
Malware Doctor and MySecurityEngine



I have no idea how or why, but a computer that we use as a POS register in a paint store has contracted these two items. I have used MBAM in the past and it has worked like a charm every time, but this problem seems a bit beyond me. There is a similar thread going on here now that I have read through, and in addition to having no internet connection to update MBAM, I am also unable to even run RKill or MBAM or anything else, because I get messages that the programs can't open because they are infected files. I have a clean PC right here next to it that I can use to download files with, but I am at a loss as to where to start. Any other time I just run RKill, then MBAM, and voila! It's fixed. But not this time!

Ryan


OK, something is really wrong with this computer.

I downloaded and ran OTH from a flash drive and then tried to "start OTL" and got a message that said that "otl.exe is infected and must be closed", and it won't let me run that or any other programs.

I really need help with this one. I'm close to format c:.

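The OTL log in the next post contains several distinct mechanisms that are worth pulling out of it before touching anything: IFEO Debugger values that redirect security tools to svchost.exe (the O27 lines), an HKCU proxy on 127.0.0.1:5555, a static NameServer that overrides the DHCP-assigned resolver with public addresses (O17), Run keys and a service that launch publisher-less binaries with generated names from Temp and Local Settings (O4, SRV), a BHO and a SharedTaskScheduler entry that share one publisher-less DLL (O2, O22), policies that disable regedit and Folder Options (O7), a 262 KB hosts file with the R/H/S attributes set, and System Restore disabled. As an added example, not part of this thread and not OTL's own code, the Python script below scans OTL-formatted lines for those classes of entry and grades each as "high" (act on it) or "review" (confirm first). The heuristics are the example author's assumptions: the list of user-writable directories, the random-looking-name test, and the RFC 1918 check. The sample lines are copied, abridged, from the log in the thread.

```python
# Added triage example for OTL-style logs; the heuristics are the example
# author's own, and the sample lines are abridged from the log in this thread.
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str    # "high": act on it; "review": confirm before acting
    category: str
    detail: str


USER_WRITABLE = ("\\local settings\\temp\\",              # assumption: dirs a
                 "\\local settings\\application data\\",  # legitimate autostart
                 "\\application data\\")                  # almost never uses
LOCKOUT = ("DisableRegistryTools = 1", "NoFolderOptions = 1", "DisableTaskMgr = 1")


def private_ip(ip):
    return bool(re.match(r"(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)", ip))


def autostart_name(line):
    """Display name OTL shows for an O4 [name], SRV/O2 (name) or O22 entry."""
    m = (re.search(r"\[([^\]]+)\]", line)
         or re.match(r"O22 - SharedTaskScheduler: \{[^}]+\} - (.+?) - ", line)
         or re.search(r"\(([^)]+)\)", line))
    return m[1] if m else ""


def looks_random(name):
    """8+ chars mixing letters and digits, no spaces: a generated-looking name."""
    stem = name.rsplit("\\", 1)[-1].split(".")[0]
    return bool(len(stem) >= 8 and re.search(r"\d", stem)
                and re.search(r"[A-Za-z]", stem) and not re.search(r"[ _]", stem))


def triage(lines):
    out, dhcp, static, hosts, loop = [], None, None, None, 0
    for raw in lines:
        line = raw.strip()
        # O27: Windows runs the "debugger" instead of the named program, and
        # svchost.exe just exits, so each listed security tool dies at launch.
        if m := re.match(r"O27 - HKLM IFEO\\(\S+): Debugger - (\S+)", line):
            out.append(Finding("high", "ifeo-debugger", f"{m[1]} -> {m[2]}"))
        # HKCU proxy on a loopback port: a local process sits between IE and the net.
        elif (m := re.search(r'"ProxyServer" = (\S+)', line)) and \
                re.search(r"127\.0\.0\.1|localhost", m[1]):
            out.append(Finding("high", "localhost-proxy", m[1]))
        elif m := re.search(r"Parameters: DhcpNameServer = (\S+)", line):
            dhcp = m[1]
        elif m := re.search(r"Parameters: NameServer = (\S+)", line):
            static = m[1]
        elif m := re.match(r"O1 HOSTS File: \(\[([^|]+)\| ([\d,]+) \| (\S+) \|", line):
            hosts = (m[1].strip(), int(m[2].replace(",", "")), m[3])
        elif m := re.match(r"O1 - Hosts: (\d+\.\d+\.\d+\.\d+) (\S+)", line):
            if m[1] in ("127.0.0.1", "0.0.0.0"):
                loop += 1                      # blocklist style, not a redirect
            else:
                out.append(Finding("high", "hosts-redirect", f"{m[2]} -> {m[1]}"))
        # Run keys, services, BHOs and SharedTaskScheduler entries whose binary has
        # no company name "()": high if it runs from a user-writable directory or
        # carries a generated-looking name, otherwise review.
        elif line.startswith(("O4 -", "SRV -", "O2 -", "O22 -")) and line.endswith("()"):
            bad = any(d in line.lower() for d in USER_WRITABLE) or looks_random(autostart_name(line))
            out.append(Finding("high" if bad else "review", "no-publisher-autostart", line))
        # O7: policies that lock the user out of regedit, Folder Options, Task Manager.
        elif line.startswith("O7 -") and any(p in line for p in LOCKOUT):
            out.append(Finding("high", "lockout-policy", line.split(": ")[-1]))
        elif line.startswith("Error starting restore point"):
            out.append(Finding("review", "restore-disabled", line))
    # A static resolver list that overrides DHCP with public addresses: DNS changer.
    if static and static != dhcp and any(not private_ip(ip) for ip in static.split(",")):
        out.append(Finding("high", "dns-override", f"static {static} overrides DHCP {dhcp}"))
    if hosts:
        # Thousands of 127.0.0.1 lines usually mean a blocklist (Spybot-style
        # immunization), so a large hosts file is a review item, not proof of
        # infection; the R/H/S attributes and modification time are what to check.
        out.append(Finding("review", "hosts-file", f"{hosts[1]} bytes, attrs {hosts[2]}, "
                           f"modified {hosts[0]}, {loop} loopback entries seen"))
    return out


def summarize(findings):
    return Counter(f.category for f in findings)


# Constructed sample: lines copied (abridged) from the OTL log in the thread.
SAMPLE_LOG = r"""
SRV - (MSWU-f36decbb) -- C:\WINDOWS\system32\f36decbb.exe ()
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555
O1 HOSTS File: ([2010/06/22 07:09:06 | 000,262,631 | RHS- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 www.007guard.com
O2 - BHO: (C:\WINDOWS\system32\gwd7v3zw2f.dll) - {C7BA40A1-74F2-52BD-F411-04B15A2C8953} - C:\WINDOWS\system32\gwd7v3zw2f.dll ()
O4 - HKLM..\Run: [ufSeAgnt.exe] C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe (Trend Micro Inc.)
O4 - HKCU..\Run: [hsfg9w8gujsokgahi8gysgnsdgefshyjy] C:\Documents and Settings\Paladin User\Local Settings\Temp\mdm.exe ()
O4 - HKCU..\Run: [QZAIB7KITK] C:\WINDOWS\Vhuqya.exe ()
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.165.167,93.188.161.171
O22 - SharedTaskScheduler: {C7BA40A1-74F2-52BD-F411-04B15A2C8953} - har98fefiesjfs93s8i9sejsdf - C:\WINDOWS\system32\gwd7v3zw2f.dll ()
O27 - HKLM IFEO\MsMpEng.exe: Debugger - svchost.exe (Microsoft Corporation)
Error starting restore point: System Restore is disabled.
""".strip().splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.category:23} {f.detail}")
```

Run against a full OTL.txt it prints one line per finding; on the sample every no-publisher autostart comes out "high" because each one either lives under Temp or Local Settings or has a generated-looking name, while the Trend Micro Run entry is left alone because OTL recorded a company name for it. The hosts file and the disabled System Restore are deliberately only "review": the visible hosts entries all point at 127.0.0.1, which is what a blocklist does, so the size alone proves nothing.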

Here are my two log files. The first is from the OTL scan and the second is from GMER.

OTL logfile created on: 6/22/2010 10:15:10 AM - Run 1

OTL by OldTimer - Version 3.2.5.0 Folder = C:\Documents and Settings\Paladin User\Desktop

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 7.0.5730.13)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

981.00 Mb Total Physical Memory | 703.00 Mb Available Physical Memory | 72.00% Memory free

3.00 Gb Paging File | 3.00 Gb Available in Paging File | 92.00% Paging File free

Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 149.01 Gb Total Space | 134.96 Gb Free Space | 90.57% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

Drive E: | 1.86 Gb Total Space | 1.86 Gb Free Space | 99.94% Space Free | Partition Type: FAT

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Drive P: | 232.81 Gb Total Space | 159.10 Gb Free Space | 68.34% Space Free | Partition Type: NTFS

Computer Name: TERMINAL-4

Current User Name: Paladin User

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Paladin User\Desktop\OTL.exe (OldTimer Tools)

PRC - C:\Documents and Settings\Paladin User\Desktop\OTH.scr (OldTimer Tools)

PRC - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe (Trend Micro Inc.)

PRC - C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe (Microsoft Corporation)

PRC - C:\WINDOWS\system32\spool\drivers\w32x86\3\HP1006MC.EXE (Software 2000 Limited)

PRC - C:\Program Files\Intel\AMT\UNS.exe (Intel)

PRC - C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe (The Firebird Project)

========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Paladin User\Desktop\OTL.exe (OldTimer Tools)

MOD - C:\WINDOWS\system32\msscript.ocx (Microsoft Corporation)

========== Win32 Services (SafeList) ==========

SRV - (MSWU-f36decbb) -- C:\WINDOWS\system32\f36decbb.exe ()

SRV - (MSWU-e505e9f9) -- C:\WINDOWS\system32\e505e9f9.exe ()

SRV - (SfCtlCom) -- C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe (Trend Micro Inc.)

SRV - (TmProxy) -- C:\Program Files\Trend Micro\Internet Security\TmProxy.exe (Trend Micro Inc.)

SRV - (SeaPort) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe (Microsoft Corporation)

SRV - (GoToAssist) -- C:\Program Files\Citrix\GoToAssist\570\g2aservice.exe (Citrix Online, a division of Citrix Systems, Inc.)

SRV - (TMBMServer) -- C:\Program Files\Trend Micro\BM\TMBMSRV.exe (Trend Micro Inc.)

SRV - (PortEmulatorHSP7000) Port Emulator (HSP7000) -- C:\Program Files\StarMicronics\HSP7000\Software\VirtualPortEmulator\Software\VSPEU\portemu_umdf.exe (Star Micronics Co., Ltd.)

SRV - (IAANTMON) Intel® -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe (Intel Corporation)

SRV - (UNS) Intel® -- C:\Program Files\Intel\AMT\UNS.exe (Intel)

SRV - (atchksrv) Intel® -- C:\Program Files\Intel\AMT\atchksrv.exe (Intel Corporation)

SRV - (LMS) Intel® -- C:\Program Files\Intel\AMT\LMS.exe (Intel)

SRV - (WinDefend) -- C:\Program Files\Windows Defender\MsMpEng.exe (Microsoft Corporation)

SRV - (EPSON ESCPOS Status Service) -- C:\WINDOWS\System32\EpStsSrv.exe (SEIKO EPSON Corp.)

SRV - (FirebirdServerDefaultInstance) -- C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe (The Firebird Project)

SRV - (FirebirdGuardianDefaultInstance) -- C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe (The Firebird Project)

========== Driver Services (SafeList) ==========

DRV - (tmxpflt) -- C:\WINDOWS\system32\drivers\tmxpflt.sys (Trend Micro Inc.)

DRV - (tmpreflt) -- C:\WINDOWS\system32\drivers\tmpreflt.sys (Trend Micro Inc.)

DRV - (vsapint) -- C:\WINDOWS\system32\drivers\vsapint.sys (Trend Micro Inc.)

DRV - (tmactmon) -- C:\WINDOWS\system32\drivers\tmactmon.sys (Trend Micro Inc.)

DRV - (tmevtmgr) -- C:\WINDOWS\system32\drivers\tmevtmgr.sys (Trend Micro Inc.)

DRV - (tmcomm) -- C:\WINDOWS\system32\drivers\tmcomm.sys (Trend Micro Inc.)

DRV - (tmtdi) -- C:\WINDOWS\system32\drivers\tmtdi.sys (Trend Micro Inc.)

DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\hdaudbus.sys (Windows ® Server 2003 DDK provider)

DRV - (iastor) -- C:\WINDOWS\system32\DRIVERS\iaStor.sys (Intel Corporation)

DRV - (ADIHdAudAddService) -- C:\WINDOWS\system32\drivers\ADIHdAud.sys (Analog Devices, Inc.)

DRV - (DLADResM) -- C:\WINDOWS\system32\drivers\DLADResM.SYS (Roxio)

DRV - (DLABMFSM) -- C:\WINDOWS\system32\drivers\DLABMFSM.SYS (Roxio)

DRV - (DLAUDF_M) -- C:\WINDOWS\system32\drivers\DLAUDF_M.SYS (Roxio)

DRV - (DLAUDFAM) -- C:\WINDOWS\system32\drivers\DLAUDFAM.SYS (Roxio)

DRV - (DLAOPIOM) -- C:\WINDOWS\system32\drivers\DLAOPIOM.SYS (Roxio)

DRV - (DLABOIOM) -- C:\WINDOWS\system32\drivers\DLABOIOM.SYS (Roxio)

DRV - (DLAPoolM) -- C:\WINDOWS\system32\drivers\DLAPoolM.SYS (Roxio)

DRV - (DLAIFS_M) -- C:\WINDOWS\system32\drivers\DLAIFS_M.SYS (Roxio)

DRV - (DRVMCDB) -- C:\WINDOWS\System32\Drivers\DRVMCDB.SYS (Sonic Solutions)

DRV - (DLARTL_M) -- C:\WINDOWS\system32\drivers\DLARTL_M.SYS (Roxio)

DRV - (DLACDBHM) -- C:\WINDOWS\System32\Drivers\DLACDBHM.SYS (Roxio)

DRV - (DRVNDDM) -- C:\WINDOWS\system32\drivers\DRVNDDM.SYS (Roxio)

DRV - (HECI) Intel® -- C:\WINDOWS\system32\drivers\HECI.sys (Intel Corporation)

DRV - (ialm) -- C:\WINDOWS\system32\drivers\igxpmp32.sys (Intel Corporation)

DRV - (e1express) Intel® -- C:\WINDOWS\system32\drivers\e1e5132.sys (Intel Corporation)

DRV - (Esdpdx01) -- C:\WINDOWS\system32\drivers\ESDPDX01.SYS (MK Systems CO., LTD.)

DRV - (SenFiltService) -- C:\WINDOWS\system32\drivers\senfilt.sys (Sensaura)

DRV - (3c1807pd) -- C:\WINDOWS\system32\drivers\3c1807pd.sys (U.S. Robotics Corporation)

DRV - (USRpdA) -- C:\WINDOWS\system32\drivers\USRpdA.sys (U.S. Robotics Corporation)

========== Standard Registry (All) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://support.paladinpos.com/

IE - HKCU\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555

FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/09/02 03:00:17 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Firefox\Extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009/05/19 16:46:43 | 000,000,000 | ---D | M]

O1 HOSTS File: ([2010/06/22 07:09:06 | 000,262,631 | RHS- | M]) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O1 - Hosts: 127.0.0.1 www.007guard.com

O1 - Hosts: 127.0.0.1 007guard.com

O1 - Hosts: 127.0.0.1 010402.com

O1 - Hosts: 127.0.0.1 www.032439.com

O1 - Hosts: 127.0.0.1 032439.com

O1 - Hosts: 127.0.0.1 www.1001-search.info

O1 - Hosts: 127.0.0.1 1001-search.info

O1 - Hosts: 127.0.0.1 www.100888290cs.com

O1 - Hosts: 127.0.0.1 100888290cs.com

O1 - Hosts: 127.0.0.1 www.100sexlinks.com

O1 - Hosts: 127.0.0.1 100sexlinks.com

O1 - Hosts: 127.0.0.1 www.10sek.com

O1 - Hosts: 127.0.0.1 10sek.com

O1 - Hosts: 127.0.0.1 www.123topsearch.com

O1 - Hosts: 127.0.0.1 123topsearch.com

O1 - Hosts: 127.0.0.1 www.132.com

O1 - Hosts: 127.0.0.1 132.com

O1 - Hosts: 127.0.0.1 www.136136.net

O1 - Hosts: 127.0.0.1 136136.net

O1 - Hosts: 127.0.0.1 www.139mm.com

O1 - Hosts: 127.0.0.1 139mm.com

O1 - Hosts: 127.0.0.1 www.163ns.com

O1 - Hosts: 127.0.0.1 163ns.com

O1 - Hosts: 127.0.0.1 171203.com

O1 - Hosts: 9098 more lines...

O2 - BHO: (C:\WINDOWS\system32\gwd7v3zw2f.dll) - {C7BA40A1-74F2-52BD-F411-04B15A2C8953} - C:\WINDOWS\system32\gwd7v3zw2f.dll ()

O3 - HKLM\..\Toolbar: (MSN Toolbar) - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1125.0\msneshellx.dll (Microsoft Corp.)

O3 - HKCU\..\Toolbar\ShellBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)

O3 - HKCU\..\Toolbar\WebBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)

O3 - HKCU\..\Toolbar\WebBrowser: (&Links) - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)

O3 - HKCU\..\Toolbar\WebBrowser: (&Links) - {F2CF5485-4E02-4F68-819C-B92DE9277049} - C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)

O4 - HKLM..\Run: [3c1807pd] File not found

O4 - HKLM..\Run: [Adobe ARM] C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe File not found

O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)

O4 - HKLM..\Run: [ESDUSBMon.exe] C:\WINDOWS\system32\ESDUSBMon.exe (SEIKO EPSON Corp.)

O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)

O4 - HKLM..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe (Intel Corporation)

O4 - HKLM..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)

O4 - HKLM..\Run: [iSUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (Macrovision Corporation)

O4 - HKLM..\Run: [Microsoft Default Manager] C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe (Microsoft Corp.)

O4 - HKLM..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)

O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)

O4 - HKLM..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)

O4 - HKLM..\Run: [synchronization Manager] C:\WINDOWS\System32\mobsync.exe (Microsoft Corporation)

O4 - HKLM..\Run: [ufSeAgnt.exe] C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe (Trend Micro Inc.)

O4 - HKLM..\Run: [uSRpdA] File not found

O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)

O4 - HKCU..\Run: [asam] C:\Documents and Settings\Paladin User\Local Settings\Application Data\asam.exe ()

O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)

O4 - HKCU..\Run: [hsfg9w8gujsokgahi8gysgnsdgefshyjy] C:\Documents and Settings\Paladin User\Local Settings\Temp\mdm.exe ()

O4 - HKCU..\Run: [iSUSPM] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (Macrovision Corporation)

O4 - HKCU..\Run: [M5T8QL3YW3] C:\Documents and Settings\Paladin User\Local Settings\Temp\Vpx.exe ()

O4 - HKCU..\Run: [mcexecwin] C:\Documents and Settings\Paladin User\Local Settings\Temp\t5q2qr.dll ()

O4 - HKCU..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (Trend Micro Inc.)

O4 - HKCU..\Run: [qeaensbk] C:\Documents and Settings\Paladin User\Local Settings\Application Data\nwbwlcvia\mqtiytgtssd.exe ()

O4 - HKCU..\Run: [QZAIB7KITK] C:\WINDOWS\Vhuqya.exe ()

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE (WinZip Computing, Inc.)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFolderOptions = 1

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 1

O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)

O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe (Microsoft Corporation)

O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\WINDOWS\system32\winrnr.dll (Microsoft Corporation)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O15 - HKLM\..Trusted Domains: acehardware-acenet.com ([]* in Trusted sites)

O15 - HKLM\..Trusted Domains: acehardware-aceonline.com ([]* in Trusted sites)

O15 - HKLM\..Trusted Domains: acehardware-eaglevision.com ([]* in Trusted sites)

O15 - HKLM\..Trusted Domains: acehardware-vendors.com ([]* in Trusted sites)

O15 - HKLM\..Trusted Domains: aceservices.com ([]* in Trusted sites)

O15 - HKCU\..Trusted Domains: acehardware-acenet.com ([]* in Trusted sites)

O15 - HKCU\..Trusted Domains: acehardware-aceonline.com ([]* in Trusted sites)

O15 - HKCU\..Trusted Domains: acehardware-eaglevision.com ([]* in Trusted sites)

O15 - HKCU\..Trusted Domains: acehardware-vendors.com ([]* in Trusted sites)

O15 - HKCU\..Trusted Domains: aceservices.com ([]* in Trusted sites)

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)

O16 - DPF: {24B8CB65-C0D2-11D0-A523-444553540000} http://ww1.acehardware-acenet.com/ACENET/C...xpl/AceExpl.cab (AceExplorer Control)

O16 - DPF: {41F841C0-AE16-11D5-8817-0050DA6EF5E5} http://ww1.acehardware-acenet.com/ACENET/c...t60/fpspr60.cab (FarPoint Spread 6.0 (OLEDB))

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/windowsupd...b?1233855965781 (WUWebControl Class)

O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} http://h20270.www2.hp.com/ediags/gmn2/inst...tDetection2.cab (GMNRev Class)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://dl8-cdn-09.sun.com/s/ESD7/JSCDL/jdk...ows-i586-jc.cab (Java Plug-in 1.6.0_13)

O16 - DPF: {8BF1A503-001F-11D0-A296-00A0246497B9} http://ww1.acehardware-acenet.com/ACENET/C...ENET/ACECTL.CAB (ACENET Control)

O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)

O16 - DPF: {93D532DD-85FC-4A92-8254-8DB5437D8690} http://onbase.aceservices.com/AppNet/activex/OBXPopup.cab (OBXPopupBlockerAssistant Control)

O16 - DPF: {C903C000-9C6E-419D-A0AC-2E760BBA3764} http://ww1.acehardware-acenet.com/ACENET/C...Si/McsiMenu.cab (MCSiMenuCtl Class)

O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)

O16 - DPF: {EAE50EB0-4A62-11CE-BED6-00AA00611080} http://ww1.acehardware-acenet.com/ACEnet/c...ft/MSpert10.cab (Microsoft Forms 2.0 TabStrip)

O16 - DPF: {F5876F16-5217-4B38-96F3-C2BB80215302} http://imagemax.aceservices.com/appnet/act...BXWebViewer.cab (OBXWebViewer Control)

O16 - DPF: AceIESecuritySettings http://ww1.acehardware-acenet.com/Controls...itySettings.CAB (Reg Error: Key error.)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.165.167,93.188.161.171

O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)

O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)

O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\gopher {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\ipp - No CLSID value found

O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)

O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)

O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)

O18 - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll (Microsoft Corporation)

O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\msdaipp - No CLSID value found

O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)

O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)

O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)

O18 - Protocol\Handler\sysimage {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)

O18 - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)

O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)

O18 - Protocol\Handler\wia {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll (Microsoft Corporation)

O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)

O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)

O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)

O18 - Protocol\Filter\Class Install Handler {32B533BB-EDAE-11d0-BD5A-00AA00B92AF1} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Filter\deflate {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Filter\gzip {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Filter\lzdhtml {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Filter\text/webviewhtml {733AC4CB-F1A4-11d0-B951-00A0C90312E1} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)

O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)

O20 - HKLM Winlogon: UIHost - (logonui.exe) - C:\WINDOWS\System32\logonui.exe (Microsoft Corporation)

O20 - HKLM Winlogon: VMApplet - (rundll32 shell32) - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)

O20 - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") - C:\WINDOWS\System32\sysdm.cpl (Microsoft Corporation)

O20 - Winlogon\Notify\crypt32chain: DllName - crypt32.dll - C:\WINDOWS\System32\crypt32.dll (Microsoft Corporation)

O20 - Winlogon\Notify\cryptnet: DllName - cryptnet.dll - C:\WINDOWS\System32\cryptnet.dll (Microsoft Corporation)

O20 - Winlogon\Notify\cscdll: DllName - cscdll.dll - C:\WINDOWS\System32\cscdll.dll (Microsoft Corporation)

O20 - Winlogon\Notify\dimsntfy: DllName - %SystemRoot%\System32\dimsntfy.dll - C:\WINDOWS\system32\dimsntfy.dll (Microsoft Corporation)

O20 - Winlogon\Notify\GoToAssist: DllName - C:\Program Files\Citrix\GoToAssist\570\G2AWinLogon.dll - C:\Program Files\Citrix\GoToAssist\570\g2awinlogon.dll (Citrix Online, a division of Citrix Systems, Inc.)

O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)

O20 - Winlogon\Notify\ScCertProp: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)

O20 - Winlogon\Notify\Schedule: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)

O20 - Winlogon\Notify\sclgntfy: DllName - sclgntfy.dll - C:\WINDOWS\System32\sclgntfy.dll (Microsoft Corporation)

O20 - Winlogon\Notify\SensLogn: DllName - WlNotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)

O20 - Winlogon\Notify\termsrv: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)

O20 - Winlogon\Notify\WgaLogon: DllName - WgaLogon.dll - C:\WINDOWS\System32\WgaLogon.dll (Microsoft Corporation)

O20 - Winlogon\Notify\wlballoon: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)

O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)

O21 - SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)

O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\system32\stobject.dll (Microsoft Corporation)

O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\system32\webcheck.dll (Microsoft Corporation)

O22 - SharedTaskScheduler: {438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)

O22 - SharedTaskScheduler: {8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)

O22 - SharedTaskScheduler: {C7BA40A1-74F2-52BD-F411-04B15A2C8953} - har98fefiesjfs93s8i9sejsdf - C:\WINDOWS\system32\gwd7v3zw2f.dll ()

O24 - Desktop Components:0 (My Current Home Page) - About:Home

O24 - Desktop WallPaper: C:\Documents and Settings\Paladin User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O24 - Desktop BackupWallPaper: C:\Documents and Settings\Paladin User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O27 - HKLM IFEO\brastk.exe: Debugger - svchost.exe (Microsoft Corporation)

O27 - HKLM IFEO\mrt.exe: Debugger - svchost.exe (Microsoft Corporation)

O27 - HKLM IFEO\msfwsvc.exe: Debugger - svchost.exe (Microsoft Corporation)

O27 - HKLM IFEO\MsMpEng.exe: Debugger - svchost.exe (Microsoft Corporation)

O27 - HKLM IFEO\msseces.exe: Debugger - svchost.exe (Microsoft Corporation)

O27 - HKLM IFEO\OcHealthMon.exe: Debugger - svchost.exe (Microsoft Corporation)

O27 - HKLM IFEO\winss.exe: Debugger - svchost.exe (Microsoft Corporation)

O27 - HKLM IFEO\winssnotify.exe: Debugger - svchost.exe (Microsoft Corporation)

O27 - HKLM IFEO\WinSSUI.exe: Debugger - svchost.exe (Microsoft Corporation)

O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)

O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)

O29 - HKLM SecurityProviders - (msapsspc.dll) - C:\WINDOWS\System32\msapsspc.dll (Microsoft Corporation)

O29 - HKLM SecurityProviders - (schannel.dll) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)

O29 - HKLM SecurityProviders - (digest.dll) - C:\WINDOWS\System32\digest.dll (Microsoft Corporation)

O29 - HKLM SecurityProviders - (msnsspc.dll) - C:\WINDOWS\System32\msnsspc.dll (Microsoft Corporation)

O30 - LSA: Authentication Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)

O30 - LSA: Security Packages - (kerberos) - C:\WINDOWS\System32\kerberos.dll (Microsoft Corporation)

O30 - LSA: Security Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)

O30 - LSA: Security Packages - (schannel) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)

O30 - LSA: Security Packages - (wdigest) - C:\WINDOWS\System32\wdigest.dll (Microsoft Corporation)

O31 - SafeBoot: AlternateShell - cmd.exe

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2008/03/14 19:34:49 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O32 - AutoRun File - [2008/03/14 19:34:49 | 000,000,000 | ---- | M] () - P:\AUTOEXEC.BAT -- [ NTFS ]

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found

NetSvcs: Ias - C:\WINDOWS\system32\ias [2008/03/14 11:24:47 | 000,000,000 | ---D | M]

NetSvcs: Iprip - File not found

NetSvcs: Irmon - File not found

NetSvcs: NWCWorkstation - File not found

NetSvcs: Nwsapagent - File not found

NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT

Error starting restore point: System Restore is disabled.

Error closing restore point: System Restore is disabled.

========== Files/Folders - Created Within 30 Days ==========

[2010/06/22 09:54:14 | 000,258,560 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Paladin User\Desktop\OTH.scr

[2010/06/22 09:54:13 | 000,571,904 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Paladin User\Desktop\OTL.exe

[2010/06/21 18:15:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paladin User\Local Settings\Application Data\nwbwlcvia

[2010/06/21 16:42:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia

[2010/06/21 16:42:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe

[2010/06/21 16:14:41 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Paladin User\Application Data\My Security Engine

[2010/06/21 16:14:02 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\All Users\Application Data\MSTMJVEE

[2010/06/21 16:12:50 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\All Users\Application Data\0d9c71d

[2010/06/21 16:09:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paladin User\Local Settings\Application Data\Windows Server

[2010/06/21 16:09:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paladin User\Application Data\6565FAC67FD5EA98CB1770FD0F965885

[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/06/22 10:10:38 | 000,000,260 | -H-- | M] () -- C:\WINDOWS\tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job

[2010/06/22 10:10:07 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2010/06/22 10:09:04 | 000,000,302 | -H-- | M] () -- C:\WINDOWS\tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job

[2010/06/22 10:08:51 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT

[2010/06/22 10:08:41 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2010/06/22 10:07:02 | 005,767,168 | -H-- | M] () -- C:\Documents and Settings\Paladin User\NTUSER.DAT

[2010/06/22 10:07:02 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Paladin User\ntuser.ini

[2010/06/22 09:57:15 | 000,000,024 | ---- | M] () -- C:\WINDOWS\herjek.config

[2010/06/22 09:55:38 | 003,184,656 | -H-- | M] () -- C:\Documents and Settings\Paladin User\Local Settings\Application Data\IconCache.db

[2010/06/22 09:55:31 | 000,000,552 | ---- | M] () -- C:\WINDOWS\win.ini

[2010/06/22 09:55:31 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini

[2010/06/22 09:55:31 | 000,000,211 | -HS- | M] () -- C:\boot.ini

[2010/06/22 07:09:14 | 000,001,867 | ---- | M] () -- C:\Documents and Settings\Paladin User\Desktop\My Security Engine.lnk

[2010/06/22 07:09:06 | 000,262,631 | RHS- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts

[2010/06/22 03:03:46 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job

[2010/06/22 01:15:00 | 000,000,286 | ---- | M] () -- C:\WINDOWS\tasks\Nightly Reboot.job

[2010/06/21 18:18:08 | 000,060,160 | ---- | M] () -- C:\Documents and Settings\Paladin User\Local Settings\Application Data\syssvc.exe

[2010/06/21 18:18:08 | 000,060,160 | ---- | M] () -- C:\Documents and Settings\Paladin User\Local Settings\Application Data\asam.exe

[2010/06/21 16:11:16 | 000,001,264 | ---- | M] () -- C:\Documents and Settings\Paladin User\Desktop\Antimalware Doctor.lnk

[2010/06/21 16:09:51 | 000,030,000 | ---- | M] () -- C:\WINDOWS\System32\gwd7v3zw2f.dll

[2010/06/21 15:36:52 | 000,184,832 | ---- | M] () -- C:\WINDOWS\Vhuqyb.exe

[2010/06/21 15:36:52 | 000,184,832 | ---- | M] () -- C:\WINDOWS\Vhuqya.exe

[2010/06/21 15:36:50 | 000,075,264 | ---- | M] () -- C:\WINDOWS\System32\f36decbb.exe

[2010/06/21 15:36:50 | 000,075,264 | ---- | M] () -- C:\WINDOWS\System32\e505e9f9.exe

[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/06/22 10:06:10 | 000,000,260 | -H-- | C] () -- C:\WINDOWS\tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job

[2010/06/22 09:57:15 | 000,000,024 | ---- | C] () -- C:\WINDOWS\herjek.config

[2010/06/22 09:54:17 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Paladin User\Desktop\jrp97bg9.exe

[2010/06/21 18:19:08 | 000,060,160 | ---- | C] () -- C:\Documents and Settings\Paladin User\Local Settings\Application Data\asam.exe

[2010/06/21 18:18:07 | 000,060,160 | ---- | C] () -- C:\Documents and Settings\Paladin User\Local Settings\Application Data\syssvc.exe

[2010/06/21 16:57:47 | 000,075,264 | ---- | C] () -- C:\WINDOWS\System32\f36decbb.exe

[2010/06/21 16:31:12 | 000,184,832 | ---- | C] () -- C:\WINDOWS\Vhuqyb.exe

[2010/06/21 16:23:06 | 000,001,867 | ---- | C] () -- C:\Documents and Settings\Paladin User\Desktop\My Security Engine.lnk

[2010/06/21 16:11:13 | 000,001,264 | ---- | C] () -- C:\Documents and Settings\Paladin User\Desktop\Antimalware Doctor.lnk

[2010/06/21 16:09:51 | 000,030,000 | ---- | C] () -- C:\WINDOWS\System32\gwd7v3zw2f.dll

[2010/06/21 15:37:03 | 000,000,302 | -H-- | C] () -- C:\WINDOWS\tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job

[2010/06/21 15:36:56 | 000,184,832 | ---- | C] () -- C:\WINDOWS\Vhuqya.exe

[2010/06/21 15:36:50 | 000,075,264 | ---- | C] () -- C:\WINDOWS\System32\e505e9f9.exe

[2009/11/02 12:56:07 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\HPPLVS.dll

[2009/10/31 12:59:27 | 000,001,244 | ---- | C] () -- C:\WINDOWS\RegalRailing.INI

[2008/03/20 16:15:35 | 000,000,539 | ---- | C] () -- C:\WINDOWS\label.ini

[2008/03/19 00:36:30 | 000,167,936 | ---- | C] () -- C:\WINDOWS\System32\EpsStmEW.DLL

[2008/03/19 00:36:30 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\SharpImg.dll

[2008/03/19 00:31:22 | 000,001,345 | ---- | C] () -- C:\WINDOWS\LMAAT2DD.ini

[2008/03/19 00:24:34 | 000,466,944 | R--- | C] () -- C:\WINDOWS\System32\softcoin.dll

[2008/03/19 00:24:34 | 000,344,064 | R--- | C] () -- C:\WINDOWS\System32\gencoin.dll

[2008/03/18 18:14:34 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4837.dll

[2008/03/17 16:37:29 | 000,004,746 | ---- | C] () -- C:\WINDOWS\SigPlus.ini

[2008/03/17 16:33:55 | 000,000,052 | ---- | C] () -- C:\WINDOWS\odbcddp.ini

[2008/03/17 16:33:54 | 000,001,429 | ---- | C] () -- C:\WINDOWS\ODBC.INI

[2008/03/17 16:33:32 | 000,176,235 | ---- | C] () -- C:\WINDOWS\System32\Primomonnt.dll

[2008/03/17 11:02:35 | 000,000,554 | ---- | C] () -- C:\WINDOWS\wininit.ini

[2006/08/31 12:46:13 | 000,000,310 | ---- | C] () -- C:\WINDOWS\primopdf.ini

========== LOP Check ==========

[2010/06/22 07:10:00 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\All Users\Application Data\0d9c71d

[2010/06/21 16:14:02 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\All Users\Application Data\MSTMJVEE

[2009/08/27 07:33:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PopCap Games

[2008/08/29 14:56:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP

[2010/05/07 08:03:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Uninstall

[2010/06/21 18:15:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Paladin User\Application Data\6565FAC67FD5EA98CB1770FD0F965885

[2010/01/11 15:32:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Paladin User\Application Data\Amazon

[2010/03/20 13:50:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Paladin User\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1

[2009/02/05 13:45:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Paladin User\Application Data\MSNInstaller

[2010/06/21 16:14:41 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\Paladin User\Application Data\My Security Engine

[2008/04/28 10:49:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Paladin User\Application Data\Paladin Data Corp

[2008/08/29 13:20:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Paladin User\Application Data\Paladin Data Corporation

[2010/06/22 03:03:46 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job

[2009/03/11 15:47:16 | 000,000,284 | ---- | M] () -- C:\WINDOWS\Tasks\Nightly Backup.job

[2010/06/22 01:15:00 | 000,000,286 | ---- | M] () -- C:\WINDOWS\Tasks\Nightly Reboot.job

[2010/06/22 10:10:38 | 000,000,260 | -H-- | M] () -- C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job

[2010/06/22 10:09:04 | 000,000,302 | -H-- | M] () -- C:\WINDOWS\Tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job

========== Purity Check ==========

========== Custom Scans ==========

< %SYSTEMDRIVE%\*.* >

[2010/04/12 07:10:03 | 000,000,817 | -H-- | M] () -- C:\AppUpdate.log

[2008/03/14 19:34:49 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT

[2010/06/22 09:55:31 | 000,000,211 | -HS- | M] () -- C:\boot.ini

[2008/03/14 19:34:49 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS

[2010/06/22 09:47:46 | 000,003,024 | ---- | M] () -- C:\feed.txt

[2008/03/14 19:34:49 | 000,000,000 | RHS- | M] () -- C:\IO.SYS

[2008/03/14 19:34:49 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS

[2004/08/04 06:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM

[2008/06/04 18:25:40 | 000,250,048 | RHS- | M] () -- C:\ntldr

[2010/06/22 10:08:32 | 2145,386,496 | -HS- | M] () -- C:\pagefile.sys

[2008/05/06 12:24:38 | 009,362,088 | ---- | M] () -- C:\server_setup_5w.exe

< %systemroot%\*./mp /s >

< %systemroot%\system32\*.dll /lockedfiles >

[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\System32\config\*.sav >

[2008/03/14 11:28:07 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav

[2008/03/14 11:28:07 | 000,659,456 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav

[2008/03/14 11:28:07 | 000,897,024 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\system32\drivers\*.sys /90 >

========== Alternate Data Streams ==========

@Alternate Data Stream - 120 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34

< End of report >

Here is the Second which is the GMER log

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-06-22 11:08:09

Windows 5.1.2600 Service Pack 3

Running: jrp97bg9.exe; Driver: C:\DOCUME~1\PALADI~1\LOCALS~1\Temp\pxrirpoc.sys

---- System - GMER 1.0.15 ----

SSDT 84EC7CC0 ZwCreateKey

SSDT 84EC71C0 ZwCreateProcess

SSDT 84EC7480 ZwCreateProcessEx

SSDT 84EC8B20 ZwCreateThread

SSDT 84EC8240 ZwDeleteKey

SSDT 84EC8500 ZwDeleteValueKey

SSDT 84EC8CC0 ZwLoadDriver

SSDT 84EC7740 ZwOpenProcess

SSDT 84EC7F80 ZwSetValueKey

SSDT 84EC7A00 ZwTerminateProcess

SSDT 84EC8980 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

init C:\WINDOWS\system32\drivers\Senfilt.sys entry point in "init" section [0xA9E1CA00]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1240] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 009D000A

.text C:\WINDOWS\System32\svchost.exe[1240] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009E000A

.text C:\WINDOWS\System32\svchost.exe[1240] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 009C000C

.text C:\WINDOWS\System32\svchost.exe[1240] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 01C2000A

.text C:\WINDOWS\System32\svchost.exe[1240] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 0106000A

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

AttachedDevice \Driver\Tcpip \Device\Tcp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

AttachedDevice \Driver\Tcpip \Device\Udp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

AttachedDevice \Driver\Tcpip \Device\RawIp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Roxio)

---- EOF - GMER 1.0.15 ----

I really appreciate any and all help with this. I am at a total loss with this as of now.

Ryan


Another update:

When I try to run HijackThis it says that the computer will not allow it to write to the hosts file and that I need to manually edit it in Notepad, which I have done, and resave it as 'hosts.' with the quotes... I have done this and rebooted as it said to do and have gotten no results from it.....

I am really getting desperate here as we are totally without a register until this is resolved.


Well, after playing with this thing all day I have managed to get MBAM to update, and I just ran it in safe mode, where it detected about 125 problems and fixed most of them except for a few that it said would have to be fixed on reboot... I rebooted and still have internet connection in normal mode or in safe mode (meaning browser functions; I can ping Google in either safe mode with networking or in normal mode). I am assuming that I have something messing with the DNS entries?

Here is the MBAM log. I really hope someone has time to help, as I am sorta poking around in the dark on this still.

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4131

Windows 5.1.2600 Service Pack 3 (Safe Mode)

Internet Explorer 7.0.5730.13

6/22/2010 3:22:40 PM

mbam-log-2010-06-22 (15-22-40).txt

Scan type: Full scan (C:\|)

Objects scanned: 195573

Time elapsed: 27 minute(s), 13 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 23

Registry Values Infected: 9

Registry Data Items Infected: 8

Folders Infected: 1

Files Infected: 86

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\WINDOWS\system32\gwd7v3zw2f.dll (Trojan.Ertfor) -> Delete on reboot.

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{c7ba40a1-74f2-52bd-f411-04b15a2c8953} (Trojan.Ertfor) -> Delete on reboot.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c7ba40a1-74f2-52bd-f411-04b15a2c8953} (Trojan.Ertfor) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c7ba40a1-74f2-52bd-f411-04b15a2c8953} (Trojan.Ertfor) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mswu-e505e9f9 (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mswu-f36decbb (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\M5T8QL3YW3 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\brastk.exe (Security.Hijack) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSSUI.exe (Security.Hijack) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winssnotify.exe (Security.Hijack) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winss.exe (Security.Hijack) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OcHealthMon.exe (Security.Hijack) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe (Security.Hijack) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msfwsvc.exe (Security.Hijack) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe (Security.Hijack) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Antimalware Doctor (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\Antimalware Doctor Inc (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\QZAIB7KITK (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mrt.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{c7ba40a1-74f2-52bd-f411-04b15a2c8953} (Trojan.Ertfor) -> Delete on reboot.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qeaensbk (Trojan.Agent.Gen) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\asam (Trojan.Agent.Gen) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hsfg9w8gujsokgahi8gysgnsdgefshyjy (Trojan.Downloader) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\m5t8ql3yw3 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mcexecwin (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> Delete on reboot.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qzaib7kitk (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL (Hijack.SearchPage) -> Bad: (http://findgala.com/?&uid=7&q={searchTerms}) Good: (http://www.Google.com/) -> Quarantined and deleted successfully.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL (Hijack.SearchPage) -> Bad: (http://findgala.com/?&uid=7&q={searchTerms}) Good: (http://www.Google.com/) -> Quarantined and deleted successfully.

HKEY_USERS\S-1-5-20\SOFTWARE\Classes\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL (Hijack.SearchPage) -> Bad: (http://findgala.com/?&uid=7&q={searchTerms}) Good: (http://www.Google.com/) -> Quarantined and deleted successfully.

HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL (Hijack.SearchPage) -> Bad: (http://findgala.com/?&uid=7&q={searchTerms}) Good: (http://www.Google.com/) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL (Hijack.SearchPage) -> Bad: (http://findgala.com/?&uid=7&q={searchTerms}) Good: (http://www.Google.com/) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.165.167,93.188.161.171 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{833f0bb7-4f86-4cf6-a7f1-a4feae6d7a0c}\NameServer (Trojan.DNSChanger) -> Data: 93.188.165.167,93.188.161.171 -> Quarantined and deleted successfully.

Folders Infected:

C:\Documents and Settings\Paladin User\Application Data\My Security Engine (Rogue.MySecurityEngine) -> Quarantined and deleted successfully.

Files Infected:

C:\WINDOWS\system32\gwd7v3zw2f.dll (Trojan.Ertfor) -> Delete on reboot.

C:\Documents and Settings\Paladin User\Local Settings\Temp\t5q2qr.dll (Trojan.Ertfor) -> Quarantined and deleted successfully.

C:\Documents and Settings\Paladin User\Local Settings\Application Data\nwbwlcvia\mqtiytgtssd.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.

C:\Documents and Settings\Paladin User\Local Settings\Application Data\asam.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.

C:\Documents and Settings\Paladin User\Local Settings\Application Data\syssvc.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.

C:\Documents and Settings\Paladin User\Local Settings\Temp\3A.tmp (Rootkit.TDSS.Gen) -> Quarantined and deleted successfully.

C:\Documents and Settings\Paladin User\Local Settings\Temp\ansewocxrm.tmp (Trojan.Tracur) -> Quarantined and deleted successfully.

C:\Documents and Settings\Paladin User\Local Settings\Temp\arapj.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.

C:\Documents and Settings\Paladin User\Local Settings\Temp\b82umg05aah.exe (Trojan.Hatigh) -> Quarantined and deleted successfully.

C:\Documents and Settings\Paladin User\Local Settings\Temp\cjxaymdn.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\Paladin User\Local Settings\Temp\cxgxdna.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\Paladin User\Local Settings\Temp\debug.exe (Trojan.Hatigh) -> Quarantined and deleted successfully.

C:\Documents and Settings\Paladin User\Local Settings\Temp\gbcp4dp.exe (Trojan.Ertfor) -> Quarantined and deleted successfully.

C:\Documents and Settings\Paladin User\Local Settings\Temp\RElB.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.

C:\Documents and Settings\Paladin User\Local Settings\Temp\rpyuhbu.exe (Trojan.Crypt) -> Quarantined and deleted successfully.

C:\Documents and Settings\Paladin User\Local Settings\Temp\sitlpsqc.exe (Trojan.Ertfor) -> Quarantined and deleted successfully.

C:\Documents and Settings\Paladin User\Local Settings\Temporary Internet Files\Content.IE5\2EO0VNI6\packupdate_build107_302[3].exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\Paladin User\Local Settings\Temporary Internet Files\Content.IE5\2EO0VNI6\packupdate_build107_302[4].exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\Paladin User\Local Settings\Temporary Internet Files\Content.IE5\2EO0VNI6\packupdate_build107_328[1].exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\e505e9f9.exe (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\f36decbb.exe (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\spool\prtprocs\w32x86\a79317.dll (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\spool\prtprocs\w32x86\AA55e.dll (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\spool\prtprocs\w32x86\cE55k.dll (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\spool\prtprocs\w32x86\cE9317.dll (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\spool\prtprocs\w32x86\CE93k7.dll (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\spool\prtprocs\w32x86\e79kUO.dll (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\spool\prtprocs\w32x86\e9a17e3.dll (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\spool\prtprocs\w32x86\gM555.dll (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\spool\prtprocs\w32x86\i3qGMY1cE.dll (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\spool\prtprocs\w32x86\I79317.dll (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\spool\prtprocs\w32x86\I9q1w9u.dll (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\spool\prtprocs\w32x86\iQ5wS.dll (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\spool\prtprocs\w32x86\IQGMY.dll (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\spool\prtprocs\w32x86\k9yWS93.dll (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\spool\prtprocs\w32x86\KU317aA.dll (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\spool\prtprocs\w32x86\M93wSKU.dll (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\spool\prtprocs\w32x86\mY5cE.dll (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\spool\prtprocs\w32x86\OC793y79.dll (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\spool\prtprocs\w32x86\q7wSKU.dll (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\spool\prtprocs\w32x86\qG31aAA.dll (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\spool\prtprocs\w32x86\s5eIQ.dll (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\spool\prtprocs\w32x86\S9eIQG3.dll (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\spool\prtprocs\w32x86\UOCE9317s.dll (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\spool\prtprocs\w32x86\W79y17.dll (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\spool\prtprocs\w32x86\wS9eIQ.dll (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\spool\prtprocs\w32x86\YW93yW.dll (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\spool\prtprocs\w32x86\yWS179u.dll (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\3C.tmp (Rootkit.TDSS.Gen) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\aA5k5y5c.tmp (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\aAA9k179.tmp (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\c55u5m5g.tmp (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\G1iQ3w.tmp (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\g5555555.tmp (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\G93a79.tmp (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\kUO5o5o5.tmp (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\KUOCEI.tmp (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\OCEIQ5.tmp (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\Q1w93y.tmp (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\Q55c5s.tmp (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\q9wS7eIQ.tmp (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\qG5i55q5.tmp (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\S3e793.tmp (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\sKU7m3gM.tmp (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\sKUOC3s7.tmp (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\u179a1k9.tmp (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\u5555kUO.tmp (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\U93iQ9.tmp (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\uO93m79w.tmp (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\w55y5c5s.tmp (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\w7uOC793.tmp (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.

C:\Documents and Settings\Paladin User\Local Settings\Temp\mdm.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\WINDOWS\Tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\Paladin User\Local Settings\Temp\Vpx.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Documents and Settings\Paladin User\Desktop\My Security Engine.lnk (Rogue.MySecurityEngine) -> Quarantined and deleted successfully.

C:\Documents and Settings\Paladin User\Application Data\Microsoft\Internet Explorer\Quick Launch\My Security Engine.lnk (Rogue.MySecurityEngine) -> Quarantined and deleted successfully.

C:\Documents and Settings\Paladin User\Start Menu\My Security Engine.lnk (Rogue.MySecurityEngine) -> Quarantined and deleted successfully.

C:\Documents and Settings\Paladin User\Start Menu\Programs\My Security Engine.lnk (Rogue.MySecurityEngine) -> Quarantined and deleted successfully.

C:\Documents and Settings\Paladin User\Application Data\Microsoft\Internet Explorer\Quick Launch\Antimalware Doctor.lnk (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.

C:\Documents and Settings\Paladin User\Desktop\Antimalware Doctor.lnk (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.

C:\Documents and Settings\Paladin User\Start Menu\Antimalware Doctor.lnk (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.

C:\WINDOWS\herjek.config (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\Paladin User\Local Settings\Temp\jisfije9fjoiee.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\Paladin User\Local Settings\Temp\iexplarer.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\Vhuqya.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.


OK, I am posting from the infected computer now... One of the programs had set me up to run through a fake proxy server... I am going to try HijackThis again and post the log file here, as I am sure there are remnants of files here, and if someone could review all of this and let me know what they think it would be great!!

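The fake proxy mentioned above, the Trojan.DNSChanger NameServer data in the MBAM log, and the hosts-file redirects HijackThis reports as O1 entries are the three network settings a defender checks first on a box like this. The Python triage script below is an added example, not code from this thread or from HijackThis or MBAM; it parses constructed HijackThis-style lines (the O17 NameServer line is constructed to mirror the MBAM finding), flags each hijack, and takes `expected_dns` and `allowed_proxies` as assumed site-specific allowlists.

```python
"""Triage HijackThis-style log lines for the three hijacks seen in this thread:
hosts-file redirects, a forced local proxy, and replaced DNS servers.
Added example with constructed input; not a tool from the original thread."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample, patterned on the R1/O1 lines of the HijackThis log and
# the NameServer data from the MBAM log in this thread. The O17 line (the
# HijackThis section for NameServer entries) is constructed to mirror the
# MBAM finding; the GUID and addresses are the ones reported in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O1 - Hosts: 74.125.45.100 4-open-davinci.com
O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
O1 - Hosts: 74.125.45.100 getantivirusplusnow.com
O1 - Hosts: 127.0.0.1 localhost
O17 - HKLM\System\CCS\Services\Tcpip\..\{833f0bb7-4f86-4cf6-a7f1-a4feae6d7a0c}: NameServer = 93.188.165.167,93.188.161.171
"""

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
PROXY_RE = re.compile(r",ProxyServer = (.+)$")
DNS_RE = re.compile(r"NameServer = ([\d.,\s]+)$")
LOCAL_NAMES = {"localhost", "localhost.localdomain"}


@dataclass
class Finding:
    kind: str     # "hosts_redirect", "local_proxy" or "dns_changed"
    subject: str  # hostname, "ProxyServer" or "NameServer"
    target: str   # where the subject was pointed
    line: str


def _is_local(ip_text: str) -> bool:
    """True for loopback/unspecified addresses; False for anything else or non-IPs."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def triage(log_text: str, expected_dns: set, allowed_proxies=()) -> list:
    """Return one Finding per suspicious hosts, proxy or DNS setting."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HOSTS_RE.match(line)
        if m:
            ip, host = m.groups()
            # Only "localhost -> loopback" style entries are normal on a POS box.
            if host.lower() in LOCAL_NAMES and _is_local(ip):
                continue
            findings.append(Finding("hosts_redirect", host, ip, line))
            continue
        m = PROXY_RE.search(line)
        if m:
            # Value is "host:port" or "scheme=host:port[;scheme=...]".
            for part in m.group(1).split(";"):
                hostport = part.split("=", 1)[-1].strip()
                host = hostport.rsplit(":", 1)[0]
                # A loopback proxy nobody configured means browser traffic is
                # being funneled through a local process; allowlist known ones.
                if hostport not in allowed_proxies and _is_local(host):
                    findings.append(Finding("local_proxy", "ProxyServer", hostport, line))
            continue
        m = DNS_RE.search(line)
        if m:
            servers = [s.strip() for s in m.group(1).split(",") if s.strip()]
            rogue = [s for s in servers if s not in expected_dns]
            if rogue:
                findings.append(Finding("dns_changed", "NameServer", ",".join(rogue), line))
    return findings


def shared_redirect_targets(findings: list) -> set:
    """Addresses that several hostnames were pinned to (the rogue-AV pattern:
    vendor and payment domains all redirected to one IP)."""
    hosts_by_ip = {}
    for f in findings:
        if f.kind == "hosts_redirect":
            hosts_by_ip.setdefault(f.target, set()).add(f.subject)
    return {ip for ip, hosts in hosts_by_ip.items() if len(hosts) >= 2}


if __name__ == "__main__":
    # 192.168.1.1 is a constructed placeholder for the store's real DNS server.
    found = triage(SAMPLE_LOG, expected_dns={"192.168.1.1"})
    for f in found:
        print(f"{f.kind:15} {f.subject} -> {f.target}")
    print("shared redirect targets:", shared_redirect_targets(found))
```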

Here is the newest HijackThis log... Can't get rid of all those hosts even when I go in and manually delete them. Any ideas?

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 4:00:49 PM, on 6/22/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.17023)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Trend Micro\BM\TMBMSRV.exe

C:\Program Files\Intel\AMT\atchksrv.exe

C:\WINDOWS\system32\EpStsSrv.exe

C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Intel\AMT\LMS.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\WINDOWS\system32\ESDUSBMon.EXE

C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Intel\AMT\UNS.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe

C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Paladin User\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://support.paladinpos.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555

O1 - Hosts: 74.125.45.100 4-open-davinci.com

O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com

O1 - Hosts: 74.125.45.100 privatesecuredpayments.com

O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com

O1 - Hosts: 74.125.45.100 getantivirusplusnow.com

O1 - Hosts: 74.125.45.100 secure-plus-payments.com

O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com

O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com

O1 - Hosts: 74.125.45.100 www.getavplusnow.com

O1 - Hosts: 74.125.45.100 safebrowsing-cache.google.com

O1 - Hosts: 74.125.45.100 urs.microsoft.com

O1 - Hosts: 74.125.45.100 www.securesoftwarebill.com

O1 - Hosts: 173.236.107.243 www.google.com

O1 - Hosts: 173.236.107.243 google.com

O1 - Hosts: 173.236.107.243 google.com.au

O1 - Hosts: 173.236.107.243 www.google.com.au

O1 - Hosts: 173.236.107.243 google.be

O1 - Hosts: 173.236.107.243 www.google.be

O1 - Hosts: 173.236.107.243 google.com.br

O1 - Hosts: 173.236.107.243 www.google.com.br

O1 - Hosts: 173.236.107.243 google.ca

O1 - Hosts: 173.236.107.243 www.google.ca

O1 - Hosts: 173.236.107.243 google.ch

O1 - Hosts: 173.236.107.243 www.google.ch

O1 - Hosts: 173.236.107.243 google.de

O1 - Hosts: 173.236.107.243 www.google.de

O1 - Hosts: 173.236.107.243 google.dk

O1 - Hosts: 173.236.107.243 www.google.dk

O1 - Hosts: 173.236.107.243 google.fr

O1 - Hosts: 173.236.107.243 www.google.fr

O1 - Hosts: 173.236.107.243 google.ie

O1 - Hosts: 173.236.107.243 www.google.ie

O1 - Hosts: 173.236.107.243 google.it

O1 - Hosts: 173.236.107.243 www.google.it

O1 - Hosts: 173.236.107.243 google.co.jp

O1 - Hosts: 173.236.107.243 www.google.co.jp

O1 - Hosts: 173.236.107.243 google.nl

O1 - Hosts: 173.236.107.243 www.google.nl

O1 - Hosts: 173.236.107.243 google.no

O1 - Hosts: 173.236.107.243 www.google.no

O1 - Hosts: 173.236.107.243 google.co.nz

O1 - Hosts: 173.236.107.243 www.google.co.nz

O1 - Hosts: 173.236.107.243 google.pl

O1 - Hosts: 173.236.107.243 www.google.pl

O1 - Hosts: 173.236.107.243 google.se

O1 - Hosts: 173.236.107.243 www.google.se

O1 - Hosts: 173.236.107.243 google.co.uk

O1 - Hosts: 173.236.107.243 www.google.co.uk

O1 - Hosts: 173.236.107.243 google.co.za

O1 - Hosts: 173.236.107.243 www.google.co.za

O1 - Hosts: 173.236.107.243 www.google-analytics.com

O1 - Hosts: 173.236.107.243 www.bing.com

O1 - Hosts: 173.236.107.243 search.yahoo.com

O1 - Hosts: 173.236.107.243 www.search.yahoo.com

O1 - Hosts: 173.236.107.243 uk.search.yahoo.com

O1 - Hosts: 173.236.107.243 ca.search.yahoo.com

O1 - Hosts: 173.236.107.243 de.search.yahoo.com

O1 - Hosts: 173.236.107.243 fr.search.yahoo.com

O1 - Hosts: 173.236.107.243 au.search.yahoo.com

O1 - Hosts: 74.125.45.100 4-open-davinci.com

O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com

O1 - Hosts: 74.125.45.100 privatesecuredpayments.com

O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com

O1 - Hosts: 74.125.45.100 getantivirusplusnow.com

O1 - Hosts: 74.125.45.100 secure-plus-payments.com

O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com

O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com

O1 - Hosts: 74.125.45.100 www.getavplusnow.com

O1 - Hosts: 74.125.45.100 safebrowsing-cache.google.com

O1 - Hosts: 74.125.45.100 urs.microsoft.com

O1 - Hosts: 74.125.45.100 www.securesoftwarebill.com

O1 - Hosts: 173.236.107.243 www.google.com

O1 - Hosts: 173.236.107.243 google.com

O1 - Hosts: 173.236.107.243 google.com.au

O1 - Hosts: 173.236.107.243 www.google.com.au

O1 - Hosts: 173.236.107.243 google.be

O1 - Hosts: 173.236.107.243 www.google.be

O1 - Hosts: 173.236.107.243 google.com.br

O1 - Hosts: 173.236.107.243 www.google.com.br

O1 - Hosts: 173.236.107.243 google.ca

O1 - Hosts: 173.236.107.243 www.google.ca

O1 - Hosts: 173.236.107.243 google.ch

O1 - Hosts: 173.236.107.243 www.google.ch

O1 - Hosts: 173.236.107.243 google.de

O1 - Hosts: 173.236.107.243 www.google.de

O1 - Hosts: 173.236.107.243 google.dk

O1 - Hosts: 173.236.107.243 www.google.dk

O1 - Hosts: 173.236.107.243 google.fr

O1 - Hosts: 173.236.107.243 www.google.fr

O1 - Hosts: 173.236.107.243 google.ie

O1 - Hosts: 173.236.107.243 www.google.ie

O1 - Hosts: 173.236.107.243 google.it

O1 - Hosts: 173.236.107.243 www.google.it

O1 - Hosts: 173.236.107.243 google.co.jp

O1 - Hosts: 173.236.107.243 www.google.co.jp

O1 - Hosts: 173.236.107.243 google.nl

O1 - Hosts: 173.236.107.243 www.google.nl

O1 - Hosts: 173.236.107.243 google.no

O1 - Hosts: 173.236.107.243 www.google.no

O1 - Hosts: 173.236.107.243 google.co.nz

O1 - Hosts: 173.236.107.243 www.google.co.nz

O1 - Hosts: 173.236.107.243 google.pl

O1 - Hosts: 173.236.107.243 www.google.pl

O1 - Hosts: 173.236.107.243 google.se

O1 - Hosts: 173.236.107.243 www.google.se

O1 - Hosts: 173.236.107.243 google.co.uk

O1 - Hosts: 173.236.107.243 www.google.co.uk

O1 - Hosts: 173.236.107.243 google.co.za

O1 - Hosts: 173.236.107.243 www.google.co.za

O1 - Hosts: 173.236.107.243 www.google-analytics.com

O1 - Hosts: 173.236.107.243 www.bing.com

O1 - Hosts: 173.236.107.243 search.yahoo.com

O1 - Hosts: 173.236.107.243 www.search.yahoo.com

O1 - Hosts: 173.236.107.243 uk.search.yahoo.com

O1 - Hosts: 173.236.107.243 ca.search.yahoo.com

O1 - Hosts: 173.236.107.243 de.search.yahoo.com

O1 - Hosts: 173.236.107.243 fr.search.yahoo.com

O1 - Hosts: 173.236.107.243 au.search.yahoo.com

O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1125.0\msneshellx.dll

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [3c1807pd] C:\WINDOWS\SYSTEM32\3cmlink.exe RunServices \Device\3cpipe-3c1807pd

O4 - HKLM\..\Run: [ESDUSBMon.exe] C:\WINDOWS\system32\ESDUSBMon.exe

O4 - HKLM\..\Run: [synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon

O4 - HKLM\..\Run: [iAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [ufSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe

O4 - HKCU\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler

O4 - HKUS\S-1-5-19\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: *.acehardware-acenet.com

O15 - Trusted Zone: *.acehardware-aceonline.com

O15 - Trusted Zone: *.acehardware-eaglevision.com

O15 - Trusted Zone: *.acehardware-vendors.com

O15 - Trusted Zone: *.aceservices.com

O15 - Trusted Zone: *.acehardware-acenet.com (HKLM)

O15 - Trusted Zone: *.acehardware-aceonline.com (HKLM)

O15 - Trusted Zone: *.acehardware-eaglevision.com (HKLM)

O15 - Trusted Zone: *.acehardware-vendors.com (HKLM)

O15 - Trusted Zone: *.aceservices.com (HKLM)

O16 - DPF: AceIESecuritySettings - http://ww1.acehardware-acenet.com/Controls...itySettings.CAB

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {24B8CB65-C0D2-11D0-A523-444553540000} (AceExplorer Control) - http://ww1.acehardware-acenet.com/ACENET/C...xpl/AceExpl.cab

O16 - DPF: {41F841C0-AE16-11D5-8817-0050DA6EF5E5} (FarPoint Spread 6.0 (OLEDB)) - http://ww1.acehardware-acenet.com/ACENET/c...t60/fpspr60.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1233855965781

O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...tDetection2.cab

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-09.sun.com/s/ESD7/JSCDL/jdk...ows-i586-jc.cab

O16 - DPF: {8BF1A503-001F-11D0-A296-00A0246497B9} (ACENET Control) - http://ww1.acehardware-acenet.com/ACENET/C...ENET/ACECTL.CAB

O16 - DPF: {93D532DD-85FC-4A92-8254-8DB5437D8690} (OBXPopupBlockerAssistant Control) - http://onbase.aceservices.com/AppNet/activex/OBXPopup.cab

O16 - DPF: {C903C000-9C6E-419D-A0AC-2E760BBA3764} (MCSiMenuCtl Class) - http://ww1.acehardware-acenet.com/ACENET/C...Si/McsiMenu.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O16 - DPF: {EAE50EB0-4A62-11CE-BED6-00AA00611080} (Microsoft Forms 2.0 TabStrip) - http://ww1.acehardware-acenet.com/ACEnet/c...ft/MSpert10.cab

O16 - DPF: {F5876F16-5217-4B38-96F3-C2BB80215302} (OBXWebViewer Control) - http://imagemax.aceservices.com/appnet/act...BXWebViewer.cab

O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\570\G2AWinLogon.dll

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Intel® Active Management Technology System Status Service (atchksrv) - Intel Corporation - C:\Program Files\Intel\AMT\atchksrv.exe

O23 - Service: EPSON ESC/POS Status Service (EPSON ESCPOS Status Service) - SEIKO EPSON Corp. - C:\WINDOWS\SYSTEM32\EpStsSrv.exe

O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe

O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe

O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\570\g2aservice.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Intel® Active Management Technology Local Management Service (LMS) - Intel - C:\Program Files\Intel\AMT\LMS.exe

O23 - Service: Port Emulator (HSP7000) (PortEmulatorHSP7000) - Star Micronics Co., Ltd. - C:\Program Files\StarMicronics\HSP7000\Software\VirtualPortEmulator\Software\VSPEU\portemu_umdf.exe

O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe

O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe

O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

O23 - Service: Intel® Active Management Technology User Notification Service (UNS) - Intel - C:\Program Files\Intel\AMT\UNS.exe

--

End of file - 15978 bytes

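The two things worth checking first in a log like the one above are the hosts-file overrides (the O1 lines) and the proxy setting pointing back at the local machine (the R1 ProxyServer line). The script below is an added example, not code from this thread or from HijackThis: it parses those line shapes and separates overrides of well-known names sent to a routable address from the harmless 127.0.0.1 block-list entries. The sample lines are a constructed subset in the shape of the posted log, and the watch list of domains is an assumption.

```python
"""Triage of HijackThis-style O1 (hosts) and R1 (proxy) entries: an added example for
this thread, not code from the posts or from HijackThis."""
import ipaddress
import re
from collections import Counter

# Constructed sample in the shape of the posted log (a small subset of its lines).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
O1 - Hosts: 74.125.45.100 safebrowsing-cache.google.com
O1 - Hosts: 173.236.107.243 www.google.com
O1 - Hosts: 173.236.107.243 google.co.uk
O1 - Hosts: 173.236.107.243 search.yahoo.com
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 9098 more lines...
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# Assumed watch list: names a workstation hosts file should never map to a routable
# address (search engines, browser safe-browsing, OS update/reputation endpoints).
# Only a few of the Google country domains seen in the log are listed; extend it.
WATCHED_SUFFIXES = (
    "google.com", "google.co.uk", "google.de", "google.fr", "google-analytics.com",
    "bing.com", "yahoo.com", "microsoft.com",
)

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)\s*$")  # the '... more lines' marker does not match
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(\S+)")


def is_watched(host):
    """True if host is one of the watched names or a subdomain of one."""
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)


def is_loopback_host(host):
    """True for 127.x / ::1 / 'localhost'; a proxy here means a process on this box."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host.lower() == "localhost"


def parse_hosts_entries(log_text):
    """Return [(ip_address, hostname)] for every 'O1 - Hosts:' line with a valid IP."""
    entries = []
    for line in log_text.splitlines():
        m = HOSTS_RE.match(line.strip())
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:  # malformed address field: skip rather than guess
            continue
        entries.append((ip, m.group(2).lower()))
    return entries


def parse_proxy_settings(log_text):
    """Return [(scheme, host, port)]; values are 'host:port' or 'scheme=host:port', ';'-joined."""
    proxies = []
    for m in PROXY_RE.finditer(log_text):
        for part in m.group(1).split(";"):
            scheme, _, hostport = part.rpartition("=")
            host, _, port = hostport.rpartition(":")
            if not host or not port.isdigit():
                continue
            proxies.append((scheme or "any", host, int(port)))
    return proxies


def triage(log_text):
    """Summarise what a helper would check first in the hosts and proxy entries."""
    redirected, other_routable, sinkholed = [], [], 0
    for ip, host in parse_hosts_entries(log_text):
        if ip.is_loopback or ip.is_unspecified:
            # 127.0.0.1 / 0.0.0.0 entries only block a name; thousands of them are
            # the signature of an installed ad/malware block list, not of the infection.
            if host != "localhost":
                sinkholed += 1
        elif is_watched(host):
            redirected.append((host, str(ip)))  # search/update traffic sent elsewhere
        else:
            other_routable.append((host, str(ip)))  # still an override; review by hand
    local_proxy = [port for _, host, port in parse_proxy_settings(log_text)
                   if is_loopback_host(host)]
    return {
        "redirected": redirected,
        "redirect_targets": Counter(ip for _, ip in redirected),
        "other_routable": other_routable,
        "sinkholed": sinkholed,
        "local_proxy": local_proxy,  # ports to match against listening processes
    }
```

On a live machine the `local_proxy` ports are the ones to compare against `netstat -ano` output to see which process is listening, and any `redirected` entry means the hosts file must be restored before search or update traffic can be trusted.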

As of this morning it is back to doing the same thing that it was doing yesterday, except that I have internet access on it. I really need help with this. There have been plenty of views on this thread but no responses. I hate to be the whiny new guy, but I am in a jam here.

Ryan


Hi HeyUvaVT, welcome to Malwarebytes.

  • Double click on OTL to run it. Make sure all other windows are closed and let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open one Notepad window, OTL.Txt. This is saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of this file and post it with your next reply.


Thank you, thank you, thank you for the response, kahdah!

Here is the log:

OTL logfile created on: 5/23/2010 10:55:18 AM - Run 2

OTL by OldTimer - Version 3.2.5.0 Folder = C:\Documents and Settings\Paladin User\Desktop\New Folder

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 7.0.5730.13)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

981.00 Mb Total Physical Memory | 598.00 Mb Available Physical Memory | 61.00% Memory free

3.00 Gb Paging File | 3.00 Gb Available in Paging File | 87.00% Paging File free

Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 149.01 Gb Total Space | 135.00 Gb Free Space | 90.60% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Drive P: | 232.81 Gb Total Space | 158.52 Gb Free Space | 68.09% Space Free | Partition Type: NTFS

Computer Name: TERMINAL-4

Current User Name: Paladin User

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Paladin User\Desktop\New Folder\OTL.exe (OldTimer Tools)

PRC - C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (Trend Micro Inc.)

PRC - C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe (Trend Micro Inc.)

PRC - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe (Trend Micro Inc.)

PRC - C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe (Microsoft Corporation)

PRC - C:\Program Files\Trend Micro\BM\TMBMSRV.exe (Trend Micro Inc.)

PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)

PRC - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe (Intel Corporation)

PRC - C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)

PRC - C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)

PRC - C:\Program Files\Intel\AMT\UNS.exe (Intel)

PRC - C:\Program Files\Intel\AMT\atchksrv.exe (Intel Corporation)

PRC - C:\Program Files\Intel\AMT\LMS.exe (Intel)

PRC - C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)

PRC - C:\Program Files\Windows Defender\MsMpEng.exe (Microsoft Corporation)

PRC - C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (Macrovision Corporation)

PRC - C:\WINDOWS\system32\EpStsSrv.exe (SEIKO EPSON Corp.)

PRC - C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe (The Firebird Project)

PRC - C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe (The Firebird Project)

PRC - C:\WINDOWS\system32\ESDUSBMon.exe (SEIKO EPSON Corp.)

========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Paladin User\Desktop\New Folder\OTL.exe (OldTimer Tools)

MOD - C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEHook.dll ()

MOD - C:\WINDOWS\system32\msscript.ocx (Microsoft Corporation)

========== Win32 Services (SafeList) ==========

SRV - (SfCtlCom) -- C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe (Trend Micro Inc.)

SRV - (TmProxy) -- C:\Program Files\Trend Micro\Internet Security\TmProxy.exe (Trend Micro Inc.)

SRV - (SeaPort) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe (Microsoft Corporation)

SRV - (GoToAssist) -- C:\Program Files\Citrix\GoToAssist\570\g2aservice.exe (Citrix Online, a division of Citrix Systems, Inc.)

SRV - (TMBMServer) -- C:\Program Files\Trend Micro\BM\TMBMSRV.exe (Trend Micro Inc.)

SRV - (PortEmulatorHSP7000) Port Emulator (HSP7000) -- C:\Program Files\StarMicronics\HSP7000\Software\VirtualPortEmulator\Software\VSPEU\portemu_umdf.exe (Star Micronics Co., Ltd.)

SRV - (IAANTMON) Intel® -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe (Intel Corporation)

SRV - (UNS) Intel® -- C:\Program Files\Intel\AMT\UNS.exe (Intel)

SRV - (atchksrv) Intel® -- C:\Program Files\Intel\AMT\atchksrv.exe (Intel Corporation)

SRV - (LMS) Intel® -- C:\Program Files\Intel\AMT\LMS.exe (Intel)

SRV - (WinDefend) -- C:\Program Files\Windows Defender\MsMpEng.exe (Microsoft Corporation)

SRV - (EPSON ESCPOS Status Service) -- C:\WINDOWS\System32\EpStsSrv.exe (SEIKO EPSON Corp.)

SRV - (FirebirdServerDefaultInstance) -- C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe (The Firebird Project)

SRV - (FirebirdGuardianDefaultInstance) -- C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe (The Firebird Project)

========== Driver Services (SafeList) ==========

DRV - (tmxpflt) -- C:\WINDOWS\system32\drivers\tmxpflt.sys (Trend Micro Inc.)

DRV - (tmpreflt) -- C:\WINDOWS\system32\drivers\tmpreflt.sys (Trend Micro Inc.)

DRV - (vsapint) -- C:\WINDOWS\system32\drivers\vsapint.sys (Trend Micro Inc.)

DRV - (tmactmon) -- C:\WINDOWS\system32\drivers\tmactmon.sys (Trend Micro Inc.)

DRV - (tmevtmgr) -- C:\WINDOWS\system32\drivers\tmevtmgr.sys (Trend Micro Inc.)

DRV - (tmcomm) -- C:\WINDOWS\system32\drivers\tmcomm.sys (Trend Micro Inc.)

DRV - (tmtdi) -- C:\WINDOWS\system32\drivers\tmtdi.sys (Trend Micro Inc.)

DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\hdaudbus.sys (Windows ® Server 2003 DDK provider)

DRV - (iastor) -- C:\WINDOWS\system32\DRIVERS\iaStor.sys (Intel Corporation)

DRV - (ADIHdAudAddService) -- C:\WINDOWS\system32\drivers\ADIHdAud.sys (Analog Devices, Inc.)

DRV - (DLADResM) -- C:\WINDOWS\system32\drivers\DLADResM.SYS (Roxio)

DRV - (DLABMFSM) -- C:\WINDOWS\system32\drivers\DLABMFSM.SYS (Roxio)

DRV - (DLAUDF_M) -- C:\WINDOWS\system32\drivers\DLAUDF_M.SYS (Roxio)

DRV - (DLAUDFAM) -- C:\WINDOWS\system32\drivers\DLAUDFAM.SYS (Roxio)

DRV - (DLAOPIOM) -- C:\WINDOWS\system32\drivers\DLAOPIOM.SYS (Roxio)

DRV - (DLABOIOM) -- C:\WINDOWS\system32\drivers\DLABOIOM.SYS (Roxio)

DRV - (DLAPoolM) -- C:\WINDOWS\system32\drivers\DLAPoolM.SYS (Roxio)

DRV - (DLAIFS_M) -- C:\WINDOWS\system32\drivers\DLAIFS_M.SYS (Roxio)

DRV - (DRVMCDB) -- C:\WINDOWS\System32\Drivers\DRVMCDB.SYS (Sonic Solutions)

DRV - (DLARTL_M) -- C:\WINDOWS\system32\drivers\DLARTL_M.SYS (Roxio)

DRV - (DLACDBHM) -- C:\WINDOWS\System32\Drivers\DLACDBHM.SYS (Roxio)

DRV - (DRVNDDM) -- C:\WINDOWS\system32\drivers\DRVNDDM.SYS (Roxio)

DRV - (HECI) Intel® -- C:\WINDOWS\system32\drivers\HECI.sys (Intel Corporation)

DRV - (ialm) -- C:\WINDOWS\system32\drivers\igxpmp32.sys (Intel Corporation)

DRV - (e1express) Intel® -- C:\WINDOWS\system32\drivers\e1e5132.sys (Intel Corporation)

DRV - (Esdpdx01) -- C:\WINDOWS\system32\drivers\ESDPDX01.SYS (MK Systems CO., LTD.)

DRV - (SenFiltService) -- C:\WINDOWS\system32\drivers\senfilt.sys (Sensaura)

DRV - (3c1807pd) -- C:\WINDOWS\system32\drivers\3c1807pd.sys (U.S. Robotics Corporation)

DRV - (USRpdA) -- C:\WINDOWS\system32\drivers\USRpdA.sys (U.S. Robotics Corporation)

========== Standard Registry (All) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://support.paladinpos.com/

IE - HKCU\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555

FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/09/02 03:00:17 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Firefox\Extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009/05/19 16:46:43 | 000,000,000 | ---D | M]

O1 HOSTS File: ([2010/06/22 07:09:06 | 000,262,631 | RHS- | M]) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O1 - Hosts: 127.0.0.1 www.007guard.com

O1 - Hosts: 127.0.0.1 007guard.com

O1 - Hosts: 127.0.0.1 010402.com

O1 - Hosts: 127.0.0.1 www.032439.com

O1 - Hosts: 127.0.0.1 032439.com

O1 - Hosts: 127.0.0.1 www.1001-search.info

O1 - Hosts: 127.0.0.1 1001-search.info

O1 - Hosts: 127.0.0.1 www.100888290cs.com

O1 - Hosts: 127.0.0.1 100888290cs.com

O1 - Hosts: 127.0.0.1 www.100sexlinks.com

O1 - Hosts: 127.0.0.1 100sexlinks.com

O1 - Hosts: 127.0.0.1 www.10sek.com

O1 - Hosts: 127.0.0.1 10sek.com

O1 - Hosts: 127.0.0.1 www.123topsearch.com

O1 - Hosts: 127.0.0.1 123topsearch.com

O1 - Hosts: 127.0.0.1 www.132.com

O1 - Hosts: 127.0.0.1 132.com

O1 - Hosts: 127.0.0.1 www.136136.net

O1 - Hosts: 127.0.0.1 136136.net

O1 - Hosts: 127.0.0.1 www.139mm.com

O1 - Hosts: 127.0.0.1 139mm.com

O1 - Hosts: 127.0.0.1 www.163ns.com

O1 - Hosts: 127.0.0.1 163ns.com

O1 - Hosts: 127.0.0.1 171203.com

O1 - Hosts: 9098 more lines...

O3 - HKLM\..\Toolbar: (MSN Toolbar) - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1125.0\msneshellx.dll (Microsoft Corp.)

O3 - HKCU\..\Toolbar\ShellBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)

O3 - HKCU\..\Toolbar\WebBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)

O3 - HKCU\..\Toolbar\WebBrowser: (&Links) - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)

O3 - HKCU\..\Toolbar\WebBrowser: (&Links) - {F2CF5485-4E02-4F68-819C-B92DE9277049} - C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)

O4 - HKLM..\Run: [3c1807pd] File not found

O4 - HKLM..\Run: [Adobe ARM] C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe File not found

O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)

O4 - HKLM..\Run: [ESDUSBMon.exe] C:\WINDOWS\system32\ESDUSBMon.exe (SEIKO EPSON Corp.)

O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)

O4 - HKLM..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe (Intel Corporation)

O4 - HKLM..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)

O4 - HKLM..\Run: [iSUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (Macrovision Corporation)

O4 - HKLM..\Run: [Microsoft Default Manager] C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe (Microsoft Corp.)

O4 - HKLM..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)

O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)

O4 - HKLM..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)

O4 - HKLM..\Run: [synchronization Manager] C:\WINDOWS\System32\mobsync.exe (Microsoft Corporation)

O4 - HKLM..\Run: [ufSeAgnt.exe] C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe (Trend Micro Inc.)

O4 - HKLM..\Run: [uSRpdA] File not found

O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)

O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)

O4 - HKCU..\Run: [iSUSPM] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (Macrovision Corporation)

O4 - HKCU..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (Trend Micro Inc.)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFolderOptions = 0

O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)

O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe (Microsoft Corporation)

O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\WINDOWS\system32\winrnr.dll (Microsoft Corporation)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O15 - HKLM\..Trusted Domains: acehardware-acenet.com ([]* in Trusted sites)

O15 - HKLM\..Trusted Domains: acehardware-aceonline.com ([]* in Trusted sites)

O15 - HKLM\..Trusted Domains: acehardware-eaglevision.com ([]* in Trusted sites)

O15 - HKLM\..Trusted Domains: acehardware-vendors.com ([]* in Trusted sites)

O15 - HKLM\..Trusted Domains: aceservices.com ([]* in Trusted sites)

O15 - HKCU\..Trusted Domains: acehardware-acenet.com ([]* in Trusted sites)

O15 - HKCU\..Trusted Domains: acehardware-aceonline.com ([]* in Trusted sites)

O15 - HKCU\..Trusted Domains: acehardware-eaglevision.com ([]* in Trusted sites)

O15 - HKCU\..Trusted Domains: acehardware-vendors.com ([]* in Trusted sites)

O15 - HKCU\..Trusted Domains: aceservices.com ([]* in Trusted sites)

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)

O16 - DPF: {24B8CB65-C0D2-11D0-A523-444553540000} http://ww1.acehardware-acenet.com/ACENET/C...xpl/AceExpl.cab (AceExplorer Control)

O16 - DPF: {41F841C0-AE16-11D5-8817-0050DA6EF5E5} http://ww1.acehardware-acenet.com/ACENET/c...t60/fpspr60.cab (FarPoint Spread 6.0 (OLEDB))

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/windowsupd...b?1233855965781 (WUWebControl Class)

O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} http://h20270.www2.hp.com/ediags/gmn2/inst...tDetection2.cab (GMNRev Class)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://dl8-cdn-09.sun.com/s/ESD7/JSCDL/jdk...ows-i586-jc.cab (Java Plug-in 1.6.0_13)

O16 - DPF: {8BF1A503-001F-11D0-A296-00A0246497B9} http://ww1.acehardware-acenet.com/ACENET/C...ENET/ACECTL.CAB (ACENET Control)

O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)

O16 - DPF: {93D532DD-85FC-4A92-8254-8DB5437D8690} http://onbase.aceservices.com/AppNet/activex/OBXPopup.cab (OBXPopupBlockerAssistant Control)

O16 - DPF: {C903C000-9C6E-419D-A0AC-2E760BBA3764} http://ww1.acehardware-acenet.com/ACENET/C...Si/McsiMenu.cab (MCSiMenuCtl Class)

O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)

O16 - DPF: {EAE50EB0-4A62-11CE-BED6-00AA00611080} http://ww1.acehardware-acenet.com/ACEnet/c...ft/MSpert10.cab (Microsoft Forms 2.0 TabStrip)

O16 - DPF: {F5876F16-5217-4B38-96F3-C2BB80215302} http://imagemax.aceservices.com/appnet/act...BXWebViewer.cab (OBXWebViewer Control)

O16 - DPF: AceIESecuritySettings http://ww1.acehardware-acenet.com/Controls...itySettings.CAB (Reg Error: Key error.)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1

O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)

O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)

O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\gopher {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\ipp - No CLSID value found

O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)

O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)

O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)

O18 - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll (Microsoft Corporation)

O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\msdaipp - No CLSID value found

O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)

O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)

O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)

O18 - Protocol\Handler\sysimage {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)

O18 - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)

O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)

O18 - Protocol\Handler\wia {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll (Microsoft Corporation)

O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)

O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)

O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)

O18 - Protocol\Filter\Class Install Handler {32B533BB-EDAE-11d0-BD5A-00AA00B92AF1} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Filter\deflate {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Filter\gzip {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Filter\lzdhtml {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Filter\text/webviewhtml {733AC4CB-F1A4-11d0-B951-00A0C90312E1} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)

O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)

O20 - HKLM Winlogon: UIHost - (logonui.exe) - C:\WINDOWS\System32\logonui.exe (Microsoft Corporation)

O20 - HKLM Winlogon: VMApplet - (rundll32 shell32) - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)

O20 - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") - C:\WINDOWS\System32\sysdm.cpl (Microsoft Corporation)

O20 - Winlogon\Notify\crypt32chain: DllName - crypt32.dll - C:\WINDOWS\System32\crypt32.dll (Microsoft Corporation)

O20 - Winlogon\Notify\cryptnet: DllName - cryptnet.dll - C:\WINDOWS\System32\cryptnet.dll (Microsoft Corporation)

O20 - Winlogon\Notify\cscdll: DllName - cscdll.dll - C:\WINDOWS\System32\cscdll.dll (Microsoft Corporation)

O20 - Winlogon\Notify\dimsntfy: DllName - %SystemRoot%\System32\dimsntfy.dll - C:\WINDOWS\system32\dimsntfy.dll (Microsoft Corporation)

O20 - Winlogon\Notify\GoToAssist: DllName - C:\Program Files\Citrix\GoToAssist\570\G2AWinLogon.dll - C:\Program Files\Citrix\GoToAssist\570\g2awinlogon.dll (Citrix Online, a division of Citrix Systems, Inc.)

O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)

O20 - Winlogon\Notify\ScCertProp: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)

O20 - Winlogon\Notify\Schedule: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)

O20 - Winlogon\Notify\sclgntfy: DllName - sclgntfy.dll - C:\WINDOWS\System32\sclgntfy.dll (Microsoft Corporation)

O20 - Winlogon\Notify\SensLogn: DllName - WlNotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)

O20 - Winlogon\Notify\termsrv: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)

O20 - Winlogon\Notify\WgaLogon: DllName - WgaLogon.dll - C:\WINDOWS\System32\WgaLogon.dll (Microsoft Corporation)

O20 - Winlogon\Notify\wlballoon: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)

O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)

O21 - SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)

O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\system32\stobject.dll (Microsoft Corporation)

O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\system32\webcheck.dll (Microsoft Corporation)

O22 - SharedTaskScheduler: {438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)

O22 - SharedTaskScheduler: {8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)

O24 - Desktop Components:0 (My Current Home Page) - About:Home

O24 - Desktop WallPaper: C:\Documents and Settings\Paladin User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O24 - Desktop BackupWallPaper: C:\Documents and Settings\Paladin User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)

O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)

O29 - HKLM SecurityProviders - (msapsspc.dll) - C:\WINDOWS\System32\msapsspc.dll (Microsoft Corporation)

O29 - HKLM SecurityProviders - (schannel.dll) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)

O29 - HKLM SecurityProviders - (digest.dll) - C:\WINDOWS\System32\digest.dll (Microsoft Corporation)

O29 - HKLM SecurityProviders - (msnsspc.dll) - C:\WINDOWS\System32\msnsspc.dll (Microsoft Corporation)

O30 - LSA: Authentication Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)

O30 - LSA: Security Packages - (kerberos) - C:\WINDOWS\System32\kerberos.dll (Microsoft Corporation)

O30 - LSA: Security Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)

O30 - LSA: Security Packages - (schannel) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)

O30 - LSA: Security Packages - (wdigest) - C:\WINDOWS\System32\wdigest.dll (Microsoft Corporation)

O31 - SafeBoot: AlternateShell - cmd.exe

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2008/03/14 19:34:49 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O32 - AutoRun File - [2008/03/14 19:34:49 | 000,000,000 | ---- | M] () - P:\AUTOEXEC.BAT -- [ NTFS ]

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/06/22 19:18:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paladin User\Local Settings\Application Data\cjubqgwcb

[2010/06/22 16:00:23 | 000,388,608 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\Paladin User\Desktop\HijackThis.exe

[2010/06/22 12:28:08 | 000,000,000 | -H-D | C] -- C:\WINDOWS\System32\GroupPolicy

[2010/06/21 18:15:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paladin User\Local Settings\Application Data\nwbwlcvia

[2010/06/21 16:42:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia

[2010/06/21 16:42:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe

[2010/06/21 16:14:02 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\All Users\Application Data\MSTMJVEE

[2010/06/21 16:12:50 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\All Users\Application Data\0d9c71d

[2010/06/21 16:09:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paladin User\Local Settings\Application Data\Windows Server

[2010/06/21 16:09:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paladin User\Application Data\6565FAC67FD5EA98CB1770FD0F965885

[2010/05/14 10:27:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paladin User\Desktop\denis cimaf

[2010/05/07 08:08:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paladin User\Local Settings\Application Data\Roxio

[2010/05/07 08:03:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Uninstall

[2010/05/07 08:03:05 | 000,099,808 | ---- | C] (Sonic Solutions) -- C:\WINDOWS\System32\drivers\DRVMCDB.SYS

[2010/05/07 08:03:05 | 000,098,448 | ---- | C] (Roxio) -- C:\WINDOWS\System32\drivers\DLAUDF_M.SYS

[2010/05/07 08:03:05 | 000,093,552 | ---- | C] (Roxio) -- C:\WINDOWS\System32\drivers\DLAUDFAM.SYS

[2010/05/07 08:03:05 | 000,052,000 | ---- | C] (Roxio) -- C:\WINDOWS\System32\drivers\DRVNDDM.SYS

[2010/05/07 08:03:05 | 000,037,360 | ---- | C] (Roxio) -- C:\WINDOWS\System32\drivers\DLABMFSM.SYS

[2010/05/07 08:03:05 | 000,032,848 | ---- | C] (Roxio) -- C:\WINDOWS\System32\drivers\DLABOIOM.SYS

[2010/05/07 08:03:05 | 000,027,216 | ---- | C] (Roxio) -- C:\WINDOWS\System32\drivers\DLAOPIOM.SYS

[2010/05/07 08:03:05 | 000,016,304 | ---- | C] (Roxio) -- C:\WINDOWS\System32\drivers\DLAPoolM.SYS

[2010/05/07 08:03:04 | 000,108,752 | ---- | C] (Roxio) -- C:\WINDOWS\System32\drivers\DLAIFS_M.SYS

[2010/05/07 08:03:04 | 000,030,064 | ---- | C] (Roxio) -- C:\WINDOWS\System32\drivers\DLARTL_M.SYS

[2010/05/07 08:03:04 | 000,014,576 | ---- | C] (Roxio) -- C:\WINDOWS\System32\drivers\DLACDBHM.SYS

[2010/05/07 08:03:04 | 000,009,104 | ---- | C] (Roxio) -- C:\WINDOWS\System32\drivers\DLADResM.SYS

[2010/05/07 08:02:54 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\SureThing Shared

[2010/05/07 08:02:22 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Sonic Shared

[2010/05/07 08:02:00 | 000,000,000 | ---D | C] -- C:\Program Files\Roxio

[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/06/23 01:15:00 | 000,000,286 | ---- | M] () -- C:\WINDOWS\tasks\Nightly Reboot.job

[2010/06/22 15:53:17 | 000,262,016 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.new

[2010/06/22 07:09:06 | 000,262,631 | RHS- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts

[2010/06/21 15:36:52 | 000,184,832 | ---- | M] () -- C:\WINDOWS\Vhuqyb.exe

[2010/05/23 10:57:12 | 000,823,808 | ---- | M] () -- C:\WINDOWS\System32\drivers\enworf.sys

[2010/05/23 10:57:07 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job

[2010/05/23 10:54:55 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2010/05/23 10:54:15 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT

[2010/05/23 10:53:59 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2010/05/23 10:53:29 | 006,029,312 | -H-- | M] () -- C:\Documents and Settings\Paladin User\NTUSER.DAT

[2010/05/23 10:53:29 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Paladin User\ntuser.ini

[2010/05/23 10:53:28 | 003,184,656 | -H-- | M] () -- C:\Documents and Settings\Paladin User\Local Settings\Application Data\IconCache.db

[2010/05/23 10:53:27 | 000,000,552 | ---- | M] () -- C:\WINDOWS\win.ini

[2010/05/23 10:53:27 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini

[2010/05/23 10:53:27 | 000,000,211 | -HS- | M] () -- C:\boot.ini

[2010/05/22 13:36:40 | 000,388,608 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\Paladin User\Desktop\HijackThis.exe

[2010/05/21 10:39:43 | 000,000,319 | ---- | M] () -- C:\Documents and Settings\Paladin User\Desktop\ACENET Default1.url

[2010/05/18 13:23:40 | 000,017,301 | ---- | M] () -- C:\Documents and Settings\Paladin User\My Documents\Stan Barry.docx

[2010/05/12 11:21:16 | 000,221,568 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe

[2010/05/11 09:30:21 | 000,017,317 | ---- | M] () -- C:\Documents and Settings\Paladin User\My Documents\Stan Berry.docx

[2010/05/11 09:29:53 | 000,066,127 | ---- | M] () -- C:\Documents and Settings\Paladin User\My Documents\IMG00151-20100510-0951.jpg

[2010/05/07 08:03:05 | 000,000,554 | ---- | M] () -- C:\WINDOWS\wininit.ini

[2010/04/30 16:12:03 | 000,011,232 | ---- | M] () -- C:\Documents and Settings\Paladin User\My Documents\ivyclassic.docx

[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys

[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/06/22 19:18:47 | 000,823,808 | ---- | C] () -- C:\WINDOWS\System32\drivers\enworf.sys

[2010/06/21 16:31:12 | 000,184,832 | ---- | C] () -- C:\WINDOWS\Vhuqyb.exe

[2010/05/18 13:23:40 | 000,017,301 | ---- | C] () -- C:\Documents and Settings\Paladin User\My Documents\Stan Barry.docx

[2010/05/11 09:30:21 | 000,017,317 | ---- | C] () -- C:\Documents and Settings\Paladin User\My Documents\Stan Berry.docx

[2010/05/11 09:29:55 | 000,066,127 | ---- | C] () -- C:\Documents and Settings\Paladin User\My Documents\IMG00151-20100510-0951.jpg

[2010/05/07 08:09:00 | 000,000,012 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\DragToDiscUserNameD.txt

[2010/05/07 08:03:04 | 000,001,109 | ---- | C] () -- C:\WINDOWS\System32\drivers\PConfig.DCF

[2010/04/30 16:12:03 | 000,011,232 | ---- | C] () -- C:\Documents and Settings\Paladin User\My Documents\ivyclassic.docx

[2009/11/02 12:56:07 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\HPPLVS.dll

[2009/10/31 12:59:27 | 000,001,244 | ---- | C] () -- C:\WINDOWS\RegalRailing.INI

[2008/03/20 16:15:35 | 000,000,539 | ---- | C] () -- C:\WINDOWS\label.ini

[2008/03/19 00:36:30 | 000,167,936 | ---- | C] () -- C:\WINDOWS\System32\EpsStmEW.DLL

[2008/03/19 00:36:30 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\SharpImg.dll

[2008/03/19 00:31:22 | 000,001,345 | ---- | C] () -- C:\WINDOWS\LMAAT2DD.ini

[2008/03/19 00:24:34 | 000,466,944 | R--- | C] () -- C:\WINDOWS\System32\softcoin.dll

[2008/03/19 00:24:34 | 000,344,064 | R--- | C] () -- C:\WINDOWS\System32\gencoin.dll

[2008/03/18 18:14:34 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4837.dll

[2008/03/17 16:37:29 | 000,004,746 | ---- | C] () -- C:\WINDOWS\SigPlus.ini

[2008/03/17 16:33:55 | 000,000,052 | ---- | C] () -- C:\WINDOWS\odbcddp.ini

[2008/03/17 16:33:54 | 000,001,429 | ---- | C] () -- C:\WINDOWS\ODBC.INI

[2008/03/17 16:33:32 | 000,176,235 | ---- | C] () -- C:\WINDOWS\System32\Primomonnt.dll

[2008/03/17 11:02:35 | 000,000,554 | ---- | C] () -- C:\WINDOWS\wininit.ini

[2006/08/31 12:46:13 | 000,000,310 | ---- | C] () -- C:\WINDOWS\primopdf.ini

========== Alternate Data Streams ==========

@Alternate Data Stream - 120 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34

< End of report >


You are welcome :D

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    :OTL
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555
    O4 - HKLM..\Run: [3c1807pd] File not found
    O4 - HKLM..\Run: [USRpdA] File not found
    [2010/06/22 19:18:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paladin User\Local Settings\Application Data\cjubqgwcb
    [2010/06/21 18:15:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paladin User\Local Settings\Application Data\nwbwlcvia
    [2010/06/21 16:14:02 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\All Users\Application Data\MSTMJVEE
    [2010/06/21 16:12:50 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\All Users\Application Data\0d9c71d
    [2010/06/21 16:09:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paladin User\Local Settings\Application Data\Windows Server
    [2010/06/21 16:09:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paladin User\Application Data\6565FAC67FD5EA98CB1770FD0F965885
    [2010/06/21 15:36:52 | 000,184,832 | ---- | M] () -- C:\WINDOWS\Vhuqyb.exe
    [2010/05/23 10:57:12 | 000,823,808 | ---- | M] () -- C:\WINDOWS\System32\drivers\enworf.sys


    :Commands
    [emptytemp]
    [resethosts]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • It will produce a log for you on reboot, please post that log in your next reply.

===============

Download ComboFix from one of these locations:

Link 1

Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

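The fix script in the post above is built from a handful of indicator types in the OTL log: an IE proxy pointed at the loopback address, Run values whose target file no longer exists, hidden+system folders with random names under Application Data, executables with no company name dropped straight into the Windows or drivers directory, and a hosts file that has grown huge and been given read-only/hidden/system attributes. The following is an added example (not OTL's code and not the helper's script) that parses OTL's "IE -", "O4 -" and file/folder line formats and flags exactly those entry types. The sample lines are copied from the OTL log posted in this thread; the two benign lines (the Roxio folder and the mbam.sys driver) are constructed controls that should pass, and the 2048-byte hosts threshold is an assumption, since a stock XP hosts file is well under 1 KB.

```python
"""Triage OTL log lines for the indicator types a forum helper pulls into a fix script.

Added example, not part of OTL or of this thread's posts. Sample lines are copied
from the OTL log above; the Roxio and mbam.sys lines are constructed benign controls.
"""
import re
from typing import Dict, List

SAMPLE_LOG = r"""
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555
O4 - HKLM..\Run: [3c1807pd] File not found
[2010/06/21 16:14:02 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\All Users\Application Data\MSTMJVEE
[2010/06/21 15:36:52 | 000,184,832 | ---- | M] () -- C:\WINDOWS\Vhuqyb.exe
[2010/05/23 10:57:12 | 000,823,808 | ---- | M] () -- C:\WINDOWS\System32\drivers\enworf.sys
[2010/06/22 07:09:06 | 000,262,631 | RHS- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/05/07 08:02:00 | 000,000,000 | ---D | C] -- C:\Program Files\Roxio
"""

# OTL file/folder line: [stamp | size | RHSD attribute flags | C(reated)/M(odified)] (company) -- path
# Directory entries carry no "(company)" field, so that group is optional.
FILE_LINE = re.compile(
    r"^\[(?P<stamp>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\] (?:\((?P<company>[^)]*)\) )?-- (?P<path>.+)$"
)
PROXY_LINE = re.compile(r'"ProxyServer" = (?P<value>.+)$')
ORPHAN_RUN = re.compile(r"^O4 - HK\w+\.\.\\Run: \[[^\]]+\] File not found$")

SYSTEM_EXE_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\system32\drivers"}
EXEC_EXT = (".exe", ".dll", ".sys")
HOSTS_PATH = r"c:\windows\system32\drivers\etc\hosts"
HOSTS_MAX_EXPECTED = 2048  # assumption: a stock XP hosts file is well under 1 KB


def triage_line(line: str) -> List[str]:
    """Return the reasons a single OTL line deserves attention (empty list if none)."""
    reasons: List[str] = []
    m = PROXY_LINE.search(line)
    if m:
        value = m.group("value").lower()
        if "127.0.0.1" in value or "localhost" in value:
            reasons.append("IE proxy points at loopback: a local process is intercepting browser traffic")
        return reasons
    if ORPHAN_RUN.match(line):
        reasons.append("Run value whose target file is missing: leftover launcher, safe to remove")
        return reasons
    m = FILE_LINE.match(line)
    if not m:
        return reasons
    attrs, company = m.group("attrs"), m.group("company")  # company is None for directories
    size = int(m.group("size").replace(",", ""))
    path = m.group("path").lower()
    parent, _, name = path.rpartition("\\")
    is_dir = attrs[3] == "D"
    hidden_system = attrs[1] == "H" and attrs[2] == "S"
    if path == HOSTS_PATH:
        if attrs[:3] != "---":
            reasons.append("hosts file carries R/H/S attributes: set to hinder editing it back")
        if size > HOSTS_MAX_EXPECTED:
            reasons.append(f"hosts file is {size} bytes: far larger than a stock file, likely hijacked")
    if is_dir and hidden_system and "application data" in parent:
        reasons.append("hidden+system folder under Application Data: typical rogue-AV data store")
    if not is_dir and name.endswith(EXEC_EXT) and company == "" and parent in SYSTEM_EXE_DIRS:
        reasons.append("executable with no company name dropped straight into a system directory")
    return reasons


def triage(log: str) -> Dict[str, List[str]]:
    """Map each flagged log line to its reasons; lines with no findings are omitted."""
    findings: Dict[str, List[str]] = {}
    for raw in log.splitlines():
        line = raw.strip()
        reasons = triage_line(line)
        if reasons:
            findings[line] = reasons
    return findings


if __name__ == "__main__":
    for flagged, why in triage(SAMPLE_LOG).items():
        print(flagged)
        for reason in why:
            print("   ->", reason)
```

Run against the sample, six of the nine lines are flagged and the two constructed controls pass; the "ProxyEnable" line on its own is deliberately not a finding, because the proxy setting is only suspicious once the server value is examined. The rules are narrow by design: an entry with a real company name in a system directory, or a plain (non hidden+system) folder, is left for a human to judge rather than guessed at.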

Here is the OTL log; the ComboFix log is coming in a second.

All processes killed

========== OTL ==========

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully!

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyOverride| /E : value set successfully!

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\3c1807pd deleted successfully.

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\USRpdA deleted successfully.

C:\Documents and Settings\Paladin User\Local Settings\Application Data\cjubqgwcb folder moved successfully.

C:\Documents and Settings\Paladin User\Local Settings\Application Data\nwbwlcvia folder moved successfully.

C:\Documents and Settings\All Users\Application Data\MSTMJVEE folder moved successfully.

C:\Documents and Settings\All Users\Application Data\0d9c71d\Quarantine Items folder moved successfully.

C:\Documents and Settings\All Users\Application Data\0d9c71d\MSESys folder moved successfully.

C:\Documents and Settings\All Users\Application Data\0d9c71d\BackUp folder moved successfully.

C:\Documents and Settings\All Users\Application Data\0d9c71d folder moved successfully.

C:\Documents and Settings\Paladin User\Local Settings\Application Data\Windows Server folder moved successfully.

C:\Documents and Settings\Paladin User\Application Data\6565FAC67FD5EA98CB1770FD0F965885 folder moved successfully.

C:\WINDOWS\Vhuqyb.exe moved successfully.

File move failed. C:\WINDOWS\system32\drivers\enworf.sys scheduled to be moved on reboot.

========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator

->Temp folder emptied: 25226 bytes

->Temporary Internet Files folder emptied: 33170 bytes

User: All Users

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

->Flash cache emptied: 41620 bytes

User: LocalService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 143662 bytes

User: NetworkService

->Temp folder emptied: 934364 bytes

->Temporary Internet Files folder emptied: 6163350 bytes

->Flash cache emptied: 8090 bytes

User: Paladin User

->Temp folder emptied: 289444558 bytes

->Temporary Internet Files folder emptied: 28179837 bytes

->Java cache emptied: 56569488 bytes

->Flash cache emptied: 307366 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 2195181 bytes

%systemroot%\System32 .tmp files removed: 2577 bytes

%systemroot%\System32\dllcache .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 145328812 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 10947822 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes

RecycleBin emptied: 143650163 bytes

Total Files Cleaned = 652.00 mb

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.

HOSTS file reset successfully

OTL by OldTimer - Version 3.2.5.0 log created on 05232010_115056

Files\Folders moved on Reboot...

File move failed. C:\WINDOWS\system32\drivers\enworf.sys scheduled to be moved on reboot.

Registry entries deleted on Reboot...


Here is the ComboFix log.

ComboFix 10-05-22.03 - Paladin User 05/23/2010 12:22:22.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.981.635 [GMT -4:00]

Running from: c:\documents and settings\Paladin User\Desktop\ComboFix.exe

AV: Trend Micro Internet Security *On-access scanning enabled* (Outdated) {7D2296BC-32CC-4519-917E-52E652474AF5}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

c:\documents and settings\Paladin User\Application Data\Microsoft\HTML Help\hh.dat

c:\documents and settings\Paladin User\GoToAssistDownloadHelper.exe

c:\documents and settings\Paladin User\Recent\cb.dll

c:\documents and settings\Paladin User\Recent\eb.dll

c:\documents and settings\Paladin User\Recent\eb.exe

c:\documents and settings\Paladin User\Recent\energy.tmp

c:\documents and settings\Paladin User\Recent\exec.drv

c:\documents and settings\Paladin User\Recent\FW.exe

c:\documents and settings\Paladin User\Recent\kernel32.exe

c:\documents and settings\Paladin User\Recent\pal.dll

c:\documents and settings\Paladin User\Recent\PE.exe

c:\documents and settings\Paladin User\Recent\PE.sys

c:\documents and settings\Paladin User\Recent\ppal.drv

c:\documents and settings\Paladin User\Recent\runddl.exe

c:\documents and settings\Paladin User\Recent\snl2w.drv

c:\documents and settings\Paladin User\Recent\tempdoc.dll

c:\documents and settings\Paladin User\Recent\tjd.drv

c:\documents and settings\Paladin User\Start Menu\Programs\Antimalware Doctor

c:\documents and settings\Paladin User\Start Menu\Programs\Antimalware Doctor\Antimalware Doctor.lnk

c:\documents and settings\Paladin User\Start Menu\Programs\Antimalware Doctor\Uninstall.lnk

C:\feed.txt

c:\windows\system32\driVERs\enworf.sys

c:\windows\system32\service

c:\windows\system32\service\01022010_TIS17_SfFniAU.log

c:\windows\system32\service\01092009_TIS17_SfFniAU.log

c:\windows\system32\service\02012010_TIS17_SfFniAU.log

c:\windows\system32\service\02072009_TIS17_SfFniAU.log

c:\windows\system32\service\04062009_TIS17_SfFniAU.log

c:\windows\system32\service\09012010_TIS17_SfFniAU.log

c:\windows\system32\service\11012010_TIS17_SfFniAU.log

c:\windows\system32\service\12102009_TIS17_SfFniAU.log

c:\windows\system32\service\13052010_TIS17_SfFniAU.log

c:\windows\system32\service\13072009_TIS17_SfFniAU.log

c:\windows\system32\service\14102009_TIS17_SfFniAU.log

c:\windows\system32\service\16032009_TIS17_SfFniAU.log

c:\windows\system32\service\16042009_TIS17_SfFniAU.log

c:\windows\system32\service\17052010_TIS17_SfFniAU.log

c:\windows\system32\service\18042010_TIS17_SfFniAU.log

c:\windows\system32\service\19122009_TIS17_SfFniAU.log

c:\windows\system32\service\20052010_TIS17_SfFniAU.log

c:\windows\system32\service\22102009_TIS17_SfFniAU.log

c:\windows\system32\service\23062009_TIS17_SfFniAU.log

c:\windows\system32\service\23082009_TIS17_SfFniAU.log

c:\windows\system32\service\26082009_TIS17_SfFniAU.log

c:\windows\system32\service\26122009_TIS17_SfFniAU.log

c:\windows\system32\service\27052009_TIS17_SfFniAU.log

c:\windows\system32\service\27102009_TIS17_SfFniAU.log

c:\windows\system32\service\29102009_TIS17_SfFniAU.log

c:\windows\system32\service\30012010_TIS17_SfFniAU.log

----- BITS: Possible infected sites -----

hxxp://update.paladinpos.com

Infected copy of c:\windows\system32\drivers\ftdisk.sys was found and disinfected

Restored copy from - Kitty had a snack :D

c:\windows\system32\ws2_32.dll . . . is infected!!

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_enworf

-------\Service_enworf

((((((((((((((((((((((((( Files Created from 2010-04-23 to 2010-05-23 )))))))))))))))))))))))))))))))

.

2010-06-22 16:28 . 2010-06-22 16:28 -------- d--h--w- c:\windows\system32\GroupPolicy

2010-05-23 15:50 . 2010-05-23 15:50 -------- d-----w- C:\_OTL

2010-05-07 12:08 . 2010-05-07 12:08 -------- d-----w- c:\documents and settings\Paladin User\Local Settings\Application Data\Roxio

2010-05-07 12:02 . 2010-05-07 12:02 -------- d-----w- c:\program files\Common Files\SureThing Shared

2010-05-07 12:02 . 2010-05-07 12:03 -------- d-----w- c:\program files\Common Files\Sonic Shared

2010-05-07 12:02 . 2010-05-07 12:03 -------- d-----w- c:\program files\Roxio

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-06-22 18:47 . 2010-01-09 15:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-05-12 15:21 . 2009-10-03 02:55 221568 ------w- c:\windows\system32\MpSigStub.exe

2010-05-12 07:01 . 2009-06-10 21:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-05-07 12:03 . 2010-05-07 12:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Uninstall

2010-05-07 12:02 . 2008-03-17 15:02 -------- d-----w- c:\program files\Common Files\Roxio Shared

2010-05-07 12:02 . 2009-02-05 17:41 -------- d-----w- c:\documents and settings\Paladin User\Application Data\InstallShield

2010-05-07 12:02 . 2008-03-14 23:29 -------- d-----w- c:\program files\Common Files\InstallShield

2010-05-06 13:53 . 2009-05-06 15:27 -------- d-----w- c:\program files\Auction Client

2010-04-29 19:39 . 2010-01-09 15:13 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 19:39 . 2010-01-09 15:13 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-24 18:17 . 2010-03-24 08:04 952768 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\30168\AdobeARM.exe

2010-03-24 18:17 . 2010-03-24 08:04 70584 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\30168\AdobeExtractFiles.dll

2010-03-24 18:17 . 2010-03-24 08:04 326056 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\30168\ReaderUpdater.exe

2010-03-24 18:17 . 2010-03-24 08:04 326056 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\30168\AcrobatUpdater.exe

2010-03-11 12:38 . 2006-03-04 03:33 832512 ----a-w- c:\windows\system32\wininet.dll

2010-03-11 12:38 . 2004-08-04 10:00 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-03-11 12:38 . 2004-08-04 10:00 17408 ----a-w- c:\windows\system32\corpol.dll

2010-03-09 11:09 . 2004-08-04 10:00 430080 ----a-w- c:\windows\system32\vbscript.dll

2010-02-24 13:11 . 2004-08-04 10:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

.

------- Sigcheck -------

[7] 2008-04-14 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\user32.dll

[-] 2008-04-14 . 48FDBBE0E55B15E1886FCF5D8563B19F . 578560 . . [5.1.2600.5512] . . c:\windows\system32\user32.dll

[-] 2007-03-08 . 7AA4F6C00405DFC4B70ED4214E7D687B . 578048 . . [5.1.2600.3099] . . c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll

[-] 2007-03-08 . B409909F6E2E8A7067076ED748ABF1E7 . 577536 . . [5.1.2600.3099] . . c:\windows\$NtServicePackUninstall$\user32.dll

[-] 2005-03-02 . 1800F293BCCC8EDE8A70E12B88D80036 . 577024 . . [5.1.2600.2622] . . c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll

[-] 2005-03-02 . DE2DB164BBB35DB061AF0997E4499054 . 577024 . . [5.1.2600.2622] . . c:\windows\$NtUninstallKB925902$\user32.dll

[7] 2004-08-04 . C72661F8552ACE7C5C85E16A3CF505C4 . 577024 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB890859$\user32.dll

[7] 2008-04-14 . 2CCC474EB85CEAA3E1FA1726580A3E5A . 82432 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ws2_32.dll

[-] 2008-04-14 . 5D567A625ECB5B4728130E4B31CA87EF . 82432 . . [5.1.2600.5512] . . c:\windows\system32\ws2_32.dll

[7] 2004-08-04 . 2ED0B7F12A60F90092081C50FA0EC2B2 . 82944 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ws2_32.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-08-01 1036288]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-06 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-06 162328]

"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-06 137752]

"ESDUSBMon.exe"="c:\windows\system32\ESDUSBMon.exe" [2005-05-27 188416]

"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-03 178712]

"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]

"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-10-21 995528]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]

"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]

2009-05-05 21:44 16680 ----a-w- c:\program files\Citrix\GoToAssist\570\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^Paladin User^Start Menu^Programs^Startup^Antimalware Doctor.lnk]

path=c:\documents and settings\Paladin User\Start Menu\Programs\Startup\Antimalware Doctor.lnk

backup=c:\windows\pss\Antimalware Doctor.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\atchk]

2007-06-13 01:09 408344 ----a-w- c:\program files\Intel\AMT\atchk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LionClock Server]

2008-04-22 19:12 3412280 ----a-w- c:\program files\LionClock Server\LionClock Server.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\WINDOWS\\system32\\spoolsv.exe"=

R2 EPSON ESCPOS Status Service;EPSON ESC/POS Status Service;EpStsSrv.exe --> EpStsSrv.exe [?]

R2 Esdpdx01;Esdpdx01;c:\windows\system32\drivers\ESDPDX01.SYS [5/11/2006 1:51 PM 95485]

R2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\program files\Firebird\Firebird_1_5\bin\fbguard.exe -s --> c:\program files\Firebird\Firebird_1_5\bin\fbguard.exe -s [?]

R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [3/11/2009 5:09 PM 50192]

R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [3/11/2009 5:06 PM 36368]

R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\Intel\AMT\UNS.exe [3/14/2008 7:47 PM 2521880]

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 11:19 PM 13592]

R3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\program files\Firebird\Firebird_1_5\bin\fbserver.exe -s --> c:\program files\Firebird\Firebird_1_5\bin\fbserver.exe -s [?]

S2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [3/11/2009 5:09 PM 677128]

S3 PortEmulatorHSP7000;Port Emulator (HSP7000);c:\program files\StarMicronics\HSP7000\Software\VirtualPortEmulator\Software\VSPEU\portemu_umdf.exe [7/1/2008 11:44 PM 163840]

.

Contents of the 'Scheduled Tasks' folder

2010-05-23 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 03:20]

2009-03-11 c:\windows\Tasks\Nightly Backup.job

- c:\paladinpos\PaladinPOS.exe [2008-03-17 15:30]

2010-06-23 c:\windows\Tasks\Nightly Reboot.job

- c:\windows\system32\shutdown.exe [2004-08-04 00:12]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://support.paladinpos.com/

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

Trusted Zone: acehardware-acenet.com

Trusted Zone: acehardware-aceonline.com

Trusted Zone: acehardware-eaglevision.com

Trusted Zone: acehardware-vendors.com

Trusted Zone: aceservices.com

Trusted Zone: acehardware-acenet.com

Trusted Zone: acehardware-aceonline.com

Trusted Zone: acehardware-eaglevision.com

Trusted Zone: acehardware-vendors.com

Trusted Zone: aceservices.com

DPF: AceIESecuritySettings - hxxp://ww1.acehardware-acenet.com/Controls/AceIESecuritySettings.CAB

DPF: {24B8CB65-C0D2-11D0-A523-444553540000} - hxxp://ww1.acehardware-acenet.com/ACENET/Controls/AceExpl/AceExpl.cab

DPF: {41F841C0-AE16-11D5-8817-0050DA6EF5E5} - hxxp://ww1.acehardware-acenet.com/ACENET/controls/FarPoint60/fpspr60.cab

DPF: {8BF1A503-001F-11D0-A296-00A0246497B9} - hxxp://ww1.acehardware-acenet.com/ACENET/Controls/ACENET/ACECTL.CAB

DPF: {93D532DD-85FC-4A92-8254-8DB5437D8690} - hxxp://onbase.aceservices.com/AppNet/activex/OBXPopup.cab

DPF: {C903C000-9C6E-419D-A0AC-2E760BBA3764} - hxxp://ww1.acehardware-acenet.com/ACENET/Controls/MCSi/McsiMenu.cab

DPF: {F5876F16-5217-4B38-96F3-C2BB80215302} - hxxp://imagemax.aceservices.com/appnet/activex/OBXWebViewer.cab

.

- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)

HKLM-Run-Adobe ARM - c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

AddRemove-Free Invoicer_is1 - c:\program files\Citrusware\unins000.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-05-23 12:31

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Cryptography\RNG*]

"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,

bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\

"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,

bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\

"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,

bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(724)

c:\program files\Citrix\GoToAssist\570\G2AWinLogon.dll

- - - - - - - > 'explorer.exe'(2528)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\System32\wudfhost.exe

c:\program files\Trend Micro\BM\TMBMSRV.exe

c:\program files\Intel\AMT\atchksrv.exe

c:\windows\system32\EpStsSrv.exe

c:\program files\Firebird\Firebird_1_5\bin\fbguard.exe

c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Intel\AMT\LMS.exe

c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

c:\program files\Firebird\Firebird_1_5\bin\fbserver.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\igfxsrvc.exe

.

**************************************************************************

.

Completion time: 2010-05-23 12:35:35 - machine was rebooted

ComboFix-quarantined-files.txt 2010-05-23 16:35

Pre-Run: 145,558,949,888 bytes free

Post-Run: 145,462,886,400 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - DF5E2DEEFB24E5B72AE44C141D0A27C4


1. Please open Notepad

  • Click Start, then Run.
  • Type notepad in the Run box, then hit OK.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KILLALL::

Fcopy::
c:\windows\ServicePackFiles\i386\user32.dll|c:\windows\system32\user32.dll
c:\windows\ServicePackFiles\i386\user32.dll|c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
c:\windows\ServicePackFiles\i386\user32.dll|c:\windows\$NtServicePackUninstall$\user32.dll
c:\windows\ServicePackFiles\i386\user32.dll|c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll
c:\windows\ServicePackFiles\i386\user32.dll|c:\windows\$NtUninstallKB925902$\user32.dll
c:\windows\ServicePackFiles\i386\ws2_32.dll|c:\windows\system32\ws2_32.dll

Registry::
[-HKLM\~\startupfolder\C:^Documents and Settings^Paladin User^Start Menu^Programs^Startup^Antimalware Doctor.lnk]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=-

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation: CFScriptB-4.gif]

5. After the reboot (in case it asks to reboot), please post the following report/log in your next reply:

  • Combofix.txt

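The Fcopy:: lines above come straight from the Sigcheck section of the earlier log: the [7] copy under ServicePackFiles\i386 is the verified reference, and a [-] copy with the same version string but a different MD5 is the one ComboFix had to overwrite. The following Python script is an added example (not ComboFix's or the forum helper's code) that parses that section from sample rows lifted from this thread's log, classifies every copy, and emits the matching Fcopy:: rows; the reading of [7] as "verified" and [-] as "not verified" is an assumption about ComboFix's convention.

```python
"""Triage the Sigcheck section of a ComboFix log (added example, not ComboFix's code).

Assumed convention: "[7]" marks a copy ComboFix could verify, "[-]" one it could not.
The verified copy under ServicePackFiles\\i386 is the reference; a "[-]" copy that
claims the same version but carries a different MD5 is flagged "patched".
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Sample rows lifted from this thread's Sigcheck section, followed by the next header.
SAMPLE_LOG = r"""------- Sigcheck -------
[7] 2008-04-14 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\user32.dll
[-] 2008-04-14 . 48FDBBE0E55B15E1886FCF5D8563B19F . 578560 . . [5.1.2600.5512] . . c:\windows\system32\user32.dll
[-] 2007-03-08 . 7AA4F6C00405DFC4B70ED4214E7D687B . 578048 . . [5.1.2600.3099] . . c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
[7] 2008-04-14 . 2CCC474EB85CEAA3E1FA1726580A3E5A . 82432 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ws2_32.dll
[-] 2008-04-14 . 5D567A625ECB5B4728130E4B31CA87EF . 82432 . . [5.1.2600.5512] . . c:\windows\system32\ws2_32.dll
[7] 2004-08-04 . 2ED0B7F12A60F90092081C50FA0EC2B2 . 82944 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ws2_32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
"""

# Row layout: "[flag] date . MD5 . size . . [version] . . path"
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]+)\] (?P<date>\d{4}-\d{2}-\d{2}) \. (?P<md5>[0-9A-Fa-f]{32})"
    r" \. (?P<size>\d+) \. \. \[(?P<version>[\d.]+)\] \. \. (?P<path>\S.*?)\s*$"
)


@dataclass(frozen=True)
class SigEntry:
    verified: bool  # True for "[7]", False for "[-]"
    md5: str
    version: str
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()


def parse_sigcheck(log_text: str) -> list:
    """Return the SigEntry rows between the Sigcheck header and the next section."""
    entries, in_section = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not in_section:
            in_section = line.startswith("-") and "Sigcheck" in line
            continue
        if line == "." or line.startswith("(((("):  # ComboFix section terminator
            break
        m = SIGCHECK_RE.match(line)
        if m:  # blank lines from the forum paste and anything unparseable are skipped
            entries.append(SigEntry(m["flag"] != "-", m["md5"].upper(),
                                    m["version"], m["path"]))
    return entries


def triage(entries) -> dict:
    """Group copies by file name and classify each against the ServicePackFiles reference."""
    by_name = defaultdict(list)
    for e in entries:
        by_name[e.name].append(e)
    report = {}
    for name, copies in by_name.items():
        ref = next((e for e in copies if e.verified
                    and "\\servicepackfiles\\i386\\" in e.path.lower()), None)
        rows = []
        for e in copies:
            if ref is None:
                status = "no-reference"  # nothing trusted to compare against
            elif e.verified:
                status = "verified"
            elif e.version != ref.version:
                status = "unverified-other-version"  # older hotfix/uninstall copy
            else:
                status = "patched" if e.md5 != ref.md5 else "unverified-same-hash"
            rows.append((e.path, status))
        report[name] = {"reference": ref.path if ref else None, "copies": rows}
    return report


def fcopy_lines(report: dict) -> list:
    """ComboFix 'Fcopy::' rows (reference|target) for every copy classified as patched."""
    return [f"{info['reference']}|{path}"
            for _, info in sorted(report.items())
            for path, status in info["copies"] if status == "patched"]


if __name__ == "__main__":
    rep = triage(parse_sigcheck(SAMPLE_LOG))
    for name, info in sorted(rep.items()):
        for path, status in info["copies"]:
            print(f"{status:<24} {path}")
    print("Fcopy::\n" + "\n".join(fcopy_lines(rep)))
```

The two Fcopy:: rows it prints for the sample are the same system32 user32.dll and ws2_32.dll restores the helper scripted above; the $hf_mig$ copy is reported separately as an unverified copy of another build, which is a weaker signal than a same-version hash mismatch.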

Here is the newest CF log... sorry it took so long!

ComboFix 10-05-23.07 - Paladin User 05/24/2010 7:17.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.981.518 [GMT -4:00]

Running from: c:\documents and settings\Paladin User\Desktop\ComboFix.exe

Command switches used :: E:\CFScript.txt

AV: Trend Micro Internet Security *On-access scanning enabled* (Outdated) {7D2296BC-32CC-4519-917E-52E652474AF5}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\feed.txt

.

--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\user32.dll --> c:\windows\system32\user32.dll

c:\windows\ServicePackFiles\i386\user32.dll --> c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll

c:\windows\ServicePackFiles\i386\user32.dll --> c:\windows\$NtServicePackUninstall$\user32.dll

c:\windows\ServicePackFiles\i386\user32.dll --> c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll

c:\windows\ServicePackFiles\i386\user32.dll --> c:\windows\$NtUninstallKB925902$\user32.dll

c:\windows\ServicePackFiles\i386\ws2_32.dll --> c:\windows\system32\ws2_32.dll

.

((((((((((((((((((((((((( Files Created from 2010-04-24 to 2010-05-24 )))))))))))))))))))))))))))))))

.

2010-06-22 16:28 . 2010-06-22 16:28 -------- d--h--w- c:\windows\system32\GroupPolicy

2010-05-24 11:23 . 2010-05-24 11:23 -------- d-----w- c:\windows\system32\Service

2010-05-23 15:50 . 2010-05-23 15:50 -------- d-----w- C:\_OTL

2010-05-07 12:08 . 2010-05-07 12:08 -------- d-----w- c:\documents and settings\Paladin User\Local Settings\Application Data\Roxio

2010-05-07 12:02 . 2010-05-07 12:02 -------- d-----w- c:\program files\Common Files\SureThing Shared

2010-05-07 12:02 . 2010-05-07 12:03 -------- d-----w- c:\program files\Common Files\Sonic Shared

2010-05-07 12:02 . 2010-05-07 12:03 -------- d-----w- c:\program files\Roxio

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-06-22 18:47 . 2010-01-09 15:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-05-12 15:21 . 2009-10-03 02:55 221568 ------w- c:\windows\system32\MpSigStub.exe

2010-05-12 07:01 . 2009-06-10 21:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-05-07 12:03 . 2010-05-07 12:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Uninstall

2010-05-07 12:02 . 2008-03-17 15:02 -------- d-----w- c:\program files\Common Files\Roxio Shared

2010-05-07 12:02 . 2009-02-05 17:41 -------- d-----w- c:\documents and settings\Paladin User\Application Data\InstallShield

2010-05-07 12:02 . 2008-03-14 23:29 -------- d-----w- c:\program files\Common Files\InstallShield

2010-05-06 13:53 . 2009-05-06 15:27 -------- d-----w- c:\program files\Auction Client

2010-04-29 19:39 . 2010-01-09 15:13 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 19:39 . 2010-01-09 15:13 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-24 18:17 . 2010-03-24 08:04 952768 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\30168\AdobeARM.exe

2010-03-24 18:17 . 2010-03-24 08:04 70584 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\30168\AdobeExtractFiles.dll

2010-03-24 18:17 . 2010-03-24 08:04 326056 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\30168\ReaderUpdater.exe

2010-03-24 18:17 . 2010-03-24 08:04 326056 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\30168\AcrobatUpdater.exe

2010-03-11 12:38 . 2006-03-04 03:33 832512 ----a-w- c:\windows\system32\wininet.dll

2010-03-11 12:38 . 2004-08-04 10:00 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-03-11 12:38 . 2004-08-04 10:00 17408 ----a-w- c:\windows\system32\corpol.dll

2010-03-09 11:09 . 2004-08-04 10:00 430080 ----a-w- c:\windows\system32\vbscript.dll

2010-02-24 13:11 . 2004-08-04 10:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-08-01 1036288]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-06 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-06 162328]

"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-06 137752]

"ESDUSBMon.exe"="c:\windows\system32\ESDUSBMon.exe" [2005-05-27 188416]

"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-03 178712]

"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]

"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-10-21 995528]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]

"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]

2009-05-05 21:44 16680 ----a-w- c:\program files\Citrix\GoToAssist\570\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\atchk]

2007-06-13 01:09 408344 ----a-w- c:\program files\Intel\AMT\atchk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LionClock Server]

2008-04-22 19:12 3412280 ----a-w- c:\program files\LionClock Server\LionClock Server.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\WINDOWS\\system32\\spoolsv.exe"=

R2 EPSON ESCPOS Status Service;EPSON ESC/POS Status Service;EpStsSrv.exe --> EpStsSrv.exe [?]

R2 Esdpdx01;Esdpdx01;c:\windows\system32\drivers\ESDPDX01.SYS [5/11/2006 1:51 PM 95485]

R2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\program files\Firebird\Firebird_1_5\bin\fbguard.exe -s --> c:\program files\Firebird\Firebird_1_5\bin\fbguard.exe -s [?]

R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [3/11/2009 5:09 PM 50192]

R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [3/11/2009 5:06 PM 36368]

R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\Intel\AMT\UNS.exe [3/14/2008 7:47 PM 2521880]

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 11:19 PM 13592]

R3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\program files\Firebird\Firebird_1_5\bin\fbserver.exe -s --> c:\program files\Firebird\Firebird_1_5\bin\fbserver.exe -s [?]

S2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [3/11/2009 5:09 PM 677128]

S3 PortEmulatorHSP7000;Port Emulator (HSP7000);c:\program files\StarMicronics\HSP7000\Software\VirtualPortEmulator\Software\VSPEU\portemu_umdf.exe [7/1/2008 11:44 PM 163840]

.

Contents of the 'Scheduled Tasks' folder

2010-05-24 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 03:20]

2009-03-11 c:\windows\Tasks\Nightly Backup.job

- c:\paladinpos\PaladinPOS.exe [2008-03-17 15:30]

2010-05-24 c:\windows\Tasks\Nightly Reboot.job

- c:\windows\system32\shutdown.exe [2004-08-04 00:12]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://support.paladinpos.com/

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

Trusted Zone: acehardware-acenet.com

Trusted Zone: acehardware-aceonline.com

Trusted Zone: acehardware-eaglevision.com

Trusted Zone: acehardware-vendors.com

Trusted Zone: aceservices.com

Trusted Zone: acehardware-acenet.com

Trusted Zone: acehardware-aceonline.com

Trusted Zone: acehardware-eaglevision.com

Trusted Zone: acehardware-vendors.com

Trusted Zone: aceservices.com

DPF: AceIESecuritySettings - hxxp://ww1.acehardware-acenet.com/Controls/AceIESecuritySettings.CAB

DPF: {24B8CB65-C0D2-11D0-A523-444553540000} - hxxp://ww1.acehardware-acenet.com/ACENET/Controls/AceExpl/AceExpl.cab

DPF: {41F841C0-AE16-11D5-8817-0050DA6EF5E5} - hxxp://ww1.acehardware-acenet.com/ACENET/controls/FarPoint60/fpspr60.cab

DPF: {8BF1A503-001F-11D0-A296-00A0246497B9} - hxxp://ww1.acehardware-acenet.com/ACENET/Controls/ACENET/ACECTL.CAB

DPF: {93D532DD-85FC-4A92-8254-8DB5437D8690} - hxxp://onbase.aceservices.com/AppNet/activex/OBXPopup.cab

DPF: {C903C000-9C6E-419D-A0AC-2E760BBA3764} - hxxp://ww1.acehardware-acenet.com/ACENET/Controls/MCSi/McsiMenu.cab

DPF: {F5876F16-5217-4B38-96F3-C2BB80215302} - hxxp://imagemax.aceservices.com/appnet/activex/OBXWebViewer.cab

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-05-24 07:24

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Cryptography\RNG*]

"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,

bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\

"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,

bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\

"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,

bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(724)

c:\program files\Citrix\GoToAssist\570\G2AWinLogon.dll

- - - - - - - > 'explorer.exe'(1184)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\System32\wudfhost.exe

c:\program files\Trend Micro\BM\TMBMSRV.exe

c:\program files\Intel\AMT\atchksrv.exe

c:\windows\system32\EpStsSrv.exe

c:\program files\Firebird\Firebird_1_5\bin\fbguard.exe

c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Intel\AMT\LMS.exe

c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

c:\program files\Firebird\Firebird_1_5\bin\fbserver.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\igfxsrvc.exe

.

**************************************************************************

.

Completion time: 2010-05-24 07:30:12 - machine was rebooted

ComboFix-quarantined-files.txt 2010-05-24 11:30

ComboFix2.txt 2010-05-23 16:35

Pre-Run: 145,448,366,080 bytes free

Post-Run: 145,413,873,664 bytes free

- - End Of File - - D72F61F3476EC4A24929A38220BD4258


Update and Run Malwarebytes

Please update and run Malwarebytes' Anti-Malware.

Double Click the Malwarebytes Anti-Malware icon to run the application.

  • Click on the update tab then click on Check for updates.
  • If an update is found, it will download and install the latest version.
  • Once the update has loaded, go to the Scanner tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

=====

* Go here to run an online scanner from ESET.

  • Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start.
  • When asked, allow the ActiveX control to install.
  • Click Start.
  • Check the following options: Remove found threats and Scan unwanted applications.
  • Click Scan.
  • Wait for the scan to finish.
  • Use Notepad to open the logfile located at C:\Program Files\ESET\ESET Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic.


  • 2 weeks later...

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

