Jump to content

Trojan Pakes.AV is being stubborn!


bubbadub
 Share

Recommended Posts

Evening all, I'm in need of your help and wealth of experience...

Lately i've been getting little alert windows popping up from my AVG anti virus telling me that there is a virus detected in my temp folders by the name of "Trojan Horse Pakes.AV".

I have done some searching about but there seems to be little information, only for pakes.aw and pakes.u...

I have done a HijackThis log file, and please find it enclosed below. Malwarebytes didn't detect it.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 20:39:05, on 26/02/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\Program Files\AVG\AVG9\avgrsx.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\AVG\AVG9\avgwdsvc.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\AVG\AVG9\avgnsx.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\slserv.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\ALCWZRD.EXE

C:\ATI-CPanel\atiptaxx.exe

C:\PROGRA~1\AVG\AVG9\avgtray.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Outlook Express\msimn.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.blueyonder.co.uk/search/search.jsp

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by blueyonder

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [ATIPTA] C:\ATI-CPanel\atiptaxx.exe

O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe

O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1199212769281

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab

O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopetslive.com/dev/GoPetsWeb.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe

O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe

O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--

End of file - 6060 bytes

Any help you guys can provide will be highly appreciated. :)

Link to post
Share on other sites

Hello ,

Welcome to Malwarebytes forum! Lets first get some more information about your system.

We need to create an OTL Report

  1. Please download OTL from one of the following mirrors:

[*]Save it to your desktop.

[*]Double click on the otlDesktopIcon.png icon on your desktop.

[*]Click the "Scan All Users" checkbox.

[*]Push the runscanbutton.png button.

[*]Two reports will open, copy and paste them in a reply here:

  • OTListIt.txt <-- Will be opened
  • Extra.txt <-- Will be minimized

GMER

-------

Please download GMER from one of the following locations and save it to your desktop:

  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
    gmer_zip.gif
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.

-- If you encounter any problems, try running GMER in Safe Mode.

In your next reply, please include the following:

  • OTL report
  • GMER log

Link to post
Share on other sites

OTL txt file below:

OTL logfile created on: 27/02/2010 18:17:07 - Run 1

OTL by OldTimer - Version 3.1.30.3 Folder = C:\Documents and Settings\Tarlton\Desktop

Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

511.00 Mb Total Physical Memory | 61.00 Mb Available Physical Memory | 12.00% Memory free

1.00 Gb Paging File | 1.00 Gb Available in Paging File | 58.00% Paging File free

Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 127.99 Gb Total Space | 94.84 Gb Free Space | 74.10% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: COMET-RMLAT7V69

Current User Name: Tarlton

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: All users

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/02/27 18:16:40 | 000,549,888 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Tarlton\Desktop\OTL.exe

PRC - [2010/02/23 17:59:39 | 000,908,248 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe

PRC - [2010/02/22 20:17:04 | 000,788,880 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

PRC - [2010/02/22 20:17:02 | 001,181,328 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

PRC - [2010/01/01 21:40:48 | 002,033,432 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgtray.exe

PRC - [2009/12/12 17:37:13 | 000,503,576 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgrsx.exe

PRC - [2009/12/12 17:37:11 | 000,600,344 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgnsx.exe

PRC - [2009/11/23 20:03:53 | 001,055,000 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgchsvx.exe

PRC - [2009/11/23 20:03:51 | 000,702,744 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgcsrvx.exe

PRC - [2009/11/23 20:03:43 | 000,285,392 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe

PRC - [2009/02/16 00:10:22 | 002,402,184 | ---- | M] (Check Point Software Technologies LTD) -- C:\WINDOWS\system32\ZoneLabs\vsmon.exe

PRC - [2009/02/16 00:10:22 | 000,981,384 | ---- | M] (Check Point Software Technologies LTD) -- C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

PRC - [2008/04/14 00:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe

PRC - [2005/03/04 14:09:56 | 002,803,712 | R--- | M] (RealTek Semicoductor Corp.) -- C:\WINDOWS\ALCWZRD.EXE

PRC - [2005/03/02 08:49:30 | 000,090,112 | R--- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\SOUNDMAN.EXE

PRC - [2005/02/22 21:05:00 | 000,339,968 | ---- | M] (ATI Technologies, Inc.) -- C:\ATI-CPanel\atiptaxx.exe

PRC - [2004/01/08 16:41:40 | 000,073,796 | ---- | M] (Smart Link) -- C:\WINDOWS\system32\slserv.exe

PRC - [2001/08/23 12:00:00 | 000,016,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\unsecapp.exe

========== Modules (SafeList) ==========

MOD - [2010/02/27 18:16:40 | 000,549,888 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Tarlton\Desktop\OTL.exe

========== Win32 Services (SafeList) ==========

SRV - [2010/02/22 20:17:02 | 001,181,328 | ---- | M] (Lavasoft) [Auto | Running] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)

SRV - [2009/11/23 20:03:43 | 000,285,392 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgwdsvc.exe -- (avg9wd)

SRV - [2009/02/16 00:10:22 | 002,402,184 | ---- | M] (Check Point Software Technologies LTD) [Auto | Running] -- C:\WINDOWS\System32\ZoneLabs\vsmon.exe -- (vsmon)

SRV - [2008/01/16 19:14:20 | 000,053,760 | ---- | M] (Hewlett-Packard) [Auto | Running] -- C:\WINDOWS\system32\HPZipm12.dll -- (Pml Driver HPZ12)

SRV - [2008/01/16 19:14:18 | 000,043,520 | ---- | M] (Hewlett-Packard) [Auto | Running] -- C:\WINDOWS\system32\HPZinw12.dll -- (Net Driver HPZ12)

SRV - [2007/09/29 02:56:34 | 000,483,328 | ---- | M] (ATI Technologies Inc.) [Disabled | Stopped] -- C:\WINDOWS\system32\ati2evxx.exe -- (Ati HotKey Poller)

SRV - [2007/02/05 09:11:18 | 000,075,320 | ---- | M] (Sony Corporation) [Disabled | Stopped] -- C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe -- (SSScsiSV)

SRV - [2007/02/05 09:11:16 | 000,112,184 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe -- (SonicStage Back-End Service)

SRV - [2006/12/14 01:21:20 | 000,045,056 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe -- (MSCSPTISRV)

SRV - [2006/12/14 01:02:08 | 000,069,632 | ---- | M] (Sony Corporation) [Disabled | Stopped] -- C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe -- (SPTISRV)

SRV - [2006/12/14 00:46:16 | 000,057,344 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe -- (PACSPTISVR)

SRV - [2006/11/03 19:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend)

SRV - [2005/11/14 00:06:04 | 000,069,632 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe -- (IDriverT)

SRV - [2004/07/15 01:49:26 | 000,032,768 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe -- (aspnet_state)

SRV - [2004/01/08 16:41:40 | 000,073,796 | ---- | M] (Smart Link) [Auto | Running] -- C:\WINDOWS\System32\slserv.exe -- (SLService)

========== Driver Services (SafeList) ==========

DRV - [2009/11/23 20:04:18 | 000,360,584 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgtdix.sys -- (AvgTdiX)

DRV - [2009/11/23 20:04:12 | 000,333,192 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgldx86.sys -- (AvgLdx86)

DRV - [2009/11/23 20:04:10 | 000,028,424 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\System32\Drivers\avgmfx86.sys -- (AvgMfx86)

DRV - [2009/09/23 12:55:23 | 000,064,288 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\Lbd.sys -- (Lbd)

DRV - [2009/06/30 09:37:16 | 000,028,552 | ---- | M] (Panda Security, S.L.) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\pavboot.sys -- (pavboot)

DRV - [2009/02/16 00:10:26 | 000,353,672 | ---- | M] (Check Point Software Technologies LTD) [Kernel | System | Running] -- C:\WINDOWS\system32\vsdatant.sys -- (vsdatant)

DRV - [2008/11/17 02:24:00 | 000,051,688 | ---- | M] (Check Point Software Technologies LTD) [Kernel | Boot | Running] -- C:\WINDOWS\system32\ZoneLabs\srescan.sys -- (srescan)

DRV - [2008/04/13 18:45:12 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\usbaudio.sys -- (usbaudio) USB Audio Driver (WDM)

DRV - [2008/04/13 16:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)

DRV - [2007/11/13 10:25:53 | 000,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)

DRV - [2007/11/01 03:28:07 | 000,021,568 | R--- | M] (HP) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HPZius12.sys -- (HPZius12)

DRV - [2007/11/01 03:28:06 | 000,049,920 | R--- | M] (HP) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HPZid412.sys -- (HPZid412)

DRV - [2007/11/01 03:28:06 | 000,016,496 | R--- | M] (HP) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HPZipr12.sys -- (HPZipr12)

DRV - [2007/09/29 03:06:00 | 002,456,064 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)

DRV - [2007/09/28 17:56:20 | 000,043,528 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20)

DRV - [2007/07/11 14:51:48 | 000,019,840 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lgusbdiag.sys -- (UsbDiag)

DRV - [2007/07/11 09:45:00 | 000,021,632 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lgusbmodem.sys -- (USBModem)

DRV - [2007/07/11 09:40:18 | 000,012,416 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lgusbbus.sys -- (usbbus)

DRV - [2007/05/11 03:10:50 | 000,034,704 | ---- | M] (IVT Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\blueletaudio.sys -- (BlueletAudio)

DRV - [2007/05/09 01:59:40 | 000,036,496 | ---- | M] (IVT Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btcusb.sys -- (Btcsrusb)

DRV - [2007/03/05 06:00:04 | 000,027,792 | ---- | M] (IVT Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BlueletSCOAudio.sys -- (BlueletSCOAudio)

DRV - [2007/03/05 05:59:04 | 000,018,320 | ---- | M] (IVT Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btnetdrv.sys -- (BT)

DRV - [2007/03/05 05:57:14 | 000,019,472 | ---- | M] (IVT Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\VHIDMini.sys -- (VHidMinidrv)

DRV - [2007/03/05 05:56:18 | 000,035,600 | ---- | M] (IVT Corporation.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\BTHidMgr.sys -- (BTHidMgr)

DRV - [2007/03/05 05:55:12 | 000,020,880 | ---- | M] (IVT Corporation.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\vbtenum.sys -- (BTHidEnum)

DRV - [2007/03/05 05:53:18 | 000,044,304 | ---- | M] (IVT Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\VcommMgr.sys -- (VcommMgr)

DRV - [2007/03/05 05:52:18 | 000,034,448 | ---- | M] (IVT Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\VComm.sys -- (VComm)

DRV - [2006/11/21 22:41:18 | 000,022,416 | ---- | M] (IVT Corporation.) [Kernel | On_Demand | Stopped] -- C:\Program Files\IVT Corporation\BlueSoleil\device\Win2k\BTNetFilter.sys -- (BTNetFilter)

DRV - [2005/03/04 15:41:18 | 002,528,192 | R--- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)

DRV - [2005/01/08 01:15:40 | 000,051,582 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Tosporte.sys -- (tosporte)

DRV - [2005/01/07 17:07:16 | 000,145,920 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Hdaudio.sys -- (HdAudAddService)

DRV - [2005/01/06 13:42:42 | 000,018,612 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tosrfnds.sys -- (tosrfnds)

DRV - [2004/12/24 18:36:38 | 000,097,792 | ---- | M] (TOSHIBA CORPORATION) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\TosRfbd.sys -- (Tosrfbd)

DRV - [2004/12/21 11:38:12 | 000,034,816 | ---- | M] (TOSHIBA CORPORATION) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tosrfusb.sys -- (Tosrfusb)

DRV - [2004/12/15 17:30:14 | 000,050,048 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\TosRfSnd.sys -- (TosRfSnd) Bluetooth Audio Device (WDM)

DRV - [2004/12/02 15:36:06 | 000,070,912 | R--- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtlnicxp.sys -- (RTL8023xp)

DRV - [2004/11/15 22:51:54 | 000,050,048 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\TosRfhid.sys -- (Tosrfhid)

DRV - [2004/10/04 10:33:02 | 000,062,799 | ---- | M] (TOSHIBA Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tosrfcom.sys -- (Tosrfcom)

DRV - [2004/08/03 22:31:34 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\rtl8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)

DRV - [2004/07/08 17:07:34 | 000,036,531 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tosrfbnp.sys -- (Tosrfbnp)

DRV - [2004/04/01 08:56:00 | 000,404,990 | ---- | M] (Smart Link) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\slntamr.sys -- (Slntamr)

DRV - [2004/04/01 08:56:00 | 000,126,686 | ---- | M] (Smart Link) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mtlmnt5.sys -- (Mtlmnt5)

DRV - [2004/01/28 16:37:46 | 000,180,360 | ---- | M] (Smart Link) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ntmtlfax.sys -- (NtMtlFax)

DRV - [2004/01/28 16:26:28 | 000,095,424 | ---- | M] (Smart Link) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\slnthal.sys -- (SlNtHal)

DRV - [2004/01/28 15:46:22 | 001,309,184 | ---- | M] (Smart Link) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mtlstrm.sys -- (Mtlstrm)

DRV - [2004/01/28 15:20:44 | 000,013,240 | ---- | M] (Smart Link) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\slwdmsup.sys -- (SlWdmSup)

DRV - [2004/01/13 16:03:30 | 000,013,776 | ---- | M] (Smart Link) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\RecAgent.sys -- (RecAgent)

DRV - [2003/06/27 02:05:38 | 000,472,332 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\lvcm.sys -- (QCMerced)

DRV - [2002/10/16 13:55:48 | 000,002,851 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Toshidpt.sys -- (toshidpt)

DRV - [2001/08/23 12:00:00 | 000,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)

DRV - [2001/08/23 12:00:00 | 000,005,888 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rootmdm.sys -- (ROOTMODEM)

DRV - [2001/08/17 13:57:38 | 000,016,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\MODEMCSA.sys -- (MODEMCSA)

DRV - [2001/08/17 13:56:16 | 000,007,552 | ---- | M] (Sony Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SONYPVU1.SYS -- (SONYPVU1) Sony USB Filter Driver (SONYPVU1)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1960408961-842925246-682003330-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/

IE - HKU\S-1-5-21-1960408961-842925246-682003330-1004\S-1-5-21-1960408961-842925246-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1960408961-842925246-682003330-1004\S-1-5-21-1960408961-842925246-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "www.google.co.uk"

FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:9.0.0.716

FF - prefs.js..extensions.enabledItems: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}:20091028

FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG9\Firefox [2009/12/12 17:41:08 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/02/25 17:52:52 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/02/23 18:00:04 | 000,000,000 | ---D | M]

[2008/09/04 12:07:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tarlton\Application Data\Mozilla\Extensions

[2010/02/27 18:17:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tarlton\Application Data\Mozilla\Firefox\Profiles\jw606ble.default\extensions

[2009/11/23 20:19:03 | 000,000,000 | ---D | M] (WOT) -- C:\Documents and Settings\Tarlton\Application Data\Mozilla\Firefox\Profiles\jw606ble.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}

[2010/02/27 18:17:22 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

[2010/02/23 17:59:52 | 000,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml

[2010/02/23 17:59:53 | 000,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml

[2010/02/23 17:59:53 | 000,000,769 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml

[2010/02/23 17:59:54 | 000,000,831 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2009/11/23 22:33:53 | 000,356,633 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O1 - Hosts: 127.0.0.1 www.007guard.com

O1 - Hosts: 127.0.0.1 007guard.com

O1 - Hosts: 127.0.0.1 008i.com

O1 - Hosts: 127.0.0.1 www.008k.com

O1 - Hosts: 127.0.0.1 008k.com

O1 - Hosts: 127.0.0.1 www.00hq.com

O1 - Hosts: 127.0.0.1 00hq.com

O1 - Hosts: 127.0.0.1 010402.com

O1 - Hosts: 127.0.0.1 www.032439.com

O1 - Hosts: 127.0.0.1 032439.com

O1 - Hosts: 127.0.0.1 www.0scan.com

O1 - Hosts: 127.0.0.1 0scan.com

O1 - Hosts: 127.0.0.1 1000gratisproben.com

O1 - Hosts: 127.0.0.1 www.1000gratisproben.com

O1 - Hosts: 127.0.0.1 1001namen.com

O1 - Hosts: 127.0.0.1 www.1001namen.com

O1 - Hosts: 127.0.0.1 www.100888290cs.com

O1 - Hosts: 127.0.0.1 100888290cs.com

O1 - Hosts: 127.0.0.1 100sexlinks.com

O1 - Hosts: 127.0.0.1 www.100sexlinks.com

O1 - Hosts: 127.0.0.1 10sek.com

O1 - Hosts: 127.0.0.1 www.10sek.com

O1 - Hosts: 127.0.0.1 1-2005-search.com

O1 - Hosts: 127.0.0.1 www.1-2005-search.com

O1 - Hosts: 12234 more lines...

O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)

O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.

O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll (Sun Microsystems, Inc.)

O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\ALCMTR.EXE (Realtek Semiconductor Corp.)

O4 - HKLM..\Run: [AlcWzrd] C:\WINDOWS\ALCWZRD.EXE (RealTek Semicoductor Corp.)

O4 - HKLM..\Run: [ATIPTA] C:\ATI-CPanel\atiptaxx.exe (ATI Technologies, Inc.)

O4 - HKLM..\Run: [AVG9_TRAY] C:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)

O4 - HKLM..\Run: [soundMan] C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)

O4 - HKLM..\Run: [ZoneAlarm Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe (Check Point Software Technologies LTD)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-21-1960408961-842925246-682003330-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/windowsupd...b?1199212769281 (WUWebControl Class)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_02)

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab (MessengerStatsClient Class)

O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_02)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_02)

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)

O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab (Minesweeper Flags Class)

O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} https://secure.gopetslive.com/dev/GoPetsWeb.cab (GoPetsWeb Control)

O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1

O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)

O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)

O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp

O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp

O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2007/12/26 23:20:32 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O33 - MountPoints2\{2cd63cac-fc5a-11de-9800-00158307302c}\Shell - "" = AutoRun

O33 - MountPoints2\{2cd63cac-fc5a-11de-9800-00158307302c}\Shell\AutoRun - "" = Auto&Play

O33 - MountPoints2\{2cd63cac-fc5a-11de-9800-00158307302c}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found

O33 - MountPoints2\{63b3f597-d902-11de-97af-00158307302c}\Shell - "" = AutoRun

O33 - MountPoints2\{63b3f597-d902-11de-97af-00158307302c}\Shell\AutoRun - "" = Auto&Play

O33 - MountPoints2\{63b3f597-d902-11de-97af-00158307302c}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- File not found

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()

O35 - comfile [open] -- "%1" %*

O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/02/27 18:15:01 | 000,549,888 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Tarlton\Desktop\OTL.exe

[2010/02/26 18:20:54 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys

[2010/02/26 18:20:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes

[2010/02/26 18:20:50 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

[2010/02/26 18:20:50 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware

[2010/02/26 15:55:23 | 000,028,552 | ---- | C] (Panda Security, S.L.) -- C:\WINDOWS\System32\drivers\pavboot.sys

[2010/02/26 15:54:53 | 000,000,000 | ---D | C] -- C:\Program Files\Panda Security

[2010/02/26 15:51:36 | 000,016,384 | ---- | C] (WareSoft Software) -- C:\WINDOWS\System32\restart.exe

[2010/02/26 15:51:34 | 000,053,248 | ---- | C] (http://www.beyondlogic.org) -- C:\WINDOWS\System32\Process.exe

[2010/02/26 15:30:05 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro

[2010/02/19 20:16:16 | 000,064,288 | ---- | C] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys

[2010/02/19 20:15:02 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}

[2010/02/19 20:14:19 | 000,000,000 | ---D | C] -- C:\Program Files\Lavasoft

[2010/02/19 20:12:18 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Tarlton\Recent

[2010/02/18 17:49:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft

[2010/02/17 21:09:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia

[2010/02/17 21:09:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Adobe

[2010/02/11 23:58:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tarlton\Application Data\Canon

[2009/11/25 00:11:32 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft

[2009/11/23 20:00:04 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft

[2009/11/23 20:00:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft

[7 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/02/27 18:16:40 | 000,549,888 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Tarlton\Desktop\OTL.exe

[2010/02/27 18:11:24 | 056,305,693 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm

[2010/02/27 18:06:25 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job

[2010/02/27 18:06:24 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 4).job

[2010/02/27 18:06:23 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 3).job

[2010/02/27 18:06:22 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 2).job

[2010/02/27 18:06:20 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 1).job

[2010/02/27 18:04:33 | 000,350,192 | ---- | M] () -- C:\WINDOWS\System32\vsconfig.xml

[2010/02/27 18:03:35 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT

[2010/02/27 18:03:32 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2010/02/27 18:03:20 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2010/02/26 20:40:54 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Tarlton\ntuser.ini

[2010/02/26 20:40:53 | 008,126,464 | -H-- | M] () -- C:\Documents and Settings\Tarlton\NTUSER.DAT

[2010/02/26 19:44:52 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Tarlton\Local Settings\Application Data\prvlcl.dat

[2010/02/26 18:20:57 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk

[2010/02/25 21:05:03 | 000,096,512 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\atapi.sys

[2010/02/24 23:22:11 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK

[2010/02/24 20:10:05 | 000,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini

[2010/02/19 20:14:58 | 000,000,867 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk

[2010/01/31 18:15:14 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\Tarlton\Desktop\hondapeopleapplicationform.doc

[7 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/02/26 18:20:57 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk

[2010/02/26 15:51:36 | 000,175,616 | ---- | C] () -- C:\WINDOWS\System32\strings.exe

[2010/02/26 15:51:36 | 000,126,976 | ---- | C] () -- C:\WINDOWS\System32\zip.exe

[2010/02/26 15:51:36 | 000,011,254 | ---- | C] () -- C:\WINDOWS\System32\locate.com

[2010/02/26 15:51:34 | 000,039,184 | ---- | C] () -- C:\WINDOWS\System32\Ntrights.exe

[2010/02/24 23:22:10 | 000,001,374 | ---- | C] () -- C:\WINDOWS\imsins.BAK

[2010/02/22 20:19:09 | 000,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 4).job

[2010/02/22 20:19:08 | 000,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 3).job

[2010/02/22 20:19:07 | 000,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 2).job

[2010/02/22 20:19:06 | 000,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 1).job

[2010/02/19 21:05:09 | 000,015,688 | ---- | C] () -- C:\WINDOWS\System32\lsdelete.exe

[2010/02/19 20:14:58 | 000,000,867 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk

[2010/01/31 18:15:14 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Tarlton\Desktop\hondapeopleapplicationform.doc

[2009/11/25 22:59:09 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Tarlton\Local Settings\Application Data\prvlcl.dat

[2009/02/03 15:17:57 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI

[2008/11/03 12:10:31 | 000,001,381 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache

[2008/07/15 20:51:44 | 000,000,039 | ---- | C] () -- C:\WINDOWS\TLTitleData.ini

[2008/04/16 11:47:53 | 000,532,480 | ---- | C] () -- C:\WINDOWS\System32\CddbPlaylist2Sony.dll

[2008/03/22 12:54:46 | 000,000,241 | ---- | C] () -- C:\WINDOWS\SIERRA.INI

[2008/02/24 14:00:34 | 000,000,097 | ---- | C] () -- C:\WINDOWS\WirelessFTP.INI

[2008/01/14 23:41:53 | 000,000,000 | ---- | C] () -- C:\WINDOWS\tosOBEX.INI

[2008/01/03 14:42:05 | 000,051,712 | ---- | C] () -- C:\Documents and Settings\Tarlton\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2008/01/03 13:06:13 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini

[2008/01/01 18:01:10 | 000,006,048 | ---- | C] () -- C:\WINDOWS\System32\mcc16.dll

[2007/12/31 20:41:19 | 000,001,660 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log

[2007/12/31 20:23:19 | 000,014,938 | ---- | C] () -- C:\WINDOWS\System32\lvcoinst.ini

[2007/12/31 20:23:04 | 000,000,268 | ---- | C] () -- C:\WINDOWS\_delis32.ini

[2007/12/31 20:13:33 | 000,156,672 | R--- | C] () -- C:\WINDOWS\System32\RTLCPAPI.dll

[2007/12/31 18:21:57 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll

[2007/10/04 18:33:10 | 000,000,416 | ---- | C] () -- C:\WINDOWS\System32\dtu100.dll.manifest

[2007/10/04 18:33:10 | 000,000,416 | ---- | C] () -- C:\WINDOWS\System32\dpl100.dll.manifest

[2007/09/28 17:56:22 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll

[2007/09/28 17:53:06 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\DivXWMPExtType.dll

[2004/12/02 15:20:12 | 000,114,688 | ---- | C] () -- C:\WINDOWS\System32\TosBtAcc.dll

[2004/09/22 10:09:06 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\TosCommAPI.dll

[2004/07/20 17:04:02 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\TosBtHcrpAPI.dll

[2004/01/15 14:43:28 | 000,114,688 | ---- | C] () -- C:\WINDOWS\System32\TBTMonUI.dll

[2003/07/29 15:33:26 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\TosHidAPI.dll

[2002/11/27 11:30:32 | 000,561,152 | ---- | C] () -- C:\WINDOWS\System32\hpotscl.dll

[1999/01/27 13:39:06 | 000,065,024 | ---- | C] () -- C:\WINDOWS\System32\indounin.dll

[1999/01/22 18:46:56 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL

[1997/06/13 07:56:08 | 000,056,832 | ---- | C] () -- C:\WINDOWS\System32\Iyvu9_32.dll

========== Files - Unicode (All) ==========

[2009/10/22 17:31:40 | 000,000,040 | ---- | M] ()(C:\WINDOWS\System32\????????????????????????????????????g) -- C:\WINDOWS\System32\㩃停潲牧浡䘠汩獥噜物楧牂慯扤湡層䍐畧牡層慓敦潃湮捥屴潃普杩塜楖睥挮湯楦g

[2009/10/22 17:31:40 | 000,000,040 | ---- | C] ()(C:\WINDOWS\System32\????????????????????????????????????g) -- C:\WINDOWS\System32\㩃停潲牧浡䘠汩獥噜物楧牂慯扤湡層䍐畧牡層慓敦潃湮捥屴潃普杩塜楖睥挮湯楦g

[2009/08/05 22:13:07 | 000,000,089 | ---- | M] ()(C:\WINDOWS\System32\

Link to post
Share on other sites

Extras Doc:

OTL Extras logfile created on: 27/02/2010 18:17:07 - Run 1

OTL by OldTimer - Version 3.1.30.3 Folder = C:\Documents and Settings\Tarlton\Desktop

Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

511.00 Mb Total Physical Memory | 61.00 Mb Available Physical Memory | 12.00% Memory free

1.00 Gb Paging File | 1.00 Gb Available in Paging File | 58.00% Paging File free

Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 127.99 Gb Total Space | 94.84 Gb Free Space | 74.10% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: COMET-RMLAT7V69

Current User Name: Tarlton

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: All users

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Standard

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

exefile [open] -- "%1" %*

htmlfile [edit] -- Reg Error: Key error.

htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)

htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)

http [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)

https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)

CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"AntiVirusDisableNotify" = 0

"FirewallDisableNotify" = 0

"UpdatesDisableNotify" = 0

"AntiVirusOverride" = 0

"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"C:\Documents and Settings\Faz\Desktop\LimeWire\LimeWire.exe" = C:\Documents and Settings\Faz\Desktop\LimeWire\LimeWire.exe:*:Enabled:LimeWire -- File not found

"C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe" = C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe:*:Enabled:BlueSoleil -- (IVT Corporation.)

"C:\Program Files\BitLord\BitLord.exe" = C:\Program Files\BitLord\BitLord.exe:*:Enabled:BitLord -- File not found

"C:\Program Files\LimeWire\LimeWire.exe" = C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire -- File not found

"C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe:*:Enabled:hpqtra08.exe -- File not found

"C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe:*:Enabled:hpqste08.exe -- File not found

"C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe -- File not found

"C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe" = C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe -- File not found

"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe" = C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe -- File not found

"C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe -- File not found

"C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe -- File not found

"C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe" = C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe:*:Enabled:hpiscnapp.exe -- File not found

"C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe:*:Enabled:hpqkygrp.exe -- File not found

"C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:

Link to post
Share on other sites

Hello ,

P2P WARNING

-------------------

Going over your logs I noticed that you have uTorrent installed.

[*] Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.

[*]They are a security risk which can make your computer susceptible to a sm

Link to post
Share on other sites

Hello, thank you for your support. Once again I appreciate it greatly.

I am unable to complete the GMER log as everytime I run a scan in it. It stalls and the computer freezes once it reaches the atapi.sys file in the system32 folder.

However below, I will post the results of the ComboFix in my next post.

Link to post
Share on other sites

Combofix Log is finally completed:

ComboFix 10-02-27.04 - Tarlton 27/02/2010 21:11:25.1.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.83 [GMT 0:00]

Running from: c:\documents and settings\Tarlton\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Tarlton\Start Menu\Windows Live Messenger .lnk

c:\windows\system32\lowsec

c:\windows\system32\lowsec\local.ds

c:\windows\system32\lowsec\user.ds

c:\windows\system32\lowsec\user.ds.lll

c:\windows\system32\Process.exe

c:\windows\system32\reboot.txt

c:\windows\system32\sdra64.exe

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected

Restored copy from - Kitty ate it :)

.

((((((((((((((((((((((((( Files Created from 2010-01-27 to 2010-02-27 )))))))))))))))))))))))))))))))

.

2010-02-26 18:21 . 2010-02-26 18:21 -------- d-----w- c:\documents and settings\Faz\Application Data\Malwarebytes

2010-02-26 18:20 . 2010-01-07 16:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-02-26 18:20 . 2010-02-26 18:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-02-26 18:20 . 2010-02-26 18:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-02-26 18:20 . 2010-01-07 16:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-02-26 15:55 . 2009-06-30 09:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys

2010-02-26 15:54 . 2010-02-26 15:54 -------- d-----w- c:\program files\Panda Security

2010-02-26 15:51 . 2005-10-19 18:50 16384 ----a-w- c:\windows\system32\restart.exe

2010-02-26 15:51 . 2005-01-20 13:47 175616 ----a-w- c:\windows\system32\strings.exe

2010-02-26 15:51 . 2005-01-13 21:41 11254 ----a-w- c:\windows\system32\locate.com

2010-02-26 15:51 . 2005-01-13 21:41 39184 ----a-w- c:\windows\system32\Ntrights.exe

2010-02-26 15:30 . 2010-02-26 15:30 -------- d-----w- c:\program files\Trend Micro

2010-02-19 21:05 . 2009-09-03 09:17 15688 ----a-w- c:\windows\system32\lsdelete.exe

2010-02-19 20:17 . 2010-02-19 20:17 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2010-02-19 20:16 . 2009-09-23 12:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys

2010-02-19 20:15 . 2010-02-19 20:15 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}

2010-02-19 20:14 . 2010-02-19 20:14 -------- d-----w- c:\program files\Lavasoft

2010-02-11 23:58 . 2010-02-11 23:58 -------- d-----w- c:\documents and settings\Tarlton\Application Data\Canon

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-02-27 20:33 . 2010-02-27 20:33 20512126 ----a-w- c:\windows\Internet Logs\vsmon_on_demand_thread_2010_02_27_19_24_31_full.dmp.zip

2010-02-27 18:44 . 2010-01-06 00:57 0 ----a-w- c:\documents and settings\Faz\Local Settings\Application Data\prvlcl.dat

2010-02-27 18:44 . 2009-11-25 22:59 0 ----a-w- c:\documents and settings\Tarlton\Local Settings\Application Data\prvlcl.dat

2010-02-25 21:05 . 2001-08-23 12:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys

2010-02-19 20:14 . 2009-11-24 00:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

2010-02-09 23:23 . 2009-11-09 23:23 -------- d-----w- c:\documents and settings\Tarlton\Application Data\uTorrent

2010-01-31 18:40 . 2009-11-24 15:00 -------- d-----w- c:\documents and settings\Tarlton\Application Data\U3

2010-01-27 00:21 . 2009-11-02 19:51 -------- d-----w- c:\documents and settings\Faz\Application Data\uTorrent

2010-01-20 11:13 . 2009-09-06 10:29 -------- d-----w- c:\program files\Microsoft Silverlight

2010-01-16 00:43 . 2009-11-26 11:01 -------- d-----w- c:\documents and settings\Faz\Application Data\U3

2010-01-07 00:36 . 2010-01-07 11:36 1417728 ----a-w- c:\windows\Internet Logs\xDB1.tmp

2010-01-06 19:15 . 2010-01-06 19:15 -------- d-----w- c:\documents and settings\Faz\Application Data\Canon

2010-01-06 18:09 . 2010-01-06 00:04 -------- d-----w- c:\program files\Canon

2010-01-06 00:04 . 2010-01-06 00:03 -------- d-----w- c:\program files\Common Files\Canon

2009-12-31 16:50 . 2001-08-23 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys

2009-12-24 21:56 . 2009-12-24 21:56 32256 ----a-w- c:\windows\Internet Logs\xDB13.tmp

2009-12-24 21:56 . 2009-12-24 21:56 1342976 ----a-w- c:\windows\Internet Logs\xDB14.tmp

2009-12-24 21:55 . 2009-12-24 21:55 4212 ---ha-w- c:\windows\system32\zllictbl.dat

2009-12-21 19:14 . 2001-08-23 12:00 916480 ----a-w- c:\windows\system32\wininet.dll

2009-12-16 18:43 . 2007-12-26 23:17 343040 ----a-w- c:\windows\system32\mspaint.exe

2009-12-14 07:08 . 2001-08-23 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll

2009-12-08 19:26 . 2001-08-23 12:00 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe

2009-12-08 18:43 . 2001-08-17 13:48 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe

2009-12-04 18:22 . 2001-08-23 12:00 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2009-11-23 19:54 . 2009-10-22 17:43 7440416 --sha-w- c:\windows\system32\drivers\fidbox.dat

2009-11-23 19:54 . 2009-10-22 17:43 406304 --sha-w- c:\windows\system32\drivers\fidbox2.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMan"="SOUNDMAN.EXE" [2005-03-02 90112]

"AlcWzrd"="ALCWZRD.EXE" [2005-03-04 2803712]

"ATIPTA"="c:\ati-cpanel\atiptaxx.exe" [2005-02-22 339968]

"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-11-23 20:04 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]

2008-04-14 00:12 110592 ------w- c:\windows\system32\bthprops.cpl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]

2005-01-07 17:07 61952 ------w- c:\windows\system32\HdAShCut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]

2009-07-26 16:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]

2009-03-05 16:07 2260480 ------w- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2007-07-12 04:00 132496 ----a-w- c:\program files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]

2006-11-03 19:20 866584 ----a-w- c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"SSScsiSV"=3 (0x3)

"SPTISRV"=3 (0x3)

"mnmsrvc"=3 (0x3)

"LmHosts"=2 (0x2)

"Lavasoft Ad-Aware Service"=2 (0x2)

"ImapiService"=3 (0x3)

"Ati HotKey Poller"=2 (0x2)

"a2free"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [19/02/2010 20:16 64288]

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [26/02/2010 15:55 28552]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [23/11/2009 20:04 333192]

R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [23/11/2009 20:04 360584]

R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [23/11/2009 20:03 285392]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [24/09/2009 11:17 1181328]

S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 19:19 13592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

.

Contents of the 'Scheduled Tasks' folder

2010-02-27 c:\windows\Tasks\Ad-Aware Update (Daily 1).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 20:17]

2010-02-27 c:\windows\Tasks\Ad-Aware Update (Daily 2).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 20:17]

2010-02-27 c:\windows\Tasks\Ad-Aware Update (Daily 3).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 20:17]

2010-02-27 c:\windows\Tasks\Ad-Aware Update (Daily 4).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 20:17]

2010-02-27 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 20:17]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.co.uk/

uInternet Settings,ProxyOverride = 127.0.0.1

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab

FF - ProfilePath - c:\documents and settings\Tarlton\Application Data\Mozilla\Firefox\Profiles\jw606ble.default\

FF - prefs.js: browser.startup.homepage - www.google.co.uk

FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll

.

- - - - ORPHANS REMOVED - - - -

MSConfigStartUp--FreedomNeedsReboot - c:\program files\Virgin Broadband\PCguard\ZkRunOnceR.exe

MSConfigStartUp-LogitechVideoTray - c:\program files\Logitech\Video\LogiTray.exe

MSConfigStartUp-Workflow - D:\Workflow.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-02-27 21:30

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(696)

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2144)

c:\windows\system32\WININET.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\IEFRAME.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\AVG\AVG9\avgchsvx.exe

c:\program files\AVG\AVG9\avgrsx.exe

c:\program files\AVG\AVG9\avgcsrvx.exe

c:\program files\AVG\AVG9\avgnsx.exe

c:\windows\System32\wbem\unsecapp.exe

c:\windows\system32\wscntfy.exe

c:\program files\Lavasoft\Ad-Aware\AAWTray.exe

c:\windows\SOUNDMAN.EXE

c:\windows\ALCWZRD.EXE

.

**************************************************************************

.

Completion time: 2010-02-27 21:40:36 - machine was rebooted

ComboFix-quarantined-files.txt 2010-02-27 21:40

Pre-Run: 101,620,260,864 bytes free

Post-Run: 101,705,302,016 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 8BA610E6697D7EACFCF33399FA07D649

Link to post
Share on other sites

Hello , and sorry for the delay. Somehow I thought I already replied :)

You had a nasty rootkit. Its gone now, but please consider the following information first...

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advice you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

UPDATE JAVA

------------------

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:

  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 18.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.

Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.

  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u18-windows-i586.exe to install the newest version.

-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.

-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.

-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.

Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

MALWAREBYTES ANTIMALWARE

-------------------------------------------

Please launch MBAM and update the program before performing a scan.

  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.

On the Scanner tab:

  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.

Back at the main Scanner screen:

  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.

Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

In your next reply, please include the following:

  • MBAM log

Link to post
Share on other sites

Thank you for the reply. I'll be changing my passwords as soon as possible.

I'll also be looking to reinstall my OS after I have backed up my files. (photos etc).

In the meantime I have updated my Java to update 18 (it was at update 2! :) ) and I have run a further MBAM scan, in which it found 10 backdoor bots.

Below is my log.

Malwarebytes' Anti-Malware 1.44

Database version: 3807

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

28/02/2010 17:05:10

mbam-log-2010-02-28 (17-05-10).txt

Scan type: Quick Scan

Objects scanned: 124708

Time elapsed: 4 minute(s), 22 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 10

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Link to post
Share on other sites

Now thats looking a lot better already :)

How are things running now?

ESET ONLINE SCANNER

----------------------------

I'd like us to scan your machine with ESET OnlineScan

  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the esetOnline.png button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

    1. Click on esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the esetSmartInstallDesktopIcon.png icon on your desktop.

    3. Check esetAcceptTerms.png
    4. Click the esetStart.png button.
    5. Accept any security warnings from your browser.
    6. Check esetScanArchives.png
    7. Push the Start button.
    8. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    9. When the scan completes, push esetListThreats.png
    10. Push esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
      Note - when ESET doesn't find any threats, no report will be created.
    11. Push the esetBack.png button.
    12. Push esetFinish.png

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.