Buckman Posted June 16, 2010

I am a very experienced computer user, but came home to find that my wife had gotten into a bit of trouble. She states that when she was looking for recipes, something took over the browser and opened about 40 windows. It locked up the computer and she had to reboot. Since then, all browsers have obviously been hijacked. I successfully fought off one of these at work a couple of weeks ago and dove right in. However, I am over my head.

The Machine: Dell model with XP Media Center Edition SP3, updated regularly.

Virus Package: PC-cillin, updated regularly.

The Symptoms: When I got home it was showing a few popups for a program called "AV Virus Protection" and a few variants on that name. A shield icon in the system tray gave me a balloon saying that I was unprotected and needed an update, and there were various popups.

My attempts to fix: I managed to boot in safe mode and check the start-up and the registry for anything out of the ordinary. I found a tutorial on the web that told me what to look for with "AV Virus Protection" but found none of the files they suggested might be there. I did a full scan with PC-cillin and found nothing. I did a full scan with the Microsoft Malicious Software Removal Tool and it found nothing. So I managed to roll back Windows to a few days before the event with the recovery tool. After this, I thought I had made some headway. That is, until I tried to use Google. Google specifically seems to be hijacked in any browser that I choose. It will give me various errors when I search and attempt to take me to fake mockups of pages. So I dug deeper. I ran a scan with MBAM and it did find a few issues. Mostly cookies, but a few of the things looked like they might be the culprit. They were successfully removed by MBAM, so I continued. I downloaded another common malware detection program. It too found many problems and successfully removed them. But still the problems with Google persisted.
And IE just suddenly brought up a page for "Car and Driver Magazine" for no reason, without warning. I have spent quite a bit of time on this already and I am stumped. I ran OTL figuring you would need the results:

OTL.TXT
---------------------------------------------
OTL logfile created on: 6/15/2010 5:40:48 PM - Run 1
OTL by OldTimer - Version 3.2.6.0 Folder = C:\Documents and Settings\Lori\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 51.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 57.00% Paging File free
Paging file location(s): [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 461.06 Gb Total Space | 252.50 Gb Free Space | 54.76% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: POWERWAGON
Current User Name: Lori
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Lori\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
PRC - C:\Program Files\Steam\Steam.exe (Valve Corporation)
PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\WINDOWS\system32\Wacom_Tablet.exe (Wacom Technology, Corp.)
PRC - C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe (Wacom Technology, Corp.)
PRC - C:\Program Files\DAEMON Tools Lite\DTLite.exe (DT Soft Ltd)
PRC - C:\Program Files\Trend Micro\Internet Security 14\PcCtlCom.exe (Trend Micro Inc.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\Creative\Shared Files\CTDevSrv.exe (Creative Technology Ltd)
PRC - C:\WINDOWS\system32\PSIService.exe ()
PRC - C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe (Trend Micro Inc.)
PRC - C:\Program Files\Trend Micro\Internet Security 14\tmproxy.exe (Trend Micro Inc.)
PRC - C:\Program Files\Trend Micro\Internet Security 14\TmPfw.exe (Trend Micro Inc.)
PRC - C:\Program Files\Trend Micro\Internet Security 14\Tmntsrv.exe (Trend Micro Inc.)
PRC - C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (Macrovision Corporation)
PRC - C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe (Trend Micro Inc.)
PRC - C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
PRC - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe (Intel Corporation)
PRC - C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\ELService.exe (Intel Corporation)
PRC - C:\WINDOWS\system32\CTXFIHLP.EXE (Creative Technology Ltd)
PRC - C:\WINDOWS\system32\CTXFISPI.EXE (Creative Technology Ltd)
PRC - C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe (Matsushita Electric Industrial Co., Ltd.)
PRC - C:\WINDOWS\CTHELPER.EXE (Creative Technology Ltd)
PRC - C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe (Creative Technology Ltd.)
PRC - C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe (Creative Technology Ltd)
PRC - C:\WINDOWS\system32\DLA\DLACTRLW.EXE (Sonic Solutions)
PRC - C:\Program Files\Microsoft IntelliPoint\point32.exe (Microsoft Corporation)
PRC - C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.exe (Creative Technology Ltd)
PRC - C:\WINDOWS\system32\devldr32.exe (Creative Technology Ltd.)

========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Lori\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\system32\msscript.ocx (Microsoft Corporation)
MOD - C:\WINDOWS\system32\CTAGENT.DLL (Creative Technology Ltd)

========== Win32 Services (SafeList) ==========

SRV - (RoxLiveShare9) -- File not found
SRV - (getPlusHelper) getPlus® -- C:\Program Files\NOS\bin\getPlus_Helper.dll (NOS Microsystems Ltd.)
SRV - (TabletServiceWacom) -- C:\WINDOWS\system32\Wacom_Tablet.exe (Wacom Technology, Corp.)
SRV - (PcCtlCom) -- C:\Program Files\Trend Micro\Internet Security 14\PcCtlCom.exe (Trend Micro Inc.)
SRV - (CTDevice_Srv) -- C:\Program Files\Creative\Shared Files\CTDevSrv.exe (Creative Technology Ltd)
SRV - (ProtexisLicensing) -- C:\WINDOWS\system32\PSIService.exe ()
SRV - (tmproxy) -- C:\Program Files\Trend Micro\Internet Security 14\tmproxy.exe (Trend Micro Inc.)
SRV - (TmPfw) -- C:\Program Files\Trend Micro\Internet Security 14\TmPfw.exe (Trend Micro Inc.)
SRV - (Tmntsrv) -- C:\Program Files\Trend Micro\Internet Security 14\Tmntsrv.exe (Trend Micro Inc.)
SRV - (IAANTMON) Intel® -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe (Intel Corporation)
SRV - (ELService) Intel® -- C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\ELService.exe (Intel Corporation)
SRV - (Imapi Helper) -- C:\Program Files\ISO Recorder\ImapiHelper.exe (Alex Feinman)

========== Driver Services (SafeList) ==========

DRV - (SASKUTIL) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (vmm) -- C:\WINDOWS\system32\drivers\VMM.sys (Microsoft Corporation)
DRV - (SASDIFSV) -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (wacmoumonitor) -- C:\WINDOWS\system32\drivers\wacmoumonitor.sys (Wacom Technology)
DRV - (sptd) -- C:\WINDOWS\System32\Drivers\sptd.sys ()
DRV - (nv) -- C:\WINDOWS\system32\drivers\nv4_mini.sys (NVIDIA Corporation)
DRV - (wacomvhid) -- C:\WINDOWS\system32\drivers\wacomvhid.sys (Wacom Technology)
DRV - (tmxpflt) -- C:\WINDOWS\system32\drivers\tmxpflt.sys (Trend Micro Inc.)
DRV - (tmpreflt) -- C:\WINDOWS\system32\drivers\tmpreflt.sys (Trend Micro Inc.)
DRV - (vsapint) -- C:\WINDOWS\system32\drivers\vsapint.sys (Trend Micro Inc.)
DRV - (RDPVDD) -- C:\WINDOWS\system32\drivers\rdpvmp.sys (Microsoft Corporation)
DRV - (RDPDISPM) -- C:\WINDOWS\system32\drivers\rdpdispm.sys (Microsoft Corporation)
DRV - (truecrypt) -- C:\WINDOWS\system32\drivers\truecrypt.sys (TrueCrypt Foundation)
DRV - (gameenum) -- C:\WINDOWS\system32\drivers\gameenum.sys (Microsoft Corporation)
DRV - (IrBus) -- C:\WINDOWS\system32\drivers\irbus.sys (Microsoft Corporation)
DRV - (usbaudio) USB Audio Driver (WDM) -- C:\WINDOWS\system32\drivers\usbaudio.sys (Microsoft Corporation)
DRV - (amdagp) -- C:\WINDOWS\system32\DRIVERS\amdagp.sys (Advanced Micro Devices, Inc.)
DRV - (sisagp) -- C:\WINDOWS\system32\DRIVERS\sisagp.sys (Silicon Integrated Systems Corporation)
DRV - (wacommousefilter) -- C:\WINDOWS\system32\drivers\wacommousefilter.sys (Wacom Technology)
DRV - (VPCNetS2) -- C:\WINDOWS\system32\drivers\VMNetSrv.sys (Microsoft Corporation)
DRV - (tmcfw) -- C:\WINDOWS\system32\drivers\TM_CFW.sys (Trend Micro Inc.)
DRV - (tmtdi) -- C:\WINDOWS\system32\drivers\tmtdi.sys (Trend Micro Inc.)
DRV - (e1express) Intel® -- C:\WINDOWS\system32\drivers\e1e5132.sys (Intel Corporation)
DRV - (iaStor) -- C:\WINDOWS\system32\drivers\iaStor.sys (Intel Corporation)
DRV - (NAL) -- C:\WINDOWS\system32\drivers\iqvw32.sys (Intel Corporation )
DRV - (ELacpi) -- C:\WINDOWS\system32\drivers\ELacpi.sys (Intel Corporation)
DRV - (ELmon) -- C:\WINDOWS\system32\drivers\Elmon.sys (Intel Corporation)
DRV - (ELkbd) -- C:\WINDOWS\system32\drivers\Elkbd.sys (Intel Corporation)
DRV - (ELmou) -- C:\WINDOWS\system32\drivers\Elmou.sys (Intel Corporation)
DRV - (ELhid) -- C:\WINDOWS\system32\drivers\Elhid.sys (Intel Corporation)
DRV - (ha20x2k) -- C:\WINDOWS\system32\drivers\ha20x2k.sys (Creative Technology Ltd)
DRV - (Angel2) -- C:\WINDOWS\system32\drivers\Angel2.sys (Lumanate, Inc.)
DRV - (ctaud2k) Creative Audio Driver (WDM) -- C:\WINDOWS\system32\drivers\ctaud2k.sys (Creative Technology Ltd)
DRV - (ctprxy2k) -- C:\WINDOWS\system32\drivers\ctprxy2k.sys (Creative Technology Ltd)
DRV - (ossrv) -- C:\WINDOWS\system32\drivers\ctoss2k.sys (Creative Technology Ltd.)
DRV - (ctsfm2k) -- C:\WINDOWS\system32\drivers\ctsfm2k.sys (Creative Technology Ltd)
DRV - (emupia) -- C:\WINDOWS\system32\drivers\emupia2k.sys (Creative Technology Ltd)
DRV - (ctac32k) -- C:\WINDOWS\system32\drivers\ctac32k.sys (Creative Technology Ltd)
DRV - (FileDisk) -- C:\WINDOWS\system32\drivers\filedisk.sys (Bo Brantén)
DRV - (DRVMCDB) -- C:\WINDOWS\System32\Drivers\DRVMCDB.SYS (Sonic Solutions)
DRV - (DLAUDFAM) -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS (Sonic Solutions)
DRV - (DLAUDF_M) -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS (Sonic Solutions)
DRV - (DLAIFS_M) -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS (Sonic Solutions)
DRV - (DLABOIOM) -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS (Sonic Solutions)
DRV - (DLAOPIOM) -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS (Sonic Solutions)
DRV - (DLAPoolM) -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS (Sonic Solutions)
DRV - (DLADResN) -- C:\WINDOWS\system32\DLA\DLADResN.SYS (Sonic Solutions)
DRV - (DLACDBHM) -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS (Sonic Solutions)
DRV - (DLARTL_N) -- C:\WINDOWS\system32\drivers\DLARTL_N.SYS (Sonic Solutions)
DRV - (DRVNDDM) -- C:\WINDOWS\system32\drivers\DRVNDDM.SYS (Sonic Solutions)
DRV - (ctdvda2k) -- C:\WINDOWS\system32\drivers\ctdvda2k.sys (Creative Technology Ltd)
DRV - (SDDMI2) -- C:\WINDOWS\system32\DDMI2.sys (Gteko Ltd.)
DRV - (Aspi32) -- C:\WINDOWS\system32\drivers\ASPI32.SYS (Adaptec)
DRV - (Sparrow) -- C:\WINDOWS\system32\DRIVERS\sparrow.sys (Adaptec, Inc.)
DRV - (sym_u3) -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys (LSI Logic)
DRV - (sym_hi) -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys (LSI Logic)
DRV - (symc8xx) -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys (LSI Logic)
DRV - (symc810) -- C:\WINDOWS\system32\DRIVERS\symc810.sys (Symbios Logic Inc.)
DRV - (ultra) -- C:\WINDOWS\system32\DRIVERS\ultra.sys (Promise Technology, Inc.)
DRV - (ql12160) -- C:\WINDOWS\system32\DRIVERS\ql12160.sys (QLogic Corporation)
DRV - (ql1080) -- C:\WINDOWS\system32\DRIVERS\ql1080.sys (QLogic Corporation)
DRV - (ql1280) -- C:\WINDOWS\system32\DRIVERS\ql1280.sys (QLogic Corporation)
DRV - (dac2w2k) -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys (Mylex Corporation)
DRV - (mraid35x) -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys (American Megatrends Inc.)
DRV - (asc) -- C:\WINDOWS\system32\DRIVERS\asc.sys (Advanced System Products, Inc.)
DRV - (asc3550) -- C:\WINDOWS\system32\DRIVERS\asc3550.sys (Advanced System Products, Inc.)
DRV - (AliIde) -- C:\WINDOWS\system32\DRIVERS\aliide.sys (Acer Laboratories Inc.)
DRV - (CmdIde) -- C:\WINDOWS\system32\DRIVERS\cmdide.sys (CMD Technology, Inc.)
DRV - (MODEMCSA) -- C:\WINDOWS\system32\drivers\MODEMCSA.sys (Microsoft Corporation)
DRV - (sfman) Creative SoundFont Manager Driver (WDM) -- C:\WINDOWS\system32\drivers\sfmanm.sys (Creative Technology Ltd.)
DRV - (emu10k1) Creative Interface Manager Driver (WDM) -- C:\WINDOWS\system32\drivers\ctlfacem.sys (Creative Technology Ltd.)
DRV - (emu10k) Creative SB Live! (WDM) -- C:\WINDOWS\system32\drivers\emu10k1m.sys (Creative Technology Ltd.)
DRV - (nuvvid2) -- C:\WINDOWS\system32\drivers\nuvvid2.sys (Nogatech Ltd.)
DRV - (nuvaud2) -- C:\WINDOWS\system32\drivers\nuvaud2.sys (Nogatech Ltd.)
========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = Dell Start Page
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = Dell Start Page
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = Dell Start Page
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = Google
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "Google"
FF - prefs.js..extensions.enabledItems: {73a6fe31-595d-460b-a920-fcc0f8843232}:1.9.9.87
FF - prefs.js..extensions.enabledItems: {E2883E8F-472F-4fb0-9522-AC9BF37916A7}:1.6.2.63

FF - HKLM\software\mozilla\Mozilla Firefox 2.0.0.20\extensions\\Components: M:\Mozilla Firefox\components
FF - HKLM\software\mozilla\Mozilla Firefox 2.0.0.20\extensions\\Plugins: M:\Mozilla Firefox\plugins
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/06/15 11:25:36 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/06/15 11:36:08 | 000,000,000 | ---D | M]

[2010/06/15 11:25:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\Mozilla\Extensions
[2009/06/04 19:49:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\Mozilla\Extensions\contact@callgraph.in
[2010/06/15 15:14:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\Mozilla\Firefox\Profiles\evqtc5ll.default\extensions
[2010/06/15 11:27:54 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Lori\Application Data\Mozilla\Firefox\Profiles\evqtc5ll.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/06/15 11:27:55 | 000,000,000 | ---D | M] (NoScript) -- C:\Documents and Settings\Lori\Application Data\Mozilla\Firefox\Profiles\evqtc5ll.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
[2010/06/15 11:36:06 | 000,000,000 | ---D | M] (Adobe DLM (powered by getPlus®)) -- C:\Documents and Settings\Lori\Application Data\Mozilla\Firefox\Profiles\evqtc5ll.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
[2010/06/15 11:25:24 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2010/06/15 00:20:13 | 000,000,765 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 84.16.244.58 Google
O1 - Hosts: 84.16.244.58 us.search.yahoo.com
O1 - Hosts: 84.16.244.58 uk.search.yahoo.com
O1 - Hosts: 84.16.244.58 search.yahoo.com
O1 - Hosts: 84.16.244.58 Google
O1 - Hosts: 84.16.244.58 Google
O1 - Hosts: 84.16.244.58 Google
O1 - Hosts: 84.16.244.58 Google
O1 - Hosts: 84.16.244.58 Google
O1 - Hosts: 84.16.244.58 Google
O1 - Hosts: 84.16.244.58 Google
O1 - Hosts: 84.16.244.58 Google
O1 - Hosts: 84.16.244.58 Google
O1 - Hosts: 84.16.244.58 Google
O1 - Hosts: 84.16.244.58 Google
O1 - Hosts: 84.16.244.58 Google
O1 - Hosts: 84.16.244.58 Google
O1 - Hosts: 84.16.244.58 Google
O1 - Hosts: 84.16.244.58 Google
O1 - Hosts: 84.16.244.58 Google
O1 - Hosts: 84.16.244.58 Google
O1 - Hosts: 84.16.244.58 Google
O1 - Hosts: 84.16.244.58 Google
O1 - Hosts: 84.16.244.58 Google
O1 - Hosts: 84.16.244.58 Google
O1 - Hosts: 2 more lines...
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\DLA\DLASHX_W.DLL (Sonic Solutions)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll (Sun Microsystems, Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {32099AAC-C132-4136-9E9A-4E364A424E17} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {981FE6A8-260C-4930-960F-C3BC82746CB0} - No CLSID value found.
O4 - HKLM..\Run: [AudioDrvEmulator] C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe (Creative Technology Ltd.)
O4 - HKLM..\Run: [CTDVDDET] C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE (Creative Technology Ltd)
O4 - HKLM..\Run: [CTHelper] C:\WINDOWS\CTHELPER.EXE (Creative Technology Ltd)
O4 - HKLM..\Run: [CTxfiHlp] C:\WINDOWS\System32\CTXFIHLP.EXE (Creative Technology Ltd)
O4 - HKLM..\Run: [DLA] C:\WINDOWS\system32\DLA\DLACTRLW.EXE (Sonic Solutions)
O4 - HKLM..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
O4 - HKLM..\Run: [intelliPoint] C:\Program Files\Microsoft IntelliPoint\point32.exe (Microsoft Corporation)
O4 - HKLM..\Run: [iSUSPM Startup] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (Macrovision Corporation)
O4 - HKLM..\Run: [iSUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (Macrovision Corporation)
O4 - HKLM..\Run: [MFP1815_S2P] C:\Program Files\Dell\Dell Laser MFP 1815\PSU\Scan2pc.exe ()
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NWEReboot] File not found
O4 - HKLM..\Run: [nwiz] File not found
O4 - HKLM..\Run: [pccguide.exe] C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe (Trend Micro Inc.)
O4 - HKLM..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [updReg] C:\WINDOWS\Updreg.EXE (Creative Technology Ltd.)
O4 - HKLM..\Run: [userFaultCheck] File not found
O4 - HKLM..\Run: [VolPanel] C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe (Creative Technology Ltd)
O4 - HKCU..\Run: [DAEMON Tools Lite] C:\Program Files\DAEMON Tools Lite\DTLite.exe (DT Soft Ltd)
O4 - HKCU..\Run: [iSUSPM] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (Macrovision Corporation)
O4 - HKCU..\Run: [OE_OEM] C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe (Trend Micro Inc.)
O4 - HKCU..\Run: [steam] C:\Program Files\Steam\Steam.exe (Valve Corporation)
O4 - HKCU..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O4 - HKCU..\RunOnce: [shockwave Updater] C:\WINDOWS\System32\Adobe\Shockwave 11\SwHelper_1150595.exe -Update -1150595 -Mozilla\4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident\4.0; File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\LUMIX Simple Viewer.lnk = C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe (Matsushita Electric Industrial Co., Ltd.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll (Sun Microsystems, Inc.)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} http://support.dell.com/systemprofiler/SysPro.CAB (SysProWmi Class)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} Seite nicht gefunden (Facebook Photo Uploader 5 Control)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {40F8967E-34A6-474A-837A-CEC1E7DAC54C} https://accounting.quickbooks.com/c1/v16.561/qboax9.cab (Reg Error: Key error.)
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.8.cab (DLM Control)
O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} http://ccfiles.creative.com/Web/softwareupdate/su/ocx/15101/CTSUEng.cab (Creative Software AutoUpdate)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1166037347859 (MUWebControl Class)
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} http://webgames.d.tmsrv.com/c=223ca9156990d74223a5e0efb4d55836/aff=trygames_wg/p/release/mumbo/wg_luxor2/luxor2/mjolauncher.cab (MJLauncherCtrl Class)
O16 - DPF: {843EE768-3A97-455C-9076-741BA3AD7B62} https://accounting.quickbooks.com/c1/v16.608/qboax10.cab (QuickBooks Online Edition Utilities Class v10)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://javadl-esd.sun.com/update/1.6.0/jinstall-6u5-windows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {A3E21079-7F41-4125-9EBB-FD44CFCC0AC1} https://www.mesh.com/0.9.3103.13/TSWeb.cab (Reg Error: Value error.)
O16 - DPF: {BAC761D3-DFFD-4DB4-A01D-173346E090A7} http://aolsvc.aol.com/onlinegames/free-trial-zenerchi/ZenerchiWeb.1.0.0.10.cab (CPlayFirstzenerchiControl Object)
O16 - DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-27-0.cab (EPUImageControl Class)
O16 - DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} http://www.yoyogames.com/downloads/activex/YoYo.cab (YYGInstantPlay Control)
O16 - DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} http://office.microsoft.com/officeupdate/content/opuc4.cab (Office Update Installation Engine)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Reg Error: Key error.)
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe (Virtools WebPlayer Class)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (get_atlcom Class)
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} http://ccfiles.creative.com/Web/softwareupdate/su/ocx/15111/CTPID.cab (Creative Software AutoUpdate Support Package)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O24 - Desktop WallPaper: C:\Documents and Settings\Lori\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Lori\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/08/16 06:43:04 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{1a58ec34-e83f-11de-b649-001676b674e2}\Shell - "" = AutoRun
O33 - MountPoints2\{1a58ec34-e83f-11de-b649-001676b674e2}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{1a58ec34-e83f-11de-b649-001676b674e2}\Shell\AutoRun\command - "" = J:\WINDOWS\IronKey.exe -- File not found
O33 - MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\Shell\AutoRun\command - "" = E:\setup.exe -- File not found
O33 - MountPoints2\{58a3a095-2045-11dd-b5c7-001676b674e2}\Shell - "" = AutoRun
O33 - MountPoints2\{58a3a095-2045-11dd-b5c7-001676b674e2}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{58a3a095-2045-11dd-b5c7-001676b674e2}\Shell\AutoRun\command - "" = I:\WINDOWS\IronKey.exe -- File not found
O33 - MountPoints2\{7144ff19-69a4-11de-b622-001676b674e2}\Shell - "" = AutoRun
O33 - MountPoints2\{7144ff19-69a4-11de-b622-001676b674e2}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{7144ff19-69a4-11de-b622-001676b674e2}\Shell\AutoRun\command - "" = I:\IronKey.exe -- File not found
O33 - MountPoints2\{978b5df5-1f17-11df-9e68-001676b674e2}\Shell - "" = AutoRun
O33 - MountPoints2\{978b5df5-1f17-11df-9e68-001676b674e2}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{978b5df5-1f17-11df-9e68-001676b674e2}\Shell\AutoRun\command - "" = I:\LaunchU3.exe -- File not found
O33 - MountPoints2\{d0ab9b99-8a76-11de-b62e-001676b674e2}\Shell - "" = AutoRun
O33 - MountPoints2\{d0ab9b99-8a76-11de-b62e-001676b674e2}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{d0ab9b99-8a76-11de-b62e-001676b674e2}\Shell\AutoRun\command - "" = J:\IronKey.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2005/08/16 06:22:48 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

MsConfig - State: "system.ini" - 0
MsConfig - State: "win.ini" - 0
MsConfig - State: "bootini" - 0
MsConfig - State: "services" - 0
MsConfig - State: "startup" - 0

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (69256455022182400)

========== Files/Folders - Created Within 30 Days ==========

[2010/06/15 17:39:17 | 000,572,416 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Lori\Desktop\OTL.exe
[2010/06/15 16:28:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lori\Application Data\SUPERAntiSpyware.com
[2010/06/15 16:28:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2010/06/15 16:28:20 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010/06/15 16:18:03 | 000,000,000 | ---D | C] -- C:\Avenger
[2010/06/15 14:38:49 | 000,000,000 | ---D | C] -- C:\Program Files\EraserPortable
[2010/06/15 12:29:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lori\Application Data\Malwarebytes
[2010/06/15 12:29:42 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/06/15 12:29:41 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/06/15 12:29:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/06/15 12:29:40 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/06/15 12:22:29 | 000,050,688 | ---- | C] (Atribune.org) -- C:\Documents and Settings\Lori\Desktop\ATF-Cleaner.exe
[2010/06/15 11:39:18 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe AIR
[2010/06/15 11:37:39 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\Adobe
[2010/06/15 11:25:23 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2010/06/15 10:24:09 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[2010/06/15 00:21:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/06/15 00:21:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/06/14 23:58:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lori\Application Data\Sky-Banners
[2010/06/14 03:22:21 | 000,743,424 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iedvtool.dll
[2010/06/10 18:25:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lori\Application Data\TuxPaint
[2010/06/10 18:24:34 | 000,000,000 | ---D | C] -- C:\Program Files\TuxPaint
[2010/05/26 01:10:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lori\Application Data\gtk-2.0
[2010/05/25 20:40:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lori\.gimp-2.6
[2010/05/25 20:40:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lori\My Documents\gegl-0.0
[2010/05/25 20:40:04 | 000,000,000 | ---D | C] -- C:\Program Files\GIMP-2.0
[2010/05/25 20:28:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lori\Application Data\WTablet
[2010/05/25 20:27:57 | 000,000,000 | ---D | C] -- C:\Program Files\TabletPlugins
[2010/05/25 20:27:56 | 007,773,040 | ---- | C] (Wacom Technology, Corp.) -- C:\WINDOWS\System32\WacomTablet.cpl
[2010/05/25 20:26:30 | 000,011,312 | ---- | C] (Wacom Technology) -- C:\WINDOWS\System32\drivers\wacommousefilter.sys
[2010/05/25 20:26:28 | 000,014,120 | ---- | C] (Wacom Technology) -- C:\WINDOWS\System32\drivers\wacomvhid.sys
[2010/05/25 20:26:26 | 000,016,168 | ---- | C] (Wacom Technology) -- C:\WINDOWS\System32\drivers\wacmoumonitor.sys
[2010/05/25 20:26:26 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\WTablet
[2010/05/25 20:26:24 | 005,010,288 | ---- | C] (Wacom Technology, Corp.) -- C:\WINDOWS\System32\Wacom_Tablet.exe
[2010/05/25 20:26:24 | 000,415,600 | ---- | C] (Wacom Technology, Corp.) -- C:\WINDOWS\System32\Wacom_Tablet.dll
[2010/05/25 20:26:24 | 000,294,400 | ---- | C] (Wacom Technology, Corp.) -- C:\WINDOWS\System32\Wintab32.dll
[2010/05/25 20:26:22 | 000,000,000 | ---D | C] -- C:\Program Files\Tablet
[2010/05/25 18:25:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\WTablet
[2010/05/24 19:04:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lori\.thumbnails
[2010/05/17 15:57:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lori\Desktop\art
[2006/12/13 12:50:56 | 000,335,872 | ---- | C] ( ) -- C:\WINDOWS\System32\lexlog.dll
[2006/12/08 12:17:55 | 000,033,792 | R--- | C] ( ) -- C:\WINDOWS\System32\a3d.dll
[8 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\*.tmp files -> C:\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/06/15 17:39:22 | 000,572,416 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Lori\Desktop\OTL.exe
[2010/06/15 17:32:56 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/06/15 17:31:02 | 000,264,653 | ---- | M] () -- C:\WINDOWS\System32\NvApps.xml
[2010/06/15 17:30:10 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/06/15 17:30:08 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/06/15 17:29:54 | 2145,300,480 | -HS- | M] () -- C:\hiberfil.sys
[2010/06/15 17:28:35 | 011,272,192 | ---- | M] () -- C:\Documents and Settings\Lori\ntuser.dat
[2010/06/15 17:28:35 | 000,064,980 | ---- | M] () -- C:\WINDOWS\System32\DVCState-{00000004-00000000-00000004-00001102-00000005-10031102}.rfx
[2010/06/15 17:28:35 | 000,055,172 | ---- | M] () -- C:\WINDOWS\System32\BMXStateBkp-{00000004-00000000-00000004-00001102-00000005-10031102}.rfx
[2010/06/15 17:28:35 | 000,055,172 | ---- | M] () -- C:\WINDOWS\System32\BMXState-{00000004-00000000-00000004-00001102-00000005-10031102}.rfx
[2010/06/15 17:28:35 | 000,001,080 | ---- | M] () -- C:\WINDOWS\System32\settingsbkup.sfm
[2010/06/15 17:28:35 | 000,001,080 | ---- | M] () -- C:\WINDOWS\System32\settings.sfm
[2010/06/15 16:58:00 | 000,000,412 | ---- | M] () -- C:\WINDOWS\tasks\Updater.job [2010/06/15 16:28:25 | 000,001,678 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk [2010/06/15 15:31:19 | 000,000,420 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{205FFA7B-8B8E-4420-A4D9-7DD7D87A6636}.job [2010/06/15 15:19:26 | 000,001,316 | -HS- | M] () -- C:\WINDOWS\System32\KGyGaAvL.sys [2010/06/15 14:47:53 | 000,000,754 | ---- | M] () -- C:\Documents and Settings\Lori\Desktop\EraserPortable.exe.lnk [2010/06/15 12:29:45 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk [2010/06/15 12:22:29 | 000,050,688 | ---- | M] (Atribune.org) -- C:\Documents and Settings\Lori\Desktop\ATF-Cleaner.exe [2010/06/15 12:02:50 | 109,456,774 | ---- | M] () -- C:\Documents and Settings\Lori\Desktop\reg_backup.reg [2010/06/15 11:25:28 | 000,001,602 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk [2010/06/15 10:58:03 | 000,372,872 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT [2010/06/15 10:53:15 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK [2010/06/15 10:47:11 | 000,553,312 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI [2010/06/15 10:47:11 | 000,477,622 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat [2010/06/15 10:47:11 | 000,085,804 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat [2010/06/15 10:35:22 | 000,000,821 | ---- | M] () -- C:\WINDOWS\win.ini [2010/06/15 10:35:22 | 000,000,259 | ---- | M] () -- C:\WINDOWS\system.ini [2010/06/15 10:35:22 | 000,000,209 | -HS- | M] () -- C:\boot.ini [2010/06/15 04:07:51 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat [2010/06/15 00:16:19 | 000,000,312 | ---- | M] () -- C:\WINDOWS\popcinfot.dat [2010/06/15 00:06:41 | 002,109,342 | -H-- | M] () -- C:\Documents and Settings\Lori\Local Settings\Application Data\IconCache.db [2010/06/13 18:00:00 | 000,000,404 | ---- 
| M] () -- C:\WINDOWS\tasks\Norton Security Scan for Zoe.job [2010/06/12 17:45:12 | 000,004,041 | ---- | M] () -- C:\Documents and Settings\Lori\.recently-used.xbel [2010/06/12 16:55:12 | 000,000,297 | ---- | M] () -- C:\Documents and Settings\Lori\Desktop\Zoe Land.url [2010/06/10 18:24:42 | 000,000,630 | ---- | M] () -- C:\Documents and Settings\Lori\Desktop\Tux Paint.lnk [2010/06/08 13:25:35 | 000,150,016 | ---- | M] () -- C:\Documents and Settings\Lori\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [2010/06/05 10:29:47 | 000,000,874 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Cosmic Bugs.lnk [2010/05/28 00:08:42 | 000,000,023 | ---- | M] () -- C:\WINDOWS\BlendSettings.ini [2010/05/26 16:04:23 | 000,000,117 | -H-- | M] () -- C:\WINDOWS\popcreg.dat [2010/05/25 20:40:32 | 000,000,790 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\GIMP 2.lnk [2010/05/25 20:00:48 | 000,113,863 | ---- | M] () -- C:\Documents and Settings\Lori\Desktop\Superman.xcf [2010/05/25 17:49:41 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Lori\ntuser.ini [2010/05/24 18:01:37 | 000,026,112 | ---- | M] () -- C:\Documents and Settings\Lori\Desktop\June 2010.xls [2010/05/22 07:36:29 | 000,025,600 | ---- | M] () -- C:\Documents and Settings\Lori\Desktop\may 2010.xls [2010/05/18 21:39:49 | 386,478,079 | ---- | M] () -- C:\Documents and Settings\Lori\Desktop\FANTASTIC_MR_FOX.ISO [8 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ] [2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ] [1 C:\*.tmp files -> C:\*.tmp -> ] ========== Files Created - No Company Name ========== [2010/06/15 16:28:25 | 000,001,678 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk [2010/06/15 14:47:23 | 000,000,754 | ---- | C] () -- C:\Documents and Settings\Lori\Desktop\EraserPortable.exe.lnk [2010/06/15 12:29:45 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All 
Users\Desktop\Malwarebytes' Anti-Malware.lnk [2010/06/15 12:02:43 | 109,456,774 | ---- | C] () -- C:\Documents and Settings\Lori\Desktop\reg_backup.reg [2010/06/15 11:25:28 | 000,001,602 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk [2010/06/15 10:37:33 | 2145,300,480 | -HS- | C] () -- C:\hiberfil.sys [2010/06/15 00:41:44 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat [2010/06/14 23:58:05 | 000,000,412 | ---- | C] () -- C:\WINDOWS\tasks\Updater.job [2010/06/12 17:45:12 | 000,004,041 | ---- | C] () -- C:\Documents and Settings\Lori\.recently-used.xbel [2010/06/11 17:41:10 | 011,272,192 | ---- | C] () -- C:\Documents and Settings\Lori\ntuser.dat [2010/06/10 18:26:18 | 000,000,630 | ---- | C] () -- C:\Documents and Settings\Lori\Desktop\Tux Paint.lnk [2010/06/05 10:29:47 | 000,000,874 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Cosmic Bugs.lnk [2010/05/25 20:40:32 | 000,000,790 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\GIMP 2.lnk [2010/05/25 20:27:56 | 001,746,986 | ---- | C] () -- C:\WINDOWS\System32\WacomTablet.znc [2010/05/25 20:00:48 | 000,113,863 | ---- | C] () -- C:\Documents and Settings\Lori\Desktop\Superman.xcf [2010/05/22 07:36:51 | 000,026,112 | ---- | C] () -- C:\Documents and Settings\Lori\Desktop\June 2010.xls [2010/05/22 07:36:29 | 000,025,600 | ---- | C] () -- C:\Documents and Settings\Lori\Desktop\may 2010.xls [2010/05/18 21:32:01 | 386,478,079 | ---- | C] () -- C:\Documents and Settings\Lori\Desktop\FANTASTIC_MR_FOX.ISO [2010/02/09 09:54:18 | 000,000,183 | ---- | C] () -- C:\WINDOWS\civ.ini [2009/09/13 14:58:31 | 000,000,033 | ---- | C] () -- C:\WINDOWS\Eraser.INI [2009/07/20 15:26:01 | 000,000,023 | ---- | C] () -- C:\WINDOWS\BlendSettings.ini [2009/04/22 00:19:06 | 000,172,173 | ---- | C] () -- C:\WINDOWS\System32\xlive.dll.cat [2008/09/17 13:49:52 | 000,000,037 | ---- | C] () -- C:\WINDOWS\C30Tbo.INI [2008/09/04 22:28:30 | 000,000,000 | ---- | C] () -- 
C:\WINDOWS\iPlayer.INI [2008/06/29 14:46:38 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI [2008/05/12 13:03:30 | 000,000,097 | ---- | C] () -- C:\WINDOWS\System32\PICSDK.ini [2008/02/01 02:52:26 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini [2008/01/26 22:55:42 | 001,936,528 | ---- | C] () -- C:\WINDOWS\System32\ltmm15.dll [2008/01/05 18:35:18 | 000,010,240 | ---- | C] () -- C:\WINDOWS\System32\vidx16.dll [2007/12/23 23:26:48 | 000,021,840 | ---- | C] () -- C:\WINDOWS\System32\SIntfNT.dll [2007/12/23 23:26:48 | 000,017,212 | ---- | C] () -- C:\WINDOWS\System32\SIntf32.dll [2007/12/23 23:26:48 | 000,012,067 | ---- | C] () -- C:\WINDOWS\System32\SIntf16.dll [2007/12/14 23:32:10 | 000,000,021 | ---- | C] () -- C:\WINDOWS\atid.ini [2007/11/15 11:54:51 | 000,000,605 | ---- | C] () -- C:\WINDOWS\hegames.ini [2007/10/14 17:01:27 | 000,000,165 | ---- | C] () -- C:\WINDOWS\BluesCluesPreschool.ini [2007/09/29 16:01:39 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini [2007/09/17 01:07:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll [2007/06/22 13:01:57 | 000,691,696 | ---- | C] () -- C:\WINDOWS\System32\drivers\sptd.sys [2007/05/26 23:00:08 | 000,043,520 | ---- | C] () -- C:\WINDOWS\System32\CmdLineExt03.dll [2007/04/05 22:09:03 | 000,000,600 | ---- | C] () -- C:\WINDOWS\Rtcw.INI [2007/01/14 18:47:18 | 000,094,208 | R--- | C] () -- C:\WINDOWS\System32\WIAIPH.dll [2007/01/14 18:47:18 | 000,086,016 | R--- | C] () -- C:\WINDOWS\System32\WIAEH.dll [2007/01/14 18:47:18 | 000,049,152 | R--- | C] () -- C:\WINDOWS\System32\WIASTIIO.dll [2007/01/14 18:47:18 | 000,049,152 | R--- | C] () -- C:\WINDOWS\System32\Sswiadrv.dll [2007/01/07 00:08:02 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\SVSetup.dll [2007/01/07 00:08:01 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\DELG1CI.dll [2007/01/07 00:08:01 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\d1815ci.dll [2007/01/07 00:08:01 | 000,053,248 | ---- | C] () -- 
C:\WINDOWS\System32\VdSetup.dll [2007/01/07 00:08:01 | 000,022,663 | ---- | C] () -- C:\WINDOWS\System32\DELG1LMK.DLL [2006/12/29 16:15:24 | 000,000,749 | ---- | C] () -- C:\WINDOWS\cdplayer.ini [2006/12/13 13:41:58 | 000,155,648 | R--- | C] () -- C:\WINDOWS\System32\gencoin.dll [2006/12/13 13:41:58 | 000,102,400 | R--- | C] () -- C:\WINDOWS\System32\softcoin.dll [2006/12/13 12:51:06 | 000,000,507 | ---- | C] () -- C:\WINDOWS\DKAAY2DD.ini [2006/12/12 00:43:17 | 000,000,072 | ---- | C] () -- C:\WINDOWS\sbwin.ini [2006/12/11 21:24:50 | 000,001,316 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys [2006/12/08 12:48:50 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini [2006/12/08 12:42:44 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI [2006/12/08 12:39:24 | 000,000,126 | ---- | C] () -- C:\WINDOWS\wininit.ini [2006/12/08 12:12:46 | 000,038,400 | ---- | C] () -- C:\WINDOWS\System32\CTBURST.DLL [2006/12/08 12:12:46 | 000,000,194 | ---- | C] () -- C:\WINDOWS\System32\KILL.INI [2006/12/08 12:12:46 | 000,000,053 | ---- | C] () -- C:\WINDOWS\System32\ctzapxx.ini [2006/12/08 12:12:45 | 000,050,432 | ---- | C] () -- C:\WINDOWS\System32\claptn.ini [2006/12/08 12:11:43 | 000,102,480 | ---- | C] () -- C:\WINDOWS\System32\EzRating.dll [2006/12/08 12:11:43 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\EzdCoIns.dll [2006/12/08 12:10:44 | 000,000,393 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI [2006/09/27 07:19:25 | 000,143,360 | ---- | C] () -- C:\WINDOWS\System32\C30coi.dll [2005/11/10 03:56:34 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini [2005/08/16 06:37:24 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini [2005/08/16 06:18:33 | 001,291,776 | ---- | C] () -- C:\WINDOWS\System32\quartz(2).dll [2005/08/05 16:01:54 | 000,235,008 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll [2003/01/07 17:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI ========== LOP Check ========== [2010/05/25 16:32:19 | 000,000,000 | 
---D | M] -- C:\Documents and Settings\All Users\Application Data\Astroburn Lite [2010/05/25 16:30:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Astroburn Pro [2009/06/19 21:09:48 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Citrix [2009/12/12 12:35:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Lite [2009/02/08 19:25:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Fallout3 [2010/04/30 00:18:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Friends Games [2007/04/30 20:35:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\iWin Games [2008/02/26 17:32:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\JollyBear [2007/11/07 16:16:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MumboJumbo [2007/05/03 12:43:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Palo Alto Software [2007/04/14 11:17:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PlayFirst [2007/10/31 12:28:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PopCap [2009/01/17 01:05:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PopCap Games [2010/01/22 16:16:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PopCapv1005 [2007/04/13 11:48:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sandlot Games [2007/05/03 12:07:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ScreenSeven [2008/05/14 15:45:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SpinTop Games [2010/04/03 23:29:52 | 000,000,000 | ---D | M] -- C:\Documents and 
Settings\All Users\Application Data\TEMP [2009/09/16 15:44:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Thomson.ResearchSoft.Installers [2010/05/25 17:03:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint [2010/01/16 19:34:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\YoYoGames [2010/03/11 00:24:12 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{7A246771-272C-415B-B2AB-AE698ADB7EEB} [2007/05/10 10:45:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\7Wonders [2010/05/25 16:54:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\Amazon [2008/01/04 20:12:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\Arduino [2010/02/09 10:14:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\Astroburn Lite [2010/02/13 19:07:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\Astroburn Pro [2009/11/24 11:22:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\Bioshock [2008/02/08 23:12:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\DAEMON Tools [2010/01/16 19:34:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\DAEMON Tools Lite [2009/09/16 19:39:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\EndNote [2009/12/14 11:41:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\FileZilla [2008/05/30 19:00:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\Flickr [2008/01/26 22:55:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\GetRightToGo [2010/05/25 20:00:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\gtk-2.0 [2008/03/22 14:45:27 | 000,000,000 | ---D 
| M] -- C:\Documents and Settings\Lori\Application Data\ImgBurn [2009/08/21 14:58:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\IronKey [2007/05/19 11:39:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\iWin [2008/01/21 22:38:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\JungleDisk [2007/03/28 13:28:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\Leadertech [2007/05/06 12:37:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\Magic Academy [2007/04/09 14:02:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\Magic Match [2008/11/24 11:53:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\MITSTN [2008/06/12 14:44:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\MSNInstaller [2009/01/17 02:55:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\My Battle for Middle-earth Files [2009/01/25 05:29:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\NetMedia Providers [2009/10/31 01:08:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\Notepad++ [2006/12/13 15:10:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\OfficeUpdate12 [2007/05/03 12:45:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\Palo Alto Software [2008/05/12 13:06:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\Panasonic [2008/04/09 20:49:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\PlayFirst [2010/04/26 21:05:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\PopCapv1001 [2009/12/08 18:08:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\PopCapv1002 [2008/07/28 21:57:28 | 000,000,000 | ---D | M] 
-- C:\Documents and Settings\Lori\Application Data\PopCapv1005 [2009/01/25 05:29:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\Publish Providers [2008/08/09 18:08:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\REAPER [2010/06/14 23:58:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\Sky-Banners [2008/02/16 20:04:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\Smart Recorder [2009/01/25 05:29:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\Sony [2008/02/11 17:16:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\Stamps.com Internet Postage [2007/02/19 12:27:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\Template [2008/03/21 02:04:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\Thunderbird [2008/07/13 20:13:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\TrueCrypt [2010/06/10 18:27:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\TuxPaint [2009/04/21 10:41:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\TweetDeckFast.F9107117265DB7542C1A806C8DB837742CE14C21.1 [2009/09/18 19:05:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\Unity [2007/11/28 23:30:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\URSE Games [2007/08/13 11:32:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\yoclient [2010/06/15 16:58:00 | 000,000,412 | ---- | M] () -- C:\WINDOWS\Tasks\Updater.job [2010/06/15 15:31:19 | 000,000,420 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{205FFA7B-8B8E-4420-A4D9-7DD7D87A6636}.job ========== Purity Check ========== ========== Custom Scans ========== < %SYSTEMDRIVE%\*.exe > < MD5 for: AGP440.SYS > [2004/08/10 
07:00:00 | 016,971,599 | ---- | M] () .cab file -- C:\i386\sp2.cab:AGP440.sys [2004/08/10 07:00:00 | 016,971,599 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys [2008/08/29 10:47:58 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys [2008/08/29 10:47:58 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys [2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys [2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys [2004/08/04 01:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\i386\AGP440.SYS [2004/08/04 01:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys < MD5 for: ATAPI.SYS > [2004/08/10 07:00:00 | 016,971,599 | ---- | M] () .cab file -- C:\i386\sp2.cab:atapi.sys [2004/08/10 07:00:00 | 016,971,599 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys [2008/08/29 10:47:58 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys [2008/08/29 10:47:58 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys [2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys [2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys [2004/08/04 00:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\i386\atapi.sys [2004/08/04 00:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- 
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys < MD5 for: EVENTLOG.DLL > [2008/04/13 20:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll [2008/04/13 20:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll [2004/08/10 07:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\i386\eventlog.dll [2004/08/10 07:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll < MD5 for: IASTOR.SYS > [2006/10/10 15:03:48 | 000,246,784 | ---- | M] (Intel Corporation) MD5=019CF5F31C67030841233C545A0E217A -- C:\drivers\storage\R130118\iastor.sys [2006/07/06 08:59:42 | 000,246,784 | ---- | M] (Intel Corporation) MD5=019CF5F31C67030841233C545A0E217A -- C:\i386\iaStor.sys [2006/07/06 08:59:42 | 000,246,784 | ---- | M] (Intel Corporation) MD5=019CF5F31C67030841233C545A0E217A -- C:\Program Files\Intel\Intel Matrix Storage Manager\Driver\iaStor.sys [2006/07/06 08:59:42 | 000,246,784 | ---- | M] (Intel Corporation) MD5=019CF5F31C67030841233C545A0E217A -- C:\WINDOWS\system32\drivers\iaStor.sys [2006/10/10 15:03:48 | 000,246,784 | ---- | M] (Intel Corporation) MD5=019CF5F31C67030841233C545A0E217A -- C:\WINDOWS\system32\ReinstallBackups\0014\DriverFiles\iaStor.sys [2006/07/06 09:01:32 | 000,484,864 | ---- | M] (Intel Corporation) MD5=6A3C354BFC163B81F6EF2FC421280DB5 -- C:\Program Files\Intel\Intel Matrix Storage Manager\Driver64\IaStor.sys < MD5 for: NETLOGON.DLL > [2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll [2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll [2004/08/10 07:00:00 | 000,407,040 | 
---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\i386\netlogon.dll [2004/08/10 07:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll < MD5 for: SCECLI.DLL > [2004/08/10 07:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\i386\scecli.dll [2004/08/10 07:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll [2008/04/13 20:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll [2008/04/13 20:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll < %systemroot%\*. /mp /s > < %systemroot%\system32\*.dll /lockedfiles > [2008/04/13 20:11:51 | 001,267,200 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\comsvcs.dll [8 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ] < %systemroot%\Tasks\*.job /lockedfiles > < %systemroot%\system32\drivers\*.sys /lockedfiles > [2009/12/12 12:35:48 | 000,691,696 | ---- | M] () Unable to obtain MD5 -- C:\WINDOWS\system32\drivers\sptd.sys ========== Alternate Data Streams ========== @Alternate Data Stream - 130 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:72E6616C @Alternate Data Stream - 129 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:8643C5BE @Alternate Data Stream - 123 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:756C8543 @Alternate Data Stream - 122 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:B203B914 @Alternate Data Stream - 122 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:69D94DFA @Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application 
Data\TEMP:8E3D07DE @Alternate Data Stream - 119 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:411E1BE2 @Alternate Data Stream - 114 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:359B3BDA @Alternate Data Stream - 106 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:4E1E5A60 @Alternate Data Stream - 100 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C24B973A < End of report > --------------------------
Thanks in advance for any help you can give me. I am usually the person people come to for help, but this has me stumped. There are some cowboys in here...
Buckman (Author) Posted June 16, 2010
Adding the OTL Extras...too big for one post.
------------------------------------------------- OTL EXTRAS RESULTS OTL Extras logfile created on: 6/15/2010 5:40:48 PM - Run 1 OTL by OldTimer - Version 3.2.6.0 Folder = C:\Documents and Settings\Lori\Desktop Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation Internet Explorer (Version = 8.0.6001.18702) Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy 2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 51.00% Memory free 2.00 Gb Paging File | 1.00 Gb Available in Paging File | 57.00% Paging File free Paging file location(s): [binary data] %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files Drive C: | 461.06 Gb Total Space | 252.50 Gb Free Space | 54.76% Space Free | Partition Type: NTFS D: Drive not present or media not loaded E: Drive not present or media not loaded F: Drive not present or media not loaded G: Drive not present or media not loaded H: Drive not present or media not loaded I: Drive not present or media not loaded Computer Name: POWERWAGON Current User Name: Lori Logged in as Administrator.
Current Boot Mode: Normal Scan Mode: Current user Company Name Whitelist: Off Skip Microsoft Files: Off File Age = 30 Days Output = Minimal ========== Extra Registry (SafeList) ========== ========== File Associations ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>] [HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>] .html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) ========== Shell Spawning ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command] batfile [open] -- "%1" %* cmdfile [open] -- "%1" %* comfile [open] -- "%1" %* exefile [open] -- "%1" %* htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation) htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation) piffile [open] -- "%1" %* regfile [merge] -- Reg Error: Key error. scrfile [config] -- "%1" scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation) scrfile [open] -- "%1" /S txtfile [edit] -- Reg Error: Key error. Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Directory [MediaMonkey.1Play] -- "C:\Program Files\MediaMonkey\MediaMonkey.exe" "%1" (Ventis Media Inc.) Directory [MediaMonkey.2PlayNext] -- "C:\Program Files\MediaMonkey\MediaMonkey.exe" /NEXT "%1" (Ventis Media Inc.) Directory [MediaMonkey.3Enqueue] -- "C:\Program Files\MediaMonkey\MediaMonkey.exe" /ADD "%1" (Ventis Media Inc.) 
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation) Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation) Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) ========== Security Center Settings ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center] "FirstRunDisabled" = 1 "AntiVirusDisableNotify" = 0 "FirewallDisableNotify" = 0 "UpdatesDisableNotify" = 0 "AntiVirusOverride" = 0 "FirewallOverride" = 0 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus] "DisableMonitoring" = 1 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall] "DisableMonitoring" = 1 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List] "139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004 "445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005 "137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001 "138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] "EnableFirewall" = 0 "DoNotAllowExceptions" = 0 "DisableNotifications" = 0 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List] "139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004 "445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005 "137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001 "138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002 "2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008 "1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007 "3724:TCP" = 3724:TCP:*:Enabled:Blizzard Downloader: 3724 ========== Authorized Applications List ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List] "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL -- File not found "C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL -- File not found "C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AOL -- File not found "C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe" = C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe:*:Enabled:RoxioUPnPRenderer9 -- File not found [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] "C:\Program 
Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL -- File not found "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL -- File not found "C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AOL -- File not found "C:\Program Files\Atari\Neverwinter Nights 2\nwn2main.exe" = C:\Program Files\Atari\Neverwinter Nights 2\nwn2main.exe:*:Enabled:Neverwinter Nights 2 Main -- File not found "C:\Program Files\Atari\Neverwinter Nights 2\nwn2main_amdxp.exe" = C:\Program Files\Atari\Neverwinter Nights 2\nwn2main_amdxp.exe:*:Enabled:Neverwinter Nights 2 AMD -- File not found "C:\Program Files\Atari\Neverwinter Nights 2\nwupdate.exe" = C:\Program Files\Atari\Neverwinter Nights 2\nwupdate.exe:*:Enabled:Neverwinter Nights 2 Updater -- File not found "C:\Program Files\Atari\Neverwinter Nights 2\nwn2server.exe" = C:\Program Files\Atari\Neverwinter Nights 2\nwn2server.exe:*:Enabled:Neverwinter Nights 2 Server -- File not found "C:\Program Files\Steam\SteamApps\loriferis\half-life 2 deathmatch\hl2.exe" = C:\Program Files\Steam\SteamApps\loriferis\half-life 2 deathmatch\hl2.exe:*:Enabled:hl2 -- () "C:\Program Files\Fox\No One Lives Forever\eReg\NAVBrowser.exe" = C:\Program Files\Fox\No One Lives Forever\eReg\NAVBrowser.exe:*:Enabled:NAVBrowser -- File not found "C:\Program Files\LucasArts\SWKotOR2\swupdate.exe" = C:\Program Files\LucasArts\SWKotOR2\swupdate.exe:*:Enabled:Star Wars: Knights of the Old Republic II: The Sith Lords Update Program -- File not found "C:\Documents and Settings\Lori\Desktop\wowclient-downloader.exe" = C:\Documents and Settings\Lori\Desktop\wowclient-downloader.exe:*:Enabled:Blizzard Downloader -- File not found "C:\Program Files\World of Warcraft\BackgroundDownloader.exe" = C:\Program Files\World of Warcraft\BackgroundDownloader.exe:*:Enabled:Blizzard Downloader -- (Blizzard Entertainment) 
"C:\Program Files\Atari-Infogrames\Roller Coaster Tycoon 2\rct2.exe" = C:\Program Files\Atari-Infogrames\Roller Coaster Tycoon 2\rct2.exe:*:Enabled:rct2 -- File not found "C:\Program Files\Steam\Steam.exe" = C:\Program Files\Steam\Steam.exe:*:Enabled:Steam -- (Valve Corporation) "C:\Program Files\EA GAMES\The Battle for Middle-earth \game.dat" = C:\Program Files\EA GAMES\The Battle for Middle-earth \game.dat:*:Enabled:The Battle for Middle-earth -- File not found "C:\Program Files\Common Files\AOL\Loader\aolload.exe" = C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader -- File not found "C:\Program Files\AIM6\aim6.exe" = C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM -- File not found "C:\Program Files\Google\Google Talk\googletalk.exe" = C:\Program Files\Google\Google Talk\googletalk.exe:*:Enabled:Google Talk -- File not found "C:\Program Files\JungleDisk\junglediskmonitor.exe" = C:\Program Files\JungleDisk\junglediskmonitor.exe:*:Enabled:Jungle Disk Monitor -- File not found "C:\WINDOWS\system32\dpvsetup.exe" = C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test -- (Microsoft Corporation) "C:\Program Files\QuickTime\QuickTimePlayer.exe" = C:\Program Files\QuickTime\QuickTimePlayer.exe:*:Enabled:QuickTime Player -- (Apple Inc.) 
"C:\xampplite\mysql\bin\mysqld.exe" = C:\xampplite\mysql\bin\mysqld.exe:*:Enabled:mysqld -- () "C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe" = C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe:*:Enabled:RoxioUPnPRenderer9 -- File not found "C:\Program Files\xampp\mysql\bin\mysqld.exe" = C:\Program Files\xampp\mysql\bin\mysqld.exe:*:Enabled:mysqld -- File not found "C:\Program Files\xampp\apache\bin\apache.exe" = C:\Program Files\xampp\apache\bin\apache.exe:LocalSubNet:Disabled:apache.exe -- File not found "C:\Program Files\Zero Hour\Zero Hour\Binaries\ZeroHour.exe" = C:\Program Files\Zero Hour\Zero Hour\Binaries\ZeroHour.exe:*:Enabled:ZeroHour -- File not found "C:\Documents and Settings\Lori\Local Settings\Application Data\Microsoft\Live Mesh\GacBase\Moe.exe" = C:\Documents and Settings\Lori\Local Settings\Application Data\Microsoft\Live Mesh\GacBase\Moe.exe:*:Enabled:Live Mesh -- File not found ========== HKEY_LOCAL_MACHINE Uninstall List ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148 "{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam "{05B49229-22A2-4F88-842A-BBC2EBE1CCF6}" = Microsoft Games for Windows - LIVE Redistributable "{075473F5-846A-448B-BCB3-104AA1760205}" = Roxio RecordNow Data "{0A0873E1-D9BA-4994-B85D-A0A331EF1F0C}" = Intel® PRO Network Connections "{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}" = Microsoft Plus! 
Photo Story 2 LE "{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Roxio DLA "{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime "{18F11181-EA1A-42AE-AF89-4867C7F7A6FA}" = Sound Blaster X-Fi "{21657574-BD54-48A2-9450-EB03B2C7FC29}" = Roxio MyDVD LE "{2CDCCE7E-55D5-40CC-AEA0-ABA54713501F}" = LUMIX Simple Viewer "{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Sonic Update Manager "{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java 6 Update 5 "{33BB4982-DC52-4886-A03B-F4C5C80BEE89}" = Windows Media Player 10 "{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP "{35CB6715-41F8-4F99-8881-6FC75BF054B0}" = Oblivion "{46C73DE4-E96D-4F7C-8371-F28052183B12}" = Advanced Decoder Patch "{49132408-7784-4FD7-8382-B3AF58CA0EAA}" = Internet Explorer Administration Kit 7 "{4D243BA7-9AC4-46D1-90E5-EEB88974F501}" = Microsoft Games for Windows - LIVE "{4E868D3D-6EEB-4273-926C-2287236B5B79}" = 3DVIA player 4.1 "{5905F42D-3F5F-4916-ADA6-94A3646AEE76}" = Dell Driver Reset Tool "{5A847475-157F-45AD-9919-CD40D344B8B1}" = QBFC3.0 "{5B6BE547-21E2-49CA-B2E2-6A5F470593B1}" = Sonic Activation Module "{62BD0AE0-4EB1-4BBB-8F43-B6400C8FEB2C}" = AOLIcon "{64635543-70E7-436D-8D6D-4A721595029E}" = Microsoft IntelliPoint 5.2 "{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin "{6D52C408-B09A-4520-9B18-475B81D393F1}" = Microsoft Works "{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}" = Microsoft Plus! 
Digital Media Edition Installer "{6FF543AB-99B3-4120-902C-70A38314ABD8}" = Norton Security Scan "{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable "{74F7662C-B1DB-489E-A8AC-07A06B24978B}" = Dell System Restore "{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 "{7EAB1D85-7BA3-47C1-BBF7-A0EBC241DB94}" = Intel® Viiv™ Software "{86604C06-DA30-425E-AECE-47304FE81C45}" = Creative Software Update "{86B3F2D6-AC2B-4E88-8AE1-F2F77F781B0C}" = EndNote X3 "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight "{8A7CAA24-7B23-410B-A7C3-F994B0944160}" = Microsoft Virtual PC 2007 "{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system "{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel® Matrix Storage Manager "{91110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003 "{91CA0409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Small Business Edition 2003 "{974C4B12-4D02-4879-85E0-61C95CC63E9E}" = Fallout 3 "{9941F0AA-B903-4AF4-A055-83A9815CC011}" = Sonic Encoders "{994AC11F-0549-4D26-B8AC-6F2DB14FF071}" = Preparing for Kindergarten "{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 "{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2 "{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable "{AB708C9B-97C8-4AC9-899B-DBF226AC9382}" = Roxio RecordNow Audio "{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3 "{B0DF58A2-40DF-4465-AA56-38623EC9938C}" = Documentation & Support Launcher "{B12665F4-4E93-4AB4-B7FC-37053B524629}" = Roxio RecordNow Copy "{B194272D-1F92-46DF-99EB-8D5CE91CB4EC}" = Adobe AIR "{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation "{BCE72AED-3332-4863-9567-C5DCB9052CA2}" = Netflix Movie Viewer "{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 
Service Pack 2 "{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1 "{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1 "{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.1 "{DFC6573E-124D-4026-BFA4-B433C9D3FF21}" = ISO Recorder "{E1C7EF5E-3A7B-4ED4-A48B-F70F1B36EAB4}" = Corel Paint Shop Pro Photo XI "{E280923D-C5D9-4728-8C79-AC9A0DC75875}" = BioShock "{E2883E8F-472F-4fb0-9522-AC9BF37916A7}" = Adobe Download Manager "{EA8C73AA-3D75-44C9-87A2-8E945FC5FEE6}" = Trend Micro PC-cillin Internet Security 14 "{FF70923C-8A51-47F4-A7E9-893C6D54EB68}" = TES Construction Set "Adobe AIR" = Adobe AIR "Adobe Shockwave Player" = Adobe Shockwave Player 11.5 "Audacity_is1" = Audacity 1.2.6 "B3EE3001-DC24-4cd1-8743-5692C716659F" = Otto "Blue's Art Time Activities" = Blue's Art Time Activities "BluesCluesPreschoolDKey" = Blue's Preschool "Bone - The Great Cowrace" = Bone - The Great Cowrace 2.0 "BookSmart™ 1.9.5 1.9.5" = BookSmart™ 1.9.5 1.9.5 "Cosmic Bugs 1.05" = Cosmic Bugs 1.05 "Creative Media Lite" = Creative Media Lite "Dell Laser MFP 1815" = Dell Laser MFP 1815 Software Uninstall "Dell_HostCD" = Dell Software Uninstall "DVD Shrink_is1" = DVD Shrink 3.2 "EL" = Intel® Quick Resume Technology Drivers "EmeraldQFE2" = Windows Media Player 10 Hotfix [see EmeraldQFE2 for more information] "IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs "ie7" = Windows Internet Explorer 7 "ie8" = Windows Internet Explorer 8 "ImgBurn" = ImgBurn "LucasArts' Curse of Monkey Island" = LucasArts' Curse of Monkey Island "Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware "MediaMonkey_is1" = MediaMonkey 3.1 "Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1 "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1 "Mozilla Firefox (2.0.0.20)" = Mozilla Firefox (2.0.0.20) "Mozilla Firefox (3.6.3)" = Mozilla Firefox (3.6.3) "Mozilla 
Thunderbird (2.0.0.19)" = Mozilla Thunderbird (2.0.0.19) "MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP "NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs "Notepad++" = Notepad++ "NVIDIA Display Control Panel" = NVIDIA Display Control Panel "NVIDIA Drivers" = NVIDIA Drivers "NVIDIA nView Desktop Manager" = NVIDIA nView Desktop Manager "Peggle Deluxe 1.0" = Peggle Deluxe 1.0 "Plants vs. Zombies" = Plants vs. Zombies "PopCap Browser Plugin" = PopCap Browser Plugin "ResearchSoft Direct Export Helper" = ResearchSoft Direct Export Helper "Revo Uninstaller" = Revo Uninstaller 1.88 "RollerCoaster Tycoon Setup" = Roll "SearchAssist" = SearchAssist "Steam App 420" = Half-Life 2: Episode Two "TmPcc" = Trend Micro PC-cillin Internet Security 14 "TrueCrypt" = TrueCrypt "Tux Paint_is1" = Tux Paint 0.9.21 "UnityWebPlayer" = Unity Web Player "Wacom Tablet Driver" = Wacom Tablet "Wacom WebTabletPlugin for IE" = WebTablet IE Plugin "Wacom WebTabletPlugin for Netscape" = WebTablet Netscape Plugin "Windows Media Format Runtime" = Windows Media Format 11 runtime "Windows Media Player" = Windows Media Player 11 "Windows XP Service Pack" = Windows XP Service Pack 3 "WinGimp-2.0_is1" = GIMP 2.6.8 "WinRAR archiver" = WinRAR archiver "WMFDist11" = Windows Media Format 11 runtime "wmp11" = Windows Media Player 11 "World of Warcraft" = World of Warcraft "Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0 "XpsEPSC" = XML Paper Specification Shared Components Pack 1.0 "ZENStoneUG" = Creative ZEN Stone User's Guide ========== Last 10 Event Log Errors ========== [ Application Events ] Error - 6/15/2010 10:20:05 AM | Computer Name = POWERWAGON | Source = LoadPerf | ID = 3011 Description = Unloading the performance counter strings for service aspnet_state (ASP.NET State Service) failed. The Error code is the first DWORD in Data section. 
Error - 6/15/2010 10:20:06 AM | Computer Name = POWERWAGON | Source = LoadPerf | ID = 3001
Description = The performance counter name string value in the registry is incorrectly formatted. The bogus string is 8528, the bogus index value is the first DWORD in Data section while the last valid index values are the second and third DWORD in Data section.

Error - 6/15/2010 10:20:06 AM | Computer Name = POWERWAGON | Source = MsiInstaller | ID = 11500
Description = Product: Java 6 Update 20 -- Error 1500. Another installation is in progress. You must complete that installation before continuing this one.

Error - 6/15/2010 10:20:07 AM | Computer Name = POWERWAGON | Source = MsiInstaller | ID = 11500
Description = Product: Java 6 Update 20 -- Error 1500. Another installation is in progress. You must complete that installation before continuing this one.

Error - 6/15/2010 12:11:30 PM | Computer Name = POWERWAGON | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The connection with the server was terminated abnormally

Error - 6/15/2010 12:11:31 PM | Computer Name = POWERWAGON | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.

Error - 6/15/2010 2:36:27 PM | Computer Name = POWERWAGON | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The connection with the server was terminated abnormally

Error - 6/15/2010 2:36:28 PM | Computer Name = POWERWAGON | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.

Error - 6/15/2010 5:33:39 PM | Computer Name = POWERWAGON | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The connection with the server was terminated abnormally

Error - 6/15/2010 5:33:39 PM | Computer Name = POWERWAGON | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.

[ System Events ]
Error - 6/15/2010 10:59:55 AM | Computer Name = POWERWAGON | Source = Service Control Manager | ID = 7000
Description = The DgiVecp service failed to start due to the following error: %%2

Error - 6/15/2010 11:18:09 AM | Computer Name = POWERWAGON | Source = Service Control Manager | ID = 7000
Description = The DgiVecp service failed to start due to the following error: %%2

Error - 6/15/2010 11:18:09 AM | Computer Name = POWERWAGON | Source = Service Control Manager | ID = 7000
Description = The TLRecAgent service failed to start due to the following error: %%2

Error - 6/15/2010 11:19:25 AM | Computer Name = POWERWAGON | Source = Service Control Manager | ID = 7000
Description = The DgiVecp service failed to start due to the following error: %%2

Error - 6/15/2010 4:24:43 PM | Computer Name = POWERWAGON | Source = Service Control Manager | ID = 7000
Description = The DgiVecp service failed to start due to the following error: %%2

Error - 6/15/2010 4:24:43 PM | Computer Name = POWERWAGON | Source = Service Control Manager | ID = 7000
Description = The TLRecAgent service failed to start due to the following error: %%2

Error - 6/15/2010 4:26:12 PM | Computer Name = POWERWAGON | Source = Service Control Manager | ID = 7000
Description = The DgiVecp service failed to start due to the following error: %%2

Error - 6/15/2010 5:30:29 PM | Computer Name = POWERWAGON | Source = Service Control Manager | ID = 7000
Description = The DgiVecp service failed to start due to the following error: %%2

Error - 6/15/2010 5:30:29 PM | Computer Name = POWERWAGON | Source = Service Control Manager | ID = 7000
Description = The TLRecAgent service failed to start due to the following error: %%2

Error - 6/15/2010 5:32:14 PM | Computer Name = POWERWAGON | Source = Service Control Manager | ID = 7000
Description = The DgiVecp service failed to start due to the following error: %%2

< End of report >
-------------------------------------------------------
Starbuck
Posted June 16, 2010

Hi Buckman and welcome to FPCH.

The main problem with Google would seem to be that although the infection may have been removed, your Hosts file needs resetting.
Let's clean up some reg entries and get the Hosts file replaced. Then we'll get an online scan done to see if there's any leftovers.

Step 1

Double click on OTL.exe to run it.
Copy the lines in the codebox below (make sure that :Otl is on the first line):

:Otl
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {32099AAC-C132-4136-9E9A-4E364A424E17} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {981FE6A8-260C-4930-960F-C3BC82746CB0} - No CLSID value found.
O4 - HKLM..\Run: [NWEReboot] File not found
O4 - HKLM..\Run: [nwiz] File not found
O4 - HKLM..\Run: [userFaultCheck] File not found
O16 - DPF: {40F8967E-34A6-474A-837A-CEC1E7DAC54C} https://accounting.quickbooks.com/c1/v16.561/qboax9.cab (Reg Error: Key error.)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get.../ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {A3E21079-7F41-4125-9EBB-FD44CFCC0AC1} https://www.mesh.com/0.9.3103.13/TSWeb.cab (Reg Error: Value error.)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/ge...sh/swflash.cab (Reg Error: Key error.)
O33 - MountPoints2\{1a58ec34-e83f-11de-b649-001676b674e2}\Shell - "" = AutoRun
O33 - MountPoints2\{1a58ec34-e83f-11de-b649-001676b674e2}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{1a58ec34-e83f-11de-b649-001676b674e2}\Shell\AutoRun\command - "" = J:\WINDOWS\IronKey.exe -- File not found
O33 - MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\Shell\AutoRun\command - "" = E:\setup.exe -- File not found
O33 - MountPoints2\{58a3a095-2045-11dd-b5c7-001676b674e2}\Shell - "" = AutoRun
O33 - MountPoints2\{58a3a095-2045-11dd-b5c7-001676b674e2}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{58a3a095-2045-11dd-b5c7-001676b674e2}\Shell\AutoRun\command - "" = I:\WINDOWS\IronKey.exe -- File not found
O33 - MountPoints2\{7144ff19-69a4-11de-b622-001676b674e2}\Shell - "" = AutoRun
O33 - MountPoints2\{7144ff19-69a4-11de-b622-001676b674e2}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{7144ff19-69a4-11de-b622-001676b674e2}\Shell\AutoRun\command - "" = I:\IronKey.exe -- File not found
O33 - MountPoints2\{978b5df5-1f17-11df-9e68-001676b674e2}\Shell - "" = AutoRun
O33 - MountPoints2\{978b5df5-1f17-11df-9e68-001676b674e2}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{978b5df5-1f17-11df-9e68-001676b674e2}\Shell\AutoRun\command - "" = I:\LaunchU3.exe -- File not found
O33 - MountPoints2\{d0ab9b99-8a76-11de-b62e-001676b674e2}\Shell - "" = AutoRun
O33 - MountPoints2\{d0ab9b99-8a76-11de-b62e-001676b674e2}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{d0ab9b99-8a76-11de-b62e-001676b674e2}\Shell\AutoRun\command - "" = J:\IronKey.exe -- File not found
@Alternate Data Stream - 130 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:72E6616C
@Alternate Data Stream - 129 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:8643C5BE
@Alternate Data Stream - 123 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:756C8543
@Alternate Data Stream - 122 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:B203B914
@Alternate Data Stream - 122 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:69D94DFA
@Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:8E3D07DE
@Alternate Data Stream - 119 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:411E1BE2
@Alternate Data Stream - 114 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:359B3BDA
@Alternate Data Stream - 106 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:4E1E5A60
@Alternate Data Stream - 100 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C24B973A
:commands
[emptytemp]
[purity]
[RESETHOSTS]
[EMPTYFLASH]

Return to OTL, right click in the Custom Scans/Fixes window (under the blue bar) and choose Paste.
http://img.photobucket.com/albums/v708/starbuck50/new%20forum/scan-fix.png
Click the red Run Fix button.
http://img.photobucket.com/albums/v708/starbuck50/runfixbutton.png
OTL will reboot your system once the fix has completed.
After the reboot, you may need to double click OTL to launch the program and retrieve the log.
Copy and paste the contents of the OTL log that comes up after the fix in your next reply.
If you lose the report, there will be a copy here: C:\_OTL\MovedFiles

Step 2

I'd like you to do an ESET OnlineScan.
You may find it beneficial to close your resident AV program before running the scan.

- Hold down Control and click on the following link to open ESET OnlineScan in a new window: ESET OnlineScan
- Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetOnline.png button.
- For alternate browsers only (Microsoft Internet Explorer users can skip these steps):
  - Click on http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstall.png to download the ESET Smart Installer.
  - Save it to your desktop.
  - Double click on the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstallDesktopIcon.png icon on your desktop.
- Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetAcceptTerms.png
- Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetStart.png button.
- Accept any security warnings from your browser.
- Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetScanArchives.png
- Click the Start button.
- ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
- When the scan completes, push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetListThreats.png
- Click http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
- Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetBack.png button.
- Click http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetFinish.png

A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

In your next reply, please submit:
- OTL fix report
- ESET scan report

Also let me know how the system is running now.
Thanks.

Member of: UNITE
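Starbuck's fix above resets the hosts file with OTL's [RESETHOSTS] command, because a search-engine hijack of the kind Buckman describes (every browser, only Google) is often nothing more than a few lines in %SystemRoot%\System32\drivers\etc\hosts pointing google.com at an attacker's server, and the same file is commonly used to point update and AV vendor names at 127.0.0.1 so the machine cannot fetch fixes. The script below is an added example, not part of the original thread and not OTL's own logic: it parses a hosts file, flags entries that redirect or black-hole a watch-listed domain, and returns the file with only those lines removed, so that genuine local overrides survive. The watch-list, the `intranet.example` override and the sample hosts content are constructed for illustration; none of it comes from Buckman's machine.

```python
"""Audit a Windows hosts file for browser-hijack entries.

Added example; not part of the original thread and not OTL's own logic.
The watch-list and the sample hosts content below are constructed for
illustration, not taken from the machine discussed in the thread.
"""
import ipaddress

# Domains a search/AV hijacker typically redirects or blocks (assumed list).
WATCHLIST = (
    "google.com",
    "bing.com",
    "yahoo.com",
    "windowsupdate.com",
    "microsoft.com",
)

# The only active line a stock Windows XP hosts file contains.
DEFAULT_HOSTS = "127.0.0.1       localhost\n"

# Constructed sample: a stock file plus the kind of entries a hijacker adds.
# 203.0.113.0/24 is a documentation range, so nothing here resolves anywhere real.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# --- constructed hijack entries, not from the original log ---
203.0.113.7     google.com
203.0.113.7     www.google.com
127.0.0.1       www.download.windowsupdate.com
192.168.1.20    intranet.example   # legitimate local override, should survive
"""


def parse_hosts(text):
    """Return [(ip, [hostnames], line_number)] for every active (non-comment) entry."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        parts = line.split()
        if len(parts) < 2:                       # blank, comment-only or malformed
            continue
        entries.append((parts[0], parts[1:], lineno))
    return entries


def _is_blackhole(ip):
    """True for addresses that make a name unreachable (loopback or 0.0.0.0)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def _on_watchlist(host):
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in WATCHLIST)


def find_suspicious(text):
    """Flag every watch-listed name the file touches.

    A watch-listed name pointed at loopback/0.0.0.0 is 'blocked' (the classic way
    fake-AV keeps updates and real AV from loading); anything else is 'redirected'
    to an address the attacker controls. Names not on the list are left alone so
    that genuine local overrides survive a cleanup.
    """
    findings = []
    for ip, hosts, lineno in parse_hosts(text):
        for host in hosts:
            if host.lower() == "localhost" or not _on_watchlist(host):
                continue
            kind = "blocked" if _is_blackhole(ip) else "redirected"
            findings.append({"line": lineno, "host": host, "ip": ip, "kind": kind})
    return findings


def clean_hosts(text):
    """Return the file with every flagged line removed (everything else is kept)."""
    bad_lines = {f["line"] for f in find_suspicious(text)}
    kept = [raw for n, raw in enumerate(text.splitlines(), 1) if n not in bad_lines]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    # On a live XP box read %SystemRoot%\System32\drivers\etc\hosts instead of the sample.
    for f in find_suspicious(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['ip']} ({f['kind']})")
    print("--- cleaned file ---")
    print(clean_hosts(SAMPLE_HOSTS), end="")
```

Run against the constructed sample it reports the two google.com redirects and the black-holed windowsupdate.com name and leaves the localhost line and the private-network override in place. OTL's [RESETHOSTS] is blunter: it replaces the whole file with the stock one, which is the right call on a box you do not trust, but on a machine with deliberate hosts overrides the per-line approach above tells you what the hijacker actually changed before you wipe it.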
Buckman Posted June 19, 2010 Author Posted June 19, 2010 Thanks so much for the excellent help. I have learned a lot in the past couple of hours, and I appreciate what you are doing here. Unfortunately, things are still being found. You asked me to report how the computer is acting though. I just had my browser open up a new window without any prompt from me...so something is still lurking. I can use Google as I would normally now. I have done comparrison searches on different machines and it seems fine. One thing of note though...this machine doesn't have the green checks by google links as my other computers do. I have to admit I have never looked into what those green checks mean... You asked me to post results. So here they are. Hopefully you will be able to tell what still lurks in the machine. --------------------------------- OTL RESULTS: All processes killed ========== OTL ========== Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{32099AAC-C132-4136-9E9A-4E364A424E17} deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{32099AAC-C132-4136-9E9A-4E364A424E17}\ not found. Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{47833539-D0C5-4125-9FA8-0819E2EAAC93} deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{47833539-D0C5-4125-9FA8-0819E2EAAC93}\ not found. Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{981FE6A8-260C-4930-960F-C3BC82746CB0} deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{981FE6A8-260C-4930-960F-C3BC82746CB0}\ not found. Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\NWEReboot deleted successfully. Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\nwiz deleted successfully. 
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\UserFaultCheck deleted successfully. Starting removal of ActiveX control {40F8967E-34A6-474A-837A-CEC1E7DAC54C} Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{40F8967E-34A6-474A-837A-CEC1E7DAC54C}\DownloadInformation\\INF . Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{40F8967E-34A6-474A-837A-CEC1E7DAC54C}\ deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{40F8967E-34A6-474A-837A-CEC1E7DAC54C}\ not found. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{40F8967E-34A6-474A-837A-CEC1E7DAC54C}\ not found. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{40F8967E-34A6-474A-837A-CEC1E7DAC54C}\ not found. Starting removal of ActiveX control {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} C:\WINDOWS\Downloaded Program Files\erma.inf moved successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found. Starting removal of ActiveX control {A3E21079-7F41-4125-9EBB-FD44CFCC0AC1} C:\WINDOWS\Downloaded Program Files\TSWeb.inf moved successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{A3E21079-7F41-4125-9EBB-FD44CFCC0AC1}\ deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A3E21079-7F41-4125-9EBB-FD44CFCC0AC1}\ deleted successfully. 
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{A3E21079-7F41-4125-9EBB-FD44CFCC0AC1}\ deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A3E21079-7F41-4125-9EBB-FD44CFCC0AC1}\ not found. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A3E21079-7F41-4125-9EBB-FD44CFCC0AC1}\ not found. Starting removal of ActiveX control {D27CDB6E-AE6D-11CF-96B8-444553540000} C:\WINDOWS\Downloaded Program Files\swflash.inf moved successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{D27CDB6E-AE6D-11CF-96B8-444553540000}\ deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11CF-96B8-444553540000}\ not found. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}\ deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11CF-96B8-444553540000}\ deleted successfully. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1a58ec34-e83f-11de-b649-001676b674e2}\ deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1a58ec34-e83f-11de-b649-001676b674e2}\ not found. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1a58ec34-e83f-11de-b649-001676b674e2}\ not found. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1a58ec34-e83f-11de-b649-001676b674e2}\ not found. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1a58ec34-e83f-11de-b649-001676b674e2}\ not found. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1a58ec34-e83f-11de-b649-001676b674e2}\ not found. File J:\WINDOWS\IronKey.exe not found. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\ deleted successfully. 
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{361ac05d-0e0d-11da-9aa9-806d6172696f}\ not found. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\ not found. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{361ac05d-0e0d-11da-9aa9-806d6172696f}\ not found. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\ not found. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{361ac05d-0e0d-11da-9aa9-806d6172696f}\ not found. File E:\setup.exe not found. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{58a3a095-2045-11dd-b5c7-001676b674e2}\ deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{58a3a095-2045-11dd-b5c7-001676b674e2}\ not found. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{58a3a095-2045-11dd-b5c7-001676b674e2}\ not found. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{58a3a095-2045-11dd-b5c7-001676b674e2}\ not found. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{58a3a095-2045-11dd-b5c7-001676b674e2}\ not found. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{58a3a095-2045-11dd-b5c7-001676b674e2}\ not found. File I:\WINDOWS\IronKey.exe not found. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7144ff19-69a4-11de-b622-001676b674e2}\ deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7144ff19-69a4-11de-b622-001676b674e2}\ not found. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7144ff19-69a4-11de-b622-001676b674e2}\ not found. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7144ff19-69a4-11de-b622-001676b674e2}\ not found. 
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7144ff19-69a4-11de-b622-001676b674e2}\ not found. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7144ff19-69a4-11de-b622-001676b674e2}\ not found. File I:\IronKey.exe not found. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{978b5df5-1f17-11df-9e68-001676b674e2}\ deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{978b5df5-1f17-11df-9e68-001676b674e2}\ not found. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{978b5df5-1f17-11df-9e68-001676b674e2}\ not found. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{978b5df5-1f17-11df-9e68-001676b674e2}\ not found. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{978b5df5-1f17-11df-9e68-001676b674e2}\ not found. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{978b5df5-1f17-11df-9e68-001676b674e2}\ not found. File I:\LaunchU3.exe not found. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d0ab9b99-8a76-11de-b62e-001676b674e2}\ deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{d0ab9b99-8a76-11de-b62e-001676b674e2}\ not found. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d0ab9b99-8a76-11de-b62e-001676b674e2}\ not found. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{d0ab9b99-8a76-11de-b62e-001676b674e2}\ not found. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d0ab9b99-8a76-11de-b62e-001676b674e2}\ not found. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{d0ab9b99-8a76-11de-b62e-001676b674e2}\ not found. File J:\IronKey.exe not found. ADS C:\Documents and Settings\All Users\Application Data\TEMP:72E6616C deleted successfully. 
ADS C:\Documents and Settings\All Users\Application Data\TEMP:8643C5BE deleted successfully. ADS C:\Documents and Settings\All Users\Application Data\TEMP:756C8543 deleted successfully. ADS C:\Documents and Settings\All Users\Application Data\TEMP:B203B914 deleted successfully. ADS C:\Documents and Settings\All Users\Application Data\TEMP:69D94DFA deleted successfully. ADS C:\Documents and Settings\All Users\Application Data\TEMP:8E3D07DE deleted successfully. ADS C:\Documents and Settings\All Users\Application Data\TEMP:411E1BE2 deleted successfully. ADS C:\Documents and Settings\All Users\Application Data\TEMP:359B3BDA deleted successfully. ADS C:\Documents and Settings\All Users\Application Data\TEMP:4E1E5A60 deleted successfully. ADS C:\Documents and Settings\All Users\Application Data\TEMP:C24B973A deleted successfully. ========== COMMANDS ========== [EMPTYTEMP] User: Administrator ->Temp folder emptied: 16384 bytes ->Temporary Internet Files folder emptied: 67 bytes User: All Users User: Buck ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 67 bytes ->Java cache emptied: 84332 bytes ->FireFox cache emptied: 3895328 bytes ->Flash cache emptied: 53660 bytes User: Default User ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 67 bytes ->Flash cache emptied: 56504 bytes User: LocalService ->Temp folder emptied: 66016 bytes ->Temporary Internet Files folder emptied: 33170 bytes User: Lori ->Temp folder emptied: 5692590 bytes ->Temporary Internet Files folder emptied: 44080767 bytes ->Java cache emptied: 76845590 bytes ->FireFox cache emptied: 34971752 bytes ->Flash cache emptied: 2228095 bytes User: NetworkService ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 10258275 bytes ->Flash cache emptied: 11935 bytes User: Zoe ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 67 bytes ->Java cache emptied: 7618415 bytes ->FireFox cache emptied: 55339254 bytes ->Flash cache 
emptied: 8677 bytes %systemdrive% .tmp files removed: 0 bytes %systemroot% .tmp files removed: 19569 bytes %systemroot%\System32 .tmp files removed: 5308945 bytes %systemroot%\System32\dllcache .tmp files removed: 0 bytes %systemroot%\System32\drivers .tmp files removed: 0 bytes Windows Temp folder emptied: 325857 bytes %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 47622620 bytes %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 34318 bytes RecycleBin emptied: 10751648 bytes Total Files Cleaned = 291.00 mb C:\WINDOWS\System32\drivers\etc\Hosts moved successfully. HOSTS file reset successfully [EMPTYFLASH] User: Administrator User: All Users User: Buck ->Flash cache emptied: 0 bytes User: Default User ->Flash cache emptied: 0 bytes User: LocalService User: Lori ->Flash cache emptied: 0 bytes User: NetworkService ->Flash cache emptied: 0 bytes User: Zoe ->Flash cache emptied: 0 bytes Total Flash Files Cleaned = 0.00 mb OTL by OldTimer - Version 3.2.6.0 log created on 06192010_145859 Files\Folders moved on Reboot... File\Folder C:\Documents and Settings\Lori\Local Settings\Temp\~DF9C22.tmp not found! File\Folder C:\Documents and Settings\Lori\Local Settings\Temp\~DF9C2D.tmp not found! File\Folder C:\Documents and Settings\Lori\Local Settings\Temp\~DF9C8A.tmp not found! File\Folder C:\Documents and Settings\Lori\Local Settings\Temp\~DF9C95.tmp not found! File\Folder C:\Documents and Settings\Lori\Local Settings\Temp\~DF9CD5.tmp not found! File\Folder C:\Documents and Settings\Lori\Local Settings\Temp\~DF9CE0.tmp not found! C:\Documents and Settings\Lori\Local Settings\Temporary Internet Files\Content.IE5\MKQ3UN4H\ads[3].htm moved successfully. C:\Documents and Settings\Lori\Local Settings\Temporary Internet Files\Content.IE5\FCPDGBLK\9912-hijacked-malware-virus[1].html moved successfully. 
C:\Documents and Settings\Lori\Local Settings\Temporary Internet Files\Content.IE5\9H2YHU00\ads[3].htm moved successfully. C:\Documents and Settings\Lori\Local Settings\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\C5IA4O29\140153_21dating_1[1].flv moved successfully. C:\WINDOWS\temp\fla4D.tmp moved successfully. Registry entries deleted on Reboot... --------------------------------------- ESET Results: C:\RECYCLER\S-1-5-21-3398107660-505966276-2709992435-1008\Dc1.exe multiple threats deleted - quarantined Quote
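The OTL fix log above reset the HOSTS file as part of the cleanup. The log does not show what the file contained, and that is the point a practitioner would want covered: before (or instead of) blindly resetting it, read it, because mapping search-engine or AV-vendor hostnames to a routable address is one mechanism behind the "Google hijacked in every browser" symptom described in this thread. The following is an added example, not part of the thread and not OTL code; the HOSTS text is constructed for the example and the watched-domain list is this example's own assumption.

```python
"""Audit a Windows HOSTS file for hijack-style entries.

Added example, not part of the forum thread. The sample HOSTS text below is
constructed to illustrate the check; it is not the file from the machine
discussed in the thread.
"""
import ipaddress
from typing import List, Tuple

# Hostnames that a legitimate HOSTS file has no business redirecting.
# Assumption for the example: the list is illustrative; extend it for your estate.
WATCHED_SUFFIXES = (
    "google.com", "bing.com", "yahoo.com",
    "microsoft.com", "windowsupdate.com",
    "malwarebytes.org", "superantispyware.com", "trendmicro.com",
)

# Loopback and blackhole targets: the usual, legitimate way HOSTS blocks a site.
LOOPBACK_OK = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text: str) -> List[Tuple[str, str, int]]:
    """Return (ip, hostname, line_no) for every mapping, one tuple per hostname."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue                              # malformed line, not an address
        for name in names:
            entries.append((ip, name.lower().rstrip("."), line_no))
    return entries


def is_watched(hostname: str) -> bool:
    """True when the hostname is, or is under, one of the watched domains."""
    return any(hostname == s or hostname.endswith("." + s) for s in WATCHED_SUFFIXES)


def find_hijacks(text: str) -> List[Tuple[str, str, int]]:
    """Flag watched hostnames mapped to anything other than loopback/blackhole.

    Blocking a host via 127.0.0.1 or 0.0.0.0 is common and benign; pointing a
    search engine or AV vendor at a routable address is what a hijack looks like.
    """
    return [(ip, name, line_no)
            for ip, name, line_no in parse_hosts(text)
            if is_watched(name) and ip not in LOOPBACK_OK]


# Constructed sample: the default XP header, one legitimate blocking entry and
# two planted redirections. 203.0.113.0/24 is reserved for documentation.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       ad.doubleclick.net      # blocking an ad host is fine
203.0.113.45    www.google.com google.com
203.0.113.45    www.bing.com
"""

if __name__ == "__main__":
    for ip, name, line_no in find_hijacks(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip}")
```

On a live XP box the file is `%SystemRoot%\system32\drivers\etc\hosts`; read it with `open(path, encoding="mbcs", errors="replace")` and pass the text to `find_hijacks`. A clean result does not clear the machine (redirection can also come from the NameServer registry values, a proxy setting or a kernel-mode hook, all of which appear elsewhere in these logs), but a hit here is a concrete artifact to quarantine rather than silently overwrite.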
Starbuck Posted June 19, 2010 Posted June 19, 2010 Hi Buckman, Thanks for the explanation, let's look a little deeper then:

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop. Link 1 Link 2 http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif This is an example, you may rename ComboFix to anything you want.

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with the running of ComboFix. For more information read: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Then: Double click on Combo-Fix.exe & follow the prompts. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware. If running Vista, you may not see this screen. Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console. **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures. http://img.photobucket.com/albums/v708/starbuck50/cf1.png Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message: http://img.photobucket.com/albums/v706/ried7/whatnext.png Click on Yes, to continue scanning for malware.

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall. When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply. Thanks Quote Member of:UNITE
Buckman Posted June 23, 2010 Author Posted June 23, 2010 It said that it detected rootkit activity. Crap...I have read about rootkits, but this is the first one I have encountered. I have done some reading about this particular one as well and it is suggested that this one downloads other viruses constantly to your machine. Nice. Here is the log: ComboFix 10-06-22.03 - Lori 06/23/2010 12:59:02.1.2 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1172 [GMT -4:00] Running from: c:\documents and settings\Lori\Desktop\Combo-Fix.exe AV: PC-cillin Internet Security - Virus Protection *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5} FW: PC-cillin Internet Security - Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6} * Created a new restore point . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\documents and settings\Lori\Application Data\Sky-Banners c:\documents and settings\Lori\Application Data\Sky-Banners\skb\log.xml c:\windows\bobsaver.exe c:\windows\bobsaver.scr c:\windows\Downloaded Program Files\popcaploader.inf c:\windows\xpsp1hfm.log Infected copy of c:\windows\system32\drivers\rdpcdd.sys was found and disinfected Restored copy from - Kitty had a snack :p . ((((((((((((((((((((((((( Files Created from 2010-05-23 to 2010-06-23 ))))))))))))))))))))))))))))))) . 2010-06-19 18:58 . 2010-06-19 18:58 -------- d-----w- C:\_OTL 2010-06-15 22:10 . 2010-06-19 19:10 -------- d-----w- c:\windows\system32\MpEngineStore 2010-06-15 20:29 . 2010-06-15 20:29 63488 ----a-w- c:\documents and settings\Lori\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll 2010-06-15 20:29 . 2010-06-15 20:29 52224 ----a-w- c:\documents and settings\Lori\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll 2010-06-15 20:29 . 
2010-06-15 20:29 117760 ----a-w- c:\documents and settings\Lori\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL 2010-06-15 20:28 . 2010-06-15 20:28 -------- d-----w- c:\documents and settings\Lori\Application Data\SUPERAntiSpyware.com 2010-06-15 20:28 . 2010-06-15 20:28 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com 2010-06-15 20:28 . 2010-06-15 20:28 -------- d-----w- c:\program files\SUPERAntiSpyware 2010-06-15 18:38 . 2010-06-15 18:38 -------- d-----w- c:\program files\EraserPortable 2010-06-15 16:29 . 2010-06-15 16:29 -------- d-----w- c:\documents and settings\Lori\Application Data\Malwarebytes 2010-06-15 16:29 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-06-15 16:29 . 2010-06-15 16:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2010-06-15 16:29 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-06-15 16:29 . 2010-06-15 16:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2010-06-15 15:39 . 2010-06-15 15:39 -------- d-----w- c:\program files\Common Files\Adobe AIR 2010-06-15 15:37 . 2010-06-15 15:37 -------- d-----w- c:\windows\system32\Adobe 2010-06-15 15:36 . 2010-03-29 12:53 32576 ----a-w- c:\documents and settings\Lori\Application Data\Mozilla\Firefox\Profiles\evqtc5ll.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll 2010-06-15 15:36 . 2010-03-29 12:53 29984 ----a-w- c:\documents and settings\Lori\Application Data\Mozilla\Firefox\Profiles\evqtc5ll.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe 2010-06-15 14:06 . 2010-06-15 14:06 -------- d-----w- c:\windows\system32\wbem\Repository 2010-06-15 14:04 . 2010-06-15 14:04 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache 2010-06-15 04:41 . 2010-06-19 12:58 664 ----a-w- c:\windows\system32\d3d9caps.dat 2010-06-15 04:22 . 
2010-06-15 04:22 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache 2010-06-14 07:22 . 2010-05-06 10:41 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll 2010-06-10 22:25 . 2010-06-10 22:27 -------- d-----w- c:\documents and settings\Lori\Application Data\TuxPaint 2010-06-10 22:24 . 2010-06-12 20:25 -------- d-----w- c:\program files\TuxPaint 2010-05-26 05:10 . 2010-05-26 00:00 -------- d-----w- c:\documents and settings\Lori\Application Data\gtk-2.0 2010-05-26 00:40 . 2010-06-12 21:45 -------- d-----w- c:\documents and settings\Lori\.gimp-2.6 2010-05-26 00:40 . 2010-05-26 00:40 -------- d-----w- c:\program files\GIMP-2.0 2010-05-26 00:28 . 2010-06-23 16:54 -------- d-----w- c:\documents and settings\Lori\Application Data\WTablet 2010-05-26 00:27 . 2010-05-26 00:27 -------- d-----w- c:\program files\TabletPlugins 2010-05-26 00:26 . 2007-02-16 14:12 11312 ----a-w- c:\windows\system32\drivers\wacommousefilter.sys 2010-05-26 00:26 . 2009-09-21 19:29 14120 ----a-w- c:\windows\system32\drivers\wacomvhid.sys 2010-05-26 00:26 . 2010-05-26 00:26 -------- d-----w- c:\windows\system32\WTablet 2010-05-26 00:26 . 2010-01-24 18:32 16168 ----a-w- c:\windows\system32\drivers\wacmoumonitor.sys 2010-05-26 00:26 . 2010-03-08 19:47 5010288 ----a-w- c:\windows\system32\Wacom_Tablet.exe 2010-05-26 00:26 . 2010-03-08 19:47 415600 ----a-w- c:\windows\system32\Wacom_Tablet.dll 2010-05-26 00:26 . 2010-03-08 19:40 294400 ----a-w- c:\windows\system32\Wintab32.dll 2010-05-26 00:26 . 2010-05-26 00:26 -------- d-----w- c:\program files\Tablet 2010-05-25 22:25 . 2010-06-15 14:56 -------- d-----w- c:\documents and settings\Buck\Application Data\WTablet 2010-05-25 22:25 . 2010-06-23 16:53 -------- d-----w- c:\documents and settings\LocalService\Application Data\WTablet 2010-05-24 23:04 . 2010-05-24 23:04 -------- d-----w- c:\documents and settings\Lori\.thumbnails . 
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-06-23 16:56 . 2006-12-12 04:34 -------- d-----w- c:\program files\Steam 2010-06-19 04:54 . 2009-02-02 01:20 117 ---h--w- c:\windows\popcreg.dat 2010-06-19 04:54 . 2009-01-17 05:06 312 ----a-w- c:\windows\popcinfot.dat 2010-06-15 19:19 . 2006-12-12 01:24 -------- d-----w- c:\documents and settings\Lori\Application Data\Corel 2010-06-15 19:19 . 2006-12-12 01:24 1316 --sha-w- c:\windows\system32\KGyGaAvL.sys 2010-06-15 16:20 . 2008-01-26 17:36 -------- d-----w- c:\program files\YouTube Downloader 2010-06-15 15:36 . 2009-12-14 16:49 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS 2010-06-15 15:36 . 2010-01-16 23:35 -------- d-----w- c:\program files\NOS 2010-06-15 15:34 . 2006-12-08 16:41 -------- d-----w- c:\program files\Common Files\Adobe 2010-06-15 14:57 . 2008-03-16 06:12 -------- d-----w- c:\program files\Microsoft Silverlight 2010-06-05 14:29 . 2007-01-14 23:31 -------- d-----w- c:\program files\PopCap Games 2010-05-25 21:10 . 2010-03-22 13:03 -------- d-----w- c:\program files\Pando Networks 2010-05-25 21:03 . 2006-12-08 16:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint 2010-05-25 21:00 . 2006-12-08 16:32 -------- d-----w- c:\program files\Dell 2010-05-25 20:54 . 2008-04-05 17:53 -------- d-----w- c:\documents and settings\Lori\Application Data\Amazon 2010-05-25 20:54 . 2008-04-05 17:50 -------- d-----w- c:\program files\Amazon 2010-05-25 20:49 . 2006-12-08 16:40 -------- d-----w- c:\program files\Google 2010-05-25 20:47 . 2010-03-22 12:08 -------- d-----w- c:\program files\Turbine 2010-05-25 20:32 . 2010-02-09 14:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Astroburn Lite 2010-05-25 20:30 . 2010-02-13 23:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Astroburn Pro 2010-05-19 01:32 . 
2008-02-01 07:56 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink 2010-05-06 10:41 . 2005-08-16 10:18 916480 ----a-w- c:\windows\system32\wininet.dll 2010-05-02 05:22 . 2005-08-16 10:18 1851264 ----a-w- c:\windows\system32\win32k.sys 2010-04-30 04:18 . 2007-07-16 01:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Friends Games 2010-04-27 01:05 . 2010-04-27 01:05 -------- d-----w- c:\documents and settings\Lori\Application Data\PopCapv1001 2010-04-20 05:30 . 2005-08-16 10:18 285696 ----a-w- c:\windows\system32\atmfd.dll 2008-02-26 21:26 . 2008-02-26 21:26 0 ----a-w- c:\program files\temp01 . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "OE_OEM"="c:\program files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe" [2006-08-04 321040] "Steam"="c:\program files\Steam\Steam.exe" [2010-05-24 1238352] "ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032] "DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200] "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-06-07 2403568] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584] "CTDVDDET"="c:\program files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056] "VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-10-14 122880] "AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-05 49152] "pccguide.exe"="c:\program files\Trend Micro\Internet Security 14\pccguide.exe" [2006-11-21 1807960] "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940] 
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-11-21 110184] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-11-21 12669544] "UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112] "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792] "MFP1815_S2P"="c:\program files\DELL\DELL LASER MFP 1815\PSU\Scan2Pc.exe" [2006-04-13 258048] "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960] "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-09-11 218032] "IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2004-06-03 204800] "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552] "CTxfiHlp"="CTXFIHLP.EXE" [2006-03-02 18944] "CTHelper"="CTHELPER.EXE" [2005-11-08 16384] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760] "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672] c:\documents and settings\All Users\Start Menu\Programs\Startup\ LUMIX Simple Viewer.lnk - c:\program files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe [2008-5-12 57344] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "c:\\Program Files\\Steam\\SteamApps\\loriferis\\half-life 2 deathmatch\\hl2.exe"= "c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"= "c:\\Program Files\\Steam\\Steam.exe"= "c:\\WINDOWS\\system32\\dpvsetup.exe"= "c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"= "c:\\xampplite\\mysql\\bin\\mysqld.exe"= "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"= "c:\\Program Files\\Skype\\Phone\\Skype.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "3724:TCP"= 3724:TCP:Blizzard Downloader: 3724 R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872] R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656] R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [5/25/2010 8:26 PM 5010288] R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [9/25/2006 9:10 AM 345696] R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [9/25/2006 9:10 AM 923216] R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [9/25/2006 9:10 AM 36368] R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [9/25/2006 9:10 AM 566872] R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [9/25/2006 9:10 AM 280392] S0 qxmofyba;qxmofyba;c:\windows\system32\drivers\fwkcquxy.sys --> c:\windows\system32\drivers\fwkcquxy.sys [?] S2 TLRecAgent;TLRecAgent;\??\c:\windows\system32\drivers\TLRecAgent.sys --> c:\windows\system32\drivers\TLRecAgent.sys [?] 
S3 RDPDISPM;RDPDISPM;c:\windows\system32\drivers\rdpdispm.sys [8/29/2008 1:03 PM 12288] S3 RDPVDD;RDPVDD;c:\windows\system32\drivers\rdpvmp.sys [8/29/2008 1:03 PM 22656] S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [5/25/2010 8:26 PM 16168] S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [6/22/2007 1:01 PM 691696] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] getPlusHelper REG_MULTI_SZ getPlusHelper . Contents of the 'Scheduled Tasks' folder 2010-06-16 c:\windows\Tasks\Norton Security Scan for Zoe.job - c:\program files\Norton Security Scan\Nss.exe [2009-03-13 23:01] 2010-06-23 c:\windows\Tasks\User_Feed_Synchronization-{205FFA7B-8B8E-4420-A4D9-7DD7D87A6636}.job - c:\windows\system32\msfeedssync.exe [2006-10-17 08:31] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.google.com/ uInternet Connection Wizard,ShellNext = iexplore IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000 TCP: {17D76292-E8C2-493A-A751-23627903614D} = 74.128.17.114,74.128.19.102 DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} - hxxp://www.yoyogames.com/downloads/activex/YoYo.cab FF - ProfilePath - c:\documents and settings\Lori\Application Data\Mozilla\Firefox\Profiles\evqtc5ll.default\ FF - prefs.js: browser.startup.homepage - hxxp://google.com FF - plugin: c:\documents and settings\Lori\Application Data\Mozilla\Firefox\Profiles\evqtc5ll.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll FF - plugin: c:\program files\TabletPlugins\npwacom.dll FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll FF - plugin: c:\program files\Virtools\3D Life Player\npvirtools.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ ---- FIREFOX POLICIES ---- c:\program files\Mozilla Firefox\greprefs\all.js - 
pref("ui.use_native_colors", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", ""); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false); . - - - - ORPHANS REMOVED - - - - HKCU-RunOnce-Shockwave Updater - c:\windows\system32\Adobe\Shockwave 11\SwHelper_1150595.exe AddRemove-LucasArts' Curse of Monkey Island - c:\program files\LucasArts\Curse\DeIsL1.isu AddRemove-Mozilla Firefox (2.0.0.20) - m:\mozilla firefox\uninstall\helper.exe AddRemove-Mozilla Thunderbird (2.0.0.19) - k:\programs files\ThunderbirdPortable\App\thunderbird\uninstall\helper.exe AddRemove-NVIDIA Display Control Panel - c:\program files\NVIDIA Corporation\Uninstall\nvuninst.exe ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover Rootkit scan 2010-06-23 13:11 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... 
scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, GMER - Rootkit Detector and Remover device: opened successfully user: MBR read successfully called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x87C9EEC5]<< kernel: MBR read successfully detected MBR rootkit hooks: \Driver\Disk -> CLASSPNP.SYS @ 0xb80ecf28 \Driver\ACPI -> ACPI.sys @ 0xb7f7fcb8 \Driver\iaStor -> iaStor.sys @ 0xb7e74f80 IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8 \Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8 NDIS: Intel® 82566DC Gigabit Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xb7d68bb0 PacketIndicateHandler -> NDIS.sys @ 0xb7d75a21 SendHandler -> NDIS.sys @ 0xb7d5387b user & kernel MBR OK ************************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_USERS\S-1-5-21-3398107660-505966276-2709992435-1006\Software\SecuROM\!CAUTION! 
NEVER A OR CHANGE ANY KEY*] "??"=hex:8e,7b,dd,27,d1,28,f3,3b,92,d6,6d,64,ec,32,e4,25,b2,f5,0d,d9,d2,f5,30, 91,6c,ec,8a,92,aa,30,f6,14,d3,d8,d5,b3,22,72,31,56,26,0b,a7,6e,67,68,8b,4a,\ "??"=hex:cf,55,c7,95,2b,14,4d,f8,66,7b,0c,1b,19,52,fe,22 [HKEY_USERS\S-1-5-21-3398107660-505966276-2709992435-1006\Software\SecuROM\License information*] "datasecu"=hex:9e,c7,9a,40,c3,5a,8f,ee,42,cd,6b,4a,f4,f6,6a,a5,a2,a6,4f,82,0f, ed,39,2e,29,3a,d7,f2,eb,ff,10,dc,bc,aa,06,4d,ce,ed,2d,1b,48,e4,2f,00,eb,6a,\ "rkeysecu"=hex:71,40,0f,1b,00,e9,54,d3,84,98,d5,e3,d9,48,f4,35 [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101" [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation] "Enabled"=dword:00000001 [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32] @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe" [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}] @Denied: (A 2) (Everyone) @="IFlashBroker4" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(1412) c:\windows\system32\WININET.dll c:\program files\SUPERAntiSpyware\SASWINLO.DLL - - - - - - - > 'lsass.exe'(1472) c:\windows\system32\WININET.dll . 
Completion time: 2010-06-23 13:16:31 ComboFix-quarantined-files.txt 2010-06-23 17:16 Pre-Run: 271,179,919,360 bytes free Post-Run: 271,170,846,720 bytes free WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect - - End Of File - - 8577CD089B482AD0BEBE13A0A97DB5BB Quote
Buckman Posted June 23, 2010 Author Posted June 23, 2010 And there wasn't any sort of big fanfare saying that anything had been removed. I am not encouraged by that... Quote
Starbuck Posted June 23, 2010 Posted June 23, 2010 Hi Buckman, And there wasn't any sort of big fanfare saying that anything had been removed. I am not encouraged by that... This is what CF removed:

((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\documents and settings\Lori\Application Data\Sky-Banners c:\documents and settings\Lori\Application Data\Sky-Banners\skb\log.xml c:\windows\bobsaver.exe c:\windows\bobsaver.scr c:\windows\Downloaded Program Files\popcaploader.inf c:\windows\xpsp1hfm.log Infected copy of c:\windows\system32\drivers\rdpcdd.sys was found and disinfected Restored copy from - Kitty had a snack

It not only removed some files, it also replaced an infected file for you. The report is showing there are a few more things for us to address:

Close any open browsers. Close/disable all anti virus, firewall and anti malware programs so they do not interfere with the running of ComboFix. Open Notepad - it must be Notepad, not Wordpad. Copy the text in the code box below by highlighting all the text and pressing Ctrl+C

File::
c:\program files\temp01
c:\windows\system32\drivers\fwkcquxy.sys
Driver::
qxmofyba

Go to the Notepad window and click Edit >> Paste. Then click File >> Save. Name the file "CFScript.txt" (including the quotes). Save the file to your Desktop. The main ComboFix.exe program should be on your Desktop. Drag the file you just created... CFScript.txt and drop it on the main ComboFix.exe icon as below. http://i275.photobucket.com/albums/jj285/Bleeping/Combofix/cf.gif Now please wait for ComboFix to finish running. Please Note: Do not mouse click in the combofix window while it is running - this may cause your system to hang/crash. Let me have the new Combofix.txt after the fix. Thanks Quote Member of:UNITE
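The CFScript above targets the `S0 qxmofyba` service and its driver file `fwkcquxy.sys`. In the ComboFix log earlier in the thread that entry stands out for three reasons that are visible in the line itself: it is a boot-start service (start type 0), the service name and the file name are different random-looking lowercase strings, and ComboFix printed `[?]` instead of a date and size because it could not read the file. As an added example, not from the thread and not part of ComboFix, here is that judgement written as a scoring pass over the `Drivers/Services` lines of a ComboFix log. The sample lines are constructed in the shape of the thread's log; the weights, the threshold and the name heuristics are this example's own assumptions, and the reading of the digit after R/S as the service Start value is the interpretation the example relies on.

```python
"""Triage the Drivers/Services section of a ComboFix log.

Added example, not from the thread or from the ComboFix project. It scores
each service line on the signals a malware-removal helper reads by eye:
an unreadable binary ([?]), boot-start loading, mismatched random-looking
names, and consonant-heavy file names. Weights and threshold are assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<group>\d)\s+"      # R = running, S = stopped; digit = Start value
    r"(?P<svc>[^;]+);(?P<display>[^;]*);"    # service name;display name;
    r"(?P<path>.+?)"                         # image path as stored in the registry
    r"(?:\s+-->\s+(?P<resolved>.+?))?"       # ComboFix's resolved path, when shown
    r"\s+\[(?P<info>[^\]]*)\]\s*$"           # [date time size], or [?] if unreadable
)


@dataclass
class Finding:
    service: str
    path: str
    score: int
    reasons: List[str]


def _file_stem(path: str) -> str:
    """'\\??\\c:\\...\\TLRecAgent.sys' -> 'TLRecAgent'."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0]


def _longest_consonant_run(name: str) -> int:
    run = best = 0
    for ch in name.lower():
        if ch.isalpha() and ch not in "aeiou":
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def _random_lowercase(name: str) -> bool:
    """Shape of a generated name: 6-12 lowercase letters, nothing else."""
    return name.isalpha() and name.islower() and 6 <= len(name) <= 12


def score_service_line(line: str) -> Optional[Finding]:
    """Score one R?/S? line; None when the line is not a service entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    svc = m.group("svc")
    path = m.group("resolved") or m.group("path")
    stem = _file_stem(path)
    score, reasons = 0, []
    if m.group("info").strip() == "?":
        score += 2
        reasons.append("binary not readable by the scanner ([?])")
    if m.group("group") == "0":
        score += 1
        reasons.append("boot-start driver (Start = 0)")
    if _random_lowercase(svc) and _random_lowercase(stem) and svc != stem:
        score += 2
        reasons.append(f"random-looking service name {svc!r} differs from file {stem!r}")
    if _longest_consonant_run(stem) >= 4:
        score += 1
        reasons.append(f"consonant run in file name {stem!r}")
    return Finding(svc, path, score, reasons)


def triage(log_text: str, threshold: int = 3) -> List[Finding]:
    """Return findings at or above the threshold, highest score first."""
    findings = [f for f in map(score_service_line, log_text.splitlines()) if f]
    return sorted((f for f in findings if f.score >= threshold), key=lambda f: -f.score)


# Sample lines in the shape of the thread's ComboFix log (constructed for the example).
SAMPLE_LOG = r"""
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [9/25/2006 9:10 AM 36368]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [9/25/2006 9:10 AM 280392]
S0 qxmofyba;qxmofyba;c:\windows\system32\drivers\fwkcquxy.sys --> c:\windows\system32\drivers\fwkcquxy.sys [?]
S2 TLRecAgent;TLRecAgent;\??\c:\windows\system32\drivers\TLRecAgent.sys --> c:\windows\system32\drivers\TLRecAgent.sys [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [6/22/2007 1:01 PM 691696]
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.score}  {f.service}  {f.path}")
        for r in f.reasons:
            print("     -", r)
```

A score is a lead for the analyst, not a verdict. Terse lowercase vendor names such as `tmpreflt` or `sptd` pick up a point from the consonant-run rule, which is why that rule is weighted low, and a stopped service whose file is gone scores below the threshold on its own. The combination that does cross it, a boot-start driver the scanner cannot read under a name unrelated to its file, is exactly the entry the CFScript removes; an unreadable file in that position is also why the MBR and kernel-hook sections of the same log are worth reading rather than skipping.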
Buckman Posted June 24, 2010 Author Posted June 24, 2010 Okay, so here are the results of the next scan. BTW it started by saying it detected rootkit activity. But it did appear to catch and remove something. I must learn how to use this software myself...

ComboFix 10-06-22.03 - Lori 06/23/2010 19:08:27.2.2 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1389 [GMT -4:00] Running from: c:\documents and settings\Lori\Desktop\Combo-Fix.exe Command switches used :: c:\documents and settings\Lori\Desktop\CFScript.txt AV: PC-cillin Internet Security - Virus Protection *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5} FW: PC-cillin Internet Security - Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6} FILE :: "c:\program files\temp01" "c:\windows\system32\drivers\fwkcquxy.sys" . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\program files\temp01 Infected copy of c:\windows\system32\drivers\rdpcdd.sys was found and disinfected Restored copy from - Kitty had a snack :p . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Service_qxmofyba ((((((((((((((((((((((((( Files Created from 2010-05-24 to 2010-06-24 ))))))))))))))))))))))))))))))) . 2010-06-23 16:31 . 2010-06-23 17:16 -------- d-----w- C:\Combo-Fix 2010-06-19 18:58 . 2010-06-19 18:58 -------- d-----w- C:\_OTL 2010-06-15 22:10 . 2010-06-19 19:10 -------- d-----w- c:\windows\system32\MpEngineStore 2010-06-15 20:28 . 2010-06-15 20:28 -------- d-----w- c:\documents and settings\Lori\Application Data\SUPERAntiSpyware.com 2010-06-15 20:28 . 2010-06-15 20:28 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com 2010-06-15 20:28 . 2010-06-15 20:28 -------- d-----w- c:\program files\SUPERAntiSpyware 2010-06-15 18:38 . 2010-06-15 18:38 -------- d-----w- c:\program files\EraserPortable 2010-06-15 16:29 . 
2010-06-15 16:29 -------- d-----w- c:\documents and settings\Lori\Application Data\Malwarebytes
2010-06-15 16:29 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-15 16:29 . 2010-06-15 16:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-15 16:29 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-15 16:29 . 2010-06-15 16:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-15 15:39 . 2010-06-15 15:39 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-06-15 15:37 . 2010-06-15 15:37 -------- d-----w- c:\windows\system32\Adobe
2010-06-15 14:06 . 2010-06-15 14:06 -------- d-----w- c:\windows\system32\wbem\Repository
2010-06-15 14:04 . 2010-06-15 14:04 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-06-15 04:41 . 2010-06-19 12:58 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-15 04:22 . 2010-06-15 04:22 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-06-14 07:22 . 2010-05-06 10:41 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-10 22:25 . 2010-06-10 22:27 -------- d-----w- c:\documents and settings\Lori\Application Data\TuxPaint
2010-06-10 22:24 . 2010-06-12 20:25 -------- d-----w- c:\program files\TuxPaint
2010-05-26 05:10 . 2010-05-26 00:00 -------- d-----w- c:\documents and settings\Lori\Application Data\gtk-2.0
2010-05-26 00:40 . 2010-06-12 21:45 -------- d-----w- c:\documents and settings\Lori\.gimp-2.6
2010-05-26 00:40 . 2010-05-26 00:40 -------- d-----w- c:\program files\GIMP-2.0
2010-05-26 00:28 . 2010-06-24 00:20 -------- d-----w- c:\documents and settings\Lori\Application Data\WTablet
2010-05-26 00:27 . 2010-05-26 00:27 -------- d-----w- c:\program files\TabletPlugins
2010-05-26 00:26 . 2007-02-16 14:12 11312 ----a-w- c:\windows\system32\drivers\wacommousefilter.sys
2010-05-26 00:26 . 2009-09-21 19:29 14120 ----a-w- c:\windows\system32\drivers\wacomvhid.sys
2010-05-26 00:26 . 2010-05-26 00:26 -------- d-----w- c:\windows\system32\WTablet
2010-05-26 00:26 . 2010-01-24 18:32 16168 ----a-w- c:\windows\system32\drivers\wacmoumonitor.sys
2010-05-26 00:26 . 2010-03-08 19:47 5010288 ----a-w- c:\windows\system32\Wacom_Tablet.exe
2010-05-26 00:26 . 2010-03-08 19:47 415600 ----a-w- c:\windows\system32\Wacom_Tablet.dll
2010-05-26 00:26 . 2010-03-08 19:40 294400 ----a-w- c:\windows\system32\Wintab32.dll
2010-05-26 00:26 . 2010-05-26 00:26 -------- d-----w- c:\program files\Tablet
2010-05-25 22:25 . 2010-06-15 14:56 -------- d-----w- c:\documents and settings\Buck\Application Data\WTablet
2010-05-25 22:25 . 2010-06-23 23:23 -------- d-----w- c:\documents and settings\LocalService\Application Data\WTablet
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-24 00:22 . 2006-12-12 04:34 -------- d-----w- c:\program files\Steam
2010-06-19 04:54 . 2009-02-02 01:20 117 ---h--w- c:\windows\popcreg.dat
2010-06-19 04:54 . 2009-01-17 05:06 312 ----a-w- c:\windows\popcinfot.dat
2010-06-15 19:19 . 2006-12-12 01:24 -------- d-----w- c:\documents and settings\Lori\Application Data\Corel
2010-06-15 19:19 . 2006-12-12 01:24 1316 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-06-15 16:20 . 2008-01-26 17:36 -------- d-----w- c:\program files\YouTube Downloader
2010-06-15 15:36 . 2009-12-14 16:49 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-06-15 15:36 . 2010-01-16 23:35 -------- d-----w- c:\program files\NOS
2010-06-15 15:34 . 2006-12-08 16:41 -------- d-----w- c:\program files\Common Files\Adobe
2010-06-15 14:57 . 2008-03-16 06:12 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-05 14:29 . 2007-01-14 23:31 -------- d-----w- c:\program files\PopCap Games
2010-05-25 21:10 . 2010-03-22 13:03 -------- d-----w- c:\program files\Pando Networks
2010-05-25 21:03 . 2006-12-08 16:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-05-25 21:00 . 2006-12-08 16:32 -------- d-----w- c:\program files\Dell
2010-05-25 20:54 . 2008-04-05 17:53 -------- d-----w- c:\documents and settings\Lori\Application Data\Amazon
2010-05-25 20:54 . 2008-04-05 17:50 -------- d-----w- c:\program files\Amazon
2010-05-25 20:49 . 2006-12-08 16:40 -------- d-----w- c:\program files\Google
2010-05-25 20:47 . 2010-03-22 12:08 -------- d-----w- c:\program files\Turbine
2010-05-25 20:32 . 2010-02-09 14:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Astroburn Lite
2010-05-25 20:30 . 2010-02-13 23:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Astroburn Pro
2010-05-19 01:32 . 2008-02-01 07:56 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2010-05-06 10:41 . 2005-08-16 10:18 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2005-08-16 10:18 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-30 04:18 . 2007-07-16 01:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Friends Games
2010-04-27 01:05 . 2010-04-27 01:05 -------- d-----w- c:\documents and settings\Lori\Application Data\PopCapv1001
2010-04-20 05:30 . 2005-08-16 10:18 285696 ----a-w- c:\windows\system32\atmfd.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE_OEM"="c:\program files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe" [2006-08-04 321040]
"Steam"="c:\program files\Steam\Steam.exe" [2010-05-24 1238352]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-06-07 2403568]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"CTDVDDET"="c:\program files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-10-14 122880]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-05 49152]
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 14\pccguide.exe" [2006-11-21 1807960]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-11-21 110184]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-11-21 12669544]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"MFP1815_S2P"="c:\program files\DELL\DELL LASER MFP 1815\PSU\Scan2Pc.exe" [2006-04-13 258048]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-09-11 218032]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2004-06-03 204800]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-03-02 18944]
"CTHelper"="CTHELPER.EXE" [2005-11-08 16384]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
LUMIX Simple Viewer.lnk - c:\program files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe [2008-5-12 57344]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Steam\\SteamApps\\loriferis\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\xampplite\\mysql\\bin\\mysqld.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [5/25/2010 8:26 PM 5010288]
R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [9/25/2006 9:10 AM 345696]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [9/25/2006 9:10 AM 923216]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [9/25/2006 9:10 AM 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [9/25/2006 9:10 AM 566872]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [9/25/2006 9:10 AM 280392]
S2 TLRecAgent;TLRecAgent;\??\c:\windows\system32\drivers\TLRecAgent.sys --> c:\windows\system32\drivers\TLRecAgent.sys [?]
S3 RDPDISPM;RDPDISPM;c:\windows\system32\drivers\rdpdispm.sys [8/29/2008 1:03 PM 12288]
S3 RDPVDD;RDPVDD;c:\windows\system32\drivers\rdpvmp.sys [8/29/2008 1:03 PM 22656]
S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [5/25/2010 8:26 PM 16168]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [6/22/2007 1:01 PM 691696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-06-23 c:\windows\Tasks\Norton Security Scan for Zoe.job
- c:\program files\Norton Security Scan\Nss.exe [2009-03-13 23:01]

2010-06-23 c:\windows\Tasks\User_Feed_Synchronization-{205FFA7B-8B8E-4420-A4D9-7DD7D87A6636}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
TCP: {17D76292-E8C2-493A-A751-23627903614D} = 74.128.17.114,74.128.19.102
DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} - hxxp://www.yoyogames.com/downloads/activex/YoYo.cab
FF - ProfilePath - c:\documents and settings\Lori\Application Data\Mozilla\Firefox\Profiles\evqtc5ll.default\
FF - prefs.js: browser.startup.homepage - hxxp://google.com
FF - plugin: c:\documents and settings\Lori\Application Data\Mozilla\Firefox\Profiles\evqtc5ll.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\program files\TabletPlugins\npwacom.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\Virtools\3D Life Player\npvirtools.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2010-06-23 20:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, GMER - Rootkit Detector and Remover

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x87967EC5]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xb80ecf28
\Driver\ACPI -> ACPI.sys @ 0xb7f7fcb8
\Driver\iaStor -> iaStor.sys @ 0xb7e74f80
IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Intel® 82566DC Gigabit Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xb7d68bb0
PacketIndicateHandler -> NDIS.sys @ 0xb7d75a21
SendHandler -> NDIS.sys @ 0xb7d5387b
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3398107660-505966276-2709992435-1006\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:8e,7b,dd,27,d1,28,f3,3b,92,d6,6d,64,ec,32,e4,25,b2,f5,0d,d9,d2,f5,30,
   91,6c,ec,8a,92,aa,30,f6,14,d3,d8,d5,b3,22,72,31,56,26,0b,a7,6e,67,68,8b,4a,\
"??"=hex:cf,55,c7,95,2b,14,4d,f8,66,7b,0c,1b,19,52,fe,22

[HKEY_USERS\S-1-5-21-3398107660-505966276-2709992435-1006\Software\SecuROM\License information*]
"datasecu"=hex:9e,c7,9a,40,c3,5a,8f,ee,42,cd,6b,4a,f4,f6,6a,a5,a2,a6,4f,82,0f,
   ed,39,2e,29,3a,d7,f2,eb,ff,10,dc,bc,aa,06,4d,ce,ed,2d,1b,48,e4,2f,00,eb,6a,\
"rkeysecu"=hex:71,40,0f,1b,00,e9,54,d3,84,98,d5,e3,d9,48,f4,35

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1416)
c:\windows\system32\WININET.dll
c:\program files\SUPERAntiSpyware\SASWINLO.DLL

- - - - - - - > 'lsass.exe'(1476)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3940)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Microsoft Virtual PC\VPCShExH.DLL
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\windows\system32\CTsvcCDA.exe
c:\program files\Creative\Shared Files\CTDevSrv.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\progra~1\TRENDM~1\INTERN~1\PcCtlCom.exe
c:\windows\system32\PSIService.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\WTablet\Wacom_TabletUser.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\eHome\ehmsas.exe
c:\windows\SYSTEM32\CTXFISPI.EXE
c:\windows\system32\devldr32.exe
.
**************************************************************************
.
Completion time: 2010-06-23 20:32:29 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-24 00:32
ComboFix2.txt 2010-06-23 17:16

Pre-Run: 271,190,323,200 bytes free
Post-Run: 271,286,239,232 bytes free

- - End Of File - - B7A9A51F50658AC4B91BAE9518B06491
Buckman Posted June 24, 2010 Author Posted June 24, 2010

Oh and one more question. Just before I ran this scan I got yet another popup, but this one may be legit. Does your site have a popup for Install Registry Defender 2010? Registry Defender (Official Site)

Just checking. If your site does not, then I hope this last round of scanning did the trick.
Buckman Posted June 24, 2010 Author Posted June 24, 2010

Oops, scratch that. I'm still infected. A lottery popup came up.

Question...is this a lost cause? Do I need to reformat and reinstall Windows? This is looking pretty grim.

Thanks for the help.
RandyL Posted June 24, 2010 Posted June 24, 2010

Starbuck and Buckman, there is a chance that the popup is forum related and is not a problem with the computer. I'm going to look into it.

We are all members helping other members. Please return here where you may be able to help someone else. After all, no one knows everything and you may have the answer that someone needs. Get help with computer problems. Join Free PC Help here. Donations are welcome. Read Here
Buckman Posted June 24, 2010 Author Posted June 24, 2010

Thanks, but I am pretty sure that those popups have nothing to do with your site. I have kind of become a fan here and I lurk around a bit. I can think of four different Windows PC's that I use to access this site. My infected computer is at home, and whenever I have the energy, I sit down and try to repair this rootkit. I get a popup about once every 15 minutes or so. On that computer your site is the ONLY one I access, since it is not in regular use and the only reason I turn it on is to work on the infection. But I have NEVER gotten a popup on the other machines I use to access this site. I am here right now and there are no popups for instance...
Starbuck Posted June 24, 2010 Posted June 24, 2010

Hi Buckman,

"Question...is this a lost cause? Do I need to reformat and reinstall Windows? This is looking pretty grim."

We'll do our best, a reformat is always the last resort..... and we haven't got to that yet :)

Step 1

Please download DeFogger to your desktop.
* Double click DeFogger to run the tool. The application window will appear
* Click the Disable button to disable your CD Emulation drivers
* Click Yes to continue
* A 'Finished!' message will appear
* Click OK
* DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.
Do not re-enable these drivers until otherwise instructed.
This step will help get a better report from the next step.

Step 2

Please download GMER from one of the following locations and save it to your desktop:
* Main Mirror - This version will download a randomly named file (Recommended)
* Zipped Mirror - This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

* Disconnect from the Internet and close all running programs.
* Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
* Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  http://img.photobucket.com/albums/v666/sUBs/gmer_zip.gif
* GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
* If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
* Now click the Scan button. If you see a rootkit warning window, click OK.
* When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
* Click the Copy button and paste the results into your next reply.
* Exit GMER and re-enable all active protection when done.

-- If you encounter any problems, try running GMER in Safe Mode.

Thanks

Member of: UNITE
Buckman Posted June 26, 2010 Author Posted June 26, 2010

I had a little trouble with this. I was trying to shut off my network connection and I couldn't. Not even after rebooting. So I got nasty about it and booted in safe mode WITHOUT networking and unplugged the CAT5 cable. So as the directions instructed, I was definitely off the internet. If my extreme measures messed up the scan, please let me know. And BTW, thanks for all this. What have we tried by now, 10 different programs?

Defogger did put something out:

defogger_disable by jpshortstuff (23.02.10.1)
Log created at 16:30 on 25/06/2010 (Lori)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...
SPTD -> Already disabled

-=E.O.F=-

--------------------------------------------------

Here is the GMER output:

GMER 1.0.15.15281 - GMER - Rootkit Detector and Remover
Rootkit scan 2010-06-25 21:14:22
Windows 5.1.2600 Service Pack 3
Running: yzwmhzd1.exe; Driver: C:\DOCUME~1\Lori\LOCALS~1\Temp\kwryipow.sys

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 Elkbd.sys (Intel Corporation)
Device \FileSystem\Fastfat \Fat B7C14D20

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x4B 0xBE 0xE6 0x2D ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x33 0x31 0x46 0x65 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x80 0x61 0x2A 0x7E ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xE9 0x5D 0x8D 0x09 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x48 0x95 0xC7 0x79 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x3F 0xA7 0x98 0xCB ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x1D 0xBA 0x47 0x7D ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x4B 0xBE 0xE6 0x2D ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 2
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x33 0x31 0x46 0x65 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x80 0x61 0x2A 0x7E ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xE9 0x5D 0x8D 0x09 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 1
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x48 0x95 0xC7 0x79 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x3F 0xA7 0x98 0xCB ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x1D 0xBA 0x47 0x7D ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x8E 0x44 0x8C 0x0F ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x2C 0xBB 0xD2 0x6D ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x88 0x73 0x13 0x22 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 1
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x48 0x95 0xC7 0x79 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x3F 0xA7 0x98 0xCB ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x1D 0xBA 0x47 0x7D ...

---- EOF - GMER 1.0.15 ----
Starbuck Posted June 27, 2010 Posted June 27, 2010

Hi Buckman,

"I get a popup about once every 15 minutes or so."

Any chance you can get a screenshot of the popup?

Member of: UNITE
Buckman Posted June 28, 2010 Author Posted June 28, 2010

I will attempt to get a screen shot of the popup, but it is the least of my worries right now. Google is back to serving up pages that I did not click on. Just for a test I searched for 'Star Trek.' The results seemed logical. There was the official site, the IMDB page and other things. But clicking any of these took me to 'caranddriver.com' and 'marthastewart.com.'

I have been trying to read up on GMER. It listed a few things though and nothing came up in red. Combofix still says I have rootkit activity. Any thoughts on this? Or am I nuking the hard drive?
Buckman Posted June 28, 2010 Author Posted June 28, 2010

A window saying "security warning" has popped up telling me that "Application cannot be executed. The file svchost.exe is infected. Do you want to activate your antivirus software now?" I am given 'yes' and 'no' buttons. And of course my antivirus software is running. I tried to 'CNTL-ALT-DEL' out of this, but this program is blocking it. The task manager will only remain open for a split second.

I am afraid this is a lost cause. If the scan turned up anything I can manually fix, please let me know. But I need this computer back and I think a reformat is the only thing that may work.
Buckman Posted June 28, 2010 Author Posted June 28, 2010

The computer is reinfected as it originally was. I got a good look at it this time. (Wasn't able to because this originally happened to my wife.)

A window pops up with a big green shield with a diagonal line through it. The program calls itself 'AV Protection Suite' with a little slogan that says, 'Innovative protection for your PC.' This is accompanied by a green shield in the icon tray. It acts as if it is doing a scan of your PC, has a little counter that goes slowly to 100%. Meanwhile it tells you that you are infected and the icon throws up balloons telling you the same.

I was able to start the task manager and two programs were running: 'AV Security Suite Demo' and something else that corresponded to a warning window that was warning me about infection as well. This may give you some help trying to locate it. I am going to read up on this specifically. Quite the tenacious little infection. Hats off to the little bugger who wrote this thing.

BTW...this was not the popup that comes with the site every 15 minutes which I am now starting to think is legit. But...it is similar. This could be dangerous on a site that helps people try to rid themselves of infection.

I tried to get screen shots, but no other program would run until I shut down the demo in the task manager. Sorry.
Starbuck Posted June 28, 2010 Posted June 28, 2010

Hi Buckman,

There is definitely something hiding, we could run more scans and try to find out what it is....
But if you need the pc back up and running and don't have much spare time, then by all means go for the reformat/reinstall. It will sort the m/c out once and for all.

I'll wait for your reply.

Member of: UNITE
Starbuck Posted June 28, 2010 Posted June 28, 2010

Hi

"A window pops up with a big green shield with a diagonal line through it. The program calls itself 'AV Protection Suite' with a little slogan that says, 'Innovative protection for your PC.'"

Anything like this?
http://img.photobucket.com/albums/v708/starbuck50/avsecurity.png

Before we tackle this, I need to point out one small thing.....

ESET Results:
C:\RECYCLER\S-1-5-21-3398107660-505966276-2709992435-1008\Dc1.exe multiple threats deleted - quarantined

This relates to malware that can transfer itself using a usb stick.
Have you been using any usb sticks?
It could be that you are transferring the malware to the pc each time you plug it in.

Let's tackle this AV security suite:

Step 1

Please reboot your computer in Safe Mode with Networking by doing the following:
* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear; you will need to use the 'keyboard arrow keys' to navigate on this menu.
* Select the option to run Windows in Safe Mode with Networking, then press "Enter".
* Then choose your usual account.

Step 2

* Start Internet Explorer, and when the program is open, click on the Tools menu and then select Internet Options
* Click on the Connections tab
* Click on the Lan Settings button
* Under the Proxy Server section, please uncheck the checkbox labeled Use a proxy server for your LAN.
* Then press the OK button to close this screen
* Then press the OK button to close the Internet Options screen.

Internet Explorer should now work. Or you can use Firefox to complete the next few steps.

Step 3

Please download: Rkill and save it to your Desktop.
* Run the tool by clicking on it.
* If you get a message that rkill is an infection, do not be concerned. This message is just a fake warning given by Antivirus Soft when it terminates programs that may potentially remove it. If you run into these infections warnings that close Rkill, a trick is to leave the warning on the screen and then run Rkill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that rkill can terminate Antivirus Soft.
* If the malware is persistent, you may have to RKill a number of times.
* When it has finished, the black window will automatically close and you can continue with the next step.

Note: Please do not reboot your system until you have completed the following step, or the Malware will restart itself.

Step 4

If you still have MBAM on your system, update it and run a full scan.
If you have removed it, please use these instructions:

Please download Malwarebytes Anti-Malware and save it to your desktop.
* Make sure you are connected to the Internet.
* Double-click on Download_mbam-setup.exe to install the application.
* When the installation begins, follow the prompts and do not make any changes to default settings.
* When installation has finished, make sure you leave both of these checked:
  - Update Malwarebytes' Anti-Malware
  - Launch Malwarebytes' Anti-Malware
* Then click Finish.
* MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
* On the Scanner tab: Make sure the "Perform Full Scan" option is selected. Then click on the Scan button.
* If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
* The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
* When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
* Click OK to close the message box and continue with the removal process.
* Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
* Make sure that everything is checked, and click Remove Selected.
* When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
* The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
* Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

In your next reply, please submit:
* MBAM scan report
* and let me know if the proxy setting was enabled when you checked.

Thanks.

Member of: UNITE
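For the proxy check in Step 2 above, an added PowerShell script (not part of Starbuck's instructions or anything posted in the thread) that reads the same per-user Internet Settings values from the registry and reports them, so the helper can record what was set before it is unchecked. It assumes the standard WinINet value names under HKCU (ProxyEnable, ProxyServer, ProxyOverride, AutoConfigURL); the -Disable switch is an assumed convenience that mirrors the manual uncheck.

```powershell
# Added example, not from the thread: read-only audit of the per-user WinINet
# proxy settings that Step 2 clears by hand. Run it in the affected user's
# session (Safe Mode with Networking is fine). Nothing is changed unless the
# -Disable switch is given, and the original values are printed first so they
# can be pasted into the reply.
param([switch]$Disable)

# Standard location of the IE / WinINet connection settings for the current user.
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$p = Get-ItemProperty -Path $key -ErrorAction Stop

# ProxyEnable=1 together with a ProxyServer pointing at the local machine is
# the pattern rogue "AV" families use to sit in front of the browser; an
# AutoConfigURL (PAC script) is a second, less visible, hijack point.
foreach ($name in 'ProxyEnable', 'ProxyServer', 'ProxyOverride', 'AutoConfigURL') {
    '{0,-14}: {1}' -f $name, $p.$name
}

$proxyOn = ($p.ProxyEnable -eq 1) -and -not [string]::IsNullOrEmpty($p.ProxyServer)
$pacSet  = -not [string]::IsNullOrEmpty($p.AutoConfigURL)

if ($proxyOn -or $pacSet) {
    Write-Warning 'A proxy or PAC URL is configured for this user; note the values above before clearing them.'
    if ($Disable) {
        # Same effect as unchecking "Use a proxy server for your LAN" in Step 2.
        Set-ItemProperty -Path $key -Name ProxyEnable -Value 0
        Remove-ItemProperty -Path $key -Name AutoConfigURL -ErrorAction SilentlyContinue
        Write-Output 'ProxyEnable set to 0 and AutoConfigURL removed; restart Internet Explorer.'
    }
} else {
    Write-Output 'No proxy or PAC configured for the current user.'
}
```

If the values reappear after a reboot, whatever set them is still active, which is why Step 3 and Step 4 follow this check rather than replace it.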