
zlob and rootkit


  • This topic is locked
12 replies to this topic

#1 cbrooks302

cbrooks302

  • Members
  • 15 posts

Posted 05 September 2011 - 10:47 AM

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by David Caulford at 10:23:15 on 2011-09-05
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.651 [GMT -4:00]
.
AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Ahead\InCD\InCDsrv.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
X:\Program Files\Webshots\webshots.scr
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\DOCUME~1\DAVIDC~1\LOCALS~1\Temp\~nsu.tmp\Au_.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.websudoku.com/?level=4
mStart Page = about:blank
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [PopUpStopperFreeEdition] "c:\progra~1\panicw~1\pop-up~1\PSFree.exe"
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10t_ActiveX.exe -update activex
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [<NO NAME>]
mRun: [LXBXCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXBXtime.dll,_RunDLLEntry@16
StartupFolder: c:\docume~1\davidc~1\startm~1\programs\startup\webshots.lnk - x:\program files\webshots\Launcher.exe
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 24.148.96.1 24.148.96.2
TCP: Interfaces\{B077E682-1EC0-430F-B1D4-58EBE57F7CF7} : DhcpNameServer = 24.148.96.1 24.148.96.2
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\david caulford\application data\mozilla\firefox\profiles\6qd8fw8y.default\
FF - prefs.js: browser.search.selectedEngine - Facemoods Search
FF - prefs.js: browser.startup.homepage - hxxp://www.websudoku.com/?level=4
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-3-29 64288]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-3-29 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-3-29 29584]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-3-29 243152]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-1-15 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-1-15 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCORE.EXE [2011-6-15 116608]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-8-6 921952]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2011-6-1 308136]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-8-12 2152152]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-8-12 15232]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-9-5 136176]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg9\toolbar\ToolbarBroker.exe [2010-10-29 1025352]
S3 cpuz132;cpuz132;\??\c:\docume~1\davidc~1\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\davidc~1\locals~1\temp\cpuz132\cpuz132_x32.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-9-5 136176]
S3 NPF;Netgroup Packet Filter;c:\windows\system32\drivers\packet.sys [2003-8-13 13203]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-1-15 12872]
S4 Unigraphics License Server (uglmd);Unigraphics License Server (uglmd);c:\program files\ugs\license servers\ugnxflexlm\lmgrd.exe [2004-8-2 659456]
.
=============== Created Last 30 ================
.
2011-08-19 00:17:38 -------- d-----w- c:\program files\InfraRecorder
2011-08-19 00:17:19 4090912 ----a-w- c:\program files\InfraRecorder.exe
2011-08-18 23:57:36 -------- d-----w- c:\program files\Doblon
2011-08-14 17:05:00 -------- d-----w- C:\Temp
2011-08-14 13:03:17 -------- d-----w- c:\program files\CCleaner
.
==================== Find3M ====================
.
2011-07-11 01:52:14 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-30 11:59:32 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-06-24 11:06:05 1409 ----a-w- c:\windows\QTFont.for
2011-06-22 13:31:49 77824 ----a-w- c:\windows\system32\qttask.exe
2011-06-20 12:06:18 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-06-20 11:12:15 58696 ----a-w- c:\windows\system32\AOLParconLink.exe
2011-06-15 23:42:10 243152 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2011-06-15 23:39:11 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD2000BB-55GUC0 rev.08.02D08 -> Harddisk2\DR2 -> \Device\Ide\IdePort3 P3T1L0-19
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x896C3EC5]<<
_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x855cb872; SUB DWORD [EBP-0x4], 0x855cb12e; PUSH EDI; CALL 0xffffffffffffdf33; }
1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk2\DR2[0x89886AB8]
3 CLASSPNP[0xF7637FD7] -> nt!IofCallDriver[0x804E13B9] -> \Device\00000066[0x898B39E8]
5 ACPI[0xF75AE620] -> nt!IofCallDriver[0x804E13B9] -> [0x898C6940]
[0x894DC298] -> IRP_MJ_CREATE -> 0x896C3EC5
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP3T1L0-19 -> \??\IDE#DiskWDC_WD2000BB-55GUC0_____________________08.02D08#5&35730f66&0&0.1.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x896C3AEA
user & kernel MBR OK
sectors 390721966 (+255): user != kernel
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 10:25:24.89 ===============


#2 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 05 September 2011 - 03:01 PM

Good evening. :)

Download TDSSKiller.zip from Kaspersky from here and save it to your Desktop.

  • You will then need to extract the file(s) from the zipped folder.
  • To do this: Right-click on the zipped folder and from the menu that appears, click on Extract All...
    In the Extraction Wizard window that opens, click on Next> and in the next window that appears, click on Next> again.
    In the final window, click on Finish

  • Please close all open programs as this may result in a reboot being necessary.
  • Double click TDSSKiller.exe to begin.
  • Click Start scan and allow the tool to do just that.
  • Once the scan has completed, if the tool has identified anything allow it to carry out its default action(s) - you'll need to click Continue where appropriate.
  • Finally, if it prompts you to reboot your machine, please click Reboot Now and ensure that your machine does so.
  • If the scan finds nothing, please click the Report button and let me have a copy of the text file that opens.
  • If you reboot your machine, the log, which I'd like to see, will be located at the root of your hard drive as C:\TDSSKiller.Version_Date_Time_log.txt.
    Please check that you get the one with the right date and time. :)

So long, and thanks for all the fish.

 

 


#3 cbrooks302

cbrooks302
  • Topic Starter

  • Members
  • 15 posts

Posted 05 September 2011 - 06:28 PM

I tried running this this morning. After rebooting, I ran gmer again and got the same results as posted above. Here is the log.

2011/09/05 11:55:31.0781 3356 TDSS rootkit removing tool 2.5.18.0 Sep 5 2011 09:53:09
2011/09/05 11:55:32.0062 3356 ================================================================================
2011/09/05 11:55:32.0062 3356 SystemInfo:
2011/09/05 11:55:32.0062 3356
2011/09/05 11:55:32.0062 3356 OS Version: 5.1.2600 ServicePack: 3.0
2011/09/05 11:55:32.0062 3356 Product type: Workstation
2011/09/05 11:55:32.0062 3356 ComputerName: DMC
2011/09/05 11:55:32.0062 3356 UserName: David Caulford
2011/09/05 11:55:32.0062 3356 Windows directory: C:\WINDOWS
2011/09/05 11:55:32.0062 3356 System windows directory: C:\WINDOWS
2011/09/05 11:55:32.0062 3356 Processor architecture: Intel x86
2011/09/05 11:55:32.0062 3356 Number of processors: 2
2011/09/05 11:55:32.0062 3356 Page size: 0x1000
2011/09/05 11:55:32.0062 3356 Boot type: Normal boot
2011/09/05 11:55:32.0062 3356 ================================================================================
2011/09/05 11:55:33.0781 3356 Initialize success
2011/09/05 11:55:38.0765 2468 ================================================================================
2011/09/05 11:55:38.0765 2468 Scan started
2011/09/05 11:55:38.0765 2468 Mode: Manual;
2011/09/05 11:55:38.0765 2468 ================================================================================
2011/09/05 11:55:40.0187 2468 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/09/05 11:55:40.0281 2468 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/09/05 11:55:40.0453 2468 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/09/05 11:55:40.0562 2468 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2011/09/05 11:55:40.0843 2468 AnyDVD (11fce73ff0e59b48899a6ff5d3dfb710) C:\WINDOWS\system32\Drivers\AnyDVD.sys
2011/09/05 11:55:41.0078 2468 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/09/05 11:55:41.0203 2468 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/09/05 11:55:41.0359 2468 ati2mtag (8759322ffc1a50569c1e5528ee8026b7) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
2011/09/05 11:55:41.0500 2468 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/09/05 11:55:41.0640 2468 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/09/05 11:55:41.0796 2468 AvgLdx86 (b8c187439d27aba430dd69fdcf1fa657) C:\WINDOWS\system32\Drivers\avgldx86.sys
2011/09/05 11:55:41.0906 2468 AvgMfx86 (53b3f979930a786a614d29cafe99f645) C:\WINDOWS\system32\Drivers\avgmfx86.sys
2011/09/05 11:55:42.0031 2468 AvgTdiX (9a7a93388f503a34e7339ae7f9997449) C:\WINDOWS\system32\Drivers\avgtdix.sys
2011/09/05 11:55:42.0156 2468 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/09/05 11:55:42.0250 2468 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/09/05 11:55:42.0375 2468 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2011/09/05 11:55:42.0546 2468 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/09/05 11:55:42.0671 2468 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/09/05 11:55:42.0781 2468 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/09/05 11:55:43.0406 2468 ctsfm2k (8db84de3aab34a8b4c2f644eff41cd76) C:\WINDOWS\system32\DRIVERS\ctsfm2k.sys
2011/09/05 11:55:43.0593 2468 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/09/05 11:55:43.0750 2468 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/09/05 11:55:43.0906 2468 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/09/05 11:55:43.0984 2468 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/09/05 11:55:44.0125 2468 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/09/05 11:55:44.0218 2468 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/09/05 11:55:44.0390 2468 ElbyCDFL (ce37e3d51912e59c80c6d84337c0b4cd) C:\WINDOWS\system32\Drivers\ElbyCDFL.sys
2011/09/05 11:55:44.0468 2468 ElbyCDIO (309ac30471a0f1c3a89dee1c81230576) C:\WINDOWS\system32\Drivers\ElbyCDIO.sys
2011/09/05 11:55:44.0578 2468 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/09/05 11:55:44.0625 2468 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/09/05 11:55:44.0703 2468 FETNDIS (e9648254056bce81a85380c0c3647dc4) C:\WINDOWS\system32\DRIVERS\fetnd5.sys
2011/09/05 11:55:44.0796 2468 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/09/05 11:55:44.0828 2468 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/09/05 11:55:44.0937 2468 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/09/05 11:55:45.0031 2468 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/09/05 11:55:45.0125 2468 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/09/05 11:55:45.0234 2468 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/09/05 11:55:45.0281 2468 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/09/05 11:55:45.0421 2468 HTTP (f6aacf5bce2893e0c1754afeb672e5c9) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/09/05 11:55:45.0593 2468 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/09/05 11:55:45.0687 2468 ICAM3NT5 (7e9dce459be666ab54f67e77cb7d1297) C:\WINDOWS\system32\Drivers\Icam3.sys
2011/09/05 11:55:45.0781 2468 Imapi (f5f83bc54a88dc7356978d644b15eb63) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/09/05 11:55:45.0781 2468 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\imapi.sys. Real md5: f5f83bc54a88dc7356978d644b15eb63, Fake md5: 083a052659f5310dd8b6a6cb05edcf8e
2011/09/05 11:55:45.0781 2468 Imapi - detected Rootkit.Win32.TDSS.tdl3 (0)
2011/09/05 11:55:45.0890 2468 InCDfs (ccb643c38661011f64faa04c0df499dc) C:\WINDOWS\system32\drivers\InCDfs.sys
2011/09/05 11:55:45.0968 2468 InCDPass (e09681d8ceb387fd343afb432e5a7c6d) C:\WINDOWS\system32\DRIVERS\InCDPass.sys
2011/09/05 11:55:46.0046 2468 InCDrec (1c70fca13187877d91ee66c90d170d07) C:\WINDOWS\system32\drivers\InCDrec.sys
2011/09/05 11:55:46.0125 2468 incdrm (3d02fc921c4e814802c141fdb89a2aad) C:\WINDOWS\system32\drivers\incdrm.sys
2011/09/05 11:55:46.0343 2468 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/09/05 11:55:46.0406 2468 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/09/05 11:55:46.0437 2468 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/09/05 11:55:46.0484 2468 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/09/05 11:55:46.0546 2468 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/09/05 11:55:46.0593 2468 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/09/05 11:55:46.0625 2468 irda (aca5e7b54409f9cb5eed97ed0c81120e) C:\WINDOWS\system32\DRIVERS\irda.sys
2011/09/05 11:55:46.0656 2468 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/09/05 11:55:46.0718 2468 irsir (0501f0b9ab08425f8c0eacbdcc04aa32) C:\WINDOWS\system32\DRIVERS\irsir.sys
2011/09/05 11:55:46.0781 2468 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/09/05 11:55:46.0812 2468 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/09/05 11:55:46.0906 2468 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/09/05 11:55:47.0031 2468 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/09/05 11:55:47.0265 2468 Lavasoft Kernexplorer (6c4a3804510ad8e0f0c07b5be3d44ddb) C:\Program Files\Lavasoft\Ad-Aware\KernExplorer.sys
2011/09/05 11:55:47.0453 2468 Lbd (b7c19ec8b0dd7efa58ad41ffeb8b8cda) C:\WINDOWS\system32\DRIVERS\Lbd.sys
2011/09/05 11:55:47.0640 2468 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/09/05 11:55:47.0718 2468 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/09/05 11:55:47.0781 2468 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/09/05 11:55:47.0875 2468 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/09/05 11:55:48.0031 2468 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/09/05 11:55:48.0093 2468 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/09/05 11:55:48.0250 2468 MRxSmb (421f7b922cec5a5f340e7574a98f7b7c) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/09/05 11:55:48.0453 2468 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/09/05 11:55:48.0593 2468 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/09/05 11:55:48.0687 2468 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/09/05 11:55:48.0781 2468 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/09/05 11:55:48.0890 2468 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/09/05 11:55:49.0015 2468 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
2011/09/05 11:55:49.0093 2468 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/09/05 11:55:49.0218 2468 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2011/09/05 11:55:49.0359 2468 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/09/05 11:55:49.0453 2468 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2011/09/05 11:55:49.0562 2468 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/09/05 11:55:49.0609 2468 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/09/05 11:55:49.0640 2468 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/09/05 11:55:49.0687 2468 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/09/05 11:55:49.0718 2468 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/09/05 11:55:49.0750 2468 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/09/05 11:55:49.0890 2468 NPF (9f700584e974a15820c2abf414088b0d) C:\WINDOWS\system32\drivers\packet.sys
2011/09/05 11:55:50.0031 2468 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/09/05 11:55:50.0093 2468 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/09/05 11:55:50.0265 2468 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/09/05 11:55:50.0343 2468 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/09/05 11:55:50.0437 2468 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/09/05 11:55:50.0578 2468 ossrv (103a9b117a7d9903111955cdafe65ac6) C:\WINDOWS\system32\DRIVERS\ctoss2k.sys
2011/09/05 11:55:50.0671 2468 P17 (df886ffed69aead0cf608b89b18c3f6f) C:\WINDOWS\system32\drivers\P17.sys
2011/09/05 11:55:50.0812 2468 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/09/05 11:55:50.0843 2468 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/09/05 11:55:50.0937 2468 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/09/05 11:55:51.0109 2468 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/09/05 11:55:51.0312 2468 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/09/05 11:55:51.0375 2468 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/09/05 11:55:51.0734 2468 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/09/05 11:55:51.0781 2468 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
2011/09/05 11:55:51.0828 2468 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/09/05 11:55:51.0890 2468 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/09/05 11:55:52.0406 2468 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/09/05 11:55:52.0593 2468 Rasirda (0207d26ddf796a193ccd9f83047bb5fc) C:\WINDOWS\system32\DRIVERS\rasirda.sys
2011/09/05 11:55:52.0703 2468 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/09/05 11:55:52.0781 2468 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/09/05 11:55:52.0906 2468 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/09/05 11:55:53.0031 2468 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/09/05 11:55:53.0187 2468 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/09/05 11:55:53.0375 2468 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/09/05 11:55:53.0593 2468 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/09/05 11:55:53.0750 2468 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/09/05 11:55:53.0984 2468 SASDIFSV (39763504067962108505bff25f024345) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
2011/09/05 11:55:54.0062 2468 SASENUM (7ce61c25c159f50f9eaf6d77fc83fa35) C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
2011/09/05 11:55:54.0343 2468 SASKUTIL (77b9fc20084b48408ad3e87570eb4a85) C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
2011/09/05 11:55:54.0687 2468 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/09/05 11:55:54.0765 2468 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/09/05 11:55:54.0796 2468 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/09/05 11:55:54.0843 2468 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/09/05 11:55:55.0000 2468 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2011/09/05 11:55:55.0203 2468 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/09/05 11:55:55.0250 2468 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/09/05 11:55:55.0359 2468 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/09/05 11:55:55.0515 2468 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2011/09/05 11:55:55.0578 2468 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/09/05 11:55:55.0687 2468 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/09/05 11:55:55.0859 2468 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/09/05 11:55:55.0984 2468 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/09/05 11:55:56.0250 2468 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/09/05 11:55:56.0343 2468 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/09/05 11:55:56.0484 2468 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/09/05 11:55:56.0625 2468 uagp35 (d85938f272d1bcf3db3a31fc0a048928) C:\WINDOWS\system32\DRIVERS\uagp35.sys
2011/09/05 11:55:56.0687 2468 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/09/05 11:55:56.0812 2468 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/09/05 11:55:56.0921 2468 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/09/05 11:55:57.0062 2468 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/09/05 11:55:57.0156 2468 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/09/05 11:55:57.0234 2468 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/09/05 11:55:57.0343 2468 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/09/05 11:55:57.0468 2468 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/09/05 11:55:57.0531 2468 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/09/05 11:55:57.0562 2468 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/09/05 11:55:57.0593 2468 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
2011/09/05 11:55:57.0656 2468 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/09/05 11:55:57.0734 2468 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/09/05 11:55:57.0828 2468 wanatw (0a716c08cb13c3a8f4f51e882dbf7416) C:\WINDOWS\system32\DRIVERS\wanatw4.sys
2011/09/05 11:55:57.0953 2468 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/09/05 11:55:58.0046 2468 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
2011/09/05 11:55:58.0187 2468 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2011/09/05 11:55:58.0234 2468 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
2011/09/05 11:55:58.0265 2468 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk1\DR1
2011/09/05 11:55:58.0468 2468 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk2\DR2
2011/09/05 11:55:58.0640 2468 Boot (0x1200) (bb7001c4c3ec2d3a2b135e9c7c69ec87) \Device\Harddisk1\DR1\Partition0
2011/09/05 11:55:58.0656 2468 Boot (0x1200) (45d26e503c380d32a3ce6098e0899376) \Device\Harddisk2\DR2\Partition0
2011/09/05 11:55:58.0656 2468 ================================================================================
2011/09/05 11:55:58.0656 2468 Scan finished
2011/09/05 11:55:58.0656 2468 ================================================================================
2011/09/05 11:55:58.0671 3408 Detected object count: 1
2011/09/05 11:55:58.0671 3408 Actual detected object count: 1
2011/09/05 11:56:16.0296 3408 Imapi (f5f83bc54a88dc7356978d644b15eb63) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/09/05 11:56:16.0296 3408 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\imapi.sys. Real md5: f5f83bc54a88dc7356978d644b15eb63, Fake md5: 083a052659f5310dd8b6a6cb05edcf8e
2011/09/05 11:56:16.0750 3408 Backup copy found, using it..
2011/09/05 11:56:16.0750 3408 C:\WINDOWS\system32\DRIVERS\imapi.sys - will be cured after reboot
2011/09/05 11:56:16.0750 3408 Rootkit.Win32.TDSS.tdl3(Imapi) - User select action: Cure
2011/09/05 11:56:28.0921 3852 Deinitialize success
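As an added illustration (not code from this thread, from Kaspersky or from any tool named here), a small Python parser for the TDSSKiller log format pasted above: it pulls out the "Suspicious file (Forged)" finding with its two hashes, attaches the verdict and the action the user chose, and checks that the MBR hashes reported for each disk agree. The sample log is a constructed abridgement of the posted one, and the regular expressions are my own assumptions about the format rather than a published specification.

```python
"""Parse a TDSSKiller scan log and pull out what a responder needs from it:
forged-driver findings, their verdict and action, and MBR hash consistency."""
import re
from dataclasses import dataclass, field

# Constructed sample in the TDSSKiller log layout seen in this thread
# (timestamp, thread id, message). Hashes and paths are copied from the posted
# log; the choice of lines is a hypothetical abridgement for the example.
SAMPLE_LOG = r"""
2011/09/05 11:55:41.0203 2468 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/09/05 11:55:45.0781 2468 Imapi (f5f83bc54a88dc7356978d644b15eb63) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/09/05 11:55:45.0781 2468 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\imapi.sys. Real md5: f5f83bc54a88dc7356978d644b15eb63, Fake md5: 083a052659f5310dd8b6a6cb05edcf8e
2011/09/05 11:55:45.0781 2468 Imapi - detected Rootkit.Win32.TDSS.tdl3 (0)
2011/09/05 11:55:58.0234 2468 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
2011/09/05 11:55:58.0468 2468 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk2\DR2
2011/09/05 11:55:58.0671 3408 Detected object count: 1
2011/09/05 11:56:16.0750 3408 Rootkit.Win32.TDSS.tdl3(Imapi) - User select action: Cure
"""

# Assumed line shapes, derived by eye from the posted log.
LINE = re.compile(r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+) (?P<tid>\d+) (?P<msg>.*)$")
DRIVER = re.compile(r"^(?P<name>\S+) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
FORGED = re.compile(r"^Suspicious file \(Forged\): (?P<path>.+?)\. Real md5: (?P<real>[0-9a-f]{32}), Fake md5: (?P<fake>[0-9a-f]{32})$")
DETECTED = re.compile(r"^(?P<name>\S+) - detected (?P<verdict>\S+) \(\d+\)$")
ACTION = re.compile(r"^(?P<verdict>[^\s(]+)\((?P<name>[^)]+)\) - User select action: (?P<action>\w+)$")
MBR = re.compile(r"^MBR \((?P<size>0x[0-9A-Fa-f]+)\) \((?P<md5>[0-9a-f]{32})\) (?P<device>\\Device\\\S+)$")


@dataclass
class Finding:
    name: str
    path: str
    real_md5: str   # the two hashes TDSSKiller reports for one path;
    fake_md5: str   # their disagreement is the indicator, whichever is "clean"
    verdict: str = ""
    action: str = ""


@dataclass
class Report:
    drivers: dict = field(default_factory=dict)     # name -> (md5, path)
    findings: dict = field(default_factory=dict)    # path -> Finding
    mbr_hashes: dict = field(default_factory=dict)  # device -> md5
    unparsed: list = field(default_factory=list)    # messages no rule matched


def parse_tdsskiller(text: str) -> Report:
    rep = Report()
    by_name = {}  # driver name -> Finding, for the follow-up verdict/action lines
    for raw in text.splitlines():
        line = LINE.match(raw.strip())
        if not line:
            if raw.strip():
                rep.unparsed.append(raw)
            continue
        msg = line["msg"]
        if m := FORGED.match(msg):
            # Recover the driver name from the enumeration pass so the later
            # "<name> - detected ..." and "User select action" lines can be joined.
            name = next((n for n, (_, p) in rep.drivers.items() if p == m["path"]), m["path"])
            f = Finding(name, m["path"], m["real"], m["fake"])
            rep.findings[m["path"]] = f
            by_name[name] = f
        elif m := DETECTED.match(msg):
            if m["name"] in by_name:
                by_name[m["name"]].verdict = m["verdict"]
        elif m := ACTION.match(msg):
            if m["name"] in by_name:
                by_name[m["name"]].action = m["action"]
        elif m := MBR.match(msg):
            rep.mbr_hashes[m["device"]] = m["md5"]
        elif m := DRIVER.match(msg):
            rep.drivers[m["name"]] = (m["md5"], m["path"])
        else:
            rep.unparsed.append(msg)
    return rep


def enumerated_md5(rep: Report, f: Finding) -> str:
    """md5 the plain driver-enumeration pass recorded for this finding's driver."""
    return rep.drivers.get(f.name, ("", ""))[0]


def mbr_consistent(rep: Report) -> bool:
    """True when every enumerated disk carries the same MBR code hash."""
    return len(set(rep.mbr_hashes.values())) <= 1


def summary(rep: Report) -> list:
    out = []
    for f in rep.findings.values():
        out.append(f"{f.name}: {f.path} forged (md5 {f.real_md5} vs {f.fake_md5}); "
                   f"verdict={f.verdict or '?'} action={f.action or 'none'}")
    out.append(f"MBR hashes on {len(rep.mbr_hashes)} disk(s) "
               + ("agree" if mbr_consistent(rep) else "DIFFER - review boot code"))
    return out


if __name__ == "__main__":
    for line in summary(parse_tdsskiller(SAMPLE_LOG)):
        print(line)
```

Identical MBR hashes across disks only says the boot code is the same everywhere, not that it is clean; a disk whose hash differs is the one to look at first.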

#4 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 06 September 2011 - 02:19 PM

Good evening. :)

Take a trip to this webpage for download links and instructions for running Combofix by sUBs.*

  • Please be aware that this tool may require the PC to be rebooted so close any programs you have open before you start.
  • When CF has finished, it will produce a log - C:\ComboFix.txt - copy and paste it into your next reply.
  • Let me know how the PC is behaving.
* There are two points to note from the instructions page:

1) The Recovery Console.

It is recommended that you install this as, in certain circumstances, it may be the difference between a successful repair and a reformat. If you are uncertain as to whether or not you already have the Recovery Console installed, simply run CF and it will prompt you if it does not detect it.
CF will complete some, but not all, of its removal tasks without the installation of the Console so, should you choose not to allow the installation, you may not get the results you hoped for.

2) Disabling your Anti-Virus.

CF has been the victim of false-positive detections on occasion and a resident AV may incorrectly identify and delete part of the tool which won't do it much good. If you don't disable your AV, you may not get the results you hoped for either.

So long, and thanks for all the fish.

#5 cbrooks302

cbrooks302
  • Topic Starter

  • Members
  • 15 posts

Posted 06 September 2011 - 08:17 PM

PC is running much better. AVG ran a complete scan without finding anything, the first time in over a month, and no more pop-ups.
Here is the log file after combofix. Thank you.

ComboFix 11-09-06.03 - David Caulford 09/06/2011 19:33:47.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.822 [GMT -4:00]
Running from: c:\documents and settings\David Caulford\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\David Caulford\WINDOWS
c:\program files\messenger\msmsgsin.exe
c:\windows\system32\comct332.ocx
c:\windows\system32\Packet.dll
c:\windows\system32\rnaph.dll
c:\windows\system32\wpcap.dll
c:\windows\winhelp.ini
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_NPF
.
.
((((((((((((((((((((((((( Files Created from 2011-08-06 to 2011-09-06 )))))))))))))))))))))))))))))))
.
.
2011-09-06 22:51 . 2011-09-06 22:51 -------- d-sh--w- c:\documents and settings\Default User\IETldCache
2011-09-06 22:50 . 2011-09-06 22:50 -------- d-----w- c:\windows\system32\XPSViewer
2011-09-06 22:49 . 2011-09-06 22:49 -------- d-----w- c:\program files\MSBuild
2011-09-06 22:49 . 2011-09-06 22:49 -------- d-----w- c:\program files\Reference Assemblies
2011-09-06 22:48 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2011-09-06 22:47 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2011-09-06 22:47 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2011-09-06 22:47 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2011-09-06 22:47 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2011-09-06 22:47 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2011-09-06 22:47 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2011-09-06 22:47 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2011-09-06 22:47 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2011-09-05 17:58 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2011-09-05 17:58 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-09-05 17:56 . 2010-09-18 06:53 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2011-09-05 17:56 . 2010-08-23 16:12 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2011-09-05 17:56 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2011-09-05 17:55 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2011-09-05 17:52 . 2011-06-23 18:36 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2011-09-05 17:51 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2011-09-05 17:51 . 2010-10-11 14:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2011-09-05 17:49 . 2011-09-06 22:33 -------- d--h--w- c:\windows\$hf_mig$
2011-09-05 16:21 . 2011-09-05 16:21 -------- d-----w- c:\documents and settings\David Caulford\Application Data\Malwarebytes
2011-09-05 16:21 . 2011-07-08 11:55 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-09-05 16:21 . 2011-09-05 16:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-09-05 16:21 . 2011-09-05 16:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-09-05 16:21 . 2011-07-08 11:55 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-19 00:17 . 2011-08-19 00:17 -------- d-----w- c:\program files\InfraRecorder
2011-08-18 23:57 . 2011-08-18 23:57 -------- d-----w- c:\program files\Doblon
2011-08-14 17:05 . 2011-08-14 17:05 -------- d-----w- C:\Temp
2011-08-14 13:03 . 2011-09-05 13:42 -------- d-----w- c:\program files\CCleaner
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-05 15:57 . 2002-08-29 12:00 42112 ----a-w- c:\windows\system32\drivers\imapi.sys
2011-09-05 15:14 . 2011-06-16 01:14 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-15 13:29 . 2002-08-29 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2002-08-29 12:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-30 11:59 . 2010-03-29 14:57 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-06-24 14:10 . 2010-03-28 06:27 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-24 11:06 . 2011-06-22 13:31 1409 ----a-w- c:\windows\QTFont.for
2011-06-23 18:36 . 2002-08-29 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36 . 2002-08-29 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36 . 2002-08-29 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05 . 2010-03-28 20:52 385024 ----a-w- c:\windows\system32\html.iec
2011-06-22 13:31 . 2011-06-22 13:31 77824 ----a-w- c:\windows\system32\qttask.exe
2011-06-20 17:44 . 2002-08-29 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-06-20 12:06 . 2010-06-19 00:59 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-06-20 11:12 . 2011-06-20 11:18 58696 ----a-w- c:\windows\system32\AOLParconLink.exe
2011-06-15 23:42 . 2010-03-29 14:31 243152 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2011-06-15 23:39 . 2011-06-03 01:37 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2011-09-02 23:51 . 2011-07-11 01:52 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2011-07-26 2532680]
.
[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2011-07-26 14:15 2532680 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2011-07-26 2532680]
.
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2011-07-26 2532680]
.
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PopUpStopperFreeEdition"="c:\progra~1\PANICW~1\POP-UP~1\PSFree.exe" [2003-10-29 524288]
"AOL Fast Start"="c:\progra~1\AOLDES~1.6\AOL.EXE" [2011-04-25 42320]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2011-06-15 2071904]
"LXBXCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXBXtime.dll" [2004-11-02 69632]
.
c:\documents and settings\David Caulford\Start Menu\Programs\Startup\
Webshots.lnk - x:\program files\Webshots\Launcher.exe [2011-6-3 45056]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-08-21 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-08-06 17:48 12536 ----a-w- c:\windows\system32\avgrsstx.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
2011-04-25 21:52 42320 ----a-w- c:\program files\AOL Desktop 9.6\aol.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]
2004-09-17 13:24 61440 ----a-w- c:\program files\Lexmark 7100 Series\ezprint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer4_in_1]
2004-12-06 15:53 286720 ----a-w- c:\program files\Lexmark 7100 Series\fm3032.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2010-03-08 07:27 41800 ----a-w- c:\program files\Common Files\AOL\1308568557\ee\aolsoftware.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpfsched]
1998-10-20 06:17 35328 ----a-w- c:\windows\hpfsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LXBXCATS]
2004-11-02 15:08 69632 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\lxbxtime.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxbxmon.exe]
2005-01-18 09:43 196608 ----a-w- c:\program files\Lexmark 7100 Series\lxbxmon.exE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
2003-03-25 10:49 53248 ----a-r- c:\windows\system32\MMTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray2K]
2003-03-25 10:49 57344 ----a-r- c:\windows\system32\MMTray2k.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTrayLSI]
2003-03-25 10:49 53248 ----a-r- c:\windows\system32\MMTrayLSI.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-06-22 13:31 77824 ----a-w- c:\windows\system32\qttask.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\UGS\\NX 3.0\\UGII\\ugraf.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\Common Files\\AOL\\acs\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\acs\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1308568557\\ee\\aolsoftware.exe"=
"c:\\Program Files\\AOL Desktop 9.6\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\AOL Desktop 9.6\\AOLBrowser\\aolbrowser.exe"=
"c:\\WINDOWS\\system32\\lxbxcoms.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxbxPSWX.EXE"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"5002:TCP"= 5002:TCP:TCP Port 5002
"5003:TCP"= 5003:TCP:*:Disabled:TCP Port 5003
"5004:TCP"= 5004:TCP:*:Disabled:TCP Port 5004
"5005:TCP"= 5005:TCP:*:Disabled:TCP Port 5005
"5006:TCP"= 5006:TCP:*:Disabled:TCP Port 5006
"5007:TCP"= 5007:TCP:*:Disabled:TCP Port 5007
"5008:TCP"= 5008:TCP:*:Disabled:TCP Port 5008
"5009:TCP"= 5009:TCP:*:Disabled:TCP Port 5009
"5010:TCP"= 5010:TCP:*:Disabled:TCP Port 5010
"5011:TCP"= 5011:TCP:*:Disabled:TCP Port 5011
"5012:TCP"= 5012:TCP:*:Disabled:TCP Port 5012
"5013:TCP"= 5013:TCP:*:Disabled:TCP Port 5013
"5014:TCP"= 5014:TCP:*:Disabled:TCP Port 5014
"5015:TCP"= 5015:TCP:*:Disabled:TCP Port 5015
"5016:TCP"= 5016:TCP:*:Disabled:TCP Port 5016
"5017:TCP"= 5017:TCP:*:Disabled:TCP Port 5017
"5018:TCP"= 5018:TCP:*:Disabled:TCP Port 5018
"5019:TCP"= 5019:TCP:*:Disabled:TCP Port 5019
"5020:TCP"= 5020:TCP:*:Disabled:TCP Port 5020
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/29/2010 10:57 AM 64288]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [3/29/2010 10:30 AM 216400]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [3/29/2010 10:31 AM 243152]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [1/15/2009 8:17 PM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/15/2009 8:17 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [6/15/2011 7:34 PM 116608]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [8/6/2010 1:48 PM 921952]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [6/1/2011 10:21 PM 308136]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/5/2011 9:41 AM 136176]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe [10/29/2010 10:44 AM 1025352]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [9/5/2011 9:41 AM 136176]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [8/12/2010 8:15 AM 2152152]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [8/12/2010 8:15 AM 15232]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [9/5/2011 12:21 PM 41272]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/15/2009 8:17 PM 12872]
S4 Unigraphics License Server (uglmd);Unigraphics License Server (uglmd);c:\program files\UGS\License Servers\UGNXFLEXlm\lmgrd.exe [8/2/2004 6:29 AM 659456]
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-06 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-08-12 07:40]
.
2011-09-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-09-05 13:41]
.
2011-09-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-09-05 13:41]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.websudoku.com/?level=4
mStart Page = about:blank
TCP: DhcpNameServer = 24.148.96.1 24.148.96.2
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\David Caulford\Application Data\Mozilla\Firefox\Profiles\6qd8fw8y.default\
FF - prefs.js: browser.search.selectedEngine - Facemoods Search
FF - prefs.js: browser.startup.homepage - hxxp://www.websudoku.com/?level=4
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-26483729.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-06 19:51
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXBXCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXBXtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2684)
c:\windows\system32\WININET.dll
c:\progra~1\PANICW~1\POP-UP~1\XAHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Ahead\InCD\InCDsrv.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\progra~1\AOLDES~1.6\waol.exe
x:\program files\Webshots\webshots.scr
c:\program files\Common Files\AOL\ACS\AOLAcsd.exe
c:\progra~1\AOLDES~1.6\shellmon.exe
.
**************************************************************************
.
Completion time: 2011-09-06 19:59:27 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-06 23:59
.
Pre-Run: 136,099,463,168 bytes free
Post-Run: 137,223,045,120 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
.
- - End Of File - - 639D2D5F575633F103212C93088C7B72

#6 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 07 September 2011 - 02:18 PM

Good evening. :)

Pay a visit to the ESET Online Scanner.

  • Click the ESET Online Scanner button and a new window will open - you may need to maximise it.
  • Click the Run ESET Online Scanner button in the new window.
  • If you are using any other browser than IE, you will be prompted to download and run esetsmartinstaller_enu.exe and the scan will run from within the window that the executable opens.
  • Regardless of which browser you are using, you will be shown some terms and conditions and you will need to accept these to continue.
  • If you are running IE for this scan you will then be prompted to allow an ActiveX component to be downloaded, unless you already have it installed, and the scan will run inside IE.
  • When you see the Computer Scan Settings window, you will need to make the following changes:

    • UNCHECK Remove found threats - this is important.
    • Check Scan archives
    • Click on Advanced settings
    • Check Scan for potentially unsafe applications
  • Once ready, click Start to begin - not a surprise really!
  • The anti-virus definitions will now be downloaded, so don't forget to allow them through your firewall if prompted.
  • The above will take a little time, so now is a good time to fire up the kettle and open the biccies.
  • Once the scan has completed you will be shown the results - assuming that the scanner has found anything.
  • Click List of found threats and then Export to text file... and save the log somewhere convenient.
  • You can then close out the scanner - don't bother uninstalling it as you may need to use it again.
  • Please post the contents of this file in your next reply, or let me know that nothing was identified.
Download OTL by OldTimer from here and save it to your Desktop.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  • Double click the tool to run it.
  • Click the Quick Scan button and allow it to do its thing.
  • Once complete, it should open two Notepad Windows - OTL.Txt and Extras.Txt
  • It should also save copies in the same location as OTL.
  • I want you to copy and paste the contents of OTL.txt that should appear into one reply and Extras.Txt into another.
  • The length of the two logs sometimes results in the end being chopped off if you post both in one reply.

So long, and thanks for all the fish.

#7 cbrooks302

cbrooks302
  • Topic Starter

  • Members
  • 15 posts

Posted 09 September 2011 - 06:47 PM

Here are the results from ESET. Will get the other one over the weekend.


ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6528
# api_version=3.0.2
# EOSSerial=2afe6e56e6cca841ade12c044b6d3c06
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-09-08 04:36:53
# local_time=2011-09-08 12:36:53 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1024 16777175 100 0 44638057 44638057 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=280879
# found=34
# cleaned=0
# scan_time=24063
C:\Documents and Settings\David Caulford\My Documents\Downloads\AudioConverterSetup.exe a variant of Win32/InstallCore.C application (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\David Caulford\My Documents\My Music\Shared\01 Track 1.wma WMA/TrojanDownloader.Wimad.D trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\David Caulford\My Documents\My Music\Shared\02 Track 2.wma WMA/TrojanDownloader.Wimad.D trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\David Caulford\My Documents\My Music\Shared\03 Track 3.wma WMA/TrojanDownloader.Wimad.D trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\David Caulford\My Documents\My Music\Shared\06 Track 6.wma WMA/TrojanDownloader.Wimad.D trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\David Caulford\My Documents\My Music\Shared\07 Track 7.wma WMA/TrojanDownloader.Wimad.D trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\David Caulford\My Documents\My Music\Shared\Top of Charts - 2005.wma WMA/TrojanDownloader.Wimad.D trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\David Caulford\My Documents\My Music\Shared\Wicked Remix.wma WMA/TrojanDownloader.Wimad.D trojan (unable to clean) 00000000000000000000000000000000 I
D:\Data_160\Backup2\Backup\Local Disk (F)\System Volume Information\_restore{DC3ED6C7-BEDF-4F43-BED8-FC164802EB19}\RP448\A0145012.exe Win32/Adware.SaveNow application (unable to clean) 00000000000000000000000000000000 I
D:\Data_160\Backup2\Backup\Local Disk (F)\System Volume Information\_restore{DC3ED6C7-BEDF-4F43-BED8-FC164802EB19}\RP448\A0145020.exe Win32/Adware.SaveNow application (unable to clean) 00000000000000000000000000000000 I
D:\Program Files\PDF Password Cracker v3.1\crackpdf.exe a variant of Win32/PSWTool.PdfCracker.A application (unable to clean) 00000000000000000000000000000000 I
X:\Bases\hjc\backups\backup-20100220-194639-183.dll Win32/Adware.Gamevance.AI application (unable to clean) 00000000000000000000000000000000 I
X:\Bases\hjc\backups\backup-20100220-194640-325.dll Win32/Adware.Gamevance.AI application (unable to clean) 00000000000000000000000000000000 I
X:\Documents and Settings\Clayton.OWNER-FBD660825\Shared\04 Track 4.wma Win32/Adware.180Solutions application (unable to clean) 00000000000000000000000000000000 I
X:\Documents and Settings\Clayton.OWNER-FBD660825\Shared\Top of Charts - 2004.wma WMA/TrojanDownloader.Wimad.L trojan (unable to clean) 00000000000000000000000000000000 I
X:\Documents and Settings\Owner\Desktop\SmitfraudFix\Process.exe Win32/PrcView application (unable to clean) 00000000000000000000000000000000 I
X:\Documents and Settings\Owner\Desktop\SmitfraudFix\restart.exe Win32/Shutdown.NAA application (unable to clean) 00000000000000000000000000000000 I
X:\Documents and Settings\Owner\Desktop\SmitfraudFix\SmitfraudFix.zip multiple threats (unable to clean) 00000000000000000000000000000000 I
X:\Documents and Settings\Owner\My Documents\BSINSTALL.exe Win32/Adware.WhenU.SaveNow application (unable to clean) 00000000000000000000000000000000 I
X:\Documents and Settings\Owner\My Documents\SDFix.exe Win32/PrcView application (unable to clean) 00000000000000000000000000000000 I
X:\Documents and Settings\Owner\My Documents\SmitfraudFix.exe multiple threats (unable to clean) 00000000000000000000000000000000 I
X:\Documents and Settings\Owner\My Documents\LimeWire\love story scene asthetic.wma probably a variant of Win32/Agent.IIJHCBR trojan (unable to clean) 00000000000000000000000000000000 I
X:\Documents and Settings\Owner\My Documents\LimeWire\welcome home video version extended live edition.au a variant of WMA/TrojanDownloader.GetCodec.gen trojan (unable to clean) 00000000000000000000000000000000 I
X:\Documents and Settings\Owner\My Documents\SmitfraudFix\Process.exe Win32/PrcView application (unable to clean) 00000000000000000000000000000000 I
X:\Documents and Settings\Owner\My Documents\SmitfraudFix\restart.exe Win32/Shutdown.NAA application (unable to clean) 00000000000000000000000000000000 I
X:\Program Files\America Online 9.0a\download\SmitfraudFix\Process.exe Win32/PrcView application (unable to clean) 00000000000000000000000000000000 I
X:\Program Files\America Online 9.0a\download\SmitfraudFix\restart.exe Win32/Shutdown.NAA application (unable to clean) 00000000000000000000000000000000 I
X:\Program Files\Common Files\AOL\Backup\ACS\Rollback\acslang.exe probably a variant of Win32/StartPage.HSZAKFT trojan (unable to clean) 00000000000000000000000000000000 I
X:\Program Files\Common Files\AOL\Backup\ACS\Rollback\acssetup.exe probably a variant of Win32/StartPage.HSZAKFT trojan (unable to clean) 00000000000000000000000000000000 I
X:\Program Files\SpecialOperationsSoftware\soscp\tempoldfiles\soscp.exe a variant of MSIL/TrojanClicker.NAP trojan (unable to clean) 00000000000000000000000000000000 I
X:\SDFix\apps\Process.exe Win32/PrcView application (unable to clean) 00000000000000000000000000000000 I
X:\SmitfraudFix\Process.exe Win32/PrcView application (unable to clean) 00000000000000000000000000000000 I
X:\SmitfraudFix\restart.exe Win32/Shutdown.NAA application (unable to clean) 00000000000000000000000000000000 I
X:\WINDOWS\Installer\1334a3.msi multiple threats (unable to clean) 00000000000000000000000000000000 I

#8 cbrooks302

cbrooks302
  • Topic Starter

  • Members
  • 15 posts

Posted 09 September 2011 - 07:02 PM

extras.txt

OTL Extras logfile created on: 9/9/2011 7:53:09 PM - Run 1
OTL by OldTimer - Version 3.2.27.0 Folder = C:\Documents and Settings\David Caulford\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.50 Gb Total Physical Memory | 0.83 Gb Available Physical Memory | 55.14% Memory free
2.86 Gb Paging File | 2.20 Gb Available in Paging File | 77.16% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 186.30 Gb Total Space | 126.79 Gb Free Space | 68.06% Space Free | Partition Type: NTFS
Drive D: | 232.88 Gb Total Space | 150.39 Gb Free Space | 64.58% Space Free | Partition Type: NTFS
Drive X: | 232.88 Gb Total Space | 145.49 Gb Free Space | 62.48% Space Free | Partition Type: NTFS

Computer Name: DMC | User Name: David Caulford | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.html [@ = Reg Error: Key error.] -- Reg Error: Key error. File not found
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office\msohtmed.exe" %1 (Microsoft Corporation)
https [open] -- Reg Error: Key error.
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008
"135:TCP" = 135:TCP:*:Enabled:TCP Port 135
"5000:TCP" = 5000:TCP:*:Enabled:TCP Port 5000
"5001:TCP" = 5001:TCP:*:Enabled:TCP Port 5001
"5002:TCP" = 5002:TCP:*:Enabled:TCP Port 5002
"5003:TCP" = 5003:TCP:*:Disabled:TCP Port 5003
"5004:TCP" = 5004:TCP:*:Disabled:TCP Port 5004
"5005:TCP" = 5005:TCP:*:Disabled:TCP Port 5005
"5006:TCP" = 5006:TCP:*:Disabled:TCP Port 5006
"5007:TCP" = 5007:TCP:*:Disabled:TCP Port 5007
"5008:TCP" = 5008:TCP:*:Disabled:TCP Port 5008
"5009:TCP" = 5009:TCP:*:Disabled:TCP Port 5009
"5010:TCP" = 5010:TCP:*:Disabled:TCP Port 5010
"5011:TCP" = 5011:TCP:*:Disabled:TCP Port 5011
"5012:TCP" = 5012:TCP:*:Disabled:TCP Port 5012
"5013:TCP" = 5013:TCP:*:Disabled:TCP Port 5013
"5014:TCP" = 5014:TCP:*:Disabled:TCP Port 5014
"5015:TCP" = 5015:TCP:*:Disabled:TCP Port 5015
"5016:TCP" = 5016:TCP:*:Disabled:TCP Port 5016
"5017:TCP" = 5017:TCP:*:Disabled:TCP Port 5017
"5018:TCP" = 5018:TCP:*:Disabled:TCP Port 5018
"5019:TCP" = 5019:TCP:*:Disabled:TCP Port 5019
"5020:TCP" = 5020:TCP:*:Disabled:TCP Port 5020

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\AVG\AVG9\avgemc.exe" = C:\Program Files\AVG\AVG9\avgemc.exe:*:Enabled:avgemc.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG9\avgupd.exe" = C:\Program Files\AVG\AVG9\avgupd.exe:*:Enabled:avgupd.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG9\avgnsx.exe" = C:\Program Files\AVG\AVG9\avgnsx.exe:*:Enabled:avgnsx.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\UGS\NX 3.0\UGII\ugraf.exe" = C:\Program Files\UGS\NX 3.0\UGII\ugraf.exe:*:Disabled:NX Component -- (UGS Corp.)
"C:\WINDOWS\system32\ftp.exe" = C:\WINDOWS\system32\ftp.exe:*:Enabled:File Transfer Program -- (Microsoft Corporation)
"C:\Program Files\Common Files\AOL\acs\AOLDial.exe" = C:\Program Files\Common Files\AOL\acs\AOLDial.exe:*:Enabled:AOL Connectivity Service Dialer -- (America Online)
"C:\Program Files\Common Files\AOL\acs\AOLacsd.exe" = C:\Program Files\Common Files\AOL\acs\AOLacsd.exe:*:Enabled:AOL Connectivity Service -- (AOL LLC)
"C:\Program Files\Common Files\AOL\1308568557\ee\aolsoftware.exe" = C:\Program Files\Common Files\AOL\1308568557\ee\aolsoftware.exe:*:Enabled:AOL Shared Components -- (AOL Inc.)
"C:\Program Files\AOL Desktop 9.6\waol.exe" = C:\Program Files\AOL Desktop 9.6\waol.exe:*:Enabled:AOL -- (AOL Inc.)
"C:\Program Files\Common Files\AOL\TopSpeed\3.0\aoltpsd3.exe" = C:\Program Files\Common Files\AOL\TopSpeed\3.0\aoltpsd3.exe:*:Enabled:AOL TopSpeed -- (AOL Inc.)
"C:\Program Files\Common Files\AOL\Loader\aolload.exe" = C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader -- (AOL Inc.)
"C:\Program Files\Common Files\AOL\System Information\sinf.exe" = C:\Program Files\Common Files\AOL\System Information\sinf.exe:*:Enabled:AOL System Information -- (AOL Inc.)
"C:\Program Files\AOL Desktop 9.6\AOLBrowser\aolbrowser.exe" = C:\Program Files\AOL Desktop 9.6\AOLBrowser\aolbrowser.exe:*:Enabled:AOL Browser -- (AOL Inc.)
"C:\WINDOWS\system32\lxbxcoms.exe" = C:\WINDOWS\system32\lxbxcoms.exe:*:Enabled:7100 Series Server -- (Lexmark International, Inc.)
"C:\WINDOWS\system32\spool\drivers\w32x86\3\lxbxPSWX.EXE" = C:\WINDOWS\system32\spool\drivers\w32x86\3\lxbxPSWX.EXE:*:Enabled:7100 Series Printer Status -- ()


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00010409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Professional
"{316A75E3-039D-4BF4-AC29-3FF91E8555CD}" = Lexmark Fax Solutions
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{41979C2F-34B8-4F92-8111-B13C5864682D}" = MediaFACE 4.01
"{440701AA-4602-409C-8CC3-5BB9D2F11A91}" = NX 3 FLEXlm
"{82AF77BC-423D-42DA-BE5B-FFCA04752181}" = MediaFACE 4.01 Image Library
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{9D180A76-C05F-4064-94B1-069E6EEEA5EF}" = NX 3
"{9F8C8C2C-3926-45D3-B247-3F478A1D0D9F}" = NX 3 Translators
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A31289C6-04EF-4437-A35B-7CC96167145C}" = Leisure Suit Larry - Magna Cum Laude
"{AA027AE9-DD20-4677-AA72-D760A358320B}" = Microsoft VC9 runtime libraries
"{AC76BA86-7AD7-1033-7B44-A94000000001}" = Adobe Reader 9.4.5
"{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}" = ABBYY FineReader 6.0 Sprint Plus
"{B194272D-1F92-46DF-99EB-8D5CE91CB4EC}" = Adobe AIR
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F8131A35-47FD-27AD-116D-0E79AF5DE5EE}" = Acrobat.com
"{FFF5DEE7-8107-436B-9726-7573458FE6AE}" = ACE Mega CoDecS Pack
"Ad-Aware" = Ad-Aware
"Adobe Acrobat 4.0" = Adobe Acrobat 4.0
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Photoshop Elements 2.0" = Adobe Photoshop Elements 2.0
"AnyDVD" = AnyDVD
"AOL Uninstaller" = AOL Uninstaller (Choose which Products to Remove)
"AVG9Uninstall" = AVG Free 9.0
"CADKEY 99" = CADKEY 99
"CCleaner" = CCleaner
"CloneCD" = CloneCD
"CodInstl" = Intel A/V Codecs V2.0
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"ESET Online Scanner" = ESET Online Scanner v3
"ie8" = Windows Internet Explorer 8
"InfraRecorder" = InfraRecorder
"InfraRecorder_is1" = InfraRecorder
"InstallShield_{316A75E3-039D-4BF4-AC29-3FF91E8555CD}" = Lexmark 7100 Series Fax Solutions
"InstallShield_{41979C2F-34B8-4F92-8111-B13C5864682D}" = MediaFACE 4.01
"InstallShield_{82AF77BC-423D-42DA-BE5B-FFCA04752181}" = MediaFACE 4.01 Image Library
"InstallShield_{A31289C6-04EF-4437-A35B-7CC96167145C}" = Leisure Suit Larry - Magna Cum Laude
"Lexmark 7100 Series" = Lexmark 7100 Series
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.1.1800
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox 6.0.2 (x86 en-US)" = Mozilla Firefox 6.0.2 (x86 en-US)
"NeroMultiInstaller!UninstallKey" = Nero Suite
"Pop-Up Stopper Free Edition" = Pop-Up Stopper Free Edition
"SoftwareUpdUtility" = Download Updater (AOL LLC)
"Sound Blaster AWE64" = Sound Blaster AWE64
"ViewpointMediaPlayer" = Viewpoint Media Player
"Yahoo! Companion" = Yahoo! Toolbar

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"AOL Toolbar" = AOL Toolbar

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 8/20/2011 6:42:49 PM | Computer Name = DMC | Source = Lavasoft Ad-Aware Service | ID = 0
Description =

Error - 8/21/2011 10:24:09 AM | Computer Name = DMC | Source = MsiInstaller | ID = 11905
Description = Product: Ask Toolbar -- Error 1905.Module C:\Program Files\Ask.com\GenericAskToolbar.dll
failed to unregister. HRESULT -2147220472. Contact your support personnel.

Error - 8/30/2011 7:28:51 PM | Computer Name = DMC | Source = Lavasoft Ad-Aware Service | ID = 0
Description =

Error - 9/3/2011 6:42:40 PM | Computer Name = DMC | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.5512, faulting
module xvid.ax, version 0.0.0.0, fault address 0x0003dd11.

Error - 9/4/2011 10:38:34 AM | Computer Name = DMC | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The connection with the server was terminated abnormally

Error - 9/4/2011 10:38:35 AM | Computer Name = DMC | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 9/5/2011 11:55:28 AM | Computer Name = DMC | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The connection with the server was terminated abnormally

Error - 9/5/2011 11:55:28 AM | Computer Name = DMC | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 9/6/2011 6:56:30 PM | Computer Name = DMC | Source = Lavasoft Ad-Aware Service | ID = 0
Description =

Error - 9/6/2011 7:32:39 PM | Computer Name = DMC | Source = .NET Runtime Optimization Service | ID = 1101
Description = .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32)
- Failed to compile: C:\Program Files\PC Drivers HeadQuarters\Driver Detective\DriversHQ.DriverDetective.Client.exe
. Error code = 0x80131047

[ System Events ]
Error - 9/5/2011 11:45:58 AM | Computer Name = DMC | Source = Service Control Manager | ID = 7031
Description = The SAS Core Service service terminated unexpectedly. It has done
this 1 time(s). The following corrective action will be taken in 1000 milliseconds:
Restart the service.

Error - 9/5/2011 11:58:27 AM | Computer Name = DMC | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC0000001'
while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring
the volume.

Error - 9/5/2011 11:58:38 AM | Computer Name = DMC | Source = Service Control Manager | ID = 7000
Description = The DS1410D service failed to start due to the following error: %%2

Error - 9/5/2011 12:06:28 PM | Computer Name = DMC | Source = Service Control Manager | ID = 7000
Description = The DS1410D service failed to start due to the following error: %%2

Error - 9/5/2011 5:45:52 PM | Computer Name = DMC | Source = Service Control Manager | ID = 7000
Description = The DS1410D service failed to start due to the following error: %%2

Error - 9/6/2011 6:25:33 PM | Computer Name = DMC | Source = Service Control Manager | ID = 7000
Description = The DS1410D service failed to start due to the following error: %%2

Error - 9/6/2011 7:51:05 PM | Computer Name = DMC | Source = Service Control Manager | ID = 7000
Description = The DS1410D service failed to start due to the following error: %%2

Error - 9/7/2011 5:31:13 PM | Computer Name = DMC | Source = Service Control Manager | ID = 7000
Description = The DS1410D service failed to start due to the following error: %%2

Error - 9/8/2011 3:40:06 AM | Computer Name = DMC | Source = Service Control Manager | ID = 7000
Description = The DS1410D service failed to start due to the following error: %%2

Error - 9/9/2011 7:38:30 PM | Computer Name = DMC | Source = Service Control Manager | ID = 7000
Description = The DS1410D service failed to start due to the following error: %%2


< End of report >

#9 cbrooks302

  • Topic Starter
  • Members
  • 15 posts

Posted 09 September 2011 - 07:04 PM

otl.txt

OTL logfile created on: 9/9/2011 7:53:09 PM - Run 1
OTL by OldTimer - Version 3.2.27.0 Folder = C:\Documents and Settings\David Caulford\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.50 Gb Total Physical Memory | 0.83 Gb Available Physical Memory | 55.14% Memory free
2.86 Gb Paging File | 2.20 Gb Available in Paging File | 77.16% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 186.30 Gb Total Space | 126.79 Gb Free Space | 68.06% Space Free | Partition Type: NTFS
Drive D: | 232.88 Gb Total Space | 150.39 Gb Free Space | 64.58% Space Free | Partition Type: NTFS
Drive X: | 232.88 Gb Total Space | 145.49 Gb Free Space | 62.48% Space Free | Partition Type: NTFS

Computer Name: DMC | User Name: David Caulford | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/09/09 19:52:30 | 000,581,120 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\David Caulford\My Documents\Downloads\OTL.scr
PRC - [2011/09/07 17:39:01 | 000,924,632 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2011/08/21 10:33:37 | 000,116,608 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
PRC - [2011/06/15 19:42:12 | 002,071,904 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgtray.exe
PRC - [2011/06/01 22:21:02 | 000,308,136 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe
PRC - [2011/06/01 22:20:45 | 000,725,344 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgcsrvx.exe
PRC - [2011/06/01 22:20:36 | 001,101,152 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgchsvx.exe
PRC - [2010/09/23 11:29:15 | 000,621,920 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgnsx.exe
PRC - [2010/08/06 13:48:25 | 000,515,424 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgrsx.exe
PRC - [2010/08/06 13:48:18 | 000,921,952 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgemc.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2005/12/19 12:38:12 | 001,646,592 | ---- | M] (Webshots.com) -- X:\Program Files\Webshots\webshots.scr
PRC - [2004/08/27 12:00:20 | 001,192,050 | ---- | M] (Ahead Software AG) -- C:\Program Files\Ahead\InCD\InCDsrv.exe
PRC - [2003/10/29 11:01:02 | 000,524,288 | ---- | M] (Panicware, Inc.) -- C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe


========== Modules (No Company Name) ==========

MOD - [2011/09/07 17:39:00 | 001,846,232 | ---- | M] () -- C:\Program Files\Mozilla Firefox\mozjs.dll
MOD - [2011/07/26 10:15:58 | 002,532,680 | ---- | M] () -- C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
MOD - [2004/12/06 11:49:28 | 000,032,768 | ---- | M] () -- C:\WINDOWS\system32\LXBXPMON.DLL
MOD - [2004/10/07 11:49:04 | 000,061,440 | ---- | M] () -- C:\Program Files\Lexmark 7100 Series\lxbxcnv4.dll
MOD - [2004/09/14 09:44:12 | 000,073,728 | ---- | M] () -- C:\WINDOWS\system32\spool\prtprocs\w32x86\lxbxPP5C.DLL


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - [2011/09/02 09:29:30 | 002,152,152 | ---- | M] (Lavasoft Limited) [On_Demand | Stopped] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2011/08/21 10:33:37 | 000,116,608 | ---- | M] (SUPERAntiSpyware.com) [Auto | Running] -- C:\Program Files\SUPERAntiSpyware\SASCORE.EXE -- (!SASCORE)
SRV - [2011/07/26 10:16:02 | 001,025,352 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\AVG\AVG9\Toolbar\ToolbarBroker.exe -- (AVG Security Toolbar Service)
SRV - [2011/06/01 22:21:02 | 000,308,136 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgwdsvc.exe -- (avg9wd)
SRV - [2010/08/06 13:48:18 | 000,921,952 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgemc.exe -- (avg9emc)
SRV - [2006/10/23 08:50:35 | 000,046,640 | R--- | M] (AOL LLC) [On_Demand | Stopped] -- C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe -- (AOL ACS)
SRV - [2005/01/06 13:41:22 | 000,462,848 | ---- | M] (Lexmark International, Inc.) [On_Demand | Stopped] -- C:\WINDOWS\System32\lxbxcoms.exe -- (lxbx_device)
SRV - [2004/08/27 12:00:20 | 001,192,050 | ---- | M] (Ahead Software AG) [Auto | Running] -- C:\Program Files\Ahead\InCD\InCDsrv.exe -- (InCDsrvR) InCD Helper (read only)
SRV - [2004/08/02 06:29:54 | 000,659,456 | R--- | M] (Macrovision Corporation) [Disabled | Stopped] -- C:\Program Files\UGS\License Servers\UGNXFLEXlm\lmgrd.exe -- (Unigraphics License Server (uglmd)) Unigraphics License Server (uglmd)


========== Driver Services (SafeList) ==========

DRV - [2011/08/21 10:33:34 | 000,067,664 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2011/08/21 10:33:33 | 000,012,880 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS -- (SASDIFSV)
DRV - [2011/07/08 07:55:36 | 000,041,272 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
DRV - [2011/06/20 08:06:16 | 000,015,232 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\Lavasoft\Ad-Aware\kernexplorer.sys -- (Lavasoft Kernexplorer)
DRV - [2011/06/15 19:42:10 | 000,243,152 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgtdix.sys -- (AvgTdiX)
DRV - [2010/08/12 08:15:20 | 000,064,288 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\Lbd.sys -- (Lbd)
DRV - [2010/08/06 13:48:17 | 000,216,400 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgldx86.sys -- (AvgLdx86)
DRV - [2010/06/02 12:20:57 | 000,029,584 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\avgmfx86.sys -- (AvgMfx86)
DRV - [2010/03/30 18:20:41 | 000,104,768 | ---- | M] (SlySoft, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AnyDVD.sys -- (AnyDVD)
DRV - [2010/03/28 17:52:36 | 000,012,872 | ---- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | On_Demand | Stopped] -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
DRV - [2008/04/14 02:04:16 | 000,701,440 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2007/06/15 05:47:26 | 001,127,936 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\P17.sys -- (P17)
DRV - [2007/02/15 20:57:04 | 000,034,760 | ---- | M] (SlySoft, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ElbyCDFL.sys -- (ElbyCDFL)
DRV - [2005/01/10 13:15:30 | 000,106,496 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctoss2k.sys -- (ossrv)
DRV - [2005/01/10 13:15:24 | 000,138,752 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctsfm2k.sys -- (ctsfm2k)
DRV - [2004/08/27 12:02:46 | 000,028,672 | ---- | M] (Ahead Software AG) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\InCDpass.sys -- (InCDPass)
DRV - [2004/08/27 12:02:30 | 000,092,928 | ---- | M] (Ahead Software AG) [File_System | Disabled | Running] -- C:\WINDOWS\System32\drivers\InCDfs.sys -- (InCDfs)
DRV - [2004/08/27 04:02:50 | 000,027,648 | ---- | M] (Ahead Software AG) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\InCDrm.sys -- (incdrm)
DRV - [2003/01/10 17:13:04 | 000,033,588 | R--- | M] (America Online, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\wanatw4.sys -- (wanatw) WAN Miniport (ATW)
DRV - [2001/08/17 10:05:44 | 000,141,056 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Icam3.sys -- (ICAM3NT5)
DRV - [2001/08/17 09:51:32 | 000,018,688 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\irsir.sys -- (irsir)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.websudoku.com/?level=4
IE - HKCU\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Facemoods Search"
FF - prefs.js..browser.search.selectedEngine: "Facemoods Search"
FF - prefs.js..browser.search.update: false
FF - prefs.js..browser.startup.homepage: "http://www.websudoku.com/?level=4"
FF - prefs.js..network.proxy.type: 0

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@viewpoint.com/VMP: C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll ()
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 6.0.2\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/09/07 17:39:02 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 6.0.2\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins

[2011/07/10 21:38:30 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\David Caulford\Application Data\Mozilla\Extensions
[2011/08/21 12:44:30 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\David Caulford\Application Data\Mozilla\Firefox\Profiles\6qd8fw8y.default\extensions
[2011/07/10 21:52:25 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/09/08 03:10:29 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\WINDOWS PRESENTATION FOUNDATION\DOTNETASSISTANTEXTENSION
[2011/09/07 17:39:01 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2010/01/01 04:00:00 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml

O1 HOSTS File: ([2011/09/06 19:51:27 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (AVG Security Toolbar BHO) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O4 - HKLM..\Run: [AVG9_TRAY] C:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [LXBXCATS] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBXtime.DLL ()
O4 - HKCU..\Run: [PopUpStopperFreeEdition] C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe (Panicware, Inc.)
O4 - Startup: C:\Documents and Settings\David Caulford\Start Menu\Programs\Startup\Webshots.lnk = X:\Program Files\Webshots\Launcher.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O15 - HKCU\..Trusted Domains: aol.com ([objects] * is out of zone range - 5)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 24.148.96.1 24.148.96.2
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{B077E682-1EC0-430F-B1D4-58EBE57F7CF7}: DhcpNameServer = 24.148.96.1 24.148.96.2
O18 - Protocol\Handler\avgsecuritytoolbar {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O24 - Desktop WallPaper: C:\Documents and Settings\David Caulford\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\David Caulford\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/04/04 13:22:02 | 000,000,109 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2010/11/12 18:03:00 | 000,000,109 | ---- | M] () - D:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/09/09 19:43:41 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2011/09/08 03:12:12 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2011/09/07 17:51:51 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2011/09/06 19:59:29 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2011/09/06 19:25:52 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2011/09/06 19:24:09 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/09/06 19:24:09 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/09/06 19:24:08 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/09/06 19:24:08 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/09/06 19:23:56 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2011/09/06 19:04:14 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/09/06 19:01:12 | 004,197,762 | R--- | C] (Swearware) -- C:\Documents and Settings\David Caulford\Desktop\ComboFix.exe
[2011/09/06 18:50:10 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\XPSViewer
[2011/09/06 18:49:59 | 000,000,000 | ---D | C] -- C:\Program Files\MSBuild
[2011/09/06 18:49:33 | 000,000,000 | ---D | C] -- C:\Program Files\Reference Assemblies
[2011/09/05 19:32:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\David Caulford\Desktop\cleaning the computer
[2011/09/05 13:49:55 | 000,000,000 | -H-D | C] -- C:\WINDOWS\$hf_mig$
[2011/09/05 12:21:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\David Caulford\Application Data\Malwarebytes
[2011/09/05 12:21:50 | 000,041,272 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/09/05 12:21:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/09/05 12:21:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2011/09/05 12:21:30 | 000,022,712 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/09/05 12:21:30 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/09/05 10:23:15 | 000,000,000 | R--D | C] -- C:\Documents and Settings\David Caulford\My Documents\My Videos
[2011/09/05 10:23:15 | 000,000,000 | R--D | C] -- C:\Documents and Settings\David Caulford\Start Menu\Programs\Administrative Tools
[2011/09/05 09:50:24 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\David Caulford\Recent
[2011/08/18 20:17:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\InfraRecorder
[2011/08/18 20:17:38 | 000,000,000 | ---D | C] -- C:\Program Files\InfraRecorder
[2011/08/18 19:57:36 | 000,000,000 | ---D | C] -- C:\Program Files\Doblon
[2011/08/14 13:05:00 | 000,000,000 | ---D | C] -- C:\Temp
[2011/08/14 09:03:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\CCleaner
[2011/08/14 09:03:17 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2002/04/11 04:41:06 | 000,065,536 | ---- | C] ( ) -- C:\WINDOWS\System32\A3d.dll
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/09/09 19:43:03 | 085,648,698 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2011/09/09 19:37:42 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/09/09 19:37:40 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/09/08 03:22:00 | 000,432,356 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/09/08 03:22:00 | 000,067,312 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/09/06 22:08:22 | 000,001,355 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/09/06 19:51:27 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/09/06 19:50:25 | 000,116,560 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/09/06 19:26:01 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2011/09/06 19:20:49 | 000,000,486 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2011/09/06 19:01:14 | 004,197,762 | R--- | M] (Swearware) -- C:\Documents and Settings\David Caulford\Desktop\ComboFix.exe
[2011/09/06 18:30:48 | 000,000,064 | ---- | M] () -- C:\WINDOWS\System32\rp_stats.dat
[2011/09/06 18:30:48 | 000,000,044 | ---- | M] () -- C:\WINDOWS\System32\rp_rules.dat
[2011/09/03 18:42:36 | 000,205,824 | ---- | M] () -- C:\Documents and Settings\David Caulford\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/09/01 18:36:15 | 000,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2011/08/28 10:12:08 | 000,000,010 | ---- | M] () -- C:\WINDOWS\popcinfo.dat
[2011/08/18 20:17:56 | 000,000,760 | ---- | M] () -- C:\Documents and Settings\David Caulford\Application Data\Microsoft\Internet Explorer\Quick Launch\InfraRecorder.lnk
[2011/08/18 20:17:56 | 000,000,742 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\InfraRecorder.lnk
[2011/08/18 20:17:38 | 004,090,912 | ---- | M] () -- C:\Program Files\InfraRecorder.exe
[2011/08/14 08:38:28 | 000,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2011/08/11 16:35:49 | 000,436,344 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20110905-093652.backup
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/09/06 19:26:01 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2011/09/06 19:25:55 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2011/09/06 19:24:09 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/09/06 19:24:09 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/09/06 19:24:09 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/09/06 19:24:09 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/09/06 19:24:09 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/09/05 22:02:36 | 000,001,355 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2011/09/03 18:50:42 | 000,845,675 | ---- | C] () -- C:\Documents and Settings\David Caulford\Desktop\DSCN2132.jpg
[2011/09/03 18:50:38 | 000,955,120 | ---- | C] () -- C:\Documents and Settings\David Caulford\Desktop\DSCN2131.jpg
[2011/08/18 20:17:56 | 000,000,760 | ---- | C] () -- C:\Documents and Settings\David Caulford\Application Data\Microsoft\Internet Explorer\Quick Launch\InfraRecorder.lnk
[2011/08/18 20:17:56 | 000,000,742 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\InfraRecorder.lnk
[2011/08/18 20:17:19 | 004,090,912 | ---- | C] () -- C:\Program Files\InfraRecorder.exe
[2011/08/12 22:27:09 | 000,000,080 | ---- | C] () -- C:\WINDOWS\explorer.scf
[2011/06/22 15:27:50 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\IPPCPUID.DLL
[2011/06/22 15:26:34 | 000,028,672 | ---- | C] () -- C:\WINDOWS\hookdllX.dll
[2011/06/22 15:26:34 | 000,011,776 | ---- | C] () -- C:\WINDOWS\System32\pmsbfn32.dll
[2011/06/22 15:16:10 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\LXBXPMON.DLL
[2011/06/22 15:16:10 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\LXBXFXPU.DLL
[2011/06/22 09:30:57 | 000,011,264 | R--- | C] () -- C:\WINDOWS\System32\TEKYUV.DLL
[2011/06/22 09:30:53 | 000,266,240 | R--- | C] () -- C:\WINDOWS\System32\rmp4.dll
[2011/06/22 09:30:53 | 000,045,056 | R--- | C] () -- C:\WINDOWS\System32\dsrmp4.dll
[2011/06/22 09:30:52 | 000,143,360 | ---- | C] () -- C:\WINDOWS\System32\mpegdecoder.dll
[2011/06/22 09:30:52 | 000,023,552 | R--- | C] () -- C:\WINDOWS\System32\pdi.dll
[2011/06/22 09:30:50 | 000,045,056 | R--- | C] () -- C:\WINDOWS\System32\ogg.dll
[2011/06/22 09:30:47 | 000,921,600 | R--- | C] () -- C:\WINDOWS\System32\vorbisenc.dll
[2011/06/22 09:30:47 | 000,237,568 | R--- | C] () -- C:\WINDOWS\System32\OggDS.dll
[2011/06/22 09:30:47 | 000,188,416 | R--- | C] () -- C:\WINDOWS\System32\vorbis.dll
[2011/06/22 09:30:46 | 000,000,702 | R--- | C] () -- C:\WINDOWS\MMTVMJ.INI
[2011/06/22 09:30:45 | 000,057,344 | R--- | C] () -- C:\WINDOWS\System32\MMTray2k.exe
[2011/06/22 09:30:45 | 000,000,761 | R--- | C] () -- C:\WINDOWS\M3JP2K.INI
[2011/06/22 09:30:45 | 000,000,714 | R--- | C] () -- C:\WINDOWS\m3jpeg.ini
[2011/06/22 09:30:36 | 000,413,760 | R--- | C] () -- C:\WINDOWS\System32\mpg4c32.dll
[2011/06/22 09:30:31 | 000,019,968 | ---- | C] () -- C:\WINDOWS\System32\cpuinf32.dll
[2011/06/22 09:30:27 | 000,077,664 | R--- | C] () -- C:\WINDOWS\System32\IR21_R.DLL
[2011/06/22 09:30:23 | 000,152,064 | R--- | C] () -- C:\WINDOWS\System32\unrar.dll
[2011/06/22 09:30:14 | 000,092,672 | R--- | C] () -- C:\WINDOWS\System32\ASUSASV2.dll
[2011/06/22 09:30:14 | 000,071,680 | R--- | C] () -- C:\WINDOWS\System32\ASUSASV1.DLL
[2011/06/22 09:30:14 | 000,066,560 | R--- | C] () -- C:\WINDOWS\System32\atiyuv12.dll
[2011/06/22 09:30:11 | 000,507,904 | ---- | C] () -- C:\WINDOWS\System32\xvid.dll
[2011/06/22 09:30:11 | 000,482,816 | R--- | C] () -- C:\WINDOWS\System32\VFCodec.dll
[2011/06/22 09:30:11 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\AVIWRAP.DLL
[2011/06/22 09:30:10 | 000,047,104 | R--- | C] () -- C:\WINDOWS\System32\KMVIDC32.DLL
[2011/06/22 09:30:01 | 000,114,688 | R--- | C] () -- C:\WINDOWS\System32\AVIZLIB.DLL
[2011/06/22 09:30:01 | 000,069,632 | R--- | C] () -- C:\WINDOWS\System32\AVIMSZH.DLL
[2011/06/22 09:29:56 | 000,389,120 | ---- | C] () -- C:\WINDOWS\System32\OpenQuicktimeLib.dll
[2011/06/22 09:29:56 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\libfaad.dll
[2011/06/20 08:07:00 | 000,000,064 | ---- | C] () -- C:\WINDOWS\System32\rp_stats.dat
[2011/06/20 08:07:00 | 000,000,044 | ---- | C] () -- C:\WINDOWS\System32\rp_rules.dat
[2011/06/02 22:28:56 | 000,000,010 | ---- | C] () -- C:\WINDOWS\popcinfo.dat
[2011/06/02 21:37:31 | 000,043,520 | ---- | C] () -- C:\WINDOWS\System32\CmdLineExt03.dll
[2010/06/18 20:59:11 | 000,016,432 | ---- | C] () -- C:\WINDOWS\System32\lsdelete.exe
[2010/06/13 11:13:49 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/05/14 11:32:42 | 000,000,335 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2010/04/25 09:59:49 | 000,000,068 | ---- | C] () -- C:\WINDOWS\Taxact09.ini
[2010/04/09 20:35:11 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2010/04/05 00:03:00 | 000,000,031 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\.zreglib
[2010/04/04 00:27:07 | 000,000,356 | ---- | C] () -- C:\WINDOWS\SBWIN.INI
[2010/03/29 11:35:09 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2010/03/28 10:34:47 | 000,000,000 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2010/03/28 02:32:05 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2010/03/28 02:27:57 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2010/03/28 01:08:57 | 000,205,824 | ---- | C] () -- C:\Documents and Settings\David Caulford\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/03/28 00:40:59 | 004,703,784 | ---- | C] () -- C:\WINDOWS\System32\dxmedia.exe
[2010/03/28 00:40:58 | 000,013,312 | ---- | C] () -- C:\WINDOWS\System32\vp3clean.exe
[2010/03/28 00:40:54 | 000,795,548 | ---- | C] () -- C:\WINDOWS\System32\ica2.dll
[2010/03/28 00:40:24 | 000,056,832 | R--- | C] () -- C:\WINDOWS\System32\Iyvu9_32.dll
[2010/03/28 00:31:09 | 000,035,328 | ---- | C] () -- C:\WINDOWS\System32\INETWH32.DLL
[2010/03/28 00:31:09 | 000,009,136 | ---- | C] () -- C:\WINDOWS\System32\INETWH16.DLL
[2010/03/27 23:50:05 | 000,000,438 | ---- | C] () -- C:\WINDOWS\hpfsched.ini
[2010/03/27 18:20:46 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2010/03/27 18:19:53 | 000,116,560 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2006/12/31 11:57:08 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2005/05/03 14:38:42 | 000,064,512 | ---- | C] () -- C:\WINDOWS\System32\P17.dll
[2003/10/02 13:48:18 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\P17CPI.dll
[2003/09/29 11:27:12 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\lxbxvs.dll
[2003/08/13 12:08:10 | 000,013,203 | ---- | C] () -- C:\WINDOWS\System32\drivers\packet.sys
[2003/08/12 15:58:40 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\lttls13n.dll
[2003/08/12 15:58:32 | 000,708,608 | ---- | C] () -- C:\WINDOWS\System32\ltcry13n.dll
[2003/08/12 15:58:22 | 000,118,784 | ---- | C] () -- C:\WINDOWS\System32\lfkodak.dll
[2003/08/12 15:58:20 | 000,338,944 | ---- | C] () -- C:\WINDOWS\System32\lffpx7.dll
[2003/01/07 18:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/08/29 08:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2002/08/29 08:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2002/08/29 08:00:00 | 000,432,356 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2002/08/29 08:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2002/08/29 08:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2002/08/29 08:00:00 | 000,067,312 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2002/08/29 08:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2002/08/29 08:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2002/08/29 08:00:00 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2002/08/29 08:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2002/08/29 08:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[1999/01/22 14:46:58 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL
[1998/10/20 02:17:42 | 000,035,328 | ---- | C] () -- C:\WINDOWS\hpfsched.exe

========== LOP Check ==========

[2011/06/22 15:15:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\7100Series
[2010/10/11 09:16:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar
[2010/03/29 10:28:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9
[2011/06/15 21:05:11 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2010/03/28 00:23:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Fellowes
[2010/05/09 16:00:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
[2010/04/05 00:03:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SlySoft
[2011/06/20 07:18:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2010/08/19 05:24:17 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}
[2011/06/23 07:16:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\David Caulford\Application Data\7100Series
[2011/06/20 07:23:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\David Caulford\Application Data\ACD Systems
[2010/06/25 15:35:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\David Caulford\Application Data\CVS
[2011/06/15 20:22:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\David Caulford\Application Data\Webshots
[2011/09/06 19:20:49 | 000,000,486 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job

========== Purity Check ==========



< End of report >
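The listing above is long, and most of its entries are benign. Added here as a worked example of how a responder can read an OTL-style file listing mechanically: it is not code from this thread, from OTL, or from any tool the thread mentions. The line layout is inferred from the report; the system-directory list, the executable extensions and the 30-day window are this example's own assumptions. Six entries copied from the report serve as sample input. Note that the two lines it flags, C:\cmldr and C:\WINDOWS\PEV.exe, were created minutes after the ComboFix.exe timestamp shown in the listing, so a reviewer would correlate hits like these with the tools that were run before treating them as suspicious.

```python
"""Parse OTL-style file-listing lines and flag entries worth a second look.

Added example; this is not code from the thread, from OTL or from any other
tool named above. The line layout is inferred from the report:

    [YYYY/MM/DD HH:MM:SS | size | attrs | C-or-M] (Company) -- path

attrs is four characters, each R/H/S/D (read-only, hidden, system, directory)
or '-'; C marks a Created listing, M a Modified one; directory entries omit the
(Company) field, and "( )" or "()" means no company name was embedded.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple, Union

LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[RHSD-]{4}) \| (?P<kind>[CM])\]"
    r"(?: \((?P<company>[^)]*)\))? -- (?P<path>.+)$"
)
DATE_FMT = "%Y/%m/%d %H:%M:%S"

# Triage heuristics chosen for this example (OTL applies no such list):
# an executable with no company name in one of these locations is reviewed.
SYSTEM_DIRS = ("c:\\", "c:\\windows\\", "c:\\windows\\system32\\",
               "c:\\windows\\system32\\drivers\\")
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com")


@dataclass
class Entry:
    timestamp: datetime
    size: int
    readonly: bool
    hidden: bool
    system: bool
    is_dir: bool
    kind: str               # "C" created or "M" modified
    company: Optional[str]  # None for directories, "" when no name embedded
    path: str


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry, or None for section headers and summary lines such as
    "[4 C:\\WINDOWS\\*.tmp files -> C:\\WINDOWS\\*.tmp -> ]"."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    attrs, company = m.group("attrs"), m.group("company")
    return Entry(
        timestamp=datetime.strptime(m.group("ts"), DATE_FMT),
        size=int(m.group("size").replace(",", "")),
        readonly=attrs[0] == "R",
        hidden=attrs[1] == "H",
        system=attrs[2] == "S",
        is_dir=attrs[3] == "D",
        kind=m.group("kind"),
        company=None if company is None else company.strip(),
        path=m.group("path"),
    )


def parse_report(text: str) -> List[Entry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def parent_dir(path: str) -> str:
    """'C:\\WINDOWS\\PEV.exe' -> 'c:\\windows\\' (lower-cased for comparison)."""
    return path[: path.rfind("\\") + 1].lower()


def triage(entries: List[Entry], reference: Union[str, datetime],
           days: int = 30) -> List[Tuple[str, List[str]]]:
    """Files listed within `days` before `reference` that are either
    hidden+system or unattributed executables in a system location."""
    if isinstance(reference, str):
        reference = datetime.strptime(reference, DATE_FMT)
    cutoff = reference - timedelta(days=days)
    findings = []
    for e in entries:
        if e.is_dir or e.timestamp < cutoff:
            continue
        reasons = []
        if e.hidden and e.system:
            reasons.append("hidden+system file")
        if (e.company == "" and parent_dir(e.path) in SYSTEM_DIRS
                and e.path.lower().endswith(EXEC_EXT)):
            reasons.append("unattributed executable in system location")
        if reasons:
            findings.append((e.path, reasons))
    return findings


# Sample input: six entries copied from the report above plus one summary line.
SAMPLE_REPORT = r"""
[2011/09/06 19:25:55 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2011/09/06 19:24:09 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/09/05 12:21:50 | 000,041,272 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/09/05 12:21:30 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/04/05 00:03:00 | 000,000,031 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\.zreglib
[2002/04/11 04:41:06 | 000,065,536 | ---- | C] ( ) -- C:\WINDOWS\System32\A3d.dll
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
"""

if __name__ == "__main__":
    for path, why in triage(parse_report(SAMPLE_REPORT), "2011/09/10 00:00:00"):
        print(path, "->", ", ".join(why))
```

With the reference date set to the day after the report and the default 30-day window, only cmldr and PEV.exe are returned; widening the window to 600 days also surfaces the hidden system file .zreglib under All Users\Application Data, which is the kind of older, unattributed item the LOP check section is meant to draw attention to. The heuristics are deliberately simple; they reduce a few hundred lines to a handful a person then judges, they do not decide anything on their own.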

#10 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 10 September 2011 - 03:54 PM

Good evening. :)

You need to uninstall one of your anti-virus programs. You have both AVG Anti-Virus Free and Lavasoft Ad-Watch Live! active, and running two AVs in real time presents an opportunity for conflicts, giving less, not more, protection. Pick your favourite and get rid of the other.

If you are going to stick with AVG, you can pick up the latest, free, version from here.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The following items have been identified by ESET as potentially infected:

C:\Documents and Settings\David Caulford\My Documents\Downloads\AudioConverterSetup.exe
C:\Documents and Settings\David Caulford\My Documents\My Music\Shared\01 Track 1.wma
C:\Documents and Settings\David Caulford\My Documents\My Music\Shared\02 Track 2.wma
C:\Documents and Settings\David Caulford\My Documents\My Music\Shared\03 Track 3.wma
C:\Documents and Settings\David Caulford\My Documents\My Music\Shared\06 Track 6.wma
C:\Documents and Settings\David Caulford\My Documents\My Music\Shared\07 Track 7.wma
C:\Documents and Settings\David Caulford\My Documents\My Music\Shared\Top of Charts - 2005.wma
C:\Documents and Settings\David Caulford\My Documents\My Music\Shared\Wicked Remix.wma
X:\Documents and Settings\Clayton.OWNER-FBD660825\Shared\04 Track 4.wma
X:\Documents and Settings\Clayton.OWNER-FBD660825\Shared\Top of Charts - 2004.wma
X:\Documents and Settings\Owner\My Documents\LimeWire\love story scene asthetic.wma
X:\Documents and Settings\Owner\My Documents\LimeWire\welcome home video version extended live edition.au


I'll leave it to you to decide whether to keep them or not - you should know where you acquired them from and how likely it is that they are indeed infected and not false-positive detections.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Your copy of Adobe Reader is out of date. You can get the latest version here, feel free to uncheck the McAfee download first, or you can update from within the program itself: Help > Check for Updates...

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Your log doesn't appear to show a third-party software firewall installed - if you have one, and I've missed it, please ignore this.
If you are relying on the firewall that comes with Service Pack 2, then you need to install one. While the SP2 firewall is better than nothing, it doesn't monitor outgoing traffic, so anything malicious on your computer can 'phone home' at will.
If you are using a wireless router that comes with a NAT hardware firewall, this also doesn't monitor outgoing connections.

There are a few free firewalls available, of which the following are just three (all of which I've used at one time or another):

Comodo Firewall Pro, available here.
PC Tools Firewall Plus, available here.
Online Armor Free, available here.

It is important to note that you should only have one firewall installed at a time, but you can download them all to your Desktop and install each in turn to see which one you prefer.

Understanding and Using Firewalls: http://www.bleepingcomputer.com/tutorials/understanding-and-using-firewalls/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I want you to run your PC as normal for a few days and when you are happy that everything is fine, do the following:

Go to Start > Run, enter the following into the textbox and click OK: ComboFix /Uninstall
This will uninstall ComboFix and do a little housework besides.

Create a new Restore Point with a memorable name - this will give a clean one should you need it in the future. If you use a Restore Point from before this point you may reinstall any infection that was present at the time, so only do so if using this latest one doesn't solve any issues.
A tutorial for System Restore is available here.

Some bedtime reading: This is a very good tutorial about keeping your computer safe and secure on the internet. It's a little old, but still contains some good ideas.

So long, and thanks for all the fish.

#11 cbrooks302

  • Topic Starter
  • Members
  • 15 posts

Posted 10 September 2011 - 06:05 PM

Thank you very much. We just inherited this computer and, as it is newer and faster than ours, we decided to keep it, but we knew there were a few bugs in here that I wasn't able to clean out. It does seem to be running fantastic now.

One other question: is it possible to rename the file
C:\Documents and Settings\David Caulford
without having to reinstall all other programs to the new file name?

Clay Brooks

#12 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 11 September 2011 - 02:26 PM

Good evening. :)

Try the following linky.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The following steps will serve as a spring clean for your PC. Not all of them will be of benefit to your PC as this is a general post, but the overall effect should be positive.

1) Go to Start > Control Panel > Add/Remove Programs and remove any programs that you no longer use and then reboot your PC.

2) Download TFC by OldTimer from here and save it to your Desktop.

  • You will need to close all open programs and save any work as TFC will require a reboot.
  • Double-click TFC.exe to run it. (Note: If you are using Vista, right-click the file and select Run As Administrator from the menu that appears).
  • Click the Start button to begin. Depending on how often you clean temp files, execution time could be anywhere from a few seconds to a minute or two - just sit back and enjoy the view.
  • Once it has finished it should reboot your PC all by itself. If it does not, please manually reboot.
  • Once rebooted your PC will run like a Cray supercomputer, or at least have less junk on the hard drive - OT's not a miracle worker you know!
  • Please note that this tool will empty the Recycle Bin as part of its actions. If you have anything in there that you haven't finished with, move it first.

3) Double click My Computer.
Right click the disc drive you wish to check.
Click Properties.
In the Properties dialog box, click the Tools Tab.
Under Error-checking, click the Check Now button.
In the "Check Disc Local Disk (C:)" dialog box, check both Automatically fix file system errors and Scan for and attempt recovery of bad sectors, and then click Start.

This will look for and attempt to repair any errors that your hard drive has.

4) Defragment your hard drive. A tutorial for disc defragmentation is available here.

I happen to prefer a third-party defrag tool to the one that Windows offers. You can read about it, and find a linky, here - it's free too!

So long, and thanks for all the fish.

#13 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 17 September 2011 - 04:32 PM

As this issue appears to have been resolved, this thread is now closed.

So long, and thanks for all the fish.