Max++ infection


38 replies to this topic

#1 JayStation3 (Members, 80 posts, Location: Houston, Tx)
Posted 09 September 2011 - 02:34 PM

I was referred to this section by Boopme. I prepared everything as asked on this thread here (http://www.bleepingcomputer.com/forums/topic417601.html) and here are the logs requested. Any help is appreciated! I was unable to get DDS to run; here are the OldTimer logs instead. I tried to follow the Prep Guide but was unable to get DDS to run.

JS3

===============================================================

OTL logfile created on: 9/9/2011 2:06:03 PM - Run 1
OTL by OldTimer - Version 3.2.27.0 Folder = C:\Documents and Settings\user\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.99 Gb Total Physical Memory | 1.69 Gb Available Physical Memory | 84.74% Memory free
3.33 Gb Paging File | 3.20 Gb Available in Paging File | 96.07% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.24 Gb Total Space | 30.69 Gb Free Space | 82.41% Space Free | Partition Type: NTFS
Drive E: | 6.67 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive F: | 1.86 Gb Total Space | 1.81 Gb Free Space | 97.29% Space Free | Partition Type: FAT

Computer Name: AREA5 | User Name: user | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 60 Days

========== Processes (SafeList) ==========

PRC - File not found -- C:\WINDOWS\1970289697:3737358218.exe
PRC - [2011/09/09 13:37:56 | 000,581,120 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\user\Desktop\OTL.exe
PRC - [2011/09/05 17:19:04 | 000,085,504 | ---- | M] () -- C:\WINDOWS\Inherit.exe
PRC - [2011/09/05 17:19:04 | 000,085,504 | ---- | M] () -- C:\Documents and Settings\user\Desktop\Inherit.exe
PRC - [2011/08/11 18:38:07 | 000,116,608 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASCore.exe
PRC - [2011/04/21 07:53:48 | 000,136,360 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2000/09/29 00:58:42 | 000,130,048 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\WFXSVC.EXE


========== Modules (No Company Name) ==========

MOD - [2011/09/05 17:19:04 | 000,085,504 | ---- | M] () -- C:\WINDOWS\Inherit.exe
MOD - [2011/09/05 17:19:04 | 000,085,504 | ---- | M] () -- C:\Documents and Settings\user\Desktop\Inherit.exe
MOD - [2011/07/21 15:12:31 | 000,355,688 | ---- | M] () -- C:\Program Files\Avira\AntiVir Desktop\sqlite3.dll
MOD - [2008/06/20 11:02:47 | 000,245,248 | ---- | M] () -- \\?\globalroot\systemroot\system32\mswsock.dll
MOD - [2000/09/29 00:58:38 | 000,012,800 | ---- | M] () -- C:\WINDOWS\system32\spool\prtprocs\w32x86\WFXPNT40.DLL


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - [2011/08/11 18:38:07 | 000,116,608 | ---- | M] (SUPERAntiSpyware.com) [Auto | Running] -- C:\Program Files\SUPERAntiSpyware\SASCORE.EXE -- (!SASCORE)
SRV - [2011/07/21 12:12:16 | 000,269,480 | ---- | M] () [Auto | Stopped] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2011/04/21 07:53:48 | 000,136,360 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2010/12/01 17:51:31 | 000,307,968 | ---- | M] (TuneUp Software GmbH) [On_Demand | Stopped] -- C:\WINDOWS\system32\TuneUpDefragService.exe -- (TuneUp.Defrag)
SRV - [2008/02/27 14:15:14 | 000,028,416 | ---- | M] (TuneUp Software GmbH) [Auto | Running] -- C:\WINDOWS\system32\uxtuneup.dll -- (UxTuneUp)
SRV - [2000/09/29 00:58:42 | 000,130,048 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\WINDOWS\system32\WFXSVC.EXE -- (wfxsvc)


========== Driver Services (SafeList) ==========

DRV - [2011/07/22 11:27:02 | 000,012,880 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Documents and Settings\user\Local Settings\Temp\SAS_SelfExtract\sasdifsv.sys -- (SASDIFSV)
DRV - [2011/07/21 12:15:21 | 000,138,192 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2011/07/21 12:15:19 | 000,066,616 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2011/07/12 16:55:22 | 000,067,664 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Documents and Settings\user\Local Settings\Temp\SAS_SelfExtract\saskutil.sys -- (SASKUTIL)
DRV - [2010/07/27 04:47:30 | 000,020,096 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MRESP50.sys -- (MRESP50)
DRV - [2010/07/27 04:47:10 | 000,021,248 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MREMP50.sys -- (MREMP50)
DRV - [2010/06/17 15:27:22 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2010/06/17 15:27:12 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)
DRV - [2006/05/10 15:00:16 | 000,156,160 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2004/09/17 09:02:54 | 000,732,928 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://home.peoplepc.com/search


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1645522239-1757981266-1606980848-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search
IE - HKU\S-1-5-21-1645522239-1757981266-1606980848-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = google.com
IE - HKU\S-1-5-21-1645522239-1757981266-1606980848-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net
IE - HKU\S-1-5-21-1645522239-1757981266-1606980848-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6: C:\Program Files\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)
FF - HKLM\Software\MozillaPlugins\@Motive.com/NpMotive,version=1.0: C:\Program Files\Common Files\Motive\npMotive.dll (Alcatel-Lucent)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)



O1 HOSTS File: ([2008/04/14 07:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (no name) - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKU\S-1-5-21-1645522239-1757981266-1606980848-1004\..\Toolbar\WebBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O4 - HKLM..\Run: [ATT-SST_McciTrayApp] C:\Program Files\ATT-SST\McciTrayApp.exe (Alcatel-Lucent)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - Startup: C:\Documents and Settings\user\Start Menu\Programs\Startup\Dropbox.lnk = C:\Documents and Settings\user\Application Data\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1645522239-1757981266-1606980848-1004\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1645522239-1757981266-1606980848-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - File not found
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - File not found
O15 - HKU\S-1-5-21-1645522239-1757981266-1606980848-1004\..Trusted Domains: $talisma_url$ ([]https in Trusted sites)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{5D5FC251-6865-4C4F-98BA-580D55136D00}: DhcpNameServer = 192.168.1.254
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe ()
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O24 - Desktop WallPaper: C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O28 - HKLM ShellExecuteHooks: {A213B520-C6C2-11d0-AF9D-008029E1027E} - C:\Program Files\WinFax\WFXSEH32.DLL (Symantec Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/06/18 14:10:26 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2008/05/06 07:26:23 | 000,000,309 | R--- | M] () - E:\autorun.inf -- [ CDFS ]
O33 - MountPoints2\E\Shell - "" = AutoRun
O33 - MountPoints2\E\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\E\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- [2007/10/23 02:45:39 | 001,336,632 | R--- | M] ()
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 60 Days ==========

[2011/09/09 14:05:04 | 000,581,120 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\user\Desktop\OTL.exe
[2011/09/08 16:48:20 | 000,000,000 | R--D | C] -- C:\Documents and Settings\All Users\Documents\My Videos
[2011/09/08 16:48:20 | 000,000,000 | R--D | C] -- C:\Documents and Settings\user\Start Menu\Programs\Administrative Tools
[2011/09/08 16:44:53 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\user\Desktop\dds.scr
[2011/09/06 19:26:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\SUPERAntiSpyware
[2011/09/06 19:26:29 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2011/09/06 19:15:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Application Data\SUPERAntiSpyware.com
[2011/09/06 19:15:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2011/09/06 18:59:50 | 012,532,384 | ---- | C] (SUPERAntiSpyware.com) -- C:\Documents and Settings\user\Desktop\SUPERAntiSpyware.exe
[2011/09/05 20:49:21 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2011/09/05 17:25:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Application Data\Malwarebytes
[2011/09/05 17:25:29 | 000,041,272 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/09/05 17:25:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/09/05 17:25:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2011/09/05 17:25:26 | 000,022,712 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/09/05 17:25:26 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/09/05 17:21:40 | 009,545,312 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\user\Desktop\mbam-setup.exe
[2011/09/05 13:24:48 | 000,000,000 | -H-D | C] -- C:\WINDOWS\PIF
[2011/09/05 13:16:19 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2011/09/05 12:42:15 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\user\Recent
[2011/09/05 12:19:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Avira
[2011/09/05 12:19:23 | 000,028,520 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\ssmdrv.sys
[2011/09/05 12:19:21 | 000,138,192 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys
[2011/09/05 12:19:21 | 000,066,616 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys
[2011/09/05 12:19:21 | 000,045,416 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntdd.sys
[2011/09/05 12:19:21 | 000,022,360 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntmgr.sys
[2011/09/05 12:19:21 | 000,000,000 | ---D | C] -- C:\Program Files\Avira
[2011/09/01 13:05:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2011/09/01 12:53:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Application Data\Avira
[2011/09/01 12:51:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Avira
[2011/09/01 12:25:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Application Data\Avant Downloader
[2011/08/30 19:48:56 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2011/08/27 17:18:42 | 000,000,000 | -HSD | C] -- C:\WINDOWS\assembly
[2011/08/23 17:52:50 | 000,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbd106.dll
[2011/08/23 17:52:50 | 000,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbd106.dll
[2011/08/22 16:37:11 | 000,000,000 | ---D | C] -- C:\WINDOWS\Sun
[2011/07/14 17:56:34 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\user\IECompatCache
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 60 Days ==========

[2011/09/09 14:01:04 | 000,085,504 | ---- | M] () -- C:\Inherit.exe
[2011/09/09 14:00:05 | 000,000,484 | ---- | M] () -- C:\WINDOWS\tasks\1-Click Maintenance.job
[2011/09/09 13:47:12 | 000,000,000 | ---- | M] () -- C:\WINDOWS\1970289697
[2011/09/09 13:47:10 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/09/09 13:37:56 | 000,581,120 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\user\Desktop\OTL.exe
[2011/09/08 17:32:35 | 000,002,521 | ---- | M] () -- C:\Documents and Settings\user\Desktop\Email.lnk
[2011/09/08 16:46:26 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\user\defogger_reenable
[2011/09/08 16:38:32 | 000,294,216 | ---- | M] () -- C:\Documents and Settings\user\Desktop\gmer.zip
[2011/09/08 16:37:20 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\user\Desktop\dds.scr
[2011/09/08 16:36:48 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\user\Desktop\Defogger.exe
[2011/09/08 14:05:46 | 000,000,000 | -HS- | M] () -- C:\WINDOWS\{2521BB91-29B1-4d7e-9137-AC9875D77735}
[2011/09/08 13:12:02 | 000,047,616 | ---- | M] () -- C:\Documents and Settings\user\Desktop\Win32kDiag.exe
[2011/09/07 14:05:04 | 000,294,400 | ---- | M] () -- C:\Documents and Settings\user\Desktop\exeHelper.com
[2011/09/06 19:26:36 | 000,001,678 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2011/09/06 19:11:06 | 017,050,016 | ---- | M] () -- C:\Documents and Settings\user\Desktop\SAS_17012.COM
[2011/09/06 18:59:55 | 012,532,384 | ---- | M] (SUPERAntiSpyware.com) -- C:\Documents and Settings\user\Desktop\SUPERAntiSpyware.exe
[2011/09/05 19:12:52 | 001,008,092 | ---- | M] () -- C:\Documents and Settings\user\Desktop\rkill.scr
[2011/09/05 19:11:59 | 000,000,335 | ---- | M] () -- C:\Documents and Settings\user\Desktop\FixExe.reg
[2011/09/05 17:23:02 | 000,380,815 | ---- | M] () -- C:\Documents and Settings\user\Desktop\MiniToolBox.exe
[2011/09/05 17:21:40 | 009,545,312 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\user\Desktop\mbam-setup.exe
[2011/09/05 17:19:04 | 000,085,504 | ---- | M] () -- C:\WINDOWS\Inherit.exe
[2011/09/05 17:19:04 | 000,085,504 | ---- | M] () -- C:\Documents and Settings\user\Desktop\Inherit.exe
[2011/09/05 13:16:03 | 001,402,880 | ---- | M] () -- C:\Documents and Settings\user\Desktop\HijackThis.msi
[2011/09/05 13:03:19 | 000,388,608 | ---- | M] () -- C:\Documents and Settings\user\Desktop\HijackThis.exe
[2011/09/05 12:20:01 | 000,001,707 | ---- | M] () -- C:\Documents and Settings\user\Application Data\Microsoft\Internet Explorer\Quick Launch\Avira AntiVir Control Center.lnk
[2011/09/01 12:48:35 | 000,043,408 | -HS- | M] () -- C:\WINDOWS\System32\c_74702.nl_
[2011/09/01 12:25:05 | 000,001,598 | ---- | M] () -- C:\Documents and Settings\user\Application Data\Microsoft\Internet Explorer\Quick Launch\Avant Browser.lnk
[2011/08/27 16:12:10 | 000,002,855 | ---- | M] () -- C:\Documents and Settings\user\Desktop\Data Entry.pif
[2011/08/22 13:11:40 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/07/25 10:17:44 | 005,969,920 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mshtml.dll
[2011/07/21 12:15:21 | 000,138,192 | ---- | M] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys
[2011/07/21 12:15:19 | 000,066,616 | ---- | M] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys
[2011/07/16 22:21:04 | 000,302,592 | ---- | M] () -- C:\Documents and Settings\user\Desktop\gmer.exe
[2011/07/15 08:29:31 | 000,456,320 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mrxsmb.sys
[2011/07/13 13:52:32 | 000,212,080 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/09/09 14:03:25 | 000,085,504 | ---- | C] () -- C:\Inherit.exe
[2011/09/09 13:51:25 | 000,085,504 | ---- | C] () -- C:\WINDOWS\Inherit.exe
[2011/09/08 17:24:13 | 000,302,592 | ---- | C] () -- C:\Documents and Settings\user\Desktop\gmer.exe
[2011/09/08 16:46:26 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\user\defogger_reenable
[2011/09/08 16:44:51 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\user\Desktop\Defogger.exe
[2011/09/08 16:44:40 | 000,294,216 | ---- | C] () -- C:\Documents and Settings\user\Desktop\gmer.zip
[2011/09/08 14:05:46 | 000,000,000 | -HS- | C] () -- C:\WINDOWS\{2521BB91-29B1-4d7e-9137-AC9875D77735}
[2011/09/08 14:02:54 | 000,047,616 | ---- | C] () -- C:\Documents and Settings\user\Desktop\Win32kDiag.exe
[2011/09/07 14:41:36 | 000,294,400 | ---- | C] () -- C:\Documents and Settings\user\Desktop\exeHelper.com
[2011/09/07 13:37:53 | 017,050,016 | ---- | C] () -- C:\Documents and Settings\user\Desktop\SAS_17012.COM
[2011/09/06 19:26:36 | 000,001,678 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2011/09/05 19:12:43 | 001,008,092 | ---- | C] () -- C:\Documents and Settings\user\Desktop\rkill.scr
[2011/09/05 19:11:58 | 000,000,335 | ---- | C] () -- C:\Documents and Settings\user\Desktop\FixExe.reg
[2011/09/05 17:23:02 | 000,380,815 | ---- | C] () -- C:\Documents and Settings\user\Desktop\MiniToolBox.exe
[2011/09/05 17:19:04 | 000,085,504 | ---- | C] () -- C:\Documents and Settings\user\Desktop\Inherit.exe
[2011/09/05 13:15:51 | 001,402,880 | ---- | C] () -- C:\Documents and Settings\user\Desktop\HijackThis.msi
[2011/09/05 13:03:17 | 000,388,608 | ---- | C] () -- C:\Documents and Settings\user\Desktop\HijackThis.exe
[2011/09/05 12:20:01 | 000,001,707 | ---- | C] () -- C:\Documents and Settings\user\Application Data\Microsoft\Internet Explorer\Quick Launch\Avira AntiVir Control Center.lnk
[2011/09/01 12:48:35 | 000,043,408 | -HS- | C] () -- C:\WINDOWS\System32\c_74702.nl_
[2011/08/27 17:14:11 | 000,000,000 | ---- | C] () -- C:\WINDOWS\1970289697
[2011/03/08 19:59:05 | 000,003,584 | ---- | C] () -- C:\Documents and Settings\user\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/12/01 13:27:30 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2010/11/30 14:26:25 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\RegHero.exe
[2010/11/30 14:26:25 | 000,010,752 | ---- | C] () -- C:\WINDOWS\System32\PopWait.exe
[2010/11/30 14:16:35 | 000,000,000 | ---- | C] () -- C:\WINDOWS\WTNSETUP.INI
[2010/11/30 14:10:59 | 000,037,888 | ---- | C] () -- C:\WINDOWS\System32\DCCWFP32.DLL
[2010/11/30 14:10:59 | 000,000,250 | ---- | C] () -- C:\WINDOWS\WINFAX.INI
[2010/11/30 14:10:58 | 000,017,920 | ---- | C] () -- C:\WINDOWS\System32\IMPLODE.DLL
[2010/06/18 15:49:12 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2010/06/18 14:56:01 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\hkcmd.exe
[2010/06/18 14:13:01 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2010/06/18 14:06:53 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2010/06/18 08:59:11 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2010/06/18 08:57:44 | 000,212,080 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2008/04/14 07:00:00 | 001,033,728 | ---- | C] () -- C:\WINDOWS\explorer.exe
[2008/04/14 07:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2008/04/14 07:00:00 | 000,389,120 | ---- | C] () -- C:\WINDOWS\System32\cmd.exe
[2008/04/14 07:00:00 | 000,314,508 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2008/04/14 07:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2008/04/14 07:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2008/04/14 07:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2008/04/14 07:00:00 | 000,040,836 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2008/04/14 07:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2008/04/14 07:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2008/04/14 07:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2008/04/14 07:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2005/04/15 11:52:33 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2005/04/15 11:52:33 | 000,004,627 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2003/01/07 16:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== Alternate Data Streams ==========

@Alternate Data Stream - 95 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
@Alternate Data Stream - 88 bytes -> C:\Documents and Settings\user\Desktop\Data Entry.pif:SummaryInformation
@Alternate Data Stream - 816 bytes -> C:\WINDOWS\1970289697:3737358218.exe

< End of report >

==========================================================================================

OTL Extras logfile created on: 9/9/2011 2:06:03 PM - Run 1
OTL by OldTimer - Version 3.2.27.0 Folder = C:\Documents and Settings\user\Desktop

========== Extra Registry (All) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.bat [@ = batfile] -- "%1" %*
.chm [@ = chm.file] -- C:\WINDOWS\hh.exe (Microsoft Corporation)
.cmd [@ = cmdfile] -- "%1" %*
.com [@ = comfile] -- "%1" %*
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.exe [@ = exefile] -- "%1" %*
.hlp [@ = hlpfile] -- C:\WINDOWS\System32\winhlp32.exe (Microsoft Corporation)
.hta [@ = htafile] -- C:\WINDOWS\System32\mshta.exe (Microsoft Corporation)
.html [@ = htmlfile] -- C:\Program Files\Avant Browser\avant.exe (Avant Force)
.inf [@ = inffile] -- C:\WINDOWS\System32\NOTEPAD.EXE (Microsoft Corporation)
.ini [@ = inifile] -- C:\WINDOWS\System32\NOTEPAD.EXE (Microsoft Corporation)
.url [@ = InternetShortcut] -- C:\Program Files\Avant Browser\avant.exe (Avant Force)
.js [@ = JSFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.jse [@ = JSEFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.pif [@ = piffile] -- "%1" %*
.reg [@ = regfile] -- C:\WINDOWS\regedit.exe (Microsoft Corporation)
.scr [@ = scrfile] -- "%1" /S
.txt [@ = txtfile] -- C:\WINDOWS\System32\NOTEPAD.EXE (Microsoft Corporation)
.vbe [@ = VBEFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.vbs [@ = VBSFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.wsf [@ = WSFFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.wsh [@ = WSHFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [edit] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
batfile [open] -- "%1" %*
batfile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
chm.file [open] -- "C:\WINDOWS\hh.exe" %1 (Microsoft Corporation)
cmdfile [edit] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
cmdfile [open] -- "%1" %*
cmdfile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
helpfile [open] -- winhlp32.exe %1 (Microsoft Corporation)
hlpfile [open] -- %SystemRoot%\System32\winhlp32.exe %1 (Microsoft Corporation)
htafile [open] -- C:\WINDOWS\system32\mshta.exe "%1" %* (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Avant Browser\avant.exe" "%1" (Avant Force)
htmlfile [opennew] -- "C:\Program Files\Avant Browser\avant.exe" "%1" (Avant Force)
htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Avant Browser\avant.exe" "%1" (Avant Force)
https [open] -- "C:\Program Files\Avant Browser\avant.exe" "%1" (Avant Force)
inffile [install] -- %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1 (Microsoft Corporation)
inffile [open] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
inffile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
inifile [open] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
inifile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
InternetShortcut [open] -- "C:\Program Files\Avant Browser\avant.exe" "%1" (Avant Force)
InternetShortcut [print] -- "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
jsfile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
jsfile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
jsfile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
jsefile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
jsefile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
jsefile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [edit] -- %SystemRoot%\system32\NOTEPAD.EXE %1 (Microsoft Corporation)
regfile [open] -- regedit.exe "%1" (Microsoft Corporation)
regfile [merge] -- Reg Error: Key error.
regfile [print] -- %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
txtfile [open] -- %SystemRoot%\system32\NOTEPAD.EXE %1 (Microsoft Corporation)
txtfile [print] -- %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
txtfile [printto] -- %SystemRoot%\system32\notepad.exe /pt "%1" "%2" "%3" "%4" (Microsoft Corporation)
vbefile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
vbefile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
vbefile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
vbsfile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
vbsfile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
vbsfile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
wsffile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
wsffile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
wsffile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
wshfile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L ()
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L ()
Drive [find] -- %SystemRoot%\Explorer.exe ()
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\AVG\AVG10\avgmfapx.exe" = C:\Program Files\AVG\AVG10\avgmfapx.exe:*:Enabled:AVG Installer
"C:\Documents and Settings\user\Application Data\Dropbox\bin\Dropbox.exe" = C:\Documents and Settings\user\Application Data\Dropbox\bin\Dropbox.exe:*:Enabled:Dropbox -- (Dropbox, Inc.)
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- (Yahoo! Inc.)
"C:\Program Files\ATT-HSI\McciBrowser.exe" = C:\Program Files\ATT-HSI\McciBrowser.exe:*:Enabled:motivebrowser.exe -- (Alcatel-Lucent)
"C:\WINDOWS\explorer.exe" = C:\WINDOWS\explorer.exe:*:Disabled:Windows Explorer -- ()
"C:\Program Files\Avira\AntiVir PersonalEdition Classic\update.exe" = C:\Program Files\Avira\AntiVir PersonalEdition Classic\update.exe:*:Disabled:Antivirus Updater
"C:\Program Files\Avira\AntiVir PersonalEdition Classic\avnotify.exe" = C:\Program Files\Avira\AntiVir PersonalEdition Classic\avnotify.exe:*:Disabled:Notification Tool
"C:\Program Files\Avant Browser\ybrowser.exe" = C:\Program Files\Avant Browser\ybrowser.exe:*:Enabled:Avant Browser -- (Avant Force)
"C:\Program Files\CCleaner\CCleaner.exe" = C:\Program Files\CCleaner\CCleaner.exe:*:Enabled:CCleaner -- (Piriform Ltd)
"C:\Documents and Settings\All Users\Application Data\Yahoo!\YUpdater\yupdater.exe" = C:\Documents and Settings\All Users\Application Data\Yahoo!\YUpdater\yupdater.exe:*:Enabled:Yahoo Auto Updater -- (Yahoo! Inc.)
"C:\Program Files\Avant Browser\adownloader.exe" = C:\Program Files\Avant Browser\adownloader.exe:*:Enabled:adownloader -- ()
"C:\Program Files\Avira\AntiVir Desktop\update.exe" = C:\Program Files\Avira\AntiVir Desktop\update.exe:*:Enabled:product updater -- (Avira GmbH)
"C:\Program Files\SpywareBlaster\spywareblaster.exe" = C:\Program Files\SpywareBlaster\spywareblaster.exe:*:Enabled:SpywareBlaster -- ()
"C:\Program Files\Adobe\Reader 10.0\Reader\AcroRd32.exe" = C:\Program Files\Adobe\Reader 10.0\Reader\AcroRd32.exe:*:Enabled:Adobe Reader -- (Adobe Systems Incorporated)
"C:\Program Files\Avira\AntiVir Desktop\setup.exe" = C:\Program Files\Avira\AntiVir Desktop\setup.exe:*:Enabled:setup -- (Avira GmbH)
"C:\Documents and Settings\user\Local Settings\Temp\RarSFX0\apnstub.exe" = C:\Documents and Settings\user\Local Settings\Temp\RarSFX0\apnstub.exe:*:Enabled:AskStub Application
"C:\Documents and Settings\user\Local Settings\Temp\RarSFX0\fact.exe" = C:\Documents and Settings\user\Local Settings\Temp\RarSFX0\fact.exe:*:Enabled:Product activation tool
"C:\Program Files\Avira\AntiVir Desktop\avnotify.exe" = C:\Program Files\Avira\AntiVir Desktop\avnotify.exe:*:Enabled:Notification Tool -- (Avira GmbH)
"C:\Program Files\Avant Browser\avant.exe" = C:\Program Files\Avant Browser\avant.exe:*:Enabled:Avant Browser -- (Avant Force)
"C:\Program Files\Avira\AntiVir Desktop\apnstub.exe" = C:\Program Files\Avira\AntiVir Desktop\apnstub.exe:*:Enabled:AskStub Application -- (Ask.com)
"C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" = C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe:*:Enabled:Malwarebytes' Anti-Malware -- ()
"C:\Documents and Settings\user\Application Data\U3\1536110F29D0F1FD\LaunchPad.exe" = C:\Documents and Settings\user\Application Data\U3\1536110F29D0F1FD\LaunchPad.exe:*:Enabled:LaunchPad Application -- ()
"C:\Program Files\ESET\ESET Online Scanner\OnlineCmdLineScanner.exe" = C:\Program Files\ESET\ESET Online Scanner\OnlineCmdLineScanner.exe:*:Enabled:OnlineCmdLineScanner -- ()


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{08E81ABD-79F7-49C2-881F-FD6CB0975693}" = Roxio Creator Data
"{09760D42-E223-42AD-8C3E-55B47D0DDAC3}" = Roxio Creator DE
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{1F54DAFA-9261-4A62-B59D-6C9F26B48FE4}" = Roxio Creator Tools
"{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java™ 6 Update 20
"{281ECE39-F043-492B-8337-F2E546B5604A}" = PowerDVD
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Roxio Update Manager
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{5888428E-699C-4E71-BF71-94EE06B497DA}" = TuneUp Utilities 2008
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler 3
"{6ADD0603-16EF-400D-9F9E-486432835002}" = OpenOffice.org 3.2
"{73A4F29F-31AC-4EBD-AA1B-0CC5F18C8F83}" = Roxio Creator Audio
"{7E369B27-13E2-41A5-9879-358EE1C8B5AD}" = Broadcom Gigabit Integrated Controller
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Graphics Media Accelerator Driver
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.0)
"{AFF7E080-1974-45BF-9310-10DE1A1F5ED0}" = Adobe AIR
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B6A26DE5-F2B5-4D58-9570-4FC760E00FCD}" = Roxio Creator Copy
"{C1008475-75B2-4475-B98C-51FAE8B62960}" = Concord WinFax Plugin v3.0
"{ED439A64-F018-4DD4-8BA5-328D85AB09AB}" = Roxio Creator DE
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"ATT-SST" = AT&T Service & Support Tool
"AvantBrowser" = Avant Browser (remove only)
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"CCleaner" = CCleaner
"ESET Online Scanner" = ESET Online Scanner v3
"ie8" = Windows Internet Explorer 8
"LiveReg" = LiveReg (Symantec Corporation)
"LiveUpdate" = LiveUpdate 1.80 (Symantec Corporation)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.1.1800
"SpywareBlaster_is1" = SpywareBlaster 4.4
"WinFax" = Symantec WinFax PRO
"WinRAR archiver" = WinRAR archiver
"Yahoo! Messenger" = Yahoo! Messenger

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1645522239-1757981266-1606980848-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Dropbox" = Dropbox

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 4/22/2011 5:23:40 PM | Computer Name = AREA5 | Source = crypt32 | ID = 131077
Description = Failed auto update retrieval of third-party root certificate from:
<http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/3921C115C15D0ECA5CCB5BC4F07D21D8050B566A.crt>
with error: This operation returned because the timeout period expired.

Error - 4/22/2011 5:23:40 PM | Computer Name = AREA5 | Source = crypt32 | ID = 131077
Description = Failed auto update retrieval of third-party root certificate from:
<http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/3921C115C15D0ECA5CCB5BC4F07D21D8050B566A.crt>
with error: The specified server cannot perform the requested operation.

Error - 5/3/2011 9:07:29 PM | Computer Name = AREA5 | Source = Application Error | ID = 1000
Description = Faulting application avant.exe, version 11.8.0.131, faulting module
kernel32.dll, version 5.1.2600.5781, fault address 0x00012afb.

Error - 5/7/2011 5:10:27 PM | Computer Name = AREA5 | Source = Application Hang | ID = 1002
Description = Hanging application avant.exe, version 11.8.0.131, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 5/7/2011 5:46:58 PM | Computer Name = AREA5 | Source = Application Hang | ID = 1002
Description = Hanging application avant.exe, version 11.8.0.131, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

[ Application Events ]
Error - 4/22/2011 5:23:40 PM | Computer Name = AREA5 | Source = crypt32 | ID = 131077
Description = Failed auto update retrieval of third-party root certificate from:
<http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/3921C115C15D0ECA5CCB5BC4F07D21D8050B566A.crt>
with error: This operation returned because the timeout period expired.

Error - 4/22/2011 5:23:40 PM | Computer Name = AREA5 | Source = crypt32 | ID = 131077
Description = Failed auto update retrieval of third-party root certificate from:
<http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/3921C115C15D0ECA5CCB5BC4F07D21D8050B566A.crt>
with error: The specified server cannot perform the requested operation.

Error - 5/3/2011 9:07:29 PM | Computer Name = AREA5 | Source = Application Error | ID = 1000
Description = Faulting application avant.exe, version 11.8.0.131, faulting module
kernel32.dll, version 5.1.2600.5781, fault address 0x00012afb.

Error - 5/7/2011 5:10:27 PM | Computer Name = AREA5 | Source = Application Hang | ID = 1002
Description = Hanging application avant.exe, version 11.8.0.131, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 5/7/2011 5:46:58 PM | Computer Name = AREA5 | Source = Application Hang | ID = 1002
Description = Hanging application avant.exe, version 11.8.0.131, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 9/9/2011 2:56:35 PM | Computer Name = AREA5 | Source = Service Control Manager | ID = 7031
Description = The SAS Core Service service terminated unexpectedly. It has done
this 1 time(s). The following corrective action will be taken in 1000 milliseconds:
Restart the service.

Error - 9/9/2011 3:05:26 PM | Computer Name = AREA5 | Source = Service Control Manager | ID = 7031
Description = The SAS Core Service service terminated unexpectedly. It has done
this 1 time(s). The following corrective action will be taken in 1000 milliseconds:
Restart the service.

Error - 9/9/2011 3:12:25 PM | Computer Name = AREA5 | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 9/9/2011 3:12:29 PM | Computer Name = AREA5 | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 9/9/2011 3:12:33 PM | Computer Name = AREA5 | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 9/9/2011 3:12:37 PM | Computer Name = AREA5 | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 9/9/2011 3:16:27 PM | Computer Name = AREA5 | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 9/9/2011 3:16:31 PM | Computer Name = AREA5 | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 9/9/2011 3:16:35 PM | Computer Name = AREA5 | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 9/9/2011 3:16:39 PM | Computer Name = AREA5 | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.


< End of report >
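The Security Center, System Restore and Firewall sections of the report above are the part of an OTL log a responder reads first: AntiVirusOverride set to 1, DisableSR set to 1 with the Sr driver at Start=4, an enabled exception for port 3389 with scope *, and firewall exceptions for binaries that ran out of a Temp folder are all settings that weaken the machine before any malware is named. The following Python script is an added example, not OTL's code and not part of the original post; it parses those key/value sections from a constructed, cut-down copy of the log text shown above and returns the findings a triager would want listed.

```python
"""Triage the settings sections of an OTL log for values a responder should question.

Added example for this thread (not OTL's code and not from the original post).
SAMPLE_OTL is a constructed, cut-down copy of the sections shown in the log above.
"""
import re
from typing import Dict, List

SAMPLE_OTL = r"""
========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 0

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 4

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\CCleaner\CCleaner.exe" = C:\Program Files\CCleaner\CCleaner.exe:*:Enabled:CCleaner -- (Piriform Ltd)
"C:\Documents and Settings\user\Local Settings\Temp\RarSFX0\fact.exe" = C:\Documents and Settings\user\Local Settings\Temp\RarSFX0\fact.exe:*:Enabled:Product activation tool
"""

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')

SECURITY_CENTER = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center"
SYSTEM_RESTORE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore"
SR_SERVICE = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr"


def parse_registry_dump(text: str) -> Dict[str, Dict[str, str]]:
    """Map each [HKEY_...] header in the log to its "name" = data lines."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current = key_match.group(1)
            keys.setdefault(current, {})
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current is not None:
            keys[current][value_match.group(1)] = value_match.group(2).strip()
    return keys


def triage(text: str) -> List[str]:
    """Return one finding per setting that weakens the machine's defences."""
    keys = parse_registry_dump(text)
    findings: List[str] = []

    if keys.get(SECURITY_CENTER, {}).get("AntiVirusOverride") == "1":
        findings.append("Security Center: AntiVirusOverride=1, antivirus status alerts are suppressed")
    if keys.get(SYSTEM_RESTORE, {}).get("DisableSR") == "1":
        findings.append("System Restore: DisableSR=1, restore points are not being created")
    if keys.get(SR_SERVICE, {}).get("Start") == "4":
        findings.append("System Restore: Sr filter driver Start=4 (disabled)")

    for key, values in keys.items():
        if key.endswith(r"\GloballyOpenPorts\List"):
            # Value data is port:proto:scope:state:description; scope '*' means any address.
            for data in values.values():
                parts = data.split(":")
                if len(parts) >= 4 and parts[2] == "*" and parts[3] == "Enabled":
                    findings.append(f"Firewall: port {parts[0]}/{parts[1]} open to any remote address")
        elif key.endswith(r"\AuthorizedApplications\List"):
            # An exception for a binary in a Temp folder outlives the installer that made it.
            for path, data in values.items():
                if "\\temp\\" in path.lower() and ":Enabled:" in data:
                    findings.append(f"Firewall: enabled exception for temporary-folder binary {path}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_OTL):
        print(finding)
```

The parser keys off OTL's own `[HKEY_...]` headers and `"name" = data` lines, so it runs unchanged on a saved OTL.txt; the subnet-scoped NetBIOS ports (139, 445, 137, 138) are deliberately not reported, since only the any-address scope is the finding.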

#2 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:04:54 PM

Posted 12 September 2011 - 09:11 AM

Hi

Please run the following:


Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

    :processes 
    C:\WINDOWS\1970289697:3737358218.exe
    
    :OTL
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
    O2 - BHO: (no name) - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
    O3 - HKU\S-1-5-21-1645522239-1757981266-1606980848-1004\..\Toolbar\WebBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
    O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - File not found
    [2011/09/09 13:47:12 | 000,000,000 | ---- | M] () -- C:\WINDOWS\1970289697
    [2011/09/08 14:05:46 | 000,000,000 | -HS- | M] () -- C:\WINDOWS\{2521BB91-29B1-4d7e-9137-AC9875D77735}
    [2011/09/01 12:48:35 | 000,043,408 | -HS- | M] () -- C:\WINDOWS\System32\c_74702.nl_
    @Alternate Data Stream - 816 bytes -> C:\WINDOWS\1970289697:3737358218.exe
    
    :Files
    ipconfig /flushdns /c
    
    :Commands
    [resethosts]
    [emptyflash]
    [purity]
    [emptytemp]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then post the OTL log



NEXT


  • Please download aswMBR.exe and save it to your desktop.
  • Double click aswMBR.exe to start the tool. (Vista/Windows 7 users - right click to run as administrator)
  • Click Scan

  • Upon completion of the scan, click Save log and save it to your desktop, and post that log in your next reply for review. Note - do NOT attempt any Fix yet.
  • You will also notice another file created on the desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) file. Attach that zipped file in your next reply as well.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 JayStation3

JayStation3
  • Topic Starter

  • Members
  • 80 posts
  • OFFLINE
  •  
  • Location:Houston,Tx
  • Local time:03:54 PM

Posted 12 September 2011 - 12:48 PM

Ok, I ran OTL and it scanned for a few seconds then disappeared. It did not create a log. Then I ran the other program you asked me to run and it also scanned for only a few seconds and then disappeared. When I tried to reload both programs, they both gave me errors saying that I did not have the permissions to run the app... I tried the inherit fix, and it gave me the same error...

#4 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:04:54 PM

Posted 12 September 2011 - 08:12 PM

Hi

Please download the following program and save it directly to your c:\ drive, rename it to iexplore before saving it

Link 1


Now boot into safe mode with networking to run it

make sure your security programs are disabled and all other windows are closed:


To Enter Safemode
  • Go to Start> Shut off your Computer> Restart
  • As the computer starts to boot-up, Tap the F8 KEY repeatedly,
  • this will bring up a menu.
  • Use the Up and Down Arrow Keys to scroll up to Safemode with networking
  • Then press the Enter Key on your Keyboard
  • go into your usual account

Edited by CatByte, 12 September 2011 - 08:12 PM.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#5 JayStation3

JayStation3
  • Topic Starter

  • Members
  • 80 posts
  • OFFLINE
  •  
  • Location:Houston,Tx
  • Local time:03:54 PM

Posted 12 September 2011 - 10:13 PM

Ok, thanks... I ran it... in safe mode. I changed the name - the first time it ran for a few seconds and hung on a file that had a bunch of numbers, I couldn't get the name, then it disappeared.

Then I tried to re-run it and it gave me the Windows permissions error and wouldn't let me run it again. So I renamed it to explorer (and explorerer on a third attempt) and it ran both times, but these times it gave me the error -
"Error opening file for writing: C:/32788R22FWJFW/iexplorer.exe Click abort to stop installation, retry to try again, or Ignore to skip this file."

So I hit "try again" a few times and nothing, so I hit "Ignore" and it scanned for a few more files then hung on that same file with all the numbers and disappeared again... What next?

#6 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:04:54 PM

Posted 12 September 2011 - 10:21 PM

This is the problem file


C:\WINDOWS\1970289697

try this

Please download DummyCreator.zip and unzip it.
  • Run the tool.
  • Copy and paste the following into the edit box:

    C:\WINDOWS\1970289697
  • Press Create button and post the content of the Result.txt.

    Important: Restart the computer.



now run the following tool, we will need to unlock permissions to get the tools to work


  • Please download Junction.zip and save it to your desktop.
  • Unzip it and put junction.exe in the Windows directory (C:\Windows).
  • Now go to Start > Run to open a run box > Copy and paste the following command in the open run box and click OK:

    cmd /c junction -s c:\ >log.txt&log.txt& del log.txt

  • A command window will open and the system will be scanned.
  • Wait until a log file opens.
  • Copy and paste or attach the content of it in your next reply

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#7 JayStation3

JayStation3
  • Topic Starter

  • Members
  • 80 posts
  • OFFLINE
  •  
  • Location:Houston,Tx
  • Local time:03:54 PM

Posted 13 September 2011 - 01:18 PM

Ok, I got the first step done, restarted the computer and when I copied and pasted the command into the run box for the second step, I hit "OK" and it gave me another permissions error saying I didn't have permission to run the specified file or path or whatever...

also, just so you know - I do not have access to any of the "windows explorer" commands. I have been running everything through task manager by hitting new task and browsing files and all that... tedious and painstaking, but it works. I do not have a "Start" button or shortcut icons or anything like that on my desktop... whatever it is that has hindered my machine has killed "explorer.exe" and when I try to run it from "new task" it gives me the same permissions error...

anyway, here is the log from the first step...
===============================================================================================================

DummyCreator by Farbar
Ran by user (administrator) on 13-09-2011 at 13:02:54
**************************************************************

C:\WINDOWS\1970289697 [13-09-2011 13:02:27]

== End of log ==

===============================================================================================================
Doesn't seem like it did too much, but I could be wrong... lol

Let me know what's next, thanks!

JS3

Edited by JayStation3, 13 September 2011 - 01:22 PM.


#8 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:04:54 PM

Posted 13 September 2011 - 10:30 PM

did you reboot the computer?

Reboot then try the junction.exe instructions again

try in safe mode


To Enter Safemode
  • Go to Start> Shut off your Computer> Restart
  • As the computer starts to boot-up, Tap the F8 KEY repeatedly,
  • this will bring up a menu.
  • Use the Up and Down Arrow Keys to scroll up to Safemode
  • Then press the Enter Key on your Keyboard
  • go into your usual account

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#9 JayStation3

JayStation3
  • Topic Starter

  • Members
  • 80 posts
  • OFFLINE
  •  
  • Location:Houston,Tx
  • Local time:03:54 PM

Posted 14 September 2011 - 01:46 PM

Yes, I did reboot... I followed the instructions word for word as you wrote them. I tried again, in "safe mode with networking" and then again in just "safe mode". Neither worked. When I copied and pasted -

cmd /c junction -s c:\ >log.txt&log.txt& del log.txt

An error window pops up and it just gives me the same permissions error saying I don't have the permissions to access the file...

Every single program I have installed in order to get these viruses off my computer always ends up giving me that same error after it runs for the first time... except Junction didn't even run once... I guess it's because I placed the file in the C:\Windows folder?? It seems like anything that messes with anything in that folder, it blocks...

What now?

JS3

#10 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:04:54 PM

Posted 14 September 2011 - 10:33 PM

This is being particularly stubborn, isn't it?


Let's give combofix another try; if it still won't run we'll have to go to a boot disk


Please delete the copy of combofix that you have, then download a fresh copy but save it directly to your c:\ drive - rename it to svchost.exe

Now boot into safe mode and run it.


If it still won't run then please do the following:


You must first verify that you can logon to the Windows Recovery Console.
To do so, you must have the Recovery Console installed or use the Windows XP installation cd.

How to install and use the Windows XP Recovery Console

Next, please download maxlook, saving the file to your desktop.

Double click maxlook.exe to run it. Note - you must run it only once!

As instructed when the tool runs, restart the computer and logon to the Recovery Console.

Execute the following command at the x:\windows> prompt (the x represents your operating system drive letter, usually C)

batch look.bat

Press Enter

You will see 1 file copied many times then return to the x:\windows> prompt.
Type Exit to restart your computer then logon in normal mode.

Once back in Windows, go to Start > Run, and copy/paste the following then press Enter.

maxlook -sig

Follow the prompts, and post (or attach) the log produced, C:\looklog.txt

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#11 JayStation3

JayStation3
  • Topic Starter

  • Members
  • 80 posts
  • OFFLINE
  •  
  • Location:Houston,Tx
  • Local time:03:54 PM

Posted 15 September 2011 - 04:10 PM

Good news, ComboFix ran. The first time it ran it asked me to install the recovery console, however - whatever infected my computer - was disabling the internet... so I skipped that and it continued to scan for malware - it gave me a notice saying I was infected with "rootkit.zeroaccess" and that it inserted itself into the "tcp/ip stack"... it kept running then told me to let CF reboot the computer, which I did.

I ran ComboFix again and it went on to install the recovery console and repair a few files, cdrom.sys and a few others like it but mostly .exe files. Some of them were not repaired but it rebooted the system again... I ran it for a third time and it went through the same process and rebooted... after the third reboot, my Windows Explorer still does not run. Most of the icons still have the icon that signifies that Windows doesn't recognize them and I still do not have any icons on my desktop or the ability to hit the start button on the bottom left side of the screen... I looked at the processes running and the process that was made up of a bunch of letters does not seem to be running any more.

So what next?

#12 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:04:54 PM

Posted 15 September 2011 - 06:25 PM

wow, at last some progress has been made


Let's see if you can get junction to run so we can free up the locked programs, but I would like to see the ComboFix logs as there may be malware remaining that I need to script out. The last one you ran will be located at C:\comboFix.txt; the older logs will be located at c:\Qoobox\combofix2.txt, \combofix3.txt etc. Please post them if you can.

Now in all likelihood explorer.exe is patched and needs replacing. Let's look for a replacement for that as well.

see if you can get the following to run:


  • Please download Junction.zip and save it to your desktop.
  • Unzip it and put junction.exe in the Windows directory (C:\Windows).
  • Now go to Start > Run to open a run box > Copy and paste the following command in the open run box and click OK:

    cmd /c junction -s c:\ >log.txt&log.txt& del log.txt

  • A command window will open and the system will be scanned.
  • Wait until a log file opens.
  • Copy and paste or attach the content of it in your next reply



NEXT


Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :filefind
    *explorer*
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Edited by CatByte, 15 September 2011 - 06:26 PM.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
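The Junction scan CatByte asks for lists every reparse point under C:\, but, as the log posted in the next reply shows, it also prints a "Failed to open ...: Access is denied." line for each file the scanning account cannot read, and on this machine those files are the cleanup tools themselves. The following Python script is an added example, not part of the Sysinternals Junction tool or of the original post; it parses those failure lines from a constructed sample in the same format (paths taken from the thread) and separates the denials an XP administrator expects (System Volume Information, the in-use page file) from executables an administrator should be able to open, which are the candidates for ACL repair.

```python
"""Summarise the 'Failed to open' lines of a Sysinternals Junction scan.

Added example for this thread; not the Junction tool's own code and not from the
original post. SAMPLE_JUNCTION_LOG is constructed after the log format shown in
the thread, using the paths that appear in it.
"""
import re
from typing import Dict, List, Tuple

SAMPLE_JUNCTION_LOG = r"""
Junction v1.06 - Windows junction creator and reparse point viewer
Copyright (C) 2000-2010 Mark Russinovich
Sysinternals - www.sysinternals.com


Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.

Failed to open \\?\c:\\System Volume Information: Access is denied.

Failed to open \\?\c:\\Documents and Settings\user\Desktop\OTL.exe: Access is denied.

Failed to open \\?\c:\\Documents and Settings\user\Desktop\rkill.scr: Access is denied.

Failed to open \\?\c:\\Program Files\Avira\AntiVir Desktop\avguard.exe: Access is denied.
"""

# 'Failed to open \\?\<path>: <reason>'; the reason never contains a colon.
FAIL_RE = re.compile(r"^Failed to open \\\\\?\\(?P<path>.+): (?P<reason>[^:]+)$")

# File types an administrator can normally read; being denied one is the
# symptom this thread is fighting.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".dll", ".sys")

# Locations an XP administrator is legitimately denied; not a finding.
EXPECTED_DENIALS = ("system volume information",)


def parse_failures(text: str) -> List[Tuple[str, str]]:
    """Return (path, reason) for each 'Failed to open' line."""
    failures: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        m = FAIL_RE.match(raw.strip())
        if not m:
            continue
        # Junction prints the drive root as 'c:\\'; collapse it to one separator.
        path = m.group("path").replace("\\\\", "\\")
        failures.append((path, m.group("reason").strip()))
    return failures


def denied_executables(text: str) -> List[str]:
    """Executables the scanning account could not open: candidates for ACL repair."""
    hits: List[str] = []
    for path, reason in parse_failures(text):
        if reason != "Access is denied.":
            continue  # in-use files (the page file) are a different, benign failure
        lower = path.lower()
        if any(lower.startswith("c:\\" + p) for p in EXPECTED_DENIALS):
            continue
        if lower.endswith(EXECUTABLE_SUFFIXES):
            hits.append(path)
    return hits


def by_reason(text: str) -> Dict[str, int]:
    """Count failures per reason so a spike of access denials stands out."""
    counts: Dict[str, int] = {}
    for _, reason in parse_failures(text):
        counts[reason] = counts.get(reason, 0) + 1
    return counts


if __name__ == "__main__":
    for reason, n in by_reason(SAMPLE_JUNCTION_LOG).items():
        print(f"{n:3d}  {reason}")
    for path in denied_executables(SAMPLE_JUNCTION_LOG):
        print("denied executable:", path)
```

Run it against the log.txt the `junction -s c:\` command writes; every path it prints is one whose permissions need restoring before the tool at that path can run again.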


#13 JayStation3

JayStation3
  • Topic Starter

  • Members
  • 80 posts
  • OFFLINE
  •  
  • Location:Houston,Tx
  • Local time:03:54 PM

Posted 16 September 2011 - 12:51 PM

Ok, I got all that completed. I was not able to find any other logs for ComboFix except a log called Catchme - I will post it for you in case you need it... here is the ComboFix log but there wasn't a lot in it:

======================================================================================
ComboFix 11-09-15.05 - user 09/15/2011 16:01:35.3.1 - x86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1808 [GMT -5:00]
Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe

======================================================================================

Is that it? Let me know if I should run it again, or if this log is correct...

Here is the Catchme log which was located in the quarantine folder just in case you need it. There were a bunch of folders in there and I went through them all and this was the only other log I could find.


======================================================================================


-------- 2011-09-15 - 14:42:31 -------------

file zipped: C:\WINDOWS\$NtUninstallKB44726$\2042525012 -> _2042525012_.zip -> 2042525012 ( 0 bytes )
error: C:\WINDOWS\$NtUninstallKB44726$\2042525012 is not a PE file
kill file error: C:\WINDOWS\$NtUninstallKB44726$\2042525012, The file can not be accessed by the system.

-------- 2011-09-15 - 14:56:19 -------------

file zipped: C:\Program Files\Avira\AntiVir Desktop\sched.exe -> _sched_.exe.zip -> sched.exe ( 136360 bytes )
PE file "C:\Program Files\Avira\AntiVir Desktop\sched.exe" killed successfully

-------- 2011-09-15 - 15:48:17 -------------


-------- 2011-09-15 - 16:00:29 -------------

======================================================================================

Here is the Junction log:

======================================================================================



Junction v1.06 - Windows junction creator and reparse point viewer
Copyright © 2000-2010 Mark Russinovich
Sysinternals - www.sysinternals.com


Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.



Failed to open \\?\c:\\System Volume Information: Access is denied.


...

...

...
Failed to open \\?\c:\\Documents and Settings\user\Desktop\aswMBR.exe: Access is denied.



Failed to open \\?\c:\\Documents and Settings\user\Desktop\Explorer.exe: Access is denied.



Failed to open \\?\c:\\Documents and Settings\user\Desktop\gmer.exe: Access is denied.



Failed to open \\?\c:\\Documents and Settings\user\Desktop\HijackThis.exe: Access is denied.



Failed to open \\?\c:\\Documents and Settings\user\Desktop\iexplore.exe: Access is denied.



Failed to open \\?\c:\\Documents and Settings\user\Desktop\OTL.exe: Access is denied.



Failed to open \\?\c:\\Documents and Settings\user\Desktop\rkill.scr: Access is denied.




...

..
Failed to open \\?\c:\\Program Files\Avira\AntiVir Desktop\avguard.exe: Access is denied.



Failed to open \\?\c:\\Program Files\Avira\AntiVir Desktop\avscan.exe: Access is denied.


.

...

.
Failed to open \\?\c:\\Program Files\Malwarebytes' Anti-Malware\mbam.exe: Access is denied.


..

...

...

...


Failed to open \\?\c:\\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe: Access is denied.



Failed to open \\?\c:\\Program Files\Trend Micro\HiJackThis\HiJackThis.exe: Access is denied.


...

...


Failed to open \\?\c:\\WINDOWS\explorer.exe: Access is denied.


...

..\\?\c:\\WINDOWS\$NtUninstallKB44726$\2042525012: SYMBOLIC LINK
Print Name : c:\windows\system32\config
Substitute Name: \systemroot\system32\config

.

...

...

...
Failed to open \\?\c:\\WINDOWS\system32\hkcmd.exe: Access is denied.




...

...

...

======================================================================================

And last, here is the SystemLook log:

======================================================================================

SystemLook 30.07.11 by jpshortstuff
Log created at 12:40 on 16/09/2011 by user
Administrator - Elevation successful

========== filefind ==========

Searching for "*explorer*"
C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Windows Explorer.lnk --a---- 1487 bytes [00:10 06/09/2011] [19:09 18/06/2010] 9E027EC3E23DF5DDEDD422926A6EB353
C:\Documents and Settings\All Users\Start Menu\Programs\TuneUp Utilities 2008\Utilities\TuneUp Disk Space Explorer.lnk --a---- 787 bytes [22:51 01/12/2010] [22:51 01/12/2010] E850DE755E30922C131866297A969014
C:\Documents and Settings\Default User\Start Menu\Programs\Accessories\Windows Explorer.lnk --a--c- 1487 bytes [19:09 18/06/2010] [19:09 18/06/2010] 9E027EC3E23DF5DDEDD422926A6EB353
C:\Documents and Settings\user\Desktop\Explorer.exe -ra---- 4204602 bytes [03:02 13/09/2011] [02:59 13/09/2011] (Unable to calculate MD5)
C:\Documents and Settings\user\My Documents\My Dropbox\Android\APKs\com.speedsoftware.rootexplorer-1.apk --a---- 239379 bytes [01:08 07/12/2010] [22:29 05/12/2010] 27FB5F0174C26DD17EB466DED3D4177B
C:\Documents and Settings\user\My Documents\My Dropbox\Android\APKs\com.speedsoftware.rootexplorer_44.apk --a---- 239379 bytes [23:44 20/01/2011] [23:27 20/01/2011] 27FB5F0174C26DD17EB466DED3D4177B
C:\Documents and Settings\user\My Documents\My Dropbox\Android\APKs\Root_Explorer_2.12.3.apk --a---- 239379 bytes [01:08 07/12/2010] [20:13 28/11/2010] 27FB5F0174C26DD17EB466DED3D4177B
C:\Documents and Settings\user\Start Menu\Programs\Accessories\Windows Explorer.lnk --a---- 1487 bytes [19:16 18/06/2010] [19:09 18/06/2010] 9E027EC3E23DF5DDEDD422926A6EB353
C:\Documents and Settings\user\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk --a---- 833 bytes [21:22 18/06/2010] [21:22 18/06/2010] 678B52AEA843A761F641514E6863C1A2
C:\Program Files\TuneUp Utilities 2008\DiskExplorer.exe --a---- 454912 bytes [20:24 29/02/2008] [20:24 29/02/2008] 06D5307AB48CBB91BEE9ECFE37B2E3C0
C:\Program Files\TuneUp Utilities 2008\Data\ExplorerLine.png --a---- 2839 bytes [19:10 27/02/2008] [19:10 27/02/2008] 4682EBFEF050C3045B7BE8A28F31D350
C:\Program Files\TuneUp Utilities 2008\Data\ico_alpha_ExplorerDetails_16x16.png --a---- 644 bytes [19:09 27/02/2008] [19:09 27/02/2008] BBA7ACE5763E606B7705C3008343F615
C:\Program Files\TuneUp Utilities 2008\Data\ico_alpha_Explorer_16x16.png --a---- 590 bytes [19:09 27/02/2008] [19:09 27/02/2008] AC846F42F6F6EA7398EF816DCF4F4110
C:\Program Files\TuneUp Utilities 2008\Data\logo_diskspaceexplorer.png --a---- 15822 bytes [19:09 27/02/2008] [19:09 27/02/2008] 781FA02FAEC7B3CF6B2A7B618E6642FB
C:\Program Files\TuneUp Utilities 2008\Data\ws_diskexplorer.ttx --a---- 670 bytes [17:50 20/12/2007] [17:50 20/12/2007] 36962CE3CF051A9A2612B59B6DBC2271
C:\Program Files\TuneUp Utilities 2008\Data\Integrator\modules\disk-space-explorer-16x16.png --a---- 807 bytes [19:09 27/02/2008] [19:09 27/02/2008] BCE973A517B3D8ABFAB79200FB5C2E91
C:\Program Files\TuneUp Utilities 2008\Data\Integrator\modules\disk-space-explorer.png --a---- 3218 bytes [19:09 27/02/2008] [19:09 27/02/2008] DD7303B65DB892383E56EED5C6E24CE4
C:\WINDOWS\explorer.exe --a---- 1033728 bytes [12:00 14/04/2008] [12:00 14/04/2008] (Unable to calculate MD5)
C:\WINDOWS\explorer.scf --a--c- 80 bytes [12:00 14/04/2008] [12:00 14/04/2008] A3975A7D2C98B30A2AE010754FFB9392
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\Windows Explorer.lnk --a--c- 1487 bytes [19:12 18/06/2010] [19:09 18/06/2010] 9E027EC3E23DF5DDEDD422926A6EB353
C:\WINDOWS\system32\dllcache\explorer.exe --a--c- 1033728 bytes [12:00 14/04/2008] [12:00 14/04/2008] 12896823FB95BFB3DC9B46BCAEDC9923

-= EOF =-

=======================================================================================

Let me know what I need to do next, thanks for all your help so far... look forward to hearing back from you.

JS3
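The Junction output above shows the two symptoms the helper acts on next: security tools that fail to open with "Access is denied", and a SYMBOLIC LINK sitting under a $NtUninstallKBnnnnn$ hotfix folder whose target is system32\config. As an added example that is not part of this thread or of the Sysinternals tooling, the following Python script parses a log in that shape and flags both conditions; the sample lines are constructed from the output posted above, and the list of protected binaries is taken from the files named in this thread.

```python
"""Triage helper for Sysinternals Junction output (added example, not from
the thread): flag protected binaries that cannot be opened and reparse points
that look like the one exposed in this thread."""
import re

# Constructed excerpt in the shape of the Junction log posted in this thread.
SAMPLE_LOG = r"""
Junction v1.06 - Windows junction creator and reparse point viewer
Copyright (C) 2000-2010 Mark Russinovich

Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.
Failed to open \\?\c:\\System Volume Information: Access is denied.
...
Failed to open \\?\c:\\Documents and Settings\user\Desktop\gmer.exe: Access is denied.
Failed to open \\?\c:\\Program Files\Malwarebytes' Anti-Malware\mbam.exe: Access is denied.
Failed to open \\?\c:\\WINDOWS\explorer.exe: Access is denied.
..\\?\c:\\WINDOWS\$NtUninstallKB44726$\2042525012: SYMBOLIC LINK
Print Name : c:\windows\system32\config
Substitute Name: \systemroot\system32\config
.
\\?\c:\\Documents and Settings\user\My Documents\Shared: JUNCTION
Print Name : c:\Shared
Substitute Name: \??\c:\Shared
...
"""

# Basenames of the tools and core binaries the helper asked to unlock in this
# thread (constructed list; extend it for your own toolkit).
PROTECTED_BINARIES = {
    "aswmbr.exe", "gmer.exe", "hijackthis.exe", "otl.exe", "rkill.scr",
    "mbam.exe", "avguard.exe", "avscan.exe", "superantispyware.exe",
    "explorer.exe", "hkcmd.exe", "iexplore.exe",
}

FAILED_RE = re.compile(r"Failed to open \\\\\?\\(?P<path>.+?): (?P<reason>.+)$")
REPARSE_RE = re.compile(r"\\\\\?\\(?P<path>.+?): (?P<kind>SYMBOLIC LINK|JUNCTION|MOUNT POINT)\s*$")
NAME_RE = re.compile(r"^(?P<field>Print Name|Substitute Name)\s*:\s*(?P<value>.+?)\s*$")
# Hotfix uninstall folders are not expected to contain reparse points.
HOTFIX_DIR_RE = re.compile(r"\\\$NtUninstall[^\\]*\$\\", re.IGNORECASE)


def normalise(path):
    # Junction prints the drive root with a doubled backslash (c:\\WINDOWS);
    # collapse it so path splitting works as expected.
    return path.replace("\\\\", "\\").strip()


def basename(path):
    return normalise(path).rsplit("\\", 1)[-1].lower()


def locked_binaries(log):
    """Return (path, reason) for protected binaries that could not be opened
    because access was denied. Sharing violations (pagefile.sys) are ignored."""
    hits = []
    for line in log.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue
        path, reason = normalise(m.group("path")), m.group("reason").strip()
        if "denied" in reason.lower() and basename(path) in PROTECTED_BINARIES:
            hits.append((path, reason))
    return hits


def reparse_points(log):
    """Return one dict per reparse point with its print and substitute names."""
    points, current = [], None
    for line in log.splitlines():
        m = REPARSE_RE.search(line)  # search: progress dots may precede the path
        if m:
            current = {"path": normalise(m.group("path")), "kind": m.group("kind"),
                       "Print Name": None, "Substitute Name": None}
            points.append(current)
            continue
        n = NAME_RE.match(line.strip())
        if n and current is not None:
            current[n.group("field")] = n.group("value")
    return points


def is_suspicious(point):
    """Flag a reparse point inside a $NtUninstallKBnnn$ folder, or one whose
    target is the registry hive directory system32\\config, as seen above."""
    target = (point["Substitute Name"] or point["Print Name"] or "").lower()
    in_hotfix_dir = HOTFIX_DIR_RE.search(point["path"]) is not None
    hides_hives = target.endswith("\\system32\\config")
    return in_hotfix_dir or hides_hives


def analyse(log):
    return {
        "locked_binaries": locked_binaries(log),
        "suspicious_links": [p for p in reparse_points(log) if is_suspicious(p)],
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for path, reason in report["locked_binaries"]:
        print("LOCKED    ", path, "->", reason)
    for p in report["suspicious_links"]:
        print("SUSPICIOUS", p["kind"], p["path"], "->", p["Substitute Name"])
```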


#14 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:04:54 PM

Posted 16 September 2011 - 03:13 PM

Hi

explorer.exe is locked down so let's hope the following works and it will be back:


Please do the following:

Please run the following:
  • please download GrantPerms.zip and save it to your desktop.
  • Unzip the file and run GrantPerms.exe
  • Copy and paste the following in the edit box:



c:\\System Volume Information
c:\\Documents and Settings\user\Desktop\aswMBR.exe
c:\\Documents and Settings\user\Desktop\Explorer.exe
c:\\Documents and Settings\user\Desktop\gmer.exe
c:\\Documents and Settings\user\Desktop\HijackThis.exe
c:\\Documents and Settings\user\Desktop\iexplore.exe
c:\\Documents and Settings\user\Desktop\OTL.exe
c:\\Documents and Settings\user\Desktop\rkill.scr
c:\\Program Files\Avira\AntiVir Desktop\avguard.exe
c:\\Program Files\Avira\AntiVir Desktop\avscan.exe
c:\\Program Files\Malwarebytes' Anti-Malware\mbam.exe
c:\\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
c:\\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
c:\\WINDOWS\explorer.exe
c:\\WINDOWS\system32\hkcmd.exe



  • Now Click Unlock.
  • When it is done click "OK".
  • Now click List Permissions and post the result (Perms.txt) that pops up.
  • A copy of Perms.txt will be saved in the same directory the tool is run.


Once that is done, reboot normally and run ComboFix, allowing it to update if it requests to do so; it should now produce a log.



#15 JayStation3

JayStation3
  • Topic Starter

  • Members
  • 80 posts
  • OFFLINE
  • Location:Houston,Tx
  • Local time:03:54 PM

Posted 16 September 2011 - 04:27 PM

Ok, the unlock thing seemed to have worked...my explorer is working now... Here is the Perms log

============================================================================================

GrantPerms by Farbar
Ran by user at 2011-09-16 15:57:08

===============================================
\\?\c:\\System Volume Information

Owner: BUILTIN\Administrators

DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (CI)(OI)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)


\\?\c:\\Documents and Settings\user\Desktop\aswMBR.exe

Owner: BUILTIN\Administrators

DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)


\\?\c:\\Documents and Settings\user\Desktop\Explorer.exe

Owner: BUILTIN\Administrators

DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)


\\?\c:\\Documents and Settings\user\Desktop\gmer.exe

Owner: BUILTIN\Administrators

DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)


\\?\c:\\Documents and Settings\user\Desktop\HijackThis.exe

Owner: BUILTIN\Administrators

DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)


\\?\c:\\Documents and Settings\user\Desktop\iexplore.exe

Owner: BUILTIN\Administrators

DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)


\\?\c:\\Documents and Settings\user\Desktop\OTL.exe

Owner: BUILTIN\Administrators

DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)


\\?\c:\\Documents and Settings\user\Desktop\rkill.scr

Owner: BUILTIN\Administrators

DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)


\\?\c:\\Program Files\Avira\AntiVir Desktop\avguard.exe

Owner: BUILTIN\Administrators

DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)


\\?\c:\\Program Files\Avira\AntiVir Desktop\avscan.exe

Owner: BUILTIN\Administrators

DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)


\\?\c:\\Program Files\Malwarebytes' Anti-Malware\mbam.exe

Owner: BUILTIN\Administrators

DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)


\\?\c:\\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

Owner: BUILTIN\Administrators

DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)


\\?\c:\\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

Owner: BUILTIN\Administrators

DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)


\\?\c:\\WINDOWS\explorer.exe

Owner: BUILTIN\Administrators

DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)


\\?\c:\\WINDOWS\system32\hkcmd.exe

Owner: BUILTIN\Administrators

DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)

================================================================================================

Here is the ComboFix log

================================================================================================

Other Deletions

c:\program files\Avira\AntiVir Desktop\sched.exe
.
-- Previous Run --
.
Infected copy of c:\windows\system32\drivers\ipsec.sys was found and disinfected
Restored copy from - The cat found it :
Infected copy of c:\windows\system32\wuauclt.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\wuauclt.exe
.
Infected copy of c:\windows\system32\drivers\ipsec.sys was found and disinfected
Restored copy from - The cat found it :
Infected copy of c:\windows\system32\wuauclt.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\wuauclt.exe
.
c:\windows\system32\drivers\cdrom.sys . . . is infected!!
.
Infected copy of c:\windows\system32\drivers\ipsec.sys was found and disinfected
Restored copy from - The cat found it :
Infected copy of c:\windows\system32\wuauclt.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\wuauclt.exe
.
c:\windows\system32\drivers\cdrom.sys . . . is infected!!
.
c:\program files\SUPERAntiSpyware\SASCORE.EXE . . . is infected!!
c:\program files\SUPERAntiSpyware\SASCORE.EXE . . . was deleted!! You should re-install the program it pertains to
.
Infected copy of c:\windows\system32\drivers\ipsec.sys was found and disinfected
Restored copy from - The cat found it :
Infected copy of c:\windows\system32\wuauclt.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\wuauclt.exe
.
c:\windows\system32\drivers\cdrom.sys . . . is infected!!
.
c:\program files\SUPERAntiSpyware\SASCORE.EXE . . . is infected!!
c:\program files\SUPERAntiSpyware\SASCORE.EXE . . . was deleted!! You should re-install the program it pertains to
.
c:\program files\Avira\AntiVir Desktop\sched.exe . . . is infected!!
c:\program files\Avira\AntiVir Desktop\sched.exe . . . was deleted!! You should re-install the program it pertains to
.
Infected copy of c:\windows\system32\drivers\ipsec.sys was found and disinfected
Restored copy from - The cat found it :
Infected copy of c:\windows\system32\wuauclt.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\wuauclt.exe
.
c:\windows\system32\drivers\cdrom.sys . . . is infected!!
.
c:\program files\SUPERAntiSpyware\SASCORE.EXE . . . is infected!!
c:\program files\SUPERAntiSpyware\SASCORE.EXE . . . was deleted!! You should re-install the program it pertains to
.
c:\program files\Avira\AntiVir Desktop\sched.exe . . . is infected!!
c:\program files\Avira\AntiVir Desktop\sched.exe . . . was deleted!! You should re-install the program it pertains to
.
c:\program files\Java\jre6\bin\jqs.exe . . . is infected!!
c:\program files\Java\jre6\bin\jqs.exe . . . was deleted!! You should re-install the program it pertains to
.
Infected copy of c:\windows\system32\drivers\ipsec.sys was found and disinfected
Restored copy from - The cat found it :
Infected copy of c:\windows\system32\wuauclt.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\wuauclt.exe
.
c:\windows\system32\drivers\cdrom.sys . . . is infected!!
.
c:\program files\SUPERAntiSpyware\SASCORE.EXE . . . is infected!!
c:\program files\SUPERAntiSpyware\SASCORE.EXE . . . was deleted!! You should re-install the program it pertains to
.
c:\program files\Avira\AntiVir Desktop\sched.exe . . . is infected!!
c:\program files\Avira\AntiVir Desktop\sched.exe . . . was deleted!! You should re-install the program it pertains to
.
c:\program files\Java\jre6\bin\jqs.exe . . . is infected!!
c:\program files\Java\jre6\bin\jqs.exe . . . was deleted!! You should re-install the program it pertains to
.
c:\program files\Common Files\Motive\McciCMService.exe . . . is infected!!
c:\program files\Common Files\Motive\McciCMService.exe . . . was deleted!! You should re-install the program it pertains to
.
Infected copy of c:\windows\system32\drivers\ipsec.sys was found and disinfected
Restored copy from - The cat found it :
Infected copy of c:\windows\system32\wuauclt.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\wuauclt.exe
.
c:\windows\system32\drivers\cdrom.sys . . . is infected!!
.
c:\program files\SUPERAntiSpyware\SASCORE.EXE . . . is infected!!
c:\program files\SUPERAntiSpyware\SASCORE.EXE . . . was deleted!! You should re-install the program it pertains to
.
c:\program files\Avira\AntiVir Desktop\sched.exe . . . is infected!!
c:\program files\Avira\AntiVir Desktop\sched.exe . . . was deleted!! You should re-install the program it pertains to
.
c:\program files\Java\jre6\bin\jqs.exe . . . is infected!!
c:\program files\Java\jre6\bin\jqs.exe . . . was deleted!! You should re-install the program it pertains to
.
c:\program files\Common Files\Motive\McciCMService.exe . . . is infected!!
c:\program files\Common Files\Motive\McciCMService.exe . . . was deleted!! You should re-install the program it pertains to
.
c:\windows\System32\TuneUpDefragService.exe . . . is infected!!
c:\windows\System32\TuneUpDefragService.exe . . . was deleted!! You should re-install the program it pertains to
.
Infected copy of c:\windows\system32\drivers\ipsec.sys was found and disinfected
Restored copy from - The cat found it :
Infected copy of c:\windows\system32\wuauclt.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\wuauclt.exe
.
c:\windows\system32\drivers\cdrom.sys . . . is infected!!
.
c:\program files\SUPERAntiSpyware\SASCORE.EXE . . . is infected!!
c:\program files\SUPERAntiSpyware\SASCORE.EXE . . . was deleted!! You should re-install the program it pertains to
.
c:\program files\Avira\AntiVir Desktop\sched.exe . . . is infected!!
c:\program files\Avira\AntiVir Desktop\sched.exe . . . was deleted!! You should re-install the program it pertains to
.
c:\program files\Java\jre6\bin\jqs.exe . . . is infected!!
c:\program files\Java\jre6\bin\jqs.exe . . . was deleted!! You should re-install the program it pertains to
.
c:\program files\Common Files\Motive\McciCMService.exe . . . is infected!!
c:\program files\Common Files\Motive\McciCMService.exe . . . was deleted!! You should re-install the program it pertains to
.
c:\windows\System32\TuneUpDefragService.exe . . . is infected!!
c:\windows\System32\TuneUpDefragService.exe . . . was deleted!! You should re-install the program it pertains to
.
c:\windows\system32\WFXSVC.EXE . . . is infected!!
c:\windows\system32\WFXSVC.EXE . . . was deleted!! You should re-install the program it pertains to
.
-- Previous Run --
.
Infected copy of c:\windows\system32\drivers\ipsec.sys was found and disinfected
Restored copy from - The cat found it :
Infected copy of c:\windows\system32\wuauclt.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\wuauclt.exe
.
Infected copy of c:\windows\system32\drivers\ipsec.sys was found and disinfected
Restored copy from - The cat found it :
Infected copy of c:\windows\system32\wuauclt.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\wuauclt.exe
.
c:\windows\system32\drivers\cdrom.sys . . . is infected!!
.
Infected copy of c:\windows\system32\drivers\ipsec.sys was found and disinfected
Restored copy from - The cat found it :
Infected copy of c:\windows\system32\wuauclt.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\wuauclt.exe
.
c:\windows\system32\drivers\cdrom.sys . . . is infected!!
.
c:\program files\SUPERAntiSpyware\SASCORE.EXE . . . is infected!!
c:\program files\SUPERAntiSpyware\SASCORE.EXE . . . was deleted!! You should re-install the program it pertains to
.
Infected copy of c:\windows\system32\drivers\ipsec.sys was found and disinfected
Restored copy from - The cat found it :
Infected copy of c:\windows\system32\wuauclt.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\wuauclt.exe
.
c:\windows\system32\drivers\cdrom.sys . . . is infected!!
.
c:\program files\SUPERAntiSpyware\SASCORE.EXE . . . is infected!!
c:\program files\SUPERAntiSpyware\SASCORE.EXE . . . was deleted!! You should re-install the program it pertains to
.
c:\program files\Avira\AntiVir Desktop\sched.exe . . . is infected!!
c:\program files\Avira\AntiVir Desktop\sched.exe . . . was deleted!! You should re-install the program it pertains to
.
Infected copy of c:\windows\system32\drivers\ipsec.sys was found and disinfected
Restored copy from - The cat found it :
Infected copy of c:\windows\system32\wuauclt.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\wuauclt.exe
.
c:\windows\system32\drivers\cdrom.sys . . . is infected!!
.
c:\program files\SUPERAntiSpyware\SASCORE.EXE . . . is infected!!
c:\program files\SUPERAntiSpyware\SASCORE.EXE . . . was deleted!! You should re-install the program it pertains to
.
c:\program files\Avira\AntiVir Desktop\sched.exe . . . is infected!!
c:\program files\Avira\AntiVir Desktop\sched.exe . . . was deleted!! You should re-install the program it pertains to
.
c:\program files\Java\jre6\bin\jqs.exe . . . is infected!!
c:\program files\Java\jre6\bin\jqs.exe . . . was deleted!! You should re-install the program it pertains to
.
Infected copy of c:\windows\system32\drivers\ipsec.sys was found and disinfected
Restored copy from - The cat found it :
Infected copy of c:\windows\system32\wuauclt.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\wuauclt.exe
.
c:\windows\system32\drivers\cdrom.sys . . . is infected!!
.
c:\program files\SUPERAntiSpyware\SASCORE.EXE . . . is infected!!
c:\program files\SUPERAntiSpyware\SASCORE.EXE . . . was deleted!! You should re-install the program it pertains to
.
c:\program files\Avira\AntiVir Desktop\sched.exe . . . is infected!!
c:\program files\Avira\AntiVir Desktop\sched.exe . . . was deleted!! You should re-install the program it pertains to
.
c:\program files\Java\jre6\bin\jqs.exe . . . is infected!!
c:\program files\Java\jre6\bin\jqs.exe . . . was deleted!! You should re-install the program it pertains to
.
c:\program files\Common Files\Motive\McciCMService.exe . . . is infected!!
c:\program files\Common Files\Motive\McciCMService.exe . . . was deleted!! You should re-install the program it pertains to
.
Infected copy of c:\windows\system32\drivers\ipsec.sys was found and disinfected
Restored copy from - The cat found it :
Infected copy of c:\windows\system32\wuauclt.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\wuauclt.exe
.
c:\windows\system32\drivers\cdrom.sys . . . is infected!!
.
c:\program files\SUPERAntiSpyware\SASCORE.EXE . . . is infected!!
c:\program files\SUPERAntiSpyware\SASCORE.EXE . . . was deleted!! You should re-install the program it pertains to
.
c:\program files\Avira\AntiVir Desktop\sched.exe . . . is infected!!
c:\program files\Avira\AntiVir Desktop\sched.exe . . . was deleted!! You should re-install the program it pertains to
.
c:\program files\Java\jre6\bin\jqs.exe . . . is infected!!
c:\program files\Java\jre6\bin\jqs.exe . . . was deleted!! You should re-install the program it pertains to
.
c:\program files\Common Files\Motive\McciCMService.exe . . . is infected!!
c:\program files\Common Files\Motive\McciCMService.exe . . . was deleted!! You should re-install the program it pertains to
.
c:\windows\System32\TuneUpDefragService.exe . . . is infected!!
c:\windows\System32\TuneUpDefragService.exe . . . was deleted!! You should re-install the program it pertains to
.
Infected copy of c:\windows\system32\drivers\ipsec.sys was found and disinfected
Restored copy from - The cat found it :
Infected copy of c:\windows\system32\wuauclt.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\wuauclt.exe
.
c:\windows\system32\drivers\cdrom.sys . . . is infected!!
.
c:\program files\SUPERAntiSpyware\SASCORE.EXE . . . is infected!!
c:\program files\SUPERAntiSpyware\SASCORE.EXE . . . was deleted!! You should re-install the program it pertains to
.
c:\program files\Avira\AntiVir Desktop\sched.exe . . . is infected!!
c:\program files\Avira\AntiVir Desktop\sched.exe . . . was deleted!! You should re-install the program it pertains to
.
c:\program files\Java\jre6\bin\jqs.exe . . . is infected!!
c:\program files\Java\jre6\bin\jqs.exe . . . was deleted!! You should re-install the program it pertains to
.
c:\program files\Common Files\Motive\McciCMService.exe . . . is infected!!
c:\program files\Common Files\Motive\McciCMService.exe . . . was deleted!! You should re-install the program it pertains to
.
c:\windows\System32\TuneUpDefragService.exe . . . is infected!!
c:\windows\System32\TuneUpDefragService.exe . . . was deleted!! You should re-install the program it pertains to
.
c:\windows\system32\WFXSVC.EXE . . . is infected!!
c:\windows\system32\WFXSVC.EXE . . . was deleted!! You should re-install the program it pertains to
.
--------
.
c:\windows\system32\drivers\cdrom.sys . . . is infected!!
.
--------
.
c:\windows\system32\drivers\cdrom.sys . . . is infected!!
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_213c7075
-------\Legacy_AntiVirSchedulerService
-------\Service_AntiVirSchedulerService
.
.
((((((((((((((((((((((((( Files Created from 2011-08-16 to 2011-09-16 )))))))))))))))))))))))))))))))
.
.
2011-09-16 17:34 . 2010-09-07 20:39 150392 ----a-w- c:\windows\junction.exe
2011-09-15 19:50 . 2008-04-14 12:00 75264 -c--a-w- c:\windows\system32\dllcache\ipsec.sys
2011-09-15 19:50 . 2008-04-14 12:00 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
2011-09-14 18:35 . 2011-09-14 18:35 50112 --sha-w- c:\windows\system32\c_74702.nl_
2011-09-07 00:26 . 2011-09-15 20:36 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-09-07 00:15 . 2011-09-07 00:15 -------- d-----w- c:\documents and settings\user\Application Data\SUPERAntiSpyware.com
2011-09-07 00:15 . 2011-09-07 00:15 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-09-06 01:49 . 2011-09-06 01:49 -------- d-----w- c:\program files\ESET
2011-09-06 00:10 . 2011-09-06 00:10 -------- d-----w- c:\documents and settings\Administrator
2011-09-05 22:25 . 2011-09-05 22:25 -------- d-----w- c:\documents and settings\user\Application Data\Malwarebytes
2011-09-05 22:25 . 2011-09-05 22:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-09-05 22:25 . 2011-07-08 12:55 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-09-05 22:25 . 2011-09-09 18:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-09-05 22:25 . 2011-07-08 12:55 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-05 18:24 . 2011-09-05 18:24 -------- d--h--w- c:\windows\PIF
2011-09-05 18:16 . 2011-09-05 18:16 -------- d-----w- c:\program files\Trend Micro
2011-09-05 17:19 . 2011-09-05 17:19 -------- d-----w- c:\program files\Avira
2011-09-05 17:19 . 2011-07-21 17:15 138192 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-09-05 17:19 . 2011-07-21 17:15 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-09-05 17:19 . 2010-06-17 20:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2011-09-05 17:19 . 2010-06-17 20:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2011-09-01 18:05 . 2011-09-06 02:14 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2011-09-01 17:53 . 2011-09-01 17:53 -------- d-----w- c:\documents and settings\user\Application Data\Avira
2011-09-01 17:51 . 2011-09-05 17:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2011-09-01 17:25 . 2011-09-01 17:25 -------- d-----w- c:\documents and settings\user\Application Data\Avant Downloader
2011-08-23 22:52 . 2008-04-14 10:39 6144 -c--a-w- c:\windows\system32\dllcache\kbd106.dll
2011-08-23 22:52 . 2008-04-14 10:39 6144 ----a-w- c:\windows\system32\kbd106.dll
2011-08-22 21:37 . 2011-08-22 21:37 -------- d-----w- c:\windows\Sun
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-15 13:29 . 2008-04-14 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2008-04-14 12:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-24 14:10 . 2010-06-18 19:04 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36 . 2008-04-14 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36 . 2008-04-14 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05 . 2008-04-14 12:00 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44 . 2008-04-14 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\user\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\user\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\user\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\user\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-24 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-24 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-24 118784]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"ATT-SST_McciTrayApp"="c:\program files\ATT-SST\McciTrayApp.exe" [2010-07-27 1573888]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-04-21 281768]
.
c:\documents and settings\user\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\user\Application Data\Dropbox\bin\Dropbox.exe [2011-5-25 24176560]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{A213B520-C6C2-11d0-AF9D-008029E1027E}"= "c:\program files\WinFax\WfxSeh32.Dll" [1998-07-27 38400]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2010-06-01 16:17 5252408 ----a-w- c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
2006-10-20 22:23 118784 ------w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-01-26 21:31 2144088 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WFXSwtch]
2002-12-12 22:15 28160 ----a-r- c:\progra~1\WinFax\WFXSWTCH.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinFaxAppPortStarter]
2002-12-12 22:15 45568 ----a-w- c:\windows\system32\WFXSNT40.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\user\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\ATT-HSI\\McciBrowser.exe"=
"c:\\Program Files\\Avant Browser\\ybrowser.exe"=
"c:\\Program Files\\CCleaner\\CCleaner.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Yahoo!\\YUpdater\\yupdater.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\OUTLOOK.EXE"=
"c:\\Program Files\\Avant Browser\\adownloader.exe"=
"c:\\Program Files\\Avira\\AntiVir Desktop\\update.exe"=
"c:\\Program Files\\SpywareBlaster\\spywareblaster.exe"=
"c:\\Program Files\\Adobe\\Reader 10.0\\Reader\\AcroRd32.exe"=
"c:\\Program Files\\Avira\\AntiVir Desktop\\setup.exe"=
"c:\\Program Files\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe"=
"c:\\Program Files\\Avira\\AntiVir Desktop\\avnotify.exe"=
"c:\\Program Files\\Avant Browser\\avant.exe"=
"c:\\Program Files\\Avira\\AntiVir Desktop\\apnstub.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Documents and Settings\\user\\Application Data\\U3\\1536110F29D0F1FD\\LaunchPad.exe"=
"c:\\Program Files\\ESET\\ESET Online Scanner\\OnlineCmdLineScanner.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\MSTORDB.EXE"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
S0 cerc6;cerc6; [x]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\user\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\user\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\user\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS --> c:\docume~1\user\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS [?]
S2 !SASCORE;SAS Core Service;"c:\program files\SUPERAntiSpyware\SASCORE.EXE" --> c:\program files\SUPERAntiSpyware\SASCORE.EXE [?]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-16 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClickStarter.exe [2008-02-29 20:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.att.net
mStart Page = hxxp://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: $talisma_url$
TCP: DhcpNameServer = 192.168.1.254
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-16 16:02
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\.cdrom]
"ImagePath"="\*"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(452)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(1600)
c:\windows\system32\WININET.dll
c:\documents and settings\user\Application Data\Dropbox\bin\DropboxExt.14.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-09-16 16:04:17 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-16 21:04
.
Pre-Run: 32,927,367,168 bytes free
Post-Run: 32,863,412,224 bytes free
.
- - End Of File - - 6195B5957B1B68D9E1ABC2C12753A456


Let me know what is up with the logs when you get them, thanks again!