Posts posted by ionavideo
-
-
Thanks, DL
I had actually tried running Malwarebytes earlier today before I read this. It thought bcomfx.sys was not good.
I still can't access malwarebytes web site.
Here is an OTL log that I just ran.
=====================
OTL logfile created on: 3/29/2010 5:49:37 PM - Run 4
OTL by OldTimer - Version 3.1.37.3 Folder = C:\Documents and Settings\Administrator\Desktop\Anti-Malware stuff
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
503.00 Mb Total Physical Memory | 300.00 Mb Available Physical Memory | 60.00% Memory free
974.00 Mb Paging File | 807.00 Mb Available in Paging File | 83.00% Paging File free
Paging file location(s): C:\pagefile.sys 500 1512 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 3.72 Gb Total Space | 0.04 Gb Free Space | 1.10% Space Free | Partition Type: NTFS
Drive D: | 1.88 Gb Total Space | 1.47 Gb Free Space | 78.20% Space Free | Partition Type: FAT32
Drive E: | 1.85 Gb Total Space | 0.96 Gb Free Space | 52.23% Space Free | Partition Type: FAT
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Computer Name: ASUS
Current User Name: Administrator
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal
========== Processes (SafeList) ==========
PRC - C:\Documents and Settings\Administrator\Desktop\Anti-Malware stuff\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\WinTV\WinTV7\WinTVTray.exe (Hauppauge Computer Works, Inc.)
PRC - C:\Program Files\WinTV\TVServer\HauppaugeTVServer.exe (Hauppauge Computer Works)
PRC - E:\Program Files\File Unlocker\Unlocker\UnlockerAssistant.exe ()
PRC - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac (ArcSoft Inc.)
PRC - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe (ArcSoft Inc.)
PRC - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (ArcSoft Inc.)
PRC - C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe (Gadwin Systems, Inc)
PRC - C:\WINDOWS\system32\AsTray.exe (WangYue@BLCU.EDU.CN)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Atheros\ACU.exe (Atheros Communications, Inc.)
PRC - C:\WINDOWS\system32\acs.exe (Atheros)
PRC - E:\Program Files\WinZip\WZQKPICK.EXE (WinZip Computing, Inc.)
========== Modules (SafeList) ==========
MOD - C:\Documents and Settings\Administrator\Desktop\Anti-Malware stuff\OTL.exe (OldTimer Tools)
MOD - E:\Program Files\File Unlocker\Unlocker\UnlockerHook.dll ()
MOD - C:\WINDOWS\system32\DrvPatch.dll (WangYue@BLCU.EDU.CN)
========== Win32 Services (SafeList) ==========
SRV - (UPS) -- File not found
SRV - (ose) -- File not found
SRV - (odserv) -- File not found
SRV - (ClipSrv) -- File not found
SRV - (CiSvc) -- File not found
SRV - (HauppaugeTVServer) -- C:\Program Files\WinTV\TVServer\HauppaugeTVServer.exe (Hauppauge Computer Works)
SRV - (ACDaemon) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (ArcSoft Inc.)
SRV - (ACS) -- C:\WINDOWS\system32\acs.exe (Atheros)
========== Driver Services (SafeList) ==========
DRV - (hcw72DTV) -- C:\WINDOWS\system32\drivers\hcw72DTV.sys (Hauppauge Computer Works, Inc.)
DRV - (hcw72ATV) -- C:\WINDOWS\system32\drivers\hcw72ATV.sys (Hauppauge Computer Works, Inc.)
DRV - (hcw72ADFilter) -- C:\WINDOWS\system32\drivers\hcw72ADFilter.sys (Hauppauge Computer Works, Inc.)
DRV - (usbaudio) USB Audio Driver (WDM) -- C:\WINDOWS\system32\drivers\USBAUDIO.sys (Microsoft Corporation)
DRV - (MPE) -- C:\WINDOWS\system32\drivers\MPE.sys (Microsoft Corporation)
DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\hdaudbus.sys (Windows ® Server 2003 DDK provider)
DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)
DRV - (AtcL002) -- C:\WINDOWS\system32\drivers\l251x86.sys (Atheros Communications, Inc.)
DRV - (AR5211) -- C:\WINDOWS\system32\drivers\ar5211.sys (Atheros Communications, Inc.)
DRV - (WSIMD) -- C:\WINDOWS\system32\drivers\wsimd.sys (Atheros Communications, Inc.)
DRV - (Afc) -- C:\WINDOWS\system32\drivers\afc.sys (Arcsoft, Inc.)
DRV - (ialm) -- C:\WINDOWS\system32\drivers\igxpmp32.sys (Intel Corporation)
DRV - (APL531) -- C:\WINDOWS\system32\drivers\ov550i.sys (Omnivision Technologies, Inc.)
========== Standard Registry (SafeList) ==========
========== Internet Explorer ==========
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchURL\g, = http://www.google.com/search?q=%s
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchURL\g, = http://www.google.com/search?q=%s
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchURL\g, = http://www.google.com/search?q=%s
IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchURL\g, = http://www.google.com/search?q=%s
IE - HKU\S-1-5-21-1844237615-838170752-515967899-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-1844237615-838170752-515967899-500\Software\Microsoft\Internet Explorer\SearchURL\g, = http://www.google.com/search?q=%s
IE - HKU\S-1-5-21-1844237615-838170752-515967899-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
O1 HOSTS File: ([2001/08/23 07:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\program files\adobe\Acrobat\ActiveX\AcroIEHelper.ocx File not found
O4 - HKLM..\Run: [ACU] C:\Program Files\Atheros\ACU.exe (Atheros Communications, Inc.)
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\ALCMTR.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe (ArcSoft Inc.)
O4 - HKLM..\Run: [igfxTray] C:\WINDOWS\system32\AsTray.exe (WangYue@BLCU.EDU.CN)
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [skyTel] C:\WINDOWS\SkyTel.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [unlockerAssistant] E:\Program Files\File Unlocker\Unlocker\UnlockerAssistant.exe ()
O4 - HKU\S-1-5-21-1844237615-838170752-515967899-500..\Run: [Gadwin PrintScreen] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe (Gadwin Systems, Inc)
O4 - HKU\S-1-5-21-1844237615-838170752-515967899-500..\Run: [sUPERAntiSpyware] E:\Program Files\SUPERAntiSpyware.exe File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk = D:\Program Files\Adobe\Distillr\AcroTray.exe File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinTV Recording Status..lnk = C:\Program Files\WinTV\WinTV7\WinTVTray.exe (Hauppauge Computer Works, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk = E:\Program Files\WinZip\WZQKPICK.EXE (WinZip Computing, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDesktopCleanupWizard = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HideRunAsVerb = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableCAD = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: StartMenuLogoff = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceStartMenuLogoff = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: StartMenuLogoff = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceStartMenuLogoff = 0
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 1
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 1
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: StartMenuLogoff = 1
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceStartMenuLogoff = 0
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 1
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 1
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: StartMenuLogoff = 1
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceStartMenuLogoff = 0
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1
O7 - HKU\S-1-5-21-1844237615-838170752-515967899-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1844237615-838170752-515967899-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1
O7 - HKU\S-1-5-21-1844237615-838170752-515967899-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 1
O7 - HKU\S-1-5-21-1844237615-838170752-515967899-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O7 - HKU\S-1-5-21-1844237615-838170752-515967899-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1
O7 - HKU\S-1-5-21-1844237615-838170752-515967899-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: StartMenuLogoff = 1
O7 - HKU\S-1-5-21-1844237615-838170752-515967899-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceStartMenuLogoff = 0
O7 - HKU\S-1-5-21-1844237615-838170752-515967899-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1
O7 - HKU\S-1-5-21-1844237615-838170752-515967899-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 0
O7 - HKU\S-1-5-21-1844237615-838170752-515967899-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O12 - Plugin for: .spop - C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll File not found
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - Reg Error: Key error. File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - E:\Program Files\SASWINLO.dll - E:\Program Files\SASWINLO.dll File not found
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - E:\Program Files\SASSEH.DLL File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/08/27 15:27:39 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2009/08/27 17:52:02 | 000,000,103 | ---- | M] () - D:\Autorun.inf -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
========== Files/Folders - Created Within 30 Days ==========
[2010/03/29 17:46:25 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator\Recent
[2010/03/23 15:06:21 | 000,017,920 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ping.exe
[2010/03/23 15:06:16 | 000,076,800 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\nslookup.exe
[2010/03/23 15:06:10 | 000,055,808 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ipconfig.exe
[2010/03/22 08:26:08 | 000,000,000 | --SD | C] -- C:\bocomfx
[2010/03/20 15:30:48 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/03/18 13:15:49 | 000,056,816 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys
[2010/03/14 20:16:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\gmer
[2010/03/14 15:12:25 | 000,040,448 | ---- | C] (Intel Corporation) -- C:\WINDOWS\System32\igfxres.dll
[2010/03/14 15:08:32 | 000,047,104 | ---- | C] (WangYue@BLCU.EDU.CN) -- C:\WINDOWS\System32\AsTray.exe
[2010/03/14 15:08:29 | 000,011,264 | ---- | C] (WangYue@BLCU.EDU.CN) -- C:\WINDOWS\System32\DrvPatch.dll
[2010/03/14 15:04:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\7-Zip
[2010/03/14 14:58:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\EEEPC graphics drivers
[2010/03/14 14:34:22 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/03/14 13:25:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Opera
[2010/03/14 13:25:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Opera
[2010/03/14 12:59:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\Anti-Malware stuff
[2010/03/14 11:49:18 | 000,000,000 | ---D | C] -- C:\MGtools
[2010/03/14 11:46:30 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/03/14 11:46:30 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/03/14 11:46:30 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/03/14 11:46:30 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/03/14 11:46:19 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/03/14 11:45:30 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/03/14 10:51:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2010/03/14 10:48:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
[2010/03/14 10:43:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/03/14 10:43:17 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010/03/14 10:42:46 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/03/14 10:42:46 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/03/14 10:42:46 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/03/14 10:42:46 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/03/14 10:42:11 | 000,000,000 | ---D | C] -- C:\Program Files\Java
[2010/03/13 06:23:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2010/03/12 20:43:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\AVG8
[2010/03/12 12:11:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\possible virus or malware
[2010/03/12 12:04:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\igfx Intel graphics driver files
[2010/03/12 11:29:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
[2010/03/12 11:29:49 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/03/12 11:29:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/03/12 11:29:24 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/03/10 21:23:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\ProjectX_Portable
[2010/03/10 21:19:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\tsMuxeR_1.10.6
[2010/03/08 05:27:49 | 000,000,000 | ---D | C] -- C:\Program Files\MSBuild
[2010/03/08 05:27:36 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\XPSViewer
[2010/03/08 05:27:21 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\en-us
[2010/03/08 05:27:20 | 000,000,000 | ---D | C] -- C:\Program Files\Reference Assemblies
[2010/03/08 05:26:38 | 000,022,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\spupdsvc.exe
[2010/03/08 05:26:38 | 000,014,048 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\spmsg2.dll
[2010/03/07 17:46:52 | 000,485,888 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\evr.dll
[2010/03/07 17:46:52 | 000,000,000 | ---D | C] -- C:\My Videos
[2010/03/07 17:46:31 | 000,036,921 | ---- | C] (Hauppauge Computer Works) -- C:\WINDOWS\System32\hcwutl32.dll
[2010/03/07 17:36:09 | 000,000,000 | R-SD | C] -- C:\WINDOWS\assembly
[2010/03/07 17:35:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\v7 wintv
[2010/03/07 17:34:57 | 000,000,000 | ---D | C] -- C:\WINDOWS\PCHEALTH
[2010/03/07 17:34:57 | 000,000,000 | ---D | C] -- C:\WINDOWS\Microsoft.NET
[2010/03/07 17:12:30 | 000,307,256 | ---- | C] (Hauppauge Computer Works) -- C:\WINDOWS\System32\hcwpnp32.dll
[2010/03/07 17:12:30 | 000,106,552 | ---- | C] (Hauppauge Computer Works, Inc.) -- C:\WINDOWS\System32\hcwi2c32.dll
[2010/03/07 17:11:01 | 001,220,224 | ---- | C] (Hauppauge Computer Works, Inc.) -- C:\WINDOWS\System32\drivers\hcw72DTV.sys
[2010/03/07 17:10:55 | 000,028,928 | ---- | C] (Hauppauge Computer Works, Inc.) -- C:\WINDOWS\System32\drivers\hcw72ADFilter.sys
[2010/03/07 17:10:36 | 000,095,744 | ---- | C] (Hauppauge Computer Works, Inc.) -- C:\WINDOWS\System32\hcwcpxx.ax
[2010/03/07 17:10:36 | 000,044,032 | ---- | C] (Hauppauge Computer Works, Inc.) -- C:\WINDOWS\System32\hcw72Co.dll
[2010/03/07 17:10:34 | 001,217,920 | ---- | C] (Hauppauge Computer Works, Inc.) -- C:\WINDOWS\System32\drivers\hcw72ATV.sys
[2010/03/07 13:58:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\LitBirthdays March 2010
[2009/08/27 15:29:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2009/08/27 15:27:32 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009/08/27 15:27:32 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
========== Files - Modified Within 30 Days ==========
[2010/03/29 17:47:16 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/03/29 17:46:30 | 002,883,584 | -H-- | M] () -- C:\Documents and Settings\Administrator\NTUSER.DAT
[2010/03/29 17:46:30 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Administrator\ntuser.ini
[2010/03/29 17:46:24 | 005,881,500 | -H-- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db
[2010/03/29 17:38:59 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/03/29 15:04:17 | 000,000,430 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Opera.lnk
[2010/03/27 16:33:43 | 000,000,558 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/03/27 16:33:43 | 000,000,270 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/03/25 19:47:18 | 000,042,612 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\3rd ref backup cc_20100325_194645.reg
[2010/03/20 22:41:27 | 000,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2010/03/20 03:14:51 | 000,056,816 | ---- | M] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys
[2010/03/18 13:43:09 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Administrator\defogger_reenable
[2010/03/18 12:44:22 | 000,525,824 | ---- | M] () -- C:\dds.com
[2010/03/16 21:38:38 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2010/03/16 07:14:07 | 000,004,972 | ---- | M] () -- C:\WINDOWS\System32\AsTray.ini
[2010/03/14 15:05:42 | 000,939,956 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\7z465.exe
[2010/03/14 10:45:01 | 000,000,558 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\CCleaner.lnk
[2010/03/14 10:42:17 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deploytk.dll
[2010/03/14 10:42:17 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/03/14 10:42:17 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/03/14 10:42:17 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/03/14 10:42:17 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/03/08 13:42:20 | 000,041,568 | ---- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/03/08 13:41:59 | 000,181,832 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/03/08 13:36:31 | 000,399,130 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/03/08 13:36:30 | 000,444,028 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/03/08 13:36:30 | 000,058,458 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/03/07 18:10:52 | 000,004,161 | ---- | M] () -- C:\WINDOWS\ODBCINST.INI
[2010/03/07 18:10:52 | 000,000,483 | ---- | M] () -- C:\WINDOWS\ODBC.INI
[2010/03/07 18:09:09 | 000,003,536 | ---- | M] () -- C:\WINDOWS\HCWPNP.INI
[2010/03/07 17:52:17 | 000,000,769 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinTV Recording Status..lnk
[2010/03/07 17:52:17 | 000,000,740 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\WinTV 7.lnk
[2010/03/07 16:32:46 | 000,000,425 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Install WinTV 7 CD 1.3a.lnk
========== Files Created - No Company Name ==========
[2010/03/25 19:47:16 | 000,042,612 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\3rd ref backup cc_20100325_194645.reg
[2010/03/18 13:43:09 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator\defogger_reenable
[2010/03/18 13:25:37 | 000,525,824 | ---- | C] () -- C:\dds.com
[2010/03/14 15:08:32 | 000,004,972 | ---- | C] () -- C:\WINDOWS\System32\AsTray.ini
[2010/03/14 15:08:28 | 000,125,952 | ---- | C] () -- C:\WINDOWS\System32\igxpun.exe
[2010/03/14 15:05:41 | 000,939,956 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\7z465.exe
[2010/03/14 13:25:27 | 000,000,430 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Opera.lnk
[2010/03/14 11:46:30 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/03/14 11:46:30 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/03/14 11:46:30 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/03/14 11:46:30 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/03/14 11:46:30 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/03/08 05:29:15 | 000,114,400 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/03/07 17:52:17 | 000,000,769 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinTV Recording Status..lnk
[2010/03/07 17:52:17 | 000,000,740 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\WinTV 7.lnk
[2010/03/07 17:48:54 | 000,142,337 | ---- | C] () -- C:\WINDOWS\System32\Wait.exe
[2010/03/07 17:12:02 | 000,003,536 | ---- | C] () -- C:\WINDOWS\HCWPNP.INI
[2010/03/07 16:32:46 | 000,000,425 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\Install WinTV 7 CD 1.3a.lnk
[2009/12/13 20:48:42 | 000,008,192 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/10/14 15:56:22 | 000,399,360 | ---- | C] () -- C:\WINDOWS\System32\Smab.dll
[2009/10/14 15:17:51 | 000,027,648 | ---- | C] () -- C:\WINDOWS\System32\AVSredirect.dll
[2009/10/11 19:35:14 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\dmcrypto.dll
[2009/10/11 19:22:03 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\PsisDecd.dll
[2009/09/07 10:53:12 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2009/09/06 14:59:41 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\adistres.dll
[2009/09/02 09:43:25 | 000,000,483 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/08/29 16:58:57 | 000,016,773 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2009/08/28 10:00:57 | 000,010,288 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2009/08/27 16:18:30 | 000,077,312 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4704.dll
< End of report >
=====================
and the jpg is attached.
Please right click on the bocomfx icon and select properties and post a screen shot. Now please try to access the Malwarebytes web site, if successful then please run Malwarebytes, update the definitions and run a quick scan then post the log back here.
If you still cannot access the site then please reboot and then run another OTL scan and post OTL.txt in your next reply.
-
Hi, here's the OTL script reply
========== OTL ==========
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\\NameServer| /E : value set successfully!
========== FILES ==========
C:\WINDOWS\system32\drivers\utm5nje2.sys moved successfully.
OTL by OldTimer - Version 3.1.37.3 log created on 03252010_195224
------------------------
and the OTL reports
OTL logfile created on: 3/25/2010 7:55:22 PM - Run 3
OTL by OldTimer - Version 3.1.37.3 Folder = D:\Virus Malware removal
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
503.00 Mb Total Physical Memory | 376.00 Mb Available Physical Memory | 75.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 85.00% Paging File free
Paging file location(s): C:\pagefile.sys 500 1512 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 3.72 Gb Total Space | 1.03 Gb Free Space | 27.84% Space Free | Partition Type: NTFS
Drive D: | 1.88 Gb Total Space | 1.47 Gb Free Space | 78.22% Space Free | Partition Type: FAT32
Drive E: | 1.85 Gb Total Space | 0.98 Gb Free Space | 53.24% Space Free | Partition Type: FAT
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Computer Name: ASUS
Current User Name: Administrator
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal
========== Processes (SafeList) ==========
PRC - D:\Virus Malware removal\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\WinTV\WinTV7\WinTVTray.exe (Hauppauge Computer Works, Inc.)
PRC - C:\Program Files\WinTV\TVServer\HauppaugeTVServer.exe (Hauppauge Computer Works)
PRC - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (ArcSoft Inc.)
PRC - C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe (Gadwin Systems, Inc)
PRC - C:\WINDOWS\system32\AsTray.exe (WangYue@BLCU.EDU.CN)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\WINDOWS\system32\acs.exe (Atheros)
PRC - E:\Program Files\WinZip\WZQKPICK.EXE (WinZip Computing, Inc.)
========== Modules (SafeList) ==========
MOD - D:\Virus Malware removal\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\system32\DrvPatch.dll (WangYue@BLCU.EDU.CN)
========== Win32 Services (SafeList) ==========
SRV - (UPS) -- File not found
SRV - (ose) -- File not found
SRV - (odserv) -- File not found
SRV - (ClipSrv) -- File not found
SRV - (CiSvc) -- File not found
SRV - (HauppaugeTVServer) -- C:\Program Files\WinTV\TVServer\HauppaugeTVServer.exe (Hauppauge Computer Works)
SRV - (ACDaemon) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (ArcSoft Inc.)
SRV - (ACS) -- C:\WINDOWS\system32\acs.exe (Atheros)
========== Driver Services (SafeList) ==========
DRV - (hcw72DTV) -- C:\WINDOWS\system32\drivers\hcw72DTV.sys (Hauppauge Computer Works, Inc.)
DRV - (hcw72ATV) -- C:\WINDOWS\system32\drivers\hcw72ATV.sys (Hauppauge Computer Works, Inc.)
DRV - (hcw72ADFilter) -- C:\WINDOWS\system32\drivers\hcw72ADFilter.sys (Hauppauge Computer Works, Inc.)
DRV - (usbaudio) USB Audio Driver (WDM) -- C:\WINDOWS\system32\drivers\USBAUDIO.sys (Microsoft Corporation)
DRV - (MPE) -- C:\WINDOWS\system32\drivers\MPE.sys (Microsoft Corporation)
DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\hdaudbus.sys (Windows ® Server 2003 DDK provider)
DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)
DRV - (AtcL002) -- C:\WINDOWS\system32\drivers\l251x86.sys (Atheros Communications, Inc.)
DRV - (AR5211) -- C:\WINDOWS\system32\drivers\ar5211.sys (Atheros Communications, Inc.)
DRV - (WSIMD) -- C:\WINDOWS\system32\drivers\wsimd.sys (Atheros Communications, Inc.)
DRV - (Afc) -- C:\WINDOWS\system32\drivers\afc.sys (Arcsoft, Inc.)
DRV - (ialm) -- C:\WINDOWS\system32\drivers\igxpmp32.sys (Intel Corporation)
DRV - (APL531) -- C:\WINDOWS\system32\drivers\ov550i.sys (Omnivision Technologies, Inc.)
========== Standard Registry (SafeList) ==========
========== Internet Explorer ==========
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchURL\g, = http://www.google.com/search?q=%s
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchURL\g, = http://www.google.com/search?q=%s
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchURL\g, = http://www.google.com/search?q=%s
IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchURL\g, = http://www.google.com/search?q=%s
IE - HKU\S-1-5-21-1844237615-838170752-515967899-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-1844237615-838170752-515967899-500\Software\Microsoft\Internet Explorer\SearchURL\g, = http://www.google.com/search?q=%s
IE - HKU\S-1-5-21-1844237615-838170752-515967899-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
O1 HOSTS File: ([2001/08/23 07:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\program files\adobe\Acrobat\ActiveX\AcroIEHelper.ocx File not found
O4 - HKLM..\Run: [ACU] C:\Program Files\Atheros\ACU.exe (Atheros Communications, Inc.)
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\ALCMTR.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe (ArcSoft Inc.)
O4 - HKLM..\Run: [igfxTray] C:\WINDOWS\system32\AsTray.exe (WangYue@BLCU.EDU.CN)
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [skyTel] C:\WINDOWS\SkyTel.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [unlockerAssistant] E:\Program Files\File Unlocker\Unlocker\UnlockerAssistant.exe ()
O4 - HKU\S-1-5-21-1844237615-838170752-515967899-500..\Run: [Gadwin PrintScreen] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe (Gadwin Systems, Inc)
O4 - HKU\S-1-5-21-1844237615-838170752-515967899-500..\Run: [sUPERAntiSpyware] E:\Program Files\SUPERAntiSpyware.exe File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk = D:\Program Files\Adobe\Distillr\AcroTray.exe File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinTV Recording Status..lnk = C:\Program Files\WinTV\WinTV7\WinTVTray.exe (Hauppauge Computer Works, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk = E:\Program Files\WinZip\WZQKPICK.EXE (WinZip Computing, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDesktopCleanupWizard = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HideRunAsVerb = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableCAD = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: StartMenuLogoff = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceStartMenuLogoff = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: StartMenuLogoff = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceStartMenuLogoff = 0
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 1
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 1
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: StartMenuLogoff = 1
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceStartMenuLogoff = 0
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 1
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 1
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: StartMenuLogoff = 1
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceStartMenuLogoff = 0
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1
O7 - HKU\S-1-5-21-1844237615-838170752-515967899-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1844237615-838170752-515967899-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1
O7 - HKU\S-1-5-21-1844237615-838170752-515967899-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 1
O7 - HKU\S-1-5-21-1844237615-838170752-515967899-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O7 - HKU\S-1-5-21-1844237615-838170752-515967899-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1
O7 - HKU\S-1-5-21-1844237615-838170752-515967899-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: StartMenuLogoff = 1
O7 - HKU\S-1-5-21-1844237615-838170752-515967899-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceStartMenuLogoff = 0
O7 - HKU\S-1-5-21-1844237615-838170752-515967899-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1
O7 - HKU\S-1-5-21-1844237615-838170752-515967899-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 0
O7 - HKU\S-1-5-21-1844237615-838170752-515967899-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O12 - Plugin for: .spop - C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll File not found
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - Reg Error: Key error. File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - E:\Program Files\SASWINLO.dll - E:\Program Files\SASWINLO.dll File not found
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - E:\Program Files\SASSEH.DLL File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/08/27 15:27:39 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2009/08/27 17:52:02 | 000,000,103 | ---- | M] () - D:\Autorun.inf -- [ FAT32 ]
O33 - MountPoints2\{27ce3bed-9350-11de-a6b0-0015af675024}\Shell\AutoRun\command - "" = D:\LinksysConnectPC.exe -- [2009/08/27 17:52:00 | 003,993,088 | ---- | M] (Linksys, a Division of Cisco Systems, Inc.)
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
========== Files/Folders - Created Within 30 Days ==========
[2010/03/25 19:45:46 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator\Recent
[2010/03/23 15:06:21 | 000,017,920 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ping.exe
[2010/03/23 15:06:16 | 000,076,800 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\nslookup.exe
[2010/03/23 15:06:10 | 000,055,808 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ipconfig.exe
[2010/03/22 08:26:08 | 000,000,000 | --SD | C] -- C:\bocomfx
[2010/03/20 15:30:48 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/03/18 13:15:49 | 000,056,816 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys
[2010/03/14 20:16:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\gmer
[2010/03/14 15:12:25 | 000,040,448 | ---- | C] (Intel Corporation) -- C:\WINDOWS\System32\igfxres.dll
[2010/03/14 15:08:32 | 000,047,104 | ---- | C] (WangYue@BLCU.EDU.CN) -- C:\WINDOWS\System32\AsTray.exe
[2010/03/14 15:08:29 | 000,011,264 | ---- | C] (WangYue@BLCU.EDU.CN) -- C:\WINDOWS\System32\DrvPatch.dll
[2010/03/14 15:04:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\7-Zip
[2010/03/14 15:03:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\New Folder
[2010/03/14 14:58:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\EEEPC graphics drivers
[2010/03/14 14:34:22 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/03/14 13:25:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Opera
[2010/03/14 13:25:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Opera
[2010/03/14 12:59:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\Anti-Malware stuff
[2010/03/14 11:49:18 | 000,000,000 | ---D | C] -- C:\MGtools
[2010/03/14 11:46:30 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/03/14 11:46:30 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/03/14 11:46:30 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/03/14 11:46:30 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/03/14 11:46:19 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/03/14 11:45:30 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/03/14 10:51:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2010/03/14 10:48:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
[2010/03/14 10:43:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/03/14 10:43:17 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010/03/14 10:42:46 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/03/14 10:42:46 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/03/14 10:42:46 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/03/14 10:42:46 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/03/14 10:42:11 | 000,000,000 | ---D | C] -- C:\Program Files\Java
[2010/03/13 06:23:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2010/03/12 20:43:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\AVG8
[2010/03/12 12:11:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\possible virus or malware
[2010/03/12 12:04:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\igfx Intel graphics driver files
[2010/03/12 11:29:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
[2010/03/12 11:29:49 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/03/12 11:29:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/03/12 11:29:24 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/03/10 21:23:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\ProjectX_Portable
[2010/03/10 21:19:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\tsMuxeR_1.10.6
[2010/03/08 05:27:49 | 000,000,000 | ---D | C] -- C:\Program Files\MSBuild
[2010/03/08 05:27:36 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\XPSViewer
[2010/03/08 05:27:21 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\en-us
[2010/03/08 05:27:20 | 000,000,000 | ---D | C] -- C:\Program Files\Reference Assemblies
[2010/03/08 05:26:38 | 000,022,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\spupdsvc.exe
[2010/03/08 05:26:38 | 000,014,048 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\spmsg2.dll
[2010/03/07 17:46:52 | 000,485,888 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\evr.dll
[2010/03/07 17:46:52 | 000,000,000 | ---D | C] -- C:\My Videos
[2010/03/07 17:46:31 | 000,036,921 | ---- | C] (Hauppauge Computer Works) -- C:\WINDOWS\System32\hcwutl32.dll
[2010/03/07 17:36:09 | 000,000,000 | R-SD | C] -- C:\WINDOWS\assembly
[2010/03/07 17:35:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\v7 wintv
[2010/03/07 17:34:57 | 000,000,000 | ---D | C] -- C:\WINDOWS\PCHEALTH
[2010/03/07 17:34:57 | 000,000,000 | ---D | C] -- C:\WINDOWS\Microsoft.NET
[2010/03/07 17:12:30 | 000,307,256 | ---- | C] (Hauppauge Computer Works) -- C:\WINDOWS\System32\hcwpnp32.dll
[2010/03/07 17:12:30 | 000,106,552 | ---- | C] (Hauppauge Computer Works, Inc.) -- C:\WINDOWS\System32\hcwi2c32.dll
[2010/03/07 17:11:01 | 001,220,224 | ---- | C] (Hauppauge Computer Works, Inc.) -- C:\WINDOWS\System32\drivers\hcw72DTV.sys
[2010/03/07 17:10:55 | 000,028,928 | ---- | C] (Hauppauge Computer Works, Inc.) -- C:\WINDOWS\System32\drivers\hcw72ADFilter.sys
[2010/03/07 17:10:36 | 000,095,744 | ---- | C] (Hauppauge Computer Works, Inc.) -- C:\WINDOWS\System32\hcwcpxx.ax
[2010/03/07 17:10:36 | 000,044,032 | ---- | C] (Hauppauge Computer Works, Inc.) -- C:\WINDOWS\System32\hcw72Co.dll
[2010/03/07 17:10:34 | 001,217,920 | ---- | C] (Hauppauge Computer Works, Inc.) -- C:\WINDOWS\System32\drivers\hcw72ATV.sys
[2010/03/07 13:58:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\LitBirthdays March 2010
[2009/08/27 15:29:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2009/08/27 15:27:32 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009/08/27 15:27:32 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
========== Files - Modified Within 30 Days ==========
[2010/03/25 19:47:18 | 000,042,612 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\3rd ref backup cc_20100325_194645.reg
[2010/03/22 08:12:32 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/03/22 08:12:29 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/03/20 22:41:27 | 000,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2010/03/20 22:06:05 | 002,883,584 | -H-- | M] () -- C:\Documents and Settings\Administrator\NTUSER.DAT
[2010/03/20 22:06:05 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Administrator\ntuser.ini
[2010/03/20 06:11:04 | 005,880,278 | -H-- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db
[2010/03/20 03:14:51 | 000,056,816 | ---- | M] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys
[2010/03/18 13:43:09 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Administrator\defogger_reenable
[2010/03/18 12:44:22 | 000,525,824 | ---- | M] () -- C:\dds.com
[2010/03/16 21:38:38 | 000,000,558 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/03/16 21:38:38 | 000,000,270 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/03/16 21:38:38 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2010/03/16 07:14:07 | 000,004,972 | ---- | M] () -- C:\WINDOWS\System32\AsTray.ini
[2010/03/14 15:05:42 | 000,939,956 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\7z465.exe
[2010/03/14 13:25:27 | 000,000,430 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Opera.lnk
[2010/03/14 10:45:01 | 000,000,558 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\CCleaner.lnk
[2010/03/14 10:42:17 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deploytk.dll
[2010/03/14 10:42:17 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/03/14 10:42:17 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/03/14 10:42:17 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/03/14 10:42:17 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/03/08 13:42:20 | 000,041,568 | ---- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/03/08 13:41:59 | 000,181,832 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/03/08 13:36:31 | 000,399,130 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/03/08 13:36:30 | 000,444,028 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/03/08 13:36:30 | 000,058,458 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/03/07 18:10:52 | 000,004,161 | ---- | M] () -- C:\WINDOWS\ODBCINST.INI
[2010/03/07 18:10:52 | 000,000,483 | ---- | M] () -- C:\WINDOWS\ODBC.INI
[2010/03/07 18:09:09 | 000,003,536 | ---- | M] () -- C:\WINDOWS\HCWPNP.INI
[2010/03/07 17:52:17 | 000,000,769 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinTV Recording Status..lnk
[2010/03/07 17:52:17 | 000,000,740 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\WinTV 7.lnk
[2010/03/07 16:32:46 | 000,000,425 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Install WinTV 7 CD 1.3a.lnk
========== Files Created - No Company Name ==========
[2010/03/25 19:47:16 | 000,042,612 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\3rd ref backup cc_20100325_194645.reg
[2010/03/18 13:43:09 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator\defogger_reenable
[2010/03/18 13:25:37 | 000,525,824 | ---- | C] () -- C:\dds.com
[2010/03/14 15:08:32 | 000,004,972 | ---- | C] () -- C:\WINDOWS\System32\AsTray.ini
[2010/03/14 15:08:28 | 000,125,952 | ---- | C] () -- C:\WINDOWS\System32\igxpun.exe
[2010/03/14 15:05:41 | 000,939,956 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\7z465.exe
[2010/03/14 13:25:27 | 000,000,430 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Opera.lnk
[2010/03/14 11:46:30 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/03/14 11:46:30 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/03/14 11:46:30 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/03/14 11:46:30 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/03/14 11:46:30 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/03/08 05:29:15 | 000,114,400 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/03/07 17:52:17 | 000,000,769 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinTV Recording Status..lnk
[2010/03/07 17:52:17 | 000,000,740 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\WinTV 7.lnk
[2010/03/07 17:48:54 | 000,142,337 | ---- | C] () -- C:\WINDOWS\System32\Wait.exe
[2010/03/07 17:12:02 | 000,003,536 | ---- | C] () -- C:\WINDOWS\HCWPNP.INI
[2010/03/07 16:32:46 | 000,000,425 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\Install WinTV 7 CD 1.3a.lnk
[2009/12/13 20:48:42 | 000,008,192 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/10/14 15:56:22 | 000,399,360 | ---- | C] () -- C:\WINDOWS\System32\Smab.dll
[2009/10/14 15:17:51 | 000,027,648 | ---- | C] () -- C:\WINDOWS\System32\AVSredirect.dll
[2009/10/11 19:35:14 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\dmcrypto.dll
[2009/10/11 19:22:03 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\PsisDecd.dll
[2009/09/07 10:53:12 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2009/09/06 14:59:41 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\adistres.dll
[2009/09/02 09:43:25 | 000,000,483 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/08/29 16:58:57 | 000,016,773 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2009/08/28 10:00:57 | 000,010,288 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2009/08/27 16:18:30 | 000,077,312 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4704.dll
< End of report >
====================
OTL Extras logfile created on: 3/25/2010 7:55:22 PM - Run 3
OTL by OldTimer - Version 3.1.37.3 Folder = D:\Virus Malware removal
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
503.00 Mb Total Physical Memory | 376.00 Mb Available Physical Memory | 75.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 85.00% Paging File free
Paging file location(s): C:\pagefile.sys 500 1512 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 3.72 Gb Total Space | 1.03 Gb Free Space | 27.84% Space Free | Partition Type: NTFS
Drive D: | 1.88 Gb Total Space | 1.47 Gb Free Space | 78.22% Space Free | Partition Type: FAT32
Drive E: | 1.85 Gb Total Space | 0.98 Gb Free Space | 53.24% Space Free | Partition Type: FAT
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Computer Name: ASUS
Current User Name: Administrator
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal
========== Extra Registry (SafeList) ==========
========== File Associations ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = Opera.HTML] -- E:\Program Files\OPERA BROWSER\opera.exe (Opera Software)
========== Shell Spawning ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "E:\Office12\msohtmed.exe" %1 File not found
htmlfile [open] -- Reg Error: Key error.
htmlfile [opennew] -- Reg Error: Key error.
htmlfile [print] -- "E:\Office12\msohtmed.exe" /p %1 File not found
http [open] -- "E:\Program Files\OPERA BROWSER\opera.exe" (Opera Software)
https [open] -- "E:\Program Files\OPERA BROWSER\opera.exe" (Opera Software)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "D:\Program Files\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" File not found
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "D:\Program Files\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" File not found
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- Reg Error: Key error.
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" File not found
========== Security Center Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
========== Authorized Applications List ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- File not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- File not found
"C:\WINDOWS\system32\dpvsetup.exe" = C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test -- (Microsoft Corporation)
"C:\Program Files\WinTV\WinTV7\WinTV7.exe" = C:\Program Files\WinTV\WinTV7\WinTV7.exe:*:Enabled:WinTV7 -- (Hauppauge Computer Works, Inc.)
"E:\Program Files\OPERA BROWSER\opera.exe" = E:\Program Files\OPERA BROWSER\opera.exe:*:Enabled:Opera Internet Browser -- (Opera Software)
========== HKEY_LOCAL_MACHINE Uninstall List ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{063E409E-3D7C-4A4A-95AB-2F124B9224B3}" = ArcSoft PhotoImpression 6
"{0A755762-EED8-47AB-A446-505766F93D43}" = Atheros Communications Inc.® L2 Fast Ethernet Driver
"{26A24AE4-039D-4CA4-87B4-2F83216018FF}" = Java 6 Update 18
"{28006915-2739-4EBE-B5E8-49B25D32EB33}" = Atheros Client Installation Program
"{2BA00471-0328-3743-93BD-FA813353A783}" = Microsoft .NET Framework 3.0 Service Pack 1
"{2FC099BD-AC9B-33EB-809C-D332E1B27C40}" = Microsoft .NET Framework 3.5
"{332BCC03-A1B7-4BE7-8C8A-2B1333E22C33}" = Opera 10.50
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{5A347920-4AFC-11D5-9FB0-800649886934}" = SDFormatter
"{6B566EFE-DC1D-471F-93DD-84832663F140}" = OVT Scanner X86
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{91120000-0013-0000-0000-0000000FF1CE}" = Microsoft Office Basic 2007
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{B508B3F1-A24A-32C0-B310-85786919EF28}" = Microsoft .NET Framework 2.0 Service Pack 1
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"7-Zip" = 7-Zip 4.65
"Adobe Acrobat 5.0" = Adobe Acrobat 5.0
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Photoshop 7.0" = Adobe Photoshop 7.0
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"Audacity_is1" = Audacity 1.2.6
"CCleaner" = CCleaner
"Cool Edit Pro 2.1" = Cool Edit Pro 2.1
"Gadwin PrintScreen" = Gadwin PrintScreen
"Hauppauge WinTV 7" = Hauppauge WinTV 7
"HDMI" = Intel® Graphics Media Accelerator Driver
"HijackThis" = HijackThis 2.0.2
"Karen's Computer Profiler" = Karen's Computer Profiler
"Karen's Time Sync" = Karen's Time Sync
"Karen's WhoIs" = Karen's WhoIs
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5" = Microsoft .NET Framework 3.5
"Nero - Burning Rom!UninstallKey" = Nero OEM
"OVT Scanner" = Uninstall OVT Scanner
"QuicktimeAlt_is1" = QuickTime Alternative 3.0.0
"RealAlt_is1" = Real Alternative 2.0.1
"ST6UNST #1" = Karen's Disk Slack Checker
"SUPER
-
Okey dokey
-----------------------------
March 23 Results.txt
*** Can't find server name for address 93.188.162.117: Server failed
Server: 93.188.161.67.static.ukrtelegroup.com.ua
Address: 93.188.161.67
Name: www.malwarebytes.org
*** 93.188.162.117.static.ukrtelegroup.com.ua can't find www.safer-networking.org: Non-existent domain
Server: 93.188.162.117.static.ukrtelegroup.com.ua
Address: 93.188.162.117
Ping request could not find host www.safer-networking.org. Please check the name and try again.
Windows IP Configuration
Host Name . . . . . . . . . . . . : asus
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : dc.dc.cox.net
Ethernet adapter Wireless Network Connection:
Connection-specific DNS Suffix . : dc.dc.cox.net
Description . . . . . . . . . . . : Atheros AR5007EG Wireless Network Adapter
Physical Address. . . . . . . . . : 00-15-AF-67-50-24
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.1.117
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 93.188.162.117
93.188.161.67
Lease Obtained. . . . . . . . . . : Tuesday, March 23, 2010 3:36:07 PM
Lease Expires . . . . . . . . . . : Wednesday, March 24, 2010 3:36:07 PM
Ethernet adapter Local Area Connection:
Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Atheros L2 Fast Ethernet 10/100 Base-T Controller
Physical Address. . . . . . . . . : 00-1E-8C-41-7C-C8
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
Server: 93.188.162.117.static.ukrtelegroup.com.ua
Address: 93.188.162.117
Name: www.malwarebytes.org
*** 93.188.162.117.static.ukrtelegroup.com.ua can't find www.safer-networking.org: Non-existent domain
Server: 93.188.162.117.static.ukrtelegroup.com.ua
Address: 93.188.162.117
Ping request could not find host www.safer-networking.org. Please check the name and try again.
------------------------------------
March 23 OTL report
========== SERVICES/DRIVERS ==========
Service utm5nje2 stopped successfully!
Service utm5nje2 deleted successfully!
Error: No service named :files was found to stop!
Service\Driver key :files not found.
Error: No service named C:\WINDOWS\system32\drivers\utm5nje2.sys was found to stop!
Service\Driver key C:\WINDOWS\system32\drivers\utm5nje2.sys not found.
OTL by OldTimer - Version 3.1.37.3 log created on 03232010_151434
=======================
About Start-Run: I don't have a Start-Run. At least I can't find it. I always go to a command line prompt when I'm following instructions that say Start-Run. In this case the command line uninstall instruction couldn't find the file. Can't I just delete the bocomfx.exe file?
Thank you, DL.
results.txt should open in Notepad automatically when the script has completed; post the contents of this file in your next response along with the log from OTL.
-
Thank you, DeltaLima. We don't want you saying this is a thankless job.
Internet access is not blocked on the infected PC.
The ISP is Cox Cable.
bocomfx.exe is my renaming of combofix. I could not get it to run properly, and it still can't. It says "PING is not recognized" and "Combofix is preparing to run" and then nothing. I think I screwed something up when I put it on the PC, because ... well nevermind, it's off the topic.
Here is Virus Total for both files:
===================
virustotal results
File utm5nje2.sys received on 2010.03.22 13:39:22 (UTC)
Current status: finished
Result: 18/42 (42.86%)
Compact
================================
Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.03.22 Trojan.Win32.Bagle!IK
AhnLab-V3 5.0.0.2 2010.03.22 -
AntiVir 8.2.1.196 2010.03.22 -
Antiy-AVL 2.0.3.7 2010.03.19 -
Authentium 5.2.0.5 2010.03.22 W32/Bagle.IJ
Avast 4.8.1351.0 2010.03.22 -
Avast5 5.0.332.0 2010.03.22 -
AVG 9.0.0.787 2010.03.22 -
BitDefender 7.2 2010.03.22 -
CAT-QuickHeal 10.00 2010.03.22 -
ClamAV 0.96.0.0-git 2010.03.22 Trojan.Agent-66914
Comodo 4349 2010.03.22 -
DrWeb 5.0.1.12222 2010.03.22 -
eSafe 7.0.17.0 2010.03.21 Win32.Bagle.RC.worm
eTrust-Vet 35.2.7381 2010.03.22 -
F-Prot 4.5.1.85 2010.03.22 W32/Bagle.IJ
F-Secure 9.0.15370.0 2010.03.22 Rootkit:W32/Bagle.SR
Fortinet 4.0.14.0 2010.03.22 W32/Bagle.ZNG!worm
GData 19 2010.03.22 -
Ikarus T3.1.1.80.0 2010.03.22 Trojan.Win32.Bagle
Jiangmin 13.0.900 2010.03.22 Trojan/Agent.cmdf
K7AntiVirus 7.10.1002 2010.03.19 Trojan.Win32.Malware.1
Kaspersky 7.0.0.125 2010.03.22 -
McAfee 5927 2010.03.21 -
McAfee+Artemis 5927 2010.03.21 -
McAfee-GW-Edition 6.8.5 2010.03.22 -
Microsoft 1.5605 2010.03.22 -
NOD32 4965 2010.03.22 -
Norman 6.04.09 2010.03.22 W32/Bagle.GEX
nProtect 2009.1.8.0 2010.03.22 Worm/W32.Bagle.7168
Panda 10.0.2.2 2010.03.22 -
PCTools 7.0.3.5 2010.03.22 Trojan-Downloader.Bagle
Prevx 3.0 2010.03.22 Medium Risk Malware
Rising 22.40.00.04 2010.03.22 Trojan.Win32.Generic.51E920C9
Sophos 4.51.0 2010.03.22 -
Sunbelt 6024 2010.03.22 Trojan.Win32.Generic!BT
Symantec 20091.2.0.41 2010.03.22 -
TheHacker 6.5.2.0.241 2010.03.22 Trojan/Rootkit.gen
TrendMicro 9.120.0.1004 2010.03.22 -
VBA32 3.12.12.2 2010.03.19 -
ViRobot 2010.3.22.2238 2010.03.22 Trojan.Win32.Bagle.7168
VirusBuster 5.0.27.0 2010.03.21 -
==================
Additional information
File size: 7168 bytes
MD5...: 524d8d450622db4a7875b111c299a76b
SHA1..: fe22db1e0b864e77baeca5520c05c42431784fd8
SHA256: 7ae9aae77884ac0baa2f8168b3ed4de0c0c9834a42d8e5a775f47a2c66cec237
ssdeep: 96:wQQovxXZHQ7SioGfU2zSVeUvaUOPLNI8n1Sw1xJj0o:w+PQ/oV2z2eaaUOW8RI
PEiD..: -
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x1990
timedatestamp.....: 0x4788d40f (Sat Jan 12 14:51:59 2008)
machinetype.......: 0x14c (I386)
( 6 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x9d4 0xa00 5.78 b65e29f81689fbde8b3d49891e4011de
.rdata 0x2000 0x144 0x200 2.93 4c5e3a3a7d9a4ad57704be677563d7ca
.data 0x3000 0x20 0x200 0.26 4f4f5306b935a3d853c02c6c206aa506
INIT 0x4000 0x292 0x400 3.74 a077364ef66a2ed1ad88d7557f37474a
.rsrc 0x5000 0x300 0x400 2.56 85021f99de084aa59772f678fd7aaf3a
.reloc 0x6000 0x106 0x200 2.65 173202905f3e2cfaecaf72eb73fd3c1c
( 2 imports )
> ntoskrnl.exe: MmIsAddressValid, MmProbeAndLockPages, MmMapLockedPagesSpecifyCache, MmBuildMdlForNonPagedPool, IoAllocateMdl, _except_handler3, ObfDereferenceObject, ObReferenceObjectByName, MmUnlockPages, RtlInitUnicodeString, KeServiceDescriptorTable, PsGetCurrentProcessId, IoGetCurrentProcess, IoDeleteDevice, IoCreateSymbolicLink, IoCreateDevice, IoDeleteSymbolicLink, IoFreeMdl, IoDriverObjectType, IofCompleteRequest
> HAL.dll: KfLowerIrql, KeRaiseIrqlToDpcLevel
( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable Generic (68.0%)
Generic Win/DOS Executable (15.9%)
DOS Executable Generic (15.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=524d8d450622db4a7875b111c299a76b
sigcheck:
publisher....: n/a
copyright....: Zaitsev Oleg, Copyright © 2004-2006
product......: AVZ Driver
description..: AVZ Driver
original name: avz.sys
internal name: avz.sys
file version.: 1, 2, 0, 0
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
http://info.prevx.com/aboutprogramtext.asp?PX5=16590770003B863E1CA000B5C14F3D00CCFB2D16
---------------------------------
File bocomfx.exe received on 2010.03.22 13:47:59 (UTC)
Current status: finished
Result: 7/42 (16.67%)
======================
Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.03.22 -
AhnLab-V3 5.0.0.2 2010.03.22 -
AntiVir 8.2.1.196 2010.03.22 -
Antiy-AVL 2.0.3.7 2010.03.19 -
Authentium 5.2.0.5 2010.03.22 -
Avast 4.8.1351.0 2010.03.22 -
Avast5 5.0.332.0 2010.03.22 -
AVG 9.0.0.787 2010.03.22 -
BitDefender 7.2 2010.03.22 -
CAT-QuickHeal 10.00 2010.03.22 -
ClamAV 0.96.0.0-git 2010.03.22 -
Comodo 4349 2010.03.22 ApplicUnsaf.Win32.Hide.~AB
DrWeb 5.0.1.12222 2010.03.22 -
eSafe 7.0.17.0 2010.03.21 -
eTrust-Vet 35.2.7381 2010.03.22 -
F-Prot 4.5.1.85 2010.03.22 -
F-Secure 9.0.15370.0 2010.03.22 -
Fortinet 4.0.14.0 2010.03.22 PossibleThreat
GData 19 2010.03.22 -
Ikarus T3.1.1.80.0 2010.03.22 -
Jiangmin 13.0.900 2010.03.22 Backdoor/RBot.oqm
K7AntiVirus 7.10.1002 2010.03.19 -
Kaspersky 7.0.0.125 2010.03.22 -
McAfee 5927 2010.03.21 -
McAfee+Artemis 5927 2010.03.21 Artemis!696CAFEF7D46
McAfee-GW-Edition 6.8.5 2010.03.22 -
Microsoft 1.5605 2010.03.22 -
NOD32 4965 2010.03.22 -
Norman 6.04.09 2010.03.22 -
nProtect 2009.1.8.0 2010.03.22 -
Panda 10.0.2.2 2010.03.22 -
PCTools 7.0.3.5 2010.03.22 Application.NirCmd
Prevx 3.0 2010.03.22 -
Rising 22.40.00.04 2010.03.22 -
Sophos 4.51.0 2010.03.22 NirCmd
Sunbelt 6024 2010.03.22 -
Symantec 20091.2.0.41 2010.03.22 -
TheHacker 6.5.2.0.241 2010.03.22 -
TrendMicro 9.120.0.1004 2010.03.22 -
VBA32 3.12.12.2 2010.03.19 Trojan.Win32.Agent2.cpop
ViRobot 2010.3.22.2238 2010.03.22 -
VirusBuster 5.0.27.0 2010.03.21 -
Additional information
File size: 3888953 bytes
MD5...: 696cafef7d468312521ca0daf9443c22
SHA1..: cf338a8111bb34c47023cd27ed9e15576a253116
SHA256: 12139e4259122142a5e79877faa8404d2add9ba36acfbd38dd1af6e884a0b43b
ssdeep: 98304:ZdT5ACRG3hpdqdg4t6lrhikwZqIB+HpPsFj8:7y+GIdtWikwvoH6Fj8
PEiD..: -
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x25a60
timedatestamp.....: 0x4a6427af (Mon Jul 20 08:15:43 2009)
machinetype.......: 0x14c (I386)
( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
UPX0 0x1000 0x1a000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
UPX1 0x1b000 0xb000 0xac00 7.91 1bc1245ff9048fed736ae63682ed39f4
.rsrc 0x26000 0x2000 0x1800 4.36 e4b3312c3ff4026176ec0979d40e3540
( 9 imports )
> KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
> ADVAPI32.dll: RegCloseKey
> COMCTL32.dll: -
> COMDLG32.dll: GetSaveFileNameA
> GDI32.dll: DeleteDC
> ole32.dll: OleInitialize
> OLEAUT32.dll: -
> SHELL32.dll: SHGetMalloc
> USER32.dll: GetDC
( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: UPX compressed Win32 Executable (39.5%)
Win32 EXE Yoda's Crypter (34.3%)
Win32 Executable Generic (11.0%)
Win32 Dynamic Link Library (generic) (9.8%)
Generic Win/DOS Executable (2.5%)
packers (Kaspersky): PE_Patch.UPX, UPX, PE_Patch.UPX, UPX, PE_Patch.PECompact, PecBundle, PECompact, PE_Patch.PECompact, PecBundle, PECompact, UPX, PE_Patch.UPX, UPX, UPX, UPX, PE_Patch.UPX, UPX, PE_Patch.UPX, UPX, PE_Patch.UPX, UPX, PE_Patch, PE_Patch.UPX, UPX, PE_Patch.UPX, UPX, PE_Patch.UPX, UPX, UPX, UPX, PE_Patch.UPX, UPX
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
packers (F-Prot): RAR, UPX, PecBundle, PECompact
====================
Here is the GMER file
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-22 09:05:15
Windows 5.1.2600 Service Pack 3
Running: mrge.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pxtdrpoc.sys
---- Registry - GMER 1.0.15 ----
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
---- EOF - GMER 1.0.15 ----
====================
Toodles.
Please clarify, is Internet access completely blocked on the infected PC or just access to security related sites such as Malwarebytes? Also please confirm that your ISP is COX-ATLANTA.
Please submit the following files to Virustotal and post the results in your next reply.
C:\WINDOWS\system32\drivers\utm5nje2.sys
C:\Documents and Settings\Administrator\Desktop\bocomfx.exe
It seems that Combofix has already been run on the computer; please post the log from that run. It should be located at c:\combofix.txt
Now please run a new GMER scan using the original instructions and post the log in your next reply.
-
Okay.
Ran TFC. It took a few seconds.
Uploaded fqomoa.exe to Virus Total. I don't understand, is 67% bad? It's a passing grade. Note that I have to do things from the desktop pc, so the upload to VirusTotal is done from the non-infected desktop.
My little eee pc does not compute nslookup or ping. I tested the script on the desktop pc and it did return DNS for both, but was only able to contact safer-net.
========================
VirusTotal
Scan of fqomoa.exe
File Fqomoa.exe received on 2010.03.21 02:05:35 (UTC)
Current status: finished
Result: 28/42 (66.67%)
============================================================================
Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.03.20 Packed.Win32.Krap.as!A2
AhnLab-V3 5.0.0.2 2010.03.20 -
AntiVir 8.2.1.196 2010.03.19 TR/Crypt.XPACK.Gen2
Antiy-AVL 2.0.3.7 2010.03.19 Packed/Win32.Krap.gen
Authentium 5.2.0.5 2010.03.21 W32/FraudPack.E!Generic
Avast 4.8.1351.0 2010.03.20 Win32:Rootkit-gen
Avast5 5.0.332.0 2010.03.20 Win32:Rootkit-gen
AVG 9.0.0.787 2010.03.20 FakeAV.ACM
BitDefender 7.2 2010.03.21 -
CAT-QuickHeal 10.00 2010.03.19 Trojan.Krap.as
ClamAV 0.96.0.0-git 2010.03.20 -
Comodo 4335 2010.03.21 -
DrWeb 5.0.1.12222 2010.03.21 Trojan.DownLoad1.16994
eSafe 7.0.17.0 2010.03.18 -
eTrust-Vet 35.2.7376 2010.03.19 Win32/Wardunlo.EG
F-Prot 4.5.1.85 2010.03.21 W32/FraudPack.E!Generic
F-Secure 9.0.15370.0 2010.03.20 -
Fortinet 4.0.14.0 2010.03.20 -
GData 19 2010.03.21 Win32:Rootkit-gen
Ikarus T3.1.1.80.0 2010.03.20 -
Jiangmin 13.0.900 2010.03.20 Packed.Krap.brif
K7AntiVirus 7.10.1002 2010.03.19 -
Kaspersky 7.0.0.125 2010.03.21 Packed.Win32.Krap.as
McAfee 5926 2010.03.20 Downloader-CEW
McAfee+Artemis 5926 2010.03.20 Downloader-CEW
McAfee-GW-Edition 6.8.5 2010.03.20 Trojan.Crypt.XPACK.Gen2
Microsoft 1.5605 2010.03.20 TrojanDownloader:Win32/Renos.KF
NOD32 4961 2010.03.20 Win32/TrojanDownloader.FakeAlert.AQI
Norman 6.04.09 2010.03.20 -
nProtect 2009.1.8.0 2010.03.20 -
Panda 10.0.2.2 2010.03.20 -
PCTools 7.0.3.5 2010.03.20 -
Prevx 3.0 2010.03.21 Medium Risk Malware
Rising 22.39.06.01 2010.03.21 Trojan.Win32.Nodef.zaf
Sophos 4.51.0 2010.03.21 Mal/FakeAV-CO
Sunbelt 5999 2010.03.21 Trojan.Win32.Generic!SB.0
Symantec 20091.2.0.41 2010.03.21 Suspicious.Insight
TheHacker 6.5.2.0.241 2010.03.21 Trojan/Krap.as
TrendMicro 9.120.0.1004 2010.03.20 TROJ_RENOS.SMPE
VBA32 3.12.12.2 2010.03.19 -
ViRobot 2010.3.19.2236 2010.03.20 Trojan.Win32.Krap.152064.E
VirusBuster 5.0.27.0 2010.03.20 Trojan.Codecpack.Gen.3
Additional information
File size: 152064 bytes
MD5...: a05fa53fb7b153933193d8e636d9132e
SHA1..: 761432e3cc4942d3a2b51f0d9e087d900c588cff
SHA256: 1b48d574076109503221c9fa698d33ee9df6c41b115ab38b3e6614995ef9cffc
ssdeep: 3072:uCoV0uyTwEwc1Iq+p/xwnvnd6fqXWIpRd:m01rJIq+pZwn/UiGIB
PEiD..: -
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x1446
timedatestamp.....: 0x4aeb0cb7 (Fri Oct 30 15:56:39 2009)
machinetype.......: 0x14c (I386)
( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
BSS 0x1000 0x697e 0x6a00 5.42 b2f8f08fdd6ab7545d68a7ac25769281
DATA 0x8000 0x32cc5 0x1ce00 7.27 027ec3a7754f776339b6377ac7c69d3f
.tls 0x3b000 0x101d 0x1200 2.70 ce10e5f1eb474d8669597ac678b2dfda
.edata 0x3d000 0x12b 0x200 0.00 bf619eac0cdf3f68d496ea9344137e8b
.data 0x3e000 0x1e0 0x200 0.06 ca23f95849f3213e71961b45b3f0f880
( 6 imports )
> KERNEL32.DLL: LocalAlloc, GetStartupInfoA, ExitProcess, FindResourceA, CreateFileA, VirtualAlloc, GetUserDefaultLCID, GetStringTypeA, GetStringTypeW, GetVersion, VirtualAllocEx, SetEndOfFile, LocalFree, MoveFileA, GetOEMCP, InitializeCriticalSection, GetProcessHeap, lstrlenA, LoadLibraryExA
> user32.dll: DrawMenuBar, GetMenuItemInfoA, MessageBoxA, EnumThreadWindows, GetSysColor, CreateWindowExA, DrawFrameControl, DrawIcon, SetWindowTextA, DrawEdge, CreatePopupMenu, BeginDeferWindowPos, EndDeferWindowPos, SystemParametersInfoA, DefMDIChildProcA, GetMenuState, RegisterClassA, FrameRect
> comdlg32.dll: GetOpenFileNameA
> OLE32.DLL: StringFromIID, CoCreateGuid, CoGetMalloc, WriteClassStm, CreateOleAdviseHolder, CoUnmarshalInterface
> advapi32.dll: RegDeleteValueA
> MSVCRT.DLL: atol, time, sprintf, wcscspn, exit, swprintf, rand, memcpy, tolower, sqrt, calloc, memmove, memset
( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable Generic (38.4%)
Win32 Dynamic Link Library (generic) (34.2%)
Clipper DOS Executable (9.1%)
Generic Win/DOS Executable (9.0%)
DOS Executable Generic (9.0%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
http://info.prevx.com/aboutprogramtext.asp?PX5=F0887DE30065B2CD525E027B77201F0070C8CDC2
=============================
script
'Nslookup' is not recognized as an internal or external command,
operable program or batch file.
'Nslookup' is not recognized as an internal or external command,
operable program or batch file.
'Ping' is not recognized as an internal or external command,
operable program or batch file.
'ping' is not recognized as an internal or external command,
operable program or batch file.
===================
results.txt should open in Notepad automatically when the script has completed; post the contents of this file in your next response along with the results from Virustotal.
-
Alas, DeltaLima, would 'twere that easy.
They are clever.
Here is the log. I cannot get to malwarebytes.org or spybot (safer-networking.org).
I don't want to confuse things with too much information, but I do have:
- someone else answered my original post with some info on where the tubezz.org url redirects to -- Ohmniscient's post. I can't find the message placed on malwarebytes, but I did find another post at McAfee site:
-------------------------------
"then redirects to:
http://update-center.net/microsoft/get_update.php?sid=2
which redirects to: http://thetubestores.com/xplays.php?id=45158, which redirects to: http://besttoolsonline.com/video-plugin.45158.exe
which is a malware!
-----------------------------------------------
- This article just came up on Google: "It seems that fans around the world are not the only ones who are hooked on the Oscars. Just a day after this year
-
Hi, here are the OTL results - I'm attaching the txt files.
=====================
OTL logfile created on: 3/20/2010 3:44:53 AM - Run 2
OTL by OldTimer - Version 3.1.37.3 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
503.00 Mb Total Physical Memory | 343.00 Mb Available Physical Memory | 68.00% Memory free
974.00 Mb Paging File | 852.00 Mb Available in Paging File | 87.00% Paging File free
Paging file location(s): C:\pagefile.sys 500 1512 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 3.72 Gb Total Space | 1.23 Gb Free Space | 33.07% Space Free | Partition Type: NTFS
Drive D: | 1.88 Gb Total Space | 1.47 Gb Free Space | 78.27% Space Free | Partition Type: FAT32
Drive E: | 1.85 Gb Total Space | 0.98 Gb Free Space | 53.24% Space Free | Partition Type: FAT
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Computer Name: ASUS
Current User Name: Administrator
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal
========== Processes (SafeList) ==========
PRC - C:\Documents and Settings\Administrator\Desktop\random.exe (OldTimer Tools)
PRC - E:\Program Files\File Unlocker\Unlocker\UnlockerAssistant.exe ()
PRC - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (ArcSoft Inc.)
PRC - C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe (Gadwin Systems, Inc)
PRC - C:\WINDOWS\system32\AsTray.exe (WangYue@BLCU.EDU.CN)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - E:\Program Files\WinZip\WZQKPICK.EXE (WinZip Computing, Inc.)
========== Modules (SafeList) ==========
MOD - C:\Documents and Settings\Administrator\Desktop\random.exe (OldTimer Tools)
MOD - E:\Program Files\File Unlocker\Unlocker\UnlockerHook.dll ()
MOD - C:\WINDOWS\system32\DrvPatch.dll (WangYue@BLCU.EDU.CN)
========== Win32 Services (SafeList) ==========
SRV - (UPS) -- File not found
SRV - (ose) -- File not found
SRV - (odserv) -- File not found
SRV - (ClipSrv) -- File not found
SRV - (CiSvc) -- File not found
SRV - (HauppaugeTVServer) -- C:\Program Files\WinTV\TVServer\HauppaugeTVServer.exe (Hauppauge Computer Works)
SRV - (ACDaemon) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (ArcSoft Inc.)
SRV - (ACS) -- C:\WINDOWS\system32\acs.exe (Atheros)
========== Driver Services (SafeList) ==========
DRV - (utm5nje2) -- C:\WINDOWS\system32\drivers\utm5nje2.sys ()
DRV - (hcw72DTV) -- C:\WINDOWS\system32\drivers\hcw72DTV.sys (Hauppauge Computer Works, Inc.)
DRV - (hcw72ATV) -- C:\WINDOWS\system32\drivers\hcw72ATV.sys (Hauppauge Computer Works, Inc.)
DRV - (hcw72ADFilter) -- C:\WINDOWS\system32\drivers\hcw72ADFilter.sys (Hauppauge Computer Works, Inc.)
DRV - (usbaudio) USB Audio Driver (WDM) -- C:\WINDOWS\system32\drivers\USBAUDIO.sys (Microsoft Corporation)
DRV - (MPE) -- C:\WINDOWS\system32\drivers\MPE.sys (Microsoft Corporation)
DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\hdaudbus.sys (Windows ® Server 2003 DDK provider)
DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)
DRV - (AtcL002) -- C:\WINDOWS\system32\drivers\l251x86.sys (Atheros Communications, Inc.)
DRV - (AR5211) -- C:\WINDOWS\system32\drivers\ar5211.sys (Atheros Communications, Inc.)
DRV - (WSIMD) -- C:\WINDOWS\system32\drivers\wsimd.sys (Atheros Communications, Inc.)
DRV - (Afc) -- C:\WINDOWS\system32\drivers\afc.sys (Arcsoft, Inc.)
DRV - (ialm) -- C:\WINDOWS\system32\drivers\igxpmp32.sys (Intel Corporation)
DRV - (APL531) -- C:\WINDOWS\system32\drivers\ov550i.sys (Omnivision Technologies, Inc.)
========== Standard Registry (SafeList) ==========
========== Internet Explorer ==========
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchURL\g, = http://www.google.com/search?q=%s
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchURL\g, = http://www.google.com/search?q=%s
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchURL\g, = http://www.google.com/search?q=%s
IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchURL\g, = http://www.google.com/search?q=%s
IE - HKU\S-1-5-21-1844237615-838170752-515967899-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-1844237615-838170752-515967899-500\Software\Microsoft\Internet Explorer\SearchURL\g, = http://www.google.com/search?q=%s
IE - HKU\S-1-5-21-1844237615-838170752-515967899-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
O1 HOSTS File: ([2001/08/23 07:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\program files\adobe\Acrobat\ActiveX\AcroIEHelper.ocx File not found
O4 - HKLM..\Run: [ACU] C:\Program Files\Atheros\ACU.exe (Atheros Communications, Inc.)
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\ALCMTR.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe (ArcSoft Inc.)
O4 - HKLM..\Run: [igfxTray] C:\WINDOWS\system32\AsTray.exe (WangYue@BLCU.EDU.CN)
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [skyTel] C:\WINDOWS\SkyTel.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [unlockerAssistant] E:\Program Files\File Unlocker\Unlocker\UnlockerAssistant.exe ()
O4 - HKU\S-1-5-21-1844237615-838170752-515967899-500..\Run: [Gadwin PrintScreen] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe (Gadwin Systems, Inc)
O4 - HKU\S-1-5-21-1844237615-838170752-515967899-500..\Run: [sUPERAntiSpyware] E:\Program Files\SUPERAntiSpyware.exe File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk = D:\Program Files\Adobe\Distillr\AcroTray.exe File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinTV Recording Status..lnk = C:\Program Files\WinTV\WinTV7\WinTVTray.exe (Hauppauge Computer Works, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk = E:\Program Files\WinZip\WZQKPICK.EXE (WinZip Computing, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDesktopCleanupWizard = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HideRunAsVerb = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableCAD = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: StartMenuLogoff = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceStartMenuLogoff = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: StartMenuLogoff = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceStartMenuLogoff = 0
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 1
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 1
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: StartMenuLogoff = 1
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceStartMenuLogoff = 0
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 1
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 1
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: StartMenuLogoff = 1
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceStartMenuLogoff = 0
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1
O7 - HKU\S-1-5-21-1844237615-838170752-515967899-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1844237615-838170752-515967899-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1
O7 - HKU\S-1-5-21-1844237615-838170752-515967899-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 1
O7 - HKU\S-1-5-21-1844237615-838170752-515967899-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O7 - HKU\S-1-5-21-1844237615-838170752-515967899-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1
O7 - HKU\S-1-5-21-1844237615-838170752-515967899-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: StartMenuLogoff = 1
O7 - HKU\S-1-5-21-1844237615-838170752-515967899-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceStartMenuLogoff = 0
O7 - HKU\S-1-5-21-1844237615-838170752-515967899-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1
O7 - HKU\S-1-5-21-1844237615-838170752-515967899-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 0
O7 - HKU\S-1-5-21-1844237615-838170752-515967899-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O12 - Plugin for: .spop - C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll File not found
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.162.117,93.188.161.67
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - Reg Error: Key error. File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - E:\Program Files\SASWINLO.dll - E:\Program Files\SASWINLO.dll File not found
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - E:\Program Files\SASSEH.DLL File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/08/27 15:27:39 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2009/08/27 17:52:02 | 000,000,103 | ---- | M] () - D:\Autorun.inf -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
========== Files/Folders - Created Within 30 Days ==========
[2010/03/20 03:44:28 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator\Recent
[2010/03/20 03:16:15 | 000,555,520 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\random.exe
[2010/03/19 11:38:27 | 000,000,000 | --SD | C] -- C:\bocomfx
[2010/03/18 13:15:49 | 000,056,816 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys
[2010/03/14 20:16:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\gmer
[2010/03/14 15:12:25 | 000,040,448 | ---- | C] (Intel Corporation) -- C:\WINDOWS\System32\igfxres.dll
[2010/03/14 15:08:32 | 000,047,104 | ---- | C] (WangYue@BLCU.EDU.CN) -- C:\WINDOWS\System32\AsTray.exe
[2010/03/14 15:08:29 | 000,011,264 | ---- | C] (WangYue@BLCU.EDU.CN) -- C:\WINDOWS\System32\DrvPatch.dll
[2010/03/14 15:04:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\7-Zip
[2010/03/14 15:03:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\New Folder
[2010/03/14 14:58:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\EEEPC graphics drivers
[2010/03/14 14:34:22 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/03/14 13:25:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Opera
[2010/03/14 13:25:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Opera
[2010/03/14 12:59:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\Anti-Malware stuff
[2010/03/14 11:49:18 | 000,000,000 | ---D | C] -- C:\MGtools
[2010/03/14 11:46:30 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/03/14 11:46:30 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/03/14 11:46:30 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/03/14 11:46:30 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/03/14 11:46:19 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/03/14 11:45:30 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/03/14 10:51:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2010/03/14 10:48:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
[2010/03/14 10:43:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/03/14 10:43:17 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010/03/14 10:42:46 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/03/14 10:42:46 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/03/14 10:42:46 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/03/14 10:42:46 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/03/14 10:42:11 | 000,000,000 | ---D | C] -- C:\Program Files\Java
[2010/03/13 06:23:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2010/03/12 20:43:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\AVG8
[2010/03/12 12:11:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\possible virus or malware
[2010/03/12 12:04:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\igfx Intel graphics driver files
[2010/03/12 11:29:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
[2010/03/12 11:29:49 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/03/12 11:29:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/03/12 11:29:24 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/03/10 21:23:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\ProjectX_Portable
[2010/03/10 21:19:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\tsMuxeR_1.10.6
[2010/03/08 05:27:49 | 000,000,000 | ---D | C] -- C:\Program Files\MSBuild
[2010/03/08 05:27:36 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\XPSViewer
[2010/03/08 05:27:21 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\en-us
[2010/03/08 05:27:20 | 000,000,000 | ---D | C] -- C:\Program Files\Reference Assemblies
[2010/03/08 05:26:38 | 000,022,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\spupdsvc.exe
[2010/03/08 05:26:38 | 000,014,048 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\spmsg2.dll
[2010/03/07 17:46:52 | 000,485,888 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\evr.dll
[2010/03/07 17:46:52 | 000,000,000 | ---D | C] -- C:\My Videos
[2010/03/07 17:46:31 | 000,036,921 | ---- | C] (Hauppauge Computer Works) -- C:\WINDOWS\System32\hcwutl32.dll
[2010/03/07 17:36:09 | 000,000,000 | R-SD | C] -- C:\WINDOWS\assembly
[2010/03/07 17:35:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\v7 wintv
[2010/03/07 17:34:57 | 000,000,000 | ---D | C] -- C:\WINDOWS\PCHEALTH
[2010/03/07 17:34:57 | 000,000,000 | ---D | C] -- C:\WINDOWS\Microsoft.NET
[2010/03/07 17:12:30 | 000,307,256 | ---- | C] (Hauppauge Computer Works) -- C:\WINDOWS\System32\hcwpnp32.dll
[2010/03/07 17:12:30 | 000,106,552 | ---- | C] (Hauppauge Computer Works, Inc.) -- C:\WINDOWS\System32\hcwi2c32.dll
[2010/03/07 17:11:01 | 001,220,224 | ---- | C] (Hauppauge Computer Works, Inc.) -- C:\WINDOWS\System32\drivers\hcw72DTV.sys
[2010/03/07 17:10:55 | 000,028,928 | ---- | C] (Hauppauge Computer Works, Inc.) -- C:\WINDOWS\System32\drivers\hcw72ADFilter.sys
[2010/03/07 17:10:36 | 000,095,744 | ---- | C] (Hauppauge Computer Works, Inc.) -- C:\WINDOWS\System32\hcwcpxx.ax
[2010/03/07 17:10:36 | 000,044,032 | ---- | C] (Hauppauge Computer Works, Inc.) -- C:\WINDOWS\System32\hcw72Co.dll
[2010/03/07 17:10:34 | 001,217,920 | ---- | C] (Hauppauge Computer Works, Inc.) -- C:\WINDOWS\System32\drivers\hcw72ATV.sys
[2010/03/07 13:58:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\LitBirthdays March 2010
[2009/08/27 15:29:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2009/08/27 15:27:32 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009/08/27 15:27:32 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
========== Files - Modified Within 30 Days ==========
[2010/03/20 03:24:56 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/03/20 03:24:24 | 002,883,584 | -H-- | M] () -- C:\Documents and Settings\Administrator\NTUSER.DAT
[2010/03/20 03:24:24 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Administrator\ntuser.ini
[2010/03/20 03:24:17 | 005,879,024 | -H-- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db
[2010/03/20 03:14:51 | 000,056,816 | ---- | M] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys
[2010/03/19 18:23:44 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\random.exe
[2010/03/18 13:44:46 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/03/18 13:43:09 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Administrator\defogger_reenable
[2010/03/18 12:44:22 | 000,525,824 | ---- | M] () -- C:\dds.com
[2010/03/16 21:38:38 | 000,000,558 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/03/16 21:38:38 | 000,000,270 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/03/16 21:38:38 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2010/03/16 21:26:22 | 000,007,168 | ---- | M] () -- C:\WINDOWS\System32\drivers\utm5nje2.sys
[2010/03/16 07:14:07 | 000,004,972 | ---- | M] () -- C:\WINDOWS\System32\AsTray.ini
[2010/03/14 15:53:30 | 000,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2010/03/14 15:05:42 | 000,939,956 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\7z465.exe
[2010/03/14 14:34:22 | 000,001,734 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\HijackThis.lnk
[2010/03/14 13:25:27 | 000,000,430 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Opera.lnk
[2010/03/14 10:45:01 | 000,000,558 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\CCleaner.lnk
[2010/03/14 10:42:17 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deploytk.dll
[2010/03/14 10:42:17 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/03/14 10:42:17 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/03/14 10:42:17 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/03/14 10:42:17 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/03/13 13:19:48 | 003,888,953 | R--- | M] () -- C:\Documents and Settings\Administrator\Desktop\bocomfx.exe
[2010/03/08 13:42:20 | 000,041,568 | ---- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/03/08 13:41:59 | 000,181,832 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/03/08 13:36:31 | 000,399,130 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/03/08 13:36:30 | 000,444,028 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/03/08 13:36:30 | 000,058,458 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/03/07 18:10:52 | 000,004,161 | ---- | M] () -- C:\WINDOWS\ODBCINST.INI
[2010/03/07 18:10:52 | 000,000,483 | ---- | M] () -- C:\WINDOWS\ODBC.INI
[2010/03/07 18:09:09 | 000,003,536 | ---- | M] () -- C:\WINDOWS\HCWPNP.INI
[2010/03/07 17:52:17 | 000,000,769 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinTV Recording Status..lnk
[2010/03/07 17:52:17 | 000,000,740 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\WinTV 7.lnk
[2010/03/07 16:32:46 | 000,000,425 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Install WinTV 7 CD 1.3a.lnk
[7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
========== Files Created - No Company Name ==========
[2010/03/18 13:43:09 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator\defogger_reenable
[2010/03/18 13:25:37 | 000,525,824 | ---- | C] () -- C:\dds.com
[2010/03/16 21:26:22 | 000,007,168 | ---- | C] () -- C:\WINDOWS\System32\drivers\utm5nje2.sys
[2010/03/14 19:04:37 | 003,888,953 | R--- | C] () -- C:\Documents and Settings\Administrator\Desktop\bocomfx.exe
[2010/03/14 15:08:32 | 000,004,972 | ---- | C] () -- C:\WINDOWS\System32\AsTray.ini
[2010/03/14 15:08:28 | 000,125,952 | ---- | C] () -- C:\WINDOWS\System32\igxpun.exe
[2010/03/14 15:05:41 | 000,939,956 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\7z465.exe
[2010/03/14 14:34:22 | 000,001,734 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\HijackThis.lnk
[2010/03/14 13:25:27 | 000,000,430 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Opera.lnk
[2010/03/14 11:46:30 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/03/14 11:46:30 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/03/14 11:46:30 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/03/14 11:46:30 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/03/14 11:46:30 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/03/08 05:29:15 | 000,114,400 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/03/07 17:52:17 | 000,000,769 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinTV Recording Status..lnk
[2010/03/07 17:52:17 | 000,000,740 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\WinTV 7.lnk
[2010/03/07 17:48:54 | 000,142,337 | ---- | C] () -- C:\WINDOWS\System32\Wait.exe
[2010/03/07 17:12:02 | 000,003,536 | ---- | C] () -- C:\WINDOWS\HCWPNP.INI
[2010/03/07 16:32:46 | 000,000,425 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\Install WinTV 7 CD 1.3a.lnk
[2009/12/13 20:48:42 | 000,008,192 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/10/14 15:56:22 | 000,399,360 | ---- | C] () -- C:\WINDOWS\System32\Smab.dll
[2009/10/14 15:17:51 | 000,027,648 | ---- | C] () -- C:\WINDOWS\System32\AVSredirect.dll
[2009/10/11 19:35:14 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\dmcrypto.dll
[2009/10/11 19:22:03 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\PsisDecd.dll
[2009/09/07 10:53:12 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2009/09/06 14:59:41 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\adistres.dll
[2009/09/02 09:43:25 | 000,000,483 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/08/29 16:58:57 | 000,016,773 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2009/08/28 10:00:57 | 000,010,288 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2009/08/27 16:18:30 | 000,077,312 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4704.dll
< End of report >
======================
EXTRAS
OTL Extras logfile created on: 3/20/2010 3:36:02 AM - Run 1
OTL by OldTimer - Version 3.1.37.3 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
503.00 Mb Total Physical Memory | 351.00 Mb Available Physical Memory | 70.00% Memory free
974.00 Mb Paging File | 865.00 Mb Available in Paging File | 89.00% Paging File free
Paging file location(s): C:\pagefile.sys 500 1512 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 3.72 Gb Total Space | 1.23 Gb Free Space | 33.07% Space Free | Partition Type: NTFS
Drive D: | 1.88 Gb Total Space | 1.47 Gb Free Space | 78.27% Space Free | Partition Type: FAT32
Drive E: | 1.85 Gb Total Space | 0.98 Gb Free Space | 53.24% Space Free | Partition Type: FAT
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Computer Name: ASUS
Current User Name: Administrator
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal
========== Extra Registry (SafeList) ==========
========== File Associations ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = Opera.HTML] -- E:\Program Files\OPERA BROWSER\opera.exe (Opera Software)
========== Shell Spawning ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "E:\Office12\msohtmed.exe" %1 File not found
htmlfile [open] -- Reg Error: Key error.
htmlfile [opennew] -- Reg Error: Key error.
htmlfile [print] -- "E:\Office12\msohtmed.exe" /p %1 File not found
http [open] -- "E:\Program Files\OPERA BROWSER\opera.exe" (Opera Software)
https [open] -- "E:\Program Files\OPERA BROWSER\opera.exe" (Opera Software)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "D:\Program Files\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" File not found
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "D:\Program Files\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" File not found
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- Reg Error: Key error.
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" File not found
========== Security Center Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
========== Authorized Applications List ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- File not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- File not found
"C:\WINDOWS\system32\dpvsetup.exe" = C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test -- (Microsoft Corporation)
"C:\Program Files\WinTV\WinTV7\WinTV7.exe" = C:\Program Files\WinTV\WinTV7\WinTV7.exe:*:Enabled:WinTV7 -- (Hauppauge Computer Works, Inc.)
"E:\Program Files\OPERA BROWSER\opera.exe" = E:\Program Files\OPERA BROWSER\opera.exe:*:Enabled:Opera Internet Browser -- (Opera Software)
========== HKEY_LOCAL_MACHINE Uninstall List ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{063E409E-3D7C-4A4A-95AB-2F124B9224B3}" = ArcSoft PhotoImpression 6
"{0A755762-EED8-47AB-A446-505766F93D43}" = Atheros Communications Inc.® L2 Fast Ethernet Driver
"{26A24AE4-039D-4CA4-87B4-2F83216018FF}" = Java 6 Update 18
"{28006915-2739-4EBE-B5E8-49B25D32EB33}" = Atheros Client Installation Program
"{2BA00471-0328-3743-93BD-FA813353A783}" = Microsoft .NET Framework 3.0 Service Pack 1
"{2FC099BD-AC9B-33EB-809C-D332E1B27C40}" = Microsoft .NET Framework 3.5
"{332BCC03-A1B7-4BE7-8C8A-2B1333E22C33}" = Opera 10.50
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{5A347920-4AFC-11D5-9FB0-800649886934}" = SDFormatter
"{6B566EFE-DC1D-471F-93DD-84832663F140}" = OVT Scanner X86
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{91120000-0013-0000-0000-0000000FF1CE}" = Microsoft Office Basic 2007
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{B508B3F1-A24A-32C0-B310-85786919EF28}" = Microsoft .NET Framework 2.0 Service Pack 1
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"7-Zip" = 7-Zip 4.65
"Adobe Acrobat 5.0" = Adobe Acrobat 5.0
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Photoshop 7.0" = Adobe Photoshop 7.0
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"Audacity_is1" = Audacity 1.2.6
"CCleaner" = CCleaner
"Cool Edit Pro 2.1" = Cool Edit Pro 2.1
"Gadwin PrintScreen" = Gadwin PrintScreen
"Hauppauge WinTV 7" = Hauppauge WinTV 7
"HDMI" = Intel® Graphics Media Accelerator Driver
"HijackThis" = HijackThis 2.0.2
"Karen's Computer Profiler" = Karen's Computer Profiler
"Karen's Time Sync" = Karen's Time Sync
"Karen's WhoIs" = Karen's WhoIs
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5" = Microsoft .NET Framework 3.5
"Nero - Burning Rom!UninstallKey" = Nero OEM
"OVT Scanner" = Uninstall OVT Scanner
"QuicktimeAlt_is1" = QuickTime Alternative 3.0.0
"RealAlt_is1" = Real Alternative 2.0.1
"ST6UNST #1" = Karen's Disk Slack Checker
"SUPER
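One detail in the OTL log above deserves a check before anything else is trusted: the O17 lines show a static NameServer (93.188.162.117,93.188.161.67) that differs from the DHCP-supplied resolvers (68.105.28.11 68.105.29.11 68.105.28.12). A hard-coded override like this is exactly what would explain a browser that can reach most of the web but not specific security-vendor sites, since the box is asking resolvers the ISP did not hand out. The script below is an added example, not part of the post and not OTL's own code. It parses O17 lines (the two from the log are embedded as the sample input) and flags any static NameServer entry that is not a subset of the DHCP list. A mismatch is not proof of compromise on its own, because a user can legitimately set third-party resolvers; it is the item to verify first.

```python
"""Flag a static DNS override in OTL 'O17' lines.

Added example; not from the forum post or from OTL. Parses the two O17
lines of the log above (embedded here as constructed sample input) and
reports whether a hard-coded NameServer replaces the DHCP-supplied
resolvers. A mismatch is a lead to verify, not a verdict.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: the two O17 lines exactly as they appear in the OTL log.
SAMPLE_LOG = """\
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\Parameters: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\Parameters: NameServer = 93.188.162.117,93.188.161.67
"""

# OTL prints: "O17 - <registry key>: <valuename> = <value>"
O17_RE = re.compile(
    r"^O17 - (?P<key>HKLM\\[^:]+): (?P<name>DhcpNameServer|NameServer) = (?P<value>.*)$"
)
# Resolver lists are space- or comma-separated; pull IPv4 literals either way.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass
class DnsFinding:
    key: str            # registry key the values came from
    dhcp: List[str]     # resolvers handed out by DHCP
    static: List[str]   # resolvers hard-coded in NameServer (empty if none)
    overridden: bool    # True when static contains a resolver DHCP did not supply


def parse_o17(log_text: str) -> Dict[str, Dict[str, List[str]]]:
    """Group DhcpNameServer / NameServer values by registry key."""
    per_key: Dict[str, Dict[str, List[str]]] = {}
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        per_key.setdefault(m["key"], {})[m["name"]] = IPV4_RE.findall(m["value"])
    return per_key


def find_dns_overrides(log_text: str) -> List[DnsFinding]:
    """One finding per key; `overridden` is set when a static NameServer
    lists any resolver that is not in the DHCP-supplied set."""
    findings = []
    for key, vals in parse_o17(log_text).items():
        dhcp = vals.get("DhcpNameServer", [])
        static = vals.get("NameServer", [])
        overridden = bool(static) and not set(static) <= set(dhcp)
        findings.append(DnsFinding(key, dhcp, static, overridden))
    return findings


if __name__ == "__main__":
    for f in find_dns_overrides(SAMPLE_LOG):
        status = "OVERRIDE - verify these resolvers" if f.overridden else "ok"
        print(f"{f.key}\n  DHCP:   {f.dhcp}\n  static: {f.static}\n  {status}")
```

Run it against a saved OTL.txt by passing the file contents to `find_dns_overrides`. If the static entry is not one you set yourself, the XP-era fix is to put the adapter back on DHCP-assigned DNS (`netsh interface ip set dns "Local Area Connection" dhcp`, adapter name as shown in `ipconfig /all`) and re-check that `ipconfig /all` no longer lists the unexpected resolvers; whatever wrote the value still has to be found, or it will come back.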
-
Thanks, DL
Here is the TDSSKiller text. Even though it says it found and removed something, my browser still cannot go to malwarebytes.org or safer-networking.org, the home of Spybot.
------------------------
10:22:14:984 2264 TDSS rootkit removing tool 2.2.8 Mar 10 2010 15:53:20
10:22:14:984 2264 ================================================================================
10:22:14:984 2264 SystemInfo:
10:22:14:984 2264 OS Version: 5.1.2600 ServicePack: 3.0
10:22:14:984 2264 Product type: Workstation
10:22:14:984 2264 ComputerName: ASUS
10:22:14:984 2264 UserName: Administrator
10:22:14:984 2264 Windows directory: C:\WINDOWS
10:22:14:984 2264 Processor architecture: Intel x86
10:22:14:984 2264 Number of processors: 1
10:22:14:984 2264 Page size: 0x1000
10:22:15:000 2264 Boot type: Normal boot
10:22:15:000 2264 ================================================================================
10:22:15:000 2264 UnloadDriverW: NtUnloadDriver error 2
10:22:15:000 2264 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
10:22:15:093 2264 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
10:22:15:093 2264 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
10:22:15:093 2264 wfopen_ex: Trying to KLMD file open
10:22:15:093 2264 wfopen_ex: File opened ok (Flags 2)
10:22:15:093 2264 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
10:22:15:093 2264 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
10:22:15:093 2264 wfopen_ex: Trying to KLMD file open
10:22:15:093 2264 wfopen_ex: File opened ok (Flags 2)
10:22:15:093 2264 Initialize success
10:22:15:093 2264
10:22:15:093 2264 Scanning Services ...
10:22:16:500 2264 GetAdvancedServicesInfo: Raw services enum returned 243 services
10:22:16:515 2264
10:22:16:515 2264 Scanning Kernel memory ...
10:22:16:515 2264 Devices to scan: 6
10:22:16:515 2264
10:22:16:515 2264 Driver Name: Disk
10:22:16:515 2264 IRP_MJ_CREATE : F8578BB0
10:22:16:515 2264 IRP_MJ_CREATE_NAMED_PIPE : 804FA87E
10:22:16:515 2264 IRP_MJ_CLOSE : F8578BB0
10:22:16:515 2264 IRP_MJ_READ : F8572D1F
10:22:16:515 2264 IRP_MJ_WRITE : F8572D1F
10:22:16:515 2264 IRP_MJ_QUERY_INFORMATION : 804FA87E
10:22:16:515 2264 IRP_MJ_SET_INFORMATION : 804FA87E
10:22:16:515 2264 IRP_MJ_QUERY_EA : 804FA87E
10:22:16:515 2264 IRP_MJ_SET_EA : 804FA87E
10:22:16:515 2264 IRP_MJ_FLUSH_BUFFERS : F85732E2
10:22:16:515 2264 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA87E
10:22:16:515 2264 IRP_MJ_SET_VOLUME_INFORMATION : 804FA87E
10:22:16:515 2264 IRP_MJ_DIRECTORY_CONTROL : 804FA87E
10:22:16:515 2264 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA87E
10:22:16:515 2264 IRP_MJ_DEVICE_CONTROL : F85733BB
10:22:16:515 2264 IRP_MJ_INTERNAL_DEVICE_CONTROL : F8576F28
10:22:16:515 2264 IRP_MJ_SHUTDOWN : F85732E2
10:22:16:515 2264 IRP_MJ_LOCK_CONTROL : 804FA87E
10:22:16:515 2264 IRP_MJ_CLEANUP : 804FA87E
10:22:16:515 2264 IRP_MJ_CREATE_MAILSLOT : 804FA87E
10:22:16:515 2264 IRP_MJ_QUERY_SECURITY : 804FA87E
10:22:16:515 2264 IRP_MJ_SET_SECURITY : 804FA87E
10:22:16:515 2264 IRP_MJ_POWER : F8574C82
10:22:16:515 2264 IRP_MJ_SYSTEM_CONTROL : F857999E
10:22:16:515 2264 IRP_MJ_DEVICE_CHANGE : 804FA87E
10:22:16:515 2264 IRP_MJ_QUERY_QUOTA : 804FA87E
10:22:16:515 2264 IRP_MJ_SET_QUOTA : 804FA87E
10:22:16:515 2264 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
10:22:16:515 2264
10:22:16:515 2264 Driver Name: usbstor
10:22:16:515 2264 IRP_MJ_CREATE : F8907218
10:22:16:515 2264 IRP_MJ_CREATE_NAMED_PIPE : 804FA87E
10:22:16:515 2264 IRP_MJ_CLOSE : F8907218
10:22:16:515 2264 IRP_MJ_READ : F890723C
10:22:16:515 2264 IRP_MJ_WRITE : F890723C
10:22:16:515 2264 IRP_MJ_QUERY_INFORMATION : 804FA87E
10:22:16:515 2264 IRP_MJ_SET_INFORMATION : 804FA87E
10:22:16:515 2264 IRP_MJ_QUERY_EA : 804FA87E
10:22:16:515 2264 IRP_MJ_SET_EA : 804FA87E
10:22:16:515 2264 IRP_MJ_FLUSH_BUFFERS : 804FA87E
10:22:16:515 2264 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA87E
10:22:16:515 2264 IRP_MJ_SET_VOLUME_INFORMATION : 804FA87E
10:22:16:515 2264 IRP_MJ_DIRECTORY_CONTROL : 804FA87E
10:22:16:515 2264 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA87E
10:22:16:515 2264 IRP_MJ_DEVICE_CONTROL : F8907180
10:22:16:515 2264 IRP_MJ_INTERNAL_DEVICE_CONTROL : F89029E6
10:22:16:515 2264 IRP_MJ_SHUTDOWN : 804FA87E
10:22:16:515 2264 IRP_MJ_LOCK_CONTROL : 804FA87E
10:22:16:515 2264 IRP_MJ_CLEANUP : 804FA87E
10:22:16:515 2264 IRP_MJ_CREATE_MAILSLOT : 804FA87E
10:22:16:515 2264 IRP_MJ_QUERY_SECURITY : 804FA87E
10:22:16:515 2264 IRP_MJ_SET_SECURITY : 804FA87E
10:22:16:515 2264 IRP_MJ_POWER : F89065F0
10:22:16:515 2264 IRP_MJ_SYSTEM_CONTROL : F8904A6E
10:22:16:515 2264 IRP_MJ_DEVICE_CHANGE : 804FA87E
10:22:16:515 2264 IRP_MJ_QUERY_QUOTA : 804FA87E
10:22:16:515 2264 IRP_MJ_SET_QUOTA : 804FA87E
10:22:16:531 2264 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
10:22:16:531 2264
10:22:16:531 2264 Driver Name: Disk
10:22:16:531 2264 IRP_MJ_CREATE : F8578BB0
10:22:16:531 2264 IRP_MJ_CREATE_NAMED_PIPE : 804FA87E
10:22:16:531 2264 IRP_MJ_CLOSE : F8578BB0
10:22:16:531 2264 IRP_MJ_READ : F8572D1F
10:22:16:531 2264 IRP_MJ_WRITE : F8572D1F
10:22:16:531 2264 IRP_MJ_QUERY_INFORMATION : 804FA87E
10:22:16:531 2264 IRP_MJ_SET_INFORMATION : 804FA87E
10:22:16:531 2264 IRP_MJ_QUERY_EA : 804FA87E
10:22:16:531 2264 IRP_MJ_SET_EA : 804FA87E
10:22:16:531 2264 IRP_MJ_FLUSH_BUFFERS : F85732E2
10:22:16:531 2264 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA87E
10:22:16:531 2264 IRP_MJ_SET_VOLUME_INFORMATION : 804FA87E
10:22:16:531 2264 IRP_MJ_DIRECTORY_CONTROL : 804FA87E
10:22:16:531 2264 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA87E
10:22:16:531 2264 IRP_MJ_DEVICE_CONTROL : F85733BB
10:22:16:531 2264 IRP_MJ_INTERNAL_DEVICE_CONTROL : F8576F28
10:22:16:531 2264 IRP_MJ_SHUTDOWN : F85732E2
10:22:16:531 2264 IRP_MJ_LOCK_CONTROL : 804FA87E
10:22:16:531 2264 IRP_MJ_CLEANUP : 804FA87E
10:22:16:531 2264 IRP_MJ_CREATE_MAILSLOT : 804FA87E
10:22:16:531 2264 IRP_MJ_QUERY_SECURITY : 804FA87E
10:22:16:531 2264 IRP_MJ_SET_SECURITY : 804FA87E
10:22:16:531 2264 IRP_MJ_POWER : F8574C82
10:22:16:531 2264 IRP_MJ_SYSTEM_CONTROL : F857999E
10:22:16:531 2264 IRP_MJ_DEVICE_CHANGE : 804FA87E
10:22:16:531 2264 IRP_MJ_QUERY_QUOTA : 804FA87E
10:22:16:531 2264 IRP_MJ_SET_QUOTA : 804FA87E
10:22:16:531 2264 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
10:22:16:531 2264
10:22:16:531 2264 Driver Name: usbstor
10:22:16:531 2264 IRP_MJ_CREATE : F8907218
10:22:16:531 2264 IRP_MJ_CREATE_NAMED_PIPE : 804FA87E
10:22:16:531 2264 IRP_MJ_CLOSE : F8907218
10:22:16:531 2264 IRP_MJ_READ : F890723C
10:22:16:531 2264 IRP_MJ_WRITE : F890723C
10:22:16:531 2264 IRP_MJ_QUERY_INFORMATION : 804FA87E
10:22:16:531 2264 IRP_MJ_SET_INFORMATION : 804FA87E
10:22:16:531 2264 IRP_MJ_QUERY_EA : 804FA87E
10:22:16:531 2264 IRP_MJ_SET_EA : 804FA87E
10:22:16:531 2264 IRP_MJ_FLUSH_BUFFERS : 804FA87E
10:22:16:531 2264 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA87E
10:22:16:531 2264 IRP_MJ_SET_VOLUME_INFORMATION : 804FA87E
10:22:16:531 2264 IRP_MJ_DIRECTORY_CONTROL : 804FA87E
10:22:16:531 2264 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA87E
10:22:16:531 2264 IRP_MJ_DEVICE_CONTROL : F8907180
10:22:16:531 2264 IRP_MJ_INTERNAL_DEVICE_CONTROL : F89029E6
10:22:16:531 2264 IRP_MJ_SHUTDOWN : 804FA87E
10:22:16:531 2264 IRP_MJ_LOCK_CONTROL : 804FA87E
10:22:16:531 2264 IRP_MJ_CLEANUP : 804FA87E
10:22:16:531 2264 IRP_MJ_CREATE_MAILSLOT : 804FA87E
10:22:16:531 2264 IRP_MJ_QUERY_SECURITY : 804FA87E
10:22:16:531 2264 IRP_MJ_SET_SECURITY : 804FA87E
10:22:16:531 2264 IRP_MJ_POWER : F89065F0
10:22:16:531 2264 IRP_MJ_SYSTEM_CONTROL : F8904A6E
10:22:16:531 2264 IRP_MJ_DEVICE_CHANGE : 804FA87E
10:22:16:546 2264 IRP_MJ_QUERY_QUOTA : 804FA87E
10:22:16:546 2264 IRP_MJ_SET_QUOTA : 804FA87E
10:22:16:546 2264 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
10:22:16:546 2264
10:22:16:546 2264 Driver Name: Disk
10:22:16:546 2264 IRP_MJ_CREATE : F8578BB0
10:22:16:546 2264 IRP_MJ_CREATE_NAMED_PIPE : 804FA87E
10:22:16:546 2264 IRP_MJ_CLOSE : F8578BB0
10:22:16:546 2264 IRP_MJ_READ : F8572D1F
10:22:16:546 2264 IRP_MJ_WRITE : F8572D1F
10:22:16:546 2264 IRP_MJ_QUERY_INFORMATION : 804FA87E
10:22:16:546 2264 IRP_MJ_SET_INFORMATION : 804FA87E
10:22:16:546 2264 IRP_MJ_QUERY_EA : 804FA87E
10:22:16:546 2264 IRP_MJ_SET_EA : 804FA87E
10:22:16:546 2264 IRP_MJ_FLUSH_BUFFERS : F85732E2
10:22:16:546 2264 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA87E
10:22:16:546 2264 IRP_MJ_SET_VOLUME_INFORMATION : 804FA87E
10:22:16:546 2264 IRP_MJ_DIRECTORY_CONTROL : 804FA87E
10:22:16:546 2264 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA87E
10:22:16:546 2264 IRP_MJ_DEVICE_CONTROL : F85733BB
10:22:16:546 2264 IRP_MJ_INTERNAL_DEVICE_CONTROL : F8576F28
10:22:16:546 2264 IRP_MJ_SHUTDOWN : F85732E2
10:22:16:546 2264 IRP_MJ_LOCK_CONTROL : 804FA87E
10:22:16:546 2264 IRP_MJ_CLEANUP : 804FA87E
10:22:16:546 2264 IRP_MJ_CREATE_MAILSLOT : 804FA87E
10:22:16:546 2264 IRP_MJ_QUERY_SECURITY : 804FA87E
10:22:16:546 2264 IRP_MJ_SET_SECURITY : 804FA87E
10:22:16:546 2264 IRP_MJ_POWER : F8574C82
10:22:16:546 2264 IRP_MJ_SYSTEM_CONTROL : F857999E
10:22:16:546 2264 IRP_MJ_DEVICE_CHANGE : 804FA87E
10:22:16:546 2264 IRP_MJ_QUERY_QUOTA : 804FA87E
10:22:16:546 2264 IRP_MJ_SET_QUOTA : 804FA87E
10:22:16:546 2264 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
10:22:16:546 2264
10:22:16:546 2264 Driver Name: atapi
10:22:16:546 2264 IRP_MJ_CREATE : F848EB3A
10:22:16:546 2264 IRP_MJ_CREATE_NAMED_PIPE : F848EB3A
10:22:16:546 2264 IRP_MJ_CLOSE : F848EB3A
10:22:16:546 2264 IRP_MJ_READ : F848EB3A
10:22:16:546 2264 IRP_MJ_WRITE : F848EB3A
10:22:16:546 2264 IRP_MJ_QUERY_INFORMATION : F848EB3A
10:22:16:546 2264 IRP_MJ_SET_INFORMATION : F848EB3A
10:22:16:546 2264 IRP_MJ_QUERY_EA : F848EB3A
10:22:16:546 2264 IRP_MJ_SET_EA : F848EB3A
10:22:16:546 2264 IRP_MJ_FLUSH_BUFFERS : F848EB3A
10:22:16:546 2264 IRP_MJ_QUERY_VOLUME_INFORMATION : F848EB3A
10:22:16:546 2264 IRP_MJ_SET_VOLUME_INFORMATION : F848EB3A
10:22:16:546 2264 IRP_MJ_DIRECTORY_CONTROL : F848EB3A
10:22:16:546 2264 IRP_MJ_FILE_SYSTEM_CONTROL : F848EB3A
10:22:16:546 2264 IRP_MJ_DEVICE_CONTROL : F848EB3A
10:22:16:546 2264 IRP_MJ_INTERNAL_DEVICE_CONTROL : F848EB3A
10:22:16:546 2264 IRP_MJ_SHUTDOWN : F848EB3A
10:22:16:546 2264 IRP_MJ_LOCK_CONTROL : F848EB3A
10:22:16:546 2264 IRP_MJ_CLEANUP : F848EB3A
10:22:16:546 2264 IRP_MJ_CREATE_MAILSLOT : F848EB3A
10:22:16:546 2264 IRP_MJ_QUERY_SECURITY : F848EB3A
10:22:16:546 2264 IRP_MJ_SET_SECURITY : F848EB3A
10:22:16:546 2264 IRP_MJ_POWER : F848EB3A
10:22:16:546 2264 IRP_MJ_SYSTEM_CONTROL : F848EB3A
10:22:16:546 2264 IRP_MJ_DEVICE_CHANGE : F848EB3A
10:22:16:546 2264 IRP_MJ_QUERY_QUOTA : F848EB3A
10:22:16:546 2264 IRP_MJ_SET_QUOTA : F848EB3A
10:22:16:546 2264 Driver "atapi" infected by TDSS rootkit!
10:22:16:562 2264 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: 1
10:22:16:562 2264 File "C:\WINDOWS\system32\DRIVERS\atapi.sys" infected by TDSS rootkit ...
10:22:16:562 2264 Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
10:22:16:562 2264 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
10:22:16:640 2264 vfvi6
10:22:16:984 2264 !dsvbh1
10:22:17:937 2264 dsvbh2
10:22:17:937 2264 fdfb2
10:22:17:937 2264 Backup copy found, using it..
10:22:18:203 2264 will be cured on next reboot
10:22:18:203 2264 Reboot required for cure complete..
10:22:18:234 2264 Cure on reboot scheduled successfully
10:22:18:234 2264
10:22:18:234 2264 Completed
10:22:18:234 2264
10:22:18:234 2264 Results:
10:22:18:234 2264 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
10:22:18:234 2264 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
10:22:18:234 2264 File objects infected / cured / cured on reboot: 1 / 0 / 1
10:22:18:234 2264
10:22:18:234 2264 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
10:22:18:234 2264 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
10:22:18:234 2264 UnloadDriverW: NtUnloadDriver error 1
10:22:18:234 2264 KLMD_Unload: UnloadDriverW(klmd21) error 1
10:22:18:250 2264 KLMD(ARK) unloaded successfully
-------------------------
[*]Download the file TDSSKiller.zip and save it on your desktop
[*]Extract the file tdsskiller.zip; it will create a folder named tdsskiller on your desktop
[*]Next double-click the tdsskiller Folder on your desktop.
[*]Next right-click on tdsskiller.exe, click Copy, then Paste it directly on to your Desktop.
[*]Highlight and copy the text in the codebox below.
"%userprofile%\desktop\tdsskiller.exe" -l "%userprofile%\desktop\tdsskiller.txt"
[*]Click Start, click Run... and paste the text above into the Open: line and click OK.
[*]Wait for the scan and disinfection process to be over.
[*]Open tdsskiller.txt on your desktop and post the contents in your next reply
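What the TDSSKiller dump above actually shows is that every IRP_MJ_* entry of the atapi driver object points at one address (F848EB3A, the same address the GMER log further down reports for the IdePort devices), while disk.sys and USBSTOR.SYS mix their own routines with the kernel's shared stub 804FA87E for majors they do not implement. The script below is an added example, not TDSSKiller's own code: it parses log lines in that format and flags any driver whose whole table collapses to a single non-default address. The sample input is a constructed excerpt modelled on the posted log (trimmed to a few majors per driver), and the "most widely shared address is the kernel's invalid-request stub" rule is an assumption of this example.

```python
"""Flag drivers whose IRP_MJ_* dispatch table has been wholesale replaced.

Added example modelled on the TDSSKiller log in the thread; not the tool's
own code. Heuristics below are assumptions, not TDSSKiller's logic.
"""
import re
from collections import Counter

# Constructed excerpt modelled on the posted log (the real dump lists all 28
# majors per driver; a few are enough to show the pattern).
SAMPLE_LOG = r"""10:22:16:531 2264 Driver Name: usbstor
10:22:16:531 2264 IRP_MJ_CREATE : F8907218
10:22:16:531 2264 IRP_MJ_CREATE_NAMED_PIPE : 804FA87E
10:22:16:531 2264 IRP_MJ_READ : F890723C
10:22:16:531 2264 IRP_MJ_DEVICE_CONTROL : F8907180
10:22:16:546 2264 IRP_MJ_SET_QUOTA : 804FA87E
10:22:16:546 2264 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
10:22:16:546 2264
10:22:16:546 2264 Driver Name: Disk
10:22:16:546 2264 IRP_MJ_CREATE : F8578BB0
10:22:16:546 2264 IRP_MJ_CREATE_NAMED_PIPE : 804FA87E
10:22:16:546 2264 IRP_MJ_READ : F8572D1F
10:22:16:546 2264 IRP_MJ_DEVICE_CONTROL : F85733BB
10:22:16:546 2264 IRP_MJ_SET_QUOTA : 804FA87E
10:22:16:546 2264 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
10:22:16:546 2264
10:22:16:546 2264 Driver Name: atapi
10:22:16:546 2264 IRP_MJ_CREATE : F848EB3A
10:22:16:546 2264 IRP_MJ_CREATE_NAMED_PIPE : F848EB3A
10:22:16:546 2264 IRP_MJ_READ : F848EB3A
10:22:16:546 2264 IRP_MJ_DEVICE_CONTROL : F848EB3A
10:22:16:546 2264 IRP_MJ_SET_QUOTA : F848EB3A
10:22:16:546 2264 Driver "atapi" infected by TDSS rootkit!
10:22:16:562 2264 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: 1
"""

LINE_RE = re.compile(r"^\d{2}:\d{2}:\d{2}:\d{3}\s+\d+\s*(.*)$")   # "hh:mm:ss:ms pid body"
DRIVER_RE = re.compile(r"^Driver Name:\s*(\S+)$")
IRP_RE = re.compile(r"^(IRP_MJ_[A-Z_]+)\s*:\s*([0-9A-Fa-f]{8})$")
FILE_RE = re.compile(r"^(\S+\.sys)\s+-\s+Verdict:\s*(\d+)$", re.IGNORECASE)


def parse_dispatch_tables(text):
    """Return {driver: {"handlers": {IRP_MJ_X: int}, "file": path, "verdict": int}}."""
    tables, current = {}, None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        body = m.group(1).strip()
        d = DRIVER_RE.match(body)
        if d:
            current = d.group(1)
            tables[current] = {"handlers": {}, "file": None, "verdict": None}
            continue
        if current is None:
            continue
        i = IRP_RE.match(body)
        if i:
            tables[current]["handlers"][i.group(1)] = int(i.group(2), 16)
            continue
        f = FILE_RE.match(body)
        if f:
            tables[current]["file"] = f.group(1)
            tables[current]["verdict"] = int(f.group(2))
    return tables


def kernel_default_handler(tables):
    """Assumption: the address shared by the most drivers is the kernel's stub
    for unimplemented majors (here 804FA87E, inside ntoskrnl's 0x804xxxxx
    range); well-formed driver objects point their unused slots there."""
    drivers_per_addr = Counter()
    for t in tables.values():
        for addr in set(t["handlers"].values()):
            drivers_per_addr[addr] += 1
    return drivers_per_addr.most_common(1)[0][0] if drivers_per_addr else None


def suspicious_drivers(tables, min_entries=4):
    """Drivers whose every listed major resolves to ONE address other than the
    kernel default. A driver that registers only the default stub is an empty
    shell, not a hijack, so it is deliberately not flagged."""
    default = kernel_default_handler(tables)
    flagged = {}
    for name, t in tables.items():
        addrs = set(t["handlers"].values())
        if len(t["handlers"]) >= min_entries and len(addrs) == 1:
            (only,) = addrs
            if only != default:
                flagged[name] = only
    return flagged


if __name__ == "__main__":
    tables = parse_dispatch_tables(SAMPLE_LOG)
    print(f"kernel default handler: {kernel_default_handler(tables):08X}")
    for name, addr in suspicious_drivers(tables).items():
        n = len(tables[name]["handlers"])
        print(f"{name}: all {n} majors -> {addr:08X} ({tables[name]['file']})")
```

Two caveats a practitioner should keep in mind when reading such a dump: "Verdict: 1" appears for disk.sys and USBSTOR.SYS as well as for atapi.sys in the posted log, so that field alone is not the infection signal; and a table-level check like this only sees the wholesale replacement, not the inline stub GMER disassembles at that address (`MOV EAX, [0xffdf0308]; JMP [EAX+0xac]`), which is why the on-disk file check and the cure-on-reboot step still matter.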
-
Reposting this after instructions from forum:
On March 12, 2010 I did something not too bright. I was looking to watch the 2010 Academy Awards again and I followed a link from a Cleveland newspaper site to watch-oscar-online.com, which directed me to tubezz.org (http://tubezz.org/oscars-2010/).
Dumb and dumber, I allowed the ActiveX download, which caused an infection that I still cannot completely get rid of. I used Malwarebytes (I had to go to another machine and transport it via thumb drive). It found a trojan which I deleted, but it did not resolve the browser hijack.
I am sending this from another computer. From the infected notebook, an Eee PC, I cannot access any anti-malware site, including Malwarebytes. I am directed to a 404-style error page.
Has anyone else run into this problem?
==================
March 18:
Followed the instructions but the only thing I could get was a gmer log. DDS.scr and DDS.com pop open a DOS window for a second but don't give a log. Avira, like malwarebytes and every other anti-v, anti-m software I've run does NOT give any indication of a problem/infection.
Posting the gmer log
======================
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-18 14:13:50
Windows 5.1.2600 Service Pack 3
Running: mrge.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pxtdrpoc.sys
---- System - GMER 1.0.15 ----
SSDT F8BF80F6 ZwCreateKey
SSDT F8BF80EC ZwCreateThread
SSDT F8BF80FB ZwDeleteKey
SSDT F8BF8105 ZwDeleteValueKey
SSDT F8BF810A ZwLoadKey
SSDT F8BF80D8 ZwOpenProcess
SSDT F8BF80DD ZwOpenThread
SSDT F8BF8114 ZwReplaceKey
SSDT F8BF810F ZwRestoreKey
SSDT F8BF8100 ZwSetValueKey
SSDT F8BF80E7 ZwTerminateProcess
---- Devices - GMER 1.0.15 ----
Device \Driver\atapi \Device\Ide\IdePort0 [F848EB3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdePort1 [F848EB3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-5 [F848EB3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- Registry - GMER 1.0.15 ----
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
---- Files - GMER 1.0.15 ----
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification
---- EOF - GMER 1.0.15 ----
===============
P.S. More info - Not to confuse things but ...
When I first was trying to deal with this, last week, I looked at the Task Manager processes running and removed or noted down some possibly suspicious things.
I removed c:\documents&etc\Admin\Local settings\temp\Fx1.exe
I removed c:\windows\fqomoa.exe
I segregated and subsequently replaced the Intel graphics drivers igfx-etc with a new set of Intel graphics drivers tweaked especially for the eee pc. These new drivers, attached to a process that allows you to swap screen resolution in the systray, could be the suspicious atapi.
Thanks for any help.
Can't access my podcast upload site www.lexy.com
in Malwarebytes for Windows Support Forum
I spent a good portion of last night and today finding out how to remove and then removing the AV malware -- the one that takes over your browser/OS and bombards you with warnings that your system is infected with viruses and only buying their software will make the messages go away.
Well, I was feeling quite relieved that Malwarebytes had found 5 trojans and taken care of them.
But wait. There's more.
After everything seemed back to normal (no more proxy IP, etc.), I cannot access www.lexy.com, the site where I post my podcast. At first I thought their server was down, but I went to the library and was able to log in and post my podcast there -- no problem.
This is so weird, because why would a virus or malware block lexy.com and not youtube or vimeo or something like that? I don't have any problem accessing other popular video / audio websites.
Can someone explain what is going on and if it's related to my malware removal of the past 24 hours?
Thanks.