
128 infections found, please help


Fillip


I consider myself a very malware savvy computer user. I use Firefox with NoScript and AdBlockPlus. I use Avira real time, Comodo software firewall, MVPS hosts file, SpywareBlaster, I surf always with Sandboxie, I use only a restricted user account with Windows Vista, and I am diligent about updating browsers, software, and windows. I do regular scans, I never get infected, and I've come to wonder whether scanning is a waste of time.

Today I did a Malwarebytes quick-scan and it returned 128 infections, all execution files on the root directory. Malwarebytes asks me to reboot to remove. I reboot, rescan and receive the exact same results.

Here is the log file (note: the execution files named in the log cannot be seen in Windows Explorer, even when opened with elevated privileges and viewing hidden files).

I have noticed no out of the ordinary computer behavior, no strange files connecting to the internet, no out of the ordinary CPU usage.

Any help would be greatly appreciated.

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4980

Windows 6.0.6002 Service Pack 2

Internet Explorer 8.0.6001.18975

10/28/2010 6:40:30 PM

mbam-log-2010-10-28 (18-40-30).txt

Scan type: Quick scan

Objects scanned: 148592

Time elapsed: 8 minute(s), 26 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 128

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\dblnq.exe (Spyware.OnlineGames) -> Delete on reboot.

C:\dydejwbp.exe (Worm.AutoRun) -> Delete on reboot.

C:\d.com (Trojan.Agent) -> Delete on reboot.

C:\d08sle6.exe (Spyware.OnlineGames) -> Delete on reboot.

C:\d1.exe (Trojan.Agent) -> Delete on reboot.

C:\d1vmq.exe (Spyware.OnlineGames) -> Delete on reboot.

C:\d1y36.com (Spyware.OnlineGames) -> Delete on reboot.

C:\d2.exe (Trojan.Agent) -> Delete on reboot.

C:\d218eht.exe (Spyware.OnlineGames) -> Delete on reboot.

C:\d3.exe (Trojan.Agent) -> Delete on reboot.

C:\d3bn0j.exe (Trojan.Agent) -> Delete on reboot.

C:\d4.exe (Trojan.Agent) -> Delete on reboot.

C:\d45.bat (Malware.Trace) -> Delete on reboot.

C:\d6fagcs8.cmd (Spyware.OnlineGames) -> Delete on reboot.

C:\d6r6jmp.exe (Spyware.OnlineGames) -> Delete on reboot.

C:\dannyl.exe (Trojan.Dropper) -> Delete on reboot.

C:\daping.dll (Trojan.Agent) -> Delete on reboot.

C:\dari komputer lonte.exe (Trojan.Agent) -> Delete on reboot.

C:\DATUS.PIF (Worm.AutoRun) -> Delete on reboot.

C:\dbagmtsq.exe (Trojan.Downloader) -> Delete on reboot.

C:\dbeie.exe (Trojan.Agent) -> Delete on reboot.

C:\dbrxubcw.com (Spyware.OnlineGames) -> Delete on reboot.

C:\dbss3nk.exe (Spyware.OnlineGames) -> Delete on reboot.

C:\dca.exe (Backdoor.Bot) -> Delete on reboot.

C:\dcgwhpoh.exe (Trojan.Downloader) -> Delete on reboot.

C:\dcitrwx.exe (Trojan.Downloader) -> Delete on reboot.

C:\dcjacmc.exe (Trojan.Dropper) -> Delete on reboot.

C:\DCOM Exploit.exe (Trojan.Agent) -> Delete on reboot.

C:\dcp6w.exe (Spyware.OnlineGames) -> Delete on reboot.

C:\ddbpu.exe (Trojan.Downloader) -> Delete on reboot.

C:\DDDDD.EXE (Backdoor.PoisonIvy.Gen) -> Delete on reboot.

C:\ddqud.exe (Trojan.Downloader) -> Delete on reboot.

C:\ddv2.dat (Malware.Trace) -> Delete on reboot.

C:\debgx.exe (Trojan.Downloader) -> Delete on reboot.

C:\delextra.exe (Trojan.Agent) -> Delete on reboot.

C:\DellPlung.exe (Trojan.Banker) -> Delete on reboot.

C:\DelUS.bat (Malware.Trace) -> Delete on reboot.

C:\dens.exe (Trojan.Downloader) -> Delete on reboot.

C:\desae.exe (Trojan.Agent) -> Delete on reboot.

C:\desktop.exe (Trojan.Agent) -> Delete on reboot.

C:\dews.exe (Backdoor.PoisonIvy) -> Delete on reboot.

C:\dfg.exe (Trojan.Downloader) -> Delete on reboot.

C:\dfgh6.exe (Trojan.Tibia) -> Delete on reboot.

C:\dfghfghgfj.dll (Trojan.Agent) -> Delete on reboot.

C:\dfhore.exe (Trojan.Dropper) -> Delete on reboot.

C:\dfna.exe (Trojan.Dropper) -> Delete on reboot.

C:\dfsinstall.exe (Backdoor.Bot) -> Delete on reboot.

C:\dcensored.ico (Adware.EGDAccess) -> Delete on reboot.

C:\dfuf.exe (Trojan.Agent) -> Delete on reboot.

C:\dgf.exe (Trojan.Agent) -> Delete on reboot.

C:\dgfus.exe (Trojan.Agent) -> Delete on reboot.

C:\dgism.exe (Trojan.Dropper) -> Delete on reboot.

C:\dgkx.exe (Spyware.OnlineGames) -> Delete on reboot.

C:\dh66ln.cmd (Spyware.OnlineGames) -> Delete on reboot.

C:\dhasbrbc.exe (Trojan.Dropper) -> Delete on reboot.

C:\dhrhyje.bat (Spyware.OnlineGames) -> Delete on reboot.

C:\dHwp.exe (Trojan.Agent) -> Delete on reboot.

C:\dhxbxshe.exe (Trojan.Agent) -> Delete on reboot.

C:\di3su.exe (Worm.Taterf) -> Delete on reboot.

C:\di69.exe (Spyware.OnlineGames) -> Delete on reboot.

C:\dicjprhd.exe (Trojan.Dropper) -> Delete on reboot.

C:\difkghmd.exe (Trojan.Agent) -> Delete on reboot.

C:\diopero.exe (Trojan.Agent) -> Delete on reboot.

C:\dioyw.exe (Trojan.Downloader) -> Delete on reboot.

C:\dipset.exe (Trojan.Agent) -> Delete on reboot.

C:\disk (Trojan.Agent) -> Delete on reboot.

C:\disk32dll.exe (Backdoor.Agent) -> Delete on reboot.

C:\DiskAutoRun.exe (Worm.AutoRun) -> Delete on reboot.

C:\DivX 5.0 Pro KeyGen.exe (Trojan.Agent) -> Delete on reboot.

C:\djwv.exe (Trojan.Agent) -> Delete on reboot.

C:\djxvxmek.exe (Trojan.Dropper) -> Delete on reboot.

C:\dk.exe (Trojan.Agent) -> Delete on reboot.

C:\dkkqptfc.exe (Trojan.Dropper) -> Delete on reboot.

C:\dkpiw.com (Spyware.OnlineGames) -> Delete on reboot.

C:\dll32.bat (Worm.KoobFace) -> Delete on reboot.

C:\dll32.exe (Trojan.Dropper) -> Delete on reboot.

C:\dlldll.vbe (Malware.Trace) -> Delete on reboot.

C:\dllhost32.exe (Worm.AutoRun) -> Delete on reboot.

C:\dlllhost.exe (Backdoor.Agent) -> Delete on reboot.

C:\dlnrg.exe (Trojan.Downloader) -> Delete on reboot.

C:\dmlt.exe (Trojan.Agent) -> Delete on reboot.

C:\dn.exe (Trojan.Dropper) -> Delete on reboot.

C:\DNO.exe (Trojan.Dropper) -> Delete on reboot.

C:\dnsstuff.bat (Malware.Trace) -> Delete on reboot.

C:\Do not open - secrets!.exe (Worm.AutoRun) -> Delete on reboot.

C:\Document1.exe (Trojan.Agent) -> Delete on reboot.

C:\documents.exe (Spyware.OnlineGames) -> Delete on reboot.

C:\DocumentsPay.TMP.DOC.cmd (Backdoor.IRCBot) -> Delete on reboot.

C:\dogyx90.exe (Spyware.OnlineGames) -> Delete on reboot.

C:\don bigg.exe (Backdoor.Bifrose) -> Delete on reboot.

C:\dones.exe (Backdoor.Bot) -> Delete on reboot.

C:\dos.com (Trojan.Agent) -> Delete on reboot.

C:\Downloads.exe (Backdoor.Hupigon) -> Delete on reboot.

C:\dp1.fne (Worm.Autorun) -> Delete on reboot.

C:\dpapa.exe (Trojan.Dropper) -> Delete on reboot.

C:\dpcbx.exe (Trojan.Dropper) -> Delete on reboot.

C:\dpdftck.exe (Trojan.Downloader) -> Delete on reboot.

C:\dpgjvftm.exe (Trojan.Agent) -> Delete on reboot.

C:\dpu1.exe (Spyware.OnlineGames) -> Delete on reboot.

C:\dpxjsdc.exe (Trojan.Dropper) -> Delete on reboot.

C:\dqccpnq.exe (Trojan.Downloader) -> Delete on reboot.

C:\dqm.exe (Spyware.OnlineGames) -> Delete on reboot.

C:\Dr.AdNaN.exe (Backdoor.Bifrose) -> Delete on reboot.

C:\Dr.Dmar!.exe (Backdoor.Bifrose) -> Delete on reboot.

C:\Dr.viurs.exe (Trojan.Agent) -> Delete on reboot.

C:\Drivers.exe (Backdoor.Hupigon) -> Delete on reboot.

C:\drpskh.exe (Trojan.Agent) -> Delete on reboot.

C:\drvvgan.exe (Trojan.Agent) -> Delete on reboot.

C:\ds.exe (Worm.Taterf) -> Delete on reboot.

C:\DSC141742179852.jpg (Malware.Trace) -> Delete on reboot.

C:\dsitxsxq.exe (Trojan.Dropper) -> Delete on reboot.

C:\dskgcpg.exe (Trojan.Downloader) -> Delete on reboot.

C:\dsty.com (Spyware.OnlineGames) -> Delete on reboot.

C:\dsyg.exe (Trojan.Dropper) -> Delete on reboot.

C:\dtacmawh.exe (Trojan.Downloader) -> Delete on reboot.

C:\dtmb.exe (Trojan.Downloader) -> Delete on reboot.

C:\dubfa.exe (Trojan.Dropper) -> Delete on reboot.

C:\duehpow.exe (Trojan.Downloader) -> Delete on reboot.

C:\durpupy.exe (Trojan.Dropper) -> Delete on reboot.

C:\dv6pp.exe (Spyware.OnlineGames) -> Delete on reboot.

C:\dvqsujj.exe (Trojan.Dropper) -> Delete on reboot.

C:\dwmg.exe (Backdoor.IRCBot) -> Delete on reboot.

C:\dygyx.exe (Trojan.Dropper) -> Delete on reboot.

C:\dynrn6e.cmd (Spyware.OnlineGames) -> Delete on reboot.

C:\dypeucmp.exe (Trojan.Dropper) -> Delete on reboot.

C:\dyr2j6mv.exe (Spyware.OnlineGames) -> Delete on reboot.

C:\dyvj.exe (Trojan.Downloader) -> Delete on reboot.

C:\dllhost.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.

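The situation in the post above (entries marked "Delete on reboot" that come back unchanged after the reboot, all sitting directly in the drive root) is easier to reason about from a structured view of the log than from 128 raw lines. The following script is an added example, not code from the forum thread or from Malwarebytes: it parses the "Files Infected:" section of a Malwarebytes' Anti-Malware 1.x log in the layout shown in the post, groups hits by detection family, lists the hits that live directly in a drive root, and compares a pre-reboot and a post-reboot log to report which scheduled deletions did not take effect. The two embedded sample logs are constructed from a handful of the posted entries (the post-reboot one drops a single entry so the comparison has something to show); it assumes the `path (Detection.Name) -> Action.` line format and nothing else about the scanner.

```python
"""Parse Malwarebytes' Anti-Malware 1.x scan logs and compare two runs.

Added example, not part of the forum thread or of Malwarebytes. It assumes the
1.x log layout posted above: section headers ending in "Infected:" and one hit
per line in the form  <path> (<Detection.Name>) -> <Action>.
"""
import ntpath
from collections import Counter

# Constructed sample: a pre-reboot scan, trimmed to four of the posted entries.
SCAN_BEFORE_REBOOT = r"""
Malwarebytes' Anti-Malware 1.46
Database version: 4980

Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Files Infected:
C:\dblnq.exe (Spyware.OnlineGames) -> Delete on reboot.
C:\d.com (Trojan.Agent) -> Delete on reboot.
C:\d45.bat (Malware.Trace) -> Delete on reboot.
C:\DDDDD.EXE (Backdoor.PoisonIvy.Gen) -> Delete on reboot.
"""

# Constructed sample: the rescan after the reboot. Only d45.bat is gone.
SCAN_AFTER_REBOOT = r"""
Files Infected: 3

Files Infected:
C:\dblnq.exe (Spyware.OnlineGames) -> Delete on reboot.
C:\d.com (Trojan.Agent) -> Delete on reboot.
C:\DDDDD.EXE (Backdoor.PoisonIvy.Gen) -> Delete on reboot.
"""


def parse_hit(line):
    """Split one detection line into (path, detection, action), or None.

    Splits from the right so a path that itself contains " (" still parses.
    """
    if " -> " not in line:
        return None
    left, action = line.rsplit(" -> ", 1)
    if not left.endswith(")") or " (" not in left:
        return None
    path, name = left[:-1].rsplit(" (", 1)
    return path, name, action.rstrip(".")


def parse_files_infected(log_text):
    """Return the hits listed under the 'Files Infected:' section of an MBAM log."""
    hits = []
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Section headers end in "Infected:"; the summary block ("Files Infected: 4")
        # ends in a number and is therefore ignored here.
        if line.endswith("Infected:"):
            in_section = line == "Files Infected:"
            continue
        if not in_section or line.startswith("(No malicious items"):
            continue
        hit = parse_hit(line)
        if hit:
            hits.append(hit)
    return hits


def summarize_families(hits):
    """Count hits per detection family, i.e. the part before the first dot (Trojan, Worm, ...)."""
    return Counter(name.split(".", 1)[0] for _, name, _ in hits)


def root_level(hits):
    """Hits stored directly in a drive root (C:\\x.exe), an unusual place for legitimate software."""
    found = []
    for path, _, _ in hits:
        drive, tail = ntpath.splitdrive(path)
        if drive and tail.startswith("\\") and tail.count("\\") == 1:
            found.append(path)
    return found


def persisted_after_reboot(before_hits, after_hits):
    """Paths scheduled for 'Delete on reboot' in the first scan that the second scan still reports."""
    scheduled = {p.lower(): p for p, _, a in before_hits
                 if a.lower().startswith("delete on reboot")}
    still_present = {p.lower() for p, _, _ in after_hits}
    return sorted((scheduled[k] for k in scheduled.keys() & still_present), key=str.lower)


if __name__ == "__main__":
    before = parse_files_infected(SCAN_BEFORE_REBOOT)
    after = parse_files_infected(SCAN_AFTER_REBOOT)
    print("families:", dict(summarize_families(before)))
    print("in drive root:", len(root_level(before)), "of", len(before))
    for path in persisted_after_reboot(before, after):
        print("still reported after reboot:", path)
```

Run it against the full posted log (pass the log text to `parse_files_infected`) and the persisted list is exactly what the poster describes: every scheduled deletion that survives the reboot. A scheduled deletion that survives a reboot means either the file is being re-created, something is blocking the delete, or the path the scanner sees is not the path Explorer sees; the list of persisting paths is the input the next step (the OTL and Rootkit Unhooker logs requested below) is meant to explain.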

Hello,

And :) My name is Elise and I'll be glad to help you with your computer problems.

I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.

  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications.

-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.

Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:

  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Quick Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Please download Rootkit Unhooker and save it to your Desktop

  • Double-click on RKUnhookerLE to run it
  • Click the Report tab, then click Scan
  • Check Drivers, Stealth and uncheck the rest
  • Click OK
  • Wait until it's finished and then go to File > Save Report
  • Save the report to your Desktop

Copy the entire contents of the report and paste it in a reply here.

Note - you may get this warning; it is ok, just ignore it: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?"

-------------------------------------------------------------

In the meantime please do NOT install any new programs or update anything unless told to do so while we are fixing your problem.

If you still need help, please include the following in your next reply:

  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)
  • RKU log

Thanks and again sorry for the delay.


Thank you Blonde!!!!!!!!

For privacy purposes, I have altered all three logs in this sense: wherever the name of the computer or the name of the administrator account appeared, I changed it to "Admin." Wherever the restricted user account name appeared, I changed it to "XXXXXX."

As per your instructions, here is the OTL log:

OTL logfile created on: 10/29/2010 8:32:21 AM - Run 1

OTL by OldTimer - Version 3.2.17.1 Folder = C:\Users\Adeimantus\Desktop

Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18975)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 57.00% Memory free

6.00 Gb Paging File | 5.00 Gb Available in Paging File | 80.00% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files

Drive C: | 287.21 Gb Total Space | 190.26 Gb Free Space | 66.24% Space Free | Partition Type: NTFS

Drive D: | 10.88 Gb Total Space | 1.82 Gb Free Space | 16.70% Space Free | Partition Type: NTFS

Unable to calculate disk information.

Computer Name: GLAUCON-PC | User Name: Glaucon | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: All users | Quick Scan

Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2010/10/29 08:25:18 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Users\Adeimantus\Desktop\OTL.exe

PRC - [2010/10/28 14:56:04 | 000,912,344 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe

PRC - [2010/04/01 13:33:19 | 000,267,432 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe

PRC - [2010/03/02 11:28:31 | 000,282,792 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

PRC - [2010/02/24 10:28:09 | 000,135,336 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe

PRC - [2010/02/03 17:31:43 | 001,800,464 | ---- | M] (COMODO) -- C:\Program Files\COMODO\COMODO Internet Security\cfp.exe

PRC - [2010/02/03 17:31:30 | 000,723,632 | ---- | M] (COMODO) -- C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe

PRC - [2010/02/03 03:40:20 | 000,394,984 | ---- | M] (tzuk) -- C:\Program Files\Sandboxie\SbieCtrl.exe

PRC - [2010/02/03 03:40:16 | 000,073,960 | ---- | M] (tzuk) -- C:\Program Files\Sandboxie\SbieSvc.exe

PRC - [2010/01/14 22:11:00 | 000,076,968 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

PRC - [2009/04/10 23:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe

PRC - [2008/10/06 09:54:52 | 000,365,952 | ---- | M] () -- C:\Program Files\SMINST\BLService.exe

========== Modules (SafeList) ==========

MOD - [2010/10/29 08:25:18 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Users\Adeimantus\Desktop\OTL.exe

MOD - [2010/08/31 08:43:52 | 001,686,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18305_none_5cb72f2a088b0ed3\comctl32.dll

MOD - [2010/02/03 17:32:44 | 000,171,552 | ---- | M] (COMODO) -- C:\Windows\System32\guard32.dll

========== Win32 Services (SafeList) ==========

SRV - [2010/09/01 15:52:56 | 000,066,112 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper_3004.dll -- (nosGetPlusHelper) getPlus®

SRV - [2010/04/01 13:33:19 | 000,267,432 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)

SRV - [2010/03/18 13:16:28 | 000,753,504 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe -- (WPFFontCache_v0400)

SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)

SRV - [2010/02/24 10:28:09 | 000,135,336 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)

SRV - [2010/02/03 17:31:30 | 000,723,632 | ---- | M] (COMODO) [Auto | Running] -- C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe -- (cmdAgent)

SRV - [2010/02/03 03:40:16 | 000,073,960 | ---- | M] (tzuk) [Auto | Running] -- C:\Program Files\Sandboxie\SbieSvc.exe -- (SbieSvc)

SRV - [2009/09/24 18:27:04 | 000,793,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\FntCache.dll -- (FontCache)

SRV - [2008/10/06 09:54:52 | 000,365,952 | ---- | M] () [Auto | Running] -- C:\Program Files\SMINST\BLService.exe -- (Recovery Service for Windows)

SRV - [2008/01/20 19:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\Adeimantus\Desktop\Tools\SysinternalsSuite\PORTMSYS.SYS -- (PORTMON)

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)

DRV - File not found [File_System | Boot | Stopped] -- C:\Windows\System32\DRIVERS\Lbd.sys -- (Lbd)

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\ipinip.sys -- (IpInIp)

DRV - File not found [File_System | Auto | Stopped] -- C:\Windows\System32\DRIVERS\eamonm.sys -- (eamonm)

DRV - [2010/08/26 00:27:15 | 000,016,968 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\hitmanpro35.sys -- (hitmanpro35)

DRV - [2010/08/25 19:31:30 | 009,024,512 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\igdkmd32.sys -- (igfx)

DRV - [2010/06/23 09:21:32 | 000,259,176 | ---- | M] (Realtek ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Rtlh86.sys -- (RTL8169)

DRV - [2010/05/10 11:41:30 | 000,067,656 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)

DRV - [2010/03/01 10:05:24 | 000,124,784 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\avipbb.sys -- (avipbb)

DRV - [2010/02/17 11:25:48 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)

DRV - [2010/02/16 14:24:01 | 000,060,936 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\Windows\System32\drivers\avgntflt.sys -- (avgntflt)

DRV - [2010/02/03 17:34:46 | 000,074,328 | ---- | M] (COMODO) [Kernel | System | Running] -- C:\Windows\System32\drivers\inspect.sys -- (inspect)

DRV - [2010/02/03 17:32:41 | 000,029,520 | ---- | M] (COMODO) [Kernel | System | Running] -- C:\Windows\System32\drivers\cmdhlp.sys -- (cmdHlp)

DRV - [2010/02/03 17:32:40 | 000,130,960 | ---- | M] (COMODO) [File_System | System | Running] -- C:\Windows\System32\drivers\cmdguard.sys -- (cmdGuard)

DRV - [2010/02/03 03:40:08 | 000,115,432 | ---- | M] (tzuk) [Kernel | On_Demand | Running] -- C:\Program Files\Sandboxie\SbieDrv.sys -- (SbieDrv)

DRV - [2009/05/19 15:52:20 | 001,166,848 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\athr.sys -- (athr)

DRV - [2009/05/11 10:12:49 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\ssmdrv.sys -- (ssmdrv)

DRV - [2009/04/23 11:33:34 | 000,064,512 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\RTSTOR.sys -- (RTSTOR)

DRV - [2008/10/23 03:05:13 | 000,020,024 | ---- | M] (VIA Technologies, Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\viaide.sys -- (viaide)

DRV - [2008/10/23 03:05:13 | 000,019,000 | ---- | M] (CMD Technology, Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\cmdide.sys -- (cmdide)

DRV - [2008/10/23 03:05:13 | 000,017,464 | ---- | M] (Acer Laboratories Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\aliide.sys -- (aliide)

DRV - [2008/10/03 03:39:28 | 000,222,208 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\CHDRT32.sys -- (CnxtHdAudService)

DRV - [2008/06/29 07:52:26 | 000,112,128 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\IntcHdmi.sys -- (IntcHdmiAddService) Intel®

DRV - [2008/04/17 11:05:16 | 000,199,344 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\SynTP.sys -- (SynTP)

DRV - [2008/01/20 19:23:27 | 000,386,616 | ---- | M] (LSI Corporation, Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\megasr.sys -- (MegaSR)

DRV - [2008/01/20 19:23:27 | 000,149,560 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\adpu320.sys -- (adpu320)

DRV - [2008/01/20 19:23:27 | 000,031,288 | ---- | M] (LSI Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\megasas.sys -- (megasas)

DRV - [2008/01/20 19:23:26 | 000,101,432 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\adpu160m.sys -- (adpu160m)

DRV - [2008/01/20 19:23:26 | 000,074,808 | ---- | M] (Silicon Integrated Systems) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\sisraid4.sys -- (SiSRaid4)

DRV - [2008/01/20 19:23:26 | 000,040,504 | ---- | M] (Hewlett-Packard Company) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\hpcisss.sys -- (HpCISSs)

DRV - [2008/01/20 19:23:25 | 000,300,600 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\adpahci.sys -- (adpahci)

DRV - [2008/01/20 19:23:25 | 000,089,656 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\lsi_sas.sys -- (LSI_SAS)

DRV - [2008/01/20 19:23:24 | 001,122,360 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\ql2300.sys -- (ql2300)

DRV - [2008/01/20 19:23:24 | 000,118,784 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\E1G60I32.sys -- (E1G60) Intel®

DRV - [2008/01/20 19:23:24 | 000,079,928 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\arcsas.sys -- (arcsas)

DRV - [2008/01/20 19:23:23 | 000,235,064 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\iastorv.sys -- (iaStorV)

DRV - [2008/01/20 19:23:23 | 000,130,616 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\vsmraid.sys -- (vsmraid)

DRV - [2008/01/20 19:23:23 | 000,115,816 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\ulsata2.sys -- (ulsata2)

DRV - [2008/01/20 19:23:23 | 000,096,312 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\lsi_scsi.sys -- (LSI_SCSI)

DRV - [2008/01/20 19:23:23 | 000,096,312 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\lsi_fc.sys -- (LSI_FC)

DRV - [2008/01/20 19:23:23 | 000,079,416 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\arc.sys -- (arc)

DRV - [2008/01/20 19:23:22 | 000,342,584 | ---- | M] (Emulex) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\elxstor.sys -- (elxstor)

DRV - [2008/01/20 19:23:21 | 000,422,968 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\adp94xx.sys -- (adp94xx)

DRV - [2008/01/20 19:23:21 | 000,102,968 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\nvraid.sys -- (nvraid)

DRV - [2008/01/20 19:23:21 | 000,045,112 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\nvstor.sys -- (nvstor)

DRV - [2008/01/20 19:23:20 | 002,225,664 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NETw3v32.sys -- (NETw3v32) Intel®

DRV - [2008/01/20 19:23:20 | 000,238,648 | ---- | M] (ULi Electronics Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\uliahci.sys -- (uliahci)

DRV - [2007/10/31 18:51:26 | 000,985,600 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSX_DPV.sys -- (HSF_DPV)

DRV - [2007/10/31 18:47:54 | 000,208,896 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSXHWAZL.sys -- (HSXHWAZL)

DRV - [2007/10/31 18:47:08 | 000,661,504 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSX_CNXT.sys -- (winachsf)

DRV - [2007/10/17 16:36:54 | 000,008,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\XAudio.sys -- (XAudio)

DRV - [2007/06/18 17:12:04 | 000,016,768 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HpqKbFiltr.sys -- (HpqKbFiltr)

DRV - [2006/11/02 02:50:35 | 000,106,088 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\ql40xx.sys -- (ql40xx)

DRV - [2006/11/02 02:50:35 | 000,098,408 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\ulsata.sys -- (UlSata)

DRV - [2006/11/02 02:50:19 | 000,045,160 | ---- | M] (IBM Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\nfrd960.sys -- (nfrd960)

DRV - [2006/11/02 02:50:17 | 000,041,576 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\iirsp.sys -- (iirsp)

DRV - [2006/11/02 02:50:11 | 000,071,272 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\djsvs.sys -- (aic78xx)

DRV - [2006/11/02 02:50:09 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\iteraid.sys -- (iteraid)

DRV - [2006/11/02 02:50:07 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\iteatapi.sys -- (iteatapi)

DRV - [2006/11/02 02:50:05 | 000,035,944 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\symc8xx.sys -- (Symc8xx)

DRV - [2006/11/02 02:50:03 | 000,034,920 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\sym_u3.sys -- (Sym_u3)

DRV - [2006/11/02 02:49:59 | 000,033,384 | ---- | M] (LSI Logic Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\mraid35x.sys -- (Mraid35x)

DRV - [2006/11/02 02:49:56 | 000,031,848 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\sym_hi.sys -- (Sym_hi)

DRV - [2006/11/02 01:25:24 | 000,071,808 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)

DRV - [2006/11/02 01:24:47 | 000,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brusbser.sys -- (BrUsbSer)

DRV - [2006/11/02 01:24:46 | 000,005,248 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltup.sys -- (BrFiltUp)

DRV - [2006/11/02 01:24:45 | 000,013,568 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltlo.sys -- (BrFiltLo)

DRV - [2006/11/02 01:24:44 | 000,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brserwdm.sys -- (BrSerWdm)

DRV - [2006/11/02 01:24:44 | 000,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brusbmdm.sys -- (BrUsbMdm)

DRV - [2006/11/02 00:36:50 | 000,020,608 | ---- | M] (N-trig Innovative Technologies) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\ntrigdigi.sys -- (ntrigdigi)

DRV - [2006/11/02 00:30:56 | 000,194,048 | ---- | M] (Marvell) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\yk60x86.sys -- (yukonwlh)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...ion&pf=cnnb

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...ion&pf=cnnb

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-3903886535-2933960046-2338027323-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...ion&pf=cnnb

IE - HKU\S-1-5-21-3903886535-2933960046-2338027323-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://google.com/

IE - HKU\S-1-5-21-3903886535-2933960046-2338027323-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1

IE - HKU\S-1-5-21-3903886535-2933960046-2338027323-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-3903886535-2933960046-2338027323-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...ion&pf=cnnb

IE - HKU\S-1-5-21-3903886535-2933960046-2338027323-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://google.com/

IE - HKU\S-1-5-21-3903886535-2933960046-2338027323-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "google.com"

FF - prefs.js..extensions.enabledItems: {1A2D0EC4-75F5-4c91-89C4-3656F6E44B68}:0.4.4

FF - prefs.js..extensions.enabledItems: {73a6fe31-595d-460b-a920-fcc0f8843232}:2.0.3.5

FF - prefs.js..extensions.enabledItems: {d40f5e7b-d2cf-4856-b441-cc613eeffbe3}:1.48.3

FF - prefs.js..extensions.enabledItems: {69D30031-F4A8-452a-A5B3-5D6787C3C5CF}:3.6

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/10/28 14:56:06 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/10/28 14:56:06 | 000,000,000 | ---D | M]

[2009/05/20 07:28:27 | 000,000,000 | ---D | M] -- C:\Users\Glaucon\AppData\Roaming\Mozilla\Extensions

[2010/07/01 19:42:13 | 000,000,000 | ---D | M] -- C:\Users\Glaucon\AppData\Roaming\Mozilla\Firefox\Profiles\b29ns3j4.default\extensions

[2009/05/18 14:41:45 | 000,000,000 | ---D | M] (NoScript) -- C:\Users\Glaucon\AppData\Roaming\Mozilla\Firefox\Profiles\b29ns3j4.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}

[2009/05/18 14:41:40 | 000,000,000 | ---D | M] (Aquatint Black Gloss) -- C:\Users\Glaucon\AppData\Roaming\Mozilla\Firefox\Profiles\b29ns3j4.default\extensions\{7694c49c-9fbd-11dc-8314-0800200c9a66}

[2009/05/18 17:37:04 | 000,000,000 | ---D | M] (Tor-Proxy.NET Toolbar) -- C:\Users\Glaucon\AppData\Roaming\Mozilla\Firefox\Profiles\b29ns3j4.default\extensions\{9815d32d-08c2-42ca-a8c6-43e501a4512f}

[2010/10/19 23:27:59 | 000,000,000 | ---D | M] -- C:\Users\Glaucon\AppData\Roaming\Mozilla\Firefox\Profiles\yeedpwrj.default\extensions

[2009/07/28 23:36:08 | 000,000,000 | ---D | M] (iFox Metal) -- C:\Users\Glaucon\AppData\Roaming\Mozilla\Firefox\Profiles\yeedpwrj.default\extensions\{08c834b4-e025-44a3-9b95-e9885adc4be0}

[2010/04/02 01:37:26 | 000,000,000 | ---D | M] (Image Zoom) -- C:\Users\Glaucon\AppData\Roaming\Mozilla\Firefox\Profiles\yeedpwrj.default\extensions\{1A2D0EC4-75F5-4c91-89C4-3656F6E44B68}

[2010/10/19 23:27:04 | 000,000,000 | ---D | M] (OldFactory Black) -- C:\Users\Glaucon\AppData\Roaming\Mozilla\Firefox\Profiles\yeedpwrj.default\extensions\{69D30031-F4A8-452a-A5B3-5D6787C3C5CF}

[2010/10/19 23:27:08 | 000,000,000 | ---D | M] (NoScript) -- C:\Users\Glaucon\AppData\Roaming\Mozilla\Firefox\Profiles\yeedpwrj.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}

[2009/07/28 23:34:34 | 000,000,000 | ---D | M] (iFox Smooth) -- C:\Users\Glaucon\AppData\Roaming\Mozilla\Firefox\Profiles\yeedpwrj.default\extensions\{d3d70bca-2d54-425e-b02c-b7e2f4b07688}

[2010/07/30 20:31:58 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Glaucon\AppData\Roaming\Mozilla\Firefox\Profiles\yeedpwrj.default\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}

[2010/07/20 16:19:51 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

[2010/04/20 17:14:03 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

[2010/10/05 08:54:38 | 000,075,208 | ---- | M] (Foxit Software Company) -- C:\Program Files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll

O1 HOSTS File: ([2010/10/25 18:11:57 | 000,620,096 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O1 - Hosts: 127.0.0.1 fr.a2dfp.net

O1 - Hosts: 127.0.0.1 m.fr.a2dfp.net

O1 - Hosts: 127.0.0.1 ad.a8.net

O1 - Hosts: 127.0.0.1 asy.a8ww.net

O1 - Hosts: 127.0.0.1 abcstats.com

O1 - Hosts: 127.0.0.1 a.abv.bg

O1 - Hosts: 127.0.0.1 adserver.abv.bg

O1 - Hosts: 127.0.0.1 adv.abv.bg

O1 - Hosts: 127.0.0.1 bimg.abv.bg

O1 - Hosts: 127.0.0.1 ca.abv.bg

O1 - Hosts: 127.0.0.1 www2.a-counter.kiev.ua

O1 - Hosts: 127.0.0.1 track.acclaimnetwork.com

O1 - Hosts: 127.0.0.1 accuserveadsystem.com

O1 - Hosts: 127.0.0.1 www.accuserveadsystem.com

O1 - Hosts: 127.0.0.1 achmedia.com

O1 - Hosts: 127.0.0.1 aconti.net

O1 - Hosts: 127.0.0.1 secure.aconti.net

O1 - Hosts: 127.0.0.1 www.aconti.net #[Dialer.Aconti]

O1 - Hosts: 127.0.0.1 ads.active.com

O1 - Hosts: 127.0.0.1 am1.activemeter.com

O1 - Hosts: 127.0.0.1 www.activemeter.com #[Tracking.Cookie]

O1 - Hosts: 127.0.0.1 ads.activepower.net

O1 - Hosts: 127.0.0.1 stat.active24stats.nl #[Tracking.Cookie]

O1 - Hosts: 127.0.0.1 ad2games.com

O1 - Hosts: 16349 more lines...

O2 - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - No CLSID value found.

O3 - HKU\S-1-5-21-3903886535-2933960046-2338027323-1000\..\Toolbar\WebBrowser: (no name) - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No CLSID value found.

O3 - HKU\S-1-5-21-3903886535-2933960046-2338027323-1001\..\Toolbar\WebBrowser: (no name) - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No CLSID value found.

O3 - HKU\S-1-5-21-3903886535-2933960046-2338027323-1001\..\Toolbar\WebBrowser: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.

O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)

O4 - HKLM..\Run: [COMODO Internet Security] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO)

O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)

O4 - HKU\S-1-5-19..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)

O4 - HKU\S-1-5-20..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)

O4 - HKU\S-1-5-21-3903886535-2933960046-2338027323-1000..\Run: [sandboxieControl] C:\Program Files\Sandboxie\SbieCtrl.exe (tzuk)

O4 - HKU\S-1-5-21-3903886535-2933960046-2338027323-1001..\Run: [sandboxieControl] C:\Program Files\Sandboxie\SbieCtrl.exe (tzuk)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutorunSetting = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255

O7 - HKU\S-1-5-21-3903886535-2933960046-2338027323-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutorunSetting = 1

O7 - HKU\S-1-5-21-3903886535-2933960046-2338027323-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKU\S-1-5-21-3903886535-2933960046-2338027323-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255

O13 - gopher Prefix: missing

O15 - HKU\.DEFAULT\..Trusted Ranges: Range1 ([http] in Local intranet)

O15 - HKU\S-1-5-18\..Trusted Ranges: Range1 ([http] in Local intranet)

O15 - HKU\S-1-5-21-3903886535-2933960046-2338027323-1000\..Trusted Ranges: Range1 ([http] in Local intranet)

O15 - HKU\S-1-5-21-3903886535-2933960046-2338027323-1001\..Trusted Ranges: Range1 ([http] in Local intranet)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 64.233.217.5 64.233.217.2

O20 - AppInit_DLLs: (C:\Windows\system32\guard32.dll) - C:\Windows\System32\guard32.dll (COMODO)

O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)

O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\Windows\System32\igfxdev.dll (Intel Corporation)

O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img24.jpg

O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img24.jpg

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2006/09/18 14:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]

O32 - AutoRun File - [2010/07/14 18:49:42 | 000,000,796 | ---- | M] () - C:\AutoRunDisable.reg -- [ NTFS ]

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/10/29 08:19:18 | 000,000,000 | R--D | C] -- C:\Sandbox

[2010/10/23 20:05:42 | 000,000,000 | ---D | C] -- C:\Program Files\Defraggler

[2010/08/25 18:59:08 | 000,004,096 | ---- | C] ( ) -- C:\Windows\System32\IGFXDEVLib.dll

========== Files - Modified Within 30 Days ==========

[2010/10/29 08:34:00 | 000,000,422 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{FB114DBE-7BB0-47DC-A724-10F1ED399B2C}.job

[2010/10/29 08:32:13 | 000,000,402 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{CAF1886B-0F74-4D99-8A4E-1B6F53E6A68C}.job

[2010/10/29 07:01:47 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0

[2010/10/29 07:01:47 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0

[2010/10/29 01:01:26 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat

[2010/10/28 18:52:27 | 000,004,068 | ---- | M] () -- C:\Windows\Sandboxie.ini

[2010/10/23 20:05:58 | 000,001,702 | ---- | M] () -- C:\Users\Glaucon\Desktop\Defraggler.lnk

[2010/10/23 20:01:15 | 000,001,057 | ---- | M] () -- C:\Users\Glaucon\Desktop\Revo Uninstaller.lnk

[2010/10/12 17:22:20 | 000,381,728 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT

========== Files Created - No Company Name ==========

[2010/10/23 20:05:58 | 000,001,702 | ---- | C] () -- C:\Users\Glaucon\Desktop\Defraggler.lnk

[2010/07/02 13:42:43 | 000,000,038 | ---- | C] () -- C:\Windows\avisplitter.ini

[2010/07/02 13:42:39 | 000,790,528 | ---- | C] () -- C:\Windows\System32\xvidcore.dll

[2010/07/02 13:42:39 | 000,134,144 | ---- | C] () -- C:\Windows\System32\xvidvfw.dll

[2010/07/02 13:42:37 | 000,108,032 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll

[2010/06/28 13:42:52 | 000,000,000 | ---- | C] () -- C:\Windows\System32\dfshim.dll

[2010/04/21 17:22:50 | 000,208,896 | ---- | C] () -- C:\Windows\System32\iglhsip32.dll

[2010/04/21 17:22:50 | 000,143,360 | ---- | C] () -- C:\Windows\System32\iglhcp32.dll

[2010/03/29 02:21:54 | 000,016,968 | ---- | C] () -- C:\Windows\System32\drivers\hitmanpro35.sys

[2010/03/02 00:52:27 | 000,165,376 | ---- | C] () -- C:\Windows\System32\unrar.dll

[2009/12/03 09:27:30 | 000,080,416 | ---- | C] () -- C:\Windows\System32\RtNicProp32.dll

[2009/12/01 14:35:54 | 000,004,068 | ---- | C] () -- C:\Windows\Sandboxie.ini

[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll

[2009/07/29 00:00:02 | 000,000,021 | ---- | C] () -- C:\ProgramData\hpqp.txt

[2009/05/29 10:13:10 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll

[2009/05/20 22:55:34 | 000,061,678 | ---- | C] () -- C:\Users\Glaucon\AppData\Roaming\PFP120JPR.{PB

[2009/05/20 22:55:34 | 000,012,358 | ---- | C] () -- C:\Users\Glaucon\AppData\Roaming\PFP120JCM.{PB

[2009/05/19 19:34:05 | 000,033,792 | ---- | C] () -- C:\Users\Glaucon\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2009/05/18 16:40:46 | 000,000,000 | ---- | C] () -- C:\Users\Glaucon\AppData\Local\QSwitch.txt

[2009/05/18 16:40:46 | 000,000,000 | ---- | C] () -- C:\Users\Glaucon\AppData\Local\DSwitch.txt

[2009/05/18 16:40:46 | 000,000,000 | ---- | C] () -- C:\Users\Glaucon\AppData\Local\AtStart.txt

[2009/05/18 14:31:45 | 000,006,648 | ---- | C] () -- C:\Users\Glaucon\AppData\Local\d3d9caps.dat

[2009/03/26 01:06:55 | 000,000,105 | ---- | C] () -- C:\ProgramData\{d36dd326-7280-11d8-97c8-000129760cbe}.log

[2009/03/26 01:06:46 | 000,000,032 | ---- | C] () -- C:\ProgramData\{051B9612-4D82-42AC-8C63-CD2DCEDC1CB3}.log

[2009/03/26 01:06:23 | 000,000,032 | ---- | C] () -- C:\ProgramData\{9867824A-C86D-4A83-8F3C-E7A86BE0AFD3}.log

[2009/03/26 01:05:50 | 000,000,032 | ---- | C] () -- C:\ProgramData\{23F3DA62-2D9E-4A69-B8D5-BE8E9E148092}.log

[2009/03/26 01:04:03 | 000,000,032 | ---- | C] () -- C:\ProgramData\{4FC670EB-5F02-4B07-90DB-022B86BFEFD0}.log

[2009/03/26 01:03:33 | 000,000,284 | ---- | C] () -- C:\ProgramData\hpqp.ini

[2008/10/23 03:50:32 | 000,000,109 | ---- | C] () -- C:\ProgramData\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}.log

[2008/10/23 03:46:14 | 000,000,110 | ---- | C] () -- C:\ProgramData\{CB099890-1D5F-11D5-9EA9-0050BAE317E1}.log

[2008/10/23 03:44:45 | 000,000,105 | ---- | C] () -- C:\ProgramData\{40BF1E83-20EB-11D8-97C5-0009C5020658}.log

[2008/10/23 03:43:42 | 000,000,107 | ---- | C] () -- C:\ProgramData\{C59C179C-668D-49A9-B6EA-0121CCFC1243}.log

[2008/07/06 13:29:46 | 000,147,456 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1518.dll

[2008/06/29 07:52:14 | 000,004,608 | ---- | C] () -- C:\Windows\System32\HdmiCoin.dll

[2006/11/02 05:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll

[2006/11/02 00:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini

[2006/03/09 02:58:00 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll

========== LOP Check ==========

[2009/06/02 17:03:17 | 000,000,000 | ---D | M] -- C:\Users\Adeimantus\AppData\Roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1

[2010/05/24 00:22:31 | 000,000,000 | ---D | M] -- C:\Users\Adeimantus\AppData\Roaming\Foxit Software

[2010/08/03 19:40:24 | 000,000,000 | ---D | M] -- C:\Users\Adeimantus\AppData\Roaming\PeerNetworking

[2010/02/09 14:16:21 | 000,000,000 | ---D | M] -- C:\Users\Adeimantus\AppData\Roaming\Template

[2009/12/24 12:32:25 | 000,000,000 | ---D | M] -- C:\Users\Adeimantus\AppData\Roaming\TrueCrypt

[2010/07/01 19:38:29 | 000,000,000 | ---D | M] -- C:\Users\Glaucon\AppData\Roaming\Foxit

[2010/07/01 19:38:31 | 000,000,000 | ---D | M] -- C:\Users\Glaucon\AppData\Roaming\Foxit Software

[2010/08/04 20:33:57 | 000,000,000 | ---D | M] -- C:\Users\Glaucon\AppData\Roaming\TrueCrypt

[2010/10/29 01:00:19 | 000,032,560 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

[2010/10/29 08:32:13 | 000,000,402 | -H-- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{CAF1886B-0F74-4D99-8A4E-1B6F53E6A68C}.job

[2010/10/29 08:34:00 | 000,000,422 | -H-- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{FB114DBE-7BB0-47DC-A724-10F1ED399B2C}.job

========== Purity Check ==========

========== Alternate Data Streams ==========

@Alternate Data Stream - 95 bytes -> C:\ProgramData\Temp:5C321E34

< End of report >

Here is the Extras log:

OTL Extras logfile created on: 10/29/2010 8:32:21 AM - Run 1

OTL by OldTimer - Version 3.2.17.1 Folder = C:\Users\XXXXXX\Desktop

Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18975)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 57.00% Memory free

6.00 Gb Paging File | 5.00 Gb Available in Paging File | 80.00% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files

Drive C: | 287.21 Gb Total Space | 190.26 Gb Free Space | 66.24% Space Free | Partition Type: NTFS

Drive D: | 10.88 Gb Total Space | 1.82 Gb Free Space | 16.70% Space Free | Partition Type: NTFS

Unable to calculate disk information.

Computer Name: Admin-PC | User Name: Admin | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: All users | Quick Scan

Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)

.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-3903886535-2933960046-2338027323-1000\SOFTWARE\Classes\<extension>]

.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

[HKEY_USERS\S-1-5-21-3903886535-2933960046-2338027323-1001\SOFTWARE\Classes\<extension>]

.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)

exefile [open] -- "%1" %*

helpfile [open] -- Reg Error: Key error.

hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)

inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"cval" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

"AntiVirusOverride" = 0

"AntiSpywareOverride" = 0

"FirewallOverride" = 0

"VistaSp1" = Reg Error: Unknown registry data type -- File not found

"VistaSp2" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

"EnableFirewall" = 1

"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall" = 1

"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]

"EnableFirewall" = 0

"DisableNotifications" = 0

"DoNotAllowExceptions" = 1

========== Authorized Applications List ==========

========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148

"{0054A0F6-00C9-4498-B821-B5C9578F433E}" = HP Help and Support

"{01FB4998-33C4-4431-85ED-079E3EEFE75D}" = CyberLink YouCam

"{082702D5-5DD8-4600-BCE5-48B15174687F}" = HP Doc Viewer

"{0E7DBD52-B097-4F2B-A7C7-F105B0D20FDB}" = LightScribe System Software 1.14.17.1

"{154A4184-1A3D-4BF9-A5AE-4FA1660445F3}" = HP Total Care Advisor

"{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}" = Microsoft Works

"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

"{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = CyberLink DVD Suite

"{228C6B46-64E2-404E-898A-EF0830603EF4}" = HPNetworkAssistant

"{254C37AA-6B72-4300-84F6-98A82419187E}" = ActiveCheck component for HP Active Support Library

"{34D2AB40-150D-475D-AE32-BD23FB5EE355}" = HP Quick Launch Buttons 6.40 H2

"{352310C3-E46B-42D3-8F32-54721FDD72D9}" = NetZero Preloader

"{3877C901-7B90-4727-A639-B6ED2DD59D43}" = ESU for Microsoft Vista

"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile

"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = NetWaiting

"{40BF1E83-20EB-11D8-97C5-0009C5020658}" = Power2Go

"{415B2719-AD3A-4944-B404-C472DB6085B3}" = Cisco EAP-FAST Module

"{45D707E9-F3C4-11D9-A373-0050BAE317E1}" = HP DVD Play 3.7

"{57A5AEC1-97FC-474D-92C4-908FCC2253D4}" = HP Customer Experience Enhancements

"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053

"{6423EF83-6E1D-4D22-A36F-689CD19FD4D2}" = Juno Preloader

"{65DA2EC9-0642-47E9-AAE2-B5267AA14D75}" = Activation Assistant for the 2007 Microsoft Office suites

"{669C7BD8-DAA2-49B6-966C-F1E2AAE6B17E}" = Cisco PEAP Module

"{669D4A35-146B-4314-89F1-1AC3D7B88367}" = HPAsset component for HP Active Support Library

"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin

"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable

"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

"{7B15D70E-9449-4CFB-B9BC-798465B2BD5C}" = Norton Internet Security

"{83770D14-21B9-44B3-8689-F7B523F94560}" = Cisco LEAP Module

"{846DDADA-0239-4B67-A6B1-33658863793B}" = HPTCSSetup

"{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek 8169 8168 8101E 8102E Ethernet Driver

"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007

"{90120000-0016-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007

"{90120000-0018-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007

"{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007

"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007

"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007

"{90120000-001F-0C0A-0000-0000000FF1CE}_HOMESTUDENTR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system

"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007

"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007

"{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007

"{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007

"{90120000-0115-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007

"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)

"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)

"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

"{9ADABDDE-9644-461B-9E73-83FA3EFCAB50}" = HP Wireless Assistant

"{AF19F291-F22F-4798-9662-525305AE9E48}" = WordPerfect Office 12

"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0

"{B6D0B141-B2BE-4DD0-B08F-B9186F3E36B3}" = HP User Guides 0118

"{C3A32068-8AB1-4327-BB16-BED9C6219DC7}" = Atheros Driver Installation Program

"{C59C179C-668D-49A9-B6EA-0121CCFC1243}" = LabelPrint

"{C8FD5BC1-92EF-4C15-92A9-F9AC7F61985F}" = HP Update

"{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = PowerDirector

"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware

"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1

"{CE7E3BE0-2DD3-4416-A690-F9E4A99A8CFF}" = HP Active Support Library

"{DC24971E-1946-445D-8A82-CE685433FA7D}" = Realtek USB 2.0 Card Reader

"{DD35C328-F115-BEDA-6EEE-E00C5AACCCBC}" = muvee Reveal

"{E2883E8F-472F-4fb0-9522-AC9BF37916A7}" = Adobe Download Manager

"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)

"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01

"Activation Assistant for the 2007 Microsoft Office suites" = Activation Assistant for the 2007 Microsoft Office suites

"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin

"Adobe Shockwave Player" = Adobe Shockwave Player 11.5

"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus

"CCleaner" = CCleaner

"CNXT_AUDIO_HDA" = Conexant HD Audio

"CNXT_MODEM_HDAUDIO_HERMOSA_HSF" = HDAUDIO Soft Data Fax Modem with SmartCP

"COMODO Internet Security" = COMODO Internet Security

"Defraggler" = Defraggler

"Foxit Reader" = Foxit Reader

"HDMI" = Intel® Graphics Media Accelerator Driver

"HOMESTUDENTR" = Microsoft Office Home and Student 2007

"InstallShield_{01FB4998-33C4-4431-85ED-079E3EEFE75D}" = CyberLink YouCam

"InstallShield_{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = CyberLink DVD Suite

"InstallShield_{40BF1E83-20EB-11D8-97C5-0009C5020658}" = Power2Go

"InstallShield_{C59C179C-668D-49A9-B6EA-0121CCFC1243}" = LabelPrint

"InstallShield_{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = PowerDirector

"KLiteCodecPack_is1" = K-Lite Mega Codec Pack 6.1.0

"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware

"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1

"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile

"Mozilla Firefox (3.6.12)" = Mozilla Firefox (3.6.12)

"PokerStars" = PokerStars

"Revo Uninstaller" = Revo Uninstaller 1.90

"Sandboxie" = Sandboxie 3.44

"SpywareBlaster_is1" = SpywareBlaster 4.4

"SynTPDeinstKey" = Synaptics Pointing Device Driver

"TrueCrypt" = TrueCrypt

"WildTangent hp Master Uninstall" = My HP Games

"WinRAR archiver" = WinRAR archiver

========== Last 10 Event Log Errors ==========

Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!

< End of report >

And here is the RootKitUnhooker log:

RkU Version: 3.8.388.590, Type LE (SR2)

==============================================

OS Name: Windows Vista

Version 6.0.6002 (Service Pack 2)

Number of processors #2

==============================================

>Drivers

==============================================

0x8FE02000 C:\Windows\system32\DRIVERS\igdkmd32.sys 9555968 bytes (Intel Corporation, Intel Graphics Kernel Mode Driver)

0x82406000 C:\Windows\system32\ntkrnlpa.exe 3903488 bytes (Microsoft Corporation, NT Kernel & System)

0x82406000 PnpManager 3903488 bytes

0x82406000 RAW 3903488 bytes

0x82406000 WMIxWDM 3903488 bytes

0x9CE90000 Win32k 2109440 bytes

0x9CE90000 C:\Windows\System32\win32k.sys 2109440 bytes (Microsoft Corporation, Multi-User Win32 Driver)

0x8AE03000 C:\Windows\system32\drivers\ql2300.sys 1277952 bytes (QLogic Corporation, QLogic Fibre Channel Stor Miniport Driver)

0x90A0F000 C:\Windows\system32\DRIVERS\athr.sys 1179648 bytes (Atheros Communications, Inc., Atheros Extensible Wireless LAN device driver)

0x8B404000 C:\Windows\System32\Drivers\Ntfs.sys 1114112 bytes (Microsoft Corporation, NT File System Driver)

0x8B080000 C:\Windows\system32\drivers\ndis.sys 1093632 bytes (Microsoft Corporation, NDIS 6.0 wrapper driver)

0x95800000 C:\Windows\system32\DRIVERS\HSX_DPV.sys 1060864 bytes (Conexant Systems, Inc., HSF_DP driver)

0x8B200000 C:\Windows\System32\drivers\tcpip.sys 958464 bytes (Microsoft Corporation, TCP/IP Driver)

0x804E0000 C:\Windows\system32\CI.dll 917504 bytes (Microsoft Corporation, Code Integrity Module)

0xAE674000 C:\Windows\system32\drivers\peauth.sys 909312 bytes (Microsoft Corporation, Protected Environment Authentication and Authorization Export Driver)

0x8AC09000 C:\Windows\system32\drivers\megasr.sys 749568 bytes (LSI Corporation, Inc., LSI MegaRAID Software RAID Driver)

0x95903000 C:\Windows\system32\DRIVERS\HSX_CNXT.sys 741376 bytes (Conexant Systems, Inc., HSF_CNXT driver)

0xAFC0E000 C:\Windows\system32\drivers\spsys.sys 720896 bytes (Microsoft Corporation, security processor)

0x9071F000 C:\Windows\System32\drivers\dxgkrnl.sys 659456 bytes (Microsoft Corporation, DirectX Graphics Kernel)

0x82A39000 C:\Windows\system32\drivers\iastorv.sys 659456 bytes (Intel Corporation, Intel Matrix Storage Manager driver (base))

0x8AAF6000 C:\Windows\system32\drivers\elxstor.sys 606208 bytes (Emulex, Storport Miniport Driver for LightPulse HBAs)

0x8B35B000 C:\Windows\system32\DRIVERS\HDAudBus.sys 577536 bytes (Microsoft Corporation, High Definition Audio Bus Driver)

0x8060D000 C:\Windows\system32\drivers\Wdf01000.sys 507904 bytes (Microsoft Corporation, WDF Dynamic)

0x8B00F000 C:\Windows\System32\Drivers\ksecdd.sys 462848 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)

0x80416000 C:\Windows\system32\mcupdate_GenuineIntel.dll 458752 bytes (Microsoft Corporation, Intel Microcode Update Library)

0xAFCBE000 C:\Windows\system32\drivers\HTTP.sys 446464 bytes (Microsoft Corporation, HTTP Protocol Stack)

0x82B70000 C:\Windows\system32\drivers\adp94xx.sys 434176 bytes (Adaptec, Inc., Adaptec Windows SAS/SATA Storport Driver)

0x8AF3B000 C:\Windows\system32\drivers\ql40xx.sys 348160 bytes (QLogic Corporation, QLogic iSCSI Storport Miniport Driver)

0xAE60A000 C:\Windows\System32\DRIVERS\srv.sys 319488 bytes (Microsoft Corporation, Server driver)

0x8AA03000 C:\Windows\system32\drivers\adpahci.sys 311296 bytes (Adaptec, Inc., Adaptec Windows SATA Storport Driver)

0x9D0E0000 C:\Windows\System32\ATMFD.DLL 311296 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)

0x8076A000 C:\Windows\System32\drivers\volmgrx.sys 303104 bytes (Microsoft Corporation, Volume Manager Extension Driver)

0x8EE93000 C:\Windows\system32\drivers\afd.sys 294912 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)

0x80696000 C:\Windows\system32\drivers\acpi.sys 286720 bytes (Microsoft Corporation, ACPI Driver for NT)

0x8049F000 C:\Windows\system32\CLFS.SYS 266240 bytes (Microsoft Corporation, Common Log File System Driver)

0x8ADB1000 C:\Windows\system32\DRIVERS\Rtlh86.sys 266240 bytes (Realtek , Realtek 8136/8168/8169 NDIS6 32-bit Driver )

0x82B1A000 C:\Windows\system32\drivers\storport.sys 266240 bytes (Microsoft Corporation, Microsoft Storage Port Driver)

0x8FD3E000 C:\Windows\system32\DRIVERS\HSXHWAZL.sys 253952 bytes (Conexant Systems, Inc., HSF_HWAZL WDM driver)

0x8B31D000 C:\Windows\system32\DRIVERS\USBPORT.SYS 253952 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)

0x8EF87000 C:\Windows\system32\DRIVERS\rdbss.sys 245760 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)

0x8ACE6000 C:\Windows\system32\drivers\uliahci.sys 245760 bytes (ULi Electronics Inc., ULi SATA Controller Driver)

0x8FCB1000 C:\Windows\system32\drivers\CHDRT32.sys 241664 bytes (Conexant Systems Inc., High Definition Audio Function Driver)

0x8B1B6000 C:\Windows\system32\drivers\NETIO.SYS 241664 bytes (Microsoft Corporation, Network I/O Subsystem)

0x95D54000 C:\Windows\system32\DRIVERS\mrxsmb10.sys 233472 bytes (Microsoft Corporation, Longhorn SMB Downlevel SubRdr)

0x8B51C000 C:\Windows\system32\drivers\volsnap.sys 233472 bytes (Microsoft Corporation, Volume Shadow Copy Driver)

0x8FC6B000 C:\Windows\system32\DRIVERS\usbhub.sys 217088 bytes (Microsoft Corporation, Default Hub Driver for USB)

0x827BF000 ACPI_HAL 208896 bytes

0x827BF000 C:\Windows\system32\hal.dll 208896 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)

0x8AD6F000 C:\Windows\system32\drivers\fltmgr.sys 204800 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)

0x8EEDB000 C:\Windows\System32\DRIVERS\netbt.sys 204800 bytes (Microsoft Corporation, MBT Transport driver)

0x90B52000 C:\Windows\system32\DRIVERS\SynTP.sys 196608 bytes (Synaptics, Inc., Synaptics Touchpad Driver)

0x90BAB000 C:\Windows\system32\DRIVERS\msiscsi.sys 192512 bytes (Microsoft Corporation, Microsoft iSCSI Initiator Driver)

0x8FCEC000 C:\Windows\system32\drivers\portcls.sys 184320 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))

0x8AD22000 C:\Windows\system32\drivers\ulsata2.sys 180224 bytes (Promise Technology, Inc., Promise SATAII150 Series Windows Drivers)

0x8B18B000 C:\Windows\system32\drivers\msrpc.sys 176128 bytes (Microsoft Corporation, Kernel Remote Procedure Call Provider)

0x8FC2A000 C:\Windows\system32\DRIVERS\ks.sys 172032 bytes (Microsoft Corporation, Kernel CSA Library)

0x95CB8000 C:\Windows\system32\DRIVERS\nwifi.sys 172032 bytes (Microsoft Corporation, NativeWiFi Miniport Driver)

0x95DA5000 C:\Windows\System32\DRIVERS\srv2.sys 163840 bytes (Microsoft Corporation, Smb 2.0 Server driver)

0x8B581000 C:\Windows\System32\drivers\ecache.sys 159744 bytes (Microsoft Corporation, Special Memory Device Cache)

0x806ED000 C:\Windows\system32\drivers\pci.sys 159744 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)

0x8AA90000 C:\Windows\system32\drivers\adpu320.sys 155648 bytes (Adaptec, Inc., Adaptec StorPort Ultra320 SCSI Driver)

0x8AA6A000 C:\Windows\system32\drivers\SCSIPORT.SYS 155648 bytes (Microsoft Corporation, SCSI Port Driver)

0x8FD19000 C:\Windows\system32\drivers\drmk.sys 151552 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)

0x8FDDC000 C:\Windows\System32\DRIVERS\cmdguard.sys 143360 bytes (COMODO, COMODO Internet Security Sandbox Driver)

0x82BDA000 C:\Windows\system32\DRIVERS\ndiswan.sys 143360 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))

0x95C05000 C:\Windows\system32\DRIVERS\avipbb.sys 139264 bytes (Avira GmbH, Avira Driver for Security Enhancement)

0x8EF5F000 C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS 139264 bytes (SUPERAdBlocker.com and SUPERAntiSpyware.com, SASKUTIL.SYS)

0x82A09000 C:\Windows\system32\drivers\CLASSPNP.SYS 135168 bytes (Microsoft Corporation, SCSI Class System Dll)

0x959C5000 C:\Windows\system32\drivers\IntcHdmi.sys 135168 bytes (Intel® Corporation, Intel® High Definition Audio HDMI)

0x8AFD4000 C:\Windows\system32\drivers\ulsata.sys 135168 bytes (Promise Technology, Inc., Promise Ultra/Sata Series Driver for Win2003)

0x8FDB3000 C:\Windows\System32\Drivers\usbvideo.sys 135168 bytes (Microsoft Corporation, USB Video Class Driver)

0x8EE0C000 C:\Windows\System32\drivers\VIDEOPRT.SYS 135168 bytes (Microsoft Corporation, Video Port Driver)

0x8AD4E000 C:\Windows\system32\drivers\vsmraid.sys 135168 bytes (VIA Technologies Inc.,Ltd, VIA RAID DRIVER FOR AMD-X86-64)

0x95D35000 C:\Windows\system32\DRIVERS\mrxsmb.sys 126976 bytes (Microsoft Corporation, Windows NT SMB Minirdr)

0x82AE2000 C:\Windows\system32\drivers\ataport.SYS 122880 bytes (Microsoft Corporation, ATAPI Driver Extension)

0xAE768000 C:\Program Files\Sandboxie\SbieDrv.sys 122880 bytes (tzuk, Sandboxie Kernel Mode Driver)

0x95CFF000 C:\Windows\System32\DRIVERS\srvnet.sys 118784 bytes (Microsoft Corporation, Server Network driver)

0x80723000 C:\Windows\system32\drivers\mpio.sys 114688 bytes (Microsoft Corporation, MultiPath Support Bus-Driver)

0x8AA4F000 C:\Windows\system32\drivers\adpu160m.sys 110592 bytes (Adaptec, Inc., Adaptec LH Ultra160 Driver (x86))

0x8B2EA000 C:\Windows\System32\drivers\fwpkclnt.sys 110592 bytes (Microsoft Corporation, FWP/IPsec Kernel-Mode API)

0x95C8D000 C:\Windows\system32\drivers\luafv.sys 110592 bytes (Microsoft Corporation, LUA File Virtualization Filter Driver)

0x805DA000 C:\Windows\system32\drivers\nvraid.sys 110592 bytes (NVIDIA Corporation, NVIDIA


Hello again,

COMBOFIX

---------------

Please download ComboFix from one of these locations:

Bleepingcomputer
ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

[Image: Query_RC.gif]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[Image: RC_successful.gif]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


Hi Blonde,

As instructed, I ran ComboFix. However, I wasn't sure whether to run it from the admin user account or from the limited user account (which I nearly always use). I ran it from the limited user account after disabling Avira and Comodo firewall as instructed.

The scan went without a hitch until the end. A window popped up stating, "The application failed to initialize properly." My computer then rebooted and, after reboot, the ComboFix window then reappeared stating, "Preparing log report. Do not run any programs until ComboFix has finished." This window remained for approximately 15 minutes, at which time I assumed the program had hung and I closed out the window.

Reading through the log, I realize I forgot to disable Windows Defender -- although I do not run WD with real-time protection.

Please advise if I should again run ComboFix or what other further instructions you have.

I'm really curious how it is possible I picked up something given the lengths I go and multiple layers I employ to stay malware free.

And, also, thank you very much for your help!!!!!!!!!!!!!!!!!!!!!!!!!!

Here is the ComboFix log:

ComboFix 10-10-28.09 - Admin 10/29/2010 18:00:43.1.2 - x86

Microsoft


Elise, I attempted to run combofix in the admin account as instructed and the program failed to run.

I would double click ComboFix, the ComboFix load window would appear, and then I would receive approximately 20 windows as appears in the attached screen shot. I would click OK on each one, but ComboFix would then stop.

[Screenshot: post-57341-1288452366_thumb.jpg]


Hi Elise,

I logged into the admin account, downloaded a fresh copy of ComboFix, and it did indeed run.

At Stage 6, a Microsoft window popped up stating, "PEV.exe has stopped working. Please stop the program." Fearing it would be improper to do anything while ComboFix was running, I did not click the window to stop the program. The window disappeared after Stage 50.

ComboFix ran and the system did not reboot. When it stopped running and the ComboFix window disappeared, I tried to start programs, however, when I would double click on any program, I would receive a window with this message: "Illegal operation on a registry key that has been marked for deletion." So, I rebooted and did not encounter that problem again.

After reboot, and upon first logging in, I received the pop-up window that is in the screen-shot in the first attachment below, "Windows cannot access...." I am not sure what that means.

Upon connecting to my wireless, Comodo Defense+ immediately produced the pop-up warning window that is reproduced in the screen-shot in the second attachment below. I checked "Block," I did not check "Remember my answer." I have never encountered this Defense+ warning. Not sure whether it is noteworthy. I am trying to be as thorough as possible.

As always, really appreciate your help, Elise!!!!!

Here is the second ComboFix log:

ComboFix 10-10-30.01 - Admin 10/30/2010 21:32:25.2.2 - x86

Microsoft

[Screenshot 1: post-57341-1288492191_thumb.jpg]

[Screenshot 2: post-57341-1288492324_thumb.jpg]


Hello there, you can allow the process Comodo is blocking. I recommend turning off this feature anyway. This is a script blocker. It means that, whenever a change to the registry is made, Comodo will pop up. Most changes are legitimate and should not be blocked.

Besides this, how are things running?


Hey Elise,

Things seem to be running great. But nothing seemed wrong before Malwarebytes discovered the multiple infections in the root directory -- no out of the ordinary CPU usage, no firewall warnings about any file trying to connect to the internet. I haven't told you this, and I think it's important: three days before Malwarebytes found the 128 infections, I ran a Malwarebytes scan and it found nothing. This would seem to suggest that all of these 128 infections happened at once.

Would you suggest I do anything else? Would you have any idea how I got infected? Do you know what kind of infection I had? ComboFix says it fixed csc.exe. Do you know what that is?

Would you suggest I take any further steps?

And, once again, thank you very much, Elise!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!


Hi again, it's indeed weird MBAM detected those files. The most strange is that they all were in the C root. That is not the normal place of those files and for that reason I don't think they were active. Is it possible you downloaded "something" that deposited stuff there?

I'm curious about csc.exe as well. Can you upload the following to http://www.virustotal.com

c:\qoobox\quarantine\c\windows\Microsoft.NET\Framework\v2.0.50727\csc.vir


Hi Elise,

If you do not believe any of the malware files were active, would you also then advise it unnecessary to change passwords etc?

I have no idea how I got it. No one else uses my computer and I employ multiple layers of protection: real-time antivirus, firewall, MVPS Hosts file, sandboxed browsing, SpywareBlaster, and regular scans with Avira, Malwarebytes, and SuperAntiSpyware.

The only thing possible could be: the day before Malwarebytes found the infections, I downloaded this http://www.reallegal.com/softwareDownloade...criptviewer.asp

Also, the day before, I logged into a publicly available unsecured wireless network. I surfed the web from this using Firefox that was sandboxed for approximately 10 minutes.

Speaking of hosts file, I notice ComboFix wiped out my hosts file. Can I now replace it with a fresh copy of MVPS Hosts file or should I wait until I get a clean bill of health?

I uploaded it to VirusTotal. Results are 0/43. The file I uploaded, however, was csc.exe.vir. Could this extra extension have prevented VirusTotal from properly scanning the file? If so, would it be safe to rename the file by removing the ".vir" and re-upload it?

Antivirus              Version           Last Update   Result
AhnLab-V3              2010.11.01.00     2010.10.31    -
AntiVir                7.10.13.75        2010.10.31    -
Antiy-AVL              2.0.3.7           2010.10.31    -
Authentium             5.2.0.5           2010.10.31    -
Avast                  4.8.1351.0        2010.10.31    -
Avast5                 5.0.594.0         2010.10.31    -
AVG                    9.0.0.851         2010.10.31    -
BitDefender            7.2               2010.10.31    -
CAT-QuickHeal          11.00             2010.10.26    -
ClamAV                 0.96.2.0-git      2010.10.31    -
Comodo                 6576              2010.10.31    -
DrWeb                  5.0.2.03300       2010.10.31    -
Emsisoft               5.0.0.50          2010.10.31    -
eSafe                  7.0.17.0          2010.10.31    -
eTrust-Vet             None              2010.10.29    -
F-Prot                 4.6.2.117         2010.10.31    -
F-Secure               9.0.16160.0       2010.10.31    -
Fortinet               4.2.249.0         2010.10.31    -
GData                  21                2010.10.31    -
Ikarus                 T3.1.1.90.0       2010.10.31    -
Jiangmin               13.0.900          2010.10.31    -
K7AntiVirus            9.67.2865         2010.10.29    -
Kaspersky              7.0.0.125         2010.10.31    -
McAfee                 5.400.0.1158      2010.10.31    -
McAfee-GW-Edition      2010.1C           2010.10.31    -
Microsoft              1.6301            2010.10.31    -
NOD32                  5580              2010.10.31    -
Norman                 6.06.10           2010.10.31    -
nProtect               2010-10-31.01     2010.10.31    -
Panda                  10.0.2.7          2010.10.31    -
PCTools                7.0.3.5           2010.10.31    -
Prevx                  3.0               2010.10.31    -
Rising                 22.71.03.02       2010.10.29    -
Sophos                 4.59.0            2010.10.31    -
Sunbelt                7180              2010.10.31    -
SUPERAntiSpyware       4.40.0.1006       2010.10.31    -
Symantec               20101.2.0.161     2010.10.31    -
TheHacker              6.7.0.1.074       2010.10.31    -
TrendMicro             9.120.0.1004      2010.10.31    -
TrendMicro-HouseCall   9.120.0.1004      2010.10.31    -
VBA32                  3.12.14.1         2010.10.29    -
ViRobot                2010.10.30.4121   2010.10.31    -
VirusBuster            12.70.14.0        2010.10.31    -


Hi, I installed the same program, nothing was created. However, I have only a VM with XP, so that might be a factor, who knows.

You can replace the hosts file now. Let's do one last scan for leftovers.

ESET ONLINE SCANNER

----------------------------

I'd like us to scan your machine with ESET OnlineScan

  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the [esetOnline.png] button.
  3. For alternate browsers only (Microsoft Internet Explorer users can skip these steps):
    1. Click on [esetSmartInstall.png] to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the [esetSmartInstallDesktopIcon.png] icon on your desktop.
  4. Check [esetAcceptTerms.png]
  5. Click the [esetStart.png] button.
  6. Accept any security warnings from your browser.
  7. Check [esetScanArchives.png]
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push [esetListThreats.png]
  11. Push [esetExport.png], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
      Note - when ESET doesn't find any threats, no report will be created.
  12. Push the [esetBack.png] button.
  13. Push [esetFinish.png]


Well Elise, it's back.

Before I had the chance to do the ESET online scan, I discovered I've been reinfected.

Last week when I found these infections, I was at a friend's office logged onto his wireless network. He tells me the network is secured and behind a hardware router, but that everyone in his office has access to it. This made me wonder if I was somehow infected through his network. Today I was there and logged onto his wireless network trying to send email through a Gmail account. For whatever reason, I could not type anything in the Gmail text window and had to switch back to regular HTML Gmail to send things. This piqued my curiosity, so I did a Malwarebytes quick scan. Instead of 128, there are 129 bugs on the root directory. I lack the sophistication to know if it's possible to become infected by connecting to a wireless network, nor do I know if his network is somehow infected.

At any rate, below is the Malwarebytes log and I will do nothing until you instruct me on how to proceed.

Once again, I very much appreciate your help!!!!


Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 5016

Windows 6.0.6002 Service Pack 2

Internet Explorer 8.0.6001.18975

11/2/2010 12:31:04 AM

mbam-log-2010-11-02 (00-31-04).txt

Scan type: Quick scan

Objects scanned: 151529

Time elapsed: 8 minute(s), 27 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 129

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\dblnq.exe (Spyware.OnlineGames) -> No action taken.

C:\dydejwbp.exe (Worm.AutoRun) -> No action taken.

C:\d.com (Trojan.Agent) -> No action taken.

C:\d08sle6.exe (Spyware.OnlineGames) -> No action taken.

C:\d1.exe (Trojan.Agent) -> No action taken.

C:\d1vmq.exe (Spyware.OnlineGames) -> No action taken.

C:\d1y36.com (Spyware.OnlineGames) -> No action taken.

C:\d2.exe (Trojan.Agent) -> No action taken.

C:\d218eht.exe (Spyware.OnlineGames) -> No action taken.

C:\d3.exe (Trojan.Agent) -> No action taken.

C:\d3bn0j.exe (Trojan.Agent) -> No action taken.

C:\d4.exe (Trojan.Agent) -> No action taken.

C:\d45.bat (Malware.Trace) -> No action taken.

C:\d6fagcs8.cmd (Spyware.OnlineGames) -> No action taken.

C:\d6r6jmp.exe (Spyware.OnlineGames) -> No action taken.

C:\dannyl.exe (Trojan.Dropper) -> No action taken.

C:\daping.dll (Trojan.Agent) -> No action taken.

C:\dari komputer lonte.exe (Trojan.Agent) -> No action taken.

C:\DATUS.PIF (Worm.AutoRun) -> No action taken.

C:\dbagmtsq.exe (Trojan.Downloader) -> No action taken.

C:\dbeie.exe (Trojan.Agent) -> No action taken.

C:\dbrxubcw.com (Spyware.OnlineGames) -> No action taken.

C:\dbss3nk.exe (Spyware.OnlineGames) -> No action taken.

C:\dca.exe (Backdoor.Bot) -> No action taken.

C:\dcgwhpoh.exe (Trojan.Downloader) -> No action taken.

C:\dcitrwx.exe (Trojan.Downloader) -> No action taken.

C:\dcjacmc.exe (Trojan.Dropper) -> No action taken.

C:\DCOM Exploit.exe (Trojan.Agent) -> No action taken.

C:\dcp6w.exe (Spyware.OnlineGames) -> No action taken.

C:\ddbpu.exe (Trojan.Downloader) -> No action taken.

C:\DDDDD.EXE (Backdoor.PoisonIvy.Gen) -> No action taken.

C:\ddqud.exe (Trojan.Downloader) -> No action taken.

C:\ddv2.dat (Malware.Trace) -> No action taken.

C:\debgx.exe (Trojan.Downloader) -> No action taken.

C:\delextra.exe (Trojan.Agent) -> No action taken.

C:\DellPlung.exe (Trojan.Banker) -> No action taken.

C:\DelUS.bat (Malware.Trace) -> No action taken.

C:\dens.exe (Trojan.Downloader) -> No action taken.

C:\desae.exe (Trojan.Agent) -> No action taken.

C:\desktop.exe (Trojan.Agent) -> No action taken.

C:\dews.exe (Backdoor.PoisonIvy) -> No action taken.

C:\dfg.exe (Trojan.Downloader) -> No action taken.

C:\dfgh6.exe (Trojan.Tibia) -> No action taken.

C:\dfghfghgfj.dll (Trojan.Agent) -> No action taken.

C:\dfhore.exe (Trojan.Dropper) -> No action taken.

C:\dfna.exe (Trojan.Dropper) -> No action taken.

C:\dfsinstall.exe (Backdoor.Bot) -> No action taken.

C:\dcensored.ico (Adware.EGDAccess) -> No action taken.

C:\dfuf.exe (Trojan.Agent) -> No action taken.

C:\dgf.exe (Trojan.Agent) -> No action taken.

C:\dgfus.exe (Trojan.Agent) -> No action taken.

C:\dgism.exe (Trojan.Dropper) -> No action taken.

C:\dgkx.exe (Spyware.OnlineGames) -> No action taken.

C:\dh66ln.cmd (Spyware.OnlineGames) -> No action taken.

C:\dhasbrbc.exe (Trojan.Dropper) -> No action taken.

C:\dhrhyje.bat (Spyware.OnlineGames) -> No action taken.

C:\dHwp.exe (Trojan.Agent) -> No action taken.

C:\dhxbxshe.exe (Trojan.Agent) -> No action taken.

C:\di3su.exe (Worm.Taterf) -> No action taken.

C:\di69.exe (Spyware.OnlineGames) -> No action taken.

C:\dicjprhd.exe (Trojan.Dropper) -> No action taken.

C:\difkghmd.exe (Trojan.Agent) -> No action taken.

C:\diopero.exe (Trojan.Agent) -> No action taken.

C:\dioyw.exe (Trojan.Downloader) -> No action taken.

C:\dipset.exe (Trojan.Agent) -> No action taken.

C:\disk (Trojan.Agent) -> No action taken.

C:\disk32dll.exe (Backdoor.Agent) -> No action taken.

C:\DiskAutoRun.exe (Worm.AutoRun) -> No action taken.

C:\DivX 5.0 Pro KeyGen.exe (Trojan.Agent) -> No action taken.

C:\djwv.exe (Trojan.Agent) -> No action taken.

C:\djxvxmek.exe (Trojan.Dropper) -> No action taken.

C:\dk.exe (Trojan.Agent) -> No action taken.

C:\dkkqptfc.exe (Trojan.Dropper) -> No action taken.

C:\dkpiw.com (Spyware.OnlineGames) -> No action taken.

C:\dll32.bat (Worm.KoobFace) -> No action taken.

C:\dll32.exe (Trojan.Dropper) -> No action taken.

C:\dlldll.vbe (Malware.Trace) -> No action taken.

C:\dllhost32.exe (Worm.AutoRun) -> No action taken.

C:\dlllhost.exe (Backdoor.Agent) -> No action taken.

C:\dlnrg.exe (Trojan.Downloader) -> No action taken.

C:\dmlt.exe (Trojan.Agent) -> No action taken.

C:\dn.exe (Trojan.Dropper) -> No action taken.

C:\DNO.exe (Trojan.Dropper) -> No action taken.

C:\dnsstuff.bat (Malware.Trace) -> No action taken.

C:\Do not open - secrets!.exe (Worm.AutoRun) -> No action taken.

C:\Document1.exe (Trojan.Agent) -> No action taken.

C:\documents.exe (Spyware.OnlineGames) -> No action taken.

C:\DocumentsPay.TMP.DOC.cmd (Backdoor.IRCBot) -> No action taken.

C:\dogyx90.exe (Spyware.OnlineGames) -> No action taken.

C:\don bigg.exe (Backdoor.Bifrose) -> No action taken.

C:\dones.exe (Backdoor.Bot) -> No action taken.

C:\dos.com (Trojan.Agent) -> No action taken.

C:\Downloads.exe (Backdoor.Hupigon) -> No action taken.

C:\dp1.fne (Worm.Autorun) -> No action taken.

C:\dpapa.exe (Trojan.Dropper) -> No action taken.

C:\dpcbx.exe (Trojan.Dropper) -> No action taken.

C:\dpdftck.exe (Trojan.Downloader) -> No action taken.

C:\dpgjvftm.exe (Trojan.Agent) -> No action taken.

C:\dpu1.exe (Spyware.OnlineGames) -> No action taken.

C:\dpxjsdc.exe (Trojan.Dropper) -> No action taken.

C:\dqccpnq.exe (Trojan.Downloader) -> No action taken.

C:\dqm.exe (Spyware.OnlineGames) -> No action taken.

C:\Dr.AdNaN.exe (Backdoor.Bifrose) -> No action taken.

C:\Dr.Dmar!.exe (Backdoor.Bifrose) -> No action taken.

C:\Dr.viurs.exe (Trojan.Agent) -> No action taken.

C:\Drivers.exe (Backdoor.Hupigon) -> No action taken.

C:\drpskh.exe (Trojan.Agent) -> No action taken.

C:\drvvgan.exe (Trojan.Agent) -> No action taken.

C:\ds.exe (Worm.Taterf) -> No action taken.

C:\DSC141742179852.jpg (Malware.Trace) -> No action taken.

C:\dsitxsxq.exe (Trojan.Dropper) -> No action taken.

C:\dskgcpg.exe (Trojan.Downloader) -> No action taken.

C:\dsty.com (Spyware.OnlineGames) -> No action taken.

C:\dsyg.exe (Trojan.Dropper) -> No action taken.

C:\dtacmawh.exe (Trojan.Downloader) -> No action taken.

C:\dtmb.exe (Trojan.Downloader) -> No action taken.

C:\dubfa.exe (Trojan.Dropper) -> No action taken.

C:\duehpow.exe (Trojan.Downloader) -> No action taken.

C:\durpupy.exe (Trojan.Dropper) -> No action taken.

C:\dv6pp.exe (Spyware.OnlineGames) -> No action taken.

C:\dvqsujj.exe (Trojan.Dropper) -> No action taken.

C:\dwmg.exe (Backdoor.IRCBot) -> No action taken.

C:\dygyx.exe (Trojan.Dropper) -> No action taken.

C:\dynrn6e.cmd (Spyware.OnlineGames) -> No action taken.

C:\dypeucmp.exe (Trojan.Dropper) -> No action taken.

C:\dyr2j6mv.exe (Spyware.OnlineGames) -> No action taken.

C:\dyvj.exe (Trojan.Downloader) -> No action taken.

C:\dfgnntm.exe (Worm.AutoRun) -> No action taken.

C:\dllhost.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.

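A log like the one above is easier to reason about once it is parsed rather than eyeballed: where the files live, which detection families dominate, which extensions are present, and which names borrow a legitimate Windows binary name (dllhost.exe sitting in C:\ rather than System32). The following is an added example, not part of this thread or of Malwarebytes' own tooling; it parses entry lines in the Malwarebytes 1.x log format shown above. The sample lines are copied from the log in the thread, and the short list of system binary names used for the masquerade check is an illustrative assumption, not something the thread supplies.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# One "Files Infected" entry from a Malwarebytes 1.x log looks like:
#   C:\dblnq.exe (Spyware.OnlineGames) -> No action taken.
# The path may contain spaces and dots, so the detection name is taken
# from the last parenthesised group before the " -> " arrow.
ENTRY_RE = re.compile(
    r"^(?P<path>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+?)\.?\s*$"
)

# Constructed sample: seven lines copied from the 129-entry log in this thread.
SAMPLE_LOG = """\
C:\\dblnq.exe (Spyware.OnlineGames) -> No action taken.
C:\\dydejwbp.exe (Worm.AutoRun) -> No action taken.
C:\\d45.bat (Malware.Trace) -> No action taken.
C:\\dari komputer lonte.exe (Trojan.Agent) -> No action taken.
C:\\DSC141742179852.jpg (Malware.Trace) -> No action taken.
C:\\disk (Trojan.Agent) -> No action taken.
C:\\dllhost.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.
"""

# Illustrative list (an assumption for this example): legitimate Windows binary
# names that malware commonly borrows. A copy outside System32 merits a look.
SYSTEM_NAMES = {"dllhost.exe", "svchost.exe", "csrss.exe", "lsass.exe", "explorer.exe"}
SYSTEM_DIRS = {"system32", "syswow64"}


def parse_entries(text):
    """Return (path, detection, action) tuples for every entry line in the
    log text. Header lines and section titles do not match and are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m["path"], m["detection"], m["action"]))
    return entries


def summarize(entries):
    """Aggregate parsed entries: count per parent directory, per detection
    family (text before the first dot), per file extension, and whether every
    hit sits directly in the root of C:."""
    by_dir = Counter(str(PureWindowsPath(p).parent) for p, _, _ in entries)
    by_family = Counter(d.split(".")[0] for _, d, _ in entries)
    by_ext = Counter(
        PureWindowsPath(p).suffix.lower() or "(none)" for p, _, _ in entries
    )
    return {
        "total": len(entries),
        "by_dir": by_dir,
        "by_family": by_family,
        "by_ext": by_ext,
        "all_in_root": set(by_dir) == {"C:\\"},
    }


def masquerading(entries):
    """Paths whose file name matches a Windows system binary but which live
    outside the usual system directories."""
    flagged = []
    for p, _, _ in entries:
        wp = PureWindowsPath(p)
        if wp.name.lower() in SYSTEM_NAMES and wp.parent.name.lower() not in SYSTEM_DIRS:
            flagged.append(p)
    return flagged


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_LOG)
    report = summarize(parsed)
    print(f"{report['total']} entries, all in C:\\ root: {report['all_in_root']}")
    print("families:", dict(report["by_family"]))
    print("extensions:", dict(report["by_ext"]))
    print("system-name lookalikes outside System32:", masquerading(parsed))
```

Feed it the whole mbam-log text file rather than the sample to get the real counts; the regex only matches entry lines, so the summary header is ignored.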

Please remove all these files with MBAM (if you didn't do it already) and rerun Combofix.

It is possible you got this from his network, although it is hard to say what it is. It's all fine to be on a secured network, but if something is active on there, it will infect all connected machines.

Maybe you can ask them to verify those same files get detected on other computers as well?


Hey Elise,

A MalwareBytes scan on one of his computers revealed only spyware and tracking cookies. Nothing like the serious infections I am getting.

Malwarebytes asks to reboot for removal, however, after reboot the same bugs return.

I will download a fresh copy of ComboFix and post the log.

Thanks again, Elise.


Hi Elise,

I'm not sure what is happening. ComboFix ran and it automatically rebooted the machine. I logged in, but no ComboFix window reappeared, as per normal, to inform me that ComboFix was still running and would produce a log. I looked in C:\ and there is no ComboFix log.

Additionally, in Windows Explorer, the C:\ComboFix directory has a computer icon and this directory appears to have an entire copy of my hard drive and it goes on ad infinitum. I took a screen shot to help explain and that is attached below. This is weird.

What to do?

[Screenshot: post-57341-1288714468_thumb.jpg]



Elise, sorry for the delay. I had to leave town on business. Ran a MBam scan and the same infection was back. So, I logged onto my admin account, downloaded a fresh copy of ComboFix, it ran without a hitch, it apparently didn't detect anything (although I'm far from being an expert on this), I rescanned with MBam quick-scan, and the infections were gone.

Also, per your instructions, I have updated nothing on my system. I would like to include the recent Windows patches along with the recent security patch to adobe flash. Can I do these updates?

Again, thank you for your help, and sorry for the delay. Any advice you have is greatly appreciated.

Here is the ComboFix log.

ComboFix 10-11-12.06 - Admin 11/13/2010 13:44:24.4.2 - x86

Microsoft


Also, per your instructions, I have updated nothing on my system. I would like to include the recent Windows patches along with the recent security patch to adobe flash. Can I do these updates?
Yes, please go ahead. :)

Can you run ESET now as instructed in post #14?


Hi Elise,

Here is the ESET online scan. What do you think?

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\eBay.url Win32/Adware.ADON application cleaned by deleting - quarantined

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\eBay.url Win32/Adware.ADON application cleaned by deleting - quarantined


This topic is now closed to further replies.