Ads running in background, IE8 redirects


  • This topic is locked
31 replies to this topic

#1 Forkfisherman

Forkfisherman

  • Members
  • 17 posts

Posted 10 October 2011 - 11:12 PM

Hi Folks,

First I just want to say thanks to the entire staff, you guys are really great and have helped me with various things even if just allowing me to read through previous posts that were able to resolve my issues. Thumbs up to all of you.

Now......

As of last night, all of a sudden I am getting background ads of various kinds and the Google redirect issue.
I have researched this but found most directions to be for the person being worked with, so I do not want to follow the same instructions for my system until told to do so.
I have also noticed that in Task Manager I might have 15 - 20 IExplore.exe's running at one time: 2 or 3 in my user name, which is normal, and the rest under username (system), which I know is not normal. I try to end process on the .exe's under system but they just come back.
I have updated and run M-Bam and have found nothing using quick scan and full scan both.

I am running Win Xp 32 Media Edition Sp3


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Chris at 19:56:39 on 2011-10-10
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1044 [GMT -5:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\LVComS.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\Video\LowLight.exe
svchost.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Norton PC Checkup\Engine\2.0.12.27\SymcPCCULaunchSvc.exe
C:\Program Files\Norton PC Checkup\Engine\2.0.12.27\ccSvcHst.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Norton PC Checkup\Engine\2.0.12.27\ccSvcHst.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = localhost
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [LDM] c:\program files\logitech\desktop messenger\8876480\program\BackWeb-8876480.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [LogitechVideoRepair] c:\program files\logitech\video\ISStart.exe
mRun: [LogitechVideoTray] c:\program files\logitech\video\LogiTray.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [amd_dc_opt] c:\program files\amd\dual-core optimizer\amd_dc_opt.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
StartupFolder: c:\docume~1\chris\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\chris\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LDMConf.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{FC4B5935-7523-4719-9D64-B3CA95E540F1} : DhcpNameServer = 192.168.1.1
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-4-26 366152]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 Norton PC Checkup Application Launcher;Norton PC Checkup Application Launcher;c:\program files\norton pc checkup\engine\2.0.12.27\SymcPCCULaunchSvc.exe [2011-8-28 123320]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\nvidia corporation\nvidia updatus\daemonu.exe [2011-8-30 2218600]
R2 PCCUJobMgr;Common Client Job Manager Service;c:\program files\norton pc checkup\engine\2.0.12.27\ccSvcHst.exe [2011-8-28 126392]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-7-3 22216]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-9-3 136176]
S2 srvEEC;srvEEC;c:\windows\system32\svchost.exe -k netsvcs [2004-8-10 37376]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-9-3 136176]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys --> c:\windows\system32\drivers\nvhda32.sys [?]
.
=============== Created Last 30 ================
.
2011-10-11 00:50:44 872 ----a-w- c:\documents and settings\all users\application data\ehwoaaa.tmp
2011-10-10 23:25:14 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-10 15:55:01 862 ----a-w- c:\documents and settings\all users\application data\wtuoaaa.tmp
2011-10-10 14:51:30 814 ----a-w- c:\documents and settings\all users\application data\ttuoaaa.tmp
2011-10-10 14:01:07 834 ----a-w- c:\documents and settings\all users\application data\vtuoaaa.tmp
2011-10-10 07:08:25 866 ----a-w- c:\documents and settings\all users\application data\stuoaaa.tmp
2011-10-09 17:01:09 841 ----a-w- c:\documents and settings\all users\application data\quxoaaa.tmp
2011-10-09 17:00:15 818 ----a-w- c:\documents and settings\all users\application data\puxoaaa.tmp
2011-10-09 16:48:05 866 ----a-w- c:\documents and settings\all users\application data\nuxoaaa.tmp
.
==================== Find3M ====================
.
2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-08 23:53:22 139136 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2011-09-08 23:52:58 233920 ----a-w- c:\windows\system32\PnkBstrB.xtr
2011-09-08 23:52:58 233920 ----a-w- c:\windows\system32\PnkBstrB.exe
2011-08-31 22:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-30 22:27:37 259604 ----a-w- c:\windows\system32\nvdrsdb1.bin
2011-08-30 22:27:37 1 ----a-w- c:\windows\system32\nvdrssel.bin
2011-08-30 22:27:37 0 ----a-w- c:\windows\system32\nvdrsdb0.bin
2011-08-09 22:33:58 3840 ----a-w- c:\windows\system32\drivers\BANTExt.sys
2011-08-08 01:59:26 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
.
============= FINISH: 19:58:09.67 ============


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 15 October 2011 - 02:58 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having, as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool until instructed to do so!


Click on the Watch Topic button, select Immediate Notification and click on Proceed; this will help you get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only); if this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this, you can find out here or here.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 Forkfisherman

Forkfisherman
  • Topic Starter

  • Members
  • 17 posts

Posted 16 October 2011 - 05:27 PM

Google is still redirecting in IE; it sounds like the ads in the background may be gone, and I only see 1 instance of IE in Task Manager under User, which is a big change from the 15 - 20 in User and System.

Here is the ComboFix log:

ComboFix 11-10-16.02 - Chris 10/16/2011 17:09:26.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1390 [GMT -5:00]
Running from: c:\documents and settings\Chris\Desktop\ComboFix.exe
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\ouxoaaa.tmp
c:\documents and settings\All Users\Application Data\ttuoaaa.tmp
c:\documents and settings\All Users\Application Data\utuoaaa.tmp
c:\documents and settings\All Users\Application Data\vtuoaaa.tmp
c:\documents and settings\All Users\Application Data\wtuoaaa.tmp
.
Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe
.
Infected copy of c:\windows\system32\svchost.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\svchost.exe
.
c:\windows\explorer.exe . . . is infected!!
.
.
((((((((((((((((((((((((( Files Created from 2011-09-16 to 2011-10-16 )))))))))))))))))))))))))))))))
.
.
2011-10-10 23:25 . 2011-10-10 23:25 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-09 18:25 . 2011-10-09 18:25 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Temp
2011-10-09 18:25 . 2011-10-09 18:25 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Adobe
2011-10-09 16:48 . 2011-10-09 16:48 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2011-10-09 16:48 . 2011-10-09 16:48 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2011-10-09 16:32 . 2011-10-09 16:32 -------- d-----w- c:\program files\ERUNT
2011-09-21 11:31 . 2011-10-09 18:55 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Google
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-26 16:41 . 2008-07-30 01:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 16:41 . 2004-08-10 11:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 16:41 . 2004-08-10 11:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-09 09:12 . 2004-08-10 11:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-08 23:53 . 2011-05-02 21:47 139136 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2011-09-08 23:52 . 2011-05-02 21:49 233920 ----a-w- c:\windows\system32\PnkBstrB.xtr
2011-09-08 23:52 . 2011-05-02 21:47 233920 ----a-w- c:\windows\system32\PnkBstrB.exe
2011-09-06 13:20 . 2004-08-10 11:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-31 22:00 . 2011-07-03 23:14 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-22 23:48 . 2006-03-04 03:33 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48 . 2004-08-10 11:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48 . 2004-08-10 11:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56 . 2004-08-10 11:00 385024 ----a-w- c:\windows\system32\html.iec
2011-08-17 13:49 . 2004-08-10 11:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-08-09 22:33 . 2011-08-28 18:53 3840 ----a-w- c:\windows\system32\drivers\BANTExt.sys
2011-08-08 01:59 . 2011-08-08 01:59 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\winlogon.exe
[-] 2008-04-14 . 7736D5824DBCD6BBEE6FED7AC6943EE4 . 542720 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
[-] 2004-08-10 . 01C3346C241652F43AED8E2149881BFE . 502272 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\winlogon.exe
[-] 2004-08-10 . 01C3346C241652F43AED8E2149881BFE . 502272 . . [5.1.2600.2180] . . c:\windows\ERDNT\cache\winlogon.exe
.
[7] 2008-04-14 . 27C6D03BCDB8CFEB96B716F3D8BE3E18 . 14336 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\svchost.exe
[-] 2008-04-14 . 7718FC0A09F7EC98DA67ED4F44A30EA5 . 37376 . . [5.1.2600.5512] . . c:\windows\system32\svchost.exe
[-] 2004-08-10 . 8F078AE4ED187AAABC0A305146DE6716 . 14336 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\svchost.exe
[-] 2004-08-10 . 8F078AE4ED187AAABC0A305146DE6716 . 14336 . . [5.1.2600.2180] . . c:\windows\ERDNT\cache\svchost.exe
.
[7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe
[-] 2008-04-14 . 500B1098F945D0EFEC330466EFCDF924 . 1056256 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[-] 2004-08-10 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\$NtServicePackUninstall$\explorer.exe
[-] 2004-08-10 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\ERDNT\cache\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [2011-03-20 16384]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-27 282624]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2003-07-01 188416]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2003-07-01 65536]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 124200]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-03 13529088]
"nwiz"="nwiz.exe" [2008-05-03 1630208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-03 86016]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
.
c:\documents and settings\Chris\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2011-3-20 169472]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\srvEEC]
@="service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Updatus\\daemonu.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56852:TCP"= 56852:TCP:Pando Media Booster
"56852:UDP"= 56852:UDP:Pando Media Booster
.
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [4/26/2011 4:10 PM 366152]
R2 Norton PC Checkup Application Launcher;Norton PC Checkup Application Launcher;c:\program files\Norton PC Checkup\Engine\2.0.12.27\SymcPCCULaunchSvc.exe [8/28/2011 3:02 PM 123320]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [8/30/2011 5:28 PM 2218600]
R2 PCCUJobMgr;Common Client Job Manager Service;c:\program files\Norton PC Checkup\Engine\2.0.12.27\ccSvcHst.exe [8/28/2011 3:02 PM 126392]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [7/3/2011 6:14 PM 22216]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/3/2011 4:26 PM 136176]
S2 srvEEC;srvEEC;c:\windows\system32\svchost.exe -k netsvcs [8/10/2004 6:00 AM 37376]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [9/3/2011 4:26 PM 136176]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys --> c:\windows\system32\drivers\nvhda32.sys [?]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
srvEEC
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = localhost
TCP: DhcpNameServer = 192.168.1.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-16 17:18
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCCUJobMgr]
"ImagePath"="\"c:\program files\Norton PC Checkup\Engine\2.0.12.27\ccSvcHst.exe\" /s \"PCCUJobMgr\" /m \"c:\program files\Norton PC Checkup\Engine\2.0.12.27\diMaster.dll\" /prefetch:1"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\srvEEC]
"servicedll"="\\?\globalroot\Device\HarddiskVolume2\DOCUME~1\Chris\LOCALS~1\Temp\srvEEC.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,fa,08,80,1e,b4,6a,00,48,96,70,17,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,fa,08,80,1e,b4,6a,00,48,96,70,17,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(332)
c:\windows\system32\WININET.dll
c:\docume~1\Chris\LOCALS~1\TempIadHide3.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\stsystra.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\LVComS.exe
c:\program files\Logitech\Video\LowLight.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\eHome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2011-10-16 17:22:15 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-16 22:22
ComboFix2.txt 2011-10-11 23:40
.
Pre-Run: 73,503,608,832 bytes free
Post-Run: 73,450,196,992 bytes free
.
- - End Of File - - CF59B1F5E63F4BDF11ACA09483DB7FAD

#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 16 October 2011 - 06:35 PM

Hello

I want you to run this tool for me next.

TDSSKiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Gringo

#5 Forkfisherman

Forkfisherman
  • Topic Starter

  • Members
  • 17 posts

Posted 16 October 2011 - 08:29 PM

Gringo,

I ran TDSSKiller and no threats were found; the scan took like 20 seconds. No reboot was required and a log did not pop up; I had to click on "Report" at the top right of the window. Once it was up I could highlight the text but couldn't find a way to copy and paste. I was also unable to find the txt.log in the C:\ folder anywhere. Anyways, no threats.

#6 Forkfisherman

Forkfisherman
  • Topic Starter

  • Members
  • 17 posts

Posted 16 October 2011 - 08:30 PM

I take that back, I found the log.


20:22:51.0875 2340 TDSS rootkit removing tool 2.6.9.0 Oct 14 2011 11:33:24
20:22:52.0265 2340 ============================================================
20:22:52.0265 2340 Current date / time: 2011/10/16 20:22:52.0265
20:22:52.0265 2340 SystemInfo:
20:22:52.0265 2340
20:22:52.0265 2340 OS Version: 5.1.2600 ServicePack: 3.0
20:22:52.0265 2340 Product type: Workstation
20:22:52.0265 2340 ComputerName: BEDROOM
20:22:52.0265 2340 UserName: Chris
20:22:52.0265 2340 Windows directory: C:\WINDOWS
20:22:52.0265 2340 System windows directory: C:\WINDOWS
20:22:52.0265 2340 Processor architecture: Intel x86
20:22:52.0265 2340 Number of processors: 2
20:22:52.0265 2340 Page size: 0x1000
20:22:52.0265 2340 Boot type: Normal boot
20:22:52.0265 2340 ============================================================
20:22:52.0828 2340 Initialize success
20:23:18.0718 3056 ============================================================
20:23:18.0718 3056 Scan started
20:23:18.0718 3056 Mode: Manual;
20:23:18.0718 3056 ============================================================
20:23:21.0156 3056 drmkaud - ok
20:23:21.0218 3056 DRVMCDB (c00440385cf9f3d142917c63f989e244) C:\WINDOWS\system32\Drivers\DRVMCDB.SYS
20:23:21.0218 3056 DRVMCDB - ok
20:23:21.0250 3056 DRVNDDM (ffc371525aa55d1bae18715ebcb8797c) C:\WINDOWS\system32\Drivers\DRVNDDM.SYS
20:23:21.0250 3056 DRVNDDM - ok
20:23:21.0359 3056 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
20:23:21.0359 3056 Fastfat - ok
20:23:21.0421 3056 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
20:23:21.0421 3056 Fdc - ok
20:23:21.0468 3056 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
20:23:21.0468 3056 Fips - ok
20:23:21.0484 3056 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
20:23:21.0484 3056 Flpydisk - ok
20:23:21.0515 3056 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
20:23:21.0515 3056 FltMgr - ok
20:23:21.0531 3056 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
20:23:21.0531 3056 Fs_Rec - ok
20:23:21.0578 3056 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
20:23:21.0578 3056 Ftdisk - ok
20:23:21.0609 3056 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
20:23:21.0609 3056 Gpc - ok
20:23:21.0656 3056 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
20:23:21.0656 3056 HDAudBus - ok
20:23:21.0703 3056 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
20:23:21.0703 3056 hidusb - ok
20:23:21.0750 3056 hpn - ok
20:23:21.0812 3056 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
20:23:21.0812 3056 HTTP - ok
20:23:21.0843 3056 i2omgmt - ok
20:23:21.0890 3056 i2omp - ok
20:23:21.0921 3056 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\drivers\i8042prt.sys
20:23:21.0921 3056 i8042prt - ok
20:23:21.0937 3056 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
20:23:21.0937 3056 Imapi - ok
20:23:21.0953 3056 ini910u - ok
20:23:21.0984 3056 IntelIde - ok
20:23:22.0031 3056 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
20:23:22.0031 3056 Ip6Fw - ok
20:23:22.0078 3056 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
20:23:22.0078 3056 IpInIp - ok
20:23:22.0109 3056 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
20:23:22.0109 3056 IpNat - ok
20:23:22.0125 3056 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
20:23:22.0125 3056 IPSec - ok
20:23:22.0156 3056 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
20:23:22.0156 3056 IRENUM - ok
20:23:22.0203 3056 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
20:23:22.0203 3056 isapnp - ok
20:23:22.0234 3056 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
20:23:22.0234 3056 Kbdclass - ok
20:23:22.0234 3056 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
20:23:22.0234 3056 kbdhid - ok
20:23:22.0265 3056 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
20:23:22.0265 3056 kmixer - ok
20:23:22.0312 3056 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
20:23:22.0312 3056 KSecDD - ok
20:23:22.0328 3056 lbrtfdc - ok
20:23:22.0390 3056 MBAMProtector (69a6268d7f81e53d568ab4e7e991caf3) C:\WINDOWS\system32\drivers\mbam.sys
20:23:22.0390 3056 MBAMProtector - ok
20:23:22.0468 3056 MHNDRV (7f2f1d2815a6449d346fcccbc569fbd6) C:\WINDOWS\system32\DRIVERS\mhndrv.sys
20:23:22.0468 3056 MHNDRV - ok
20:23:22.0531 3056 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
20:23:22.0531 3056 mnmdd - ok
20:23:22.0593 3056 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
20:23:22.0593 3056 Modem - ok
20:23:22.0640 3056 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
20:23:22.0640 3056 Mouclass - ok
20:23:22.0687 3056 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
20:23:22.0687 3056 mouhid - ok
20:23:22.0703 3056 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
20:23:22.0703 3056 MountMgr - ok
20:23:22.0718 3056 mraid35x - ok
20:23:22.0734 3056 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
20:23:22.0734 3056 MRxDAV - ok
20:23:22.0796 3056 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
20:23:22.0812 3056 MRxSmb - ok
20:23:22.0859 3056 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
20:23:22.0859 3056 Msfs - ok
20:23:22.0890 3056 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
20:23:22.0890 3056 MSKSSRV - ok
20:23:22.0921 3056 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
20:23:22.0921 3056 MSPCLOCK - ok
20:23:22.0937 3056 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
20:23:22.0937 3056 MSPQM - ok
20:23:23.0000 3056 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
20:23:23.0000 3056 mssmbios - ok
20:23:23.0031 3056 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
20:23:23.0031 3056 MSTEE - ok
20:23:23.0078 3056 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
20:23:23.0078 3056 Mup - ok
20:23:23.0109 3056 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
20:23:23.0109 3056 NABTSFEC - ok
20:23:23.0140 3056 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
20:23:23.0140 3056 NDIS - ok
20:23:23.0187 3056 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
20:23:23.0187 3056 NdisIP - ok
20:23:23.0234 3056 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
20:23:23.0234 3056 NdisTapi - ok
20:23:23.0265 3056 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
20:23:23.0281 3056 Ndisuio - ok
20:23:23.0281 3056 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
20:23:23.0281 3056 NdisWan - ok
20:23:23.0328 3056 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
20:23:23.0328 3056 NDProxy - ok
20:23:23.0343 3056 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
20:23:23.0343 3056 NetBIOS - ok
20:23:23.0390 3056 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
20:23:23.0390 3056 NetBT - ok
20:23:23.0437 3056 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
20:23:23.0437 3056 Npfs - ok
20:23:23.0468 3056 NPPTNT2 (9131fe60adfab595c8da53ad6a06aa31) C:\WINDOWS\system32\npptNT2.sys
20:23:23.0484 3056 NPPTNT2 - ok
20:23:23.0515 3056 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
20:23:23.0515 3056 Ntfs - ok
20:23:23.0562 3056 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
20:23:23.0562 3056 Null - ok
20:23:23.0765 3056 nv (8e72e452b9cc1e455d19e3c9fa964d37) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
20:23:23.0937 3056 nv - ok
20:23:23.0968 3056 NVHDA - ok
20:23:24.0031 3056 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
20:23:24.0031 3056 NwlnkFlt - ok
20:23:24.0046 3056 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
20:23:24.0046 3056 NwlnkFwd - ok
20:23:24.0109 3056 NwlnkIpx (8b8b1be2dba4025da6786c645f77f123) C:\WINDOWS\system32\DRIVERS\nwlnkipx.sys
20:23:24.0109 3056 NwlnkIpx - ok
20:23:24.0140 3056 NwlnkNb (56d34a67c05e94e16377c60609741ff8) C:\WINDOWS\system32\DRIVERS\nwlnknb.sys
20:23:24.0156 3056 NwlnkNb - ok
20:23:24.0187 3056 NwlnkSpx (c0bb7d1615e1acbdc99757f6ceaf8cf0) C:\WINDOWS\system32\DRIVERS\nwlnkspx.sys
20:23:24.0187 3056 NwlnkSpx - ok
20:23:24.0234 3056 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
20:23:24.0250 3056 Parport - ok
20:23:24.0281 3056 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
20:23:24.0281 3056 PartMgr - ok
20:23:24.0343 3056 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
20:23:24.0343 3056 ParVdm - ok
20:23:24.0375 3056 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
20:23:24.0390 3056 PCI - ok
20:23:24.0406 3056 PCIDump - ok
20:23:24.0453 3056 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
20:23:24.0468 3056 PCIIde - ok
20:23:24.0515 3056 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
20:23:24.0515 3056 Pcmcia - ok
20:23:24.0562 3056 PDCOMP - ok
20:23:24.0593 3056 PDFRAME - ok
20:23:24.0625 3056 PDRELI - ok
20:23:24.0687 3056 PDRFRAME - ok
20:23:24.0750 3056 perc2 - ok
20:23:24.0781 3056 perc2hib - ok
20:23:24.0828 3056 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
20:23:24.0843 3056 PptpMiniport - ok
20:23:24.0875 3056 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
20:23:24.0890 3056 Processor - ok
20:23:24.0906 3056 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
20:23:24.0906 3056 PSched - ok
20:23:24.0937 3056 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
20:23:24.0937 3056 Ptilink - ok
20:23:25.0015 3056 PxHelp20 (feffcfdc528764a04c8ed63d5fa6e711) C:\WINDOWS\system32\Drivers\PxHelp20.sys
20:23:25.0015 3056 PxHelp20 - ok
20:23:25.0078 3056 QCMerced (b607f201293e884f36f9a2ac2c960853) C:\WINDOWS\system32\DRIVERS\LVCM.sys
20:23:25.0078 3056 QCMerced - ok
20:23:25.0093 3056 ql1080 - ok
20:23:25.0109 3056 Ql10wnt - ok
20:23:25.0109 3056 ql12160 - ok
20:23:25.0140 3056 ql1240 - ok
20:23:25.0156 3056 ql1280 - ok
20:23:25.0218 3056 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
20:23:25.0218 3056 RasAcd - ok
20:23:25.0312 3056 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
20:23:25.0312 3056 Rasl2tp - ok
20:23:25.0328 3056 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
20:23:25.0328 3056 RasPppoe - ok
20:23:25.0343 3056 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
20:23:25.0343 3056 Raspti - ok
20:23:25.0406 3056 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
20:23:25.0406 3056 Rdbss - ok
20:23:25.0437 3056 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
20:23:25.0437 3056 RDPCDD - ok
20:23:25.0484 3056 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
20:23:25.0484 3056 rdpdr - ok
20:23:25.0546 3056 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
20:23:25.0546 3056 RDPWD - ok
20:23:25.0593 3056 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
20:23:25.0593 3056 redbook - ok
20:23:25.0656 3056 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
20:23:25.0656 3056 Secdrv - ok
20:23:25.0703 3056 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
20:23:25.0718 3056 Serial - ok
20:23:25.0750 3056 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
20:23:25.0750 3056 Sfloppy - ok
20:23:25.0781 3056 Simbad - ok
20:23:25.0859 3056 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
20:23:25.0859 3056 SLIP - ok
20:23:25.0906 3056 Sparrow - ok
20:23:25.0937 3056 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
20:23:25.0937 3056 splitter - ok
20:23:25.0984 3056 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
20:23:25.0984 3056 sr - ok
20:23:26.0062 3056 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
20:23:26.0078 3056 Srv - ok
20:23:26.0187 3056 STHDA (8990440e4b2a7ca5a56a1833b03741fd) C:\WINDOWS\system32\drivers\sthda.sys
20:23:26.0203 3056 STHDA - ok
20:23:26.0250 3056 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
20:23:26.0250 3056 streamip - ok
20:23:26.0296 3056 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
20:23:26.0296 3056 swenum - ok
20:23:26.0328 3056 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
20:23:26.0328 3056 swmidi - ok
20:23:26.0343 3056 symc810 - ok
20:23:26.0375 3056 symc8xx - ok
20:23:26.0406 3056 sym_hi - ok
20:23:26.0421 3056 sym_u3 - ok
20:23:26.0437 3056 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
20:23:26.0453 3056 sysaudio - ok
20:23:26.0515 3056 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
20:23:26.0515 3056 Tcpip - ok
20:23:26.0578 3056 Tcpip6 (4e53bbcc4be37d7a4bd6ef1098c89ff7) C:\WINDOWS\system32\DRIVERS\tcpip6.sys
20:23:26.0593 3056 Tcpip6 - ok
20:23:26.0640 3056 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
20:23:26.0640 3056 TDPIPE - ok
20:23:26.0687 3056 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
20:23:26.0687 3056 TDTCP - ok
20:23:26.0718 3056 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
20:23:26.0718 3056 TermDD - ok
20:23:26.0734 3056 TosIde - ok
20:23:26.0781 3056 tunmp (8f861eda21c05857eb8197300a92501c) C:\WINDOWS\system32\DRIVERS\tunmp.sys
20:23:26.0781 3056 tunmp - ok
20:23:26.0812 3056 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
20:23:26.0812 3056 Udfs - ok
20:23:26.0828 3056 ultra - ok
20:23:26.0875 3056 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
20:23:26.0875 3056 Update - ok
20:23:26.0906 3056 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
20:23:26.0906 3056 usbaudio - ok
20:23:26.0937 3056 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
20:23:26.0937 3056 usbccgp - ok
20:23:26.0968 3056 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
20:23:26.0968 3056 usbehci - ok
20:23:26.0984 3056 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
20:23:26.0984 3056 usbhub - ok
20:23:27.0000 3056 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
20:23:27.0000 3056 usbohci - ok
20:23:27.0046 3056 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
20:23:27.0046 3056 USBSTOR - ok
20:23:27.0078 3056 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
20:23:27.0078 3056 VgaSave - ok
20:23:27.0093 3056 ViaIde - ok
20:23:27.0125 3056 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
20:23:27.0125 3056 VolSnap - ok
20:23:27.0171 3056 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
20:23:27.0171 3056 Wanarp - ok
20:23:27.0187 3056 WDICA - ok
20:23:27.0218 3056 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
20:23:27.0234 3056 wdmaud - ok
20:23:27.0312 3056 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
20:23:27.0312 3056 WSTCODEC - ok
20:23:27.0390 3056 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
20:23:27.0390 3056 WudfPf - ok
20:23:27.0421 3056 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
20:23:27.0421 3056 WudfRd - ok
20:23:27.0453 3056 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
20:23:27.0562 3056 \Device\Harddisk0\DR0 - ok
20:23:27.0562 3056 Boot (0x1200) (998a959cdacb009b343966d5554add6e) \Device\Harddisk0\DR0\Partition0
20:23:27.0562 3056 \Device\Harddisk0\DR0\Partition0 - ok
20:23:27.0562 3056 ============================================================
20:23:27.0562 3056 Scan finished
20:23:27.0562 3056 ============================================================
20:23:27.0578 0396 Detected object count: 0
20:23:27.0578 0396 Actual detected object count: 0
20:25:11.0437 2620 Deinitialize success

#7 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender: Male
  • Location: Puerto Rico

Posted 16 October 2011 - 08:33 PM

Hello

This is the tool I would like you to try and run next.

Please download aswMBR (511KB) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.



Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#8 Forkfisherman

  • Topic Starter
  • Members
  • 17 posts

Posted 16 October 2011 - 08:57 PM

aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-10-16 20:55:26
-----------------------------
20:55:26.968 OS Version: Windows 5.1.2600 Service Pack 3
20:55:26.968 Number of processors: 2 586 0x4B02
20:55:26.968 ComputerName: BEDROOM UserName: Chris
20:55:27.468 Initialize success
20:55:48.953 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
20:55:48.953 Disk 0 Vendor: ST3160812AS 3.ADJ Size: 152587MB BusType: 3
20:55:50.968 Disk 0 MBR read successfully
20:55:50.968 Disk 0 MBR scan
20:55:50.968 Disk 0 Windows XP default MBR code
20:55:50.968 Disk 0 scanning sectors +312496380
20:55:51.031 Disk 0 scanning C:\WINDOWS\system32\drivers
20:55:56.203 Service scanning
20:55:57.062 Modules scanning
20:56:01.718 Disk 0 trace - called modules:
20:56:01.734 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
20:56:01.734 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x89cb0ab8]
20:56:01.734 3 CLASSPNP.SYS[b80e8fd7] -> nt!IofCallDriver -> \Device\00000064[0x89cc5510]
20:56:01.734 5 ACPI.sys[b7f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x89cd4940]
20:56:01.734 Scan finished successfully
20:56:23.671 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Chris\Desktop\MBR.dat"
20:56:23.671 The log file has been saved successfully to "C:\Documents and Settings\Chris\Desktop\aswMBR.txt"

#9 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender: Male
  • Location: Puerto Rico

Posted 16 October 2011 - 09:13 PM

Hello

Let's get a deeper look into the system and see if something shows up.

Download and run OTL

Download OTL by Old Timer and save it to your Desktop.
  • Double click on OTL.exe to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened and is the one that I need posted back here
    • Extra.txt <-- Will be minimized - save this one on your desktop in case I ask for it later
  • Please post the contents of OTListIt.txt in your next reply.

Gringo

#10 Forkfisherman

  • Topic Starter
  • Members
  • 17 posts

Posted 16 October 2011 - 09:24 PM

OTL logfile created on: 10/16/2011 9:17:50 PM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Chris\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.54 Gb Available Physical Memory | 76.84% Memory free
3.35 Gb Paging File | 3.06 Gb Available in Paging File | 91.46% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 144.32 Gb Total Space | 68.41 Gb Free Space | 47.40% Space Free | Partition Type: NTFS

Computer Name: BEDROOM | User Name: Chris | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Chris\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Norton PC Checkup\Engine\2.0.12.27\ccSvcHst.exe (Symantec Corporation)
PRC - C:\Program Files\Norton PC Checkup\Engine\2.0.12.27\SymcPCCULaunchSvc.exe (Symantec Corporation)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe (CyberLink Corp.)
PRC - C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
PRC - C:\Program Files\Logitech\Video\LowLight.exe (Logitech Inc.)
PRC - C:\WINDOWS\system32\LVComS.exe (Logitech Inc.)


========== Modules (No Company Name) ==========

MOD - C:\WINDOWS\system32\sbe.dll ()
MOD - C:\WINDOWS\system32\quartz.dll ()
MOD - C:\WINDOWS\system32\nvshell.dll ()
MOD - C:\WINDOWS\system32\msdmo.dll ()
MOD - C:\WINDOWS\system32\devenum.dll ()
MOD - C:\WINDOWS\system32\DLAAPI_W.DLL ()


========== Win32 Services (SafeList) ==========

SRV - (srvEEC) -- File not found
SRV - (HidServ) -- File not found
SRV - (ATI Smart) -- File not found
SRV - (Ati HotKey Poller) -- File not found
SRV - (MBAMService) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
SRV - (PCCUJobMgr) -- C:\Program Files\Norton PC Checkup\Engine\2.0.12.27\ccSvcHst.exe (Symantec Corporation)
SRV - (Norton PC Checkup Application Launcher) -- C:\Program Files\Norton PC Checkup\Engine\2.0.12.27\SymcPCCULaunchSvc.exe (Symantec Corporation)
SRV - (npggsvc) -- C:\WINDOWS\System32\GameMon.des (INCA Internet Co., Ltd.)
SRV - (nvUpdatusService) -- C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe (NVIDIA Corporation)
SRV - (IDriverT) -- C:\Program Files\Roxio\Roxio MyDVD DE\InstallShield\Driver\1050\Intel 32\IDriverT.exe (Macrovision Corporation)


========== Driver Services (SafeList) ==========

DRV - (catchme) -- File not found
DRV - (MBAMProtector) -- C:\WINDOWS\system32\drivers\mbam.sys (Malwarebytes Corporation)
DRV - (BANTExt) -- C:\WINDOWS\System32\Drivers\BANTExt.sys ()
DRV - (Tcpip6) -- C:\WINDOWS\system32\drivers\tcpip6.sys (Microsoft Corporation)
DRV - (NwlnkIpx) -- C:\WINDOWS\system32\drivers\nwlnkipx.sys (Microsoft Corporation)
DRV - (AmdLLD) -- C:\WINDOWS\system32\drivers\AmdLLD.sys (AMD, Inc.)
DRV - (DLARTL_M) -- C:\WINDOWS\system32\drivers\DLARTL_M.SYS (Roxio)
DRV - (DLACDBHM) -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS (Roxio)
DRV - (DLADResM) -- C:\WINDOWS\system32\DLA\DLADResM.SYS (Roxio)
DRV - (DLAUDFAM) -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS (Roxio)
DRV - (DLABMFSM) -- C:\WINDOWS\system32\DLA\DLABMFSM.SYS (Roxio)
DRV - (DLAUDF_M) -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS (Roxio)
DRV - (DLAOPIOM) -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS (Roxio)
DRV - (DLABOIOM) -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS (Roxio)
DRV - (DLAPoolM) -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS (Roxio)
DRV - (DLAIFS_M) -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS (Roxio)
DRV - (STHDA) -- C:\WINDOWS\system32\drivers\sthda.sys (SigmaTel, Inc.)
DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)
DRV - (bcm4sbxp) -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys (Broadcom Corporation)
DRV - (NPPTNT2) -- C:\WINDOWS\system32\npptNT2.sys (INCA Internet Co., Ltd.)
DRV - (NwlnkNb) -- C:\WINDOWS\system32\drivers\nwlnknb.sys (Microsoft Corporation)
DRV - (NwlnkSpx) -- C:\WINDOWS\system32\drivers\nwlnkspx.sys (Microsoft Corporation)
DRV - (QCMerced) -- C:\WINDOWS\system32\drivers\lvcm.sys (Logitech Inc.)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = about:blank
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = about:blank
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1715567821-343818398-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-1715567821-343818398-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1715567821-343818398-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = localhost

FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.69\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.69\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\pandonetworks.com/PandoWebPlugin: C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)



========== Chrome ==========

CHR - default_search_provider: Google ()
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?client=chrome&hl={language}&q={searchTerms}

O1 HOSTS File: ([2011/10/16 17:17:47 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe (AMD)
O4 - HKLM..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe (Logitech Inc.)
O4 - HKLM..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe (Logitech Inc.)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [PDVDDXSrv] C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe (CyberLink Corp.)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
O4 - HKU\S-1-5-21-1715567821-343818398-725345543-1003..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe ()
O4 - Startup: C:\Documents and Settings\Chris\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()
O4 - Startup: C:\Documents and Settings\Chris\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe (Logitech)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1715567821-343818398-725345543-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1715567821-343818398-725345543-1003\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-21-1715567821-343818398-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1715567821-343818398-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1715567821-343818398-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} http://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab (System Requirements Lab Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{FC4B5935-7523-4719-9D64-B3CA95E540F1}: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\belarc {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Chris\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Chris\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/11/01 11:11:36 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/10/16 21:17:07 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Chris\Desktop\OTL.exe
[2011/10/16 20:55:22 | 001,916,416 | ---- | C] (AVAST Software) -- C:\Documents and Settings\Chris\Desktop\aswMBR.exe
[2011/10/16 20:22:44 | 001,559,344 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Chris\Desktop\tdsskiller.exe
[2011/10/14 16:56:37 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2011/10/11 18:12:55 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/10/11 18:12:55 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/10/11 18:12:55 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/10/11 18:12:55 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/10/11 18:12:43 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/10/11 18:10:52 | 004,263,052 | R--- | C] (Swearware) -- C:\Documents and Settings\Chris\Desktop\ComboFix.exe
[2011/10/10 20:49:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Chris\Desktop\Old EQ
[2011/10/10 20:01:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Chris\Desktop\gmer
[2011/10/10 19:56:31 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\Chris\Desktop\dds.scr
[2011/10/10 18:25:14 | 000,414,368 | ---- | C] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2011/10/09 11:46:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Chris\Desktop\GooredFix Backups
[2011/10/09 11:32:24 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2011/10/09 11:32:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\ERUNT
[2011/10/09 11:31:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Chris\Desktop\fix

========== Files - Modified Within 30 Days ==========

[2011/10/16 21:17:07 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Chris\Desktop\OTL.exe
[2011/10/16 20:56:23 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Chris\Desktop\MBR.dat
[2011/10/16 20:55:22 | 001,916,416 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Chris\Desktop\aswMBR.exe
[2011/10/16 20:22:44 | 001,559,344 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Chris\Desktop\tdsskiller.exe
[2011/10/16 17:17:53 | 000,183,180 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2011/10/16 17:17:47 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/10/16 17:17:40 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/10/16 17:15:28 | 000,507,904 | ---- | M] () -- C:\WINDOWS\System32\winl.dat
[2011/10/16 17:07:58 | 004,263,052 | R--- | M] (Swearware) -- C:\Documents and Settings\Chris\Desktop\ComboFix.exe
[2011/10/16 17:02:12 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/10/14 17:31:26 | 000,149,992 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/10/14 16:57:40 | 000,441,716 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/10/14 16:57:40 | 000,071,526 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/10/14 16:55:26 | 000,007,243 | ---- | M] () -- C:\WINDOWS\System32\MRT.INI
[2011/10/14 16:53:44 | 000,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/10/10 20:00:55 | 000,294,216 | ---- | M] () -- C:\Documents and Settings\Chris\Desktop\gmer.zip
[2011/10/10 19:56:33 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\Chris\Desktop\dds.scr
[2011/10/10 19:55:51 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Chris\defogger_reenable
[2011/10/10 19:55:30 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Chris\Desktop\Defogger.exe
[2011/10/10 18:25:14 | 000,414,368 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2011/10/09 12:19:51 | 003,670,016 | ---- | M] () -- C:\Documents and Settings\Chris\NTUSER.bak
[2011/10/09 11:32:30 | 000,000,767 | ---- | M] () -- C:\Documents and Settings\Chris\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2011/10/09 11:32:24 | 000,000,611 | ---- | M] () -- C:\Documents and Settings\Chris\Desktop\NTREGOPT.lnk
[2011/10/09 11:32:24 | 000,000,592 | ---- | M] () -- C:\Documents and Settings\Chris\Desktop\ERUNT.lnk
[2011/10/07 09:16:22 | 000,044,032 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\19792079
[2011/10/03 03:35:11 | 005,971,456 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mshtml.dll
[2011/09/26 11:41:20 | 000,611,328 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\uiautomationcore.dll
[2011/09/26 11:41:20 | 000,220,160 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\oleacc.dll
[2011/09/26 11:41:14 | 000,020,480 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\oleaccrc.dll
[2011/09/26 11:41:14 | 000,020,480 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\oleaccrc.dll
[2011/09/22 16:47:21 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk

========== Files Created - No Company Name ==========

[2011/10/16 20:56:23 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Chris\Desktop\MBR.dat
[2011/10/16 17:15:28 | 000,507,904 | ---- | C] () -- C:\WINDOWS\System32\winl.dat
[2011/10/14 16:55:26 | 000,007,243 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2011/10/11 18:12:55 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/10/11 18:12:55 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/10/11 18:12:55 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/10/11 18:12:55 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/10/11 18:12:55 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/10/10 20:00:53 | 000,294,216 | ---- | C] () -- C:\Documents and Settings\Chris\Desktop\gmer.zip
[2011/10/10 19:55:51 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Chris\defogger_reenable
[2011/10/10 19:55:30 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Chris\Desktop\Defogger.exe
[2011/10/09 11:32:30 | 000,000,767 | ---- | C] () -- C:\Documents and Settings\Chris\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2011/10/09 11:32:24 | 000,000,611 | ---- | C] () -- C:\Documents and Settings\Chris\Desktop\NTREGOPT.lnk
[2011/10/09 11:32:24 | 000,000,592 | ---- | C] () -- C:\Documents and Settings\Chris\Desktop\ERUNT.lnk
[2011/10/07 09:16:22 | 000,044,032 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\19792079
[2011/08/30 17:27:37 | 000,259,604 | ---- | C] () -- C:\WINDOWS\System32\nvdrsdb1.bin
[2011/08/30 17:27:37 | 000,000,001 | ---- | C] () -- C:\WINDOWS\System32\nvdrssel.bin
[2011/08/30 17:27:37 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\nvdrsdb0.bin
[2011/08/28 13:53:23 | 000,003,840 | ---- | C] () -- C:\WINDOWS\System32\drivers\BANTExt.sys
[2011/08/26 15:28:11 | 000,443,816 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2011/08/17 18:00:04 | 000,000,000 | ---- | C] () -- C:\WINDOWS\popcreg.dat
[2011/08/17 18:00:04 | 000,000,000 | ---- | C] () -- C:\WINDOWS\popcinfot.dat
[2011/08/08 14:10:54 | 000,000,023 | ---- | C] () -- C:\WINDOWS\BlendSettings.ini
[2011/08/08 08:23:33 | 000,056,056 | ---- | C] () -- C:\WINDOWS\System32\DLAAPI_W.DLL
[2011/07/18 08:41:52 | 000,005,632 | ---- | C] () -- C:\Documents and Settings\Chris\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/06/08 12:19:16 | 000,000,126 | ---- | C] () -- C:\Documents and Settings\Chris\Application Data\wklnhst.dat
[2011/05/14 19:35:30 | 000,021,840 | ---- | C] () -- C:\WINDOWS\System32\SIntfNT.dll
[2011/05/14 19:35:30 | 000,017,212 | ---- | C] () -- C:\WINDOWS\System32\SIntf32.dll
[2011/05/14 19:35:30 | 000,012,067 | ---- | C] () -- C:\WINDOWS\System32\SIntf16.dll
[2011/05/14 19:28:39 | 000,035,933 | ---- | C] () -- C:\WINDOWS\DIIUnin.dat
[2011/05/11 19:27:09 | 000,000,144 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~18013988
[2011/05/11 19:27:09 | 000,000,120 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~18013988r
[2011/05/11 19:24:10 | 000,000,336 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\18013988
[2011/05/02 16:47:21 | 000,139,136 | ---- | C] () -- C:\WINDOWS\System32\drivers\PnkBstrK.sys
[2011/05/02 16:47:21 | 000,138,056 | ---- | C] () -- C:\Documents and Settings\Chris\Application Data\PnkBstrK.sys
[2011/05/02 16:47:19 | 000,233,920 | ---- | C] () -- C:\WINDOWS\System32\PnkBstrB.exe
[2011/05/02 16:46:59 | 000,075,136 | ---- | C] () -- C:\WINDOWS\System32\PnkBstrA.exe
[2011/05/02 16:46:58 | 003,360,624 | ---- | C] () -- C:\WINDOWS\System32\pbsvc.exe
[2011/04/29 21:03:49 | 000,000,425 | ---- | C] () -- C:\WINDOWS\AcroChallenge.ini
[2011/04/26 14:58:51 | 000,000,192 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\0
[2011/03/28 16:35:48 | 000,018,948 | -HS- | C] () -- C:\Documents and Settings\Chris\Local Settings\Application Data\cc582sh666kxui22427je85620g72wl634w8ri3m7rk050
[2011/03/28 16:35:48 | 000,018,948 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\cc582sh666kxui22427je85620g72wl634w8ri3m7rk050
[2011/03/20 12:15:49 | 000,014,938 | ---- | C] () -- C:\WINDOWS\System32\lvcoinst.ini
[2011/03/20 12:15:34 | 000,000,260 | ---- | C] () -- C:\WINDOWS\_delis32.ini
[2011/03/20 12:15:20 | 000,036,864 | R--- | C] () -- C:\WINDOWS\System32\AthUnIns.exe
[2010/12/30 15:22:04 | 000,000,174 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2010/12/29 20:48:45 | 000,000,000 | ---- | C] () -- C:\WINDOWS\ativpsrm.bin
[2010/11/01 11:18:26 | 000,000,128 | ---- | C] () -- C:\Documents and Settings\Chris\Local Settings\Application Data\fusioncache.dat
[2010/11/01 11:14:09 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2010/11/01 11:08:29 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2010/11/01 04:59:04 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2010/11/01 04:58:14 | 000,149,992 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/05/01 00:31:32 | 002,116,894 | ---- | C] () -- C:\WINDOWS\System32\nvdata.bin
[2008/05/02 22:46:00 | 001,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2008/05/02 22:46:00 | 001,630,208 | ---- | C] () -- C:\WINDOWS\System32\nwiz.exe
[2008/05/02 22:46:00 | 001,486,848 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2008/05/02 22:46:00 | 001,339,392 | ---- | C] () -- C:\WINDOWS\System32\nvdspsch.exe
[2008/05/02 22:46:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2008/05/02 22:46:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2008/05/02 22:46:00 | 000,442,368 | ---- | C] () -- C:\WINDOWS\System32\nvappbar.exe
[2008/05/02 22:46:00 | 000,425,984 | ---- | C] () -- C:\WINDOWS\System32\keystone.exe
[2008/05/02 22:46:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2007/08/06 18:22:15 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2006/09/16 23:36:50 | 000,520,192 | ---- | C] () -- C:\WINDOWS\System32\CddbPlaylist2Roxio.dll
[2006/09/16 23:36:50 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\CddbFileTaggerRoxio.dll
[2005/08/05 15:01:54 | 000,235,008 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2005/03/22 17:38:24 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2005/03/22 17:38:24 | 000,004,627 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2004/08/10 06:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/10 06:00:00 | 000,441,716 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/08/10 06:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/10 06:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/10 06:00:00 | 000,071,526 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/08/10 06:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/10 06:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/10 06:00:00 | 000,014,336 | ---- | C] () -- C:\WINDOWS\System32\svch.dat
[2004/08/10 06:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/10 06:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004/08/10 06:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2003/02/26 15:47:14 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\MimicICM.dll
[1999/01/27 13:39:06 | 000,065,024 | ---- | C] () -- C:\WINDOWS\System32\indounin.dll
[1997/06/13 07:56:08 | 000,056,832 | ---- | C] () -- C:\WINDOWS\System32\Iyvu9_32.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 99 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:B1FBBD09
@Alternate Data Stream - 76 bytes -> C:\Documents and Settings\Chris\Desktop\targetedcoverletter.gif:Roxio EMC Stream

< End of report >

*******************************************************************


OTL Extras logfile created on: 10/16/2011 9:17:50 PM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Chris\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.54 Gb Available Physical Memory | 76.84% Memory free
3.35 Gb Paging File | 3.06 Gb Available in Paging File | 91.46% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 144.32 Gb Total Space | 68.41 Gb Free Space | 47.40% Space Free | Partition Type: NTFS

Computer Name: BEDROOM | User Name: Chris | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"56852:TCP" = 56852:TCP:*:Enabled:Pando Media Booster
"56852:UDP" = 56852:UDP:*:Enabled:Pando Media Booster

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"56852:TCP" = 56852:TCP:*:Enabled:Pando Media Booster
"56852:UDP" = 56852:UDP:*:Enabled:Pando Media Booster

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Pando Networks\Media Booster\PMB.exe" = C:\Program Files\Pando Networks\Media Booster\PMB.exe:*:Enabled:Pando Media Booster -- ()

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe" = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe:*:Disabled:backWeb-8876480 -- ()
"C:\Program Files\Pando Networks\Media Booster\PMB.exe" = C:\Program Files\Pando Networks\Media Booster\PMB.exe:*:Enabled:Pando Media Booster -- ()
"C:\Program Files\CyberLink\PowerDVD DX\PowerDVD.exe" = C:\Program Files\CyberLink\PowerDVD DX\PowerDVD.exe:*:Enabled:CyberLink PowerDVD DX -- (CyberLink Corp.)
"C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" = C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe:*:Enabled:CyberLink PowerDVD DX Resident Program -- (CyberLink Corp.)
"C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe" = C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe:*:Enabled:Daemonu.exe -- (NVIDIA Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0394CDC8-FABD-4ed8-B104-03393876DFDF}" = Roxio Creator Tools
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{0D397393-9B50-4c52-84D5-77E344289F87}" = Roxio Creator Data
"{26A24AE4-039D-4CA4-87B4-2F83216024FF}" = Java™ 6 Update 24
"{26AA53D5-1307-48F9-A80F-A4D25F5849D4}" = Logitech QuickCam
"{2F4C24E6-CBD4-4AAC-B56F-C9FD44DE5668}" = Roxio Drag-to-Disc
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Roxio Update Manager
"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35CB6715-41F8-4F99-8881-6FC75BF054B0}" = Oblivion
"{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}" = Sonic Activation Module
"{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{619CDD8A-14B6-43a1-AB6C-0F4EE48CE048}" = Roxio Creator Copy
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{6D52C408-B09A-4520-9B18-475B81D393F1}" = Microsoft Works
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{83FFCFC7-88C6-41c6-8752-958A45325C82}" = Roxio Creator Audio
"{900B1197-53F5-4F46-A882-2CFFFE2EEDCB}" = Logitech Desktop Messenger
"{980A182F-E0A2-4A40-94C1-AE0C1235902E}" = Pando Media Booster
"{9941F0AA-B903-4AF4-A055-83A9815CC011}" = Sonic Encoders
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9C9D0F85-5658-4A5E-95A9-65F7DB2916EE}" = Broadcom 440x 10/100 Integrated Controller
"{9FD6F1A8-5550-46AF-8509-271DF0E768B5}" = Dual-Core Optimizer
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = SigmaTel Audio
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A9E27FF5-6294-46A8-B8FD-77B1DECA3021}" = Wizard101
"{AC76BA86-7AD7-1033-7B44-AA0000000001}" = Adobe Reader X (10.0.1)
"{AFF7E080-1974-45BF-9310-10DE1A1F5ED0}" = Adobe AIR
"{B2FE1952-0186-46c3-BAEC-A80AA35AC5B8}_Display.ControlPanel" = NVIDIA Control Panel 270.61
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver" = NVIDIA Graphics Driver 270.61
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.NView" = NVIDIA nView 135.70
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX" = NVIDIA PhysX System Software 9.10.0514
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Update" = NVIDIA Update 1.1.34
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_installer" = NVIDIA Install Application
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_NVIDIA.Update" = NVIDIA Update Components
"{B3FED300-806C-11E0-A0D0-B8AC6F97B88E}" = Google Earth
"{B9DB4C76-01A4-46D5-8910-F7AA6376DBAF}" = NVIDIA PhysX
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}" = Roxio Creator DE
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D7A89413-FB45-4ECE-A893-32DC87F45554}" = Legends of Norrath
"{FA3D29BC-9440-4CB4-993D-189543036C1E}" = AcroChallenge 2.86
"{FB64BF25-3593-4E4E-AA85-84AEF1D1475F}" = Broadcom Management Programs
"{FCD9CD52-7222-4672-94A0-A722BA702FD0}" = Dell Resource CD
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Athena" = WebCam for MSN Messenger
"B3EE3001-DC24-4cd1-8743-5692C716659F" = Otto
"Belarc Advisor" = Belarc Advisor 8.2
"Diablo II" = Diablo II
"ERUNT_is1" = ERUNT 1.1j
"ie8" = Windows Internet Explorer 8
"Logitech Print Service" = Logitech Print Service
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.2.1300
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Morphyre" = Morphyre
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NortonPCCheckup" = Norton PC Checkup
"NVIDIA Drivers" = NVIDIA Drivers
"NVIDIA nView Desktop Manager" = NVIDIA nView Desktop Manager
"Plants vs. Zombies" = Plants vs. Zombies
"PunkBusterSvc" = PunkBuster Services
"SystemRequirementsLab" = System Requirements Lab
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Zoo Tycoon 1.0" = Microsoft Zoo Tycoon

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1715567821-343818398-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"0638265cfb8124a6" = AA2Deploy
"6f16172c295f43ac" = GamParse

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 9/12/2011 11:28:00 AM | Computer Name = BEDROOM | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module flash10p.ocx, version 10.2.159.1, fault address 0x00068db5.

Error - 9/16/2011 8:52:04 PM | Computer Name = BEDROOM | Source = Application Error | ID = 1000
Description = Faulting application wizardgraphicalclient.exe, version 0.0.0.0, faulting
module ntdll.dll, version 5.1.2600.6055, fault address 0x00019af2.

Error - 9/17/2011 6:48:16 PM | Computer Name = BEDROOM | Source = Application Error | ID = 1000
Description = Faulting application wizardgraphicalclient.exe, version 0.0.0.0, faulting
module wizardgraphicalclient.exe, version 0.0.0.0, fault address 0x0069970d.

Error - 9/18/2011 10:00:07 PM | Computer Name = BEDROOM | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: The data is invalid.

Error - 9/18/2011 10:01:47 PM | Computer Name = BEDROOM | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: The data is invalid.

Error - 9/18/2011 10:01:47 PM | Computer Name = BEDROOM | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: The data is invalid.

Error - 9/18/2011 10:04:38 PM | Computer Name = BEDROOM | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: The data is invalid.

Error - 9/18/2011 10:04:38 PM | Computer Name = BEDROOM | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: The data is invalid.

Error - 9/19/2011 7:50:27 PM | Computer Name = BEDROOM | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: The data is invalid.

Error - 9/23/2011 10:56:54 PM | Computer Name = BEDROOM | Source = Application Error | ID = 1000
Description = Faulting application wizardgraphicalclient.exe, version 0.0.0.0, faulting
module ntdll.dll, version 5.1.2600.6055, fault address 0x00019af2.

[ System Events ]
Error - 10/14/2011 6:32:02 PM | Computer Name = BEDROOM | Source = Service Control Manager | ID = 7023
Description = The srvEEC service terminated with the following error: %%126

Error - 10/16/2011 6:02:30 PM | Computer Name = BEDROOM | Source = Service Control Manager | ID = 7000
Description = The Ati HotKey Poller service failed to start due to the following
error: %%2

Error - 10/16/2011 6:02:30 PM | Computer Name = BEDROOM | Source = Service Control Manager | ID = 7000
Description = The ATI Smart service failed to start due to the following error:
%%2

Error - 10/16/2011 6:02:30 PM | Computer Name = BEDROOM | Source = Service Control Manager | ID = 7023
Description = The srvEEC service terminated with the following error: %%126

Error - 10/16/2011 6:18:02 PM | Computer Name = BEDROOM | Source = Service Control Manager | ID = 7000
Description = The Ati HotKey Poller service failed to start due to the following
error: %%2

Error - 10/16/2011 6:18:02 PM | Computer Name = BEDROOM | Source = Service Control Manager | ID = 7000
Description = The ATI Smart service failed to start due to the following error:
%%2

Error - 10/16/2011 6:18:02 PM | Computer Name = BEDROOM | Source = Service Control Manager | ID = 7023
Description = The srvEEC service terminated with the following error: %%126

Error - 10/16/2011 6:26:23 PM | Computer Name = BEDROOM | Source = Service Control Manager | ID = 7034
Description = The MBAMService service terminated unexpectedly. It has done this
1 time(s).

Error - 10/16/2011 6:36:45 PM | Computer Name = BEDROOM | Source = Service Control Manager | ID = 7034
Description = The PnkBstrA service terminated unexpectedly. It has done this 1
time(s).

Error - 10/16/2011 6:36:48 PM | Computer Name = BEDROOM | Source = Service Control Manager | ID = 7034
Description = The NVIDIA Update Service Daemon service terminated unexpectedly.
It has done this 1 time(s).


< End of report >

#11 gringo_pr (Malware Response Team)

Posted 17 October 2011 - 08:15 PM

Hello

I want you to run this custom OTL script for me and then let me know how things are after you finish.

Run OTL Script

  • Double-click OTL.exe to start the program.
  • Copy and Paste the following code into the textbox. Do not include the word Code
    :otl
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    @Alternate Data Stream - 99 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:B1FBBD09
    @Alternate Data Stream - 76 bytes -> C:\Documents and Settings\Chris\Desktop\targetedcoverletter.gif:Roxio EMC Stream
    [2011/05/11 19:27:09 | 000,000,144 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~18013988
    [2011/05/11 19:27:09 | 000,000,120 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~18013988r
    [2011/05/11 19:24:10 | 000,000,336 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\18013988
    [2011/03/28 16:35:48 | 000,018,948 | -HS- | C] () -- C:\Documents and Settings\Chris\Local Settings\Application Data\cc582sh666kxui22427je85620g72wl634w8ri3m7rk050
    [2011/03/28 16:35:48 | 000,018,948 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\cc582sh666kxui22427je85620g72wl634w8ri3m7rk050
    :Files
    ipconfig /flushdns /c
    :Commands
    [PURITY]
    [EMPTYTEMP]
    [EMPTYFLASH]
    [RESETHOSTS]
    
  • Then click the Run Fix button at the top.
  • Click OK when prompted.
  • OTL may ask to reboot the machine. Please do so if asked.
  • The report should appear in Notepad after the reboot. Copy and Paste that report in your next reply.

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#12 Forkfisherman (Topic Starter)

Posted 17 October 2011 - 08:30 PM

OK, everything done as you said, still no background ads BUT IE and google are still re-directing :o(



All processes killed
========== OTL ==========
Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
C:\WINDOWS\Downloaded Program Files\gp.inf not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:B1FBBD09 deleted successfully.
ADS C:\Documents and Settings\Chris\Desktop\targetedcoverletter.gif:Roxio EMC Stream deleted successfully.
C:\Documents and Settings\All Users\Application Data\~18013988 moved successfully.
C:\Documents and Settings\All Users\Application Data\~18013988r moved successfully.
C:\Documents and Settings\All Users\Application Data\18013988 moved successfully.
C:\Documents and Settings\Chris\Local Settings\Application Data\cc582sh666kxui22427je85620g72wl634w8ri3m7rk050 moved successfully.
C:\Documents and Settings\All Users\Application Data\cc582sh666kxui22427je85620g72wl634w8ri3m7rk050 moved successfully.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\Chris\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Chris\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: All Users

User: Chris
->Temp folder emptied: 522647 bytes
->Temporary Internet Files folder emptied: 68583886 bytes
->Java cache emptied: 6192 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 470 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32835 bytes
->Flash cache emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: UpdatusUser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 108 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied:

#13 Forkfisherman (Topic Starter)

Posted 17 October 2011 - 08:44 PM

Hmmmm now I am getting IE pop-ups under "system" in Task Manager, complete with ads with sound. (sigh)
Currently I have 10 IE processes under "system" in Task Manager and they are eating up the mem usage.

#14 gringo_pr (Malware Response Team)

Posted 17 October 2011 - 09:03 PM

SystemLook:

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    explorer.exe
    svchost.exe
    winlogon.exe
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

#15 Forkfisherman (Topic Starter)

Posted 17 October 2011 - 09:43 PM

SystemLook 30.07.11 by jpshortstuff
Log created at 21:40 on 17/10/2011 by Chris
Administrator - Elevation successful

========== filefind ==========

Searching for "explorer.exe"
C:\WINDOWS\explorer.exe --a---- 1056256 bytes [11:00 10/08/2004] [00:12 14/04/2008] 500B1098F945D0EFEC330466EFCDF924
C:\WINDOWS\$NtServicePackUninstall$\explorer.exe -----c- 1032192 bytes [20:50 26/08/2011] [11:00 10/08/2004] A0732187050030AE399B241436565E64
C:\WINDOWS\ERDNT\cache\explorer.exe --a---- 1032192 bytes [00:23 13/05/2011] [11:00 10/08/2004] A0732187050030AE399B241436565E64
C:\WINDOWS\ServicePackFiles\i386\explorer.exe --a---- 1033728 bytes [19:46 08/08/2011] [00:12 14/04/2008] 12896823FB95BFB3DC9B46BCAEDC9923

Searching for "svchost.exe"
C:\WINDOWS\$NtServicePackUninstall$\svchost.exe -----c- 14336 bytes [20:49 26/08/2011] [11:00 10/08/2004] 8F078AE4ED187AAABC0A305146DE6716
C:\WINDOWS\ERDNT\cache\svchost.exe --a---- 14336 bytes [00:23 13/05/2011] [11:00 10/08/2004] 8F078AE4ED187AAABC0A305146DE6716
C:\WINDOWS\ServicePackFiles\i386\svchost.exe --a---- 14336 bytes [19:46 08/08/2011] [00:12 14/04/2008] 27C6D03BCDB8CFEB96B716F3D8BE3E18
C:\WINDOWS\system32\svchost.exe --a---- 38912 bytes [11:00 10/08/2004] [00:12 14/04/2008] B9D3895B2BB916236AA275FF9B28EC60

Searching for "winlogon.exe"
C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe -----c- 502272 bytes [20:49 26/08/2011] [11:00 10/08/2004] 01C3346C241652F43AED8E2149881BFE
C:\WINDOWS\ERDNT\cache\winlogon.exe --a---- 502272 bytes [00:23 13/05/2011] [11:00 10/08/2004] 01C3346C241652F43AED8E2149881BFE
C:\WINDOWS\ServicePackFiles\i386\winlogon.exe --a---- 507904 bytes [19:46 08/08/2011] [00:12 14/04/2008] ED0EF0A136DEC83DF69F04118870003E
C:\WINDOWS\system32\winlogon.exe --a---- 544256 bytes [11:00 10/08/2004] [00:12 14/04/2008] 756E33D30E8B2D3A69FA3EA18630EEB4

-= EOF =-
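The reason a responder asks for a filefind on explorer.exe, svchost.exe and winlogon.exe is to see every copy of those binaries on disk, so that the one Windows actually runs can be compared with the known-good copies the service pack left behind, and so that a copy sitting in a directory where the binary does not belong stands out. The script below is an added example written for this page; it is not part of the thread, not SystemLook, and not code from SystemLook's author. It parses the log posted above (embedded as sample input), treats the C:\WINDOWS\ServicePackFiles\i386 copy as the reference and the other backup directories as non-live (both are assumptions, as is the table of where each binary belongs on a 32-bit XP install), and reports, per file, whether the live copy's MD5 matches the reference, how its size differs, and whether any copy lives somewhere unexpected. A mismatch is a reason to examine the file further (later hotfixes legitimately replace these binaries), not proof of anything on its own.

```python
import re
from collections import defaultdict

# SystemLook ":filefind" output, copied from the log posted earlier in this thread.
SYSTEMLOOK_LOG = r"""
Searching for "explorer.exe"
C:\WINDOWS\explorer.exe --a---- 1056256 bytes [11:00 10/08/2004] [00:12 14/04/2008] 500B1098F945D0EFEC330466EFCDF924
C:\WINDOWS\$NtServicePackUninstall$\explorer.exe -----c- 1032192 bytes [20:50 26/08/2011] [11:00 10/08/2004] A0732187050030AE399B241436565E64
C:\WINDOWS\ERDNT\cache\explorer.exe --a---- 1032192 bytes [00:23 13/05/2011] [11:00 10/08/2004] A0732187050030AE399B241436565E64
C:\WINDOWS\ServicePackFiles\i386\explorer.exe --a---- 1033728 bytes [19:46 08/08/2011] [00:12 14/04/2008] 12896823FB95BFB3DC9B46BCAEDC9923

Searching for "svchost.exe"
C:\WINDOWS\$NtServicePackUninstall$\svchost.exe -----c- 14336 bytes [20:49 26/08/2011] [11:00 10/08/2004] 8F078AE4ED187AAABC0A305146DE6716
C:\WINDOWS\ERDNT\cache\svchost.exe --a---- 14336 bytes [00:23 13/05/2011] [11:00 10/08/2004] 8F078AE4ED187AAABC0A305146DE6716
C:\WINDOWS\ServicePackFiles\i386\svchost.exe --a---- 14336 bytes [19:46 08/08/2011] [00:12 14/04/2008] 27C6D03BCDB8CFEB96B716F3D8BE3E18
C:\WINDOWS\system32\svchost.exe --a---- 38912 bytes [11:00 10/08/2004] [00:12 14/04/2008] B9D3895B2BB916236AA275FF9B28EC60

Searching for "winlogon.exe"
C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe -----c- 502272 bytes [20:49 26/08/2011] [11:00 10/08/2004] 01C3346C241652F43AED8E2149881BFE
C:\WINDOWS\ERDNT\cache\winlogon.exe --a---- 502272 bytes [00:23 13/05/2011] [11:00 10/08/2004] 01C3346C241652F43AED8E2149881BFE
C:\WINDOWS\ServicePackFiles\i386\winlogon.exe --a---- 507904 bytes [19:46 08/08/2011] [00:12 14/04/2008] ED0EF0A136DEC83DF69F04118870003E
C:\WINDOWS\system32\winlogon.exe --a---- 544256 bytes [11:00 10/08/2004] [00:12 14/04/2008] 756E33D30E8B2D3A69FA3EA18630EEB4
"""

# One filefind result line: path, 7-char attribute field, size, two bracketed timestamps, MD5.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<attrs>[-a-z]{7})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<ts1>[^\]]+)\]\s+\[(?P<ts2>[^\]]+)\]\s+(?P<md5>[0-9A-F]{32})$"
)

# Assumption: these directories hold backup copies, not the binary Windows runs.
BACKUP_DIRS = {
    r"c:\windows\$ntservicepackuninstall$",  # pre-service-pack files kept for uninstall
    r"c:\windows\erdnt\cache",               # backup cache written by a repair tool
    r"c:\windows\servicepackfiles\i386",     # copies installed by the service pack
    r"c:\windows\system32\dllcache",         # Windows File Protection cache
}
REFERENCE_DIR = r"c:\windows\servicepackfiles\i386"   # assumed known-good copy
# Assumption: where the live copy of each binary belongs on 32-bit Windows XP.
EXPECTED_LIVE_DIR = {
    "explorer.exe": r"c:\windows",
    "svchost.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
}


def parse_filefind(log_text):
    """Turn SystemLook :filefind result lines into dicts; other lines are skipped."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        directory, _, name = m.group("path").rpartition("\\")
        records.append({
            "path": m.group("path"),
            "dir": directory.lower(),
            "name": name.lower(),
            "attrs": m.group("attrs"),
            "size": int(m.group("size")),
            "timestamps": (m.group("ts1"), m.group("ts2")),  # as SystemLook prints them
            "md5": m.group("md5").upper(),
        })
    return records


def assess(records):
    """Per file name: compare the live copy with the reference copy and flag
    copies found in directories where that binary does not belong."""
    by_name = defaultdict(list)
    for rec in records:
        by_name[rec["name"]].append(rec)

    report = {}
    for name, recs in by_name.items():
        ref = next((r for r in recs if r["dir"] == REFERENCE_DIR), None)
        live_copies = [r for r in recs if r["dir"] not in BACKUP_DIRS]
        expected = EXPECTED_LIVE_DIR.get(name)
        live = next((r for r in live_copies if r["dir"] == expected), None)
        unexpected = [r["path"] for r in live_copies if r["dir"] != expected]
        both = live is not None and ref is not None
        matches = (live["md5"] == ref["md5"]) if both else None
        report[name] = {
            "live_path": live["path"] if live else None,
            "live_md5": live["md5"] if live else None,
            "reference_md5": ref["md5"] if ref else None,
            "matches_reference": matches,
            "size_delta": (live["size"] - ref["size"]) if both else None,
            # second timestamp equal while the hash differs is worth a closer look
            "same_timestamp_as_reference": (live["timestamps"][1] == ref["timestamps"][1]) if both else None,
            "unexpected_copies": unexpected,
            "needs_review": live is None or bool(unexpected) or matches is False,
        }
    return report


def summarize(log_text):
    return assess(parse_filefind(log_text))


if __name__ == "__main__":
    for name, info in summarize(SYSTEMLOOK_LOG).items():
        status = "REVIEW" if info["needs_review"] else "ok"
        print(f"{name:<13} {status:<7} live={info['live_md5']} ref={info['reference_md5']} "
              f"size_delta={info['size_delta']} unexpected={info['unexpected_copies']}")
```

Run against the log above, all three binaries come out as REVIEW: each live copy differs in size and MD5 from its ServicePackFiles counterpart while carrying the same second timestamp, and no copy is in an unexpected directory. That is the pattern the filefind is meant to surface for a human to examine; confirming what the live files actually are (version resources, digital signature, comparison with a clean install) is the next step, not something this parser decides.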



