
MBAM won't run; GMER . . . reboots



Hi,

My wife's computer has a malware attack. Google search links get hijacked to bogus destinations on the first clicks; sometimes go to correct destination on second or third click. McAfee VirusScan Enterprise 8.0 can't update, but will run and report no viruses (based on the old definitions). Malwarebytes starts to run but exits a few seconds after launching - no error message or anything, it just goes away. I followed the instructions for disabling the CD emulator drivers with Defogger - that seemed to work. I was able to run DDS and have attached the logs, but then I tried running the GMER and my system reboots before the scan completes (and no log file remains on my disk).

Any help is GREATLY appreciated. I'm really in the doghouse this week since my wife's car died leaving her stranded (on the way to a doctor appointment), and our septic pump died last night (meaning no showers or flushing!). So having her computer out of commission now is kinda my 3rd strike! :(

Thanks,

Ken

DDS.txt

DDS (Ver_09-12-01.01) - NTFSx86

Run by Tammi at 21:05:42.84 on Mon 03/15/2010

Internet Explorer: 7.0.5730.13

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1280.298 [GMT -5:00]

AV: System Defender *On-access scanning enabled* (Updated) {7DABE7D7-FEFE-4C27-8749-6981824480CD}

FW: System Defender *enabled* {3CD4113F-F68E-41D7-904C-4B9093B5E300}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

C:\Program Files\Network Associates\VirusScan\vstskmgr.exe

C:\WINDOWS\System32\mfsyncsv.exe

C:\Program Files\MozyHome\mozybackup.exe

C:\WINDOWS\system32\IoctlSvc.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

C:\Program Files\WebDrive\wdService.exe

C:\Program Files\UltraVNC\winvnc.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\ScanSoft\OmniPagePro12.0\Opware12.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

C:\Program Files\Logitech\iTouch\iTouch.exe

C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE

C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe

C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE

C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe

C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe

C:\FA-950\BIN\Klslink.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\MozyHome\mozystat.exe

C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe

C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqgalry.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

C:\Program Files\Java\jre6\bin\jucheck.exe

C:\Program Files\Network Associates\VirusScan\mcconsol.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

C:\Kits\SpyWareCheckers\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/webhp?sourceid=navclient&ie=UTF-8

uWindow Title = Microsoft Internet Explorer provided by GTE

uSEARCH PAGE = hxxp://www.google.com

uDefault_Search_Url = hxxp://www.google.com/ie

uSearch Bar = hxxp://www.google.com/ie

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = 127.0.0.1;localhost;*.local

uCustomizeSearch = about:blank

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mSearchAssistant = hxxp://www.google.com/ie

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn1\yt.dll

BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn1\yt.dll

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll

BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn1\yt.dll

TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File

EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

uRun: [LDM] c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe

uRun: [PDFSaver] c:\program files\pdf-xchange 2.5\PDFSaver.exe

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [Yahoo! Pager] "c:\progra~1\yahoo!\messen~1\YAHOOM~1.EXE" -quiet

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

uRun: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"

mRun: [AtiPTA] maybe-delete-this-atiptaxx.exe

mRun: [C-Media Mixer] Mixer.exe /startup

mRun: [Opware12] "c:\program files\scansoft\omnipagepro12.0\Opware12.exe"

mRun: [share-to-Web Namespace Daemon] c:\program files\hewlett-packard\hp share-to-web\hpgs2wnd.exe

mRun: [zBrowser Launcher] c:\program files\logitech\itouch\iTouch.exe

mRun: [EM_EXEC] c:\progra~1\logitech\mousew~1\system\EM_EXEC.EXE

mRun: [RoxioEngineUtility] "c:\program files\common files\roxio shared\system\EngUtil.exe"

mRun: [RoxioDragToDisc] "c:\program files\roxio\easy cd creator 6\dragtodisc\DrgToDsc.exe"

mRun: [RoxioAudioCentral] "c:\program files\roxio\easy cd creator 6\audiocentral\RxMon.exe"

mRun: [<NO NAME>]

mRun: [HP Software Update] c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe

mRun: [sSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot

mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe"

mRun: [indexSearch] "c:\program files\scansoft\paperport\IndexSearch.exe"

mRun: [shStatEXE] "c:\program files\network associates\virusscan\SHSTAT.EXE" /STANDALONE

mRun: [McAfeeUpdaterUI] "c:\program files\network associates\common framework\UpdaterUI.exe" /StartedFromRunKey

mRun: [WinVNC] "c:\program files\ultravnc\winvnc.exe" -servicehelper

mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe

mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe

mRun: [ATT-SST_UninstallTracking] c:\docume~1\tammi\locals~1\temp\InstallHelper.exe /uninstalltrackingvendor=ATT-SST

mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

dRunOnce: [RunNarrator] Narrator.exe

dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\fa-950.lnk - c:\fa-950\bin\Klslink.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpqtra08.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpqthb08.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mozyho~1.lnk - c:\program files\mozyhome\mozystat.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\tablet~1.lnk - c:\program files\gtco calcomp\tabletworks\TWCP.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ymetray.lnk - c:\program files\yahoo!\yahoo! music jukebox\ymetray.exe

mPolicies-system: DisableStatusMessages = 1 (0x1)

IE: &Search

IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm

IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm

IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm

IE: {d9288080-1baa-4bc4-9cf8-a92d743db949}

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\program files\yahoo!\messenger\YahooMessenger.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {10101010-1010-1111-1010-101010101011} - mhtml:c:\\WINX.MHT!http://216.240.137.41/counter/ie.exe

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - hxxp://download.ebay.com/turbo_lister/US/install.cab

DPF: {6054D082-355D-4B47-B77C-36A778899F48} - hxxp://qmedia.xlontech.net/100348/qm/latest/qsp2ieFull06061501.cab

DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab

DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37873.940150463

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll

Notify: AtiExtEvent - Ati2evxx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

IFEO: image file execution options - svchost.exe

IFEO: brastk.exe - svchost.exe

Hosts: 192.168.1.254 sbc_gateway # Firewall / router to WAN (SBC DSL)

Hosts: 192.168.1.155 HP000D9D22EA65

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-4-8 64288]

R0 mrfoldr;MirrorFolder real-time replication driver;c:\windows\system32\drivers\mrfoldr.sys [2004-7-19 53632]

R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2007-1-16 58464]

R1 WebDriveFSD;WebDrive File System Driver;c:\program files\webdrive\rffsd.sys [2002-9-7 67204]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 1181328]

R2 McAfeeFramework;McAfee Framework Service;c:\program files\network associates\common framework\FrameworkService.exe [2007-1-16 102463]

R2 McTaskManager;Network Associates Task Manager;c:\program files\network associates\virusscan\vstskmgr.exe [2004-9-22 28672]

R2 mfsyncsv;MirrorFolder auto-synchronization service;c:\windows\system32\mfsyncsv.exe [2004-7-19 98304]

R3 Klsmpad;Klsmpad Device;c:\windows\system32\drivers\Klsmpad.sys [2004-2-27 24142]

S2 gupdate1c9e4a13256cfec;Google Update Service (gupdate1c9e4a13256cfec);c:\program files\google\update\GoogleUpdate.exe [2009-6-3 133104]

S3 ctlsb16;Creative SB16/AWE32/AWE64 Driver (WDM);c:\windows\system32\drivers\ctlsb16.sys [2002-8-29 96256]

S3 DCamUSBOvt;Intel Play Me2Cam;c:\windows\system32\drivers\Me2Cam.sys [2005-5-21 72556]

S3 EL59X;3Com Fast EtherLink 59x Adapter Driver;c:\windows\system32\drivers\el59x.sys --> c:\windows\system32\drivers\el59x.sys [?]

S3 McShield;Network Associates McShield;c:\program files\network associates\virusscan\mcshield.exe [2004-9-22 221191]

S3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2007-1-16 108480]

S3 scsiscan;SCSI Scanner Driver;c:\windows\system32\drivers\scsiscan.sys --> c:\windows\system32\drivers\scsiscan.sys [?]

S3 WBMSA;Winbond Memory Stick Storage (MS) Device Driver - A;c:\windows\system32\drivers\wbmsa.sys [2002-9-17 24214]

S4 RFNP32;WebDrive Provider; [x]

=============== Created Last 30 ================

2793-06-26 23:20:07 3120 -c--a-w- c:\windows\MF_C421.lfa

2793-06-26 23:20:07 3120 -c--a-w- c:\windows\MF_C420.lfa

2010-03-16 01:03:41 0 ----a-w- c:\documents and settings\tammi\defogger_reenable

2010-03-12 15:18:24 0 d-----w- c:\docume~1\tammi\applic~1\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1

==================== Find3M ====================

2010-01-27 10:14:31 15880 ----a-w- c:\windows\system32\lsdelete.exe

2010-01-05 10:00:29 832512 ----a-w- c:\windows\system32\wininet.dll

2010-01-05 10:00:21 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-01-05 10:00:20 17408 ------w- c:\windows\system32\corpol.dll

2009-12-16 12:58:04 343040 ----a-w- c:\windows\system32\mspaint.exe

2008-06-18 03:33:12 0 -c--a-w- c:\program files\temp01

2005-11-15 01:45:33 774144 -c--a-w- c:\program files\RngInterstitial.dll

============= FINISH: 21:07:20.28 ===============

Attach.txt

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskDmVolumes\Arriva2Dg0\Volume1

Install Date: 5/22/2005 7:48:00 PM

System Uptime: 3/15/2010 8:37:28 PM (1 hours ago)

Motherboard: ASUSTeK Computer INC. | | P4S533

Processor: Intel

Edited by Maurice Naggar
2 log reports place In-line
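The DDS report above carries several entries a helper would look at before anything else: two IFEO lines (a Debugger value under Image File Execution Options makes Windows start the named debugger, here svchost.exe, instead of the image it is keyed on), a DPF entry that loads an ActiveX package through an mhtml: wrapper from a bare IP address, and an AV/FW product ("System Defender") registered with Security Center while the poster says McAfee VirusScan is what is installed. The script below is an added example, not part of DDS, the forum post or any helper's toolkit: it runs a small set of triage rules over DDS-style lines and returns the flagged ones. The rules, severities and finding names are my own assumptions about what merits a second look; the sample input is copied from the DDS.txt above with the process list cut down to two paths.

```python
"""Triage of a DDS 'Pseudo HJT Report'.

Added example: this is not DDS code, not part of the forum post, and not a
Malwarebytes tool.  It reads the plain-text lines DDS prints and applies a
few rules for the entry types that stand out in the report above.  The rule
set, the severities and the finding names are assumptions about what is
worth a second look; it is a triage aid, not a verdict on any file.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Sample input: lines copied from the DDS.txt in the post above (the
# running-process list is cut down to two paths).
SAMPLE_DDS = r"""C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
AV: System Defender *On-access scanning enabled* (Updated) {7DABE7D7-FEFE-4C27-8749-6981824480CD}
FW: System Defender *enabled* {3CD4113F-F68E-41D7-904C-4B9093B5E300}
uInternet Settings,ProxyOverride = 127.0.0.1;localhost;*.local
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
DPF: {10101010-1010-1111-1010-101010101011} - mhtml:c:\\WINX.MHT!http://216.240.137.41/counter/ie.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
IFEO: image file execution options - svchost.exe
IFEO: brastk.exe - svchost.exe
Hosts: 192.168.1.254 sbc_gateway # Firewall / router to WAN (SBC DSL)
"""


@dataclass(frozen=True)
class Finding:
    severity: str   # "high", "medium" or "low"
    kind: str       # short rule name
    reason: str     # why the line was flagged
    line: str       # the DDS line as printed


# Entry shapes as DDS prints them.  IFEO lines read "IFEO: <image> - <debugger>":
# the Debugger value under HKLM\...\Image File Execution Options\<image> makes
# Windows start <debugger> instead of <image>.
IFEO_RE = re.compile(r"^IFEO:\s*(?P<image>.+?)\s+-\s+(?P<debugger>\S+)\s*$", re.I)
DPF_RE = re.compile(r"^DPF:\s*\{[0-9A-Fa-f-]+\}\s+-\s+(?P<src>\S+)", re.I)
SECCENTER_RE = re.compile(r"^(?P<cls>AV|AS|FW):\s*(?P<product>.+?)\s+\*", re.I)
URL_HOST_RE = re.compile(r"h(?:xx|tt)ps?://(?P<host>[^/:\s]+)", re.I)  # DDS defangs http as hxxp
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
PROCESS_RE = re.compile(r"^[A-Za-z]:\\.+\.exe(\s|$)", re.I)


def triage(report: str) -> List[Finding]:
    lines = [ln.strip() for ln in report.splitlines() if ln.strip()]
    # Running-process paths, used to sanity-check what Security Center claims.
    procs = [ln.lower() for ln in lines if PROCESS_RE.match(ln)]
    findings: List[Finding] = []
    for ln in lines:
        m = IFEO_RE.match(ln)
        if m:
            findings.append(Finding(
                "high", "ifeo-debugger",
                f"every launch of {m['image']!r} is redirected to {m['debugger']!r} by an IFEO Debugger value",
                ln))
            continue
        m = DPF_RE.match(ln)
        if m:
            src = m["src"]
            reasons = []
            if src.lower().startswith("mhtml:"):
                reasons.append("ActiveX package pulled through an mhtml: wrapper")
            host = URL_HOST_RE.search(src)
            if host and IPV4_RE.match(host["host"]):
                reasons.append(f"download host is a bare IP address ({host['host']})")
            if reasons:
                findings.append(Finding("high", "dpf-suspicious", "; ".join(reasons), ln))
            continue
        m = SECCENTER_RE.match(ln)
        if m:
            product = m["product"].strip()
            # Heuristic: a product registered with Security Center should show up
            # somewhere in the process list.  "System Defender" does not, while
            # the poster says McAfee VirusScan is what is installed.
            if not any(product.lower() in p for p in procs):
                findings.append(Finding(
                    "medium", "seccenter-unbacked",
                    f"{m['cls'].upper()} product {product!r} is registered with Security Center "
                    "but no running process path mentions it; confirm it is really installed",
                    ln))
            continue
        if ln.endswith("- No File"):
            findings.append(Finding("low", "orphan",
                                    "entry points at a file that is no longer on disk", ln))
    return findings


def counts(findings: List[Finding]) -> Dict[str, int]:
    """Findings per severity, for a one-line summary."""
    totals = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        totals[f.severity] += 1
    return totals


if __name__ == "__main__":
    results = triage(SAMPLE_DDS)
    for f in sorted(results, key=lambda f: ("high", "medium", "low").index(f.severity)):
        print(f"[{f.severity:6}] {f.kind:19} {f.reason}\n          {f.line}")
    print(counts(results))
```

On the sample this yields three high findings (both IFEO lines and the mhtml:/bare-IP DPF entry), two medium ones (the AV and FW registrations of "System Defender" with no process to back them) and two low orphan entries; the Java DPF and the Hosts line pass. The Security Center check is deliberately coarse: it only says "verify", which is what a helper does next by comparing the registration against the services and processes DDS lists.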

Hello Ken,

You had 2 earlier (duplicate) posts. I have deleted those.

Do not use the attachment feature to place any of your reports. Always put them in-line inside the body of reply.

Do as much as possible of the following. I also need for you to tell whether the redirects happen in Firefox or Internet Explorer or both !!

BY the way, do NOT do any websurfing nor any web searches while we hunt for malware.

Only go to this forum and the websites I guide you to.

You will want to print out or copy these instructions to Notepad for offline reference!

If you are a casual viewer, do NOT try this on your system!

If you are not Ken42 and have a similar problem, do NOT post here; start your own topic

Do not run or start any other programs while these utilities and tools are in use!

Do NOT run any other tools on your own or do any fixes other than what is listed here.

If you have questions, please ask before you do something on your own.

But it is important that you get going on these following steps.

=

Close any of your open programs while you run these tools.

Step 1

1. Go >> Here << and download ERUNT

(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)

2. Install ERUNT by following the prompts

(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)

3. Start ERUNT

(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)

4. Choose a location for the backup

(the default location is C:\WINDOWS\ERDNT which is acceptable).

5. Make sure that at least the first two check boxes are ticked

6. Press OK

7. Press YES to create the folder.

Step 2

Set Windows to show all files and all folders.

On your Desktop, double click My Computer, from the menu options, select tools, then Folder Options, and then select VIEW Tab and look at all of settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under column, Hidden files and folders----choose ( *select* ) Show hidden files and folders.

Next, un-check Hide extensions for known file types.

Next un-check Hide protected operating system files.

Next: Download The Avenger by Swandog46 from here.

  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below textbox to the clipboard by highlighting it and then pressing Ctrl+C.
    Files to delete:
    C:\Windows\System32\brastk.exe


  • In the Avenger window, click the Paste Script from Clipboard button.
  • Make sure that what appears in Avenger matches exactly what you were asked to copy/paste from the code box above.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
  • After your PC has completed the necessary reboots, a log should automatically open. Please copy/paste the contents of c:\avenger.txt into your next reply.

Step 3

Download TFC by OldTimer to your desktop

  • Please double-click TFC.exe to run it. (Note: If you are running on Vista or Windows 7, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • IF prompted to Reboot, reply "Yes".

Step 4

Download & SAVE OTL by OldTimer to your desktop: http://oldtimer.geekstogo.com/OTL.com

  • Close all open windows on the Task Bar. Click the icon (for Vista, right click the icon and Run as Administrator) to start the program.
  • In the lower right corner of the Top Panel, checkmark "LOP Check" and checkmark "Purity Check".
  • Now click Run Scan at Top left and let the program run uninterrupted. It will take about 4 minutes.
  • It will produce two logs for you, one will pop up called OTL.txt, the other will be saved on your desktop and called Extras.txt.
  • Exit Notepad. Remember where you've saved these 2 files as we will need both of them shortly!
  • Exit OTL by clicking the X at top right.

Download Security Check by screen317 and save it to your Desktop: here or here

  • Run Security Check
  • Follow the onscreen instructions inside of the command window.
  • A Notepad document should open automatically called checkup.txt; close Notepad. We will need this log, too, so remember where you've saved it!

If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE access the Internet, allow it to do so.

Step 5

Please download Rooter.exe and save to your desktop.

alternate download link

  • Double-click on Rooter.exe to start the tool. If using Vista, right-click and Run as Administrator...
  • Click the Scan button to begin.
  • Once the scan is complete, Notepad will open with a report named Rooter_#.txt (where # is the number assigned to the report).
  • A folder will be created at the %systemdrive% (usually, C:\Rooter$) where the log will be saved.
  • Rooter will automatically close. If it doesn't, just press the Close button.
  • Copy and paste the contents of Rooter_#.txt in your next reply.

Important: Before performing a scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.

  • Disconnect from the Internet or physically unplug your Internet cable connection.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.

Then copy/paste the following into your post (in order):

  • c:\avenger.txt
  • the contents of OTL.txt
  • the contents of Extras.txt
  • the contents of checkup.txt
  • the contents of Rooter log

Be sure to do a Preview prior to pressing Submit because all reports may not fit into 1 single reply. You may have to do more than 1 reply.

Do not use the attachment feature to place any of your reports. Always put them in-line inside the body of reply.


Hi Maurice,

Thanks for the detailed instructions! I followed them exactly, but I noticed that while Security Check (screen317) was in the "Preparing" phase, I got an error window saying "Objlist.exe has encountered a problem and needs to close. . . ." So I don't know if it did anything useful. Below is the output of the scans in the order requested.

I don't know if the redirects would happen in Firefox (not installed on my wife's computer), but the redirects DO happen in Chrome as well as IE 7.

Thanks,

Ken

- - - - - - - - - - - - - - - - - - - -

>>>>>>>>>>>>>>>>>>>> avenger.txt . . . <<<<<<<<<<<<<<<<<<<<

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

No rootkits found!

Error: file "C:\Windows\System32\brastk.exe" not found!

Deletion of file "C:\Windows\System32\brastk.exe" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Completed script processing.

*******************

Finished! Terminate.

>>>>>>>>>>>>>>>>>>>> OTL.txt . . . <<<<<<<<<<<<<<<<<<<<

OTL logfile created on: 3/16/2010 12:37:11 PM - Run 1

OTL by OldTimer - Version 3.1.37.2 Folder = C:\Kits\SpyWareCheckers

Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 7.0.5730.13)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.00 Gb Total Physical Memory | 0.00 Gb Available Physical Memory | 28.00% Memory free

4.00 Gb Paging File | 4.00 Gb Available in Paging File | 86.00% Paging File free

Paging file location(s): C:\pagefile.sys 3200 3200 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 78.13 Gb Total Space | 17.57 Gb Free Space | 22.49% Space Free | Partition Type: NTFS

Drive D: | 78.13 Gb Total Space | 8.34 Gb Free Space | 10.68% Space Free | Partition Type: NTFS

E: Drive not present or media not loaded

Drive F: | 77.50 Gb Total Space | 66.84 Gb Free Space | 86.25% Space Free | Partition Type: NTFS

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: ARRIVA2

Current User Name: Tammi

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/03/16 12:35:12 | 000,556,032 | ---- | M] (OldTimer Tools) -- C:\Kits\SpyWareCheckers\OTL.com

PRC - [2010/02/04 17:14:16 | 001,181,328 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

PRC - [2010/01/27 05:14:22 | 000,788,880 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

PRC - [2010/01/04 12:36:28 | 002,893,624 | ---- | M] (Mozy, Inc.) -- C:\Program Files\MozyHome\mozystat.exe

PRC - [2009/07/25 05:23:22 | 000,386,872 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jucheck.exe

PRC - [2008/02/05 15:29:20 | 000,054,512 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe

PRC - [2008/01/22 11:13:32 | 001,201,448 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe

PRC - [2008/01/22 11:13:20 | 000,152,872 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

PRC - [2007/06/14 12:08:09 | 000,068,856 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

PRC - [2007/06/13 05:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe

PRC - [2007/03/23 16:40:41 | 000,067,128 | ---- | M] (Logitech Inc.) -- C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

PRC - [2007/01/18 19:04:04 | 000,067,056 | ---- | M] (Ulead Systems, Inc.) -- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

PRC - [2006/08/11 11:15:36 | 000,200,704 | ---- | M] (InterVideo Inc.) -- C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe

PRC - [2006/05/05 12:18:54 | 000,036,864 | ---- | M] (ScanSoft, Inc.) -- C:\Program Files\Scansoft\PaperPort\pptd40nt.exe

PRC - [2005/08/06 20:45:14 | 000,974,848 | ---- | M] (UltraVNC) -- C:\Program Files\UltraVNC\winvnc.exe

PRC - [2005/02/16 23:11:42 | 000,049,152 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe

PRC - [2004/11/28 00:01:40 | 000,319,488 | ---- | M] (Roxio, Inc.) -- C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe

PRC - [2004/11/28 00:01:38 | 000,118,784 | ---- | M] (Roxio, Inc.) -- C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe

PRC - [2004/11/04 19:36:46 | 000,425,984 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqgalry.exe

PRC - [2004/11/04 19:28:24 | 000,258,048 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe

PRC - [2004/09/22 21:00:00 | 000,094,208 | ---- | M] (Network Associates, Inc.) -- C:\Program Files\Network Associates\VirusScan\shstat.exe

PRC - [2004/09/22 21:00:00 | 000,028,672 | ---- | M] (Network Associates, Inc.) -- C:\Program Files\Network Associates\VirusScan\vstskmgr.exe

PRC - [2004/08/06 04:50:00 | 000,237,623 | ---- | M] (Network Associates, Inc.) -- C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe

PRC - [2004/08/06 04:50:00 | 000,139,320 | ---- | M] (Network Associates, Inc.) -- C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe

PRC - [2004/08/06 04:50:00 | 000,102,463 | ---- | M] (Network Associates, Inc.) -- C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

PRC - [2004/07/19 19:05:04 | 000,098,304 | ---- | M] (Techsoft Pvt. Ltd.) -- C:\WINDOWS\system32\mfsyncsv.exe

PRC - [2004/03/18 09:33:26 | 000,892,928 | ---- | M] (Logitech Inc.) -- C:\Program Files\Logitech\iTouch\iTouch.exe

PRC - [2002/08/01 05:49:54 | 000,049,152 | ---- | M] (ScanSoft, Inc.) -- C:\Program Files\Scansoft\OmniPagePro12.0\opware12.exe

PRC - [2002/07/09 11:50:00 | 000,028,672 | ---- | M] (Logitech Inc. ) -- C:\Program Files\Logitech\MouseWare\system\EM_EXEC.EXE

PRC - [2002/04/17 12:49:16 | 000,077,824 | ---- | M] () -- C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe

PRC - [2002/04/17 12:42:56 | 000,069,632 | ---- | M] (Hewlett-Packard) -- C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

PRC - [2001/09/26 19:31:34 | 000,094,208 | ---- | M] () -- C:\Program Files\WebDrive\wdService.exe

PRC - [2000/07/05 15:00:00 | 000,065,536 | ---- | M] (CASIO COMPUTER CO., LTD.) -- C:\FA-950\BIN\Klslink.exe

========== Modules (SafeList) ==========

MOD - [2010/03/16 12:35:12 | 000,556,032 | ---- | M] (OldTimer Tools) -- C:\Kits\SpyWareCheckers\OTL.com

MOD - [2006/08/25 10:45:55 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll

MOD - [2004/08/04 02:56:44 | 001,028,096 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\mfc42.dll

MOD - [2004/03/18 11:26:48 | 000,114,688 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\Logitech\Scrolling\LGMSGHK.DLL

MOD - [2004/03/18 09:26:50 | 000,004,608 | ---- | M] (Logitech Inc.) -- C:\Program Files\Logitech\iTouch\itchhk.dll

MOD - [2002/08/01 05:49:34 | 000,159,744 | ---- | M] (ScanSoft, Inc.) -- C:\Program Files\Scansoft\OmniPagePro12.0\ophook12.dll

MOD - [2002/07/09 11:50:00 | 000,024,576 | ---- | M] (Logitech Inc. ) -- C:\Program Files\Logitech\MouseWare\system\LGMOUSHK.DLL

MOD - [2000/07/05 15:00:00 | 000,028,672 | ---- | M] (CASIO COMPUTER CO., LTD.) -- C:\FA-950\BIN\Syshook.dll

========== Win32 Services (SafeList) ==========

SRV - [2010/02/04 17:14:16 | 001,181,328 | ---- | M] (Lavasoft) [Auto | Running] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)

SRV - [2007/01/18 19:04:04 | 000,067,056 | ---- | M] (Ulead Systems, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe -- (UleadBurningHelper)

SRV - [2006/09/14 08:56:06 | 000,102,400 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe -- (AdobeActiveFileMonitor5.0)

SRV - [2006/08/11 11:15:36 | 000,200,704 | ---- | M] (InterVideo Inc.) [Auto | Running] -- C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe -- (Capture Device Service)

SRV - [2006/01/05 00:06:02 | 000,163,840 | ---- | M] (Alex Feinman) [On_Demand | Stopped] -- C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe -- (Imapi Helper)

SRV - [2005/11/14 02:06:04 | 000,069,632 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe -- (IDriverT)

SRV - [2005/08/06 20:45:14 | 000,974,848 | ---- | M] (UltraVNC) [Auto | Running] -- C:\Program Files\UltraVNC\winvnc.exe -- (winvnc)

SRV - [2004/09/22 21:00:00 | 000,221,191 | ---- | M] (Network Associates, Inc.) [On_Demand | Stopped] -- C:\Program Files\Network Associates\VirusScan\mcshield.exe -- (McShield)

SRV - [2004/09/22 21:00:00 | 000,028,672 | ---- | M] (Network Associates, Inc.) [Auto | Running] -- C:\Program Files\Network Associates\VirusScan\vstskmgr.exe -- (McTaskManager)

SRV - [2004/08/06 04:50:00 | 000,102,463 | ---- | M] (Network Associates, Inc.) [Auto | Running] -- C:\Program Files\Network Associates\Common Framework\FrameworkService.exe -- (McAfeeFramework)

SRV - [2004/07/19 19:05:04 | 000,098,304 | ---- | M] (Techsoft Pvt. Ltd.) [Auto | Running] -- C:\WINDOWS\system32\mfsyncsv.exe -- (mfsyncsv)

SRV - [2003/03/31 07:00:00 | 000,019,456 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\tcpsvcs.exe -- (LPDSVC)

SRV - [2001/09/26 19:31:34 | 000,094,208 | ---- | M] () [Auto | Running] -- C:\Program Files\WebDrive\wdService.exe -- (WebDriveService)

========== Driver Services (SafeList) ==========

DRV - [2009/09/23 07:55:23 | 000,064,288 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\Lbd.sys -- (Lbd)

DRV - [2007/06/20 03:00:00 | 000,009,072 | ---- | M] (Sonic Solutions) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\cdr4_xp.sys -- (Cdr4_xp)

DRV - [2006/02/21 21:46:26 | 001,505,792 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)

DRV - [2005/02/10 21:00:00 | 000,058,464 | ---- | M] (Network Associates, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mvstdi5x.sys -- (NaiAvTdi1)

DRV - [2005/01/14 21:00:00 | 000,108,480 | ---- | M] (Network Associates, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\naiavf5x.sys -- (NaiAvFilter1)

DRV - [2005/01/14 21:00:00 | 000,008,320 | ---- | M] (Network Associates, Inc) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\entdrv51.sys -- (EntDrv51)

DRV - [2004/11/28 00:01:53 | 000,213,120 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\UdfReadr_xp.sys -- (UdfReadr_xp)

DRV - [2004/11/28 00:01:53 | 000,118,409 | ---- | M] (Roxio) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\pwd_2K.sys -- (pwd_2k)

DRV - [2004/11/28 00:01:52 | 000,260,224 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\Cdudf_xp.sys -- (cdudf_xp)

DRV - [2004/11/28 00:01:52 | 000,022,777 | ---- | M] (Roxio) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Mmc_2k.sys -- (mmc_2K)

DRV - [2004/11/28 00:01:52 | 000,021,993 | ---- | M] (Roxio) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Dvd_2k.sys -- (dvd_2K)

DRV - [2004/10/07 20:16:04 | 000,035,840 | ---- | M] (Oak Technology Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AFS2K.SYS -- (AFS2K)

DRV - [2004/08/04 01:08:22 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)

DRV - [2004/08/04 01:07:44 | 000,041,088 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\sisagp.sys -- (sisagp)

DRV - [2004/08/04 00:31:36 | 000,032,768 | ---- | M] (SiS Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sisnic.sys -- (SISNIC)

DRV - [2004/08/04 00:29:56 | 001,897,408 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)

DRV - [2004/07/19 19:05:04 | 000,053,632 | ---- | M] (Techsoft Pvt. Ltd.) [File_System | Boot | Running] -- C:\WINDOWS\System32\drivers\mrfoldr.sys -- (mrfoldr)

DRV - [2004/03/10 15:42:24 | 000,012,953 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\itchfltr.sys -- (itchfltr)

DRV - [2004/03/03 11:50:00 | 000,037,887 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Lhidusb.sys -- (LHidUsb)

DRV - [2004/03/03 11:50:00 | 000,014,095 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LCcfltr.sys -- (LCcfltr)

DRV - [2003/12/12 15:29:10 | 000,031,048 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\irstusb.sys -- (STIrUsb)

DRV - [2003/11/30 21:54:20 | 000,043,136 | R--- | M] (Prolific Technology Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ser2pl.sys -- (Ser2pl)

DRV - [2003/07/03 01:18:08 | 000,088,269 | R--- | M] (eMPIA Technology, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\emDevice.sys -- (DCamUSBEMPIA)

DRV - [2003/07/03 01:18:00 | 000,004,621 | R--- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\emScan.sys -- (ScanUSBEMPIA)

DRV - [2002/11/18 15:51:40 | 000,377,358 | ---- | M] (C-Media Inc) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\cmaudio.sys -- (cmpci) C-Media PCI Audio Driver (WDM)

DRV - [2002/09/06 00:15:23 | 000,022,585 | ---- | M] (Adaptec) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\cdralw2k.old -- (Cdralw2k)

DRV - [2002/07/09 04:50:00 | 000,070,382 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LMouFlt2.sys -- (LMouFlt2)

DRV - [2002/07/09 04:50:00 | 000,050,862 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\L8042Pr2.sys -- (l8042pr2)

DRV - [2002/07/09 04:50:00 | 000,023,854 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LHIDFLT2.SYS -- (LHidFlt2)

DRV - [2002/07/09 04:50:00 | 000,006,030 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LKbdFlt2.sys -- (LKbdFlt2)

DRV - [2002/03/26 14:43:34 | 000,006,016 | ---- | M] (NewTech Infosystems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\NTIDrvr.sys -- (NTIDrvr)

DRV - [2001/09/26 19:32:04 | 000,135,168 | ---- | M] (River Front Software) [File_System | Disabled | Stopped] -- C:\WINDOWS\system32\RFNP32.dll -- (RFNP32)

DRV - [2001/09/26 19:30:56 | 000,067,204 | ---- | M] () [File_System | System | Running] -- C:\Program Files\WebDrive\rffsd.sys -- (WebDriveFSD)

DRV - [2001/08/22 12:14:36 | 000,024,214 | R--- | M] (Winbond Electronics Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wbmsa.sys -- (WBMSA) Winbond Memory Stick Storage (MS)

DRV - [2001/08/17 07:50:26 | 000,731,648 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nv4.sys -- (nv4)

DRV - [2001/08/17 07:19:20 | 000,096,256 | ---- | M] (Copyright © Creative Technology Ltd. 1994-2001) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ctlsb16.sys -- (ctlsb16) Creative SB16/AWE32/AWE64 Driver (WDM)

DRV - [2000/07/05 08:00:00 | 000,024,142 | R--- | M] (CASIO COMPUTER CO.,LTD.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Klsmpad.sys -- (Klsmpad)

DRV - [2000/01/11 09:41:09 | 000,072,556 | R--- | M] (ViewQuest Technology Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Me2Cam.sys -- (DCamUSBOvt)

DRV - [1997/12/22 20:02:46 | 000,023,936 | ---- | M] (Adaptec) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\aspi32.sys -- (ASPI32)

DRV - [1997/04/22 12:16:00 | 000,006,272 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\ASLM75.SYS -- (aslm75)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default Font Size = 02 00 00 00 [binary data]

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_Url = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SEARCH PAGE = http://www.google.com

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerm...tf8&oe=utf8

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/webhp?sourceid=navclient&ie=UTF-8

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,Data = C3 17 11 E0 B2 A4 AC 29 3E F1 D7 B3 41 B1 F2 21 F8 FE DE 71 3C 18 BA 0A F9 AA 17 17 FE 78 [binary data]

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie

IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll (Yahoo! Inc.)

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1;localhost;*.local

O1 HOSTS File: ([2009/11/16 12:01:06 | 000,001,032 | RHS- | M]) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O1 - Hosts: 192.168.1.254 sbc_gateway # Firewall / router to WAN (SBC DSL)

O1 - Hosts:

O1 - Hosts: 192.168.1.155 HP000D9D22EA65

O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll (Yahoo! Inc.)

O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)

O2 - BHO: (Yahoo! IE Services Button) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)

O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)

O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll (Google Inc.)

O2 - BHO: (MSN Toolbar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll (Microsoft Corp.)

O3 - HKLM\..\Toolbar: (MSN Toolbar) - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll (Microsoft Corp.)

O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)

O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll (Yahoo! Inc.)

O3 - HKCU\..\Toolbar\ShellBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)

O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)

O3 - HKCU\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll (Yahoo! Inc.)

O4 - HKLM..\Run: [] File not found

O4 - HKLM..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe (Lavasoft)

O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe (Apple Inc.)

O4 - HKLM..\Run: [AtiPTA] File not found

O4 - HKLM..\Run: [ATT-SST_UninstallTracking] C:\DOCUME~1\Tammi\LOCALS~1\Temp\InstallHelper.exe File not found

O4 - HKLM..\Run: [C-Media Mixer] C:\WINDOWS\mixer.exe (C-Media Electronic Inc. (www.cmedia.com.tw))

O4 - HKLM..\Run: [EM_EXEC] C:\Program Files\Logitech\MouseWare\system\EM_EXEC.EXE (Logitech Inc. )

O4 - HKLM..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe (Hewlett-Packard Co.)

O4 - HKLM..\Run: [indexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe (ScanSoft, Inc.)

O4 - HKLM..\Run: [McAfeeUpdaterUI] C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe (Network Associates, Inc.)

O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe (Nero AG)

O4 - HKLM..\Run: [Opware12] C:\Program Files\ScanSoft\OmniPagePro12.0\Opware12.exe (ScanSoft, Inc.)

O4 - HKLM..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe (ScanSoft, Inc.)

O4 - HKLM..\Run: [RoxioAudioCentral] C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe (Roxio, Inc.)

O4 - HKLM..\Run: [RoxioDragToDisc] C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe (Roxio)

O4 - HKLM..\Run: [RoxioEngineUtility] C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe (Roxio)

O4 - HKLM..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe (Hewlett-Packard)

O4 - HKLM..\Run: [shStatEXE] C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE (Network Associates, Inc.)

O4 - HKLM..\Run: [sSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe (Scansoft, Inc.)

O4 - HKLM..\Run: [WinVNC] C:\Program Files\UltraVNC\winvnc.exe (UltraVNC)

O4 - HKLM..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe (Logitech Inc.)

O4 - HKCU..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe (Nero AG)

O4 - HKCU..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe (Logitech Inc.)

O4 - HKCU..\Run: [PDFSaver] C:\Program Files\PDF-XChange 2.5\pdfSaver.exe (Tracker Software Products)

O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)

O4 - HKCU..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe (Adobe Systems Incorporated)

O4 - HKCU..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\FA-950.lnk = C:\FA-950\BIN\Klslink.exe (CASIO COMPUTER CO., LTD.)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe (Hewlett-Packard Co.)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe (Logitech Inc.)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MozyHome Status.lnk = C:\Program Files\MozyHome\mozystat.exe (Mozy, Inc.)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\TabletWorks.lnk = C:\Program Files\GTCO CalComp\TabletWorks\TWCP.exe (GTCO CalComp, Inc.)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe (Yahoo! Inc.)

O4 - Startup: C:\Documents and Settings\Tammi\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: verbosestatus = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableStatusMessages = 1

O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: _NoDriveTypeAutoRun = 0

O8 - Extra context menu item: &Yahoo! Search - C:\Program Files\Yahoo!\Common [2007/09/21 12:05:09 | 000,000,000 | ---D | M]

O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)

O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll (Google Inc.)

O8 - Extra context menu item: Yahoo! &Dictionary - C:\Program Files\Yahoo!\Common [2007/09/21 12:05:09 | 000,000,000 | ---D | M]

O8 - Extra context menu item: Yahoo! &Maps - C:\Program Files\Yahoo!\Common [2007/09/21 12:05:09 | 000,000,000 | ---D | M]

O8 - Extra context menu item: Yahoo! &SMS - C:\Program Files\Yahoo!\Common [2007/09/21 12:05:09 | 000,000,000 | ---D | M]

O9 - Extra Button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)

O9 - Extra Button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - Reg Error: Value error. File not found

O9 - Extra Button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)

O9 - Extra 'Tools' menuitem : Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)

O15 - HKLM\..Trusted Domains: myspace.com ([]* in Internet)

O16 - DPF: {10101010-1010-1111-1010-101010101011} mhtml:C:\\WINX.MHT!http://216.240.137.41/counter/ie.exe (Reg Error: Key error.)

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)

O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} http://download.ebay.com/turbo_lister/US/install.cab (Reg Error: Key error.)

O16 - DPF: {6054D082-355D-4B47-B77C-36A778899F48} http://qmedia.xlontech.net/100348/qm/lates...ull06061501.cab (Reg Error: Key error.)

O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} http://download.divx.com/player/DivXBrowserPlugin.cab (DivXBrowserPlugin Object)

O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab (HP Download Manager)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} http://v4.windowsupdate.microsoft.com/CAB/...37873.940150463 (Reg Error: Key error.)

O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Reg Error: Key error.)

O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Reg Error: Key error.)

O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)

O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)

O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)

O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)

O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)

O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)

O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254

O18 - Protocol\Handler\bwfile-8876480 {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll (Logitech Inc.)

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)

O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp

O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp

O27 - HKLM IFEO\brastk.exe: Debugger - svchost.exe (Microsoft Corporation)

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2002/08/29 21:56:12 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O34 - HKLM BootExecute: (sprestrt) - C:\WINDOWS\System32\sprestrt.exe (Microsoft Corporation)

O34 - HKLM BootExecute: (sprestrt) - C:\WINDOWS\System32\sprestrt.exe (Microsoft Corporation)

O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/03/16 11:16:51 | 000,000,000 | ---D | C] -- C:\Avenger

[2010/03/16 10:59:32 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT

[2010/03/16 10:56:22 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT

[2010/03/12 10:18:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tammi\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1

[2010/03/12 10:14:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9 Installer

[2010/03/12 10:13:28 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe AIR

[2010/03/12 10:10:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NOS

[2009/06/12 03:09:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google

[2006/12/11 16:19:47 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft

[2006/03/11 04:00:32 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft

[2005/11/14 20:45:45 | 000,774,144 | ---- | C] (RealNetworks, Inc.) -- C:\Program Files\RngInterstitial.dll

[2005/03/03 15:08:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft

[2002/08/29 22:04:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft

[2 C:\Documents and Settings\Tammi\My Documents\*.tmp files -> C:\Documents and Settings\Tammi\My Documents\*.tmp -> ]

[1 C:\Documents and Settings\Tammi\*.tmp files -> C:\Documents and Settings\Tammi\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2793/06/26 18:20:07 | 000,003,120 | ---- | M] () -- C:\WINDOWS\MF_C421.lfa

[2793/06/26 18:20:07 | 000,003,120 | ---- | M] () -- C:\WINDOWS\MF_C420.lfa

[2010/03/16 12:34:46 | 000,000,211 | ---- | M] () -- C:\Documents and Settings\Tammi\Desktop\MBAM won't run; GMER . . . reboots - Malwarebytes Forum.url

[2010/03/16 12:30:12 | 000,012,598 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2010/03/16 12:30:01 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job

[2010/03/16 12:28:37 | 000,000,512 | ---- | M] () -- C:\WINDOWS\randseed.rnd

[2010/03/16 12:25:32 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job

[2010/03/16 12:25:31 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 4).job

[2010/03/16 12:25:31 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 3).job

[2010/03/16 12:25:30 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 2).job

[2010/03/16 12:25:30 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 1).job

[2010/03/16 12:23:21 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT

[2010/03/16 12:23:12 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2010/03/16 12:23:04 | 1341,755,392 | -HS- | M] () -- C:\hiberfil.sys

[2010/03/16 12:22:29 | 012,582,912 | ---- | M] () -- C:\Documents and Settings\Tammi\ntuser.dat

[2010/03/16 12:22:29 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Tammi\ntuser.ini

[2010/03/16 12:01:12 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job

[2010/03/16 11:15:37 | 000,000,717 | ---- | M] () -- C:\WINDOWS\KLSLINK.INI

[2010/03/16 10:56:59 | 000,000,818 | ---- | M] () -- C:\Documents and Settings\Tammi\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk

[2010/03/16 01:05:09 | 000,011,058 | ---- | M] () -- C:\WINDOWS\mozy.blk

[2010/03/16 01:05:08 | 000,015,752 | ---- | M] () -- C:\WINDOWS\mozy.flt

[2010/03/15 20:03:41 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Tammi\defogger_reenable

[2010/03/15 20:02:55 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Tammi\Desktop\Defogger.exe

[2010/03/15 14:15:05 | 000,000,747 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk

[2010/03/15 08:51:27 | 000,444,028 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat

[2010/03/15 08:51:26 | 000,071,904 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat

[2010/03/15 08:51:23 | 000,525,946 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI

[2010/03/12 10:14:32 | 000,000,783 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Acrobat_com.lnk

[2010/03/10 12:50:01 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job

[2010/03/04 11:50:42 | 000,000,164 | ---- | M] () -- C:\Documents and Settings\Tammi\default.pls

[2010/03/04 11:40:47 | 000,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini

[2010/03/01 03:01:06 | 000,000,966 | ---- | M] () -- C:\WINDOWS\tasks\BackupTammiStuff.job

[2010/02/25 04:00:42 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK

[2010/02/16 15:11:33 | 000,001,891 | ---- | M] () -- C:\Documents and Settings\Tammi\Desktop\eBay Blackthorne.lnk

[2010/02/15 23:58:43 | 000,000,680 | ---- | M] () -- C:\WINDOWS\AUTOLNCH.REG

[2 C:\Documents and Settings\Tammi\My Documents\*.tmp files -> C:\Documents and Settings\Tammi\My Documents\*.tmp -> ]

[1 C:\Documents and Settings\Tammi\*.tmp files -> C:\Documents and Settings\Tammi\*.tmp -> ]

========== Files Created - No Company Name ==========

[2793/06/26 18:20:07 | 000,003,120 | ---- | C] () -- C:\WINDOWS\MF_C421.lfa

[2793/06/26 18:20:07 | 000,003,120 | ---- | C] () -- C:\WINDOWS\MF_C420.lfa

[2010/03/16 12:34:46 | 000,000,211 | ---- | C] () -- C:\Documents and Settings\Tammi\Desktop\MBAM won't run; GMER . . . reboots - Malwarebytes Forum.url

[2010/03/16 10:56:59 | 000,000,818 | ---- | C] () -- C:\Documents and Settings\Tammi\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk

[2010/03/15 20:03:41 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Tammi\defogger_reenable

[2010/03/15 20:03:09 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Tammi\Desktop\Defogger.exe

[2010/03/15 15:55:20 | 1341,755,392 | -HS- | C] () -- C:\hiberfil.sys

[2010/03/12 10:14:32 | 000,000,783 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Acrobat_com.lnk

[2010/02/16 15:11:32 | 000,001,891 | ---- | C] () -- C:\Documents and Settings\Tammi\Desktop\eBay Blackthorne.lnk

[2010/01/14 12:13:27 | 000,038,438 | ---- | C] () -- C:\Documents and Settings\Tammi\Application Data\Comma Separated Values (DOS).ADR

[2009/07/29 21:59:09 | 000,000,737 | ---- | C] () -- C:\WINDOWS\hpntwksetup.ini

[2009/05/31 23:47:22 | 000,003,127 | ---- | C] () -- C:\WINDOWS\DMUSProd.INI

[2009/05/05 13:25:30 | 000,000,005 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\DragToDiscUserNameE.txt

[2009/03/01 22:40:28 | 000,000,151 | ---- | C] () -- C:\WINDOWS\PhotoSnapViewer.INI

[2008/07/30 17:27:58 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini

[2008/06/28 14:45:01 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll

[2008/06/28 14:45:01 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll

[2008/06/28 14:45:01 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll

[2008/06/28 14:45:00 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll

[2008/06/28 14:45:00 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll

[2008/06/28 14:45:00 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll

[2008/06/17 22:33:12 | 000,000,000 | ---- | C] () -- C:\Program Files\temp01

[2007/01/03 17:02:23 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\DivXWMPExtType.dll

[2007/01/03 16:58:11 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll

[2006/10/20 22:44:54 | 000,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI

[2006/10/07 23:13:50 | 000,000,557 | ---- | C] () -- C:\WINDOWS\DcmLtbox.ini

[2006/10/05 20:47:11 | 000,000,033 | ---- | C] () -- C:\WINDOWS\BiMonitor.ini

[2006/10/05 20:47:05 | 000,031,378 | ---- | C] () -- C:\WINDOWS\maxlink.ini

[2006/10/05 20:44:47 | 000,151,552 | ---- | C] () -- C:\WINDOWS\System32\LLHttpsUpload2.dll

[2006/10/05 20:44:47 | 000,040,448 | ---- | C] () -- C:\WINDOWS\System32\regobj.dll

[2006/07/31 21:28:59 | 000,005,385 | ---- | C] () -- C:\Documents and Settings\Tammi\Application Data\GdiplusUpgrade_MSIApproach_Wrapper.log

[2006/07/31 21:28:59 | 000,000,206 | ---- | C] () -- C:\WINDOWS\HPGdiPlus.ini

[2006/07/27 22:52:05 | 000,000,224 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI

[2006/03/22 10:33:06 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\YCRWin32.dll

[2005/12/28 12:36:19 | 000,008,521 | ---- | C] () -- C:\WINDOWS\lmpcl2a.ini

[2005/10/03 15:02:18 | 000,000,128 | ---- | C] () -- C:\Documents and Settings\Tammi\Local Settings\Application Data\fusioncache.dat

[2005/09/29 02:51:13 | 000,000,454 | ---- | C] () -- C:\WINDOWS\System32\AddPort.ini

[2005/09/29 02:51:12 | 000,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini

[2005/09/28 20:25:00 | 000,003,397 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log

[2005/09/07 12:00:44 | 000,257,536 | ---- | C] () -- C:\WINDOWS\System32\BiImg.dll

[2005/09/07 12:00:44 | 000,110,592 | ---- | C] () -- C:\WINDOWS\System32\JPEG32.DLL

[2005/06/04 23:06:58 | 000,136,448 | ---- | C] () -- C:\WINDOWS\RMTOOLS.DLL

[2005/05/21 22:45:31 | 000,000,599 | R--- | C] () -- C:\WINDOWS\mt110.ini

[2005/03/04 03:45:57 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI

[2005/02/20 00:23:34 | 000,000,017 | ---- | C] () -- C:\WINDOWS\wininit.ini

[2005/02/20 00:22:29 | 000,000,045 | ---- | C] () -- C:\WINDOWS\DBHMMIKM.ini

[2004/11/28 02:34:06 | 000,000,005 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\DragToDiscUserNameV.txt

[2004/11/04 23:23:57 | 000,000,699 | ---- | C] () -- C:\WINDOWS\E-REGTLC.INI

[2004/11/04 23:23:15 | 000,000,113 | ---- | C] () -- C:\WINDOWS\TLCAPPS.INI

[2004/10/16 19:41:01 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll

[2004/09/04 20:45:08 | 000,000,060 | ---- | C] () -- C:\WINDOWS\SIERRA.INI

[2004/09/04 20:44:27 | 000,000,044 | ---- | C] () -- C:\WINDOWS\KA.INI

[2004/08/30 17:09:19 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Game.INI

[2004/08/29 22:07:49 | 000,000,101 | ---- | C] () -- C:\WINDOWS\CMMIXER.INI

[2004/03/01 15:53:06 | 000,000,717 | ---- | C] () -- C:\WINDOWS\KLSLINK.INI

[2003/10/12 22:01:24 | 000,000,000 | ---- | C] () -- C:\WINDOWS\TEXTART.INI

[2003/10/12 20:32:32 | 000,000,048 | ---- | C] () -- C:\WINDOWS\wpd99.drv

[2003/10/12 20:30:49 | 000,127,026 | ---- | C] () -- C:\WINDOWS\System32\pdfmona.dll

[2003/10/12 20:30:49 | 000,048,936 | ---- | C] () -- C:\WINDOWS\System32\pdf995mon.dll

[2003/09/25 19:32:53 | 000,000,814 | ---- | C] () -- C:\Documents and Settings\Tammi\Local Settings\Application Data\FASTApp.html

[2003/08/19 10:03:22 | 000,450,560 | ---- | C] () -- C:\WINDOWS\System32\tls704d.dll

[2003/08/18 18:42:09 | 000,000,235 | ---- | C] () -- C:\WINDOWS\QTW.INI

[2003/07/04 19:06:22 | 000,096,768 | ---- | C] () -- C:\WINDOWS\System32\LGUICOM.DLL

[2003/06/28 12:09:53 | 000,001,600 | ---- | C] () -- C:\WINDOWS\cdplayer.ini

[2003/02/27 08:42:54 | 000,019,968 | ---- | C] () -- C:\WINDOWS\System32\cpuinf32.dll

[2003/02/15 11:43:28 | 000,061,678 | ---- | C] () -- C:\Documents and Settings\Tammi\Application Data\PFP100JPR.{PB

[2003/02/15 11:43:28 | 000,012,358 | ---- | C] () -- C:\Documents and Settings\Tammi\Application Data\PFP100JCM.{PB

[2003/02/08 14:16:21 | 000,000,000 | ---- | C] () -- C:\WINDOWS\ATIMMC.INI

[2003/01/11 23:02:03 | 000,119,296 | ---- | C] () -- C:\Documents and Settings\Tammi\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2003/01/07 18:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

[2002/12/06 03:37:26 | 000,000,000 | ---- | C] () -- C:\WINDOWS\hpqEmlSz.INI

[2002/11/30 04:15:51 | 000,000,032 | ---- | C] () -- C:\WINDOWS\iltwain.ini

[2002/11/30 04:08:57 | 000,000,000 | ---- | C] () -- C:\WINDOWS\PROTOCOL.INI

[2002/11/06 21:39:18 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI

[2002/10/15 01:05:07 | 000,413,696 | ---- | C] () -- C:\WINDOWS\System32\RFHelper.dll

[2002/10/15 01:05:07 | 000,212,992 | ---- | C] () -- C:\WINDOWS\System32\rfwdres.dll

[2002/10/15 01:05:07 | 000,122,880 | ---- | C] () -- C:\WINDOWS\System32\rfshext.dll

[2002/10/15 01:05:07 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\rfhres.dll

[2002/10/15 01:05:07 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\rfshres.dll

[2002/10/15 01:05:07 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\rfstrres.dll

[2002/10/15 01:05:07 | 000,016,384 | ---- | C] () -- C:\WINDOWS\System32\rfwdui.dll

[2002/09/30 02:56:35 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\FTPStubInstUtils.dll

[2002/09/23 22:46:53 | 000,000,896 | ---- | C] () -- C:\WINDOWS\System32\hpsj16.dll

[2002/09/23 22:46:52 | 000,000,057 | ---- | C] () -- C:\WINDOWS\HPDS23.INI

[2002/09/18 00:20:00 | 000,006,272 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASLM75.SYS

[2002/09/18 00:17:23 | 000,010,240 | ---- | C] () -- C:\WINDOWS\System32\vidx16.dll

[2002/09/17 23:24:03 | 000,000,312 | ---- | C] () -- C:\WINDOWS\CMISETUP.INI

[2002/09/17 23:23:31 | 000,000,026 | ---- | C] () -- C:\WINDOWS\CMCDPLAY.INI

[2002/09/17 05:01:29 | 000,003,698 | ---- | C] () -- C:\WINDOWS\mixerdef.ini

[2002/09/17 04:19:40 | 000,002,964 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini

[2002/09/17 04:19:38 | 000,005,824 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS

[2002/09/17 04:16:05 | 000,000,011 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.ini

[2002/09/17 04:15:55 | 000,009,136 | ---- | C] () -- C:\WINDOWS\System32\INETWH16.DLL

[2002/09/03 00:21:54 | 000,000,578 | ---- | C] () -- C:\WINDOWS\PSADMIN.INI

[2002/09/02 20:59:28 | 000,021,186 | ---- | C] () -- C:\Documents and Settings\Tammi\Local Settings\Application Data\FASTWiz.html

[2002/09/02 19:59:29 | 000,066,067 | ---- | C] () -- C:\Documents and Settings\Tammi\Local Settings\Application Data\FASTWiz.log

[2002/06/06 02:01:58 | 000,029,696 | ---- | C] () -- C:\WINDOWS\System32\asutl8.dll

[2002/03/16 19:00:00 | 000,007,420 | ---- | C] () -- C:\WINDOWS\UA000071.DLL

[1998/10/11 01:07:38 | 000,088,576 | ---- | C] () -- C:\WINDOWS\System32\Iticheck.dll

========== LOP Check ==========

[2003/08/18 21:42:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Broderbund LLC

[2007/01/16 00:59:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\espionServerData

[2005/02/08 20:27:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\GameHouse

[2009/11/16 16:02:44 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\All Users\Application Data\InfectedBy_e4b4d56

[2009/11/16 10:35:01 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\All Users\Application Data\InfectedBy_WSDDSys

[2008/06/28 14:45:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\InterVideo

[2008/07/29 16:15:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\LightScribe

[2004/10/31 00:10:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MirrorFolder

[2005/11/25 17:36:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Napster

[2007/01/16 01:00:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Network Associates

[2006/10/21 14:32:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PopCap

[2006/10/21 16:37:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sandlot Games

[2006/10/05 20:52:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ScanSoft

[2002/11/06 20:49:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SSScanAppDataDir

[2002/11/06 20:49:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SSScanWizard

[2008/06/17 22:40:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP

[2008/06/28 14:43:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ulead Systems

[2006/10/31 13:51:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\YAHOO

[2006/10/05 20:51:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\zeon

[2009/10/31 16:34:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}

[2009/05/11 18:21:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}

[2009/11/16 17:12:55 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}

[2009/05/21 22:31:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tammi\Application Data\Anvil Studio

[2010/03/12 10:18:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tammi\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1

[2007/06/26 07:34:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tammi\Application Data\eBay

[2008/07/18 15:50:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tammi\Application Data\EPSON

[2007/03/01 12:38:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tammi\Application Data\IMVU

[2009/11/16 10:37:14 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\Tammi\Application Data\InfectedBy System Defender

[2009/05/31 23:06:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tammi\Application Data\MtStudio

[2005/02/20 00:11:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tammi\Application Data\oenl

[2007/02/18 21:51:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tammi\Application Data\Opera

[2006/08/01 16:50:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tammi\Application Data\PPIMAGES

[2006/10/05 20:47:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tammi\Application Data\ScanSoft

[2008/06/28 14:53:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tammi\Application Data\Ulead Systems

[2006/03/08 18:12:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tammi\Application Data\Webshots

[2006/10/05 20:53:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tammi\Application Data\Zeon

[2010/03/16 12:25:30 | 000,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Daily 1).job

[2010/03/16 12:25:30 | 000,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Daily 2).job

[2010/03/16 12:25:31 | 000,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Daily 3).job

[2010/03/16 12:25:31 | 000,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Daily 4).job

[2010/03/16 12:25:32 | 000,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job

[2010/03/01 03:01:06 | 000,000,966 | ---- | M] () -- C:\WINDOWS\Tasks\BackupTammiStuff.job

[2002/09/30 03:51:55 | 000,000,374 | ---- | M] () -- C:\WINDOWS\Tasks\TASK20020930010621.job

========== Purity Check ==========

========== Alternate Data Streams ==========

@Alternate Data Stream - 155 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2

@Alternate Data Stream - 123 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5F1019FF

< End of report >

>>>>>>>>>>>>>>>>>>>> Extras.txt . . . <<<<<<<<<<<<<<<<<<<<

OTL Extras logfile created on: 3/16/2010 12:37:11 PM - Run 1

OTL by OldTimer - Version 3.1.37.2 Folder = C:\Kits\SpyWareCheckers

Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 7.0.5730.13)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.00 Gb Total Physical Memory | 0.00 Gb Available Physical Memory | 28.00% Memory free

4.00 Gb Paging File | 4.00 Gb Available in Paging File | 86.00% Paging File free

Paging file location(s): C:\pagefile.sys 3200 3200 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 78.13 Gb Total Space | 17.57 Gb Free Space | 22.49% Space Free | Partition Type: NTFS

Drive D: | 78.13 Gb Total Space | 8.34 Gb Free Space | 10.68% Space Free | Partition Type: NTFS

E: Drive not present or media not loaded

Drive F: | 77.50 Gb Total Space | 66.84 Gb Free Space | 86.25% Space Free | Partition Type: NTFS

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: ARRIVA2

Current User Name: Tammi

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Standard

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

exefile [open] -- "%1" %*

htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)

htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [cmd] -- cmd.exe /k "cd %L" (Microsoft Corporation)

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"AntiVirusDisableNotify" = 0

"UpdatesDisableNotify" = 0

"AntiVirusOverride" = 1

"FirewallOverride" = 0

"FirewallDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]

"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004

"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005

"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001

"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall" = 0

"DoNotAllowExceptions" = 0

"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004

"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005

"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001

"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009

"21:TCP" = 21:TCP:*:Disabled:ftp

"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007

"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

"C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger -- (Logitech Inc.)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"C:\Program Files\Real\RealOne Player\realplay.exe" = C:\Program Files\Real\RealOne Player\realplay.exe:*:Disabled:RealOne Player -- (RealNetworks, Inc.)

"C:\Program Files\eBay\Seller's Assistant Pro\SAPro.exe" = C:\Program Files\eBay\Seller's Assistant Pro\SAPro.exe:*:Enabled:Seller's Assistant Pro executable -- File not found

"V:\Setup\HPZnet01.exe" = V:\Setup\HPZnet01.exe:*:Enabled:Install Consumer Experience Network Plug in -- File not found

"C:\Program Files\IncrediMail\bin\IMApp.exe" = C:\Program Files\IncrediMail\bin\IMApp.exe:*:Enabled:IncrediMail -- File not found

"C:\Program Files\IncrediMail\bin\IncMail.exe" = C:\Program Files\IncrediMail\bin\IncMail.exe:*:Enabled:IncrediMail -- File not found

"C:\Program Files\IncrediMail\bin\ImpCnt.exe" = C:\Program Files\IncrediMail\bin\ImpCnt.exe:*:Enabled:IncrediMail -- File not found

"C:\Program Files\Yahoo!\Messenger\YPager.exe" = C:\Program Files\Yahoo!\Messenger\YPager.exe:*:Enabled:Yahoo! Messenger -- File not found

"C:\Program Files\Yahoo!\Messenger\YServer.exe" = C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server -- (Yahoo! Inc.)

"C:\WINDOWS\system32\ftp.exe" = C:\WINDOWS\system32\ftp.exe:*:Disabled:File Transfer Program -- (Microsoft Corporation)

"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- (Yahoo! Inc.)

"C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger -- (Logitech Inc.)

"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)

"C:\Documents and Settings\All Users\Application Data\e4b4d56\WSe4b4.exe" = C:\Documents and Settings\All Users\Application Data\e4b4d56\WSe4b4.exe:*:Enabled:System Defender -- File not found

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{02E73E50-6513-4802-8600-B5A5BA185BE3}" = ScanSoft PaperPort 11

"{031C88EF-4EA5-4A9D-A77D-857A914CAFA5}" = ScanSoft RealSpeak

"{036AA4D4-6D32-11D4-9875-00105ACE7734}" = Logitech iTouch Software

"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour

"{0DC86BEC-5CE3-413A-BB61-C40A3D186B24}" = Scan

"{0DDFF679-AEDE-4BD3-8B56-0180A96BD1A7}" = OmniPage Pro 12.0

"{0F9196C6-58B4-445B-B56E-B1200FECC151}" = Microsoft Bootvis

"{10C69612-017B-45F5-B986-7D113D5A2EA3}" = MSN Toolbar

"{10F5D9BB-E2F2-4B18-A65D-928B73D22E6F}" = IFSYS-8003 IrDA FIR USB Adapter

"{118A578C-FBFF-43EE-8C1A-6598EE0E3741}" = GTCO CalComp TabletWorks

"{14BEB6DF-A499-4A38-8E06-E173BCD5C087}" = ScannerCopy

"{15EE79F4-4ED1-4267-9B0F-351009325D7D}" = HP Software Update

"{17293791-C82E-476C-9997-9A0FF234A19B}" = HP Product Assistant

"{181821B7-82AA-44DA-9DAF-EF254CCB670A}" = Fax

"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer

"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate

"{1AD5F465-8282-4DAD-B957-E09C0B783D18}" = InstantShare

"{1B680FBA-E317-4E93-AF43-3B59798A4BE0}" = Copy

"{20FBC0A0-3160-4F14-83ED-3A74BB6B8C31}" = TrayApp

"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer

"{25569723-DC5A-4467-A639-79535BF01B71}" = Adobe Help Center 2.1

"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java 6 Update 15

"{272EC8BA-5A08-4ea1-A189-684466A06B02}" = cp_dwShrek2Albums1

"{2818095F-FB6C-42C8-827E-0A406CC9AFF5}" = Quicken 2006

"{29302832-88E4-4748-AC13-E8FB91B0D9DD}" = Dress Shop Download Master 7.00

"{2E8428AD-6CD2-4031-916A-3CF9BBF2DEC9}" = Unload

"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6

"{3248F0A8-6813-11D6-A77B-00B0D0150110}" = J2SE Runtime Environment 5.0 Update 11

"{3248F0A8-6813-11D6-A77B-00B0D0160010}" = Java SE Runtime Environment 6 Update 1

"{3248F0A8-6813-11D6-A77B-00B0D0160020}" = Java 6 Update 2

"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java 6 Update 3

"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java 6 Update 5

"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java 6 Update 7

"{342C7C88-D335-4bc2-8CF1-281857629CE2}" = HP PSC & OfficeJet 4.7

"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP

"{3762DB2D-71BD-421F-9E55-C74DA7DF4D07}" = CueTour

"{391E18CE-7D3B-45E9-A8F0-34E77F14F47A}" = ProductContext

"{3AC54383-31D1-4907-961B-B12CBB1D0AE8}" = MobileMe Control Panel

"{3D719053-5593-11D3-8F25-0060085C1758}" = Microsoft Streets and Trips 2001

"{413CEBC4-ABA1-4AC4-ADFB-69FA195F09AB}" = 7300_Help

"{442BE28B-782B-4DC0-B490-E70A403B1C69}" = Readme

"{521AAD14-5030-44BB-8B0E-5CE65FCE57E0}" = InterVideo DeviceService

"{5421155F-B033-49DB-9B33-8F80F233D4D5}" = GdiplusUpgrade

"{54AA707B-68DA-49A4-9916-68DD670241BD}" = AT&T Yahoo! Music Jukebox

"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml

"{5809E7CF-4DCF-11D4-9875-00105ACE7734}" = Logitech MouseWare 9.71

"{590D4F8F-98FE-47FA-AC2B-3F22FDCF7C09}" = ShareIns

"{5DF3D1BB-894E-4DCD-8275-159AC9829B43}" = McAfee VirusScan Enterprise

"{5E8D588F-307C-4250-B622-26969027319A}" = PanoStandAlone

"{6421F085-1FAA-DE13-D02A-CFB412C522A4}" = Acrobat.com

"{644D04A2-C682-4FD5-977D-03B804C4B9C5}" = CreativeProjects

"{644F9DBE-CEDB-45AF-ACB8-E26692B74F62}" = Easy CD & DVD Creator 6

"{646A65DD-23FC-418E-B9F0-E0500FB42CB1}" = PhotoGallery

"{655CB07D-C944-40BE-B93F-55957CAC7625}" = AiO_Scan

"{6855CCDD-BDF9-48E4-B80A-80DFB96FE36C}" = CmdHere Powertoy For Windows XP

"{68963635-14A4-48D9-B431-DF3A74D1AAE1}" = Destinations

"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update

"{6D48CC96-AC7C-449F-BD06-7C52A791848B}" = 7400

"{700A6597-3CE6-49C1-AA75-846B24CDA66D}" = BufferChm

"{7088EC18-1D00-43EA-B37B-608E71D88A5D}" = EpsonNet Config V1

"{724517BD-1DE1-4986-BFCA-C1DFD379E3BC}" = cp_dwShrek2Cards1

"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable

"{73643FB0-21FF-4800-95AF-BD0DB4A2171F}" = Dress Shop Download Master 7.00

"{767CC44C-9BBC-438D-BAD3-FD4595DD148B}" = VC80CRTRedist - 8.0.50727.762

"{7AD25C9F-9957-4D1C-95EF-9BCD09F6D31B}" = HPSystemDiagnostics

"{84CDF5A8-1D57-4B69-BAB6-1F11D8923375}" = SkinsHP1

"{85CFD253-38AE-4DB1-ACB7-F0F4C791990D}" = AiOSoftware

"{86B77B5A-B157-6386-37B0-DB2494DEEAFF}" = MozyHome Remote Backup

"{8777AC6D-89F9-4793-8266-DE406F343E89}" = QFolder

"{885283DA-46D5-4F9A-85AA-45B421BB6077}" = ATI Multimedia Center

"{8BC3B99B-A6BE-4A0B-8535-B1B94BA4B1B1}" = DocProc

"{8C6027FD-53DC-446D-BB75-CACD7028A134}" = HP Update

"{8DCE550C-CA43-4E82-92DF-FFC4A48F5BE1}" = Napster Burn Engine

"{900B1197-53F5-4F46-A882-2CFFFE2EEDCB}" = Logitech Desktop Messenger

"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003

"{93ECA342-9C9B-4334-80DD-5476E1DAB81A}" = CoZmanager 2.0

"{987D1E20-24AE-424F-89F9-2973FC9C2A57}" = eBay Blackthorne

"{9EF5B77F-703E-4953-9DA9-186E28A62568}" = 7300Trb

"{A0B295C3-FD3C-11D4-A811-0090279106C3}" = WordPerfect Office 2002

"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR

"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2

"{A429C2AE-EBF1-4F81-A221-1C115CAADDAD}" = QuickTime

"{A5B9D22C-755A-4AC6-9904-875E80838BB6}" = CP_AtenaShokunin1Config

"{A7B609FB-83D8-4FC3-8477-1BC65ECFE85B}" = Adobe Photoshop Elements 5.0

"{A87B11AC-4344-4E5D-8B12-8F471A87DAD9}" = LightScribe 1.4.136.1

"{A8AD990E-355A-4413-8647-A9B168978423}_is1" = UltraVNC v1.0.1

"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper

"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support

"{ABC52CF9-2D43-4278-A152-CB2CD3ED8FE9}" = MIDI-OX

"{AC76BA86-7AD7-1033-7B44-A70900000002}" = Adobe Reader 7.0.9

"{AC76BA86-7AD7-5464-3428-7050000000A7}" = Adobe Reader 7.0.5 Language Support

"{AD1D8B40-F83C-41CA-BA08-9DB8D1653316}" = ScanSoft PDF Create! 3

"{B4E96960-5F6B-48B9-A5BD-6A5A9BB4F027}" = Avery Wizard 3.1

"{B5FDA445-CAC4-4BA6-A8FB-A7212BD439DE}" = Microsoft XML Parser

"{B607C354-CD79-4D22-86D1-92DC94153F42}" = Apple Application Support

"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player

"{B911B811-BA3E-46D4-90F8-6F3338359651}" = Director

"{BBBCAE4B-B416-4182-A6F2-438180894A81}" = Napster

"{BFF54E94-8BF2-4A9C-9452-6EF320C53B80}" = ENCAD NovaJet 600 Series ICC Profiles

"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2

"{C5B573BD-21D3-4CB7-9474-502B8E0AB8D4}" = PaperPort Professional 11

"{C7340571-7773-4A8C-9EBC-4E4243B38C76}" = Microsoft XML Parser

"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1

"{CCC4E428-411E-4605-B515-317D50ABD477}" = Ulead DVD MovieFactory 6

"{CDFCF124-115F-4976-8BF4-08C89187A146}" = WebReg

"{CE0C8CC5-E396-442B-A50E-D1D374A9E820}" = DocumentViewer

"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1

"{D1A74FBB-CA8D-4CCA-9B89-BAAA436DB178}" = iTunes

"{D94A8E22-DF2B-4107-9E51-608A60A7671D}" = Personal Ancestral File 5

"{DCB91C79-B78B-44B1-A7FE-28DECA6E9245}" = Dell TrueMobile 2300 Wireless Broadband Router Control Utility

"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware

"{DFC6573E-124D-4026-BFA4-B433C9D3FF21}" = ISO Recorder

"{E56D39F8-2A9F-44B4-B068-A72E45A073E6}" = Safari

"{EF729AE1-4AE9-402A-AF64-5C5A8150F549}" = HP Photo and Imaging 1.2 - Scanjet 4570c Series

"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)

"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01

"{F90D6825-8F1F-4E3A-9E42-A9C8A9DD1033}" = Nero 7 Essentials

"{FC22D020-3005-4715-8DF9-F3EDE81DEB3D}" = CreativeProjectsTemplates

"{FDCD7EE4-1515-4172-AE20-AF5A69F627FE}" = Intel® Integrated Performance Primitives RTI 3.0

"3DGroove" = OTOY

"Ad-Aware" = Ad-Aware

"Adobe AIR" = Adobe AIR

"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX

"Adobe Photoshop Elements 5" = Adobe Photoshop Elements 5.0

"AstroAvenger_is1" = AstroAvenger

"AsUninst.exe" = Anvil Studio

"ASUS Probe V2.16.01" = ASUS Probe V2.16.01

"AsusUpdate V3.29.08" = AsusUpdate V3.29.08

"ATI Display Driver" = ATI Display Driver

"Bingo Card Creator_is1" = Bingo Card Creator 2.0

"Cameo 3.0 Apparel Pattern Software" = Cameo 3.0 Apparel Pattern Software

"ce876f80-8a31-11d4-b9d2-002018382069_is1" = MirrorFolder 3.0

"Click and Sew Demo1101" = Click and Sew Demo1101

"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com

"DirectMusic Producer" = Microsoft DirectMusic Producer

"DXTXTRA" = Microsoft DirectX Transform optional components

"EPSON Scanner" = EPSON Scan

"ERUNT_is1" = ERUNT 1.1j

"Google Chrome" = Google Chrome

"HijackThis" = HijackThis 2.0.2

"Home Control Center" = Home Control Center

"hp instant support" = hp instant support

"HP Photo & Imaging" = HP Image Zone 4.7

"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs

"ie7" = Windows Internet Explorer 7

"InstallShield_{118A578C-FBFF-43EE-8C1A-6598EE0E3741}" = GTCO CalComp TabletWorks

"InstallShield_{CCC4E428-411E-4605-B515-317D50ABD477}" = Ulead DVD MovieFactory 6 TBYB

"InterActual Player" = InterActual Player

"jZip" = jZip

"LABEL PRINTER APPLICATION FA-950" = LABEL PRINTER APPLICATION FA-950

"Lexmark Printer Software Uninstall" = Lexmark Printer Software Uninstall

"Logitech Resource Center" = Logitech Resource Center

"Macromedia Shockwave Player" = Macromedia Shockwave Player

"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware

"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1

"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1

"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP

"MultitrackStudio_is1" = MultitrackStudio Lite 5.21

"Musicnotes Player_is1" = Musicnotes Player V1.22.3

"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs

"OmniFormat" = OmniFormat

"Pattern Master 4 Movies" = Pattern Master 4 Movies

"PatternMaster Celebrations 4" = PatternMaster Celebrations 4

"PatternMaster Celebrations 4 Demo" = PatternMaster Celebrations 4 Demo

"PCI Audio Applications" = PCI Audio Applications

"PCI Audio Driver" = PCI Audio Driver

"Pdf995" = Pdf995

"PdfEdit995" = PdfEdit995

"PDF-Tools" = PDF-Tools

"PDF-XChange Registered Release" = PDF-XChange Registered Release

"Picasa 3" = Picasa 3

"QuickTime32" = QuickTime for Windows (32-bit)

"RealPlayer 6.0" = RealPlayer

"TCEssentials" = TC Native Essentials 2.02

"Vextractor_is1" = Vextractor 2.00

"VMidi" = vanBasco's Karaoke Player

"WebDrive" = WebDrive

"WIC" = Windows Imaging Component

"Windows Live OneCare safety scanner" = Windows Live OneCare safety scanner

"Windows Media Format Runtime" = Windows Media Format 11 runtime

"Windows Media Player" = Windows Media Player 11

"Windows XP Service Pack" = Windows XP Service Pack 2

"WinRAR archiver" = WinRAR archiver

"WMFDist11" = Windows Media Format 11 runtime

"wmp11" = Windows Media Player 11

"WS_FTP Pro" = Ipswitch WS_FTP Pro

"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

"Yahoo! Applications" = AT&T Yahoo! Applications

"Yahoo! Toolbar" = Yahoo! Toolbar

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{FC94A2F6-E490-42DD-901F-1BABDD3947F1}" = Seller's Assistant Pro

"GCalc 3" = GCalc 3

"Move Networks Player - IE" = Move Networks Media Player for Internet Explorer

========== Last 10 Event Log Errors ==========

[ Application Events ]

Error - 3/15/2010 4:35:44 PM | Computer Name = ARRIVA2 | Source = Application Error | ID = 1000

Description = Faulting application iexplore.exe, version 7.0.6000.16981, faulting

module msvcr71.dll, version 7.10.3052.4, fault address 0x000017fb.

Error - 3/15/2010 4:35:47 PM | Computer Name = ARRIVA2 | Source = Application Error | ID = 1001

Description = Fault bucket 1670938873.

Error - 3/15/2010 5:52:39 PM | Computer Name = ARRIVA2 | Source = Alert Manager Event Interface | ID = 257

Description = VirusScan Enterprise: The update failed; see event log.(from ARRIVA2

IP 192.168.1.142 user Tammi running VirusScan Ent. 8.0.0 UPD)

Error - 3/15/2010 5:53:19 PM | Computer Name = ARRIVA2 | Source = Alert Manager Event Interface | ID = 257

Description = VirusScan Enterprise: The update failed; see event log.(from ARRIVA2

IP 192.168.1.142 user Tammi running VirusScan Ent. 8.0.0 UPD)

Error - 3/15/2010 7:19:24 PM | Computer Name = ARRIVA2 | Source = Application Error | ID = 1000

Description = Faulting application iexplore.exe, version 7.0.6000.16981, faulting

module , version 0.0.0.0, fault address 0x00000000.

Error - 3/15/2010 8:48:40 PM | Computer Name = ARRIVA2 | Source = EventSystem | ID = 4609

Description = The COM+ Event System detected a bad return code during its internal

processing. HRESULT was 800706BF from line 44 of d:\comxp_sp2\com\com1x\src\events\tier1\eventsystemobj.cpp.

Please contact Microsoft Product Support Services to report this erro

Error - 3/15/2010 8:48:40 PM | Computer Name = ARRIVA2 | Source = EventSystem | ID = 4609

Description = The COM+ Event System detected a bad return code during its internal

processing. HRESULT was 800706BA from line 44 of d:\comxp_sp2\com\com1x\src\events\tier1\eventsystemobj.cpp.

Please contact Microsoft Product Support Services to report this erro

Error - 3/15/2010 8:48:41 PM | Computer Name = ARRIVA2 | Source = EventSystem | ID = 4609

Description = The COM+ Event System detected a bad return code during its internal

processing. HRESULT was 800706BA from line 44 of d:\comxp_sp2\com\com1x\src\events\tier1\eventsystemobj.cpp.

Please contact Microsoft Product Support Services to report this erro

Error - 3/15/2010 8:48:41 PM | Computer Name = ARRIVA2 | Source = EventSystem | ID = 4609

Description = The COM+ Event System detected a bad return code during its internal

processing. HRESULT was 800706BA from line 44 of d:\comxp_sp2\com\com1x\src\events\tier1\eventsystemobj.cpp.

Please contact Microsoft Product Support Services to report this erro

Error - 3/15/2010 9:36:02 PM | Computer Name = ARRIVA2 | Source = Alert Manager Event Interface | ID = 257

Description = VirusScan Enterprise: Failed to connect to CMA updater.(from ARRIVA2

IP 192.168.1.142 user SYSTEM running VirusScan Ent. 8.0.0 UPD)

[ System Events ]

Error - 3/16/2010 12:57:37 PM | Computer Name = ARRIVA2 | Source = Service Control Manager | ID = 7034

Description = The VNC Server service terminated unexpectedly. It has done this

1 time(s).

Error - 3/16/2010 12:57:37 PM | Computer Name = ARRIVA2 | Source = Service Control Manager | ID = 7034

Description = The iPod Service service terminated unexpectedly. It has done this

1 time(s).

Error - 3/16/2010 12:57:37 PM | Computer Name = ARRIVA2 | Source = Service Control Manager | ID = 7034

Description = The Network Associates Task Manager service terminated unexpectedly.

It has done this 1 time(s).

Error - 3/16/2010 12:57:38 PM | Computer Name = ARRIVA2 | Source = Service Control Manager | ID = 7034

Description = The Java Quick Starter service terminated unexpectedly. It has done

this 1 time(s).

Error - 3/16/2010 12:57:38 PM | Computer Name = ARRIVA2 | Source = Service Control Manager | ID = 7034

Description = The MozyHome Backup Service service terminated unexpectedly. It has

done this 1 time(s).

Error - 3/16/2010 1:23:22 PM | Computer Name = ARRIVA2 | Source = dmboot | ID = 5242883

Description = dmboot: Failed to start volume Volume4 (M:)

Error - 3/16/2010 1:23:22 PM | Computer Name = ARRIVA2 | Source = dmboot | ID = 5242883

Description = dmboot: Failed to start volume Volume5 (N:)

Error - 3/16/2010 1:23:22 PM | Computer Name = ARRIVA2 | Source = dmboot | ID = 5242883

Description = dmboot: Failed to start volume Volume6 (O:)

Error - 3/16/2010 1:23:49 PM | Computer Name = ARRIVA2 | Source = Service Control Manager | ID = 7000

Description = The NetBEUI Protocol service failed to start due to the following

error: %%2

Error - 3/16/2010 1:23:49 PM | Computer Name = ARRIVA2 | Source = Service Control Manager | ID = 7000

Description = The Parallel port driver service failed to start due to the following

error: %%1058

< End of report >

>>>>>>>>>>>>>>>>>>>> checkup.txt . . . <<<<<<<<<<<<<<<<<<<<

Results of screen317's Security Check version 0.99.1

Windows XP Service Pack 2

Out of date service pack!!

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Disabled!

McAfee VirusScan Enterprise

Antivirus up to date!

``````````````````````````````

Anti-malware/Other Utilities Check:

Ad-Aware

HijackThis 2.0.2

Java 6 Update 15

Java SE Runtime Environment 6 Update 1

Java 6 Update 2

Java 6 Update 3

Java 6 Update 5

Java 6 Update 7

Out of date Java installed!

Adobe Flash Player 10

Adobe Reader 7.0.9

Adobe Reader 7.0.5 Language Support

Out of date Adobe Reader installed!

``````````````````````````````

Process Check:

objlist.exe by Laurent

Ad-Aware AAWService.exe

Ad-Aware AAWTray.exe is disabled!

``````````````````````````````

DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````

>>>>>>>>>>>>>>>>>>>> Rooter_1.txt . . . <<<<<<<<<<<<<<<<<<<<

Rooter.exe (v1.0.2) by Eric_71

.

SeDebugPrivilege granted successfully ...

.

Windows XP . (5.1.2600) Service Pack 2

[32_bits] - x86 Family 15 Model 2 Stepping 4, GenuineIntel

.

[wscsvc] (Security Center) RUNNING (state:4)

[sharedAccess] RUNNING (state:4)

Windows Firewall -> Disabled !

.

Internet Explorer 7.0.5730.13

.

A:\ [Removable]

C:\ [Fixed-NTFS] .. ( Total:78 Go - Free:17 Go )

D:\ [Fixed-NTFS] .. ( Total:78 Go - Free:8 Go )

E:\ [CD_Rom]

F:\ [Fixed-NTFS] .. ( Total:77 Go - Free:66 Go )

.

Scan : 13:37.35

Path : C:\Kits\SpyWareCheckers\Rooter.exe

User : Tammi ( Administrator -> YES )

.

----------------------\\ Processes

.

Locked [system Process] (0)

______ System (4)

______ \SystemRoot\System32\smss.exe (496)

______ \??\C:\WINDOWS\system32\csrss.exe (560)

______ \??\C:\WINDOWS\system32\winlogon.exe (588)

______ C:\WINDOWS\system32\services.exe (640)

______ C:\WINDOWS\system32\lsass.exe (660)

______ C:\WINDOWS\system32\Ati2evxx.exe (852)

______ C:\WINDOWS\system32\svchost.exe (868)

______ C:\WINDOWS\system32\svchost.exe (964)

______ C:\WINDOWS\System32\svchost.exe (1060)

______ C:\WINDOWS\System32\svchost.exe (1156)

______ C:\WINDOWS\System32\svchost.exe (1252)

______ C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (1388)

______ C:\WINDOWS\system32\spoolsv.exe (1492)

______ C:\WINDOWS\System32\svchost.exe (1624)

______ C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (1668)

______ C:\Program Files\Bonjour\mDNSResponder.exe (1696)

______ C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe (1768)

______ C:\Program Files\Java\jre6\bin\jqs.exe (1972)

______ C:\Program Files\Common Files\LightScribe\LSSrvc.exe (196)

______ C:\Program Files\Network Associates\Common Framework\FrameworkService.exe (252)

______ C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe (304)

______ C:\Program Files\Network Associates\VirusScan\vstskmgr.exe (376)

______ C:\WINDOWS\System32\mfsyncsv.exe (452)

______ C:\Program Files\MozyHome\mozybackup.exe (512)

______ C:\WINDOWS\system32\IoctlSvc.exe (552)

______ C:\WINDOWS\System32\svchost.exe (664)

______ C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe (912)

______ C:\Program Files\WebDrive\wdService.exe (1080)

______ C:\Program Files\UltraVNC\winvnc.exe (1208)

______ C:\WINDOWS\System32\wbem\unsecapp.exe (2052)

______ C:\WINDOWS\system32\wbem\wmiprvse.exe (2172)

______ C:\WINDOWS\System32\alg.exe (2236)

______ C:\WINDOWS\system32\Ati2evxx.exe (3356)

______ C:\WINDOWS\Explorer.EXE (3588)

______ C:\WINDOWS\system32\wuauclt.exe (3840)

______ C:\Program Files\ScanSoft\OmniPagePro12.0\Opware12.exe (3908)

______ C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe (3916)

______ C:\Program Files\Logitech\iTouch\iTouch.exe (3924)

______ C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE (3948)

______ C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe (4040)

______ C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe (4068)

______ C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe (2004)

______ C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE (1368)

______ C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe (916)

______ C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe (2168)

______ C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe (2204)

______ C:\Program Files\Java\jre6\bin\jusched.exe (2296)

______ C:\Program Files\iTunes\iTunesHelper.exe (2428)

______ C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe (820)

______ C:\Program Files\Messenger\msmsgs.exe (2564)

______ C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (2624)

______ C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe (2656)

______ C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe (1780)

______ C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe (2992)

______ C:\FA-950\BIN\Klslink.exe (288)

______ C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe (2856)

______ C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (3016)

______ C:\Program Files\MozyHome\mozystat.exe (904)

______ C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe (3148)

______ C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe (2632)

______ C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqgalry.exe (3516)

______ C:\Program Files\iPod\bin\iPodService.exe (3688)

______ C:\Program Files\Internet Explorer\iexplore.exe (3752)

______ C:\Program Files\Java\jre6\bin\jucheck.exe (2636)

______ C:\WINDOWS\system32\NOTEPAD.EXE (3788)

______ C:\Kits\SpyWareCheckers\Rooter.exe (3892)

.

----------------------\\ Device\Harddisk0\

.

\Device\Harddisk0 [sectors : 63 x 512 Bytes]

.

\Device\Harddisk0\Partition1 --[ MBR ]-- (Start_Offset:32256 | Length:83889598464)

\Device\Harddisk0\Partition2 (Start_Offset:83889630720 | Length:167104788480)

.

----------------------\\ Scheduled Tasks

.

C:\WINDOWS\Tasks\Ad-Aware Update (Daily 1).job

C:\WINDOWS\Tasks\Ad-Aware Update (Daily 2).job

C:\WINDOWS\Tasks\Ad-Aware Update (Daily 3).job

C:\WINDOWS\Tasks\Ad-Aware Update (Daily 4).job

C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job

C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

C:\WINDOWS\Tasks\BackupTammiStuff.job

C:\WINDOWS\Tasks\desktop.ini

C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job

C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job

C:\WINDOWS\Tasks\SA.DAT

C:\WINDOWS\Tasks\TASK20020930010621.job

.

----------------------\\ Registry

.

.

----------------------\\ Files & Folders

.

----------------------\\ Scan completed at 13:39.02

.

C:\Rooter$\Rooter_1.txt - (16/03/2010 | 13:39.02)


Hello,

Reminder for you & all users of this pc, do NOT do any websurfing nor any web searches while we hunt for malware.

Only go to this forum and the websites I guide you to.

You will want to print out or copy these instructions to Notepad for offline reference!

If you are a casual viewer, do NOT try this on your system!

If you are not Ken42 and have a similar problem, do NOT post here; start your own topic

Do not run or start any other programs while these utilities and tools are in use!

Do NOT run any other tools on your own or do any fixes other than what is listed here.

If you have questions, please ask before you do something on your own.

But it is important that you get going on these following steps.

=

Close any of your open programs while you run these tools.

Next:

  • A new run of Avenger to remove 2 suspect files
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below textbox to the clipboard by highlighting it and then pressing Ctrl+C.

Files to delete:
C:\WINDOWS\MF_C421.lfa
C:\WINDOWS\MF_C420.lfa

  • In the Avenger window, click the Paste Script from Clipboard button.
  • Make sure that what appears in Avenger matches exactly what you were asked to Copy/Paste from the Code box above.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
  • After your PC has completed the necessary reboots, a log should automatically open. Please copy/paste the contents of c:\avenger.txt into your next reply.

Next Step

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

For directions on how, see How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Do NOT turn off the firewall

If you have a prior copy of Combofix, delete it now !

Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop.

Link 1

Link 2

Link 3


* IMPORTANT !!! SAVE AS Combo-Fix.exe to your Desktop

If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on Combo-Fix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

Please watch Combofix as it runs, as you may see messages which require your response, or the pressing of OK button.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

-------------------------------------------------------

A caution - Do not run Combofix more than once.

Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.

If this occurs, please reboot to restore the desktop.

=

RE-Enable your AntiVirus and AntiSpyware applications.

Copy & Paste into a reply the contents of C:\Avenger.txt & C:\Combofix.txt

Do not put them as attachments.
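An added example, not part of this thread or of The Avenger itself: a small Python check that compares the "Files to delete:" list in an Avenger script with the "deleted successfully" lines Avenger writes to its log, so a helper can confirm every requested file was actually removed (and that nothing was deleted that the script did not ask for). It also applies the post's rule that a "Drivers to delete:" or "Drivers to disable:" section means two reboots. The wording Avenger uses for a failed deletion is not shown on this page, so a failure is inferred by the absence of a success line; the third path in the sample script is a constructed placeholder.

```python
"""Verify an Avenger run against the script it was given.

Added example for this thread, not code from The Avenger. Assumptions:
  - the script format is the one shown in the post ("Files to delete:"
    followed by one path per line; "Drivers to delete:" / "Drivers to
    disable:" are the other section headers the post names);
  - a successful deletion is logged exactly as on the page:
      File "C:\\path" deleted successfully.
  - any requested path without such a line is treated as unconfirmed
    (the failure wording is not on the page, so it is not parsed).
"""
import re

# Section headers named in the post; the script is a plain text block.
SECTION_RE = re.compile(r"^(Files|Drivers) to (delete|disable):\s*$", re.IGNORECASE)
# Success line as it appears in the Avenger log quoted on the page.
DELETED_RE = re.compile(r'^File "(?P<path>[^"]+)" deleted successfully\.$')


def parse_script(text):
    """Return {section: [entries]} for an Avenger script, e.g.
    {"files to delete": ["C:\\WINDOWS\\MF_C421.lfa", ...]}."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = f"{m.group(1).lower()} to {m.group(2).lower()}"
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_log_deleted(text):
    """Return the set of paths (case-folded, since NTFS paths are
    case-insensitive) that the log confirms as deleted."""
    deleted = set()
    for raw in text.splitlines():
        m = DELETED_RE.match(raw.strip())
        if m:
            deleted.add(m.group("path").lower())
    return deleted


def needs_two_reboots(sections):
    """Per the post: a Drivers to delete:/disable: section means The
    Avenger needs two reboots (and a deliberate BSOD on the first)."""
    return any(name.startswith("drivers to ") for name in sections)


def verify(script_text, log_text):
    """Compare requested file deletions with what the log confirms.
    Returns (confirmed, unconfirmed, unexpected), each a sorted list of
    case-folded paths. 'unexpected' lists deletions the script never
    requested, which should always be empty for a faithful run."""
    requested = {p.lower() for p in parse_script(script_text).get("files to delete", [])}
    deleted = parse_log_deleted(log_text)
    return (sorted(requested & deleted),
            sorted(requested - deleted),
            sorted(deleted - requested))


# Constructed sample: the two paths from the post plus one placeholder
# path that does not appear in the log, to exercise the unconfirmed case.
SAMPLE_SCRIPT = r"""Files to delete:
C:\WINDOWS\MF_C421.lfa
C:\WINDOWS\MF_C420.lfa
C:\WINDOWS\placeholder_not_removed.lfa
"""

# Constructed from the Avenger log lines quoted later in the thread.
SAMPLE_LOG = r"""Logfile of The Avenger Version 2.0
Platform: Windows XP
*******************
Beginning to process script file:
Rootkit scan active.
No rootkits found!
File "C:\WINDOWS\MF_C421.lfa" deleted successfully.
File "C:\WINDOWS\MF_C420.lfa" deleted successfully.
Completed script processing.
*******************
Finished! Terminate.
"""

if __name__ == "__main__":
    confirmed, unconfirmed, unexpected = verify(SAMPLE_SCRIPT, SAMPLE_LOG)
    print("confirmed  :", confirmed)
    print("unconfirmed:", unconfirmed)   # the placeholder path
    print("unexpected :", unexpected)    # empty for a faithful run
    print("two reboots:", needs_two_reboots(parse_script(SAMPLE_SCRIPT)))
```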


Hi Maurice, and thanks again. Here is the output from the tasks you specified . . . .

Ken

>>>>>>>>>>>>>>>>>>>> Avenger(2).txt . . . . <<<<<<<<<<<<<<<<<<<<

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

No rootkits found!

File "C:\WINDOWS\MF_C421.lfa" deleted successfully.

File "C:\WINDOWS\MF_C420.lfa" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

>>>>>>>>>>>>>>>>>>>> Combo-fix-log.txt . . . . <<<<<<<<<<<<<<<<<<<<

ComboFix 10-03-16.03 - Tammi 03/16/2010 21:17:56.1.1 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1280.591 [GMT -5:00]

Running from: c:\kits\SpyWareCheckers\Combo-Fix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\AUTOLNCH.REG

c:\windows\Downloaded Program Files\f3initialsetup1.0.0.15.inf

c:\windows\Downloaded Program Files\popcaploader.inf

c:\windows\eSellerateEngine.dll

c:\windows\run.log

c:\windows\system32\advpack0.3x3

c:\windows\system32\asycfilt.3x3

c:\windows\system32\RFHelper.dll

c:\windows\system32\SHELLLNK.TLB

.

((((((((((((((((((((((((( Files Created from 2010-02-17 to 2010-03-17 )))))))))))))))))))))))))))))))

.

2010-03-16 18:39 . 2010-03-16 18:39 -------- d-----w- C:\Rooter$

2010-03-16 15:56 . 2010-03-16 15:56 -------- d-----w- c:\program files\ERUNT

2010-03-12 15:18 . 2010-03-12 15:18 -------- d-----w- c:\documents and settings\Tammi\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1

2010-03-12 15:13 . 2010-03-12 15:13 -------- d-----w- c:\program files\Common Files\Adobe AIR

2010-03-12 15:10 . 2010-03-15 13:51 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-03-16 00:28 . 2009-11-16 19:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-03-12 15:11 . 2010-03-12 15:11 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe

2010-03-01 10:14 . 2009-09-22 02:46 3803208 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe

2010-02-16 20:11 . 2010-02-16 20:11 65536 ----a-r- c:\documents and settings\Tammi\Application Data\Microsoft\Installer\{987D1E20-24AE-424F-89F9-2973FC9C2A57}\NewShortcut2.4747EFCD_A8CE_4016_80F6_050BCAD9FE72.exe

2010-02-16 20:11 . 2010-02-16 20:11 49152 ----a-r- c:\documents and settings\Tammi\Application Data\Microsoft\Installer\{987D1E20-24AE-424F-89F9-2973FC9C2A57}\NewShortcut3_CE3444101D0046CBA9F1EEBEFCF138B2.exe

2010-02-16 20:11 . 2010-02-16 20:11 49152 ----a-r- c:\documents and settings\Tammi\Application Data\Microsoft\Installer\{987D1E20-24AE-424F-89F9-2973FC9C2A57}\NewShortcut1_CE3444101D0046CBA9F1EEBEFCF138B2_1.exe

2010-02-16 20:11 . 2010-02-16 20:11 49152 ----a-r- c:\documents and settings\Tammi\Application Data\Microsoft\Installer\{987D1E20-24AE-424F-89F9-2973FC9C2A57}\DatabaseRepair_116B79E778BA4FE8BD6B967DB1BB46F1.exe

2010-02-16 20:11 . 2010-02-16 20:11 45056 ----a-r- c:\documents and settings\Tammi\Application Data\Microsoft\Installer\{987D1E20-24AE-424F-89F9-2973FC9C2A57}\ARPPRODUCTICON.exe

2010-02-04 22:14 . 2009-06-18 02:46 389784 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll

2010-02-04 22:14 . 2009-06-18 02:46 1181328 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe

2010-02-04 16:16 . 2009-06-18 02:46 823928 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe

2010-01-07 21:07 . 2009-11-16 19:19 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-01-07 21:07 . 2009-11-16 19:19 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-01-05 10:00 . 2003-03-31 12:00 832512 ----a-w- c:\windows\system32\wininet.dll

2010-01-05 10:00 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-01-05 10:00 . 2003-03-31 12:00 17408 ------w- c:\windows\system32\corpol.dll

2009-12-31 16:14 . 2003-03-31 12:00 352640 ----a-w- c:\windows\system32\drivers\srv.sys

2008-06-18 03:33 . 2008-06-18 03:33 0 -c--a-w- c:\program files\temp01

2005-11-15 01:45 . 2005-11-15 01:45 774144 -c--a-w- c:\program files\RngInterstitial.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy2]

@="{747E722C-CB46-4a9d-BDFE-192AAD5099B1}"

[HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4a9d-BDFE-192AAD5099B1}]

2010-01-04 17:36 2848568 ----a-w- c:\program files\MozyHome\mozyshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy3]

@="{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}"

[HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}]

2010-01-04 17:36 2848568 ----a-w- c:\program files\MozyHome\mozyshell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-03-23 67128]

"PDFSaver"="c:\program files\PDF-XChange 2.5\PDFSaver.exe" [2003-02-21 61440]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-14 68856]

"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2008-01-22 152872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"C-Media Mixer"="Mixer.exe" [2002-10-15 1818624]

"Opware12"="c:\program files\ScanSoft\OmniPagePro12.0\Opware12.exe" [2002-08-01 49152]

"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632]

"zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2004-03-18 892928]

"EM_EXEC"="c:\progra~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2002-07-09 28672]

"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2004-11-28 65536]

"RoxioDragToDisc"="c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2004-11-28 868352]

"RoxioAudioCentral"="c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2004-11-28 319488]

"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-30 155648]

"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2006-05-05 36864]

"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2006-05-05 40960]

"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-23 94208]

"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 139320]

"WinVNC"="c:\program files\UltraVNC\winvnc.exe" [2005-08-07 974848]

"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-05-28 570664]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]

"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-01-27 788880]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"RunNarrator"="Narrator.exe" [2006-10-04 53760]

"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

c:\documents and settings\Tammi\Start Menu\Programs\Startup\

ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

FA-950.lnk - c:\fa-950\BIN\Klslink.exe [2004-2-27 65536]

HP Digital Imaging Monitor.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]

HP Image Zone Fast Start.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe [2004-11-4 53248]

Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-3-23 67128]

MozyHome Status.lnk - c:\program files\MozyHome\mozystat.exe [2010-1-4 2893624]

TabletWorks.lnk - c:\program files\GTCO CalComp\TabletWorks\TWCP.exe [2005-3-7 933888]

ymetray.lnk - c:\program files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2008-2-5 54512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"DisableStatusMessages"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"LoadAppInit_DLLs"=1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0sprestrt\0sprestrt\0lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Real\\RealOne Player\\realplay.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\WINDOWS\\system32\\spoolsv.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"c:\\WINDOWS\\system32\\ftp.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

"21:TCP"= 21:TCP:*:Disabled:ftp

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [4/8/2009 9:46 PM 64288]

R0 mrfoldr;MirrorFolder real-time replication driver;c:\windows\system32\drivers\mrfoldr.sys [7/19/2004 12:05 PM 53632]

R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [1/16/2007 1:00 AM 58464]

R1 WebDriveFSD;WebDrive File System Driver;c:\program files\WebDrive\rffsd.sys [9/7/2002 4:28 PM 67204]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 6:17 AM 1181328]

R2 mfsyncsv;MirrorFolder auto-synchronization service;c:\windows\system32\mfsyncsv.exe [7/19/2004 7:05 PM 98304]

R3 Klsmpad;Klsmpad Device;c:\windows\system32\drivers\Klsmpad.sys [2/27/2004 4:55 PM 24142]

S2 gupdate1c9e4a13256cfec;Google Update Service (gupdate1c9e4a13256cfec);c:\program files\Google\Update\GoogleUpdate.exe [6/3/2009 6:15 PM 133104]

S3 ctlsb16;Creative SB16/AWE32/AWE64 Driver (WDM);c:\windows\system32\drivers\ctlsb16.sys [8/29/2002 2:41 PM 96256]

S3 DCamUSBOvt;Intel Play Me2Cam;c:\windows\system32\drivers\Me2Cam.sys [5/21/2005 10:45 PM 72556]

S3 EL59X;3Com Fast EtherLink 59x Adapter Driver;c:\windows\system32\DRIVERS\el59x.sys --> c:\windows\system32\DRIVERS\el59x.sys [?]

S3 scsiscan;SCSI Scanner Driver;c:\windows\system32\DRIVERS\scsiscan.sys --> c:\windows\system32\DRIVERS\scsiscan.sys [?]

S3 WBMSA;Winbond Memory Stick Storage (MS) Device Driver - A;c:\windows\system32\drivers\wbmsa.sys [9/17/2002 11:21 PM 24214]

S4 RFNP32;WebDrive Provider; [x]

.

Contents of the 'Scheduled Tasks' folder

2010-03-17 c:\windows\Tasks\Ad-Aware Update (Daily 1).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 16:16]

2010-03-17 c:\windows\Tasks\Ad-Aware Update (Daily 2).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 16:16]

2010-03-17 c:\windows\Tasks\Ad-Aware Update (Daily 3).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 16:16]

2010-03-17 c:\windows\Tasks\Ad-Aware Update (Daily 4).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 16:16]

2010-03-17 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 16:16]

2010-03-10 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-03-01 c:\windows\Tasks\BackupTammiStuff.job

- c:\windows\system32\ntbackup.exe [2003-03-31 07:56]

2010-03-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-03 23:15]

2010-03-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-03 23:15]

2002-09-30 c:\windows\Tasks\TASK20020930010621.job

- c:\program files\WS_FTP Pro\ftpsync.exe [2002-09-30 18:56]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/webhp?sourceid=navclient&ie=UTF-8

uDefault_Search_Url = hxxp://www.google.com/ie

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = 127.0.0.1;localhost;*.local

uCustomizeSearch = about:blank

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm

IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm

IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm

IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949}

Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: {10101010-1010-1111-1010-101010101011} - mhtml:c:\\WINX.MHT!http://216.240.137.41/counter/ie.exe

DPF: {6054D082-355D-4B47-B77C-36A778899F48} - hxxp://qmedia.xlontech.net/100348/qm/latest/qsp2ieFull06061501.cab

.

- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)

HKLM-Run-AtiPTA - maybe-delete-this-atiptaxx.exe

MSConfigStartUp-Motive SmartBridge - c:\progra~1\SBCLIG~1\SMARTB~1\MotiveSB.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-03-16 21:54

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(592)

c:\windows\system32\wininet.dll

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(664)

c:\windows\system32\wininet.dll

- - - - - - - > 'explorer.exe'(1720)

c:\windows\system32\WININET.dll

c:\program files\ScanSoft\OmniPagePro12.0\ophook12.dll

c:\program files\MozyHome\mozyshell.dll

c:\program files\Logitech\iTouch\iTchHk.dll

c:\windows\system32\ieframe.dll

c:\fa-950\BIN\syshook.dll

c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll

c:\progra~1\Logitech\MOUSEW~1\SYSTEM\LGMOUSHK.dll

c:\windows\system32\WPDShServiceObj.dll

c:\program files\WS_FTP Pro\nsftpch.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Common Files\InterVideo\DeviceService\DevSvc.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\program files\Network Associates\Common Framework\FrameworkService.exe

c:\progra~1\NETWOR~1\COMMON~1\naPrdMgr.exe

c:\program files\Network Associates\VirusScan\vstskmgr.exe

c:\program files\MozyHome\mozybackup.exe

c:\windows\system32\IoctlSvc.exe

c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

c:\windows\System32\wbem\unsecapp.exe

c:\windows\system32\Ati2evxx.exe

c:\windows\system32\wscntfy.exe

c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe

c:\program files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe

c:\progra~1\Yahoo!\MESSEN~1\ymsgr_tray.exe

c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe

c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqgalry.exe

c:\program files\Java\jre6\bin\jucheck.exe

.

**************************************************************************

.

Completion time: 2010-03-16 22:05:15 - machine was rebooted

ComboFix-quarantined-files.txt 2010-03-17 03:05

Pre-Run: 18,721,529,856 bytes free

Post-Run: 18,741,071,872 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - E015FFA60C2D740A569B57C72BE02F60


Close and Save any open documents/files you have open. Close any programs you started yourself.

Let these tools run without your starting any other tasks.

Do this:

1. Open Internet Explorer.

2. Click "Tools," and then click "Internet Options."

3. Click "Connections," and then click "LAN Settings."

4. Make sure the check boxes for "Automatically detect settings" and "Use automatic configuration script" are not selected.

Next step

Download to your Desktop FixPolicies.exe, by Bill Castner, MS-MVP, a self-extracting ZIP archive from

>>> here <<<

  • Double-click FixPolicies.exe.
  • Click the "Install" button on the bottom toolbar of the box that will open.
  • The program will create a new Folder called FixPolicies.
  • Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
  • A black box will briefly appear and then close.
  • This fix may prove temporary. Active malware may revert these changes at your next startup. You can safely run the utility again.

Step 2

Start your MBAM MalwareBytes' Anti-Malware.

Click the Settings Tab. Make sure all option lines have a checkmark.

When done, click the Scanner tab.

Do a FULL Scan.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Reply with copy of MBAM latest log for my review. There will be more to do later.


Hi Maurice,

Step 1 went fine. Step 2, MBAM launches and then exits after a couple of seconds (before I can click any options), just like before. I tried reinstalling MBAM and checked the launch MBAM check-box at the end of installation . . . same results. I also tried it again after repeating Step 1 . . . same results.

Ken


Ken,

I'd like for you to un-install MBAM and get a special version, using the following procedures.

A) If you purchased MBAM, make sure you have saved your MBAM license key and ID --from the document you got after MBAM purchase. Otherwise, check the About Tab in MBAM.

If you did not purchase MBAM, disregard step A.

B) Go to Control Panel > Add-or-Remove Programs. Locate the entry for Malwarebytes MBAM. Now de-install it.

C) Logoff and Restart Windows for a new start.

D) Download & Save and then run the MBAM Clean utility.

It should prompt you to Restart the system. Do so. If there's no prompt, do Logoff and Restart fresh.

E) Please try this version of malwarebytes: Click the link here

Save it on your desktop. You'll see it will have a random name.

Double-click on it, so it will extract the files and will start Malwarebytes automatically.

In case the installer (random named file) won't run either, rename it to KEN.EXE and try again.

When Malwarebytes opens, click the "Update" tab FIRST and select to check for updates in order to get the latest updates.

In case Malwarebytes doesn't open, search for the folder mbam-installer on your desktop, open it and double-click the file winlogon.exe which will be present in there. This should launch Malwarebytes.

Then perform a scan and let it remove what it found. Reboot afterwards (important).

After reboot, post the MBAM log

and tell me, how is your system now?


Hi Maurice,

I did steps B - E (I haven't yet purchased MBAM). On step E, the randomly-named mbam would not stay running, and also if I renamed it to KEN.EXE, it would quit just after launching. Same problem with winlogon.exe in the mbam-installer folder, BUT . . . I found that if I launched winlogon.exe twice (one right after the other), that one of the instances would stay running *IF* I also clicked on the scan button quickly enough. I actually tried that same maneuver a while back but it didn't help then - I'm not sure why it helped this time.

MBAM found 3 infected files and I clicked to remove them and then immediately rebooted.

However, clicking on google search result links is still getting redirected. I've launched MBAM again now - still had to do the double-launch trick to get it to stay up - and we'll see what it finds this time. Takes about an hour to run a full scan. Here, below, is the log from the first MBAM full-scan I ran earlier this evening.

Thanks,

Ken

>>>>>>>>>>>>>> mbam-log.txt <<<<<<<<<<<<<<<

Malwarebytes' Anti-Malware 1.44

Database version: 3878

Windows 5.1.2600 Service Pack 2

Internet Explorer 7.0.5730.13

3/17/2010 9:39:22 PM

mbam-log-2010-03-17 (21-39-12).txt

Scan type: Full Scan (C:\|D:\|F:\|)

Objects scanned: 383460

Time elapsed: 1 hour(s), 6 minute(s), 8 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 3

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Documents and Settings\Tammi\Application Data\Move Networks\MoveMediaPlayer_07103010.exe (Backdoor.Bot) -> No action taken.

C:\System Volume Information\_restore{8D158EE2-D9C9-431C-9BE1-863FB6FF5C9F}\RP1793\A0238577.sys (Rootkit.Agent) -> No action taken.

C:\System Volume Information\_restore{8D158EE2-D9C9-431C-9BE1-863FB6FF5C9F}\RP1793\A0239130.sys (Rootkit.Agent) -> No action taken.


Good going, Ken. I appreciate your persistence in getting MBAM to run under these circumstances.

Since you're running another scan, I'll be looking for the report.

I would suggest you delete

C:\Documents and Settings\Tammi\Application Data\Move Networks\MoveMediaPlayer_07103010.exe <---this file

The other 2 don't count since they are out of the way (not active).


Hi Maurice,

I couldn't find the file you said to remove - I think MBAM already removed it. Since the path where that file was is just a non-essential plug-in, I've removed everything from .\Move Networks\... and below.

The problem with MBAM getting killed after launch is still there. Fortunately the launch-twice-and-click-scan-immediately trick is still working (at least on the winlogon.exe file).

Here's the next log from MBAM (and I clicked to remove the files indicated by MBAM). . . .

Malwarebytes' Anti-Malware 1.44

Database version: 3510

Windows 5.1.2600 Service Pack 2

Internet Explorer 7.0.5730.13

3/18/2010 1:43:07 AM

mbam-log-2010-03-18 (01-43-07).txt

Scan type: Full Scan (C:\|D:\|F:\|)

Objects scanned: 368479

Time elapsed: 1 hour(s), 9 minute(s), 24 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 3

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\malwarebytes anti-malware (reboot) (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\System Volume Information\_restore{8D158EE2-D9C9-431C-9BE1-863FB6FF5C9F}\RP1793\A0238591.exe (Trojan.Banker) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{8D158EE2-D9C9-431C-9BE1-863FB6FF5C9F}\RP1793\A0239141.exe (Trojan.Banker) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{8D158EE2-D9C9-431C-9BE1-863FB6FF5C9F}\RP1793\A0239243.sys (Malware.Trace) -> Quarantined and deleted successfully.

>>>>>>>>>>>>>>>>> <<<<<<<<<<<<<<<<<<<<

And here's the last log from MBAM, which shows a clean system. HOWEVER, I'm still seeing the original symptoms of infection.

Malwarebytes' Anti-Malware 1.44

Database version: 3510

Windows 5.1.2600 Service Pack 2

Internet Explorer 7.0.5730.13

3/18/2010 1:56:28 PM

mbam-log-2010-03-18 (13-56-28).txt

Scan type: Full Scan (C:\|D:\|F:\|)

Objects scanned: 368584

Time elapsed: 1 hour(s), 7 minute(s), 0 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

>>>>>>>>>>>>>>>>>>>> <<<<<<<<<<<<<<<<<

Any thoughts on what to do next?

Thanks!

Ken


The fact that a MBAM scan finds nothing means that the pc is "clear" of issues -- as far as -it- is able to check.

That does not necessarily equate to your system being "clean". No one single tool will catch all malwares.

I'd like you to run an online check at Kaspersky, followed by a try at MBAM update & a new run.

NOTE: It is quite possible this set of infection(s) would have lifted personal & bank information. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Other scans:

First

Scan the system with the Kaspersky Online Scanner

http://www.kaspersky.com/kos/eng/partner/d...kavwebscan.html

Attention: Kaspersky Online Scanner 7.0 may not run successfully while another antivirus program is running. If you have Anti-Virus software installed, please temporarily disable your AV protection before running the Kaspersky Online Scanner. Re-enable it after the scan is finished.

During this run, make sure your browser does not block popup windows. Have patience while some screens populate.

Read the Information block presented on the screen, and then press the Accept button.

1) Accept the agreement

2) The necessary files will be downloaded and installed. Please have plenty of patience.

3) After Kaspersky AntiVirus Database is updated, look at the Scan box.

4) Click the My Computer line

5) Be infinitely patient, the scan is comprehensive and, unlike other online antivirus scanners, will detect all malwares

6) When the scan is completed there will be an option to Save report as a .txt file. Click that button. Copy and paste the report into your reply.

( To see an animated tutorial-how-to on the scan, see >>this link<<)

Re-enable your antivirus program after Kaspersky has finished.

Kaspersky Online Scanner can be uninstalled later on from Add or Remove Programs in the Control Panel, if desired.

Do not be alarmed if Kaspersky tags items that are already in quarantine by MBAM, or ComboFix's Qoobox & quarantine.

Kaspersky is a report only and does not remove files.

Second

Start your MBAM MalwareBytes' Anti-Malware.

Click the Settings Tab. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.

When done, click the Scanner tab.

Do a Quick Scan.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Report

Post back with copies of the Kaspersky.txt report

and the latest MBAM scan log

How is your system now?


Hi Maurice,

I can't get Kaspersky to run on my wife's computer. Actually, I can't even get the web site to come up correctly, and now IE is crashing frequently. Maybe IE is missing a normally-important-but-recently-infected-found-and-removed file?

I'm running Kaspersky from a known-clean computer on my network, pointing to network-mapped drives on my wife's computer. I know that will miss whatever is in RAM and also the registry, but I'm hoping it will at least remove enough infection (via disk files) so that I can do a local scan/clean on my wife's computer. Looks like it will take a VERY long time, longer since it's via the network. But I can be patient. ;-)

In the meantime, I'm going to look through our backup logs and seriously consider restoring my wife's computer to a previous known-clean state. If I'm fortunate, I'll be able to just restore clean versions of now-infected files. But the way things are going, I'm feeling less averse to just wiping the disks and restoring just the personal (i.e., non-system) files. Thank goodness for mozy.com! ;-)

I'll post again when I get a completed Kaspersky scan log, if it finishes early enough today. If not, it will be about a week before I can dive back into this mess - I may be offline until 3/28.

Thanks again for all the help!

Ken


Maybe IE is missing a normally-important-but-recently-infected-found-and-removed file?

NO. There were no files needed by IE that were removed. It is more likely (either) any leftover malware is blocking access, (or) IE is showing a latent browser problem, (or) the system now does not meet all that Kaspersky needs to run.

In any event, IF you have a recent "known clean" full backup of the system, then use the backup restore procedure and follow that up with an updated antivirus and a full scan.

Let me know what you decide.

As you should also know, the long-term-safest way is to pave-wipe the HD and install Windows as a clean install, followed by setup of antivirus app & MBAM, and then your application programs.

As to your current method of scan, obviously you fully know it is not the best way to do it.


Hi Maurice!

The remote-run of Kaspersky finished. It reported a bunch of nasty stuff. I thought I'd be clever and delete the nasty files, but clearly the infection is protecting itself . . . some files I just couldn't delete and at least one file would let me delete it but the file would reappear after a few seconds. So, I thought I'd be even more clever and see if I've learned something from your VERY helpful posts. . . I used Avenger to delete the remaining nasty files! That seems to have worked. I can now launch IE again (I'm posting from IE running on my wife's computer right now), and I was also able to get Kaspersky online scan running directly on my wife's computer. I'll post the log from the local scan when it completes (or that might have to wait a week). For now, here are the logs from what I just finished.

Thanks again!

Ken

>>>>>>>>>>>>>>>>>>>> Kaspersky (remotely-run) log <<<<<<<<<<<<<<<<<<<<

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7.0: scan report

Friday, March 19, 2010

Operating system: Microsoft (build 7600)

Kaspersky Online Scanner version: 7.0.26.13

Last database update: Friday, March 19, 2010 14:38:34

Records in database: 3815708

--------------------------------------------------------------------------------

Scan settings:

scan using the following database: extended

Scan archives: yes

Scan e-mail databases: yes

Scan area - Folder:

M:\

Scan statistics:

Objects scanned: 171377

Threats found: 14

Infected objects found: 23

Suspicious objects found: 6

Scan duration: 08:29:55

File name / Threat / Threats count

M:\Documents and Settings\Tammi\Local Settings\Application Data\Identities\{B11A468A-75A0-4AFC-B54F-4F1605423790}\Microsoft\Outlook Express\Deleted Items.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 2

M:\Documents and Settings\Tammi\Local Settings\Application Data\Identities\{B11A468A-75A0-4AFC-B54F-4F1605423790}\Microsoft\Outlook Express\Inbox.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 1

M:\Documents and Settings\Tammi\Local Settings\Application Data\Identities\{B11A468A-75A0-4AFC-B54F-4F1605423790}\Microsoft\Outlook Express\PayPal Fraud.dbx Infected: Email-Worm.Win32.Mydoom.e 2

M:\Documents and Settings\Tammi\Local Settings\Application Data\Identities\{B11A468A-75A0-4AFC-B54F-4F1605423790}\Microsoft\Outlook Express\Sent Items.dbx Infected: Email-Worm.Win32.Mydoom.e 2

M:\Documents and Settings\Tammi\Local Settings\Application Data\Microsoft\Outlook\Exchange\MAILBOX.PST Suspicious: Trojan-Spy.HTML.Fraud.gen 3

M:\Documents and Settings\Tammi\Local Settings\Application Data\Microsoft\Outlook\Exchange\MAILBOX.PST Infected: Email-Worm.Win32.Mydoom.e 2

M:\Documents and Settings\Tammi\Local Settings\Temp\bvnr.tmp Infected: Trojan-PSW.Win32.Kates.cu 1

M:\Kits\kadellin-bx1\Parent\UltraVNC-102-Setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c 2

M:\Kits\kadellin-bx1\Parent\UltraVNC-102-Setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 1

M:\Overpro-401.exe Infected: not-a-virus:AdWare.Win32.AdSrve.b 1

M:\Overpro-401.exe Infected: not-a-virus:AdWare.Win32.AdSrve.c 2

M:\Overpro-401.exe Infected: Trojan.Win32.Runner.d 1

M:\Overpro-401.exe Infected: Trojan.Win32.VB.od 1

M:\Program Files\UltraVNC\vnchooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.e 1

M:\Program Files\UltraVNC\winvnc.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.e 1

M:\System Volume Information\_restore{8D158EE2-D9C9-431C-9BE1-863FB6FF5C9F}\RP1789\A0238339.exe Infected: Trojan-PSW.Win32.Kates.cb 1

M:\System Volume Information\_restore{8D158EE2-D9C9-431C-9BE1-863FB6FF5C9F}\RP1791\A0238394.exe Infected: Trojan-PSW.Win32.Kates.ct 1

M:\System Volume Information\_restore{8D158EE2-D9C9-431C-9BE1-863FB6FF5C9F}\RP1792\A0238411.exe Infected: Trojan-PSW.Win32.Kates.ct 1

M:\VNC\vnc-4_1_3-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.ad 2

M:\WINDOWS\system32\wstart3.vbs Infected: Trojan.VBS.KillAV.h 1

Selected area has been scanned.

>>>>>>>>>>>>>>>>>>>> Avenger log <<<<<<<<<<<<<<<<<<<<

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

No rootkits found!

File "C:\Documents and Settings\Tammi\Local Settings\Temp\bvnr.tmp" deleted successfully.

File "C:\Kits\kadellin-bx1\Parent\UltraVNC-102-Setup.exe" deleted successfully.

File "C:\Overpro-401.exe" deleted successfully.

File "C:\Program Files\UltraVNC\vnchooks.dll" deleted successfully.

File "C:\Program Files\UltraVNC\winvnc.exe" deleted successfully.

File "C:\VNC\vnc-4_1_3-x86_win32.exe" deleted successfully.

File "C:\Windows\system32\wstart3.vbs" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


Do NOT use the Avenger tool on your own! You may well inadvertently cause harm and render your system useless.

I would ask you to check with me before deleting things.

If and only if you cannot get a hold of me and there is an emergency AND you are absolutely sure a file is malicious, I would mention Killbox

download the Killbox.zip <---here

or here --> http://killbox.net/downloads/killbox.exe

Killbox allows you to specify a file to be deleted

But let me make it clear, if you use it, you use it at your own risk.



Hi Maurice,

I'm back. Your points are well taken. I figured - in MY case - the risk was acceptable since I was on the verge of deciding to wipe the system and piece things together from backups. That said, I'm happy to find that the computer is still at least as functional as it was before I got trigger happy. :)

I ran another full Kaspersky online scan. Started it before I left a week ago, and now have the report (see below). I think it is mostly reporting infections in areas that *may* be less harmful (e.g., backup copies of infected files vs "live" infections). Based on what you've seen here, do you think a purchased copy of Kaspersky Anti-Virus 2010 + Kaspersky Internet Security 2010 would have fully detected and cleaned this computer's infections? Possibly prevented the infections? Or limited the severity of the infections or reduced the amount of time / effort required to eliminate the infections? If so, my wife suggests it would be money well spent.

Here's the latest scan report. Please let me know what steps I should take next. And thanks again for all your help!

Ken

- - - - - - - - - - - - - -

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7.0: scan report

Sunday, March 28, 2010

Operating system: Microsoft Windows XP Professional Service Pack 2 (build 2600)

Kaspersky Online Scanner version: 7.0.26.13

Last database update: Saturday, March 20, 2010 06:17:53

Records in database: 3822046

--------------------------------------------------------------------------------

Scan settings:

scan using the following database: extended

Scan archives: yes

Scan e-mail databases: yes

Scan area - My Computer:

A:\

C:\

D:\

E:\

F:\

Scan statistics:

Objects scanned: 201615

Threats found: 13

Infected objects found: 19

Suspicious objects found: 0

Scan duration: 06:55:17

File name / Threat / Threats count

C:\System Volume Information\_restore{8D158EE2-D9C9-431C-9BE1-863FB6FF5C9F}\RP1796\A0239644.exe Infected: not-a-virus:AdWare.Win32.AdSrve.b 1

C:\System Volume Information\_restore{8D158EE2-D9C9-431C-9BE1-863FB6FF5C9F}\RP1796\A0239644.exe Infected: not-a-virus:AdWare.Win32.AdSrve.c 2

C:\System Volume Information\_restore{8D158EE2-D9C9-431C-9BE1-863FB6FF5C9F}\RP1796\A0239644.exe Infected: Trojan.Win32.Runner.d 1

C:\System Volume Information\_restore{8D158EE2-D9C9-431C-9BE1-863FB6FF5C9F}\RP1796\A0239644.exe Infected: Trojan.Win32.VB.od 1

C:\System Volume Information\_restore{8D158EE2-D9C9-431C-9BE1-863FB6FF5C9F}\RP1796\A0239645.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c 2

C:\System Volume Information\_restore{8D158EE2-D9C9-431C-9BE1-863FB6FF5C9F}\RP1796\A0239645.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 1

C:\System Volume Information\_restore{8D158EE2-D9C9-431C-9BE1-863FB6FF5C9F}\RP1796\A0239646.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.ad 2

C:\System Volume Information\_restore{8D158EE2-D9C9-431C-9BE1-863FB6FF5C9F}\RP1796\A0239647.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.e 1

C:\System Volume Information\_restore{8D158EE2-D9C9-431C-9BE1-863FB6FF5C9F}\RP1796\A0239648.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.e 1

C:\System Volume Information\_restore{8D158EE2-D9C9-431C-9BE1-863FB6FF5C9F}\RP1796\A0239649.vbs Infected: Trojan.VBS.KillAV.h 1

D:\Kits\STT\standardsetup.exe Infected: Trojan.Win32.Clicker.a 1

D:\Kits\Util\UltraVnc-101-Setup.zip Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.e 2

F:\backups\it\20070524\DAS\Tammi\Local Settings\Application Data\Identities\{8D32DF8B-D3B8-4783-A0C5-FE37E2FC8659}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Trojan-Spy.HTML.Bayfraud.ib 1

F:\backups\it\20070524\DAS\Tammi\Local Settings\Application Data\Identities\{8D32DF8B-D3B8-4783-A0C5-FE37E2FC8659}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Email-Worm.Win32.Sobig.a 1

F:\backups\it\20070524\DAS\Tammi\Local Settings\Application Data\Identities\{8D32DF8B-D3B8-4783-A0C5-FE37E2FC8659}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Email-Worm.Win32.Tanatos.b.dam 1

Selected area has been scanned.


Hi Maurice,

I downloaded the trial version of Kaspersky Internet Security 2010 and ran a full scan. It cleaned up the items from the previous online scan plus a few additional items. The scans are now clean, and as far as I can tell, my wife's computer is fully functional again.

Thanks VERY MUCH for all the help!

Ken


Regarding the report from the Kaspersky scan:

What it tagged in the system restore folders is not of concern, since those are out of the way & will be flushed here.

Run Disk Cleanup with the System Restore Cleanup as outlined here by Bert Kinney, MS MVP

http://bertk.mvps.org/html/diskclean.html

On the others:

D:\Kits\STT\standardsetup.exe Infected: Trojan.Win32.Clicker.a 1

D:\Kits\Util\UltraVnc-101-Setup.zip Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.e 2

You need to see what those 2 are for in that folder. Surely scan them with your antivirus.

These last items are email items in the Deleted items folder of Outlook Express. Use Outlook Express and empty the Deleted items folder.

F:\backups\it\20070524\DAS\Tammi\Local Settings\Application Data\Identities\{8D32DF8B-D3B8-4783-A0C5-FE37E2FC8659}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Trojan-Spy.HTML.Bayfraud.ib 1

F:\backups\it\20070524\DAS\Tammi\Local Settings\Application Data\Identities\{8D32DF8B-D3B8-4783-A0C5-FE37E2FC8659}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Email-Worm.Win32.Sobig.a 1

F:\backups\it\20070524\DAS\Tammi\Local Settings\Application Data\Identities\{8D32DF8B-D3B8-4783-A0C5-FE37E2FC8659}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Email-Worm.Win32.Tanatos.b.dam 1

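As an added example, not code from this thread or from Malwarebytes or Kaspersky, here is a small Python triage script that applies the helper's rule of thumb from his two classification posts above (the "other 2 don't count" remark on the first MBAM log, and the breakdown of the Kaspersky report just above): it parses MBAM 1.4x and Kaspersky Online Scanner 7 detection lines, buckets each hit by where it lives (restore-point copies and tool quarantines are inactive, mail-store hits sit inside a mailbox, the rest are live files or autostart entries) and lists what still needs attention, bearing in mind that the Kaspersky online scanner only reports. The quarantine paths (Qoobox, C:\Avenger) and the category labels are assumptions; the sample lines are copied from the logs posted in this thread.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Kaspersky Online Scanner 7 report line:  "<path> Infected|Suspicious: <threat> <count>"
KASPERSKY_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<status>Infected|Suspicious):\s+(?P<threat>\S+)\s+(?P<count>\d+)$"
)
# MBAM 1.4x log line:  "<file path or registry value> (<threat>) -> <action>."
MBAM_RE = re.compile(r"^(?P<path>.+?)\s+\((?P<threat>[^()]+)\)\s+->\s+(?P<action>.+?)\.?$")


@dataclass
class Detection:
    source: str    # "kaspersky" or "mbam"
    path: str
    threat: str
    outcome: str   # Kaspersky status ("Infected"/"Suspicious") or the MBAM action text
    category: str


def classify_path(path: str) -> str:
    """Bucket a detection by where it lives, following the triage used in the
    thread: restore-point copies and tool quarantines are out of the way, mail
    stores hold the sample inside a mailbox, the rest are live files or autostarts."""
    p = path.lower()
    if p.startswith("hkey_"):
        return "registry autostart value"
    if "\\system volume information\\_restore" in p:
        return "restore-point copy (inactive, flushed by System Restore cleanup)"
    # Assumed quarantine locations: ComboFix's Qoobox folder and Avenger's C:\Avenger backups.
    if "\\qoobox\\" in p or p.startswith("c:\\avenger"):
        return "tool quarantine (already neutralised)"
    if p.endswith((".dbx", ".pst")):
        return "mail store (empty the folder in the mail client)"
    if "\\system32\\" in p or "\\temp\\" in p:
        return "live file in a system or temp location"
    return "live file"


def parse_line(line: str) -> Optional[Detection]:
    """Parse one detection line from either tool; headers, separators and the
    '(No malicious items detected)' filler return None."""
    line = line.strip()
    m = KASPERSKY_RE.match(line)
    if m:
        return Detection("kaspersky", m["path"], m["threat"], m["status"], classify_path(m["path"]))
    m = MBAM_RE.match(line)
    if m:
        return Detection("mbam", m["path"], m["threat"], m["action"], classify_path(m["path"]))
    return None


def needs_action(d: Detection) -> bool:
    """Kaspersky Online Scanner is report-only (as the helper notes in the thread),
    so every live hit it lists still has to be dealt with; an MBAM hit is done
    once its action says it was quarantined or deleted."""
    if d.category.startswith(("restore-point", "tool quarantine")):
        return False
    if d.source == "mbam":
        return not d.outcome.lower().startswith(("quarantined", "delete"))
    return True


def triage(lines: List[str]) -> Dict[str, List[Detection]]:
    """Group every parsable detection line by category."""
    buckets: Dict[str, List[Detection]] = defaultdict(list)
    for line in lines:
        d = parse_line(line)
        if d is not None:
            buckets[d.category].append(d)
    return dict(buckets)


def action_items(lines: List[str]) -> List[str]:
    """Paths or registry values that still need attention after the scans."""
    return [d.path for d in map(parse_line, lines) if d is not None and needs_action(d)]


# Sample lines copied from the MBAM and Kaspersky logs posted in this thread.
SAMPLE_KASPERSKY = [
    r"M:\Documents and Settings\Tammi\Local Settings\Temp\bvnr.tmp Infected: Trojan-PSW.Win32.Kates.cu 1",
    r"M:\System Volume Information\_restore{8D158EE2-D9C9-431C-9BE1-863FB6FF5C9F}\RP1789\A0238339.exe Infected: Trojan-PSW.Win32.Kates.cb 1",
    r"M:\Documents and Settings\Tammi\Local Settings\Application Data\Identities\{B11A468A-75A0-4AFC-B54F-4F1605423790}\Microsoft\Outlook Express\Inbox.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 1",
    r"M:\WINDOWS\system32\wstart3.vbs Infected: Trojan.VBS.KillAV.h 1",
    "Selected area has been scanned.",
]
SAMPLE_MBAM = [
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\malwarebytes anti-malware (reboot) (Trojan.Agent) -> Quarantined and deleted successfully.",
    r"C:\Documents and Settings\Tammi\Application Data\Move Networks\MoveMediaPlayer_07103010.exe (Backdoor.Bot) -> No action taken.",
    r"C:\System Volume Information\_restore{8D158EE2-D9C9-431C-9BE1-863FB6FF5C9F}\RP1793\A0238577.sys (Rootkit.Agent) -> No action taken.",
    "(No malicious items detected)",
]

if __name__ == "__main__":
    for category, hits in triage(SAMPLE_KASPERSKY + SAMPLE_MBAM).items():
        print(f"{category}:")
        for d in hits:
            print(f"  [{d.source}] {d.threat:<32} {d.path}")
    print("\nStill needs action:")
    for path in action_items(SAMPLE_KASPERSKY + SAMPLE_MBAM):
        print("  " + path)
```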

Hi Maurice,

The files in \Kits\... are simply installation kits for various software tools or products. The two in question are expendable and probably not the latest versions anyway, so I'll just delete them along with the other content in those folders.

Also, we aren't using Outlook Express (it came pre-installed on the computer and we used it very briefly), so I'm thinking it best to uninstall OE and then delete any remaining OE-related files.

. . . and then I'll do another Disk Cleanup!

Thanks again!

Ken


Hello Ken,

I see that you are clear of your original issues.

If you have a problem with these steps, or something does not quite work here, do let me know.

De-install your Adobe Reader: Use Control Panel's Add-Remove programs, Remove Adobe Reader.

De-install also Kaspersky Online

Exit Control Panel.

Older versions of Adobe Reader pose a potential security risk.

Get latest Adobe Reader from http://get.adobe.com/reader/

Be sure to un-check the box for Free McAfee Security Scan

See this topic in the AumHa Security forum and get the latest Java run-time

http://aumha.net/viewtopic.php?f=26&t=43700

The following few steps will remove tools we used; followed by advice on staying safer.

We have to remove Combofix and all its associated folders. By whichever name you named it (you had named it combo-fix), put that name in the command box stated just below.

The "/uninstall" in the Run line below is to start Combofix for its cleanup & removal function.

Note the space after exe and before the slash mark.

The utility must be removed to prevent any un-intentional or accidental usage, PLUS, to free up much space on your hard disk.

  • Click Start, then click Run. Then type in
    CMD

    and press Enter-key.
    This will open a command-prompt window.
    In the command box that opens, type or copy/paste
    c:\kits\SpyWareCheckers\Combo-Fix.exe /uninstall
    and then press ENTER key.

Close command prompt window.

  • Please double-click OTL to start it.
  • Click on the CleanUp! button at upper Right corner. When you do this a text file named cleanup.txt will be downloaded from the internet. If you get a warning from your firewall or other security programs regarding OTL attempting to contact the internet you should allow it to do so. After the list has been downloaded you'll be asked if you want to Begin cleanup process? Select Yes.
  • This step removes the files, folders, and shortcuts created by the tools I had you download and run.

We are finished here. Best regards.

