Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Problem loading page


  • This topic is locked This topic is locked
14 replies to this topic

#1 k988

k988

  • Members
  • 46 posts
  • OFFLINE
  •  
  • Local time:12:43 AM

Posted 25 October 2010 - 10:33 AM

Continuation of the topic at http://www.bleepingcomputer.com/forums/topic354536.html/
Directed here by boopme

Basically I've been running into some occasional problems connecting to websites; my browser tells me "problem loading page" - usually a few refreshes and I'm okay, but now I'm getting the search result redirects too. Same problems on the other computer sharing the network, right down to getting redirects from the exact same websites. boopme thinks it has to do with the wireless router that the computers use, and since we didn't get anywhere in the above thread, he sent me here.

I tried running GMER several times, but it froze on startup each time so I couldn't get it to work.



DDS (Ver_10-10-21.02) - NTFSx86
Run by User at 10:33:24.75 on Mon 10/25/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.191 [GMT -4:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\User\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/firefox
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
StartupFolder: c:\docume~1\user\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\FINDFAST.EXE
StartupFolder: c:\docume~1\user\startm~1\programs\startup\office~1.lnk - c:\program files\microsoft office\office\OSA.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\lyvfk7du.default\
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-6-11 165584]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-6-11 17744]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-11 40384]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-11 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-11 40384]
R3 USBNET_XP;Instant Wireless XP USB Network Adapter ver.2.6 Driver;c:\windows\system32\drivers\netusbxp.sys [2010-6-11 72576]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2010-6-11 11520]
S1 DumpDrv;Crash Dump Driver;c:\windows\system32\drivers\dumpdrv.sys [2009-12-2 9472]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2009-12-2 14848]

=============== Created Last 30 ================

2010-10-25 02:43:27 -------- d-----w- c:\program files\Everything
2010-10-21 23:06:13 -------- d-----w- c:\program files\RegScrubXP
2010-10-18 19:58:46 -------- d-----w- c:\docume~1\user\applic~1\SUPERAntiSpyware.com
2010-10-18 19:58:38 -------- d-----w- c:\program files\SUPERAntiSpyware

==================== Find3M ====================

2010-09-18 16:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:57:25 919552 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:57:23 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:57:23 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-07 15:12:17 38848 ----a-w- c:\windows\avastSS.scr
2010-09-01 11:48:34 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:38:48 1861888 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:01:06 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 06:05:07 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-25 00:38:39 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:43:28 590848 ----a-w- c:\windows\system32\rpcrt4.dll

============= FINISH: 10:34:03.90 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:43 AM

Posted 02 November 2010 - 06:29 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process. Please also continue to work with me until I give you the all clear. Even if your computer appears to act better, you may still be infected.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

Once we start working together, please reply back within 3 days or this thread may be closed so we can help others who are waiting.

We need to create an OTL report,
  • Please download OTL from this link.
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in:

    netsvcs
    msconfig
    drivers32 /all
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\system32\*.sys /90
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\*. /mp /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    CREATERESTOREPOINT

  • Click the Quick Scan button.
  • The scan should take a few minutes.
  • Please copy and paste both logs in your reply.

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new OTL log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


In your reply, please post both OTL logs and the GMER log.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 


#3 k988

k988
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  •  
  • Local time:12:43 AM

Posted 02 November 2010 - 07:22 PM

Still had problems running GMER. It just froze on startup, as before. OTL logs below


OTL log

OTL logfile created on: 11/2/2010 7:53:22 PM - Run 1
OTL by OldTimer - Version 3.2.17.2 Folder = C:\Documents and Settings\User\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

510.00 Mb Total Physical Memory | 302.00 Mb Available Physical Memory | 59.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 88.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.50 Gb Total Space | 62.36 Gb Free Space | 83.71% Space Free | Partition Type: NTFS
Drive E: | 446.77 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: UDF
Drive F: | 232.23 Gb Total Space | 40.02 Gb Free Space | 17.23% Space Free | Partition Type: NTFS

Computer Name: K988 | User Name: User | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2010/11/02 19:51:55 | 000,576,000 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User\Desktop\OTL.exe
PRC - [2010/09/07 11:12:02 | 002,838,912 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastUI.exe
PRC - [2010/09/07 11:11:59 | 000,040,384 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
PRC - [2009/12/02 17:21:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [1996/11/21 00:00:00 | 000,111,376 | ---- | M] () -- C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
PRC - [1996/11/21 00:00:00 | 000,051,984 | ---- | M] () -- C:\Program Files\Microsoft Office\Office\OSA.EXE


========== Modules (SafeList) ==========

MOD - [2010/11/02 19:51:55 | 000,576,000 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User\Desktop\OTL.exe
MOD - [2010/08/23 12:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
SRV - [2010/09/07 11:11:59 | 000,040,384 | ---- | M] (AVAST Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Web Scanner)
SRV - [2010/09/07 11:11:59 | 000,040,384 | ---- | M] (AVAST Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Mail Scanner)
SRV - [2010/09/07 11:11:59 | 000,040,384 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)


========== Driver Services (SafeList) ==========

DRV - [2010/09/07 10:52:25 | 000,046,672 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2010/09/07 10:52:03 | 000,165,584 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2010/09/07 10:47:46 | 000,023,376 | ---- | M] (AVAST Software) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2010/09/07 10:47:19 | 000,100,176 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2010/09/07 10:47:07 | 000,017,744 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2010/09/07 10:46:51 | 000,028,880 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2010/05/10 14:41:30 | 000,067,656 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010/02/17 14:25:48 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2009/12/02 17:27:17 | 000,009,472 | ---- | M] (Microsoft Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\dumpdrv.sys -- (DumpDrv)
DRV - [2009/02/13 15:02:52 | 000,011,520 | R--- | M] (Western Digital Technologies) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\wdcsam.sys -- (WDC_SAM)
DRV - [2008/04/14 05:16:24 | 000,015,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\MPE.sys -- (MPE)
DRV - [2008/04/14 05:16:22 | 000,048,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\61883.sys -- (61883)
DRV - [2008/04/14 05:16:22 | 000,038,912 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\avc.sys -- (Avc)
DRV - [2008/04/14 05:16:10 | 000,051,200 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\msdv.sys -- (MSDV)
DRV - [2008/04/14 05:15:14 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2007/01/29 20:20:04 | 000,361,728 | ---- | M] (eMPIA Technology, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\emBDA.sys -- (USB28xxBGA)
DRV - [2007/01/29 20:19:48 | 000,039,680 | ---- | M] (eMPIA Technology, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\emOEM.sys -- (USB28xxOEM)
DRV - [2007/01/12 16:55:24 | 000,022,912 | ---- | M] (eMPIA Technology, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\emAudio.sys -- (emAudio)
DRV - [2006/08/15 11:48:00 | 000,732,928 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt)
DRV - [2003/11/17 15:59:20 | 000,212,224 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys -- (HSFHWBS2)
DRV - [2003/11/17 15:58:02 | 000,680,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2003/11/17 15:56:26 | 001,042,432 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)
DRV - [2002/02/19 14:34:18 | 000,072,576 | R--- | M] (The LinkSys Group, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\netusbxp.sys -- (USBNET_XP)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-725345543-1060284298-1547161642-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/firefox
IE - HKU\S-1-5-21-725345543-1060284298-1547161642-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKU\S-1-5-21-725345543-1060284298-1547161642-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\S-1-5-21-725345543-1060284298-1547161642-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 7E AD 05 50 36 58 CB 01 [binary data]
IE - HKU\S-1-5-21-725345543-1060284298-1547161642-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {73a6fe31-595d-460b-a920-fcc0f8843232}:2.0.4

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/10/31 10:24:30 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/10/29 20:50:26 | 000,000,000 | ---D | M]

[2010/06/11 14:40:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Mozilla\Extensions
[2010/11/02 19:50:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\lyvfk7du.default\extensions
[2010/10/29 20:36:18 | 000,000,000 | ---D | M] (NoScript) -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\lyvfk7du.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
[2010/08/24 20:53:19 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/08/24 20:38:42 | 000,423,656 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2010/09/29 15:53:39 | 000,620,296 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\HOSTS
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 fr.a2dfp.net
O1 - Hosts: 127.0.0.1 m.fr.a2dfp.net
O1 - Hosts: 127.0.0.1 ad.a8.net
O1 - Hosts: 127.0.0.1 asy.a8ww.net
O1 - Hosts: 127.0.0.1 abcstats.com
O1 - Hosts: 127.0.0.1 a.abv.bg
O1 - Hosts: 127.0.0.1 adserver.abv.bg
O1 - Hosts: 127.0.0.1 adv.abv.bg
O1 - Hosts: 127.0.0.1 bimg.abv.bg
O1 - Hosts: 127.0.0.1 ca.abv.bg
O1 - Hosts: 127.0.0.1 www2.a-counter.kiev.ua
O1 - Hosts: 127.0.0.1 track.acclaimnetwork.com
O1 - Hosts: 127.0.0.1 accuserveadsystem.com
O1 - Hosts: 127.0.0.1 www.accuserveadsystem.com
O1 - Hosts: 127.0.0.1 achmedia.com
O1 - Hosts: 127.0.0.1 aconti.net
O1 - Hosts: 127.0.0.1 secure.aconti.net
O1 - Hosts: 127.0.0.1 www.aconti.net #[Dialer.Aconti]
O1 - Hosts: 127.0.0.1 ads.active.com
O1 - Hosts: 127.0.0.1 am1.activemeter.com
O1 - Hosts: 127.0.0.1 www.activemeter.com #[Tracking.Cookie]
O1 - Hosts: 127.0.0.1 ads.activepower.net
O1 - Hosts: 127.0.0.1 stat.active24stats.nl #[Tracking.Cookie]
O1 - Hosts: 127.0.0.1 ad2games.com
O1 - Hosts: 16355 more lines...
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\avastUI.exe (AVAST Software)
O4 - Startup: C:\Documents and Settings\User\Start Menu\Programs\Startup\Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE ()
O4 - Startup: C:\Documents and Settings\User\Start Menu\Programs\Startup\Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-725345543-1060284298-1547161642-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O13 - gopher Prefix: missing
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O20 - Winlogon\Notify\RailNotification: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O24 - Desktop WallPaper: C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/06/04 19:14:35 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2009/06/18 17:12:18 | 000,000,088 | R--- | M] () - E:\autorun.inf -- [ UDF ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: HidServ - C:\WINDOWS\System32\hidserv.dll File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found


Drivers32: aux - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: midi - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: midi1 - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: midimapper - C:\WINDOWS\System32\midimap.dll (Microsoft Corporation)
Drivers32: mixer - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: mixer1 - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: mixer2 - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: mixer3 - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.imaadpcm - C:\WINDOWS\System32\imaadp32.acm (Microsoft Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.msadpcm - C:\WINDOWS\System32\msadp32.acm (Microsoft Corporation)
Drivers32: msacm.msaudio1 - C:\WINDOWS\System32\msaud32.acm (Microsoft Corporation)
Drivers32: msacm.msg711 - C:\WINDOWS\System32\msg711.acm (Microsoft Corporation)
Drivers32: msacm.msg723 - C:\WINDOWS\System32\msg723.acm (Microsoft Corporation)
Drivers32: msacm.msgsm610 - C:\WINDOWS\System32\msgsm32.acm (Microsoft Corporation)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: MSVideo8 - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: VIDC.I420 - C:\WINDOWS\System32\msh263.drv (Microsoft Corporation)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Drivers32: VIDC.IYUV - C:\WINDOWS\System32\iyuv_32.dll (Microsoft Corporation)
Drivers32: vidc.M261 - C:\WINDOWS\System32\msh261.drv (Microsoft Corporation)
Drivers32: vidc.M263 - C:\WINDOWS\System32\msh263.drv (Microsoft Corporation)
Drivers32: vidc.mrle - C:\WINDOWS\System32\msrle32.dll (Microsoft Corporation)
Drivers32: vidc.msvc - C:\WINDOWS\System32\msvidc32.dll (Microsoft Corporation)
Drivers32: VIDC.UYVY - C:\WINDOWS\System32\msyuv.dll (Microsoft Corporation)
Drivers32: VIDC.YUY2 - C:\WINDOWS\System32\msyuv.dll (Microsoft Corporation)
Drivers32: VIDC.YVU9 - C:\WINDOWS\System32\tsbyuv.dll (Microsoft Corporation)
Drivers32: VIDC.YVYU - C:\WINDOWS\System32\msyuv.dll (Microsoft Corporation)
Drivers32: wave - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: wave1 - C:\WINDOWS\System32\serwvdrv.dll (Microsoft Corporation)
Drivers32: wave2 - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: wave3 - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: wave4 - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: wavemapper - C:\WINDOWS\System32\msacm32.drv (Microsoft Corporation)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16902109354000384)

========== Files/Folders - Created Within 30 Days ==========

[2010/11/02 19:51:54 | 000,576,000 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\User\Desktop\OTL.exe
[2010/10/28 18:25:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\ElevatedDiagnostics
[2010/10/24 22:43:27 | 000,000,000 | ---D | C] -- C:\Program Files\Everything
[2010/10/21 19:06:13 | 000,000,000 | ---D | C] -- C:\Program Files\RegScrubXP
[2010/10/18 22:37:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Desktop\tdsskiller
[2010/10/18 15:58:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\SUPERAntiSpyware.com
[2010/10/18 15:58:38 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010/10/08 16:53:30 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe
[2010/10/08 16:53:30 | 000,000,000 | ---D | C] -- C:\Program Files\Adobe
[2010/10/08 16:52:09 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/11/02 19:51:55 | 000,576,000 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User\Desktop\OTL.exe
[2010/11/02 19:37:30 | 000,012,598 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/11/02 19:36:44 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/11/02 19:36:28 | 534,827,008 | -HS- | M] () -- C:\hiberfil.sys
[2010/11/01 22:07:42 | 000,933,888 | -H-- | M] () -- C:\ffastun0.ffx
[2010/11/01 22:07:42 | 000,188,416 | -H-- | M] () -- C:\ffastun.ffl
[2010/11/01 22:07:42 | 000,077,824 | -H-- | M] () -- C:\ffastun.ffo
[2010/11/01 22:07:42 | 000,004,795 | -H-- | M] () -- C:\ffastun.ffa
[2010/10/29 10:02:45 | 000,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010/10/23 08:47:15 | 000,110,992 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/10/18 22:36:03 | 001,211,285 | ---- | M] () -- C:\Documents and Settings\User\Desktop\tdsskiller.zip
[2010/10/13 21:39:58 | 000,027,648 | ---- | M] () -- C:\Documents and Settings\User\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/10/12 22:39:39 | 000,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/10/25 11:22:48 | 534,827,008 | -HS- | C] () -- C:\hiberfil.sys
[2010/10/18 22:35:53 | 001,211,285 | ---- | C] () -- C:\Documents and Settings\User\Desktop\tdsskiller.zip
[2010/06/11 17:03:45 | 000,000,611 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2010/06/11 17:03:45 | 000,000,022 | ---- | C] () -- C:\WINDOWS\exchng.ini
[2010/06/11 11:38:01 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\PsisDecd.dll
[2010/06/06 12:59:49 | 000,027,648 | ---- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/06/05 11:14:13 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2010/06/04 14:53:28 | 000,004,346 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2009/12/03 11:28:51 | 000,210,944 | ---- | C] () -- C:\WINDOWS\System32\msvcrt10.dll
[1996/11/21 00:00:00 | 000,022,016 | ---- | C] () -- C:\WINDOWS\System32\ODBCSTF.DLL
[1996/11/21 00:00:00 | 000,022,016 | ---- | C] () -- C:\WINDOWS\System32\DOCOBJ.DLL
[1996/11/21 00:00:00 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\HLINKPRX.DLL

========== LOP Check ==========

[2010/06/11 14:34:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2010/10/31 10:20:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/09/08 17:36:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Audacity
[2010/10/28 18:25:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\ElevatedDiagnostics

========== Purity Check ==========



========== Custom Scans ==========


< %systemroot%\system32\*.dll /lockedfiles >
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\system32\*.sys /90 >
[2010/08/31 09:38:48 | 001,861,888 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\win32k.sys
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2010/06/04 14:43:05 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2010/06/04 14:43:05 | 001,089,536 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2010/06/04 14:43:05 | 000,892,928 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %SYSTEMDRIVE%\*.* >
[2010/06/04 19:14:35 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2010/06/11 10:29:18 | 000,000,320 | RHS- | M] () -- C:\boot.ini
[2010/06/04 19:14:35 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2010/11/01 22:07:42 | 000,004,795 | -H-- | M] () -- C:\ffastun.ffa
[2010/11/01 22:07:42 | 000,188,416 | -H-- | M] () -- C:\ffastun.ffl
[2010/11/01 22:07:42 | 000,077,824 | -H-- | M] () -- C:\ffastun.ffo
[2010/11/01 22:07:42 | 000,933,888 | -H-- | M] () -- C:\ffastun0.ffx
[2010/11/02 19:36:28 | 534,827,008 | -HS- | M] () -- C:\hiberfil.sys
[2010/06/04 19:14:35 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2010/06/04 19:14:35 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2008/04/14 12:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2008/04/14 12:00:00 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2010/11/02 19:36:28 | 805,306,368 | -HS- | M] () -- C:\pagefile.sys
[2010/06/04 19:30:58 | 000,000,165 | ---- | M] () -- C:\setup.log

< %systemroot%\system32\Spool\prtprocs\w32x86\*.dll >
[2009/08/14 10:19:28 | 000,091,648 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
[2007/03/28 13:57:34 | 000,274,944 | ---- | M] (Hewlett-Packard Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\hpzpp5ha.dll

< %systemroot%\*. /mp /s >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

========== Alternate Data Streams ==========

@Alternate Data Stream - 95 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34

< End of report >



Extras log

OTL Extras logfile created on: 11/2/2010 7:53:22 PM - Run 1
OTL by OldTimer - Version 3.2.17.2 Folder = C:\Documents and Settings\User\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

510.00 Mb Total Physical Memory | 302.00 Mb Available Physical Memory | 59.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 88.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.50 Gb Total Space | 62.36 Gb Free Space | 83.71% Space Free | Partition Type: NTFS
Drive E: | 446.77 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: UDF
Drive F: | 232.23 Gb Total Space | 40.02 Gb Free Space | 17.23% Space Free | Partition Type: NTFS

Computer Name: K988 | User Name: User | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_USERS\S-1-5-21-725345543-1060284298-1547161642-1003\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{28BE306E-5DA6-4F9C-BDB0-DBA3C8C6FFFD}" = QuickTime
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3717C4F2-7412-4793-9BB8-D73D2817B3D6}" = USB TV Device Driver
"{553255F3-78FD-40F1-A6F8-6882140265FE}" = Apple Application Support
"{5EF2B896-B1C1-46E8-83AD-4F940B7A5982}" = MathGV 4
"{62BFB4C2-8C4E-4D91-BD7D-81C06EAAC3C0}" = Windows Rights Management Client with Service Pack 2
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Extreme Graphics 2 Driver
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{AC76BA86-7AD7-1033-7B44-A94000000001}" = Adobe Reader 9.4.0
"{BDCF27CA-BFC4-4F49-8D24-A925C9505AB8}" = Windows Rights Management Client with Service Pack 2
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1 Service Pack 1
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 Service Pack 1
"{EC905264-BCFE-423B-9C42-C3A106266790}" = Windows Rights Management Client Backwards Compatibility SP2
"7-Zip" = 7-Zip 4.65
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Audacity 1.3 Beta (Unicode)_is1" = Audacity 1.3.12 (Unicode)
"avast5" = avast! Free Antivirus
"CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1" = Conexant D850 56K V.9x DFVc Modem
"Everything" = Everything 1.2.1.371
"FLV Player" = FLV Player 2.0 (build 25)
"JAIELangPack" = Japanese Language Support
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft Silverlight" = Microsoft Silverlight
"Mozilla Firefox (3.6.12)" = Mozilla Firefox (3.6.12)
"Office8.0" = Microsoft Office 97, Professional Edition
"RegScrubXP_is1" = RegScrubXP 3.25
"SpywareBlaster_is1" = SpywareBlaster 4.4

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 10/8/2010 6:46:44 PM | Computer Name = K988 | Source = Application Hang | ID = 1001
Description = Fault bucket 337816799.

Error - 10/18/2010 10:38:11 PM | Computer Name = K988 | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 10/18/2010 10:38:11 PM | Computer Name = K988 | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 10/25/2010 4:00:53 PM | Computer Name = K988 | Source = Application Hang | ID = 1002
Description = Hanging application WINWORD.EXE, version 8.0.0.3514, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 10/25/2010 4:04:04 PM | Computer Name = K988 | Source = Application Hang | ID = 1002
Description = Hanging application WINWORD.EXE, version 8.0.0.3514, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 10/25/2010 4:10:05 PM | Computer Name = K988 | Source = Application Hang | ID = 1002
Description = Hanging application WINWORD.EXE, version 8.0.0.3514, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 10/29/2010 10:02:44 AM | Computer Name = K988 | Source = EventSystem | ID = 4614
Description = The COM+ Event System detected an inconsistency in its internal state.
The assertion "GetLastError() == 122L" failed at line 162 of d:\comxp_sp3\com\com1x\src\events\shared\sectools.cpp.
Please contact Microsoft Product Support Services to report this erro

Error - 10/29/2010 8:19:44 PM | Computer Name = K988 | Source = Application Hang | ID = 1002
Description = Hanging application Xspcv2x.exe, version 0.0.0.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 10/29/2010 8:19:48 PM | Computer Name = K988 | Source = Application Hang | ID = 1001
Description = Fault bucket 05701387.

Error - 10/29/2010 8:36:33 PM | Computer Name = K988 | Source = Application Hang | ID = 1002
Description = Hanging application Xspcv2x.exe, version 0.0.0.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 10/29/2010 10:02:42 AM | Computer Name = K988 | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 14 minutes. NtpClient has no source of accurate
time.

Error - 10/29/2010 10:02:42 AM | Computer Name = K988 | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
again in 15 minutes. The error was: A socket operation was attempted to an unreachable
host. (0x80072751)

Error - 10/29/2010 10:02:42 AM | Computer Name = K988 | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 15 minutes. NtpClient has no source of accurate
time.

Error - 10/29/2010 10:02:52 AM | Computer Name = K988 | Source = Service Control Manager | ID = 7022
Description = The avast! Antivirus service hung on starting.

Error - 10/29/2010 10:02:52 AM | Computer Name = K988 | Source = Service Control Manager | ID = 7006
Description = The ScRegSetValueExW call failed for FailureActions with the following
error: %%5

Error - 10/29/2010 10:02:52 AM | Computer Name = K988 | Source = Service Control Manager | ID = 7006
Description = The ScRegSetValueExW call failed for FailureActions with the following
error: %%5

Error - 10/29/2010 10:02:52 AM | Computer Name = K988 | Source = Service Control Manager | ID = 7006
Description = The ScRegSetValueExW call failed for FailureActions with the following
error: %%5

Error - 10/29/2010 10:05:18 AM | Computer Name = K988 | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
again in 15 minutes. The error was: A socket operation was attempted to an unreachable
host. (0x80072751)

Error - 10/29/2010 10:05:18 AM | Computer Name = K988 | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 14 minutes. NtpClient has no source of accurate
time.

Error - 10/31/2010 10:21:08 AM | Computer Name = K988 | Source = Service Control Manager | ID = 7000
Description = The SASDIFSV service failed to start due to the following error: %%183


< End of report >

#4 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:43 AM

Posted 03 November 2010 - 05:30 PM

Hello, k988.

Since you can't run GMER, please do these:




Registry Cleaner Warning


I also see that you have a registry cleaner installed (in your case RegScrubXP). Here at BC, we do not recommend using registry cleaners. If you do use it, make sure to use a tool like ERUNT to back up your registry first. Merely backing it up yourself via regedit wont' help you if you can't boot up as a result!

See here for more information:
http://www.bleepingcomputer.com/forums/index.php?showtopic=238799&st=0&p=1326578&#entry1326578












Step 1

Scan With RKUnHooker

  • Please Rootkit Unhooker and save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers, Stealth. Uncheck the rest. then Click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.

Copy the entire contents of the report and paste it in a reply here.

Note** you may get this warning it is ok, just ignore

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"




Step 2

Please download MBRCheck by ad_13 and save it to your desktop.

Double-click to run. A window will pop up. If it says 'non-standard' or 'infected' MBR code detected, please type 3 for Exit for now and press Enter.

It will save a logfile on your desktop that starts with MBR, then has the date, etc. Please copy and paste the contents of that log in your reply.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 


#5 k988

k988
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  •  
  • Local time:12:43 AM

Posted 04 November 2010 - 08:22 PM

Uh, not sure how to tell you this, but power outage at the house last night has everything working again. Not getting browser redirects from pages, so maybe the router just needed to be reset again/for longer period of time. Logs below


MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000003d

Kernel Drivers (total 137):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x806EE000 \WINDOWS\system32\hal.dll
0xF8A37000 \WINDOWS\system32\KDCOM.DLL
0xF8947000 \WINDOWS\system32\BOOTVID.dll
0xF84E8000 ACPI.sys
0xF8A39000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF84D7000 pci.sys
0xF8537000 isapnp.sys
0xF8547000 ohci1394.sys
0xF8557000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xF8AFF000 pciide.sys
0xF87B7000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF8567000 MountMgr.sys
0xF84B8000 ftdisk.sys
0xF8A3B000 dmload.sys
0xF8492000 dmio.sys
0xF87BF000 PartMgr.sys
0xF8577000 VolSnap.sys
0xF847A000 atapi.sys
0xF8587000 disk.sys
0xF8597000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF845A000 fltMgr.sys
0xF8448000 sr.sys
0xF85A7000 PxHelp20.sys
0xF8431000 KSecDD.sys
0xF83A4000 Ntfs.sys
0xF8377000 NDIS.sys
0xF835D000 Mup.sys
0xF8617000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF81C6000 \SystemRoot\system32\DRIVERS\ialmnt5.sys
0xF81B2000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF8817000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF818E000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF881F000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF815A000 \SystemRoot\system32\DRIVERS\HSFHWBS2.sys
0xF8137000 \SystemRoot\system32\DRIVERS\ks.sys
0xF8038000 \SystemRoot\system32\DRIVERS\HSF_DP.sys
0xF7F91000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
0xF8827000 \SystemRoot\System32\Drivers\Modem.SYS
0xF882F000 \SystemRoot\system32\DRIVERS\fdc.sys
0xF8627000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF8837000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF8637000 \SystemRoot\system32\DRIVERS\serial.sys
0xF89D3000 \SystemRoot\system32\DRIVERS\serenum.sys
0xF7F7D000 \SystemRoot\system32\DRIVERS\parport.sys
0xF8647000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF8657000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF8667000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF7F3D000 \SystemRoot\system32\drivers\smwdm.sys
0xF7F19000 \SystemRoot\system32\drivers\portcls.sys
0xF8677000 \SystemRoot\system32\drivers\drmk.sys
0xF7E66000 \SystemRoot\system32\drivers\senfilt.sys
0xF8BE4000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF8687000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF89DB000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF7E4F000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF8697000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF86A7000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF883F000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF7E3D000 \SystemRoot\system32\DRIVERS\psched.sys
0xF86B7000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF8847000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF884F000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF7D6D000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xF86F7000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF8857000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF8A53000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF7D0F000 \SystemRoot\system32\DRIVERS\update.sys
0xF89F7000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF8747000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF8767000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF8A61000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF8320000 \SystemRoot\system32\drivers\MODEMCSA.sys
0xF887F000 \SystemRoot\system32\DRIVERS\flpydisk.sys
0xF8310000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF8B3D000 \SystemRoot\System32\Drivers\Null.SYS
0xF8A71000 \SystemRoot\System32\Drivers\Beep.SYS
0xF888F000 \SystemRoot\System32\drivers\vga.sys
0xF8A73000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF8A75000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF8897000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF889F000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF830C000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xEFC0C000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xEFBB3000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xF87A7000 \SystemRoot\System32\Drivers\aswTdi.SYS
0xEFB8B000 \SystemRoot\system32\DRIVERS\netbt.sys
0xEFB69000 \SystemRoot\System32\drivers\afd.sys
0xF85C7000 \SystemRoot\system32\DRIVERS\netbios.sys
0xEFB47000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
0xF88A7000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
0xEFB1C000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xEFAAC000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF85D7000 \SystemRoot\System32\Drivers\Fips.SYS
0xEFA86000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xF85E7000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xEFA37000 \SystemRoot\System32\Drivers\aswSP.SYS
0xF88B7000 \SystemRoot\System32\Drivers\Aavmker4.SYS
0xF8607000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xF88C7000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xF88CF000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0xF7DDD000 \SystemRoot\system32\DRIVERS\emOEM.sys
0xEF93E000 \SystemRoot\system32\DRIVERS\emBDA.sys
0xF8A07000 \SystemRoot\system32\DRIVERS\BdaSup.SYS
0xF88D7000 \SystemRoot\system32\drivers\emAudio.sys
0xF8A0B000 \SystemRoot\system32\DRIVERS\wdcsam.sys
0xEF92C000 \SystemRoot\system32\DRIVERS\netusbxp.sys
0xEFC53000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xF7DCD000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xF88F7000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xEFA6E000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xEF8EC000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF8ACB000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xEFA5E000 \SystemRoot\System32\drivers\Dxapi.sys
0xF892F000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF8C1F000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF020000 \SystemRoot\System32\ialmdnt5.dll
0xBF012000 \SystemRoot\System32\ialmrnt5.dll
0xBF042000 \SystemRoot\System32\ialmdev5.DLL
0xBF077000 \SystemRoot\System32\ialmdd5.DLL
0xEFA7A000 \SystemRoot\System32\Drivers\aswFsBlk.SYS
0xEF7B8000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xEF8B4000 \SystemRoot\system32\DRIVERS\rspndr.sys
0xEF565000 \SystemRoot\System32\Drivers\aswMon2.SYS
0xEF504000 \SystemRoot\System32\Drivers\Udfs.SYS
0xEF4E0000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xEF194000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xEF17F000 \SystemRoot\system32\drivers\wdmaud.sys
0xEF378000 \SystemRoot\system32\drivers\sysaudio.sys
0xEF121000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xEEFB9000 \SystemRoot\system32\DRIVERS\srv.sys
0xEEC30000 \SystemRoot\System32\Drivers\HTTP.sys
0xF880F000 \SystemRoot\System32\Drivers\aswRdr.SYS
0xEEA72000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 26):
0 System Idle Process
4 System
376 C:\WINDOWS\system32\smss.exe
628 csrss.exe
652 C:\WINDOWS\system32\winlogon.exe
696 C:\WINDOWS\system32\services.exe
708 C:\WINDOWS\system32\lsass.exe
860 C:\WINDOWS\system32\svchost.exe
960 svchost.exe
1000 C:\WINDOWS\system32\svchost.exe
1144 svchost.exe
1296 svchost.exe
1468 C:\WINDOWS\explorer.exe
1636 C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
1780 C:\WINDOWS\system32\hkcmd.exe
1788 C:\WINDOWS\system32\igfxpers.exe
1796 C:\Program Files\Alwil Software\Avast5\AvastUI.exe
1864 C:\WINDOWS\system32\ctfmon.exe
812 C:\WINDOWS\system32\spoolsv.exe
1180 svchost.exe
1568 C:\WINDOWS\system32\svchost.exe
2788 alg.exe
204 C:\Program Files\Microsoft Office\Office\WINWORD.EXE
1292 C:\Program Files\QuickTime\QuickTimePlayer.exe
3480 C:\Program Files\Mozilla Firefox\firefox.exe
1388 C:\Documents and Settings\User\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\F: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: WDCWD800BB-75JHC0, Rev: 06.01C06
PhysicalDrive1 Model Number: WDMy Passport 070A, Rev: 1028

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
232 GB \\.\PhysicalDrive1 RE: Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!



RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #1
==============================================
>Drivers
==============================================
0x804D7000 C:\WINDOWS\system32\ntoskrnl.exe 2190080 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2190080 bytes
0x804D7000 RAW 2190080 bytes
0x804D7000 WMIxWDM 2190080 bytes
0xBF800000 Win32k 1863680 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1863680 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xF81C6000 C:\WINDOWS\system32\DRIVERS\ialmnt5.sys 1302528 bytes (Intel Corporation, Intel Graphics Miniport Driver)
0xF8038000 C:\WINDOWS\system32\DRIVERS\HSF_DP.sys 1044480 bytes (Conexant Systems, Inc., HSF_DP driver)
0xBF077000 C:\WINDOWS\System32\ialmdd5.DLL 925696 bytes (Intel Corporation, DirectDraw® Driver for Intel® Graphics Technology)
0xF7E66000 C:\WINDOWS\system32\drivers\senfilt.sys 733184 bytes (Creative Technology Ltd., Creative WDM Audio Driver)
0xF7F91000 C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys 684032 bytes (Conexant Systems, Inc., HSF_CNXT driver)
0xF83A4000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xEFAAC000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xF7D0F000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xEF93E000 C:\WINDOWS\system32\DRIVERS\emBDA.sys 364544 bytes (eMPIA Technology, Inc., USB 28xx BDA Driver)
0xEFBB3000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xEEFB9000 C:\WINDOWS\system32\DRIVERS\srv.sys 360448 bytes (Microsoft Corporation, Server driver)
0xEEC30000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xF7F3D000 C:\WINDOWS\system32\drivers\smwdm.sys 262144 bytes (Analog Devices, Inc., SoundMAX Integrated Digital Audio )
0xBF042000 C:\WINDOWS\System32\ialmdev5.DLL 217088 bytes (Intel Corporation, Component GHAL Driver)
0xF815A000 C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys 212992 bytes (Conexant Systems, Inc., HSF_HWB2 WDM driver)
0xF7D6D000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xF84E8000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xF8377000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xEF194000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 180224 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xEEA72000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xEFB1C000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xEFB8B000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xEFA37000 C:\WINDOWS\System32\Drivers\aswSP.SYS 159744 bytes (AVAST Software, avast! self protection module)
0xF8492000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
0xEFA86000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xEF4E0000 C:\WINDOWS\System32\Drivers\Fastfat.SYS 147456 bytes (Microsoft Corporation, Fast FAT File System Driver)
0xF7F19000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xF818E000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xF8137000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xEFB69000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0xBF020000 C:\WINDOWS\System32\ialmdnt5.dll 139264 bytes (Intel Corporation, Controller Hub for Intel Graphics Driver)
0xEFB47000 C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS 139264 bytes (SUPERAdBlocker.com and SUPERAntiSpyware.com, SASKUTIL.SYS)
0x806EE000 ACPI_HAL 131968 bytes
0x806EE000 C:\WINDOWS\system32\hal.dll 131968 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xF845A000 fltMgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xF84B8000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xF835D000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xF847A000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xEF8EC000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xEF565000 C:\WINDOWS\System32\Drivers\aswMon2.SYS 94208 bytes (AVAST Software, avast! File System Filter Driver for Windows XP)
0xF8431000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xF7E4F000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xEF17F000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xF7F7D000 C:\WINDOWS\system32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)
0xF81B2000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xEFC0C000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xEF92C000 C:\WINDOWS\system32\DRIVERS\netusbxp.sys 73728 bytes (The LinkSys Group, Inc., NDIS 5.1 driver)
0xF7E3D000 C:\WINDOWS\system32\DRIVERS\psched.sys 73728 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xF8448000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xF84D7000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xEF504000 C:\WINDOWS\System32\Drivers\Udfs.SYS 69632 bytes (Microsoft Corporation, UDF File System Driver)
0xF8607000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xF8657000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xF8547000 ohci1394.sys 65536 bytes (Microsoft Corporation, 1394 OpenHCI Port Driver)
0xEF8B4000 C:\WINDOWS\system32\DRIVERS\rspndr.sys 65536 bytes (Microsoft Corporation, Link-Layer Topology Responder Driver for NDIS 6)
0xF8637000 C:\WINDOWS\system32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
0xF8677000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xF8667000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xEF378000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xF8767000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xF8557000 C:\WINDOWS\system32\DRIVERS\1394BUS.SYS 57344 bytes (Microsoft Corporation, 1394 Bus Device Driver)
0xBF012000 C:\WINDOWS\System32\ialmrnt5.dll 57344 bytes (Intel Corporation, Controller Hub for Intel Graphics Driver)
0xF8597000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xF8627000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xF8687000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xF8577000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xF86A7000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xF85D7000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xF8647000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xF8567000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xF8697000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xF87A7000 C:\WINDOWS\System32\Drivers\aswTdi.SYS 40960 bytes (AVAST Software, avast! TDI Filter Driver)
0xF7DDD000 C:\WINDOWS\system32\DRIVERS\emOEM.sys 40960 bytes (eMPIA Technology, Inc., USB 28xx BDA Lower filter)
0xF8537000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xF8747000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xF85A7000 PxHelp20.sys 40960 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0xF86F7000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xF8587000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xF7DCD000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xF8617000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xF86B7000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xF85C7000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xEF278000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xF85E7000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xF8827000 C:\WINDOWS\System32\Drivers\Modem.SYS 32768 bytes (Microsoft Corporation, Modem Device Driver)
0xF889F000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xF88C7000 C:\WINDOWS\system32\DRIVERS\usbccgp.sys 32768 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
0xF881F000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xF882F000 C:\WINDOWS\system32\DRIVERS\fdc.sys 28672 bytes (Microsoft Corporation, Floppy Disk Controller Driver)
0xF88F7000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xF87B7000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xF88CF000 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 28672 bytes (Microsoft Corporation, USB Mass Storage Class Driver)
0xF88B7000 C:\WINDOWS\System32\Drivers\Aavmker4.SYS 24576 bytes (AVAST Software, avast! Base Kernel-Mode Device Driver for Windows NT/2000/XP)
0xF88D7000 C:\WINDOWS\system32\drivers\emAudio.sys 24576 bytes (eMPIA Technology, Inc., USB EMP Audio Device)
0xF8837000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xF8857000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xF88A7000 C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS 24576 bytes (SUPERAdBlocker.com and SUPERAntiSpyware.com, SASDIFSV.SYS)
0xF8817000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xF888F000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xF880F000 C:\WINDOWS\System32\Drivers\aswRdr.SYS 20480 bytes (AVAST Software, avast! TDI RDR Driver)
0xF887F000 C:\WINDOWS\system32\DRIVERS\flpydisk.sys 20480 bytes (Microsoft Corporation, Floppy Driver)
0xF8897000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xF87BF000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xF8847000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xF884F000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xF883F000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xF892F000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xF8320000 C:\WINDOWS\system32\drivers\MODEMCSA.sys 16384 bytes (Microsoft Corporation, Unimodem CSA Filter)
0xF89F7000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xEF7B8000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xF89D3000 C:\WINDOWS\system32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
0xEFA7A000 C:\WINDOWS\System32\Drivers\aswFsBlk.SYS 12288 bytes (AVAST Software, avast! File System Access Blocking Driver)
0xF8A07000 C:\WINDOWS\system32\DRIVERS\BdaSup.SYS 12288 bytes (Microsoft Corporation, Microsoft BDA Driver Support Library)
0xF8947000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xEFA5E000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xF8310000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 12288 bytes (Microsoft Corporation, File System Recognizer Driver)
0xEFC53000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xEF121000 C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys 12288 bytes (Conexant, Diagnostic Interface DRIVER)
0xEFA6E000 C:\WINDOWS\system32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xF89DB000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xF830C000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xF8A0B000 C:\WINDOWS\system32\DRIVERS\wdcsam.sys 12288 bytes (Western Digital Technologies, WD SCSI Architecture Model (SAM) driver)
0xF8A71000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xF8A3B000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)
0xF8ACB000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xF8A37000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xF8A73000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xF8A75000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xF8A53000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xF8A61000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xF8A39000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xF8BE4000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xF8C1F000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xF8B3D000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xF8AFF000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
==============================================
>Stealth
==============================================

#6 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:43 AM

Posted 05 November 2010 - 05:53 PM

Hello, k988.

Which makes sense given the log results. Did you put a strong password on it? Let's do that before we proceed. Do you know how to do that? It will keep malware from infected it by using the default password.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 


#7 k988

k988
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  •  
  • Local time:12:43 AM

Posted 05 November 2010 - 07:34 PM

Strong password would be 8-10 characters, letters+numbers (right?) The new password has that

Also set up the router for 128-bit WEP - encrypted password

Thanks for your help here :)

Edited by k988, 05 November 2010 - 07:48 PM.


#8 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:43 AM

Posted 06 November 2010 - 09:55 AM

Hello, k988.

Sounds like a good password to me. Let's ensure your system is clean.



Step 1

Install ERUNT
This tool will create a complete backup of your registry. After every reboot, a new backup is created to ensure we have a safety net after each step. Do not delete these backups until we are finished.
  • Please download erunt-setup.exe to your desktop.
  • Double click erunt-setup.exe. Follow the prompts and allow ERUNT to be installed with the settings at default. If you do not want a Desktop icon, feel free to uncheck that. When asked if you want to create an ERUNT entry in the startup folder, answer Yes. You can delete the installation file after use.
  • Erunt will open when the installation is finished. Check all items to be backed up in the default location and click OK.

You can find a complete guide to using the program here:
http://www.larshederer.homepage.t-online.de/erunt/erunt.txt

When we are finished with fixing your computer (I will make it clear when we are), you can uninstall ERUNT through Add/Remove Programs. The backups will be stored at C:\WINDOWS\erdnt, and will not be deleted when ERUNT is uninstalled.



Step 2

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.



Step 3

We need run an OTL Script
  • Please download OTL from one of the following mirrors if you do not still have it.
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Paste the following code under the Custom Scans/Fixes box at the bottom. Do not include the word "Code".
    O13 - gopher Prefix: missing
    O20 - Winlogon\Notify\RailNotification: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
    @Alternate Data Stream - 95 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
    
  • Click the Run Fix button at the top.
  • let the program run unhindered and reboot when it is done.
  • You will get a log when it is done, please post that in your reply.
  • Please then create a new OTL report....
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • A report will open, copy and paste it in a reply here.



Step 4

Please go to the Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    Spyware, Adware, Dialers, and other potentially dangerous programs
    Archives
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.

Note: Kaspersky online scan may take time to complete, please be patient.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 


#9 k988

k988
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  •  
  • Local time:12:43 AM

Posted 08 November 2010 - 04:56 PM

Hey, Kaspersky didn't find anything, and didn't give me a log, just a blank black window where the log should've been; the "Save Report" button was grayed out.

Error: Unable to interpret <O13 - gopher Prefix: missing> in the current context!
Error: Unable to interpret <O20 - Winlogon\Notify\RailNotification: DllName - Reg Error: Value error. - Reg Error: Value error. File not found> in the current context!
Error: Unable to interpret <@Alternate Data Stream - 95 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34> in the current context!

OTL by OldTimer - Version 3.2.17.3 log created on 11082010_105316



OTL logfile created on: 11/8/2010 10:54:10 AM - Run 2
OTL by OldTimer - Version 3.2.17.3 Folder = C:\Documents and Settings\User\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

510.00 Mb Total Physical Memory | 213.00 Mb Available Physical Memory | 42.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 81.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.50 Gb Total Space | 61.79 Gb Free Space | 82.94% Space Free | Partition Type: NTFS
Drive E: | 446.77 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: UDF
Drive F: | 232.23 Gb Total Space | 40.00 Gb Free Space | 17.23% Space Free | Partition Type: NTFS

Computer Name: K988 | User Name: User | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2010/11/08 10:52:01 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User\My Documents\Downloads\OTL.exe
PRC - [2010/10/29 19:50:12 | 000,912,344 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/09/07 10:12:02 | 002,838,912 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastUI.exe
PRC - [2010/09/07 10:11:59 | 000,040,384 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
PRC - [2010/03/17 22:28:24 | 001,230,128 | ---- | M] (Apple Inc.) -- C:\Program Files\QuickTime\QuickTimePlayer.exe
PRC - [2009/12/02 16:21:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [1996/11/20 23:00:00 | 000,111,376 | ---- | M] () -- C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
PRC - [1996/11/20 23:00:00 | 000,051,984 | ---- | M] () -- C:\Program Files\Microsoft Office\Office\OSA.EXE


========== Modules (SafeList) ==========

MOD - [2010/11/08 10:52:01 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User\My Documents\Downloads\OTL.exe
MOD - [2010/08/23 11:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
MOD - [2008/05/13 12:13:36 | 000,077,824 | ---- | M] (SuperAdBlocker.com) -- C:\Program Files\SUPERAntiSpyware\SASSEH.DLL


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
SRV - [2010/09/07 10:11:59 | 000,040,384 | ---- | M] (AVAST Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Web Scanner)
SRV - [2010/09/07 10:11:59 | 000,040,384 | ---- | M] (AVAST Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Mail Scanner)
SRV - [2010/09/07 10:11:59 | 000,040,384 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)


========== Driver Services (SafeList) ==========

DRV - [2010/09/07 09:52:25 | 000,046,672 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2010/09/07 09:52:03 | 000,165,584 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2010/09/07 09:47:46 | 000,023,376 | ---- | M] (AVAST Software) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2010/09/07 09:47:19 | 000,100,176 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2010/09/07 09:47:07 | 000,017,744 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2010/09/07 09:46:51 | 000,028,880 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2010/05/10 13:41:30 | 000,067,656 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010/02/17 13:25:48 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2009/12/02 16:27:17 | 000,009,472 | ---- | M] (Microsoft Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\dumpdrv.sys -- (DumpDrv)
DRV - [2009/02/13 14:02:52 | 000,011,520 | R--- | M] (Western Digital Technologies) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\wdcsam.sys -- (WDC_SAM)
DRV - [2008/04/14 04:16:24 | 000,015,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\MPE.sys -- (MPE)
DRV - [2008/04/14 04:16:22 | 000,048,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\61883.sys -- (61883)
DRV - [2008/04/14 04:16:22 | 000,038,912 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\avc.sys -- (Avc)
DRV - [2008/04/14 04:16:10 | 000,051,200 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\msdv.sys -- (MSDV)
DRV - [2008/04/14 04:15:14 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2007/01/29 19:20:04 | 000,361,728 | ---- | M] (eMPIA Technology, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\emBDA.sys -- (USB28xxBGA)
DRV - [2007/01/29 19:19:48 | 000,039,680 | ---- | M] (eMPIA Technology, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\emOEM.sys -- (USB28xxOEM)
DRV - [2007/01/12 15:55:24 | 000,022,912 | ---- | M] (eMPIA Technology, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\emAudio.sys -- (emAudio)
DRV - [2006/08/15 10:48:00 | 000,732,928 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt)
DRV - [2003/11/17 14:59:20 | 000,212,224 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys -- (HSFHWBS2)
DRV - [2003/11/17 14:58:02 | 000,680,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2003/11/17 14:56:26 | 001,042,432 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)
DRV - [2002/02/19 13:34:18 | 000,072,576 | R--- | M] (The LinkSys Group, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\netusbxp.sys -- (USBNET_XP)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-725345543-1060284298-1547161642-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/firefox
IE - HKU\S-1-5-21-725345543-1060284298-1547161642-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKU\S-1-5-21-725345543-1060284298-1547161642-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\S-1-5-21-725345543-1060284298-1547161642-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 7E AD 05 50 36 58 CB 01 [binary data]
IE - HKU\S-1-5-21-725345543-1060284298-1547161642-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {73a6fe31-595d-460b-a920-fcc0f8843232}:2.0.4

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/10/31 09:24:30 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/10/29 19:50:26 | 000,000,000 | ---D | M]

[2010/06/11 13:40:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Mozilla\Extensions
[2010/11/07 10:57:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\lyvfk7du.default\extensions
[2010/10/29 19:36:18 | 000,000,000 | ---D | M] (NoScript) -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\lyvfk7du.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
[2010/08/24 19:53:19 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/08/24 19:38:42 | 000,423,656 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2010/09/29 14:53:39 | 000,620,296 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\HOSTS
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 fr.a2dfp.net
O1 - Hosts: 127.0.0.1 m.fr.a2dfp.net
O1 - Hosts: 127.0.0.1 ad.a8.net
O1 - Hosts: 127.0.0.1 asy.a8ww.net
O1 - Hosts: 127.0.0.1 abcstats.com
O1 - Hosts: 127.0.0.1 a.abv.bg
O1 - Hosts: 127.0.0.1 adserver.abv.bg
O1 - Hosts: 127.0.0.1 adv.abv.bg
O1 - Hosts: 127.0.0.1 bimg.abv.bg
O1 - Hosts: 127.0.0.1 ca.abv.bg
O1 - Hosts: 127.0.0.1 www2.a-counter.kiev.ua
O1 - Hosts: 127.0.0.1 track.acclaimnetwork.com
O1 - Hosts: 127.0.0.1 accuserveadsystem.com
O1 - Hosts: 127.0.0.1 www.accuserveadsystem.com
O1 - Hosts: 127.0.0.1 achmedia.com
O1 - Hosts: 127.0.0.1 aconti.net
O1 - Hosts: 127.0.0.1 secure.aconti.net
O1 - Hosts: 127.0.0.1 www.aconti.net #[Dialer.Aconti]
O1 - Hosts: 127.0.0.1 ads.active.com
O1 - Hosts: 127.0.0.1 am1.activemeter.com
O1 - Hosts: 127.0.0.1 www.activemeter.com #[Tracking.Cookie]
O1 - Hosts: 127.0.0.1 ads.activepower.net
O1 - Hosts: 127.0.0.1 stat.active24stats.nl #[Tracking.Cookie]
O1 - Hosts: 127.0.0.1 ad2games.com
O1 - Hosts: 16355 more lines...
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\avastUI.exe (AVAST Software)
O4 - Startup: C:\Documents and Settings\User\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()
O4 - Startup: C:\Documents and Settings\User\Start Menu\Programs\Startup\Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE ()
O4 - Startup: C:\Documents and Settings\User\Start Menu\Programs\Startup\Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-725345543-1060284298-1547161642-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O13 - gopher Prefix: missing
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O20 - Winlogon\Notify\RailNotification: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O24 - Desktop WallPaper: C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/06/04 18:14:35 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2009/06/18 16:12:18 | 000,000,088 | R--- | M] () - E:\autorun.inf -- [ UDF ]
O33 - MountPoints2\{7ff8e0c2-718c-11df-88eb-00132055dc11}\Shell - "" = AutoRun
O33 - MountPoints2\{7ff8e0c2-718c-11df-88eb-00132055dc11}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{7ff8e0c2-718c-11df-88eb-00132055dc11}\Shell\AutoRun\command - "" = E:\WD SmartWare.exe -- [2009/08/17 12:53:00 | 002,770,432 | R--- | M] (Western Digital)
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/11/08 10:53:16 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/11/07 22:40:20 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/11/07 22:19:28 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/11/05 20:13:39 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\NtmsData
[2010/10/28 17:25:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\ElevatedDiagnostics
[2010/10/24 21:43:27 | 000,000,000 | ---D | C] -- C:\Program Files\Everything
[2010/10/21 18:06:13 | 000,000,000 | ---D | C] -- C:\Program Files\RegScrubXP
[2010/10/18 14:58:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\SUPERAntiSpyware.com
[2010/10/18 14:58:38 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/11/08 10:45:18 | 000,012,598 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/11/08 10:44:33 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/11/08 10:44:32 | 534,827,008 | -HS- | M] () -- C:\hiberfil.sys
[2010/11/07 22:43:25 | 000,921,600 | -H-- | M] () -- C:\ffastun0.ffx
[2010/11/07 22:43:25 | 000,188,416 | -H-- | M] () -- C:\ffastun.ffl
[2010/11/07 22:43:25 | 000,077,824 | -H-- | M] () -- C:\ffastun.ffo
[2010/11/07 22:43:25 | 000,004,795 | -H-- | M] () -- C:\ffastun.ffa
[2010/11/07 22:40:23 | 000,000,767 | ---- | M] () -- C:\Documents and Settings\User\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2010/11/07 08:42:35 | 000,441,124 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/11/07 08:42:35 | 000,071,060 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/11/06 10:19:44 | 000,028,672 | ---- | M] () -- C:\Documents and Settings\User\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/10/29 09:02:45 | 000,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010/10/23 07:47:15 | 000,110,992 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/10/12 21:39:39 | 000,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/11/07 22:40:23 | 000,000,767 | ---- | C] () -- C:\Documents and Settings\User\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2010/10/25 10:22:48 | 534,827,008 | -HS- | C] () -- C:\hiberfil.sys
[2010/06/11 16:03:45 | 000,000,611 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2010/06/11 16:03:45 | 000,000,022 | ---- | C] () -- C:\WINDOWS\exchng.ini
[2010/06/11 10:38:01 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\PsisDecd.dll
[2010/06/06 11:59:49 | 000,028,672 | ---- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/06/05 10:14:13 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2010/06/04 13:53:28 | 000,004,346 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2009/12/03 10:28:51 | 000,210,944 | ---- | C] () -- C:\WINDOWS\System32\msvcrt10.dll
[1996/11/20 23:00:00 | 000,022,016 | ---- | C] () -- C:\WINDOWS\System32\ODBCSTF.DLL
[1996/11/20 23:00:00 | 000,022,016 | ---- | C] () -- C:\WINDOWS\System32\DOCOBJ.DLL
[1996/11/20 23:00:00 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\HLINKPRX.DLL

========== Alternate Data Streams ==========

@Alternate Data Stream - 95 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34

< End of report >



Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5069

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

11/7/2010 10:31:29 PM
mbam-log-2010-11-07 (22-31-29).txt

Scan type: Quick scan
Objects scanned: 140560
Time elapsed: 9 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#10 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:43 AM

Posted 08 November 2010 - 07:12 PM

Hello, k988.

OK, the script didn't work (my fault), but it's not a big deal. It looks like it was just your router, so that's good news.


Ok, good news. Your log appears clean. Let's clean up our mess. If your computer is running well; please do the steps listed below. At the end, I've also listed a few completely optional things you can do to further secure your computer. Safe surfing!



Step 1

Next, we need to remove the other tools we have used.
  • Please download OTC by OldTimer and save it to you desktop
  • If that link doesn't work, try this one.
  • Doubleclick the Posted Image icon to start the program.
  • Then, click the big Posted Image button.
  • You will get a prompt saying Begin Cleanup Process. Click Yes.
  • Restart your computer when prompted.



Step 2

We need to purge your system restore so malware is not accidently restored. First, let's create a new restore point.
  • Go to Start --> All Programs --> Accessories --> System Tools --> System Restore.
  • Select Create a Restore Point and click Next.
  • Give the restore point a name and press create.
  • You'll see it work, then say that it was created sucessfully. Click Close.


Now, we need to remove the old, infected points using DiskCleanup.
  • Click on Start --> Run.
  • Type in cleanmgr into the run box and hit OK.
  • Select C: and press OK
  • Select the More Options tab.
  • Click on Clean up in the System Restore section..
  • Click OK.
  • You'll get a couple of prompts asking if you're sure you want do to this, select Yes and OK for them.
  • Disk cleanup will remove the old restore points that included the malware.

If you ran Defogger and disabled your emulator, please don't forget to run it again and reenable it. See the instructions here to do so.


Optional Items

Please take the time to read below to secure your machine and take the necessary steps to keep it that way.


System Still Slow?
You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve preformance. If you are running Windows Vista or Windows 7, please right-click on the icon, and select "Run As Administrator"; otherwise it won't work.
If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware

Protect yourself from malicious sites

The HOSTS file can protect you from connecting to bad sites. See The Hosts File and what it can do for you for more background.

Please download HostMan. It safeguards you with a regularly updated Hosts-file that blocks dangerous sites from opening. This adds another bit of safety while surfing the Internet. For installlation and setting up, follow these steps:
  • Double-click the Downloaded installer and install the tool to a location of your choice
  • Via the Startmenu, navigate to HostsMan and run the program.
    • Click "Hosts" in the menu
    • Click "Manage Updates" in the submenu
    • Out of the three, select atleast one of the three (I have MVPS Host as my main one)
    • Click "Add Update." After that you will only need to click on the following button to retrieve updates:
      Posted Image
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.


Keep Windows Up to Date
It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.



Update your AntiVirus Software

It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the programs virus definitions.


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerability that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Use a Firewall

I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls

Install an AntiSpyware Program

A highly recommended AntiSpyware program isMalwarebytes Anti-Malware. You can download the free version..

Installing this program will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis just as you would an antivirus software.

Update all these programs regularly
Make sure you update all your programs regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Good luck!

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 


#11 k988

k988
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  •  
  • Local time:12:43 AM

Posted 09 November 2010 - 09:59 PM

I did step 1, but clicking the link for "DiskCleanup" (in Step 2) leads to a 404 message

#12 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:43 AM

Posted 10 November 2010 - 07:18 PM

I'll have to update that link. The instructions below tell you how to do it, that link explained more about the tool with screenshots. Just follow the steps below that link and you'll be good to go.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 


#13 k988

k988
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  •  
  • Local time:12:43 AM

Posted 11 November 2010 - 03:56 PM

Okay, I cleaned up old restore points. Thanks for the links, especially the Startup Lite (I already had most of the other stuff). But that's it, I'm not getting anymore redirects or anything. I think we're all done here.

Thanks again for your help :)

#14 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:43 AM

Posted 11 November 2010 - 06:41 PM

No problem, safe surfing!


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 


#15 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:43 AM

Posted 17 November 2010 - 06:42 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you are the topic starter, and need this topic reopened, please contact me via PM with the address of this thread.

Everyone else please begin a new topic.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users