davejjj
Everything posted by davejjj
-
Symptom: Difficulty downloading from Microsoft
davejjj replied to davejjj's topic in Resolved Malware Removal Logs
Thanks. I have run this before and I did get an extras.txt file but now I don't.

OTL logfile created on: 3/31/2011 10:08:41 PM - Run 5
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Dave\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 78.00% Memory free
3.00 Gb Paging File | 2.00 Gb Available in Paging File | 85.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.26 Gb Total Space | 4.32 Gb Free Space | 11.59% Space Free | Partition Type: NTFS
Drive E: | 3.73 Gb Total Space | 0.61 Gb Free Space | 16.47% Space Free | Partition Type: FAT32

Computer Name: YOUR-BFE930219B | User Name: Dave | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/03/31 16:09:57 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Dave\Desktop\69876976OTL.exe
PRC - [2010/11/30 13:20:36 | 000,997,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
PRC - [2010/11/11 12:26:40 | 000,011,736 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
PRC - [2010/03/16 01:58:36 | 000,718,208 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE
PRC - [2008/04/13 18:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe

========== Modules (SafeList) ==========

MOD - [2011/03/31 16:09:57 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Dave\Desktop\69876976OTL.exe
MOD - [2010/08/23 10:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll

========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - File not found [Auto | Stopped] -- -- (Ati HotKey Poller)
SRV - [2011/03/31 15:45:17 | 000,482,176 | ---- | M] (Sysinternals - www.sysinternals.com) [On_Demand | Stopped] -- C:\Documents and Settings\Dave\Local Settings\Temp\WZBYNTPRU.exe -- (WZBYNTPRU)
SRV - [2011/03/31 15:34:23 | 000,506,752 | ---- | M] (Sysinternals - www.sysinternals.com) [On_Demand | Stopped] -- C:\Documents and Settings\Dave\Local Settings\Temp\DBA.exe -- (DBA)
SRV - [2010/11/11 12:26:40 | 000,011,736 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)
SRV - [2010/03/25 09:25:22 | 030,969,208 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Microsoft Office\Office14\GROOVE.EXE -- (Microsoft SharePoint Workspace Audit Service)
SRV - [2008/07/29 12:10:46 | 003,201,024 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\Remote Debugger\x86\msvsmon.exe -- (msvsmon90)

========== Driver Services (SafeList) ==========

DRV - [2011/03/31 16:13:05 | 000,028,752 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{EF7A33E0-34DC-4D0D-89FE-D4273C5C6B79}\MpKslefc87fea.sys -- (MpKslefc87fea)
DRV - [2010/07/09 13:18:56 | 000,020,328 | ---- | M] (Windows ® Win 7 DDK provider) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\cpuz134_x32.sys -- (cpuz134)
DRV - [2008/07/10 01:49:14 | 000,242,712 | ---- | M] (Microsoft Corporation) [File_System | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\RsFx0102.sys -- (RsFx0102)
DRV - [2003/01/07 19:41:12 | 000,166,016 | R--- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2003/01/03 19:41:00 | 000,540,672 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2002/11/11 19:57:16 | 000,193,840 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\STAC97.sys -- (STAC97) Audio Driver (WDM)
DRV - [2002/11/08 15:13:50 | 000,020,579 | ---- | M] (O2Micro) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ozscr.sys -- (O2SCBUS)
DRV - [2001/08/22 10:42:58 | 000,013,632 | ---- | M] (Dell Computer Corporation) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS -- (OMCI)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "www.google.com"
FF - prefs.js..extensions.enabledItems: {3d7eb24f-2740-49df-8937-200b1cc08f8a}:1.5.14.2
FF - prefs.js..extensions.enabledItems: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.8.4
FF - prefs.js..extensions.enabledItems: {61ED2A9A-39EB-4AAF-BD14-06DFBE8880C3}:1.0.2
FF - prefs.js..extensions.enabledItems: {a7c6cf7f-112c-4500-a7ea-39801a327e5f}:1.0.10
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: {E6C1199F-E687-42da-8C24-E7770CC3AE66}:1.7.2
FF - prefs.js..extensions.enabledItems: {6e098d65-7d2d-46d4-ada0-2f882a29f795}:0.2.3
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..extensions.enabledItems: firebug@software.joehewitt.com:1.6.2
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {c45c406e-ab73-11d8-be73-000a95be3b12}:1.1.9
FF - prefs.js..extensions.enabledItems: {9c51bd27-6ed8-4000-a2bf-36cb95c0c947}:11.0.1

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.16\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/03/28 23:58:36 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.16\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/03/28 23:58:30 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.0.3\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2011/01/07 15:22:42 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.0.3\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins [2010/02/28 13:27:47 | 000,000,000 | ---D | M]

[2010/02/28 13:27:47 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Dave\Application Data\Mozilla\Extensions
[2010/02/28 13:27:47 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Dave\Application Data\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
[2011/03/31 12:54:05 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\mnxnqp8o.default\extensions
[2010/05/25 17:13:31 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\mnxnqp8o.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/10/15 07:02:20 | 000,000,000 | ---D | M] (Flashblock) -- C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\mnxnqp8o.default\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}
[2010/02/14 14:47:34 | 000,000,000 | ---D | M] (Duplicate Tab) -- C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\mnxnqp8o.default\extensions\{61ED2A9A-39EB-4AAF-BD14-06DFBE8880C3}
[2010/10/13 06:20:38 | 000,000,000 | ---D | M] (CHM Reader) -- C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\mnxnqp8o.default\extensions\{6e098d65-7d2d-46d4-ada0-2f882a29f795}
[2011/03/03 14:53:04 | 000,000,000 | ---D | M] (Tamper Data) -- C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\mnxnqp8o.default\extensions\{9c51bd27-6ed8-4000-a2bf-36cb95c0c947}
[2010/12/03 09:31:50 | 000,000,000 | ---D | M] (FireFTP) -- C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\mnxnqp8o.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}
[2011/03/22 08:03:29 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\mnxnqp8o.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2011/03/03 14:53:04 | 000,000,000 | ---D | M] (Web Developer) -- C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\mnxnqp8o.default\extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}
[2010/08/25 21:20:44 | 000,000,000 | ---D | M] (QuickJava) -- C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\mnxnqp8o.default\extensions\{E6C1199F-E687-42da-8C24-E7770CC3AE66}
[2011/02/19 12:58:30 | 000,000,000 | ---D | M] (Firebug) -- C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\mnxnqp8o.default\extensions\firebug@software.joehewitt.com
[2011/03/31 12:54:05 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/08/12 06:27:51 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2010/10/22 06:10:09 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2011/01/17 09:46:04 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
[2011/02/23 19:59:13 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
[2010/06/20 14:02:42 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2011/02/02 21:40:24 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2011/03/14 13:17:21 | 000,623,214 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\HOSTS
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 http://fbgdc.com
O1 - Hosts: 127.0.0.1 www.experts-exchange.com
O1 - Hosts: 127.0.0.1 www.msn.com
O1 - Hosts: 127.0.0.1 www.kayak.com
O1 - Hosts: 127.0.0.1 qcckayak.com
O1 - Hosts: 127.0.0.1 grouply.com
O1 - Hosts: 127.0.0.1 allturtle.ru
O1 - Hosts: 127.0.0.1 ashdog.ru
O1 - Hosts: 127.0.0.1 badmap.ru
O1 - Hosts: 127.0.0.1 boldrace.ru
O1 - Hosts: 127.0.0.1 cooltrack.ru
O1 - Hosts: 127.0.0.1 cornerrat.ru
O1 - Hosts: 127.0.0.1 fastermail.ru
O1 - Hosts: 127.0.0.1 firmwriter.ru
O1 - Hosts: 127.0.0.1 freenetbox.ru
O1 - Hosts: 127.0.0.1 hairybelt.ru
O1 - Hosts: 127.0.0.1 kindsunday.ru
O1 - Hosts: 127.0.0.1 lameflash.ru
O1 - Hosts: 127.0.0.1 macroarea.ru
O1 - Hosts: 127.0.0.1 ministate.ru
O1 - Hosts: 127.0.0.1 modelprod.ru
O1 - Hosts: 127.0.0.1 passportblues.ru
O1 - Hosts: 127.0.0.1 pearlpole.ru
O1 - Hosts: 127.0.0.1 petlips.ru
O1 - Hosts: 16471 more lines...
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No CLSID value found.
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [ATIModeChange] C:\WINDOWS\System32\Ati2mdxx.exe (ATI Technologies, Inc.)
O4 - HKLM..\Run: [ATIPTA] File not found
O4 - HKLM..\Run: [avast5] File not found
O4 - HKLM..\Run: [bCSSync] C:\Program Files\Microsoft Office\Office14\BCSSync.exe (Microsoft Corporation)
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe (Simply Super Software)
O4 - HKCU..\Run: [OfficeSyncProcess] C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office14\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Se&nd to OneNote - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - File not found
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - File not found
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {22492231-AEF0-49FC-9180-CE8969AB1273} http://download.sp.f-secure.com/ols/f-secure-rtm/resources/fslauncher.cab (F-Secure Online Scanner Launcher)
O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab (Reg Error: Key error.)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6886.cab (Windows Live Safety Center Base Module)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1264585099638 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Dave\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Dave\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/01/27 03:11:44 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/03/31 16:50:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dave\Desktop\IceSword122en
[2011/03/31 16:09:32 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Dave\Desktop\69876976OTL.exe
[2011/03/31 14:36:42 | 001,137,360 | ---- | C] (F-Secure Corporation) -- C:\Documents and Settings\Dave\Desktop\fsbl.exe
[2011/03/31 12:59:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dave\Desktop\765762RootkitRevealer
[2011/03/31 12:21:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dave\Desktop\FBI CODE
[2011/03/30 22:35:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2011/03/30 22:34:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dave\My Documents\Simply Super Software
[2011/03/30 22:33:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Trojan Remover
[2011/03/30 22:33:45 | 000,069,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ztvcabinet.dll
[2011/03/30 22:33:21 | 000,000,000 | ---D | C] -- C:\Program Files\Trojan Remover
[2011/03/30 22:33:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dave\Application Data\Simply Super Software
[2011/03/30 22:33:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Simply Super Software
[2011/03/30 16:38:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dave\Start Menu\Programs\WinRAR
[2011/03/30 16:38:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dave\Application Data\WinRAR
[2011/03/30 16:38:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\WinRAR
[2011/03/30 16:38:32 | 000,000,000 | ---D | C] -- C:\Program Files\WinRAR
[2011/03/30 09:01:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dave\Desktop\NUCLEAR
[2011/03/25 16:01:06 | 000,000,000 | -HSD | C] -- C:\WINDOWS\CSC
[2011/03/24 14:57:38 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2011/03/21 09:22:49 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Client
[2011/03/17 10:58:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dave\Desktop\antivirus logs
[2011/03/17 10:56:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dave\Desktop\malicious
[2011/03/16 16:07:32 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2011/03/16 16:07:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2011/03/16 15:40:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\McAfee
[2011/03/16 15:24:55 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Live Safety Center
[2011/03/14 22:25:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dave\Desktop\jpg
[2011/03/14 22:17:59 | 000,000,000 | -H-D | C] -- C:\WINDOWS\PIF
[2011/03/14 19:43:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Iconoid
[2011/03/14 19:43:25 | 000,000,000 | ---D | C] -- C:\Program Files\Iconoid
[2011/03/14 19:42:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dave\Desktop\iconoid
[2011/03/14 12:43:28 | 000,190,032 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2011/03/14 12:43:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dave\log
[2011/03/13 12:19:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dave\Desktop\mar12_11
[2011/03/11 17:38:03 | 000,222,080 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe
[2011/03/10 11:08:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dave\Desktop\SERVER ERRORS
[2011/03/05 20:34:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dave\Desktop\mar05_11
[2011/03/05 08:32:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dave\Desktop\feb14_11
[2011/03/04 12:32:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dave\Desktop\kayak_trip forms
[2011/03/03 16:51:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dave\Local Settings\Application Data\Temp
[2011/03/02 22:39:44 | 000,000,000 | ---D | C] -- C:\ASP.NET 3.5 VB
[2011/03/02 22:39:09 | 000,000,000 | ---D | C] -- C:\Murach
[2011/03/02 20:42:47 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe

========== Files - Modified Within 30 Days ==========

[2011/03/31 17:01:05 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/03/31 17:00:11 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/03/31 16:52:19 | 000,068,426 | ---- | M] () -- C:\Documents and Settings\Dave\My Documents\is001.JPG
[2011/03/31 16:09:57 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Dave\Desktop\69876976OTL.exe
[2011/03/31 15:55:15 | 003,271,617 | ---- | M] () -- C:\WINDOWS\System32\LHAPSGKKT
[2011/03/31 15:34:48 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\DTIUURQ
[2011/03/31 15:33:57 | 000,025,577 | ---- | M] () -- C:\Documents and Settings\Dave\My Documents\fsb006.JPG
[2011/03/31 15:33:05 | 000,036,727 | ---- | M] () -- C:\Documents and Settings\Dave\My Documents\fsb005.JPG
[2011/03/31 15:31:27 | 000,027,196 | ---- | M] () -- C:\Documents and Settings\Dave\My Documents\fsb004.JPG
[2011/03/31 14:55:41 | 000,028,464 | ---- | M] () -- C:\Documents and Settings\Dave\My Documents\fsb003.JPG
[2011/03/31 14:54:18 | 000,063,076 | ---- | M] () -- C:\Documents and Settings\Dave\My Documents\fsb002.JPG
[2011/03/31 14:52:21 | 000,212,684 | ---- | M] () -- C:\Documents and Settings\Dave\My Documents\rkr003.JPG
[2011/03/31 14:37:08 | 001,137,360 | ---- | M] (F-Secure Corporation) -- C:\Documents and Settings\Dave\Desktop\fsbl.exe
[2011/03/31 14:36:19 | 000,149,950 | ---- | M] () -- C:\Documents and Settings\Dave\My Documents\fsb001.JPG
[2011/03/31 13:20:48 | 000,144,278 | ---- | M] () -- C:\Documents and Settings\Dave\My Documents\rkr002.JPG
[2011/03/31 12:59:11 | 000,181,535 | ---- | M] () -- C:\Documents and Settings\Dave\My Documents\rkr001.JPG
[2011/03/31 12:58:09 | 000,231,390 | ---- | M] () -- C:\Documents and Settings\Dave\Desktop\RootkitRevealer.zip
[2011/03/31 12:36:12 | 000,071,092 | ---- | M] () -- C:\Documents and Settings\Dave\My Documents\icesword007.JPG
[2011/03/31 12:34:12 | 000,203,593 | ---- | M] () -- C:\Documents and Settings\Dave\My Documents\icesword006.JPG
[2011/03/31 12:33:17 | 000,124,185 | ---- | M] () -- C:\Documents and Settings\Dave\My Documents\icesword005.JPG
[2011/03/31 12:32:15 | 000,175,678 | ---- | M] () -- C:\Documents and Settings\Dave\My Documents\icesword004.JPG
[2011/03/31 12:31:30 | 000,112,683 | ---- | M] () -- C:\Documents and Settings\Dave\My Documents\icesword003.JPG
[2011/03/31 12:24:21 | 000,067,285 | ---- | M] () -- C:\Documents and Settings\Dave\My Documents\icesword002.JPG
[2011/03/31 12:23:16 | 000,062,305 | ---- | M] () -- C:\Documents and Settings\Dave\My Documents\icesword001.JPG
[2011/03/29 17:34:36 | 000,130,666 | ---- | M] () -- C:\Documents and Settings\Dave\Desktop\stl_race07.jpg
[2011/03/29 14:01:05 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/03/29 00:30:28 | 088,190,976 | ---- | M] () -- C:\WINDOWS\MEMORY.DMP
[2011/03/28 23:58:38 | 000,001,620 | ---- | M] () -- C:\Documents and Settings\Dave\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2011/03/28 23:58:37 | 000,001,602 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2011/03/28 15:42:34 | 000,301,568 | ---- | M] () -- C:\Documents and Settings\Dave\Desktop\chwx0l59.exe
[2011/03/28 15:35:45 | 000,058,730 | ---- | M] () -- C:\Documents and Settings\Dave\Desktop\plutonium.pdf
[2011/03/28 14:53:52 | 000,003,706 | ---- | M] () -- C:\Documents and Settings\Dave\Desktop\itrs.sql
[2011/03/25 15:19:29 | 000,089,088 | ---- | M] () -- C:\Documents and Settings\Dave\Desktop\mbr.exe
[2011/03/24 04:15:49 | 000,026,523 | ---- | M] () -- C:\Documents and Settings\Dave\My Documents\mse_error.JPG
[2011/03/24 03:17:53 | 000,158,372 | ---- | M] () -- C:\Documents and Settings\Dave\My Documents\gmer002.JPG
[2011/03/23 20:45:29 | 000,134,795 | ---- | M] () -- C:\Documents and Settings\Dave\My Documents\gmer001.JPG
[2011/03/23 17:58:28 | 000,620,465 | ---- | M] () -- C:\Documents and Settings\Dave\Desktop\Autoruns.zip
[2011/03/21 09:24:01 | 000,001,945 | ---- | M] () -- C:\WINDOWS\epplauncher.mif
[2011/03/21 09:04:37 | 000,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2011/03/16 23:13:20 | 000,056,495 | ---- | M] () -- C:\Documents and Settings\Dave\Desktop\110315g.pdf
[2011/03/14 21:56:10 | 000,169,081 | ---- | M] () -- C:\Documents and Settings\Dave\My Documents\procexp_some_verified.JPG
[2011/03/14 19:29:36 | 000,168,766 | ---- | M] () -- C:\Documents and Settings\Dave\My Documents\procexp_some2.JPG
[2011/03/14 19:28:51 | 000,158,432 | ---- | M] () -- C:\Documents and Settings\Dave\My Documents\procexp_some.JPG
[2011/03/14 18:01:02 | 000,170,023 | ---- | M] () -- C:\Documents and Settings\Dave\My Documents\procexp_all_verified.JPG
[2011/03/14 15:00:24 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Dave\defogger_reenable
[2011/03/14 13:17:21 | 000,623,214 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\HOSTS
[2011/03/14 12:43:28 | 000,190,032 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2011/03/11 07:35:00 | 000,005,963 | ---- | M] () -- C:\Documents and Settings\Dave\Desktop\Default.aspx.html
[2011/03/11 02:01:47 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/03/10 14:21:42 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/03/09 21:31:02 | 000,101,136 | ---- | M] () -- C:\Documents and Settings\Dave\Desktop\aspnet1.pdf
[2011/03/09 21:11:00 | 000,010,017 | ---- | M] () -- C:\Documents and Settings\Dave\Desktop\web.config.bak
[2011/03/07 13:25:54 | 000,139,146 | ---- | M] () -- C:\Documents and Settings\Dave\My Documents\rootkit03.JPG
[2011/03/07 12:02:53 | 000,298,048 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/03/07 10:58:09 | 000,138,352 | ---- | M] () -- C:\Documents and Settings\Dave\My Documents\rootkit02.JPG
[2011/03/07 10:08:20 | 000,142,424 | ---- | M] () -- C:\Documents and Settings\Dave\My Documents\rootkit01.JPG
[2011/03/07 00:05:02 | 000,001,208 | ---- | M] () -- C:\bar.emf
[2011/03/02 10:20:37 | 000,095,232 | ---- | M] () -- C:\Documents and Settings\Dave\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

========== Files Created - No Company Name ==========

[2011/03/31 16:52:19 | 000,068,426 | ---- | C] () -- C:\Documents and Settings\Dave\My Documents\is001.JPG
[2011/03/31 15:51:40 | 003,271,617 | ---- | C] () -- C:\WINDOWS\System32\LHAPSGKKT
[2011/03/31 15:34:48 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\DTIUURQ
[2011/03/31 15:33:57 | 000,025,577 | ---- | C] () -- C:\Documents and Settings\Dave\My Documents\fsb006.JPG
[2011/03/31 15:33:05 | 000,036,727 | ---- | C] () -- C:\Documents and Settings\Dave\My Documents\fsb005.JPG
[2011/03/31 15:31:27 | 000,027,196 | ---- | C] () -- C:\Documents and Settings\Dave\My Documents\fsb004.JPG
[2011/03/31 14:55:41 | 000,028,464 | ---- | C] () -- C:\Documents and Settings\Dave\My Documents\fsb003.JPG
[2011/03/31 14:54:18 | 000,063,076 | ---- | C] () -- C:\Documents and Settings\Dave\My Documents\fsb002.JPG
[2011/03/31 14:52:21 | 000,212,684 | ---- | C] () -- C:\Documents and Settings\Dave\My Documents\rkr003.JPG
[2011/03/31 14:36:18 | 000,149,950 | ---- | C] () -- C:\Documents and Settings\Dave\My Documents\fsb001.JPG
[2011/03/31 13:20:48 | 000,144,278 | ---- | C] () -- C:\Documents and Settings\Dave\My Documents\rkr002.JPG
[2011/03/31 12:59:10 | 000,181,535 | ---- | C] () -- C:\Documents and Settings\Dave\My Documents\rkr001.JPG
[2011/03/31 12:58:07 | 000,231,390 | ---- | C] () -- C:\Documents and Settings\Dave\Desktop\RootkitRevealer.zip
[2011/03/31 12:36:11 | 000,071,092 | ---- | C] () -- C:\Documents and Settings\Dave\My Documents\icesword007.JPG
[2011/03/31 12:34:12 | 000,203,593 | ---- | C] () -- C:\Documents and Settings\Dave\My Documents\icesword006.JPG
[2011/03/31 12:33:17 | 000,124,185 | ---- | C] () -- C:\Documents and Settings\Dave\My Documents\icesword005.JPG
[2011/03/31 12:32:15 | 000,175,678 | ---- | C] () -- C:\Documents and Settings\Dave\My Documents\icesword004.JPG
[2011/03/31 12:31:30 | 000,112,683 | ---- | C] () -- C:\Documents and Settings\Dave\My Documents\icesword003.JPG
[2011/03/31 12:24:21 | 000,067,285 | ---- | C] () -- C:\Documents and Settings\Dave\My Documents\icesword002.JPG
[2011/03/31 12:23:15 | 000,062,305 | ---- | C] () -- C:\Documents and Settings\Dave\My Documents\icesword001.JPG
[2011/03/30 22:33:45 | 000,162,304 | ---- | C] () -- C:\WINDOWS\System32\ztvunrar36.dll
[2011/03/30 22:33:45 | 000,077,312 | ---- | C] () -- C:\WINDOWS\System32\ztvunace26.dll
[2011/03/30 22:33:45 | 000,075,264 | ---- | C] () -- C:\WINDOWS\System32\unacev2.dll
[2011/03/30 22:33:44 | 000,153,088 | ---- | C] () -- C:\WINDOWS\System32\UNRAR3.dll
[2011/03/29 17:34:32 | 000,130,666 | ---- | C] () -- C:\Documents and Settings\Dave\Desktop\stl_race07.jpg
[2011/03/28 15:42:15 | 000,301,568 | ---- | C] () -- C:\Documents and Settings\Dave\Desktop\chwx0l59.exe
[2011/03/28 15:35:43 | 000,058,730 | ---- | C] () -- C:\Documents and Settings\Dave\Desktop\plutonium.pdf
[2011/03/28 14:53:51 | 000,003,706 | ---- | C] () -- C:\Documents and Settings\Dave\Desktop\itrs.sql
[2011/03/25 15:19:27 | 000,089,088 | ---- | C] () -- C:\Documents and Settings\Dave\Desktop\mbr.exe
[2011/03/24 04:15:49 | 000,026,523 | ---- | C] () -- C:\Documents and Settings\Dave\My Documents\mse_error.JPG
[2011/03/24 03:17:53 | 000,158,372 | ---- | C] () -- C:\Documents and Settings\Dave\My Documents\gmer002.JPG
[2011/03/23 20:45:29 | 000,134,795 | ---- | C] () -- C:\Documents and Settings\Dave\My Documents\gmer001.JPG
[2011/03/23 17:58:20 | 000,620,465 | ---- | C] () -- C:\Documents and Settings\Dave\Desktop\Autoruns.zip
[2011/03/23 15:37:35 | 088,190,976 | ---- | C] () -- C:\WINDOWS\MEMORY.DMP
[2011/03/17 10:32:28 | 000,001,945 | ---- | C] () -- C:\WINDOWS\epplauncher.mif
[2011/03/16 23:13:19 | 000,056,495 | ---- | C] () -- C:\Documents and Settings\Dave\Desktop\110315g.pdf
[2011/03/14 21:56:09 | 000,169,081 | ---- | C] () -- C:\Documents and Settings\Dave\My Documents\procexp_some_verified.JPG
[2011/03/14 19:29:35 | 000,168,766 | ---- | C] () -- C:\Documents and Settings\Dave\My Documents\procexp_some2.JPG
[2011/03/14 19:28:50 | 000,158,432 | ---- | C] () -- C:\Documents and Settings\Dave\My Documents\procexp_some.JPG
[2011/03/14 18:01:01 | 000,170,023 | ---- | C] () -- C:\Documents and Settings\Dave\My Documents\procexp_all_verified.JPG
[2011/03/14 15:00:24 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Dave\defogger_reenable
[2011/03/11 07:31:36 | 000,005,963 | ---- | C] () -- C:\Documents and Settings\Dave\Desktop\Default.aspx.html
[2011/03/09 21:31:00 | 000,101,136 | ---- | C] () -- C:\Documents and Settings\Dave\Desktop\aspnet1.pdf
[2011/03/09 15:06:37 | 000,010,017 | ---- | C] () -- C:\Documents and Settings\Dave\Desktop\web.config.bak
[2011/03/07 13:25:53 | 000,139,146 | ---- | C] () -- C:\Documents and Settings\Dave\My Documents\rootkit03.JPG
[2011/03/07 10:58:09 | 000,138,352 | ---- | C] () -- C:\Documents and Settings\Dave\My Documents\rootkit02.JPG
[2011/03/07 10:08:20 | 000,142,424 | ---- | C] () -- C:\Documents and Settings\Dave\My Documents\rootkit01.JPG
[2010/10/07 01:04:40 | 000,179,272 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/06/22 08:20:23 | 000,004,212 | -H-- | C] () -- C:\WINDOWS\System32\zllictbl.dat
[2010/06/21 20:01:26 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/03/12 11:11:14 | 000,208,036 | ---- | C] () -- C:\Documents and Settings\Dave\Local Settings\Application Data\debuggee.mdmp
[2010/02/03 23:02:24 | 000,000,130 | ---- | C] () -- C:\WINDOWS\cfplogvw.INI
[2010/01/30 18:31:41 | 000,000,022 | ---- | C] () -- C:\WINDOWS\exchng.ini
[2010/01/30 18:31:39 | 000,001,004 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2010/01/28 20:16:36 | 000,095,232 | ---- | C] () -- C:\Documents and Settings\Dave\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/01/27 09:34:22 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2010/01/27 03:29:18 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\ati2evxx.exe.bak
[2010/01/27 03:16:03 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2010/01/27 03:07:13 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2010/01/26 18:59:00 | 000,004,346 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2010/01/26 18:57:19 | 000,298,048 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/08/03 14:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/08/03 14:07:42 | 000,230,768 | ---- | C] () -- C:\WINDOWS\System32\OGAEXEC.exe
[2004/08/03 19:07:22 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004/08/02 08:20:40 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2001/08/23 14:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2001/08/23 14:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2001/08/23 14:00:00 | 000,507,040 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2001/08/23 14:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2001/08/23 14:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2001/08/23 14:00:00 | 000,096,282 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2001/08/23 14:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2001/08/23 14:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2001/08/23 14:00:00 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2001/08/23 14:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[1997/08/26 02:00:00 | 000,047,104 | ---- | C] () -- C:\WINDOWS\System32\WRKGADM.EXE
[1997/08/26 02:00:00 | 000,022,016 | ---- | C] () -- C:\WINDOWS\System32\ODBCSTF.DLL
[1997/08/26 02:00:00 | 000,022,016 | ---- | C] () -- C:\WINDOWS\System32\DOCOBJ.DLL
[1997/08/26 02:00:00 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\HLINKPRX.DLL

< End of report >
-
Symptom: Difficulty downloading from Microsoft
davejjj replied to davejjj's topic in Resolved Malware Removal Logs
Hi Screen317,

My primary symptom is an inability to download anything from Microsoft. This includes Windows updates. The downloads fizzle and terminate after a few minutes after perhaps 500 KB to 1 MB has been downloaded. I have not noticed any problem downloading from any other websites. I have two computers with this problem. Both are XP SP3. I have tried downloading without my router but the problem is still present. I just tried to download the MS Malicious Software Removal Tool and the download terminated after 615 KB of 11.9 MB. I am unable to run DDS.com or .scr in normal or safe mode. The system always locks up at the exact same point when the DDS progress bar is about 3/4 across the screen. Running GMER usually results in a BSOD. Since it seems unlikely that downloads from Microsoft would become impossible for no reason I suspect I have some sort of infection. I am taking a class on malware at the community college so I think it is possible I have stumbled into some sort of infection. Thanks for any advice.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6219

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/30/2011 3:37:08 PM
mbam-log-2011-03-30 (15-37-08).txt

Scan type: Quick scan
Objects scanned: 166257
Time elapsed: 14 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
-
Updating this thread: http://forums.malwarebytes.org/index.php?showtopic=77815

I have still been unable to run DDS.com or DDS.scr in either normal or safe modes. DDS runs for a minute or so but then the system locks up. I have occasionally been able to run GMER although it usually produces a BSOD. Here is a GMER log... Thanks.

GMER 1.0.15.15570 - http://www.gmer.net
Rootkit scan 2011-03-28 22:52:38
Windows 5.1.2600 Service Pack 3
Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 HITACHI_DK23EB-40 rev.00K0A0C0
Running: chwx0l59.exe; Driver: C:\DOCUME~1\Dave\LOCALS~1\Temp\ugqcykob.sys

---- Kernel code sections - GMER 1.0.15 ----

? C:\WINDOWS\system32\Drivers\PROCEXP141.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[3604] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0xE2 0x63 0x26 0xF1 ...
---- EOF - GMER 1.0.15 ----
-
I reported this here a few days ago but have seen no response. I have had no luck following the suggested procedure. Both DDS and GMER cause a system lockup even in safe-mode. Complete MalwareBytes and Avast scans find nothing. Malicious Software Removal Tool 3.17 also finds nothing. Could this be Conficker? What known threats throttle downloads from Microsoft? Thanks.
-
Symptom: Difficulty downloading from Microsoft
davejjj replied to davejjj's topic in Resolved Malware Removal Logs
The "clean" Procexp display has vanished and now I'm back to where I was. Also DDS and GMER lock up the system even in safe mode. I need some expert advice. Thanks. Attached: Process Explorer views -
Symptom: Difficulty downloading from Microsoft
davejjj replied to davejjj's topic in Resolved Malware Removal Logs
Ok, I'm not making much progress with the recommended sequence. Both DDS and GMER seem to hang the system. Whatever it is I have seems to have gone into defensive mode because Process Explorer now looks clean with every process verifying. Can I perhaps find partial logs from the DDS or GMER programs? For DDS it says I should disable any script blockers. Such as what? I do have a Flash blocker and a Java blocker on the browser. Thanks. System: XP pro sp3 -
Symptom: Difficulty downloading from Microsoft
davejjj replied to davejjj's topic in Resolved Malware Removal Logs
Oops. I see there is a sticky process I'm supposed to go through before posting a log. Let me go do that. Sorry. -
I'm having a few minor symptoms but the most obvious and serious is a problem downloading from Microsoft. Advice appreciated. I have run Malwarebytes and the MaliciousSwRemovalTool v3.17 and Avast and they don't see anything, however Process Explorer sees a number of processes (maybe five?) that it is unable to verify the signature of. Also RootKit Revealer shows 14 keys that contain embedded nulls. Most of the keys are of the form HKLM\SOFTWARE\Classes\CLSID\{number}\InprocServer32* while two others are HKLM\SECURITY\Policy\Secrets\SAC* and SAI*

The Trend Micro RootkitBuster 3.60.0.1016 says:

--== Dump Hidden MBR, Hidden Files and Alternate Data Streams on C:\ ==--
No hidden files found.

--== Dump Hidden Registry Value on HKLM ==--
[HIDDEN_REGISTRY][Hidden Reg Key]:
 KeyPath : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data
 SubKey : Data
 FullLength: 0x5c
[HIDDEN_REGISTRY][Hidden Reg Key]:
 KeyPath : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data 2
 SubKey : Data 2
 FullLength: 0x5e
2 hidden registry entries found.

--== Dump Hidden Process ==--
No hidden processes found.

--== Dump Hidden Driver ==--
No hidden drivers found.

--== Service Win32 API Hook List ==--
[HOOKED_SERVICE_API]:
 Service API : ZwAddBootEntry
 Image Path : C:\WINDOWS\System32\Drivers\aswSnx.SYS
 OriginalHandler : 0x8064986f
 CurrentHandler : 0xa7a779ca
 ServiceNumber : 0x9
 ModuleName : aswSnx.SYS
 SDTType : 0x0
[HOOKED_SERVICE_API]:
 Service API : ZwAllocateVirtualMemory
 Image Path : C:\WINDOWS\System32\Drivers\aswSP.SYS
 OriginalHandler : 0x805691ea
 CurrentHandler : 0xa7acca68
 ServiceNumber : 0x11
 ModuleName : aswSP.SYS
 SDTType : 0x0
[HOOKED_SERVICE_API]:
 Service API : ZwClose
 Image Path : C:\WINDOWS\System32\Drivers\aswSnx.SYS
 OriginalHandler : 0x80567aed
 CurrentHandler : 0xa7a97af5
 ServiceNumber : 0x19
 ModuleName : aswSnx.SYS
 SDTType : 0x0
[...Long list omitted here...]
[HOOKED_SERVICE_API]:
 Service API : ZwVdmControl
 Image Path : C:\WINDOWS\System32\Drivers\aswSnx.SYS
 OriginalHandler : 0x805c02da
 CurrentHandler : 0xa7a77a7e
 ServiceNumber : 0x10c
 ModuleName : aswSnx.SYS
 SDTType : 0x0

--== Dump Hidden Port ==--
No hidden ports found.

--== Dump Kernel Code Patching ==--
[KERNEL_CODE][PATCHED]:
 Service API : ZwCreateProcessEx
 Address : 8058124C
 CurrentCode : E991065627
 ExpectedCode : 6A0C68A0CA
 ServiceNumber : 0x30
 SDTType : 0x0
1 Kernel code patching found.

And my HijackThis log is:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:43:46 AM, on 3/11/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE
C:\Documents and Settings\Dave\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MI1933~1\Office14\GROOVEEX.DLL
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MI1933~1\Office14\URLREDIR.DLL
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [bCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OfficeSyncProcess] "C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MI1933~1\Office14\ONBttnIE.dll/105
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {22492231-AEF0-49FC-9180-CE8969AB1273} (F-Secure Online Scanner Launcher) - http://download.sp.f-secure.com/ols/f-secure-rtm/resources/fslauncher.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1264585099638
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0713B2E3-5582-4FFB-83D2-04E45329E47A}: NameServer = 68.94.156.1,68.94.157.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{0713B2E3-5582-4FFB-83D2-04E45329E47A}: NameServer = 68.94.156.1,68.94.157.1
O20 - AppInit_DLLs:
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 5728 bytes