Jump to content

Can't remove 3 infected registry keys


Recommended Posts

Hi,

I have mostly cleaned up a friend's computer after he inadvertently installed some sort of fake anti-virus program but MalwareBytes is still reporting three infected registry keys which it is unable to quarantine even after a re-boot. I can't find a way to delete the three infected registry keys. I have tried running in safemode and using other spyware but the infected keys persist. I think the computer is not running as it should since web page loading seems unusually slow (my netbook loads web pages faster!).

I would appreciate it if someone could let me know how to get rid of the infected registry keys.

Here is the Malwarebytes' Anti-Malware 1.31 log file after the most recent scan:

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Malwarebytes' Anti-Malware 1.31

Database version: 1506

Windows 5.1.2600 Service Pack 3

12/17/2008 12:23:57 PM

mbam-log-2008-12-17 (12-23-57).txt

Scan type: Full Scan (C:\|)

Objects scanned: 98881

Time elapsed: 19 minute(s), 15 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 3

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{e43b6656-814b-4839-8ff8-affde0da9a3f} (Trojan.Zlob) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{8710df42-3171-4a3b-9079-3f7d7101552b} (Trojan.Zlob) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{096cba44-4a4c-49f7-8903-1e75550abcb7} (Trojan.Zlob) -> Delete on reboot.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

And here is the HiJackThis log file :

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 3:09:52 PM, on 12/17/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\Analog Devices\SoundMAX\Smax4.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe

C:\Program Files\OCZ Technology\Mouse\Amoumain.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe

C:\Program Files\ASUS WiFi-AP Solo\RtWLan.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.avast.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9090

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [soundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray

O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe

O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE

O4 - HKLM\..\Run: [WheelMouse] C:\Program Files\OCZ Technology\Mouse\Amoumain.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [startCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background

O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'Default user')

O4 - Global Startup: ASUS WiFi-AP Solo.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1214303958468

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1214304017937

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--

End of file - 7886 bytes

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Link to post
Share on other sites

  • Staff

Hello, I'm Tom, part of the Malwarebytes support team and I'll be assisting you today.

At any point if you're unsure of the directions presented to you below, don't hesitate to come back for clarification. It may help if you print them out. Also, be sure to subscribe to this topic so you'll be notified of all replies made.

I see you've got Windows Defender running. There is a very good possibility that it is preventing MBAM from removing the registry entries, so lets disable it for now.

Open Microsoft Windows Defender.

  • Click Start, Programs, Windows Defender
  • Click on Tools, then General Settings
  • Under Real-time protection options, unselect the Turn on real-time protection check box
  • Click Save

Close Windows Defender.

Kindly update MBAM, the database version you show of the scan from yesterday, seems incorrect. Once it's updated, please rescan and post results. Current database version as of this post is 1519.

Link to post
Share on other sites

Hi Tom,

I followed your instructions and disabled real-time protection in Windows Defender and then closed the program. I then updated MBAM's database to version 1520 and re-ran MBAM.

The MBAM log file is included below. MBAM instructed me to re-boot the computer to remove the 3 infected registry keys but did not automatically re-boot the computer itself. Is it supposed to do this? Based on the dialogs I have the impression that it is going to re-boot the computer but it doesn't. Anyway, I manually re-booted the computer after closing down MBAM but after re-boot I ran MBAM again and the 3 registry keys are still there.

Here is the contents of the logfile:

++++++++++++++++++++++++

Malwarebytes' Anti-Malware 1.31

Database version: 1520

Windows 5.1.2600 Service Pack 3

12/19/2008 11:10:05 AM

mbam-log-2008-12-19 (11-10-05).txt

Scan type: Full Scan (C:\|)

Objects scanned: 92183

Time elapsed: 11 minute(s), 47 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 3

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{e43b6656-814b-4839-8ff8-affde0da9a3f} (Trojan.Zlob) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{8710df42-3171-4a3b-9079-3f7d7101552b} (Trojan.Zlob) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{096cba44-4a4c-49f7-8903-1e75550abcb7} (Trojan.Zlob) -> Delete on reboot.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Link to post
Share on other sites

  • Staff

It seems that whatever inserted those lines may have changed the way they are inserted as MBAM has deleted them in the past.

I'm going to point one of our researchers to this thread and he may step in and ask for more info.

In the meantime, lets dig around and see what else may be on the system.

Those keys btw, won't affect how sites load.

Please download OTListIt from here.

  • Save the file to your desktop.
  • Once on the desktop double click OTListit.exe and the application will open.
  • Be sure the 'Use Whitelist' box is ticked.
  • From the 'File Ages' drop down menu, please select '30 days'
  • Then click the 'Run Scan' button.

The scan will produce 2 logs for you, one will be minimized, please post both logs here for me to review. We'll continue with additional steps if required based on the output of these logs.

Link to post
Share on other sites

Here is the contens of OTListIt.txt:

++++++++++++++++++++++

OTListIt logfile created on: 12/19/2008 5:28:50 PM - Run

OTListIt by OldTimer - Version 1.0.12.1 Folder = C:\Documents and Settings\Josh Keith\Desktop

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 7.0.5730.13)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.57 Gb Available Physical Memory | 78.31% Memory free

4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free

Paging file location(s): C:\pagefile.sys 3070 3070;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 465.75 Gb Total Space | 433.94 Gb Free Space | 93.17% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: JK

Current User Name: Josh Keith

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Whitelist: On

File Age = 30 Days

========== Processes ==========

[2008/12/01 16:38:42 | 00,598,016 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\ati2evxx.exe

[2006/11/03 19:19:58 | 00,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe

[2008/12/01 16:38:42 | 00,598,016 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\ati2evxx.exe

[2008/11/26 13:12:08 | 00,018,752 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

[2008/11/26 13:18:46 | 00,155,160 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe

[2008/11/07 14:28:16 | 00,132,424 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

[2008/12/12 11:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe

[2008/12/16 10:48:29 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe

[2008/08/27 12:06:08 | 00,066,872 | ---- | M] () -- C:\WINDOWS\system32\PnkBstrA.exe

[2006/12/18 09:34:36 | 00,868,352 | R--- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\Core\smax4pnp.exe

[2008/11/26 13:18:51 | 00,081,000 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashDisp.exe

[2006/12/28 09:05:14 | 00,196,608 | ---- | M] () -- C:\Program Files\OCZ Technology\Mouse\Amoumain.exe

[2008/12/16 10:48:29 | 00,136,600 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe

[2008/11/20 13:20:54 | 00,290,088 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe

[2008/09/02 11:48:12 | 00,049,152 | ---- | M] (Advanced Micro Devices Inc.) -- C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

[2008/09/02 11:40:46 | 00,049,152 | ---- | M] (ATI Technologies Inc.) -- C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe

[2008/11/20 13:20:44 | 00,536,872 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe

[2008/04/13 20:12:41 | 00,013,824 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wscntfy.exe

[2008/12/19 17:28:08 | 00,418,816 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Josh Keith\Desktop\OTListIt.exe

========== (O23) Win32 Services ==========

[2008/11/07 14:28:16 | 00,132,424 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device [Auto | Running])

[2007/10/24 01:47:22 | 00,033,800 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])

[2008/11/26 13:12:08 | 00,018,752 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe -- (aswUpdSv [Auto | Running])

[2008/12/01 16:38:42 | 00,598,016 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\ati2evxx.exe -- (Ati HotKey Poller [Auto | Running])

[2008/12/01 14:35:00 | 00,593,920 | ---- | M] () -- C:\WINDOWS\system32\ati2sgag.exe -- (ATI Smart [Auto | Stopped])

[2008/11/26 13:18:46 | 00,155,160 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe -- (avast! Antivirus [Auto | Running])

[2008/11/26 13:18:32 | 00,254,040 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe -- (avast! Mail Scanner [On_Demand | Stopped])

[2008/11/26 13:16:23 | 00,352,920 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe -- (avast! Web Scanner [On_Demand | Stopped])

[2008/12/12 11:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service [Auto | Running])

[2007/10/24 01:47:40 | 00,070,144 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])

[2008/11/20 13:20:44 | 00,536,872 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service [On_Demand | Running])

[2008/12/16 10:48:29 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Auto | Running])

[2008/08/27 12:06:08 | 00,066,872 | ---- | M] () -- C:\WINDOWS\system32\PnkBstrA.exe -- (PnkBstrA [Auto | Running])

[2007/10/18 10:31:54 | 00,098,328 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\usnsvc.exe -- (usnjsvc [On_Demand | Stopped])

[2006/11/03 19:19:58 | 00,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend [Auto | Running])

[2007/10/25 14:27:54 | 00,266,240 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe -- (WLSetupSvc [On_Demand | Stopped])

[2006/10/18 19:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])

========== Driver Services ==========

[2008/11/26 13:15:35 | 00,026,944 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4 [system | Running])

[2007/01/15 21:09:06 | 00,293,888 | R--- | M] (Analog Devices, Inc.) -- C:\WINDOWS\system32\drivers\ADIHdAud.sys -- (ADIHdAudAddService [On_Demand | Running])

[2006/08/06 18:57:30 | 00,093,952 | R--- | M] (Andrea Electronics Corporation) -- C:\WINDOWS\system32\drivers\aeaudio.sys -- (AEAudio [On_Demand | Running])

[2008/06/24 01:17:47 | 00,021,035 | ---- | M] (Meetinghouse Data Communications) -- C:\WINDOWS\system32\drivers\AegisP.sys -- (AegisP [Auto | Running])

[2006/12/28 10:02:22 | 00,008,704 | R--- | M] (OCZ Technology Co.,Ltd.) -- C:\WINDOWS\system32\drivers\Amfilter.sys -- (Amfilter [system | Running])

[2006/12/28 10:07:34 | 00,013,824 | R--- | M] (OCZ Technology Co.,Ltd.) -- C:\WINDOWS\system32\drivers\Amusbprt.sys -- (Amusbprt [On_Demand | Stopped])

[2008/11/26 13:17:25 | 00,020,560 | ---- | M] (ALWIL Software) -- C:\WINDOWS\system32\drivers\aswFsBlk.sys -- (aswFsBlk [Auto | Running])

[2008/11/26 13:18:18 | 00,094,032 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2 [Auto | Running])

[2008/11/26 13:16:29 | 00,023,152 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr [On_Demand | Running])

[2008/11/26 13:17:36 | 00,111,184 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP [system | Running])

[2008/11/26 13:16:38 | 00,050,864 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi [system | Running])

[2008/12/01 18:13:40 | 03,452,928 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag [On_Demand | Running])

[2007/07/20 17:40:10 | 00,084,992 | ---- | M] (ATI Research Inc.) -- C:\WINDOWS\system32\drivers\AtiHdmi.sys -- (AtiHdmiService [On_Demand | Running])

[2005/03/21 21:48:30 | 00,039,904 | ---- | M] (Adaptec, Inc.) -- C:\WINDOWS\System32\drivers\cercsr6.sys -- (cercsr6 [boot | Stopped])

[2008/04/17 12:12:54 | 00,015,464 | ---- | M] (GEAR Software Inc.) -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM [On_Demand | Running])

[2006/12/28 12:44:44 | 00,084,992 | R--- | M] (ATI Research Inc.) -- C:\WINDOWS\system32\drivers\AtiHdAud.sys -- (HdAudAddService [On_Demand | Stopped])

[2008/04/13 12:36:05 | 00,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus [On_Demand | Running])

[2006/02/07 07:52:58 | 00,006,912 | R--- | M] (JMicron ) -- C:\WINDOWS\system32\drivers\JGOGO.sys -- (JGOGO [boot | Running])

[2007/03/23 23:20:24 | 00,046,208 | R--- | M] (JMicron Technology Corp.) -- C:\WINDOWS\system32\drivers\jraid.sys -- (JRAID [boot | Running])

[2008/04/13 14:39:48 | 00,014,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\kbdhid.sys -- (kbdhid [system | Stopped])

[2004/08/13 06:56:20 | 00,005,810 | R--- | M] () -- C:\WINDOWS\system32\drivers\ASACPI.sys -- (MTsensor [On_Demand | Running])

[2008/06/19 17:24:30 | 00,028,544 | ---- | M] (Panda Security, S.L.) -- C:\WINDOWS\system32\drivers\pavboot.sys -- (pavboot [boot | Running])

[2004/08/04 08:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink [On_Demand | Running])

[2008/06/27 01:39:42 | 00,332,928 | ---- | M] (Realtek Semiconductor Corporation ) -- C:\WINDOWS\system32\drivers\RTL8187.sys -- (RTLWUSB [On_Demand | Running])

[2008/04/13 12:39:15 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv [On_Demand | Stopped])

[2006/03/17 05:18:58 | 00,392,960 | R--- | M] (Sensaura) -- C:\WINDOWS\system32\drivers\senfilt.sys -- (SenFiltService [On_Demand | Running])

[2007/12/06 08:51:00 | 00,285,952 | ---- | M] (Marvell) -- C:\WINDOWS\system32\drivers\yk51x86.sys -- (yukonwxp [On_Demand | Running])

========== Internet Explorer ==========

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm

HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1

HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local;<local>

HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm

HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com

HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = www.avast.com

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local;<local>

O1 HOSTS File: (290277 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts

O1 - Hosts: 127.0.0.1 localhost

O1 - Hosts: 127.0.0.1 www.007guard.com

O1 - Hosts: 127.0.0.1 007guard.com

O1 - Hosts: 127.0.0.1 008i.com

O1 - Hosts: 127.0.0.1 www.008k.com

O1 - Hosts: 127.0.0.1 008k.com

O1 - Hosts: 127.0.0.1 www.00hq.com

O1 - Hosts: 127.0.0.1 00hq.com

O1 - Hosts: 127.0.0.1 010402.com

O1 - Hosts: 127.0.0.1 www.032439.com

O1 - Hosts: 127.0.0.1 032439.com

O1 - Hosts: 127.0.0.1 www.0scan.com

O1 - Hosts: 127.0.0.1 0scan.com

O1 - Hosts: 127.0.0.1 1000gratisproben.com

O1 - Hosts: 127.0.0.1 www.1000gratisproben.com

O1 - Hosts: 127.0.0.1 www.1001namen.com

O1 - Hosts: 127.0.0.1 1001namen.com

O1 - Hosts: 127.0.0.1 www.100888290cs.com

O1 - Hosts: 127.0.0.1 100888290cs.com

O1 - Hosts: 127.0.0.1 www.100sexlinks.com

O1 - Hosts: 127.0.0.1 100sexlinks.com

O1 - Hosts: 127.0.0.1 www.10sek.com

O1 - Hosts: 127.0.0.1 10sek.com

O1 - Hosts: 127.0.0.1 www.1-2005-search.com

O1 - Hosts: 127.0.0.1 1-2005-search.com

O1 - Hosts: 9998 more lines...

O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)

O2 - BHO: (Java Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - Reg Error: Key does not exist or could not be opened. File not found

O2 - BHO: (Windows Live Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)

O2 - BHO: (Windows Live Toolbar Helper) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)

O2 - BHO: (Java Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)

O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)

O3 - HKLM\..\Toolbar: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)

O3 - HKCU\..\Toolbar: (no name) - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - Reg Error: Key does not exist or could not be opened. File not found

O3 - HKCU\..\Toolbar: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)

O4 - HKLM..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot (JMicron Technology Corp.)

O4 - HKLM..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" (Adobe Systems Incorporated)

O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe (ALWIL Software)

O4 - HKLM..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" (Apple Inc.)

O4 - HKLM..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe ()

O4 - HKLM..\Run: [Launch LGDCore] "C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE (Logitech Inc.)

O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime (Apple Inc.)

O4 - HKLM..\Run: [soundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray (Analog Devices, Inc.)

O4 - HKLM..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)

O4 - HKLM..\Run: [startCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun (Advanced Micro Devices, Inc.)

O4 - HKLM..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" (Sun Microsystems, Inc.)

O4 - HKLM..\Run: [WheelMouse] C:\Program Files\OCZ Technology\Mouse\Amoumain.exe ()

O4 - HKLM..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide (Microsoft Corporation)

O4 - HKCU..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background (Microsoft Corporation)

O4 - HKLM..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript (Malwarebytes Corporation)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ASUS WiFi-AP Solo.lnk = C:\Program Files\ASUS WiFi-AP Solo\RtWLan.exe (ASUSTek Computer Inc.)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0

O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe (Microsoft Corporation)

O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)

O15 - HKLM\..Trusted Sites: 49 domain(s) and sub-domain(s) not assigned to a zone.

O15 - HKCU\..Trusted Sites: www.update.microsoft.com (http in Trusted sites)

O15 - HKCU\..Trusted Sites: 52 domain(s) and sub-domain(s) not assigned to a zone.

O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://download.microsoft.com/download/e/4.../OGAControl.cab (Office Genuine Advantage Validation Tool)

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)

O16 - DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} http://download.microsoft.com/download/7/4...helpcontrol.cab (Microsoft Genuine Advantage Self Support Tool)

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/windowsupd...b?1214303958468 (WUWebControl Class)

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftu...b?1214304017937 (MUWebControl Class)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_11)

O16 - DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_06)

O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_11)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_11)

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)

O18 - Protocol\Handler: - ipp - No CLSID value found

O18 - Protocol\Handler: - ipp\0x00000001 - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler: - livecall - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)

O18 - Protocol\Handler: - msdaipp - No CLSID value found

O18 - Protocol\Handler: - msdaipp\0x00000001 - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler: - msdaipp\oledb - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler: - msnim - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)

O18 - Protocol\Handler: - mso-offdap - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)

O20 - See sections below for AppInitDlls and Winlogon settings

========== Winlogon Notify Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\]

AtiExtEvent: "DllName" = Ati2evxx.dll -- C:\WINDOWS\system32\ati2evxx.dll (ATI Technologies Inc.)

========== Shell Execute Hooks ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}" (HKLM) -- C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)

========== Safeboot Options ==========

"AlternateShell" = cmd.exe

========== CDRom AutoRun Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]

"AutoRun" = 1

========== Autorun Files on Drives ==========

AUTOEXEC.BAT []

[2008/06/24 00:28:46 | 00,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT -- [ NTFS ]

========== Files/Folders - Created Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]

[4 C:\WINDOWS\*.tmp files]

[2008/12/19 17:28:07 | 00,418,816 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Josh Keith\Desktop\OTListIt.exe

[2008/12/19 12:45:41 | 00,065,232 | ---- | C] (Malwarebytes) -- C:\Documents and Settings\Josh Keith\Desktop\RegASSASSIN.exe

[2008/12/18 16:14:15 | 00,000,000 | -HSD | C] -- C:\RECYCLER

[2008/12/18 12:07:42 | 00,000,000 | ---D | C] -- C:\ComboFix

[2008/12/18 11:59:47 | 00,000,211 | ---- | C] () -- C:\Boot.bak

[2008/12/18 11:59:45 | 00,260,272 | ---- | C] () -- C:\cmldr

[2008/12/18 11:59:44 | 00,000,000 | RHSD | C] -- C:\cmdcons

[2008/12/18 11:58:23 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe

[2008/12/18 11:58:23 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe

[2008/12/18 11:58:23 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe

[2008/12/18 11:58:23 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe

[2008/12/18 11:58:23 | 00,089,504 | ---- | C] (Smallfrogs Studio) -- C:\WINDOWS\fdsv.exe

[2008/12/18 11:58:23 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe

[2008/12/18 11:58:23 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe

[2008/12/18 11:58:23 | 00,049,152 | ---- | C] () -- C:\WINDOWS\VFIND.exe

[2008/12/18 11:58:23 | 00,028,672 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe

[2008/12/18 11:58:21 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT

[2008/12/18 11:58:21 | 00,000,000 | ---D | C] -- C:\Qoobox

[2008/12/18 11:57:58 | 02,884,875 | R--- | C] () -- C:\Documents and Settings\Josh Keith\Desktop\ComboFix.exe

[2008/12/18 11:48:34 | 00,000,000 | ---D | C] -- C:\rsit

[2008/12/18 11:48:12 | 00,781,851 | ---- | C] () -- C:\Documents and Settings\Josh Keith\Desktop\RSIT.exe

[2008/12/18 08:32:32 | 00,028,544 | ---- | C] (Panda Security, S.L.) -- C:\WINDOWS\System32\drivers\pavboot.sys

[2008/12/18 08:31:55 | 00,000,000 | ---D | C] -- C:\Program Files\Panda Security

[2008/12/18 07:37:44 | 00,000,268 | -H-- | C] () -- C:\sqmdata19.sqm

[2008/12/18 07:37:44 | 00,000,244 | -H-- | C] () -- C:\sqmnoopt19.sqm

[2008/12/17 18:51:02 | 00,000,268 | -H-- | C] () -- C:\sqmdata18.sqm

[2008/12/17 18:51:02 | 00,000,244 | -H-- | C] () -- C:\sqmnoopt18.sqm

[2008/12/17 18:49:25 | 00,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy

[2008/12/17 18:49:25 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

[2008/12/17 18:41:13 | 00,007,662 | ---- | C] () -- C:\WINDOWS\System32\oodbs.lor

[2008/12/17 18:37:49 | 00,000,000 | ---- | C] () -- C:\WINDOWS\oodcnt.INI

[2008/12/17 17:36:24 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\oodag

[2008/12/17 17:22:50 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Josh Keith\Local Settings\Application Data\O&O

[2008/12/17 16:42:01 | 00,000,268 | -H-- | C] () -- C:\sqmdata17.sqm

[2008/12/17 16:42:01 | 00,000,244 | -H-- | C] () -- C:\sqmnoopt17.sqm

[2008/12/17 16:39:40 | 00,000,268 | -H-- | C] () -- C:\sqmdata16.sqm

[2008/12/17 16:39:40 | 00,000,244 | -H-- | C] () -- C:\sqmnoopt16.sqm

[2008/12/17 15:45:09 | 00,000,268 | -H-- | C] () -- C:\sqmdata15.sqm

[2008/12/17 15:45:09 | 00,000,244 | -H-- | C] () -- C:\sqmnoopt15.sqm

[2008/12/17 12:25:32 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro

[2008/12/17 11:31:11 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Josh Keith\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1

[2008/12/16 18:37:28 | 00,000,268 | -H-- | C] () -- C:\sqmdata14.sqm

[2008/12/16 18:37:28 | 00,000,244 | -H-- | C] () -- C:\sqmnoopt14.sqm

[2008/12/16 17:30:42 | 00,000,330 | -H-- | C] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job

[2008/12/16 17:27:44 | 00,000,000 | ---D | C] -- C:\Program Files\Windows Defender

[2008/12/16 16:50:36 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\ATI

[2008/12/16 16:47:30 | 00,593,920 | ---- | C] () -- C:\WINDOWS\System32\ati2sgag.exe

[2008/12/16 16:43:12 | 00,000,010 | ---- | C] () -- C:\WINDOWS\WININIT.INI

[2008/12/16 16:23:50 | 00,000,000 | ---D | C] -- C:\WINDOWS\Minidump

[2008/12/16 16:11:44 | 00,000,268 | -H-- | C] () -- C:\sqmdata13.sqm

[2008/12/16 16:11:44 | 00,000,244 | -H-- | C] () -- C:\sqmnoopt13.sqm

[2008/12/16 15:24:48 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Josh Keith\Local Settings\Application Data\Mozilla

[2008/12/16 15:24:48 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Josh Keith\Application Data\Mozilla

[2008/12/16 15:03:04 | 00,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat

[2008/12/16 15:02:54 | 00,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox

[2008/12/16 14:55:41 | 00,000,000 | ---D | C] -- C:\Program Files\Bonjour

[2008/12/16 14:55:03 | 00,000,000 | ---D | C] -- C:\Program Files\iPod

[2008/12/16 14:55:02 | 00,000,000 | ---D | C] -- C:\Program Files\iTunes

[2008/12/16 14:55:02 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}

[2008/12/16 14:53:56 | 00,000,000 | ---D | C] -- C:\Program Files\QuickTime

[2008/12/16 14:35:46 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Josh Keith\Application Data\SUPERAntiSpyware.com

[2008/12/16 13:47:56 | 00,000,268 | -H-- | C] () -- C:\sqmdata12.sqm

[2008/12/16 13:47:56 | 00,000,244 | -H-- | C] () -- C:\sqmnoopt12.sqm

[2008/12/16 11:58:44 | 00,000,268 | -H-- | C] () -- C:\sqmdata11.sqm

[2008/12/16 11:58:44 | 00,000,244 | -H-- | C] () -- C:\sqmnoopt11.sqm

[2008/12/16 11:58:17 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Josh Keith\Application Data\Malwarebytes

[2008/12/16 11:42:04 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Josh Keith\Application Data\Spyware Terminator

[2008/12/16 09:59:49 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

[2008/12/16 09:59:47 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys

[2008/12/16 09:59:46 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware

[2008/12/16 09:59:46 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes

[2008/12/16 07:06:01 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com

[2008/12/16 07:05:53 | 00,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware

[2008/12/15 20:18:11 | 00,000,000 | ---D | C] -- C:\WINDOWS\CSC

[2008/12/01 16:41:02 | 00,188,416 | ---- | C] (ATI Technologies, Inc.) -- C:\WINDOWS\System32\atipdlxx.dll

[2008/12/01 16:40:49 | 00,147,456 | ---- | C] (ATI Technologies, Inc.) -- C:\WINDOWS\System32\Oemdspif.dll

[2008/12/01 16:40:41 | 00,026,112 | ---- | C] (ATI Technologies, Inc.) -- C:\WINDOWS\System32\Ati2mdxx.exe

[2008/12/01 16:40:32 | 00,043,520 | ---- | C] (ATI Technologies, Inc.) -- C:\WINDOWS\System32\ati2edxx.dll

[2008/12/01 16:11:21 | 03,107,788 | ---- | C] () -- C:\WINDOWS\System32\ativvaxx.dat

[2008/12/01 16:11:21 | 03,107,788 | ---- | C] () -- C:\WINDOWS\System32\ativva5x.dat

[2008/12/01 16:11:21 | 00,887,724 | ---- | C] () -- C:\WINDOWS\System32\ativva6x.dat

[2008/12/01 16:11:21 | 00,069,112 | ---- | C] () -- C:\WINDOWS\System32\ativvaxx.cap

========== Files - Modified Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]

[4 C:\WINDOWS\*.tmp files]

[2008/12/19 17:28:08 | 00,418,816 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Josh Keith\Desktop\OTListIt.exe

[2008/12/19 17:19:00 | 00,000,264 | ---- | M] () -- C:\WINDOWS\tasks\Check Updates for Windows Live Toolbar.job

[2008/12/19 15:14:25 | 00,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT

[2008/12/19 12:45:41 | 00,065,232 | ---- | M] (Malwarebytes) -- C:\Documents and Settings\Josh Keith\Desktop\RegASSASSIN.exe

[2008/12/19 11:15:48 | 00,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job

[2008/12/19 11:14:36 | 00,000,268 | -H-- | M] () -- C:\sqmdata05.sqm

[2008/12/19 11:14:36 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt05.sqm

[2008/12/19 11:13:09 | 00,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2008/12/19 11:12:46 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT

[2008/12/19 11:12:43 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2008/12/19 11:11:28 | 00,000,268 | -H-- | M] () -- C:\sqmdata04.sqm

[2008/12/19 11:11:28 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt04.sqm

[2008/12/19 11:11:27 | 04,305,586 | -H-- | M] () -- C:\Documents and Settings\Josh Keith\Local Settings\Application Data\IconCache.db

[2008/12/18 15:24:05 | 00,000,268 | -H-- | M] () -- C:\sqmdata03.sqm

[2008/12/18 15:24:05 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt03.sqm

[2008/12/18 12:25:14 | 00,000,268 | -H-- | M] () -- C:\sqmdata02.sqm

[2008/12/18 12:25:14 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt02.sqm

[2008/12/18 12:20:07 | 00,007,662 | ---- | M] () -- C:\WINDOWS\System32\oodbs.lor

[2008/12/18 12:19:03 | 00,000,268 | -H-- | M] () -- C:\sqmdata01.sqm

[2008/12/18 12:19:03 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt01.sqm

[2008/12/18 12:08:23 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini

[2008/12/18 11:59:47 | 00,000,281 | RHS- | M] () -- C:\boot.ini

[2008/12/18 11:58:04 | 02,884,875 | R--- | M] () -- C:\Documents and Settings\Josh Keith\Desktop\ComboFix.exe

[2008/12/18 11:48:12 | 00,781,851 | ---- | M] () -- C:\Documents and Settings\Josh Keith\Desktop\RSIT.exe

[2008/12/18 10:59:39 | 00,000,268 | -H-- | M] () -- C:\sqmdata00.sqm

[2008/12/18 10:59:39 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt00.sqm

[2008/12/18 07:37:44 | 00,000,268 | -H-- | M] () -- C:\sqmdata19.sqm

[2008/12/18 07:37:44 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt19.sqm

[2008/12/17 19:10:21 | 00,290,277 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts

[2008/12/17 18:51:02 | 00,000,268 | -H-- | M] () -- C:\sqmdata18.sqm

[2008/12/17 18:51:02 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt18.sqm

[2008/12/17 18:37:49 | 00,000,000 | ---- | M] () -- C:\WINDOWS\oodcnt.INI

[2008/12/17 16:42:01 | 00,000,268 | -H-- | M] () -- C:\sqmdata17.sqm

[2008/12/17 16:42:01 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt17.sqm

[2008/12/17 16:39:40 | 00,000,268 | -H-- | M] () -- C:\sqmdata16.sqm

[2008/12/17 16:39:40 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt16.sqm

[2008/12/17 15:45:09 | 00,000,268 | -H-- | M] () -- C:\sqmdata15.sqm

[2008/12/17 15:45:09 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt15.sqm

[2008/12/16 18:37:28 | 00,000,268 | -H-- | M] () -- C:\sqmdata14.sqm

[2008/12/16 18:37:28 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt14.sqm

[2008/12/16 16:43:14 | 00,000,010 | ---- | M] () -- C:\WINDOWS\WININIT.INI

[2008/12/16 16:11:44 | 00,000,268 | -H-- | M] () -- C:\sqmdata13.sqm

[2008/12/16 16:11:44 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt13.sqm

[2008/12/16 15:03:04 | 00,000,000 | ---- | M] () -- C:\WINDOWS\nsreg.dat

[2008/12/16 15:00:13 | 00,004,625 | ---- | M] () -- C:\WINDOWS\imsins.BAK

[2008/12/16 15:00:12 | 00,477,362 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI

[2008/12/16 15:00:12 | 00,406,658 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat

[2008/12/16 15:00:12 | 00,063,732 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat

[2008/12/16 13:47:56 | 00,000,268 | -H-- | M] () -- C:\sqmdata12.sqm

[2008/12/16 13:47:56 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt12.sqm

[2008/12/16 11:58:44 | 00,000,268 | -H-- | M] () -- C:\sqmdata11.sqm

[2008/12/16 11:58:44 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt11.sqm

[2008/12/15 21:14:48 | 00,000,603 | ---- | M] () -- C:\WINDOWS\win.ini

[2008/12/13 02:40:02 | 03,593,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\mshtml.dll

[2008/12/13 02:40:02 | 03,593,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mshtml.dll

[2008/12/09 19:24:37 | 17,593,280 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe

[2008/12/03 19:52:38 | 00,038,496 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys

[2008/12/03 19:52:34 | 00,015,504 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

[2008/12/01 16:41:02 | 00,188,416 | ---- | M] (ATI Technologies, Inc.) -- C:\WINDOWS\System32\atipdlxx.dll

[2008/12/01 16:40:49 | 00,147,456 | ---- | M] (ATI Technologies, Inc.) -- C:\WINDOWS\System32\Oemdspif.dll

[2008/12/01 16:40:41 | 00,026,112 | ---- | M] (ATI Technologies, Inc.) -- C:\WINDOWS\System32\Ati2mdxx.exe

[2008/12/01 16:40:32 | 00,043,520 | ---- | M] (ATI Technologies, Inc.) -- C:\WINDOWS\System32\ati2edxx.dll

[2008/12/01 16:11:21 | 03,107,788 | ---- | M] () -- C:\WINDOWS\System32\ativvaxx.dat

[2008/12/01 16:11:21 | 03,107,788 | ---- | M] () -- C:\WINDOWS\System32\ativva5x.dat

[2008/12/01 16:11:21 | 00,887,724 | ---- | M] () -- C:\WINDOWS\System32\ativva6x.dat

[2008/12/01 16:11:21 | 00,069,112 | ---- | M] () -- C:\WINDOWS\System32\ativvaxx.cap

[2008/12/01 14:35:00 | 00,593,920 | ---- | M] () -- C:\WINDOWS\System32\ati2sgag.exe

[2008/11/26 13:21:30 | 01,236,208 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\aswBoot.exe

[2008/11/26 13:18:25 | 00,093,296 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys

[2008/11/26 13:18:18 | 00,094,032 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys

[2008/11/26 13:17:36 | 00,111,184 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys

[2008/11/26 13:17:25 | 00,020,560 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys

[2008/11/26 13:16:38 | 00,050,864 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys

[2008/11/26 13:16:29 | 00,023,152 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys

[2008/11/26 13:15:35 | 00,026,944 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys

[2008/11/26 13:15:10 | 00,097,480 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\AvastSS.scr

< End of report >

++++++++++++++++++++++++

And here is the contents of Extras.txt

++++++++++++++++++++++++

OTListIt Extras logfile created on: 12/19/2008 5:28:50 PM - Run

OTListIt by OldTimer - Version 1.0.12.1 Folder = C:\Documents and Settings\Josh Keith\Desktop

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 7.0.5730.13)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.57 Gb Available Physical Memory | 78.31% Memory free

4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free

Paging file location(s): C:\pagefile.sys 3070 3070;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 465.75 Gb Total Space | 433.94 Gb Free Space | 93.17% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: JK

Current User Name: Josh Keith

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Whitelist: On

File Age = 30 Days

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"FirstRunDisabled" = 1

"AntiVirusDisableNotify" = 0

"FirewallDisableNotify" = 0

"UpdatesDisableNotify" = 0

"AntiVirusOverride" = 0

"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile

"EnableFirewall" = 1

"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[2008/04/13 14:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000

[2007/10/18 10:34:02 | 05,724,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger

[2007/10/02 16:18:24 | 00,304,488 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

[2008/04/13 14:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000

[2008/04/13 20:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger

[2007/10/18 10:34:02 | 05,724,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger

[2007/10/02 16:18:24 | 00,304,488 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)

[2008/09/18 14:50:21 | 00,147,456 | ---- | M] (Lime Wire, LLC) -- C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire

[2008/08/27 12:06:08 | 00,066,872 | ---- | M] () -- C:\WINDOWS\system32\PnkBstrA.exe:*:Enabled:PnkBstrA

[2008/11/10 22:22:12 | 00,202,320 | ---- | M] () -- C:\WINDOWS\system32\PnkBstrB.exe:*:Enabled:PnkBstrB

[2007/10/04 03:14:26 | 03,325,952 | ---- | M] () -- C:\Program Files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe:*:Enabled:Call of Duty® 4 - Modern Warfare

[2007/08/07 12:22:12 | 09,710,464 | ---- | M] (Ensemble Studios) -- C:\Program Files\Microsoft Games\Age of Empires III\age3.exe:*:Enabled:Age of Empires III

[2008/11/20 13:20:48 | 14,294,824 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes

[2008/12/12 11:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR

"{02A10468-2F1C-447C-AD8E-4DEDDEA25AE2}" = Medieval II Total War : Kingdoms : Crusades

"{055EE59D-217B-43A7-ABFF-507B966405D8}" = ATI Catalyst Control Center

"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour

"{0AD84416-63A4-4CF3-BDDF-8FA866711FB0}" = Civilization III

"{1A655D51-1423-48A3-B748-8F5A0BE294C8}" = Microsoft Visual J# .NET Redistributable Package 1.1

"{1ED6E4D0-8DB0-A333-DEA6-188F957F5A43}" = Catalyst Control Center Graphics Light

"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java 6 Update 11

"{318AB667-3230-41B5-A617-CB3BF748D371}" = iTunes

"{3248F0A8-6813-11D6-A77B-00B0D0160060}" = Java 6 Update 6

"{341201D4-4F61-4ADB-987E-9CCE4D83A58D}" = Windows Live Toolbar Extension (Windows Live Toolbar)

"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP

"{3A1B5D40-41E9-43FA-8C7B-A8667F5586EF}" = JMB36X Raid Configurer

"{407E0CBD-D6BF-F243-6DE9-F1EEA525BA1C}" = Catalyst Control Center Graphics Full Existing

"{508CE775-4BA4-4748-82DF-FE28DA9F03B0}" = Windows Live Messenger

"{5EC634FA-5047-38B2-A53A-15963D9BD872}" = CCC Help English

"{611BD998-34B9-4DDA-00AE-0CB4632E86FA}" = SimCity 4

"{651AFCC8-2F1A-8132-0A33-FA5F041380BA}" = Catalyst Control Center Graphics Full New

"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update

"{69EF33D7-3425-1409-0BE1-C4F3A6FB57A8}" = ccc-utility

"{70F8B183-99EB-4304-BA35-080E2DFFD2A3}" = Age of Empires III

"{7510EF8C-99B9-8533-524E-BF41BDC04188}" = Skins

"{75983B66-804C-40D1-BA13-64DAF652A6F1}" = Medieval II Total War : Kingdoms : Americas

"{773040E1-3B60-6507-C387-71F8F0A03C59}" = ccc-core-static

"{7745B7A9-F323-4BB9-9811-01BF57A028DA}" = Map Button (Windows Live Toolbar)

"{77A1C7DD-E4F6-4057-92FC-710219215987}" = Logitech G11 Keyboard Software 1.03

"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com

"{7AEE1963-7001-4C37-BC20-2FAEB74AA41C}" = Medieval II Total War : Kingdoms : Teutonic

"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight

"{8B3F4499-32E6-470D-8586-E6C03420F889}" = ASUS WiFi-AP Solo

"{91120409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Standard

"{92DEC792-A722-5991-2607-3EE3A4BD502B}" = Catalyst Control Center HydraVision Full

"{96793032-8651-805A-67EF-E1759C1A8E3D}" = Catalyst Control Center Graphics Previews Common

"{A06275F4-324B-4E85-95E6-87B2CD729401}" = Windows Defender

"{A5C4AD72-25FE-4899-B6DF-6D8DF63C93CF}" = Highlight Viewer (Windows Live Toolbar)

"{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}" = Windows Live installer

"{AC76BA86-7AD7-1033-7B44-A90000000001}" = Adobe Reader 9

"{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}" = Windows Live Sign-in Assistant

"{B094F70F-2CC2-5062-8534-D3830FC4B018}" = Catalyst Control Center Core Implementation

"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy

"{B508B3F1-A24A-32C0-B310-85786919EF28}" = Microsoft .NET Framework 2.0 Service Pack 1

"{C0698BDA-0D29-40EE-8570-A31106DF9AB1}" = Medieval II Total War

"{C950420B-4182-49EA-850A-A6A2ABF06C6B}" = Marvell Miniport Driver

"{CA42C38C-B369-B190-AD06-76D3AC95CFAC}" = ccc-core-preinstall

"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1

"{CEDDEE73-3D36-41C2-AA40-29355D9FBD63}" = Medieval II Total War : Kingdoms : Britannia

"{D3B1C799-CB73-42DE-BA0F-2344793A095C}" = Catalyst Control Center - Branding

"{D5A145FC-D00C-4F1A-9119-EB4D9D659750}" = Windows Live Toolbar

"{E48469CC-635E-4FD5-A122-1497C286D217}" = Call of Duty® 4 - Modern Warfare

"{EC4455AB-F155-4CC1-A4C5-88F3777F9886}" = Apple Mobile Device Support

"{F084395C-40FB-4DB3-981C-B51E74E1E83D}" = Smart Menus (Windows Live Toolbar)

"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX

"{F958CA02-BB40-4007-894B-258729456EE4}" = QuickTime

"ActiveScan 2.0" = Panda ActiveScan 2.0

"Adobe AIR" = Adobe AIR

"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX

"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin

"All ATI Software" = ATI - Software Uninstall Utility

"ATI Display Driver" = ATI Display Driver

"avast!" = avast! Antivirus

"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com

"HijackThis" = HijackThis 2.0.2

"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs

"ie7" = Windows Internet Explorer 7

"InstallShield_{70F8B183-99EB-4304-BA35-080E2DFFD2A3}" = Age of Empires III

"InstallShield_{E48469CC-635E-4FD5-A122-1497C286D217}" = Call of Duty® 4 - Modern Warfare

"LimeWire" = LimeWire 4.18.8

"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware

"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1

"Mozilla Firefox (3.0.4)" = Mozilla Firefox (3.0.4)

"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP

"MSNINST" = MSN

"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs

"WheelMouse" = OCZ Technology Laser Gaming Mouse

"Windows Live Toolbar" = Windows Live Toolbar

"Windows Media Format Runtime" = Windows Media Format 11 runtime

"Windows Media Player" = Windows Media Player 11

"Windows XP Service Pack" = Windows XP Service Pack 3

"WMFDist11" = Windows Media Format 11 runtime

"wmp11" = Windows Media Player 11

"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== Last 10 Event Log Errors ==========

[ Antivirus Events ]

Error - 12/16/2008 9:56:50 AM | Computer Name = JK | Source = avast! | ID = 33554522

Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of

C:\DOCUMENTS AND SETTINGS\JOSH KEITH\MY DOCUMENTS\ENGLISH.DOC failed, 00000005.

Error - 12/16/2008 9:57:11 AM | Computer Name = JK | Source = avast! | ID = 33554522

Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of

C:\DOCUMENTS AND SETTINGS\JOSH KEITH\MY DOCUMENTS\PASSCHENDALE REVIEW.DOC failed,

00000005.

Error - 12/16/2008 9:57:12 AM | Computer Name = JK | Source = avast! | ID = 33554522

Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of

C:\DOCUMENTS AND SETTINGS\JOSH KEITH\MY DOCUMENTS\CASINO ROYALE.DOC failed, 00000005.

Error - 12/16/2008 11:12:30 AM | Computer Name = JK | Source = avast! | ID = 33554522

Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of

C:\DOCUMENTS AND SETTINGS\JOSH KEITH\MY DOCUMENTS\SOCIOLOGY ASSIGNMENT.DOC failed,

00000005.

Error - 12/16/2008 11:12:35 AM | Computer Name = JK | Source = avast! | ID = 33554522

Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of

C:\DOCUMENTS AND SETTINGS\JOSH KEITH\MY DOCUMENTS\ENGLISH.DOC failed, 00000005.

Error - 12/16/2008 11:12:56 AM | Computer Name = JK | Source = avast! | ID = 33554522

Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of

C:\DOCUMENTS AND SETTINGS\JOSH KEITH\MY DOCUMENTS\PASSCHENDALE REVIEW.DOC failed,

00000005.

Error - 12/16/2008 11:12:56 AM | Computer Name = JK | Source = avast! | ID = 33554522

Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of

C:\DOCUMENTS AND SETTINGS\JOSH KEITH\MY DOCUMENTS\CASINO ROYALE.DOC failed, 00000005.

Error - 12/16/2008 4:25:11 PM | Computer Name = JK | Source = avast! | ID = 33554522

Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of

C:\DOCUMENTS AND SETTINGS\JOSH KEITH\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\P0QI6NLH.DEFAULT\EXTENSIONS\{73A6FE31-595D-460B-A920-FCC0F8843232}\DEFAULTS\PREFERENCES\NOSCRIPT.JS

failed, 00000005.

Error - 12/16/2008 4:25:11 PM | Computer Name = JK | Source = avast! | ID = 33554522

Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of

C:\DOCUMENTS AND SETTINGS\JOSH KEITH\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\P0QI6NLH.DEFAULT\PREFS.JS

failed, 00000005.

Error - 12/16/2008 4:35:51 PM | Computer Name = JK | Source = avast! | ID = 33554522

Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of

C:\DOCUMENTS AND SETTINGS\JOSH KEITH\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\P0QI6NLH.DEFAULT\PREFS.JS

failed, 00000005.

[ Application Events ]

Error - 9/23/2008 7:10:55 PM | Computer Name = JK | Source = Application Hang | ID = 1002

Description = Hanging application iexplore.exe, version 7.0.6000.16705, hang module

hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 9/27/2008 1:46:22 PM | Computer Name = JK | Source = Application Error | ID = 1000

Description = Faulting application iw3sp.exe, version 0.0.0.0, faulting module ~df394b.tmp,

version 0.0.0.0, fault address 0x000abca8.

Error - 9/27/2008 3:33:11 PM | Computer Name = JK | Source = Application Hang | ID = 1002

Description = Hanging application CoD4.exe, version 2.5.0.32, hang module hungapp,

version 0.0.0.0, hang address 0x00000000.

Error - 9/28/2008 4:21:19 PM | Computer Name = JK | Source = Application Hang | ID = 1002

Description = Hanging application iexplore.exe, version 7.0.6000.16705, hang module

hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 9/28/2008 4:25:30 PM | Computer Name = JK | Source = Application Hang | ID = 1002

Description = Hanging application iexplore.exe, version 7.0.6000.16705, hang module

hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 9/29/2008 3:16:08 PM | Computer Name = JK | Source = Application Hang | ID = 1002

Description = Hanging application iexplore.exe, version 7.0.6000.16705, hang module

hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 9/29/2008 4:48:14 PM | Computer Name = JK | Source = Application Hang | ID = 1002

Description = Hanging application iexplore.exe, version 7.0.6000.16705, hang module

hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 9/30/2008 3:03:34 PM | Computer Name = JK | Source = Application Error | ID = 1000

Description = Faulting application iexplore.exe, version 7.0.6000.16705, faulting

module msvcrt.dll, version 7.0.2600.5512, fault address 0x000372e3.

Error - 10/1/2008 5:45:53 PM | Computer Name = JK | Source = Application Hang | ID = 1002

Description = Hanging application wmplayer.exe, version 11.0.5721.5145, hang module

hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 10/2/2008 10:36:20 AM | Computer Name = JK | Source = Application Hang | ID = 1002

Description = Hanging application iexplore.exe, version 7.0.6000.16705, hang module

hungapp, version 0.0.0.0, hang address 0x00000000.

[ System Events ]

Error - 12/18/2008 7:40:08 AM | Computer Name = JK | Source = DCOM | ID = 10005

Description = DCOM got error "%1084" attempting to start the service netman with

arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error - 12/18/2008 7:40:47 AM | Computer Name = JK | Source = Service Control Manager | ID = 7001

Description = The DHCP Client service depends on the NetBios over Tcpip service

which failed to start because of the following error: %%31

Error - 12/18/2008 7:40:47 AM | Computer Name = JK | Source = Service Control Manager | ID = 7001

Description = The DNS Client service depends on the TCP/IP Protocol Driver service

which failed to start because of the following error: %%31

Error - 12/18/2008 7:40:47 AM | Computer Name = JK | Source = Service Control Manager | ID = 7001

Description = The TCP/IP NetBIOS Helper service depends on the AFD service which

failed to start because of the following error: %%31

Error - 12/18/2008 7:40:47 AM | Computer Name = JK | Source = Service Control Manager | ID = 7001

Description = The Apple Mobile Device service depends on the TCP/IP Protocol Driver

service which failed to start because of the following error: %%31

Error - 12/18/2008 7:40:47 AM | Computer Name = JK | Source = Service Control Manager | ID = 7001

Description = The Bonjour Service service depends on the TCP/IP Protocol Driver

service which failed to start because of the following error: %%31

Error - 12/18/2008 7:40:47 AM | Computer Name = JK | Source = Service Control Manager | ID = 7001

Description = The IPSEC Services service depends on the IPSEC driver service which

failed to start because of the following error: %%31

Error - 12/18/2008 7:40:47 AM | Computer Name = JK | Source = Service Control Manager | ID = 7026

Description = The following boot-start or system-start driver(s) failed to load:

Aavmker4 AFD aswSP aswTdi Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip

Error - 12/18/2008 7:52:00 AM | Computer Name = JK | Source = DCOM | ID = 10005

Description = DCOM got error "%1084" attempting to start the service EventSystem

with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 12/18/2008 12:21:45 PM | Computer Name = JK | Source = Service Control Manager | ID = 7034

Description = The O&O Defrag service terminated unexpectedly. It has done this

1 time(s).

< End of report >

Link to post
Share on other sites

  • Staff

Thanks for those logs.

I see you've got ComboFix on board, please delete the copy you have. Get a fresh copy from the link below and do as instructed, thanks.

Download ComboFix from one of these locations:

Link 1

Link 2

Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Link to post
Share on other sites

I deleted the previous version of ComboFix and installed the latest version from your 1st link. Here is the ComboFix log file that I get when I run the latest version:

ComboFix 08-12-18.03 - Josh Keith 2008-12-20 7:40:43.4 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1551 [GMT -4:00]

Running from: c:\documents and settings\Josh Keith\Desktop\ComboFix.exe

.

((((((((((((((((((((((((( Files Created from 2008-11-20 to 2008-12-20 )))))))))))))))))))))))))))))))

.

2008-12-18 11:48 . 2008-12-18 11:48 <DIR> d-------- C:\rsit

2008-12-18 08:32 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys

2008-12-18 08:31 . 2008-12-18 08:31 <DIR> d-------- c:\program files\Panda Security

2008-12-18 07:37 . 2008-12-18 07:37 268 --ah----- C:\sqmdata19.sqm

2008-12-18 07:37 . 2008-12-18 07:37 244 --ah----- C:\sqmnoopt19.sqm

2008-12-17 18:51 . 2008-12-17 18:51 268 --ah----- C:\sqmdata18.sqm

2008-12-17 18:51 . 2008-12-17 18:51 244 --ah----- C:\sqmnoopt18.sqm

2008-12-17 18:49 . 2008-12-18 07:06 <DIR> d-------- c:\program files\Spybot - Search & Destroy

2008-12-17 18:49 . 2008-12-18 10:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2008-12-17 18:41 . 2008-12-18 12:20 7,662 --a------ c:\windows\system32\oodbs.lor

2008-12-17 18:37 . 2008-12-17 18:37 0 --a------ c:\windows\oodcnt.INI

2008-12-17 17:36 . 2008-12-17 17:36 <DIR> d-------- c:\windows\system32\oodag

2008-12-17 16:42 . 2008-12-17 16:42 268 --ah----- C:\sqmdata17.sqm

2008-12-17 16:42 . 2008-12-17 16:42 244 --ah----- C:\sqmnoopt17.sqm

2008-12-17 16:39 . 2008-12-17 16:39 268 --ah----- C:\sqmdata16.sqm

2008-12-17 16:39 . 2008-12-17 16:39 244 --ah----- C:\sqmnoopt16.sqm

2008-12-17 15:45 . 2008-12-17 15:45 268 --ah----- C:\sqmdata15.sqm

2008-12-17 15:45 . 2008-12-17 15:45 244 --ah----- C:\sqmnoopt15.sqm

2008-12-17 12:25 . 2008-12-17 12:25 <DIR> d-------- c:\program files\Trend Micro

2008-12-17 11:31 . 2008-12-17 11:31 <DIR> d-------- c:\documents and settings\Josh Keith\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1

2008-12-16 18:37 . 2008-12-16 18:37 268 --ah----- C:\sqmdata14.sqm

2008-12-16 18:37 . 2008-12-16 18:37 244 --ah----- C:\sqmnoopt14.sqm

2008-12-16 17:27 . 2008-12-16 17:27 <DIR> d-------- c:\program files\Windows Defender

2008-12-16 16:50 . 2008-12-16 16:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\ATI

2008-12-16 16:47 . 2008-12-01 14:35 593,920 --------- c:\windows\system32\ati2sgag.exe

2008-12-16 16:43 . 2008-12-16 16:43 10 --a------ c:\windows\WININIT.INI

2008-12-16 16:42 . 2008-12-16 16:42 38,224,168 --a------ c:\temp\8-12_xp32_dd_ccc_wdm_enu_72271.exe

2008-12-16 16:11 . 2008-12-16 16:11 268 --ah----- C:\sqmdata13.sqm

2008-12-16 16:11 . 2008-12-16 16:11 244 --ah----- C:\sqmnoopt13.sqm

2008-12-16 15:03 . 2008-12-16 15:03 0 --a------ c:\windows\nsreg.dat

2008-12-16 15:01 . 2008-12-16 15:01 7,508,624 --a------ c:\temp\Firefox Setup 3.0.4.exe

2008-12-16 14:55 . 2008-12-16 14:55 <DIR> d-------- c:\program files\iTunes

2008-12-16 14:55 . 2008-12-16 14:55 <DIR> d-------- c:\program files\iPod

2008-12-16 14:55 . 2008-12-16 14:55 <DIR> d-------- c:\program files\Bonjour

2008-12-16 14:55 . 2008-12-16 14:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}

2008-12-16 14:54 . 2008-12-16 14:54 <DIR> d-------- c:\documents and settings\kendo\Application Data\Apple Computer

2008-12-16 14:53 . 2008-12-16 14:54 <DIR> d-------- c:\program files\QuickTime

2008-12-16 14:35 . 2008-12-16 14:35 <DIR> d-------- c:\documents and settings\Josh Keith\Application Data\SUPERAntiSpyware.com

2008-12-16 13:47 . 2008-12-16 13:47 268 --ah----- C:\sqmdata12.sqm

2008-12-16 13:47 . 2008-12-16 13:47 244 --ah----- C:\sqmnoopt12.sqm

2008-12-16 11:58 . 2008-12-16 11:58 <DIR> d-------- c:\documents and settings\Josh Keith\Application Data\Malwarebytes

2008-12-16 11:58 . 2008-12-16 11:58 268 --ah----- C:\sqmdata11.sqm

2008-12-16 11:58 . 2008-12-16 11:58 244 --ah----- C:\sqmnoopt11.sqm

2008-12-16 11:42 . 2008-12-16 16:10 <DIR> d-------- c:\documents and settings\Josh Keith\Application Data\Spyware Terminator

2008-12-16 10:48 . 2008-12-16 10:48 410,984 --a------ c:\windows\system32\deploytk.dll

2008-12-16 09:59 . 2008-12-16 09:59 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2008-12-16 09:59 . 2008-12-16 09:59 <DIR> d-------- c:\documents and settings\kendo\Application Data\Malwarebytes

2008-12-16 09:59 . 2008-12-16 09:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2008-12-16 09:59 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2008-12-16 09:59 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2008-12-16 09:57 . 2008-12-16 09:57 2,539,400 --a------ c:\temp\mbam-setup.exe

2008-12-16 08:59 . 2008-12-16 08:59 646,376 --a------ c:\temp\SpywareTerminatorSetup.exe

2008-12-16 07:06 . 2008-12-16 07:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2008-12-16 07:05 . 2008-12-16 16:31 <DIR> d-------- c:\program files\SUPERAntiSpyware

2008-12-16 07:02 . 2008-12-16 07:02 5,780,000 --a------ c:\temp\SUPERAntiSpyware.exe

2008-12-15 20:23 . 2008-12-15 20:23 <DIR> d-------- c:\documents and settings\kendo\Application Data\ATI

2008-12-15 20:23 . 2008-12-16 18:19 <DIR> d-------- c:\documents and settings\kendo

2008-12-12 11:18 . 2008-12-12 11:18 87,336 --a------ c:\windows\system32\dns-sd.exe

2008-12-12 11:11 . 2008-12-12 11:11 61,440 --a------ c:\windows\system32\dnssd.dll

2008-12-01 16:52 . 2008-12-01 16:52 425,984 --a------ c:\windows\system32\ATIDEMGX.dll

2008-12-01 16:46 . 2008-12-01 16:46 11,304,960 --a------ c:\windows\system32\atioglxx.dll

2008-12-01 16:41 . 2008-12-01 16:41 188,416 --a------ c:\windows\system32\atipdlxx.dll

2008-12-01 16:40 . 2008-12-01 16:40 147,456 --a------ c:\windows\system32\Oemdspif.dll

2008-12-01 16:40 . 2008-12-01 16:40 143,360 --a------ c:\windows\system32\ati2evxx.dll

2008-12-01 16:40 . 2008-12-01 16:40 43,520 --a------ c:\windows\system32\ati2edxx.dll

2008-12-01 16:40 . 2008-12-01 16:40 26,112 --a------ c:\windows\system32\Ati2mdxx.exe

2008-12-01 16:38 . 2008-12-01 16:38 598,016 --a------ c:\windows\system32\ati2evxx.exe

2008-12-01 16:37 . 2008-12-01 16:37 53,248 --a------ c:\windows\system32\ATIDDC.DLL

2008-12-01 16:19 . 2008-12-01 16:19 307,200 --a------ c:\windows\system32\atiiiexx.dll

2008-12-01 16:11 . 2008-12-01 16:11 3,107,788 --a------ c:\windows\system32\ativvaxx.dat

2008-12-01 16:11 . 2008-12-01 16:11 3,107,788 --a------ c:\windows\system32\ativva5x.dat

2008-12-01 16:11 . 2008-12-01 16:11 887,724 --a------ c:\windows\system32\ativva6x.dat

2008-12-01 16:11 . 2008-12-01 16:11 69,112 --a------ c:\windows\system32\ativvaxx.cap

2008-12-01 15:57 . 2008-12-01 15:57 48,640 --a------ c:\windows\system32\amdpcom32.dll

2008-12-01 15:53 . 2008-12-01 15:53 401,408 --a------ c:\windows\system32\atikvmag.dll

2008-12-01 15:53 . 2008-12-01 15:53 45,056 --a------ c:\windows\system32\amdcalrt.dll

2008-12-01 15:53 . 2008-12-01 15:53 45,056 --a------ c:\windows\system32\amdcalcl.dll

2008-12-01 15:52 . 2008-12-01 15:52 86,016 --a------ c:\windows\system32\atiadlxx.dll

2008-12-01 15:52 . 2008-12-01 15:52 17,408 --a------ c:\windows\system32\atitvo32.dll

2008-12-01 15:51 . 2008-12-01 15:51 53,248 --a------ c:\windows\system32\drivers\ati2erec.dll

2008-12-01 15:50 . 2008-12-01 15:50 3,252,224 --a------ c:\windows\system32\Amdcaldd.dll

2008-12-01 15:50 . 2008-12-01 15:50 286,720 --a------ c:\windows\system32\atiok3x2.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-12-16 22:22 --------- d-----w c:\program files\LimeWire

2008-12-16 22:22 --------- d-----w c:\documents and settings\Josh Keith\Application Data\LimeWire

2008-12-16 20:48 --------- d-----w c:\program files\ATI Technologies

2008-12-16 20:44 --------- d--h--w c:\program files\InstallShield Installation Information

2008-12-16 18:55 --------- d-----w c:\program files\Common Files\Apple

2008-12-16 14:48 --------- d-----w c:\program files\Java

2008-12-01 22:13 3,452,928 ----a-w c:\windows\system32\drivers\ati2mtag.sys

2008-12-01 20:51 318,464 ----a-w c:\windows\system32\ati2dvag.dll

2008-12-01 20:27 4,120,384 ----a-w c:\windows\system32\ati3duag.dll

2008-12-01 20:11 2,495,360 ----a-w c:\windows\system32\ativvaxx.dll

2008-12-01 19:45 577,536 ----a-w c:\windows\system32\ati2cqag.dll

2008-11-13 11:29 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP

2008-11-12 19:25 --------- d-----w c:\program files\Google

2008-11-11 02:22 202,320 ----a-w c:\windows\system32\PnkBstrB.exe

2008-11-11 02:22 138,408 ----a-w c:\windows\system32\drivers\PnkBstrK.sys

2008-11-02 17:56 --------- d-----w c:\program files\Sony

2008-11-01 19:26 --------- d-----w c:\documents and settings\Josh Keith\Application Data\InstallShield

2008-11-01 19:21 107,888 ----a-w c:\windows\system32\CmdLineExt.dll

2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys

2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll

2008-10-21 22:14 --------- d-----w c:\program files\Microsoft Silverlight

2008-10-21 18:51 118,784 ----a-w c:\windows\system32\atibrtmon.exe

2008-10-21 17:40 81,920 ----a-w c:\windows\system32\ATIODE.exe

2008-10-21 17:40 45,056 ----a-w c:\windows\system32\ATIODCLI.exe

2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll

2008-10-16 18:13 202,776 ----a-w c:\windows\system32\wuweb.dll

2008-10-16 18:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll

2008-10-16 18:12 561,688 ----a-w c:\windows\system32\wuapi.dll

2008-10-16 18:12 323,608 ----a-w c:\windows\system32\wucltui.dll

2008-10-16 18:09 92,696 ----a-w c:\windows\system32\cdm.dll

2008-10-16 18:09 51,224 ----a-w c:\windows\system32\wuauclt.exe

2008-10-16 18:09 43,544 ----a-w c:\windows\system32\wups2.dll

2008-10-16 18:08 34,328 ----a-w c:\windows\system32\wups.dll

2008-10-16 18:06 268,648 ----a-w c:\windows\system32\mucltui.dll

2008-10-16 18:06 208,744 ----a-w c:\windows\system32\muweb.dll

2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll

2008-09-30 20:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll

2008-08-18 18:53 22,328 ----a-w c:\documents and settings\Josh Keith\Application Data\PnkBstrK.sys

2006-06-23 06:48 32,768 ----a-r c:\windows\inf\UpdateUSB.exe

.

((((((((((((((((((((((((((((( snapshot@2008-12-18_12.01.08.09 )))))))))))))))))))))))))))))))))))))))))

.

+ 2008-12-19 15:12:53 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_30c.dat

+ 2008-12-19 15:12:47 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_7ac.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-12-18 868352]

"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]

"36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2007-03-21 1953792]

"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]

"Launch LGDCore"="c:\program files\Common Files\Logitech\G-series Software\LGDCore.exe" [2006-07-22 1126400]

"WheelMouse"="c:\program files\OCZ Technology\Mouse\Amoumain.exe" [2006-12-28 196608]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-16 136600]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

ASUS WiFi-AP Solo.lnk - c:\program files\ASUS WiFi-AP Solo\RtWLan.exe [2008-06-24 987136]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\WINDOWS\\system32\\PnkBstrA.exe"=

"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=

"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-12-18 28544]

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-06-24 111184]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-06-24 20560]

R2 WinDefend;Windows Defender;"c:\program files\Windows Defender\MsMpEng.exe" [2006-11-03 13592]

R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2007-07-20 84992]

R3 RTLWUSB;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187.sys [2008-06-24 332928]

.

Contents of the 'Scheduled Tasks' folder

2008-11-09 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-12-20 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job

- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 10:20]

2008-12-20 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]

.

.

------- Supplementary Scan -------

.

uStart Page = www.avast.com

uInternet Settings,ProxyOverride = *.local;<local>

uInternet Settings,ProxyServer = http=127.0.0.1:9090

IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Josh Keith\Application Data\Mozilla\Firefox\Profiles\p0qi6nlh.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.avast.com/

FF - prefs.js: network.proxy.http - 127.0.0.1

FF - prefs.js: network.proxy.http_port - 9090

FF - prefs.js: network.proxy.type - 4

FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.1.0.30716.0.dll

FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-12-20 07:41:10

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(856)

c:\windows\system32\Ati2evxx.dll

.

Completion time: 2008-12-20 7:41:43

ComboFix-quarantined-files.txt 2008-12-20 11:41:29

ComboFix2.txt 2008-12-20 11:38:55

ComboFix3.txt 2008-12-18 16:08:53

ComboFix4.txt 2008-12-18 16:01:32

Pre-Run: 465,934,299,136 bytes free

Post-Run: 465,922,453,504 bytes free

227 --- E O F --- 2008-12-19 14:05:39

Link to post
Share on other sites

  • Staff

That didn't show me what I was expecting.

Before we proceed, I have one question about a file:

c:\temp\8-12_xp32_dd_ccc_wdm_enu_72271.exe<<<<<--- what is this? I can't seem to find any conclusive answers.

Link to post
Share on other sites

Hi Tom,

That file is the installer for the latest version of the ATI Cataylist Control Center which is used to control the ATI video card and display.

After I ran the previous scan I did some research on the bitTorrent client, LimeWire, that my friend had installed on his computer and made the unilateral decision to un-install it. I don't know it that was how he got this virus in the first place but I will advise him that such applications are a big security risk. If he chooses to re-install anything like that I will most likely not provide assistance the next time he gets a virus or my assistance will only be in the form of a re-format and re-install of the operating system.

Thank your for your help so far!

Ken

Link to post
Share on other sites

  • Staff

OK, lets try something here.

Windows Defender may be reinserting those entries. Please uninstall it via Add\Remove control panel and then update and run MBAM again, but this time please use the 'quick scan' and post the log along with a HJT log, thanks.

Link to post
Share on other sites

I uninstalled Windows Defender, updated the MBAM database from 1520 to 1528, re-ran MBAM and then re-ran HiJackThis. The log files are below:

Malwarebytes' Anti-Malware 1.31

Database version: 1528

Windows 5.1.2600 Service Pack 3

12/21/2008 1:45:33 PM

mbam-log-2008-12-21 (13-45-25).txt

Scan type: Quick Scan

Objects scanned: 52543

Time elapsed: 36 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 3

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{e43b6656-814b-4839-8ff8-affde0da9a3f} (Trojan.Zlob) -> No action taken.

HKEY_CLASSES_ROOT\CLSID\{8710df42-3171-4a3b-9079-3f7d7101552b} (Trojan.Zlob) -> No action taken.

HKEY_CLASSES_ROOT\CLSID\{096cba44-4a4c-49f7-8903-1e75550abcb7} (Trojan.Zlob) -> No action taken.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 1:45:58 PM, on 12/21/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\WINDOWS\System32\svchost.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\OCZ Technology\Mouse\Amoumain.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.avast.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9090

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe

O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE

O4 - HKLM\..\Run: [WheelMouse] C:\Program Files\OCZ Technology\Mouse\Amoumain.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [startCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background

O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'Default user')

O4 - Global Startup: ASUS WiFi-AP Solo.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1214303958468

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1214304017937

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--

End of file - 7216 bytes

Link to post
Share on other sites

  • Staff

I think I see the problem:

O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

Something is preventing that from running to remove those entries. That is the run routine to remove files, registry entries what have you. Try disabling avast and run MBAM see if that gets em.

Typically a reboot gets things done with that routine, but something is preventing it.

Link to post
Share on other sites

I have been running all scans with Avast disabled and MBAM still never deletes the infected registry keys on re-boot. I am also somewhat puzzled by the MBAM dialog that reports that the keys could not be removed but will be removed on a re-boot. The last sentence of the dialog "Your computer needs to be restarted to complete the removal process. Would you like to continue?" followed by YES and NO buttons seems to imply that MBAM will automatically re-boot the computer but no matter which button is selected nothing special happens. MBAM doesn't shutdown nor is the computer automatically re-booted. Also, I don't see anything happening after a re-boot and a MBAM scan still indicates that the registry keys are infected.

I completely uninstalled Avast to make sure it was not running something at startup that prevented MBAM from deleting the registry keys but it didn't make any difference. Here are the MBAM and HiJackThis log files after I did the following:

1) Uninstalled Avast

2) Reboot

3) Updated MBAM datbase from 1528 to 1531

4) Ran MBAM quick scan which found the 3 infected keys

5) Reboot

6) Ran MBAM quick scan which found the 3 infected keys

Malwarebytes' Anti-Malware 1.31

Database version: 1531

Windows 5.1.2600 Service Pack 3

12/22/2008 5:56:30 AM

mbam-log-2008-12-22 (05-56-30).txt

Scan type: Quick Scan

Objects scanned: 52449

Time elapsed: 1 minute(s), 18 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 3

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{e43b6656-814b-4839-8ff8-affde0da9a3f} (Trojan.Zlob) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{8710df42-3171-4a3b-9079-3f7d7101552b} (Trojan.Zlob) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{096cba44-4a4c-49f7-8903-1e75550abcb7} (Trojan.Zlob) -> Delete on reboot.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 6:09:31 AM, on 12/22/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\OCZ Technology\Mouse\Amoumain.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.avast.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9090

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe

O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot

O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE

O4 - HKLM\..\Run: [WheelMouse] C:\Program Files\OCZ Technology\Mouse\Amoumain.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [startCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background

O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'Default user')

O4 - Global Startup: ASUS WiFi-AP Solo.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1214303958468

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1214304017937

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--

End of file - 6659 bytes

Link to post
Share on other sites

  • Staff

OK, lets try another trick, which was provided to me and then while that's going on I'm going to look thru the logs closer.

1. Unplug or turn off your DSL/cable modem.

2. Locate the router's reset button.

3. Press, and hold, the Reset button down for 30 seconds.

4. Wait for your Power, WLAN and Internet light to turn on. (On the router)

5. Plug in or turn on your modem.(if it is separate from the router)

6. Open your web browser to see if you have an internet connection. If you still don't have an internet connection you may need to restart your computer.

Link to post
Share on other sites

I have a home network which consists of 1 router (Dlink DIR-655) , 1 cable modem, 3 switches, 5 computers, 3 game consoles and the occasional guest device. The computer I am trying to clean isn't normally connected to my network and I am rather reluctant to reset my router and loose all the settings that it currently has. I have it set up so that only devices with known MAC addresses can connect and there are many other non-default settings. I think I can save the current configuration and then reload it but I have never tried that. Could you please give me an idea of the probability of a router reset fixing this problem? On a side note the power was out for several hours today so aside from a router reset my network was down and all devices powered off for much of the day. After the power was restored I re-scanned the infected computer with MBAM and the 3 infected registry keys were still there.

Link to post
Share on other sites

  • Staff

With help from some other analysts we're working on a special fix for these entries, thanks for being patient. I'd point out that there are no active malware files on the system. Those entries are harmless.

Be back soon as this has been done.

Link to post
Share on other sites

  • Staff

Sorry it's been so long for a reply.

Holiday hectic. :P

Lets see if this is a permissions problem:

Start REGEDIT and browse to the keys below one by one. When the cursor is on the key in question right click and select PERMISSIONS

If the system is Windows XP Home Edition then you might need to start in safe mode and logon with an account that has administrative rights.

Then click on Advanced and you should see an OWNER tab. Click on that tab and select the Administrators group name or a local Admin account and put a check mark in the Replace owner on subcontainers and objects . Then click Apply and OK.

HKEY_CLASSES_ROOT\CLSID\{e43b6656-814b-4839-8ff8-affde0da9a3f}HKEY_CLASSES_ROOT\CLSID\{8710df42-3171-4a3b-9079-3f7d7101552b}HKEY_CLASSES_ROOT\CLSID\{096cba44-4a4c-49f7-8903-1e75550abcb7}

Go back in and make sure the Administrative account now has FULL control, if not then select the account and check the Allow box for FULL control.

Rescan with MBAM lets see what that shows.

Link to post
Share on other sites

No need to apologize for taking a couple of days to respond. Considering the time of year I think your response time is great.

I followed your instructions and MBAM was able to delete 2 of the registry keys. However, the final registry is proving to be rather more difficult. MBAM is still reporting that it can only delete HKEY_CLASSES_ROOT\CLSID\{e43b6656-814b-4839-8ff8-affde0da9a3f} after a reboot but that never happens. I tried this in a normal windows session and in safe mode as well and no luck getting rid of that key. When I initially look at the permissions for this key in regedit there is only one entry, Everyone, with full control. I add Administrators with full control and then see something like this in the permissions dialog:

Group or user names Full Control

Administrators Full Control checked

After following your instructions and making sure that Administrators and grant full control and then run MBAM after MBAM tries to delete the file I see that the Administrators entry is granted full control

Link to post
Share on other sites

My previous post makes no sense near the end since - for some unknown reason) it was posted while I was still in the middle of composing it.

Anyway, I was trying to show the permissions for the registry key after I changed them in regedit and before I ran MBAM. Once again :

Group or user name Full Control Read Special Permissions

+++++++++++++++++++++++++++++++++++++++++++++++

Administrators Checked Checked Not checked

CREATOR OWNER Not checked Not checked Checked

Everyone Checked Checked Not checked

Power Users Checked Checked Checked

SYSTEM Checked Checked Not checked

Users Checked Checked Not checked

After I scan with MBAM and before I tell it to fix the registry key the permissions above still show up in the regedit permissions dialog. However, once I let MBAM try to fix the registry key the permissions seem to be reset back to only the one entry for Everyone :

Group or user name Full Control Read Special Permissions

+++++++++++++++++++++++++++++++++++++++++++++++

Everyone Checked Checked Not checked

and MBAM reports that it can only delete the registry key after a reboot. However, the reboot doesn't fix the problem. Here is the MBAM log:

Malwarebytes' Anti-Malware 1.31

Database version: 1550

Windows 5.1.2600 Service Pack 3

12/26/2008 11:29:47 AM

mbam-log-2008-12-26 (11-29-47).txt

Scan type: Quick Scan

Objects scanned: 53277

Time elapsed: 1 minute(s), 48 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{e43b6656-814b-4839-8ff8-affde0da9a3f} (Trojan.Zlob) -> Delete on reboot.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Link to post
Share on other sites

  • Staff

Well, we got rid of a couple of them, so little bit of progress. And it's obvious we're dealing with a permissions problem that needs to be addressed.

I'll get with the developers to see how they can work that out.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.