwarebytes protection logs and my HijackThis log in hopes that my problem lies somewhere in it. Thanks in advance for any help, and if more info is needed it will be posted ASAP. Sorry for the long-winded post.

WinXP pro SP3, Malwarebytes 1.46, Hijackthis 2.0.4, TDSSKiller 2.4.0.0


Malwarebytes Protection logs
*************************************************************************************
07:09:22 (null) MESSAGE Protection started successfully
07:09:27 (null) MESSAGE IP Protection started successfully
07:29:45 (null) DETECTION C:\Documents and Settings\All Users\Application Data\Update\seupd.exe Trojan.Agent QUARANTINE
07:29:46 (null) ERROR Quarantine failed: UtilityReadFile failed with error code 2
08:24:00 (null) DETECTION C:\Documents and Settings\All Users\Application Data\Update\seupd.exe Trojan.Agent DENY
12:38:35 (null) MESSAGE Protection started successfully
12:38:42 (null) MESSAGE IP Protection started successfully
13:51:25 (null) MESSAGE Protection started successfully
13:51:32 (null) MESSAGE IP Protection started successfully
***************************************************************************************
00:27:11 (null) DETECTION C:\WINDOWS\Temp\ntsp.tmp\setup.exe Trojan.Dropper QUARANTINE
02:47:29 (null) DETECTION C:\WINDOWS\Temp\tfpo.tmp\setup.exe Trojan.Dropper QUARANTINE
04:54:43 (null) DETECTION C:\WINDOWS\Temp\ikbf.tmp\setup.exe Trojan.Dropper QUARANTINE
04:58:52 (null) DETECTION C:\WINDOWS\Temp\gnts.tmp\setup.exe Trojan.Dropper QUARANTINE
04:58:53 (null) DETECTION C:\WINDOWS\Temp\gnts.tmp\setup.exe Trojan.Dropper DENY
***************************************************************************************
This one goes on and on and on, so I'll only post some of it...

17:19:13 (null) IP-BLOCK 222.76.212.40
17:19:16 (null) IP-BLOCK 222.76.212.40
17:19:20 (null) IP-BLOCK 217.16.16.81
17:19:22 (null) IP-BLOCK 222.76.212.40
17:19:23 (null) IP-BLOCK 217.16.16.81
17:19:29 (null) IP-BLOCK 217.16.16.81
17:22:28 (null) IP-BLOCK 195.161.136.121
17:22:31 (null) IP-BLOCK 195.161.136.121
17:22:37 (null) IP-BLOCK 61.135.132.110
17:22:40 (null) IP-BLOCK 61.135.132.110
17:22:46 (null) IP-BLOCK 61.135.132.110
17:24:00 (null) DETECTION C:\Documents and Settings\All Users\Application Data\Update\seupd.exe Trojan.Agent ALLOW
17:24:00 (null) DETECTION C:\Documents and Settings\All Users\Application Data\Update\seupd.exe Trojan.Agent ALLOW
17:24:10 (null) IP-BLOCK 208.73.210.28
17:24:11 (null) IP-BLOCK 87.242.98.87
17:24:13 (null) IP-BLOCK 208.73.208.97
17:24:13 (null) IP-BLOCK 208.73.210.28
17:24:14 (null) IP-BLOCK 87.242.98.87
17:24:16 (null) IP-BLOCK 208.73.208.97
17:24:19 (null) IP-BLOCK 208.73.210.28
17:24:20 (null) IP-BLOCK 87.242.98.87
17:24:22 (null) IP-BLOCK 208.73.208.97
17:25:21 (null) IP-BLOCK 213.163.89.104
17:25:24 (null) IP-BLOCK 213.163.89.104
17:25:30 (null) IP-BLOCK 213.163.89.104
17:25:42 (null) IP-BLOCK 61.61.20.135
17:25:45 (null) IP-BLOCK 61.61.20.135
17:25:51 (null) IP-BLOCK 61.61.20.135
17:26:33 (null) IP-BLOCK 208.73.210.28
17:26:36 (null) IP-BLOCK 208.73.210.28
17:26:42 (null) IP-BLOCK 208.73.210.28
17:27:35 (null) IP-BLOCK 82.100.220.161
17:27:38 (null) IP-BLOCK 82.100.220.161
17:27:44 (null) IP-BLOCK 82.100.220.161
17:28:27 (null) IP-BLOCK 95.154.193.161
17:28:30 (null) IP-BLOCK 95.154.193.161
17:28:36 (null) IP-BLOCK 95.154.193.161
17:31:52 (null) MESSAGE Protection started successfully
17:31:58 (null) ERROR IP protection failed: PfBindInterfaceToIPAddress failed with error code 87
20:43:07 (null) DETECTION C:\WINDOWS\Temp\txkc.tmp\setup.exe Trojan.Dropper QUARANTINE
*******************************************************************************************
******************************HIJACKTHIS LOG***********************************************
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:25:19 PM, on 7/31/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Belkin\F5D7050v3\Belkinwcui.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5643
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [F5D7050v3] C:\Program Files\Belkin\F5D7050v3\Belkinwcui.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Turbine Download Manager Tray Icon] "C:\Program Files\Turbine\Turbine Download Manager\TurbineDownloadManagerIcon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WebcamMaxAutoRun] "C:\Program Files\WebcamMax\WebcamMax.exe" -a
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O20 - Winlogon Notify: RailNotification - Invalid registry found
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 5877 bytes

Edited by hamluis, 31 July 2010 - 02:54 PM.
Moved to Malware Removal Logs per request ~ Hamluis.
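As an added example that is not part of this thread (and not code from Malwarebytes, Trend Micro or BleepingComputer), here is a small Python script that reads protection-log lines in the layout posted above plus the HijackThis R1 line, and pulls out the three things a helper looks at first in such a post: IPs blocked over and over while no browser is open, a detection whose quarantine failed (the file was flagged but never actually removed), and an Internet Explorer proxy pointed at 127.0.0.1, which means a local process sits between the browser and the network. The sample log text inside it is constructed from a subset of the entries in this post; the function names, the repeat threshold and the wording of the findings are my own choices.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample, modelled on the Malwarebytes protection-log lines posted in the thread
# (same "HH:MM:SS (null) TYPE ..." layout; a subset of the entries, not the full log).
SAMPLE_MBAM_LOG = r"""
07:09:22 (null) MESSAGE Protection started successfully
07:29:45 (null) DETECTION C:\Documents and Settings\All Users\Application Data\Update\seupd.exe Trojan.Agent QUARANTINE
07:29:46 (null) ERROR Quarantine failed: UtilityReadFile failed with error code 2
08:24:00 (null) DETECTION C:\Documents and Settings\All Users\Application Data\Update\seupd.exe Trojan.Agent DENY
17:19:13 (null) IP-BLOCK 222.76.212.40
17:19:16 (null) IP-BLOCK 222.76.212.40
17:19:20 (null) IP-BLOCK 217.16.16.81
17:19:22 (null) IP-BLOCK 222.76.212.40
17:24:00 (null) DETECTION C:\Documents and Settings\All Users\Application Data\Update\seupd.exe Trojan.Agent ALLOW
20:43:07 (null) DETECTION C:\WINDOWS\Temp\txkc.tmp\setup.exe Trojan.Dropper QUARANTINE
"""

# Constructed sample HijackThis lines, modelled on the R0/R1 entries in the thread.
SAMPLE_HJT_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5643
"""

# Path that recurs in the sample; kept as a constant so the findings can be checked against it.
SEUPD = r"C:\Documents and Settings\All Users\Application Data\Update\seupd.exe"

MBAM_LINE = re.compile(r"^(\d{2}:\d{2}:\d{2}) \(null\) (MESSAGE|ERROR|DETECTION|IP-BLOCK) (.*)$")
HJT_PROXY = re.compile(r"^R1 - .*Internet Settings,ProxyServer = (.+)$")
PROXY_ENTRY = re.compile(r"^(?:(\w+)=)?(.+?):(\d+)$")


def parse_mbam(text):
    """Turn protection-log lines into event dicts; lines that do not fit the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = MBAM_LINE.match(line.strip())
        if not m:
            continue
        time, kind, rest = m.groups()
        ev = {"time": time, "kind": kind}
        if kind == "DETECTION":
            # The path may contain spaces; the threat name and the action are always the last two tokens.
            parts = rest.rsplit(" ", 2)
            if len(parts) != 3:
                continue
            ev.update(path=parts[0], threat=parts[1], action=parts[2])
        elif kind == "IP-BLOCK":
            ev["ip"] = rest
        else:
            ev["text"] = rest
        events.append(ev)
    return events


def summarize_mbam(events):
    """Aggregate the events into what a responder checks first: blocked IPs, failed quarantines, ALLOWs."""
    ip_blocks = Counter(ev["ip"] for ev in events if ev["kind"] == "IP-BLOCK")
    failed_quarantine, allowed = [], []
    last_quarantine = None
    for ev in events:
        if ev["kind"] == "DETECTION":
            if ev["action"] == "ALLOW" and ev["path"] not in allowed:
                allowed.append(ev["path"])
            last_quarantine = ev["path"] if ev["action"] == "QUARANTINE" else None
            continue
        # An ERROR directly after a QUARANTINE means the file was detected but not removed.
        if ev["kind"] == "ERROR" and "Quarantine failed" in ev["text"] and last_quarantine:
            if last_quarantine not in failed_quarantine:
                failed_quarantine.append(last_quarantine)
        last_quarantine = None
    return {"ip_blocks": ip_blocks, "failed_quarantine": failed_quarantine, "allowed": allowed}


def is_loopback(host):
    """True for localhost or any 127.0.0.0/8 (or ::1) address."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def parse_hjt_proxy(text):
    """Pull the IE ProxyServer value out of HijackThis R1 lines and flag a proxy on the local host."""
    proxies = []
    for line in text.splitlines():
        m = HJT_PROXY.match(line.strip())
        if not m:
            continue
        # The value is either "host:port" or a ";"-separated list of "scheme=host:port" entries.
        for entry in m.group(1).split(";"):
            e = PROXY_ENTRY.match(entry.strip())
            if e:
                scheme, host, port = e.groups()
                proxies.append((scheme, host, int(port)))
    return {"proxies": proxies, "loopback_proxy": any(is_loopback(h) for _, h, _ in proxies)}


def triage(mbam_text, hjt_text, repeat_threshold=2):
    """Combine both logs into a short list of findings, the way a helper reads a posted log."""
    findings = []
    summary = summarize_mbam(parse_mbam(mbam_text))
    for ip, n in summary["ip_blocks"].most_common():
        if n >= repeat_threshold:
            findings.append(f"repeated outbound connections blocked to {ip} ({n} hits): something is still calling out")
    for path in summary["failed_quarantine"]:
        findings.append(f"quarantine failed for {path}: the file could not be read, so the detection did not remove it")
    for path in summary["allowed"]:
        findings.append(f"detection ALLOWed for {path}: an exclusion or a user click let a flagged file run")
    if parse_hjt_proxy(hjt_text)["loopback_proxy"]:
        for scheme, host, port in parse_hjt_proxy(hjt_text)["proxies"]:
            findings.append(f"IE proxy set to {host}:{port} ({scheme or 'all'}): a local process is in the browser's path")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_MBAM_LOG, SAMPLE_HJT_LOG):
        print("-", finding)
```

Run against the sample it reports the three patterns above in one go; pointing it at a saved protection log and HijackThis log instead of the inline samples is a matter of reading the files into the two text arguments.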



#2 Starbuck ('r Brudiwr)
  • Malware Response Team
  • 4,149 posts
  • Gender:Male
  • Location:Midlands, UK

Posted 31 July 2010 - 02:45 PM

Hi italianyg,

I'm going to get one of the 'mods' to move this thread to the malware removal forum.
It'll be easier to continue there.
There are a few reports we need, but we can't get them done here.

Please bear with me for a short time.

Thanks.



#3 Starbuck ('r Brudiwr)
  • Malware Response Team
  • 4,149 posts
  • Gender:Male
  • Location:Midlands, UK

Posted 31 July 2010 - 02:50 PM

While we are waiting for the thread to be moved, please follow these steps:

Step 1

Download TFC by OldTimer to your desktop
  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.


Step 2
  • Download OTL to your desktop.
    Right click on the link and select 'Save Link/Target As'.
    If you have problems, try this download link: OTL
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
  • Now copy the lines in bold below.

    netsvcs
    msconfig
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    CREATERESTOREPOINT


  • Right click in the Custom Scans/Fixes window (under the blue bar) and choose Paste.
  • Click the Run Scan button.
  • Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply.


In your next reply, please submit:
Both reports from OTL.


Thanks.



#4 italianyg
  • Topic Starter
  • Members
  • 16 posts

Posted 31 July 2010 - 05:33 PM

Thank you very much for the fast reply. I've followed your directions; I did a scan for 60 days to be safe, but when I saw you said not to change anything I went back and redid it for 30 as shown in your screenshot. Here are the logs.

Here is the OTL.Txt
**************************************************************


OTL logfile created on: 7/31/2010 5:55:33 PM - Run 2
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 76.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 91.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 2.90 Gb Free Space | 3.89% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ANONYMOUS
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Owner\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\AVG\AVG9\avgemc.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG9\avgchsvx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG9\avgnsx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG9\avgrsx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG9\avgcsrvx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG9\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\WINDOWS\system32\slserv.exe (Smart Link)
PRC - C:\Program Files\Belkin\F5D7050v3\Belkinwcui.exe (Belkin)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Owner\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5705_x-ww_36cfed49\comctl32.dll (Microsoft Corporation)
MOD - C:\WINDOWS\system32\msscript.ocx (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (wscsvc) -- C:\WINDOWS\System32\wscsvc.dll File not found
SRV - (HidServ) -- C:\WINDOWS\System32\hidserv.dll File not found
SRV - (avg9emc) -- C:\Program Files\AVG\AVG9\avgemc.exe (AVG Technologies CZ, s.r.o.)
SRV - (avg9wd) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
SRV - (MBAMService) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
SRV - (SLService) -- C:\WINDOWS\System32\slserv.exe (Smart Link)
SRV - (NetSvc) -- C:\Program Files\Intel\NCS\Sync\NetSvc.exe (Intel® Corporation)


========== Driver Services (SafeList) ==========

DRV - (catchme) -- C:\DOCUME~1\Owner\LOCALS~1\Temp\catchme.sys File not found
DRV - (AvgTdiX) -- C:\WINDOWS\system32\drivers\avgtdix.sys (AVG Technologies CZ, s.r.o.)
DRV - (AvgLdx86) -- C:\WINDOWS\system32\drivers\avgldx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (AvgMfx86) -- C:\WINDOWS\system32\drivers\avgmfx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (MBAMProtector) -- C:\WINDOWS\system32\drivers\mbam.sys (Malwarebytes Corporation)
DRV - (sptd) -- C:\WINDOWS\system32\drivers\sptd.sys (Duplex Secure Ltd.)
DRV - (DumpDrv) -- C:\WINDOWS\System32\drivers\dumpdrv.sys (Microsoft Corporation)
DRV - (AR5416) -- C:\WINDOWS\system32\drivers\athw.sys (Atheros Communications, Inc.)
DRV - (usbaudio) USB Audio Driver (WDM) -- C:\WINDOWS\system32\drivers\USBAUDIO.sys (Microsoft Corporation)
DRV - (SlNtHal) -- C:\WINDOWS\system32\drivers\slnthal.sys (Smart Link)
DRV - (SlWdmSup) -- C:\WINDOWS\system32\drivers\slwdmsup.sys (Smart Link)
DRV - (Slntamr) -- C:\WINDOWS\system32\drivers\slntamr.sys (Smart Link)
DRV - (RecAgent) -- C:\WINDOWS\system32\DRIVERS\RecAgent.sys (Smart Link)
DRV - (NtMtlFax) -- C:\WINDOWS\system32\drivers\ntmtlfax.sys (Smart Link)
DRV - (Mtlmnt5) -- C:\WINDOWS\system32\drivers\mtlmnt5.sys (Smart Link)
DRV - (Mtlstrm) -- C:\WINDOWS\system32\drivers\mtlstrm.sys (Smart Link)
DRV - (RT73) -- C:\WINDOWS\system32\drivers\rt73.sys (Ralink Technology, Corp.)
DRV - (nv) -- C:\WINDOWS\system32\drivers\nv4_mini.sys (NVIDIA Corporation)
DRV - (GTNDIS5) -- C:\Program Files\Belkin\F5D7050v3\GTNDIS5.sys (Printing Communications Assoc., Inc. (PCAUSA))
DRV - (QCDonner) -- C:\WINDOWS\system32\drivers\OVCD.sys (Microsoft Corporation)
DRV - (MODEMCSA) -- C:\WINDOWS\system32\drivers\MODEMCSA.sys (Microsoft Corporation)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = EC AB 7D D2 99 92 C1 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5643

========== FireFox ==========

FF - prefs.js..browser.search.order.1: "Google"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.startup.homepage: "www.google.com"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: DeviceDetection@logitech.com:1.0.176.0
FF - prefs.js..extensions.enabledItems: {32C3C3D8-B9D6-409A-93DD-DF66B8F12C2C}:1.9.1
FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:9.0.0.845
FF - prefs.js..keyword.URL: "http://search.search-star.net/?sid=10101040100&s="
FF - prefs.js..network.proxy.type: 0

FF - user.js..browser.search.selectedEngine: "Google"
FF - user.js..browser.search.order.1: "Google"
FF - user.js..keyword.URL: "http://search.search-star.net/?sid=10101040100&s="

FF - HKLM\software\mozilla\Firefox\extensions\\{32C3C3D8-B9D6-409A-93DD-DF66B8F12C2C}: C:\Documents and Settings\Owner\Local Settings\Application Data\{32C3C3D8-B9D6-409A-93DD-DF66B8F12C2C} [2010/07/25 21:26:02 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG9\Firefox [2010/07/26 09:14:40 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/07/25 20:20:06 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/07/25 20:20:06 | 000,000,000 | ---D | M]

[2002/01/01 03:59:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions
[2010/07/28 19:19:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\cyo81xfz.default\extensions
[2010/02/19 04:20:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\cyo81xfz.default\extensions\DeviceDetection@logitech.com
[2010/07/26 05:21:13 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/07/24 18:15:58 | 000,002,076 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\google_search.xml

O1 HOSTS File: ([2008/04/14 07:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [AVG9_TRAY] C:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [F5D7050v3] C:\Program Files\Belkin\F5D7050v3\Belkinwcui.exe (Belkin)
O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe (Intel® Corporation)
O4 - HKLM..\Run: [Turbine Download Manager Tray Icon] C:\Program Files\Turbine\Turbine Download Manager\TurbineDownloadManagerIcon.exe File not found
O4 - HKCU..\Run: [DAEMON Tools Lite] C:\Program Files\DAEMON Tools Lite\DTLite.exe (DT Soft Ltd)
O4 - HKCU..\Run: [WebcamMaxAutoRun] C:\Program Files\WebcamMax\WebcamMax.exe (CoolwareMax)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDesktopCleanupWizard = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: Microsoft XML Parser for Java file:///C:/WINDOWS/Java/classes/xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O20 - Winlogon\Notify\RailNotification: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O24 - Desktop WallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2002/01/01 03:25:57 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: HidServ - C:\WINDOWS\System32\hidserv.dll File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found


CREATERESTOREPOINT
Restore point Set: OTL Restore Point (17183584330711040)

========== Files/Folders - Created Within 30 Days ==========

[2010/07/31 17:35:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\New Folder
[2010/07/31 17:25:48 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2010/07/31 17:25:17 | 000,446,464 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\TFC.exe
[2010/07/31 13:57:38 | 001,170,256 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Owner\Desktop\tdsskiller.exe
[2010/07/31 12:52:18 | 000,000,000 | ---D | C] -- C:\32788R22FWJFW
[2010/07/31 10:11:38 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/07/31 10:11:38 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/07/31 10:11:37 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/07/31 10:11:37 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/07/31 10:11:20 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/07/31 10:09:36 | 000,000,000 | --SD | C] -- C:\ComboFix
[2010/07/31 10:08:51 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/07/31 07:31:55 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/07/31 07:31:47 | 000,000,000 | ---D | C] -- C:\!KillBox
[2010/07/31 07:30:11 | 000,812,344 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\Owner\Desktop\HJTInstall.exe
[2010/07/30 03:47:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe
[2010/07/30 03:47:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Sun
[2010/07/27 22:43:18 | 016,409,960 | ---- | C] (Safer Networking Limited ) -- C:\Documents and Settings\Owner\Desktop\spybotsd162.exe
[2010/07/27 19:02:30 | 000,000,000 | -H-D | C] -- C:\$AVG
[2010/07/26 06:00:23 | 000,012,536 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll
[2010/07/26 06:00:20 | 000,243,024 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys
[2010/07/26 06:00:12 | 000,216,400 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgldx86.sys
[2010/07/26 06:00:09 | 000,029,584 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgmfx86.sys
[2010/07/26 06:00:07 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\Avg
[2010/07/26 05:42:00 | 000,000,000 | ---D | C] -- C:\Program Files\AVG
[2010/07/26 05:41:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\avg9
[2010/07/26 05:04:18 | 002,133,536 | ---- | C] (AVG Technologies) -- C:\Documents and Settings\Owner\Desktop\avg_free_stb_all_9_115_cnet.exe
[2010/07/25 23:45:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\malwarebyte's 1 46 beta + keyz & keygen TESTED
[2010/07/25 23:11:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Malwarebytes
[2010/07/25 23:11:02 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/07/25 23:11:01 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/07/25 23:11:01 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/07/25 23:11:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/07/25 23:09:05 | 006,153,376 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Owner\Desktop\mbam-setup.exe
[2010/07/25 22:35:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2010/07/25 22:35:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2010/07/25 21:36:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/07/25 21:36:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/07/25 21:26:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\{32C3C3D8-B9D6-409A-93DD-DF66B8F12C2C}
[2010/07/25 21:24:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\wwqclsvmt
[2010/07/25 21:24:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Update
[2010/07/25 21:24:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\556CF92480E553F2C5611454527F6A18
[2010/07/25 20:53:19 | 000,000,000 | ---D | C] -- C:\SAVE
[2010/07/25 20:27:31 | 000,000,000 | ---D | C] -- C:\Sierra
[2010/07/05 06:33:44 | 000,000,000 | ---D | C] -- C:\Program Files\CDisplay
[2010/07/03 02:12:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\World of Warcraft

========== Files - Modified Within 30 Days ==========

[2010/07/31 17:58:17 | 000,766,464 | ---- | M] () -- C:\WINDOWS\System32\drivers\hsdtz.sys
[2010/07/31 17:35:16 | 000,088,566 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2010/07/31 17:35:13 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/07/31 17:35:08 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/07/31 17:35:04 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/07/31 17:29:57 | 002,621,440 | -H-- | M] () -- C:\Documents and Settings\Owner\NTUSER.DAT
[2010/07/31 17:29:57 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Owner\ntuser.ini
[2010/07/31 17:25:54 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2010/07/31 17:25:21 | 000,446,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\TFC.exe
[2010/07/31 17:24:00 | 000,000,414 | ---- | M] () -- C:\WINDOWS\tasks\Updater.job
[2010/07/31 17:09:45 | 062,815,507 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2010/07/31 15:40:17 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\prvlcl.dat
[2010/07/31 13:57:52 | 001,170,256 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Owner\Desktop\tdsskiller.exe
[2010/07/31 13:48:03 | 004,255,576 | -H-- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\IconCache.db
[2010/07/31 10:02:57 | 003,747,840 | R--- | M] () -- C:\Documents and Settings\Owner\Desktop\ComboFix.exe
[2010/07/31 07:30:20 | 000,812,344 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\Owner\Desktop\HJTInstall.exe
[2010/07/31 06:55:04 | 000,078,848 | ---- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/07/27 22:48:05 | 016,409,960 | ---- | M] (Safer Networking Limited ) -- C:\Documents and Settings\Owner\Desktop\spybotsd162.exe
[2010/07/26 17:31:42 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Uqiseqijolozik.bin
[2010/07/26 06:00:26 | 000,001,507 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\AVG Free 9.0.lnk
[2010/07/26 06:00:25 | 000,012,536 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll
[2010/07/26 06:00:23 | 000,243,024 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys
[2010/07/26 06:00:12 | 000,216,400 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgldx86.sys
[2010/07/26 06:00:11 | 000,029,584 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgmfx86.sys
[2010/07/26 06:00:09 | 000,113,461 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\iavichjw.avm
[2010/07/26 05:04:42 | 002,133,536 | ---- | M] (AVG Technologies) -- C:\Documents and Settings\Owner\Desktop\avg_free_stb_all_9_115_cnet.exe
[2010/07/25 23:11:04 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/07/25 23:10:44 | 006,153,376 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Owner\Desktop\mbam-setup.exe
[2010/07/25 22:51:06 | 000,363,520 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\rkill.exe
[2010/07/25 21:26:02 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Rdujip.dat
[2010/07/25 21:24:34 | 000,000,150 | ---- | M] () -- C:\zrpt.xml
[2010/07/25 20:28:47 | 000,001,434 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Half-Life.lnk
[2010/07/25 20:28:47 | 000,000,057 | ---- | M] () -- C:\WINDOWS\sierra.ini
[2010/07/20 19:15:25 | 005,179,278 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Inception.2010.CAM.XviD.UNDEAD-Sample.avi
[2010/07/05 06:33:45 | 000,000,630 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\CDisplay.lnk
[2010/07/05 06:32:51 | 002,842,011 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\installer_cdisplay_1_8_1_0_English.exe
[2010/07/03 03:18:15 | 000,000,606 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\MoltenWOW.lnk
[2010/07/03 03:17:35 | 000,000,714 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\UB-AW1.lnk
[2010/07/03 03:16:19 | 000,000,751 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\World of Warcraft.lnk

========== Files Created - No Company Name ==========

[2010/07/31 12:40:36 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\prvlcl.dat
[2010/07/31 10:11:38 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/07/31 10:11:38 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/07/31 10:11:37 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/07/31 10:11:37 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/07/31 10:11:37 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/07/31 10:02:17 | 003,747,840 | R--- | C] () -- C:\Documents and Settings\Owner\Desktop\ComboFix.exe
[2010/07/26 06:00:26 | 000,001,507 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\AVG Free 9.0.lnk
[2010/07/26 06:00:09 | 000,113,461 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\iavichjw.avm
[2010/07/26 06:00:07 | 062,815,507 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2010/07/25 23:11:04 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/07/25 22:50:59 | 000,363,520 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\rkill.exe
[2010/07/25 21:26:02 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Rdujip.dat
[2010/07/25 21:26:02 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Uqiseqijolozik.bin
[2010/07/25 21:25:18 | 000,766,464 | ---- | C] () -- C:\WINDOWS\System32\drivers\hsdtz.sys
[2010/07/25 21:24:36 | 000,000,414 | ---- | C] () -- C:\WINDOWS\tasks\Updater.job
[2010/07/25 21:24:34 | 000,000,150 | ---- | C] () -- C:\zrpt.xml
[2010/07/25 20:28:47 | 000,001,434 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Half-Life.lnk
[2010/07/25 20:28:47 | 000,000,057 | ---- | C] () -- C:\WINDOWS\sierra.ini
[2010/07/21 00:36:04 | 005,179,278 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Inception.2010.CAM.XviD.UNDEAD-Sample.avi
[2010/07/05 06:33:45 | 000,000,630 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\CDisplay.lnk
[2010/07/05 06:32:32 | 002,842,011 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\installer_cdisplay_1_8_1_0_English.exe
[2010/07/03 03:17:35 | 000,000,714 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\UB-AW1.lnk
[2006/10/22 14:22:00 | 001,662,976 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2006/10/22 14:22:00 | 001,470,464 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2006/10/22 14:22:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2006/10/22 14:22:00 | 000,581,632 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2006/10/22 14:22:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2006/10/22 14:22:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2006/10/22 14:22:00 | 000,212,992 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll
[2002/01/02 10:41:09 | 000,000,262 | ---- | C] () -- C:\WINDOWS\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
[2002/01/01 03:54:16 | 000,005,224 | ---- | C] () -- C:\WINDOWS\System32\ucuiinfo.ini
[2002/01/01 03:21:35 | 000,052,836 | ---- | C] () -- C:\WINDOWS\System32\zlib1.dll
[2002/01/01 03:21:27 | 000,162,304 | ---- | C] () -- C:\WINDOWS\System32\libpng13.dll
[2002/01/01 03:21:26 | 000,394,752 | ---- | C] () -- C:\WINDOWS\System32\cygwinb19.dll
[2001/12/31 21:08:38 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\e100bmsg.dll

========== LOP Check ==========

[2010/07/26 05:42:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9
[2010/02/23 15:58:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Lite
[2010/07/25 23:37:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Update
[2010/02/19 12:07:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WebcamMax
[2010/07/25 21:24:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\556CF92480E553F2C5611454527F6A18
[2010/02/21 17:14:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Bioshock
[2010/07/25 20:27:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\DAEMON Tools Lite
[2002/01/06 10:20:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\ImgBurn
[2010/07/26 04:30:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\SystemRequirementsLab
[2010/07/31 07:06:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\uTorrent
[2010/02/19 11:54:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\WebcamMax
[2010/07/31 17:24:00 | 000,000,414 | ---- | M] () -- C:\WINDOWS\Tasks\Updater.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2009/12/12 15:50:17 | 012,338,090 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2008/04/14 01:06:40 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\Qoobox\32788R22FWJFW\AGP440.SYS
[2008/04/14 01:06:40 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\AGP440.SYS
[2008/04/13 19:06:40 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\ReinstallBackups\0009\DriverFiles\i386\AGP440.SYS

< MD5 for: ATAPI.SYS >
[2009/12/12 15:50:17 | 012,338,090 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008/04/14 01:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\Qoobox\32788R22FWJFW\atapi.sys
[2008/04/14 01:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2008/04/13 19:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\i386\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/14 07:00:00 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2009/12/12 15:33:53 | 000,407,552 | ---- | M] (Microsoft Corporation) MD5=DAB13813B25B3D009B2AC1194CF5D0A2 -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: SCECLI.DLL >
[2008/04/14 07:00:00 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >
[2010/07/31 18:02:14 | 000,766,464 | ---- | M] () Unable to obtain MD5 -- C:\WINDOWS\system32\drivers\hsdtz.sys
< End of report >

And the Extras.Txt
********************************************



"TigerGame Superjoy Box Series" = TigerGame Superjoy Box Series
"uTorrent" = µTorrent
"VLC media player" = VLC media player 1.0.5
"WebcamMax" = WebcamMax
"WinRAR archiver" = WinRAR archiver
"World of Warcraft" = World of Warcraft

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 2/19/2010 3:41:32 PM | Computer Name = ANONYMOUS | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.2.3667, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 2/19/2010 3:51:48 PM | Computer Name = ANONYMOUS | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.2.3667, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 2/21/2010 5:13:12 PM | Computer Name = ANONYMOUS | Source = Application Error | ID = 1000
Description = Faulting application bioshock.exe, version 1.0.0.0, faulting module
bioshock.exe, version 1.0.0.0, fault address 0x0028a4b2.

Error - 2/21/2010 5:14:24 PM | Computer Name = ANONYMOUS | Source = Application Error | ID = 1000
Description = Faulting application bioshock.exe, version 1.0.0.0, faulting module
bioshock.exe, version 1.0.0.0, fault address 0x0028a4b2.

Error - 1/6/2002 10:17:39 AM | Computer Name = ANONYMOUS | Source = Application Error | ID = 1000
Description = Faulting application setupx.exe, version 4.2.1.100, faulting module
mshtml.dll, version 8.0.6001.22945, fault address 0x00209fdc.

Error - 7/5/2010 6:33:25 AM | Computer Name = ANONYMOUS | Source = Application Error | ID = 1000
Description = Faulting application plugin-container.exe, version 1.9.2.3828, faulting
module ntdll.dll, version 5.1.2600.5755, fault address 0x0000100b.

Error - 7/25/2010 9:27:12 PM | Computer Name = ANONYMOUS | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The connection with the server was terminated abnormally

Error - 7/25/2010 9:27:13 PM | Computer Name = ANONYMOUS | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 7/25/2010 10:27:57 PM | Computer Name = ANONYMOUS | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The connection with the server was terminated abnormally

Error - 7/25/2010 10:27:57 PM | Computer Name = ANONYMOUS | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

[ System Events ]
Error - 7/25/2010 11:41:16 PM | Computer Name = ANONYMOUS | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 14 minutes. NtpClient has no source of accurate
time.

Error - 7/25/2010 11:42:30 PM | Computer Name = ANONYMOUS | Source = Service Control Manager | ID = 7000
Description = The Parallel port driver service failed to start due to the following
error: %%1058

Error - 7/26/2010 5:31:18 PM | Computer Name = ANONYMOUS | Source = Dhcp | ID = 1000
Description = Your computer has lost the lease to its IP address 192.168.2.3 on
the Network Card with network address 0022754D2430.

Error - 7/26/2010 5:31:38 PM | Computer Name = ANONYMOUS | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 7/26/2010 5:31:38 PM | Computer Name = ANONYMOUS | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 7/26/2010 5:32:32 PM | Computer Name = ANONYMOUS | Source = Service Control Manager | ID = 7000
Description = The Parallel port driver service failed to start due to the following
error: %%1058

Error - 7/26/2010 9:21:50 PM | Computer Name = ANONYMOUS | Source = DCOM | ID = 10010
Description = The server {8BC3F05E-D86B-11D0-A075-00C04FB68820} did not register
with DCOM within the required timeout.

Error - 7/26/2010 11:14:20 PM | Computer Name = ANONYMOUS | Source = DCOM | ID = 10010
Description = The server {8BC3F05E-D86B-11D0-A075-00C04FB68820} did not register
with DCOM within the required timeout.

Error - 7/27/2010 2:31:50 AM | Computer Name = ANONYMOUS | Source = DCOM | ID = 10010
Description = The server {8BC3F05E-D86B-11D0-A075-00C04FB68820} did not register
with DCOM within the required timeout.

Error - 7/27/2010 4:12:20 AM | Computer Name = ANONYMOUS | Source = DCOM | ID = 10010
Description = The server {8BC3F05E-D86B-11D0-A075-00C04FB68820} did not register
with DCOM within the required timeout.


< End of report >


#5 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 4,149 posts
  • Gender:Male
  • Location:Midlands, UK
  • Local time:09:12 PM

Posted 01 August 2010 - 04:26 AM

Hi italianyg,

Before I can continue, I need you to explain this to me:

C:\Documents and Settings\Owner\Desktop\malwarebyte's 1 46 beta + keyz & keygen TESTED

It would appear that you have installed a cracked version of this program.
If so, please uninstall it straight away and install the version from .... Malwarebytes Anti-Malware

Thanks.



#6 italianyg

italianyg
  • Topic Starter

  • Members
  • 16 posts
  • Local time:04:12 PM

Posted 01 August 2010 - 09:39 AM

Hi starbuck,

I got my Malwarebytes program from Cnet; the folder you see on my desktop is empty. I originally got it for a serial number for MBAM's ongoing protection until I worked out this problem, but none of the serials worked, so I just gave in and bought the program. But the actual program, which is in C:\Program Files\Malwarebytes' Anti-Malware, was downloaded through Cnet. Hope this clears this up.

#7 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 4,149 posts
  • Gender:Male
  • Location:Midlands, UK
  • Local time:09:12 PM

Posted 01 August 2010 - 12:21 PM

Hi italianyg,

Step 1
Double click on OTL.exe to run it.
Copy the lines in the codebox below. (make sure that :Otl is on the first line )
CODE
:Otl
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" =
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5643
FF - HKLM\software\mozilla\Firefox\extensions\\{32C3C3D8-B9D6-409A-93DD-DF66B8F12C2C}: C:\Documents and Settings\Owner\Local Settings\Application Data\{32C3C3D8-B9D6-409A-93DD-DF66B8F12C2C} [2010/07/25 21:26:02 | 000,000,000 | ---D | M]
O16 - DPF: Microsoft XML Parser for Java file:///C:/WINDOWS/Java/classes/xmldso.cab (Reg Error: Key error.)
O20 - Winlogon\Notify\RailNotification: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
[2010/07/25 21:26:02 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Rdujip.dat
[2010/07/25 21:26:02 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Uqiseqijolozik.bin
[2010/07/25 21:25:18 | 000,766,464 | ---- | C] () -- C:\WINDOWS\System32\drivers\hsdtz.sys
[2010/07/25 21:24:36 | 000,000,414 | ---- | C] () -- C:\WINDOWS\tasks\Updater.job
[2010/07/25 21:24:34 | 000,000,150 | ---- | C] () -- C:\zrpt.xml
[2010/07/25 21:24:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\556CF92480E553F2C5611454527F6A18
[2010/07/25 23:45:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\malwarebyte's 1 46 beta + keyz & keygen TESTED
[2010/07/25 21:26:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\{32C3C3D8-B9D6-409A-93DD-DF66B8F12C2C}
[2010/07/25 21:24:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\wwqclsvmt
[2010/07/25 21:24:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Update

:commands
[emptytemp]
[purity]
[RESETHOSTS]
[EMPTYFLASH]
  • Return to OTL,
  • right click in the Custom Scans/Fixes window (under the blue bar) and choose Paste.
  • Click the red Run Fix button.
  • OTL will reboot your system once the fix has completed.
  • After the reboot, you may need to double click OTL to launch the program and retrieve the log.

Copy and paste the contents of the OTL log that comes up after the fix in your next reply.

If you lose the report, there will be a copy here:
C:\_OTL\MovedFiles

Step 2
Please remove the copy of Combofix you have on your system.
Then download a fresh copy using these instructions:

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2






This is an example; you may rename ComboFix to anything you want.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with the running of ComboFix.
    For more information read:
    How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

    Then:

    Double click on Combo-Fix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    If running Vista, you may not see this screen
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

Note:
Do not mouseclick ComboFix's window while it's running. That may cause it to stall.


When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

In your next reply, please submit:
Otl fix report
Combofix.txt


Thanks.


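As an added illustration of what Starbuck is picking out of the OTL logs above (this is example code added here, not OTL's own code and not something posted in the thread), the following Python script parses OTL's bracketed file entries and its IE proxy lines and flags three things a responder looks for when triaging such a log: a kernel driver reported with no company name, a file OTL could not hash ("Unable to obtain MD5"), and an enabled IE proxy that points at the local machine. The sample lines are copied from the logs posted in this thread; the function names, rule wording and the triage rules themselves are assumptions of this example, not OTL's.

```python
import re
from typing import Optional

# Added example, not part of the original thread or of OTL itself:
# a small triage pass over OTL log lines like the ones posted above.

# One OTL file/folder entry has the shape
#   [date time | size | attrs | C/M] (Company) <optional note> -- path
# Directory entries omit the "(Company)" part entirely.
ENTRY_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\]"
    r"(?: \((?P<company>[^)]*)\))?"
    r"(?P<note>.*?) -- (?P<path>.+)$"
)

# IE proxy settings as OTL prints them in the "IE -" section.
PROXY_RE = re.compile(
    r'^IE - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings: '
    r'"(?P<name>Proxy\w+)" = (?P<value>.*)$'
)

DRIVER_DIR = "\\system32\\drivers\\"

# Constructed sample: lines copied from the OTL logs posted in this thread.
SAMPLE_LOG = r"""
[2010/07/26 06:00:20 | 000,243,024 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys
[2010/07/25 23:11:01 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/07/25 21:25:18 | 000,766,464 | ---- | C] () -- C:\WINDOWS\System32\drivers\hsdtz.sys
[2010/07/25 21:26:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\wwqclsvmt
[2008/04/14 01:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2010/07/31 18:02:14 | 000,766,464 | ---- | M] () Unable to obtain MD5 -- C:\WINDOWS\system32\drivers\hsdtz.sys
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5643
""".strip().splitlines()


def parse_entry(line: str) -> Optional[dict]:
    """Parse one OTL file entry; return None for lines that are not entries."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["size"] = int(d["size"].replace(",", ""))      # "000,766,464" -> 766464
    d["company"] = (d["company"] or "").strip()       # "()" and no "()" both become ""
    d["note"] = d["note"].strip()                     # e.g. "Unable to obtain MD5"
    d["is_dir"] = "D" in d["attrs"]
    return d


def triage(lines):
    """Return (path_or_setting, reason) pairs that deserve a human's attention."""
    findings = []
    proxy = {}
    for line in lines:
        e = parse_entry(line)
        if e is not None:
            low = e["path"].lower()
            if "unable to obtain md5" in e["note"].lower():
                findings.append((e["path"], "locked file: OTL could not hash it"))
            if (not e["is_dir"] and DRIVER_DIR in low
                    and low.endswith(".sys") and not e["company"]):
                findings.append((e["path"], "kernel driver with no company name"))
            continue
        pm = PROXY_RE.match(line.strip())
        if pm:
            proxy[pm.group("name")] = pm.group("value").strip()
    # A proxy is only flagged when it is enabled AND points back at this machine.
    server = proxy.get("ProxyServer", "")
    if proxy.get("ProxyEnable") == "1" and ("127.0.0.1" in server or "localhost" in server):
        findings.append(("IE ProxyServer", f"proxy enabled and pointing at loopback: {server}"))
    return findings


if __name__ == "__main__":
    for path, reason in triage(SAMPLE_LOG):
        print(f"{reason:45s} {path}")
```

Run as-is it reports the hsdtz.sys driver twice (once from the "Files Created - No Company Name" line, once from the locked-files scan, where it also fails to hash) plus the loopback proxy; the AVG, Malwarebytes and Microsoft drivers carry a company name and are not reported. A company name is only a first-pass signal (OTL reads it from the version resource, which malware can forge), so entries it clears still warrant the MD5 comparison OTL prints for known system files.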

#8 italianyg

italianyg
  • Topic Starter

  • Members
  • 16 posts
  • Local time:04:12 PM

Posted 02 August 2010 - 12:42 AM

Hi Starbuck,

Again, thank you for the extremely fast replies; you are simply spectacular. Pleasantries aside, I've followed all of your steps and everything appears to have run smoothly. Here are the logs, beginning with OTL.

OTL Log
*************************************************************************************************



All processes killed
========== OTL ==========
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully!
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyOverride| /E : value set successfully!
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
Registry value HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{32C3C3D8-B9D6-409A-93DD-DF66B8F12C2C} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{32C3C3D8-B9D6-409A-93DD-DF66B8F12C2C}\ not found.
C:\Documents and Settings\Owner\Local Settings\Application Data\{32C3C3D8-B9D6-409A-93DD-DF66B8F12C2C}\chrome\content folder moved successfully.
C:\Documents and Settings\Owner\Local Settings\Application Data\{32C3C3D8-B9D6-409A-93DD-DF66B8F12C2C}\chrome folder moved successfully.
C:\Documents and Settings\Owner\Local Settings\Application Data\{32C3C3D8-B9D6-409A-93DD-DF66B8F12C2C} folder moved successfully.
File oft XML Parser for Java file:///C:/WINDOWS/Java/classes/xmldso.cab not found.
Starting removal of ActiveX control Microsoft XML Parser for Java
Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Microsoft XML Parser for Java\DownloadInformation\\INF .
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Microsoft XML Parser for Java\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\Microsoft XML Parser for Java\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RailNotification\ deleted successfully.
C:\WINDOWS\Rdujip.dat moved successfully.
C:\WINDOWS\Uqiseqijolozik.bin moved successfully.
File move failed. C:\WINDOWS\system32\drivers\hsdtz.sys scheduled to be moved on reboot.
C:\WINDOWS\tasks\Updater.job moved successfully.
C:\zrpt.xml moved successfully.
C:\Documents and Settings\Owner\Application Data\556CF92480E553F2C5611454527F6A18 folder moved successfully.
C:\Documents and Settings\Owner\Desktop\malwarebyte's 1 46 beta + keyz & keygen TESTED folder moved successfully.
Folder C:\Documents and Settings\Owner\Local Settings\Application Data\{32C3C3D8-B9D6-409A-93DD-DF66B8F12C2C}\ not found.
C:\Documents and Settings\Owner\Local Settings\Application Data\wwqclsvmt folder moved successfully.
C:\Documents and Settings\All Users\Application Data\Update folder moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 0 bytes

User: Owner
->Temp folder emptied: 37037 bytes
->Temporary Internet Files folder emptied: 35883 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 85457015 bytes
->Flash cache emptied: 1975 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 1731836 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 320526 bytes

Total Files Cleaned = 84.00 mb

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYFLASH]

User: Administrator

User: All Users

User: Default User

User: LocalService
->Flash cache emptied: 0 bytes

User: NetworkService
->Flash cache emptied: 0 bytes

User: Owner
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.9.1 log created on 08022010_010819

Files\Folders moved on Reboot...
File move failed. C:\WINDOWS\system32\drivers\hsdtz.sys scheduled to be moved on reboot.

Registry entries deleted on Reboot...




Cfix Log
*******************************************************************************************



ComboFix 10-08-01.01 - Owner 08/02/2010 1:26.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1579 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\Combo-fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Mozilla Firefox\searchplugins\google_search.xml

.
((((((((((((((((((((((((( Files Created from 2010-07-02 to 2010-08-02 )))))))))))))))))))))))))))))))
.

2010-08-02 05:08 . 2010-08-02 05:08 -------- d-----w- C:\_OTL
2010-07-31 16:40 . 2010-08-02 05:25 0 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\prvlcl.dat
2010-07-31 14:09 . 2010-08-02 05:23 -------- d-----w- C:\ComboFix
2010-07-31 11:31 . 2010-07-31 11:31 -------- d-----w- c:\program files\Trend Micro
2010-07-31 11:31 . 2010-07-31 11:31 -------- d-----w- C:\!KillBox
2010-07-30 07:47 . 2010-07-30 07:47 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-07-27 23:02 . 2010-07-27 23:02 -------- d-----w- C:\$AVG
2010-07-26 13:14 . 2010-07-26 13:14 1615200 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssie.dll
2010-07-26 13:14 . 2010-07-26 13:14 1373536 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssff.dll
2010-07-26 13:14 . 2010-07-26 13:14 921440 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgemc.exe
2010-07-26 13:14 . 2010-07-26 13:14 4368224 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2010-07-26 13:14 . 2010-07-26 13:14 1107296 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgxpl.dll
2010-07-26 10:00 . 2010-07-26 10:00 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-26 10:00 . 2010-07-26 10:00 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-26 10:00 . 2010-07-26 10:00 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-07-26 10:00 . 2010-07-26 10:00 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-07-26 10:00 . 2010-08-01 22:10 -------- d-----w- c:\windows\system32\drivers\Avg
2010-07-26 09:42 . 2010-07-26 09:42 -------- d-----w- c:\program files\AVG
2010-07-26 09:41 . 2010-07-26 09:42 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-07-26 08:30 . 2010-07-26 08:30 85504 ----a-w- c:\documents and settings\Owner\Application Data\SystemRequirementsLab\srlproxy_cyri_4.1.71.0A.dll
2010-07-26 03:11 . 2010-07-26 03:11 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-07-26 03:11 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-26 03:11 . 2010-07-26 03:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-26 03:11 . 2010-07-26 03:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-26 03:11 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-26 01:25 . 2010-08-02 05:31 766464 ----a-w- c:\windows\system32\drivers\hsdtz.sys
2010-07-26 00:53 . 2010-07-26 00:53 -------- d-----w- C:\SAVE
2010-07-26 00:27 . 2010-07-26 00:27 -------- d-----w- C:\Sierra
2010-07-05 10:33 . 2010-07-05 10:33 -------- d-----w- c:\program files\CDisplay

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-02 05:13 . 2002-02-06 11:53 -------- d-----w- c:\documents and settings\Owner\Application Data\Skype
2010-08-02 04:04 . 2002-02-06 11:54 -------- d-----w- c:\documents and settings\Owner\Application Data\skypePM
2010-08-01 08:31 . 2010-02-17 11:52 -------- d-----w- c:\documents and settings\Owner\Application Data\uTorrent
2010-07-31 10:56 . 2010-02-21 20:27 -------- d-----w- c:\documents and settings\Owner\Application Data\vlc
2010-07-26 09:58 . 2010-05-28 02:41 -------- d-----w- c:\documents and settings\Owner\Application Data\U3
2010-07-26 08:30 . 2010-02-17 05:09 -------- d-----w- c:\program files\SystemRequirementsLab
2010-07-26 08:30 . 2010-02-17 05:09 -------- d-----w- c:\documents and settings\Owner\Application Data\SystemRequirementsLab
2010-07-26 00:27 . 2010-02-23 19:58 -------- d-----w- c:\documents and settings\Owner\Application Data\DAEMON Tools Lite
2010-07-11 10:50 . 2010-02-19 03:44 -------- d-----w- c:\program files\World of Warcraft
2010-05-25 01:22 . 2010-05-25 01:22 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5e7a53b7-n\msvcp71.dll
2010-05-25 01:22 . 2010-05-25 01:22 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5e7a53b7-n\jmc.dll
2010-05-25 01:22 . 2010-05-25 01:22 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5e7a53b7-n\msvcr71.dll
2010-05-25 01:22 . 2010-05-25 01:22 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-34f0aabd-n\decora-sse.dll
2010-05-25 01:22 . 2010-05-25 01:22 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-34f0aabd-n\decora-d3d.dll
.

------- Sigcheck -------

[-] 2009-12-12 . BA8C046D98345129723E6BCAA1E8AB99 . 361600 . . [5.1.2600.5649] . . c:\windows\system32\drivers\tcpip.sys


c:\windows\System32\wscntfy.exe ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-04-06 26102056]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PRONoMgr.exe"="c:\program files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-03-11 86016]
"F5D7050v3"="c:\program files\Belkin\F5D7050v3\Belkinwcui.exe" [2007-10-31 1654784]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 1622016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-26 2065760]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2009-12-12 128512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-26 10:00 12536 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Documents and Settings\\Owner\\Desktop\\World of Warcraft\\Repair.exe"=
"c:\\Documents and Settings\\Owner\\Desktop\\World of Warcraft\\WoW-3.2.0-enUS-downloader.exe"=
"c:\\Documents and Settings\\Owner\\Desktop\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [7/26/2010 6:00 AM 216400]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [7/26/2010 6:00 AM 243024]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [7/26/2010 5:58 AM 921952]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [7/26/2010 5:58 AM 308136]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [7/25/2010 11:11 PM 304464]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [7/25/2010 11:11 PM 20952]
S1 DumpDrv;Crash Dump Driver;c:\windows\system32\drivers\dumpdrv.sys [12/12/2009 3:37 PM 9472]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2/23/2010 3:59 PM 691696]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - GTNDIS5
*Deregistered* - hsdtz
.
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\cyo81xfz.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://search.search-star.net/?sid=10101040100&s=
FF - prefs.js: network.proxy.type - 0
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\cyo81xfz.default\extensions\DeviceDetection@logitech.com\plugins\npLogitechDeviceDetection.dll

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Google
FF - user.js: browser.search.order.1 - Google
FF - user.js: keyword.URL - hxxp://search.search-star.net/?sid=10101040100&s=
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Turbine Download Manager Tray Icon - c:\program files\Turbine\Turbine Download Manager\TurbineDownloadManagerIcon.exe
AddRemove-Gmask 1.70 English - c:\program files\Gmask 1.70 English\uninstal.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-02 01:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hsdtz]

.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-790525478-1284227242-1644491937-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:27,53,35,5a,ef,f5,7f,cf,0a,3e,ec,28,eb,39,59,f6,a7,6f,ee,f8,17,1a,fe,
49,32,52,07,24,a4,d4,f4,77,ab,da,8f,2b,e1,6c,9a,79,5c,fe,39,38,72,fd,d9,68,\
"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50
.
Completion time: 2010-08-02 01:34:09
ComboFix-quarantined-files.txt 2010-08-02 05:34

Pre-Run: 3,555,504,128 bytes free
Post-Run: 3,520,053,248 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - B3ECED97809254832F70436DA7D18E7D


#9 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 4,149 posts
  • OFFLINE
  • Gender:Male
  • Location:Midlands, UK
  • Local time:09:12 PM

Posted 03 August 2010 - 04:23 AM

Hi italianyg,

Download FileFind.zip to your desktop.
Right click the icon and select 'extract' (or unzip).
We need the contents unzipping to a separate folder.
  • Double-click FindFile.exe
  • In the box labeled "Enter the directory to search" enter the Drive: C:\
  • In the box labeled "Enter the File to Search" enter wscntfy.exe.
  • Click "Find" to begin the search.
  • When the search is done, it will list the total number of files found.
  • Double-click on "Export"
  • This will create and save a text file named export.txt in the root of your C:\ directory.
  • Locate export.txt and copy/paste its contents in your next post.

Thanks



#10 italianyg

italianyg
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:04:12 PM

Posted 03 August 2010 - 08:26 AM

Hi Starbuck,

I ran FileFind and it comes up with "0 Files found in 3162 Directories"; when I hit Export it opens up an empty txt file.

#11 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 4,149 posts
  • OFFLINE
  • Gender:Male
  • Location:Midlands, UK
  • Local time:09:12 PM

Posted 03 August 2010 - 10:19 AM

Hi italianyg,

Let's try this then:

Step 1
Double click on OTL.exe to run it.
Click the None button at the top.



Now copy the lines in bold below.


/md5start
wscntfy.exe
/md5stop

  • right click in the Custom Scans/Fixes window (under the blue bar) and choose Paste.


  • Click the Run Scan button.


You will only get a very short report.
Please copy/paste that report in your next reply.

Step 2
I'd like you to do an ESET OnlineScan

You may find it beneficial to close your resident AV program before running the scan.
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on to download the ESET Smart Installer.
      Save it to your desktop.
    • Double click on the icon on your desktop.
  • Check
  • Click the button.
  • Accept any security warnings from your browser.
  • Check
  • Click the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push
  • Click , and save the file to your desktop using a unique name, such as ESETScan.
    Include the contents of this report in your next reply.
  • Click the button.
  • Click
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

In your next reply, please submit:
OTL report
ESET scan report.


Thanks.

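What the two helper steps above amount to (FileFind's search of C:\ for wscntfy.exe, then the OTL /md5start custom scan that hashes each copy) as an added Python example; this is not FileFind, OTL or any code from the thread. The directory tree it searches is constructed in a temp folder so the script runs offline, and the function names are the example's own.

```python
"""Locate every copy of a file name below a root directory and hash each hit.

Added example, not the FileFind or OTL tools from the thread: it searches a
tree for wscntfy.exe the way FileFind does and reports size and MD5 the way
the OTL /md5start custom scan does. The sample tree is constructed in a temp
directory; no real system file is read.
"""
import hashlib
import os
import tempfile


def md5_of_file(path, chunk=1 << 16):
    """MD5 of a file, read in chunks so large binaries never load whole."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest().upper()


def find_file(root, name):
    """Return [(path, size, md5)] for every file named `name` under `root`.

    Matching is case-insensitive, as on Windows. An empty list means the file
    is absent, which is what the poster's FileFind run reported ("0 Files
    found") after ComboFix's Sigcheck flagged wscntfy.exe as missing.
    """
    hits = []
    wanted = name.lower()
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower() == wanted:
                p = os.path.join(dirpath, fn)
                hits.append((p, os.path.getsize(p), md5_of_file(p)))
    return hits


def build_sample_tree():
    """Constructed stand-in for C:\\ with two copies of the file and one near-miss."""
    root = tempfile.mkdtemp()
    for sub, fn, data in [
        ("system32", "WSCNTFY.EXE", b"MZ-constructed-copy-1"),
        (os.path.join("system32", "dllcache"), "wscntfy.exe", b"MZ-constructed-copy-1"),
        ("Temp", "wscntfy.tmp", b"not a match"),
    ]:
        d = os.path.join(root, sub)
        os.makedirs(d, exist_ok=True)
        with open(os.path.join(d, fn), "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for path, size, digest in find_file(root, "wscntfy.exe") or [("(missing)", 0, "")]:
        print(f"{path}\t{size}\t{digest}")
    print("missing:", find_file(root, "absent.sys"))
```

Two hits with the same MD5 (the system32 copy and its dllcache backup) is the expected healthy picture; a single copy with an unfamiliar hash, or none at all, is what the helper is checking for.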


#12 italianyg

italianyg
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:04:12 PM

Posted 03 August 2010 - 01:51 PM

Hi Starbuck,

I've followed your directions; the OTL scan ran smoothly. But with the ESET scan it freezes at roughly the same spot, at 87%. I've run the scan twice, and as I type this I am preparing a 3rd scan. I will reply with any updated log info I get then. In the meantime I'll post the current logs. The first scan seems to have found and deleted 5 infections.

*****EDIT*****
I was able to get ESET to run to the end and it found an additional 2 threats. I've updated the log accordingly.


OTL Log
**************************************************************************


OTL logfile created on: 8/3/2010 2:49:10 PM - Run 4
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 71.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 85.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 1.38 Gb Free Space | 1.85% Space Free | Partition Type: NTFS
Drive D: | 585.95 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ANONYMOUS
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Custom Scans ==========


< End of report >



ESET Logs
***************************************************************************


ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=028ec9b5bc80334bbfb6675dcf296d3d
# end=stopped
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-08-03 06:19:08
# local_time=2010-08-03 02:19:08 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=crash
# scanned=20032
# found=5
# cleaned=5
# scan_time=2590
C:\Documents and Settings\Owner\Desktop\FreeSoundRecorder.exe a variant of Win32/Adware.OneStep.F application (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Owner\Desktop\Nero 9.2.5.0+Keygen[h33t]MasterUploader\Setup\Nero-9.2.5.0.exe Win32/Toolbar.AskSBar application (deleted - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\32788R22FWJFW\dmio.sys Win32/Olmarik.ZC trojan (cleaned - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{EFF1FDDC-99B4-4251-91CB-0FB6C6A884C0}\RP75\A0032841.rbf a variant of Win32/Adware.SpywareRemover.B application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{EFF1FDDC-99B4-4251-91CB-0FB6C6A884C0}\RP84\A0034819.exe a variant of Win32/Adware.OneStep.F application (deleted - quarantined) 00000000000000000000000000000000 C
ESETSmartInstaller@High as downloader log:
all ok
esets_scanner_update returned -1 esets_gle=53251
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=028ec9b5bc80334bbfb6675dcf296d3d
# end=stopped
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-08-03 06:48:12
# local_time=2010-08-03 02:48:12 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=crash
# scanned=20014
# found=0
# cleaned=0
# scan_time=1446
ESETSmartInstaller@High as downloader log:
all ok
esets_scanner_update returned -1 esets_gle=53251
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=028ec9b5bc80334bbfb6675dcf296d3d
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-08-03 07:45:31
# local_time=2010-08-03 03:45:31 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=crash
# scanned=28788
# found=2
# cleaned=2
# scan_time=2238
C:\System Volume Information\_restore{EFF1FDDC-99B4-4251-91CB-0FB6C6A884C0}\RP84\A0034820.exe Win32/Toolbar.AskSBar application (deleted - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{EFF1FDDC-99B4-4251-91CB-0FB6C6A884C0}\RP84\A0034821.sys Win32/Olmarik.ZC trojan (cleaned - quarantined) 00000000000000000000000000000000 C

Edited by italianyg, 03 August 2010 - 03:17 PM.
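The three ESET runs above share one layout: a downloader banner, an optional update-error line, a `# key=value` header, then one line per detection. As an added example (not ESET's tooling; the format is inferred from the post), this parser splits the pasted text into runs, tells a stopped run from a finished one, and sorts each hit into a live path or a System Restore point. The sample log is constructed from the posted runs with shortened paths.

```python
"""Parse ESET Online Scanner log runs like the ones posted above (added example,
not ESET tooling; format inferred from the post). Sample is constructed."""
import re
from collections import Counter

BANNER = "ESETSmartInstaller@High as downloader log:"
# Threat names carry a platform prefix with a slash (Win32/...), which a Windows
# path never contains, so the first such token marks where the path ends.
THREAT_START = re.compile(r" (?=(?:probably )?(?:a variant of )?[A-Za-z0-9]+/)")
DETECTION = re.compile(r"^(?P<rest>.+) \((?P<action>[^)]*)\) (?P<hash>[0-9a-fA-F]{32}) \S+$")
RESTORE_POINT = re.compile(r"\\System Volume Information\\_restore\{", re.I)


def parse_runs(text):
    """One dict per run: header fields, update error line (if any), detections."""
    runs = []
    for chunk in text.split(BANNER)[1:]:
        run = {"header": {}, "detections": [], "update_error": None}
        for line in (l.strip() for l in chunk.splitlines()):
            if line.startswith("esets_scanner_update"):
                run["update_error"] = line
            elif line.startswith("# ") and "=" in line:
                key, _, val = line[2:].partition("=")
                run["header"][key] = val.strip('"')
            elif (m := DETECTION.match(line)):
                rest = m.group("rest")
                cut = THREAT_START.search(rest)
                path = rest[: cut.start()] if cut else rest
                run["detections"].append({
                    "path": path,
                    "threat": rest[cut.end():] if cut else "",
                    "action": m.group("action"),
                    # _restore{...} paths are System Restore snapshots, not the live system.
                    "in_restore_point": bool(RESTORE_POINT.search(path)),
                })
        runs.append(run)
    return runs


def summarize(runs):
    """Per-run (end status, found count, update failed?) and where the hits live."""
    status = [(r["header"].get("end"), int(r["header"].get("found", 0)),
               r["update_error"] is not None) for r in runs]
    where = Counter("restore_point" if d["in_restore_point"] else "live"
                    for r in runs for d in r["detections"])
    return status, where


# Constructed sample modelled on the runs in the post (paths shortened).
SAMPLE_LOG = """ESETSmartInstaller@High as downloader log:
all ok
# end=stopped
# found=2
C:\\Docs\\Owner\\Desktop\\FreeSoundRecorder.exe a variant of Win32/Adware.OneStep.F application (deleted - quarantined) 00000000000000000000000000000000 C
C:\\Qoobox\\32788R22FWJFW\\dmio.sys Win32/Olmarik.ZC trojan (cleaned - quarantined) 00000000000000000000000000000000 C
ESETSmartInstaller@High as downloader log:
all ok
esets_scanner_update returned -1 esets_gle=53251
# end=finished
# found=1
C:\\System Volume Information\\_restore{EFF1FDDC-99B4-4251-91CB-0FB6C6A884C0}\\RP84\\A0034821.sys Win32/Olmarik.ZC trojan (cleaned - quarantined) 00000000000000000000000000000000 C
"""

if __name__ == "__main__":
    print(summarize(parse_runs(SAMPLE_LOG)))
```

A run whose header says `end=stopped` is the one that froze part-way, so its `found` count is a lower bound; only an `end=finished` run with no live-path hits means the sweep completed clean.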




