Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with Virus Win32/Alureon.H


  • This topic is locked This topic is locked
37 replies to this topic

#1 String911

String911

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:01:58 AM

Posted 13 August 2010 - 07:38 PM

I'm pretty much computer illiterate and could use some help. I attempted to read through the logs of other people on this site who have had the same problem and get lost pretty quickly. Some info. I run XP, it's an old computer. I use Microsoft Security Essentials and Malwarebytes anti-malware. I cannot get MSE to update. It finds the virus, but no longer tells me it can disinfect. If I restart the computer, apparently the virus takes over and I get a blue screen of death, unless I'm able to turn MSE back on manually and run a scan quickly enough.

If I can't rid the computer of the virus, is it safe to try to move my photos and the other contents of my hard drive (iTunes and such) to an external hard drive or would that be corrupted as well? I'm desperate for help. Thanks in advance if anyone can help.

BC AdBot (Login to Remove)

 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:01:58 AM

Posted 13 August 2010 - 08:48 PM

Hello and welcome.
Please run the tool here How to remove Google Redirects

When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.


Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click Update tab, select Check for Updates,when done
click Scanner tab,select Quick scan and scan (normal mode).
After scan click Remove Selected, Post new scan log and Reboot into normal mode.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 String911

String911
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:01:58 AM

Posted 13 August 2010 - 09:32 PM

Understood. Only problem is that I may not be able to reboot because the computer crashes when I do. After my daughter mistakenly rebooted the computer today, it took 19 attempts to restart. With that in mind, should I still follow the steps as you've outlined them?

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:01:58 AM

Posted 13 August 2010 - 10:05 PM

Well I cannot promise but I suspect the malware to be at fault. We will need to reboot only if the first tool finds something and MBAM only if it asks. I ak too as reboting after changes makes them stick.

Edited by boopme, 13 August 2010 - 10:08 PM.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#5 String911

String911
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:01:58 AM

Posted 13 August 2010 - 10:43 PM

2010/08/13 23:40:17.0250 TDSS rootkit removing tool 2.4.1.1 Aug 10 2010 14:48:09
2010/08/13 23:40:17.0250 ================================================================================
2010/08/13 23:40:17.0250 SystemInfo:
2010/08/13 23:40:17.0250
2010/08/13 23:40:17.0250 OS Version: 5.1.2600 ServicePack: 3.0
2010/08/13 23:40:17.0250 Product type: Workstation
2010/08/13 23:40:17.0250 ComputerName: CHRIS-MJLO59ZBX
2010/08/13 23:40:17.0250 UserName: Owner
2010/08/13 23:40:17.0250 Windows directory: C:\WINDOWS
2010/08/13 23:40:17.0250 System windows directory: C:\WINDOWS
2010/08/13 23:40:17.0250 Processor architecture: Intel x86
2010/08/13 23:40:17.0250 Number of processors: 2
2010/08/13 23:40:17.0250 Page size: 0x1000
2010/08/13 23:40:17.0250 Boot type: Safe boot with network
2010/08/13 23:40:17.0250 ================================================================================
2010/08/13 23:40:17.0437 Initialize success
2010/08/13 23:40:27.0281 ================================================================================
2010/08/13 23:40:27.0281 Scan started
2010/08/13 23:40:27.0281 Mode: Manual;
2010/08/13 23:40:27.0281 ================================================================================
2010/08/13 23:40:28.0734 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/08/13 23:40:28.0859 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2010/08/13 23:40:29.0031 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2010/08/13 23:40:29.0140 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2010/08/13 23:40:29.0968 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/08/13 23:40:30.0046 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/08/13 23:40:30.0156 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/08/13 23:40:30.0250 ATWPKT2 (6276b02b10e55ccbb2a23979ad345aa9) C:\WINDOWS\system32\drivers\ATWPKT2.SYS
2010/08/13 23:40:30.0343 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/08/13 23:40:30.0453 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/08/13 23:40:30.0609 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/08/13 23:40:30.0734 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/08/13 23:40:30.0828 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/08/13 23:40:30.0890 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/08/13 23:40:31.0406 Disk (f00f3ce71ede724e4c5aaa1fc5236421) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/08/13 23:40:31.0406 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\disk.sys. Real md5: f00f3ce71ede724e4c5aaa1fc5236421, Fake md5: d655f94b369ade3c38c7e320526f0ed4
2010/08/13 23:40:31.0421 Disk - detected Rootkit.Win32.TDSS.tdl3 (0)
2010/08/13 23:40:31.0515 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2010/08/13 23:40:31.0640 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2010/08/13 23:40:31.0687 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/08/13 23:40:31.0796 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2010/08/13 23:40:31.0937 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/08/13 23:40:32.0046 E100B (d57a8fc800b501ac05b10d00f66d127a) C:\WINDOWS\system32\DRIVERS\e100b325.sys
2010/08/13 23:40:32.0156 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/08/13 23:40:32.0234 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
2010/08/13 23:40:32.0296 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2010/08/13 23:40:32.0359 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2010/08/13 23:40:32.0484 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2010/08/13 23:40:32.0578 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/08/13 23:40:32.0640 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/08/13 23:40:32.0734 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2010/08/13 23:40:32.0812 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/08/13 23:40:32.0890 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2010/08/13 23:40:32.0984 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/08/13 23:40:33.0140 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/08/13 23:40:33.0453 ialm (5a8e05f1d5c36abd58cffa111eb325ea) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
2010/08/13 23:40:33.0625 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/08/13 23:40:33.0843 IntelC51 (7509c548400f4c9e0211e3f6e66abbe6) C:\WINDOWS\system32\DRIVERS\IntelC51.sys
2010/08/13 23:40:33.0968 IntelC52 (9584ffdd41d37f2c239681d0dac2513e) C:\WINDOWS\system32\DRIVERS\IntelC52.sys
2010/08/13 23:40:34.0031 IntelC53 (de2686c0e012e6ae24acd6e79eb7ff5d) C:\WINDOWS\system32\DRIVERS\IntelC53.sys
2010/08/13 23:40:34.0203 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2010/08/13 23:40:34.0265 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2010/08/13 23:40:34.0328 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/08/13 23:40:34.0406 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/08/13 23:40:34.0500 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/08/13 23:40:34.0593 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\IPSEC.SYS
2010/08/13 23:40:34.0656 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/08/13 23:40:34.0734 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/08/13 23:40:34.0812 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/08/13 23:40:34.0859 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2010/08/13 23:40:34.0937 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2010/08/13 23:40:35.0031 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/08/13 23:40:35.0250 MBAMSwissArmy (c7dd7d9739785bd3a6b8499eec1dee7e) C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2010/08/13 23:40:35.0359 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/08/13 23:40:35.0484 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2010/08/13 23:40:35.0562 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
2010/08/13 23:40:35.0625 mohfilt (59b8b11ff70728eec60e72131c58b716) C:\WINDOWS\system32\DRIVERS\mohfilt.sys
2010/08/13 23:40:35.0687 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/08/13 23:40:35.0812 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/08/13 23:40:35.0875 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/08/13 23:40:35.0937 MpFilter (c98301ad8173a2235a9ab828955c32bb) C:\WINDOWS\system32\DRIVERS\MpFilter.sys
2010/08/13 23:40:36.0234 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/08/13 23:40:36.0343 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/08/13 23:40:36.0484 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2010/08/13 23:40:36.0562 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/08/13 23:40:36.0625 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/08/13 23:40:36.0703 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/08/13 23:40:36.0828 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/08/13 23:40:36.0890 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2010/08/13 23:40:36.0968 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2010/08/13 23:40:37.0031 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/08/13 23:40:37.0109 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/08/13 23:40:37.0171 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/08/13 23:40:37.0234 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/08/13 23:40:37.0312 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/08/13 23:40:37.0390 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/08/13 23:40:37.0515 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2010/08/13 23:40:37.0593 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/08/13 23:40:37.0687 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/08/13 23:40:37.0781 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/08/13 23:40:37.0859 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/08/13 23:40:37.0937 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
2010/08/13 23:40:38.0000 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/08/13 23:40:38.0078 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/08/13 23:40:38.0156 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/08/13 23:40:38.0312 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2010/08/13 23:40:38.0375 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2010/08/13 23:40:38.0468 PCTCore (807ff1dd6e1bdf8e7d2062fca0daecaf) C:\WINDOWS\system32\drivers\PCTCore.sys
2010/08/13 23:40:38.0984 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/08/13 23:40:39.0046 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
2010/08/13 23:40:39.0125 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/08/13 23:40:39.0187 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/08/13 23:40:39.0312 PulseUsb (82749a87e49fdc46e6d1b9627507dd75) C:\WINDOWS\system32\DRIVERS\PulseUsb.sys
2010/08/13 23:40:39.0718 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/08/13 23:40:39.0796 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/08/13 23:40:39.0859 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/08/13 23:40:39.0937 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/08/13 23:40:40.0000 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/08/13 23:40:40.0062 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/08/13 23:40:40.0171 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/08/13 23:40:40.0250 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/08/13 23:40:40.0406 RT61 (581e74880aeb1dba1cb5ac8e6e6c0a69) C:\WINDOWS\system32\DRIVERS\RT61.sys
2010/08/13 23:40:40.0546 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/08/13 23:40:40.0640 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
2010/08/13 23:40:40.0796 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/08/13 23:40:40.0984 SmartpenBus (a9daca3ef219e4739a0b59591d55b637) C:\WINDOWS\system32\DRIVERS\SmartpenBus.sys
2010/08/13 23:40:41.0046 SmartpenCom (347e3175be86affc15fed84c7ce2bf1c) C:\WINDOWS\system32\DRIVERS\SmartpenCom.sys
2010/08/13 23:40:41.0218 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2010/08/13 23:40:41.0296 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/08/13 23:40:41.0421 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/08/13 23:40:41.0593 STHDA (2a2dc39623adef8ab3703ab9fac4b440) C:\WINDOWS\system32\drivers\sthda.sys
2010/08/13 23:40:41.0734 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/08/13 23:40:41.0812 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2010/08/13 23:40:42.0140 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/08/13 23:40:42.0265 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/08/13 23:40:42.0343 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/08/13 23:40:42.0406 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/08/13 23:40:42.0500 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/08/13 23:40:42.0687 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2010/08/13 23:40:42.0875 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2010/08/13 23:40:43.0015 USBAAPL (4b8a9c16b6d9258ed99c512aecb8c555) C:\WINDOWS\system32\Drivers\usbaapl.sys
2010/08/13 23:40:43.0078 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2010/08/13 23:40:43.0140 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/08/13 23:40:43.0218 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/08/13 23:40:43.0265 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/08/13 23:40:43.0359 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2010/08/13 23:40:43.0390 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2010/08/13 23:40:43.0484 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/08/13 23:40:43.0578 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/08/13 23:40:43.0625 wanatw (0a716c08cb13c3a8f4f51e882dbf7416) C:\WINDOWS\system32\DRIVERS\wanatw4.sys
2010/08/13 23:40:43.0718 Wdf01000 (d918617b46457b9ac28027722e30f647) C:\WINDOWS\system32\Drivers\wdf01000.sys
2010/08/13 23:40:43.0796 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/08/13 23:40:44.0015 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
2010/08/13 23:40:44.0109 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2010/08/13 23:40:44.0156 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2010/08/13 23:40:44.0296 ================================================================================
2010/08/13 23:40:44.0296 Scan finished
2010/08/13 23:40:44.0296 ================================================================================
2010/08/13 23:40:44.0328 Detected object count: 1


#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:01:58 AM

Posted 13 August 2010 - 10:54 PM

did it ask you to Cure??

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#7 String911

String911
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:01:58 AM

Posted 13 August 2010 - 11:05 PM

Yes, and then it triggered a reboot and I can no longer get the system up. I am now on my wife's laptop.

#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:01:58 AM

Posted 13 August 2010 - 11:12 PM

I will get a specialist for this.. I doubt it will be tonight.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#9 String911

String911
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:01:58 AM

Posted 13 August 2010 - 11:41 PM

Through much perseverance, I was able to restart the computer safely, though only in safe mode. Here are the results of the Malwarebytes log and then I will attempt to reboot in normal mode. Wish me luck!

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4427

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

8/14/2010 12:36:38 AM
mbam-log-2010-08-14 (00-36-38).txt

Scan type: Quick scan
Objects scanned: 247951
Time elapsed: 27 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 5
Files Infected: 83

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{19090308-636d-4e9b-a1ce-a647b6f794bf} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{19090308-636d-4e9b-a1ce-a647b6f794bf} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{19090308-636d-4e9b-a1ce-a647b6f794bf} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{19090308-636d-4e9b-a1ce-a647b6f794bf} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\qtupdate (Rogue.WiresharkAntivirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Wireshark Antivirus (Rogue.WiresharkAntivirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\WinServers (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\exefile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (C:\Program Files\conhost.exe "%1" %*) Good: ("%1" %*) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\scdata (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\scdata\images (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService.NT AUTHORITY\Start Menu\Programs\Wireshark Antivirus (Rogue.WiresharkAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Start Menu\Programs\Wireshark Antivirus (Rogue.WiresharkAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\Wireshark Antivirus (Rogue.WiresharkAntivirus) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\shk_v10.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\win699.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\win69B.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\win69D.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\win69F.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\win6A1.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\win6A3.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\win6A5.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\win6A7.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\win6A9.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\win6AB.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\win6AD.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\win6AF.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\win6B1.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\win6B3.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\win6B5.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\win6B8.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\win6BA.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\win6BC.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\win6BE.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\win6C6.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\win6C8.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\win6CA.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\win6CD.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\win6CF.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\win6D1.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\win6D3.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\win6D5.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\win6D7.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\win6D9.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\win6DB.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\win6DD.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\win6E2.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\win6E4.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\win6E6.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\win10.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\win11.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\win13.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\win15.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\win16.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\win18.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\win1A.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\winC.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\winE.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\Q3S1Z2QS\PC_protect[2].exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Program Files\scdata\wispex.html (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\scdata\wskinn.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\scdata\images\i1.gif (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\scdata\images\i2.gif (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\scdata\images\i3.gif (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\scdata\images\j1.gif (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\scdata\images\j2.gif (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\scdata\images\j3.gif (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\scdata\images\jj1.gif (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\scdata\images\jj2.gif (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\scdata\images\jj3.gif (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\scdata\images\l1.gif (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\scdata\images\l2.gif (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\scdata\images\l3.gif (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\scdata\images\pix.gif (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\scdata\images\t1.gif (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\scdata\images\t2.gif (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\scdata\images\Thumbs.db (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\scdata\images\up1.gif (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\scdata\images\up2.gif (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\scdata\images\w1.gif (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\scdata\images\w11.gif (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\scdata\images\w2.gif (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\scdata\images\w3.jpg (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\scdata\images\word.doc (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\scdata\images\wt1.gif (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\scdata\images\wt2.gif (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\scdata\images\wt3.gif (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService.NT AUTHORITY\Start Menu\Programs\Wireshark Antivirus\Wireshark Antivirus.lnk (Rogue.WiresharkAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Start Menu\Programs\Wireshark Antivirus\Wireshark Antivirus.lnk (Rogue.WiresharkAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\Wireshark Antivirus\Wireshark Antivirus.exe (Rogue.WiresharkAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\conhost.exe (Rogue.WiresharkAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\csrss.exe (Rogue.WiresharkAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\sh4.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\Program Files\sh3.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\Wireshark Antivirus.LNK (Rogue.WiresharkAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\nuar.old (Malware.Trace) -> Quarantined and deleted successfully.
C:\Program Files\skynet.dat (Malware.Trace) -> Quarantined and deleted successfully.


#10 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,316 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:08:58 AM

Posted 14 August 2010 - 05:32 AM

Hello, please let me know how things are running now and if you are able to boot in normal mode.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#11 String911

String911
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:01:58 AM

Posted 14 August 2010 - 09:57 AM

I can only seem to reboot now in safe mode. I attempted to restart in normal mode for an hour this morning, to no avail. MSE is still shut off at startup, so it seems as if something survived the cleansing. Next step?

#12 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,316 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:08:58 AM

Posted 14 August 2010 - 10:31 AM

I will move this topic to the Malware Removal forum so we can see what might be wrong here.

OTL
-----
Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#13 String911

String911
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:01:58 AM

Posted 14 August 2010 - 10:52 AM

OTL logfile created on: 8/14/2010 11:40:37 AM - Run 1
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Documents and Settings\All Users.WINDOWS\Documents
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,014.00 Mb Total Physical Memory | 640.00 Mb Available Physical Memory | 63.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 86.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 144.17 Gb Total Space | 104.34 Gb Free Space | 72.38% Space Free | Partition Type: NTFS
Drive D: | 126.45 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: CHRIS-MJLO59ZBX
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: SafeMode with Networking
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/08/14 11:39:23 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\All Users.WINDOWS\Documents\OTL.exe
PRC - [2010/03/25 21:40:44 | 000,017,904 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
PRC - [2010/03/25 21:40:42 | 000,203,312 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Essentials\MpCmdRun.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (SafeList) ==========

MOD - [2010/08/14 11:39:23 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\All Users.WINDOWS\Documents\OTL.exe
MOD - [2008/04/13 20:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\appmgmts.dll -- (AppMgmt)
SRV - [2010/07/14 21:51:02 | 000,198,608 | ---- | M] (Threat Expert Ltd.) [Auto | Stopped] -- C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe -- (Browser Defender Update Service)
SRV - [2010/06/10 21:03:08 | 000,144,176 | ---- | M] (Apple Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2010/05/24 09:55:34 | 000,444,928 | ---- | M] (Livescribe) [Auto | Stopped] -- C:\Program Files\Common Files\Livescribe\PenComm\PenCommService.exe -- (PenCommService)
SRV - [2010/03/25 21:40:44 | 000,017,904 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe -- (MsMpSvc)
SRV - [2010/03/18 16:47:22 | 000,035,160 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe -- (aspnet_state)
SRV - [2010/03/18 13:16:28 | 000,753,504 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe -- (WPFFontCache_v0400)
SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2010/03/15 12:50:36 | 001,142,224 | ---- | M] (PC Tools) [On_Demand | Stopped] -- C:\Program Files\Spyware Doctor\pctsSvc.exe -- (sdCoreService)
SRV - [2010/03/11 12:09:22 | 000,366,840 | ---- | M] (PC Tools) [On_Demand | Stopped] -- C:\Program Files\Spyware Doctor\pctsAuxs.exe -- (sdAuxService)
SRV - [2006/10/23 08:50:35 | 000,046,640 | R--- | M] (AOL LLC) [Auto | Stopped] -- C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe -- (AOL ACS)
SRV - [2003/08/27 10:29:46 | 000,065,536 | ---- | M] (America Online, Inc.) [Auto | Stopped] -- C:\WINDOWS\wanmpsvc.exe -- (WANMiniportService) WAN Miniport (ATW)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | System | Stopped] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{9C2F2765-3D9F-4AF4-9886-D303D595E43C}\MpKsl96fe4b00.sys -- (MpKsl96fe4b00)
DRV - [2010/06/24 01:25:03 | 000,218,592 | ---- | M] (PC Tools) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\PCTCore.sys -- (PCTCore)
DRV - [2010/05/24 09:55:34 | 000,020,480 | ---- | M] (Windows ® Win 7 DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PulseUsb.sys -- (PulseUsb)
DRV - [2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
DRV - [2010/03/25 21:30:22 | 000,151,216 | ---- | M] (Microsoft Corporation) [File_System | System | Stopped] -- C:\WINDOWS\system32\drivers\MpFilter.sys -- (MpFilter)
DRV - [2008/04/13 12:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008/02/11 18:12:44 | 000,035,328 | ---- | M] (Livescribe) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SmartpenCom.sys -- (SmartpenCom)
DRV - [2008/02/11 18:12:40 | 000,038,528 | ---- | M] (Livescribe) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SmartpenBus.sys -- (SmartpenBus)
DRV - [2005/11/16 15:36:00 | 001,047,816 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2005/10/27 15:06:30 | 000,356,096 | ---- | M] (Ralink Technology Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rt61.sys -- (RT61) Linksys Wireless-G PCI Adapter Driver(RT61)
DRV - [2004/03/05 22:15:34 | 000,647,929 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\IntelC52.sys -- (IntelC52)
DRV - [2004/03/05 22:14:42 | 001,233,525 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\IntelC51.sys -- (IntelC51)
DRV - [2004/03/05 22:13:52 | 000,060,949 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\IntelC53.sys -- (IntelC53)
DRV - [2004/03/05 22:13:38 | 000,037,048 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mohfilt.sys -- (mohfilt)
DRV - [2003/01/10 17:13:04 | 000,033,588 | R--- | M] (America Online, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\wanatw4.sys -- (wanatw) WAN Miniport (ATW)
DRV - [2001/08/17 13:57:38 | 000,016,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\MODEMCSA.sys -- (MODEMCSA)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\URLSearchHook: {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL Toolbar\aoltb.dll (AOL LLC)


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6522

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6522

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-746137067-1770027372-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKU\S-1-5-21-746137067-1770027372-725345543-1003\..\URLSearchHook: {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL Toolbar\aoltb.dll (AOL LLC)
IE - HKU\S-1-5-21-746137067-1770027372-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-746137067-1770027372-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

FF - HKLM\software\mozilla\Firefox\extensions\\{cb84136f-9c44-433a-9048-c5cd9df1dc16}: C:\Program Files\Spyware Doctor\BDT\FireFox\ [2010/06/25 15:34:56 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{83B59C40-24F5-4C48-8389-336B83894D79}: C:\Documents and Settings\Owner\Local Settings\Application Data\{83B59C40-24F5-4C48-8389-336B83894D79} [2010/07/28 21:33:35 | 000,000,000 | ---D | M]

[2008/09/14 19:14:00 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2007/07/18 12:19:40 | 002,998,784 | ---- | M] (Tamarack Software, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\nptgeqplugin.dll

O1 HOSTS File: ([2003/07/16 16:29:34 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (PC Tools Browser Guard BHO) - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)
O2 - BHO: (AOL Toolbar Loader) - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL Toolbar\aoltb.dll (AOL LLC)
O3 - HKLM\..\Toolbar: (PC Tools Browser Guard) - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)
O3 - HKLM\..\Toolbar: (AOL Toolbar) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL Toolbar\aoltb.dll (AOL LLC)
O3 - HKU\S-1-5-21-746137067-1770027372-725345543-1003\..\Toolbar\WebBrowser: (PC Tools Browser Guard) - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)
O3 - HKU\S-1-5-21-746137067-1770027372-725345543-1003\..\Toolbar\WebBrowser: (AOL Toolbar) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL Toolbar\aoltb.dll (AOL LLC)
O4 - HKLM..\Run: [HostManager] C:\Program Files\Common Files\AOL\1243088407\ee\aolsoftware.exe (AOL LLC)
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [MSSE] c:\Program Files\Microsoft Security Essentials\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [NavaBridge] C:\Program Files\Nava Labs\NavaShield\NavaBridge.exe File not found
O4 - HKLM..\Run: [NavaDebugger] C:\Program Files\Nava Labs\NavaShield\NavaDebugger.exe File not found
O4 - HKLM..\Run: [NavaUpdater] C:\Program Files\Nava Labs\NavaShield\NavaUpdater.exe File not found
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [UserFaultCheck] File not found
O4 - HKU\.DEFAULT..\Run: [skarmigp] C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\hgvqrlarb\sacdekptssd.exe File not found
O4 - HKU\S-1-5-18..\Run: [skarmigp] C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\hgvqrlarb\sacdekptssd.exe File not found
O4 - HKU\S-1-5-21-746137067-1770027372-725345543-1003..\Run: [AOL Fast Start] C:\Program Files\AOL 9.1a\AOL.EXE (AOL, LLC.)
O4 - HKU\S-1-5-21-746137067-1770027372-725345543-1003..\Run: [NavaBridge] C:\Program Files\Nava Labs\NavaShield\NavaBridge.exe File not found
O4 - HKU\S-1-5-21-746137067-1770027372-725345543-1003..\Run: [NavaDebugger] C:\Program Files\Nava Labs\NavaShield\NavaDebugger.exe File not found
O4 - HKU\S-1-5-21-746137067-1770027372-725345543-1003..\Run: [NavaUpdater] C:\Program Files\Nava Labs\NavaShield\NavaUpdater.exe File not found
O4 - HKU\S-1-5-21-746137067-1770027372-725345543-1003..\Run: [pronto] C:\Program Files\Wimba\Pronto\pronto.exe File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Virtual Assistant.lnk = C:\Program Files\Virtual Assistant\bin\matcli.exe (Motive Communications, Inc.)
O4 - Startup: C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-746137067-1770027372-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: &AOL Toolbar Search - C:\Documents and Settings\All Users.WINDOWS\Application Data\AOL\ieToolbar\resources\en-US\local\search.html ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000021 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O15 - HKU\S-1-5-21-746137067-1770027372-725345543-1003\..Trusted Domains: ([]msn in My Computer)
O15 - HKU\S-1-5-21-746137067-1770027372-725345543-1003\..Trusted Domains: aol.com ([objects] * is out of zone range - 5)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} http://dl.tvunetworks.com/TVUAx.cab (CTVUAxCtrl Object)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.0...oUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/08/16 06:43:04 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2005/09/01 09:39:33 | 000,000,041 | R--- | M] () - D:\Autorun.inf -- [ CDFS ]
O33 - MountPoints2\D\Shell - "" = AutoRun
O33 - MountPoints2\D\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\D\Shell\AutoRun\command - "" = D:\Setup.exe -- [2005/08/31 16:39:44 | 077,538,860 | R--- | M] ()
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/08/14 11:39:21 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\All Users.WINDOWS\Documents\OTL.exe
[2010/08/13 23:39:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Documents\tdsskiller
[2010/08/09 07:11:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\isnmrkgkn
[2010/08/08 15:08:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\Windows Server
[2010/08/07 22:36:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\Church forms
[2010/08/04 15:42:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\attf1b02
[2010/08/04 15:26:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\FallSemesterSchedule2010
[2010/08/01 08:28:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\fjgntebro
[2010/07/31 16:25:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\lycgdulkm
[2010/07/28 21:33:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\{83B59C40-24F5-4C48-8389-336B83894D79}
[2010/07/28 21:30:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\nnxnixrtg
[2010/07/16 10:28:51 | 096,768,824 | ---- | C] (Apple Inc.) -- C:\Documents and Settings\All Users.WINDOWS\Documents\iTunesSetup.exe
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/08/14 11:39:23 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\All Users.WINDOWS\Documents\OTL.exe
[2010/08/14 10:56:25 | 000,000,408 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/08/14 10:50:49 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/08/14 10:49:51 | 002,883,584 | -H-- | M] () -- C:\Documents and Settings\Owner\NTUSER.DAT
[2010/08/14 10:49:28 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/08/14 10:10:48 | 000,098,256 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/08/14 03:33:48 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Owner\ntuser.ini
[2010/08/14 03:16:36 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/08/14 03:13:37 | 000,609,074 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/08/14 03:13:37 | 000,521,986 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/08/14 03:13:37 | 000,094,006 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/08/14 00:50:12 | 000,051,843 | ---- | M] () -- C:\VETlog.dmp
[2010/08/14 00:49:36 | 000,000,623 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/08/14 00:41:57 | 002,656,656 | -H-- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\IconCache.db
[2010/08/13 23:38:04 | 001,132,196 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Documents\tdsskiller.zip
[2010/08/13 20:16:15 | 000,363,520 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Documents\rkill.scr
[2010/08/12 07:39:06 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/08/07 22:36:24 | 000,746,440 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Church forms.zip
[2010/08/04 15:42:57 | 000,349,345 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\attf1b02.zip
[2010/08/04 15:26:17 | 000,153,390 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\FallSemesterSchedule2010.zip
[2010/08/03 07:18:59 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Fhotimevocogir.bin
[2010/08/02 18:17:58 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Trajedakok.dat
[2010/08/01 20:39:43 | 000,363,520 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Documents\rkill.exe
[2010/07/29 19:16:18 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/07/28 20:59:38 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Adobe Reader 9.lnk
[2010/07/28 08:53:54 | 000,013,504 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Reference2.docx
[2010/07/27 02:30:35 | 008,462,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\shell32.dll
[2010/07/23 11:58:13 | 000,017,405 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\DilantinPatientEducation.docx
[2010/07/21 17:52:43 | 000,850,496 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\MFKLessons-Fibonacci-All mensa.pdf
[2010/07/19 21:16:01 | 000,767,928 | ---- | M] () -- C:\WINDOWS\BDTSupport.dll
[2010/07/19 17:31:29 | 000,000,930 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Let's ride Dreamer.lnk
[2010/07/16 10:50:22 | 000,014,012 | -H-- | M] () -- C:\WINDOWS\System32\mlfcache.dat
[2010/07/16 10:28:51 | 096,768,824 | ---- | M] (Apple Inc.) -- C:\Documents and Settings\All Users.WINDOWS\Documents\iTunesSetup.exe
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/08/13 23:37:59 | 001,132,196 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Documents\tdsskiller.zip
[2010/08/13 20:16:12 | 000,363,520 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Documents\rkill.scr
[2010/08/07 22:36:18 | 000,746,440 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Church forms.zip
[2010/08/04 15:42:54 | 000,349,345 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\attf1b02.zip
[2010/08/04 15:26:13 | 000,153,390 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\FallSemesterSchedule2010.zip
[2010/08/01 20:40:41 | 000,363,520 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Documents\rkill.exe
[2010/07/28 21:33:35 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Trajedakok.dat
[2010/07/28 21:33:35 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Fhotimevocogir.bin
[2010/07/28 20:59:38 | 000,001,729 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Adobe Reader 9.lnk
[2010/07/28 08:53:53 | 000,013,504 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Reference2.docx
[2010/07/23 11:58:11 | 000,017,405 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\DilantinPatientEducation.docx
[2010/07/21 17:52:43 | 000,850,496 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\MFKLessons-Fibonacci-All mensa.pdf
[2010/06/24 01:06:24 | 000,767,952 | ---- | C] () -- C:\WINDOWS\BDTSupport.dll.old
[2010/06/24 01:06:24 | 000,767,928 | ---- | C] () -- C:\WINDOWS\BDTSupport.dll
[2010/02/19 18:36:51 | 000,594,160 | ---- | C] () -- C:\WINDOWS\System32\wodCertificate.dll
[2010/02/19 18:36:49 | 000,589,960 | ---- | C] () -- C:\WINDOWS\System32\brgrt.dll
[2009/07/25 14:53:11 | 000,000,022 | ---- | C] () -- C:\WINDOWS\kodakpcd.Owner.ini
[2009/06/04 12:10:21 | 000,000,000 | ---- | C] () -- C:\WINDOWS\SETUP32.INI
[2009/05/04 15:03:00 | 000,059,904 | ---- | C] () -- C:\WINDOWS\System32\zlib1.dll
[2009/05/04 14:53:28 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\libcurl.dll
[2009/05/04 14:53:10 | 000,143,360 | ---- | C] () -- C:\WINDOWS\System32\libexpatw.dll
[2007/09/27 10:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 10:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 10:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2003/07/16 16:39:32 | 000,022,150 | ---- | C] () -- C:\WINDOWS\msyuv.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 165 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 105 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:430C6D84
@Alternate Data Stream - 103 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:A8ADE5D8
< End of report >





OTL Extras logfile created on: 8/14/2010 11:40:37 AM - Run 1
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Documents and Settings\All Users.WINDOWS\Documents
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,014.00 Mb Total Physical Memory | 640.00 Mb Available Physical Memory | 63.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 86.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 144.17 Gb Total Space | 104.34 Gb Free Space | 72.38% Space Free | Partition Type: NTFS
Drive D: | 126.45 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: CHRIS-MJLO59ZBX
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: SafeMode with Networking
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = 1
"FirewallOverride" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL Connectivity Service Dialer -- (AOL LLC)
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL Connectivity Service -- (AOL LLC)
"C:\Program Files\Common Files\AOL\1243088407\ee\aolsoftware.exe" = C:\Program Files\Common Files\AOL\1243088407\ee\aolsoftware.exe:*:Enabled:AOL Shared Components -- (AOL LLC)
"C:\Program Files\AOL 9.1a\waol.exe" = C:\Program Files\AOL 9.1a\waol.exe:*:Enabled:AOL -- (AOL, LLC.)
"C:\Program Files\Common Files\AOL\Loader\aolload.exe" = C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader -- (AOL LLC)
"C:\Program Files\Common Files\AOL\System Information\sinf.exe" = C:\Program Files\Common Files\AOL\System Information\sinf.exe:*:Enabled:AOL System Information -- (AOL LLC)
"C:\Program Files\Common Files\AOL\TopSpeed\3.0\aoltpsd3.exe" = C:\Program Files\Common Files\AOL\TopSpeed\3.0\aoltpsd3.exe:*:Enabled:AOL -- (AOL LLC)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
""Let's Ride!" = "Let's Ride! Dreamer"
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{0A0CADCF-78DA-33C4-A350-CD51849B9702}" = Microsoft .NET Framework 4 Extended
"{0CB9668D-F979-4F31-B8B8-67FE90F929F8}" = Bonjour
"{169CE656-4BF8-4253-B60A-570DBFF63AAE}" = Livescribe Desktop
"{238DCFCD-70B3-46B2-B90B-2CDCC69A3D03}" = Zoo Tycoon 2 - Zookeeper Collection
"{26A24AE4-039D-4CA4-87B4-2F83216015FF}" = Java™ 6 Update 15
"{287ECFA4-719A-2143-A09B-D6A12DE54E40}" = Acrobat.com
"{28BE306E-5DA6-4F9C-BDB0-DBA3C8C6FFFD}" = QuickTime
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{5C2F32AB-4D59-48AF-9AB1-1684FCC427C5}" = Lets Ride Silver Buckle Stables
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{797EE0CA-8165-405C-B5CE-F11EC20F1BB0}" = Microsoft VC9 runtime libraries
"{7AB3A249-FB81-416B-917A-A2A10E74C503}" = iTunes
"{85991ED2-010C-4930-96FA-52F43C2CE98A}" = Apple Mobile Device Support
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Graphics Media Accelerator Driver
"{90850409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Word Viewer 2003
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = SigmaTel Audio
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{AC76BA86-7AD7-1033-7B44-A92000000001}" = Adobe Reader 9.2
"{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
"{B2D328BE-45AD-4D92-96F9-2151490A203E}" = Apple Application Support
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{E62A1F01-07B7-4541-A835-EE5B0BF064C2}" = Microsoft Antimalware
"{EF98A02A-1748-4762-9B7D-5ED1600520D5}" = Microsoft Security Essentials
"119B0642D93485253315CC5A682621B74C3A6931" = Windows Driver Package - Livescribe (PulseUsb) DigitalPen (04/12/2010 2.2.6.0)
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"AOL Toolbar" = AOL Toolbar
"AOL Uninstaller" = AOL Uninstaller (Choose which Products to Remove)
"BREE5" = Brownstone Equation Editor 5
"Browser Defender_is1" = Browser Defender 3.0.0.11
"ie8" = Windows Internet Explorer 8
"InstallShield_{238DCFCD-70B3-46B2-B90B-2CDCC69A3D03}" = Zoo Tycoon 2 - Zookeeper Collection
"Intel® 537EP V9x DF PCI Modem" = Intel® 537EP V9x DF PCI Modem
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
"Microsoft Security Essentials" = Microsoft Security Essentials
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"PROSet" = Intel® PRO Network Connections Drivers
"Reader Rabbit Math Ages 6-9" = Reader Rabbit Math Ages 6-9
"SoftwareUpdUtility" = Download Updater (AOL LLC)
"Spyware Doctor" = Spyware Doctor 7.0
"Tutor" = Tutor
"ViewpointMediaPlayer" = Viewpoint Media Player
"Wdf01007" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
"Wdf01009" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== Last 10 Event Log Errors ==========

Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!

< End of report >

#14 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,316 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:08:58 AM

Posted 14 August 2010 - 11:06 AM

Hello again, please follow the steps below, then try to boot in normal mode.

COMBOFIX
---------------
Please download ComboFix from one of these locations:
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue it's malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#15 String911

String911
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:01:58 AM

Posted 14 August 2010 - 12:32 PM

ComboFix 10-08-12.03 - Owner 08/14/2010 13:01:09.1.2 - x86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.669 [GMT -4:00]
Running from: c:\documents and settings\All Users.WINDOWS\Documents\ComboFix.exe
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\-1665925660
c:\documents and settings\Jennifer\g2mdlhlpx.exe
c:\documents and settings\Jennifer\System
c:\documents and settings\Jennifer\System\win_qs8.jqx
c:\documents and settings\Owner\Local Settings\Application Data\{83B59C40-24F5-4C48-8389-336B83894D79}
c:\documents and settings\Owner\Local Settings\Application Data\{83B59C40-24F5-4C48-8389-336B83894D79}\chrome.manifest
c:\documents and settings\Owner\Local Settings\Application Data\{83B59C40-24F5-4C48-8389-336B83894D79}\chrome\content\_cfg.js
c:\documents and settings\Owner\Local Settings\Application Data\{83B59C40-24F5-4C48-8389-336B83894D79}\chrome\content\overlay.xul
c:\documents and settings\Owner\Local Settings\Application Data\{83B59C40-24F5-4C48-8389-336B83894D79}\install.rdf
c:\documents and settings\Owner\Local Settings\Application Data\Windows Server
c:\documents and settings\Owner\Local Settings\Application Data\Windows Server\flags.ini
c:\documents and settings\Owner\Local Settings\Application Data\Windows Server\server.dat
c:\documents and settings\Owner\Local Settings\Application Data\Windows Server\uses32.dat
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\C8FP0lv2f.jpg
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\CxgOx.jpg
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\PQdutglOM.jpg
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\S6E7226a.jpg
c:\program files\Shared
c:\temp\1cb
c:\temp\1cb\syscheck.log
c:\windows\msyuv.dll

Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe

.
((((((((((((((((((((((((( Files Created from 2010-07-14 to 2010-08-14 )))))))))))))))))))))))))))))))
.

2010-08-09 11:11 . 2010-08-09 17:55 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\isnmrkgkn
2010-08-07 04:13 . 2010-08-07 08:39 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Application Data\hgvqrlarb
2010-08-01 12:28 . 2010-08-01 18:26 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\fjgntebro
2010-07-31 20:25 . 2010-08-01 01:02 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\lycgdulkm
2010-07-29 01:33 . 2010-08-03 11:18 0 ----a-w- c:\windows\Fhotimevocogir.bin
2010-07-29 01:33 . 2010-08-02 22:17 120 ----a-w- c:\windows\Trajedakok.dat
2010-07-29 01:30 . 2010-07-29 11:12 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\nnxnixrtg

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-14 17:14 . 2010-04-09 06:53 -------- d---a-w- c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
2010-08-14 03:44 . 2003-07-16 20:26 36352 ----a-w- c:\windows\system32\drivers\disk.sys
2010-07-29 00:59 . 2005-12-05 16:43 -------- d-----w- c:\program files\Common Files\Adobe
2010-07-20 01:16 . 2010-06-24 05:06 767928 ----a-w- c:\windows\BDTSupport.dll
2010-07-16 14:50 . 2010-02-21 22:45 14012 ---ha-w- c:\windows\system32\mlfcache.dat
2010-07-15 01:51 . 2010-06-24 05:06 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-07-15 01:51 . 2010-06-24 05:06 264144 ----a-w- c:\windows\PCTBDRes.dll
2010-07-15 01:51 . 2010-06-24 05:06 1435600 ----a-w- c:\windows\PCTBDCore.dll
2010-07-08 13:18 . 2008-03-31 15:40 -------- d-----w- c:\program files\iTunes
2010-07-08 13:17 . 2008-03-31 15:40 -------- d-----w- c:\program files\iPod
2010-07-08 13:17 . 2007-07-06 15:45 -------- d-----w- c:\program files\Common Files\Apple
2010-07-08 13:12 . 2010-07-08 13:12 -------- d-----w- c:\program files\Bonjour
2010-07-05 23:04 . 2010-04-09 06:18 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-07-05 22:39 . 2009-04-11 15:47 14792 -c--a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-04 13:15 . 2010-07-04 13:15 75264 ----a-w- c:\windows\system32\drivers\IPSEC.SYS
2010-07-04 05:00 . 2010-02-19 22:40 -------- d-----w- c:\documents and settings\Owner\Application Data\Tutor
2010-07-04 04:43 . 2010-02-19 22:36 -------- d-----w- c:\program files\Tutor 6
2010-07-04 04:16 . 2010-07-04 04:16 -------- d-----w- c:\program files\FA Davis
2010-06-30 12:31 . 2003-07-16 20:43 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-25 06:09 . 2010-04-09 06:54 -------- d-----w- c:\program files\Spyware Doctor
2010-06-25 05:29 . 2010-06-25 05:29 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-06-25 05:29 . 2008-08-12 18:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-25 05:28 . 2010-06-25 05:28 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2010-06-25 04:37 . 2010-06-15 23:36 -------- d-----w- c:\program files\Wimba
2010-06-24 12:22 . 2003-07-16 20:51 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-24 05:25 . 2010-06-24 05:04 63360 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-06-24 05:25 . 2010-06-24 05:04 218592 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-06-24 05:06 . 2010-06-24 05:03 -------- d-----w- c:\program files\Common Files\PC Tools
2010-06-24 05:03 . 2010-06-24 05:03 -------- d-----w- c:\documents and settings\Owner\Application Data\PC Tools
2010-06-24 05:03 . 2010-06-24 05:03 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\PC Tools
2010-06-24 04:52 . 2010-06-24 04:52 -------- d-----w- c:\documents and settings\Owner\Application Data\Windows Search
2010-06-23 13:44 . 2003-07-16 20:51 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-23 04:01 . 2010-06-24 05:06 192 ----a-w- c:\windows\UDB.zip
2010-06-22 13:42 . 2009-05-23 13:05 -------- d-----w- c:\documents and settings\Owner\Application Data\MSN6
2010-06-21 15:27 . 2003-07-16 20:46 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2003-07-16 20:29 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-15 23:37 . 2010-06-15 23:37 -------- d-----w- c:\documents and settings\Owner\Application Data\HorizonWimba
2010-06-14 07:41 . 2003-07-16 20:37 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-06-03 13:51 . 2009-06-04 21:44 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-01 17:37 . 2010-04-09 06:22 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-24 13:55 . 2010-06-04 19:59 1461992 ----a-w- c:\windows\system32\WdfCoInstaller01009.dll
2010-05-24 13:55 . 2010-06-04 19:59 20480 ----a-w- c:\windows\system32\drivers\PulseUsb.sys
2010-05-18 20:35 . 2010-05-18 20:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 20:35 . 2010-05-18 20:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AOL Fast Start"="c:\program files\AOL 9.1a\AOL.EXE" [2008-11-06 50472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
"HostManager"="c:\program files\Common Files\AOL\1243088407\ee\AOLSoftware.exe" [2008-06-24 41824]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-27 149280]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-06-01 1093208]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1243088407\\ee\\aolsoftware.exe"=
"c:\\Program Files\\AOL 9.1a\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [6/24/2010 1:04 AM 218592]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [6/24/2010 1:06 AM 198608]
R2 PenCommService;Livescribe Pulse Smartpen Service;c:\program files\Common Files\Livescribe\PenComm\PenCommService.exe [5/24/2010 9:55 AM 444928]
S1 MpKsl96fe4b00;MpKsl96fe4b00;\??\c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{9C2F2765-3D9F-4AF4-9886-D303D595E43C}\MpKsl96fe4b00.sys --> c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{9C2F2765-3D9F-4AF4-9886-D303D595E43C}\MpKsl96fe4b00.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [6/25/2010 1:28 AM 38224]
S3 PulseUsb;Livescribe Smartpen USB Driver;c:\windows\system32\drivers\PulseUsb.sys [6/4/2010 3:59 PM 20480]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [6/24/2010 1:04 AM 366840]
S3 SmartpenBus;Smartpen Enumerator;c:\windows\system32\drivers\SmartpenBus.sys [2/11/2008 6:12 PM 38528]
S3 SmartpenCom;Smartpen Communications;c:\windows\system32\drivers\SmartpenCom.sys [2/11/2008 6:12 PM 35328]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
Contents of the 'Scheduled Tasks' folder

2010-08-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-08-14 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-26 01:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = <local>
IE: &AOL Toolbar Search - c:\documents and settings\All Users.WINDOWS\Application Data\AOL\ieToolbar\resources\en-US\local\search.html
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKCU-Run-NavaBridge - c:\program files\Nava Labs\NavaShield\NavaBridge.exe
HKCU-Run-NavaDebugger - c:\program files\Nava Labs\NavaShield\NavaDebugger.exe
HKCU-Run-NavaUpdater - c:\program files\Nava Labs\NavaShield\NavaUpdater.exe
HKCU-Run-pronto - c:\program files\Wimba\Pronto\pronto.exe
HKLM-Run-NavaBridge - c:\program files\Nava Labs\NavaShield\NavaBridge.exe
HKLM-Run-NavaDebugger - c:\program files\Nava Labs\NavaShield\NavaDebugger.exe
HKLM-Run-NavaUpdater - c:\program files\Nava Labs\NavaShield\NavaUpdater.exe
HKU-Default-Run-skarmigp - c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Application Data\hgvqrlarb\sacdekptssd.exe
SafeBoot-klmdb.sys



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-14 13:15
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(792)
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll

- - - - - - - > 'explorer.exe'(2648)
c:\windows\system32\WININET.dll
c:\program files\Windows Media Player\wmpband.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Essentials\MsMpEng.exe
c:\program files\Common Files\AOL\ACS\AOLAcsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\stsystra.exe
c:\windows\wanmpsvc.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\AOL 9.1a\waol.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\SearchProtocolHost.exe
c:\program files\AOL 9.1a\shellmon.exe
c:\windows\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2010-08-14 13:28:37 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-14 17:28

Pre-Run: 111,952,928,768 bytes free
Post-Run: 113,432,248,320 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 517C833063CBC988DEFA8BF49FE2D911




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users