Laptop riddled with malware


Hi. I inherited this laptop a few months ago. It worked well until last week. Any help greatly appreciated.

Usual malware situation: false Windows-like warnings on the taskbar, LAN settings changed to divert internet traffic through a proxy.

So this is what I've done:

* Started in safe mode, reset LAN settings.
* Tried to run Avira Free but it wouldn't. I then uninstalled it to try to install Trend Micro.
* Uninstalled Java.
* Tried to install Trend Micro Ultimate Security (have paid for 3 licences). It would get to the point where it should finish the installation, but gave an error message.
* Installed Malwarebytes Free (I have paid licences on my other computers) but it wouldn't update.
* Transferred the latest rules.ref from another computer and manually installed it. The full system scan gave the results below. I'm sure I told it to fix the issues, but it says 'no action taken'.
* Other requested scans below that.
* Tried to post this from the infected laptop in safe mode, but couldn't.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4629

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 7.0.5730.13

16/09/2010 19:29:04
mbam-log-2010-09-16 (19-29-04).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 207819
Time elapsed: 38 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 3
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 29

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\wnxmal (Rogue.SecuritySuite) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\OTGV1DNWQQ (Trojan.FakeAlert) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\YXE7DXCQ37 (Trojan.FakeAlert) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wmgjkgqn (Rogue.SecuritySuite) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{0c1e9254-519d-796b-1a03-0df955d4ecfd} (Trojan.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yxe7dxcq37 (Trojan.Downloader) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{f2b9e7c4-01ef-4f1e-b40a-e0378aa6d187}\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.235,93.188.161.235 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.235,93.188.161.235 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{392592a4-2c3a-4e88-a9e5-c34796bc3ad1}\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.235,93.188.161.235 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{f2b9e7c4-01ef-4f1e-b40a-e0378aa6d187}\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.162.235,93.188.161.235 -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Polly\Local Settings\Application Data\ydwveidvk\tvbkubxuqiw.exe (Rogue.SecuritySuite) -> No action taken.
C:\Documents and Settings\Polly\Local Settings\Temporary Internet Files\Content.IE5\1ZDY19H2\mqupjickr[4].htm (Rogue.SecuritySuite) -> No action taken.
C:\Documents and Settings\Polly\Local Settings\Temp\wtpvaae.exe (Rogue.SecuritySuite) -> No action taken.
C:\WINDOWS\Temp\EIQG9i1qG.sys (Rootkit.Agent) -> No action taken.
C:\Documents and Settings\Polly\Local Settings\Temp\1D.tmp (Rootkit.Dropper) -> No action taken.
C:\Documents and Settings\Polly\Local Settings\Temp\28.tmp (Rootkit.Dropper) -> No action taken.
C:\Documents and Settings\Polly\Local Settings\Temp\22.tmp (Rootkit.Dropper) -> No action taken.
C:\Documents and Settings\Polly\Local Settings\Temp\21.tmp (Rootkit.Dropper) -> No action taken.
C:\Documents and Settings\Polly\Local Settings\Temp\1E.tmp (Rootkit.Dropper) -> No action taken.
C:\Documents and Settings\Polly\Application Data\Arad\byam.exe (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Polly\Application Data\093D8D2F02F0D850AFA6A6AF7E1366EB\mediafix70700en02.exe (Trojan.Agent.Gen) -> No action taken.
C:\Documents and Settings\Polly\Local Settings\Temp\Hcy.exe (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\Polly\Local Settings\Temp\Hc0.exe (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\Polly\Local Settings\Temp\Hcz.exe (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\Polly\Local Settings\Temp\Hcu.exe (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\Polly\Local Settings\Temp\Hcv.exe (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\Polly\Local Settings\Temp\Hcx.exe (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\Polly\Local Settings\Temp\Hc2.exe (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\Polly\Local Settings\Temp\Hct.exe (Trojan.Downloader) -> No action taken.
C:\WINDOWS\Htugea.exe (Trojan.Downloader) -> No action taken.
C:\WINDOWS\Htugeb.exe (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\Polly\Local Settings\Temp\Hc1.exe (Trojan.Downloader) -> No action taken.
C:\WINDOWS\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job (Trojan.Downloader) -> No action taken.
C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\Polly\Local Settings\Temporary Internet Files\Content.IE5\1ZDY19H2\nezgb[2].htm (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\Polly\Application Data\Ovac\ifog.exe (Trojan.Dropper.XGen) -> No action taken.
C:\Documents and Settings\Polly\Local Settings\Temp\oswrcxamne.tmp (Trojan.Spambot) -> No action taken.
C:\Documents and Settings\Polly\Application Data\Sun\Java\Deployment\cache\6.0\33\4768d721-54f38376 (Trojan.Zbot) -> No action taken.
C:\Documents and Settings\Polly\Application Data\Sun\Java\Deployment\cache\6.0\33\4768d721-74df7c3d (Trojan.Zbot) -> No action taken.

DDS (Ver_10-03-17.01) - NTFSx86 NETWORK
Run by Polly at 22:34:27.78 on 16/09/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.215 [GMT 1:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Polly\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\polly\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\polly\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bttray.lnk - c:\program files\dell\bluetooth software\BTTray.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\dell\bluetooth software\btsendto_ie_ctx.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\dell\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1207411054058
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1207411162765
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - c:\windows\system32\BTXPPanel.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\polly\applic~1\mozilla\firefox\profiles\8iiclskv.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk
FF - component: c:\documents and settings\polly\application data\mozilla\firefox\profiles\8iiclskv.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

============= SERVICES / DRIVERS ===============

R1 Asapi;Asapi;c:\windows\system32\drivers\asapi.sys [2010-5-9 11264]
S3 L6PODLV;PODxt Live Service;c:\windows\system32\drivers\l6podlv.sys --> c:\windows\system32\drivers\L6PODLV.sys [?]

=============== Created Last 30 ================

2010-09-16 20:09:55 0 ----a-w- c:\documents and settings\polly\defogger_reenable
2010-09-16 20:04:16 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-16 20:04:15 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-16 20:04:15 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-16 17:52:43 72706 ----a-w- c:\docume~1\alluse~1\applic~1\3S14R3CC.exe
2010-09-16 17:51:56 112 ----a-w- c:\docume~1\alluse~1\applic~1\t6GF0d2.dat
2010-09-12 19:43:08 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-09-12 19:32:14 0 d-----w- c:\docume~1\alluse~1\applic~1\Trend Micro
2010-09-10 10:33:06 0 d-----w- c:\docume~1\polly\applic~1\093D8D2F02F0D850AFA6A6AF7E1366EB

==================== Find3M ====================

2010-09-16 17:50:53 35328 ----a-w- c:\windows\fonts\5O6RtO.com
2010-09-10 10:45:56 36763 ----a-w- c:\windows\system32\nvModes.dat
2008-04-05 15:49:34 604 ---ha-w- c:\program files\STLL Notifier
2008-12-22 03:01:38 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008122220081223\index.dat

============= FINISH: 22:35:21.79 ===============

attach.rar

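The MBAM log above lists 40 detections, every one left at "No action taken", including four Trojan.DNSChanger hits that point the Tcpip NameServer values at 93.188.162.235 and 93.188.161.235. The script below is an added example, not Malwarebytes' code: it parses lines in this log format into findings, counts them by category, lists the autostart entries (Run values and .job tasks) and the resolver addresses, and checks those resolvers against the DHCP-assigned server (192.168.1.254, taken from the OTL log later in the thread). The sample log is constructed from a subset of the entries above, plus one line carrying MBAM's own "Quarantined and deleted successfully" action string so the unresolved/resolved split is exercised.

```python
"""Triage helper for Malwarebytes' Anti-Malware 1.x scan logs.

Added example for this thread, not Malwarebytes' own code. Parses the
"<item> (<Category>) -> [Data: <data> ->] <action>" lines the log uses,
groups detections, pulls the Trojan.DNSChanger resolvers out and checks
them against the DHCP-assigned server.
"""
from __future__ import annotations

import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a subset of the MBAM log posted in this thread, plus
# one line carrying the action string MBAM writes after a quarantine.
SAMPLE_LOG = r"""Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\wnxmal (Rogue.SecuritySuite) -> No action taken.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wmgjkgqn (Rogue.SecuritySuite) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yxe7dxcq37 (Trojan.Downloader) -> No action taken.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.235,93.188.161.235 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{f2b9e7c4-01ef-4f1e-b40a-e0378aa6d187}\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.162.235,93.188.161.235 -> No action taken.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\Temp\EIQG9i1qG.sys (Rootkit.Agent) -> No action taken.
C:\WINDOWS\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\Polly\Local Settings\Temp\Hcy.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
"""

# One detection line: item, category in parentheses, optional "Data:" field
# and the action MBAM took. Section headers and "(No malicious items
# detected)" do not match this pattern and are handled separately.
LINE_RE = re.compile(
    r"^(?P<item>.+) \((?P<category>[A-Za-z0-9.]+)\)"
    r"(?: -> Data: (?P<data>.*?))?"
    r" -> (?P<action>.+?)\.?$"
)

# Autostart locations that appear in this log: Run/RunOnce values and
# scheduled-task .job files. Extend for other autostart points as needed.
PERSISTENCE_RE = re.compile(
    r"\\CurrentVersion\\Run(?:Once)?\\|\\Tasks\\[^\\]+\.job$", re.IGNORECASE
)


@dataclass(frozen=True)
class Finding:
    section: str
    item: str
    category: str
    data: str | None
    action: str


def parse_mbam_log(text: str) -> list[Finding]:
    """Return one Finding per detection line, tagged with its log section."""
    findings: list[Finding] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("Infected:"):
            section = line[:-1]
            continue
        m = LINE_RE.match(line)
        if m:
            findings.append(Finding(section, m["item"], m["category"], m["data"], m["action"]))
    return findings


def by_category(findings: list[Finding]) -> Counter:
    return Counter(f.category for f in findings)


def unresolved(findings: list[Finding]) -> list[Finding]:
    """Detections the scanner logged but did not remove (the case in this thread)."""
    return [f for f in findings if f.action == "No action taken"]


def persistence_entries(findings: list[Finding]) -> list[str]:
    """Items that relaunch the infection at logon or on a schedule."""
    return [f.item for f in findings if PERSISTENCE_RE.search(f.item)]


def rogue_dns_servers(findings: list[Finding]) -> set[str]:
    """Resolver addresses written into the Tcpip NameServer values."""
    servers: set[str] = set()
    for f in findings:
        if f.category == "Trojan.DNSChanger" and f.data:
            servers.update(s.strip() for s in f.data.split(","))
    return servers


def statically_set_public_dns(servers: set[str], dhcp_server: str) -> set[str]:
    """Resolvers that are public addresses DHCP did not hand out.

    On a home LAN the expected resolver is the router. A public address that
    DHCP did not supply is a static override; after a DNSChanger hit it is the
    first thing to remove, because every lookup (the AV vendor's update host
    included) is answered by whoever runs those servers.
    """
    return {s for s in servers
            if not ipaddress.ip_address(s).is_private and s != dhcp_server}


if __name__ == "__main__":
    fs = parse_mbam_log(SAMPLE_LOG)
    print("by category:", dict(by_category(fs)))
    print("unresolved:", len(unresolved(fs)), "of", len(fs))
    print("persistence:", persistence_entries(fs))
    print("static public resolvers:",
          statically_set_public_dns(rogue_dns_servers(fs), "192.168.1.254"))
```

The DHCP server address is an input, not something the script discovers; on a live machine you would read it from the DhcpNameServer value (or `ipconfig /all`) before calling `statically_set_public_dns`.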

Hello,

My name is Elise and I'll be glad to help you with your computer problems.

I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.

  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications.

-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.

Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:

  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Quick Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Please download Rootkit Unhooker and save it to your Desktop

  • Double-click on RKUnhookerLE to run it
  • Click the Report tab, then click Scan
  • Check Drivers, Stealth and uncheck the rest
  • Click OK
  • Wait until it's finished and then go to File > Save Report
  • Save the report to your Desktop

Copy the entire contents of the report and paste it in a reply here.

Note - you may get this warning; it is OK, just ignore it: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?"

-------------------------------------------------------------

In the meantime, please do NOT install any new programs or update anything unless told to do so while we are fixing your problem.

If you still need help, please include the following in your next reply

  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)
  • RKU log

Thanks and again sorry for the delay.


That empty post was made from the infected laptop. I then ran the scans but couldn't post the results from the same machine and have had to do it from another computer. Logs as follows:

OTL logfile created on: 19/09/2010 08:17:54 - Run 1

OTL by OldTimer - Version 3.2.12.1 Folder = C:\Documents and Settings\Polly\Desktop

Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 7.0.5730.13)

Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

511.00 Mb Total Physical Memory | 341.00 Mb Available Physical Memory | 67.00% Memory free

1.00 Gb Paging File | 1.00 Gb Available in Paging File | 91.00% Paging File free

Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 29.29 Gb Total Space | 2.42 Gb Free Space | 8.26% Space Free | Partition Type: NTFS

Drive D: | 26.60 Gb Total Space | 17.75 Gb Free Space | 66.73% Space Free | Partition Type: NTFS

E: Drive not present or media not loaded

Drive F: | 1.87 Gb Total Space | 1.85 Gb Free Space | 99.16% Space Free | Partition Type: FAT

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: MARLY

Current User Name: Polly

Logged in as Administrator.

Current Boot Mode: SafeMode with Networking

Scan Mode: All users

Company Name Whitelist: On

Skip Microsoft Files: On

File Age = 90 Days

Output = Standard

Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/09/19 08:14:54 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Polly\Desktop\OTL.exe

PRC - [2008/04/14 06:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe

========== Modules (SafeList) ==========

MOD - [2010/09/19 08:14:54 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Polly\Desktop\OTL.exe

MOD - [2008/04/14 06:40:22 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx

========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- C:\WINDOWS\System32\appmgmts.dll -- (AppMgmt)

SRV - [2010/06/10 21:03:08 | 000,144,176 | ---- | M] (Apple Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)

SRV - [2007/10/25 15:27:54 | 000,266,240 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe -- (WLSetupSvc)

SRV - [2004/04/26 17:02:14 | 000,163,840 | ---- | M] (WIDCOMM, Inc.) [Auto | Stopped] -- C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe -- (btwdins)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\UIUSys.sys -- (UIUSys)

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\L6PODLV.sys -- (L6PODLV)

DRV - [2005/11/02 13:24:34 | 000,424,320 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)

DRV - [2005/09/28 20:57:18 | 000,113,847 | R--- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Apfiltr.sys -- (ApfiltrService)

DRV - [2005/07/06 19:52:00 | 003,208,960 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)

DRV - [2005/05/03 15:09:28 | 001,033,728 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_DPV.SYS -- (HSF_DPV)

DRV - [2005/05/03 15:08:50 | 000,208,384 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSFHWICH.sys -- (HSFHWICH)

DRV - [2005/05/03 15:08:44 | 000,705,408 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)

DRV - [2004/11/15 15:37:52 | 000,264,440 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\stac97.sys -- (STAC97) Audio Driver (WDM)

DRV - [2004/04/26 16:31:56 | 001,239,338 | ---- | M] (WIDCOMM, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\btkrnl.sys -- (BTKRNL)

DRV - [2004/04/26 16:15:16 | 000,053,336 | ---- | M] (WIDCOMM, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btwusb.sys -- (BTWUSB)

DRV - [2003/09/26 10:41:10 | 000,044,032 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys -- (bcm4sbxp)

DRV - [2002/04/17 20:27:02 | 000,011,264 | ---- | M] (VOB Computersysteme GmbH) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\asapi.sys -- (Asapi)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-343818398-152049171-854245398-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie

IE - HKU\S-1-5-21-343818398-152049171-854245398-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com

IE - HKU\S-1-5-21-343818398-152049171-854245398-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/

IE - HKU\S-1-5-21-343818398-152049171-854245398-1004\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie

IE - HKU\S-1-5-21-343818398-152049171-854245398-1004\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie

IE - HKU\S-1-5-21-343818398-152049171-854245398-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.co.uk"

FF - prefs.js..extensions.enabledItems: {097d3191-e6fa-4728-9826-b533d755359d}:0.7.11

FF - prefs.js..extensions.enabledItems: en-GB@dictionaries.addons.mozilla.org:1.19

FF - prefs.js..extensions.enabledItems: {a7c6cf7f-112c-4500-a7ea-39801a327e5f}:1.0.7

FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.11\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/07/28 16:18:27 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.11\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/07/27 10:11:20 | 000,000,000 | ---D | M]

[2008/08/30 14:00:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Polly\Application Data\Mozilla\Extensions

[2010/09/10 11:22:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Polly\Application Data\Mozilla\Firefox\Profiles\8iiclskv.default\extensions

[2010/01/25 18:18:19 | 000,000,000 | ---D | M] (All-in-One Sidebar) -- C:\Documents and Settings\Polly\Application Data\Mozilla\Firefox\Profiles\8iiclskv.default\extensions\{097d3191-e6fa-4728-9826-b533d755359d}

[2009/09/09 15:37:59 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Polly\Application Data\Mozilla\Firefox\Profiles\8iiclskv.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}

[2010/01/25 18:18:25 | 000,000,000 | ---D | M] (FireFTP) -- C:\Documents and Settings\Polly\Application Data\Mozilla\Firefox\Profiles\8iiclskv.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}

[2008/04/19 20:36:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Polly\Application Data\Mozilla\Firefox\Profiles\8iiclskv.default\extensions\en-GB@dictionaries.addons.mozilla.org

[2010/09/10 11:22:08 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

[2009/09/03 19:37:30 | 010,437,264 | ---- | M] (PDFTron Systems Inc.) -- C:\Program Files\Mozilla Firefox\plugins\PDFNetC.dll

[2009/09/03 19:58:36 | 000,107,760 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\ScorchPDFWrapper.dll

[2010/01/22 15:55:17 | 000,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml

[2010/01/22 15:55:18 | 000,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml

[2010/01/22 15:55:18 | 000,000,769 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml

[2010/01/22 15:55:18 | 000,000,831 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2009/12/24 20:41:22 | 000,000,963 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O1 - Hosts: 127.0.0.1 adobeereg.com

O1 - Hosts: 127.0.0.1 www.adobeereg.com

O1 - Hosts: 127.0.0.1 activate.adobe.com

O1 - Hosts: 127.0.0.1 activate-sea.adobe.com

O1 - Hosts: 127.0.0.1 activate-sjc0.adobe.com

O1 - Hosts: 127.0.0.1 wwis-dubc1-vip60.adobe.com

O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)

O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)

O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe ()

O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe ()

O4 - HKLM..\Run: [bluetoothAuthenticationAgent] C:\WINDOWS\System32\bthprops.cpl (Microsoft Corporation)

O4 - HKLM..\Run: [GrooveMonitor] C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe ()

O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)

O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe ()

O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)

O4 - HKU\S-1-5-21-343818398-152049171-854245398-1004..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe (Nero AG)

O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BTTray.lnk = C:\Program Files\Dell\Bluetooth Software\BTTray.exe (WIDCOMM, Inc.)

O4 - Startup: C:\Documents and Settings\Polly\Start Menu\Programs\Startup\Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)

O4 - Startup: C:\Documents and Settings\Polly\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-21-343818398-152049171-854245398-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)

O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Dell\Bluetooth Software\btsendto_ie_ctx.htm ()

O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)

O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)

O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Dell\Bluetooth Software\btsendto_ie.htm ()

O9 - Extra 'Tools' menuitem : @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Dell\Bluetooth Software\btsendto_ie.htm ()

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/windowsupd...b?1207411054058 (WUWebControl Class)

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftu...b?1207411162765 (MUWebControl Class)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)

O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Reg Error: Key error.)

O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)

O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254

O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)

O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)

O18 - Protocol\Handler\widimg {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\BTXPPanel.dll (WIDCOMM, Inc.)

O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O24 - Desktop WallPaper: C:\Documents and Settings\Polly\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O24 - Desktop BackupWallPaper: C:\Documents and Settings\Polly\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2008/04/05 15:11:48 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 90 Days ==========

[2010/09/19 08:14:50 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Polly\Desktop\OTL.exe

[2010/09/16 21:04:16 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys

[2010/09/16 21:04:15 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

[2010/09/16 21:04:15 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware

[2010/09/16 19:29:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Polly\Desktop\New Folder

[2010/09/16 18:55:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia

[2010/09/16 18:55:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe

[2010/09/12 20:33:49 | 057,554,555 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\All Users\Desktop\TTi_HE_Download_32bit.exe

[2010/09/12 20:32:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Trend Micro

[2010/09/12 20:31:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Desktop\TTi_HE_Download_32bit

[2010/09/10 11:34:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Polly\Local Settings\Application Data\ydwveidvk

[2010/09/10 11:33:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Polly\Application Data\093D8D2F02F0D850AFA6A6AF7E1366EB

[2010/09/10 11:32:47 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Documents\Server

[2010/08/23 10:32:14 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Polly\Recent

[2010/07/27 11:03:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Google

[2010/07/26 19:03:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google

[2010/07/26 18:58:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Temp

[2010/07/26 18:56:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Alwil Software

[2010/07/05 23:16:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Polly\Application Data\Malwarebytes

[2010/07/05 23:15:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes

[2010/06/28 18:04:11 | 000,000,000 | ---D | C] -- C:\Program Files\iPod

[2010/06/28 18:03:34 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes

[2010/06/28 18:03:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

[2010/06/28 18:00:12 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime

[2010/06/28 17:52:20 | 000,000,000 | ---D | C] -- C:\Program Files\Safari

[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 90 Days ==========

[2010/09/19 08:15:10 | 000,133,632 | ---- | M] () -- C:\Documents and Settings\Polly\Desktop\RKUnhookerLE.EXE

[2010/09/19 08:14:54 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Polly\Desktop\OTL.exe

[2010/09/19 08:11:46 | 000,002,422 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2010/09/19 08:11:06 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2010/09/16 23:20:34 | 008,912,896 | -H-- | M] () -- C:\Documents and Settings\Polly\NTUSER.DAT

[2010/09/16 23:20:34 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Polly\ntuser.ini

[2010/09/16 23:20:31 | 004,768,656 | -H-- | M] () -- C:\Documents and Settings\Polly\Local Settings\Application Data\IconCache.db

[2010/09/16 22:34:22 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\Polly\Desktop\dds.scr

[2010/09/16 21:10:23 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\Polly\Desktop\eod7bgcq.exe

[2010/09/16 21:09:55 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Polly\defogger_reenable

[2010/09/16 21:09:38 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Polly\Desktop\Defogger.exe

[2010/09/16 21:04:19 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk

[2010/09/16 18:52:45 | 000,000,112 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\t6GF0d2.dat

[2010/09/16 18:52:42 | 000,072,706 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\3S14R3CC.exe

[2010/09/12 22:09:16 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT

[2010/09/12 21:59:41 | 000,036,763 | ---- | M] () -- C:\WINDOWS\System32\nvModes.001

[2010/09/12 21:59:16 | 000,030,098 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml

[2010/09/12 20:43:26 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat

[2010/09/12 20:35:36 | 057,554,555 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\All Users\Desktop\TTi_HE_Download_32bit.exe

[2010/09/12 20:27:31 | 000,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT

[2010/09/10 11:45:56 | 000,036,763 | ---- | M] () -- C:\WINDOWS\System32\nvModes.dat

[2010/08/05 13:57:05 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job

[2010/07/27 13:53:59 | 000,017,920 | ---- | M] () -- C:\Documents and Settings\Polly\Desktop\Copy of Cocktails.xls

[2010/07/19 19:50:08 | 000,037,888 | ---- | M] () -- C:\Documents and Settings\Polly\Desktop\challenging behaviour.doc

[2010/06/28 18:05:21 | 000,001,804 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk

[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/09/19 08:15:09 | 000,133,632 | ---- | C] () -- C:\Documents and Settings\Polly\Desktop\RKUnhookerLE.EXE

[2010/09/16 22:34:19 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\Polly\Desktop\dds.scr

[2010/09/16 21:10:22 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Polly\Desktop\eod7bgcq.exe

[2010/09/16 21:09:55 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Polly\defogger_reenable

[2010/09/16 21:09:50 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Polly\Desktop\Defogger.exe

[2010/09/16 21:04:19 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk

[2010/09/16 18:52:43 | 000,072,706 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\3S14R3CC.exe

[2010/09/16 18:51:56 | 000,000,112 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\t6GF0d2.dat

[2010/09/16 18:51:06 | 000,035,328 | ---- | C] () -- C:\WINDOWS\Fonts\5O6RtO.com

[2010/09/12 20:43:08 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat

[2010/07/27 13:53:58 | 000,017,920 | ---- | C] () -- C:\Documents and Settings\Polly\Desktop\Copy of Cocktails.xls

[2010/07/19 19:09:17 | 000,037,888 | ---- | C] () -- C:\Documents and Settings\Polly\Desktop\challenging behaviour.doc

[2010/06/28 18:05:21 | 000,001,804 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk

[2008/05/11 12:04:56 | 000,000,038 | ---- | C] () -- C:\WINDOWS\avisplitter.INI

[2008/04/20 00:20:43 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini

[2008/04/11 23:20:46 | 000,111,104 | ---- | C] () -- C:\Documents and Settings\Polly\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2008/04/05 16:49:34 | 000,000,604 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\T2

[2008/04/05 16:49:34 | 000,000,604 | -H-- | C] () -- C:\Program Files\STLL Notifier

[2008/04/05 16:47:03 | 000,164,352 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll

[2008/04/05 16:46:59 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll

[2008/04/05 16:46:58 | 000,007,680 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll

[2008/04/05 16:46:58 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest

[2008/04/05 15:49:35 | 000,757,760 | ---- | C] () -- C:\WINDOWS\System32\bcm1xsup.dll

[2008/04/05 15:49:34 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\preflib.dll

[2004/04/26 16:53:42 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\btprn2k.dll

[2002/05/15 23:29:04 | 000,000,607 | ---- | C] () -- C:\WINDOWS\System32\BTNeighborhood.dll.manifest

[2001/11/23 18:18:00 | 000,000,597 | ---- | C] () -- C:\WINDOWS\System32\btcss.dll.manifest

[2001/11/14 13:56:00 | 001,802,240 | ---- | C] () -- C:\WINDOWS\System32\lcppn21.dll

========== LOP Check ==========

[2010/09/12 20:27:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alwil Software

[2009/12/04 19:50:59 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonBJ

[2008/08/22 23:29:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Channel4

[2010/07/19 18:13:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Kontiki

[2010/05/09 14:04:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Pinnacle

[2010/06/28 18:05:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

[2010/09/16 19:29:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Polly\Application Data\093D8D2F02F0D850AFA6A6AF7E1366EB

[2010/09/12 20:42:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Polly\Application Data\Amgyyx

[2010/09/16 19:29:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Polly\Application Data\Arad

[2008/09/15 20:59:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Polly\Application Data\LimeWire

[2008/12/02 19:29:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Polly\Application Data\Line 6

[2010/09/10 11:16:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Polly\Application Data\Luhizu

[2010/09/16 19:29:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Polly\Application Data\Ovac

[2010/06/27 18:47:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Polly\Application Data\Spotify

========== Purity Check ==========

< End of report >

OTL Extras logfile created on: 19/09/2010 08:17:54 - Run 1

OTL by OldTimer - Version 3.2.12.1 Folder = C:\Documents and Settings\Polly\Desktop

Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 7.0.5730.13)

Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

511.00 Mb Total Physical Memory | 341.00 Mb Available Physical Memory | 67.00% Memory free

1.00 Gb Paging File | 1.00 Gb Available in Paging File | 91.00% Paging File free

Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 29.29 Gb Total Space | 2.42 Gb Free Space | 8.26% Space Free | Partition Type: NTFS

Drive D: | 26.60 Gb Total Space | 17.75 Gb Free Space | 66.73% Space Free | Partition Type: NTFS

E: Drive not present or media not loaded

Drive F: | 1.87 Gb Total Space | 1.85 Gb Free Space | 99.16% Space Free | Partition Type: FAT

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: MARLY

Current User Name: Polly

Logged in as Administrator.

Current Boot Mode: SafeMode with Networking

Scan Mode: All users

Company Name Whitelist: On

Skip Microsoft Files: On

File Age = 90 Days

Output = Standard

Quick Scan

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.html [@ = ChromeHTML] -- Reg Error: Key error. File not found

[HKEY_USERS\S-1-5-21-343818398-152049171-854245398-1004\SOFTWARE\Classes\<extension>]

.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

exefile [open] -- "%1" %*

htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)

http [open] -- "C:\Program Files\Google\Chrome\Application\chrome.exe" -- "%1" File not found

https [open] -- "C:\Program Files\Google\Chrome\Application\chrome.exe" -- "%1" File not found

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~2\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)

Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"FirstRunDisabled" = 1

"AntiVirusDisableNotify" = 0

"FirewallDisableNotify" = 0

"UpdatesDisableNotify" = 0

"AntiVirusOverride" = 0

"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]

"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007

"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004

"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005

"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001

"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall" = 0

"DoNotAllowExceptions" = 0

"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007

"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004

"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005

"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001

"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

"C:\Program Files\Windows Live\Messenger\msnmsgr.exe" = C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger -- File not found

"C:\Program Files\Windows Live\Messenger\livecall.exe" = C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone) -- File not found

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"C:\Program Files\Grisoft\AVG7\avginet.exe" = C:\Program Files\Grisoft\AVG7\avginet.exe:*:Enabled:avginet.exe -- File not found

"C:\Program Files\Grisoft\AVG7\avgamsvr.exe" = C:\Program Files\Grisoft\AVG7\avgamsvr.exe:*:Enabled:avgamsvr.exe -- File not found

"C:\Program Files\Grisoft\AVG7\avgcc.exe" = C:\Program Files\Grisoft\AVG7\avgcc.exe:*:Enabled:avgcc.exe -- File not found

"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)

"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE" = C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove -- (Microsoft Corporation)

"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE" = C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote -- (Microsoft Corporation)

"C:\Program Files\Windows Live\Messenger\msnmsgr.exe" = C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger -- File not found

"C:\Program Files\Windows Live\Messenger\livecall.exe" = C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone) -- File not found

"C:\Program Files\QNAP\Finder\Finder.exe" = C:\Program Files\QNAP\Finder\Finder.exe:*:Enabled:Finder -- ()

"C:\Program Files\Kontiki\KService.exe" = C:\Program Files\Kontiki\KService.exe:*:Enabled:Delivery Manager Service -- File not found

"C:\Program Files\LimeWire\LimeWire.exe" = C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire -- File not found

"C:\Program Files\Spotify\spotify.exe" = C:\Program Files\Spotify\spotify.exe:*:Enabled:Spotify -- (Spotify Ltd)

"C:\Program Files\Steinberg\WaveLab 6\WaveLab.exe" = C:\Program Files\Steinberg\WaveLab 6\WaveLab.exe:*:Disabled:WaveLab 6 -- (Steinberg Media Technologies)

"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)

"C:\WINDOWS\explorer.exe" = C:\WINDOWS\explorer.exe:*:Disabled:Windows Explorer -- (Microsoft Corporation)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

"{235BBFC6-D863-4066-A01A-3BD504C31033}" = Nero 7 Ultra Edition

"{236BB7C4-4419-42FD-0409-1E257A25E34D}" = Adobe Photoshop CS2

"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java 6 Update 13

"{3248F0A8-6813-11D6-A77B-00B0D0150040}" = J2SE Runtime Environment 5.0 Update 4

"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java 6 Update 7

"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP

"{3D9892BB-A751-4E48-ADC8-E4289956CE1D}" = QuickTime

"{52504CE6-E909-4113-B232-4AFEC6543A61}" = Broadcom 440x 10/100 Integrated Controller

"{58BAA8D0-404E-4585-9FD3-ED1BB72AC2EE}" = Adobe Flash Player 9 ActiveX

"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update

"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin

"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable

"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

"{786C5747-1033-0000-B58E-000000000001}" = Adobe Stock Photos 1.0

"{7AB3A249-FB81-416B-917A-A2A10E74C503}" = iTunes

"{7DE1AE26-8599-4378-9F17-328B5A3984A4}" = Sibelius Scorch (Firefox, Opera, Netscape only)

"{7F815C5F-D2A4-4173-B7C0-55A9D6F87E38}" = MobileMe Control Panel

"{85991ED2-010C-4930-96FA-52F43C2CE98A}" = Apple Mobile Device Support

"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight

"{8EDBA74D-0686-4C99-BFDD-F894678E5B39}" = Adobe Common File Installer

"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12

"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007

"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007

"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007

"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007

"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007

"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007

"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007

"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007

"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007

"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISE_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007

"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007

"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)

"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007

"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007

"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007

"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007

"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007

"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007

"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007

"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90535871-81B9-4D99-8A13-A7EE97F2D7FE}" = Dell Bluetooth Software

"{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = ALPS Touch Pad Driver

"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2

"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = C-Major Audio

"{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}" = Windows Live installer

"{AC76BA86-7AD7-1033-7B44-A81200000003}" = Adobe Reader 8.1.2

"{AFAC914D-9E83-4A89-8ABE-427521C82CCF}" = Safari

"{B2D328BE-45AD-4D92-96F9-2151490A203E}" = Apple Application Support

"{B74D4E10-1033-0000-0000-000000000001}" = Adobe Bridge 1.0

"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2

"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1

"{E9787678-1033-0000-8E67-000000000001}" = Adobe Help Center 1.0

"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin

"Adobe Photoshop CS2 - {236BB7C4-4419-42FD-0409-1E257A25E34D}" = Adobe Photoshop CS2

"Adobe Photoshop CS4_is1" = Adobe Photoshop CS4

"Adobe Shockwave Player" = Adobe Shockwave Player

"ASAPI Update" = ASAPI Update

"Broadcom 802.11b Network Adapter" = Dell Wireless WLAN Card

"CCleaner" = CCleaner

"CNXT_MODEM_PCI_VEN_8086&DEV_24x6&SUBSYS_542214F1" = Conexant D480 MDC V.92 Modem

"ENTERPRISE" = Microsoft Office Enterprise 2007

"FairUse Wizard 2" = FairUse Wizard 2

"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs

"ie7" = Windows Internet Explorer 7

"InstallShield_{52504CE6-E909-4113-B232-4AFEC6543A61}" = Broadcom 440x 10/100 Integrated Controller

"KLiteCodecPack_is1" = K-Lite Codec Pack 3.8.0 Full

"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware

"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1

"Mozilla Firefox (3.5.11)" = Mozilla Firefox (3.5.11)

"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP

"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs

"NVIDIA Drivers" = NVIDIA Drivers

"QNAP_FINDER" = QNAP Finder

"Sibelius 4" = Sibelius 4

"Spotify" = Spotify

"VLC media player" = VideoLAN VLC media player 0.8.6f

"WaveLabPro" = WaveLab 6

"Windows Media Format Runtime" = Windows Media Format 11 runtime

"Windows Media Player" = Windows Media Player 11

"Windows XP Service Pack" = Windows XP Service Pack 3

"WinRAR archiver" = WinRAR archiver

"WMFDist11" = Windows Media Format 11 runtime

"wmp11" = Windows Media Player 11

"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== Last 10 Event Log Errors ==========

[ Application Events ]

Error - 04/12/2009 14:40:05 | Computer Name = MARLY | Source = Application Hang | ID = 1002

Description = Hanging application ONENOTE.EXE, version 12.0.6415.1000, hang module

hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 05/12/2009 07:04:29 | Computer Name = MARLY | Source = Application Error | ID = 1000

Description = Faulting application vlc.exe, version 0.8.6.0, faulting module libffmpeg_plugin.dll,

version 0.0.0.0, fault address 0x002f2706.

Error - 05/12/2009 07:04:36 | Computer Name = MARLY | Source = Application Error | ID = 1001

Description = Fault bucket 709997748.

Error - 05/12/2009 07:07:43 | Computer Name = MARLY | Source = Application Error | ID = 1000

Description = Faulting application vlc.exe, version 0.8.6.0, faulting module libffmpeg_plugin.dll,

version 0.0.0.0, fault address 0x002f2706.

Error - 19/12/2009 20:11:33 | Computer Name = MARLY | Source = Application Hang | ID = 1002

Description = Hanging application vlc.exe, version 0.8.6.0, hang module hungapp,

version 0.0.0.0, hang address 0x00000000.

Error - 20/12/2009 18:51:56 | Computer Name = MARLY | Source = Application Error | ID = 1000

Description = Faulting application explorer.exe, version 6.0.2900.5512, faulting

module avisplitter.ax, version 1.0.0.9, fault address 0x00023048.

Error - 24/12/2009 16:32:29 | Computer Name = MARLY | Source = Application Hang | ID = 1002

Description = Hanging application firefox.exe, version 1.9.0.3623, hang module hungapp,

version 0.0.0.0, hang address 0x00000000.

Error - 24/12/2009 16:32:29 | Computer Name = MARLY | Source = Application Hang | ID = 1002

Description = Hanging application firefox.exe, version 1.9.0.3623, hang module hungapp,

version 0.0.0.0, hang address 0x00000000.

Error - 08/01/2010 15:46:28 | Computer Name = MARLY | Source = Application Hang | ID = 1002

Description = Hanging application Sibelius.exe, version 4.0.0.23, hang module hungapp,

version 0.0.0.0, hang address 0x00000000.

Error - 08/01/2010 15:47:54 | Computer Name = MARLY | Source = Application Hang | ID = 1002

Description = Hanging application WINWORD.EXE, version 12.0.6504.5000, hang module

hungapp, version 0.0.0.0, hang address 0x00000000.

[ OSession Events ]

Error - 25/09/2009 06:01:04 | Computer Name = MARLY | Source = Microsoft Office 12 Sessions | ID = 7001

Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:

12.0.6504.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 18

seconds with 0 seconds of active time. This session ended with a crash.

[ System Events ]

Error - 16/09/2010 15:54:58 | Computer Name = MARLY | Source = Service Control Manager | ID = 7026

Description = The following boot-start or system-start driver(s) failed to load:

Fips intelppm

Error - 16/09/2010 15:58:52 | Computer Name = MARLY | Source = DCOM | ID = 10005

Description = DCOM got error "%1084" attempting to start the service MSIServer with

arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}

Error - 16/09/2010 15:59:11 | Computer Name = MARLY | Source = DCOM | ID = 10005

Description = DCOM got error "%1084" attempting to start the service wuauserv with

arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

Error - 16/09/2010 17:56:17 | Computer Name = MARLY | Source = DCOM | ID = 10005

Description = DCOM got error "%1084" attempting to start the service StiSvc with

arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 16/09/2010 18:11:29 | Computer Name = MARLY | Source = DCOM | ID = 10005

Description = DCOM got error "%1084" attempting to start the service StiSvc with

arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 16/09/2010 18:20:32 | Computer Name = MARLY | Source = DCOM | ID = 10005

Description = DCOM got error "%1084" attempting to start the service EventSystem

with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 19/09/2010 03:11:27 | Computer Name = MARLY | Source = Ftdisk | ID = 262189

Description = The system could not sucessfully load the crash dump driver.

Error - 19/09/2010 03:11:27 | Computer Name = MARLY | Source = Ftdisk | ID = 262193

Description = Configuring the Page file for crash dump failed. Make sure there is

a page file on the boot partition and that is large enough to contain all physical

memory.

Error - 19/09/2010 03:12:11 | Computer Name = MARLY | Source = DCOM | ID = 10005

Description = DCOM got error "%1084" attempting to start the service EventSystem

with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 19/09/2010 03:12:47 | Computer Name = MARLY | Source = Service Control Manager | ID = 7026

Description = The following boot-start or system-start driver(s) failed to load:

Fips intelppm

< End of report >

"Error Loading Opening Driver" - when opening RKunhookerLE


Hi, looks like there might be a rootkit involved.

COMBOFIX

---------------

Please download ComboFix from one of these locations:

Bleepingcomputer
ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

(image: Query_RC.gif)

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

(image: RC_successful.gif)

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


ComboFix 10-09-17.04 - Polly 19/09/2010 10:08:35.1.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.329 [GMT 1:00]

Running from: c:\documents and settings\Polly\Desktop\ComboFix.exe

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\3S14R3CC.exe

c:\documents and settings\All Users\Documents\Server\admin.txt

c:\documents and settings\All Users\Documents\Server\server.dat

c:\documents and settings\Polly\Application Data\Amgyyx

c:\documents and settings\Polly\Application Data\Amgyyx\wiyz.tmp

c:\documents and settings\Polly\Application Data\Amgyyx\wiyz.zis

c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe

c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe

c:\program files\iTunes\iTunesHelper.exe

c:\program files\Java\jre6\bin\jusched.exe

c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

c:\program files\QuickTime\QTTask.exe

c:\windows\Fonts\5O6RtO.com

c:\windows\system32\spool\prtprocs\w32x86\9oCE93kU9.dll

c:\windows\system32\spool\prtprocs\w32x86\KUOC1s.dll

c:\windows\system32\spool\prtprocs\w32x86\MYWS3eI9.dll

c:\windows\system32\spool\prtprocs\w32x86\SKUO5.dll

c:\windows\Tasks\At1.job

c:\windows\Tasks\At12.job

c:\program files\Adobe\Reader 8.0\Reader\Reader_sl .exe ---^> c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe
c:\program files\Common Files\Ahead\Lib\NeroCheck .exe ---^> c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier .exe ---^> c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
c:\program files\iTunes\iTunesHelper .exe ---^> c:\program files\iTunes\iTunesHelper.exe
c:\program files\Java\jre6\bin\jusched .exe ---^> c:\program files\Java\jre6\bin\jusched.exe
c:\program files\Microsoft Office\Office12\GrooveMonitor .exe ---^> c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
c:\program files\QuickTime\QTTask .exe ---^> c:\program files\QuickTime\QTTask.exe

.

Infected copy of c:\windows\system32\drivers\intelide.sys was found and disinfected

Restored copy from - Kitty had a snack :)

Infected copy of c:\windows\system32\winlogon.exe was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe

Infected copy of c:\windows\explorer.exe was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\explorer.exe

.

((((((((((((((((((((((((( Files Created from 2010-08-19 to 2010-09-19 )))))))))))))))))))))))))))))))

.

2010-09-16 20:04 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-09-16 20:04 . 2010-09-16 20:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-09-16 20:04 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-09-12 19:43 . 2010-09-12 19:43 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-09-12 19:32 . 2010-09-12 19:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Trend Micro

2010-09-10 10:34 . 2010-09-16 18:29 -------- d-----w- c:\documents and settings\Polly\Local Settings\Application Data\ydwveidvk

2010-09-10 10:33 . 2010-09-16 18:29 -------- d-----w- c:\documents and settings\Polly\Application Data\093D8D2F02F0D850AFA6A6AF7E1366EB

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-09-19 09:18 . 2010-06-28 17:03 -------- d-----w- c:\program files\iTunes

2010-09-19 09:18 . 2010-06-28 17:00 -------- d-----w- c:\program files\QuickTime

2010-09-19 08:52 . 2010-09-16 17:51 112 ----a-w- c:\documents and settings\All Users\Application Data\t6GF0d2.dat

2010-09-16 19:59 . 2008-04-05 15:52 -------- d-----w- c:\program files\uTorrent

2010-09-16 18:29 . 2009-10-18 04:13 -------- d-----w- c:\documents and settings\Polly\Application Data\Arad

2010-09-16 18:29 . 2008-12-05 14:39 -------- d-----w- c:\documents and settings\Polly\Application Data\Ovac

2010-09-12 19:27 . 2010-07-26 17:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software

2010-09-10 10:45 . 2008-04-05 14:51 36763 ----a-w- c:\windows\system32\nvModes.dat

2010-09-10 10:16 . 2008-07-21 02:05 -------- d-----w- c:\documents and settings\Polly\Application Data\Luhizu

2010-07-27 10:03 . 2008-08-17 09:09 -------- d-----w- c:\program files\Google

2010-07-27 09:00 . 2009-06-22 19:21 -------- d-----w- c:\program files\Alwil Software

2010-06-28 16:53 . 2010-06-28 16:53 72504 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe

2010-06-28 16:51 . 2010-06-28 16:51 71992 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.33.16.0\SetupAdmin.exe

2010-06-27 17:47 . 2010-06-27 17:47 282624 ----a-w- c:\documents and settings\Polly\Application Data\Spotify\Gracenote\gnsdk_musicid_file.dll

2010-06-27 17:47 . 2010-06-27 17:47 655360 ----a-w- c:\documents and settings\Polly\Application Data\Spotify\Gracenote\gnsdk_sdkmanager.dll

2010-06-27 17:47 . 2010-06-27 17:47 208896 ----a-w- c:\documents and settings\Polly\Application Data\Spotify\Gracenote\gnsdk_dsp.dll

2008-04-05 15:49 . 2008-04-05 15:49 604 ---ha-w- c:\program files\STLL Notifier

2009-09-03 18:37 . 2009-09-03 18:37 10437264 ----a-w- c:\program files\mozilla firefox\plugins\PDFNetC.dll

2009-09-03 18:58 . 2009-09-03 18:58 107760 ----a-w- c:\program files\mozilla firefox\plugins\ScorchPDFWrapper.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 139264]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"QuickTime Task"="c:\program files\QuickTime\QTTask .exe -atboottime" [X]

"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-07-06 7118848]

"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]

"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-06-15 47408]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Polly\Start Menu\Programs\Startup\

Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

BTTray.lnk - c:\program files\Dell\Bluetooth Software\BTTray.exe [2004-4-26 561213]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]

2005-10-07 13:13 176128 ----a-r- c:\program files\Apoint\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2010-06-15 15:33 141624 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 05:42 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

2005-07-06 18:52 1519616 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"wltrysvc"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\QNAP\\Finder\\Finder.exe"=

"c:\\Program Files\\Spotify\\spotify.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Steinberg\\WaveLab 6\\WaveLab.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 Asapi;Asapi;c:\windows\system32\drivers\asapi.sys [09/05/2010 12:25 11264]

S3 L6PODLV;PODxt Live Service;c:\windows\system32\Drivers\L6PODLV.sys --> c:\windows\system32\Drivers\L6PODLV.sys [?]

S3 Normandy;Normandy SR2; [x]

.

Contents of the 'Scheduled Tasks' folder

2010-08-05 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 11:34]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.co.uk/

uDefault_Search_URL = hxxp://www.google.com/ie

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: Send To &Bluetooth - c:\program files\Dell\Bluetooth Software\btsendto_ie_ctx.htm

FF - ProfilePath - c:\documents and settings\Polly\Application Data\Mozilla\Firefox\Profiles\8iiclskv.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk

FF - component: c:\documents and settings\Polly\Application Data\Mozilla\Firefox\Profiles\8iiclskv.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

FF - user.js: network.cookie.cookieBehavior - 0

FF - user.js: privacy.clearOnShutdown.cookies - false

FF - user.js: security.warn_viewing_mixed - false

FF - user.js: security.warn_viewing_mixed.show_once - false

FF - user.js: security.warn_submit_insecure - false

FF - user.js: security.warn_submit_insecure.show_once - false

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

.

- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-4oD - c:\program files\Kontiki\KHost.exe

MSConfigStartUp-maswenrxco - c:\docume~1\Polly\LOCALS~1\Temp\maswenrxco.tmp

MSConfigStartUp-MsnMsgr - c:\program files\Windows Live\Messenger\MsnMsgr.Exe

MSConfigStartUp-onwesxcmra - c:\docume~1\Polly\LOCALS~1\Temp\onwesxcmra.tmp

MSConfigStartUp-OTGV1DNWQQ - c:\windows\Htugea.exe

MSConfigStartUp-wmgjkgqn - c:\documents and settings\Polly\Local Settings\Application Data\ydwveidvk\tvbkubxuqiw.exe

MSConfigStartUp-YXE7DXCQ37 - c:\docume~1\Polly\LOCALS~1\Temp\Hcu.exe

MSConfigStartUp-{0C1E9254-519D-796B-1A03-0DF955D4ECFD} - c:\documents and settings\Polly\Application Data\Arad\byam.exe

MSConfigStartUp-{1C4EF019-B344-7EF9-4F97-72AF892CA965} - c:\documents and settings\Polly\Application Data\Ovac\ifog.exe

AddRemove-Sibelius 4 - c:\progra~1\SIBELI~1\SIBELI~1\UNWISE.EXE

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-09-19 10:20

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(820)

c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(4064)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\hnetcfg.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\btncopy.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Dell\Bluetooth Software\bin\btwdins.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\nvsvc32.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\rundll32.exe

c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe

c:\progra~1\Dell\BLUETO~1\BTSTAC~1.EXE

c:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2010-09-19 10:25:29 - machine was rebooted

ComboFix-quarantined-files.txt 2010-09-19 09:25

Pre-Run: 2,461,306,880 bytes free

Post-Run: 2,497,630,208 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 6EE6B6C733C7AF2587743D2FB03B6373
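The log above shows a pattern worth being able to spot quickly: several legitimate startup programs had been renamed to a look-alike name with a space before the extension (`QTTask .exe`, `Reader_sl .exe`), ComboFix renamed them back, and one Run value still points at the look-alike name and carries the `[X]` marker ComboFix prints when the target file is not found. The following Python script is an added example, not part of the thread or of ComboFix: it parses lines in the format of ComboFix's `---^>` rename lines and its "Reg Loading Points" Run values, and flags entries a responder would look at first. The sample log text is constructed for the example (names and paths are made up), and the "autostart from a Temp directory" rule is my own heuristic, not something ComboFix reports.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the format of ComboFix's "---^>" rename lines and its
# "Reg Loading Points" section, modelled on the log above. The names and paths
# are made up for this example, not taken from a real machine.
SAMPLE_LOG = r"""
c:\program files\QuickTime\QTTask .exe ---^> c:\program files\QuickTime\QTTask.exe
c:\program files\iTunes\iTunesHelper .exe ---^> c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\QTTask .exe -atboottime" [X]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-07-06 7118848]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"Updater"="c:\docume~1\user\LOCALS~1\Temp\Hcu.exe" [2010-09-10 61440]
"""

# "Name"="command line" [date size]  or  [X] when ComboFix could not find the target.
RUN_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"\s*\[(?P<tag>[^\]]*)\]\s*$')
# old-name ---^> new-name
RENAME_LINE = re.compile(r'^(?P<bad>.+?) ---\^> (?P<good>.+?)\s*$')
# First token of the command line, up to and including its executable extension.
IMAGE_PATH = re.compile(r'^(?P<path>.*?\.(?:exe|dll|com|cpl|scr))(?:\s|$)', re.IGNORECASE)
# Whitespace directly before the extension, as in "QTTask .exe".
SPACE_BEFORE_EXT = re.compile(r'\s\.(?:exe|dll|com|cpl|scr)$', re.IGNORECASE)
# Heuristic of this example: autostart entries living under a Temp directory.
TEMP_DIR = re.compile(r'\\(?:temp|locals~1\\temp)\\', re.IGNORECASE)


def parse_renames(log: str) -> List[Tuple[str, str]]:
    """Return (look-alike name, restored name) pairs from the '---^>' lines."""
    pairs = []
    for line in log.splitlines():
        m = RENAME_LINE.match(line.strip())
        if m:
            pairs.append((m.group("bad"), m.group("good")))
    return pairs


def parse_run_entries(log: str) -> List[Dict[str, str]]:
    """Return each Run value as {'name', 'cmd', 'path', 'tag'}."""
    entries = []
    for line in log.splitlines():
        m = RUN_LINE.match(line.strip())
        if not m:
            continue
        path_match = IMAGE_PATH.match(m.group("cmd"))
        path = path_match.group("path") if path_match else m.group("cmd")
        entries.append({"name": m.group("name"), "cmd": m.group("cmd"),
                        "path": path, "tag": m.group("tag")})
    return entries


def triage(log: str) -> List[Dict[str, object]]:
    """Flag Run entries worth a first look, with the reason for each flag."""
    hijacked = {bad.lower() for bad, _ in parse_renames(log)}
    findings = []
    for e in parse_run_entries(log):
        reasons = []
        if SPACE_BEFORE_EXT.search(e["path"]):
            reasons.append("space before extension (look-alike of a legitimate name)")
        if e["path"].lower() in hijacked:
            reasons.append("target is a file ComboFix renamed back")
        if e["tag"] == "X":
            reasons.append("target file not found ([X])")
        if TEMP_DIR.search(e["path"]):
            reasons.append("autostart from a Temp directory")
        if reasons:
            findings.append({"name": e["name"], "path": e["path"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f'{f["name"]}: {f["path"]}')
        for r in f["reasons"]:
            print("   -", r)
```

On the constructed sample, `triage` reports the QuickTime entry three times over (space before the extension, a name ComboFix renamed back, and `[X]`) and the Temp-directory entry once; the entries pointing at unchanged system files are not flagged. Real ComboFix logs vary between versions, so treat the regular expressions as a starting point and check them against the log at hand.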


That took care of a lot of bad stuff, including a nasty rootkit. It is gone now, however please read the following first.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and cleaned, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

UPDATE JAVA

------------------

Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:

  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "JDK 6 Update 21 (JDK or JRE)".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.

Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.

  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u21-windows-i586.exe to install the newest version.
  • If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.

-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.

-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.

Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

Now please launch MBAM, update it and run a full scan. Post me the resulting log together with a description of any remaining problems.



Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
