ionavideo

Members

Posts: 11
Reputation: 0 Neutral
  1. I spent a good portion of last night and today finding out how to remove and then removing the AV malware -- the one that takes over your browser/OS and bombards you with warnings that your system is infected with viruses and only buying their software will make the messages go away. Well, I was feeling quite relieved that Malwarebytes had found 5 trojans and taken care of them. But wait. There's more. After everything seemed back to normal, no more proxy IP, etc .... I cannot access www.lexy.com, the site where I post my podcast. At first I thought their server was down, but I went to the library and was able to log in and post my podcast there -- no problem. This is so weird, because why would a virus or malware block lexy.com and not youtube or vimeo or something like that? I don't have any problem accessing other popular video / audio websites. Can someone explain what is going on and if it's related to my malware removal of the past 24 hours? Thanks.
  2. Thanks, DL. I had actually tried running Malwarebytes earlier today before I read this. It thought bcomfx.sys was not good. I still can't access the Malwarebytes website. Here is an OTL log that I just ran:

     OTL logfile created on: 3/29/2010 5:49:37 PM - Run 4
     OTL by OldTimer - Version 3.1.37.3
     Folder = C:\Documents and Settings\Administrator\Desktop\Anti-Malware stuff
     Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
     Internet Explorer (Version = 6.0.2900.5512)
     < End of report >

     and the jpg is attached.
  3. Hi, here's the OTL script reply:

     ========== OTL ==========
     HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\\NameServer| /E : value set successfully!
     ========== FILES ==========
     C:\WINDOWS\system32\drivers\utm5nje2.sys moved successfully.
     OTL by OldTimer - Version 3.1.37.3 log created on 03252010_195224
     ------------------------

     and the OTL report:

     OTL logfile created on: 3/25/2010 7:55:22 PM - Run 3
     OTL by OldTimer - Version 3.1.37.3
     Folder = D:\Virus Malware removal
     Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
     Internet Explorer (Version = 6.0.2900.5512)
PRC - C:\Program Files\WinTV\TVServer\HauppaugeTVServer.exe (Hauppauge Computer Works) PRC - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (ArcSoft Inc.) PRC - C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe (Gadwin Systems, Inc) PRC - C:\WINDOWS\system32\AsTray.exe (WangYue@BLCU.EDU.CN) PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation) PRC - C:\WINDOWS\system32\acs.exe (Atheros) PRC - E:\Program Files\WinZip\WZQKPICK.EXE (WinZip Computing, Inc.) ========== Modules (SafeList) ========== MOD - D:\Virus Malware removal\OTL.exe (OldTimer Tools) MOD - C:\WINDOWS\system32\DrvPatch.dll (WangYue@BLCU.EDU.CN) ========== Win32 Services (SafeList) ========== SRV - (UPS) -- File not found SRV - (ose) -- File not found SRV - (odserv) -- File not found SRV - (ClipSrv) -- File not found SRV - (CiSvc) -- File not found SRV - (HauppaugeTVServer) -- C:\Program Files\WinTV\TVServer\HauppaugeTVServer.exe (Hauppauge Computer Works) SRV - (ACDaemon) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (ArcSoft Inc.) SRV - (ACS) -- C:\WINDOWS\system32\acs.exe (Atheros) ========== Driver Services (SafeList) ========== DRV - (hcw72DTV) -- C:\WINDOWS\system32\drivers\hcw72DTV.sys (Hauppauge Computer Works, Inc.) DRV - (hcw72ATV) -- C:\WINDOWS\system32\drivers\hcw72ATV.sys (Hauppauge Computer Works, Inc.) DRV - (hcw72ADFilter) -- C:\WINDOWS\system32\drivers\hcw72ADFilter.sys (Hauppauge Computer Works, Inc.) DRV - (usbaudio) USB Audio Driver (WDM) -- C:\WINDOWS\system32\drivers\USBAUDIO.sys (Microsoft Corporation) DRV - (MPE) -- C:\WINDOWS\system32\drivers\MPE.sys (Microsoft Corporation) DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\hdaudbus.sys (Windows ® Server 2003 DDK provider) DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.) DRV - (AtcL002) -- C:\WINDOWS\system32\drivers\l251x86.sys (Atheros Communications, Inc.) 
DRV - (AR5211) -- C:\WINDOWS\system32\drivers\ar5211.sys (Atheros Communications, Inc.)
DRV - (WSIMD) -- C:\WINDOWS\system32\drivers\wsimd.sys (Atheros Communications, Inc.)
DRV - (Afc) -- C:\WINDOWS\system32\drivers\afc.sys (Arcsoft, Inc.)
DRV - (ialm) -- C:\WINDOWS\system32\drivers\igxpmp32.sys (Intel Corporation)
DRV - (APL531) -- C:\WINDOWS\system32\drivers\ov550i.sys (Omnivision Technologies, Inc.)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchURL\g, = http://www.google.com/search?q=%s
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchURL\g, = http://www.google.com/search?q=%s
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchURL\g, = http://www.google.com/search?q=%s

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchURL\g, = http://www.google.com/search?q=%s

IE - HKU\S-1-5-21-1844237615-838170752-515967899-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-1844237615-838170752-515967899-500\Software\Microsoft\Internet Explorer\SearchURL\g, = http://www.google.com/search?q=%s
IE - HKU\S-1-5-21-1844237615-838170752-515967899-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

O1 HOSTS File: ([2001/08/23 07:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\program files\adobe\Acrobat\ActiveX\AcroIEHelper.ocx File not found
O4 - HKLM..\Run: [ACU] C:\Program Files\Atheros\ACU.exe (Atheros Communications, Inc.)
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\ALCMTR.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe (ArcSoft Inc.)
O4 - HKLM..\Run: [igfxTray] C:\WINDOWS\system32\AsTray.exe (WangYue@BLCU.EDU.CN)
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [skyTel] C:\WINDOWS\SkyTel.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [unlockerAssistant] E:\Program Files\File Unlocker\Unlocker\UnlockerAssistant.exe ()
O4 - HKU\S-1-5-21-1844237615-838170752-515967899-500..\Run: [Gadwin PrintScreen] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe (Gadwin Systems, Inc)
O4 - HKU\S-1-5-21-1844237615-838170752-515967899-500..\Run: [sUPERAntiSpyware] E:\Program Files\SUPERAntiSpyware.exe File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk = D:\Program Files\Adobe\Distillr\AcroTray.exe File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinTV Recording Status..lnk = C:\Program Files\WinTV\WinTV7\WinTVTray.exe (Hauppauge Computer Works, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk = E:\Program Files\WinZip\WZQKPICK.EXE (WinZip Computing, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDesktopCleanupWizard = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HideRunAsVerb = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableCAD = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: StartMenuLogoff = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceStartMenuLogoff = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: StartMenuLogoff = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceStartMenuLogoff = 0
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 1
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 1
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: StartMenuLogoff = 1
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceStartMenuLogoff = 0
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 1
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 1
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: StartMenuLogoff = 1
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceStartMenuLogoff = 0
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1
O7 - HKU\S-1-5-21-1844237615-838170752-515967899-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1844237615-838170752-515967899-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1
O7 - HKU\S-1-5-21-1844237615-838170752-515967899-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 1
O7 - HKU\S-1-5-21-1844237615-838170752-515967899-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O7 - HKU\S-1-5-21-1844237615-838170752-515967899-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1
O7 - HKU\S-1-5-21-1844237615-838170752-515967899-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: StartMenuLogoff = 1
O7 - HKU\S-1-5-21-1844237615-838170752-515967899-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceStartMenuLogoff = 0
O7 - HKU\S-1-5-21-1844237615-838170752-515967899-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1
O7 - HKU\S-1-5-21-1844237615-838170752-515967899-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 0
O7 - HKU\S-1-5-21-1844237615-838170752-515967899-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O12 - Plugin for: .spop - C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll File not found
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - Reg Error: Key error. File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - E:\Program Files\SASWINLO.dll - E:\Program Files\SASWINLO.dll File not found
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - E:\Program Files\SASSEH.DLL File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/08/27 15:27:39 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2009/08/27 17:52:02 | 000,000,103 | ---- | M] () - D:\Autorun.inf -- [ FAT32 ]
O33 - MountPoints2\{27ce3bed-9350-11de-a6b0-0015af675024}\Shell\AutoRun\command - "" = D:\LinksysConnectPC.exe -- [2009/08/27 17:52:00 | 003,993,088 | ---- | M] (Linksys, a Division of Cisco Systems, Inc.)
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/03/25 19:45:46 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator\Recent
[2010/03/23 15:06:21 | 000,017,920 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ping.exe
[2010/03/23 15:06:16 | 000,076,800 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\nslookup.exe
[2010/03/23 15:06:10 | 000,055,808 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ipconfig.exe
[2010/03/22 08:26:08 | 000,000,000 | --SD | C] -- C:\bocomfx
[2010/03/20 15:30:48 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/03/18 13:15:49 | 000,056,816 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys
[2010/03/14 20:16:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\gmer
[2010/03/14 15:12:25 | 000,040,448 | ---- | C] (Intel Corporation) -- C:\WINDOWS\System32\igfxres.dll
[2010/03/14 15:08:32 | 000,047,104 | ---- | C] (WangYue@BLCU.EDU.CN) -- C:\WINDOWS\System32\AsTray.exe
[2010/03/14 15:08:29 | 000,011,264 | ---- | C] (WangYue@BLCU.EDU.CN) -- C:\WINDOWS\System32\DrvPatch.dll
[2010/03/14 15:04:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\7-Zip
[2010/03/14 15:03:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\New Folder
[2010/03/14 14:58:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\EEEPC graphics drivers
[2010/03/14 14:34:22 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/03/14 13:25:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Opera
[2010/03/14 13:25:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Opera
[2010/03/14 12:59:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\Anti-Malware stuff
[2010/03/14 11:49:18 | 000,000,000 | ---D | C] -- C:\MGtools
[2010/03/14 11:46:30 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/03/14 11:46:30 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/03/14 11:46:30 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/03/14 11:46:30 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/03/14 11:46:19 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/03/14 11:45:30 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/03/14 10:51:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2010/03/14 10:48:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
[2010/03/14 10:43:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/03/14 10:43:17 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010/03/14 10:42:46 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/03/14 10:42:46 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/03/14 10:42:46 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/03/14 10:42:46 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/03/14 10:42:11 | 000,000,000 | ---D | C] -- C:\Program Files\Java
[2010/03/13 06:23:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2010/03/12 20:43:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\AVG8
[2010/03/12 12:11:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\possible virus or malware
[2010/03/12 12:04:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\igfx Intel graphics driver files
[2010/03/12 11:29:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
[2010/03/12 11:29:49 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/03/12 11:29:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/03/12 11:29:24 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/03/10 21:23:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\ProjectX_Portable
[2010/03/10 21:19:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\tsMuxeR_1.10.6
[2010/03/08 05:27:49 | 000,000,000 | ---D | C] -- C:\Program Files\MSBuild
[2010/03/08 05:27:36 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\XPSViewer
[2010/03/08 05:27:21 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\en-us
[2010/03/08 05:27:20 | 000,000,000 | ---D | C] -- C:\Program Files\Reference Assemblies
[2010/03/08 05:26:38 | 000,022,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\spupdsvc.exe
[2010/03/08 05:26:38 | 000,014,048 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\spmsg2.dll
[2010/03/07 17:46:52 | 000,485,888 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\evr.dll
[2010/03/07 17:46:52 | 000,000,000 | ---D | C] -- C:\My Videos
[2010/03/07 17:46:31 | 000,036,921 | ---- | C] (Hauppauge Computer Works) -- C:\WINDOWS\System32\hcwutl32.dll
[2010/03/07 17:36:09 | 000,000,000 | R-SD | C] -- C:\WINDOWS\assembly
[2010/03/07 17:35:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\v7 wintv
[2010/03/07 17:34:57 | 000,000,000 | ---D | C] -- C:\WINDOWS\PCHEALTH
[2010/03/07 17:34:57 | 000,000,000 | ---D | C] -- C:\WINDOWS\Microsoft.NET
[2010/03/07 17:12:30 | 000,307,256 | ---- | C] (Hauppauge Computer Works) -- C:\WINDOWS\System32\hcwpnp32.dll
[2010/03/07 17:12:30 | 000,106,552 | ---- | C] (Hauppauge Computer Works, Inc.) -- C:\WINDOWS\System32\hcwi2c32.dll
[2010/03/07 17:11:01 | 001,220,224 | ---- | C] (Hauppauge Computer Works, Inc.) -- C:\WINDOWS\System32\drivers\hcw72DTV.sys
[2010/03/07 17:10:55 | 000,028,928 | ---- | C] (Hauppauge Computer Works, Inc.) -- C:\WINDOWS\System32\drivers\hcw72ADFilter.sys
[2010/03/07 17:10:36 | 000,095,744 | ---- | C] (Hauppauge Computer Works, Inc.) -- C:\WINDOWS\System32\hcwcpxx.ax
[2010/03/07 17:10:36 | 000,044,032 | ---- | C] (Hauppauge Computer Works, Inc.) -- C:\WINDOWS\System32\hcw72Co.dll
[2010/03/07 17:10:34 | 001,217,920 | ---- | C] (Hauppauge Computer Works, Inc.) -- C:\WINDOWS\System32\drivers\hcw72ATV.sys
[2010/03/07 13:58:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\LitBirthdays March 2010
[2009/08/27 15:29:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2009/08/27 15:27:32 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009/08/27 15:27:32 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft

========== Files - Modified Within 30 Days ==========

[2010/03/25 19:47:18 | 000,042,612 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\3rd ref backup cc_20100325_194645.reg
[2010/03/22 08:12:32 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/03/22 08:12:29 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/03/20 22:41:27 | 000,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2010/03/20 22:06:05 | 002,883,584 | -H-- | M] () -- C:\Documents and Settings\Administrator\NTUSER.DAT
[2010/03/20 22:06:05 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Administrator\ntuser.ini
[2010/03/20 06:11:04 | 005,880,278 | -H-- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db
[2010/03/20 03:14:51 | 000,056,816 | ---- | M] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys
[2010/03/18 13:43:09 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Administrator\defogger_reenable
[2010/03/18 12:44:22 | 000,525,824 | ---- | M] () -- C:\dds.com
[2010/03/16 21:38:38 | 000,000,558 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/03/16 21:38:38 | 000,000,270 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/03/16 21:38:38 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2010/03/16 07:14:07 | 000,004,972 | ---- | M] () -- C:\WINDOWS\System32\AsTray.ini
[2010/03/14 15:05:42 | 000,939,956 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\7z465.exe
[2010/03/14 13:25:27 | 000,000,430 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Opera.lnk
[2010/03/14 10:45:01 | 000,000,558 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\CCleaner.lnk
[2010/03/14 10:42:17 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deploytk.dll
[2010/03/14 10:42:17 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/03/14 10:42:17 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/03/14 10:42:17 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/03/14 10:42:17 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/03/08 13:42:20 | 000,041,568 | ---- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/03/08 13:41:59 | 000,181,832 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/03/08 13:36:31 | 000,399,130 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/03/08 13:36:30 | 000,444,028 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/03/08 13:36:30 | 000,058,458 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/03/07 18:10:52 | 000,004,161 | ---- | M] () -- C:\WINDOWS\ODBCINST.INI
[2010/03/07 18:10:52 | 000,000,483 | ---- | M] () -- C:\WINDOWS\ODBC.INI
[2010/03/07 18:09:09 | 000,003,536 | ---- | M] () -- C:\WINDOWS\HCWPNP.INI
[2010/03/07 17:52:17 | 000,000,769 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinTV Recording Status..lnk
[2010/03/07 17:52:17 | 000,000,740 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\WinTV 7.lnk
[2010/03/07 16:32:46 | 000,000,425 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Install WinTV 7 CD 1.3a.lnk

========== Files Created - No Company Name ==========

[2010/03/25 19:47:16 | 000,042,612 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\3rd ref backup cc_20100325_194645.reg
[2010/03/18 13:43:09 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator\defogger_reenable
[2010/03/18 13:25:37 | 000,525,824 | ---- | C] () -- C:\dds.com
[2010/03/14 15:08:32 | 000,004,972 | ---- | C] () -- C:\WINDOWS\System32\AsTray.ini
[2010/03/14 15:08:28 | 000,125,952 | ---- | C] () -- C:\WINDOWS\System32\igxpun.exe
[2010/03/14 15:05:41 | 000,939,956 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\7z465.exe
[2010/03/14 13:25:27 | 000,000,430 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Opera.lnk
[2010/03/14 11:46:30 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/03/14 11:46:30 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/03/14 11:46:30 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/03/14 11:46:30 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/03/14 11:46:30 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/03/08 05:29:15 | 000,114,400 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/03/07 17:52:17 | 000,000,769 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinTV Recording Status..lnk
[2010/03/07 17:52:17 | 000,000,740 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\WinTV 7.lnk
[2010/03/07 17:48:54 | 000,142,337 | ---- | C] () -- C:\WINDOWS\System32\Wait.exe
[2010/03/07 17:12:02 | 000,003,536 | ---- | C] () -- C:\WINDOWS\HCWPNP.INI
[2010/03/07 16:32:46 | 000,000,425 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\Install WinTV 7 CD 1.3a.lnk
[2009/12/13 20:48:42 | 000,008,192 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/10/14 15:56:22 | 000,399,360 | ---- | C] () -- C:\WINDOWS\System32\Smab.dll
[2009/10/14 15:17:51 | 000,027,648 | ---- | C] () -- C:\WINDOWS\System32\AVSredirect.dll
[2009/10/11 19:35:14 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\dmcrypto.dll
[2009/10/11 19:22:03 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\PsisDecd.dll
[2009/09/07 10:53:12 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2009/09/06 14:59:41 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\adistres.dll
[2009/09/02 09:43:25 | 000,000,483 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/08/29 16:58:57 | 000,016,773 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2009/08/28 10:00:57 | 000,010,288 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2009/08/27 16:18:30 | 000,077,312 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4704.dll

< End of report >

====================

OTL Extras logfile created on: 3/25/2010 7:55:22 PM - Run 3
OTL by OldTimer - Version 3.1.37.3 Folder = D:\Virus Malware removal
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

503.00 Mb Total Physical Memory | 376.00 Mb Available Physical Memory | 75.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 85.00% Paging File free
Paging file location(s): C:\pagefile.sys 500 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 3.72 Gb Total Space | 1.03 Gb Free Space | 27.84% Space Free | Partition Type: NTFS
Drive D: | 1.88 Gb Total Space | 1.47 Gb Free Space | 78.22% Space Free | Partition Type: FAT32
Drive E: | 1.85 Gb Total Space | 0.98 Gb Free Space | 53.24% Space Free | Partition Type: FAT
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ASUS
Current User Name: Administrator
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = Opera.HTML] -- E:\Program Files\OPERA BROWSER\opera.exe (Opera Software)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "E:\Office12\msohtmed.exe" %1 File not found
htmlfile [open] -- Reg Error: Key error.
htmlfile [opennew] -- Reg Error: Key error.
htmlfile [print] -- "E:\Office12\msohtmed.exe" /p %1 File not found
http [open] -- "E:\Program Files\OPERA BROWSER\opera.exe" (Opera Software)
https [open] -- "E:\Program Files\OPERA BROWSER\opera.exe" (Opera Software)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "D:\Program Files\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" File not found
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "D:\Program Files\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" File not found
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- Reg Error: Key error.
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" File not found

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- File not found

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- File not found
"C:\WINDOWS\system32\dpvsetup.exe" = C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test -- (Microsoft Corporation)
"C:\Program Files\WinTV\WinTV7\WinTV7.exe" = C:\Program Files\WinTV\WinTV7\WinTV7.exe:*:Enabled:WinTV7 -- (Hauppauge Computer Works, Inc.)
"E:\Program Files\OPERA BROWSER\opera.exe" = E:\Program Files\OPERA BROWSER\opera.exe:*:Enabled:Opera Internet Browser -- (Opera Software)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{063E409E-3D7C-4A4A-95AB-2F124B9224B3}" = ArcSoft PhotoImpression 6
"{0A755762-EED8-47AB-A446-505766F93D43}" = Atheros Communications Inc.® L2 Fast Ethernet Driver
"{26A24AE4-039D-4CA4-87B4-2F83216018FF}" = Java 6 Update 18
"{28006915-2739-4EBE-B5E8-49B25D32EB33}" = Atheros Client Installation Program
"{2BA00471-0328-3743-93BD-FA813353A783}" = Microsoft .NET Framework 3.0 Service Pack 1
"{2FC099BD-AC9B-33EB-809C-D332E1B27C40}" = Microsoft .NET Framework 3.5
"{332BCC03-A1B7-4BE7-8C8A-2B1333E22C33}" = Opera 10.50
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{5A347920-4AFC-11D5-9FB0-800649886934}" = SDFormatter
"{6B566EFE-DC1D-471F-93DD-84832663F140}" = OVT Scanner X86
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{91120000-0013-0000-0000-0000000FF1CE}" = Microsoft Office Basic 2007
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{B508B3F1-A24A-32C0-B310-85786919EF28}" = Microsoft .NET Framework 2.0 Service Pack 1
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"7-Zip" = 7-Zip 4.65
"Adobe Acrobat 5.0" = Adobe Acrobat 5.0
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Photoshop 7.0" = Adobe Photoshop 7.0
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"Audacity_is1" = Audacity 1.2.6
"CCleaner" = CCleaner
"Cool Edit Pro 2.1" = Cool Edit Pro 2.1
"Gadwin PrintScreen" = Gadwin PrintScreen
"Hauppauge WinTV 7" = Hauppauge WinTV 7
"HDMI" = Intel® Graphics Media Accelerator Driver
"HijackThis" = HijackThis 2.0.2
"Karen's Computer Profiler" = Karen's Computer Profiler
"Karen's Time Sync" = Karen's Time Sync
"Karen's WhoIs" = Karen's WhoIs
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5" = Microsoft .NET Framework 3.5
"Nero - Burning Rom!UninstallKey" = Nero OEM
"OVT Scanner" = Uninstall OVT Scanner
"QuicktimeAlt_is1" = QuickTime Alternative 3.0.0
"RealAlt_is1" = Real Alternative 2.0.1
"ST6UNST #1" = Karen's Disk Slack Checker
"SUPER
  4. Okey dokey

-----------------------------
March 23 Results.txt

*** Can't find server name for address 93.188.162.117: Server failed
Server:  93.188.161.67.static.ukrtelegroup.com.ua
Address:  93.188.161.67

Name:    www.malwarebytes.org

*** 93.188.162.117.static.ukrtelegroup.com.ua can't find www.safer-networking.org: Non-existent domain
Server:  93.188.162.117.static.ukrtelegroup.com.ua
Address:  93.188.162.117

Ping request could not find host www.safer-networking.org. Please check the name and try again.

Windows IP Configuration

Host Name . . . . . . . . . . . . : asus
Primary Dns Suffix  . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : dc.dc.cox.net

Ethernet adapter Wireless Network Connection:

Connection-specific DNS Suffix  . : dc.dc.cox.net
Description . . . . . . . . . . . : Atheros AR5007EG Wireless Network Adapter
Physical Address. . . . . . . . . : 00-15-AF-67-50-24
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.1.117
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 93.188.162.117
                                    93.188.161.67
Lease Obtained. . . . . . . . . . : Tuesday, March 23, 2010 3:36:07 PM
Lease Expires . . . . . . . . . . : Wednesday, March 24, 2010 3:36:07 PM

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Atheros L2 Fast Ethernet 10/100 Base-T Controller
Physical Address. . . . . . . . . : 00-1E-8C-41-7C-C8

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

Server:  93.188.162.117.static.ukrtelegroup.com.ua
Address:  93.188.162.117

Name:    www.malwarebytes.org

*** 93.188.162.117.static.ukrtelegroup.com.ua can't find www.safer-networking.org: Non-existent domain
Server:  93.188.162.117.static.ukrtelegroup.com.ua
Address:  93.188.162.117

Ping request could not find host www.safer-networking.org. Please check the name and try again.

------------------------------------
March 23 OTL report

========== SERVICES/DRIVERS ==========
Service utm5nje2 stopped successfully!
Service utm5nje2 deleted successfully!
Error: No service named :files was found to stop!
Service\Driver key :files not found.
Error: No service named C:\WINDOWS\system32\drivers\utm5nje2.sys was found to stop!
Service\Driver key C:\WINDOWS\system32\drivers\utm5nje2.sys not found.

OTL by OldTimer - Version 3.1.37.3 log created on 03232010_151434
=======================

About Start-Run: I don't have a Start-Run. At least I can't find it. I always go to a command line prompt when I'm following instructions that say Start-Run. In this case the command line uninstall instruction couldn't find the file. Can't I just delete the bocomfx.exe file?

Thank you, DL.
  5. Thank you, DeltaLima. We don't want you saying this is a thankless job. Internet access is not blocked on the infected PC. The ISP is Cox Cable. bocomfx.exe is my renaming of combofix. I could not get it to run properly, and it still can't. It says "PING is not recognized" and "Combofix is preparing to run" and then nothing. I think I screwed something up when I put it on the PC, because ... well never mind, it's off the topic. Here is Virus Total for both files:

===================
virustotal results

File utm5nje2.sys received on 2010.03.22 13:39:22 (UTC)
Current status: finished
Result: 18/42 (42.86%)
Compact
================================
Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.03.22 Trojan.Win32.Bagle!IK
AhnLab-V3 5.0.0.2 2010.03.22 -
AntiVir 8.2.1.196 2010.03.22 -
Antiy-AVL 2.0.3.7 2010.03.19 -
Authentium 5.2.0.5 2010.03.22 W32/Bagle.IJ
Avast 4.8.1351.0 2010.03.22 -
Avast5 5.0.332.0 2010.03.22 -
AVG 9.0.0.787 2010.03.22 -
BitDefender 7.2 2010.03.22 -
CAT-QuickHeal 10.00 2010.03.22 -
ClamAV 0.96.0.0-git 2010.03.22 Trojan.Agent-66914
Comodo 4349 2010.03.22 -
DrWeb 5.0.1.12222 2010.03.22 -
eSafe 7.0.17.0 2010.03.21 Win32.Bagle.RC.worm
eTrust-Vet 35.2.7381 2010.03.22 -
F-Prot 4.5.1.85 2010.03.22 W32/Bagle.IJ
F-Secure 9.0.15370.0 2010.03.22 Rootkit:W32/Bagle.SR
Fortinet 4.0.14.0 2010.03.22 W32/Bagle.ZNG!worm
GData 19 2010.03.22 -
Ikarus T3.1.1.80.0 2010.03.22 Trojan.Win32.Bagle
Jiangmin 13.0.900 2010.03.22 Trojan/Agent.cmdf
K7AntiVirus 7.10.1002 2010.03.19 Trojan.Win32.Malware.1
Kaspersky 7.0.0.125 2010.03.22 -
McAfee 5927 2010.03.21 -
McAfee+Artemis 5927 2010.03.21 -
McAfee-GW-Edition 6.8.5 2010.03.22 -
Microsoft 1.5605 2010.03.22 -
NOD32 4965 2010.03.22 -
Norman 6.04.09 2010.03.22 W32/Bagle.GEX
nProtect 2009.1.8.0 2010.03.22 Worm/W32.Bagle.7168
Panda 10.0.2.2 2010.03.22 -
PCTools 7.0.3.5 2010.03.22 Trojan-Downloader.Bagle
Prevx 3.0 2010.03.22 Medium Risk Malware
Rising 22.40.00.04 2010.03.22 Trojan.Win32.Generic.51E920C9
Sophos 4.51.0 2010.03.22 -
Sunbelt 6024 2010.03.22 Trojan.Win32.Generic!BT
Symantec 20091.2.0.41 2010.03.22 -
TheHacker 6.5.2.0.241 2010.03.22 Trojan/Rootkit.gen
TrendMicro 9.120.0.1004 2010.03.22 -
VBA32 3.12.12.2 2010.03.19 -
ViRobot 2010.3.22.2238 2010.03.22 Trojan.Win32.Bagle.7168
VirusBuster 5.0.27.0 2010.03.21 -
==================
Additional information
File size: 7168 bytes
MD5...: 524d8d450622db4a7875b111c299a76b
SHA1..: fe22db1e0b864e77baeca5520c05c42431784fd8
SHA256: 7ae9aae77884ac0baa2f8168b3ed4de0c0c9834a42d8e5a775f47a2c66cec237
ssdeep: 96:wQQovxXZHQ7SioGfU2zSVeUvaUOPLNI8n1Sw1xJj0o:w+PQ/oV2z2eaaUOW8R I
PEiD..: -
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x1990
timedatestamp.....: 0x4788d40f (Sat Jan 12 14:51:59 2008)
machinetype.......: 0x14c (I386)
( 6 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x9d4 0xa00 5.78 b65e29f81689fbde8b3d49891e4011de
.rdata 0x2000 0x144 0x200 2.93 4c5e3a3a7d9a4ad57704be677563d7ca
.data 0x3000 0x20 0x200 0.26 4f4f5306b935a3d853c02c6c206aa506
INIT 0x4000 0x292 0x400 3.74 a077364ef66a2ed1ad88d7557f37474a
.rsrc 0x5000 0x300 0x400 2.56 85021f99de084aa59772f678fd7aaf3a
.reloc 0x6000 0x106 0x200 2.65 173202905f3e2cfaecaf72eb73fd3c1c
( 2 imports )
> ntoskrnl.exe: MmIsAddressValid, MmProbeAndLockPages, MmMapLockedPagesSpecifyCache, MmBuildMdlForNonPagedPool, IoAllocateMdl, _except_handler3, ObfDereferenceObject, ObReferenceObjectByName, MmUnlockPages, RtlInitUnicodeString, KeServiceDescriptorTable, PsGetCurrentProcessId, IoGetCurrentProcess, IoDeleteDevice, IoCreateSymbolicLink, IoCreateDevice, IoDeleteSymbolicLink, IoFreeMdl, IoDriverObjectType, IofCompleteRequest
> HAL.dll: KfLowerIrql, KeRaiseIrqlToDpcLevel
( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable Generic (68.0%)
Generic Win/DOS Executable (15.9%)
DOS Executable Generic (15.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=524d8d450622db4a7875b111c299a76b
sigcheck:
publisher....: n/a
copyright....: Zaitsev Oleg, Copyright © 2004-2006
product......: AVZ Driver
description..: AVZ Driver
original name: avz.sys
internal name: avz.sys
file version.: 1, 2, 0, 0
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
http://info.prevx.com/aboutprogramtext.asp?PX5=16590770003B863E1CA000B5C14F3D00CCFB2D16

---------------------------------
File bocomfx.exe received on 2010.03.22 13:47:59 (UTC)
Current status: finished
Result: 7/42 (16.67%)
======================
Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.03.22 -
AhnLab-V3 5.0.0.2 2010.03.22 -
AntiVir 8.2.1.196 2010.03.22 -
Antiy-AVL 2.0.3.7 2010.03.19 -
Authentium 5.2.0.5 2010.03.22 -
Avast 4.8.1351.0 2010.03.22 -
Avast5 5.0.332.0 2010.03.22 -
AVG 9.0.0.787 2010.03.22 -
BitDefender 7.2 2010.03.22 -
CAT-QuickHeal 10.00 2010.03.22 -
ClamAV 0.96.0.0-git 2010.03.22 -
Comodo 4349 2010.03.22 ApplicUnsaf.Win32.Hide.~AB
DrWeb 5.0.1.12222 2010.03.22 -
eSafe 7.0.17.0 2010.03.21 -
eTrust-Vet 35.2.7381 2010.03.22 -
F-Prot 4.5.1.85 2010.03.22 -
F-Secure 9.0.15370.0 2010.03.22 -
Fortinet 4.0.14.0 2010.03.22 PossibleThreat
GData 19 2010.03.22 -
Ikarus T3.1.1.80.0 2010.03.22 -
Jiangmin 13.0.900 2010.03.22 Backdoor/RBot.oqm
K7AntiVirus 7.10.1002 2010.03.19 -
Kaspersky 7.0.0.125 2010.03.22 -
McAfee 5927 2010.03.21 -
McAfee+Artemis 5927 2010.03.21 Artemis!696CAFEF7D46
McAfee-GW-Edition 6.8.5 2010.03.22 -
Microsoft 1.5605 2010.03.22 -
NOD32 4965 2010.03.22 -
Norman 6.04.09 2010.03.22 -
nProtect 2009.1.8.0 2010.03.22 -
Panda 10.0.2.2 2010.03.22 -
PCTools 7.0.3.5 2010.03.22 Application.NirCmd
Prevx 3.0 2010.03.22 -
Rising 22.40.00.04 2010.03.22 -
Sophos 4.51.0 2010.03.22 NirCmd
Sunbelt 6024 2010.03.22 -
Symantec 20091.2.0.41 2010.03.22 -
TheHacker 6.5.2.0.241 2010.03.22 -
TrendMicro 9.120.0.1004 2010.03.22 -
VBA32 3.12.12.2 2010.03.19 Trojan.Win32.Agent2.cpop
ViRobot 2010.3.22.2238 2010.03.22 -
VirusBuster 5.0.27.0 2010.03.21 -

Additional information
File size: 3888953 bytes
MD5...: 696cafef7d468312521ca0daf9443c22
SHA1..: cf338a8111bb34c47023cd27ed9e15576a253116
SHA256: 12139e4259122142a5e79877faa8404d2add9ba36acfbd38dd1af6e884a0b43b
ssdeep: 98304:ZdT5ACRG3hpdqdg4t6lrhikwZqIB+HpPsFj8:7y+GIdtWikwvoH6Fj8
PEiD..: -
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x25a60
timedatestamp.....: 0x4a6427af (Mon Jul 20 08:15:43 2009)
machinetype.......: 0x14c (I386)
( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
UPX0 0x1000 0x1a000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
UPX1 0x1b000 0xb000 0xac00 7.91 1bc1245ff9048fed736ae63682ed39f4
.rsrc 0x26000 0x2000 0x1800 4.36 e4b3312c3ff4026176ec0979d40e3540
( 9 imports )
> KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
> ADVAPI32.dll: RegCloseKey
> COMCTL32.dll: -
> COMDLG32.dll: GetSaveFileNameA
> GDI32.dll: DeleteDC
> ole32.dll: OleInitialize
> OLEAUT32.dll: -
> SHELL32.dll: SHGetMalloc
> USER32.dll: GetDC
( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: UPX compressed Win32 Executable (39.5%)
Win32 EXE Yoda's Crypter (34.3%)
Win32 Executable Generic (11.0%)
Win32 Dynamic Link Library (generic) (9.8%)
Generic Win/DOS Executable (2.5%)
packers (Kaspersky): PE_Patch.UPX, UPX, PE_Patch.UPX, UPX, PE_Patch.PECompact, PecBundle, PECompact, PE_Patch.PECompact, PecBundle, PECompact, UPX, PE_Patch.UPX, UPX, UPX, UPX, PE_Patch.UPX, UPX, PE_Patch.UPX, UPX, PE_Patch.UPX, UPX, PE_Patch, PE_Patch.UPX, UPX, PE_Patch.UPX, UPX, PE_Patch.UPX, UPX, UPX, UPX, PE_Patch.UPX, UPX
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
packers (F-Prot): RAR, UPX, PecBundle, PECompact
====================

Here is the GMER file

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-22 09:05:15
Windows 5.1.2600 Service Pack 3
Running: mrge.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pxtdrpoc.sys

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

---- EOF - GMER 1.0.15 ----
====================

Toodles.
  6. Okay. Ran TFC. It took a few seconds. Uploaded fqomoa.exe to Virus Total. I don't understand: is 67% bad? It's a passing grade. Note that I have to do things from the desktop pc, so the upload to VirusTotal is done from the non-infected desktop. My little eee pc does not compute nslookup or ping. I tested the script on the desktop pc and it did return DNS for both, but was only able to contact safer-net.

========================
VirusTotal Scan of fqomoa.exe

File Fqomoa.exe received on 2010.03.21 02:05:35 (UTC)
Current status: finished
Result: 28/42 (66.67%)
============================================================================
Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.03.20 Packed.Win32.Krap.as!A2
AhnLab-V3 5.0.0.2 2010.03.20 -
AntiVir 8.2.1.196 2010.03.19 TR/Crypt.XPACK.Gen2
Antiy-AVL 2.0.3.7 2010.03.19 Packed/Win32.Krap.gen
Authentium 5.2.0.5 2010.03.21 W32/FraudPack.E!Generic
Avast 4.8.1351.0 2010.03.20 Win32:Rootkit-gen
Avast5 5.0.332.0 2010.03.20 Win32:Rootkit-gen
AVG 9.0.0.787 2010.03.20 FakeAV.ACM
BitDefender 7.2 2010.03.21 -
CAT-QuickHeal 10.00 2010.03.19 Trojan.Krap.as
ClamAV 0.96.0.0-git 2010.03.20 -
Comodo 4335 2010.03.21 -
DrWeb 5.0.1.12222 2010.03.21 Trojan.DownLoad1.16994
eSafe 7.0.17.0 2010.03.18 -
eTrust-Vet 35.2.7376 2010.03.19 Win32/Wardunlo.EG
F-Prot 4.5.1.85 2010.03.21 W32/FraudPack.E!Generic
F-Secure 9.0.15370.0 2010.03.20 -
Fortinet 4.0.14.0 2010.03.20 -
GData 19 2010.03.21 Win32:Rootkit-gen
Ikarus T3.1.1.80.0 2010.03.20 -
Jiangmin 13.0.900 2010.03.20 Packed.Krap.brif
K7AntiVirus 7.10.1002 2010.03.19 -
Kaspersky 7.0.0.125 2010.03.21 Packed.Win32.Krap.as
McAfee 5926 2010.03.20 Downloader-CEW
McAfee+Artemis 5926 2010.03.20 Downloader-CEW
McAfee-GW-Edition 6.8.5 2010.03.20 Trojan.Crypt.XPACK.Gen2
Microsoft 1.5605 2010.03.20 TrojanDownloader:Win32/Renos.KF
NOD32 4961 2010.03.20 Win32/TrojanDownloader.FakeAlert.AQI
Norman 6.04.09 2010.03.20 -
nProtect 2009.1.8.0 2010.03.20 -
Panda 10.0.2.2 2010.03.20 -
PCTools 7.0.3.5 2010.03.20 -
Prevx 3.0 2010.03.21 Medium Risk Malware
Rising 22.39.06.01 2010.03.21 Trojan.Win32.Nodef.zaf
Sophos 4.51.0 2010.03.21 Mal/FakeAV-CO
Sunbelt 5999 2010.03.21 Trojan.Win32.Generic!SB.0
Symantec 20091.2.0.41 2010.03.21 Suspicious.Insight
TheHacker 6.5.2.0.241 2010.03.21 Trojan/Krap.as
TrendMicro 9.120.0.1004 2010.03.20 TROJ_RENOS.SMPE
VBA32 3.12.12.2 2010.03.19 -
ViRobot 2010.3.19.2236 2010.03.20 Trojan.Win32.Krap.152064.E
VirusBuster 5.0.27.0 2010.03.20 Trojan.Codecpack.Gen.3

Additional information
File size: 152064 bytes
MD5...: a05fa53fb7b153933193d8e636d9132e
SHA1..: 761432e3cc4942d3a2b51f0d9e087d900c588cff
SHA256: 1b48d574076109503221c9fa698d33ee9df6c41b115ab38b3e6614995ef9cffc
ssdeep: 3072:uCoV0uyTwEwc1Iq+p/xwnvnd6fqXWIpRd:m01rJIq+pZwn/UiGIB
PEiD..: -
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x1446
timedatestamp.....: 0x4aeb0cb7 (Fri Oct 30 15:56:39 2009)
machinetype.......: 0x14c (I386)
( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
BSS 0x1000 0x697e 0x6a00 5.42 b2f8f08fdd6ab7545d68a7ac25769281
DATA 0x8000 0x32cc5 0x1ce00 7.27 027ec3a7754f776339b6377ac7c69d3f
.tls 0x3b000 0x101d 0x1200 2.70 ce10e5f1eb474d8669597ac678b2dfda
.edata 0x3d000 0x12b 0x200 0.00 bf619eac0cdf3f68d496ea9344137e8b
.data 0x3e000 0x1e0 0x200 0.06 ca23f95849f3213e71961b45b3f0f880
( 6 imports )
> KERNEL32.DLL: LocalAlloc, GetStartupInfoA, ExitProcess, FindResourceA, CreateFileA, VirtualAlloc, GetUserDefaultLCID, GetStringTypeA, GetStringTypeW, GetVersion, VirtualAllocEx, SetEndOfFile, LocalFree, MoveFileA, GetOEMCP, InitializeCriticalSection, GetProcessHeap, lstrlenA, LoadLibraryExA
> user32.dll: DrawMenuBar, GetMenuItemInfoA, MessageBoxA, EnumThreadWindows, GetSysColor, CreateWindowExA, DrawFrameControl, DrawIcon, SetWindowTextA, DrawEdge, CreatePopupMenu, BeginDeferWindowPos, EndDeferWindowPos, SystemParametersInfoA, DefMDIChildProcA, GetMenuState, RegisterClassA, FrameRect
> comdlg32.dll: GetOpenFileNameA
> OLE32.DLL: StringFromIID, CoCreateGuid, CoGetMalloc, WriteClassStm, CreateOleAdviseHolder, CoUnmarshalInterface
> advapi32.dll: RegDeleteValueA
> MSVCRT.DLL: atol, time, sprintf, wcscspn, exit, swprintf, rand, memcpy, tolower, sqrt, calloc, memmove, memset
( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable Generic (38.4%)
Win32 Dynamic Link Library (generic) (34.2%)
Clipper DOS Executable (9.1%)
Generic Win/DOS Executable (9.0%)
DOS Executable Generic (9.0%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
http://info.prevx.com/aboutprogramtext.asp?PX5=F0887DE30065B2CD525E027B77201F0070C8CDC2

=============================
script

'Nslookup' is not recognized as an internal or external command, operable program or batch file.
'Nslookup' is not recognized as an internal or external command, operable program or batch file.
'Ping' is not recognized as an internal or external command, operable program or batch file.
'ping' is not recognized as an internal or external command, operable program or batch file.
===================
  7. Alas, DeltaLima, would 'twere that easy. They are clever. Here is the log. I cannot get to malwarebytes.org or spybot (safer-networking.org). I don't want to confuse things with too much information, but I do have:

- someone else answered my original post with some info on where the tubezz.org url redirects to -- Ohmniscient's post. I can't find the message placed on malwarebytes, but I did find another post at McAfee site:

-------------------------------
"then redirects to: http://update-center.net/microsoft/get_update.php?sid=2 which redirects to: http://thetubestores.com/xplays.php?id=45158, which redirects to: http://besttoolsonline.com/video-plugin.45158.exe which is a malware!
-----------------------------------------------

- This article just came up on Google: "It seems that fans around the world are not the only ones who are hooked on the Oscars. Just a day after this year
  8. Hi, here are the OTL results - I'm attaching the txt files.

=====================
OTL logfile created on: 3/20/2010 3:44:53 AM - Run 2
OTL by OldTimer - Version 3.1.37.3     Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

503.00 Mb Total Physical Memory | 343.00 Mb Available Physical Memory | 68.00% Memory free
974.00 Mb Paging File | 852.00 Mb Available in Paging File | 87.00% Paging File free
Paging file location(s): C:\pagefile.sys 500 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 3.72 Gb Total Space | 1.23 Gb Free Space | 33.07% Space Free | Partition Type: NTFS
Drive D: | 1.88 Gb Total Space | 1.47 Gb Free Space | 78.27% Space Free | Partition Type: FAT32
Drive E: | 1.85 Gb Total Space | 0.98 Gb Free Space | 53.24% Space Free | Partition Type: FAT
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ASUS
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Administrator\Desktop\random.exe (OldTimer Tools)
PRC - E:\Program Files\File Unlocker\Unlocker\UnlockerAssistant.exe ()
PRC - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (ArcSoft Inc.)
PRC - C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe (Gadwin Systems, Inc)
PRC - C:\WINDOWS\system32\AsTray.exe (WangYue@BLCU.EDU.CN)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - E:\Program Files\WinZip\WZQKPICK.EXE (WinZip Computing, Inc.)
========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Administrator\Desktop\random.exe (OldTimer Tools)
MOD - E:\Program Files\File Unlocker\Unlocker\UnlockerHook.dll ()
MOD - C:\WINDOWS\system32\DrvPatch.dll (WangYue@BLCU.EDU.CN)

========== Win32 Services (SafeList) ==========

SRV - (UPS) -- File not found
SRV - (ose) -- File not found
SRV - (odserv) -- File not found
SRV - (ClipSrv) -- File not found
SRV - (CiSvc) -- File not found
SRV - (HauppaugeTVServer) -- C:\Program Files\WinTV\TVServer\HauppaugeTVServer.exe (Hauppauge Computer Works)
SRV - (ACDaemon) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (ArcSoft Inc.)
SRV - (ACS) -- C:\WINDOWS\system32\acs.exe (Atheros)

========== Driver Services (SafeList) ==========

DRV - (utm5nje2) -- C:\WINDOWS\system32\drivers\utm5nje2.sys ()
DRV - (hcw72DTV) -- C:\WINDOWS\system32\drivers\hcw72DTV.sys (Hauppauge Computer Works, Inc.)
DRV - (hcw72ATV) -- C:\WINDOWS\system32\drivers\hcw72ATV.sys (Hauppauge Computer Works, Inc.)
DRV - (hcw72ADFilter) -- C:\WINDOWS\system32\drivers\hcw72ADFilter.sys (Hauppauge Computer Works, Inc.)
DRV - (usbaudio) USB Audio Driver (WDM) -- C:\WINDOWS\system32\drivers\USBAUDIO.sys (Microsoft Corporation)
DRV - (MPE) -- C:\WINDOWS\system32\drivers\MPE.sys (Microsoft Corporation)
DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\hdaudbus.sys (Windows ® Server 2003 DDK provider)
DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)
DRV - (AtcL002) -- C:\WINDOWS\system32\drivers\l251x86.sys (Atheros Communications, Inc.)
DRV - (AR5211) -- C:\WINDOWS\system32\drivers\ar5211.sys (Atheros Communications, Inc.)
DRV - (WSIMD) -- C:\WINDOWS\system32\drivers\wsimd.sys (Atheros Communications, Inc.)
DRV - (Afc) -- C:\WINDOWS\system32\drivers\afc.sys (Arcsoft, Inc.)
DRV - (ialm) -- C:\WINDOWS\system32\drivers\igxpmp32.sys (Intel Corporation)
DRV - (APL531) -- C:\WINDOWS\system32\drivers\ov550i.sys (Omnivision Technologies, Inc.)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchURL\g, = http://www.google.com/search?q=%s
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchURL\g, = http://www.google.com/search?q=%s
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchURL\g, = http://www.google.com/search?q=%s

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchURL\g, = http://www.google.com/search?q=%s

IE - HKU\S-1-5-21-1844237615-838170752-515967899-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-1844237615-838170752-515967899-500\Software\Microsoft\Internet Explorer\SearchURL\g, = http://www.google.com/search?q=%s
IE - HKU\S-1-5-21-1844237615-838170752-515967899-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

O1 HOSTS File: ([2001/08/23 07:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\program files\adobe\Acrobat\ActiveX\AcroIEHelper.ocx File not found
O4 - HKLM..\Run: [ACU] C:\Program Files\Atheros\ACU.exe (Atheros Communications, Inc.)
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\ALCMTR.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe (ArcSoft Inc.)
O4 - HKLM..\Run: [igfxTray] C:\WINDOWS\system32\AsTray.exe (WangYue@BLCU.EDU.CN)
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [skyTel] C:\WINDOWS\SkyTel.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [unlockerAssistant] E:\Program Files\File Unlocker\Unlocker\UnlockerAssistant.exe ()
O4 - HKU\S-1-5-21-1844237615-838170752-515967899-500..\Run: [Gadwin PrintScreen] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe (Gadwin Systems, Inc)
O4 - HKU\S-1-5-21-1844237615-838170752-515967899-500..\Run: [sUPERAntiSpyware] E:\Program Files\SUPERAntiSpyware.exe File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk = D:\Program Files\Adobe\Distillr\AcroTray.exe File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinTV Recording Status..lnk = C:\Program Files\WinTV\WinTV7\WinTVTray.exe (Hauppauge Computer Works, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk = E:\Program Files\WinZip\WZQKPICK.EXE (WinZip Computing, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDesktopCleanupWizard = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HideRunAsVerb = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableCAD = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: StartMenuLogoff = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceStartMenuLogoff = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: StartMenuLogoff = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceStartMenuLogoff = 0
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 1
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 1
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: StartMenuLogoff = 1
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceStartMenuLogoff = 0
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 1
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 1
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: StartMenuLogoff = 1
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceStartMenuLogoff = 0
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1
O7 - HKU\S-1-5-21-1844237615-838170752-515967899-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1844237615-838170752-515967899-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1
O7 - HKU\S-1-5-21-1844237615-838170752-515967899-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 1
O7 - HKU\S-1-5-21-1844237615-838170752-515967899-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O7 - HKU\S-1-5-21-1844237615-838170752-515967899-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1
O7 - HKU\S-1-5-21-1844237615-838170752-515967899-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: StartMenuLogoff = 1
O7 - HKU\S-1-5-21-1844237615-838170752-515967899-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceStartMenuLogoff = 0
O7 - HKU\S-1-5-21-1844237615-838170752-515967899-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1
O7 - HKU\S-1-5-21-1844237615-838170752-515967899-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 0
O7 - HKU\S-1-5-21-1844237615-838170752-515967899-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O12 - Plugin for: .spop - C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll File not found
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.162.117,93.188.161.67
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - Reg Error: Key error. File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - E:\Program Files\SASWINLO.dll - E:\Program Files\SASWINLO.dll File not found
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - E:\Program Files\SASSEH.DLL File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/08/27 15:27:39 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2009/08/27 17:52:02 | 000,000,103 | ---- | M] () - D:\Autorun.inf -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/03/20 03:44:28 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator\Recent
[2010/03/20 03:16:15 | 000,555,520 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\random.exe
[2010/03/19 11:38:27 | 000,000,000 | --SD | C] -- C:\bocomfx
[2010/03/18 13:15:49 | 000,056,816 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys
[2010/03/14 20:16:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\gmer
[2010/03/14 15:12:25 | 000,040,448 | ---- | C] (Intel Corporation) -- C:\WINDOWS\System32\igfxres.dll
[2010/03/14 15:08:32 | 000,047,104 | ---- | C] (WangYue@BLCU.EDU.CN) -- C:\WINDOWS\System32\AsTray.exe
[2010/03/14 15:08:29 | 000,011,264 | ---- | C] (WangYue@BLCU.EDU.CN) -- C:\WINDOWS\System32\DrvPatch.dll
[2010/03/14 15:04:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\7-Zip
[2010/03/14 15:03:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\New Folder
[2010/03/14 14:58:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\EEEPC graphics drivers
[2010/03/14 14:34:22 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/03/14 13:25:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Opera
[2010/03/14 13:25:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Opera
[2010/03/14 12:59:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\Anti-Malware stuff
[2010/03/14 11:49:18 | 000,000,000 | ---D | C] -- C:\MGtools
[2010/03/14 11:46:30 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/03/14 11:46:30 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/03/14 11:46:30 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/03/14 11:46:30 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/03/14 11:46:19 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/03/14 11:45:30 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/03/14 10:51:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2010/03/14 10:48:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
[2010/03/14 10:43:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/03/14 10:43:17 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010/03/14 10:42:46 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/03/14 10:42:46 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/03/14 10:42:46 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/03/14 10:42:46 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/03/14 10:42:11 | 000,000,000 | ---D | C] -- C:\Program Files\Java
[2010/03/13 06:23:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2010/03/12 20:43:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\AVG8
[2010/03/12 12:11:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\possible virus or malware
[2010/03/12 12:04:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\igfx Intel graphics driver files
[2010/03/12 11:29:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
[2010/03/12 11:29:49 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/03/12 11:29:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/03/12 11:29:24 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/03/10 21:23:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\ProjectX_Portable
[2010/03/10 21:19:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\tsMuxeR_1.10.6
[2010/03/08 05:27:49 | 000,000,000 | ---D | C] -- C:\Program Files\MSBuild
[2010/03/08 
05:27:36 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\XPSViewer [2010/03/08 05:27:21 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\en-us [2010/03/08 05:27:20 | 000,000,000 | ---D | C] -- C:\Program Files\Reference Assemblies [2010/03/08 05:26:38 | 000,022,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\spupdsvc.exe [2010/03/08 05:26:38 | 000,014,048 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\spmsg2.dll [2010/03/07 17:46:52 | 000,485,888 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\evr.dll [2010/03/07 17:46:52 | 000,000,000 | ---D | C] -- C:\My Videos [2010/03/07 17:46:31 | 000,036,921 | ---- | C] (Hauppauge Computer Works) -- C:\WINDOWS\System32\hcwutl32.dll [2010/03/07 17:36:09 | 000,000,000 | R-SD | C] -- C:\WINDOWS\assembly [2010/03/07 17:35:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\v7 wintv [2010/03/07 17:34:57 | 000,000,000 | ---D | C] -- C:\WINDOWS\PCHEALTH [2010/03/07 17:34:57 | 000,000,000 | ---D | C] -- C:\WINDOWS\Microsoft.NET [2010/03/07 17:12:30 | 000,307,256 | ---- | C] (Hauppauge Computer Works) -- C:\WINDOWS\System32\hcwpnp32.dll [2010/03/07 17:12:30 | 000,106,552 | ---- | C] (Hauppauge Computer Works, Inc.) -- C:\WINDOWS\System32\hcwi2c32.dll [2010/03/07 17:11:01 | 001,220,224 | ---- | C] (Hauppauge Computer Works, Inc.) -- C:\WINDOWS\System32\drivers\hcw72DTV.sys [2010/03/07 17:10:55 | 000,028,928 | ---- | C] (Hauppauge Computer Works, Inc.) -- C:\WINDOWS\System32\drivers\hcw72ADFilter.sys [2010/03/07 17:10:36 | 000,095,744 | ---- | C] (Hauppauge Computer Works, Inc.) -- C:\WINDOWS\System32\hcwcpxx.ax [2010/03/07 17:10:36 | 000,044,032 | ---- | C] (Hauppauge Computer Works, Inc.) -- C:\WINDOWS\System32\hcw72Co.dll [2010/03/07 17:10:34 | 001,217,920 | ---- | C] (Hauppauge Computer Works, Inc.) 
-- C:\WINDOWS\System32\drivers\hcw72ATV.sys [2010/03/07 13:58:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\LitBirthdays March 2010 [2009/08/27 15:29:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft [2009/08/27 15:27:32 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft [2009/08/27 15:27:32 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft [7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ] [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ] ========== Files - Modified Within 30 Days ========== [2010/03/20 03:24:56 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat [2010/03/20 03:24:24 | 002,883,584 | -H-- | M] () -- C:\Documents and Settings\Administrator\NTUSER.DAT [2010/03/20 03:24:24 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Administrator\ntuser.ini [2010/03/20 03:24:17 | 005,879,024 | -H-- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db [2010/03/20 03:14:51 | 000,056,816 | ---- | M] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys [2010/03/19 18:23:44 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\random.exe [2010/03/18 13:44:46 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl [2010/03/18 13:43:09 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Administrator\defogger_reenable [2010/03/18 12:44:22 | 000,525,824 | ---- | M] () -- C:\dds.com [2010/03/16 21:38:38 | 000,000,558 | ---- | M] () -- C:\WINDOWS\win.ini [2010/03/16 21:38:38 | 000,000,270 | ---- | M] () -- C:\WINDOWS\system.ini [2010/03/16 21:38:38 | 000,000,211 | -HS- | M] () -- C:\boot.ini [2010/03/16 21:26:22 | 000,007,168 | ---- | M] () -- C:\WINDOWS\System32\drivers\utm5nje2.sys [2010/03/16 07:14:07 | 000,004,972 | ---- | M] () -- 
C:\WINDOWS\System32\AsTray.ini [2010/03/14 15:53:30 | 000,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini [2010/03/14 15:05:42 | 000,939,956 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\7z465.exe [2010/03/14 14:34:22 | 000,001,734 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\HijackThis.lnk [2010/03/14 13:25:27 | 000,000,430 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Opera.lnk [2010/03/14 10:45:01 | 000,000,558 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\CCleaner.lnk [2010/03/14 10:42:17 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deploytk.dll [2010/03/14 10:42:17 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe [2010/03/14 10:42:17 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe [2010/03/14 10:42:17 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe [2010/03/14 10:42:17 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) 
-- C:\WINDOWS\System32\javacpl.cpl [2010/03/13 13:19:48 | 003,888,953 | R--- | M] () -- C:\Documents and Settings\Administrator\Desktop\bocomfx.exe [2010/03/08 13:42:20 | 000,041,568 | ---- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT [2010/03/08 13:41:59 | 000,181,832 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT [2010/03/08 13:36:31 | 000,399,130 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat [2010/03/08 13:36:30 | 000,444,028 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI [2010/03/08 13:36:30 | 000,058,458 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat [2010/03/07 18:10:52 | 000,004,161 | ---- | M] () -- C:\WINDOWS\ODBCINST.INI [2010/03/07 18:10:52 | 000,000,483 | ---- | M] () -- C:\WINDOWS\ODBC.INI [2010/03/07 18:09:09 | 000,003,536 | ---- | M] () -- C:\WINDOWS\HCWPNP.INI [2010/03/07 17:52:17 | 000,000,769 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinTV Recording Status..lnk [2010/03/07 17:52:17 | 000,000,740 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\WinTV 7.lnk [2010/03/07 16:32:46 | 000,000,425 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Install WinTV 7 CD 1.3a.lnk [7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ] [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ] ========== Files Created - No Company Name ========== [2010/03/18 13:43:09 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator\defogger_reenable [2010/03/18 13:25:37 | 000,525,824 | ---- | C] () -- C:\dds.com [2010/03/16 21:26:22 | 000,007,168 | ---- | C] () -- C:\WINDOWS\System32\drivers\utm5nje2.sys [2010/03/14 19:04:37 | 003,888,953 | R--- | C] () -- C:\Documents and Settings\Administrator\Desktop\bocomfx.exe [2010/03/14 15:08:32 | 000,004,972 | ---- | C] () -- C:\WINDOWS\System32\AsTray.ini [2010/03/14 15:08:28 | 000,125,952 | ---- | C] () -- C:\WINDOWS\System32\igxpun.exe [2010/03/14 
15:05:41 | 000,939,956 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\7z465.exe [2010/03/14 14:34:22 | 000,001,734 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\HijackThis.lnk [2010/03/14 13:25:27 | 000,000,430 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Opera.lnk [2010/03/14 11:46:30 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe [2010/03/14 11:46:30 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe [2010/03/14 11:46:30 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe [2010/03/14 11:46:30 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe [2010/03/14 11:46:30 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe [2010/03/08 05:29:15 | 000,114,400 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat [2010/03/07 17:52:17 | 000,000,769 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinTV Recording Status..lnk [2010/03/07 17:52:17 | 000,000,740 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\WinTV 7.lnk [2010/03/07 17:48:54 | 000,142,337 | ---- | C] () -- C:\WINDOWS\System32\Wait.exe [2010/03/07 17:12:02 | 000,003,536 | ---- | C] () -- C:\WINDOWS\HCWPNP.INI [2010/03/07 16:32:46 | 000,000,425 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\Install WinTV 7 CD 1.3a.lnk [2009/12/13 20:48:42 | 000,008,192 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [2009/10/14 15:56:22 | 000,399,360 | ---- | C] () -- C:\WINDOWS\System32\Smab.dll [2009/10/14 15:17:51 | 000,027,648 | ---- | C] () -- C:\WINDOWS\System32\AVSredirect.dll [2009/10/11 19:35:14 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\dmcrypto.dll [2009/10/11 19:22:03 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\PsisDecd.dll [2009/09/07 10:53:12 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini [2009/09/06 14:59:41 | 
000,077,824 | ---- | C] () -- C:\WINDOWS\System32\adistres.dll [2009/09/02 09:43:25 | 000,000,483 | ---- | C] () -- C:\WINDOWS\ODBC.INI [2009/08/29 16:58:57 | 000,016,773 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini [2009/08/28 10:00:57 | 000,010,288 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS [2009/08/27 16:18:30 | 000,077,312 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4704.dll < End of report > ====================== EXTRAS OTL Extras logfile created on: 3/20/2010 3:36:02 AM - Run 1 OTL by OldTimer - Version 3.1.37.3 Folder = C:\Documents and Settings\Administrator\Desktop Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation Internet Explorer (Version = 6.0.2900.5512) Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy 503.00 Mb Total Physical Memory | 351.00 Mb Available Physical Memory | 70.00% Memory free 974.00 Mb Paging File | 865.00 Mb Available in Paging File | 89.00% Paging File free Paging file location(s): C:\pagefile.sys 500 1512 [binary data] %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files Drive C: | 3.72 Gb Total Space | 1.23 Gb Free Space | 33.07% Space Free | Partition Type: NTFS Drive D: | 1.88 Gb Total Space | 1.47 Gb Free Space | 78.27% Space Free | Partition Type: FAT32 Drive E: | 1.85 Gb Total Space | 0.98 Gb Free Space | 53.24% Space Free | Partition Type: FAT F: Drive not present or media not loaded G: Drive not present or media not loaded H: Drive not present or media not loaded I: Drive not present or media not loaded Computer Name: ASUS Current User Name: Administrator Logged in as Administrator. 
Current Boot Mode: Normal Scan Mode: Current user Company Name Whitelist: Off Skip Microsoft Files: Off File Age = 30 Days Output = Minimal ========== Extra Registry (SafeList) ========== ========== File Associations ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>] .html [@ = Opera.HTML] -- E:\Program Files\OPERA BROWSER\opera.exe (Opera Software) ========== Shell Spawning ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command] batfile [open] -- "%1" %* cmdfile [open] -- "%1" %* comfile [open] -- "%1" %* exefile [open] -- "%1" %* htmlfile [edit] -- "E:\Office12\msohtmed.exe" %1 File not found htmlfile [open] -- Reg Error: Key error. htmlfile [opennew] -- Reg Error: Key error. htmlfile [print] -- "E:\Office12\msohtmed.exe" /p %1 File not found http [open] -- "E:\Program Files\OPERA BROWSER\opera.exe" (Opera Software) https [open] -- "E:\Program Files\OPERA BROWSER\opera.exe" (Opera Software) piffile [open] -- "%1" %* regfile [merge] -- Reg Error: Key error. scrfile [config] -- "%1" scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation) scrfile [open] -- "%1" /S txtfile [edit] -- Reg Error: Key error. Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 Directory [AddToPlaylistVLC] -- "D:\Program Files\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" File not found Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Directory [PlayWithVLC] -- "D:\Program Files\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" File not found Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation) Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation) Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Applications\iexplore.exe [open] -- Reg Error: Key error. 
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" File not found ========== Security Center Settings ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] "EnableFirewall" = 1 "DoNotAllowExceptions" = 0 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List] ========== Authorized Applications List ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List] "%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- File not found [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] "%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- File not found "C:\WINDOWS\system32\dpvsetup.exe" = C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test -- (Microsoft Corporation) "C:\Program Files\WinTV\WinTV7\WinTV7.exe" = C:\Program Files\WinTV\WinTV7\WinTV7.exe:*:Enabled:WinTV7 -- (Hauppauge Computer Works, Inc.) 
"E:\Program Files\OPERA BROWSER\opera.exe" = E:\Program Files\OPERA BROWSER\opera.exe:*:Enabled:Opera Internet Browser -- (Opera Software) ========== HKEY_LOCAL_MACHINE Uninstall List ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "{063E409E-3D7C-4A4A-95AB-2F124B9224B3}" = ArcSoft PhotoImpression 6 "{0A755762-EED8-47AB-A446-505766F93D43}" = Atheros Communications Inc.® L2 Fast Ethernet Driver "{26A24AE4-039D-4CA4-87B4-2F83216018FF}" = Java 6 Update 18 "{28006915-2739-4EBE-B5E8-49B25D32EB33}" = Atheros Client Installation Program "{2BA00471-0328-3743-93BD-FA813353A783}" = Microsoft .NET Framework 3.0 Service Pack 1 "{2FC099BD-AC9B-33EB-809C-D332E1B27C40}" = Microsoft .NET Framework 3.5 "{332BCC03-A1B7-4BE7-8C8A-2B1333E22C33}" = Opera 10.50 "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater "{5A347920-4AFC-11D5-9FB0-800649886934}" = SDFormatter "{6B566EFE-DC1D-471F-93DD-84832663F140}" = OVT Scanner X86 "{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12 "{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007 "{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007 "{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007 "{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007 "{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007 "{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007 "{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007 "{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007 "{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007 "{91120000-0013-0000-0000-0000000FF1CE}" = Microsoft Office Basic 2007 "{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 
9.0.30729.17 "{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable "{B508B3F1-A24A-32C0-B310-85786919EF28}" = Microsoft .NET Framework 2.0 Service Pack 1 "{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver "7-Zip" = 7-Zip 4.65 "Adobe Acrobat 5.0" = Adobe Acrobat 5.0 "Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin "Adobe Photoshop 7.0" = Adobe Photoshop 7.0 "Adobe Shockwave Player" = Adobe Shockwave Player 11.5 "Audacity_is1" = Audacity 1.2.6 "CCleaner" = CCleaner "Cool Edit Pro 2.1" = Cool Edit Pro 2.1 "Gadwin PrintScreen" = Gadwin PrintScreen "Hauppauge WinTV 7" = Hauppauge WinTV 7 "HDMI" = Intel® Graphics Media Accelerator Driver "HijackThis" = HijackThis 2.0.2 "Karen's Computer Profiler" = Karen's Computer Profiler "Karen's Time Sync" = Karen's Time Sync "Karen's WhoIs" = Karen's WhoIs "Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware "Microsoft .NET Framework 3.5" = Microsoft .NET Framework 3.5 "Nero - Burning Rom!UninstallKey" = Nero OEM "OVT Scanner" = Uninstall OVT Scanner "QuicktimeAlt_is1" = QuickTime Alternative 3.0.0 "RealAlt_is1" = Real Alternative 2.0.1 "ST6UNST #1" = Karen's Disk Slack Checker "SUPER OTL.Txt Extras.Txt
  9. Thanks, DL

Here is the TDSSKiller text. Even though it says it found and removed something, my browser still cannot go to malwarebytes.org or safer-networking.org, the home of Spybot.

------------------------

10:22:14:984 2264 TDSS rootkit removing tool 2.2.8 Mar 10 2010 15:53:20
10:22:14:984 2264 ================================================================================
10:22:14:984 2264 SystemInfo:
10:22:14:984 2264 OS Version: 5.1.2600 ServicePack: 3.0
10:22:14:984 2264 Product type: Workstation
10:22:14:984 2264 ComputerName: ASUS
10:22:14:984 2264 UserName: Administrator
10:22:14:984 2264 Windows directory: C:\WINDOWS
10:22:14:984 2264 Processor architecture: Intel x86
10:22:14:984 2264 Number of processors: 1
10:22:14:984 2264 Page size: 0x1000
10:22:15:000 2264 Boot type: Normal boot
10:22:15:000 2264 ================================================================================
10:22:15:000 2264 UnloadDriverW: NtUnloadDriver error 2
10:22:15:000 2264 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
10:22:15:093 2264 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
10:22:15:093 2264 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
10:22:15:093 2264 wfopen_ex: Trying to KLMD file open
10:22:15:093 2264 wfopen_ex: File opened ok (Flags 2)
10:22:15:093 2264 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
10:22:15:093 2264 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
10:22:15:093 2264 wfopen_ex: Trying to KLMD file open
10:22:15:093 2264 wfopen_ex: File opened ok (Flags 2)
10:22:15:093 2264 Initialize success
10:22:15:093 2264
10:22:15:093 2264 Scanning Services ...
10:22:16:500 2264 GetAdvancedServicesInfo: Raw services enum returned 243 services
10:22:16:515 2264
10:22:16:515 2264 Scanning Kernel memory ...
10:22:16:515 2264 Devices to scan: 6
10:22:16:515 2264
10:22:16:515 2264 Driver Name: Disk
10:22:16:515 2264 IRP_MJ_CREATE : F8578BB0
10:22:16:515 2264 IRP_MJ_CREATE_NAMED_PIPE : 804FA87E
10:22:16:515 2264 IRP_MJ_CLOSE : F8578BB0
10:22:16:515 2264 IRP_MJ_READ : F8572D1F
10:22:16:515 2264 IRP_MJ_WRITE : F8572D1F
10:22:16:515 2264 IRP_MJ_QUERY_INFORMATION : 804FA87E
10:22:16:515 2264 IRP_MJ_SET_INFORMATION : 804FA87E
10:22:16:515 2264 IRP_MJ_QUERY_EA : 804FA87E
10:22:16:515 2264 IRP_MJ_SET_EA : 804FA87E
10:22:16:515 2264 IRP_MJ_FLUSH_BUFFERS : F85732E2
10:22:16:515 2264 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA87E
10:22:16:515 2264 IRP_MJ_SET_VOLUME_INFORMATION : 804FA87E
10:22:16:515 2264 IRP_MJ_DIRECTORY_CONTROL : 804FA87E
10:22:16:515 2264 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA87E
10:22:16:515 2264 IRP_MJ_DEVICE_CONTROL : F85733BB
10:22:16:515 2264 IRP_MJ_INTERNAL_DEVICE_CONTROL : F8576F28
10:22:16:515 2264 IRP_MJ_SHUTDOWN : F85732E2
10:22:16:515 2264 IRP_MJ_LOCK_CONTROL : 804FA87E
10:22:16:515 2264 IRP_MJ_CLEANUP : 804FA87E
10:22:16:515 2264 IRP_MJ_CREATE_MAILSLOT : 804FA87E
10:22:16:515 2264 IRP_MJ_QUERY_SECURITY : 804FA87E
10:22:16:515 2264 IRP_MJ_SET_SECURITY : 804FA87E
10:22:16:515 2264 IRP_MJ_POWER : F8574C82
10:22:16:515 2264 IRP_MJ_SYSTEM_CONTROL : F857999E
10:22:16:515 2264 IRP_MJ_DEVICE_CHANGE : 804FA87E
10:22:16:515 2264 IRP_MJ_QUERY_QUOTA : 804FA87E
10:22:16:515 2264 IRP_MJ_SET_QUOTA : 804FA87E
10:22:16:515 2264 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
10:22:16:515 2264
10:22:16:515 2264 Driver Name: usbstor
10:22:16:515 2264 IRP_MJ_CREATE : F8907218
10:22:16:515 2264 IRP_MJ_CREATE_NAMED_PIPE : 804FA87E
10:22:16:515 2264 IRP_MJ_CLOSE : F8907218
10:22:16:515 2264 IRP_MJ_READ : F890723C
10:22:16:515 2264 IRP_MJ_WRITE : F890723C
10:22:16:515 2264 IRP_MJ_QUERY_INFORMATION : 804FA87E
10:22:16:515 2264 IRP_MJ_SET_INFORMATION : 804FA87E
10:22:16:515 2264 IRP_MJ_QUERY_EA : 804FA87E
10:22:16:515 2264 IRP_MJ_SET_EA : 804FA87E
10:22:16:515 2264 IRP_MJ_FLUSH_BUFFERS : 804FA87E
10:22:16:515 2264 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA87E
10:22:16:515 2264 IRP_MJ_SET_VOLUME_INFORMATION : 804FA87E
10:22:16:515 2264 IRP_MJ_DIRECTORY_CONTROL : 804FA87E
10:22:16:515 2264 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA87E
10:22:16:515 2264 IRP_MJ_DEVICE_CONTROL : F8907180
10:22:16:515 2264 IRP_MJ_INTERNAL_DEVICE_CONTROL : F89029E6
10:22:16:515 2264 IRP_MJ_SHUTDOWN : 804FA87E
10:22:16:515 2264 IRP_MJ_LOCK_CONTROL : 804FA87E
10:22:16:515 2264 IRP_MJ_CLEANUP : 804FA87E
10:22:16:515 2264 IRP_MJ_CREATE_MAILSLOT : 804FA87E
10:22:16:515 2264 IRP_MJ_QUERY_SECURITY : 804FA87E
10:22:16:515 2264 IRP_MJ_SET_SECURITY : 804FA87E
10:22:16:515 2264 IRP_MJ_POWER : F89065F0
10:22:16:515 2264 IRP_MJ_SYSTEM_CONTROL : F8904A6E
10:22:16:515 2264 IRP_MJ_DEVICE_CHANGE : 804FA87E
10:22:16:515 2264 IRP_MJ_QUERY_QUOTA : 804FA87E
10:22:16:515 2264 IRP_MJ_SET_QUOTA : 804FA87E
10:22:16:531 2264 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
10:22:16:531 2264
10:22:16:531 2264 Driver Name: Disk
10:22:16:531 2264 IRP_MJ_CREATE : F8578BB0
10:22:16:531 2264 IRP_MJ_CREATE_NAMED_PIPE : 804FA87E
10:22:16:531 2264 IRP_MJ_CLOSE : F8578BB0
10:22:16:531 2264 IRP_MJ_READ : F8572D1F
10:22:16:531 2264 IRP_MJ_WRITE : F8572D1F
10:22:16:531 2264 IRP_MJ_QUERY_INFORMATION : 804FA87E
10:22:16:531 2264 IRP_MJ_SET_INFORMATION : 804FA87E
10:22:16:531 2264 IRP_MJ_QUERY_EA : 804FA87E
10:22:16:531 2264 IRP_MJ_SET_EA : 804FA87E
10:22:16:531 2264 IRP_MJ_FLUSH_BUFFERS : F85732E2
10:22:16:531 2264 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA87E
10:22:16:531 2264 IRP_MJ_SET_VOLUME_INFORMATION : 804FA87E
10:22:16:531 2264 IRP_MJ_DIRECTORY_CONTROL : 804FA87E
10:22:16:531 2264 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA87E
10:22:16:531 2264 IRP_MJ_DEVICE_CONTROL : F85733BB
10:22:16:531 2264 IRP_MJ_INTERNAL_DEVICE_CONTROL : F8576F28
10:22:16:531 2264 IRP_MJ_SHUTDOWN : F85732E2
10:22:16:531 2264 IRP_MJ_LOCK_CONTROL : 804FA87E
10:22:16:531 2264 IRP_MJ_CLEANUP : 804FA87E
10:22:16:531 2264 IRP_MJ_CREATE_MAILSLOT : 804FA87E
10:22:16:531 2264 IRP_MJ_QUERY_SECURITY : 804FA87E
10:22:16:531 2264 IRP_MJ_SET_SECURITY : 804FA87E
10:22:16:531 2264 IRP_MJ_POWER : F8574C82
10:22:16:531 2264 IRP_MJ_SYSTEM_CONTROL : F857999E
10:22:16:531 2264 IRP_MJ_DEVICE_CHANGE : 804FA87E
10:22:16:531 2264 IRP_MJ_QUERY_QUOTA : 804FA87E
10:22:16:531 2264 IRP_MJ_SET_QUOTA : 804FA87E
10:22:16:531 2264 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
10:22:16:531 2264
10:22:16:531 2264 Driver Name: usbstor
10:22:16:531 2264 IRP_MJ_CREATE : F8907218
10:22:16:531 2264 IRP_MJ_CREATE_NAMED_PIPE : 804FA87E
10:22:16:531 2264 IRP_MJ_CLOSE : F8907218
10:22:16:531 2264 IRP_MJ_READ : F890723C
10:22:16:531 2264 IRP_MJ_WRITE : F890723C
10:22:16:531 2264 IRP_MJ_QUERY_INFORMATION : 804FA87E
10:22:16:531 2264 IRP_MJ_SET_INFORMATION : 804FA87E
10:22:16:531 2264 IRP_MJ_QUERY_EA : 804FA87E
10:22:16:531 2264 IRP_MJ_SET_EA : 804FA87E
10:22:16:531 2264 IRP_MJ_FLUSH_BUFFERS : 804FA87E
10:22:16:531 2264 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA87E
10:22:16:531 2264 IRP_MJ_SET_VOLUME_INFORMATION : 804FA87E
10:22:16:531 2264 IRP_MJ_DIRECTORY_CONTROL : 804FA87E
10:22:16:531 2264 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA87E
10:22:16:531 2264 IRP_MJ_DEVICE_CONTROL : F8907180
10:22:16:531 2264 IRP_MJ_INTERNAL_DEVICE_CONTROL : F89029E6
10:22:16:531 2264 IRP_MJ_SHUTDOWN : 804FA87E
10:22:16:531 2264 IRP_MJ_LOCK_CONTROL : 804FA87E
10:22:16:531 2264 IRP_MJ_CLEANUP : 804FA87E
10:22:16:531 2264 IRP_MJ_CREATE_MAILSLOT : 804FA87E
10:22:16:531 2264 IRP_MJ_QUERY_SECURITY : 804FA87E
10:22:16:531 2264 IRP_MJ_SET_SECURITY : 804FA87E
10:22:16:531 2264 IRP_MJ_POWER : F89065F0
10:22:16:531 2264 IRP_MJ_SYSTEM_CONTROL : F8904A6E
10:22:16:531 2264 IRP_MJ_DEVICE_CHANGE : 804FA87E
10:22:16:546 2264 IRP_MJ_QUERY_QUOTA : 804FA87E
10:22:16:546 2264 IRP_MJ_SET_QUOTA : 804FA87E
10:22:16:546 2264 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
10:22:16:546 2264
10:22:16:546 2264 Driver Name: Disk
10:22:16:546 2264 IRP_MJ_CREATE : F8578BB0
10:22:16:546 2264 IRP_MJ_CREATE_NAMED_PIPE : 804FA87E
10:22:16:546 2264 IRP_MJ_CLOSE : F8578BB0
10:22:16:546 2264 IRP_MJ_READ : F8572D1F
10:22:16:546 2264 IRP_MJ_WRITE : F8572D1F
10:22:16:546 2264 IRP_MJ_QUERY_INFORMATION : 804FA87E
10:22:16:546 2264 IRP_MJ_SET_INFORMATION : 804FA87E
10:22:16:546 2264 IRP_MJ_QUERY_EA : 804FA87E
10:22:16:546 2264 IRP_MJ_SET_EA : 804FA87E
10:22:16:546 2264 IRP_MJ_FLUSH_BUFFERS : F85732E2
10:22:16:546 2264 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA87E
10:22:16:546 2264 IRP_MJ_SET_VOLUME_INFORMATION : 804FA87E
10:22:16:546 2264 IRP_MJ_DIRECTORY_CONTROL : 804FA87E
10:22:16:546 2264 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA87E
10:22:16:546 2264 IRP_MJ_DEVICE_CONTROL : F85733BB
10:22:16:546 2264 IRP_MJ_INTERNAL_DEVICE_CONTROL : F8576F28
10:22:16:546 2264 IRP_MJ_SHUTDOWN : F85732E2
10:22:16:546 2264 IRP_MJ_LOCK_CONTROL : 804FA87E
10:22:16:546 2264 IRP_MJ_CLEANUP : 804FA87E
10:22:16:546 2264 IRP_MJ_CREATE_MAILSLOT : 804FA87E
10:22:16:546 2264 IRP_MJ_QUERY_SECURITY : 804FA87E
10:22:16:546 2264 IRP_MJ_SET_SECURITY : 804FA87E
10:22:16:546 2264 IRP_MJ_POWER : F8574C82
10:22:16:546 2264 IRP_MJ_SYSTEM_CONTROL : F857999E
10:22:16:546 2264 IRP_MJ_DEVICE_CHANGE : 804FA87E
10:22:16:546 2264 IRP_MJ_QUERY_QUOTA : 804FA87E
10:22:16:546 2264 IRP_MJ_SET_QUOTA : 804FA87E
10:22:16:546 2264 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
10:22:16:546 2264
10:22:16:546 2264 Driver Name: atapi
10:22:16:546 2264 IRP_MJ_CREATE : F848EB3A
10:22:16:546 2264 IRP_MJ_CREATE_NAMED_PIPE : F848EB3A
10:22:16:546 2264 IRP_MJ_CLOSE : F848EB3A
10:22:16:546 2264 IRP_MJ_READ : F848EB3A
10:22:16:546 2264 IRP_MJ_WRITE : F848EB3A
10:22:16:546 2264 IRP_MJ_QUERY_INFORMATION : F848EB3A
10:22:16:546 2264 IRP_MJ_SET_INFORMATION : F848EB3A
10:22:16:546 2264 IRP_MJ_QUERY_EA : F848EB3A
10:22:16:546 2264 IRP_MJ_SET_EA : F848EB3A
10:22:16:546 2264 IRP_MJ_FLUSH_BUFFERS : F848EB3A
10:22:16:546 2264 IRP_MJ_QUERY_VOLUME_INFORMATION : F848EB3A
10:22:16:546 2264 IRP_MJ_SET_VOLUME_INFORMATION : F848EB3A
10:22:16:546 2264 IRP_MJ_DIRECTORY_CONTROL : F848EB3A
10:22:16:546 2264 IRP_MJ_FILE_SYSTEM_CONTROL : F848EB3A
10:22:16:546 2264 IRP_MJ_DEVICE_CONTROL : F848EB3A
10:22:16:546 2264 IRP_MJ_INTERNAL_DEVICE_CONTROL : F848EB3A
10:22:16:546 2264 IRP_MJ_SHUTDOWN : F848EB3A
10:22:16:546 2264 IRP_MJ_LOCK_CONTROL : F848EB3A
10:22:16:546 2264 IRP_MJ_CLEANUP : F848EB3A
10:22:16:546 2264 IRP_MJ_CREATE_MAILSLOT : F848EB3A
10:22:16:546 2264 IRP_MJ_QUERY_SECURITY : F848EB3A
10:22:16:546 2264 IRP_MJ_SET_SECURITY : F848EB3A
10:22:16:546 2264 IRP_MJ_POWER : F848EB3A
10:22:16:546 2264 IRP_MJ_SYSTEM_CONTROL : F848EB3A
10:22:16:546 2264 IRP_MJ_DEVICE_CHANGE : F848EB3A
10:22:16:546 2264 IRP_MJ_QUERY_QUOTA : F848EB3A
10:22:16:546 2264 IRP_MJ_SET_QUOTA : F848EB3A
10:22:16:546 2264 Driver "atapi" infected by TDSS rootkit!
10:22:16:562 2264 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: 1
10:22:16:562 2264 File "C:\WINDOWS\system32\DRIVERS\atapi.sys" infected by TDSS rootkit ...
10:22:16:562 2264 Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
10:22:16:562 2264 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
10:22:16:640 2264 vfvi6
10:22:16:984 2264 !dsvbh1
10:22:17:937 2264 dsvbh2
10:22:17:937 2264 fdfb2
10:22:17:937 2264 Backup copy found, using it..
10:22:18:203 2264 will be cured on next reboot
10:22:18:203 2264 Reboot required for cure complete..
10:22:18:234 2264 Cure on reboot scheduled successfully
10:22:18:234 2264
10:22:18:234 2264 Completed
10:22:18:234 2264
10:22:18:234 2264 Results:
10:22:18:234 2264 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
10:22:18:234 2264 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
10:22:18:234 2264 File objects infected / cured / cured on reboot: 1 / 0 / 1
10:22:18:234 2264
10:22:18:234 2264 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
10:22:18:234 2264 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
10:22:18:234 2264 UnloadDriverW: NtUnloadDriver error 1
10:22:18:234 2264 KLMD_Unload: UnloadDriverW(klmd21) error 1
10:22:18:250 2264 KLMD(ARK) unloaded successfully

-------------------------

- Download the file TDSSKiller.zip and save it on your desktop
- Extract the file tdsskiller.zip, it will create a folder named tdsskiller on your desktop
- Next double-click the tdsskiller Folder on your desktop.
- Next right-click on tdsskiller.exe and click Copy then Paste it directly on to your Desktop.
- Highlight and copy the text in the codebox below.

"%userprofile%\desktop\tdsskiller.exe" -l "%userprofile%\desktop\tdsskiller.txt"

- Click Start, click Run... and paste the text above into the Open: line and click OK.
- Wait for the scan and disinfection process to be over.
- Open tdsskiller.txt on your desktop and post the contents in your next reply
  10. Reposting this after instructions from forum: On March 12, 2010 I did something not too bright. I was looking to watch the 2010 Academy Awards again and I followed a link from a Cleveland newspaper site to watch-oscar-online.com which directed me to tubezz.org (http://tubezz.org/oscars-2010/). Dumb and dumber, I allowed the Active-X download, which caused an infection that I still cannot completely get rid of. I used malwarebytes (I had to go to another machine and transport via thumb drive). It found a trojan which I deleted, but it did not resolve the browser hijack. I am sending this from another computer. From the infected notebook, an eee pc, I cannot access any anti-malware site, including malwarebytes. I am directed to a 404-style error page. Has anyone else run into this problem?
==================
March 18: Followed the instructions but the only thing I could get was a gmer log. DDS.scr and DDS.com pop open a DOS window for a second but don't give a log. Avira, like malwarebytes and every other anti-v, anti-m software I've run, does NOT give any indication of a problem/infection.
Posting the gmer log
======================
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-18 14:13:50
Windows 5.1.2600 Service Pack 3
Running: mrge.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pxtdrpoc.sys

---- System - GMER 1.0.15 ----

SSDT F8BF80F6 ZwCreateKey
SSDT F8BF80EC ZwCreateThread
SSDT F8BF80FB ZwDeleteKey
SSDT F8BF8105 ZwDeleteValueKey
SSDT F8BF810A ZwLoadKey
SSDT F8BF80D8 ZwOpenProcess
SSDT F8BF80DD ZwOpenThread
SSDT F8BF8114 ZwReplaceKey
SSDT F8BF810F ZwRestoreKey
SSDT F8BF8100 ZwSetValueKey
SSDT F8BF80E7 ZwTerminateProcess

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi \Device\Ide\IdePort0 [F848EB3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdePort1 [F848EB3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-5 [F848EB3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

===============
P.S. More info - Not to confuse things but ... When I first was trying to deal with this, last week, I looked at the Task Manager processes running and removed or noted down some possibly suspicious things.
I removed c:\documents&etc\Admin\Local settings\temp\Fx1.exe I removed c:\windows\fqomoa.exe I segregated and subsequently replaced the Intel graphics drivers igfx-etc with a new set of Intel graphics drivers tweaked especially for the eee pc. These new drivers, attached to a process that allows you to swap screen resolution in the systray, could be the suspicious atapi. Thanks for any help.
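Added example, not code from anyone in this thread: a small triage script that reads the two log formats posted above, finds drivers whose whole IRP dispatch table in the TDSSKiller log collapses to one handler address, and corroborates that against the GMER "Device" lines that place the handler in an unknown section of the driver image. The log excerpts are constructed and abridged from the posts (the "Driver Name: disk" header is assumed; only its IRP rows appear on the page), and the function names are mine.

```python
import re
from collections import defaultdict

# Constructed, abridged log excerpts from this thread; the "Driver Name: disk" header is assumed.
TDSSKILLER_LOG = """\
10:22:16:546 2264 Driver Name: disk
10:22:16:546 2264 IRP_MJ_CREATE_NAMED_PIPE : 804FA87E
10:22:16:546 2264 IRP_MJ_READ : F8572D1F
10:22:16:546 2264 IRP_MJ_DEVICE_CONTROL : F85733BB
10:22:16:546 2264 Driver Name: atapi
10:22:16:546 2264 IRP_MJ_CREATE : F848EB3A
10:22:16:546 2264 IRP_MJ_READ : F848EB3A
10:22:16:546 2264 IRP_MJ_DEVICE_CONTROL : F848EB3A
"""
GMER_LOG = r"""Device \Driver\atapi \Device\Ide\IdePort0 [F848EB3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
"""
DRIVER_RE = re.compile(r"^\S+ \d+ Driver Name: (\S+)$")
IRP_RE = re.compile(r"^\S+ \d+ (IRP_MJ_\w+) : ([0-9A-F]{8})$")
# GMER device line: Device \Driver\<name> <device> [<addr>] <image>[<section>] ...
GMER_DEV_RE = re.compile(r"^Device \\Driver\\(\S+) \S+ \[([0-9A-F]{8})\] \S+?\[([^\]]*)\]")

def parse_tdsskiller(text):
    """Map driver name -> {IRP_MJ_*: handler address} from a TDSSKiller log."""
    tables, current = defaultdict(dict), None
    for line in text.splitlines():
        if (m := DRIVER_RE.match(line)):
            current = m.group(1)
        elif (m := IRP_RE.match(line)) and current:
            tables[current][m.group(1)] = m.group(2)
    return dict(tables)

def uniform_dispatch(tables):
    """Drivers whose every IRP_MJ handler is one address: a lead, not a verdict, since some clean drivers do this too."""
    return {d: t[next(iter(t))] for d, t in tables.items()
            if len(t) > 1 and len(set(t.values())) == 1}

def parse_gmer_devices(text):
    """Map driver name -> hook addresses that GMER places in an 'unknown section' of the driver image."""
    hooks = defaultdict(set)
    for line in text.splitlines():
        if (m := GMER_DEV_RE.match(line)) and m.group(3) == "unknown section":
            hooks[m.group(1)].add(m.group(2))
    return dict(hooks)

def correlate(tdss_text, gmer_text):
    """Drivers both tools point at the same address for: the corroborated finding."""
    hooks = parse_gmer_devices(gmer_text)
    return sorted(d for d, a in uniform_dispatch(parse_tdsskiller(tdss_text)).items()
                  if a in hooks.get(d, set()))
```

On the posted logs this yields atapi alone: disk.sys keeps a mixed dispatch table, while atapi's single address matches the hook GMER reports on every IDE device object.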