Possibly infected with Antivirus Solution Pro, possible entries added to Toolbars and Extensions


  • This topic is locked
57 replies to this topic

#1 steeldarkstar

steeldarkstar

  • Members
  • 31 posts
  • Gender:Male
  • Location:Minnesota

Posted 06 August 2010 - 01:35 PM

When I found that I could get help on this forum, I came here and followed what the Preparation Guide For Requesting Help instructed me to do. A friend of mine whom you helped "in the past" repair her computer referred BleepingComputer to me.

I was surfing the internet and what looked like a fake virus warning popped up and started running. It was called Antivirus Solution Pro, I am pretty sure. Then I got 2 warnings from my antivirus program, then 5 minutes later the computer started having problems. I noticed something else: a bunch of entries are visible in my "Toolbars and Extensions" under View and manage your Internet Explorer add-ons. When I click to have it show add-ons that "run without permission" I found 9 items listed under the name SupportSoft Inc. All seem to be ActiveX Controls and all are listed under the name SupportSoft, Inc add-ons, and I don't remember them being there in the past few months, but maybe I just didn't notice. I don't know if they are harmful or if they are necessary; I just noticed the entries today. My browser keeps being redirected. I have to run Malwarebytes when I try to go to a website or to return to BleepingComputer.com, because if I close the IE browser it gets redirected when I open it again; if I run Malwarebytes again the IE browser is not redirected. This problem has been going on for 4 days, but all I used the computer for during that time was searching for info and repair/removal solutions. This is what Malwarebytes found: (C:WINDOWSWsopea.exe) (Win32TrojanDownloader.) (FakeAlert.AQI trojan). These were found in the first scan, way before I was referred to this site or these forums.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Animal at 9:06:14.95 on Fri 08/06/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.481 [GMT -5:00]

AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
C:\Program Files\Mouse\Amoumain.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Animal\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page =
uStart Page = hxxp://www.google.com/
mDefault_Search_URL =
mSearch Page =
mSearchAssistant =
mCustomizeSearch =
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
mRun: [WheelMouse] Amoumain.exe
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
mPolicies-system: EnableLUA = 0 (0x0)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: microsoft.com\windowsupdate
Trusted Zone: microsoft.com\www.update
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 151216]
R2 sprtlisten;SupportSoft Listener Service;c:\program files\common files\supportsoft\bin\sprtlisten.exe [2008-1-8 1213728]
R3 Amps2prt;Compatible PS/2 Port Mouse Driver;c:\windows\system32\drivers\Amps2prt.sys [2001-12-17 9216]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-21 135664]

=============== Created Last 30 ================

2010-08-06 14:03:21 0 dc----w- c:\program files\FileHippo.com
2010-08-06 03:02:39 0 -c--a-w- c:\documents and settings\animal\defogger_reenable
2010-08-05 23:13:48 0 dc----w- c:\program files\Microsoft Security Essentials
2010-08-05 16:15:20 157712 -c--a-w- c:\windows\system32\drivers\tmcomm.sys
2010-08-05 05:36:17 0 dc----w- c:\program files\ESET
2010-08-05 05:00:12 38224 -c--a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-05 05:00:11 20952 -c--a-w- c:\windows\system32\drivers\mbam.sys
2010-08-04 21:54:23 0 -c-ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2010-08-04 21:54:20 21504 -c--a-w- c:\windows\system32\drivers\hidserv.dll
2010-08-04 16:40:14 12160 -c--a-w- c:\windows\system32\drivers\mouhid.sys
2010-08-04 16:40:12 21504 -c--a-w- c:\windows\system32\hidserv.dll
2010-08-04 16:40:09 10368 -c--a-w- c:\windows\system32\drivers\hidusb.sys
2010-08-04 16:01:19 0 dc----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-04 08:43:35 0 dc----w- c:\docume~1\animal\applic~1\Malwarebytes
2010-08-04 06:46:07 0 dc----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-08-04 02:29:17 102400 -csha-r- c:\windows\system32\auditusrv.dll
2010-08-03 16:59:03 14443 -c--a-w- c:\documents and settings\animal\.recently-used.xbel
2010-07-31 22:43:13 0 dc----w- c:\docume~1\animal\applic~1\Singlesnet
2010-07-31 20:13:35 0 dc----w- c:\program files\Free YouTube Downloader Converter
2010-07-29 00:11:54 0 dc----w- c:\docume~1\alluse~1\applic~1\DivX
2010-07-27 17:30:22 0 dc----w- C:\WINSSLog
2010-07-23 14:47:35 221568 -c----w- c:\windows\system32\MpSigStub.exe
2010-07-12 23:31:43 0 dc----w- c:\docume~1\animal\applic~1\com.zoosk.Desktop.096E6A67431258A508A2446A847B240591D2C99B.1

==================== Find3M ====================

2009-08-18 00:54:33 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009081020090817\index.dat
2009-08-18 00:54:33 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009081720090818\index.dat

============= FINISH: 9:06:44.57 ===============

I also found now that my IE 8 browser is randomly being hijacked by "Results5.Google", with my browser being randomly redirected to different search engines as well as random search results, and when I use www.google.com or any of my preferred "set" home pages, clicking on the search result links provided sends me to random sites but not the site I want. I have checked the settings in Internet Options under the Connections tab but they are fine and not using any proxies, with no checkmarks or entries under same.

Edited by hamluis, 12 August 2010 - 04:19 PM.
Edited to add supplementary material ~ Hamluis.



#2 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 14 August 2010 - 08:15 AM

Hello steeldarkstar

Welcome to BleepingComputer
==========================
  • Download OTL to your desktop.
  • Double click on OTL to run it.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Under the Custom scans and fixes section paste in the below in bold

    netsvcs
    %SYSTEMDRIVE%\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /90
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll

  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.
====================
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here
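A small triage script for the kind of OTL report requested above, added here as an example; it is not part of the thread, of OTL, or of the helper's procedure. It applies the checks a log reviewer does by eye to individual OTL lines: Winlogon Notify packages that point at a broken or missing DLL (a classic persistence point, checked first), the EnableLUA = 0 policy (no effect on Windows XP, so informational there, but meaningful from Vista on), hosts-file entries beyond the localhost mapping, DNS servers outside private ranges, registry entries whose target file is gone, files that carry no publisher name (OTL prints "()" for those), and autostart entries running from user-writable folders. The sample lines are copied from the OTL log posted later in this thread; the rule names and severity ranking are my own. Note that the scanner itself (OTL.exe on the Desktop) trips the user-writable-path rule, which is the expected false positive a reviewer whitelists rather than a finding.

```python
"""Triage rules for OTL-style report lines (example code, not part of OTL)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample lines copied from the OTL log posted in this thread (not a complete report).
SAMPLE_OTL = r"""
PRC - C:\Documents and Settings\Animal\Desktop\OTL.exe (OldTimer Tools)
PRC - c:\Program Files\Microsoft Security Essentials\MsMpEng.exe (Microsoft Corporation)
PRC - C:\Program Files\Mouse\Amoumain.exe ()
MOD - C:\WINDOWS\system32\Amhooker.dll ()
SRV - (gupdate) Google Update Service (gupdate) -- File not found
SRV - (MsMpSvc) -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe (Microsoft Corporation)
DRV - (Lavasoft Kernexplorer) -- C:\Program Files\Lavasoft\Ad-Aware\KernExplorer.sys File not found
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O4 - HKLM..\Run: [MSSE] c:\Program Files\Microsoft Security Essentials\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [WheelMouse] File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O20 - Winlogon\Notify\avldr: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O20 - Winlogon\Notify\crypt32chain: DllName - crypt32.dll - C:\WINDOWS\System32\crypt32.dll (Microsoft Corporation)
"""


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "low"; the ranking is this example's own
    rule: str
    line: str


# Line types whose trailing "(Company)" token names the file publisher.
_PUBLISHER_PREFIXES = ("PRC - ", "MOD - ", "SRV - ", "DRV - ", "O2 - ", "O4 - ", "O20 - ", "O21 - ")
# User-writable locations from which autostart entries rarely belong.
_USER_WRITABLE = re.compile(r"\\(desktop|application data|local settings|temp)\\", re.IGNORECASE)
_LOCALHOST_ONLY = re.compile(r"^O1 - Hosts:\s+(127\.0\.0\.1|::1)\s+localhost$")
_DNS_SERVERS = re.compile(r"DhcpNameServer = ([\d.\s]+)$")
_RANK = {"high": 0, "medium": 1, "low": 2}


def classify(line: str) -> Optional[Finding]:
    """Return a Finding for one OTL report line, or None if it looks routine."""
    s = line.strip()
    if not s:
        return None
    # Winlogon Notify DLLs load into winlogon.exe; a broken or unnamed entry there is checked first.
    if s.startswith("O20 - Winlogon\\Notify") and ("Reg Error" in s or "File not found" in s):
        return Finding("high", "winlogon-notify-broken", s)
    # Policy that disables UAC (meaningful from Vista on; informational on XP).
    if "EnableLUA = 0" in s:
        return Finding("medium", "uac-disabled-policy", s)
    # Anything in the hosts file beyond the localhost mapping can redirect sites silently.
    if s.startswith("O1 - Hosts:") and not _LOCALHOST_ONLY.match(s):
        return Finding("medium", "hosts-redirect", s)
    # DNS servers outside private ranges on a home LAN can indicate changed network settings.
    m = _DNS_SERVERS.search(s)
    if m:
        if any(not ipaddress.ip_address(ip).is_private for ip in m.group(1).split()):
            return Finding("medium", "public-dns-server", s)
        return None
    # Registry entries pointing at files that no longer exist: cleanup candidates, rarely active threats.
    if "File not found" in s or "No CLSID value found" in s:
        return Finding("low", "orphaned-entry", s)
    if s.startswith(_PUBLISHER_PREFIXES):
        # OTL prints "()" when the file carries no company name in its version resource.
        if s.endswith(" ()"):
            return Finding("medium", "no-publisher", s)
        if _USER_WRITABLE.search(s):
            return Finding("medium", "runs-from-user-writable-path", s)
    return None


def triage(report: str) -> List[Finding]:
    """Classify every line of an OTL report and return the findings, most severe first."""
    findings = [f for f in map(classify, report.splitlines()) if f is not None]
    return sorted(findings, key=lambda f: _RANK[f.severity])


if __name__ == "__main__":
    for f in triage(SAMPLE_OTL):
        print(f"[{f.severity:6}] {f.rule:30} {f.line}")
```

Run against the sample, the avldr Winlogon Notify entry comes out on top; the two files with no publisher (Amoumain.exe and Amhooker.dll) and the EnableLUA policy follow, and the four dead references (gupdate, the Lavasoft driver, the nameless BHO, WheelMouse) land at the bottom as cleanup items. A whitelist of known tools and publishers is the obvious next step before pointing this at a full OTL.Txt.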

#3 steeldarkstar

steeldarkstar
  • Topic Starter

  • Members
  • 31 posts
  • Gender:Male
  • Location:Minnesota

Posted 14 August 2010 - 06:16 PM

These are the text files you asked for. I had to run it 4 times before it produced the Extras.Txt, on the 4th try.

OTL logfile created on: 8/14/2010 5:41:09 PM - Run 5
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Documents and Settings\Animal\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,015.00 Mb Total Physical Memory | 464.00 Mb Available Physical Memory | 46.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 79.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.50 Gb Total Space | 66.54 Gb Free Space | 89.31% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ANIMAL-12ACF40B
Current User Name: Animal
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Animal\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Microsoft Security Essentials\msseces.exe (Microsoft Corporation)
PRC - c:\Program Files\Microsoft Security Essentials\MsMpEng.exe (Microsoft Corporation)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe (SupportSoft, Inc.)
PRC - C:\Program Files\Mouse\Amoumain.exe ()


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Animal\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\system32\msscript.ocx (Microsoft Corporation)
MOD - C:\WINDOWS\system32\Amhooker.dll ()


========== Win32 Services (SafeList) ==========

SRV - (gupdate) Google Update Service (gupdate) -- File not found
SRV - (AppMgmt) -- C:\WINDOWS\System32\appmgmts.dll File not found
SRV - (MsMpSvc) -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe (Microsoft Corporation)
SRV - (sprtlisten) -- C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe (SupportSoft, Inc.)
SRV - (SupportSoft RemoteAssist) -- C:\Program Files\Common Files\supportsoft\bin\ssrc.exe (SupportSoft, Inc.)


========== Driver Services (SafeList) ==========

DRV - (smwdm) -- C:\WINDOWS\System32\drivers\smwdm.sys File not found
DRV - (senfilt) -- C:\WINDOWS\System32\drivers\senfilt.sys File not found
DRV - (Lavasoft Kernexplorer) -- C:\Program Files\Lavasoft\Ad-Aware\KernExplorer.sys File not found
DRV - (MpFilter) -- C:\WINDOWS\system32\drivers\MpFilter.sys (Microsoft Corporation)
DRV - (NuidFltr) -- C:\WINDOWS\system32\drivers\nuidfltr.sys (Microsoft Corporation)
DRV - (usbaudio) USB Audio Driver (WDM) -- C:\WINDOWS\system32\drivers\USBAUDIO.sys (Microsoft Corporation)
DRV - (bcm4sbxp) -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys (Broadcom Corporation)
DRV - (Amps2prt) -- C:\WINDOWS\system32\drivers\Amps2prt.sys ((Standard Mouse Types))
DRV - (MODEMCSA) -- C:\WINDOWS\system32\drivers\MODEMCSA.sys (Microsoft Corporation)
DRV - (HCF_MSFT) -- C:\WINDOWS\system32\drivers\HCF_MSFT.sys (Conexant)
DRV - (Winachcf) -- C:\WINDOWS\system32\drivers\winachcf.sys (Conexant)


========== Standard Registry (All) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant =

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page =
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKCU\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/08/18 07:32:59 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2010/08/12 16:50:00 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2004/08/12 08:57:48 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (&Links) - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O4 - HKLM..\Run: [Adobe ARM] C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [MSSE] c:\Program Files\Microsoft Security Essentials\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Common Files\Java\Java Update\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [WheelMouse] File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\WINDOWS\system32\winrnr.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O15 - HKCU\..Trusted Domains: microsoft.com ([windowsupdate] https in Trusted sites)
O15 - HKCU\..Trusted Domains: microsoft.com ([www.update] https in Trusted sites)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} http://gfx2.hotmail.com/mail/w4/pr01/photo...ol/MSNPUpld.cab (Windows Live Hotmail Photo Upload Tool)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\gopher {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll (Microsoft Corporation)
O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\sysimage {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\wia {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\Class Install Handler {32B533BB-EDAE-11d0-BD5A-00AA00B92AF1} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\deflate {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\gzip {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\lzdhtml {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/webviewhtml {733AC4CB-F1A4-11d0-B951-00A0C90312E1} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UIHost - (logonui.exe) - C:\WINDOWS\System32\logonui.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (rundll32 shell32) - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") - C:\WINDOWS\System32\sysdm.cpl (Microsoft Corporation)
O20 - Winlogon\Notify\avldr: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O20 - Winlogon\Notify\crypt32chain: DllName - crypt32.dll - C:\WINDOWS\System32\crypt32.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cryptnet: DllName - cryptnet.dll - C:\WINDOWS\System32\cryptnet.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cscdll: DllName - cscdll.dll - C:\WINDOWS\System32\cscdll.dll (Microsoft Corporation)
O20 - Winlogon\Notify\dimsntfy: DllName - %SystemRoot%\System32\dimsntfy.dll - C:\WINDOWS\system32\dimsntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O20 - Winlogon\Notify\ScCertProp: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\Schedule: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\sclgntfy: DllName - sclgntfy.dll - C:\WINDOWS\System32\sclgntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\SensLogn: DllName - WlNotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\termsrv: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\wlballoon: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O21 - SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\system32\stobject.dll (Microsoft Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\system32\webcheck.dll (Microsoft Corporation)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O24 - Desktop WallPaper: C:\Documents and Settings\Animal\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Animal\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msapsspc.dll) - C:\WINDOWS\System32\msapsspc.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (schannel.dll) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (digest.dll) - C:\WINDOWS\System32\digest.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msnsspc.dll) - C:\WINDOWS\System32\msnsspc.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (kerberos) - C:\WINDOWS\System32\kerberos.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (schannel) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (wdigest) - C:\WINDOWS\System32\wdigest.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/08/16 09:52:05 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: AppMgmt - C:\WINDOWS\System32\appmgmts.dll File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16902109354000384)

========== Files/Folders - Created Within 30 Days ==========

[2010/08/14 16:47:24 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Animal\Desktop\OTL.exe
[2010/08/14 16:15:45 | 000,000,000 | -H-D | C] -- C:\WINDOWS\PIF
[2010/08/14 14:59:57 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Essentials
[2010/08/14 07:42:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Animal\Desktop\Uninstaller Cleaner Utilities read each one before using
[2010/08/13 18:32:07 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Animal\Recent
[2010/08/12 16:51:50 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010/08/12 16:50:35 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/08/12 16:50:35 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/08/12 16:50:35 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/08/12 16:50:35 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/08/12 12:41:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Animal\Local Settings\Application Data\Browser Guard 2010
[2010/08/12 12:39:53 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/08/12 00:07:46 | 000,095,024 | ---- | C] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
[2010/08/11 23:59:28 | 000,000,000 | ---D | C] -- C:\Program Files\Lavasoft
[2010/08/11 23:30:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Animal\Local Settings\Application Data\Sunbelt Software
[2010/08/11 23:27:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Lavasoft
[2010/08/11 12:33:39 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Silverlight
[2010/08/11 02:47:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2010/08/11 02:47:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2010/08/11 02:44:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NOS
[2010/08/06 09:03:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Animal\Desktop\Malware and Virus Removal KNOWN Help websites
[2010/08/06 09:03:21 | 000,000,000 | ---D | C] -- C:\Program Files\FileHippo.com
[2010/08/05 11:15:20 | 000,157,712 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2010/08/04 16:54:20 | 000,021,504 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\hidserv.dll
[2010/08/04 15:57:18 | 011,508,680 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Animal\Desktop\windows-kb890830-v3.9.exe
[2010/08/04 12:05:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Animal\Desktop\Malware Removal Tools and Guides For Malware Removal
[2010/08/04 12:03:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Animal\Desktop\mbam-logs
[2010/08/04 03:43:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Animal\Application Data\Malwarebytes
[2010/08/04 01:46:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/08/02 09:32:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Animal\My Documents\My Received Files
[2010/07/31 17:43:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Animal\Local Settings\Application Data\Singlesnet.com
[2010/07/31 17:43:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Animal\Application Data\Singlesnet
[2010/07/28 19:17:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Animal\Application Data\DivX
[2010/07/28 19:11:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\DivX
[2010/07/27 12:30:22 | 000,000,000 | ---D | C] -- C:\WINSSLog
[2010/07/24 14:26:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\PCHealth
[2010/07/23 09:47:35 | 000,221,568 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/08/14 17:04:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/08/14 16:47:31 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Animal\Desktop\OTL.exe
[2010/08/14 16:22:06 | 003,670,016 | ---- | M] () -- C:\Documents and Settings\Animal\NTUSER.DAT
[2010/08/14 16:15:57 | 000,000,439 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/08/14 15:51:35 | 000,000,408 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/08/14 15:49:36 | 000,000,290 | ---- | M] () -- C:\Documents and Settings\Animal\Desktop\Possibly infected with - Antivirus Solution Pro, Poss entries added to Toolbars and Extension's.url
[2010/08/14 15:46:23 | 000,000,282 | -H-- | M] () -- C:\WINDOWS\tasks\8d7817c0.job
[2010/08/14 15:46:22 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/08/14 15:46:07 | 000,000,316 | -HS- | M] () -- C:\WINDOWS\tasks\hvmlnr.job
[2010/08/14 15:46:07 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/08/14 15:46:02 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/08/14 15:46:01 | 1064,374,272 | -HS- | M] () -- C:\hiberfil.sys
[2010/08/14 15:45:23 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Animal\ntuser.ini
[2010/08/14 14:59:59 | 000,000,820 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Microsoft Security Essentials.lnk
[2010/08/14 14:59:44 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/08/14 11:25:17 | 000,043,441 | ---- | M] () -- C:\Documents and Settings\Animal\Desktop\In.rtf
[2010/08/14 11:21:21 | 000,000,754 | ---- | M] () -- C:\WINDOWS\WORDPAD.INI
[2010/08/14 07:21:51 | 000,000,304 | ---- | M] () -- C:\Documents and Settings\Animal\Desktop\Ultimate List of Uninstallers Having trouble uninstalling programs from your computer [1].url
[2010/08/14 07:19:28 | 000,000,868 | ---- | M] () -- C:\Documents and Settings\Animal\Desktop\Easy uninstaller is a fast, advanced, powerfu Stubborn programs ... uninstall them...!.url
[2010/08/14 07:09:55 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/08/13 18:34:33 | 000,009,242 | ---- | M] () -- C:\Documents and Settings\Animal\Desktop\cc_20100813_183302.reg
[2010/08/13 18:27:26 | 000,000,266 | ---- | M] () -- C:\Documents and Settings\Animal\Desktop\Security Tips & Download out-of-band security update's for Windows.url
[2010/08/12 16:49:56 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/08/12 16:49:56 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/08/12 16:49:56 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/08/12 16:49:56 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/08/12 16:49:55 | 000,423,656 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010/08/12 16:22:21 | 000,000,262 | ---- | M] () -- C:\Documents and Settings\Animal\Desktop\My Anti Spyware.url
[2010/08/12 15:51:11 | 000,000,517 | ---- | M] () -- C:\Documents and Settings\Animal\Desktop\google redirects results5.google.com - Tech Support Guy Forums.url
[2010/08/12 15:51:00 | 000,000,337 | ---- | M] () -- C:\Documents and Settings\Animal\Desktop\browser hijacker, results5.google - Google Search.url
[2010/08/12 12:43:16 | 000,000,216 | ---- | M] () -- C:\Documents and Settings\Animal\Desktop\Browser Not Working Prevent Browser Hijacking - Microsoft Security (2).url
[2010/08/12 00:07:44 | 000,095,024 | ---- | M] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
[2010/08/11 23:25:02 | 000,000,390 | ---- | M] () -- C:\Documents and Settings\Animal\Desktop\What is isearch - Tech Support Guy Forums.url
[2010/08/11 12:12:57 | 000,000,216 | ---- | M] () -- C:\Documents and Settings\Animal\Desktop\Browser Not Working Prevent Browser Hijacking - Microsoft Security.url
[2010/08/11 11:46:40 | 000,440,684 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/08/11 11:46:39 | 000,500,732 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/08/11 11:46:39 | 000,071,002 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/08/11 01:29:31 | 000,144,392 | ---- | M] () -- C:\Documents and Settings\Animal\Desktop\cc_20100811_012830.reg
[2010/08/10 20:06:58 | 000,012,998 | ---- | M] () -- C:\Documents and Settings\Animal\Desktop\cc_20100810_200629.reg
[2010/08/10 15:51:04 | 000,000,272 | ---- | M] () -- C:\Documents and Settings\Animal\Desktop\Remove Antivir Solution Pro (Uninstall Guide).url
[2010/08/10 15:40:31 | 000,000,360 | ---- | M] () -- C:\Documents and Settings\Animal\Desktop\reinstall SoundMAX Program - Google Search.url
[2010/08/10 15:40:26 | 000,000,277 | ---- | M] () -- C:\Documents and Settings\Animal\Desktop\SoundMAX Software Informer Comments.url
[2010/08/10 15:31:30 | 000,002,682 | ---- | M] () -- C:\Documents and Settings\Animal\Desktop\New Rich Text Document.rtf
[2010/08/10 15:19:15 | 000,001,847 | ---- | M] () -- C:\Documents and Settings\Animal\Desktop\Soundmax download and reinstall SoundMax..url
[2010/08/10 13:30:37 | 000,000,408 | ---- | M] () -- C:\Documents and Settings\Animal\Desktop\Utilities Articles the How-To Geek.url
[2010/08/10 12:23:33 | 000,000,299 | ---- | M] () -- C:\Documents and Settings\Animal\Desktop\www.malwareremoval.com They helped me repair My laptop in 2008 • MalWare Removal.url
[2010/08/10 11:31:26 | 000,000,298 | ---- | M] () -- C:\Documents and Settings\Animal\Desktop\Microsoft is aware of a vulnerability that affects only Windows XP Bulletin MS10-042 (2229593).url
[2010/08/10 11:29:18 | 000,000,247 | ---- | M] () -- C:\Documents and Settings\Animal\Desktop\Microsoft Fix it Solution Center.url
[2010/08/10 11:25:00 | 000,000,247 | ---- | M] () -- C:\Documents and Settings\Animal\Desktop\Microsoft One Click - Fix it Solution Center.url
[2010/08/10 11:23:17 | 000,000,280 | ---- | M] () -- C:\Documents and Settings\Animal\Desktop\Computer CD or DVD drive cannot read or write Repair FIX IT TOOL.url
[2010/08/10 10:24:01 | 000,000,608 | ---- | M] () -- C:\Documents and Settings\Animal\Desktop\Revo Uninstaller Pro - How-To Geek Reviews.url
[2010/08/10 10:21:42 | 000,000,406 | ---- | M] () -- C:\Documents and Settings\Animal\Desktop\how to remove hijacker, Antivirus Solution Pro - Google Search.url
[2010/08/05 22:04:21 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\Animal\Desktop\dds.scr
[2010/08/05 22:02:39 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Animal\defogger_reenable
[2010/08/05 21:52:22 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Animal\Desktop\Defogger.exe
[2010/08/04 22:35:57 | 000,000,585 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/08/04 22:35:56 | 000,000,815 | ---- | M] () -- C:\Documents and Settings\Animal\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2010/08/04 16:54:23 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
[2010/08/04 15:57:18 | 011,508,680 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Animal\Desktop\windows-kb890830-v3.9.exe
[2010/08/04 06:57:05 | 000,000,036 | ---- | M] () -- C:\Documents and Settings\Animal\Local Settings\Application Data\housecall.guid.cache
[2010/08/03 21:29:18 | 000,102,400 | RHS- | M] () -- C:\WINDOWS\System32\auditusrv.dll
[2010/08/03 11:59:03 | 000,014,443 | ---- | M] () -- C:\Documents and Settings\Animal\.recently-used.xbel
[2010/08/02 12:58:29 | 000,031,232 | ---- | M] () -- C:\Documents and Settings\Animal\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/08/02 12:48:18 | 003,145,728 | ---- | M] () -- C:\Documents and Settings\Animal\NTUSER.DAT.bak
[2010/07/27 01:30:35 | 008,462,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\shell32.dll
[2010/07/26 13:27:29 | 000,008,627 | ---- | M] () -- C:\WINDOWS\System32\PAV_FOG.OPC
[2010/07/22 09:10:01 | 000,017,376 | ---- | M] () -- C:\Documents and Settings\Animal\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/08/14 15:05:19 | 000,000,408 | -H-- | C] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/08/14 14:59:59 | 000,000,820 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Microsoft Security Essentials.lnk
[2010/08/13 18:33:05 | 000,009,242 | ---- | C] () -- C:\Documents and Settings\Animal\Desktop\cc_20100813_183302.reg
[2010/08/12 15:51:11 | 000,000,517 | ---- | C] () -- C:\Documents and Settings\Animal\Desktop\google redirects results5.google.com - Tech Support Guy Forums.url
[2010/08/12 15:51:00 | 000,000,337 | ---- | C] () -- C:\Documents and Settings\Animal\Desktop\browser hijacker, results5.google - Google Search.url
[2010/08/12 12:43:16 | 000,000,216 | ---- | C] () -- C:\Documents and Settings\Animal\Desktop\Browser Not Working Prevent Browser Hijacking - Microsoft Security (2).url
[2010/08/11 23:35:02 | 000,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/08/11 23:25:00 | 000,000,390 | ---- | C] () -- C:\Documents and Settings\Animal\Desktop\What is isearch - Tech Support Guy Forums.url
[2010/08/11 12:12:57 | 000,000,216 | ---- | C] () -- C:\Documents and Settings\Animal\Desktop\Browser Not Working Prevent Browser Hijacking - Microsoft Security.url
[2010/08/11 01:28:41 | 000,144,392 | ---- | C] () -- C:\Documents and Settings\Animal\Desktop\cc_20100811_012830.reg
[2010/08/10 20:06:38 | 000,012,998 | ---- | C] () -- C:\Documents and Settings\Animal\Desktop\cc_20100810_200629.reg
[2010/08/10 16:52:02 | 1064,374,272 | -HS- | C] () -- C:\hiberfil.sys
[2010/08/10 15:51:04 | 000,000,272 | ---- | C] () -- C:\Documents and Settings\Animal\Desktop\Remove Antivir Solution Pro (Uninstall Guide).url
[2010/08/10 15:40:31 | 000,000,360 | ---- | C] () -- C:\Documents and Settings\Animal\Desktop\reinstall SoundMAX Program - Google Search.url
[2010/08/10 15:40:26 | 000,000,277 | ---- | C] () -- C:\Documents and Settings\Animal\Desktop\SoundMAX Software Informer Comments.url
[2010/08/10 15:19:15 | 000,001,847 | ---- | C] () -- C:\Documents and Settings\Animal\Desktop\Soundmax download and reinstall SoundMax..url
[2010/08/10 13:30:37 | 000,000,408 | ---- | C] () -- C:\Documents and Settings\Animal\Desktop\Utilities Articles the How-To Geek.url
[2010/08/10 12:23:33 | 000,000,299 | ---- | C] () -- C:\Documents and Settings\Animal\Desktop\www.malwareremoval.com They helped me repair My laptop in 2008 • MalWare Removal.url
[2010/08/10 11:36:46 | 000,000,266 | ---- | C] () -- C:\Documents and Settings\Animal\Desktop\Security Tips & Download out-of-band security update's for Windows.url
[2010/08/10 11:31:26 | 000,000,298 | ---- | C] () -- C:\Documents and Settings\Animal\Desktop\Microsoft is aware of a vulnerability that affects only Windows XP Bulletin MS10-042 (2229593).url
[2010/08/10 11:29:18 | 000,000,247 | ---- | C] () -- C:\Documents and Settings\Animal\Desktop\Microsoft Fix it Solution Center.url
[2010/08/10 11:25:00 | 000,000,247 | ---- | C] () -- C:\Documents and Settings\Animal\Desktop\Microsoft One Click - Fix it Solution Center.url
[2010/08/10 11:23:17 | 000,000,280 | ---- | C] () -- C:\Documents and Settings\Animal\Desktop\Computer CD or DVD drive cannot read or write Repair FIX IT TOOL.url
[2010/08/10 11:07:31 | 000,000,304 | ---- | C] () -- C:\Documents and Settings\Animal\Desktop\Ultimate List of Uninstallers Having trouble uninstalling programs from your computer [1].url
[2010/08/10 10:24:01 | 000,000,608 | ---- | C] () -- C:\Documents and Settings\Animal\Desktop\Revo Uninstaller Pro - How-To Geek Reviews.url
[2010/08/10 10:22:18 | 000,000,868 | ---- | C] () -- C:\Documents and Settings\Animal\Desktop\Easy uninstaller is a fast, advanced, powerfu Stubborn programs ... uninstall them...!.url
[2010/08/10 10:21:42 | 000,000,406 | ---- | C] () -- C:\Documents and Settings\Animal\Desktop\how to remove hijacker, Antivirus Solution Pro - Google Search.url
[2010/08/10 10:21:29 | 000,000,262 | ---- | C] () -- C:\Documents and Settings\Animal\Desktop\My Anti Spyware.url
[2010/08/06 13:36:41 | 000,000,290 | ---- | C] () -- C:\Documents and Settings\Animal\Desktop\Possibly infected with - Antivirus Solution Pro, Poss entries added to Toolbars and Extension's.url
[2010/08/06 09:16:15 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Animal\Desktop\gmer.exe
[2010/08/05 22:04:16 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\Animal\Desktop\dds.scr
[2010/08/05 22:02:39 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Animal\defogger_reenable
[2010/08/05 21:52:22 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Animal\Desktop\Defogger.exe
[2010/08/05 20:36:30 | 000,002,682 | ---- | C] () -- C:\Documents and Settings\Animal\Desktop\New Rich Text Document.rtf
[2010/08/05 14:19:55 | 000,043,441 | ---- | C] () -- C:\Documents and Settings\Animal\Desktop\In.rtf
[2010/08/04 16:54:23 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
[2010/08/04 06:57:05 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\Animal\Local Settings\Application Data\housecall.guid.cache
[2010/08/03 21:29:18 | 000,000,316 | -HS- | C] () -- C:\WINDOWS\tasks\hvmlnr.job
[2010/08/03 21:29:17 | 000,102,400 | RHS- | C] () -- C:\WINDOWS\System32\auditusrv.dll
[2010/08/03 21:24:41 | 000,000,282 | -H-- | C] () -- C:\WINDOWS\tasks\8d7817c0.job
[2010/08/03 11:59:03 | 000,014,443 | ---- | C] () -- C:\Documents and Settings\Animal\.recently-used.xbel
[2010/04/01 13:33:19 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2001/12/10 02:25:54 | 000,397,312 | ---- | C] () -- C:\WINDOWS\System32\Amsample.dll
[2001/11/06 04:03:28 | 000,331,776 | ---- | C] () -- C:\WINDOWS\System32\Amoucplx.dll
[2001/08/31 03:33:46 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\Amhooker.dll
[2000/12/13 02:10:40 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\Amoures.dll

========== LOP Check ==========

[2010/07/12 18:31:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Animal\Application Data\com.zoosk.Desktop.096E6A67431258A508A2446A847B240591D2C99B.1
[2010/07/24 10:42:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Animal\Application Data\gtk-2.0
[2010/07/31 17:43:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Animal\Application Data\Singlesnet
[2010/02/06 16:43:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Animal\Application Data\Thinstall
[2009/08/18 08:54:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Animal\Application Data\Windows Search
[2010/08/14 15:46:23 | 000,000,282 | -H-- | M] () -- C:\WINDOWS\Tasks\8d7817c0.job
[2010/08/14 07:09:55 | 000,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job
[2010/08/14 15:46:07 | 000,000,316 | -HS- | M] () -- C:\WINDOWS\Tasks\hvmlnr.job
[2010/08/14 15:51:35 | 000,000,408 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2010/08/14 07:07:01 | 000,002,762 | ---- | M] () -- C:\aaw7boot.log
[2009/08/17 15:20:31 | 000,006,240 | ---- | M] () -- C:\AEIusb.log
[2009/08/16 09:52:05 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2009/08/16 09:46:24 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2009/08/22 12:28:15 | 000,010,701 | R--- | M] () -- C:\CLDMA.LOG
[2009/08/16 09:52:05 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2010/08/14 15:46:01 | 1064,374,272 | -HS- | M] () -- C:\hiberfil.sys
[2009/08/16 09:52:05 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2009/08/16 09:52:05 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2004/08/12 09:02:34 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2009/08/17 18:48:09 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2010/08/14 15:46:00 | 1598,029,824 | -HS- | M] () -- C:\pagefile.sys
[2010/08/14 16:28:01 | 000,001,512 | ---- | M] () -- C:\PureRa.txt
[2010/08/12 16:09:31 | 000,001,982 | ---- | M] () -- C:\TDSSKiller.2.4.1.1_12.08.2010_16.09.17_log.txt

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2010/08/03 21:29:18 | 000,102,400 | RHS- | M] () Unable to obtain MD5 -- C:\WINDOWS\system32\auditusrv.dll
[2009/03/08 04:31:44 | 000,348,160 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtmsft.dll
[2009/03/08 04:31:38 | 000,216,064 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtrans.dll
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >
[2010/08/14 15:46:07 | 000,000,316 | -HS- | M] () Unable to obtain MD5 -- C:\WINDOWS\Tasks\hvmlnr.job

< %systemroot%\System32\config\*.sav >
[2009/08/16 04:15:54 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2009/08/16 04:15:53 | 000,634,880 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2009/08/16 04:15:53 | 000,872,448 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\system32\drivers\*.sys /90 >
[2010/08/12 00:07:44 | 000,095,024 | ---- | M] (Sunbelt Software) -- C:\WINDOWS\system32\drivers\SBREDrv.sys
[2010/06/21 10:27:11 | 000,354,304 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\srv.sys

< %systemroot%\system32\Spool\prtprocs\w32x86\*.dll >
[2008/07/06 07:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
< End of report >

-------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------

OTL Extras logfile created on: 8/14/2010 5:41:09 PM - Run 5
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Documents and Settings\Animal\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,015.00 Mb Total Physical Memory | 464.00 Mb Available Physical Memory | 46.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 79.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.50 Gb Total Space | 66.54 Gb Free Space | 89.31% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ANIMAL-12ACF40B
Current User Name: Animal
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Extra Registry (All) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.chm [@ = chm.file] -- C:\WINDOWS\hh.exe (Microsoft Corporation)
.cpl [@ = cplfile] -- C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\WINDOWS\System32\winhlp32.exe (Microsoft Corporation)
.hta [@ = htafile] -- C:\WINDOWS\System32\mshta.exe (Microsoft Corporation)
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)
.inf [@ = inffile] -- C:\WINDOWS\System32\NOTEPAD.EXE (Microsoft Corporation)
.ini [@ = inifile] -- C:\WINDOWS\System32\NOTEPAD.EXE (Microsoft Corporation)
.url [@ = InternetShortcut] -- C:\WINDOWS\system32\ieframe.DLL (Microsoft Corporation)
.js [@ = JSFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.jse [@ = JSEFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.reg [@ = regfile] -- C:\WINDOWS\regedit.exe (Microsoft Corporation)
.txt [@ = txtfile] -- C:\WINDOWS\System32\NOTEPAD.EXE (Microsoft Corporation)
.vbe [@ = VBEFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.vbs [@ = VBSFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.wsf [@ = WSFFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.wsh [@ = WSHFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [edit] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
batfile [open] -- "%1" %*
batfile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
chm.file [open] -- "C:\WINDOWS\hh.exe" %1 (Microsoft Corporation)
cmdfile [edit] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
cmdfile [open] -- "%1" %*
cmdfile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- winhlp32.exe %1 (Microsoft Corporation)
hlpfile [open] -- %SystemRoot%\System32\winhlp32.exe %1 (Microsoft Corporation)
htafile [open] -- C:\WINDOWS\system32\mshta.exe "%1" %* (Microsoft Corporation)
htmlfile [edit] -- Reg Error: Key error.
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1 (Microsoft Corporation)
inffile [open] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
inffile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
inifile [open] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
inifile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
InternetShortcut [open] -- "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
jsfile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
jsfile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
jsfile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
jsefile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
jsefile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
jsefile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [edit] -- %SystemRoot%\system32\NOTEPAD.EXE %1 (Microsoft Corporation)
regfile [open] -- regedit.exe "%1" (Microsoft Corporation)
regfile [merge] -- Reg Error: Key error.
regfile [print] -- %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
txtfile [open] -- %SystemRoot%\system32\NOTEPAD.EXE %1 (Microsoft Corporation)
txtfile [print] -- %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
txtfile [printto] -- %SystemRoot%\system32\notepad.exe /pt "%1" "%2" "%3" "%4" (Microsoft Corporation)
vbefile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
vbefile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
vbefile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
vbsfile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
vbsfile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
vbsfile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
wsffile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
wsffile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
wsffile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
wshfile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"UacDisableNotify" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
"DisableMonitoring" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe" = C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync -- (Microsoft Corporation)
"C:\Program Files\Qwest\QuickConnect\QuickConnect.exe" = C:\Program Files\Qwest\QuickConnect\QuickConnect.exe:*:Enabled:QuickConnect -- (Qwest Communications International Inc.)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe" = C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync -- (Microsoft Corporation)
"C:\Program Files\Messenger\msmsgs.exe" = C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger -- (Microsoft Corporation)
"C:\WINDOWS\system32\sessmgr.exe" = C:\WINDOWS\system32\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"C:\Program Files\Qwest\QuickConnect\QuickConnect.exe" = C:\Program Files\Qwest\QuickConnect\QuickConnect.exe:*:Disabled:QuickConnect -- (Qwest Communications International Inc.)
"C:\WINDOWS\system32\mmc.exe" = C:\WINDOWS\system32\mmc.exe:*:Disabled:Microsoft Management Console -- (Microsoft Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{26A24AE4-039D-4CA4-87B4-2F83216021FF}" = Java™ 6 Update 21
"{2EEE18E7-5C87-4506-A7E4-A42A6191B03E}" = Panda Antivirus Pro 2009
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{4998FF95-709A-430A-B104-92A009ABB848}" = QuickConnect
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}" = Windows Live Sync
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Extreme Graphics Driver
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A63E18AC-B504-4045-AFE6-A279BBABB988}" = Qwest QuickAssist Desktop Tools
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.3
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{E62A1F01-07B7-4541-A835-EE5B0BF064C2}" = Microsoft Antimalware
"{EF98A02A-1748-4762-9B7D-5ED1600520D5}" = Microsoft Security Essentials
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Eusing Free Registry Cleaner" = Eusing Free Registry Cleaner
"Eusing Free Registry Defrag" = Eusing Free Registry Defrag
"FileHippo.com" = FileHippo.com Update Checker
"Free Internet Window Washer" = Free Internet Window Washer
"ie8" = Windows Internet Explorer 8
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft Security Essentials" = Microsoft Security Essentials
"Wdf01007" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
"WheelMouse" = iWheelWorks V7.36
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WinRAR archiver" = WinRAR archiver
"winusb0100" = Microsoft WinUsb 1.0
"Wudf01007" = Microsoft User-Mode Driver Framework Feature Pack 1.7

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 7/23/2010 10:52:22 AM | Computer Name = ANIMAL-12ACF40B | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 7/24/2010 9:12:45 AM | Computer Name = ANIMAL-12ACF40B | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 7/24/2010 3:26:33 PM | Computer Name = ANIMAL-12ACF40B | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 microsoft antimalware (bcf43643-a118-4432-aede-d861fcbcfcde),
P2 2.1.6805.0, P3 timeout, P4 0.0.0.0, P5 local, P6 unspecified, P7 unspecified,
P8 NIL, P9 NIL, P10 NIL.

Error - 7/24/2010 3:26:42 PM | Computer Name = ANIMAL-12ACF40B | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 microsoft antimalware (bcf43643-a118-4432-aede-d861fcbcfcde),
P2 2.1.6805.0, P3 timeout, P4 1.1.6004.0, P5 local, P6 unspecified, P7 unspecified,
P8 NIL, P9 NIL, P10 NIL.

Error - 7/24/2010 3:26:45 PM | Computer Name = ANIMAL-12ACF40B | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 microsoft antimalware (bcf43643-a118-4432-aede-d861fcbcfcde),
P2 2.1.6805.0, P3 timeout, P4 1.1.6004.0, P5 local, P6 unspecified, P7 unspecified,
P8 NIL, P9 NIL, P10 NIL.

Error - 7/24/2010 3:26:46 PM | Computer Name = ANIMAL-12ACF40B | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 microsoft antimalware (bcf43643-a118-4432-aede-d861fcbcfcde),
P2 2.1.6805.0, P3 timeout, P4 1.1.6004.0, P5 local, P6 unspecified, P7 unspecified,
P8 NIL, P9 NIL, P10 NIL.

Error - 7/24/2010 3:26:48 PM | Computer Name = ANIMAL-12ACF40B | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 microsoft antimalware (bcf43643-a118-4432-aede-d861fcbcfcde),
P2 2.1.6805.0, P3 passthrough, P4 1.1.6004.0, P5 local, P6 unspecified, P7 unspecified,
P8 NIL, P9 NIL, P10 NIL.

Error - 7/24/2010 7:04:05 PM | Computer Name = ANIMAL-12ACF40B | Source = Google Update | ID = 20
Description =

Error - 7/24/2010 8:04:05 PM | Computer Name = ANIMAL-12ACF40B | Source = Google Update | ID = 20
Description =

Error - 7/24/2010 9:04:05 PM | Computer Name = ANIMAL-12ACF40B | Source = Google Update | ID = 20
Description =

[ System Events ]
Error - 8/12/2010 5:15:44 PM | Computer Name = ANIMAL-12ACF40B | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 8/12/2010 5:15:45 PM | Computer Name = ANIMAL-12ACF40B | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 8/12/2010 5:16:48 PM | Computer Name = ANIMAL-12ACF40B | Source = Service Control Manager | ID = 7000
Description = The Google Update Service (gupdate) service failed to start due to
the following error: %%3

Error - 8/13/2010 2:27:24 AM | Computer Name = ANIMAL-12ACF40B | Source = Service Control Manager | ID = 7000
Description = The Google Update Service (gupdate) service failed to start due to
the following error: %%3

Error - 8/13/2010 11:11:43 AM | Computer Name = ANIMAL-12ACF40B | Source = Service Control Manager | ID = 7000
Description = The Google Update Service (gupdate) service failed to start due to
the following error: %%3

Error - 8/14/2010 8:07:15 AM | Computer Name = ANIMAL-12ACF40B | Source = Service Control Manager | ID = 7000
Description = The Google Update Service (gupdate) service failed to start due to
the following error: %%3

Error - 8/14/2010 3:00:44 PM | Computer Name = ANIMAL-12ACF40B | Source = Service Control Manager | ID = 7000
Description = The Google Update Service (gupdate) service failed to start due to
the following error: %%3

Error - 8/14/2010 3:53:45 PM | Computer Name = ANIMAL-12ACF40B | Source = DCOM | ID = 10010
Description = The server {D6015EC3-FA16-4813-9CA1-DA204574F5DA} did not register
with DCOM within the required timeout.

Error - 8/14/2010 3:54:47 PM | Computer Name = ANIMAL-12ACF40B | Source = Service Control Manager | ID = 7000
Description = The Google Update Service (gupdate) service failed to start due to
the following error: %%3

Error - 8/14/2010 4:46:24 PM | Computer Name = ANIMAL-12ACF40B | Source = Service Control Manager | ID = 7000
Description = The Google Update Service (gupdate) service failed to start due to
the following error: %%3


< End of report >


#4 kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 15 August 2010 - 06:55 AM

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    CODE
    :OTL
    [2010/08/14 15:46:23 | 000,000,282 | -H-- | M] () -- C:\WINDOWS\tasks\8d7817c0.job
    [2010/08/14 15:46:07 | 000,000,316 | -HS- | M] () -- C:\WINDOWS\tasks\hvmlnr.job
    [2010/08/03 21:29:18 | 000,102,400 | RHS- | M] () -- C:\WINDOWS\System32\auditusrv.dll

    :Commands
    [emptytemp]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • It will produce a log for you on reboot, please post that log in your next reply.
Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.
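The three lines in the :OTL section above are OTL file entries: a timestamp, the size, a four-character attribute column, then the path. What makes a helper pick them out is the attribute column (hidden and system flags on files that have no business being hidden), the scheduled-task .job location, and a DLL in System32 with no company name in its version info. As an added example, not part of this thread and not OTL's own code, the Python below parses lines in that format, applies those checks, and emits the result in the same :OTL fix syntax used in the post. The decoding of the attribute column as R(ead-only) H(idden) S(ystem) D(irectory) is an assumption drawn from the lines shown, and the fourth, benign Microsoft line is constructed here for contrast.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Matches OTL file/folder entries such as
#   [2010/08/14 15:46:23 | 000,000,282 | -H-- | M] () -- C:\WINDOWS\tasks\8d7817c0.job
# Attribute column decoded as R(eadonly) H(idden) S(ystem) D(irectory): an assumption
# based on the lines in this thread, not taken from OTL documentation.
OTL_LINE = re.compile(
    r"\[(?P<date>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s*\|\s*"
    r"(?P<size>[\d,]+)\s*\|\s*"
    r"(?P<attrs>[RHSD-]{4})\s*\|\s*"
    r"(?P<kind>[MC])\]\s*"
    r"(?:\((?P<company>[^)]*)\))?\s*--\s*(?P<path>.+?)\s*$"
)


@dataclass
class OtlEntry:
    raw: str          # original log line, reused verbatim in the fix script
    date: str
    size: int
    readonly: bool
    hidden: bool
    system: bool
    directory: bool
    company: str      # empty when OTL printed "()" (no company in version info)
    path: str


def parse_otl_line(line: str) -> Optional[OtlEntry]:
    """Decode one OTL entry; None for lines that are not file entries."""
    m = OTL_LINE.search(line)
    if not m:
        return None
    a = m.group("attrs")
    return OtlEntry(
        raw=line.strip(),
        date=m.group("date"),
        size=int(m.group("size").replace(",", "")),
        readonly=a[0] == "R", hidden=a[1] == "H",
        system=a[2] == "S", directory=a[3] == "D",
        company=(m.group("company") or "").strip(),
        path=m.group("path"),
    )


def suspicious_reasons(e: OtlEntry) -> List[str]:
    """The checks a helper applies by eye; each hit is one reason string."""
    reasons = []
    low = e.path.lower()
    stem = low.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if e.hidden or e.system:
        reasons.append("hidden/system attribute")
    if low.endswith(".job"):
        reasons.append("scheduled task (.job) in the Tasks folder")
    if "\\system32\\" in low and not e.company and not e.directory:
        reasons.append("file in System32 with no company in its version info")
    if re.fullmatch(r"[0-9a-f]{8,}", stem):
        reasons.append("hex-looking random name")
    return reasons


def triage(lines) -> List[Tuple[OtlEntry, List[str]]]:
    """Return (entry, reasons) for every parseable line that trips a check."""
    flagged = []
    for line in lines:
        e = parse_otl_line(line)
        if e is None:
            continue
        reasons = suspicious_reasons(e)
        if reasons:
            flagged.append((e, reasons))
    return flagged


def build_otl_fix(flagged) -> str:
    """Emit a fix in the syntax used above: log lines under :OTL, then [emptytemp]."""
    out = [":OTL"] + [e.raw for e, _ in flagged] + ["", ":Commands", "[emptytemp]"]
    return "\n".join(out)


# The three lines from the fix above plus one constructed benign entry
# (MpSigStub.exe, whose size matches the ComboFix listing later in the thread).
SAMPLE_LINES = [
    r"[2010/08/14 15:46:23 | 000,000,282 | -H-- | M] () -- C:\WINDOWS\tasks\8d7817c0.job",
    r"[2010/08/14 15:46:07 | 000,000,316 | -HS- | M] () -- C:\WINDOWS\tasks\hvmlnr.job",
    r"[2010/08/03 21:29:18 | 000,102,400 | RHS- | M] () -- C:\WINDOWS\System32\auditusrv.dll",
    r"[2010/06/01 17:37:00 | 000,221,568 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe",
]

if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LINES):
        print(entry.path, "->", "; ".join(reasons))
    print(build_otl_fix(triage(SAMPLE_LINES)))
```

Feed it the "Files - Modified" and "Files - Created" sections of a full OTL log and it reproduces the candidates a helper would look at first; the Microsoft line drops out because it is neither hidden nor anonymous.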

#5 steeldarkstar
  • Topic Starter

  • Members
  • 31 posts
  • Gender:Male
  • Location:Minnesota

Posted 15 August 2010 - 01:23 PM

Here is the OTL text. 08152010_123306.text

All processes killed
========== OTL ==========
C:\WINDOWS\tasks\8d7817c0.job moved successfully.
C:\WINDOWS\tasks\hvmlnr.job moved successfully.
C:\WINDOWS\system32\auditusrv.dll moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 131312 bytes
->Temporary Internet Files folder emptied: 1485420 bytes
->Flash cache emptied: 56960 bytes

User: All Users

User: Animal
->Temp folder emptied: 35330 bytes
->Temporary Internet Files folder emptied: 3119438 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 461 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 343 bytes

User: NetworkService
->Temp folder emptied: 312932 bytes
->Temporary Internet Files folder emptied: 33237 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2162283 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 5118 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 43306598 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 48.00 mb


OTL by OldTimer - Version 3.2.9.1 log created on 08152010_123306

Files\Folders moved on Reboot...
C:\Documents and Settings\Animal\Local Settings\Temporary Internet Files\Content.IE5\QO4RSRVY\topic337734[1].htm moved successfully.
C:\Documents and Settings\Animal\Local Settings\Temporary Internet Files\Content.IE5\GWL5HV3S\iframe[1].htm moved successfully.
C:\Documents and Settings\Animal\Local Settings\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.

Registry entries deleted on Reboot...

---------------------------------------------------------------------------
---------------------------------------------------------------------------

Here is the ComboFix.txt

ComboFix 10-08-14.06 - Animal 08/15/2010 13:05:38.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.707 [GMT -5:00]
Running from: c:\documents and settings\Animal\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.

((((((((((((((((((((((((( Files Created from 2010-07-15 to 2010-08-15 )))))))))))))))))))))))))))))))
.

2010-08-15 17:33 . 2010-08-15 17:33 -------- dc----w- C:\_OTL
2010-08-14 21:15 . 2010-08-14 21:15 -------- dc-h--w- c:\windows\PIF
2010-08-14 19:59 . 2010-08-14 20:00 -------- dc----w- c:\program files\Microsoft Security Essentials
2010-08-12 21:51 . 2010-08-12 21:51 -------- dc----w- c:\program files\Common Files\Java
2010-08-12 17:41 . 2010-08-12 17:42 -------- dc----w- c:\documents and settings\Animal\Local Settings\Application Data\Browser Guard 2010
2010-08-12 17:39 . 2010-08-12 17:39 -------- dc----w- c:\program files\Trend Micro
2010-08-12 05:07 . 2010-08-12 05:07 95024 -c--a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-08-12 04:59 . 2010-08-12 04:59 -------- dc----w- c:\program files\Lavasoft
2010-08-12 04:36 . 2010-08-12 04:36 -------- dcsh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-08-12 04:30 . 2010-08-12 04:30 -------- dc----w- c:\documents and settings\Animal\Local Settings\Application Data\Sunbelt Software
2010-08-12 04:27 . 2010-08-14 12:11 -------- dc----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-08-11 17:33 . 2010-08-11 17:33 -------- dc----w- c:\program files\Microsoft Silverlight
2010-08-11 07:44 . 2010-08-11 07:44 77184 -c--a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-08-11 07:44 . 2010-08-11 14:45 -------- dc----w- c:\documents and settings\All Users\Application Data\NOS
2010-08-11 01:32 . 2010-08-11 01:32 503808 -c--a-w- c:\documents and settings\Animal\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-36722a4f-n\msvcp71.dll
2010-08-11 01:32 . 2010-08-11 01:32 499712 -c--a-w- c:\documents and settings\Animal\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-36722a4f-n\jmc.dll
2010-08-11 01:32 . 2010-08-11 01:32 348160 -c--a-w- c:\documents and settings\Animal\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-36722a4f-n\msvcr71.dll
2010-08-11 01:32 . 2010-08-11 01:32 61440 -c--a-w- c:\documents and settings\Animal\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-520763f4-n\decora-sse.dll
2010-08-11 01:32 . 2010-08-11 01:32 12800 -c--a-w- c:\documents and settings\Animal\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-520763f4-n\decora-d3d.dll
2010-08-06 14:03 . 2010-08-06 14:03 -------- dc----w- c:\program files\FileHippo.com
2010-08-05 16:15 . 2009-05-07 07:04 157712 -c--a-w- c:\windows\system32\drivers\tmcomm.sys
2010-08-04 21:54 . 2008-04-14 00:11 21504 -c--a-w- c:\windows\system32\drivers\hidserv.dll
2010-08-04 16:40 . 2001-08-17 18:48 12160 -c--a-w- c:\windows\system32\drivers\mouhid.sys
2010-08-04 16:40 . 2008-04-14 00:11 21504 -c--a-w- c:\windows\system32\hidserv.dll
2010-08-04 16:40 . 2008-04-13 18:45 10368 -c--a-w- c:\windows\system32\drivers\hidusb.sys
2010-08-04 08:43 . 2010-08-04 08:43 -------- dc----w- c:\documents and settings\Animal\Application Data\Malwarebytes
2010-08-04 06:46 . 2010-08-04 06:46 -------- dc----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-08-04 06:46 . 2010-08-04 06:46 -------- dc----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-04 06:19 . 2010-08-04 06:19 -------- dcsh--w- c:\documents and settings\Administrator\PrivacIE
2010-08-04 04:54 . 2010-08-04 04:54 -------- dcsh--w- c:\documents and settings\Administrator\IECompatCache
2010-08-04 04:08 . 2010-08-04 04:08 17376 -c--a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-08-04 04:08 . 2010-08-04 04:08 -------- dcsh--w- c:\documents and settings\Administrator\IETldCache
2010-07-31 22:43 . 2010-07-31 22:43 -------- dc----w- c:\documents and settings\Animal\Application Data\Singlesnet
2010-07-31 22:43 . 2010-07-31 22:43 -------- dc----w- c:\documents and settings\Animal\Local Settings\Application Data\Singlesnet.com
2010-07-29 00:30 . 2010-08-04 15:25 57344 -c--a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-07-29 00:17 . 2010-07-31 20:34 -------- dc----w- c:\documents and settings\Animal\Application Data\DivX
2010-07-29 00:11 . 2010-08-04 15:25 -------- dc----w- c:\documents and settings\All Users\Application Data\DivX
2010-07-27 17:30 . 2010-07-27 17:31 -------- dc----w- C:\WINSSLog
2010-07-24 19:26 . 2010-07-24 19:26 -------- dc----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2010-07-23 14:47 . 2010-06-01 17:37 221568 -c----w- c:\windows\system32\MpSigStub.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-12 21:49 . 2010-04-24 18:30 423656 -c--a-w- c:\windows\system32\deployJava1.dll
2010-08-11 07:54 . 2009-08-18 14:04 -------- dc----w- c:\program files\Common Files\Adobe
2010-08-11 01:43 . 2009-08-18 13:15 -------- dc----w- c:\program files\Windows Media Connect 2
2010-08-11 01:32 . 2010-04-24 18:30 -------- dc----w- c:\program files\Java
2010-08-06 20:46 . 2009-08-16 09:18 -------- dc----w- c:\program files\Analog Devices
2010-08-06 14:00 . 2010-02-06 21:34 -------- dc----w- c:\program files\Eusing Free Registry Defrag
2010-08-06 14:00 . 2010-02-06 21:35 -------- dc----w- c:\program files\Eusing Free Registry Cleaner
2010-08-06 00:54 . 2010-06-06 21:46 -------- dc----w- c:\program files\Free Internet Window Washer
2010-08-05 03:07 . 2010-04-03 14:26 -------- dc----w- c:\program files\Windows Live
2010-08-05 03:05 . 2009-08-22 10:08 -------- dc----w- c:\program files\CyberLink
2010-08-05 02:12 . 2009-08-16 15:11 -------- dc-h--w- c:\program files\InstallShield Installation Information
2010-08-04 21:54 . 2010-08-04 21:54 0 -c-ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2010-08-04 15:32 . 2010-04-04 23:16 -------- dc----w- c:\program files\Yahoo!
2010-07-24 15:42 . 2010-04-05 16:09 -------- dc----w- c:\documents and settings\Animal\Application Data\gtk-2.0
2010-07-22 14:10 . 2009-08-16 15:12 17376 -c--a-w- c:\documents and settings\Animal\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-12 23:31 . 2010-07-12 23:31 -------- dc----w- c:\documents and settings\Animal\Application Data\com.zoosk.Desktop.096E6A67431258A508A2446A847B240591D2C99B.1
2010-06-30 12:31 . 2004-08-12 14:04 149504 -c--a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22 . 2004-08-12 14:09 916480 -c--a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44 . 2004-08-12 14:09 1851904 -c--a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2004-08-12 14:06 354304 -c--a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2004-08-12 13:57 80384 -c--a-w- c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2009-08-16 14:49 744448 -c--a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-14 07:41 . 2004-08-12 14:01 1172480 -c--a-w- c:\windows\system32\msxml3.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-06-01 1093208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Qwest\\QuickConnect\\QuickConnect.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=

R2 sprtlisten;SupportSoft Listener Service;c:\program files\Common Files\supportsoft\bin\sprtlisten.exe [1/8/2008 12:02 PM 1213728]
R3 Amps2prt;Compatible PS/2 Port Mouse Driver;c:\windows\system32\drivers\Amps2prt.sys [12/17/2001 12:01 AM 9216]
S2 gupdate;Google Update Service (gupdate); [x]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
Trusted Zone: microsoft.com\windowsupdate
Trusted Zone: microsoft.com\www.update
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
HKLM-Run-WheelMouse - Amoumain.exe
Notify-avldr - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-15 13:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(616)
c:\windows\system32\l3codeca.acm

- - - - - - - > 'explorer.exe'(3012)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\l3codeca.acm
.
Completion time: 2010-08-15 13:12:34
ComboFix-quarantined-files.txt 2010-08-15 18:12

Pre-Run: 71,330,275,328 bytes free
Post-Run: 71,310,123,008 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - A134D2BDFDA1D8C0BA7F4698B59DC692


#6 kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 15 August 2010 - 02:09 PM

Update Run Malwarebytes

Please update\run Malwarebytes' Anti-Malware.

Double Click the Malwarebytes Anti-Malware icon to run the application.
  • Click on the update tab then click on Check for updates.
  • If an update is found, it will download and install the latest version.
  • Once the update has loaded, go to the Scanner tab and select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
=====
Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


#7 steeldarkstar
  • Topic Starter

  • Members
  • 31 posts
  • Gender:Male
  • Location:Minnesota

Posted 15 August 2010 - 03:07 PM

When I opened the browser to bleepingcomputer.com to post the last files (the OTL Run Fix txt & ComboFix txt), a message popped up stating Internet Explorer is not my current browser, would I like to set it as my default browser? I clicked yes.

I had Malwarebytes on my PC but I removed it before we started, so I just now reinstalled it, but it won't run or update, giving me the error message MBAM_ERROR_UPDATING (12007,0, WinHttpSendRequest).

Edited by steeldarkstar, 15 August 2010 - 03:54 PM.


#8 kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 15 August 2010 - 07:06 PM

Try this scanner instead please.

Please download SUPERAntiSpyware Home Edition (free version).
  • Install it and double-click the icon on your desktop to run it.
  • It will ask if you want to update the program definitions, click Yes.
  • Under Configuration and Preferences, click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked:
  • Close browsers before scanning
  • Scan for tracking cookies
  • Scan for Alternate Data streams
  • Terminate memory threats before quarantining.
  • Please leave the others unchecked.
  • Click the Close button to leave the control center screen.

Then run Superantispyware.
  • Double click on the icon to start Superantispyware.
  • On the main screen, under Scan for Harmful Software click Scan your computer.
  • On the left check C:\Fixed Drive.
  • On the right, under Complete Scan, choose Perform Complete Scan.
  • Click Next to start the scan. Please be patient while it scans your computer.
  • After the scan is complete a summary box will appear. Click OK.
  • Make sure everything in the white box has a check next to it, then click Next.
  • It will quarantine what it found and if it asks if you want to reboot, click Yes.
To retrieve the removal information for me please do the following:
  1. After reboot, double-click the SUPERAntispyware icon on your desktop.
  2. Click Preferences. Click the Statistics/Logs tab.
  3. Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
  4. It will open in your default text editor (such as Notepad/Wordpad).
  5. Please highlight everything in the notepad, then right-click and choose copy.
  6. Click close and close again to exit the program.
Save the log information. If needed (still infected) paste this info along with your HijackThis log.

#9 steeldarkstar
  • Topic Starter

  • Members
  • 31 posts
  • Gender:Male
  • Location:Minnesota

Posted 15 August 2010 - 09:41 PM

I ran the Kaspersky Online Scanner (it ran for over 2.5 hrs) and when it finished I clicked on the report button on the left, right under the scan button, to copy and paste the scan.txt file as you asked, but all that came up was an empty white box, and beneath the box was a link to a virus encyclopedia. That was all that came up.

I'm confused by your last instructions. You asked me to paste the SUPERAntiSpyware Scan Log (this part I understand), but along with my HijackThis log? I checked back through all the instructions but could not find anything about HijackThis. Where can I find the HijackThis log?

Edited by steeldarkstar, 15 August 2010 - 10:02 PM.


#10 steeldarkstar
  • Topic Starter

  • Members
  • 31 posts
  • Gender:Male
  • Location:Minnesota

Posted 15 August 2010 - 10:45 PM

After SUPERAntiSpyware finished I did the reboot. After the computer rebooted and loaded, I clicked my desktop link for bleepingcomputer.com and 2 page tabs opened: one was the bleepingcomputer forums and the other was google5analyticalsearch, so I closed both tabs (closed the browser), then clicked on my desktop link for bleepingcomputer.com again, and this time it opened the bleepingcomputer forums correctly with only one tab showing!

Here is the SUPERAntiSpyware Scan Log

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/15/2010 at 10:32 PM

Application Version : 4.41.1000

Core Rules Database Version : 5361
Trace Rules Database Version: 3173

Scan type : Complete Scan
Total Scan Time : 00:20:46

Memory items scanned : 365
Memory threats detected : 0
Registry items scanned : 4655
Registry threats detected : 0
File items scanned : 15058
File threats detected : 7

Adware.Tracking Cookie
C:\Documents and Settings\Animal\Cookies\animal@clicks.coolgreensearch[1].txt
C:\Documents and Settings\Animal\Cookies\animal@ads.bleepingcomputer[2].txt
C:\Documents and Settings\Animal\Cookies\animal@admarketplace[1].txt
C:\Documents and Settings\Animal\Cookies\animal@apartmentfinder[1].txt
C:\Documents and Settings\Animal\Cookies\animal@bridge2.admarketplace[1].txt
C:\Documents and Settings\Animal\Cookies\animal@clicksor[2].txt
C:\Documents and Settings\Animal\Cookies\animal@www.apartmentfinder[1].txt

Edited by steeldarkstar, 15 August 2010 - 11:00 PM.


#11 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 16 August 2010 - 06:43 AM

QUOTE
I'm confused: in your last instructions you asked me to paste the SUPERAntiSpyware Scan Log (this part I understand), but along with my HijackThis log? I checked back through all the instructions but could not find anything about HijackThis; where can I find the HijackThis log?
It was merely an oversight; I accidentally didn't remove it from my last post.
When you opened the link, did it happen to say "restore last browsing session"?
  1. Please download mbrcheck from Here
  2. Save that file to your desktop and double click on it to run it.
  3. It will show a black screen with some data on it, then hit any key to continue.
  4. Once it finishes there will be a log produced on your desktop that is labeled mbrcheck*.txt (where the * is the date).
  5. Please post the contents of that log in your next reply.

Edited by kahdah, 16 August 2010 - 06:44 AM.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here

#12 steeldarkstar

steeldarkstar
  • Topic Starter

  • Members
  • 31 posts
  • Gender:Male
  • Location:Minnesota

Posted 16 August 2010 - 09:29 AM

I know what the (restore last browsing session) popup is, but no, it didn't come up; all I clicked on when the 2 tabs opened was the desktop link! When I started my computer this morning and clicked on the Bleepingcomputer desktop shortcut, it happened again: I clicked my desktop shortcut for bleepingcomputer.com and 2 page tabs opened, one was the bleepingcomputer forums and the other was googlesyndication something (it is a different site each time). It seems anytime I click on a link or enter any site that has something to do with malware or antivirus download websites I get 2 tabs opening instead of one: there will be the site I was instructed to download from, such as the ComboFix site, Kaspersky Online Scanner, and the SUPERAntiSpyware site, which all opened up in a new tab just fine, but with an extra tab trying to open to websites I was not familiar with or had never seen before, just like googlesyndication & google5analyticalsearch etc., but not all of them have google in the site name. But I will close them before they get a chance to fully load the page so they can't load anything bad, just in case that's what they are trying to do!
Also, I had mentioned in my first entry that I found 9 items listed under the name (SupportSoft Inc.), all of which seem to be ActiveX Controls; the entries are visible in my "Toolbars and Extensions" under View and Manage your Internet Explorer add-ons, when I click to have it show add-ons that (run without permission). Are these legit items? I'm just curious as I had never noticed them before, but then maybe they are part of my operating system and I just didn't see them there before.

Here is the mbrcheck text file.

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000001c

Kernel Drivers (total 104):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x806EE000 \WINDOWS\system32\hal.dll
0xF7AD7000 \WINDOWS\system32\KDCOM.DLL
0xF79E7000 \WINDOWS\system32\BOOTVID.dll
0xF7588000 ACPI.sys
0xF7AD9000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF7577000 pci.sys
0xF75D7000 isapnp.sys
0xF7B9F000 pciide.sys
0xF7857000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF75E7000 MountMgr.sys
0xF7558000 ftdisk.sys
0xF785F000 PartMgr.sys
0xF75F7000 VolSnap.sys
0xF7540000 atapi.sys
0xF7607000 disk.sys
0xF7617000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF7520000 fltmgr.sys
0xF750E000 sr.sys
0xF74F7000 KSecDD.sys
0xF746A000 Ntfs.sys
0xF743D000 NDIS.sys
0xF7423000 Mup.sys
0xF77E7000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF6D28000 \SystemRoot\system32\DRIVERS\ialmnt5.sys
0xF6D14000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF7937000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF6CF0000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF793F000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF6C45000 \SystemRoot\system32\DRIVERS\winachcf.sys
0xF7947000 \SystemRoot\System32\Drivers\Modem.SYS
0xF77F7000 \SystemRoot\system32\DRIVERS\bcm4sbxp.sys
0xF794F000 \SystemRoot\system32\DRIVERS\fdc.sys
0xF7807000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF7957000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF7A8F000 \SystemRoot\system32\DRIVERS\Amps2prt.sys
0xF795F000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF7817000 \SystemRoot\system32\DRIVERS\serial.sys
0xF7A93000 \SystemRoot\system32\DRIVERS\serenum.sys
0xF6C31000 \SystemRoot\system32\DRIVERS\parport.sys
0xF7827000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF7837000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF7847000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF6C0E000 \SystemRoot\system32\DRIVERS\ks.sys
0xF7C1D000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF7637000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF7A9F000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF6BF7000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF7647000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF7657000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF7967000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF6BE6000 \SystemRoot\system32\DRIVERS\psched.sys
0xF7667000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF796F000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF7977000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF7677000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF7AFB000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF6AFE000 \SystemRoot\system32\DRIVERS\update.sys
0xF7AAF000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF6E0E000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF6DEE000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF7B23000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF71D9000 \SystemRoot\system32\drivers\MODEMCSA.sys
0xED714000 \SystemRoot\system32\DRIVERS\MpFilter.sys
0xF7B81000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7BF8000 \SystemRoot\System32\Drivers\Null.SYS
0xF7B83000 \SystemRoot\System32\Drivers\Beep.SYS
0xF78B7000 \SystemRoot\System32\drivers\vga.sys
0xF7B85000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7B87000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF78BF000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF78C7000 \SystemRoot\System32\Drivers\Npfs.SYS
0xEE885000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xEC67A000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xEC621000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xEC5F9000 \SystemRoot\system32\DRIVERS\netbt.sys
0xEC5D7000 \SystemRoot\System32\drivers\afd.sys
0xF77C7000 \SystemRoot\system32\DRIVERS\netbios.sys
0xEC5B5000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
0xEC58F000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xF77D7000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xF78F7000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
0xEC564000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xEC4F4000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xEE127000 \SystemRoot\System32\Drivers\Fips.SYS
0xF7707000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xEB248000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF7B67000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xF7AC3000 \SystemRoot\System32\drivers\Dxapi.sys
0xF788F000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7CAD000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF020000 \SystemRoot\System32\ialmdnt5.dll
0xBF012000 \SystemRoot\System32\ialmrnt5.dll
0xBF03F000 \SystemRoot\System32\ialmdev5.DLL
0xBF06B000 \SystemRoot\System32\ialmdd5.DLL
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xEB224000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xEB013000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xF7AED000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xEB730000 \SystemRoot\system32\DRIVERS\srv.sys
0xEB447000 \SystemRoot\System32\Drivers\HTTP.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 26):
0 System Idle Process
4 System
544 C:\WINDOWS\system32\smss.exe
592 csrss.exe
616 C:\WINDOWS\system32\winlogon.exe
660 C:\WINDOWS\system32\services.exe
672 C:\WINDOWS\system32\lsass.exe
824 C:\WINDOWS\system32\svchost.exe
908 svchost.exe
1000 C:\Program Files\Microsoft Security Essentials\MsMpEng.exe
1040 C:\WINDOWS\system32\svchost.exe
1136 svchost.exe
1332 svchost.exe
1448 C:\WINDOWS\system32\spoolsv.exe
1668 C:\WINDOWS\explorer.exe
1700 svchost.exe
1800 C:\Program Files\Java\jre6\bin\jqs.exe
1860 C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
2040 C:\Program Files\Common Files\Java\Java Update\jusched.exe
120 C:\Program Files\Microsoft Security Essentials\msseces.exe
1600 alg.exe
3328 C:\Program Files\Internet Explorer\iexplore.exe
3472 C:\Program Files\Internet Explorer\iexplore.exe
2248 C:\Program Files\Internet Explorer\iexplore.exe
2860 MpCmdRun.exe
420 C:\Documents and Settings\Animal\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: WDCWD800BB-75JHC0, Rev: 06.01C06

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!

Edited by steeldarkstar, 16 August 2010 - 09:45 AM.
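
As an added illustration of what the "MBR Status" and "SHA1" lines in the MBRCheck log above represent (example code added here; it is not part of this thread and not MBRCheck's own code): the script below builds a synthetic 512-byte MBR sector, verifies the 0x55AA boot signature, decodes the partition table (the sample partition starts at LBA 63, i.e. byte offset 0x7E00, the same offset the log shows for C:), and hashes the boot-code region so it can be compared against an allow-list of known-good hashes. The sample sector, the allow-list contents and the choice to hash only the first 446 bytes are assumptions; the exact byte range MBRCheck hashes is not stated in the log.

```python
"""Parse and assess a 512-byte MBR sector the way a defender would when
checking for boot-code tampering: signature check, partition decode,
SHA-1 of the boot code, comparison against a known-good allow-list.
All sample data here is constructed, not taken from a real disk."""
import hashlib
import struct
from typing import Dict, List, Set

MBR_SIZE = 512
BOOT_CODE_SIZE = 446            # bytes 0..445 hold the boot loader code
PARTITION_TABLE_OFFSET = 446    # four 16-byte partition entries follow
ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"    # last two bytes of every valid MBR
SECTOR_BYTES = 512


def build_sample_mbr() -> bytes:
    """Constructed sample sector: a few plausible boot-code opcodes padded
    with NOPs, one active NTFS partition starting at LBA 63, three empty
    entries and the 0x55AA signature."""
    boot_code = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C])
    boot_code += b"\x90" * (BOOT_CODE_SIZE - len(boot_code))
    # status, CHS start, type, CHS end, LBA of first sector, sector count
    ntfs_entry = struct.pack("<B3sB3sII",
                             0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff",
                             63, 156_296_322)
    empty_entry = b"\x00" * ENTRY_SIZE
    return boot_code + ntfs_entry + empty_entry * 3 + BOOT_SIGNATURE


def has_boot_signature(sector: bytes) -> bool:
    """A sector is only an MBR candidate if it is 512 bytes ending in 55 AA."""
    return len(sector) == MBR_SIZE and sector[-2:] == BOOT_SIGNATURE


def boot_code_sha1(sector: bytes) -> str:
    """SHA-1 over the 446-byte boot-code region only, so the value stays
    stable when partitions change. Assumption: the log does not say which
    byte range MBRCheck itself hashes."""
    return hashlib.sha1(sector[:BOOT_CODE_SIZE]).hexdigest().upper()


def parse_partitions(sector: bytes) -> List[Dict[str, int]]:
    """Decode the four partition-table entries, skipping empty (type 0) ones."""
    entries = []
    for i in range(4):
        start = PARTITION_TABLE_OFFSET + i * ENTRY_SIZE
        status, _, ptype, _, lba, count = struct.unpack(
            "<B3sB3sII", sector[start:start + ENTRY_SIZE])
        if ptype == 0:
            continue
        entries.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,                     # 0x07 = NTFS/HPFS/exFAT
            "lba_start": lba,
            "byte_offset": lba * SECTOR_BYTES,  # LBA 63 -> 0x7E00
            "sectors": count,
        })
    return entries


def assess_mbr(sector: bytes, known_good: Set[str]) -> Dict[str, object]:
    """Summarise what an analyst wants to know: valid signature, boot-code
    hash, whether that hash is on the allow-list, and the partition layout."""
    is_full = len(sector) == MBR_SIZE
    digest = boot_code_sha1(sector) if is_full else ""
    return {
        "valid_signature": has_boot_signature(sector),
        "sha1": digest,
        "known_good": digest in known_good,
        "partitions": parse_partitions(sector) if is_full else [],
    }


if __name__ == "__main__":
    sample = build_sample_mbr()
    # Placeholder allow-list: fill it with hashes captured from clean machines.
    KNOWN_GOOD = {boot_code_sha1(sample)}
    report = assess_mbr(sample, KNOWN_GOOD)
    print(f"signature ok: {report['valid_signature']}  SHA1: {report['sha1']}")
    for p in report["partitions"]:
        print(f"  partition {p['index']}: type 0x{p['type']:02X} at offset "
              f"0x{p['byte_offset']:X} ({p['sectors']} sectors)")
    print("known-good boot code" if report["known_good"]
          else "UNKNOWN boot code: compare against a clean reference")
```

To check a real sector, read the first 512 bytes of a disk image and pass them to assess_mbr. A hash missing from the allow-list is a reason to compare against a clean reference image, not proof of infection on its own, since OEM and installer boot code legitimately varies between machines.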


#13 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 16 August 2010 - 05:39 PM

Ok, download Kenco.exe to your desktop
  • Close all windows and run the program
  • It won't take long to run. Post the log it gives you (it will also be saved in the same place as Kenco.exe).


#14 steeldarkstar

steeldarkstar
  • Topic Starter

  • Members
  • 31 posts
  • Gender:Male
  • Location:Minnesota

Posted 16 August 2010 - 06:09 PM

Kenco by jpshortstuff (31.12.09.1)
Log created at 18:07 on 16/08/2010 (Animal)

========== Task Unlocker ==========

========== KencoScan ==========

========== C:\WINDOWS\Tasks ==========
MP Scheduled Scan.job -> [19:28 15/08/2010] 408 bytes

-=E.O.F=-

#15 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 16 August 2010 - 06:31 PM

Are you connected via a router by chance?
If so, unplug the computer from the router, bypass it entirely, and plug the cable from the modem into the computer.
See then if the redirects stop.



