
Infected- Internet Security 2011, Google redirect, background audio, script errors


  • This topic is locked
29 replies to this topic

#1 ej3000

ej3000

  • Members
  • 19 posts
  • OFFLINE
  • Local time:05:27 PM

Posted 23 April 2011 - 12:55 PM

Okay- Here are the symptoms:
Windows Recovery Software/Internet Security 2011 antivirus pop-ups. Background audio ads, search engine redirect from Google and script errors listing random websites.

I ran Malwarebytes twice today. The first scan netted 15 files, but the second was clean and the problem remains. Although, I don't seem to be getting the Internet Security 2011 pop-up any more.

I ran DDS and only the DDS.txt file was produced. Attach.txt did not pop up.

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Eric at 13:15:48.30 on Sat 04/23/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3318.2410 [GMT -4:00]
.
.
============== Running Processes ===============
.
I:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
I:\Program Files\Windows Defender\MsMpEng.exe
I:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
I:\WINDOWS\system32\spoolsv.exe
I:\WINDOWS\Explorer.EXE
svchost.exe
I:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
I:\Program Files\Bonjour\mDNSResponder.exe
I:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
I:\WINDOWS\eHome\ehRecvr.exe
I:\WINDOWS\eHome\ehSched.exe
I:\Program Files\Flip Video\FlipShare\FlipShareService.exe
I:\Program Files\Java\jre6\bin\jqs.exe
I:\WINDOWS\system32\lxcycoms.exe
svchost.exe
I:\WINDOWS\system32\svchost.exe -k imgsvc
I:\WINDOWS\system32\dllhost.exe
I:\WINDOWS\ehome\ehtray.exe
I:\WINDOWS\eHome\ehmsas.exe
I:\Program Files\Dell\Media Experience\DMXLauncher.exe
I:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
I:\WINDOWS\stsystra.exe
I:\WINDOWS\system32\igfxpers.exe
I:\Program Files\Lexmark 3400 Series\lxcymon.exe
I:\Program Files\Common Files\Real\Update_OB\realsched.exe
I:\Program Files\iTunes\iTunesHelper.exe
I:\Program Files\DivX\DivX Update\DivXUpdate.exe
I:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
I:\Program Files\Common Files\Java\Java Update\jusched.exe
I:\WINDOWS\system32\ctfmon.exe
I:\Program Files\SMC\SMCWUSB-G 802.11g Wireless USB 2.0 Adapter\SMCWGUTI.exe
I:\Program Files\iPod\bin\iPodService.exe
I:\WINDOWS\System32\vssvc.exe
I:\WINDOWS\system32\dllhost.exe
I:\32788R22FWJFW\iexplore.exe
I:\32788R22FWJFW\iexplore.exe
I:\32788R22FWJFW\iexplore.exe
I:\32788R22FWJFW\iexplore.exe
I:\32788R22FWJFW\FireFox.exe
I:\32788R22FWJFW\FireFox.exe
I:\ComboFix\rmbr.cfxxe
I:\Program Files\Internet Explorer\iexplore.exe
I:\Program Files\Internet Explorer\iexplore.exe
I:\Documents and Settings\Eric\Local Settings\temp\13.tmp\MBR.DAT
I:\Documents and Settings\Eric\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.cnn.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - i:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - i:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - i:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - i:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] i:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "i:\program files\messenger\msmsgs.exe" /background
mRun: [ehTray] i:\windows\ehome\ehtray.exe
mRun: [DMXLauncher] i:\program files\dell\media experience\DMXLauncher.exe
mRun: [PDVDDXSrv] "i:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [IgfxTray] i:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] i:\windows\system32\hkcmd.exe
mRun: [Persistence] i:\windows\system32\igfxpers.exe
mRun: [lxcymon.exe] "i:\program files\lexmark 3400 series\lxcymon.exe"
mRun: [EzPrint] "i:\program files\lexmark 3400 series\ezprint.exe"
mRun: [FaxCenterServer] "i:\program files\lexmark fax solutions\fm3032.exe" /s
mRun: [LXCYCATS] rundll32 i:\windows\system32\spool\drivers\w32x86\3\LXCYtime.dll,_RunDLLEntry@16
mRun: [TkBellExe] "i:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "i:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "i:\program files\itunes\iTunesHelper.exe"
mRun: [DivXUpdate] "i:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [Adobe Reader Speed Launcher] "i:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "i:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Carbonite Backup] i:\program files\carbonite\carbonite backup\CarboniteUI.exe
mRun: [SunJavaUpdateSched] "i:\program files\common files\java\java update\jusched.exe"
StartupFolder: i:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - i:\program files\microsoft office\office10\OSA.EXE
StartupFolder: i:\docume~1\alluse~1\startm~1\programs\startup\smcwus~1.lnk - i:\program files\smc\smcwusb-g 802.11g wireless usb 2.0 adapter\SMCWGUTI.exe
IE: Add to Google Photos Screensa&ver - i:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - i:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - i:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - i:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - i:\progra~1\wifd1f~1\MpShHook.dll
.
============= SERVICES / DRIVERS ===============
.
R2 lxcy_device;lxcy_device;i:\windows\system32\lxcycoms.exe -service --> i:\windows\system32\lxcycoms.exe -service [?]
R2 McrdSvc;Media Center Extender Service;i:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 WinDefend;Windows Defender;i:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 ZD1211BU(Atheros);Atheros ZD1211B IEEE 802.11 Wireless LAN Driver (USB)(Atheros);i:\windows\system32\drivers\ZD1211BU.sys [2005-8-17 722432]
.
=============== Created Last 30 ================
.
2011-04-23 16:31:54 -------- d-s---w- I:\ComboFix
2011-04-23 16:31:00 -------- d-----w- i:\program files\Frontline Registry Cleaner
2011-04-22 01:32:46 -------- d-sha-r- I:\cmdcons
2011-04-22 01:21:38 73728 ----a-w- i:\windows\system32\javacpl.cpl
2011-04-22 00:39:06 -------- d-----w- i:\windows\system32\NtmsData
2011-04-21 23:00:35 6792528 ----a-w- i:\docume~1\alluse~1\applic~1\microsoft\windows defender\definition updates\{6b5947f8-1e48-4edf-abaa-10d26564ab5e}\mpengine.dll
2011-04-21 22:59:32 -------- d-----w- i:\windows\system32\wbem\repository\FS
2011-04-21 22:59:32 -------- d-----w- i:\windows\system32\wbem\Repository
2011-04-21 02:53:37 -------- d-----w- I:\ComboFix(2)
2011-04-21 00:11:24 98816 ----a-w- i:\windows\sed.exe
2011-04-21 00:11:24 89088 ----a-w- i:\windows\MBR.exe
2011-04-21 00:11:24 256512 ----a-w- i:\windows\PEV.exe
2011-04-21 00:11:24 161792 ----a-w- i:\windows\SWREG.exe
2011-04-14 07:39:02 103864 ----a-w- i:\program files\internet explorer\plugins\nppdf32.dll
2011-04-09 15:18:26 -------- d-----w- i:\docume~1\eric\applic~1\Malwarebytes
2011-04-09 15:18:21 38224 ----a-w- i:\windows\system32\drivers\mbamswissarmy.sys
2011-04-09 15:18:20 -------- d-----w- i:\docume~1\alluse~1\applic~1\Malwarebytes
2011-04-09 15:18:17 -------- d-----w- i:\program files\Malwarebytes' Anti-Malware
2011-04-08 00:23:00 -------- d-----w- i:\program files\DTCLookup
.
==================== Find3M ====================
.
2011-04-22 01:21:28 472808 ----a-w- i:\windows\system32\deployJava1.dll
2011-03-07 05:33:50 692736 ----a-w- i:\windows\system32\inetcomm.dll
2011-03-04 06:37:06 420864 ----a-w- i:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- i:\windows\system32\win32k.sys
2011-02-22 23:06:29 916480 ----a-w- i:\windows\system32\wininet.dll
2011-02-22 23:06:29 43520 ----a-w- i:\windows\system32\licmgr10.dll
2011-02-22 23:06:29 1469440 ----a-w- i:\windows\system32\inetcpl.cpl
2011-02-22 11:41:59 385024 ----a-w- i:\windows\system32\html.iec
2011-02-17 12:32:12 5120 ----a-w- i:\windows\system32\xpsp4res.dll
2011-02-15 12:56:39 290432 ----a-w- i:\windows\system32\atmfd.dll
2011-02-08 13:33:55 978944 ----a-w- i:\windows\system32\mfc42.dll
2011-02-08 13:33:55 974848 ----a-w- i:\windows\system32\mfc42u.dll
2011-02-04 22:48:32 456192 ----a-w- i:\windows\system32\encdec.dll
2011-02-04 22:48:30 291840 ----a-w- i:\windows\system32\sbe.dll
2011-02-02 22:11:20 222080 ------w- i:\windows\system32\MpSigStub.exe
2011-02-02 07:58:35 2067456 ----a-w- i:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- i:\windows\system32\mstsc.exe
.
============= FINISH: 13:16:09.44 ===============

GMER Log:

GMER 1.0.15.15570 - http://www.gmer.net
Rootkit scan 2011-04-23 15:46:50
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: I:\DOCUME~1\Eric\LOCALS~1\Temp\uwdyqfow.sys


---- Kernel code sections - GMER 1.0.15 ----

? indxhnit.sys The system cannot find the file specified. !
PAGE Ntfs.sys B9E42E01 4 Bytes JMP BA49157C \??\I:\DOCUME~1\Eric\LOCALS~1\Temp\catchme.sys
? I:\WINDOWS\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !
? I:\DOCUME~1\Eric\LOCALS~1\Temp\catchme.sys The system cannot find the file specified. !
? I:\DOCUME~1\Eric\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text I:\WINDOWS\Explorer.EXE[1836] WININET.dll!HttpAddRequestHeadersA 3D94CF4E 5 Bytes JMP 00BC18D5
.text I:\WINDOWS\Explorer.EXE[1836] WININET.dll!HttpAddRequestHeadersW 3D94FE49 5 Bytes JMP 00BC1A9D
.text I:\Program Files\Internet Explorer\iexplore.exe[2404] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154BD I:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text I:\Program Files\Internet Explorer\iexplore.exe[2404] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB5C I:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text I:\Program Files\Internet Explorer\iexplore.exe[2404] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5117 I:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text I:\Program Files\Internet Explorer\iexplore.exe[2404] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E5049 I:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text I:\Program Files\Internet Explorer\iexplore.exe[2404] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E50B4 I:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text I:\Program Files\Internet Explorer\iexplore.exe[2404] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4F1A I:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text I:\Program Files\Internet Explorer\iexplore.exe[2404] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4F7C I:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text I:\Program Files\Internet Explorer\iexplore.exe[2404] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E517A I:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text I:\Program Files\Internet Explorer\iexplore.exe[2404] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4FDE I:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text I:\Program Files\Internet Explorer\iexplore.exe[2404] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 00D7000A
.text I:\Program Files\Internet Explorer\iexplore.exe[2404] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 0058000A
.text I:\Program Files\Internet Explorer\iexplore.exe[2404] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 0057000A
.text I:\Program Files\Internet Explorer\iexplore.exe[2404] WS2_32.dll!send 71AB4C27 5 Bytes JMP 0059000A
.text I:\Program Files\Internet Explorer\iexplore.exe[2404] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 00D6000A
.text I:\Program Files\Internet Explorer\iexplore.exe[2404] WS2_32.dll!recv 71AB676F 5 Bytes JMP 0056000A
.text I:\Program Files\Internet Explorer\iexplore.exe[2740] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154BD I:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text I:\Program Files\Internet Explorer\iexplore.exe[2740] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9B01 I:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text I:\Program Files\Internet Explorer\iexplore.exe[2740] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD125 I:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text I:\Program Files\Internet Explorer\iexplore.exe[2740] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB5C I:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text I:\Program Files\Internet Explorer\iexplore.exe[2740] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E254664 I:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text I:\Program Files\Internet Explorer\iexplore.exe[2740] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5117 I:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text I:\Program Files\Internet Explorer\iexplore.exe[2740] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E5049 I:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text I:\Program Files\Internet Explorer\iexplore.exe[2740] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E50B4 I:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text I:\Program Files\Internet Explorer\iexplore.exe[2740] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4F1A I:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text I:\Program Files\Internet Explorer\iexplore.exe[2740] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4F7C I:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text I:\Program Files\Internet Explorer\iexplore.exe[2740] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E517A I:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text I:\Program Files\Internet Explorer\iexplore.exe[2740] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4FDE I:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text I:\Program Files\Internet Explorer\iexplore.exe[2740] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 3E2EDBB8 I:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text I:\Program Files\Internet Explorer\iexplore.exe[2740] ole32.dll!OleLoadFromStream 7752981B 5 Bytes JMP 3E3E547F I:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text I:\Program Files\Internet Explorer\iexplore.exe[2740] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 00D7000A
.text I:\Program Files\Internet Explorer\iexplore.exe[2740] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 0058000A
.text I:\Program Files\Internet Explorer\iexplore.exe[2740] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 0057000A
.text I:\Program Files\Internet Explorer\iexplore.exe[2740] WS2_32.dll!send 71AB4C27 5 Bytes JMP 0059000A
.text I:\Program Files\Internet Explorer\iexplore.exe[2740] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 00D6000A
.text I:\Program Files\Internet Explorer\iexplore.exe[2740] WS2_32.dll!recv 71AB676F 5 Bytes JMP 0056000A
.text I:\32788R22FWJFW\iexplore.exe[3776] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 00D7000A
.text I:\32788R22FWJFW\iexplore.exe[3776] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00D4000A
.text I:\32788R22FWJFW\iexplore.exe[3776] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 0051000A
.text I:\32788R22FWJFW\iexplore.exe[3776] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00D5000A
.text I:\32788R22FWJFW\iexplore.exe[3776] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 00D6000A
.text I:\32788R22FWJFW\iexplore.exe[3776] WS2_32.dll!recv 71AB676F 5 Bytes JMP 0050000A

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi \Device\Ide\IdePort0 8AF1E1ED
Device \Driver\atapi \Device\Ide\IdePort2 8AF1E1ED

---- Threads - GMER 1.0.15 ----

Thread System [4:128] 8AF22E7A
Thread System [4:132] 8AF25008
---- Processes - GMER 1.0.15 ----

Library I:\32788R22FWJFW\FireFox.exe (*** hidden *** ) @ I:\32788R22FWJFW\FireFox.exe [592] 0x00400000
Library I:\32788R22FWJFW\iexplore.exe (*** hidden *** ) @ I:\32788R22FWJFW\iexplore.exe [936] 0x00400000
Library I:\32788R22FWJFW\FireFox.exe (*** hidden *** ) @ I:\32788R22FWJFW\FireFox.exe [2904] 0x00400000
Library I:\32788R22FWJFW\iexplore.exe (*** hidden *** ) @ I:\32788R22FWJFW\iexplore.exe [3500] 0x00400000
Library I:\32788R22FWJFW\iexplore.exe (*** hidden *** ) @ I:\32788R22FWJFW\iexplore.exe [3776] 0x00400000
Library I:\32788R22FWJFW\iexplore.exe (*** hidden *** ) @ I:\32788R22FWJFW\iexplore.exe [3932] 0x00400000

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@RequireSignedAppInit_DLLs 1

---- Files - GMER 1.0.15 ----

File I:\Documents and Settings\Eric\Local Settings\Temporary Internet Files\Content.IE5\ZGSVYQKL\sendtracker[3].gif 43 bytes

---- EOF - GMER 1.0.15 ----

Merged posts. ~ OB

Edited by Orange Blossom, 27 April 2011 - 12:03 AM.
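As an added example (not from this thread, its author, or any of the tools quoted above): a small Python triage script for the "User code sections" part of a GMER log like the one posted. It separates inline hooks GMER could attribute to a loaded module (here IEFRAME.dll patching USER32 and ole32 inside Internet Explorer, which is normal) from hooks that jump into memory belonging to no known module, and reports which processes have the Winsock name-resolution and send/receive path rewritten, the pattern that matches the redirect symptom. The sample lines are copied from the GMER log above; the regex, the attributed/unattributed split and the `NETWORK_APIS` set are my assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Winsock exports whose hooking in a browser lines up with the "search redirect"
# symptom: name resolution and the send/recv path are rewritten before a
# request ever leaves the machine. (Assumed watch list, not from the page.)
NETWORK_APIS = {"getaddrinfo", "gethostbyname", "connect", "send", "recv", "closesocket"}

# One GMER "User code sections" line:
#   .text <process>[<pid>] <module>!<export> <addr> 5 Bytes JMP <target> [<owner path> (<vendor>)]
# The trailing owner/vendor part is only present when GMER could map the JMP
# target to a loaded module.
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<func>\S+)\s+"
    r"(?P<addr>[0-9A-F]{8})\s+\d+\s+Bytes\s+JMP\s+(?P<target>[0-9A-F]{8})"
    r"(?:\s+(?P<owner>\S.*?)\s+\((?P<vendor>[^)]*)\))?\s*$"
)

# Constructed sample: seven lines copied verbatim from the GMER log in this thread.
SAMPLE_GMER = r""".text I:\WINDOWS\Explorer.EXE[1836] WININET.dll!HttpAddRequestHeadersA 3D94CF4E 5 Bytes JMP 00BC18D5
.text I:\Program Files\Internet Explorer\iexplore.exe[2404] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154BD I:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text I:\Program Files\Internet Explorer\iexplore.exe[2404] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 00D7000A
.text I:\Program Files\Internet Explorer\iexplore.exe[2404] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 0057000A
.text I:\Program Files\Internet Explorer\iexplore.exe[2404] WS2_32.dll!send 71AB4C27 5 Bytes JMP 0059000A
.text I:\Program Files\Internet Explorer\iexplore.exe[2404] WS2_32.dll!recv 71AB676F 5 Bytes JMP 0056000A
.text I:\Program Files\Internet Explorer\iexplore.exe[2740] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 3E2EDBB8 I:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
"""


@dataclass
class Hook:
    process: str
    pid: int
    module: str          # DLL whose export was patched, e.g. WS2_32.dll
    func: str            # patched export, e.g. connect
    target: int          # where the 5-byte JMP lands
    owner: Optional[str]  # module GMER attributed the target to, or None


def parse_gmer_hooks(text: str) -> List[Hook]:
    """Parse every recognised '.text ... JMP ...' line; other lines are ignored."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            hooks.append(Hook(m["proc"], int(m["pid"]), m["module"], m["func"],
                              int(m["target"], 16), m["owner"]))
    return hooks


def unattributed(hooks: List[Hook]) -> List[Hook]:
    """Hooks whose JMP target GMER could not map to any loaded module."""
    return [h for h in hooks if h.owner is None]


def triage(text: str) -> Dict[str, object]:
    """Summarise a GMER user-code section for a first look at the log."""
    hooks = parse_gmer_hooks(text)
    bad = unattributed(hooks)
    by_pid = defaultdict(list)
    for h in bad:
        by_pid[h.pid].append(h)
    winsock_pids = {h.pid for h in bad
                    if h.module.upper() == "WS2_32.DLL" and h.func in NETWORK_APIS}
    return {
        "total": len(hooks),
        "attributed": len(hooks) - len(bad),
        "unattributed": len(bad),
        "pids_with_unattributed": sorted(by_pid),
        "pids_with_winsock_hooks": sorted(winsock_pids),
        # 4 KiB pages the unattributed hooks land in: each patched export in a
        # process jumping to its own small page is the typical trampoline layout.
        "pages": sorted({h.target & 0xFFFFF000 for h in bad}),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_GMER).items():
        print(f"{key}: {value}")
```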




#2 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:12:27 AM

Posted 01 May 2011 - 08:38 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine.
If you are unable to create a log because your computer cannot start up successfully, please provide detailed information about the Windows version you are using: what we in particular need to know is version, edition and if it is a 32bit or a 64bit system.
If you are unsure about any of these characteristics, just let us know and we'll help you figure it out. Please also tell us if you have your Windows CD/DVD handy.


Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • In the custom scan box paste the following:
    msconfig
    safebootminimal
    activex
    drivers32
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    explorer.exe
    winlogon.exe
    wininit.exe
    hlp.dat
    /md5stop
  • Push the scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

In the upper right hand corner of the topic you will see a button called Watch Topic. I suggest you click it and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#3 ej3000

ej3000
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:05:27 PM

Posted 01 May 2011 - 11:24 AM

Thanks for your help. I am still getting the redirects, but the pop up anti-virus thing hasn't come up in a week or so.

Logs are pasted below.

OTL logfile created on: 5/1/2011 12:19:32 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = I:\Documents and Settings\Eric\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 64.00% Memory free
5.00 Gb Paging File | 4.00 Gb Available in Paging File | 81.00% Paging File free
Paging file location(s): I:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = I: | %SystemRoot% = I:\WINDOWS | %ProgramFiles% = I:\Program Files
Drive G: | 47.91 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive I: | 298.08 Gb Total Space | 258.06 Gb Free Space | 86.57% Space Free | Partition Type: NTFS

Computer Name: HOMEPC2005 | User Name: Eric | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/05/01 12:18:48 | 000,580,608 | ---- | M] (OldTimer Tools) -- I:\Documents and Settings\Eric\Desktop\OTL.exe
PRC - [2011/03/03 20:52:00 | 003,410,576 | R--- | M] (Carbonite, Inc. (www.carbonite.com)) -- I:\Program Files\Carbonite\Carbonite Backup\CarboniteService.exe
PRC - [2011/03/03 20:52:00 | 000,948,880 | R--- | M] (Carbonite, Inc.) -- I:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
PRC - [2010/09/16 16:04:06 | 001,164,584 | ---- | M] () -- I:\Program Files\DivX\DivX Update\DivXUpdate.exe
PRC - [2010/04/01 21:49:46 | 000,202,256 | ---- | M] (RealNetworks, Inc.) -- I:\Program Files\Common Files\Real\Update_OB\realsched.exe
PRC - [2009/06/04 17:41:22 | 000,451,904 | ---- | M] () -- I:\Program Files\Flip Video\FlipShare\FlipShareService.exe
PRC - [2008/05/23 15:06:08 | 000,128,296 | ---- | M] (CyberLink Corp.) -- I:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- I:\WINDOWS\explorer.exe
PRC - [2006/11/29 12:57:20 | 000,537,520 | ---- | M] ( ) -- I:\WINDOWS\system32\lxcycoms.exe
PRC - [2006/11/29 12:57:10 | 000,082,864 | ---- | M] (Lexmark International Inc.) -- I:\Program Files\Lexmark 3400 Series\ezprint.exe
PRC - [2006/11/03 19:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) -- I:\Program Files\Windows Defender\MsMpEng.exe
PRC - [2005/11/01 04:12:00 | 000,094,208 | ---- | M] () -- I:\Program Files\Dell\Media Experience\DMXLauncher.exe
PRC - [2005/03/22 18:20:44 | 000,339,968 | ---- | M] (SigmaTel, Inc.) -- I:\WINDOWS\stsystra.exe


========== Modules (SafeList) ==========

MOD - [2011/05/01 12:18:48 | 000,580,608 | ---- | M] (OldTimer Tools) -- I:\Documents and Settings\Eric\Desktop\OTL.exe
MOD - [2010/08/23 12:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- I:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
MOD - [2010/04/01 21:50:15 | 000,040,960 | ---- | M] () -- I:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (wuauserv)
SRV - [2011/03/03 20:52:00 | 003,410,576 | R--- | M] (Carbonite, Inc. (www.carbonite.com)) [Auto | Running] -- I:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe -- (CarboniteService)
SRV - [2010/02/19 20:30:16 | 000,067,360 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- I:\Program Files\NOS\bin\getPlus_Helper.dll -- (getPlusHelper) getPlus®
SRV - [2009/06/04 17:41:22 | 000,451,904 | ---- | M] () [Auto | Running] -- I:\Program Files\Flip Video\FlipShare\FlipShareService.exe -- (FlipShare Service)
SRV - [2006/11/29 12:57:20 | 000,537,520 | ---- | M] ( ) [Auto | Running] -- I:\WINDOWS\System32\lxcycoms.exe -- (lxcy_device)
SRV - [2006/11/03 19:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) [Auto | Running] -- I:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend)


========== Driver Services (SafeList) ==========

DRV - [2008/04/13 14:46:22 | 000,015,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- I:\WINDOWS\system32\drivers\mpe.sys -- (MPE)
DRV - [2008/04/11 21:52:08 | 000,722,432 | ---- | M] (ZyDAS Technology Corporation) [Kernel | On_Demand | Stopped] -- I:\WINDOWS\system32\drivers\ZD1211BU.sys -- (ZD1211BU(Atheros)) Atheros ZD1211B IEEE 802.11 Wireless LAN Driver (USB)(Atheros)
DRV - [2006/01/03 21:58:00 | 000,269,952 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- I:\WINDOWS\system32\drivers\atinavrr.sys -- (ATIAVPCI)
DRV - [2005/11/16 16:36:00 | 001,047,816 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- I:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2004/10/25 14:40:58 | 000,017,664 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | Auto | Running] -- I:\WINDOWS\system32\drivers\ZDPSp50.sys -- (ZDPSp50)
DRV - [2003/11/17 15:59:20 | 000,212,224 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- I:\WINDOWS\system32\drivers\HSFHWBS2.sys -- (HSFHWBS2)
DRV - [2003/11/17 15:58:02 | 000,680,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- I:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2003/11/17 15:56:26 | 001,042,432 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- I:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)
DRV - [2001/08/22 09:42:58 | 000,013,632 | ---- | M] (Dell Computer Corporation) [Kernel | System | Running] -- I:\WINDOWS\system32\drivers\omci.sys -- (OMCI)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1417001333-261478967-2146992267-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
IE - HKU\S-1-5-21-1417001333-261478967-2146992267-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: I:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2010/04/01 21:50:15 | 000,000,000 | ---D | M]

[2011/04/18 22:04:27 | 000,002,047 | ---- | M] () -- I:\Program Files\Mozilla Firefox\searchplugins\fcmdSrch.xml

O1 HOSTS File: ([2011/04/20 23:02:47 | 000,000,027 | ---- | M]) - I:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - I:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4 - HKLM..\Run: [Carbonite Backup] I:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe (Carbonite, Inc.)
O4 - HKLM..\Run: [DivXUpdate] I:\Program Files\DivX\DivX Update\DivXUpdate.exe ()
O4 - HKLM..\Run: [DMXLauncher] I:\Program Files\Dell\Media Experience\DMXLauncher.exe ()
O4 - HKLM..\Run: [EzPrint] I:\Program Files\Lexmark 3400 Series\ezprint.exe (Lexmark International Inc.)
O4 - HKLM..\Run: [FaxCenterServer] I:\Program Files\Lexmark Fax Solutions\fm3032.exe ()
O4 - HKLM..\Run: [LXCYCATS] I:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCYtime.DLL (Lexmark International Inc.)
O4 - HKLM..\Run: [lxcymon.exe] I:\Program Files\Lexmark 3400 Series\lxcymon.exe ()
O4 - HKLM..\Run: [PDVDDXSrv] I:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe (CyberLink Corp.)
O4 - HKLM..\Run: [SigmatelSysTrayApp] I:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [TkBellExe] I:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - Startup: I:\Documents and Settings\All Users\Start Menu\Programs\Startup\SMCWUSB-G 802.11g Wireless USB Utility.lnk = I:\Program Files\SMC\SMCWUSB-G 802.11g Wireless USB 2.0 Adapter\SMCWGUTI.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = I:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = I:\WINDOWS\Resources\Themes\Royale.theme ()
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1417001333-261478967-2146992267-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1417001333-261478967-2146992267-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1417001333-261478967-2146992267-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1417001333-261478967-2146992267-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - I:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKU\S-1-5-21-1417001333-261478967-2146992267-1003\..Trusted Domains: localhost ([]* in Local intranet)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (get_atlcom Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O20 - HKLM Winlogon: Shell - (Explorer.exe) - I:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: I:\Documents and Settings\Eric\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: I:\Documents and Settings\Eric\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - I:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/01/30 03:39:10 | 000,000,040 | R--- | M] () - G:\AUTORUN.INF -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*


SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PEVSystemStart - Service
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: procexp90.Sys - Driver
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vds - Service
SafeBootMin: vga.sys - Driver
SafeBootMin: WinDefend - I:\Program Files\Windows Defender\MsMpEng.exe (Microsoft Corporation)
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {29E7D24F-BF30-45E7-8A40-AD27AFD8F5C6} - Microsoft .NET Framework 1.0 Hotfix (KB979904)
ActiveX: {2A3320D6-C805-4280-B423-B665BDE33D8F} - Microsoft .NET Framework 1.1 Security Update (KB979906)
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {2F6EFCE6-10DF-49F9-9E64-9AE3775B2588} - Microsoft .NET Framework 1.1 Security Update (KB2416447)
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {407408d4-94ed-4d86-ab69-a7f649d112ee} - %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection QuickLaunchShortcut 640 %systemroot%\inf\mcdftreg.inf
ActiveX: {411EDCF7-755D-414E-A74B-3DCD6583F589} - Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection I:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.8
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection I:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7131646D-CD3C-40F4-97B9-CD9E4E6262EF} - .NET Framework
ActiveX: {73FA19D0-2D75-11D2-995D-00C04F98BBC9} - Web Folders
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - I:\WINDOWS\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - i:\WINDOWS\system32\Rundll32.exe i:\WINDOWS\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F} - .NET Framework
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} - .NET Framework
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Adobe Flash Player
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E8EA5BD6-D931-4001-ABF6-81BAA500360A} - Microsoft .NET Framework 1.0 Hotfix (KB953295)
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: {EA29D410-CE41-4953-A862-2DE706A1DAD7} - Microsoft .NET Framework 1.0 Service Pack 3
ActiveX: {FDC11A6F-17D1-48f9-9EA3-9051954BAA24} - .NET Framework
ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - I:\WINDOWS\system32\ieudinit.exe
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - I:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "I:\WINDOWS\system32\rundll32.exe" "I:\WINDOWS\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
ActiveX: KB910393 - rundll32.exe advpack.dll,LaunchINFSection I:\WINDOWS\INF\EasyCDBlock.inf,PerUserInstall

Drivers32: msacm.iac2 - I:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - I:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - I:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - I:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: MSVideo8 - I:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.3IV2 - I:\WINDOWS\System32\3ivxVfWCodec.dll (3ivx Technologies Pty. Ltd.)
Drivers32: vidc.cvid - I:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.DIVX - I:\WINDOWS\System32\DivX.dll (DivX, Inc.)
Drivers32: vidc.iv31 - I:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - I:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - I:\WINDOWS\System32\ir41_32.ax ()
Drivers32: vidc.iv50 - I:\WINDOWS\System32\ir50_32.dll ()
Drivers32: vidc.yv12 - I:\WINDOWS\System32\DivX.dll (DivX, Inc.)
Drivers32: wave2 - I:\WINDOWS\System32\serwvdrv.dll (Microsoft Corporation)

NetSvcs: 6to4 - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found
NetSvcs: wuauserv - File not found

========== Files/Folders - Created Within 30 Days ==========

[2011/05/01 12:18:37 | 000,580,608 | ---- | C] (OldTimer Tools) -- I:\Documents and Settings\Eric\Desktop\OTL.exe
[2011/04/30 08:04:37 | 000,000,000 | R--D | C] -- I:\32788R22FWJFW
[2011/04/30 08:04:00 | 000,000,000 | --SD | C] -- I:\ComboFix
[2011/04/23 12:31:00 | 000,000,000 | ---D | C] -- I:\Program Files\Frontline Registry Cleaner
[2011/04/23 12:31:00 | 000,000,000 | ---D | C] -- I:\Documents and Settings\Eric\Start Menu\Programs\Frontline Registry Cleaner
[2011/04/23 12:30:38 | 005,884,712 | ---- | C] (Frontline PC Utilities) -- I:\Documents and Settings\Eric\Desktop\FrontlineRegCleanerSetup.exe
[2011/04/23 11:57:24 | 001,377,112 | ---- | C] (Kaspersky Lab ZAO) -- I:\Documents and Settings\Eric\Desktop\4358asflsjaslfj.exe
[2011/04/21 21:32:46 | 000,000,000 | RHSD | C] -- I:\cmdcons
[2011/04/21 21:21:51 | 000,000,000 | ---D | C] -- I:\Program Files\Common Files\Java
[2011/04/21 21:21:38 | 000,157,472 | ---- | C] (Sun Microsystems, Inc.) -- I:\WINDOWS\System32\javaws.exe
[2011/04/21 21:21:38 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- I:\WINDOWS\System32\javaw.exe
[2011/04/21 21:21:38 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- I:\WINDOWS\System32\java.exe
[2011/04/21 21:21:38 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- I:\WINDOWS\System32\javacpl.cpl
[2011/04/21 21:21:26 | 000,000,000 | ---D | C] -- I:\Program Files\Java
[2011/04/21 21:19:30 | 016,525,088 | ---- | C] (Sun Microsystems, Inc.) -- I:\Documents and Settings\Eric\Desktop\jre-6u24-windows-i586.exe
[2011/04/21 20:39:06 | 000,000,000 | ---D | C] -- I:\WINDOWS\System32\NtmsData
[2011/04/21 18:56:27 | 000,000,000 | R--D | C] -- I:\Documents and Settings\Eric\Recent
[2011/04/20 23:02:23 | 000,000,000 | ---D | C] -- I:\WINDOWS\temp
[2011/04/20 22:53:37 | 000,000,000 | ---D | C] -- I:\ComboFix(2)
[2011/04/20 20:38:09 | 000,000,000 | -HSD | C] -- I:\RECYCLER
[2011/04/20 20:11:24 | 000,212,480 | ---- | C] (SteelWerX) -- I:\WINDOWS\SWXCACLS.exe
[2011/04/20 20:11:24 | 000,161,792 | ---- | C] (SteelWerX) -- I:\WINDOWS\SWREG.exe
[2011/04/20 20:11:24 | 000,136,704 | ---- | C] (SteelWerX) -- I:\WINDOWS\SWSC.exe
[2011/04/20 20:11:24 | 000,031,232 | ---- | C] (NirSoft) -- I:\WINDOWS\NIRCMD.exe
[2011/04/20 20:11:17 | 000,000,000 | ---D | C] -- I:\WINDOWS\ERDNT
[2011/04/20 20:10:35 | 000,000,000 | ---D | C] -- I:\Qoobox
[2011/04/19 20:15:45 | 000,000,000 | ---D | C] -- I:\Documents and Settings\Eric\Desktop\tdsskiller
[2011/04/18 22:04:25 | 000,000,000 | ---D | C] -- I:\Program Files\Mozilla Firefox
[2011/04/18 20:25:12 | 000,000,000 | -HSD | C] -- I:\WINDOWS\CSC
[2011/04/09 11:18:26 | 000,000,000 | ---D | C] -- I:\Documents and Settings\Eric\Application Data\Malwarebytes
[2011/04/09 11:18:21 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- I:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/04/09 11:18:21 | 000,000,000 | ---D | C] -- I:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/04/09 11:18:20 | 000,000,000 | ---D | C] -- I:\Documents and Settings\All Users\Application Data\Malwarebytes
[2011/04/09 11:18:17 | 000,000,000 | ---D | C] -- I:\Program Files\Malwarebytes' Anti-Malware
[2011/04/07 20:23:00 | 000,000,000 | ---D | C] -- I:\Program Files\DTCLookup
[2010/03/09 21:07:25 | 000,413,696 | ---- | C] ( ) -- I:\WINDOWS\System32\lxcyinpa.dll
[2010/03/09 21:07:25 | 000,323,584 | ---- | C] ( ) -- I:\WINDOWS\System32\lxcyhcp.dll
[2010/03/09 21:07:24 | 001,224,704 | ---- | C] ( ) -- I:\WINDOWS\System32\lxcyserv.dll
[2010/03/09 21:07:24 | 000,991,232 | ---- | C] ( ) -- I:\WINDOWS\System32\lxcyusb1.dll
[2010/03/09 21:07:24 | 000,397,312 | ---- | C] ( ) -- I:\WINDOWS\System32\lxcyiesc.dll
[2010/03/09 21:07:23 | 000,643,072 | ---- | C] ( ) -- I:\WINDOWS\System32\lxcypmui.dll
[2010/03/09 21:07:23 | 000,585,728 | ---- | C] ( ) -- I:\WINDOWS\System32\lxcylmpm.dll
[2010/03/09 21:07:23 | 000,163,840 | ---- | C] ( ) -- I:\WINDOWS\System32\lxcyprox.dll
[2010/03/09 21:07:23 | 000,094,208 | ---- | C] ( ) -- I:\WINDOWS\System32\lxcypplc.dll
[2010/03/09 21:07:22 | 000,696,320 | ---- | C] ( ) -- I:\WINDOWS\System32\lxcyhbn3.dll
[2010/03/09 21:07:22 | 000,537,520 | ---- | C] ( ) -- I:\WINDOWS\System32\lxcycoms.exe
[2010/03/09 21:07:22 | 000,385,968 | ---- | C] ( ) -- I:\WINDOWS\System32\lxcyih.exe
[2010/03/09 21:07:21 | 000,684,032 | ---- | C] ( ) -- I:\WINDOWS\System32\lxcycomc.dll
[2010/03/09 21:07:21 | 000,421,888 | ---- | C] ( ) -- I:\WINDOWS\System32\lxcycomm.dll
[2010/03/09 21:07:21 | 000,381,872 | ---- | C] ( ) -- I:\WINDOWS\System32\lxcycfg.exe
[8 I:\WINDOWS\*.tmp files -> I:\WINDOWS\*.tmp -> ]
[7 I:\WINDOWS\System32\*.tmp files -> I:\WINDOWS\System32\*.tmp -> ]
[1 I:\Documents and Settings\Eric\Desktop\*.tmp files -> I:\Documents and Settings\Eric\Desktop\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/05/01 12:18:48 | 000,580,608 | ---- | M] (OldTimer Tools) -- I:\Documents and Settings\Eric\Desktop\OTL.exe
[2011/05/01 10:16:00 | 000,000,974 | ---- | M] () -- I:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1417001333-261478967-2146992267-1003UA.job
[2011/05/01 01:58:01 | 000,000,330 | -H-- | M] () -- I:\WINDOWS\tasks\MP Scheduled Scan.job
[2011/05/01 00:31:40 | 000,000,420 | -H-- | M] () -- I:\WINDOWS\tasks\User_Feed_Synchronization-{463A6B1C-9FF4-4B39-BF5F-84F787516DB0}.job
[2011/04/30 18:16:56 | 000,002,277 | ---- | M] () -- I:\Documents and Settings\Eric\Desktop\Google Chrome.lnk
[2011/04/30 18:16:56 | 000,002,255 | ---- | M] () -- I:\Documents and Settings\Eric\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2011/04/30 17:52:43 | 000,000,276 | ---- | M] () -- I:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-1417001333-261478967-2146992267-1003.job
[2011/04/30 17:52:38 | 000,000,284 | ---- | M] () -- I:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-1417001333-261478967-2146992267-1003.job
[2011/04/30 17:50:06 | 000,000,276 | ---- | M] () -- I:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-1417001333-261478967-2146992267-1004.job
[2011/04/30 17:49:01 | 000,002,048 | --S- | M] () -- I:\WINDOWS\bootstat.dat
[2011/04/30 13:16:00 | 000,000,922 | ---- | M] () -- I:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1417001333-261478967-2146992267-1003Core.job
[2011/04/30 08:04:30 | 004,333,650 | R--- | M] () -- I:\Documents and Settings\Eric\Desktop\ComboFix.exe
[2011/04/27 20:10:53 | 000,001,324 | ---- | M] () -- I:\WINDOWS\System32\d3d9caps.dat
[2011/04/23 13:19:16 | 000,293,019 | ---- | M] () -- I:\Documents and Settings\Eric\Desktop\gmer.zip
[2011/04/23 13:16:54 | 000,625,664 | ---- | M] () -- I:\Documents and Settings\Eric\Desktop\dds.scr
[2011/04/23 13:13:47 | 000,050,477 | ---- | M] () -- I:\Documents and Settings\Eric\Desktop\Defogger.exe
[2011/04/23 13:09:21 | 000,000,000 | ---- | M] () -- I:\Documents and Settings\Eric\defogger_reenable
[2011/04/23 12:31:00 | 000,001,724 | ---- | M] () -- I:\Documents and Settings\Eric\Desktop\FrontLine Registry Cleaner.lnk
[2011/04/23 12:30:47 | 005,884,712 | ---- | M] (Frontline PC Utilities) -- I:\Documents and Settings\Eric\Desktop\FrontlineRegCleanerSetup.exe
[2011/04/23 11:57:26 | 001,377,112 | ---- | M] (Kaspersky Lab ZAO) -- I:\Documents and Settings\Eric\Desktop\4358asflsjaslfj.exe
[2011/04/23 08:09:00 | 000,001,729 | ---- | M] () -- I:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2011/04/23 08:06:35 | 000,002,206 | ---- | M] () -- I:\WINDOWS\System32\wpa.dbl
[2011/04/21 21:32:50 | 000,000,325 | RHS- | M] () -- I:\boot.ini
[2011/04/21 21:21:28 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- I:\WINDOWS\System32\deployJava1.dll
[2011/04/21 21:21:28 | 000,157,472 | ---- | M] (Sun Microsystems, Inc.) -- I:\WINDOWS\System32\javaws.exe
[2011/04/21 21:21:28 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- I:\WINDOWS\System32\javaw.exe
[2011/04/21 21:21:28 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- I:\WINDOWS\System32\java.exe
[2011/04/21 21:21:28 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- I:\WINDOWS\System32\javacpl.cpl
[2011/04/21 21:19:31 | 016,525,088 | ---- | M] (Sun Microsystems, Inc.) -- I:\Documents and Settings\Eric\Desktop\jre-6u24-windows-i586.exe
[2011/04/21 19:20:22 | 000,301,568 | ---- | M] () -- I:\Documents and Settings\Eric\Desktop\7q9vdtkl.exe
[2011/04/21 19:00:26 | 000,116,560 | ---- | M] () -- I:\WINDOWS\System32\FNTCACHE.DAT
[2011/04/20 23:02:47 | 000,000,027 | ---- | M] () -- I:\WINDOWS\System32\drivers\etc\hosts
[2011/04/20 22:53:27 | 000,016,602 | -HS- | M] () -- I:\Documents and Settings\Eric\Local Settings\Application Data\1ycw044f0ry3igk042b0613q
[2011/04/20 22:53:27 | 000,016,602 | -HS- | M] () -- I:\Documents and Settings\All Users\Application Data\1ycw044f0ry3igk042b0613q
[2011/04/19 20:15:20 | 001,263,721 | ---- | M] () -- I:\Documents and Settings\Eric\Desktop\tdsskiller.zip
[2011/04/19 19:38:41 | 000,017,618 | -HS- | M] () -- I:\Documents and Settings\Eric\Local Settings\Application Data\74naa86484b4h4547ab5g2x7g1n374va28l
[2011/04/19 19:38:41 | 000,017,618 | -HS- | M] () -- I:\Documents and Settings\All Users\Application Data\74naa86484b4h4547ab5g2x7g1n374va28l
[2011/04/18 23:51:24 | 000,625,664 | ---- | M] () -- I:\Documents and Settings\Eric\Desktop\dds.com
[2011/04/18 22:13:20 | 001,006,778 | ---- | M] () -- I:\Documents and Settings\Eric\Desktop\doyelalex.exe
[2011/04/18 19:03:58 | 000,000,284 | ---- | M] () -- I:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-1417001333-261478967-2146992267-1004.job
[2011/04/16 12:34:17 | 001,108,770 | ---- | M] () -- I:\Documents and Settings\Eric\Desktop\amnio bill.pdf
[2011/04/16 07:55:21 | 000,001,374 | ---- | M] () -- I:\WINDOWS\imsins.BAK
[2011/04/16 07:53:36 | 000,441,124 | ---- | M] () -- I:\WINDOWS\System32\perfh009.dat
[2011/04/16 07:53:36 | 000,071,060 | ---- | M] () -- I:\WINDOWS\System32\perfc009.dat
[2011/04/09 11:18:21 | 000,000,784 | ---- | M] () -- I:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[8 I:\WINDOWS\*.tmp files -> I:\WINDOWS\*.tmp -> ]
[7 I:\WINDOWS\System32\*.tmp files -> I:\WINDOWS\System32\*.tmp -> ]
[1 I:\Documents and Settings\Eric\Desktop\*.tmp files -> I:\Documents and Settings\Eric\Desktop\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/04/23 13:18:54 | 000,293,019 | ---- | C] () -- I:\Documents and Settings\Eric\Desktop\gmer.zip
[2011/04/23 13:15:25 | 000,625,664 | ---- | C] () -- I:\Documents and Settings\Eric\Desktop\dds.scr
[2011/04/23 13:09:21 | 000,000,000 | ---- | C] () -- I:\Documents and Settings\Eric\defogger_reenable
[2011/04/23 13:08:44 | 000,050,477 | ---- | C] () -- I:\Documents and Settings\Eric\Desktop\Defogger.exe
[2011/04/23 12:31:00 | 000,001,724 | ---- | C] () -- I:\Documents and Settings\Eric\Desktop\FrontLine Registry Cleaner.lnk
[2011/04/23 12:20:47 | 004,333,650 | R--- | C] () -- I:\Documents and Settings\Eric\Desktop\ComboFix.exe
[2011/04/21 19:20:20 | 000,301,568 | ---- | C] () -- I:\Documents and Settings\Eric\Desktop\7q9vdtkl.exe
[2011/04/20 22:56:45 | 000,000,208 | ---- | C] () -- I:\Boot.bak
[2011/04/20 22:56:44 | 000,260,272 | RHS- | C] () -- I:\cmldr
[2011/04/20 22:42:35 | 000,016,602 | -HS- | C] () -- I:\Documents and Settings\Eric\Local Settings\Application Data\1ycw044f0ry3igk042b0613q
[2011/04/20 22:42:35 | 000,016,602 | -HS- | C] () -- I:\Documents and Settings\All Users\Application Data\1ycw044f0ry3igk042b0613q
[2011/04/20 20:11:24 | 000,256,512 | ---- | C] () -- I:\WINDOWS\PEV.exe
[2011/04/20 20:11:24 | 000,098,816 | ---- | C] () -- I:\WINDOWS\sed.exe
[2011/04/20 20:11:24 | 000,089,088 | ---- | C] () -- I:\WINDOWS\MBR.exe
[2011/04/20 20:11:24 | 000,080,412 | ---- | C] () -- I:\WINDOWS\grep.exe
[2011/04/20 20:11:24 | 000,068,096 | ---- | C] () -- I:\WINDOWS\zip.exe
[2011/04/19 20:15:12 | 001,263,721 | ---- | C] () -- I:\Documents and Settings\Eric\Desktop\tdsskiller.zip
[2011/04/19 19:36:33 | 000,017,618 | -HS- | C] () -- I:\Documents and Settings\Eric\Local Settings\Application Data\74naa86484b4h4547ab5g2x7g1n374va28l
[2011/04/19 19:36:33 | 000,017,618 | -HS- | C] () -- I:\Documents and Settings\All Users\Application Data\74naa86484b4h4547ab5g2x7g1n374va28l
[2011/04/18 23:51:14 | 000,625,664 | ---- | C] () -- I:\Documents and Settings\Eric\Desktop\dds.com
[2011/04/18 22:13:16 | 001,006,778 | ---- | C] () -- I:\Documents and Settings\Eric\Desktop\doyelalex.exe
[2011/04/16 12:34:17 | 001,108,770 | ---- | C] () -- I:\Documents and Settings\Eric\Desktop\amnio bill.pdf
[2011/04/09 11:18:21 | 000,000,784 | ---- | C] () -- I:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/07/31 20:28:28 | 000,000,120 | ---- | C] () -- I:\WINDOWS\Rhapiyerezuq.dat
[2010/07/31 20:28:28 | 000,000,000 | ---- | C] () -- I:\WINDOWS\Qsapupil.bin
[2010/07/18 11:20:15 | 000,018,532 | ---- | C] () -- I:\WINDOWS\System32\mlfcache.dat
[2010/04/01 21:51:15 | 000,000,025 | ---- | C] () -- I:\WINDOWS\cdplayer.ini
[2010/04/01 20:52:21 | 000,047,616 | ---- | C] () -- I:\Documents and Settings\Eric\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/03/09 21:09:10 | 000,040,960 | ---- | C] () -- I:\WINDOWS\System32\lxcyvs.dll
[2010/03/09 21:09:09 | 000,344,064 | ---- | C] () -- I:\WINDOWS\System32\lxcycoin.dll
[2010/03/09 21:08:53 | 000,692,224 | ---- | C] () -- I:\WINDOWS\System32\lxcydrs.dll
[2010/03/09 21:08:53 | 000,065,536 | ---- | C] () -- I:\WINDOWS\System32\lxcycaps.dll
[2010/03/09 21:08:52 | 000,061,440 | ---- | C] () -- I:\WINDOWS\System32\lxcycnv4.dll
[2010/03/09 21:08:36 | 000,045,056 | ---- | C] () -- I:\WINDOWS\System32\LXPRMON.DLL
[2010/03/09 21:08:36 | 000,032,768 | ---- | C] () -- I:\WINDOWS\System32\LXPMONUI.DLL
[2010/03/09 21:07:25 | 000,274,432 | ---- | C] () -- I:\WINDOWS\System32\lxcyinst.dll
[2010/03/06 23:59:54 | 000,397,312 | ---- | C] () -- I:\WINDOWS\System32\drivers\ETNADiag.exe
[2010/03/06 15:30:40 | 000,001,324 | ---- | C] () -- I:\WINDOWS\System32\d3d9caps.dat
[2010/03/06 14:39:15 | 000,000,055 | ---- | C] () -- I:\WINDOWS\WININIT.INI
[2010/03/04 21:07:55 | 000,000,376 | ---- | C] () -- I:\WINDOWS\ODBC.INI
[2010/03/03 23:01:01 | 000,000,127 | ---- | C] () -- I:\Documents and Settings\Eric\Local Settings\Application Data\fusioncache.dat
[2010/03/03 22:55:46 | 000,002,048 | --S- | C] () -- I:\WINDOWS\bootstat.dat
[2010/03/03 22:49:35 | 000,021,640 | ---- | C] () -- I:\WINDOWS\System32\emptyregdb.dat
[2010/03/03 17:19:44 | 000,004,161 | ---- | C] () -- I:\WINDOWS\ODBCINST.INI
[2010/03/03 17:18:46 | 000,116,560 | ---- | C] () -- I:\WINDOWS\System32\FNTCACHE.DAT
[2008/03/24 09:47:02 | 000,000,012 | ---- | C] () -- I:\Documents and Settings\Eric\Application Data\userdic.tlx
[2008/02/19 02:33:34 | 000,446,352 | ---- | C] () -- I:\WINDOWS\System32\OpenQuicktimeLib.dll
[2005/11/18 10:52:42 | 000,000,000 | ---- | C] () -- I:\WINDOWS\System32\px.ini
[2005/10/09 22:33:54 | 000,137,216 | ---- | C] () -- I:\WINDOWS\System32\secdel.dll
[2005/08/05 15:01:54 | 000,235,008 | ---- | C] () -- I:\WINDOWS\System32\psisdecd.dll
[2005/07/12 15:44:42 | 000,015,872 | ---- | C] () -- I:\WINDOWS\System32\InsDrvZD64.DLL
[2005/03/22 18:38:24 | 013,107,200 | ---- | C] () -- I:\WINDOWS\System32\oembios.bin
[2005/03/22 18:38:24 | 000,004,627 | ---- | C] () -- I:\WINDOWS\System32\oembios.dat
[2004/08/10 07:00:00 | 001,291,776 | ---- | C] () -- I:\WINDOWS\System32\quartz(2).dll
[2004/08/10 07:00:00 | 000,755,200 | ---- | C] () -- I:\WINDOWS\System32\ir50_32.dll
[2004/08/10 07:00:00 | 000,673,088 | ---- | C] () -- I:\WINDOWS\System32\mlang.dat
[2004/08/10 07:00:00 | 000,441,124 | ---- | C] () -- I:\WINDOWS\System32\perfh009.dat
[2004/08/10 07:00:00 | 000,338,432 | ---- | C] () -- I:\WINDOWS\System32\ir41_qcx.dll
[2004/08/10 07:00:00 | 000,272,128 | ---- | C] () -- I:\WINDOWS\System32\perfi009.dat
[2004/08/10 07:00:00 | 000,218,003 | ---- | C] () -- I:\WINDOWS\System32\dssec.dat
[2004/08/10 07:00:00 | 000,200,192 | ---- | C] () -- I:\WINDOWS\System32\ir50_qc.dll
[2004/08/10 07:00:00 | 000,183,808 | ---- | C] () -- I:\WINDOWS\System32\ir50_qcx.dll
[2004/08/10 07:00:00 | 000,120,320 | ---- | C] () -- I:\WINDOWS\System32\ir41_qc.dll
[2004/08/10 07:00:00 | 000,071,060 | ---- | C] () -- I:\WINDOWS\System32\perfc009.dat
[2004/08/10 07:00:00 | 000,059,904 | ---- | C] () -- I:\WINDOWS\System32\devenum(2).dll
[2004/08/10 07:00:00 | 000,046,258 | ---- | C] () -- I:\WINDOWS\System32\mib.bin
[2004/08/10 07:00:00 | 000,028,626 | ---- | C] () -- I:\WINDOWS\System32\perfd009.dat
[2004/08/10 07:00:00 | 000,014,336 | ---- | C] () -- I:\WINDOWS\System32\msdmo(2).dll
[2004/08/10 07:00:00 | 000,004,569 | ---- | C] () -- I:\WINDOWS\System32\secupd.dat
[2004/08/10 07:00:00 | 000,001,804 | ---- | C] () -- I:\WINDOWS\System32\dcache.bin
[2004/08/10 07:00:00 | 000,000,741 | ---- | C] () -- I:\WINDOWS\System32\noise.dat
[2004/03/23 17:38:00 | 000,028,672 | ---- | C] () -- I:\WINDOWS\System32\InsDrvZD.dll
[2003/03/14 13:24:00 | 000,024,576 | ---- | C] () -- I:\WINDOWS\System32\ZyDelReg.exe

========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: EXPLORER.EXE >
[2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- I:\WINDOWS\ERDNT\cache\explorer.exe
[2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- I:\WINDOWS\explorer.exe
[2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- I:\WINDOWS\ServicePackFiles\i386\explorer.exe
[2011/01/16 16:55:21 | 000,255,488 | ---- | M] () MD5=3C33B26F2F7FA61D882515F2D6078691 -- I:\Documents and Settings\Eric\Local Settings\temp\RarSFX2\procs\explorer.exe
[2004/08/10 07:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) MD5=A0732187050030AE399B241436565E64 -- I:\WINDOWS\$NtServicePackUninstall$\explorer.exe
[2005/08/16 02:54:58 | 000,001,536 | ---- | M] () MD5=ABC6379205DE2618851C4FCBF72112EB -- I:\Documents and Settings\Eric\Local Settings\temp\RarSFX2\h\explorer.exe

< MD5 for: WINLOGON.EXE >
[2004/08/10 07:00:00 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- I:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
[2009/05/26 19:47:22 | 000,031,232 | ---- | M] (NirSoft) MD5=AC6094297CD882B8626466CDEB64F19F -- I:\Documents and Settings\Eric\Local Settings\temp\RarSFX2\winlogon.exe
[2008/04/13 20:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- I:\WINDOWS\ERDNT\cache\winlogon.exe
[2008/04/13 20:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- I:\WINDOWS\ServicePackFiles\i386\winlogon.exe
[2008/04/13 20:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- I:\WINDOWS\system32\winlogon.exe

< >

< End of report >

Extras.txt log

OTL Extras logfile created on: 5/1/2011 12:19:32 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = I:\Documents and Settings\Eric\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 64.00% Memory free
5.00 Gb Paging File | 4.00 Gb Available in Paging File | 81.00% Paging File free
Paging file location(s): I:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = I: | %SystemRoot% = I:\WINDOWS | %ProgramFiles% = I:\Program Files
Drive G: | 47.91 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive I: | 298.08 Gb Total Space | 258.06 Gb Free Space | 86.57% Space Free | Partition Type: NTFS

Computer Name: HOMEPC2005 | User Name: Eric | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

[HKEY_USERS\S-1-5-21-1417001333-261478967-2146992267-1003\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"I:\Program Files\CyberLink\PowerDVD DX\PowerDVD.exe" = I:\Program Files\CyberLink\PowerDVD DX\PowerDVD.exe:*:Enabled:CyberLink PowerDVD DX -- (CyberLink Corp.)
"I:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" = I:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe:*:Enabled:CyberLink PowerDVD DX Resident Program -- (CyberLink Corp.)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"I:\Program Files\CyberLink\PowerDVD DX\PowerDVD.exe" = I:\Program Files\CyberLink\PowerDVD DX\PowerDVD.exe:*:Disabled:CyberLink PowerDVD DX -- (CyberLink Corp.)
"I:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" = I:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe:*:Disabled:CyberLink PowerDVD DX Resident Program -- (CyberLink Corp.)
"I:\WINDOWS\system32\lxcycoms.exe" = I:\WINDOWS\system32\lxcycoms.exe:*:Disabled:Lexmark Communications System -- ( )


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0D3F9802-689F-9B6D-8E44-B55971F0CCBB}" = FlipShare
"{26A24AE4-039D-4CA4-87B4-2F83216024FF}" = Java™ 6 Update 24
"{28BE306E-5DA6-4F9C-BDB0-DBA3C8C6FFFD}" = QuickTime
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{390FF986-468D-4CA9-8830-2C4B313F447F}" = ATI Parental Control
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{553255F3-78FD-40F1-A6F8-6882140265FE}" = Apple Application Support
"{598420E8-E9F9-4FAE-9B6C-599FDF2F611A}" = BlackBerry App World Browser Plugin
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{6421F085-1FAA-DE13-D02A-CFB412C522A4}" = Acrobat.com
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{76BC2442-0002-47FA-9617-43BAD82BEF4C}" = Bonjour
"{802C87BF-3A1E-45B0-8C12-9527A5C572B3}" = SMCWUSB-G 802.11g Wireless USB 2.0 Adapter
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Graphics Media Accelerator Driver
"{91110409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional
"{98613C99-1399-416C-A07C-1EE1C585D872}" = SeaTools for Windows
"{9941F0AA-B903-4AF4-A055-83A9815CC011}" = Sonic Encoders
"{996A2FAA-7514-4628-9D12-A8FC34A0016E}" = iTunes
"{A06275F4-324B-4E85-95E6-87B2CD729401}" = Windows Defender
"{a0fe116e-9a8a-466f-aee0-625cb7c207e3}" = Microsoft Visual C++ 2005 Redistributable - KB2467175
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = SigmaTel Audio
"{AC0EE5B0-A8FB-4D0A-AF03-2EDC518F841B}" = Dell Media Experience
"{AC76BA86-7AD7-1033-7B44-A94000000001}" = Adobe Reader 9.4.4
"{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}" = ABBYY FineReader 6.0 Sprint
"{B5C3B892-0849-476C-9F46-B12F84819D57}" = Apple Mobile Device Support
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C41300B9-185D-475E-BFEC-39EF732F19B1}" = Apple Software Update
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D78653C3-A8FF-415F-92E6-D774E634FF2D}" = Dell ResourceCD
"{E2883E8F-472F-4fb0-9522-AC9BF37916A7}" = Adobe Download Manager
"{F4F4F84E-804F-4E9A-84D7-C34283F0088F}" = RealUpgrade 1.0
"12133444-BF36-4d4e-B7FB-A3424C645DE4" = GemMaster Mystic
"3ivx MPEG-4 5.0.3" = 3ivx MPEG-4 5.0.3 (remove only)
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"All ATI Software" = ATI - Software Uninstall Utility
"B3EE3001-DC24-4cd1-8743-5692C716659F" = Otto
"Carbonite Backup" = Carbonite
"CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1" = Conexant D850 56K V.9x DFVc Modem
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"DivX Setup.divx.com" = DivX Setup
"Frontline Registry Cleaner2.0" = Frontline Registry Cleaner
"ie8" = Windows Internet Explorer 8
"INI_FCFG_V03.14A05_is1" = INI_FCFG_V03.14A05
"InstallShield_{390FF986-468D-4CA9-8830-2C4B313F447F}" = ATI Parental Control
"InstallShield_{802C87BF-3A1E-45B0-8C12-9527A5C572B3}" = SMCWUSB-G 802.11g Wireless USB 2.0 Adapter
"Lexmark 3400 Series" = Lexmark 3400 Series
"Lexmark Fax Solutions" = Lexmark Fax Solutions
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"Picasa 3" = Picasa 3
"PROSet" = Intel® PRO Network Connections Drivers
"Quicken WillMaker Plus 2009" = Quicken WillMaker Plus 2009
"RealPlayer 12.0" = RealPlayer
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1417001333-261478967-2146992267-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"f031ef6ac137efc5" = Dell Driver Download Manager
"Google Chrome" = Google Chrome
"Move Media Player" = Move Media Player
"Sportsbook.com" = Sportsbook.com
"Yahoo! BrowserPlus" = Yahoo! BrowserPlus 2.9.8

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 5/1/2011 1:58:00 AM | Computer Name = HOMEPC2005 | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 80080005, P2 updateservicemanager-_get_services,
P3 fallbackcheck, P4 1.1.1593.0, P5 mpsigdwn.dll, P6 1.1.1593.0, P7 windows defender,
P8 NIL, P9 NIL, P10 NIL.

Error - 5/1/2011 7:59:35 AM | Computer Name = HOMEPC2005 | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 5/1/2011 7:59:35 AM | Computer Name = HOMEPC2005 | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 7297

Error - 5/1/2011 7:59:35 AM | Computer Name = HOMEPC2005 | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 7297

Error - 5/1/2011 8:38:18 AM | Computer Name = HOMEPC2005 | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 5/1/2011 8:38:18 AM | Computer Name = HOMEPC2005 | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 2330469

Error - 5/1/2011 8:38:18 AM | Computer Name = HOMEPC2005 | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 2330469

Error - 5/1/2011 11:00:27 AM | Computer Name = HOMEPC2005 | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 5/1/2011 11:00:27 AM | Computer Name = HOMEPC2005 | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 3750

Error - 5/1/2011 11:00:27 AM | Computer Name = HOMEPC2005 | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 3750

[ System Events ]
Error - 4/30/2011 6:19:34 PM | Computer Name = HOMEPC2005 | Source = VolSnap | ID = 393241
Description = The shadow copy of volume I: was aborted because the diff area file
could not grow in time. Consider reducing the IO load on this system to avoid this
problem in the future.

Error - 4/30/2011 6:19:55 PM | Computer Name = HOMEPC2005 | Source = VolSnap | ID = 393228
Description = The shadow copy of volume I: became low on diff area space before
it was properly installed.

Error - 5/1/2011 1:57:00 AM | Computer Name = HOMEPC2005 | Source = Service Control Manager | ID = 7023
Description = The Automatic Updates service terminated with the following error:
%%126

Error - 5/1/2011 1:57:30 AM | Computer Name = HOMEPC2005 | Source = DCOM | ID = 10010
Description = The server {E60687F7-01A1-40AA-86AC-DB1CBF673334} did not register
with DCOM within the required timeout.

Error - 5/1/2011 1:57:30 AM | Computer Name = HOMEPC2005 | Source = Service Control Manager | ID = 7023
Description = The Automatic Updates service terminated with the following error:
%%126

Error - 5/1/2011 1:58:00 AM | Computer Name = HOMEPC2005 | Source = DCOM | ID = 10010
Description = The server {E60687F7-01A1-40AA-86AC-DB1CBF673334} did not register
with DCOM within the required timeout.

Error - 5/1/2011 12:16:38 PM | Computer Name = HOMEPC2005 | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
again in 15 minutes. The error was: A socket operation was attempted to an unreachable
host. (0x80072751)

Error - 5/1/2011 12:16:38 PM | Computer Name = HOMEPC2005 | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 14 minutes. NtpClient has no source of accurate
time.

Error - 5/1/2011 12:16:44 PM | Computer Name = HOMEPC2005 | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
again in 15 minutes. The error was: A socket operation was attempted to an unreachable
host. (0x80072751)

Error - 5/1/2011 12:16:44 PM | Computer Name = HOMEPC2005 | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 15 minutes. NtpClient has no source of accurate
time.


< End of report >

#4 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:12:27 AM

Posted 01 May 2011 - 11:38 AM

Hi,

It looks as if you tried to run ComboFix. Do you have the logs? Could you please post them?

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#5 ej3000

Posted 01 May 2011 - 04:06 PM

ComboFix will start to run, but it always freezes up. I never get the log because it freezes up before then.

#6 myrti

Posted 01 May 2011 - 05:46 PM

Hi,

at which point does it freeze?

Could you try renaming it to fun.com and see if that helps?

regards myrti

#7 ej3000

Posted 01 May 2011 - 07:27 PM

It runs and opens, then the blue screen opens and says "system file is infected!! attempting to restore, I:\Windows\system32\Drivers\Volsnap.sys"

#8 ej3000

Posted 01 May 2011 - 08:37 PM

I wanted to add to the ComboFix issue.

After it gives that message on the blue screen, it just freezes. I can't even close the window. Basically I have to turn off the PC to get it to close.

#9 myrti

Posted 02 May 2011 - 05:16 AM

Hi,

OK, well, that makes it pretty obvious that you're infected with TDL4; this is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you choose to clean, please try running TDSSKiller next:
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (or hold down your Windows key and press R) and copy and paste the following into the text field (make sure you include the quote marks). Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.

#10 ej3000

Posted 02 May 2011 - 10:32 PM

Let's get it clean. Then I'll upgrade the OS.

I tried to run TDSSKiller. The Run box would open, I would click Run, and then nothing ever happens. Is it running? It doesn't appear to be.

#11 myrti

Posted 03 May 2011 - 04:09 PM

Hi,

Could you please try a fresh download? There has recently been an upgrade to TDSSKiller, and it should now run.

regards myrti

#12 ej3000

Posted 03 May 2011 - 06:35 PM

It never produced a .txt file on the desktop. When I opened it again after restarting and clicked on Report, here is what it said:

2011/05/03 19:33:42.0352 2892 TDSS rootkit removing tool 2.5.0.0 May 1 2011 14:20:16
2011/05/03 19:33:42.0712 2892 ================================================================================
2011/05/03 19:33:42.0712 2892 SystemInfo:
2011/05/03 19:33:42.0712 2892
2011/05/03 19:33:42.0712 2892 OS Version: 5.1.2600 ServicePack: 3.0
2011/05/03 19:33:42.0712 2892 Product type: Workstation
2011/05/03 19:33:42.0712 2892 ComputerName: HOMEPC2005
2011/05/03 19:33:42.0712 2892 UserName: Tara
2011/05/03 19:33:42.0712 2892 Windows directory: I:\WINDOWS
2011/05/03 19:33:42.0712 2892 System windows directory: I:\WINDOWS
2011/05/03 19:33:42.0712 2892 Processor architecture: Intel x86
2011/05/03 19:33:42.0712 2892 Number of processors: 2
2011/05/03 19:33:42.0712 2892 Page size: 0x1000
2011/05/03 19:33:42.0712 2892 Boot type: Normal boot
2011/05/03 19:33:42.0712 2892 ================================================================================
2011/05/03 19:33:42.0899 2892 Initialize success

#13 ej3000

Posted 03 May 2011 - 06:36 PM

The first scan found something and I rebooted as part of the program's steps. When it rebooted, I was expecting to find the file, but it wasn't there. Also, I ran it again and it said no threats found.

#14 myrti

Posted 03 May 2011 - 06:37 PM

How is the PC doing now?

regards myrti

#15 ej3000

Posted 03 May 2011 - 07:02 PM

Seems better... no symptoms... yet.
