Infected with Antivirus 8


  • This topic is locked
24 replies to this topic

#1 commonalias

  • Members
  • 38 posts
  • Gender:Male
  • Location:Ft. Lauderdale, Florida

Posted 21 December 2010 - 07:57 PM

I have paid for SpyHunter and Spyware Doctor, neither have been able to clean the computer. I have recently used your article, "Remove Antivirus Scan (Uninstall Guide)," which brings us up to now.

Half the time, a new browser is blocked from a site called "www.microsoftblacklists," (see attached screen shot). Random pop-up ads occur often.

A "File too big" error message occurred attaching the Ark.txt file. I will try to add to this post momentarily. Thanks for all you do!!!


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-12-12.02)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 7/6/2010 4:18:18 PM
System Uptime: 12/21/2010 7:17:26 PM (0 hours ago)

Motherboard: ASUSTek Computer INC. | | LEONITE
Processor: Intel® Core™2 CPU 4400 @ 2.00GHz | Socket 775 | 2000/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 233 GiB total, 185.607 GiB free.
D: is CDROM ()
E: is Removable
F: is Removable
G: is Removable
H: is Removable

==== Disabled Device Manager Items =============

Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Description: Beep
Device ID: ROOT\LEGACY_BEEP\0000
Manufacturer:
Name: Beep
PNP Device ID: ROOT\LEGACY_BEEP\0000
Service: Beep

==== System Restore Points ===================

RP71: 9/19/2010 9:50:43 AM - Software Distribution Service 3.0
RP72: 9/21/2010 5:07:33 PM - Software Distribution Service 3.0
RP73: 9/22/2010 7:06:19 PM - Software Distribution Service 3.0
RP74: 9/23/2010 9:05:57 PM - Software Distribution Service 3.0
RP75: 9/25/2010 12:08:04 PM - Software Distribution Service 3.0
RP76: 9/26/2010 9:18:54 PM - Software Distribution Service 3.0
RP77: 9/27/2010 9:48:45 PM - Software Distribution Service 3.0
RP78: 9/28/2010 5:48:49 PM - Software Distribution Service 3.0
RP79: 9/30/2010 6:49:43 PM - Software Distribution Service 3.0
RP80: 10/2/2010 10:09:47 AM - Software Distribution Service 3.0
RP81: 10/3/2010 10:58:01 AM - Software Distribution Service 3.0
RP82: 10/5/2010 9:37:06 PM - Software Distribution Service 3.0
RP83: 10/5/2010 11:56:12 PM - Software Distribution Service 3.0
RP84: 10/7/2010 8:32:36 PM - Software Distribution Service 3.0
RP85: 10/8/2010 9:19:39 PM - System Checkpoint
RP86: 10/9/2010 12:21:33 PM - Software Distribution Service 3.0
RP87: 10/10/2010 5:44:32 PM - Software Distribution Service 3.0
RP88: 10/11/2010 9:19:17 PM - Software Distribution Service 3.0
RP89: 10/13/2010 4:58:49 PM - Software Distribution Service 3.0
RP90: 10/13/2010 5:04:44 PM - Software Distribution Service 3.0
RP91: 10/13/2010 11:21:41 PM - Software Distribution Service 3.0
RP92: 10/14/2010 10:27:24 PM - Software Distribution Service 3.0
RP93: 10/16/2010 12:11:14 AM - Software Distribution Service 3.0
RP94: 10/17/2010 9:36:57 AM - Software Distribution Service 3.0
RP95: 10/18/2010 5:10:05 PM - Software Distribution Service 3.0
RP96: 10/19/2010 6:25:47 PM - Software Distribution Service 3.0
RP97: 10/20/2010 6:53:36 PM - Software Distribution Service 3.0
RP98: 10/22/2010 4:40:55 PM - Software Distribution Service 3.0
RP99: 10/23/2010 5:13:31 PM - Software Distribution Service 3.0
RP100: 10/24/2010 8:17:29 PM - Software Distribution Service 3.0
RP101: 10/26/2010 5:27:20 PM - Software Distribution Service 3.0
RP102: 10/27/2010 5:40:50 PM - Software Distribution Service 3.0
RP103: 11/1/2010 11:33:29 PM - Software Distribution Service 3.0
RP104: 11/3/2010 5:43:23 PM - Software Distribution Service 3.0
RP105: 11/3/2010 8:20:20 PM - Removed iTunes
RP106: 11/3/2010 9:01:34 PM - Installed Java™ 6 Update 22
RP107: 11/3/2010 9:14:18 PM - Installed iTunes
RP108: 11/4/2010 10:09:25 PM - Software Distribution Service 3.0
RP109: 11/5/2010 11:38:19 PM - Software Distribution Service 3.0
RP110: 11/7/2010 12:57:57 AM - Software Distribution Service 3.0
RP111: 11/8/2010 6:54:34 PM - Software Distribution Service 3.0
RP112: 11/10/2010 8:40:43 PM - Software Distribution Service 3.0
RP113: 11/10/2010 8:51:35 PM - Software Distribution Service 3.0
RP114: 11/13/2010 1:18:10 AM - Software Distribution Service 3.0
RP115: 11/14/2010 3:11:34 PM - Software Distribution Service 3.0
RP116: 11/15/2010 11:58:41 PM - Software Distribution Service 3.0
RP117: 11/17/2010 8:31:39 PM - Software Distribution Service 3.0
RP118: 11/20/2010 6:52:24 PM - Software Distribution Service 3.0
RP119: 11/21/2010 8:04:06 PM - Software Distribution Service 3.0
RP120: 11/22/2010 9:55:34 PM - Software Distribution Service 3.0
RP121: 11/28/2010 6:39:14 PM - Software Distribution Service 3.0
RP122: 11/30/2010 8:27:39 PM - System Checkpoint
RP123: 12/5/2010 6:41:52 PM - System Checkpoint
RP124: 12/6/2010 8:53:58 PM - System Checkpoint
RP125: 12/7/2010 8:53:09 PM - Installed SpyHunter
RP126: 12/12/2010 11:28:57 AM - System Checkpoint
RP127: 12/12/2010 9:58:44 PM - Installed WinZip 15.0
RP128: 12/17/2010 10:56:32 PM - System Checkpoint
RP129: 12/18/2010 10:31:49 AM - Removed MobileMe Control Panel
RP130: 12/18/2010 10:32:43 AM - Removed WinZip 15.0
RP131: 12/18/2010 10:34:21 AM - Removed iTunes
RP132: 12/18/2010 10:52:10 AM - Installed iTunes
RP133: 12/21/2010 5:56:17 PM - Advanced SystemCare RestorePoint

==== Installed Programs ======================


==== Event Viewer Messages From Past Week ========


==== End Of File ===========================



#2 commonalias
  • Topic Starter
  • Members
  • 38 posts
  • Gender:Male
  • Location:Ft. Lauderdale, Florida

Posted 21 December 2010 - 08:00 PM

.

Edited by commonalias, 21 December 2010 - 08:02 PM.


#3 commonalias
  • Topic Starter
  • Members
  • 38 posts
  • Gender:Male
  • Location:Ft. Lauderdale, Florida

Posted 21 December 2010 - 08:02 PM

Here it is, zipped:

Attached Files

  • Attached File  ark.zip   57.57KB   0 downloads


#4 Elise
    Bleepin' Blonde

  • Malware Study Hall Admin
  • 60,816 posts
  • Gender:Female
  • Location:Romania

Posted 30 December 2010 - 06:33 AM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.
  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Quick Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Please Download Rootkit Unhooker Save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (tick) Drivers and Stealth, uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note - if you get the following warning, just ignore: "Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"

Click on Cancel, then Accept.

-------------------------------------------------------------
In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)
  • RKU log

Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft
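Elise's post asks for an OTL Quick Scan log. In that log the O4 lines are the registry Run-key autoruns, and they are the first thing to triage when a rogue antivirus is suspected; the log commonalias posts in reply #5 contains a textbook case, a GUID-named HKCU Run value pointing at uhlov.exe under Application Data\Ehet. The following Python script is an added example, not part of this thread and not an OTL or BleepingComputer tool: it parses O4 lines and flags the patterns that matter. The sample input is the five O4 lines copied from that log; the scoring heuristics (GUID-shaped value name, binary in a user-writable profile directory, missing target, no publisher name) are my own and are hints for a human reviewer, not verdicts.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input: the O4 (Run key) lines copied from the OTL log posted in reply #5.
SAMPLE_OTL_O4 = r"""
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\ALCMTR.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [ISTray] C:\Program Files\PC Tools Security\pctsGui.exe File not found
O4 - HKCU..\Run: [{1355DCC1-766C-B33E-885D-85C236A1B6CE}] C:\Documents and Settings\user\Application Data\Ehet\uhlov.exe File not found
O4 - HKCU..\Run: [Advanced SystemCare 3] C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe (IObit)
O4 - HKCU..\Run: [Messenger (Yahoo!)] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
"""

# OTL prints registry autoruns as: O4 - <hive>..\<key>: [<value name>] <path> (<company>)
# or, when the target is gone:        O4 - <hive>..\<key>: [<value name>] <path> File not found
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<rest>.*)$")
COMPANY_RE = re.compile(r"^(?P<path>.+?) \((?P<company>[^()]*)\)$")
NOT_FOUND = " File not found"

# Heuristics (assumptions of this example, not OTL's own logic).
GUID_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)
USER_WRITABLE = ("\\application data\\", "\\local settings\\", "\\appdata\\", "\\temp\\")


@dataclass
class Autorun:
    hive: str
    key: str
    name: str
    path: str
    company: Optional[str]
    file_missing: bool
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_o4(line: str) -> Optional[Autorun]:
    """Parse one OTL O4 registry-autorun line; returns None for any other line."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    rest = m["rest"]
    file_missing = rest.endswith(NOT_FOUND)
    company: Optional[str] = None
    if file_missing:
        path = rest[: -len(NOT_FOUND)]
    else:
        cm = COMPANY_RE.match(rest)
        if cm:
            path, company = cm["path"], (cm["company"].strip() or None)
        else:
            path = rest
    return Autorun(m["hive"], m["key"], m["name"], path, company, file_missing)


def assess(entry: Autorun) -> Autorun:
    """Attach a reason for every heuristic the entry trips; no reasons means it looks benign."""
    lowered = entry.path.lower()
    if GUID_RE.match(entry.name):
        entry.reasons.append("value name is a bare GUID (random-name autorun pattern)")
    if any(marker in lowered for marker in USER_WRITABLE):
        entry.reasons.append("binary lives in a user-writable profile directory")
    if entry.file_missing:
        entry.reasons.append("target file not found (orphaned value, clean it up)")
    elif entry.company is None:
        entry.reasons.append("no publisher/company name on the binary")
    return entry


def triage(log_text: str) -> List[Autorun]:
    """Parse and assess every O4 registry autorun in an OTL log, in log order."""
    entries = (parse_o4(line) for line in log_text.splitlines())
    return [assess(e) for e in entries if e is not None]


def suspicious_names(log_text: str) -> List[str]:
    return [e.name for e in triage(log_text) if e.suspicious]


if __name__ == "__main__":
    for e in triage(SAMPLE_OTL_O4):
        flag = "SUSPECT" if e.suspicious else "ok     "
        print(f"{flag} {e.hive}..\\{e.key} [{e.name}] -> {e.path}")
        for r in e.reasons:
            print(f"          - {r}")
```

Run as written, the GUID entry comes back with all three flags while Alcmtr, Advanced SystemCare and Yahoo! Messenger pass. ISTray is flagged only for a missing target; that is the leftover tray application of the PC Tools product the user installed, which is why the file-not-found hint is not enough on its own. Corroboration for the real hit is elsewhere in the same log: the "Files/Folders - Created Within 30 Days" section shows Application Data\Ehet and Application Data\Gaol created within the same second on 2010/12/22, the day after the first post. The script only understands the registry O4 form; the "O4 - Startup:" shortcut lines are skipped.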


#5 commonalias
  • Topic Starter
  • Members
  • 38 posts
  • Gender:Male
  • Location:Ft. Lauderdale, Florida

Posted 30 December 2010 - 02:15 PM

OTL logfile created on: 12/30/2010 10:19:55 AM - Run 3
OTL by OldTimer - Version 3.2.18.2 Folder = C:\Documents and Settings\user\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 0.00 Gb Available Physical Memory | 10.00% Memory free
3.00 Gb Paging File | 1.00 Gb Available in Paging File | 44.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 232.88 Gb Total Space | 182.42 Gb Free Space | 78.33% Space Free | Partition Type: NTFS

Computer Name: 62ECCB2B65314A8 | User Name: user | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2010/12/30 09:55:37 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\user\Desktop\OTL.exe
PRC - [2010/12/16 16:19:34 | 002,402,512 | ---- | M] (IObit) -- C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
PRC - [2010/11/05 17:53:56 | 000,327,000 | ---- | M] (Enigma Software Group USA, LLC.) -- C:\Program Files\Enigma Software Group\SpyHunter\SH4Service.exe
PRC - [2010/10/16 00:40:40 | 000,037,664 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
PRC - [2010/09/29 16:00:56 | 001,145,304 | ---- | M] (PC Tools) -- C:\Program Files\PC Tools Security\pctsSvc.exe
PRC - [2010/09/24 12:19:06 | 000,235,472 | ---- | M] (Threat Expert Ltd.) -- C:\Program Files\PC Tools Security\BDT\BDTUpdateService.exe
PRC - [2010/09/17 20:14:22 | 000,460,144 | ---- | M] () -- C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
PRC - [2010/08/26 12:39:46 | 000,070,928 | ---- | M] (PC Tools) -- C:\Program Files\PC Tools Security\TFEngine\TFService.exe
PRC - [2010/07/30 16:42:12 | 004,753,208 | ---- | M] (Yahoo! Inc.) -- C:\Documents and Settings\user\Local Settings\Application Data\Yahoo!\BrowserPlus\2.9.8\BrowserPlusCore.exe
PRC - [2010/06/11 18:14:22 | 000,312,152 | ---- | M] (IObit) -- C:\Program Files\IObit\IObit Security 360\is360srv.exe
PRC - [2010/03/25 20:40:44 | 000,017,904 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
PRC - [2010/03/15 14:02:36 | 000,366,840 | ---- | M] (PC Tools) -- C:\Program Files\PC Tools Security\pctsAuxs.exe
PRC - [2009/10/14 13:32:46 | 009,085,760 | ---- | M] (Western Digital) -- C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe
PRC - [2009/10/14 13:32:46 | 002,049,344 | ---- | M] (WDC) -- C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
PRC - [2009/10/14 13:31:02 | 000,098,304 | ---- | M] (WDC) -- C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
PRC - [2009/06/16 08:58:08 | 000,020,480 | ---- | M] (Memeo) -- C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe
PRC - [2008/11/09 15:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
PRC - [2008/04/14 07:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (SafeList) ==========

MOD - [2010/12/30 09:55:37 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\user\Desktop\OTL.exe
MOD - [2010/08/26 12:39:46 | 000,406,800 | ---- | M] (PC Tools) -- C:\Program Files\PC Tools Security\TFEngine\TFWAH.dll
MOD - [2010/08/23 11:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
MOD - [2010/08/04 13:19:26 | 000,157,768 | ---- | M] (PC Tools) -- C:\Program Files\PC Tools Security\smum32.dll
MOD - [2010/08/04 13:19:26 | 000,150,576 | ---- | M] (PC Tools) -- C:\Program Files\PC Tools Security\PCTGMhk.dll
MOD - [2009/07/12 00:12:06 | 000,632,656 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcr80.dll
MOD - [2009/07/11 19:41:02 | 000,097,280 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_473666fd\ATL80.dll
MOD - [2008/04/14 07:00:00 | 000,208,384 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\rsaenh.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/11/05 17:53:56 | 000,327,000 | ---- | M] (Enigma Software Group USA, LLC.) [Auto | Running] -- C:\Program Files\Enigma Software Group\SpyHunter\SH4Service.exe -- (SpyHunter 4 Service)
SRV - [2010/10/16 00:40:40 | 000,037,664 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2010/09/29 16:00:56 | 001,145,304 | ---- | M] (PC Tools) [Auto | Running] -- C:\Program Files\PC Tools Security\pctsSvc.exe -- (sdCoreService)
SRV - [2010/09/24 12:19:06 | 000,235,472 | ---- | M] (Threat Expert Ltd.) [Auto | Running] -- C:\Program Files\PC Tools Security\BDT\BDTUpdateService.exe -- (Browser Defender Update Service)
SRV - [2010/09/17 20:14:22 | 000,460,144 | ---- | M] () [Auto | Running] -- C:\Program Files\Flip Video\FlipShare\FlipShareService.exe -- (FlipShare Service)
SRV - [2010/08/26 12:39:46 | 000,070,928 | ---- | M] (PC Tools) [On_Demand | Running] -- C:\Program Files\PC Tools Security\TFEngine\TFService.exe -- (ThreatFire)
SRV - [2010/06/11 18:14:22 | 000,312,152 | ---- | M] (IObit) [Auto | Running] -- C:\Program Files\IObit\IObit Security 360\is360srv.exe -- (IS360service)
SRV - [2010/03/25 20:40:44 | 000,017,904 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe -- (MsMpSvc)
SRV - [2010/03/15 14:02:36 | 000,366,840 | ---- | M] (PC Tools) [Auto | Running] -- C:\Program Files\PC Tools Security\pctsAuxs.exe -- (sdAuxService)
SRV - [2009/10/14 13:31:02 | 000,098,304 | ---- | M] (WDC) [Auto | Running] -- C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe -- (WDDMService)
SRV - [2009/06/16 08:58:08 | 000,020,480 | ---- | M] (Memeo) [Auto | Running] -- C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe -- (WDSmartWareBackgroundService)
SRV - [2008/11/09 15:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)


========== Driver Services (SafeList) ==========

DRV - [2010/12/05 23:03:31 | 000,249,616 | ---- | M] (PC Tools) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\pctgntdi.sys -- (pctgntdi)
DRV - [2010/08/27 09:26:40 | 000,070,536 | ---- | M] (PC Tools) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pctplsg.sys -- (pctplsg)
DRV - [2010/08/26 12:39:46 | 000,068,880 | --S- | M] (PC Tools) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\TfSysMon.sys -- (TfSysMon)
DRV - [2010/08/26 12:39:46 | 000,051,984 | --S- | M] (PC Tools) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\TfFsMon.sys -- (TfFsMon)
DRV - [2010/08/26 12:39:46 | 000,033,552 | --S- | M] (PC Tools) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\TfNetMon.sys -- (TfNetMon)
DRV - [2010/08/18 13:51:26 | 000,237,632 | ---- | M] (PC Tools) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\PCTCore.sys -- (PCTCore)
DRV - [2010/07/16 14:59:54 | 000,656,320 | ---- | M] (PC Tools) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\pctEFA.sys -- (pctEFA)
DRV - [2010/07/16 14:59:54 | 000,338,880 | ---- | M] (PC Tools) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\pctDS.sys -- (pctDS)
DRV - [2010/02/02 23:10:32 | 000,030,880 | ---- | M] (Intel Corporation ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\iqvw32.sys -- (NAL)
DRV - [2010/01/27 17:10:44 | 000,005,248 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys -- (esgiguard)
DRV - [2009/02/13 11:02:52 | 000,011,520 | ---- | M] (Western Digital Technologies) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wdcsam.sys -- (WDC_SAM)
DRV - [2009/02/11 11:40:40 | 005,028,352 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2008/07/21 00:44:44 | 000,324,120 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\iastor.sys -- (iastor)
DRV - [2008/04/14 07:00:00 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008/04/13 23:16:24 | 000,015,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\MPE.sys -- (MPE)
DRV - [2008/04/13 23:16:22 | 000,048,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\61883.sys -- (61883)
DRV - [2008/04/13 23:16:22 | 000,038,912 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\avc.sys -- (Avc)
DRV - [2008/04/13 23:16:10 | 000,051,200 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\msdv.sys -- (MSDV)
DRV - [2007/06/11 12:49:22 | 000,968,064 | ---- | M] (Hauppauge Computer Works) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HCW85BDA.sys -- (HCW85BDA)
DRV - [2007/04/16 20:16:26 | 005,760,096 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\igxpmp32.sys -- (ialm)
DRV - [2004/12/15 14:18:32 | 000,220,928 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys -- (HSFHWBS2)
DRV - [2004/12/15 14:18:28 | 000,703,232 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2004/12/15 14:18:26 | 001,038,208 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)
DRV - [2001/08/17 11:11:18 | 000,020,160 | ---- | M] (ADMtek Incorporated) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ADM8511.SYS -- (ADM8511)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.my.yahoo.com/
IE - HKCU\..\URLSearchHook: {472734EA-242A-422b-ADF8-83D1E48CC825} - C:\Program Files\PC Tools Security\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

FF - HKLM\software\mozilla\Firefox\extensions\\{cb84136f-9c44-433a-9048-c5cd9df1dc16}: C:\Program Files\PC Tools Security\BDT\Firefox\ [2010/12/05 23:01:34 | 000,000,000 | ---D | M]

[2010/08/14 16:35:52 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\user\Application Data\Mozilla\Extensions
[2010/08/14 16:35:52 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\user\Application Data\Mozilla\Extensions\mozswing@mozswing.org

O1 HOSTS File: ([2008/04/14 07:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (PC Tools Browser Guard BHO) - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\PC Tools Security\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (PC Tools Browser Guard) - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\PC Tools Security\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (PC Tools Browser Guard) - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\PC Tools Security\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\ALCMTR.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [ISTray] C:\Program Files\PC Tools Security\pctsGui.exe File not found
O4 - HKCU..\Run: [{1355DCC1-766C-B33E-885D-85C236A1B6CE}] C:\Documents and Settings\user\Application Data\Ehet\uhlov.exe File not found
O4 - HKCU..\Run: [Advanced SystemCare 3] C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe (IObit)
O4 - HKCU..\Run: [Messenger (Yahoo!)] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WDDMStatus.lnk = C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe (WDC)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WDSmartWare.lnk = C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe (Western Digital)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000025 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab (Windows Live Safety Center Base Module)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1278447772640 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Value error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/07/06 15:12:40 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{90fd65ec-8eb4-11df-ad16-001a92de59a9}\Shell - "" = AutoRun
O33 - MountPoints2\{90fd65ec-8eb4-11df-ad16-001a92de59a9}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{90fd65ec-8eb4-11df-ad16-001a92de59a9}\Shell\AutoRun\command - "" = I:\WD SmartWare.exe -- File not found
O33 - MountPoints2\{db983dbe-979e-11df-ad25-001a92de59a9}\Shell\AutoRun\command - "" = I:\Setup_FlipShare.exe -- File not found
O33 - MountPoints2\{db983dbe-979e-11df-ad25-001a92de59a9}\Shell\Setup FlipShare\command - "" = I:\Setup_FlipShare.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/12/30 09:55:32 | 000,602,624 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\user\Desktop\OTL.exe
[2010/12/25 17:48:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Desktop\iPhone Music
[2010/12/22 21:52:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Application Data\Gaol
[2010/12/22 21:52:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Application Data\Ehet
[2010/12/21 19:34:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Desktop\gmer
[2010/12/21 19:05:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Application Data\Malwarebytes
[2010/12/21 18:28:18 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/12/21 18:28:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/12/21 18:28:15 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/12/21 18:28:15 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/12/21 18:18:50 | 000,000,000 | ---D | C] -- C:\WINDOWS\CSC
[2010/12/21 17:56:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\IObit
[2010/12/21 17:54:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Application Data\IObit
[2010/12/21 17:54:53 | 000,000,000 | ---D | C] -- C:\Program Files\IObit
[2010/12/18 10:52:21 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2010/12/18 10:49:37 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2010/12/18 01:10:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Apple Computer
[2010/12/17 21:21:24 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Live Safety Center
[2010/12/14 19:57:24 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\%APPDATA%
[2010/12/12 23:02:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Sun
[2010/12/12 22:58:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2010/12/12 22:58:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2010/12/12 21:59:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\WinZip
[2010/12/12 09:14:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple Computer
[2010/12/07 20:53:10 | 000,000,000 | ---D | C] -- C:\sh4ldr
[2010/12/07 20:53:10 | 000,000,000 | ---D | C] -- C:\Program Files\Enigma Software Group
[2010/12/07 20:51:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\3636C9237AD64DE3978A09609AEE8ECF.TMP
[2010/12/07 20:51:21 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2010/12/06 18:38:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Apple Computer
[2010/12/05 23:10:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Local Settings\Application Data\Threat Expert
[2010/12/05 23:03:31 | 000,249,616 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\pctgntdi.sys
[2010/12/05 23:01:19 | 000,149,456 | ---- | C] (PC Tools) -- C:\WINDOWS\SGDetectionTool.dll
[2010/12/05 23:01:16 | 001,914,832 | ---- | C] (Threat Expert Ltd.) -- C:\WINDOWS\PCTBDCore.dll
[2010/12/05 23:01:16 | 000,743,376 | ---- | C] (Threat Expert Ltd.) -- C:\WINDOWS\PCTBDRes.dll
[2010/12/05 23:01:11 | 000,068,880 | --S- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\TfSysMon.sys
[2010/12/05 23:01:11 | 000,051,984 | --S- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\TfFsMon.sys
[2010/12/05 23:01:11 | 000,033,552 | --S- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\TfNetMon.sys
[2010/12/05 22:47:10 | 000,656,320 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\pctEFA.sys
[2010/12/05 22:47:10 | 000,338,880 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\pctDS.sys
[2010/12/05 22:46:48 | 000,237,632 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\PCTCore.sys
[2010/12/05 22:46:48 | 000,159,936 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\PCTAppEvent.sys
[2010/12/05 22:46:32 | 000,087,400 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\pctNdis-PacketFilter.sys
[2010/12/05 22:46:32 | 000,031,960 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\pctNdis-DNS.sys
[2010/12/05 22:46:31 | 000,123,712 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\pctplfw.sys
[2010/12/05 22:46:24 | 000,070,536 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\pctplsg.sys
[2010/12/05 22:45:21 | 000,000,000 | ---D | C] -- C:\Program Files\PC Tools Security
[2010/12/05 22:45:21 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\PC Tools
[2010/12/05 22:45:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Application Data\PC Tools
[2010/12/05 22:45:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/12/05 22:42:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PC Tools
[2010/11/30 20:22:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/12/30 10:04:15 | 000,133,632 | ---- | M] () -- C:\Documents and Settings\user\Desktop\RKUnhookerLE.EXE
[2010/12/30 09:55:37 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\user\Desktop\OTL.exe
[2010/12/30 09:47:17 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/12/30 09:45:42 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/12/28 00:33:53 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/12/25 13:18:13 | 000,000,392 | ---- | M] () -- C:\WINDOWS\tasks\SpyHunter4.job
[2010/12/24 08:43:48 | 000,000,375 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.ics
[2010/12/22 21:16:10 | 000,001,976 | ---- | M] () -- C:\Documents and Settings\user\Desktop\SpyHunter.lnk
[2010/12/22 21:16:10 | 000,000,827 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Microsoft Security Essentials.lnk
[2010/12/22 21:15:08 | 001,754,275 | ---- | M] () -- C:\Documents and Settings\user\Desktop\attachments_2010_12_22.zip
[2010/12/21 20:01:19 | 000,058,947 | ---- | M] () -- C:\Documents and Settings\user\Desktop\ark.zip
[2010/12/21 19:33:42 | 000,288,107 | ---- | M] () -- C:\Documents and Settings\user\Desktop\gmer.zip
[2010/12/21 19:24:04 | 000,624,128 | ---- | M] () -- C:\Documents and Settings\user\Desktop\dds.scr
[2010/12/21 18:28:18 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/12/21 18:23:58 | 000,000,112 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\qA5TkdQ2.dat
[2010/12/21 17:56:04 | 000,000,733 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\IObit Security 360.lnk
[2010/12/21 17:56:04 | 000,000,150 | ---- | M] () -- C:\Documents and Settings\user\Desktop\IObit Freeware.url
[2010/12/21 17:55:01 | 000,000,874 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Advanced SystemCare.lnk
[2010/12/18 10:53:18 | 000,001,542 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/12/14 21:22:48 | 000,014,848 | ---- | M] () -- C:\Documents and Settings\user\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/12/14 19:56:48 | 000,001,072 | ---- | M] () -- C:\WINDOWS\System32\Improve Your PC.lnk
[2010/12/12 12:17:04 | 000,002,515 | ---- | M] () -- C:\Documents and Settings\user\Desktop\Word.lnk
[2010/12/05 23:03:31 | 000,249,616 | ---- | M] (PC Tools) -- C:\WINDOWS\System32\drivers\pctgntdi.sys
[2010/12/05 22:47:15 | 000,565,894 | ---- | M] () -- C:\WINDOWS\System32\drivers\Cat.DB
[2010/11/30 11:22:20 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/11/30 11:22:06 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/12/30 10:04:13 | 000,133,632 | ---- | C] () -- C:\Documents and Settings\user\Desktop\RKUnhookerLE.EXE
[2010/12/25 13:18:12 | 000,000,392 | ---- | C] () -- C:\WINDOWS\tasks\SpyHunter4.job
[2010/12/22 21:15:02 | 001,754,275 | ---- | C] () -- C:\Documents and Settings\user\Desktop\attachments_2010_12_22.zip
[2010/12/21 20:01:19 | 000,058,947 | ---- | C] () -- C:\Documents and Settings\user\Desktop\ark.zip
[2010/12/21 19:33:39 | 000,288,107 | ---- | C] () -- C:\Documents and Settings\user\Desktop\gmer.zip
[2010/12/21 19:23:56 | 000,624,128 | ---- | C] () -- C:\Documents and Settings\user\Desktop\dds.scr
[2010/12/21 18:28:18 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/12/21 18:23:58 | 000,000,112 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\qA5TkdQ2.dat
[2010/12/21 17:56:04 | 000,000,733 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\IObit Security 360.lnk
[2010/12/21 17:56:04 | 000,000,150 | ---- | C] () -- C:\Documents and Settings\user\Desktop\IObit Freeware.url
[2010/12/21 17:55:01 | 000,000,874 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Advanced SystemCare.lnk
[2010/12/18 10:53:18 | 000,001,542 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/12/14 19:56:48 | 000,001,072 | ---- | C] () -- C:\WINDOWS\System32\Improve Your PC.lnk
[2010/12/07 20:53:15 | 000,001,976 | ---- | C] () -- C:\Documents and Settings\user\Desktop\SpyHunter.lnk
[2010/12/05 23:01:20 | 000,767,952 | ---- | C] () -- C:\WINDOWS\BDTSupport.dll
[2010/12/05 23:01:19 | 000,000,882 | ---- | C] () -- C:\WINDOWS\RegSDImport.xml
[2010/12/05 23:01:19 | 000,000,879 | ---- | C] () -- C:\WINDOWS\RegISSImport.xml
[2010/12/05 23:01:19 | 000,000,131 | ---- | C] () -- C:\WINDOWS\IDB.zip
[2010/12/05 23:01:18 | 000,002,052 | ---- | C] () -- C:\WINDOWS\UDB.zip
[2010/12/05 22:47:10 | 000,565,894 | ---- | C] () -- C:\WINDOWS\System32\drivers\Cat.DB
[2010/07/13 15:41:12 | 000,014,848 | ---- | C] () -- C:\Documents and Settings\user\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/07/06 15:45:21 | 000,000,188 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2010/07/06 15:42:19 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4820.dll
[2010/07/06 15:31:18 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\PsisDecd.dll
[2010/07/06 11:05:25 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2009/08/03 14:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2008/02/05 12:28:20 | 000,000,051 | ---- | C] () -- C:\Documents and Settings\user\Local Settings\Application Data\setup.txt
[2006/07/21 17:50:34 | 000,066,048 | ---- | C] () -- C:\WINDOWS\System32\hcwxds.dll

========== LOP Check ==========

[2010/10/10 16:53:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Flip Video
[2010/12/27 23:42:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\IObit
[2010/12/30 10:09:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/09/06 16:05:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WD_SmartWareCommon
[2010/07/13 14:30:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Western Digital
[2010/12/18 10:32:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZip
[2010/07/14 21:50:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2010/11/06 00:54:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\BabylonToolbar
[2010/12/25 13:03:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\Ehet
[2010/12/22 22:13:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\Gaol
[2010/09/05 10:22:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\ImgBurn
[2010/12/21 17:56:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\IObit
[2010/07/13 15:02:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\SumatraPDF
[2010/11/08 18:50:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\VirtualStore
[2010/07/13 14:30:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\Western Digital
[2010/12/25 13:18:13 | 000,000,392 | ---- | M] () -- C:\WINDOWS\Tasks\SpyHunter4.job

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 205 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 102 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:430C6D84

< End of report >

OTL Extras logfile created on: 12/30/2010 9:55:57 AM - Run 1
OTL by OldTimer - Version 3.2.18.2 Folder = C:\Documents and Settings\user\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 37.00% Memory free
3.00 Gb Paging File | 2.00 Gb Available in Paging File | 62.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 232.88 Gb Total Space | 182.46 Gb Free Space | 78.35% Space Free | Partition Type: NTFS

Computer Name: 62ECCB2B65314A8 | User Name: user | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htafile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\WINDOWS\explorer.exe" = C:\WINDOWS\explorer.exe:*:Enabled:Windows Explorer -- (Microsoft Corporation)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{20ACB2F8-3BCA-45A8-80A2-9D3CB5C25F43}" = Safari
"{26A24AE4-039D-4CA4-87B4-2F83216018FF}" = Java™ 6 Update 22
"{2A981294-F14C-4F0F-9627-D793270922F8}" = Bonjour
"{308B6AEA-DE50-4666-996D-0FA461719D6B}" = Apple Mobile Device Support
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3636C923-7AD6-4DE3-978A-09609AEE8ECF}" = SpyHunter
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
"{67D15B01-9A6B-0397-002A-D2A015212748}" = FlipShare
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{7AAA00C4-26E6-4EC0-8069-955B0A9D6009}" = Intel® Network Connections 15.2.89.0
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{881F5DE8-9367-4B81-A325-E91BBC6472F9}" = iTunes
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISE_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{AC76BA86-7AD7-1033-7B44-A94000000001}" = Adobe Reader 9.4.1
"{B194272D-1F92-46DF-99EB-8D5CE91CB4EC}" = Adobe AIR
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C41300B9-185D-475E-BFEC-39EF732F19B1}" = Apple Software Update
"{CD0DC280-2489-4464-A2FC-16104676394A}" = WD SmartWare
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{E62A1F01-07B7-4541-A835-EE5B0BF064C2}" = Microsoft Antimalware
"{EE6097DD-05F4-4178-9719-D3170BF098E8}" = Apple Application Support
"{EF98A02A-1748-4762-9B7D-5ED1600520D5}" = Microsoft Security Essentials
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Advanced SystemCare 3_is1" = Advanced SystemCare 3
"Browser Defender_is1" = Browser Defender 3.0
"CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200C14F1" = Data Fax SoftModem with SmartCP
"DVD Flick_is1" = DVD Flick 1.3.0.7
"ENTERPRISE" = Microsoft Office Enterprise 2007
"HDMI" = Intel® Graphics Media Accelerator Driver
"ie8" = Windows Internet Explorer 8
"ImgBurn" = ImgBurn
"IObit Security 360_is1" = IObit Security 360
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft Security Essentials" = Microsoft Security Essentials
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"Spyware Doctor" = Spyware Doctor 8.0
"Windows Live OneCare safety scanner" = Windows Live OneCare safety scanner
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Yahoo! Messenger" = Yahoo! Messenger
"Yahoo! Software Update" = Yahoo! Software Update

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Yahoo! BrowserPlus" = Yahoo! BrowserPlus 2.9.8

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 12/25/2010 5:31:37 PM | Computer Name = 62ECCB2B65314A8 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The connection with the server was terminated abnormally

Error - 12/25/2010 5:31:38 PM | Computer Name = 62ECCB2B65314A8 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 12/26/2010 5:20:48 PM | Computer Name = 62ECCB2B65314A8 | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 80072efe, P2 endsearch, P3 search, P4 2.1.6805.0,
P5 mpsigdwn.dll, P6 2.1.6805.0, P7 microsoft antimalware (bcf43643-a118-4432-aede-d861fcbcfcde),
P8 NIL, P9 NIL, P10 NIL.

Error - 12/27/2010 6:19:55 PM | Computer Name = 62ECCB2B65314A8 | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 80072efe, P2 endsearch, P3 search, P4 2.1.6805.0,
P5 mpsigdwn.dll, P6 2.1.6805.0, P7 microsoft antimalware (bcf43643-a118-4432-aede-d861fcbcfcde),
P8 NIL, P9 NIL, P10 NIL.

Error - 12/27/2010 11:53:55 PM | Computer Name = 62ECCB2B65314A8 | Source = crypt32 | ID = 131077
Description = Failed auto update retrieval of third-party root certificate from:
<http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/74F8A3C3EFE7B390064B83903C21646020E5DFCE.crt>
with error: The connection with the server was terminated abnormally

Error - 12/27/2010 11:53:55 PM | Computer Name = 62ECCB2B65314A8 | Source = crypt32 | ID = 131077
Description = Failed auto update retrieval of third-party root certificate from:
<http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/74F8A3C3EFE7B390064B83903C21646020E5DFCE.crt>
with error: This network connection does not exist.

Error - 12/27/2010 11:53:55 PM | Computer Name = 62ECCB2B65314A8 | Source = crypt32 | ID = 131077
Description = Failed auto update retrieval of third-party root certificate from:
<http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/74F8A3C3EFE7B390064B83903C21646020E5DFCE.crt>
with error: This network connection does not exist.

Error - 12/27/2010 11:53:55 PM | Computer Name = 62ECCB2B65314A8 | Source = crypt32 | ID = 131077
Description = Failed auto update retrieval of third-party root certificate from:
<http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/74F8A3C3EFE7B390064B83903C21646020E5DFCE.crt>
with error: This network connection does not exist.

Error - 12/28/2010 12:07:33 AM | Computer Name = 62ECCB2B65314A8 | Source = Application Error | ID = 1000
Description = Faulting application browserplusservice.exe, version 1.0.0.0, faulting
module browserplusservice.exe, version 1.0.0.0, fault address 0x0016933e.

Error - 12/30/2010 10:56:34 AM | Computer Name = 62ECCB2B65314A8 | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 80072efe, P2 endsearch, P3 search, P4 2.1.6805.0,
P5 mpsigdwn.dll, P6 2.1.6805.0, P7 microsoft antimalware (bcf43643-a118-4432-aede-d861fcbcfcde),
P8 NIL, P9 NIL, P10 NIL.

[ System Events ]
Error - 12/25/2010 1:35:02 PM | Computer Name = 62ECCB2B65314A8 | Source = Microsoft Antimalware | ID = 1008
Description = %%861 has encountered an error when taking action on spyware or other
potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Wimpixo.E&threatid=2147638595

User:
NT AUTHORITY\SYSTEM Name: Trojan:Win32/Wimpixo.E ID: 2147638595 Severity: Severe Category:
Trojan Path: Action: %%808 Error Code: 0x80508023 Error description: The program could
not find the spyware and other potentially unwanted software on this computer.
Status: Signature Version: AV: 1.95.2271.0, AS: 1.95.2271.0 Engine Version: 1.1.6402.0

Error - 12/25/2010 1:45:06 PM | Computer Name = 62ECCB2B65314A8 | Source = Microsoft Antimalware | ID = 1008
Description = %%861 has encountered an error when taking action on spyware or other
potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Wimpixo.E&threatid=2147638595

User:
NT AUTHORITY\SYSTEM Name: Trojan:Win32/Wimpixo.E ID: 2147638595 Severity: Severe Category:
Trojan Path: Action: %%808 Error Code: 0x80508023 Error description: The program could
not find the spyware and other potentially unwanted software on this computer.
Status: Signature Version: AV: 1.95.2271.0, AS: 1.95.2271.0 Engine Version: 1.1.6402.0

Error - 12/25/2010 1:58:48 PM | Computer Name = 62ECCB2B65314A8 | Source = Microsoft Antimalware | ID = 1008
Description = %%861 has encountered an error when taking action on spyware or other
potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Wimpixo.E&threatid=2147638595

User:
NT AUTHORITY\SYSTEM Name: Trojan:Win32/Wimpixo.E ID: 2147638595 Severity: Severe Category:
Trojan Path: Action: %%808 Error Code: 0x80508023 Error description: The program could
not find the spyware and other potentially unwanted software on this computer.
Status: Signature Version: AV: 1.95.2271.0, AS: 1.95.2271.0 Engine Version: 1.1.6402.0

Error - 12/25/2010 11:03:39 PM | Computer Name = 62ECCB2B65314A8 | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.

Error - 12/26/2010 5:20:47 PM | Computer Name = 62ECCB2B65314A8 | Source = Microsoft Antimalware | ID = 2001
Description = %%861 has encountered an error trying to update signatures. New Signature
Version: Previous Signature Version: 1.95.2271.0 Update Source: %%859 Update Stage:
%%852 Source Path: http://www.microsoft.com Signature Type: %%800 Update Type: %%803

User:
NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6402.0 Error
code: 0x80072efe Error description: The connection with the server was terminated
abnormally

Error - 12/27/2010 6:19:55 PM | Computer Name = 62ECCB2B65314A8 | Source = Microsoft Antimalware | ID = 2001
Description = %%861 has encountered an error trying to update signatures. New Signature
Version: Previous Signature Version: 1.95.2271.0 Update Source: %%859 Update Stage:
%%852 Source Path: http://www.microsoft.com Signature Type: %%800 Update Type: %%803

User:
NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6402.0 Error
code: 0x80072efe Error description: The connection with the server was terminated
abnormally

Error - 12/27/2010 11:03:40 PM | Computer Name = 62ECCB2B65314A8 | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.

Error - 12/28/2010 12:12:03 AM | Computer Name = 62ECCB2B65314A8 | Source = Microsoft Antimalware | ID = 1008
Description = %%861 has encountered an error when taking action on spyware or other
potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Exploit:Java/CVE-2010-0840.W&threatid=2147641020

User:
NT AUTHORITY\SYSTEM Name: Exploit:Java/CVE-2010-0840.W ID: 2147641020 Severity: Severe

Category:
Exploit Path: Action: %%808 Error Code: 0x80508023 Error description: The program
could not find the spyware and other potentially unwanted software on this computer.
Status: Signature Version: AV: 1.95.2683.0, AS: 1.95.2683.0 Engine Version: 1.1.6402.0

Error - 12/30/2010 10:48:29 AM | Computer Name = 62ECCB2B65314A8 | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.

Error - 12/30/2010 10:56:32 AM | Computer Name = 62ECCB2B65314A8 | Source = Microsoft Antimalware | ID = 2001
Description = %%861 has encountered an error trying to update signatures. New Signature
Version: Previous Signature Version: 1.95.2683.0 Update Source: %%859 Update Stage:
%%852 Source Path: http://www.microsoft.com Signature Type: %%800 Update Type: %%803

User:
NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6402.0 Error
code: 0x80072efe Error description: The connection with the server was terminated
abnormally


< End of report >

Rootkit Unhooker:

After following the note about the fake warning ("Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?": click on Cancel, then Accept), I got an error: "Sorry, but unhandled exception has occurred. Program will be terminated."

#6 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 60,816 posts
  • Gender:Female
  • Location:Romania
  • Local time:03:29 PM

Posted 30 December 2010 - 02:53 PM

Hello again,

COMBOFIX
---------------
Please download ComboFix from one of these locations:
Bleepingcomputer
ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#7 commonalias

commonalias
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Ft. Lauderdale, Florida
  • Local time:07:29 AM

Posted 30 December 2010 - 06:35 PM

Thank you!


ComboFix 10-12-30.01 - user 12/30/2010 16:38:33.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1335 [GMT -5:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Enabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\test\Application Data\Ymxa
c:\documents and settings\test\Application Data\Ymxa\ytecd.exe
c:\documents and settings\user\Application Data\Ehet
c:\documents and settings\user\Application Data\Ehet\uhlov.exe
c:\windows\system32\Oeminfo.ini

.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
((((((((((((((((((((((((( Files Created from 2010-11-28 to 2010-12-30 )))))))))))))))))))))))))))))))
.

2010-12-30 21:49 . 2010-12-30 21:49 41680 ----a-w- c:\windows\system32\drivers\vqdtjvij.sys
2010-12-27 22:20 . 2010-11-10 04:33 6273872 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E624D6B8-460F-4822-A720-3A83E9A6BF3F}\mpengine.dll
2010-12-25 19:47 . 2010-12-25 19:47 -------- d-----w- c:\documents and settings\test
2010-12-23 02:52 . 2010-12-23 03:13 -------- d-----w- c:\documents and settings\user\Application Data\Gaol
2010-12-22 00:05 . 2010-12-22 00:05 -------- d-----w- c:\documents and settings\user\Application Data\Malwarebytes
2010-12-21 23:29 . 2010-12-21 23:29 -------- d-sh--w- c:\documents and settings\NetworkService\IECompatCache
2010-12-21 23:29 . 2010-12-21 23:29 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-12-21 23:28 . 2010-12-21 23:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-12-21 23:28 . 2010-11-30 16:22 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-21 23:28 . 2010-12-21 23:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-21 23:28 . 2010-11-30 16:22 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-21 23:18 . 2010-12-21 23:19 -------- d-----w- c:\documents and settings\Administrator
2010-12-21 22:56 . 2010-12-28 04:42 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2010-12-21 22:54 . 2010-12-21 22:56 -------- d-----w- c:\documents and settings\user\Application Data\IObit
2010-12-21 22:54 . 2010-12-28 04:46 -------- d-----w- c:\program files\IObit
2010-12-18 15:52 . 2010-12-18 15:52 -------- d-----w- c:\program files\iPod
2010-12-18 15:51 . 2010-12-25 23:13 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin7.dll
2010-12-18 15:51 . 2010-12-25 23:13 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin6.dll
2010-12-18 15:51 . 2010-12-25 23:13 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin5.dll
2010-12-18 15:51 . 2010-12-25 23:13 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin4.dll
2010-12-18 15:51 . 2010-12-25 23:13 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin3.dll
2010-12-18 15:51 . 2010-12-25 23:13 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin2.dll
2010-12-18 15:51 . 2010-12-25 23:13 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin.dll
2010-12-18 15:49 . 2010-12-18 15:49 -------- d-----w- c:\program files\Bonjour
2010-12-18 06:10 . 2010-12-18 06:10 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
2010-12-18 02:21 . 2010-12-18 14:21 -------- d-----w- c:\program files\Windows Live Safety Center
2010-12-15 00:57 . 2010-12-15 00:57 -------- d-----w- c:\windows\system32\%APPDATA%
2010-12-13 04:14 . 2010-12-13 04:14 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-12-13 02:59 . 2010-12-18 15:32 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2010-12-12 17:32 . 2010-12-12 17:32 0 ----a-w- c:\windows\system32\lsp133.tmp
2010-12-12 14:14 . 2010-12-18 06:10 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-12-08 01:53 . 2010-12-08 01:53 110080 ----a-r- c:\documents and settings\user\Application Data\Microsoft\Installer\{3636C923-7AD6-4DE3-978A-09609AEE8ECF}\IconF7A21AF7.exe
2010-12-08 01:53 . 2010-12-08 01:53 110080 ----a-r- c:\documents and settings\user\Application Data\Microsoft\Installer\{3636C923-7AD6-4DE3-978A-09609AEE8ECF}\IconD7F16134.exe
2010-12-08 01:53 . 2010-12-08 01:53 -------- d-----w- C:\sh4ldr
2010-12-08 01:53 . 2010-12-08 01:53 -------- d-----w- c:\program files\Enigma Software Group
2010-12-08 01:51 . 2010-12-08 01:53 -------- d-----w- c:\windows\3636C9237AD64DE3978A09609AEE8ECF.TMP
2010-12-08 01:51 . 2010-12-08 01:51 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-12-06 23:38 . 2010-12-06 23:38 -------- d-----w- c:\documents and settings\LocalService\Application Data\Apple Computer
2010-12-06 04:10 . 2010-12-06 04:10 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\Threat Expert
2010-12-06 04:03 . 2010-12-06 04:03 249616 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-12-06 04:01 . 2010-09-24 17:19 767952 ----a-w- c:\windows\BDTSupport.dll
2010-12-06 04:01 . 2010-09-24 17:19 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-12-06 04:01 . 2010-09-24 17:19 743376 ----a-w- c:\windows\PCTBDRes.dll
2010-12-06 04:01 . 2010-09-24 17:19 1914832 ----a-w- c:\windows\PCTBDCore.dll
2010-12-06 04:01 . 2010-08-26 17:39 68880 --s---w- c:\windows\system32\drivers\TfSysMon.sys
2010-12-06 04:01 . 2010-08-26 17:39 51984 --s---w- c:\windows\system32\drivers\TfFsMon.sys
2010-12-06 04:01 . 2010-08-26 17:39 33552 --s---w- c:\windows\system32\drivers\TfNetMon.sys
2010-12-06 03:47 . 2010-07-16 19:59 656320 ----a-w- c:\windows\system32\drivers\pctEFA.sys
2010-12-06 03:47 . 2010-07-16 19:59 338880 ----a-w- c:\windows\system32\drivers\pctDS.sys
2010-12-06 03:46 . 2010-09-30 13:58 159936 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-12-06 03:46 . 2010-08-18 18:51 237632 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-12-06 03:46 . 2010-09-03 17:28 87400 ----a-w- c:\windows\system32\drivers\pctNdis-PacketFilter.sys
2010-12-06 03:46 . 2010-08-10 22:58 31960 ----a-w- c:\windows\system32\drivers\pctNdis-DNS.sys
2010-12-06 03:46 . 2010-10-05 16:11 123712 ----a-w- c:\windows\system32\drivers\pctplfw.sys
2010-12-06 03:46 . 2010-08-27 14:26 70536 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-12-06 03:45 . 2010-12-30 21:37 -------- d-----w- c:\program files\PC Tools Security
2010-12-06 03:45 . 2010-12-06 03:52 -------- d-----w- c:\program files\Common Files\PC Tools
2010-12-06 03:45 . 2010-12-06 03:45 -------- d-----w- c:\documents and settings\user\Application Data\PC Tools
2010-12-06 03:45 . 2010-12-30 21:51 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-12-06 03:42 . 2010-12-06 04:01 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-12-01 01:22 . 2010-12-01 01:23 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-29 22:38 . 2010-11-29 22:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 22:38 . 2010-11-29 22:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-11-10 04:33 . 2010-07-12 19:17 6273872 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2010-10-19 20:51 . 2010-07-06 20:47 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-10-07 17:23 . 2010-10-07 17:23 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-10-07 17:23 . 2010-10-07 17:23 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2010-10-07 17:23 . 2010-10-07 17:23 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-10-07 17:23 . 2010-10-07 17:23 107808 ----a-w- c:\windows\system32\dns-sd.exe
.
<pre>
c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exe
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\Common Files\Microsoft Shared\DW\dwtrig20 .exe
c:\program files\Enigma Software Group\SpyHunter\SpyHunter4 .exe
c:\program files\IObit\IObit Security 360\IS360tray .exe
c:\program files\iTunes\iTunesHelper .exe
c:\program files\Microsoft Office\Office12\GrooveMonitor .exe
c:\program files\Microsoft Security Essentials\msseces .exe
c:\program files\PC Tools Security\pctsGui .exe
c:\program files\PC Tools Security\BDT\FGuard .exe
c:\program files\QuickTime\qttask .exe
</pre>

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2010-06-01 5252408]
"Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2010-12-16 2402512]
"{1355DCC1-766C-B33E-885D-85C236A1B6CE}"="c:\documents and settings\user\Application Data\Ehet\uhlov.exe" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2009-02-03 18085888]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-04-16 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-04-16 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-04-16 138008]
"ISTray"="c:\program files\PC Tools Security\pctsGui.exe" [N/A]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
nymui.exe [2010-12-22 167424]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
WDDMStatus.lnk - c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2009-10-14 2049344]
WDSmartWare.lnk - c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe [2009-10-14 9085760]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
vyqaxy.exe [2010-12-22 167424]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [12/5/2010 10:46 PM 237632]
R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [12/5/2010 10:47 PM 338880]
R0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA.sys [12/5/2010 10:47 PM 656320]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [12/5/2010 11:01 PM 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [12/5/2010 11:01 PM 68880]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [12/5/2010 11:03 PM 249616]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\PC Tools Security\BDT\BDTUpdateService.exe [12/5/2010 11:01 PM 235472]
R2 IS360service;IS360service;c:\program files\IObit\IObit Security 360\is360srv.exe [12/21/2010 5:55 PM 312152]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\PC Tools Security\pctsAuxs.exe [12/5/2010 10:46 PM 366840]
R2 SpyHunter 4 Service;SpyHunter 4 Service;c:\progra~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE [11/5/2010 5:53 PM 327000]
R2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [10/14/2009 1:31 PM 98304]
R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [6/16/2009 8:58 AM 20480]
R3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [12/5/2010 10:46 PM 70536]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [12/5/2010 11:01 PM 33552]
R3 ThreatFire;ThreatFire;c:\program files\PC Tools Security\TFEngine\TFService.exe service --> c:\program files\PC Tools Security\TFEngine\TFService.exe service [?]
S0 cerc6;cerc6; [x]
S1 vqdtjvij;vqdtjvij;c:\windows\system32\drivers\vqdtjvij.sys [12/30/2010 4:49 PM 41680]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [7/6/2010 3:22 PM 20160]
S3 esgiguard;esgiguard;c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [1/27/2010 5:10 PM 5248]
S3 HCW85BDA;Hauppauge WinTV 885 Video Capture;c:\windows\system32\drivers\HCW85BDA.sys [6/11/2007 12:49 PM 968064]
S3 Normandy;Normandy SR2; [x]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [7/13/2010 2:30 PM 11520]

--- Other Services/Drivers In Memory ---

*Deregistered* - PCTSDInjDriver32
.
Contents of the 'Scheduled Tasks' folder

2010-10-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.my.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-30 16:57
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d7,59,e0,61,4f,af,bd,4c,93,b6,98,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d7,59,e0,61,4f,af,bd,4c,93,b6,98,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(820)
c:\program files\PC Tools Security\TFEngine\TFWAH.dll
c:\program files\PC Tools Security\TFEngine\TFNI.dll
c:\program files\PC Tools Security\TFEngine\TFMon.dll
c:\program files\PC Tools Security\TFEngine\TFRK.dll

- - - - - - - > 'lsass.exe'(876)
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
c:\program files\PC Tools Security\TFEngine\TFWAH.dll
.
Completion time: 2010-12-30 17:06:25
ComboFix-quarantined-files.txt 2010-12-30 22:06

Pre-Run: 197,295,316,992 bytes free
Post-Run: 197,674,561,536 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 38B2916809C0B6153893FD14570ADBE5

#8 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,816 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:03:29 PM

Posted 31 December 2010 - 02:59 AM

Unfortunately you had a nasty rootkit on board. It's gone now, but please read the following first:

BACKDOOR WARNING
------------------------------
One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and cleaned, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


CF-SCRIPT
-------------
We need to execute a CF-script.
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:
RenV::
c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exe
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\Common Files\Microsoft Shared\DW\dwtrig20 .exe
c:\program files\Enigma Software Group\SpyHunter\SpyHunter4 .exe
c:\program files\IObit\IObit Security 360\IS360tray .exe
c:\program files\iTunes\iTunesHelper .exe
c:\program files\Microsoft Office\Office12\GrooveMonitor .exe
c:\program files\Microsoft Security Essentials\msseces .exe
c:\program files\PC Tools Security\pctsGui .exe
c:\program files\PC Tools Security\BDT\FGuard .exe
c:\program files\QuickTime\qttask .exe

Driver::
vqdtjvij

File::
c:\windows\system32\drivers\vqdtjvij.sys
c:\documents and settings\Administrator\Start Menu\Programs\Startup\nymui.exe 
c:\documents and settings\Default User\Start Menu\Programs\Startup\vyqaxy.exe
Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft
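Added example, not part of this thread and not ComboFix's or Elise's own code: a small Python triage script that reads the kinds of lines shown in the ComboFix log in post #7 and drafts the Driver:: / File:: sections of a CFScript in the layout Elise used in post #8. The sample lines are constructed from paths and values visible in this thread; the three heuristics it applies (a GUID-named Run value or an autostart binary under Application Data, a bare .exe placed directly in a Startup folder, and a driver created within a day of the scan whose service has no vendor display name) are this example's own assumptions about what a helper checks by eye, not rules ComboFix applies.

```python
"""Triage a ComboFix-style log and draft the Driver::/File:: parts of a CFScript.
Added example for this thread; not ComboFix's own code. The heuristics are this
example's assumptions about what a malware-removal helper looks for by eye."""
import re
from datetime import datetime, timedelta

# Constructed sample: lines modelled on the log in post #7 (paths and values as
# they appear there; the selection and ordering are mine).
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2010-11-28 to 2010-12-30 )))))))))))))))))))))))))))))))
2010-12-30 21:49 . 2010-12-30 21:49 41680 ----a-w- c:\windows\system32\drivers\vqdtjvij.sys
2010-12-21 23:28 . 2010-11-30 16:22 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-06 04:03 . 2010-12-06 04:03 249616 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2010-06-01 5252408]
"{1355DCC1-766C-B33E-885D-85C236A1B6CE}"="c:\documents and settings\user\Application Data\Ehet\uhlov.exe" [N/A]
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
nymui.exe [2010-12-22 167424]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
WDDMStatus.lnk - c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2009-10-14 2049344]
S1 vqdtjvij;vqdtjvij;c:\windows\system32\drivers\vqdtjvij.sys [12/30/2010 4:49 PM 41680]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [12/5/2010 11:03 PM 249616]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [12/5/2010 10:46 PM 237632]
"""

WINDOW_RE = re.compile(r"Files Created from \d{4}-\d{2}-\d{2} to (\d{4}-\d{2}-\d{2})")
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. \S+ \S+ \S+ \S+ (.+)$")
KEY_RE = re.compile(r"^\[(HK[^\]]+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]+)" \[')
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
STARTUP_DIR_RE = re.compile(r"^(.+\\Start Menu\\Programs\\Startup)\\$", re.I)
STARTUP_EXE_RE = re.compile(r"^([^\\ ]+\.exe) \[", re.I)
SERVICE_RE = re.compile(r"^[RS]\d ([^;]+);([^;]*);(.*?) \[")


def parse_log(text):
    """Pull out the line kinds the triage needs; everything else is ignored."""
    window_end, created, run_values, startup_exes, services = None, {}, [], [], []
    key = startup_dir = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := WINDOW_RE.search(line):            # "Files Created from A to B": B is the scan date
            window_end = datetime.strptime(m.group(1), "%Y-%m-%d")
        elif m := CREATED_RE.match(line):          # creation timestamp per file
            created[m.group(2).lower()] = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M")
        elif m := KEY_RE.match(line):              # registry key header
            key, startup_dir = m.group(1), None
        elif m := STARTUP_DIR_RE.match(line):      # Startup folder header
            startup_dir, key = m.group(1), None
        elif (m := VALUE_RE.match(line)) and key and key.lower().endswith("\\run"):
            run_values.append((m.group(1), m.group(2)))
        elif (m := STARTUP_EXE_RE.match(line)) and startup_dir:
            startup_exes.append(startup_dir + "\\" + m.group(1))
        elif m := SERVICE_RE.match(line):          # "R0 name;display;path [...]"
            services.append(m.groups())
    return window_end, created, run_values, startup_exes, services


def triage(text, fresh_days=1):
    """Return (section, value, reason) triples; section is the CFScript section to use."""
    window_end, created, run_values, startup_exes, services = parse_log(text)
    findings = []
    for name, path in run_values:
        reasons = []
        if GUID_RE.match(name):
            reasons.append("GUID-named Run value")
        if "\\application data\\" in path.lower():
            reasons.append("autostart binary under Application Data")
        if reasons:
            findings.append(("File", path, "; ".join(reasons)))
    for path in startup_exes:
        # Installers put .lnk shortcuts here; a bare .exe is worth a look.
        findings.append(("File", path, "bare .exe in a Startup folder"))
    for name, display, path in services:
        p = path.lower()
        if not p.endswith(".sys") or "\\drivers\\" not in p:
            continue
        born = created.get(p)
        fresh = bool(window_end and born and born >= window_end - timedelta(days=fresh_days))
        if fresh and display.lower() == name.lower():
            reason = f"driver created within {fresh_days} day(s) of the scan, no vendor display name"
            findings.append(("Driver", name, reason))
            findings.append(("File", path, reason))
    return findings


def build_cfscript(findings):
    """Lay out the Driver::/File:: sections the way the CF-script in post #8 does."""
    out = []
    for section in ("Driver", "File"):
        items = [value for sec, value, _ in findings if sec == section]
        if items:
            out += [section + "::", *items, ""]
    return "\n".join(out)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for section, value, reason in found:
        print(f"{section:6} {value}  <- {reason}")
    print(build_cfscript(found))
```

On the sample, the script flags exactly the items Elise listed by hand (the GUID-named Run value pointing at uhlov.exe, the bare nymui.exe in the Administrator Startup folder, and the vqdtjvij driver plus its .sys file) and leaves the PC Tools drivers alone, because they were created weeks before the scan. The output is a draft for the helper to read against the whole log before anything is fed to ComboFix; on a real log, call `triage(open("ComboFix.txt").read())`.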


#9 commonalias

commonalias
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Ft. Lauderdale, Florida
  • Local time:07:29 AM

Posted 31 December 2010 - 06:43 PM

Thank you so much Elise! That backdoor info was alarming. I went ahead with the cleanup. Have a wonderful 2011!!

====================================

ComboFix 10-12-31.01 - user 12/31/2010 16:14:14.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1002 [GMT -5:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\user\Desktop\CFScript.txt

FILE ::
"c:\documents and settings\Administrator\Start Menu\Programs\Startup\nymui.exe"
"c:\documents and settings\Default User\Start Menu\Programs\Startup\vyqaxy.exe"
"c:\windows\system32\drivers\vqdtjvij.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\user\Application Data\Ehet\uhlov.exe

.
((((((((((((((((((((((((( Files Created from 2010-11-28 to 2010-12-31 )))))))))))))))))))))))))))))))
.

2010-12-31 01:02 . 2010-12-31 01:02 -------- d-----w- c:\documents and settings\LocalService\Application Data\Flip Video
2010-12-25 19:47 . 2010-12-25 19:47 -------- d-----w- c:\documents and settings\test
2010-12-23 02:52 . 2010-12-23 03:13 -------- d-----w- c:\documents and settings\user\Application Data\Gaol
2010-12-22 00:05 . 2010-12-22 00:05 -------- d-----w- c:\documents and settings\user\Application Data\Malwarebytes
2010-12-21 23:29 . 2010-12-21 23:29 -------- d-sh--w- c:\documents and settings\NetworkService\IECompatCache
2010-12-21 23:29 . 2010-12-21 23:29 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-12-21 23:28 . 2010-12-21 23:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-12-21 23:28 . 2010-11-30 16:22 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-21 23:28 . 2010-12-21 23:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-21 23:28 . 2010-11-30 16:22 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-21 23:18 . 2010-12-21 23:19 -------- d-----w- c:\documents and settings\Administrator
2010-12-21 22:56 . 2010-12-28 04:42 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2010-12-21 22:54 . 2010-12-21 22:56 -------- d-----w- c:\documents and settings\user\Application Data\IObit
2010-12-21 22:54 . 2010-12-28 04:46 -------- d-----w- c:\program files\IObit
2010-12-18 15:52 . 2010-12-18 15:52 -------- d-----w- c:\program files\iPod
2010-12-18 15:51 . 2010-12-25 23:13 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin7.dll
2010-12-18 15:51 . 2010-12-25 23:13 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin6.dll
2010-12-18 15:51 . 2010-12-25 23:13 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin5.dll
2010-12-18 15:51 . 2010-12-25 23:13 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin4.dll
2010-12-18 15:51 . 2010-12-25 23:13 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin3.dll
2010-12-18 15:51 . 2010-12-25 23:13 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin2.dll
2010-12-18 15:51 . 2010-12-25 23:13 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin.dll
2010-12-18 15:49 . 2010-12-18 15:49 -------- d-----w- c:\program files\Bonjour
2010-12-18 06:10 . 2010-12-18 06:10 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
2010-12-18 02:21 . 2010-12-18 14:21 -------- d-----w- c:\program files\Windows Live Safety Center
2010-12-15 00:57 . 2010-12-15 00:57 -------- d-----w- c:\windows\system32\%APPDATA%
2010-12-13 04:14 . 2010-12-13 04:14 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-12-13 02:59 . 2010-12-18 15:32 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2010-12-12 17:32 . 2010-12-12 17:32 0 ----a-w- c:\windows\system32\lsp133.tmp
2010-12-12 14:14 . 2010-12-18 06:10 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-12-08 01:53 . 2010-12-08 01:53 110080 ----a-r- c:\documents and settings\user\Application Data\Microsoft\Installer\{3636C923-7AD6-4DE3-978A-09609AEE8ECF}\IconF7A21AF7.exe
2010-12-08 01:53 . 2010-12-08 01:53 110080 ----a-r- c:\documents and settings\user\Application Data\Microsoft\Installer\{3636C923-7AD6-4DE3-978A-09609AEE8ECF}\IconD7F16134.exe
2010-12-08 01:53 . 2010-12-08 01:53 -------- d-----w- C:\sh4ldr
2010-12-08 01:53 . 2010-12-08 01:53 -------- d-----w- c:\program files\Enigma Software Group
2010-12-08 01:51 . 2010-12-08 01:53 -------- d-----w- c:\windows\3636C9237AD64DE3978A09609AEE8ECF.TMP
2010-12-08 01:51 . 2010-12-08 01:51 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-12-06 23:38 . 2010-12-06 23:38 -------- d-----w- c:\documents and settings\LocalService\Application Data\Apple Computer
2010-12-06 04:10 . 2010-12-06 04:10 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\Threat Expert
2010-12-06 04:03 . 2010-12-06 04:03 249616 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-12-06 04:01 . 2010-09-24 17:19 767952 ----a-w- c:\windows\BDTSupport.dll
2010-12-06 04:01 . 2010-09-24 17:19 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-12-06 04:01 . 2010-09-24 17:19 743376 ----a-w- c:\windows\PCTBDRes.dll
2010-12-06 04:01 . 2010-09-24 17:19 1914832 ----a-w- c:\windows\PCTBDCore.dll
2010-12-06 03:47 . 2010-07-16 19:59 656320 ----a-w- c:\windows\system32\drivers\pctEFA.sys
2010-12-06 03:47 . 2010-07-16 19:59 338880 ----a-w- c:\windows\system32\drivers\pctDS.sys
2010-12-06 03:46 . 2010-09-30 13:58 159936 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-12-06 03:46 . 2010-08-18 18:51 237632 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-12-06 03:46 . 2010-09-03 17:28 87400 ----a-w- c:\windows\system32\drivers\pctNdis-PacketFilter.sys
2010-12-06 03:46 . 2010-08-10 22:58 31960 ----a-w- c:\windows\system32\drivers\pctNdis-DNS.sys
2010-12-06 03:46 . 2010-10-05 16:11 123712 ----a-w- c:\windows\system32\drivers\pctplfw.sys
2010-12-06 03:46 . 2010-08-27 14:26 70536 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-12-06 03:45 . 2010-12-31 22:04 -------- d-----w- c:\program files\PC Tools Security
2010-12-06 03:45 . 2010-12-06 03:52 -------- d-----w- c:\program files\Common Files\PC Tools
2010-12-06 03:45 . 2010-12-06 03:45 -------- d-----w- c:\documents and settings\user\Application Data\PC Tools
2010-12-06 03:45 . 2010-12-31 23:20 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-12-06 03:42 . 2010-12-06 04:01 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-29 22:38 . 2010-11-29 22:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 22:38 . 2010-11-29 22:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-10-19 20:51 . 2010-07-06 20:47 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-10-07 17:23 . 2010-10-07 17:23 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-10-07 17:23 . 2010-10-07 17:23 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2010-10-07 17:23 . 2010-10-07 17:23 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-10-07 17:23 . 2010-10-07 17:23 107808 ----a-w- c:\windows\system32\dns-sd.exe
.
<pre>
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
</pre>

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2010-06-01 5252408]
"Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2010-12-16 2402512]
"{1355DCC1-766C-B33E-885D-85C236A1B6CE}"="c:\documents and settings\user\Application Data\Ehet\uhlov.exe" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2009-02-03 18085888]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-04-16 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-04-16 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-04-16 138008]
"ISTray"="c:\program files\PC Tools Security\pctsGui.exe" [2010-09-29 1588184]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
WDDMStatus.lnk - c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2009-10-14 2049344]
WDSmartWare.lnk - c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe [2009-10-14 9085760]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"24726:TCP"= 24726:TCP:FlipShareServer
"24727:TCP"= 24727:TCP:FlipShareServer

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [12/5/2010 10:46 PM 237632]
R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [12/5/2010 10:47 PM 338880]
R0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA.sys [12/5/2010 10:47 PM 656320]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\PC Tools Security\BDT\BDTUpdateService.exe [12/5/2010 11:01 PM 235472]
R2 FlipShareServer;FlipShare Server;c:\program files\Flip Video\FlipShareServer\FlipShareServer.exe [12/15/2010 1:22 PM 1085440]
R2 IS360service;IS360service;c:\program files\IObit\IObit Security 360\is360srv.exe [12/21/2010 5:55 PM 312152]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\PC Tools Security\pctsAuxs.exe [12/5/2010 10:46 PM 366840]
R2 SpyHunter 4 Service;SpyHunter 4 Service;c:\progra~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE [11/5/2010 5:53 PM 327000]
R2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [10/14/2009 1:31 PM 98304]
R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [6/16/2009 8:58 AM 20480]
R4 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [12/5/2010 11:03 PM 249616]
R4 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [12/5/2010 10:46 PM 70536]
R4 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
R4 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
R4 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S0 cerc6;cerc6; [x]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [7/6/2010 3:22 PM 20160]
S3 esgiguard;esgiguard;c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [1/27/2010 5:10 PM 5248]
S3 HCW85BDA;Hauppauge WinTV 885 Video Capture;c:\windows\system32\drivers\HCW85BDA.sys [6/11/2007 12:49 PM 968064]
S3 Normandy;Normandy SR2; [x]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [7/13/2010 2:30 PM 11520]

--- Other Services/Drivers In Memory ---

*Deregistered* - PCTSDInjDriver32
.
Contents of the 'Scheduled Tasks' folder

2010-12-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.my.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-31 18:20
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d7,59,e0,61,4f,af,bd,4c,93,b6,98,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d7,59,e0,61,4f,af,bd,4c,93,b6,98,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(816)
c:\program files\PC Tools Security\TFEngine\TFMon.dll
c:\program files\PC Tools Security\TFEngine\TFRK.dll

- - - - - - - > 'lsass.exe'(872)
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll

- - - - - - - > 'explorer.exe'(516)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WS2_32.dll
c:\windows\system32\WS2HELP.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Flip Video\FlipShare\FlipShareService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\PC Tools Security\pctsSvc.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\igfxsrvc.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\Yahoo!\Messenger\ymsgr_tray.exe
c:\windows\system32\taskmgr.exe
.
**************************************************************************
.
Completion time: 2010-12-31 18:31:22 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-31 23:31
ComboFix2.txt 2010-12-30 22:06

Pre-Run: 197,385,482,240 bytes free
Post-Run: 197,686,185,984 bytes free

- - End Of File - - D4623E9AE18C31E0DBF9B49766D5E47D

#10 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 60,816 posts
  • Gender:Female
  • Location:Romania

Posted 01 January 2011 - 04:54 AM

Please let me know how things are running now.

Run the following as a CFScript and post me the new log.
RenV::
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#11 commonalias
  • Topic Starter
  • Members
  • 38 posts
  • Gender:Male
  • Location:Ft. Lauderdale, Florida

Posted 01 January 2011 - 06:11 PM

Hello Elise,

I dragged the new CFScript into ComboFix, but it stalled twice on the blue screen that said "Please wait." I waited 8 hours.

Everything seems to be like new. No popups, no fake virus alerts, etc. Thanks again. I'll await your final decision on what to do.

#12 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 60,816 posts
  • Gender:Female
  • Location:Romania

Posted 02 January 2011 - 02:10 AM

Can you please download a new copy of combofix and run it straight (without script)? I am asking because the file in the last script was infected and had to be replaced. I need to know if that is still there or not.

regards, Elise




#13 commonalias
  • Topic Starter
  • Members
  • 38 posts
  • Gender:Male
  • Location:Ft. Lauderdale, Florida

Posted 02 January 2011 - 09:23 AM

ComboFix 11-01-01.03 - user 01/02/2011 9:17.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1237 [GMT -5:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
AV: Norton Security Suite *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *Disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\user\Application Data\Ehet\uhlov.exe
.
---- Previous Run -------
.
c:\documents and settings\user\Application Data\Ehet\uhlov.exe

.
((((((((((((((((((((((((( Files Created from 2010-12-02 to 2011-01-02 )))))))))))))))))))))))))))))))
.

2011-01-01 23:53 . 2011-01-01 23:53 -------- d-----w- C:\N360_BACKUP
2011-01-01 15:12 . 2011-01-01 15:37 -------- d-----w- c:\program files\Common Files\Symantec Shared
2011-01-01 15:12 . 2011-01-01 15:12 -------- d-----w- c:\program files\Symantec
2011-01-01 15:12 . 2011-01-01 15:12 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-01-01 15:12 . 2011-01-01 15:12 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-12-31 01:02 . 2010-12-31 01:02 -------- d-----w- c:\documents and settings\LocalService\Application Data\Flip Video
2010-12-25 19:47 . 2010-12-25 19:47 -------- d-----w- c:\documents and settings\test
2010-12-23 02:52 . 2010-12-23 03:13 -------- d-----w- c:\documents and settings\user\Application Data\Gaol
2010-12-22 00:05 . 2010-12-22 00:05 -------- d-----w- c:\documents and settings\user\Application Data\Malwarebytes
2010-12-21 23:29 . 2010-12-21 23:29 -------- d-sh--w- c:\documents and settings\NetworkService\IECompatCache
2010-12-21 23:29 . 2010-12-21 23:29 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-12-21 23:28 . 2010-12-21 23:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-12-21 23:28 . 2010-11-30 16:22 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-21 23:28 . 2010-12-21 23:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-21 23:28 . 2010-11-30 16:22 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-21 23:18 . 2010-12-21 23:19 -------- d-----w- c:\documents and settings\Administrator
2010-12-21 22:56 . 2010-12-28 04:42 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2010-12-21 22:54 . 2010-12-21 22:56 -------- d-----w- c:\documents and settings\user\Application Data\IObit
2010-12-21 22:54 . 2010-12-28 04:46 -------- d-----w- c:\program files\IObit
2010-12-18 15:52 . 2010-12-18 15:52 -------- d-----w- c:\program files\iPod
2010-12-18 15:51 . 2010-12-25 23:13 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin7.dll
2010-12-18 15:51 . 2010-12-25 23:13 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin6.dll
2010-12-18 15:51 . 2010-12-25 23:13 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin5.dll
2010-12-18 15:51 . 2010-12-25 23:13 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin4.dll
2010-12-18 15:51 . 2010-12-25 23:13 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin3.dll
2010-12-18 15:51 . 2010-12-25 23:13 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin2.dll
2010-12-18 15:51 . 2010-12-25 23:13 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin.dll
2010-12-18 15:49 . 2010-12-18 15:49 -------- d-----w- c:\program files\Bonjour
2010-12-18 06:10 . 2010-12-18 06:10 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
2010-12-18 02:21 . 2010-12-18 14:21 -------- d-----w- c:\program files\Windows Live Safety Center
2010-12-15 00:57 . 2010-12-15 00:57 -------- d-----w- c:\windows\system32\%APPDATA%
2010-12-13 04:14 . 2010-12-13 04:14 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-12-13 02:59 . 2010-12-18 15:32 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2010-12-12 17:32 . 2010-12-12 17:32 0 ----a-w- c:\windows\system32\lsp133.tmp
2010-12-12 14:14 . 2010-12-18 06:10 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-12-08 01:53 . 2010-12-08 01:53 110080 ----a-r- c:\documents and settings\user\Application Data\Microsoft\Installer\{3636C923-7AD6-4DE3-978A-09609AEE8ECF}\IconF7A21AF7.exe
2010-12-08 01:53 . 2010-12-08 01:53 110080 ----a-r- c:\documents and settings\user\Application Data\Microsoft\Installer\{3636C923-7AD6-4DE3-978A-09609AEE8ECF}\IconD7F16134.exe
2010-12-08 01:53 . 2010-12-08 01:53 -------- d-----w- C:\sh4ldr
2010-12-08 01:53 . 2010-12-08 01:53 -------- d-----w- c:\program files\Enigma Software Group
2010-12-08 01:51 . 2010-12-08 01:53 -------- d-----w- c:\windows\3636C9237AD64DE3978A09609AEE8ECF.TMP
2010-12-08 01:51 . 2010-12-08 01:51 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-12-06 23:38 . 2010-12-06 23:38 -------- d-----w- c:\documents and settings\LocalService\Application Data\Apple Computer
2010-12-06 04:10 . 2010-12-06 04:10 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\Threat Expert
2010-12-06 04:03 . 2010-12-06 04:03 249616 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-12-06 03:45 . 2011-01-01 08:18 -------- d-----w- c:\program files\PC Tools Security
2010-12-06 03:45 . 2011-01-01 08:18 -------- d-----w- c:\program files\Common Files\PC Tools
2010-12-06 03:45 . 2010-12-31 23:45 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-12-06 03:42 . 2010-12-31 23:45 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-29 22:38 . 2010-11-29 22:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 22:38 . 2010-11-29 22:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-11-18 18:12 . 2010-07-06 20:09 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-02 15:17 . 2008-04-14 12:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2008-04-14 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2008-04-14 12:00 1853312 ----a-w- c:\windows\system32\win32k.sys
2010-10-19 20:51 . 2010-07-06 20:47 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-10-07 17:23 . 2010-10-07 17:23 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-10-07 17:23 . 2010-10-07 17:23 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2010-10-07 17:23 . 2010-10-07 17:23 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-10-07 17:23 . 2010-10-07 17:23 107808 ----a-w- c:\windows\system32\dns-sd.exe
.
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe

((((((((((((((((((((((((((((( SnapShot@2010-12-30_21.58.13 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-01-01 23:05 . 2011-01-01 23:05 16384 c:\windows\Temp\Perflib_Perfdata_e0c.dat
+ 2011-01-01 23:03 . 2011-01-01 23:03 16384 c:\windows\Temp\Perflib_Perfdata_52c.dat
- 2008-04-14 12:00 . 2010-06-21 14:46 46080 c:\windows\system32\tzchange.exe
+ 2008-04-14 12:00 . 2010-11-03 13:12 46080 c:\windows\system32\tzchange.exe
+ 2010-07-26 20:35 . 2009-05-26 11:40 17272 c:\windows\system32\spmsg.dll
- 2010-07-26 20:35 . 2010-02-22 14:23 17272 c:\windows\system32\spmsg.dll
+ 2010-11-04 01:14 . 2009-05-18 22:17 26600 c:\windows\system32\DRVSTORE\GEARAspiWD_3B7AACF0636A2C042EB7AD2AFF76D37B27BDD28C\x86\GEARAspiWDM.sys
- 2010-11-04 01:14 . 2009-05-18 17:17 26600 c:\windows\system32\DRVSTORE\GEARAspiWD_3B7AACF0636A2C042EB7AD2AFF76D37B27BDD28C\x86\GEARAspiWDM.sys
+ 2011-01-01 22:50 . 2010-04-22 02:29 43696 c:\windows\system32\drivers\N360\0403000.005\srtspx.sys
+ 2010-11-04 01:14 . 2009-05-18 22:17 26600 c:\windows\system32\drivers\GEARAspiWDM.sys
- 2010-11-04 01:14 . 2009-05-18 17:17 26600 c:\windows\system32\drivers\GEARAspiWDM.sys
+ 2010-07-06 20:09 . 2010-10-11 14:59 45568 c:\windows\system32\dllcache\wab.exe
+ 2008-04-14 12:00 . 2010-11-02 15:17 40960 c:\windows\system32\dllcache\ndproxy.sys
- 2010-07-06 20:09 . 2008-04-14 09:41 81920 c:\windows\system32\dllcache\isign32.dll
+ 2010-07-06 20:09 . 2010-11-18 18:12 81920 c:\windows\system32\dllcache\isign32.dll
+ 2010-07-06 20:50 . 2011-01-01 08:02 35088 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
- 2010-07-06 20:50 . 2010-11-11 01:53 35088 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
+ 2010-07-06 20:50 . 2011-01-01 08:02 18704 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
- 2010-07-06 20:50 . 2010-11-11 01:53 18704 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
- 2010-07-06 20:50 . 2010-11-11 01:53 20240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
+ 2010-07-06 20:50 . 2011-01-01 08:02 20240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
+ 2009-07-12 05:02 . 2009-07-12 05:02 159032 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_353599c2\atl90.dll
- 2010-11-04 01:14 . 2008-04-17 16:12 107368 c:\windows\system32\GEARAspi.dll
+ 2010-11-04 01:14 . 2008-04-17 21:12 107368 c:\windows\system32\GEARAspi.dll
+ 2010-07-06 16:04 . 2011-01-01 08:18 266208 c:\windows\system32\FNTCACHE.DAT
- 2010-07-06 16:04 . 2010-10-15 02:16 266208 c:\windows\system32\FNTCACHE.DAT
- 2010-11-04 01:14 . 2008-04-17 16:12 107368 c:\windows\system32\DRVSTORE\GEARAspiWD_3B7AACF0636A2C042EB7AD2AFF76D37B27BDD28C\x86\GEARAspi.dll
+ 2010-11-04 01:14 . 2008-04-17 21:12 107368 c:\windows\system32\DRVSTORE\GEARAspiWD_3B7AACF0636A2C042EB7AD2AFF76D37B27BDD28C\x86\GEARAspi.dll
+ 2011-01-01 22:50 . 2010-05-06 04:01 339504 c:\windows\system32\drivers\N360\0403000.005\symtdiv.sys
+ 2011-01-01 22:50 . 2010-05-06 04:01 361904 c:\windows\system32\drivers\N360\0403000.005\symtdi.sys
+ 2011-01-01 22:50 . 2010-04-22 03:02 173104 c:\windows\system32\drivers\N360\0403000.005\symefa.sys
+ 2011-01-01 22:50 . 2009-10-15 03:50 328752 c:\windows\system32\drivers\N360\0403000.005\symds.sys
+ 2011-01-01 22:50 . 2010-04-22 02:29 325680 c:\windows\system32\drivers\N360\0403000.005\srtsp.sys
+ 2011-01-01 22:50 . 2010-04-29 05:03 116784 c:\windows\system32\drivers\N360\0403000.005\ironx86.sys
+ 2011-01-01 22:50 . 2010-02-26 00:22 501888 c:\windows\system32\drivers\N360\0403000.005\cchpx86.sys
+ 2008-04-14 12:00 . 2010-10-28 13:13 290048 c:\windows\system32\dllcache\atmfd.dll
+ 2010-12-06 04:09 . 2011-01-01 15:40 262144 c:\windows\system32\config\systemprofile\ntuser.dat
+ 2010-12-31 01:02 . 2010-12-31 01:02 659456 c:\windows\Installer\bc296e.msi
+ 2011-01-01 08:02 . 2011-01-01 08:02 195584 c:\windows\Installer\240b8ef.msi
+ 2010-07-23 06:03 . 2010-07-23 06:03 338432 c:\windows\Installer\240b8d3.msp
+ 2010-07-06 20:50 . 2011-01-01 08:02 888080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
- 2010-07-06 20:50 . 2010-11-11 01:53 888080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
- 2010-07-06 20:50 . 2010-11-11 01:53 272648 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
+ 2010-07-06 20:50 . 2011-01-01 08:02 272648 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
+ 2010-07-06 20:50 . 2011-01-01 08:02 922384 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
- 2010-07-06 20:50 . 2010-11-11 01:53 922384 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
- 2010-07-06 20:50 . 2010-11-11 01:53 845584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
+ 2010-07-06 20:50 . 2011-01-01 08:02 845584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
+ 2010-07-06 20:50 . 2011-01-01 08:02 217864 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
- 2010-07-06 20:50 . 2010-11-11 01:53 217864 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
- 2010-07-06 20:50 . 2010-11-11 01:53 184080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
+ 2010-07-06 20:50 . 2011-01-01 08:02 184080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
+ 2010-07-06 20:50 . 2011-01-01 08:02 159504 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
- 2010-07-06 20:50 . 2010-11-11 01:53 159504 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
+ 2010-12-31 20:59 . 2010-12-31 20:59 897024 c:\windows\Installer\{6B9B0C6F-E5FA-4633-A640-AB98A272ECCA}\SafariIco.exe
+ 2008-11-04 08:13 . 2008-11-04 08:13 118128 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6425\MSCONV97.DLL
+ 2008-04-14 12:00 . 2010-10-26 13:25 1853312 c:\windows\system32\dllcache\win32k.sys
+ 2010-12-31 20:59 . 2010-12-31 20:59 3140608 c:\windows\Installer\5f742.msi
+ 2010-10-21 23:10 . 2010-10-21 23:10 3995136 c:\windows\Installer\240b908.msp
+ 2010-11-21 04:35 . 2010-11-21 04:35 3359744 c:\windows\Installer\240b8e9.msp
- 2010-07-06 20:50 . 2010-11-11 01:53 1172240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
+ 2010-07-06 20:50 . 2011-01-01 08:02 1172240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
+ 2010-07-06 20:50 . 2011-01-01 08:02 1165584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
- 2010-07-06 20:50 . 2010-11-11 01:53 1165584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
+ 2010-07-06 20:33 . 2011-01-01 08:00 37366216 c:\windows\system32\MRT.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2010-06-01 5252408]
"{1355DCC1-766C-B33E-885D-85C236A1B6CE}"="c:\documents and settings\user\Application Data\Ehet\uhlov.exe" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2009-02-03 18085888]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-04-16 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-04-16 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-04-16 138008]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
WDDMStatus.lnk - c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2009-10-14 2049344]
WDSmartWare.lnk - c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe [2009-10-14 9085760]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"24726:TCP"= 24726:TCP:FlipShareServer
"24727:TCP"= 24727:TCP:FlipShareServer

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0403000.005\symds.sys [1/1/2011 5:50 PM 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0403000.005\symefa.sys [1/1/2011 5:50 PM 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20101123.003\BHDrvx86.sys [11/23/2010 3:34 AM 691248]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0403000.005\cchpx86.sys [1/1/2011 5:50 PM 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0403000.005\ironx86.sys [1/1/2011 5:50 PM 116784]
R2 FlipShareServer;FlipShare Server;c:\program files\Flip Video\FlipShareServer\FlipShareServer.exe [12/15/2010 1:22 PM 1085440]
R2 IS360service;IS360service;c:\program files\IObit\IObit Security 360\is360srv.exe [12/21/2010 5:55 PM 312152]
R2 N360;Norton Security Suite;c:\program files\Norton Security Suite\Engine\4.3.0.5\ccsvchst.exe [1/1/2011 5:50 PM 126392]
R2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [10/14/2009 1:31 PM 98304]
R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [6/16/2009 8:58 AM 20480]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [1/1/2011 1:15 PM 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20101231.001\IDSXpx86.sys [1/1/2011 11:13 AM 341944]
S0 cerc6;cerc6; [x]
S2 SpyHunter 4 Service;SpyHunter 4 Service;c:\progra~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE [11/5/2010 5:53 PM 327000]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [7/6/2010 3:22 PM 20160]
S3 esgiguard;esgiguard;c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [1/27/2010 5:10 PM 5248]
S3 HCW85BDA;Hauppauge WinTV 885 Video Capture;c:\windows\system32\drivers\HCW85BDA.sys [6/11/2007 12:49 PM 968064]
S3 Normandy;Normandy SR2; [x]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [7/13/2010 2:30 PM 11520]
S4 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [12/5/2010 11:03 PM 249616]
.
Contents of the 'Scheduled Tasks' folder

2010-12-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.my.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-02 09:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton Security Suite\Engine\4.3.0.5\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\4.3.0.5\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d7,59,e0,61,4f,af,bd,4c,93,b6,98,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d7,59,e0,61,4f,af,bd,4c,93,b6,98,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(788)
c:\windows\system32\igfxdev.dll
.
Completion time: 2011-01-02 09:22:41
ComboFix-quarantined-files.txt 2011-01-02 14:22
ComboFix2.txt 2010-12-31 23:31
ComboFix3.txt 2010-12-30 22:06

Pre-Run: 163,803,688,960 bytes free
Post-Run: 163,783,335,936 bytes free

- - End Of File - - A4EDCE8C48CB2B7E0A6746E79B76C1CB

#14 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 60,816 posts
  • Gender:Female
  • Location:Romania

Posted 02 January 2011 - 10:03 AM

Well, the file is still there, so let's just delete it (it is not a necessary file; it belongs to Adobe).

CF-SCRIPT
-------------
We need to execute a CF-script.
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:
File::
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe

Save this as CFScript.txt, in the same location as ComboFix.exe

[screenshot omitted]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

regards, Elise


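The two things worth taking away from the logs above are how the infection hid and what it switched off: a second copy named "AdobeARM .exe" (note the space before the extension) sat beside the legitimate AdobeARM.exe, a Run value with a GUID-shaped name still pointed at the deleted uhlov.exe under the user's Application Data ([N/A]), and the log also shows AntiVirusOverride=1 and EnableFirewall=0. The script below is an added example, not ComboFix's own code and not anything Elise posted. It parses lines in the "Reg Loading Points" format shown in this thread and flags those patterns; the sample lines are constructed from the entries above, and the File:: block it emits only follows the format Elise gave (File:: followed by one path per line) and is a draft for an analyst to review, not something to run unread.

```python
"""Triage helpers for ComboFix-style log excerpts (added example, not ComboFix code)."""
import re
from dataclasses import dataclass, field

# Constructed sample in the 'Reg Loading Points' format, built from entries posted in the thread.
SAMPLE_LOG = """\
[HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"Messenger (Yahoo!)"="c:\\progra~1\\Yahoo!\\Messenger\\YahooMessenger.exe" [2010-06-01 5252408]
"{1355DCC1-766C-B33E-885D-85C236A1B6CE}"="c:\\documents and settings\\user\\Application Data\\Ehet\\uhlov.exe" [N/A]

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"RTHDCPL"="RTHDCPL.EXE" [2009-02-03 18085888]
"Adobe ARM"="c:\\program files\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe" [2010-09-21 932288]

[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<stamp>[^\]]*)\]\s*$')
_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.+?)\s*$')
_GUID_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)
# A user's own Application Data folder (not 'All Users') on an XP-style profile path.
_USER_APPDATA_RE = re.compile(r"\\documents and settings\\(?!all users\\)[^\\]+\\application data\\", re.I)
# Whitespace between the stem and the extension, e.g. "AdobeARM .exe" beside AdobeARM.exe.
_PADDED_EXT_RE = re.compile(r"\S\s+\.[a-z0-9]{1,4}$", re.I)


@dataclass
class Finding:
    key: str
    name: str
    path: str
    reasons: list = field(default_factory=list)


def path_reasons(path: str) -> list:
    """Reasons to look twice at an executable path, regardless of where it was referenced."""
    reasons = []
    basename = path.rsplit("\\", 1)[-1]
    if _PADDED_EXT_RE.search(basename):
        reasons.append("whitespace before extension (lookalike of a legitimate sibling)")
    if _USER_APPDATA_RE.search(path):
        reasons.append("executable under a user profile's Application Data")
    return reasons


def parse_run_entries(text: str):
    """Yield (key, name, path, stamp) for every value listed under a ...\\Run key."""
    key = ""
    for line in text.splitlines():
        m = _KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        if not key.lower().endswith("\\run"):
            continue
        m = _RUN_RE.match(line)
        if m:
            yield key, m.group("name"), m.group("path"), m.group("stamp")


def triage_run_entries(text: str) -> list:
    """Return a Finding for each Run value that matches at least one suspicious pattern."""
    findings = []
    for key, name, path, stamp in parse_run_entries(text):
        reasons = path_reasons(path)
        if stamp.strip().upper() == "N/A":
            reasons.append("target missing ([N/A]): orphaned autorun that a returning dropper would reuse")
        if _GUID_RE.match(name):
            reasons.append("GUID-shaped value name")
        if reasons:
            findings.append(Finding(key, name, path, reasons))
    return findings


def security_posture(text: str) -> list:
    """Flag the two 'protection switched off' settings that appear in the posted log."""
    issues = []
    for line in text.splitlines():
        m = _VALUE_RE.match(line)
        if not m:
            continue
        name, value = m.group("name"), m.group("value")
        if name == "AntiVirusOverride" and value.lower().startswith("dword:") and int(value[6:], 16) == 1:
            issues.append("Security Center AV monitoring overridden (AntiVirusOverride=1)")
        if name == "EnableFirewall" and value.split()[0] == "0":
            issues.append("Windows Firewall off on the standard profile (EnableFirewall=0)")
    return issues


def cfscript_for(findings: list) -> str:
    """Draft a File:: block in the format Elise posted (assumed: one full path per line)."""
    paths = [f.path for f in findings if "\\" in f.path]
    return "File::\n" + "\n".join(paths) + "\n" if paths else ""


if __name__ == "__main__":
    hits = triage_run_entries(SAMPLE_LOG)
    for f in hits:
        print(f"{f.name} -> {f.path}")
        for r in f.reasons:
            print("   -", r)
    for issue in security_posture(SAMPLE_LOG):
        print("POSTURE:", issue)
    print(cfscript_for(hits), end="")
```

On the sample the only Run value flagged is the GUID-named one pointing at uhlov.exe, with three reasons (user Application Data, target missing, GUID name); the padded-extension check is what would catch "AdobeARM .exe" if it had been registered to autostart, which is why it is kept separate in path_reasons so it can be applied to any path from the log.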


#15 commonalias
  • Topic Starter
  • Members
  • 38 posts
  • Gender:Male
  • Location:Ft. Lauderdale, Florida

Posted 02 January 2011 - 06:04 PM

ComboFix 11-01-02.02 - user 01/02/2011 15:59:21.6.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1351 [GMT -5:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\user\Desktop\CFScript.txt
AV: Norton Security Suite *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *Disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

FILE ::
"c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\user\Application Data\Ehet\uhlov.exe
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe

.
((((((((((((((((((((((((( Files Created from 2010-12-02 to 2011-01-02 )))))))))))))))))))))))))))))))
.

2011-01-01 23:53 . 2011-01-01 23:53 -------- d-----w- C:\N360_BACKUP
2011-01-01 15:12 . 2011-01-01 15:37 -------- d-----w- c:\program files\Common Files\Symantec Shared
2011-01-01 15:12 . 2011-01-01 15:12 -------- d-----w- c:\program files\Symantec
2011-01-01 15:12 . 2011-01-01 15:12 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-01-01 15:12 . 2011-01-01 15:12 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-01-01 15:11 . 2011-01-01 23:04 -------- d-----w- c:\windows\system32\drivers\N360
2011-01-01 15:11 . 2011-01-01 15:11 -------- d-----w- c:\program files\Norton Security Suite
2011-01-01 15:11 . 2011-01-01 15:11 -------- d-----w- c:\program files\Windows Sidebar
2011-01-01 01:39 . 2011-01-01 01:39 -------- d-----w- c:\program files\NortonInstaller
2011-01-01 01:22 . 2011-01-01 15:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-12-31 01:02 . 2010-12-31 01:02 -------- d-----w- c:\documents and settings\LocalService\Application Data\Flip Video
2010-12-25 19:47 . 2010-12-25 19:47 -------- d-----w- c:\documents and settings\test
2010-12-23 02:52 . 2010-12-23 03:13 -------- d-----w- c:\documents and settings\user\Application Data\Gaol
2010-12-22 00:05 . 2010-12-22 00:05 -------- d-----w- c:\documents and settings\user\Application Data\Malwarebytes
2010-12-21 23:29 . 2010-12-21 23:29 -------- d-sh--w- c:\documents and settings\NetworkService\IECompatCache
2010-12-21 23:29 . 2010-12-21 23:29 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-12-21 23:28 . 2010-12-21 23:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-12-21 23:28 . 2010-11-30 16:22 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-21 23:28 . 2010-12-21 23:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-21 23:28 . 2010-11-30 16:22 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-21 23:18 . 2010-12-21 23:19 -------- d-----w- c:\documents and settings\Administrator
2010-12-21 22:56 . 2010-12-28 04:42 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2010-12-21 22:54 . 2010-12-21 22:56 -------- d-----w- c:\documents and settings\user\Application Data\IObit
2010-12-21 22:54 . 2010-12-28 04:46 -------- d-----w- c:\program files\IObit
2010-12-18 15:52 . 2010-12-18 15:52 -------- d-----w- c:\program files\iPod
2010-12-18 15:51 . 2010-12-25 23:13 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin7.dll
2010-12-18 15:51 . 2010-12-25 23:13 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin6.dll
2010-12-18 15:51 . 2010-12-25 23:13 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin5.dll
2010-12-18 15:51 . 2010-12-25 23:13 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin4.dll
2010-12-18 15:51 . 2010-12-25 23:13 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin3.dll
2010-12-18 15:51 . 2010-12-25 23:13 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin2.dll
2010-12-18 15:51 . 2010-12-25 23:13 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin.dll
2010-12-18 15:49 . 2010-12-18 15:49 -------- d-----w- c:\program files\Bonjour
2010-12-18 06:10 . 2010-12-18 06:10 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
2010-12-18 02:21 . 2010-12-18 14:21 -------- d-----w- c:\program files\Windows Live Safety Center
2010-12-15 00:57 . 2010-12-15 00:57 -------- d-----w- c:\windows\system32\%APPDATA%
2010-12-13 04:14 . 2010-12-13 04:14 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-12-13 02:59 . 2010-12-18 15:32 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2010-12-12 17:32 . 2010-12-12 17:32 0 ----a-w- c:\windows\system32\lsp133.tmp
2010-12-12 14:14 . 2010-12-18 06:10 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-12-08 01:53 . 2010-12-08 01:53 110080 ----a-r- c:\documents and settings\user\Application Data\Microsoft\Installer\{3636C923-7AD6-4DE3-978A-09609AEE8ECF}\IconF7A21AF7.exe
2010-12-08 01:53 . 2010-12-08 01:53 110080 ----a-r- c:\documents and settings\user\Application Data\Microsoft\Installer\{3636C923-7AD6-4DE3-978A-09609AEE8ECF}\IconD7F16134.exe
2010-12-08 01:53 . 2010-12-08 01:53 -------- d-----w- C:\sh4ldr
2010-12-08 01:53 . 2010-12-08 01:53 -------- d-----w- c:\program files\Enigma Software Group
2010-12-08 01:51 . 2010-12-08 01:53 -------- d-----w- c:\windows\3636C9237AD64DE3978A09609AEE8ECF.TMP
2010-12-08 01:51 . 2010-12-08 01:51 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-12-06 23:38 . 2010-12-06 23:38 -------- d-----w- c:\documents and settings\LocalService\Application Data\Apple Computer
2010-12-06 04:10 . 2010-12-06 04:10 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\Threat Expert
2010-12-06 04:03 . 2010-12-06 04:03 249616 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-12-06 03:45 . 2011-01-01 08:18 -------- d-----w- c:\program files\PC Tools Security
2010-12-06 03:45 . 2011-01-01 08:18 -------- d-----w- c:\program files\Common Files\PC Tools
2010-12-06 03:45 . 2010-12-31 23:45 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-12-06 03:42 . 2010-12-31 23:45 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-29 22:38 . 2010-11-29 22:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 22:38 . 2010-11-29 22:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-11-18 18:12 . 2010-07-06 20:09 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-02 15:17 . 2008-04-14 12:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2008-04-14 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2008-04-14 12:00 1853312 ----a-w- c:\windows\system32\win32k.sys
2010-10-19 20:51 . 2010-07-06 20:47 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-10-07 17:23 . 2010-10-07 17:23 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-10-07 17:23 . 2010-10-07 17:23 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2010-10-07 17:23 . 2010-10-07 17:23 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-10-07 17:23 . 2010-10-07 17:23 107808 ----a-w- c:\windows\system32\dns-sd.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2010-06-01 5252408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2009-02-03 18085888]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-04-16 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-04-16 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-04-16 138008]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
WDDMStatus.lnk - c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2009-10-14 2049344]
WDSmartWare.lnk - c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe [2009-10-14 9085760]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"24726:TCP"= 24726:TCP:FlipShareServer
"24727:TCP"= 24727:TCP:FlipShareServer

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0403000.005\symds.sys [1/1/2011 5:50 PM 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0403000.005\symefa.sys [1/1/2011 5:50 PM 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20101123.003\BHDrvx86.sys [11/23/2010 3:34 AM 691248]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0403000.005\cchpx86.sys [1/1/2011 5:50 PM 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0403000.005\ironx86.sys [1/1/2011 5:50 PM 116784]
R2 FlipShareServer;FlipShare Server;c:\program files\Flip Video\FlipShareServer\FlipShareServer.exe [12/15/2010 1:22 PM 1085440]
R2 IS360service;IS360service;c:\program files\IObit\IObit Security 360\is360srv.exe [12/21/2010 5:55 PM 312152]
R2 N360;Norton Security Suite;c:\program files\Norton Security Suite\Engine\4.3.0.5\ccsvchst.exe [1/1/2011 5:50 PM 126392]
R2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [10/14/2009 1:31 PM 98304]
R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [6/16/2009 8:58 AM 20480]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [1/1/2011 1:15 PM 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20101231.001\IDSXpx86.sys [1/1/2011 11:13 AM 341944]
S0 cerc6;cerc6; [x]
S2 SpyHunter 4 Service;SpyHunter 4 Service;c:\progra~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE [11/5/2010 5:53 PM 327000]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [7/6/2010 3:22 PM 20160]
S3 esgiguard;esgiguard;c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [1/27/2010 5:10 PM 5248]
S3 HCW85BDA;Hauppauge WinTV 885 Video Capture;c:\windows\system32\drivers\HCW85BDA.sys [6/11/2007 12:49 PM 968064]
S3 Normandy;Normandy SR2; [x]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [7/13/2010 2:30 PM 11520]
S4 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [12/5/2010 11:03 PM 249616]
.
Contents of the 'Scheduled Tasks' folder

2010-12-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.my.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-{1355DCC1-766C-B33E-885D-85C236A1B6CE} - c:\documents and settings\user\Application Data\Ehet\uhlov.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-02 16:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton Security Suite\Engine\4.3.0.5\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\4.3.0.5\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d7,59,e0,61,4f,af,bd,4c,93,b6,98,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d7,59,e0,61,4f,af,bd,4c,93,b6,98,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(788)
c:\windows\system32\igfxdev.dll
.
Completion time: 2011-01-02 16:04:23
ComboFix-quarantined-files.txt 2011-01-02 21:04
ComboFix2.txt 2011-01-02 14:22
ComboFix3.txt 2010-12-31 23:31
ComboFix4.txt 2010-12-30 22:06

Pre-Run: 163,236,188,160 bytes free
Post-Run: 163,219,345,408 bytes free

- - End Of File - - C4FAE45625FAD4DC9F77926534F92FC5



