Persistent Trojan.FakeAlert, win32.agent.chh, Mal/FakeAV-CS

26 replies to this topic

#1 fakealertbytes

Posted 15 September 2011 - 09:49 AM

cmd and anything that uses it stays open for at most a minute so unable to get a dds log. gmer does run so I will attach its log.

Other information I can provide:
Sophos detected, quarantined, and cleaned up:
Mal/Iframe-V
Mal/Generic-L
Mal/EndPk-AL
Mal/FakeAV-CS (returns shortly thereafter)
AdAware 6 hour scan found nothing.
Spybot finished an hour long second scan and found win32.agent.chh but there is no option to fix it the way it previously fixed virtumonde.prx on the first scan.
MalwareBytes full scan and 10 minute quick scan have the same outcome:
Trojan.Agent and Trojan.Hiloti removed by the first scan which also finds 3 or 4 Trojan.FakeAlert entries which require a reboot to remove but reappear along with the most visible sign of the problem: Taskbar System warning balloons.
OTL - by OldTimer attached in lieu of dds

All attachments are a problem since I cannot write into the attach box nor will browse open an attachment box. The flash uploader doesn't load either... here is the content from gmer log ark.txt:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-09-15 10:14:09
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST980825A rev.3.06
Running: gmer.exe; Driver: C:\DOCUME~1\km\LOCALS~1\Temp\pxtdqpow.sys


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF757187E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF7571BFE]

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + F0 804E275C 2 Bytes [7E, 18] {JLE 0x1a}
.text ntoskrnl.exe!_abnormal_termination + F3 804E275F 1 Byte [F7]
.text ntoskrnl.exe!_abnormal_termination + 428 804E2A94 2 Bytes [FE, 1B]
.text ntoskrnl.exe!_abnormal_termination + 42B 804E2A97 1 Byte [F7]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[576] kernel32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 00377460 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\Explorer.EXE[576] kernel32.dll!CopyFileExW 7C827B32 7 Bytes JMP 003775A0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\WINDOWS\Explorer.EXE[576] ole32.dll!CoCreateInstance 774FF1AC 8 Bytes JMP 00377860 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs savonaccessfilter.sys (SAV On-access and HIPS for Windows XP (x86)/Sophos Plc)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)

From OTL.Txt:
OTL logfile created on: 15/09/2011 9:35:47 AM - Run 1
OTL by OldTimer - Version 3.2.28.0 Folder = C:\Documents and Settings\username\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00001009 | Country: NA | Language: ENC | Date Format: dd/MM/yyyy

1022.92 Mb Total Physical Memory | 270.11 Mb Available Physical Memory | 26.41% Memory free
2.41 Gb Paging File | 1.79 Gb Available in Paging File | 74.42% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 43.64 Gb Free Space | 58.55% Space Free | Partition Type: NTFS

Computer Name: computername | User Name: username | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/09/15 09:34:11 | 000,581,632 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\username\Desktop\OTL.exe
PRC - [2011/09/08 20:09:58 | 000,924,632 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2011/08/18 15:25:12 | 002,151,640 | ---- | M] (Lavasoft Limited) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
PRC - [2011/08/18 15:25:12 | 001,187,072 | ---- | M] (Lavasoft Limited) -- C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
PRC - [2011/07/16 22:21:04 | 000,302,592 | ---- | M] () -- C:\Documents and Settings\username\Desktop\gmer.exe
PRC - [2011/07/06 19:52:38 | 000,366,640 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2011/06/15 01:47:58 | 000,404,568 | ---- | M] (LG Electronics) -- C:\Documents and Settings\All Users\Application Data\LGMOBILEAX\B2C_Client\B2CNotiAgent.exe
PRC - [2011/03/30 19:16:36 | 001,541,360 | ---- | M] (Sophos Plc) -- C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe
PRC - [2011/03/30 19:16:22 | 000,097,520 | ---- | M] (Sophos Plc) -- C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
PRC - [2011/03/30 19:16:14 | 000,163,056 | ---- | M] (Sophos Plc) -- C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
PRC - [2011/03/30 19:16:04 | 000,806,912 | ---- | M] (Sophos Plc) -- C:\Program Files\Sophos\Remote Management System\RouterNT.exe
PRC - [2011/03/30 19:15:59 | 000,282,624 | ---- | M] (Sophos Plc) -- C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
PRC - [2010/11/25 22:48:46 | 000,619,288 | ---- | M] (http://tortoisesvn.net) -- C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
PRC - [2010/09/30 07:08:31 | 000,439,536 | ---- | M] (Sophos Plc) -- C:\Program Files\Sophos\AutoUpdate\ALMon.exe
PRC - [2010/09/30 07:08:30 | 000,230,640 | ---- | M] (Sophos Plc) -- C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
PRC - [2010/05/14 11:44:46 | 000,501,480 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Common Files\Java\Java Update\jucheck.exe
PRC - [2010/01/08 20:30:28 | 000,234,032 | ---- | M] () -- C:\Program Files\Hotspot Shield\bin\openvpnas.exe
PRC - [2010/01/08 19:42:42 | 000,285,744 | ---- | M] () -- C:\Program Files\Hotspot Shield\bin\hsswd.exe
PRC - [2010/01/08 19:42:40 | 000,331,824 | ---- | M] (AnchorFree Inc.) -- C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
PRC - [2008/04/14 06:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2003/08/19 11:00:40 | 000,053,248 | ---- | M] (Lexmark International, Inc.) -- C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
PRC - [2003/08/19 10:43:48 | 000,057,344 | ---- | M] (Lexmark International, Inc.) -- C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
PRC - [1998/02/26 15:00:00 | 000,260,096 | ---- | M] (Palm Computing, Inc., a 3Com Company) -- C:\Program Files\palm\hotsync.exe


========== Modules (No Company Name) ==========

MOD - [2011/09/08 20:09:55 | 001,846,232 | ---- | M] () -- C:\Program Files\Mozilla Firefox\mozjs.dll
MOD - [2011/08/27 21:29:17 | 006,277,280 | ---- | M] () -- C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
MOD - [2011/08/18 15:25:12 | 000,591,232 | ---- | M] () -- C:\Program Files\Lavasoft\Ad-Aware\RPAPI.dll
MOD - [2011/08/18 15:25:12 | 000,430,568 | ---- | M] () -- C:\Program Files\Lavasoft\Ad-Aware\Viprebridge.dll
MOD - [2011/08/18 15:25:12 | 000,308,560 | ---- | M] () -- C:\Program Files\Lavasoft\Ad-Aware\Vipre.dll
MOD - [2011/07/16 22:21:04 | 000,302,592 | ---- | M] () -- C:\Documents and Settings\username\Desktop\gmer.exe
MOD - [2011/05/26 13:42:00 | 000,067,872 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2011/03/30 19:16:04 | 000,032,256 | ---- | M] () -- C:\Program Files\Sophos\Remote Management System\TAO_Valuetype.dll
MOD - [2011/03/30 19:16:03 | 000,753,664 | ---- | M] () -- C:\Program Files\Sophos\Remote Management System\libeay32.dll
MOD - [2011/03/30 19:16:03 | 000,176,128 | ---- | M] () -- C:\Program Files\Sophos\Remote Management System\TAO_DynamicAny.dll
MOD - [2011/03/30 19:16:02 | 000,237,568 | ---- | M] () -- C:\Program Files\Sophos\Remote Management System\TAO_SSLIOP.dll
MOD - [2011/03/30 19:16:01 | 001,531,904 | ---- | M] () -- C:\Program Files\Sophos\Remote Management System\TAO.dll
MOD - [2011/03/30 19:16:00 | 001,048,576 | ---- | M] () -- C:\Program Files\Sophos\Remote Management System\ace.dll
MOD - [2011/03/30 19:15:59 | 000,733,184 | ---- | M] () -- C:\Program Files\Sophos\Remote Management System\TAO_Security.dll
MOD - [2011/03/30 19:15:59 | 000,159,744 | ---- | M] () -- C:\Program Files\Sophos\Remote Management System\ssleay32.dll
MOD - [2011/03/30 19:15:58 | 000,528,384 | ---- | M] () -- C:\Program Files\Sophos\Remote Management System\TAO_PortableServer.dll
MOD - [2011/03/30 19:15:58 | 000,056,832 | ---- | M] () -- C:\Program Files\Sophos\Remote Management System\ACE_SSL.dll
MOD - [2010/01/08 20:30:28 | 000,234,032 | ---- | M] () -- C:\Program Files\Hotspot Shield\bin\openvpnas.exe
MOD - [2010/01/08 19:42:42 | 000,285,744 | ---- | M] () -- C:\Program Files\Hotspot Shield\bin\hsswd.exe
MOD - [2010/01/08 19:42:42 | 000,194,048 | ---- | M] () -- C:\Program Files\Hotspot Shield\bin\curllib.dll
MOD - [2010/01/08 19:42:42 | 000,110,592 | ---- | M] () -- C:\Program Files\Hotspot Shield\bin\openldap.dll
MOD - [2010/01/08 19:42:42 | 000,065,536 | ---- | M] () -- C:\Program Files\Hotspot Shield\bin\libsasl.dll
MOD - [2009/03/29 22:34:30 | 000,280,143 | ---- | M] () -- C:\Program Files\Hotspot Shield\bin\libidn-11.dll
MOD - [2009/03/27 16:02:24 | 000,332,254 | ---- | M] () -- C:\Program Files\Hotspot Shield\bin\libssl32.dll
MOD - [2009/03/27 16:02:22 | 001,554,920 | ---- | M] () -- C:\Program Files\Hotspot Shield\bin\libeay32.dll
MOD - [2003/07/29 09:27:40 | 000,078,336 | ---- | M] () -- C:\WINDOWS\system32\spool\prtprocs\w32x86\LXBKPP5C.DLL
MOD - [2001/10/28 17:42:30 | 000,116,224 | ---- | M] () -- C:\WINDOWS\system32\pdfcmnnt.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (WmdmPmSp)
SRV - [2011/08/18 15:25:12 | 002,151,640 | ---- | M] (Lavasoft Limited) [Auto | Running] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2011/07/06 19:52:38 | 000,366,640 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2011/03/30 19:16:36 | 001,541,360 | ---- | M] (Sophos Plc) [Auto | Running] -- C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe -- (swi_service)
SRV - [2011/03/30 19:16:22 | 000,097,520 | ---- | M] (Sophos Plc) [Unknown | Running] -- C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe -- (SAVService)
SRV - [2011/03/30 19:16:14 | 000,163,056 | ---- | M] (Sophos Plc) [Unknown | Running] -- C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe -- (SAVAdminService)
SRV - [2011/03/30 19:16:04 | 000,806,912 | ---- | M] (Sophos Plc) [Auto | Running] -- C:\Program Files\Sophos\Remote Management System\RouterNT.exe -- (Sophos Message Router)
SRV - [2011/03/30 19:15:59 | 000,282,624 | ---- | M] (Sophos Plc) [Auto | Running] -- C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe -- (Sophos Agent)
SRV - [2011/03/06 22:18:12 | 000,035,856 | ---- | M] () [Auto | Stopped] -- C:\Program Files\NVDA\nvda_service.exe -- (nvda)
SRV - [2010/09/30 07:08:30 | 000,230,640 | ---- | M] (Sophos Plc) [Auto | Running] -- C:\Program Files\Sophos\AutoUpdate\ALsvc.exe -- (Sophos AutoUpdate Service)
SRV - [2010/01/08 20:31:04 | 000,057,640 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\Hotspot Shield\bin\HssTrayService.exe -- (HssTrayService)
SRV - [2010/01/08 20:30:28 | 000,234,032 | ---- | M] () [Auto | Running] -- C:\Program Files\Hotspot Shield\bin\openvpnas.exe -- (HotspotShieldService)
SRV - [2010/01/08 19:42:42 | 000,285,744 | ---- | M] () [Auto | Running] -- C:\Program Files\Hotspot Shield\bin\hsswd.exe -- (HssWd)
SRV - [2010/01/08 19:42:40 | 000,331,824 | ---- | M] (AnchorFree Inc.) [Auto | Running] -- C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe -- (HssSrv)
SRV - [2008/04/14 06:41:56 | 000,035,328 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\iprip.dll -- (Iprip)
SRV - [2005/11/22 17:20:28 | 000,036,864 | ---- | M] () [On_Demand | Stopped] -- C:\WINDOWS\system32\acs.exe -- (ACS)


========== Driver Services (SafeList) ==========

DRV - [2011/08/18 15:25:12 | 000,064,512 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\Lbd.sys -- (Lbd)
DRV - [2011/07/06 19:52:42 | 000,041,272 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
DRV - [2011/07/06 19:52:42 | 000,022,712 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2011/03/30 19:16:32 | 000,024,064 | ---- | M] (Sophos Plc) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\savonaccessfilter.sys -- (SAVOnAccessFilter)
DRV - [2011/03/30 19:16:28 | 000,014,976 | ---- | M] (Sophos Plc) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\SophosBootDriver.sys -- (SophosBootDriver)
DRV - [2011/03/30 19:16:26 | 000,023,928 | ---- | M] (Sophos Plc) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sdcfilter.sys -- (sdcfilter)
DRV - [2011/03/30 19:16:22 | 000,153,344 | ---- | M] (Sophos Plc) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\savonaccesscontrol.sys -- (SAVOnAccessControl)
DRV - [2010/12/07 14:12:24 | 000,025,088 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lgandmodem.sys -- (ANDModem)
DRV - [2010/12/07 14:12:24 | 000,020,096 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lgandgps.sys -- (AndGps)
DRV - [2010/12/07 14:12:22 | 000,020,736 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lganddiag.sys -- (AndDiag)
DRV - [2010/12/07 14:12:22 | 000,014,336 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lgandbus.sys -- (Andbus)
DRV - [2010/01/08 19:42:40 | 000,032,768 | ---- | M] (AnchorFree Inc) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\taphss.sys -- (taphss)
DRV - [2009/12/11 19:45:58 | 000,717,296 | ---- | M] (Duplex Secure Ltd.) [Kernel | Boot | Stopped] -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)
DRV - [2009/09/29 08:11:22 | 000,012,160 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\lgbtport.sys -- (LgBttPort)
DRV - [2009/09/29 08:11:20 | 000,012,928 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\lgvmodem.sys -- (LGVMODEM)
DRV - [2009/09/29 08:11:20 | 000,010,496 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\lgbtbus.sys -- (lgbusenum)
DRV - [2008/07/10 02:49:14 | 000,242,712 | ---- | M] (Microsoft Corporation) [File_System | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\RsFx0102.sys -- (RsFx0102)
DRV - [2008/01/23 17:25:32 | 000,027,136 | ---- | M] (The OpenVPN Project) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tapvpn.sys -- (tapvpn)
DRV - [2007/05/02 10:54:08 | 000,472,224 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ar5211.sys -- (AR5211)
DRV - [2005/03/22 20:00:58 | 001,034,752 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2003/06/27 09:53:44 | 001,196,352 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2002/05/24 15:19:02 | 000,308,460 | ---- | M] (Keyspan) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usa192k.sys -- (USA19)
DRV - [2002/05/24 15:18:20 | 000,040,868 | ---- | M] (Keyspan) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usa192kp.sys -- (USA192KP)
DRV - [1999/04/09 16:17:32 | 000,021,840 | ---- | M] (Logitech Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\System32\drivers\cxlpt.sys -- (CxLPT)
DRV - [1998/06/14 16:32:24 | 000,065,792 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\DSC2PAR.SYS -- (DSC2PAR)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.param.yahoo-fr: "chr-greentree_ff&type=302398"
FF - prefs.js..browser.startup.homepage: "https://www.google.com"
FF - prefs.js..extensions.enabledItems: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.8.6
FF - prefs.js..extensions.enabledItems: md5rehasher@phoneixs.es:0.8.7
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Web Player\npdivx32.dll (DivX,Inc.)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Content Upload Plugin,version=1.0.0: C:\Program Files\DivX\DivX Content Uploader\npUpload.dll File not found
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Player Plugin,version=1.0.0: C:\Program Files\DivX\DivX Player\npDivxPlayerPlugin.dll (DivX, Inc)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.3: C:\Program Files\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60531.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@pandasecurity.com/activescan: C:\Program Files\Panda Security\ActiveScan 2.0\npwrapper.dll (Panda Security, S.L.)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.11.2536: C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=1.0.2.2594: C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.1698: C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKCU\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKCU\Software\MozillaPlugins\@talk.google.com/GoogleTalkPlugin: C:\Documents and Settings\username\Application Data\Mozilla\plugins\npgoogletalk.dll (Google)
FF - HKCU\Software\MozillaPlugins\@talk.google.com/O3DPlugin: C:\Documents and Settings\username\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll ()
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=8: C:\Documents and Settings\username\Local Settings\Application Data\Google\Update\1.2.183.39\npGoogleOneClick8.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{4215CC0B-83D4-44AC-98D7-ED9AA0FC8CF1}: C:\Documents and Settings\username\Local Settings\Application Data\{4215CC0B-83D4-44AC-98D7-ED9AA0FC8CF1} [2011/09/11 16:09:11 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 6.0.2\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/09/08 20:09:59 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 6.0.2\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/09/05 17:23:09 | 000,000,000 | ---D | M]

[2008/08/30 00:41:53 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\username\Application Data\Mozilla\Extensions
[2011/08/25 10:08:39 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\username\Application Data\Mozilla\Firefox\Profiles\nnjvu1g8.default\extensions
[2010/04/28 23:11:34 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\username\Application Data\Mozilla\Firefox\Profiles\nnjvu1g8.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/08/25 10:08:39 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Documents and Settings\username\Application Data\Mozilla\Firefox\Profiles\nnjvu1g8.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2011/05/05 23:50:15 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/08/08 23:01:44 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2010/11/06 06:58:33 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
() (No name found) -- C:\DOCUMENTS AND SETTINGS\username\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\NNJVU1G8.DEFAULT\EXTENSIONS\MD5REHASHER@PHONEIXS.ES.XPI
[2011/09/11 16:09:11 | 000,000,000 | ---D | M] (XULRunner) -- C:\DOCUMENTS AND SETTINGS\username\LOCAL SETTINGS\APPLICATION DATA\{4215CC0B-83D4-44AC-98D7-ED9AA0FC8CF1}
[2011/09/08 20:09:59 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2010/09/15 04:50:38 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2007/12/23 14:18:12 | 000,284,248 | ---- | M] (Musicnotes, Inc.) -- C:\Program Files\mozilla firefox\plugins\npmusicn.dll
[2011/05/06 00:58:56 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml

O1 HOSTS File: ([2011/09/14 12:53:53 | 000,000,000 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (HistoryTriggerBHO Class) - {21A88CB9-84D2-4020-A2D1-B25A21034884} - C:\Program Files\LG Electronics\LG PC Suite IV\LinkAir\LinkAirBrowserHelper.dll (LG Electronics)
O2 - BHO: (Sophos Web Content Scanner) - {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - C:\Program Files\Sophos\Sophos Anti-Virus\SophosBHO.dll (Sophos Plc)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (no name) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - No CLSID value found.
O2 - BHO: (Hotspot Shield Class) - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files\Hotspot Shield\HssIE\HssIE.dll (AnchorFree Inc.)
O4 - HKLM..\Run: [B2C_AGENT] C:\Documents and Settings\All Users\Application Data\LGMOBILEAX\B2C_Client\B2CNotiAgent.exe (LG Electronics)
O4 - HKLM..\Run: [Lexmark X1100 Series] C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe (Lexmark International, Inc.)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [Sophos AutoUpdate Monitor] C:\Program Files\Sophos\AutoUpdate\ALMon.exe (Sophos Plc)
O4 - HKLM..\Run: [StorageGuard] C:\Program Files\VERITAS Software\Update Manager\sgtray.exe (VERITAS Software, Inc.)
O4 - HKLM..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe (Synaptics Incorporated)
O4 - HKLM..\Run: [Xkudemilek] rundll32.exe "C:\WINDOWS\afisuzogerutew.dll",Startup File not found
O4 - HKLM..\RunOnce: [*acctbridgedbg.exe] C:\WINDOWS\System32\config\systemprofile\Local Settings\Application Data\acctbridgedbg.exe ()
O4 - HKLM..\RunOnce: [*editcplpack.exe] C:\Documents and Settings\All Users\Application Data\editcplpack.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk = C:\Program Files\palm\hotsync.exe (Palm Computing, Inc., a 3Com Company)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab (Office Genuine Advantage Validation Tool)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} http://download.microsoft.com/download/7/4/9/749b0dc5-2175-4d5b-a6dd-9c4bc923683e/Selfhelpcontrol.cab (Microsoft Genuine Advantage Self Support Tool)
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} http://install.wildtangent.com/ActiveLauncher/ActiveLauncher.cab (Reg Error: Key error.)
O16 - DPF: {5F519B46-96EF-499F-BF24-C9E1548FA56B} http://ffcoservery1.webcam.carleton.ca/program/SonySncDf70View.cab (Sony SNC-DF70 Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1178917880173 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1178942918179 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} http://office.microsoft.com/officeupdate/content/opuc4.cab (Office Update Installation Engine)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O20 - AppInit_DLLs: (C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL) -C:\Program Files\Sophos\Sophos Anti-Virus\sophos_detoured.dll (Sophos Plc)
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - (Ati2evxx.dll) - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/05/11 12:59:16 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/09/15 09:34:29 | 000,581,632 | ---- | C] (OldTimer Tools) -- C:\OTL.exe
[2011/09/15 09:34:01 | 000,581,632 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\username\Desktop\OTL.exe
[2011/09/15 09:26:27 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\username\Desktop\something.scr
[2011/09/15 08:56:46 | 000,000,000 | ---D | C] -- C:\gmer
[2011/09/15 08:42:35 | 000,607,260 | R--- | C] (Swearware) -- C:\dds.scr
[2011/09/15 08:40:22 | 000,000,000 | R--D | C] -- C:\Documents and Settings\username\Start Menu\Programs\Administrative Tools
[2011/09/15 08:39:36 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\username\Desktop\dds.scr
[2011/09/14 21:34:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\username\Desktop\desktop files
[2011/09/14 11:39:55 | 000,080,384 | ---- | C] (S!Ri.URZ) -- C:\WINDOWS\System32\o4Patch.exe
[2011/09/14 11:39:55 | 000,078,336 | ---- | C] (S!Ri.URZ) -- C:\WINDOWS\System32\Agent.OMZ.Fix.exe
[2011/09/14 11:39:37 | 000,289,144 | ---- | C] (S!Ri) -- C:\WINDOWS\System32\VCCLSID.exe
[2011/09/14 11:39:37 | 000,288,417 | ---- | C] (S!Ri) -- C:\WINDOWS\System32\SrchSTS.exe
[2011/09/14 11:39:37 | 000,135,168 | ---- | C] (SteelWerX) -- C:\WINDOWS\System32\swreg.exe
[2011/09/14 11:39:37 | 000,087,552 | ---- | C] (S!Ri.URZ) -- C:\WINDOWS\System32\VACFix.exe
[2011/09/14 11:39:37 | 000,082,944 | ---- | C] (S!Ri.URZ) -- C:\WINDOWS\System32\IEDFix.exe
[2011/09/14 11:39:37 | 000,082,944 | ---- | C] (S!Ri.URZ) -- C:\WINDOWS\System32\IEDFix.C.exe
[2011/09/14 11:39:37 | 000,082,432 | ---- | C] (S!Ri.URZ) -- C:\WINDOWS\System32\404Fix.exe
[2011/09/14 11:39:37 | 000,079,360 | ---- | C] (SteelWerX) -- C:\WINDOWS\System32\swxcacls.exe
[2011/09/14 11:39:37 | 000,053,248 | ---- | C] (http://www.beyondlogic.org) -- C:\WINDOWS\System32\Process.exe
[2011/09/14 11:26:50 | 000,064,512 | ---- | C] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys
[2011/09/14 11:26:40 | 000,000,000 | ---D | C] -- C:\Program Files\Lavasoft
[2011/09/14 11:26:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Lavasoft
[2011/09/14 11:26:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Lavasoft
[2011/09/14 11:25:50 | 000,000,000 | ---D | C] -- C:\Virus removal
[2011/09/13 21:18:35 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2011/09/13 21:18:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\username\Start Menu\Programs\HiJackThis
[2011/09/11 16:09:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\username\Application Data\A1E6D3A5049E9BCF7C55F07C41174E6B
[2011/09/11 16:09:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\username\Local Settings\Application Data\{4215CC0B-83D4-44AC-98D7-ED9AA0FC8CF1}
[2011/09/05 17:26:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\iTunes
[2011/09/05 17:24:51 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2011/09/05 17:24:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2011/09/05 17:20:57 | 000,000,000 | ---D | C] -- C:\Program Files\Apple Software Update
[2011/09/05 17:16:43 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2011/09/03 06:17:37 | 000,599,040 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\crypt32.dll
[2011/08/28 05:59:33 | 000,126,976 | ---- | C] (Hewlett-Packard Company) -- C:\WINDOWS\System32\hpfll70v.dll
[2011/08/28 05:56:02 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Hewlett-Packard
[2011/08/28 05:54:35 | 000,372,736 | ---- | C] (Hewlett-Packard) -- C:\WINDOWS\System32\hppldcoi.dll
[2011/08/28 05:54:35 | 000,309,760 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\difxapi.dll
[2011/08/28 05:53:41 | 000,452,408 | ---- | C] (Hewlett-Packard) -- C:\WINDOWS\System32\hpzids01.dll
[2011/08/28 05:52:32 | 000,000,000 | ---D | C] -- C:\Program Files\HP
[2011/08/28 05:48:19 | 000,000,000 | -H-D | C] -- C:\Config.Msi
[2011/08/18 22:10:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\username\Application Data\DivX
[1996/11/18 01:00:00 | 000,018,944 | ---- | C] ( ) -- C:\WINDOWS\System32\IMPLODE.DLL
[8 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/09/15 10:08:04 | 000,208,384 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\authappobj.exe
[2011/09/15 09:46:08 | 000,000,966 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-343818398-492894223-854245398-1003UA.job
[2011/09/15 09:34:29 | 000,581,632 | ---- | M] (OldTimer Tools) -- C:\OTL.exe
[2011/09/15 09:34:11 | 000,581,632 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\username\Desktop\OTL.exe
[2011/09/15 08:52:04 | 000,002,413 | ---- | M] () -- C:\WINDOWS\System32\lgAxconfig.ini
[2011/09/15 08:51:44 | 000,000,486 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2011/09/15 08:49:47 | 000,000,252 | ---- | M] () -- C:\WINDOWS\tasks\WGASetup.job
[2011/09/15 08:49:34 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/09/15 08:49:17 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/09/15 08:49:15 | 1072,680,960 | -HS- | M] () -- C:\hiberfil.sys
[2011/09/15 08:48:14 | 000,000,211 | RHS- | M] () -- C:\boot.ini
[2011/09/15 08:39:38 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\username\Desktop\something.scr
[2011/09/15 08:39:38 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\username\Desktop\dds.scr
[2011/09/15 08:39:38 | 000,607,260 | R--- | M] (Swearware) -- C:\dds.scr
[2011/09/14 12:53:58 | 000,001,528 | ---- | M] () -- C:\WINDOWS\System32\tmp.reg
[2011/09/14 04:33:15 | 000,000,092 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2011/09/13 08:48:14 | 000,002,243 | ---- | M] () -- C:\WINDOWS\epplauncher.mif
[2011/09/11 14:46:00 | 000,000,914 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-343818398-492894223-854245398-1003Core.job
[2011/09/05 20:09:45 | 000,145,408 | ---- | M] () -- C:\Documents and Settings\username\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/09/03 06:17:37 | 000,599,040 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\crypt32.dll
[2011/08/28 06:08:03 | 000,136,481 | ---- | M] () -- C:\WINDOWS\hphins33.dat
[2011/08/27 21:29:17 | 000,404,640 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2011/08/21 14:36:58 | 000,502,482 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/08/21 14:36:58 | 000,093,632 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/08/18 23:31:16 | 000,000,600 | ---- | M] () -- C:\Documents and Settings\username\Local Settings\Application Data\PUTTY.RND
[2011/08/18 15:25:12 | 000,064,512 | ---- | M] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys
[8 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/09/15 10:00:40 | 000,208,384 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\actiondnsacl.exe
[2011/09/15 09:52:49 | 000,208,384 | ---- | C] () -- C:\Documents and Settings\username\parseacladsl.exe
[2011/09/15 08:57:36 | 000,302,592 | ---- | C] () -- C:\Documents and Settings\username\Desktop\gmer.exe
[2011/09/15 08:49:15 | 1072,680,960 | -HS- | C] () -- C:\hiberfil.sys
[2011/09/15 08:48:18 | 000,000,655 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk
[2011/09/14 12:50:52 | 000,001,528 | ---- | C] () -- C:\WINDOWS\System32\tmp.reg
[2011/09/14 11:39:37 | 000,075,776 | ---- | C] () -- C:\WINDOWS\System32\WS2Fix.exe
[2011/09/14 11:39:37 | 000,051,200 | ---- | C] () -- C:\WINDOWS\System32\dumphive.exe
[2011/09/14 11:39:37 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\swsc.exe
[2011/09/14 11:27:10 | 000,000,486 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2011/09/14 04:33:15 | 000,000,092 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2011/09/13 08:48:14 | 000,002,243 | ---- | C] () -- C:\WINDOWS\epplauncher.mif
[2011/08/28 05:39:08 | 000,136,481 | ---- | C] () -- C:\WINDOWS\hphins33.dat
[2011/08/28 05:39:08 | 000,000,512 | ---- | C] () -- C:\WINDOWS\hphmdl33.dat
[2011/08/05 21:38:13 | 000,082,416 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2011/05/27 00:35:18 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\CommonDL.dll
[2011/05/27 00:35:18 | 000,002,413 | ---- | C] () -- C:\WINDOWS\System32\lgAxconfig.ini
[2010/11/25 11:14:40 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\cd.dat
[2010/10/04 19:59:32 | 000,005,632 | ---- | C] () -- C:\WINDOWS\System32\StarOpen.sys
[2010/08/14 21:47:22 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2010/03/15 10:16:31 | 000,000,242 | ---- | C] () -- C:\WINDOWS\lexstat.ini
[2010/03/15 10:15:47 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\lxbkvs.dll
[2010/03/15 10:15:46 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\LXBKLCNP.DLL
[2010/03/15 10:15:45 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\LXBKIH.EXE
[2010/03/15 10:15:45 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\INSTMON.EXE
[2010/03/15 10:15:11 | 000,000,266 | ---- | C] () -- C:\WINDOWS\System32\lxbkcoin.ini
[2010/02/02 22:20:41 | 000,116,224 | ---- | C] () -- C:\WINDOWS\System32\pdfcmnnt.dll
[2009/11/28 18:53:02 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2009/08/10 23:41:09 | 000,000,048 | ---- | C] () -- C:\WINDOWS\IXLAPLAY.INI
[2009/08/10 23:22:18 | 000,210,944 | ---- | C] () -- C:\WINDOWS\System32\MSVCRT10.DLL
[2009/08/10 23:00:59 | 000,065,792 | ---- | C] () -- C:\WINDOWS\System32\drivers\DSC2PAR.SYS
[2009/08/10 23:00:59 | 000,052,736 | ---- | C] () -- C:\WINDOWS\System32\dime3500.drv
[2009/02/26 15:50:46 | 000,000,115 | ---- | C] () -- C:\WINDOWS\WINHLP32.INI
[2009/02/26 15:50:45 | 000,000,053 | ---- | C] () -- C:\WINDOWS\WINHELP.INI
[2009/02/14 19:38:49 | 000,000,027 | ---- | C] () -- C:\WINDOWS\SonySNCDF70.ini
[2008/02/04 21:34:58 | 000,651,264 | ---- | C] () -- C:\WINDOWS\System32\libeay32.dll
[2008/02/04 21:34:58 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\ssleay32.dll
[2008/02/04 21:34:58 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\acs.exe
[2008/02/04 21:34:17 | 000,315,392 | ---- | C] () -- C:\WINDOWS\System32\AegisI5.exe
[2007/12/31 18:34:40 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\Usa19PropPage.dll
[2007/12/31 18:34:40 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\k19inst.dll
[2007/12/19 12:11:44 | 000,000,156 | ---- | C] () -- C:\WINDOWS\matlab.ini
[2007/11/17 22:33:04 | 000,000,090 | ---- | C] () -- C:\WINDOWS\ImgView.INI
[2007/11/17 16:50:31 | 000,974,848 | ---- | C] () -- C:\WINDOWS\System32\OT5050R.dll
[2007/11/17 16:50:30 | 000,338,944 | ---- | C] () -- C:\WINDOWS\System32\lffpx7.dll
[2007/11/17 16:50:30 | 000,122,880 | ---- | C] () -- C:\WINDOWS\System32\LFKODAK.DLL
[2007/11/17 16:50:30 | 000,088,576 | ---- | C] () -- C:\WINDOWS\System32\lffpx90n.dll
[2007/06/14 20:31:42 | 000,001,365 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2007/05/28 10:20:08 | 000,000,600 | ---- | C] () -- C:\Documents and Settings\username\Local Settings\Application Data\PUTTY.RND
[2007/05/27 16:58:24 | 000,000,145 | ---- | C] () -- C:\WINDOWS\System32\EBPPORT3.DAT
[2007/05/12 04:07:34 | 000,145,408 | ---- | C] () -- C:\Documents and Settings\username\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/05/12 02:09:54 | 000,000,000 | ---- | C] () -- C:\WINDOWS\OpPrintServer.INI
[2007/05/12 00:22:33 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2007/05/12 00:21:47 | 000,003,870 | ---- | C] () -- C:\WINDOWS\mozver.dat
[2007/05/11 23:34:45 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/05/11 16:22:55 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2007/05/11 13:01:41 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2007/05/11 12:56:22 | 000,022,720 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2007/05/11 08:19:43 | 000,004,349 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2007/05/11 08:18:45 | 000,138,056 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2007/03/05 13:34:28 | 000,676,224 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.DLL
[2006/12/31 08:57:08 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2005/03/17 11:29:58 | 000,081,342 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.dat
[2003/06/24 14:43:48 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\SynTPCoI.dll
[2003/03/31 08:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2003/03/31 08:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2003/03/31 08:00:00 | 000,502,482 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2003/03/31 08:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2003/03/31 08:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2003/03/31 08:00:00 | 000,093,632 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2003/03/31 08:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2003/03/31 08:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2003/03/31 08:00:00 | 000,004,461 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2003/03/31 08:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2003/03/31 08:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/11/08 13:10:40 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2001/08/31 16:33:58 | 000,425,984 | ---- | C] () -- C:\WINDOWS\System32\VxDMDcDlg.dll
[1996/12/23 01:00:00 | 000,445,952 | ---- | C] () -- C:\WINDOWS\System32\REPODBC.DLL
[1996/12/23 01:00:00 | 000,027,136 | ---- | C] () -- C:\WINDOWS\System32\REPRC.DLL
[1996/12/11 01:00:00 | 000,009,216 | ---- | C] () -- C:\WINDOWS\System32\DMEM.DLL
[1996/11/18 01:00:00 | 000,748,160 | ---- | C] () -- C:\WINDOWS\System32\CO2C40EN.DLL
[1996/11/18 01:00:00 | 000,131,072 | ---- | C] () -- C:\WINDOWS\System32\P2SODBC.DLL
[1996/11/18 01:00:00 | 000,054,272 | ---- | C] () -- C:\WINDOWS\System32\P2IRDAO.DLL
[1996/11/18 01:00:00 | 000,050,176 | ---- | C] () -- C:\WINDOWS\System32\P2CTDAO.DLL
[1996/11/18 01:00:00 | 000,036,352 | ---- | C] () -- C:\WINDOWS\System32\P2BBND.DLL

< End of report >
From Extras.Txt:
OTL Extras logfile created on: 15/09/2011 9:35:48 AM - Run 1
OTL by OldTimer - Version 3.2.28.0 Folder = C:\Documents and Settings\computername\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00001009 | Country: NA | Language: ENC | Date Format: dd/MM/yyyy

1022.92 Mb Total Physical Memory | 270.11 Mb Available Physical Memory | 26.41% Memory free
2.41 Gb Paging File | 1.79 Gb Available in Paging File | 74.42% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 43.64 Gb Free Space | 58.55% Space Free | Partition Type: NTFS

Computer Name: username | User Name: computername | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
http [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
"" =
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Sophos\Sophos Anti-Virus\SavMain.exe" = C:\Program Files\Sophos\Sophos Anti-Virus\SavMain.exe:*:Enabled:Sophos Anti-Virus -- (Sophos Plc)
"C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe:*:Disabled:Firefox -- (Mozilla Corporation)
"C:\Program Files\DC++\DCPlusPlus.exe" = C:\Program Files\DC++\DCPlusPlus.exe:*:Enabled:DC++
"C:\Program Files\VideoLAN\VLC\vlc.exe" = C:\Program Files\VideoLAN\VLC\vlc.exe:*:Disabled:VLC media player -- ()
"C:\Program Files\FrostWire\FrostWire.exe" = C:\Program Files\FrostWire\FrostWire.exe:*:Disabled:FrostWire
"C:\Program Files\Google\Google Talk\googletalk.exe" = C:\Program Files\Google\Google Talk\googletalk.exe:*:Disabled:Google Talk
"C:\Documents and Settings\computername\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.dll" = C:\Documents and Settings\computername\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.dll:*:Disabled:Google Talk Plugin -- (Google)
"C:\Documents and Settings\computername\My Documents\Downloads\Mats_Run.winfilefolder.exe" = C:\Documents and Settings\computername\My Documents\Downloads\Mats_Run.winfilefolder.exe:*:Disabled:Mats_Run.winfilefolder.exe
"C:\Program Files\Yahoo!\Messenger\YServer.exe" = C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Disabled:Yahoo! FT Server -- (Yahoo! Inc.)
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Disabled:Yahoo! Messenger -- (Yahoo! Inc.)
"C:\Program Files\Xming\Xming.exe" = C:\Program Files\Xming\Xming.exe:*:Enabled:Xming X Server -- ()
"C:\Documents and Settings\computername\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe" = C:\Documents and Settings\computername\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe:*:Enabled:Google Talk Plugin -- (Google)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0001B4FD-9EA3-4D90-A79E-FD14BA3AB01D}" = PDFCreator
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{005F78AF-110D-398A-8430-BE98950A1E22}" = Google Talk Plugin
"{044F9133-B8D7-4d11-BF39-803FA20F5C8B}" = Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for Win32
"{0627E8E9-6822-4A5E-9225-286741CDC3E4}" = FileViewerUtility 1.0
"{0C19D563-5F25-4621-BF10-01F741BD283F}" = Microsoft SQL Server Compact 3.5 SP1 Design Tools English
"{121634B0-2F4B-11D3-ADA3-00C04F52DD52}" = Windows Installer Clean Up
"{13F3917B56CD4C25848BDC69916971BB}" = DivX Converter Mobile
"{15C418EB-7675-42be-B2B3-281952DA014D}" = Sophos AutoUpdate
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{196E77C5-F524-4B50-BD1A-2C21EEE9B8F7}" = Microsoft SQL Server 2008 Common Files
"{26A24AE4-039D-4CA4-87B4-2F83216019FF}" = Java™ 6 Update 22
"{292F0F52-B62D-4E71-921B-89A682402201}" = Toolbox
"{31800004-6386-4999-A519-518F2D78D8F0}" = Python 2.5.1
"{3248F0A8-6813-11D6-A77B-00B0D0160010}" = Java™ SE Runtime Environment 6 Update 1
"{3248F0A8-6813-11D6-A77B-00B0D0160020}" = Java™ 6 Update 2
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java™ 6 Update 3
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java™ 6 Update 5
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{342D4AD7-EC4C-4EC8-AEA6-E70F5905A490}" = SQL Server System CLR Types
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{385DD1DD-65AA-408D-8E70-74601C2DB7E6}" = Ad-Aware
"{3C3D696B-0DB7-3C6D-A356-3DB8CE541918}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
"{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
"{461B11E8-BF34-4ACB-962A-1CBE905BD9EB}" = LG United Mobile Drivers
"{4815BD99-96A4-49FE-A885-DCF06E9E4E78}" = Microsoft SQL Server 2008 Database Engine Shared
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4A6F34E2-09E5-4616-B227-4A26A488A6F9}" = Microsoft SQL Server 2008 Common Files
"{570B96D1-70D3-4B48-93EF-029440FA1BCE}" = Camera Window
"{58721EC3-8D4E-4B79-BC51-1054E2DDCD10}" = Microsoft SQL Server 2008 Database Engine Services
"{5BD5F1C4-EB4E-4AC2-A110-B33E252D5DB6}" = Keyspan USB PDA Adapter
"{5BE1E709-30E4-3D6D-A708-96CE8D5E5E8D}" = Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for .NET Framework - enu
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{60FFB3E0-6D5B-4D73-AE5B-07E58B83AF0C}" = 32 Bit HP CIO Components Installer
"{69995C7A-062A-4A90-A4DF-8C22895DF522}" = iTunes
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{74E2CD0C-D4A2-11D3-95A6-0000E86CFDE5}" = SSH Secure Shell
"{7694E0B1-2332-448B-9235-929F84B41E3F}" = Active@ ISO Burner
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{78D80EAF-1ADB-46A8-AF6F-EBB18B6ADBCE}" = ISO Creator 1.0
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{8214CC02-6271-4DC8-B8DD-779933450264}" = IBM RecordNow
"{8338BA06-E527-491B-9400-F51708FEE695}" = iPod for Windows 2005-11-17
"{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8F2F35B0-4019-4291-BBF5-121F51637FC7}" = VC80MFCRedist - 8.0.50727.4053
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90510409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Visio Professional 2003
"{91120409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Standard Edition 2003
"{913A0409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Project Standard 2003
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{95468B00-C081-4B27-AC96-0A2A31359E60}" = Adobe Flash Player 10 ActiveX
"{96178C0A-BAF9-4E49-A2A5-CDE76722105B}" = HP Deskjet D1600 Printer Driver 14.0 Rel. 6
"{98E8A2EF-4EAE-43B8-A172-74842B764777}" = InterVideo WinDVD
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9ACB414D-9347-40B6-A453-5EFB2DB59DFA}" = Sophos Anti-Virus
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9D6D76A6-4328-49E8-97A7-531A74841DA5}" = Microsoft SQL Server 2008 Setup Support Files (English)
"{9FAC9E5C-0D20-4DBF-AFE5-2E09C52A95A2}" = ThinkPad Wireless LAN Adapters Software (11a/b, 11b/g, 11a/b/g)
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A3E0FF15-90D5-40CD-8565-B80A433B0D4C}" = PhotoStitch
"{A96E97134CA649888820BCDE5E300BBD}" = H.264 Decoder
"{AAC389499AEF40428987B3D30CFC76C9}" = MKV Splitter
"{AC76BA86-7AD7-1033-7B44-A83000000003}" = Adobe Reader 8.3.0
"{AC76BA86-7AD7-5670-0000-800000000003}" = Korean Fonts Support For Adobe Reader 8
"{AC7EE5F1-0DE4-4256-8E43-92B73C8E6019}" = LG Bluetooth Drivers
"{ACCEB7C3-4F3A-4C43-93CA-644951D08B0D}" = TortoiseSVN 1.6.12.20536 (32 bit)
"{AEF9DC35ADDF4825B049ACBFD1C6EB37}" = AAC Decoder
"{AF145F8997B44EE9B106D018EF1DB58B}" = DivX Converter Mobile
"{B08894AF-D523-46B1-9B9B-2DA6B29CDD23}" = RemoteCapture 2.6
"{B116E95E-01B1-420A-AECB-B2B330B9BD97}" = Polar Precision Performance SW
"{B3575D00-27EF-49C2-B9E0-14B3D954E992}" = Apple Application Support
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B5153233-9AEE-4CD4-9D2C-4FAAC870DBE2}" = Microsoft SQL Server 2008 Database Engine Services
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{B857D868-F8B0-43EE-BC2B-D9E5ED21F237}" = Microsoft SQL Server VSS Writer
"{B8CD1189-53D6-4C51-8082-14B812EABBA8}" = Canon Camera WIA Driver
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C1D76D7A-F3BB-47EA-A746-5B1E2FFC1DF2}" = Canon Utilities ZoomBrowser EX
"{C23CD6DA-1958-43A5-ADD0-59396572E02E}" = Apple Mobile Device Support
"{C688457E-03FD-4941-923B-A27F4D42A7DD}" = Microsoft SQL Server 2008 Browser
"{C965F01C-76EA-4BD7-973E-46236AE312D7}" = Sql Server Customer Experience Improvement Program
"{C9B2F671-870B-43A0-8B9D-7DB30CEBD87E}" = DJ_SF_06_D1600_SW_Min
"{C9E14402-3631-4182-B377-6B0DFB1C0339}" = QuickTime
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D03482C5-9AD8-496D-B388-692AE04C93AF}" = Bonjour
"{D9D937B0-E842-4130-9588-B948E876904A}" = Microsoft SQL Server 2008 Native Client
"{DD622B1D-A78E-3FE8-9C8C-246F5764B0D0}" = Microsoft Visual Basic 2008 Express Edition with SP1 - ENU
"{E59113EB-0285-4BFD-A37A-B79EAC6B8F4B}" = Microsoft SQL Server Compact 3.5 SP1 English
"{E6F88942-A3EE-11D6-862E-0050BF643EE7}" = MD5 for Win32
"{F1DC7648-8623-442F-92B7-E118DF61872E}" = Microsoft SQL Server 2008 RsFx Driver
"{F3494AB6-6900-41C6-AF57-823626827ED8}" = Microsoft SQL Server 2008 Database Engine Shared
"{F5E87B12-3C27-452F-8E78-21D42164FD83}" = Microsoft SQL Server 2008 Management Objects
"{FED1005D-CBC8-45D5-A288-FFC7BB304121}" = Sophos Remote Management System
"7-Zip" = 7-Zip 4.65
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Agere Systems Soft Modem" = Agere Systems AC'97 Modem
"ATI Display Driver" = ATI Display Driver
"CCleaner" = CCleaner
"DiddleEx_is1" = DiddleEx 2.05
"Dimera 2000_3500" = Dimera 2000_3500
"DivX Plus DirectShow Filters" = DivX Plus DirectShow Filters
"EasyGPS_is1" = EasyGPS 2.7.5
"EPSON Printer and Utilities" = EPSON Printer Software
"FLV Player1.33 FC" = FLV Player
"HotspotShield" = Hotspot Shield 1.37
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{0627E8E9-6822-4A5E-9225-286741CDC3E4}" = Canon Utilities FileViewerUtility 1.0
"InstallShield_{570B96D1-70D3-4B48-93EF-029440FA1BCE}" = Canon Camera Window for ZoomBrowser EX
"InstallShield_{8338BA06-E527-491B-9400-F51708FEE695}" = iPod for Windows 2005-11-17
"InstallShield_{A3E0FF15-90D5-40CD-8565-B80A433B0D4C}" = Canon Utilities PhotoStitch 3.1
"InstallShield_{B08894AF-D523-46B1-9B9B-2DA6B29CDD23}" = Canon Utilities RemoteCapture 2.6
"InstallShield_{B8CD1189-53D6-4C51-8082-14B812EABBA8}" = Canon IXY 320, PowerShot S230, IXUS v3 WIA Driver
"ixlaDCSV1.2" = ixla Digital Camera Suite
"ixlaExplorerV1.2" = ixla Explorer
"Lexmark X1100 Series" = Lexmark X1100 Series
"LG PC Suite IV" = LG PC Suite IV
"Logitech QuickCam" = Logitech QuickCam
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.1.1800
"MatlabR2007a" = MATLAB R2007a
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft SQL Server 10" = Microsoft SQL Server 2008
"Microsoft SQL Server 10 Release" = Microsoft SQL Server 2008
"Microsoft Visual Basic 2008 Express Edition with SP1 - ENU" = Microsoft Visual Basic 2008 Express Edition with SP1 - ENU
"Mozilla Firefox 6.0.2 (x86 en-US)" = Mozilla Firefox 6.0.2 (x86 en-US)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVDA" = NVDA 2011.1
"PhotoRecord" = Canon PhotoRecord
"Plaxo" = Plaxo Toolbar for Windows
"PocketMirror 2.0" = PocketMirror 2.0 Outlook Edition
"Power Management Driver" = ThinkPad Power Management Driver
"PROSet" = Intel® Network Connections Drivers
"RealPlayer 6.0" = RealPlayer
"Skype_is1" = Skype 2.5
"SynTPDeinstKey" = ThinkPad UltraNav Driver
"UltraStar Deluxe" = UltraStar Deluxe
"VB5" = Visual Basic 5.0 Professional Edition
"VLC media player" = VLC media player 1.0.3
"Wdf01009" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"winscp3_is1" = WinSCP 3.8.2
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Write-N-Cite" = Write-N-Cite
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"wxPython2.8-ansi-py25_is1" = wxPython 2.8.7.1 (ansi) for Python 2.5
"Xming_is1" = Xming 6.9.0.31
"Yahoo! Messenger" = Yahoo! Messenger

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Pilot Desktop" = Palm Desktop

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 14/09/2011 9:57:45 PM | Computer Name = username | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The server name or address could not be resolved

Error - 14/09/2011 10:34:06 PM | Computer Name = username | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 14/09/2011 10:34:06 PM | Computer Name = username | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 15/09/2011 8:50:25 AM | Computer Name = username | Source = MSSQL$SQLEXPRESS | ID = 17053
Description = UpdateUptimeRegKey: Operating system error 5(Access is denied.) encountered.

Error - 15/09/2011 8:50:49 AM | Computer Name = username | Source = Application Error | ID = 1000
Description = Faulting application nvda_service.exe, version 0.0.0.0, faulting module
unknown, version 0.0.0.0, fault address 0x10002f6c.

Error - 15/09/2011 8:51:02 AM | Computer Name = username | Source = Sophos Message Router | ID = 8005
Description = DNS lookup failure trying to resolve the following addresses: ccssav02,ccssav02.cunet.carleton.ca.%3

Error - 15/09/2011 8:51:04 AM | Computer Name = username | Source = MSSQL$SQLEXPRESS | ID = 17182
Description = TDSSNIClient initialization failed with error 0x5, status code 0x51.
Reason: Unable to configure MDAC-compatibility Named Pipes protocol pipe name in
registry. Access is denied.

Error - 15/09/2011 8:51:04 AM | Computer Name = username | Source = MSSQL$SQLEXPRESS | ID = 17182
Description = TDSSNIClient initialization failed with error 0x5, status code 0x1.
Reason: Initialization failed with an infrastructure error. Check for previous
errors. Access is denied.

Error - 15/09/2011 8:51:04 AM | Computer Name = username | Source = MSSQL$SQLEXPRESS | ID = 17826
Description = Could not start the network library because of an internal error in
the network library. To determine the cause, review the errors immediately preceding
this one in the error log.

Error - 15/09/2011 8:51:04 AM | Computer Name = username | Source = MSSQL$SQLEXPRESS | ID = 17120
Description = SQL Server could not spawn FRunCM thread. Check the SQL Server error
log and the Windows event logs for information about possible related problems.

[ System Events ]
Error - 15/09/2011 8:46:49 AM | Computer Name = username | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error - 15/09/2011 8:47:04 AM | Computer Name = username | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error - 15/09/2011 8:47:09 AM | Computer Name = username | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 15/09/2011 8:48:00 AM | Computer Name = username | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error - 15/09/2011 8:48:23 AM | Computer Name = username | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 15/09/2011 8:49:30 AM | Computer Name = username | Source = sptd | ID = 262148
Description = Driver detected an internal error in its data structures for .

Error - 15/09/2011 8:50:40 AM | Computer Name = username | Source = Service Control Manager | ID = 7023
Description = The Portable Media Serial Number service terminated with the following
error: %%126

Error - 15/09/2011 8:51:19 AM | Computer Name = username | Source = Service Control Manager | ID = 7024
Description = The SQL Server (SQLEXPRESS) service terminated with service-specific
error 5 (0x5).

Error - 15/09/2011 8:51:19 AM | Computer Name = username | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
sptd

Error - 15/09/2011 8:52:14 AM | Computer Name = username | Source = Service Control Manager | ID = 7034
Description = The nonVisual Desktop Access service terminated unexpectedly. It
has done this 1 time(s).


< End of report >

Edited by fakealertbytes, 15 September 2011 - 09:53 AM.



#2 nasdaq (Malware Response Team, Montreal, QC, Canada)

Posted 20 September 2011 - 08:02 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===


Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some rootkit infections may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall.
===

Please let me know what problem persists.

#3 fakealertbytes (Topic Starter)

Posted 20 September 2011 - 09:24 PM

This website was down yesterday morning otherwise I would have replied earlier since I could not read the content of the new post until the forums were up again. After running http://download.bleepingcomputer.com/sUBs/ComboFix.exe from Safe-Mode with networking it installed the recovery and rebooted into a normal user and ran some more. After getting the below log I got a pop up that I will try to attach titled "Handle License Agreement" content: "SYSINTERNALS SOFTWARE LICENSE TERMS
You can also use the /accepteula command-line switch to accept the EULA
These license terms are an agreement between Sysinternals (a wholly owned subsidiary of Microsoft Corporation) and you. Please read them. They apply to the software you are downloading from Sysinternals.com, which includes the media on which you received it, if any. The terms also apply to any Sysinternals..." Agree/Decline
Attached file: EULA.jpg (34.18 KB)

Should I accept this? It sounds like a valid program used to diagnose situations like this but does combofix install it? I certainly did not and I would guess that in order to get into this situation I clicked on something similar that was false so I am hesitant. Sophos is also having trouble updating. Should I run Malwarebytes to see if what it could detect has been removed?

ComboFix 11-09-20.04 - Administrator 20/09/2011 20:45:16.1.1 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.682 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: Sophos Anti-Virus *Disabled/Updated* {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\LocalService\Local Settings\Application Data\auditadslcsc.exe
c:\program files\Hotspot Shield\hssie\HsSIe.dll
c:\program files\messenger\msmsgsin.exe
c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\d3d9caps.dat
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\MSMAsk32.ocx
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\twain.dll
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe
c:\windows\winhelp.ini
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_NPF
.
.
((((((((((((((((((((((((( Files Created from 2011-08-21 to 2011-09-21 )))))))))))))))))))))))))))))))
.
.
2011-09-17 20:09 . 2011-09-17 21:38 -------- d---a-w- C:\.Trash-1001
2011-09-15 14:10 . 2011-09-15 14:10 208384 ----a-w- c:\windows\system32\apisrvapp.exe
2011-09-15 13:34 . 2011-09-15 13:34 581632 ----a-w- C:\OTL.exe
2011-09-15 12:56 . 2011-09-15 12:56 -------- d-----w- C:\gmer
2011-09-15 12:42 . 2011-09-15 12:39 607260 ----a-r- C:\dds.scr
2011-09-15 02:08 . 2011-09-15 02:08 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2011-09-14 16:43 . 2011-09-14 16:43 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-09-14 15:37 . 2011-09-14 15:37 -------- d-----w- c:\documents and settings\Administrator\Application Data\Subversion
2011-09-14 15:37 . 2011-09-14 15:37 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache
2011-09-14 15:35 . 2011-09-14 15:35 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2011-09-14 15:32 . 2011-09-21 00:03 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\TSVNCache
2011-09-14 15:26 . 2011-08-18 19:25 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-09-14 15:26 . 2011-09-14 15:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2011-09-14 15:26 . 2011-09-14 15:26 -------- d-----w- c:\program files\Lavasoft
2011-09-14 15:25 . 2011-09-14 16:50 -------- d-----w- C:\Virus removal
2011-09-14 01:18 . 2011-09-14 01:18 -------- d-----w- c:\program files\Trend Micro
2011-09-12 14:10 . 2011-09-12 14:10 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-09-05 21:24 . 2011-09-05 21:25 -------- d-----w- c:\program files\iTunes
2011-09-05 21:24 . 2011-09-05 21:25 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2011-09-05 21:20 . 2011-09-05 21:20 -------- d-----w- c:\program files\Apple Software Update
2011-09-05 21:16 . 2011-09-05 21:16 -------- d-----w- c:\program files\Bonjour
2011-09-03 10:17 . 2011-09-09 09:12 599040 -c----w- c:\windows\system32\dllcache\crypt32.dll
2011-08-28 09:59 . 2009-04-16 18:08 312832 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpfpp70v.dll
2011-08-28 09:59 . 2009-04-16 18:08 126976 ----a-w- c:\windows\system32\hpfll70v.dll
2011-08-28 09:56 . 2011-08-28 09:56 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2011-08-28 09:54 . 2008-10-29 00:27 372736 ----a-w- c:\windows\system32\hppldcoi.dll
2011-08-28 09:54 . 2008-10-29 00:27 309760 ----a-w- c:\windows\system32\difxapi.dll
2011-08-28 09:54 . 2008-10-29 00:27 21568 ----a-w- c:\windows\system32\drivers\HPZius12.sys
2011-08-28 09:54 . 2008-10-29 00:27 16496 ----a-w- c:\windows\system32\drivers\HPZipr12.sys
2011-08-28 09:54 . 2008-10-29 00:27 49920 ----a-w- c:\windows\system32\drivers\HPZid412.sys
2011-08-28 09:53 . 2009-04-16 11:53 452408 ----a-w- c:\windows\system32\hpzids01.dll
2011-08-28 09:52 . 2011-08-28 09:54 -------- d-----w- c:\program files\HP
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-21 00:01 . 2003-03-31 12:00 26112 ----a-w- c:\windows\system32\userinit.exe
2011-09-09 09:12 . 2003-03-31 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-08-28 01:29 . 2011-05-31 02:14 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-06 01:05 . 2009-06-04 00:08 134944 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VBExpress\9.0\1033\ResourceCache.dll
2011-08-06 01:04 . 2009-06-04 00:07 416 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\MSDN\9.0\1033\ResourceCache.dll
2011-07-15 13:29 . 2003-03-31 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-12 15:20 . 2011-07-12 15:20 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-07-12 15:20 . 2011-07-12 15:20 73064 ----a-w- c:\windows\system32\dnssd.dll
2011-07-12 15:20 . 2011-07-12 15:20 178536 ----a-w- c:\windows\system32\dnssdX.dll
2011-07-08 14:02 . 2003-03-31 12:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-07-06 23:52 . 2010-12-25 18:43 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-06 23:52 . 2010-12-25 18:43 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-05 22:37 . 2011-07-05 22:37 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-07-05 22:37 . 2011-07-05 22:37 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-06-24 14:10 . 2010-12-21 16:40 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36 . 2006-06-23 16:33 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36 . 2003-03-31 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36 . 2003-03-31 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
2009-08-28 21:42 . 2009-08-28 21:42 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-08-28 21:42 . 2009-08-28 21:42 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2011-09-09 00:09 . 2011-05-06 04:58 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2006-10-19 01:47 . C51B4A5C05A5475708E3C81C7765B71D . 27136 . . [11.0.5721.5145] . . c:\windows\system32\mspmsnsv.dll
[-] 2004-08-04 07:56 . C086483E3DBA8C1C0A687EC8D5B3D4C1 . 52224 . . [9.0.1.56] . . c:\windows\$NtUninstallWMFDist11$\mspmsnsv.dll
[-] 2004-08-04 07:56 . C086483E3DBA8C1C0A687EC8D5B3D4C1 . 52224 . . [9.0.1.56] . . c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\mspmsnsv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2010-04-23 128296]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-04-23 1725736]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"StorageGuard"="c:\program files\VERITAS Software\Update Manager\sgtray.exe" [2002-06-18 155648]
"Sophos AutoUpdate Monitor"="c:\program files\Sophos\AutoUpdate\almon.exe" [2010-09-30 439536]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-07-05 421888]
"Lexmark X1100 Series"="c:\program files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 57344]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-08-19 421736]
"B2C_AGENT"="c:\documents and settings\All Users\Application Data\LGMOBILEAX\B2C_Client\B2CNotiAgent.exe" [2011-09-20 404568]
"AGRSMMSG"="AGRSMMSG.exe" [2003-06-27 88363]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-05-27 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
authappobj.exe [2011-9-15 208384]
HotSync Manager.lnk - c:\program files\palm\hotsync.exe [N/A]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Sophos\\Sophos Anti-Virus\\SavMain.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Documents and Settings\\username\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Xming\\Xming.exe"=
"c:\\Documents and Settings\\username\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-12-11 717296]
R3 Andbus;LGE Android Platform Composite USB Device;c:\windows\system32\DRIVERS\lgandbus.sys [2010-12-07 14336]
R3 AndDiag;LGE Android Platform USB Serial Port;c:\windows\system32\DRIVERS\lganddiag.sys [2010-12-07 20736]
R3 AndGps;LGE Android Platform USB GPS NMEA Port;c:\windows\system32\DRIVERS\lgandgps.sys [2010-12-07 20096]
R3 ANDModem;LGE Android Platform USB Modem;c:\windows\system32\DRIVERS\lgandmodem.sys [2010-12-07 25088]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [2011-08-18 15232]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-07-06 41272]
R3 sdcfilter;sdcfilter;c:\windows\system32\DRIVERS\sdcfilter.sys [2011-03-30 23928]
R3 USA19;USA19;c:\windows\system32\DRIVERS\usa192k.sys [2002-05-24 308460]
R3 USA192KP;Keyspan USB PDA Adapter Port Driver;c:\windows\system32\DRIVERS\USA192kp.SYS [2002-05-24 40868]
R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2008-07-11 47128]
R4 RsFx0102;RsFx0102 Driver;c:\windows\system32\DRIVERS\RsFx0102.sys [2008-07-10 242712]
R4 SophosBootDriver;SophosBootDriver;c:\windows\system32\DRIVERS\SophosBootDriver.sys [2011-03-30 14976]
R4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2008-07-11 369688]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2011-08-18 64512]
S1 DSC2PAR;DSC2PAR; [x]
S1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\DRIVERS\savonaccesscontrol.sys [2011-03-30 153344]
S1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\DRIVERS\savonaccessfilter.sys [2011-03-30 24064]
S2 HssWd;Hotspot Shield Monitoring Service;c:\program files\Hotspot Shield\bin\hsswd.exe [2010-01-08 285744]
S2 Iprip;RIP Listener;c:\windows\System32\svchost.exe [2008-04-14 14336]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2011-08-18 2151640]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-07-06 366640]
S2 nvda;nonVisual Desktop Access;c:\program files\NVDA\nvda_service.exe [2011-03-07 35856]
S2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\Sophos\Sophos Anti-Virus\SAVAdminService.exe [2011-03-30 163056]
S2 SAVService;Sophos Anti-Virus;c:\program files\Sophos\Sophos Anti-Virus\SavService.exe [2011-03-30 97520]
S2 swi_service;Sophos Web Intelligence Service;c:\program files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe [2011-03-30 1541360]
S3 LgBttPort;LGE Bluetooth TransPort;c:\windows\system32\DRIVERS\lgbtport.sys [2009-09-29 12160]
S3 lgbusenum;LG Bluetooth Bus Enumerator;c:\windows\system32\DRIVERS\lgbtbus.sys [2009-09-29 10496]
S3 LGVMODEM;LGE Virtual Modem;c:\windows\system32\DRIVERS\lgvmodem.sys [2009-09-29 12928]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-07-06 22712]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-21 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-08-18 19:25]
.
2011-09-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-343818398-492894223-854245398-1003Core.job
- c:\documents and settings\username\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-18 03:07]
.
2011-09-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-343818398-492894223-854245398-1003UA.job
- c:\documents and settings\username\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-18 03:07]
.
2011-09-21 c:\windows\Tasks\WGASetup.job
- c:\windows\System32\KB905474\wgasetup.exe [2010-12-22 03:18]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254
DPF: {5F519B46-96EF-499F-BF24-C9E1548FA56B} - hxxp://ffcoservery1.webcam.__.ca/program/SonySncDf70View.cab
FF - ProfilePath - c:\documents and settings\username\Application Data\Mozilla\Firefox\Profiles\nnjvu1g8.default\
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-Xkudemilek - c:\windows\afisuzogerutew.dll
SafeBoot-Wdf01000.sys
AddRemove-Pilot Desktop - c:\program files\palm\palmuni.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-20 20:56
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Sophos Message Router]
"ImagePath"="\"c:\program files\Sophos\Remote Management System\RouterNT.exe\" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Microsoft\DirectPlay\Applications]
@DACL=(02 0000)
.
[HKEY_LOCAL_MACHINE\software\Microsoft\DirectPlay8\Applications]
@DACL=(02 0000)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1072)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(2280)
c:\windows\system32\WININET.dll
c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
c:\program files\TortoiseSVN\bin\TortoiseStub.dll
c:\program files\TortoiseSVN\bin\TortoiseSVN.dll
c:\program files\TortoiseSVN\bin\intl3_tsvn.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\WinSCP3\DragExt.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Hotspot Shield\bin\openvpnas.exe
c:\program files\Hotspot Shield\HssWPR\hsssrv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\System32\tcpsvcs.exe
c:\program files\Sophos\Remote Management System\ManagementAgentNT.exe
c:\program files\Sophos\AutoUpdate\ALsvc.exe
c:\program files\Sophos\Remote Management System\RouterNT.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\System32\wbem\unsecapp.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
c:\program files\TortoiseSVN\bin\TSVNCache.exe
c:\program files\Lexmark X1100 Series\lxbkbmon.exe
c:\windows\AGRSMMSG.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\TEMP\sophos_autoupdate1.dir\alupdate.exe
.
**************************************************************************
.
Completion time: 2011-09-20 21:13:27 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-21 01:13
.
Pre-Run: 59,497,189,376 bytes free
Post-Run: 58,066,452,480 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
.
Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 5B28F53A86FE22139A9CF3960C15A0DA

Edited by fakealertbytes, 21 September 2011 - 08:22 AM.
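The ComboFix log above shows the pattern that makes this infection "persistent": the same 208384-byte executable keeps reappearing under fresh random names (apisrvapp.exe in system32, authappobj.exe as a bare executable in the All Users Startup folder, and later debugcfgcrypt.exe under the LocalService profile). The script below is an added example, not part of the thread and not ComboFix's own code: it parses the "Files Created" rows and the startup-folder row from the log above (the sample lines are excerpted from that log, with a few benign rows kept as controls) and flags executables by two heuristics of my own choosing, an unusual drop location and an exact byte size shared with other newly created executables. STARTUP_DIR is taken from the folder header ComboFix printed above the authappobj.exe row.

```python
import re
from collections import defaultdict

# Lines excerpted from the ComboFix log above: the "Files Created" section
# plus the loose executable ComboFix listed under the All Users Startup
# folder. Three benign entries (OTL.exe, Lbd.sys, the HotSync shortcut) are
# kept as controls so the heuristics have something to leave alone.
SAMPLE_LOG = r"""
2011-09-21 14:37 . 2011-09-21 14:37 208384 ----a-w- c:\documents and settings\LocalService\Application Data\debugcfgcrypt.exe
2011-09-15 14:10 . 2011-09-15 14:10 208384 ----a-w- c:\windows\system32\apisrvapp.exe
2011-09-15 13:34 . 2011-09-15 13:34 581632 ----a-w- C:\OTL.exe
2011-09-15 12:56 . 2011-09-15 12:56 -------- d-----w- C:\gmer
2011-09-14 15:26 . 2011-08-18 19:25 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
authappobj.exe [2011-9-15 208384]
HotSync Manager.lnk - c:\program files\palm\hotsync.exe [N/A]
"""

# Folder the startup-style rows belong to (the header ComboFix printed above them).
STARTUP_DIR = r"c:\documents and settings\All Users\Start Menu\Programs\Startup"

# "Files Created" row:  <created> . <modified> <size|--------> <attrs> <path>
FILES_CREATED_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>\S+) (?P<path>.+)$"
)
# Startup-folder row:  <name> [<yyyy-m-d> <size>]   (shortcuts print "[N/A]" and are skipped)
STARTUP_RE = re.compile(r"^(?P<name>\S+) \[(?P<date>[\d-]+) (?P<size>\d+)\]$")

EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".cpl", ".ocx")


def parse_entries(log_text, startup_dir=STARTUP_DIR):
    """Return [(path, size)] for executable files; directory rows are skipped."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = FILES_CREATED_RE.match(line)
        if m:
            if m.group("size").isdigit():  # "--------" marks a directory
                entries.append((m.group("path"), int(m.group("size"))))
            continue
        m = STARTUP_RE.match(line)
        if m:
            entries.append((startup_dir + "\\" + m.group("name"), int(m.group("size"))))
    return [(p, s) for p, s in entries if p.lower().endswith(EXEC_EXT)]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def location_reasons(path):
    """Location heuristics (mine, not ComboFix's): places where a legitimately
    installed program rarely drops a bare executable."""
    p = path.lower()
    reasons = []
    if "\\localservice\\" in p or "\\networkservice\\" in p:
        reasons.append("executable under a service-account profile")
    if "\\start menu\\programs\\startup\\" in p:
        reasons.append("bare executable in a Startup folder (not a shortcut)")
    return reasons


def triage(log_text, startup_dir=STARTUP_DIR):
    """Map flagged path -> {"size": int, "reasons": [str]}.

    Besides location, executables that share an exact byte size under
    different names are flagged as one payload re-dropped under new names."""
    entries = parse_entries(log_text, startup_dir)
    names_by_size = defaultdict(set)
    for path, size in entries:
        names_by_size[size].add(basename(path))

    findings = {}
    for path, size in entries:
        reasons = location_reasons(path)
        siblings = sorted(names_by_size[size] - {basename(path)})
        if siblings:
            reasons.append("same size (%d bytes) as %s" % (size, ", ".join(siblings)))
        if reasons:
            findings[path] = {"size": size, "reasons": reasons}
    return findings


if __name__ == "__main__":
    for path, info in sorted(triage(SAMPLE_LOG).items()):
        print("%s (%d bytes)" % (path, info["size"]))
        for reason in info["reasons"]:
            print("    - " + reason)
```

Run against the excerpt it flags exactly the three 208384-byte files and leaves OTL.exe and Lbd.sys alone. The size match is deliberately treated as corroboration rather than proof: two unrelated droppers can share a size, and a legitimate installer can write several copies of one file, so it is combined with the location check and with the dates (all three rows fall inside the infection window), which is the same reasoning the helper applied when he targeted authappobj.exe in the CFScript below.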


#4 nasdaq (Malware Response Team, Montreal, QC, Canada)

Posted 21 September 2011 - 07:50 AM

I got a pop up that I will try to attach titled "Handle License Agreement" content: "SYSINTERNALS SOFTWARE LICENSE TERMS

When exactly did you get this popup?

Open notepad and copy/paste the text in the quote box below into it:

File::
c:\documents and settings\All Users\Start Menu\Programs\Startup\authappobj.exe

Driver::
DSC2PAR



Save this as CFScript on your desktop.

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.
===

Third-party programs, if not up to date, can be the cause of an infection's infiltration.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please post the logs and let me know what problem persists.

#5 fakealertbytes (Topic Starter)

Posted 21 September 2011 - 09:05 AM

The dialog is still open; it popped open on top of the ComboFix log window immediately afterward. Running the following as a regular user with the dialog still open, it got closed:

ComboFix 11-09-21.02 - username 21/09/2011 10:19:36.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.300 [GMT -4:00]
Running from: c:\documents and settings\username\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\username\Desktop\CFScript.txt
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: Sophos Anti-Virus *Disabled/Updated* {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}
.
FILE ::
"c:\documents and settings\All Users\Start Menu\Programs\Startup\authappobj.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\username\Application Data\Adobe\plugs
c:\documents and settings\username\Application Data\Adobe\shed
c:\documents and settings\username\Local Settings\Application Data\{4215CC0B-83D4-44AC-98D7-ED9AA0FC8CF1}
c:\documents and settings\username\Local Settings\Application Data\{4215CC0B-83D4-44AC-98D7-ED9AA0FC8CF1}\chrome.manifest
c:\documents and settings\username\Local Settings\Application Data\{4215CC0B-83D4-44AC-98D7-ED9AA0FC8CF1}\chrome\content\_cfg.js
c:\documents and settings\username\Local Settings\Application Data\{4215CC0B-83D4-44AC-98D7-ED9AA0FC8CF1}\chrome\content\overlay.xul
c:\documents and settings\username\Local Settings\Application Data\{4215CC0B-83D4-44AC-98D7-ED9AA0FC8CF1}\install.rdf
c:\documents and settings\username\WINDOWS
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_DSC2PAR
-------\Service_DSC2PAR
.
.
((((((((((((((((((((((((( Files Created from 2011-08-21 to 2011-09-21 )))))))))))))))))))))))))))))))
.
.
2011-09-21 14:37 . 2011-09-21 14:37 208384 ----a-w- c:\documents and settings\LocalService\Application Data\debugcfgcrypt.exe
2011-09-17 20:09 . 2011-09-17 21:38 -------- d---a-w- C:\.Trash-1001
2011-09-15 14:10 . 2011-09-15 14:10 208384 ----a-w- c:\windows\system32\apisrvapp.exe
2011-09-15 13:34 . 2011-09-15 13:34 581632 ----a-w- C:\OTL.exe
2011-09-15 12:56 . 2011-09-15 12:56 -------- d-----w- C:\gmer
2011-09-15 12:42 . 2011-09-15 12:39 607260 ----a-r- C:\dds.scr
2011-09-15 02:08 . 2011-09-15 02:08 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2011-09-14 16:43 . 2011-09-14 16:43 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-09-14 15:37 . 2011-09-14 15:37 -------- d-----w- c:\documents and settings\Administrator\Application Data\Subversion
2011-09-14 15:37 . 2011-09-14 15:37 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache
2011-09-14 15:35 . 2011-09-14 15:35 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2011-09-14 15:32 . 2011-09-21 00:03 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\TSVNCache
2011-09-14 15:26 . 2011-08-18 19:25 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-09-14 15:26 . 2011-09-14 15:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2011-09-14 15:26 . 2011-09-14 15:26 -------- d-----w- c:\program files\Lavasoft
2011-09-14 15:25 . 2011-09-14 16:50 -------- d-----w- C:\Virus removal
2011-09-14 01:18 . 2011-09-14 01:18 388096 ----a-r- c:\documents and settings\username\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-09-14 01:18 . 2011-09-14 01:18 -------- d-----w- c:\program files\Trend Micro
2011-09-12 14:10 . 2011-09-12 14:10 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-09-11 20:09 . 2011-09-12 14:09 -------- d-----w- c:\documents and settings\username\Application Data\A1E6D3A5049E9BCF7C55F07C41174E6B
2011-09-05 21:24 . 2011-09-05 21:25 -------- d-----w- c:\program files\iTunes
2011-09-05 21:24 . 2011-09-05 21:25 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2011-09-05 21:20 . 2011-09-05 21:20 -------- d-----w- c:\program files\Apple Software Update
2011-09-05 21:16 . 2011-09-05 21:16 -------- d-----w- c:\program files\Bonjour
2011-09-03 10:17 . 2011-09-09 09:12 599040 -c----w- c:\windows\system32\dllcache\crypt32.dll
2011-08-28 09:59 . 2009-04-16 18:08 312832 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpfpp70v.dll
2011-08-28 09:59 . 2009-04-16 18:08 126976 ----a-w- c:\windows\system32\hpfll70v.dll
2011-08-28 09:56 . 2011-08-28 09:56 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2011-08-28 09:54 . 2008-10-29 00:27 372736 ----a-w- c:\windows\system32\hppldcoi.dll
2011-08-28 09:54 . 2008-10-29 00:27 309760 ----a-w- c:\windows\system32\difxapi.dll
2011-08-28 09:54 . 2008-10-29 00:27 21568 ----a-w- c:\windows\system32\drivers\HPZius12.sys
2011-08-28 09:54 . 2008-10-29 00:27 16496 ----a-w- c:\windows\system32\drivers\HPZipr12.sys
2011-08-28 09:54 . 2008-10-29 00:27 49920 ----a-w- c:\windows\system32\drivers\HPZid412.sys
2011-08-28 09:53 . 2009-04-16 11:53 452408 ----a-w- c:\windows\system32\hpzids01.dll
2011-08-28 09:52 . 2011-08-28 09:54 -------- d-----w- c:\program files\HP
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-21 00:01 . 2003-03-31 12:00 26112 ----a-w- c:\windows\system32\userinit.exe
2011-09-09 09:12 . 2003-03-31 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-08-28 01:29 . 2011-05-31 02:14 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-06 01:05 . 2009-06-04 00:08 134944 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VBExpress\9.0\1033\ResourceCache.dll
2011-08-06 01:04 . 2009-06-04 00:07 416 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\MSDN\9.0\1033\ResourceCache.dll
2011-07-15 13:29 . 2003-03-31 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-12 15:20 . 2011-07-12 15:20 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-07-12 15:20 . 2011-07-12 15:20 73064 ----a-w- c:\windows\system32\dnssd.dll
2011-07-12 15:20 . 2011-07-12 15:20 178536 ----a-w- c:\windows\system32\dnssdX.dll
2011-07-08 14:02 . 2003-03-31 12:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-07-06 23:52 . 2010-12-25 18:43 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-06 23:52 . 2010-12-25 18:43 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-05 22:37 . 2011-07-05 22:37 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-07-05 22:37 . 2011-07-05 22:37 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-06-24 14:10 . 2010-12-21 16:40 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36 . 2006-06-23 16:33 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36 . 2003-03-31 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36 . 2003-03-31 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2009-08-28 21:42 . 2009-08-28 21:42 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-08-28 21:42 . 2009-08-28 21:42 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2011-09-09 00:09 . 2011-05-06 04:58 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2006-10-19 01:47 . C51B4A5C05A5475708E3C81C7765B71D . 27136 . . [11.0.5721.5145] . . c:\windows\system32\mspmsnsv.dll
[-] 2004-08-04 07:56 . C086483E3DBA8C1C0A687EC8D5B3D4C1 . 52224 . . [9.0.1.56] . . c:\windows\$NtUninstallWMFDist11$\mspmsnsv.dll
[-] 2004-08-04 07:56 . C086483E3DBA8C1C0A687EC8D5B3D4C1 . 52224 . . [9.0.1.56] . . c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\mspmsnsv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2010-04-23 128296]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-04-23 1725736]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"StorageGuard"="c:\program files\VERITAS Software\Update Manager\sgtray.exe" [2002-06-18 155648]
"Sophos AutoUpdate Monitor"="c:\program files\Sophos\AutoUpdate\almon.exe" [2010-09-30 439536]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-07-05 421888]
"Lexmark X1100 Series"="c:\program files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 57344]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-08-19 421736]
"B2C_AGENT"="c:\documents and settings\All Users\Application Data\LGMOBILEAX\B2C_Client\B2CNotiAgent.exe" [2011-09-20 404568]
"AGRSMMSG"="AGRSMMSG.exe" [2003-06-27 88363]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-05-27 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"*debugcfgcrypt.exe"="c:\documents and settings\LocalService\Application Data\debugcfgcrypt.exe" [2011-09-21 208384]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HotSync Manager.lnk - c:\program files\palm\hotsync.exe [N/A]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Sophos\\Sophos Anti-Virus\\SavMain.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Documents and Settings\\username\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Xming\\Xming.exe"=
"c:\\Documents and Settings\\username\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [14/09/2011 11:26 AM 64512]
R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [26/02/2009 4:18 PM 153344]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [26/02/2009 4:19 PM 24064]
R2 HssWd;Hotspot Shield Monitoring Service;c:\program files\Hotspot Shield\bin\hsswd.exe [08/01/2010 7:42 PM 285744]
R2 Iprip;RIP Listener;c:\windows\System32\svchost.exe -k netsvcs [31/03/2003 8:00 AM 14336]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [18/08/2011 3:25 PM 2151640]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [25/12/2010 2:43 PM 366640]
R2 nvda;nonVisual Desktop Access;c:\program files\NVDA\nvda_service.exe [06/03/2011 10:18 PM 35856]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\Sophos\Sophos Anti-Virus\SAVAdminService.exe [30/03/2011 7:16 PM 163056]
R2 SAVService;Sophos Anti-Virus;c:\program files\Sophos\Sophos Anti-Virus\SavService.exe [30/03/2011 7:16 PM 97520]
R2 swi_service;Sophos Web Intelligence Service;c:\program files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe [30/03/2011 7:16 PM 1541360]
R3 LgBttPort;LGE Bluetooth TransPort;c:\windows\system32\drivers\lgbtport.sys [29/09/2009 8:11 AM 12160]
R3 lgbusenum;LG Bluetooth Bus Enumerator;c:\windows\system32\drivers\lgbtbus.sys [29/09/2009 8:11 AM 10496]
R3 LGVMODEM;LGE Virtual Modem;c:\windows\system32\drivers\lgvmodem.sys [29/09/2009 8:11 AM 12928]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [25/12/2010 2:43 PM 22712]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [11/12/2009 7:45 PM 717296]
S3 Andbus;LGE Android Platform Composite USB Device;c:\windows\system32\drivers\lgandbus.sys [07/12/2010 2:12 PM 14336]
S3 AndDiag;LGE Android Platform USB Serial Port;c:\windows\system32\drivers\lganddiag.sys [07/12/2010 2:12 PM 20736]
S3 AndGps;LGE Android Platform USB GPS NMEA Port;c:\windows\system32\drivers\lgandgps.sys [07/12/2010 2:12 PM 20096]
S3 ANDModem;LGE Android Platform USB Modem;c:\windows\system32\drivers\lgandmodem.sys [07/12/2010 2:12 PM 25088]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [18/08/2011 3:25 PM 15232]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [25/12/2010 2:43 PM 41272]
S3 sdcfilter;sdcfilter;c:\windows\system32\drivers\sdcfilter.sys [30/03/2011 7:16 PM 23928]
S3 USA19;USA19;c:\windows\system32\drivers\usa192k.sys [31/12/2007 6:34 PM 308460]
S3 USA192KP;Keyspan USB PDA Adapter Port Driver;c:\windows\system32\drivers\usa192kp.sys [31/12/2007 6:34 PM 40868]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [10/07/2008 8:28 PM 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [10/07/2008 2:49 AM 242712]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [26/02/2009 4:19 PM 14976]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [10/07/2008 8:28 PM 369688]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-21 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-08-18 19:25]
.
2011-09-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-343818398-492894223-854245398-1003Core.job
- c:\documents and settings\username\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-18 03:07]
.
2011-09-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-343818398-492894223-854245398-1003UA.job
- c:\documents and settings\username\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-18 03:07]
.
2011-09-21 c:\windows\Tasks\WGASetup.job
- c:\windows\System32\KB905474\wgasetup.exe [2010-12-22 03:18]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254
DPF: {5F519B46-96EF-499F-BF24-C9E1548FA56B} - hxxp://ffcoservery1.webcam.___.ca/program/SonySncDf70View.cab
FF - ProfilePath - c:\documents and settings\username\Application Data\Mozilla\Firefox\Profiles\nnjvu1g8.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-21 10:37
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Sophos Message Router]
"ImagePath"="\"c:\program files\Sophos\Remote Management System\RouterNT.exe\" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Microsoft\DirectPlay\Applications]
@DACL=(02 0000)
.
[HKEY_LOCAL_MACHINE\software\Microsoft\DirectPlay8\Applications]
@DACL=(02 0000)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1060)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(4908)
c:\windows\system32\WININET.dll
c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
c:\program files\TortoiseSVN\bin\TortoiseStub.dll
c:\program files\TortoiseSVN\bin\TortoiseSVN.dll
c:\program files\TortoiseSVN\bin\intl3_tsvn.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\WinSCP3\DragExt.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Hotspot Shield\bin\openvpnas.exe
c:\program files\Hotspot Shield\HssWPR\hsssrv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\System32\tcpsvcs.exe
c:\program files\Sophos\Remote Management System\ManagementAgentNT.exe
c:\program files\Sophos\AutoUpdate\ALsvc.exe
c:\program files\Sophos\Remote Management System\RouterNT.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\System32\wbem\unsecapp.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\TortoiseSVN\bin\TSVNCache.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
c:\windows\AGRSMMSG.exe
c:\program files\Lexmark X1100 Series\lxbkbmon.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-09-21 10:42:50 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-21 14:42
ComboFix2.txt 2011-09-21 01:13
.
Pre-Run: 58,163,089,408 bytes free
Post-Run: 58,158,489,600 bytes free
.
Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 2FE0F37241EE9D28DCDBDE6915711147

Downloaded:
http://screen317.spywareinfoforum.org/SecurityCheck.exe
and the problem was that cmd did not stay open long enough to read the instructions, but I did catch that it said hit space to continue... I did not have a chance to press the spacebar...

yeah - that is a good test it seems for the current situation - try to run... cmd and see if it stays open - it does not

Edited by fakealertbytes, 21 September 2011 - 10:04 AM.
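The ComboFix log above prints the "Files Created" list and the "Reg Loading Points" a few screens apart, and the two have to be read together: the RunOnce entry points at an executable that also appears in the newly created list, in a service profile's Application Data folder, and two of the new executables have exactly the same byte size under different names. As an added example (not part of this thread, and not ComboFix's own code), here is a small Python triage script that parses lines in that log format and flags those three patterns. The sample lines are constructed from the format of the log posted above; the directory markers, extension list and the minimum cluster size are my own assumptions, and every hit is a lead for the analyst to verify, not a verdict.

```python
"""Triage a ComboFix-style log: newly created files vs. registry loading points.
Added example for this thread; not part of ComboFix or of any post above."""
import re
from collections import defaultdict

# Constructed sample in the format of the ComboFix log posted above (a few lines only).
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2011-08-21 to 2011-09-21 )))))))))))))))))))))))))))))))
.
2011-09-21 14:37 . 2011-09-21 14:37 208384 ----a-w- c:\documents and settings\LocalService\Application Data\debugcfgcrypt.exe
2011-09-15 14:10 . 2011-09-15 14:10 208384 ----a-w- c:\windows\system32\apisrvapp.exe
2011-09-15 13:34 . 2011-09-15 13:34 581632 ----a-w- C:\OTL.exe
2011-09-15 12:56 . 2011-09-15 12:56 -------- d-----w- C:\gmer
2011-09-14 15:26 . 2011-08-18 19:25 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2010-04-23 128296]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"*debugcfgcrypt.exe"="c:\documents and settings\LocalService\Application Data\debugcfgcrypt.exe" [2011-09-21 208384]
"""

# "created . modified size attrs path"; directories show dashes instead of a size.
FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>\S+) (?P<path>.+)$"
)
KEY_LINE = re.compile(r"^\[(?P<key>HK[A-Z_]+\\.+)\]$")
AUTOSTART_LINE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)" \[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\]$'
)

EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com")           # assumption
DATA_DIR_MARKERS = ("\\application data\\", "\\local settings\\",  # assumption
                    "\\temp\\", "\\startup\\")


def parse_log(text):
    """Return (files, autostarts) from the 'Files Created' and 'Reg Loading Points' lines."""
    files, autostarts, current_key = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = FILE_LINE.match(line)
        if m:
            size = None if m["size"].startswith("-") else int(m["size"])
            files.append({"created": m["created"], "size": size,
                          "attrs": m["attrs"], "path": m["path"]})
            continue
        m = KEY_LINE.match(line)
        if m:
            current_key = m["key"]          # value lines below belong to this key
            continue
        m = AUTOSTART_LINE.match(line)
        if m and current_key:
            autostarts.append({"key": current_key, "name": m["name"],
                               "path": m["path"], "size": int(m["size"])})
    return files, autostarts


def is_executable(path):
    return path.lower().endswith(EXEC_EXT)


def in_data_dir(path):
    p = path.lower()
    return any(marker in p for marker in DATA_DIR_MARKERS)


def same_size_clusters(files, min_paths=2):
    """Executables sharing an exact byte size under different names or directories."""
    by_size = defaultdict(set)
    for f in files:
        if f["size"] and is_executable(f["path"]):
            by_size[f["size"]].add(f["path"].lower())
    return {size: sorted(paths) for size, paths in by_size.items() if len(paths) >= min_paths}


def data_dir_autostarts(autostarts):
    """Run/RunOnce entries whose target lives in a profile data directory."""
    return [a for a in autostarts if in_data_dir(a["path"])]


def newly_created_autostarts(files, autostarts):
    """Autostart targets that also appear in the 'Files Created' list."""
    created = {f["path"].lower() for f in files}
    return [a for a in autostarts if a["path"].lower() in created]


def triage(text):
    files, autostarts = parse_log(text)
    return {
        "same_size": same_size_clusters(files),
        "data_dir_autostarts": data_dir_autostarts(autostarts),
        "new_autostarts": newly_created_autostarts(files, autostarts),
    }


if __name__ == "__main__":
    for section, hits in triage(SAMPLE_LOG).items():
        print(section, hits)
```

Run on the sample, the script reports one size cluster (the two 208384-byte executables), one autostart in a data directory and one autostart whose target was created in the scan window; all three point at the same RunOnce entry, which is exactly the File:: and Registry:: pair the next CFScript in this thread removes.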


#6 nasdaq (Malware Response Team)

Posted 21 September 2011 - 05:07 PM

Open notepad and copy/paste the text in the quote box below into it:

File::
c:\documents and settings\LocalService\Application Data\debugcfgcrypt.exe

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"*debugcfgcrypt.exe"=-



Save this as CFScript on your desktop.

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

Post the log.
===

Try to run the Security Check by right clicking the .exe file and select Run As An Administrator.

Post the log if you can.
==

Please let me know what problem persists.

#7 fakealertbytes (Topic Starter)

Posted 21 September 2011 - 06:45 PM

The taskbar popups are back with a vengeance. ComboFix stated it had an update, which I said yes to, but it did not run as per usual, counting to 50 with a reboot; I tried again but no difference, no log.
Attached file: isthistrue.jpg (9.8 KB)

Run as... for SecurityCheck does not change anything.

#8 nasdaq (Malware Response Team)

Posted 22 September 2011 - 06:46 AM

Delete your version of ComboFix.exe and download a fresh copy.
Post No. 2.

Can you run it now?

#9 fakealertbytes (Topic Starter)

Posted 22 September 2011 - 07:21 AM

It does not seem to make a big difference which version of ComboFix.exe is used. 3 slightly different problems:
1. Pop up that says I do not have corresponding permissions to run.
try again:
2. Just gets minimized to a non-existent item on the taskbar.
try again:
3. Runs the initial green text on black background and then a pop up which gets minimized to a non-existent item on the taskbar before a chance to respond.
try again:
one of the three

#10 nasdaq (Malware Response Team)

Posted 22 September 2011 - 07:31 AM

Run this tool and when completed DO NOT restart the computer. Try to run ComboFix.

Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)
There are 3 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click and choose Run as Admin
You only need to get one of them to run, not all of them.

rkill.exe
rkill.com
rkill.scr

It is possible that the infection you are trying to remove will not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested on another computer and then transfer them to the desktop of the infected computer. You can transfer the files via a CD/DVD, external drive, or USB flash drive.

#11 fakealertbytes (Topic Starter)

Posted 22 September 2011 - 09:22 PM

hmm... I replied this morning but it is not here. ComboFix has been stalled at "Completed Stage_50" for 12 hours.

#12 nasdaq (Malware Response Team)

Posted 23 September 2011 - 07:58 AM

Stop it.

Run this tool instead.

  • Download OTL to your Desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
  • Under the Custom Scan box paste this in

    %SYSTEMDRIVE%\*.exe
    %systemroot%\system32\drivers\*.sys /90
    %systemroot%\*. /mp /s
    c:\$recycle.bin\*.* /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    explorer.exe
    svchost.exe
    userinit.exe
    qmgr.dll
    proquota.exe
    kernel32.dll
    ndis.sys
    autochk.exe
    spoolsv.exe
    xmlprov.dll
    ntmssvc.dll
    mswsock.dll
    Beep.SYS
    ntfs.sys
    termsrv.dll
    sfcfiles.dll
    st3shark.sys
    ahcix86.sys
    srsvc.dll
    /md5stop
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.
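The /md5start ... /md5stop block in the custom scan above asks OTL to report hashes of core system binaries (userinit.exe, explorer.exe, kernel32.dll and so on) so they can be compared with known-good values; a patched or replaced system file shows up as a hash that does not match the vendor's. As an added example, not OTL's own code, here is that check in Python: a streaming digest over each file and a comparison against a baseline mapping of file name to expected digest, reporting files that match, files that differ and files the baseline lists but the disk lacks. The demo uses a temporary directory with constructed files as a stand-in for system32 and builds its own baseline before tampering with one file; a real baseline has to come from the vendor files for the exact Windows build and patch level, which is an assumption this example does not supply.

```python
"""Known-good hash check for a list of system binaries, the idea behind OTL's
/md5start ... /md5stop block. Added example; not OTL's own code."""
import hashlib
import os
import tempfile


def file_digest(path, algo="md5"):
    """Stream the file through the chosen hash so large binaries are not read into memory.
    OTL reports MD5; pass algo="sha256" where a collision-resistant digest is wanted."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_baseline(root, baseline, algo="md5"):
    """Compare the files under root with baseline {name: hexdigest}.
    Returns {"ok": [...], "modified": [...], "missing": [...]}."""
    report = {"ok": [], "modified": [], "missing": []}
    for name, expected in baseline.items():
        path = os.path.join(root, name)
        if not os.path.isfile(path):
            report["missing"].append(name)      # listed in the baseline, absent on disk
            continue
        bucket = "ok" if file_digest(path, algo).lower() == expected.lower() else "modified"
        report[bucket].append(name)
    return report


def demo():
    """Constructed stand-in for system32: baseline three files, then tamper with one."""
    with tempfile.TemporaryDirectory() as root:
        contents = {                                   # constructed file contents
            "userinit.exe": b"MZ constructed userinit",
            "explorer.exe": b"MZ constructed explorer",
            "kernel32.dll": b"MZ constructed kernel32",
        }
        for name, data in contents.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        # Baseline taken while the files are pristine; ndis.sys is in the list but never written.
        baseline = {name: file_digest(os.path.join(root, name)) for name in contents}
        baseline["ndis.sys"] = "0" * 32
        with open(os.path.join(root, "userinit.exe"), "ab") as fh:
            fh.write(b" patched")                      # simulate a modified system binary
        return check_baseline(root, baseline)


if __name__ == "__main__":
    print(demo())
```

The report separates "modified" from "missing" on purpose: a binary whose hash differs from the baseline and a binary the baseline expects but cannot find are different findings, and on a real system the second also happens for files that the installed Windows edition simply does not ship, so the file list must be trimmed to the build being checked.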


#13 fakealertbytes (Topic Starter)

Posted 23 September 2011 - 09:49 AM

Prior to noticing the new OTL suggestions I disconnected the ethernet cable and went back to ComboFix without the script. It was sitting at 18 this time for a while, and when I tried to end the process I caught something about terminate batch job and will keep an eye out for it next time. Tried the versions of rkill and each provided a dialog something to the tune of:
windows cannot find c:\WINDOWS\apidnsedit.exe
windows cannot find C:\Documents and Settings\All Users\Application Data\scanbasequeue.exe
etc. cmd still doesn't stay open, taskbar popups are still a problem.
Tried ComboFix again and actually got the log, so connected ethernet to make this post. Unless told that I still need to do them I will not do the OTL steps.

ComboFix 11-09-21.04 - username 23/09/2011 9:53.5.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.340 [GMT -4:00]
Running from: c:\documents and settings\username\Desktop\ComboFix.exe
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: Sophos Anti-Virus *Disabled/Updated* {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\fileprovstream.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-08-23 to 2011-09-23 )))))))))))))))))))))))))))))))
.
.
2011-09-23 14:13 . 2011-09-23 14:13 208384 ----a-w- c:\documents and settings\LocalService\authcatparse.exe
2011-09-21 23:35 . 2011-09-21 14:09 879225 ----a-w- C:\SecurityCheck.exe
2011-09-17 20:09 . 2011-09-17 21:38 -------- d---a-w- C:\.Trash-1001
2011-09-15 14:10 . 2011-09-15 14:10 208384 ----a-w- c:\windows\system32\apisrvapp.exe
2011-09-15 13:34 . 2011-09-15 13:34 581632 ----a-w- C:\OTL.exe
2011-09-15 12:56 . 2011-09-15 12:56 -------- d-----w- C:\gmer
2011-09-15 12:42 . 2011-09-15 12:39 607260 ----a-r- C:\dds.scr
2011-09-15 02:08 . 2011-09-15 02:08 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2011-09-14 16:43 . 2011-09-14 16:43 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-09-14 15:37 . 2011-09-14 15:37 -------- d-----w- c:\documents and settings\Administrator\Application Data\Subversion
2011-09-14 15:37 . 2011-09-14 15:37 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache
2011-09-14 15:35 . 2011-09-14 15:35 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2011-09-14 15:32 . 2011-09-21 00:03 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\TSVNCache
2011-09-14 15:26 . 2011-08-18 19:25 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-09-14 15:26 . 2011-09-14 15:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2011-09-14 15:26 . 2011-09-14 15:26 -------- d-----w- c:\program files\Lavasoft
2011-09-14 15:25 . 2011-09-14 16:50 -------- d-----w- C:\Virus removal
2011-09-14 01:18 . 2011-09-14 01:18 388096 ----a-r- c:\documents and settings\username\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-09-14 01:18 . 2011-09-14 01:18 -------- d-----w- c:\program files\Trend Micro
2011-09-12 14:10 . 2011-09-12 14:10 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-09-11 20:09 . 2011-09-12 14:09 -------- d-----w- c:\documents and settings\username\Application Data\A1E6D3A5049E9BCF7C55F07C41174E6B
2011-09-05 21:24 . 2011-09-05 21:25 -------- d-----w- c:\program files\iTunes
2011-09-05 21:24 . 2011-09-05 21:25 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2011-09-05 21:20 . 2011-09-05 21:20 -------- d-----w- c:\program files\Apple Software Update
2011-09-05 21:16 . 2011-09-05 21:16 -------- d-----w- c:\program files\Bonjour
2011-09-03 10:17 . 2011-09-09 09:12 599040 -c----w- c:\windows\system32\dllcache\crypt32.dll
2011-08-28 09:59 . 2009-04-16 18:08 312832 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpfpp70v.dll
2011-08-28 09:59 . 2009-04-16 18:08 126976 ----a-w- c:\windows\system32\hpfll70v.dll
2011-08-28 09:56 . 2011-08-28 09:56 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2011-08-28 09:54 . 2008-10-29 00:27 372736 ----a-w- c:\windows\system32\hppldcoi.dll
2011-08-28 09:54 . 2008-10-29 00:27 309760 ----a-w- c:\windows\system32\difxapi.dll
2011-08-28 09:54 . 2008-10-29 00:27 21568 ----a-w- c:\windows\system32\drivers\HPZius12.sys
2011-08-28 09:54 . 2008-10-29 00:27 16496 ----a-w- c:\windows\system32\drivers\HPZipr12.sys
2011-08-28 09:54 . 2008-10-29 00:27 49920 ----a-w- c:\windows\system32\drivers\HPZid412.sys
2011-08-28 09:53 . 2009-04-16 11:53 452408 ----a-w- c:\windows\system32\hpzids01.dll
2011-08-28 09:52 . 2011-08-28 09:54 -------- d-----w- c:\program files\HP
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-21 00:01 . 2003-03-31 12:00 26112 ----a-w- c:\windows\system32\userinit.exe
2011-09-09 09:12 . 2003-03-31 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-08-28 01:29 . 2011-05-31 02:14 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-06 01:05 . 2009-06-04 00:08 134944 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VBExpress\9.0\1033\ResourceCache.dll
2011-08-06 01:04 . 2009-06-04 00:07 416 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\MSDN\9.0\1033\ResourceCache.dll
2011-07-15 13:29 . 2003-03-31 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-12 15:20 . 2011-07-12 15:20 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-07-12 15:20 . 2011-07-12 15:20 73064 ----a-w- c:\windows\system32\dnssd.dll
2011-07-12 15:20 . 2011-07-12 15:20 178536 ----a-w- c:\windows\system32\dnssdX.dll
2011-07-08 14:02 . 2003-03-31 12:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-07-06 23:52 . 2010-12-25 18:43 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-06 23:52 . 2010-12-25 18:43 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-05 22:37 . 2011-07-05 22:37 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-07-05 22:37 . 2011-07-05 22:37 69632 ----a-w- c:\windows\system32\QuickTime.qts
2009-08-28 21:42 . 2009-08-28 21:42 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-08-28 21:42 . 2009-08-28 21:42 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2011-09-09 00:09 . 2011-05-06 04:58 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2006-10-19 01:47 . C51B4A5C05A5475708E3C81C7765B71D . 27136 . . [11.0.5721.5145] . . c:\windows\system32\mspmsnsv.dll
[-] 2004-08-04 07:56 . C086483E3DBA8C1C0A687EC8D5B3D4C1 . 52224 . . [9.0.1.56] . . c:\windows\$NtUninstallWMFDist11$\mspmsnsv.dll
[-] 2004-08-04 07:56 . C086483E3DBA8C1C0A687EC8D5B3D4C1 . 52224 . . [9.0.1.56] . . c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\mspmsnsv.dll
.
((((((((((((((((((((((((((((( SnapShot@2011-09-21_14.37.02 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-09-22 12:28 . 2011-09-22 12:28 16384 c:\windows\temp\Perflib_Perfdata_630.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2010-04-23 128296]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-04-23 1725736]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"StorageGuard"="c:\program files\VERITAS Software\Update Manager\sgtray.exe" [2002-06-18 155648]
"Sophos AutoUpdate Monitor"="c:\program files\Sophos\AutoUpdate\almon.exe" [2010-09-30 439536]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-07-05 421888]
"Lexmark X1100 Series"="c:\program files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 57344]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-08-19 421736]
"B2C_AGENT"="c:\documents and settings\All Users\Application Data\LGMOBILEAX\B2C_Client\B2CNotiAgent.exe" [2011-09-20 404568]
"AGRSMMSG"="AGRSMMSG.exe" [2003-06-27 88363]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-05-27 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"*authcatparse.exe"="c:\documents and settings\LocalService\authcatparse.exe" [2011-09-23 208384]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Sophos\\Sophos Anti-Virus\\SavMain.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Documents and Settings\\username\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Xming\\Xming.exe"=
"c:\\Documents and Settings\\username\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [14/09/2011 11:26 AM 64512]
R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [26/02/2009 4:18 PM 153344]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [26/02/2009 4:19 PM 24064]
R2 Iprip;RIP Listener;c:\windows\System32\svchost.exe -k netsvcs [31/03/2003 8:00 AM 14336]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [18/08/2011 3:25 PM 2151640]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [25/12/2010 2:43 PM 366640]
R2 nvda;nonVisual Desktop Access;c:\program files\NVDA\nvda_service.exe [06/03/2011 10:18 PM 35856]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\Sophos\Sophos Anti-Virus\SAVAdminService.exe [30/03/2011 7:16 PM 163056]
R2 SAVService;Sophos Anti-Virus;c:\program files\Sophos\Sophos Anti-Virus\SavService.exe [30/03/2011 7:16 PM 97520]
R2 swi_service;Sophos Web Intelligence Service;c:\program files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe [30/03/2011 7:16 PM 1541360]
R3 LgBttPort;LGE Bluetooth TransPort;c:\windows\system32\drivers\lgbtport.sys [29/09/2009 8:11 AM 12160]
R3 lgbusenum;LG Bluetooth Bus Enumerator;c:\windows\system32\drivers\lgbtbus.sys [29/09/2009 8:11 AM 10496]
R3 LGVMODEM;LGE Virtual Modem;c:\windows\system32\drivers\lgvmodem.sys [29/09/2009 8:11 AM 12928]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [25/12/2010 2:43 PM 22712]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [11/12/2009 7:45 PM 717296]
S2 HssWd;Hotspot Shield Monitoring Service;c:\program files\Hotspot Shield\bin\hsswd.exe [08/01/2010 7:42 PM 285744]
S3 Andbus;LGE Android Platform Composite USB Device;c:\windows\system32\drivers\lgandbus.sys [07/12/2010 2:12 PM 14336]
S3 AndDiag;LGE Android Platform USB Serial Port;c:\windows\system32\drivers\lganddiag.sys [07/12/2010 2:12 PM 20736]
S3 AndGps;LGE Android Platform USB GPS NMEA Port;c:\windows\system32\drivers\lgandgps.sys [07/12/2010 2:12 PM 20096]
S3 ANDModem;LGE Android Platform USB Modem;c:\windows\system32\drivers\lgandmodem.sys [07/12/2010 2:12 PM 25088]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [18/08/2011 3:25 PM 15232]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [25/12/2010 2:43 PM 41272]
S3 sdcfilter;sdcfilter;c:\windows\system32\drivers\sdcfilter.sys [30/03/2011 7:16 PM 23928]
S3 USA19;USA19;c:\windows\system32\drivers\usa192k.sys [31/12/2007 6:34 PM 308460]
S3 USA192KP;Keyspan USB PDA Adapter Port Driver;c:\windows\system32\drivers\usa192kp.sys [31/12/2007 6:34 PM 40868]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [10/07/2008 8:28 PM 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [10/07/2008 2:49 AM 242712]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [26/02/2009 4:19 PM 14976]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [10/07/2008 8:28 PM 369688]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-21 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-08-18 19:25]
.
2011-09-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-343818398-492894223-854245398-1003Core.job
- c:\documents and settings\username\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-18 03:07]
.
2011-09-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-343818398-492894223-854245398-1003UA.job
- c:\documents and settings\username\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-18 03:07]
.
2011-09-22 c:\windows\Tasks\WGASetup.job
- c:\windows\System32\KB905474\wgasetup.exe [2010-12-22 03:18]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {5F519B46-96EF-499F-BF24-C9E1548FA56B} - hxxp://ffcoservery1.webcam.___.ca/program/SonySncDf70View.cab
FF - ProfilePath - c:\documents and settings\username\Application Data\Mozilla\Firefox\Profiles\nnjvu1g8.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-RunOnce-*scanbasequeue.exe - c:\documents and settings\All Users\Application Data\scanbasequeue.exe
HKLM-RunOnce-*fileprovstream.exe - c:\documents and settings\All Users\Application Data\fileprovstream.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-23 10:14
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Sophos Message Router]
"ImagePath"="\"c:\program files\Sophos\Remote Management System\RouterNT.exe\" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Microsoft\DirectPlay\Applications]
@DACL=(02 0000)
.
[HKEY_LOCAL_MACHINE\software\Microsoft\DirectPlay8\Applications]
@DACL=(02 0000)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1060)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2011-09-23 10:21:38
ComboFix-quarantined-files.txt 2011-09-23 14:21
ComboFix2.txt 2011-09-21 14:42
ComboFix3.txt 2011-09-21 01:13
.
Pre-Run: 58,015,588,352 bytes free
Post-Run: 58,005,061,632 bytes free
.
Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 25B96F0BB277CA00EC40DD448883C18A

#14 nasdaq

nasdaq

  • Malware Response Team
  • 39,936 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 24 September 2011 - 08:16 AM

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===


Can you elaborate on this statement?
cmd still doesn't stay open, taskbar popups are still a problem.

#15 fakealertbytes

fakealertbytes
  • Topic Starter

  • Members
  • 13 posts

Posted 24 September 2011 - 02:35 PM

cmd - If I go to Run... and try cmd, half the time it closes before I can type anything, and the other half it closes within 20 seconds. Same with anything that uses cmd. So I have tried SecurityCheck several times, but I only make it so far before it quits. I respond right away to as many prompts as I can, and sometimes I make it reasonably far, but not far enough for a log to pop up.

Taskbar pop-ups with sound - every 20 or so seconds:

System Warning
Spyware protection is disabled. Your personal data is at high risk of being stolen and misused.

System Warning
Keep your computer safe from viruses and malicious programs that can slow down or break your system.

etc.
