
Possible downloader trojan


This topic is locked. 28 replies to this topic.

#1 antonio831 (Members, 46 posts)

Posted 10 May 2011 - 11:58 PM

This computer tries to send out something to 3 or 4 different IP addresses. I have run Malwarebytes, avast and ESET at it to no avail. I would appreciate some help. Both DDS txt files seem to be corrupted or missing.

Attached file: ark.txt (92.39KB)



#2 SweetTech (Agent ST; Members, 13,421 posts; Location: Antarctica)

Posted 13 May 2011 - 03:03 PM

Hello and welcome to the forums!

My secret agent name on the forums is SweetTech (you can call me ST for short), it's a pleasure to meet you. :)

I am very sorry for the delay in responding, but as you can see we are at the moment being flooded with logs which, when paired with the never-ending shortage of helpers, resulted in the delayed responding to your thread.

I would be glad to take a look at your log and help you with solving any malware problems.

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed.

If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:

  • Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
  • Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
  • In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
  • If I instruct you to download a specific tool which you already have, please delete the copy that you have and re-download the tool. The reason I ask you to do this is because these tools are updated fairly regularly.
  • Do not do things I do not ask for, such as running a spyware scan on your computer. The one thing that you should always do is to make sure that your anti-virus definitions are up-to-date!
  • Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post.
  • I am going to stick with you until ALL malware is gone from your system. I would appreciate it if you would do the same. From this point, we're in this together ;)
    Because of this, you must reply within three days; failure to reply will result in the topic being closed!
  • Please do not PM me directly for help. If you have any questions, post them in this topic.
  • Lastly, I am no magician. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to resort to reformatting and reinstalling your operating system.
    Don't worry, this only happens in severe cases, but it sadly does happen. Be prepared to back up your data. Have means of backing up your data available.

____________________________________________________


One or more of the identified infections is a backdoor trojan and password stealer.

This type of infection allows hackers to access and remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.
If you do any banking or other financial transactions on the PC or if it contains any other sensitive information, then from a clean computer, change all passwords where applicable.
It would also be wise to contact those same financial institutions to apprise them of your situation.


I highly suggest you take a look at the two links provided below:
1. How Do I Handle Possible Identity Theft, Internet Fraud, and CC Fraud?
2. When should I re-format? How should I reinstall?


We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.



NEXT:



Running TDSSKiller

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.


NEXT:



Running OTL

We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double-click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized


NEXT:


Please provide an update on how things are running in your next reply.



The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#3 antonio831 (Topic Starter; Members, 46 posts)

Posted 14 May 2011 - 05:52 AM

Hey SK! Thanks a lot for taking the time to help me out. I believe I had most of the problem but had an issue with the outgoing sends. I know that ain't the technical term. I believe the TDSSKiller may have solved the problem but you know more about reading these logs than I do. Here is the TDSSKiller log

2011/05/13 18:55:01.0853 1784 TDSS rootkit removing tool 2.5.1.0 May 13 2011 13:20:29
2011/05/13 18:55:02.0806 1784 ================================================================================
2011/05/13 18:55:02.0806 1784 SystemInfo:
2011/05/13 18:55:02.0806 1784
2011/05/13 18:55:02.0806 1784 OS Version: 5.1.2600 ServicePack: 3.0
2011/05/13 18:55:02.0806 1784 Product type: Workstation
2011/05/13 18:55:02.0806 1784 ComputerName: ROBERT-GTRG3ASV
2011/05/13 18:55:02.0822 1784 UserName: robertmoss
2011/05/13 18:55:02.0822 1784 Windows directory: C:\WINDOWS
2011/05/13 18:55:02.0822 1784 System windows directory: C:\WINDOWS
2011/05/13 18:55:02.0822 1784 Processor architecture: Intel x86
2011/05/13 18:55:02.0822 1784 Number of processors: 1
2011/05/13 18:55:02.0822 1784 Page size: 0x1000
2011/05/13 18:55:02.0822 1784 Boot type: Normal boot
2011/05/13 18:55:02.0822 1784 ================================================================================
2011/05/13 18:55:03.0713 1784 Initialize success
2011/05/13 18:55:10.0134 3440 ================================================================================
2011/05/13 18:55:10.0134 3440 Scan started
2011/05/13 18:55:10.0134 3440 Mode: Manual;
2011/05/13 18:55:10.0134 3440 ================================================================================
2011/05/13 18:55:11.0166 3440 Aavmker4 (78a4db23bb4e8d4349e164d1d90af73f) C:\WINDOWS\system32\drivers\Aavmker4.sys
2011/05/13 18:55:12.0103 3440 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/05/13 18:55:12.0447 3440 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/05/13 18:55:13.0072 3440 aeaudio (11c04b17ed2abbb4833694bcd644ac90) C:\WINDOWS\system32\drivers\aeaudio.sys
2011/05/13 18:55:13.0369 3440 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/05/13 18:55:13.0728 3440 AFD (7618d5218f2a614672ec61a80d854a37) C:\WINDOWS\System32\drivers\afd.sys
2011/05/13 18:55:14.0197 3440 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
2011/05/13 18:55:16.0525 3440 aswFsBlk (9bdb29e81abceb883556df44649696c4) C:\WINDOWS\system32\drivers\aswFsBlk.sys
2011/05/13 18:55:16.0838 3440 aswMon2 (2ce6da466687cbb3b97e59f8831a27cb) C:\WINDOWS\system32\drivers\aswMon2.sys
2011/05/13 18:55:17.0197 3440 aswRdr (a90cf680ca7a323913ca3a0810c8e02d) C:\WINDOWS\system32\drivers\aswRdr.sys
2011/05/13 18:55:17.0713 3440 aswSnx (f7969934cca2e566e95df17380a3cb11) C:\WINDOWS\system32\drivers\aswSnx.sys
2011/05/13 18:55:18.0338 3440 aswSP (478d6a0e0630c31bf4a7f5eb0a05b92c) C:\WINDOWS\system32\drivers\aswSP.sys
2011/05/13 18:55:18.0728 3440 aswTdi (e52e45743e27fd6184c55618a10b81ab) C:\WINDOWS\system32\drivers\aswTdi.sys
2011/05/13 18:55:19.0009 3440 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/05/13 18:55:19.0463 3440 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/05/13 18:55:20.0150 3440 ati2mtag (2d30381d718228d2841cf962e9e86499) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
2011/05/13 18:55:20.0775 3440 atinevxx (d335e45bfa1bf0bf93a8d3c15d1fc0e1) C:\WINDOWS\system32\DRIVERS\atinevxx.sys
2011/05/13 18:55:21.0088 3440 ATITUNEP (4e09c36d16c5c310e9e8065385e743c2) C:\WINDOWS\system32\DRIVERS\atineuxx.sys
2011/05/13 18:55:21.0431 3440 ativraxx (866332d193898755dc955a4ad111ac89) C:\WINDOWS\system32\DRIVERS\atinraxx.sys
2011/05/13 18:55:21.0838 3440 ATIXSAudio (2bf5f72ad56964451b2e7b22aae389d1) C:\WINDOWS\system32\DRIVERS\atinesxx.sys
2011/05/13 18:55:22.0134 3440 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/05/13 18:55:22.0541 3440 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/05/13 18:55:23.0119 3440 BCMModem (41347688046d49cde0f6d138a534f73d) C:\WINDOWS\system32\DRIVERS\BCMSM.sys
2011/05/13 18:55:23.0884 3440 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/05/13 18:55:24.0166 3440 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/05/13 18:55:24.0431 3440 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2011/05/13 18:55:25.0134 3440 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/05/13 18:55:25.0447 3440 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/05/13 18:55:25.0931 3440 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/05/13 18:55:27.0478 3440 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/05/13 18:55:28.0119 3440 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/05/13 18:55:28.0666 3440 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/05/13 18:55:29.0150 3440 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/05/13 18:55:29.0416 3440 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/05/13 18:55:29.0963 3440 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/05/13 18:55:30.0400 3440 E100B (d57a8fc800b501ac05b10d00f66d127a) C:\WINDOWS\system32\DRIVERS\e100b325.sys
2011/05/13 18:55:30.0822 3440 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/05/13 18:55:31.0275 3440 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/05/13 18:55:31.0572 3440 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/05/13 18:55:31.0853 3440 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/05/13 18:55:32.0353 3440 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/05/13 18:55:32.0713 3440 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/05/13 18:55:33.0041 3440 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/05/13 18:55:33.0494 3440 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/05/13 18:55:33.0822 3440 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/05/13 18:55:34.0541 3440 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/05/13 18:55:35.0447 3440 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/05/13 18:55:35.0791 3440 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/05/13 18:55:36.0681 3440 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/05/13 18:55:36.0978 3440 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/05/13 18:55:37.0275 3440 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/05/13 18:55:37.0713 3440 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/05/13 18:55:38.0088 3440 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/05/13 18:55:38.0822 3440 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/05/13 18:55:39.0134 3440 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/05/13 18:55:39.0431 3440 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/05/13 18:55:39.0869 3440 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/05/13 18:55:40.0166 3440 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/05/13 18:55:40.0494 3440 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/05/13 18:55:40.0994 3440 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/05/13 18:55:41.0541 3440 MBAMProtector (836e0e09ca9869be7eb39ef2cf3602c7) C:\WINDOWS\system32\drivers\mbam.sys
2011/05/13 18:55:41.0853 3440 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/05/13 18:55:42.0275 3440 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/05/13 18:55:42.0541 3440 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
2011/05/13 18:55:42.0822 3440 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/05/13 18:55:43.0259 3440 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/05/13 18:55:43.0556 3440 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/05/13 18:55:44.0259 3440 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/05/13 18:55:44.0728 3440 MRxSmb (0ea4d8ed179b75f8afa7998ba22285ca) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/05/13 18:55:45.0259 3440 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/05/13 18:55:45.0541 3440 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/05/13 18:55:45.0822 3440 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/05/13 18:55:46.0213 3440 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/05/13 18:55:46.0588 3440 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/05/13 18:55:46.0884 3440 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
2011/05/13 18:55:47.0322 3440 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/05/13 18:55:47.0619 3440 MVDCODEC (04dd08f6c43d331c238197e7deaf0d5e) C:\WINDOWS\system32\DRIVERS\atinmdxx.sys
2011/05/13 18:55:47.0916 3440 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2011/05/13 18:55:48.0400 3440 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/05/13 18:55:48.0713 3440 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2011/05/13 18:55:49.0009 3440 NDISRD (1a18f436e4855572260580f4d42c69e8) C:\WINDOWS\system32\drivers\NDISRD.sys
2011/05/13 18:55:49.0416 3440 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/05/13 18:55:49.0634 3440 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/05/13 18:55:49.0931 3440 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/05/13 18:55:50.0244 3440 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/05/13 18:55:50.0681 3440 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/05/13 18:55:51.0025 3440 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/05/13 18:55:51.0541 3440 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/05/13 18:55:52.0009 3440 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/05/13 18:55:52.0619 3440 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/05/13 18:55:56.0181 3440 nv (ed9816dbaf6689542ea7d022631906a1) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2011/05/13 18:56:00.0259 3440 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/05/13 18:56:00.0541 3440 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/05/13 18:56:00.0822 3440 OMCI (cec7e2c6c1fa00c7ab2f5434f848ae51) C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS
2011/05/13 18:56:01.0150 3440 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/05/13 18:56:01.0588 3440 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/05/13 18:56:01.0869 3440 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/05/13 18:56:02.0150 3440 PCDCODEC (1a3e460843151029f98f87274fbb40ca) C:\WINDOWS\system32\DRIVERS\atinpdxx.sys
2011/05/13 18:56:02.0603 3440 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/05/13 18:56:03.0134 3440 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/05/13 18:56:03.0603 3440 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/05/13 18:56:05.0369 3440 Point32 (cf7c1868b90c90a265fc3f60ce46265b) C:\WINDOWS\system32\DRIVERS\point32.sys
2011/05/13 18:56:05.0838 3440 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/05/13 18:56:06.0134 3440 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
2011/05/13 18:56:06.0447 3440 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/05/13 18:56:06.0884 3440 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/05/13 18:56:08.0369 3440 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/05/13 18:56:08.0681 3440 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/05/13 18:56:09.0119 3440 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/05/13 18:56:09.0416 3440 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/05/13 18:56:09.0744 3440 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/05/13 18:56:10.0197 3440 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/05/13 18:56:10.0525 3440 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/05/13 18:56:11.0025 3440 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/05/13 18:56:11.0384 3440 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/05/13 18:56:11.0744 3440 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/05/13 18:56:12.0166 3440 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/05/13 18:56:12.0447 3440 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/05/13 18:56:12.0759 3440 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/05/13 18:56:13.0400 3440 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2011/05/13 18:56:13.0838 3440 smwdm (5018a9db5eb62e3edb3110f82f556285) C:\WINDOWS\system32\drivers\smwdm.sys
2011/05/13 18:56:14.0650 3440 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/05/13 18:56:14.0963 3440 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/05/13 18:56:15.0525 3440 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/05/13 18:56:15.0963 3440 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2011/05/13 18:56:16.0244 3440 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/05/13 18:56:16.0697 3440 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/05/13 18:56:18.0025 3440 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/05/13 18:56:18.0447 3440 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/05/13 18:56:18.0963 3440 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/05/13 18:56:19.0228 3440 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/05/13 18:56:19.0525 3440 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/05/13 18:56:20.0213 3440 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/05/13 18:56:20.0978 3440 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/05/13 18:56:21.0431 3440 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/05/13 18:56:21.0728 3440 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/05/13 18:56:22.0181 3440 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/05/13 18:56:22.0478 3440 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/05/13 18:56:22.0869 3440 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/05/13 18:56:23.0197 3440 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/05/13 18:56:23.0509 3440 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/05/13 18:56:23.0947 3440 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/05/13 18:56:24.0463 3440 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/05/13 18:56:24.0931 3440 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/05/13 18:56:25.0463 3440 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/05/13 18:56:25.0838 3440 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
2011/05/13 18:56:26.0259 3440 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2011/05/13 18:56:26.0338 3440 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/05/13 18:56:26.0353 3440 ================================================================================
2011/05/13 18:56:26.0353 3440 Scan finished
2011/05/13 18:56:26.0353 3440 ================================================================================
2011/05/13 18:56:26.0369 3872 Detected object count: 1
2011/05/13 18:56:45.0681 3872 \HardDisk0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/05/13 18:56:45.0713 3872 \HardDisk0 - ok
2011/05/13 18:56:45.0713 3872 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2011/05/13 18:56:58.0603 3384 Deinitialize success

And here is the OTL.txt log:

OTL logfile created on: 5/13/2011 7:15:29 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\robertmoss\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.00 Mb Total Physical Memory | 170.00 Mb Available Physical Memory | 33.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 82.00% Paging File free
Paging file location(s): C:\pagefile.sys 1543 2331 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 38.28 Gb Total Space | 23.09 Gb Free Space | 60.33% Space Free | Partition Type: NTFS

Computer Name: ROBERT-GTRG3ASV | User Name: robertmoss | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/05/13 19:10:16 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\robertmoss\Desktop\OTL.exe
PRC - [2011/04/18 10:25:12 | 003,460,784 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastUI.exe
PRC - [2011/04/18 10:25:10 | 000,042,184 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe
PRC - [2010/12/20 18:08:58 | 000,363,344 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2010/12/20 18:08:56 | 000,443,728 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2008/04/13 17:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (SafeList) ==========

MOD - [2011/05/13 19:10:16 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\robertmoss\Desktop\OTL.exe
MOD - [2011/04/18 10:25:09 | 000,199,792 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\snxhk.dll
MOD - [2010/08/23 09:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (itlperf)
SRV - [2011/04/18 10:25:10 | 000,042,184 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
SRV - [2010/12/20 18:08:58 | 000,363,344 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2009/03/02 22:38:45 | 000,016,680 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) [On_Demand | Stopped] -- C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe -- (GoToAssist)


========== Driver Services (SafeList) ==========

DRV - [2011/04/18 10:17:46 | 000,441,176 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\aswSnx.sys -- (aswSnx)
DRV - [2011/04/18 10:17:34 | 000,307,288 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2011/04/18 10:16:18 | 000,049,240 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2011/04/18 10:16:06 | 000,102,488 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2011/04/18 10:13:21 | 000,025,432 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2011/04/18 10:13:02 | 000,030,680 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2011/04/18 10:12:58 | 000,019,544 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2010/12/20 18:08:40 | 000,020,952 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2003/09/06 22:39:00 | 000,602,624 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2003/08/29 05:59:24 | 001,101,696 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMSM.sys -- (BCMModem)
DRV - [2003/08/25 00:31:00 | 000,047,104 | ---- | M] (ATI Technologies Inc.) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\atineuxx.sys -- (ATITUNEP)
DRV - [2003/08/25 00:30:00 | 000,067,072 | ---- | M] (ATI Technologies Inc.) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\atinesxx.sys -- (ATIXSAudio)
DRV - [2003/08/25 00:29:00 | 000,122,880 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\atinevxx.sys -- (atinevxx)
DRV - [2003/08/25 00:28:00 | 000,014,336 | ---- | M] (ATI Technologies Inc.) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\atinpdxx.sys -- (PCDCODEC)
DRV - [2003/08/25 00:28:00 | 000,013,824 | ---- | M] (ATI Technologies Inc.) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\atinmdxx.sys -- (MVDCODEC)
DRV - [2003/08/25 00:27:00 | 000,051,712 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\atinraxx.sys -- (ativraxx)
DRV - [2001/08/22 09:42:58 | 000,013,632 | ---- | M] (Dell Computer Corporation) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS -- (OMCI)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========




IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1454471165-602609370-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKU\S-1-5-21-1454471165-602609370-725345543-1003\..\URLSearchHook: {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
IE - HKU\S-1-5-21-1454471165-602609370-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1454471165-602609370-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\S-1-5-21-1454471165-602609370-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555

FF - HKLM\software\mozilla\Firefox\Extensions\\{8F65C169-D330-4EA8-9F7B-075D00B60927}: C:\Documents and Settings\robertmoss\Local Settings\Application Data\{8F65C169-D330-4EA8-9F7B-075D00B60927} [2011/05/05 14:45:28 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{5AC82677-3B4A-47F1-A48E-EC8966EE6195}: C:\Documents and Settings\carolynmoss\Local Settings\Application Data\{5AC82677-3B4A-47F1-A48E-EC8966EE6195}\ [2011/05/07 13:52:39 | 000,000,000 | ---D | M]

[2010/07/21 10:02:55 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\robertmoss\Application Data\Mozilla\Extensions
[2010/07/21 10:02:55 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\robertmoss\Application Data\Mozilla\Extensions\mozswing@mozswing.org

Hosts file not found
O2 - BHO: (no name) - {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - No CLSID value found.
O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll (Google Inc.)
O2 - BHO: (LimeWire Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O3 - HKLM\..\Toolbar: (LimeWire Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
O3 - HKU\S-1-5-21-1454471165-602609370-725345543-1003\..\Toolbar\WebBrowser: (LimeWire Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1454471165-602609370-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1236193398968 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1238086879937 (MUWebControl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos-beta/OnlineScanner.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.20.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\GoToAssist: DllName - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll - C:\Program Files\Citrix\GoToAssist\514\g2awinlogon.dll (Citrix Online, a division of Citrix Systems, Inc.)
O20 - Winlogon\Notify\itlntfy: DllName - itlnfw32.dll - File not found
O24 - Desktop WallPaper: C:\Documents and Settings\robertmoss\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\robertmoss\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/03/02 21:16:43 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{0d4ba056-3c2f-11df-a68b-000cf1829a13}\Shell - "" = AutoRun
O33 - MountPoints2\{0d4ba056-3c2f-11df-a68b-000cf1829a13}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{0d4ba056-3c2f-11df-a68b-000cf1829a13}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -a
O33 - MountPoints2\F\Shell - "" = AutoRun
O33 - MountPoints2\F\Shell\AutoRun - "" = Auto&Play
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/05/13 19:10:21 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\robertmoss\Desktop\OTL.exe
[2011/05/13 13:21:28 | 001,407,280 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\robertmoss\Desktop\TDSSKiller.exe
[2011/05/10 18:53:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\robertmoss\Desktop\gmer
[2011/05/08 13:20:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2011/05/08 13:20:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2011/05/08 12:54:05 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/05/08 12:54:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/05/08 12:53:58 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/05/08 12:53:58 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/05/07 08:26:48 | 000,019,544 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2011/05/07 08:26:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\avast! Free Antivirus
[2011/05/07 08:26:47 | 000,307,288 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2011/05/07 08:26:42 | 000,049,240 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2011/05/07 08:26:42 | 000,025,432 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2011/05/07 08:26:41 | 000,441,176 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSnx.sys
[2011/05/07 08:26:40 | 000,102,488 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2011/05/07 08:26:40 | 000,096,344 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2011/05/07 08:26:39 | 000,030,680 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2011/05/07 08:25:47 | 000,040,112 | ---- | C] (AVAST Software) -- C:\WINDOWS\avastSS.scr
[2011/05/07 08:25:46 | 000,199,304 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\aswBoot.exe
[2011/05/07 08:25:24 | 000,000,000 | ---D | C] -- C:\Program Files\AVAST Software
[2011/05/07 07:51:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVAST Software
[2011/05/07 07:29:43 | 000,021,504 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\hidserv.dll
[2011/05/07 07:29:38 | 000,014,592 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdhid.sys
[2011/05/07 07:29:21 | 000,032,128 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\usbccgp.sys
[2011/05/05 18:38:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2011/05/05 18:04:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2011/05/05 17:50:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\robertmoss\My Documents\FrostWire
[2011/05/05 17:18:14 | 000,000,000 | -HSD | C] -- C:\__
[2011/05/05 17:17:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\robertmoss\Application Data\FrostWire
[2011/05/05 17:16:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\robertmoss\datsystem
[2011/05/05 14:45:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\robertmoss\Local Settings\Application Data\{8F65C169-D330-4EA8-9F7B-075D00B60927}
[2011/05/05 14:43:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\robertmoss\Application Data\Onowi
[2011/05/05 14:43:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\robertmoss\Application Data\Iwruwy
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/05/13 19:29:38 | 000,000,894 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/05/13 19:10:16 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\robertmoss\Desktop\OTL.exe
[2011/05/13 19:01:00 | 000,000,244 | ---- | M] () -- C:\WINDOWS\tasks\Scheduled Update for Ask Toolbar.job
[2011/05/13 19:00:38 | 000,000,890 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/05/13 19:00:35 | 000,000,320 | -HS- | M] () -- C:\WINDOWS\tasks\Ejniylya.job
[2011/05/13 18:59:40 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/05/13 18:51:52 | 001,280,208 | ---- | M] () -- C:\Documents and Settings\robertmoss\Desktop\tdsskiller.zip
[2011/05/13 13:21:28 | 001,407,280 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\robertmoss\Desktop\TDSSKiller.exe
[2011/05/10 18:52:46 | 000,293,775 | ---- | M] () -- C:\Documents and Settings\robertmoss\Desktop\gmer.zip
[2011/05/10 18:39:59 | 000,625,664 | ---- | M] () -- C:\Documents and Settings\robertmoss\Desktop\dds.scr
[2011/05/10 18:36:20 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\robertmoss\defogger_reenable
[2011/05/10 18:35:52 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\robertmoss\Desktop\Defogger.exe
[2011/05/10 18:20:08 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/05/08 17:22:38 | 000,002,501 | ---- | M] () -- C:\Documents and Settings\robertmoss\Desktop\WinXP Manager.lnk
[2011/05/08 14:26:04 | 000,001,984 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/05/08 12:59:15 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/05/08 08:11:10 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Qxamofejinur.bin
[2011/05/07 08:26:48 | 000,001,689 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2011/05/07 08:26:41 | 000,002,625 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2011/05/07 07:53:11 | 056,189,640 | ---- | M] () -- C:\Program Files\setup_av_free.exe
[2011/05/05 14:45:30 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Onitoyaqogun.dat
[2011/05/05 14:43:20 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\robertmoss\2gweorjqjutp92vjy9gake
[2011/05/03 10:01:00 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/05/02 08:43:37 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2011/04/18 10:25:12 | 000,040,112 | ---- | M] (AVAST Software) -- C:\WINDOWS\avastSS.scr
[2011/04/18 10:25:10 | 000,199,304 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\aswBoot.exe
[2011/04/18 10:17:46 | 000,441,176 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSnx.sys
[2011/04/18 10:17:34 | 000,307,288 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2011/04/18 10:16:18 | 000,049,240 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2011/04/18 10:16:06 | 000,102,488 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2011/04/18 10:16:02 | 000,096,344 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2011/04/18 10:13:21 | 000,025,432 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2011/04/18 10:13:02 | 000,030,680 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2011/04/18 10:12:58 | 000,019,544 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/05/13 18:51:39 | 001,280,208 | ---- | C] () -- C:\Documents and Settings\robertmoss\Desktop\tdsskiller.zip
[2011/05/10 18:52:46 | 000,293,775 | ---- | C] () -- C:\Documents and Settings\robertmoss\Desktop\gmer.zip
[2011/05/10 18:39:50 | 000,625,664 | ---- | C] () -- C:\Documents and Settings\robertmoss\Desktop\dds.scr
[2011/05/10 18:36:20 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\robertmoss\defogger_reenable
[2011/05/10 18:35:52 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\robertmoss\Desktop\Defogger.exe
[2011/05/08 12:54:05 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/05/07 08:26:48 | 000,001,689 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2011/05/07 07:53:17 | 056,189,640 | ---- | C] () -- C:\Program Files\setup_av_free.exe
[2011/05/05 14:45:30 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Onitoyaqogun.dat
[2011/05/05 14:45:30 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Qxamofejinur.bin
[2011/05/05 14:43:20 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\robertmoss\2gweorjqjutp92vjy9gake
[2011/05/04 01:27:38 | 000,000,320 | -HS- | C] () -- C:\WINDOWS\tasks\Ejniylya.job
[2010/12/04 07:39:53 | 000,232,968 | ---- | C] () -- C:\WINDOWS\System32\nvdrsdb0.bin
[2010/12/04 07:39:50 | 000,232,968 | ---- | C] () -- C:\WINDOWS\System32\nvdrsdb1.bin
[2010/12/04 07:39:50 | 000,000,001 | ---- | C] () -- C:\WINDOWS\System32\nvdrssel.bin
[2010/07/10 06:38:00 | 002,195,030 | ---- | C] () -- C:\WINDOWS\System32\nvdata.bin
[2009/08/12 04:50:18 | 000,000,373 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2009/08/11 13:22:57 | 000,006,426 | ---- | C] () -- C:\WINDOWS\th1234.dat
[2009/03/25 10:23:03 | 000,000,049 | ---- | C] () -- C:\WINDOWS\lexstat.ini
[2009/03/13 09:14:25 | 000,010,752 | ---- | C] () -- C:\Documents and Settings\robertmoss\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/03/05 02:45:50 | 000,001,984 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2009/03/04 22:43:34 | 000,000,133 | ---- | C] () -- C:\Documents and Settings\robertmoss\Local Settings\Application Data\fusioncache.dat
[2009/03/04 12:40:12 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2009/03/02 22:44:35 | 000,000,270 | ---- | C] () -- C:\WINDOWS\dellstat.ini
[2009/03/02 22:44:21 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\dlbkvs.dll
[2009/03/02 22:44:11 | 000,000,255 | ---- | C] () -- C:\WINDOWS\System32\dlbkcoin.ini
[2009/03/02 22:24:59 | 000,303,104 | ---- | C] () -- C:\WINDOWS\System32\ati2evxx.exe
[2009/03/02 22:24:59 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\ati2evxx.dll
[2009/03/02 21:29:43 | 000,000,791 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2009/03/02 21:25:03 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2009/03/02 21:12:41 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2009/03/02 13:03:18 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2009/03/02 13:01:51 | 000,269,392 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2003/11/12 04:54:00 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2003/08/13 12:25:42 | 000,444,028 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2003/08/13 12:25:42 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2003/08/13 12:25:41 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2003/08/13 12:25:40 | 000,071,904 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2003/08/13 12:25:09 | 000,004,594 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2003/08/13 12:25:08 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2003/08/13 12:24:27 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2003/08/13 12:21:16 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2003/08/13 12:21:09 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2003/08/13 12:17:33 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2003/08/13 12:17:02 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin

========== Alternate Data Streams ==========

@Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
@Alternate Data Stream - 106 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2

< End of report >

And finally the OTL extras log:

OTL Extras logfile created on: 5/13/2011 7:15:29 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\robertmoss\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.00 Mb Total Physical Memory | 170.00 Mb Available Physical Memory | 33.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 82.00% Paging File free
Paging file location(s): C:\pagefile.sys 1543 2331 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 38.28 Gb Total Space | 23.09 Gb Free Space | 60.33% Space Free | Partition Type: NTFS

Computer Name: ROBERT-GTRG3ASV | User Name: robertmoss | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- C:\Program Files\VideoLAN\VLC\vlc.exe --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- C:\Program Files\VideoLAN\VLC\vlc.exe --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"8085:TCP" = 8085:TCP:*:Enabled:browserctl
"80:TCP" = 80:TCP:*:Enabled:websrvx
"53:TCP" = 53:TCP:*:Enabled:websrvx

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Documents and Settings\robertmoss\Local Settings\Temp\ImInstaller\incredimail_installer.exe" = C:\Documents and Settings\robertmoss\Local Settings\Temp\ImInstaller\incredimail_installer.exe:*:Enabled:IncrediMail Installer
"C:\Program Files\LimeWire\LimeWire.exe" = C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire
"C:\Program Files\FrostWire\FrostWire.exe" = C:\Program Files\FrostWire\FrostWire.exe:*:Enabled:FrostWire


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{216AB108-2AE1-4130-B3D5-20B2C4C80F8F}" = QuickTime
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83216018FF}" = Java™ 6 Update 21
"{287ECFA4-719A-2143-A09B-D6A12DE54E40}" = Acrobat.com
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4E6F4A97-631B-4C11-80AC-80111B64A909}" = ATIMCEE
"{66A9D30D-1464-4C7F-B2F3-507DADAF2595}" = Microsoft IntelliPoint 6.3
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{784CFD4D-1BA5-4DB5-9377-84DAF0D19EF1}" = WinXP Manager
"{7F34A21F-2DEB-4598-BB19-611D6BD24271}" = Managed DirectX (0901)
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISE_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{926CC8AE-8414-43DF-8EB4-CF26D9C3C663}" =
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.4
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D78653C3-A8FF-415F-92E6-D774E634FF2D}" = Dell ResourceCD
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"ATI Display Driver" = ATI Display Driver
"avast" = avast! Free Antivirus
"BCM V.92 56K Modem" = BCM V.92 56K Modem
"Coupon Printer for Windows4.0" = Coupon Printer for Windows
"Dell AIO Printer A920" = Dell AIO Printer A920
"ENTERPRISE" = Microsoft Office Enterprise 2007
"GoToAssist" = GoToAssist 8.0.0.514
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InstallShield_{4E6F4A97-631B-4C11-80AC-80111B64A909}" = ATIMCEE
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Display Control Panel" = NVIDIA Display Control Panel
"NVIDIA Drivers" = NVIDIA Drivers
"NVIDIA nView Desktop Manager" = NVIDIA nView Desktop Manager
"PROSet" = Intel® PRO Network Connections Drivers
"VLC media player" = VLC media player 0.9.8a
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows Media Player" = Windows Media Player 10
"Windows XP Service Pack" = Windows XP Service Pack 3

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1454471165-602609370-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Yahoo! BrowserPlus" = Yahoo! BrowserPlus 2.9.8

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 8/3/2010 9:52:47 AM | Computer Name = ROBERT-GTRG3ASV | Source = Ci | ID = 4126
Description = Cleaning up corrupt content index metadata on c:\system volume information\catalog.wci.
Index will be automatically restored by refiltering all documents.

Error - 9/16/2010 9:27:51 AM | Computer Name = ROBERT-GTRG3ASV | Source = Ci | ID = 4124
Description = Content index on c:\system volume information\catalog.wci is corrupt.
Please shutdown and restart the Indexing Service (cisvc).

Error - 9/16/2010 9:27:51 AM | Computer Name = ROBERT-GTRG3ASV | Source = Ci | ID = 4126
Description = Cleaning up corrupt content index metadata on c:\system volume information\catalog.wci.
Index will be automatically restored by refiltering all documents.

Error - 9/17/2010 9:44:10 PM | Computer Name = ROBERT-GTRG3ASV | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 7.0.6000.17080, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 9/17/2010 9:44:10 PM | Computer Name = ROBERT-GTRG3ASV | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 7.0.6000.17080, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 9/27/2010 2:03:52 PM | Computer Name = ROBERT-GTRG3ASV | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.6000.17080, faulting
module mshtml.dll, version 7.0.6000.17080, fault address 0x000bdad2.

Error - 10/1/2010 10:53:47 AM | Computer Name = ROBERT-GTRG3ASV | Source = Application Hang | ID = 1002
Description = Hanging application InstallFlashPlayer.exe, version 10.1.85.3, hang
module hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 10/1/2010 10:53:50 AM | Computer Name = ROBERT-GTRG3ASV | Source = Application Hang | ID = 1002
Description = Hanging application InstallFlashPlayer.exe, version 10.1.85.3, hang
module hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 10/3/2010 9:13:04 PM | Computer Name = ROBERT-GTRG3ASV | Source = .NET Runtime | ID = 1023
Description = .NET Runtime version 2.0.50727.3615 - Fatal Execution Engine Error
(7A0979AE) (80131506)

Error - 10/3/2010 9:13:07 PM | Computer Name = ROBERT-GTRG3ASV | Source = .NET Runtime 2.0 Error Reporting | ID = 1000
Description = Faulting application junkfilecleaner.exe, version 5.5.0.0, stamp 48716bdc,
faulting module mscorwks.dll, version 2.0.50727.3615, stamp 4be902c7, debug? 0,
fault address 0x0010be75.

[ System Events ]
Error - 5/11/2011 12:45:39 AM | Computer Name = ROBERT-GTRG3ASV | Source = Service Control Manager | ID = 7023
Description = The Intel CPU service terminated with the following error: %%126

Error - 5/11/2011 12:45:39 AM | Computer Name = ROBERT-GTRG3ASV | Source = Service Control Manager | ID = 7000
Description = The ATI WDM Specialized MVD Codec service failed to start due to the
following error: %%1058

Error - 5/11/2011 12:45:39 AM | Computer Name = ROBERT-GTRG3ASV | Source = Service Control Manager | ID = 7000
Description = The ATI WDM Specialized PCD Codec service failed to start due to the
following error: %%1058

Error - 5/12/2011 9:22:27 PM | Computer Name = ROBERT-GTRG3ASV | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.

Error - 5/13/2011 10:02:29 PM | Computer Name = ROBERT-GTRG3ASV | Source = Service Control Manager | ID = 7000
Description = The ATI WDM TV Tuner service failed to start due to the following
error: %%1058

Error - 5/13/2011 10:02:29 PM | Computer Name = ROBERT-GTRG3ASV | Source = Service Control Manager | ID = 7000
Description = The ATI WDM TV Audio Crossbar service failed to start due to the following
error: %%1058

Error - 5/13/2011 10:02:29 PM | Computer Name = ROBERT-GTRG3ASV | Source = Service Control Manager | ID = 7023
Description = The Intel CPU service terminated with the following error: %%126

Error - 5/13/2011 10:02:29 PM | Computer Name = ROBERT-GTRG3ASV | Source = Service Control Manager | ID = 7000
Description = The ATI WDM Specialized MVD Codec service failed to start due to the
following error: %%1058

Error - 5/13/2011 10:02:29 PM | Computer Name = ROBERT-GTRG3ASV | Source = Service Control Manager | ID = 7000
Description = The ATI WDM Specialized PCD Codec service failed to start due to the
following error: %%1058

Error - 5/13/2011 10:02:35 PM | Computer Name = ROBERT-GTRG3ASV | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the nvsvc service.


< End of report >

#4 SweetTech (Agent ST)

Posted 14 May 2011 - 10:40 AM

Hi!

Did you enable these ports?

"8085:TCP" = 8085:TCP:*:Enabled:browserctl
"80:TCP" = 80:TCP:*:Enabled:websrvx
"53:TCP" = 53:TCP:*:Enabled:websrvx

Looks like TDSSKiller has found the main culprit!

The main infection that you were infected with is called TDL4.

See the snippet of text below:

2011/05/13 18:56:26.0369 3872 Detected object count: 1
2011/05/13 18:56:45.0681 3872 \HardDisk0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/05/13 18:56:45.0713 3872 \HardDisk0 - ok
2011/05/13 18:56:45.0713 3872 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2011/05/13 18:56:58.0603 3384 Deinitialize success


You can read more about this infection here:

Special thanks to quietman7 for providing the above links.



NEXT:



OTL Fix

We need to run an OTL Fix
  • Please reopen OTL on your desktop.
  • Copy and paste the following code into the Custom Scans/Fixes textbox.
    :Services
    :OTL
    SRV - File not found [Auto | Stopped] -- -- (itlperf)
    IE - HKU\S-1-5-21-1454471165-602609370-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555
    O2 - BHO: (no name) - {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - No CLSID value found.
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos-beta/OnlineScanner.cab (Reg Error: Key error.)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    O20 - Winlogon\Notify\itlntfy: DllName - itlnfw32.dll - File not found
    O33 - MountPoints2\{0d4ba056-3c2f-11df-a68b-000cf1829a13}\Shell - "" = AutoRun
    O33 - MountPoints2\{0d4ba056-3c2f-11df-a68b-000cf1829a13}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{0d4ba056-3c2f-11df-a68b-000cf1829a13}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -a
    O33 - MountPoints2\F\Shell - "" = AutoRun
    O33 - MountPoints2\F\Shell\AutoRun - "" = Auto&Play
    [2011/05/05 14:45:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\robertmoss\Local Settings\Application Data\{8F65C169-D330-4EA8-9F7B-075D00B60927}
    [2011/05/05 14:43:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\robertmoss\Application Data\Onowi
    [2011/05/05 14:43:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\robertmoss\Application Data\Iwruwy
    [2011/05/13 19:00:35 | 000,000,320 | -HS- | M] () -- C:\WINDOWS\tasks\Ejniylya.job
    [2011/05/08 08:11:10 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Qxamofejinur.bin
    [2011/05/05 14:45:30 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Onitoyaqogun.dat
    [2011/05/05 14:43:20 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\robertmoss\2gweorjqjutp92vjy9gake
    [2011/05/05 14:45:30 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Onitoyaqogun.dat
    [2011/05/05 14:45:30 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Qxamofejinur.bin
    [2011/05/05 14:43:20 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\robertmoss\2gweorjqjutp92vjy9gake
    [2011/05/04 01:27:38 | 000,000,320 | -HS- | C] () -- C:\WINDOWS\tasks\Ejniylya.job
    
    :Reg
    
    :Files
    dir /s /a "C:\__" /c
    ipconfig /flushdns /c
    :Commands
    [purity]
    [resethosts]
    [CreateRestorePoint]
    
  • Push the Run Fix button.
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click the OK button.
  • A report will open. Copy and Paste that report in your next reply.
  • If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.


NEXT:


Malwarebytes' Anti-Malware

I see that you have Malwarebytes' Anti-Malware installed on your computer; could you please do a scan using these settings:

  • Open Malwarebytes' Anti-Malware
  • Select the Update tab
  • Click Check for Updates
  • After the update has been completed, select the Scanner tab.
  • Select Perform quick scan, then click on Scan
  • Leave the default options as they are and click on Start Scan
  • When done, you will be prompted. Click OK, then click on Show Results
  • Check (tick) all items and click on Remove Selected
  • After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom-most log is the latest.
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT:



What issues are you currently experiencing with your computer?

Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.
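A defender-side check for the two indicators raised in this post (firewall exceptions opened for unfamiliar programs, and an IE proxy pointed at a loopback port), as an added example that is not part of the thread: it parses OTL-style lines in the `port:proto:scope:state:name` format quoted above. The sample lines are constructed from the entries in the post, and the allowlist of known exception names is an assumption.

```python
import re

# Format of the GloballyOpenPorts\List values as OTL prints them
# (constructed to match the three entries quoted in the post):
#   "8085:TCP" = 8085:TCP:*:Enabled:browserctl
PORT_RE = re.compile(
    r'^"(?P<kport>\d+):(?P<kproto>TCP|UDP)"\s*=\s*'
    r'(?P<port>\d+):(?P<proto>TCP|UDP):(?P<scope>[^:]*):'
    r'(?P<state>Enabled|Disabled):(?P<name>.*)$'
)

# OTL "IE -" lines that carry a per-user ProxyServer value
PROXY_RE = re.compile(r'"ProxyServer"\s*=\s*(?P<value>\S+)')
LOOPBACK_RE = re.compile(r'(?:127\.\d+\.\d+\.\d+|localhost)(?::\d+)?', re.IGNORECASE)

# Assumed allowlist: exception names the machine owner is known to have
# created or that Windows itself registers (compared case-insensitively).
KNOWN_EXCEPTIONS = {"@xpsp2res.dll,-22004", "@xpsp2res.dll,-22009"}


def parse_port_exception(line):
    """Return the fields of a firewall exception line, or None if it isn't one."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["port"] = int(d["port"])
    return d


def check_log(lines, known=KNOWN_EXCEPTIONS):
    """Scan OTL-style lines and return (kind, where, what) findings."""
    known = {k.lower() for k in known}
    findings = []
    for line in lines:
        entry = parse_port_exception(line)
        if entry is not None:
            # An enabled exception for a program nobody recognises is
            # worth a question before anything else is done.
            if entry["state"] == "Enabled" and entry["name"].lower() not in known:
                findings.append(("firewall-exception",
                                 f'{entry["port"]}/{entry["proto"]}',
                                 entry["name"]))
            continue
        m = PROXY_RE.search(line)
        if m and LOOPBACK_RE.search(m.group("value")):
            # A proxy pointing back at the local machine means some local
            # process sits between the browser and the network.
            findings.append(("loopback-proxy", "ProxyServer", m.group("value")))
    return findings


# Constructed sample: the three exceptions and the proxy line from the post,
# plus two entries of the kind Windows registers by itself.
SAMPLE_LOG = [
    '"8085:TCP" = 8085:TCP:*:Enabled:browserctl',
    '"80:TCP" = 80:TCP:*:Enabled:websrvx',
    '"53:TCP" = 53:TCP:*:Enabled:websrvx',
    '"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004',
    '"3389:TCP" = 3389:TCP:*:Disabled:@xpsp2res.dll,-22009',
    'IE - HKU\\S-1-5-21-1454471165-602609370-725345543-1003\\Software\\Microsoft\\Windows'
    '\\CurrentVersion\\Internet Settings: "ProxyServer" = http=127.0.0.1:5555',
]

if __name__ == "__main__":
    for kind, where, what in check_log(SAMPLE_LOG):
        print(f"{kind:20s} {where:12s} {what}")
```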


#5 antonio831 (Topic Starter)

Posted 16 May 2011 - 12:54 AM

Hi ST! The OTL file is too large to copy and paste. It locks the computer up. I can paste the Malwarebytes log, though. I have not opened any ports myself on this computer, but other people do use it. Thanks again for your help.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6586

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

5/15/2011 10:03:21 PM
mbam-log-2011-05-15 (22-03-21).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 238269
Time elapsed: 2 hour(s), 17 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\ICS5R7Y0OS (Trojan.FakeAlert.SA) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\R8388QA8U8 (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\ (Hijack.Zones) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#6 SweetTech (Agent ST)

Posted 16 May 2011 - 09:07 AM

Hi!

Can you please submit the OTL file to my submission channel?

Uploading File
Please visit this site & follow the instructions for uploading the file mentioned below.
Copy/paste the contents of the Code Box below into the Link to topic where this file was requested: box:
http://www.bleepingcomputer.com/forums/topic396680.html/page__view__findpost__p__2249884
Click Browse & navigate to where the OTL fix log is saved.

The log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.



Cheers,
ST.



#7 antonio831 (Topic Starter)

Posted 16 May 2011 - 10:05 AM

The file is over the download limit size.

#8 SweetTech (Agent ST)

Posted 16 May 2011 - 10:19 AM

Can you zip it up and try submitting it that way?



#9 antonio831 (Topic Starter)

Posted 16 May 2011 - 02:22 PM

OK...it is sent. I should have thought to zip the file!

#10 SweetTech (Agent ST)

Posted 16 May 2011 - 03:46 PM

Hi!

No worries!

I got the zip file successfully.

Do you happen to recognize this folder? C:\__

I'd like to grab a sample of a couple of the files, and have a look at them to see what exactly they do.

Please download ZipIt from here:
Download Link
  • Double-click ZipIt! to run it. (Windows Vista & 7 users need to right click and Run as Administrator)
  • Then copy the content of the following codebox into the textfield:

    ::info::L@C
    ::bleeping::102
    C:\__\Autodesk AutoCAD PID 2011.zip
    C:\__\AVG 9.0 PRO Anti-Virus several keys till 2018.zip
    
  • Then, just click the Zip button.
  • When finished, and if successful, it should automatically submit a file for me, so that it may be analyzed further. You should also see that a new .zip file has been created on your Desktop. You will be notified of what the file name is when the process has been completed.

Edited by SweetTech, 16 May 2011 - 04:22 PM.



#11 antonio831 (Topic Starter)

Posted 16 May 2011 - 08:27 PM

Howdy! You sure have a good connection for living in Antarctica!!! I have no clue what that file is that you asked about. This is a computer that I allow visitors to use. I ain't gonna let them touch my new puter or my baby I built 7 years ago or my Linux server box! Once again...thanks for the help. I have done a couple of things on the side to this puter and it is getting faster finally. As an aside, I have a BS in IT...but never learned how to do the stuff you are helping me with!

#12 SweetTech (Agent ST)

Posted 17 May 2011 - 08:31 AM

Should have new instructions in a little while.

Edited by SweetTech, 17 May 2011 - 08:32 AM.



#13 SweetTech (Agent ST)

Posted 17 May 2011 - 10:11 AM

Hi!


Running ComboFix
Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
  • IMPORTANT - Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

    Note: If AVG or CA Internet Security Suite is installed, you must remove these programs before using Combofix. If for some reason these applications will not uninstall, try uninstalling with AppRemover by Opswat.
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Please make sure you include the ComboFix log in your next reply, as well as describe how your computer is running now.



#14 antonio831 (Topic Starter)

Posted 17 May 2011 - 11:45 AM

OK all done. I have a question though. When the computer rebooted, it is set up to auto start the antivirus and the malwarebytes. I turned them off right away. I assume that was ok. Here is the log:

ComboFix 11-05-16.04 - robertmoss 05/17/2011 8:59.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.193 [GMT -7:00]
Running from: c:\documents and settings\robertmoss\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\carolynmoss\Local Settings\Application Data\{5AC82677-3B4A-47F1-A48E-EC8966EE6195}
c:\documents and settings\carolynmoss\Local Settings\Application Data\{5AC82677-3B4A-47F1-A48E-EC8966EE6195}\chrome.manifest
c:\documents and settings\carolynmoss\Local Settings\Application Data\{5AC82677-3B4A-47F1-A48E-EC8966EE6195}\chrome\content\_cfg.js
c:\documents and settings\carolynmoss\Local Settings\Application Data\{5AC82677-3B4A-47F1-A48E-EC8966EE6195}\chrome\content\overlay.xul
c:\documents and settings\carolynmoss\Local Settings\Application Data\{5AC82677-3B4A-47F1-A48E-EC8966EE6195}\install.rdf
c:\documents and settings\donnie\Application Data\alot
c:\documents and settings\robertmoss\Application Data\Adobe\plugs
c:\documents and settings\robertmoss\Application Data\Adobe\plugs\mmc122445609.txt
c:\documents and settings\robertmoss\Application Data\Adobe\shed
c:\documents and settings\robertmoss\Application Data\Adobe\shed\thr1.chm
c:\documents and settings\robertmoss\Recent\SpeedStream Router Configurator (2).url
c:\documents and settings\robertmoss\Recent\SpeedStream Router Configurator.url
c:\documents and settings\robertmoss\WINDOWS
c:\program files\Common Files\Uninstall
c:\windows\4ff345dfbh521
c:\windows\Downloaded Program Files\f3initialsetup1.0.1.1.inf
c:\windows\system32\ndisapi.dll
c:\windows\system32\tmp.reg
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_BROWSERCTL
-------\Legacy_BROWSERCTLDRV
.
.
((((((((((((((((((((((((( Files Created from 2011-04-17 to 2011-05-17 )))))))))))))))))))))))))))))))
.
.
2011-05-16 00:10 . 2011-05-16 00:10 -------- d-----w- C:\_OTL
2011-05-08 19:54 . 2010-12-21 01:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-08 19:53 . 2011-05-08 19:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-08 19:53 . 2010-12-21 01:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-07 15:26 . 2011-04-18 17:12 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-05-07 15:26 . 2011-04-18 17:17 307288 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-05-07 15:26 . 2011-04-18 17:16 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-05-07 15:26 . 2011-04-18 17:13 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-05-07 15:26 . 2011-04-18 17:17 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-05-07 15:26 . 2011-04-18 17:16 102488 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-05-07 15:26 . 2011-04-18 17:16 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-05-07 15:26 . 2011-04-18 17:13 30680 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-05-07 15:25 . 2011-04-18 17:25 40112 ----a-w- c:\windows\avastSS.scr
2011-05-07 15:25 . 2011-04-18 17:25 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-05-07 15:25 . 2011-05-07 15:25 -------- d-----w- c:\program files\AVAST Software
2011-05-07 14:53 . 2011-05-07 14:53 56189640 ----a-w- c:\program files\setup_av_free.exe
2011-05-07 14:51 . 2011-05-07 14:51 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2011-05-07 14:29 . 2008-04-13 23:11 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2011-05-07 14:29 . 2008-04-13 23:11 21504 ----a-w- c:\windows\system32\hidserv.dll
2011-05-07 14:29 . 2008-04-13 17:39 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2011-05-07 14:29 . 2008-04-13 17:39 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2011-05-07 14:29 . 2008-04-13 17:45 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2011-05-07 14:29 . 2008-04-13 17:45 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2011-05-06 00:18 . 2011-05-06 00:48 -------- d-----w- C:\__
2011-05-06 00:17 . 2011-05-06 01:18 -------- d-----w- c:\documents and settings\robertmoss\Application Data\FrostWire
2011-05-06 00:16 . 2011-05-08 17:11 -------- d-----w- c:\documents and settings\robertmoss\datsystem
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-07 05:33 . 2009-03-03 04:13 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:45 . 2003-08-13 19:32 434176 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2003-08-13 19:34 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-17 19:00 . 2006-06-23 19:33 832512 ----a-w- c:\windows\system32\wininet.dll
2011-02-17 19:00 . 2004-08-04 07:56 78336 ------w- c:\windows\system32\ieencode.dll
2011-02-17 19:00 . 2003-08-13 19:18 1830912 ------w- c:\windows\system32\inetcpl.cpl
2011-02-17 19:00 . 2003-08-13 19:16 17408 ----a-w- c:\windows\system32\corpol.dll
2011-02-17 13:18 . 2003-08-13 19:21 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2003-08-13 19:30 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2009-04-15 15:57 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-17 11:44 . 2004-08-04 05:59 389120 ------w- c:\windows\system32\html.iec
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-06-11 1233288]
.
[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-06-11 00:28 1233288 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-06-11 1233288]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-06-11 1233288]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-04-18 17:25 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2008-06-10 1406024]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-04-18 3460784]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-10 13923432]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-12-21 443728]
.
c:\documents and settings\joshmoss\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-03-03 05:38 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PersonalAV
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2003-09-07 05:00 335872 ----a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
2003-08-29 12:59 122880 ----a-w- c:\windows\BCMSMMSG.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell AIO Printer A920]
2003-05-12 23:02 270336 ----a-w- c:\program files\Dell AIO Printer A920\dlbkbmgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2008-04-14 00:12 50176 ----a-w- c:\windows\eHome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 19:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"swg"=c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ATIModeChange"=Ati2mdxx.exe
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe"
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"nwiz"=c:\program files\NVIDIA Corporation\nView\nwiz.exe /installquiet
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [5/7/2011 8:26 AM 441176]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [5/7/2011 8:26 AM 307288]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [5/7/2011 8:26 AM 19544]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [5/8/2011 12:54 PM 363344]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [5/8/2011 12:53 PM 20952]
S0 nvoedfk;nvoedfk;c:\windows\system32\drivers\nvlsnxwd.sys --> c:\windows\system32\drivers\nvlsnxwd.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/1/2010 8:14 AM 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [10/1/2010 8:14 AM 136176]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - NDISRD
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
itlsvc REG_MULTI_SZ itlperf
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]
.
2011-05-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-01 15:13]
.
2011-05-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-01 15:13]
.
2011-05-17 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-06-11 00:28]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-17 09:28
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(696)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
.
- - - - - - - > 'explorer.exe'(1900)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2011-05-17 09:35:55 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-17 16:35
.
Pre-Run: 24,232,820,736 bytes free
Post-Run: 24,789,372,928 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
.
Current=2 Default=2 Failed=4 LastKnownGood=3 Sets=1,2,3,4
- - End Of File - - 6A9EAF8F4676D9CA6A5FF1CEBB96005D
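As an added example that is not part of this thread, here is a small Python triage helper that parses the service, Security Center, firewall-policy and svchost lines of a ComboFix log in the format shown above and flags the entries a helper would look at first: a boot-start driver whose file ComboFix could not locate, a disabled firewall, and a custom svchost group. The sample lines are constructed from the log above, and the regexes and the reading of the `[?]` marker are assumptions about the log format, not ComboFix documentation.

```python
import re

# Constructed sample: a few lines in the shape of the ComboFix log above (not the full log).
SAMPLE_LOG = r"""
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [5/7/2011 8:26 AM 441176]
S0 nvoedfk;nvoedfk;c:\windows\system32\drivers\nvlsnxwd.sys --> c:\windows\system32\drivers\nvlsnxwd.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/1/2010 8:14 AM 136176]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
itlsvc REG_MULTI_SZ itlperf
"""

# "R"/"S" = running/stopped; the digit is the start type (0 boot, 1 system, 2 auto, 3 demand, 4 disabled).
SERVICE_RE = re.compile(r"^([RS][0-4]) ([^;]+);([^;]*);(.*)$")
SVCHOST_RE = re.compile(r"^(\S+) REG_MULTI_SZ (.+)$")
FIREWALL_RE = re.compile(r'^"EnableFirewall"=\s*(\d)')
OVERRIDE_RE = re.compile(r'^"FirewallOverride"=dword:0*([0-9a-fA-F]+)$')

def triage(log_text):
    """Return (kind, name, detail) findings from a ComboFix log excerpt (assumed format)."""
    findings = []
    section = None
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("["):          # registry key header: remember which block we are in
            section = line.lower()
            continue
        m = SERVICE_RE.match(line)
        if m:
            start, name, _display, image = m.groups()
            # Assumption: "--> path [?]" means ComboFix could not stat the file (no date/size shown).
            if image.endswith("[?]"):
                prio = "high" if start[1] in "01" else "medium"   # boot/system-start entries first
                findings.append(("unverified-service", name, f"{start} {image.split(' --> ')[-1]} ({prio})"))
            continue
        if section and "firewallpolicy" in section:
            m = FIREWALL_RE.match(line)
            if m and m.group(1) == "0":
                findings.append(("firewall-disabled", "EnableFirewall", section))
        elif section and "security center" in section:
            m = OVERRIDE_RE.match(line)
            if m and m.group(1) != "0":
                findings.append(("firewall-override", "FirewallOverride", line))
        elif section and section.endswith("currentversion\\svchost]"):
            m = SVCHOST_RE.match(line)
            if m:
                findings.append(("svchost-group", m.group(1), "services: " + m.group(2)))
    return findings

if __name__ == "__main__":
    for kind, name, detail in triage(SAMPLE_LOG):
        print(f"{kind:20} {name:18} {detail}")
```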

#15 SweetTech (Agent ST)

Posted 17 May 2011 - 11:50 AM

Hi!

OK all done. I have a question though. When the computer rebooted, it is set up to auto start the antivirus and the malwarebytes. I turned them off right away. I assume that was ok. Here is the log:

Yes, that's okay.

ComboFix Script
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

KillAll::
DirLook::
c:\documents and settings\robertmoss\datsystem
Folder::
C:\__

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

[Screenshot not preserved: dragging CFScript.txt onto ComboFix.exe]
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. If ComboFix prompts you to update to the newest version, please allow it to do so. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



NEXT:



Malwarebytes' Anti-Malware

I see that you have Malwarebytes' Anti-Malware installed on your computer. Could you please do a scan using these settings:

  • Open Malwarebytes' Anti-Malware
  • Select the Update tab
  • Click Check for Updates
  • After the update has been completed, select the Scanner tab.
  • Select Perform quick scan, then click on Scan
  • Leave the default options as they are and click on Start Scan
  • When done, you will be prompted. Click OK, then click on Show Results
  • Check (tick) all items and click on Remove Selected
  • After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab; the bottom-most log is the latest.
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



NEXT:



What issues are you currently experiencing with your computer?

Have I helped you? If you'd like to assist in the fight against malware, click here


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.




