
Infected with a virus.


12 replies to this topic

#1 Viral_Frustration


Posted 31 March 2011 - 03:29 PM

I have run several scans on this computer. There is one infection remaining that I know about. The file is c:\windows\system32\t5j.dll. If I remove the file, the computer blue screens on start up with a Winlogon service error. If I put the file back, the computer boots normally. The file has also changed at least once.

The first file was t5h.dll at 19,500 bytes. The current file is t5j.dll at 265,292 bytes.
The two links give some information on the infection.

http://www.virustotal.com/file-scan/report.html?id=68d708565019cf492a3f8eeedf6943135a8febc792973f73db8cc7686f60ed13-1301506036

http://www.virustotal.com/file-scan/report.html?id=12c8b7369f0f32b45bfa60cc1d46774bef323e5088bd0b4e952895bb489b618d-1301600164

I did run ComboFix before coming to this site. ComboFix mentioned a file was trying to hook into it. Since I just read not to run it until told to, I will only post this bit of the log.
The following files were disabled during the run:
c:\windows\system32\t5j.dll

I searched through the registry with Windows offline, and there were no keys related to t5j.

Here is the blue screen error when I remove t5j.dll.
STOP: c000021a {Fatal System Error}
The Windows Logon Process system process terminated unexpectedly with a status of 0xc0000135.


Here is my DDS log.
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Administrator at 14:40:46.65 on Thu 03/31/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1271.548 [GMT -4:00]
.
AV: Symantec AntiVirus Corporate Edition *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\RealVNC\WinVNC.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Work\bleepingcomputer\dds.scr
C:\WINDOWS\system32\rundll32.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://go.compaq.com/1Q00CDT/0409/bl7.asp
mSearch Bar = hxxp://go.compaq.com/1Q00CDT/0409/bl8.asp
uInternet Connection Wizard,ShellNext = hxxp://www.superantispyware.com/uninstallsurvey.html?trial=no&installdate=2009-05-14&installtime=20:22:35&faultcount=1&version=4,%2025,%200,%201014
BHO: Foxit Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: Foxit Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [Smapp] c:\program files\analog devices\soundmax\SMTray.exe
mRun: [DrvLsnr] c:\program files\analog devices\soundmax\DrvLsnr.exe
mRun: [srmclean] c:\cpqs\scom\srmclean.exe
mRun: [SetRefresh] c:\program files\compaq\setrefresh\SetRefresh.exe
mRun: [CPQEASYACC] c:\program files\compaq\easy access button support\StartEAK.exe
mRun: [WinVNC] "c:\program files\realvnc\WinVNC.EXE" -servicehelper
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\point32.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~2\VPTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quicke~1.lnk - c:\program files\quicken\bagent.exe
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://active.macromedia.com/director/cabs/sw.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38050.414375
DPF: {CAFEEFAC-0014-0002-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: igfxcui - igfxsrvc.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
.
============= SERVICES / DRIVERS ===============
.
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-2-4 324232]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-2-4 53896]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-4-8 185968]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-4-8 161392]
R2 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2005-4-17 124608]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110322.002\naveng.sys [2011-3-23 86008]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110322.002\navex15.sys [2011-3-23 1360760]
S2 mrtRate;mrtRate; [x]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2005-4-8 83568]
S4 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2005-4-17 1706176]
.
=============== Created Last 30 ================
.
2011-03-31 19:31:30 -------- d-----w- C:\~ErdUserProfile.$$$
2011-03-31 18:39:14 274288 ----a-w- c:\windows\system32\mucltui.dll
2011-03-31 18:39:14 215920 ----a-w- c:\windows\system32\muweb.dll
2011-03-31 18:39:01 -------- d-----w- C:\Work
2011-03-29 03:04:24 -------- d-sh--w- c:\documents and settings\administrator.charlesxp\IETldCache
2011-03-28 20:20:15 -------- d-sha-r- C:\cmdcons
2011-03-28 20:11:33 -------- d-----w- c:\docume~1\admini~1.cha\locals~1\applic~1\Mozilla
2011-03-28 19:25:51 98816 ----a-w- c:\windows\sed.exe
2011-03-28 19:25:51 89088 ----a-w- c:\windows\MBR.exe
2011-03-28 19:25:51 256512 ----a-w- c:\windows\PEV.exe
2011-03-28 19:25:51 161792 ----a-w- c:\windows\SWREG.exe
2011-03-28 19:25:05 -------- d-----w- c:\docume~1\alluse~1\applic~1\Trend Micro
2011-03-28 19:18:18 63744 ----a-w- c:\windows\system32\drivers\cdfs.sys
2011-03-28 19:06:58 -------- d-----w- c:\documents and settings\administrator.charlesxp\log
2011-03-28 19:01:58 215920 ----a-w- c:\windows\system32\muweb.dll.suspect
2011-03-28 19:01:56 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2011-03-28 19:01:47 274288 ----a-w- c:\windows\system32\mucltui.dll.suspect
2011-03-28 16:47:15 -------- d-----w- C:\VundoFix Backups
2011-03-28 15:32:42 -------- d-----w- c:\docume~1\admini~1.cha\applic~1\.clamwin
2011-03-28 14:00:28 -------- d-----w- c:\program files\ClamWin
2011-03-28 14:00:28 -------- d-----w- c:\documents and settings\all users\.clamwin
2011-03-28 13:53:24 -------- d-----w- C:\Downloads
2011-03-28 13:51:24 110080 ----a-w- c:\windows\system32\imm32.dll.suspect
2011-03-24 19:38:08 -------- d--h--w- c:\windows\system32\GroupPolicy
2011-03-24 14:08:20 222080 ----a-w- c:\windows\system32\MpSigStub.exe
2011-03-23 18:07:33 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-03-23 18:06:58 -------- d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
.
==================== Find3M ====================
.
2011-03-24 19:41:15 18944 ----a-w- c:\windows\system32\version.dll
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 16:15:33 0 ----a-w- c:\windows\Hjowanawozavu.bin
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
.
============= FINISH: 14:43:13.95 ===============
And my GMER log file.

GMER 1.0.15.15570 - http://www.gmer.net
Rootkit scan 2011-03-31 15:28:19
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD400LB-60DNA1 rev.81.07A81
Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1.CHA\LOCALS~1\Temp\uxldapoc.sys


---- System - GMER 1.0.15 ----

SSDT 8963AD98 ZwConnectPort
SSDT 86DEB250 ZwDuplicateObject
SSDT 86ED57A8 ZwOpenProcess
SSDT 86ED5770 ZwOpenThread

---- Kernel code sections - GMER 1.0.15 ----

? C:\DOCUME~1\ADMINI~1.CHA\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BBD4551A-9B23-41CD-9BCD-818AA2DA7B63}\iexplore@Type 3
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BBD4551A-9B23-41CD-9BCD-818AA2DA7B63}\iexplore@Count 4

---- EOF - GMER 1.0.15 ----
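The symptom described in the post (deleting the DLL makes the Windows Logon Process die with status 0xc0000135, which is STATUS_DLL_NOT_FOUND, while no registry key names the file) is what you see when a legitimate system binary has been patched so that its import table names the dropped DLL, rather than the DLL being registered anywhere. As an added example that is not the poster's or BleepingComputer's code, here is a stdlib-only Python script that reads PE import directories and reports which files under a directory import a given DLL name; the files it scans are constructed samples written to a temp directory, and the names `patched_system_file.dll` and `clean_system_file.dll` are hypothetical.

```python
import os
import struct
import tempfile

def imported_dlls(data):
    """Return the DLL names in a PE file's import directory (PE32 or PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    opt_off = pe_off + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]
    # Data directories start 96 bytes into a PE32 optional header, 112 for PE32+; entry 1 is imports.
    dd_off = opt_off + (96 if magic == 0x10B else 112)
    imp_rva = struct.unpack_from("<I", data, dd_off + 8)[0]
    sections = []
    sec_off = opt_off + opt_size
    for i in range(nsections):
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, sec_off + i * 40 + 8)
        sections.append((va, max(vsize, rawsize), rawptr))

    def rva_to_off(rva):
        for va, size, rawptr in sections:
            if va <= rva < va + size:
                return rawptr + (rva - va)
        raise ValueError("RVA %#x maps to no section" % rva)
    names = []
    if imp_rva == 0:
        return names  # no imports at all
    desc = rva_to_off(imp_rva)
    while True:  # 20-byte IMAGE_IMPORT_DESCRIPTORs, terminated by an all-zero entry
        name_rva = struct.unpack_from("<I", data, desc + 12)[0]
        if name_rva == 0:
            break
        off = rva_to_off(name_rva)
        names.append(data[off:data.index(b"\0", off)].decode("ascii", "replace"))
        desc += 20
    return names

def find_importers(root, dll_name):
    """Walk root and return the PE files whose import table names dll_name (case-insensitive)."""
    target = dll_name.lower()
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as f:
                    data = f.read()
                if data[:2] == b"MZ" and target in (d.lower() for d in imported_dlls(data)):
                    hits.append(path)
            except (OSError, ValueError, struct.error):
                continue  # unreadable or malformed file: skip it, do not abort the sweep
    return sorted(hits)

def build_test_pe(dll_names):
    """Constructed minimal PE32 whose single section holds just an import directory."""
    sec_rva, raw_ptr, pe_off, opt_size = 0x1000, 0x200, 0x40, 224
    desc_bytes = (len(dll_names) + 1) * 20
    descs, str_rva = bytearray(), sec_rva + desc_bytes
    for d in dll_names:
        descs += struct.pack("<IIIII", 0, 0, 0, str_rva, 0)  # Name RVA is the 4th field
        str_rva += len(d) + 1
    descs += bytes(20)  # terminator
    section = bytes(descs) + b"".join(d.encode("ascii") + b"\0" for d in dll_names)
    img = bytearray(raw_ptr)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, pe_off)
    img[pe_off:pe_off + 4] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, pe_off + 4, 0x14C, 1, 0, 0, 0, opt_size, 0x2102)
    opt_off = pe_off + 24
    struct.pack_into("<H", img, opt_off, 0x10B)                       # PE32 magic
    struct.pack_into("<II", img, opt_off + 104, sec_rva, desc_bytes)  # import directory entry
    sec_off = opt_off + opt_size
    img[sec_off:sec_off + 8] = b".idata\0\0"
    struct.pack_into("<IIII", img, sec_off + 8, len(section), sec_rva, len(section), raw_ptr)
    return bytes(img) + section

def scan_demo():
    """Write constructed sample files to a temp dir and return the basenames flagged for t5j.dll."""
    with tempfile.TemporaryDirectory() as tmp:
        samples = {
            "patched_system_file.dll": build_test_pe(["KERNEL32.dll", "t5j.dll"]),
            "clean_system_file.dll": build_test_pe(["KERNEL32.dll", "ntdll.dll"]),
            "readme.txt": b"not a PE file\n",
        }
        for name, blob in samples.items():
            with open(os.path.join(tmp, name), "wb") as f:
                f.write(blob)
        return [os.path.basename(p) for p in find_importers(tmp, "T5J.DLL")]

if __name__ == "__main__":
    # On the affected machine you would point find_importers at C:\WINDOWS\system32 instead.
    print("files importing t5j.dll:", scan_demo())
```

Any system file the sweep flags is the one to compare against a known-good copy (the `dllcache` copy or install media) before touching the dropped DLL again.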


#2 Elise

  • Malware Study Hall Admin

Posted 06 April 2011 - 06:39 AM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.
  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
If you have already posted a log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

-------------------------------------------------------------
In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new DDS log (don't forget attach.txt)

Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft


#3 Viral_Frustration

  • Topic Starter

Posted 07 April 2011 - 10:14 AM

My description of the problem is in the first post. Here are the DDS log and attach that I just created.

DDS.txt
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Administrator at 10:45:52.93 on Thu 04/07/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1271.686 [GMT -4:00]
.
AV: Symantec AntiVirus Corporate Edition *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\RealVNC\WinVNC.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Work\bleepingcomputer\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://go.compaq.com/1Q00CDT/0409/bl7.asp
mSearch Bar = hxxp://go.compaq.com/1Q00CDT/0409/bl8.asp
uInternet Connection Wizard,ShellNext = hxxp://www.superantispyware.com/uninstallsurvey.html?trial=no&installdate=2009-05-14&installtime=20:22:35&faultcount=1&version=4,%2025,%200,%201014
BHO: Foxit Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: Foxit Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [Smapp] c:\program files\analog devices\soundmax\SMTray.exe
mRun: [DrvLsnr] c:\program files\analog devices\soundmax\DrvLsnr.exe
mRun: [srmclean] c:\cpqs\scom\srmclean.exe
mRun: [SetRefresh] c:\program files\compaq\setrefresh\SetRefresh.exe
mRun: [CPQEASYACC] c:\program files\compaq\easy access button support\StartEAK.exe
mRun: [WinVNC] "c:\program files\realvnc\WinVNC.EXE" -servicehelper
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\point32.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~2\VPTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quicke~1.lnk - c:\program files\quicken\bagent.exe
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://active.macromedia.com/director/cabs/sw.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38050.414375
DPF: {CAFEEFAC-0014-0002-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: igfxcui - igfxsrvc.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
.
============= SERVICES / DRIVERS ===============
.
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-2-4 324232]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-2-4 53896]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-4-8 185968]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-4-8 161392]
R2 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2005-4-17 124608]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110322.002\naveng.sys [2011-3-23 86008]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110322.002\navex15.sys [2011-3-23 1360760]
S2 mrtRate;mrtRate; [x]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2005-4-8 83568]
S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]
S3 rspSanity;rspSanity;c:\windows\system32\drivers\rspSanity32.sys [2011-3-31 30136]
S4 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2005-4-17 1706176]
.
=============== Created Last 30 ================
.
2011-04-07 14:17:05 -------- d-----w- C:\~ErdUserProfile.$$$
2011-03-31 20:56:38 -------- d-----w- c:\docume~1\admini~1.cha\locals~1\applic~1\Adobe
2011-03-31 19:47:48 30136 ----a-w- c:\windows\system32\drivers\rspSanity32.sys
2011-03-31 19:47:47 -------- d-----w- c:\program files\SanityCheck
2011-03-31 19:38:09 110080 ----a-w- c:\windows\system32\imm32.dll
2011-03-31 19:38:09 110080 ----a-w- c:\windows\system32\dllcache\imm32.dll
2011-03-31 18:39:14 274288 ----a-w- c:\windows\system32\mucltui.dll
2011-03-31 18:39:14 215920 ----a-w- c:\windows\system32\muweb.dll
2011-03-31 18:39:01 -------- d-----w- C:\Work
2011-03-29 03:04:24 -------- d-sh--w- c:\documents and settings\administrator.charlesxp\IETldCache
2011-03-28 20:20:15 -------- d-sha-r- C:\cmdcons
2011-03-28 20:11:33 -------- d-----w- c:\docume~1\admini~1.cha\locals~1\applic~1\Mozilla
2011-03-28 19:25:51 98816 ----a-w- c:\windows\sed.exe
2011-03-28 19:25:51 89088 ----a-w- c:\windows\MBR.exe
2011-03-28 19:25:51 256512 ----a-w- c:\windows\PEV.exe
2011-03-28 19:25:51 161792 ----a-w- c:\windows\SWREG.exe
2011-03-28 19:25:05 -------- d-----w- c:\docume~1\alluse~1\applic~1\Trend Micro
2011-03-28 19:18:18 63744 ----a-w- c:\windows\system32\drivers\cdfs.sys
2011-03-28 19:06:58 -------- d-----w- c:\documents and settings\administrator.charlesxp\log
2011-03-28 19:01:58 215920 ----a-w- c:\windows\system32\muweb.dll.suspect
2011-03-28 19:01:56 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2011-03-28 19:01:47 274288 ----a-w- c:\windows\system32\mucltui.dll.suspect
2011-03-28 16:47:15 -------- d-----w- C:\VundoFix Backups
2011-03-28 15:32:42 -------- d-----w- c:\docume~1\admini~1.cha\applic~1\.clamwin
2011-03-28 14:00:28 -------- d-----w- c:\program files\ClamWin
2011-03-28 14:00:28 -------- d-----w- c:\documents and settings\all users\.clamwin
2011-03-28 13:53:24 -------- d-----w- C:\Downloads
2011-03-28 13:51:24 110080 ----a-w- c:\windows\system32\imm32.dll.suspect
2011-03-24 19:38:08 -------- d--h--w- c:\windows\system32\GroupPolicy
2011-03-24 14:08:20 222080 ----a-w- c:\windows\system32\MpSigStub.exe
2011-03-23 18:07:33 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-03-23 18:06:58 -------- d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
.
==================== Find3M ====================
.
2011-03-24 19:41:15 18944 ----a-w- c:\windows\system32\version.dll
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 16:15:33 0 ----a-w- c:\windows\Hjowanawozavu.bin
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
.
============= FINISH: 10:46:42.06 ===============

ATTACH.txt
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-03-05.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 3/4/2004 11:44:19 AM
System Uptime: 4/7/2011 10:39:19 AM (0 hours ago)
.
Motherboard: Hewlett-Packard | | 085Ch
Processor: Intel® Pentium® 4 CPU 2.66GHz | XU1 PROCESSOR | 2660/533mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 37 GiB total, 27.839 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
Adobe Flash Player 10 ActiveX
Adobe Reader 7.0
Ask Toolbar
Autodesk MapGuide® Viewer ActiveX Control Release 6.5
Belarc Advisor 7.0
Broadcom Management Programs
Displaysoft Main Install
Easy Access Button Support
Foxit Reader
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
Image Web Server IE Plugins 2,0,0,104
Intel® Extreme Graphics 2 Driver
Java 2 Runtime Environment, SE v1.4.2_01
Java™ 6 Update 7
LiveUpdate 2.6 (Symantec Corporation)
Microsoft IntelliPoint 5.4
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office Basic Edition 2003
Quicken 2004
SanityCheck 1.02
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Shadow Copy Client
Software Setup
SoundMAX
Symantec AntiVirus
Update for Windows Internet Explorer 8 (KB973874)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows XP Service Pack 3
WordPerfect Productivity Pack
.
==== Event Viewer Messages From Past Week ========
.
3/31/2011 3:49:35 PM, error: Service Control Manager [7000] - The mrtRate service failed to start due to the following error: The system cannot find the file specified.
3/31/2011 3:49:31 PM, error: NETLOGON [5719] - No Domain Controller is available for domain horizontitle due to the following: There are currently no logon servers available to service the logon request. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.
.
==== End Of File ===========================

#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,205 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:11:01 AM

Posted 07 April 2011 - 10:47 AM

Hi, I see you have also run Combofix. Can you please post me the log from c:\combofix.txt

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#5 Viral_Frustration

Viral_Frustration
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:04:01 AM

Posted 07 April 2011 - 10:54 AM

Thanks for the quick reply.

Something else I remembered. imm32.dll was deleted by the antivirus. I replaced it from a clean installation of Windows. All log files are from after imm32.dll was replaced. Also the problem still exists that Windows will not boot if I delete t5j.dll.


Here is the ComboFix log.

ComboFix 11-03-28.01 - Administrator 03/28/2011 20:25:26.3.1 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1271.1043 [GMT -4:00]
Running from: c:\documents and settings\Administrator.CHARLESXP\Desktop\ComboFix.exe
Command switches used :: combofix
AV: Emsisoft Anti-Malware *Enabled/Updated* {0F8591BB-342B-4493-91C3-4E948ED21255}
AV: Symantec AntiVirus Corporate Edition *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
The following files were disabled during the run:
c:\windows\system32\t5j.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-02-28 to 2011-03-29 )))))))))))))))))))))))))))))))
.
.
2011-03-28 20:11 . 2011-03-28 20:11 -------- d-----w- c:\documents and settings\Administrator.CHARLESXP\Local Settings\Application Data\Mozilla
2011-03-28 19:32 . 2011-03-28 19:32 -------- d-----w- C:\~ErdUserProfile.$$$
2011-03-28 19:25 . 2011-03-28 19:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Trend Micro
2011-03-28 19:18 . 2008-04-14 00:00 63744 ----a-w- c:\windows\system32\drivers\cdfs.sys
2011-03-28 19:06 . 2011-03-28 19:06 -------- d-----w- c:\documents and settings\Administrator.CHARLESXP\log
2011-03-28 19:05 . 2011-03-28 19:05 -------- d-----w- c:\program files\WinPcap
2011-03-28 19:01 . 2009-08-06 23:23 215920 ----a-w- c:\windows\system32\muweb.dll
2011-03-28 19:01 . 2009-08-06 23:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2011-03-28 16:47 . 2011-03-28 16:47 -------- d-----w- C:\VundoFix Backups
2011-03-28 16:27 . 2011-03-28 16:27 -------- d-----w- c:\program files\Emsisoft HiJackFree
2011-03-28 15:36 . 2011-03-28 19:00 -------- d-----w- c:\program files\Emsisoft Anti-Malware
2011-03-28 15:32 . 2011-03-28 15:32 -------- d-----w- c:\documents and settings\Administrator.CHARLESXP\Application Data\.clamwin
2011-03-28 15:32 . 2011-03-28 15:32 -------- d-sh--w- c:\documents and settings\Administrator.CHARLESXP\IETldCache
2011-03-28 14:00 . 2011-03-28 14:01 -------- d-----w- c:\documents and settings\Administrator\Application Data\.clamwin
2011-03-28 14:00 . 2011-03-28 14:00 -------- d-----w- c:\program files\ClamWin
2011-03-28 14:00 . 2011-03-28 14:00 -------- d-----w- c:\documents and settings\All Users\.clamwin
2011-03-28 13:53 . 2011-03-28 13:53 -------- d-----w- C:\Downloads
2011-03-28 13:51 . 2008-04-13 23:00 110080 ----a-w- c:\windows\system32\imm32.dll
2011-03-28 13:51 . 2008-04-13 23:00 110080 ----a-w- c:\windows\system32\dllcache\imm32.dll
2011-03-24 19:38 . 2011-03-24 19:38 -------- d--h--w- c:\windows\system32\GroupPolicy
2011-03-24 14:35 . 2011-03-24 14:35 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\PCHealth
2011-03-24 14:08 . 2010-10-19 20:51 222080 ----a-w- c:\windows\system32\MpSigStub.exe
2011-03-23 18:07 . 2011-03-28 13:41 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-03-23 18:06 . 2011-03-23 18:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-28 19:06 . 2008-09-02 19:02 190032 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-03-24 19:41 . 2003-03-31 02:00 18944 ----a-w- c:\windows\system32\version.dll
2011-02-09 13:53 . 2003-03-31 02:00 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2003-03-31 02:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58 . 2003-03-31 02:00 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2003-03-31 02:00 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2003-03-31 02:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2003-03-31 02:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2003-03-31 02:00 1854976 ----a-w- c:\windows\system32\win32k.sys
.
.
------- Sigcheck -------
.
[-] 2011-03-24 . 874503CC289E548661DE1583CA7295B1 . 18944 . . [5.1.2600.5512] . . c:\windows\system32\version.dll
[7] 2008-04-14 . C7CE131408739B0B3A318BE2D0032719 . 18944 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\version.dll
[-] 2001-08-18 . 90D0D0BEA6FBC19E765E30B7DDF52B9A . 16384 . . [5.1.2600.0] . . c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\backup\version.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-02-04 20:50 1197448 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-10-02 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-10-02 118784]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 143360]
"DrvLsnr"="c:\program files\Analog Devices\SoundMAX\DrvLsnr.exe" [2003-05-08 69632]
"srmclean"="c:\cpqs\Scom\srmclean.exe" [2001-07-24 36864]
"SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 525824]
"CPQEASYACC"="c:\program files\COMPAQ\Easy Access Button Support\StartEAK.exe" [2001-12-14 32768]
"WinVNC"="c:\program files\RealVNC\WinVNC.EXE" [2003-03-05 335872]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2005-06-10 217088]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 48752]
"vptray"="c:\progra~1\SYMANT~2\VPTray.exe" [2005-04-17 85184]
"ClamWin"="c:\program files\ClamWin\bin\ClamTray.exe" [2011-02-16 86016]
"a-squared"="c:\program files\Emsisoft Anti-Malware\a2guard.exe" [2011-03-10 3438992]
"Trend Micro RUBotted V2.0 Beta"="c:\program files\Trend Micro\RUBotted\RUBottedGUI.exe" [2010-12-17 1103184]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Quicken Scheduled Updates.lnk - c:\program files\Quicken\bagent.exe [2003-7-29 57344]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
S1 a2injectiondriver;a2injectiondriver;c:\program files\Emsisoft Anti-Malware\a2dix86.sys [3/28/2011 11:36 AM 41928]
S1 a2util;a-squared Malware-IDS utility driver;c:\program files\Emsisoft Anti-Malware\a2util32.sys [3/28/2011 11:36 AM 11776]
S2 mrtRate;mrtRate; [x]
S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [10/20/2009 2:19 PM 50704]
S2 RUBotSrv;Trend Micro RUBotted Service;c:\program files\Trend Micro\RUBotted\RUBotSrv.exe [3/28/2011 3:02 PM 439632]
S2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [4/17/2005 12:30 PM 124608]
S3 a2acc;a2acc;c:\program files\Emsisoft Anti-Malware\a2accx86.sys [3/28/2011 11:36 AM 73728]
S3 Normandy;Normandy SR2; [x]
S4 a2AntiMalware;Emsisoft Anti-Malware 5.0 - Service;c:\program files\Emsisoft Anti-Malware\a2service.exe [3/28/2011 11:36 AM 2964312]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MRTRATE
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-28 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-02-04 20:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://go.compaq.com/1Q00CDT/0409/bl7.asp
mSearch Bar = hxxp://go.compaq.com/1Q00CDT/0409/bl8.asp
uInternet Connection Wizard,ShellNext = hxxp://www.superantispyware.com/uninstallsurvey.html?trial=no&installdate=2009-05-14&installtime=20:22&faultcount=1&version=4,%2025,%200,%201014
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Administrator.CHARLESXP\Application Data\Mozilla\Firefox\Profiles\2ioepqiq.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-28 20:31
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-969125504-3549729543-1025539173-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BBD4551A-9B23-41CD-9BCD-818AA2DA7B63}\iexplore]
@DACL=(02 0000)
"Type"=dword:00000003
"Count"=dword:00000004
"Time"=hex:d9,07,05,00,05,00,0f,00,10,00,08,00,04,00,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(228)
c:\windows\system32\t5j.dll
.
- - - - - - - > 'lsass.exe'(284)
c:\windows\system32\t5j.dll
.
Completion time: 2011-03-28 20:33:36
ComboFix-quarantined-files.txt 2011-03-29 00:33
.
Pre-Run: 29,897,138,176 bytes free
Post-Run: 29,898,530,816 bytes free
.
- - End Of File - - 297EA1C3DDC2BA24BCFE9CDB0AED93DB

#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,205 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:11:01 AM

Posted 07 April 2011 - 11:35 AM

Hi again,

CF-SCRIPT
-------------
We need to execute a CF-script.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:
FCopy::
c:\windows\ServicePackFiles\i386\version.dll | c:\windows\system32\version.dll
Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


Malware analyst @ Emsisoft

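The Sigcheck block in the ComboFix log above is what makes this fix possible: c:\windows\system32\version.dll carries the same version string and size as the copy under ServicePackFiles but a different MD5, which is why the CF-script copies the Service Pack file back over it. As an added example that is not part of this thread and not ComboFix's own code, the Python script below parses that block (sample lines copied from the log above), flags any system32 file whose hash differs from its ServicePackFiles twin at the same version, and renders the matching FCopy:: directive; the line format and the use of ServicePackFiles as the trusted reference are assumptions.

```python
"""Check a ComboFix 'Sigcheck' block for system files whose MD5 differs from the
Service Pack backup copy, and render the corresponding CFScript FCopy line.

Added example for this thread; it is not ComboFix's code. The Sigcheck line
format and treating the ServicePackFiles folder as the trusted reference are
assumptions made for this example.
"""
import hashlib
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Sigcheck lines look like:  [flag] date . MD5 . size . . [version] . . path
SIGCHECK_LINE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+(?P<date>\S+)\s+\.\s+(?P<md5>[0-9A-Fa-f]{32})"
    r"\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+\[(?P<version>[^\]]*)\]"
    r"\s+\.\s+\.\s+(?P<path>.+?)\s*$"
)

# Constructed sample: the three Sigcheck lines from the ComboFix log posted above.
SAMPLE_SIGCHECK = r"""
------- Sigcheck -------
.
[-] 2011-03-24 . 874503CC289E548661DE1583CA7295B1 . 18944 . . [5.1.2600.5512] . . c:\windows\system32\version.dll
[7] 2008-04-14 . C7CE131408739B0B3A318BE2D0032719 . 18944 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\version.dll
[-] 2001-08-18 . 90D0D0BEA6FBC19E765E30B7DDF52B9A . 16384 . . [5.1.2600.0] . . c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\backup\version.dll
.
"""


def parse_sigcheck(log_text):
    """Return one dict per Sigcheck line (flag, date, md5, size, version, path)."""
    entries = []
    for line in log_text.splitlines():
        m = SIGCHECK_LINE.match(line.strip())
        if m:
            e = m.groupdict()
            e["size"] = int(e["size"])
            e["md5"] = e["md5"].upper()
            entries.append(e)
    return entries


def find_modified_system_files(entries, system_dir=r"c:\windows\system32"):
    """Flag each file under system_dir whose MD5 differs from the ServicePackFiles
    entry with the same file name and version string. A different hash at an
    identical version and size is the pattern a patched system DLL shows: a
    version or size check alone would pass it."""
    by_name = defaultdict(list)
    for e in entries:
        by_name[PureWindowsPath(e["path"]).name.lower()].append(e)

    prefix = system_dir.lower().rstrip("\\") + "\\"
    findings = []
    for name, group in by_name.items():
        live = [e for e in group if e["path"].lower().startswith(prefix)]
        refs = [e for e in group if "\\servicepackfiles\\" in e["path"].lower()]
        for lv in live:
            for ref in refs:
                if lv["version"] == ref["version"] and lv["md5"] != ref["md5"]:
                    findings.append({
                        "file": name,
                        "live_path": lv["path"],
                        "live_md5": lv["md5"],
                        "reference_path": ref["path"],
                        "reference_md5": ref["md5"],
                        "size_matches": lv["size"] == ref["size"],
                    })
    return findings


def fcopy_script(findings):
    """Render findings as a CFScript 'FCopy::' section (reference | live), the
    same directive form used in the thread to restore version.dll."""
    lines = ["FCopy::"]
    for f in findings:
        lines.append(f"{f['reference_path']} | {f['live_path']}")
    return "\n".join(lines) + "\n"


def md5_bytes(data):
    """Upper-case hex MD5, matching the case ComboFix prints."""
    return hashlib.md5(data).hexdigest().upper()


def md5_file(path):
    """MD5 of a file on disk, read in chunks, for re-checking a live file
    against its backup copy after the FCopy has run."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest().upper()


if __name__ == "__main__":
    found = find_modified_system_files(parse_sigcheck(SAMPLE_SIGCHECK))
    for f in found:
        print(f"{f['file']}: live {f['live_md5']} != reference "
              f"{f['reference_md5']} (same size: {f['size_matches']})")
    print(fcopy_script(found), end="")
```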

#7 Viral_Frustration

Viral_Frustration
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:04:01 AM

Posted 07 April 2011 - 02:04 PM

ComboFix Log

ComboFix 11-04-06.03 - Administrator 04/07/2011 13:15:46.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1271.923 [GMT -4:00]
Running from: c:\documents and settings\Administrator.CHARLESXP\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator.CHARLESXP\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
* Created a new restore point
.
The following files were disabled during the run:
c:\windows\system32\t5j.dll
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
--------------- FCopy ---------------
.
c:\windows\ServicePackFiles\i386\version.dll --> c:\windows\system32\version.dll
.
((((((((((((((((((((((((( Files Created from 2011-03-07 to 2011-04-07 )))))))))))))))))))))))))))))))
.
.
2011-04-07 14:17 . 2011-04-07 14:17 -------- d-----w- C:\~ErdUserProfile.$$$
2011-03-31 20:56 . 2011-03-31 20:57 -------- d-----w- c:\documents and settings\Administrator.CHARLESXP\Local Settings\Application Data\Adobe
2011-03-31 19:47 . 2009-03-08 01:23 30136 ----a-w- c:\windows\system32\drivers\rspSanity32.sys
2011-03-31 19:47 . 2011-03-31 19:47 -------- d-----w- c:\program files\SanityCheck
2011-03-31 19:38 . 2008-04-13 23:00 110080 ----a-w- c:\windows\system32\imm32.dll
2011-03-31 19:38 . 2008-04-13 23:00 110080 ----a-w- c:\windows\system32\dllcache\imm32.dll
2011-03-31 18:39 . 2009-08-06 23:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2011-03-31 18:39 . 2009-08-06 23:23 215920 ----a-w- c:\windows\system32\muweb.dll
2011-03-31 18:39 . 2011-04-07 16:51 -------- d-----w- C:\Work
2011-03-29 03:04 . 2011-03-29 03:04 -------- d-sh--w- c:\documents and settings\Administrator.CHARLESXP\IETldCache
2011-03-28 20:11 . 2011-03-28 20:11 -------- d-----w- c:\documents and settings\Administrator.CHARLESXP\Local Settings\Application Data\Mozilla
2011-03-28 19:25 . 2011-03-28 19:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Trend Micro
2011-03-28 19:18 . 2008-04-14 00:00 63744 ----a-w- c:\windows\system32\drivers\cdfs.sys
2011-03-28 19:06 . 2011-03-28 19:06 -------- d-----w- c:\documents and settings\Administrator.CHARLESXP\log
2011-03-28 16:47 . 2011-03-28 16:47 -------- d-----w- C:\VundoFix Backups
2011-03-28 15:32 . 2011-03-28 15:32 -------- d-----w- c:\documents and settings\Administrator.CHARLESXP\Application Data\.clamwin
2011-03-28 14:00 . 2011-03-28 14:01 -------- d-----w- c:\documents and settings\Administrator\Application Data\.clamwin
2011-03-28 14:00 . 2011-03-28 14:00 -------- d-----w- c:\program files\ClamWin
2011-03-28 14:00 . 2011-03-28 14:00 -------- d-----w- c:\documents and settings\All Users\.clamwin
2011-03-28 13:53 . 2011-03-28 13:53 -------- d-----w- C:\Downloads
2011-03-24 19:38 . 2011-03-24 19:38 -------- d--h--w- c:\windows\system32\GroupPolicy
2011-03-24 14:35 . 2011-03-24 14:35 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\PCHealth
2011-03-24 14:08 . 2010-10-19 20:51 222080 ----a-w- c:\windows\system32\MpSigStub.exe
2011-03-23 18:07 . 2011-03-28 13:41 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-03-23 18:06 . 2011-03-23 18:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-28 19:06 . 2008-09-02 19:02 190032 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-02-09 13:53 . 2003-03-31 02:00 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2003-03-31 02:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58 . 2003-03-31 02:00 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2003-03-31 02:00 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2003-03-31 02:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-03-29_03.40.23 )))))))))))))))))))))))))))))))))))))))))
.
+ 2003-03-31 02:00 . 2008-04-14 09:42 18944 c:\windows\system32\dllcache\version.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-02-04 20:50 1197448 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-10-02 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-10-02 118784]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 143360]
"DrvLsnr"="c:\program files\Analog Devices\SoundMAX\DrvLsnr.exe" [2003-05-08 69632]
"srmclean"="c:\cpqs\Scom\srmclean.exe" [2001-07-24 36864]
"SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 525824]
"CPQEASYACC"="c:\program files\COMPAQ\Easy Access Button Support\StartEAK.exe" [2001-12-14 32768]
"WinVNC"="c:\program files\RealVNC\WinVNC.EXE" [2003-03-05 335872]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2005-06-10 217088]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 48752]
"vptray"="c:\progra~1\SYMANT~2\VPTray.exe" [2005-04-17 85184]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Quicken Scheduled Updates.lnk - c:\program files\Quicken\bagent.exe [2003-7-29 57344]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [4/17/2005 12:30 PM 124608]
S2 mrtRate;mrtRate; [x]
S3 rspSanity;rspSanity;c:\windows\system32\drivers\rspSanity32.sys [3/31/2011 3:47 PM 30136]
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-07 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-02-04 20:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://go.compaq.com/1Q00CDT/0409/bl7.asp
mSearch Bar = hxxp://go.compaq.com/1Q00CDT/0409/bl8.asp
uInternet Connection Wizard,ShellNext = hxxp://www.superantispyware.com/uninstallsurvey.html?trial=no&installdate=2009-05-14&installtime=20:22&faultcount=1&version=4,%2025,%200,%201014
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-07 13:23
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-969125504-3549729543-1025539173-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BBD4551A-9B23-41CD-9BCD-818AA2DA7B63}\iexplore]
@DACL=(02 0000)
"Type"=dword:00000003
"Count"=dword:00000004
"Time"=hex:d9,07,05,00,05,00,0f,00,10,00,08,00,04,00,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(692)
c:\windows\system32\t5j.dll
.
- - - - - - - > 'lsass.exe'(748)
c:\windows\system32\t5j.dll
.
Completion time: 2011-04-07 13:25:19
ComboFix-quarantined-files.txt 2011-04-07 17:25
ComboFix2.txt 2011-03-29 03:42
ComboFix3.txt 2011-03-29 01:27
.
Pre-Run: 29,768,785,920 bytes free
Post-Run: 29,755,904,000 bytes free
.
- - End Of File - - 9F7DF3F678A52F4383E0FA8D8F2BD8A1

#8 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,205 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:11:01 AM

Posted 07 April 2011 - 02:19 PM

Hi again, let's run another scan that may show us other instances of the t5j.dll file so we can delete it safely together with its loading points.

OTL
-----
Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Quick Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


Malware analyst @ Emsisoft


#9 Viral_Frustration

Viral_Frustration
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:04:01 AM

Posted 07 April 2011 - 03:01 PM

I think the version.dll file was the problem. I was able to rename/delete the t5j.dll file while Windows was running. I could not do that before.

OTL log.
OTL logfile created on: 4/7/2011 3:47:35 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Administrator.CHARLESXP\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 66.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 92.00% Paging File free
Paging file location(s): C:\pagefile.sys 700 1500 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.26 Gb Total Space | 27.72 Gb Free Space | 74.41% Space Free | Partition Type: NTFS

Computer Name: CHARLESXP | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/04/07 15:47:03 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator.CHARLESXP\My Documents\Downloads\OTL.exe
PRC - [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2005/04/17 12:30:42 | 000,124,608 | ---- | M] (symantec) -- C:\Program Files\Symantec AntiVirus\SavRoam.exe
PRC - [2005/04/17 12:30:32 | 000,019,648 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe
PRC - [2005/04/08 15:54:52 | 000,161,392 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
PRC - [2005/04/08 15:52:32 | 000,185,968 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
PRC - [2005/03/30 21:48:22 | 000,992,864 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
PRC - [2003/03/05 13:49:00 | 000,335,872 | ---- | M] (RealVNC Ltd.) -- C:\Program Files\RealVNC\winvnc.exe
PRC - [2002/09/20 20:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


========== Modules (SafeList) ==========

MOD - [2011/04/07 15:47:03 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator.CHARLESXP\My Documents\Downloads\OTL.exe
MOD - [2010/08/23 12:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2005/04/17 12:30:42 | 000,124,608 | ---- | M] (symantec) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\SavRoam.exe -- (SavRoam)
SRV - [2005/04/17 12:30:40 | 001,706,176 | ---- | M] (Symantec Corporation) [Disabled | Stopped] -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2005/04/17 12:30:32 | 000,019,648 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\DefWatch.exe -- (DefWatch)
SRV - [2005/04/08 15:54:52 | 000,161,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr)
SRV - [2005/04/08 15:54:50 | 000,083,568 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe -- (ccPwdSvc)
SRV - [2005/04/08 15:52:32 | 000,185,968 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr)
SRV - [2005/04/05 11:17:22 | 000,206,552 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- (SNDSrvc)
SRV - [2005/03/30 21:48:22 | 000,992,864 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe -- (SPBBCSvc)
SRV - [2003/03/05 13:49:00 | 000,335,872 | ---- | M] (RealVNC Ltd.) [Auto | Running] -- C:\Program Files\RealVNC\WinVNC.EXE -- (WinVNC)
SRV - [2002/09/20 20:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) [Auto | Running] -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe -- (SoundMAX Agent Service (default))


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Running] -- -- (catchme)
DRV - [2011/03/28 15:06:56 | 000,190,032 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\tmcomm.sys -- (tmcomm)
DRV - [2010/12/13 21:53:10 | 001,360,760 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20110322.002\NAVEX15.SYS -- (NAVEX15)
DRV - [2010/12/13 21:53:06 | 000,086,008 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20110322.002\NAVENG.SYS -- (NAVENG)
DRV - [2010/05/21 18:41:01 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\eengine\eeCtrl.sys -- (eeCtrl)
DRV - [2009/03/07 21:23:54 | 000,030,136 | ---- | M] (Resplendence Software Projects Sp.) [File_System | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\rspSanity32.sys -- (rspSanity)
DRV - [2008/04/13 22:04:34 | 000,019,455 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wvchntxx.sys -- (iAimFP4)
DRV - [2008/04/13 22:04:32 | 000,012,063 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wsiintxx.sys -- (iAimFP3)
DRV - [2008/04/13 22:04:30 | 000,033,599 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\watv04nt.sys -- (iAimTV3)
DRV - [2008/04/13 22:04:30 | 000,029,311 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\watv01nt.sys -- (iAimTV0)
DRV - [2008/04/13 22:04:30 | 000,023,615 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wch7xxnt.sys -- (iAimTV4)
DRV - [2008/04/13 22:04:30 | 000,019,551 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\watv02nt.sys -- (iAimTV1)
DRV - [2008/04/13 22:04:28 | 000,161,020 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\i81xnt5.sys -- (i81x)
DRV - [2008/04/13 22:04:28 | 000,012,415 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wadv01nt.sys -- (iAimFP0)
DRV - [2008/04/13 22:04:28 | 000,012,127 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wadv02nt.sys -- (iAimFP1)
DRV - [2008/04/13 22:04:28 | 000,011,775 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wadv05nt.sys -- (iAimFP2)
DRV - [2005/04/07 17:18:34 | 000,003,840 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\BANTExt.sys -- (BANTExt)
DRV - [2005/04/05 11:17:02 | 000,267,192 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS -- (SYMTDI)
DRV - [2005/04/05 11:17:00 | 000,017,976 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV)
DRV - [2005/04/01 20:36:04 | 000,123,200 | ---- | M] (Symantec Corporation) [Kernel | Disabled | Running] -- C:\Program Files\Symantec\SYMEVENT.SYS -- (SymEvent)
DRV - [2005/03/30 21:48:20 | 000,372,832 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)
DRV - [2005/02/04 20:14:32 | 000,053,896 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Symantec AntiVirus\Savrtpel.sys -- (SAVRTPEL)
DRV - [2005/02/04 20:14:30 | 000,324,232 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Symantec AntiVirus\savrt.sys -- (SAVRT)
DRV - [2003/02/17 08:22:24 | 000,170,880 | R--- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2003/02/05 16:22:32 | 000,050,816 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\baspxp32.sys -- (Blfp)
DRV - [2002/04/04 02:32:06 | 000,028,416 | R--- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\symmpi.sys -- (Symmpi)
DRV - [1999/10/30 00:35:08 | 000,024,348 | R--- | M] (Compaq Computer Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\EAWDMFD.sys -- (EAWDMFD)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-969125504-3549729543-1025539173-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.compaq.com/1Q00CDT/0409/bl7.asp
IE - HKU\S-1-5-21-969125504-3549729543-1025539173-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========


FF - HKLM\software\mozilla\Firefox\Extensions\\{E8E96117-C8B5-4D0B-900D-6A330D4461B3}: C:\Documents and Settings\Administrator\Local Settings\Application Data\{E8E96117-C8B5-4D0B-900D-6A330D4461B3}\

[2011/03/28 16:11:48 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator.CHARLESXP\Application Data\Mozilla\Extensions
[2011/03/28 16:11:48 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator.CHARLESXP\Application Data\Mozilla\Firefox\Profiles\2ioepqiq.default\extensions
[2011/03/28 09:45:12 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2011/03/28 23:40:16 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Foxit Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
O3 - HKLM\..\Toolbar: (Foxit Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\STARTEAK.exe (Compaq Computer Corporation)
O4 - HKLM..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe (adi)
O4 - HKLM..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe (Hewlett-Packard Company)
O4 - HKLM..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [srmclean] C:\cpqs\scom\srmclean.exe ()
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [vptray] C:\Program Files\Symantec AntiVirus\VPTray.exe (Symantec Corporation)
O4 - HKLM..\Run: [WinVNC] C:\Program Files\RealVNC\WinVNC.EXE (RealVNC Ltd.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe (Intuit Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoWelcomeScreen = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-969125504-3549729543-1025539173-500\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-969125504-3549729543-1025539173-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-969125504-3549729543-1025539173-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-969125504-3549729543-1025539173-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll (Sun Microsystems, Inc.)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://active.macromedia.com/director/cabs/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB (Reg Error: Key error.)
O16 - DPF: {33564D57-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38050.414375 (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0014-0002-0001-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab (Java Plug-in 1.4.2_01)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.13 192.168.1.7
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = horizontitle.local
O18 - Protocol\Handler\belarc {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\System32\NavLogon.dll - C:\WINDOWS\system32\NavLogon.dll (Symantec Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/04/07 15:45:43 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2011/04/07 10:17:05 | 000,000,000 | ---D | C] -- C:\~ErdUserProfile.$$$
[2011/03/31 16:56:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.CHARLESXP\Local Settings\Application Data\Adobe
[2011/03/31 16:56:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.CHARLESXP\Application Data\Adobe
[2011/03/31 15:47:48 | 000,030,136 | ---- | C] (Resplendence Software Projects Sp.) -- C:\WINDOWS\System32\drivers\rspSanity32.sys
[2011/03/31 15:47:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\SanityCheck
[2011/03/31 15:47:47 | 000,000,000 | ---D | C] -- C:\Program Files\SanityCheck
[2011/03/31 14:39:01 | 000,000,000 | ---D | C] -- C:\Work
[2011/03/28 23:04:24 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Administrator.CHARLESXP\IETldCache
[2011/03/28 16:20:15 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2011/03/28 16:13:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.CHARLESXP\My Documents\Downloads
[2011/03/28 16:11:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.CHARLESXP\Local Settings\Application Data\Mozilla
[2011/03/28 16:11:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.CHARLESXP\Application Data\Mozilla
[2011/03/28 15:25:51 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/03/28 15:25:51 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/03/28 15:25:50 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/03/28 15:25:50 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/03/28 15:25:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Trend Micro
[2011/03/28 15:22:50 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2011/03/28 15:22:20 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/03/28 15:12:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.CHARLESXP\Desktop\TMRBLog
[2011/03/28 15:12:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.CHARLESXP\Desktop\log
[2011/03/28 15:06:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.CHARLESXP\log
[2011/03/28 15:05:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\WinPcap
[2011/03/28 15:03:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Trend Micro RUBotted
[2011/03/28 12:47:15 | 000,000,000 | ---D | C] -- C:\VundoFix Backups
[2011/03/28 12:38:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\HijackThis
[2011/03/28 11:36:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.CHARLESXP\My Documents\Anti-Malware
[2011/03/28 11:32:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.CHARLESXP\Application Data\.clamwin
[2011/03/28 10:00:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\ClamWin Antivirus
[2011/03/28 10:00:28 | 000,000,000 | ---D | C] -- C:\Program Files\ClamWin
[2011/03/28 10:00:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\.clamwin
[2011/03/28 09:53:24 | 000,000,000 | ---D | C] -- C:\Downloads
[2011/03/28 09:45:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox
[2011/03/28 09:45:10 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2011/03/24 15:38:08 | 000,000,000 | -H-D | C] -- C:\WINDOWS\System32\GroupPolicy
[2011/03/24 10:35:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\PCHealth
[2011/03/23 14:06:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/04/07 15:35:06 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/04/07 15:34:44 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/04/07 15:01:02 | 000,000,238 | ---- | M] () -- C:\WINDOWS\tasks\Scheduled Update for Ask Toolbar.job
[2011/04/07 12:58:32 | 004,315,750 | R--- | M] () -- C:\Documents and Settings\Administrator.CHARLESXP\Desktop\ComboFix.exe
[2011/03/28 23:40:16 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/03/28 16:20:52 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2011/03/28 15:06:56 | 000,190,032 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2011/03/28 15:05:22 | 000,000,073 | ---- | M] () -- C:\WINDOWS\System32\-1
[2011/03/28 12:38:16 | 000,001,744 | ---- | M] () -- C:\Documents and Settings\Administrator.CHARLESXP\Desktop\HijackThis.lnk
[2011/03/28 11:32:25 | 000,000,825 | ---- | M] () -- C:\Documents and Settings\Administrator.CHARLESXP\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2011/03/28 09:45:22 | 000,001,612 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2011/03/28 09:41:33 | 000,016,968 | ---- | M] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2011/03/24 15:40:57 | 000,001,945 | ---- | M] () -- C:\WINDOWS\epplauncher.mif
[2011/03/21 18:48:56 | 000,002,723 | ---- | M] () -- C:\WINDOWS\dsi.ini
[2011/03/17 11:41:50 | 000,316,180 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/03/17 11:41:50 | 000,041,712 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/03/17 11:33:15 | 000,176,264 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/03/17 11:31:12 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/04/07 12:58:29 | 004,315,750 | R--- | C] () -- C:\Documents and Settings\Administrator.CHARLESXP\Desktop\ComboFix.exe
[2011/03/28 16:20:51 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2011/03/28 15:32:50 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2011/03/28 15:25:51 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/03/28 15:25:51 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/03/28 15:25:51 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/03/28 15:25:51 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/03/28 15:25:51 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/03/28 15:05:21 | 000,000,073 | ---- | C] () -- C:\WINDOWS\System32\-1
[2011/03/28 12:38:16 | 000,001,744 | ---- | C] () -- C:\Documents and Settings\Administrator.CHARLESXP\Desktop\HijackThis.lnk
[2011/03/28 09:45:22 | 000,001,612 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2011/03/24 10:06:10 | 000,001,945 | ---- | C] () -- C:\WINDOWS\epplauncher.mif
[2011/03/23 14:07:33 | 000,016,968 | ---- | C] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2010/12/20 19:38:22 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Qfinohuyaga.dat
[2010/10/06 17:20:00 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Textart.INI
[2009/03/26 12:15:09 | 000,003,840 | ---- | C] () -- C:\WINDOWS\System32\drivers\BANTExt.sys
[2008/10/10 13:06:28 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2008/09/02 15:02:51 | 000,002,162 | ---- | C] () -- C:\WINDOWS\System32\tmmute.ini
[2007/01/03 19:08:00 | 000,000,000 | ---- | C] () -- C:\WINDOWS\VPC32.INI
[2006/12/31 07:57:08 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/03/29 10:10:57 | 000,000,345 | ---- | C] () -- C:\WINDOWS\hpbafd.ini
[2004/03/26 14:02:07 | 000,000,064 | ---- | C] () -- C:\WINDOWS\qwimp.ini
[2004/03/26 13:17:53 | 000,019,968 | ---- | C] () -- C:\WINDOWS\System32\encodr32.dll
[2004/03/25 11:04:02 | 000,002,723 | ---- | C] () -- C:\WINDOWS\dsi.ini
[2004/03/24 14:05:30 | 000,001,220 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2004/03/05 13:52:14 | 000,061,440 | ---- | C] () -- C:\WINDOWS\othread2.dll
[2004/02/21 06:42:52 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2004/02/21 06:39:00 | 000,036,864 | ---- | C] () -- C:\WINDOWS\Reboot.exe
[2004/02/21 06:39:00 | 000,000,470 | ---- | C] () -- C:\WINDOWS\ikey.ini
[2004/02/21 06:38:58 | 000,040,960 | R--- | C] () -- C:\WINDOWS\LoadDll.dll
[2004/02/21 06:37:44 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2004/02/21 06:35:10 | 000,000,791 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/02/21 06:34:59 | 000,001,056 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2004/02/21 06:33:58 | 000,005,025 | ---- | C] () -- C:\WINDOWS\System32\patterns.dat
[2004/02/21 06:33:43 | 000,000,044 | ---- | C] () -- C:\WINDOWS\System32\msssc.dll
[2004/02/21 06:32:51 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2003/05/19 09:32:34 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2003/05/19 09:27:40 | 000,176,264 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2003/05/19 09:21:46 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2003/05/19 09:17:58 | 000,316,180 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2003/05/19 09:17:58 | 000,041,712 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2003/05/19 09:17:04 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2003/03/30 22:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2003/03/30 22:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2003/03/30 22:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2003/03/30 22:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2003/03/30 22:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2003/03/30 22:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2003/03/30 22:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2003/02/07 21:31:48 | 000,000,260 | ---- | C] () -- C:\WINDOWS\System32\BDEMERGE.INI
[2003/01/07 19:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/05/28 04:55:42 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2002/05/28 04:54:40 | 000,004,605 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2001/08/10 20:37:54 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini

========== LOP Check ==========

[2010/05/14 11:16:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Foxit
[2010/06/08 12:06:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Foxit Software
[2008/09/02 15:01:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Grisoft
[2011/03/23 14:06:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
[2004/06/28 11:00:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MSScanAppDataDir
[2011/04/07 15:01:02 | 000,000,238 | ---- | M] () -- C:\WINDOWS\Tasks\Scheduled Update for Ask Toolbar.job

========== Purity Check ==========



< End of report >


EXTRAS log.

OTL Extras logfile created on: 4/7/2011 3:47:35 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Administrator.CHARLESXP\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 66.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 92.00% Paging File free
Paging file location(s): C:\pagefile.sys 700 1500 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.26 Gb Total Space | 27.72 Gb Free Space | 74.41% Space Free | Partition Type: NTFS

Computer Name: CHARLESXP | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

[HKEY_USERS\S-1-5-21-969125504-3549729543-1025539173-500\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications]
"Enabled" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications\List]
"%ProgramFiles%\Microsoft ActiveSync\CeAppMgr.exe:LocalSubnet:Enabled:ActiveSync Application Manager" = %ProgramFiles%\Microsoft ActiveSync\CeAppMgr.exe:LocalSubnet:Enabled:ActiveSync Application Manager
"%ProgramFiles%\Microsoft ActiveSync\WCESMgr.exe:LocalSubnet:Enabled:ActiveSync Application" = %ProgramFiles%\Microsoft ActiveSync\WCESMgr.exe:LocalSubnet:Enabled:ActiveSync Application
"%ProgramFiles%\Microsoft ActiveSync\WCESComm.exe:LocalSubnet:Enabled:ActiveSync Connection Manager" = %ProgramFiles%\Microsoft ActiveSync\WCESComm.exe:LocalSubnet:Enabled:ActiveSync Connection Manager

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts]
"Enabled" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts\List]
"135:TCP:*:Enabled:Offer Remote Assistance - Port" = 135:TCP:*:Enabled:Offer Remote Assistance - Port

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{23E5032B-56CA-4C19-A72E-B50161DB82CA}" = Shadow Copy Client
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{54DE0B75-6CD9-44C4-B10A-1F25DA9899D8}" = Quicken 2004
"{54F90B55-BEB3-4F0D-8802-228822FA5921}" = WordPerfect Productivity Pack
"{5A633ED0-E5D7-4D65-AB8D-53ED43510284}" = Symantec AntiVirus
"{6817B93A-8497-11D4-AA25-00104B66574A}" = Displaysoft Main Install
"{7148F0A8-6813-11D6-A77B-00B0D0142010}" = Java 2 Runtime Environment, SE v1.4.2_01
"{750DFF5E-C559-11D4-A441-00B0D0436EE7}" = Broadcom Management Programs
"{86D4B82A-ABED-442A-BE86-96357B70F4FE}" = Ask Toolbar
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Extreme Graphics 2 Driver
"{91130409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Basic Edition 2003
"{93539D60-1817-11D1-9504-00805F26A89C}" = Easy Access Button Support
"{AC76BA86-7AD7-1033-7B44-A70000000000}" = Adobe Reader 7.0
"{E031338C-839D-4EDD-9537-99B653C39D81}" = Autodesk MapGuide® Viewer ActiveX Control Release 6.5
"{EECDDEA0-DB76-4488-8E52-0EF1DF63700A}" = Microsoft IntelliPoint 5.4
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Belarc Advisor 2.0" = Belarc Advisor 7.0
"Foxit Reader" = Foxit Reader
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"Image Web Server IE Plugin" = Image Web Server IE Plugins 2,0,0,104
"InstallShield_{54DE0B75-6CD9-44C4-B10A-1F25DA9899D8}" = Quicken 2004
"LiveUpdate" = LiveUpdate 2.6 (Symantec Corporation)
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"SanityCheck_is1" = SanityCheck 1.02
"Software Setup" = Software Setup
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Windows XP Service Pack" = Windows XP Service Pack 3

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 4/7/2011 10:40:20 AM | Computer Name = CHARLESXP | Source = Userenv | ID = 1054
Description = Windows cannot obtain the domain controller name for your computer
network. (The specified domain either does not exist or could not be contacted.
). Group Policy processing aborted.

Error - 4/7/2011 10:40:21 AM | Computer Name = CHARLESXP | Source = AutoEnrollment | ID = 15
Description = Automatic certificate enrollment for local system failed to contact
the active directory (0x8007054b). The specified domain either does not exist
or could not be contacted. Enrollment will not be performed.

Error - 4/7/2011 12:55:26 PM | Computer Name = CHARLESXP | Source = Userenv | ID = 1054
Description = Windows cannot obtain the domain controller name for your computer
network. (The specified domain either does not exist or could not be contacted.
). Group Policy processing aborted.

Error - 4/7/2011 12:55:27 PM | Computer Name = CHARLESXP | Source = AutoEnrollment | ID = 15
Description = Automatic certificate enrollment for local system failed to contact
the active directory (0x8007054b). The specified domain either does not exist
or could not be contacted. Enrollment will not be performed.

Error - 4/7/2011 1:13:14 PM | Computer Name = CHARLESXP | Source = Userenv | ID = 1054
Description = Windows cannot obtain the domain controller name for your computer
network. (The specified domain either does not exist or could not be contacted.
). Group Policy processing aborted.

Error - 4/7/2011 1:13:15 PM | Computer Name = CHARLESXP | Source = AutoEnrollment | ID = 15
Description = Automatic certificate enrollment for local system failed to contact
the active directory (0x8007054b). The specified domain either does not exist
or could not be contacted. Enrollment will not be performed.

Error - 4/7/2011 3:11:58 PM | Computer Name = CHARLESXP | Source = Userenv | ID = 1054
Description = Windows cannot obtain the domain controller name for your computer
network. (The specified domain either does not exist or could not be contacted.
). Group Policy processing aborted.

Error - 4/7/2011 3:11:58 PM | Computer Name = CHARLESXP | Source = AutoEnrollment | ID = 15
Description = Automatic certificate enrollment for local system failed to contact
the active directory (0x8007054b). The specified domain either does not exist
or could not be contacted. Enrollment will not be performed.

Error - 4/7/2011 3:34:58 PM | Computer Name = CHARLESXP | Source = Userenv | ID = 1054
Description = Windows cannot obtain the domain controller name for your computer
network. (The specified domain either does not exist or could not be contacted.
). Group Policy processing aborted.

Error - 4/7/2011 3:34:58 PM | Computer Name = CHARLESXP | Source = AutoEnrollment | ID = 15
Description = Automatic certificate enrollment for local system failed to contact
the active directory (0x8007054b). The specified domain either does not exist
or could not be contacted. Enrollment will not be performed.

[ System Events ]
Error - 4/7/2011 10:40:23 AM | Computer Name = CHARLESXP | Source = Service Control Manager | ID = 7000
Description = The mrtRate service failed to start due to the following error: %%2

Error - 4/7/2011 12:55:27 PM | Computer Name = CHARLESXP | Source = NETLOGON | ID = 5719
Description = No Domain Controller is available for domain horizontitle due to the
following: %%1311. Make sure that the computer is connected to the network and try
again.
If the problem persists, please contact your domain administrator.

Error - 4/7/2011 12:55:31 PM | Computer Name = CHARLESXP | Source = Service Control Manager | ID = 7000
Description = The mrtRate service failed to start due to the following error: %%2

Error - 4/7/2011 1:13:14 PM | Computer Name = CHARLESXP | Source = NETLOGON | ID = 5719
Description = No Domain Controller is available for domain horizontitle due to the
following: %%1311. Make sure that the computer is connected to the network and try
again.
If the problem persists, please contact your domain administrator.

Error - 4/7/2011 1:13:19 PM | Computer Name = CHARLESXP | Source = Service Control Manager | ID = 7000
Description = The mrtRate service failed to start due to the following error: %%2

Error - 4/7/2011 1:23:08 PM | Computer Name = CHARLESXP | Source = PlugPlayManager | ID = 11
Description = The device Root\LEGACY_ROOTREPEAL\0000 disappeared from the system
without first being prepared for removal.

Error - 4/7/2011 3:11:57 PM | Computer Name = CHARLESXP | Source = NETLOGON | ID = 5719
Description = No Domain Controller is available for domain horizontitle due to the
following: %%1311. Make sure that the computer is connected to the network and try
again.
If the problem persists, please contact your domain administrator.

Error - 4/7/2011 3:12:01 PM | Computer Name = CHARLESXP | Source = Service Control Manager | ID = 7000
Description = The mrtRate service failed to start due to the following error: %%2

Error - 4/7/2011 3:34:58 PM | Computer Name = CHARLESXP | Source = NETLOGON | ID = 5719
Description = No Domain Controller is available for domain horizontitle due to the
following: %%1311. Make sure that the computer is connected to the network and try
again.
If the problem persists, please contact your domain administrator.

Error - 4/7/2011 3:35:04 PM | Computer Name = CHARLESXP | Source = Service Control Manager | ID = 7000
Description = The mrtRate service failed to start due to the following error: %%2


< End of report >

#10 Elise
    Bleepin' Blonde
  • Malware Study Hall Admin
  • 61,205 posts
  • Location:Romania

Posted 07 April 2011 - 03:47 PM

Can you please rerun combofix now? I want to confirm that the loading points for the dll file are gone (they still showed up in the last log).

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft


#11 Viral_Frustration
  • Topic Starter
  • Members
  • 6 posts

Posted 07 April 2011 - 04:30 PM

ComboFix log.

ComboFix 11-04-06.03 - Administrator 04/07/2011 17:19:07.4.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1271.934 [GMT -4:00]
Running from: c:\documents and settings\Administrator.CHARLESXP\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
.
((((((((((((((((((((((((( Files Created from 2011-03-07 to 2011-04-07 )))))))))))))))))))))))))))))))
.
.
2011-04-07 19:46 . 2009-03-21 14:06 265292 ----a-w- c:\windows\system32\t5j.dll
2011-04-07 14:17 . 2011-04-07 14:17 -------- d-----w- C:\~ErdUserProfile.$$$
2011-03-31 20:56 . 2011-03-31 20:57 -------- d-----w- c:\documents and settings\Administrator.CHARLESXP\Local Settings\Application Data\Adobe
2011-03-31 19:47 . 2009-03-08 01:23 30136 ----a-w- c:\windows\system32\drivers\rspSanity32.sys
2011-03-31 19:47 . 2011-03-31 19:47 -------- d-----w- c:\program files\SanityCheck
2011-03-31 19:38 . 2008-04-13 23:00 110080 ----a-w- c:\windows\system32\imm32.dll
2011-03-31 19:38 . 2008-04-13 23:00 110080 ----a-w- c:\windows\system32\dllcache\imm32.dll
2011-03-31 18:39 . 2009-08-06 23:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2011-03-31 18:39 . 2009-08-06 23:23 215920 ----a-w- c:\windows\system32\muweb.dll
2011-03-31 18:39 . 2011-04-07 16:51 -------- d-----w- C:\Work
2011-03-29 03:04 . 2011-03-29 03:04 -------- d-sh--w- c:\documents and settings\Administrator.CHARLESXP\IETldCache
2011-03-28 20:11 . 2011-03-28 20:11 -------- d-----w- c:\documents and settings\Administrator.CHARLESXP\Local Settings\Application Data\Mozilla
2011-03-28 19:25 . 2011-03-28 19:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Trend Micro
2011-03-28 19:18 . 2008-04-14 00:00 63744 ----a-w- c:\windows\system32\drivers\cdfs.sys
2011-03-28 19:06 . 2011-03-28 19:06 -------- d-----w- c:\documents and settings\Administrator.CHARLESXP\log
2011-03-28 16:47 . 2011-03-28 16:47 -------- d-----w- C:\VundoFix Backups
2011-03-28 15:32 . 2011-03-28 15:32 -------- d-----w- c:\documents and settings\Administrator.CHARLESXP\Application Data\.clamwin
2011-03-28 14:00 . 2011-03-28 14:01 -------- d-----w- c:\documents and settings\Administrator\Application Data\.clamwin
2011-03-28 14:00 . 2011-03-28 14:00 -------- d-----w- c:\program files\ClamWin
2011-03-28 14:00 . 2011-03-28 14:00 -------- d-----w- c:\documents and settings\All Users\.clamwin
2011-03-28 13:53 . 2011-03-28 13:53 -------- d-----w- C:\Downloads
2011-03-24 19:38 . 2011-03-24 19:38 -------- d--h--w- c:\windows\system32\GroupPolicy
2011-03-24 14:35 . 2011-03-24 14:35 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\PCHealth
2011-03-24 14:08 . 2010-10-19 20:51 222080 ----a-w- c:\windows\system32\MpSigStub.exe
2011-03-23 18:07 . 2011-03-28 13:41 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-03-23 18:06 . 2011-03-23 18:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-28 19:06 . 2008-09-02 19:02 190032 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-02-09 13:53 . 2003-03-31 02:00 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2003-03-31 02:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58 . 2003-03-31 02:00 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2003-03-31 02:00 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2003-03-31 02:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-03-29_03.40.23 )))))))))))))))))))))))))))))))))))))))))
.
+ 2003-03-31 02:00 . 2008-04-14 09:42 18944 c:\windows\system32\version.dll
- 2003-03-31 02:00 . 2011-03-24 19:41 18944 c:\windows\system32\version.dll
+ 2003-03-31 02:00 . 2008-04-14 09:42 18944 c:\windows\system32\dllcache\version.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-02-04 20:50 1197448 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-10-02 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-10-02 118784]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 143360]
"DrvLsnr"="c:\program files\Analog Devices\SoundMAX\DrvLsnr.exe" [2003-05-08 69632]
"srmclean"="c:\cpqs\Scom\srmclean.exe" [2001-07-24 36864]
"SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 525824]
"CPQEASYACC"="c:\program files\COMPAQ\Easy Access Button Support\StartEAK.exe" [2001-12-14 32768]
"WinVNC"="c:\program files\RealVNC\WinVNC.EXE" [2003-03-05 335872]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2005-06-10 217088]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 48752]
"vptray"="c:\progra~1\SYMANT~2\VPTray.exe" [2005-04-17 85184]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Quicken Scheduled Updates.lnk - c:\program files\Quicken\bagent.exe [2003-7-29 57344]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [4/17/2005 12:30 PM 124608]
S2 mrtRate;mrtRate; [x]
S3 rspSanity;rspSanity;c:\windows\system32\drivers\rspSanity32.sys [3/31/2011 3:47 PM 30136]
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-07 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-02-04 20:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://go.compaq.com/1Q00CDT/0409/bl7.asp
mSearch Bar = hxxp://go.compaq.com/1Q00CDT/0409/bl8.asp
uInternet Connection Wizard,ShellNext = hxxp://www.superantispyware.com/uninstallsurvey.html?trial=no&installdate=2009-05-14&installtime=20:22&faultcount=1&version=4,%2025,%200,%201014
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-07 17:26
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-969125504-3549729543-1025539173-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BBD4551A-9B23-41CD-9BCD-818AA2DA7B63}\iexplore]
@DACL=(02 0000)
"Type"=dword:00000003
"Count"=dword:00000004
"Time"=hex:d9,07,05,00,05,00,0f,00,10,00,08,00,04,00,00,00
.
Completion time: 2011-04-07 17:28:15
ComboFix-quarantined-files.txt 2011-04-07 21:28
ComboFix2.txt 2011-03-29 03:42
ComboFix3.txt 2011-03-29 01:27
.
Pre-Run: 29,745,823,744 bytes free
Post-Run: 29,729,230,848 bytes free
.
- - End Of File - - 02FA1E5C8226796273C49D76D0C24468
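Elise's question in #10, whether any loading point for t5j.dll is left, is answered by two sections of the log above: "Files Created" still lists the DLL (265292 bytes, created on the volume on 2011-04-07 but carrying a last-write time of 2009-03-21, which is what a file copied into place looks like), while nothing between the "Reg Loading Points" header and the row of asterisks names it. The Python below, added here as an example and not ComboFix's or the forum's own code, parses those two sections from a constructed excerpt of the posted log. The section titles, the "." spacer lines, the two-timestamp file lines and the `[x]` marker on a service whose binary is missing are copied from the log; the regular expressions, the function names and the rule that a row of asterisks ends the loading-point section are my own assumptions and may not cover every ComboFix section.

```python
# Added example for this thread, not ComboFix's own code. Section names and line
# layouts are the ones visible in the log posted above; the parsing rules are
# assumptions that fit that sample and may not cover every ComboFix section.
import re
from collections import namedtuple

# Constructed excerpt: lines copied from the log above, trimmed so the example
# runs offline. Raw string, so the backslashes are literal.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2011-03-07 to 2011-04-07 )))))))))))))))))))))))))))))))
.
2011-04-07 19:46 . 2009-03-21 14:06 265292 ----a-w- c:\windows\system32\t5j.dll
2011-04-07 14:17 . 2011-04-07 14:17 -------- d-----w- C:\~ErdUserProfile.$$$
2011-03-31 19:47 . 2009-03-08 01:23 30136 ----a-w- c:\windows\system32\drivers\rspSanity32.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-02-04 20:50 1197448 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"WinVNC"="c:\program files\RealVNC\WinVNC.EXE" [2003-03-05 335872]
.
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [4/17/2005 12:30 PM 124608]
S2 mrtRate;mrtRate; [x]
.
2011-04-07 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-02-04 20:50]
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
"""

HEADER_RE = re.compile(r"^\(+\s*(.+?)\s*\)+\s*$")   # ((( Section title )))
RULE_RE = re.compile(r"^\*{10,}\s*$")               # row of asterisks: loading points end here
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
                     r"(\d+|-{8}) ([-a-z]{8}) (.+)$")
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.*)$")  # R2 name;display;image [stamp size]

# created: first stamp, when the file appeared on this volume; modified: second stamp,
# the last-write time the file carries; size: -1 where ComboFix prints dashes (directories).
FileEntry = namedtuple("FileEntry", "created modified size attrs path")


def split_sections(text):
    """Map each '((( title )))' header to the non-blank lines under it."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == ".":         # '.' is ComboFix's spacer line
            continue
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif RULE_RE.match(line):
            current = None                  # catchme output below is not a loading point
        elif current is not None:
            sections[current].append(line)
    return sections


def section(sections, prefix):
    """First section whose title starts with prefix, e.g. 'Files Created'."""
    return next((v for k, v in sections.items() if k.startswith(prefix)), [])


def file_entries(lines):
    out = []
    for line in lines:
        m = FILE_RE.match(line)
        if m:
            size = -1 if m.group(3).startswith("-") else int(m.group(3))
            out.append(FileEntry(m.group(1), m.group(2), size, m.group(4), m.group(5)))
    return out


def find_references(lines, filename):
    """Loading-point lines naming the file; case-insensitive, as NTFS paths are."""
    needle = filename.lower()
    return [ln for ln in lines if needle in ln.lower()]


def orphaned_services(lines):
    """Services ComboFix marks [x]: still registered, but the image file is gone.
    They surface in the System log as SCM event 7000 with error %%2, which is
    ERROR_FILE_NOT_FOUND, exactly as mrtRate does above."""
    return [m.group(2) for m in map(SERVICE_RE.match, lines)
            if m and m.group(4).strip() == "[x]"]


if __name__ == "__main__":
    parts = split_sections(SAMPLE_LOG)
    loading = section(parts, "Reg Loading Points")
    for e in file_entries(section(parts, "Files Created")):
        print(f"{e.created}  modified {e.modified}  {e.size:>7}  {e.path}")
    print("t5j.dll loading points:", find_references(loading, "t5j.dll") or "none")
    print("orphaned services:", orphaned_services(loading))
```

To run it against a real ComboFix.txt, read the file into `split_sections` in place of `SAMPLE_LOG`. Two caveats: a last-write time older than the creation time is normal for anything an installer copied in, so it only becomes interesting together with the other evidence on the file; and `find_references` only sees what ComboFix chose to print (its note says legitimate default entries are hidden), so an empty result means no loading point in the sections shown, not a guarantee that none exists. The `orphaned_services` helper is there because the `S2 mrtRate;mrtRate; [x]` line explains the repeated Service Control Manager 7000 errors in the event-log dump above; once you have confirmed nothing legitimate owns such a service, `sc delete mrtRate` stops it from failing on every boot.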

#12 Elise
    Bleepin' Blonde
  • Malware Study Hall Admin
  • 61,205 posts
  • Location:Romania

Posted 08 April 2011 - 03:42 AM

Hi again, that's looking good now. :)

Your version of Adobe Reader is outdated. Older versions have known security vulnerabilities that can be exploited by malware. I recommend you visit Adobe's website and download the latest version (Adobe Reader X).


Important Note: Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.
Microsoft: 'Unprecedented Wave of Java Exploitation'
Drive-by Trojan preying on out-of-date Java installations
Ghosts of Java Haunt Users

Please follow these steps to remove older Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Platform, Standard Edition".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows" (32-bit) or "Windows x64" (64-bit).
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "I agree to the Java SE...License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Control Panel, double-click on Add/Remove Programs or Programs and Features in Vista/Windows 7 and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u24-windows-i586.exe to install the newest version.
  • If using Windows 7 or Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
  • The McAfee Security Scan Plus tool is installed by default unless you uncheck the McAfee installation box when updating Java.
-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications but it's not necessary.
To disable the JQS service if you don't want to use it:
  • Go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter.
  • Click Ok and reboot your computer.



MALWAREBYTES ANTIMALWARE
-------------------------------------------
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

regards, Elise


#13 Elise
    Bleepin' Blonde
  • Malware Study Hall Admin
  • 61,205 posts
  • Location:Romania

Posted 21 April 2011 - 01:17 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

regards, Elise
