Malware, can't get rid of it [Solved]

Need a geek? Geeks to Go offers free, quality tech support -- in terms anyone can understand. Volunteers are waiting to help, friendly, technology experts who have knowledge to share, and enjoy helping others. Feel free to browse the site as a guest. However, you must log in to reply to existing topics, or to start a new topic of your own. Other benefits of joining include richer forum features, and removal of all advertising. Learn more in our Welcome Guide Infected? Malware and Spyware Cleaning Guide. What are you waiting for? Click here to join for free today!

> Geeks to Go! » Security » Virus, Spyware and Trojan Removal

Malware, can't get rid of it [Solved]

Options

2 Pages

1 2 >

Replies (1 - 14)

Jimmy2012 View Member Profile	Apr 28 2009, 11:44 PM Post #2
Trusted Helper Posts: 6,238 From: Ohio, USA OS: Windows XP, Fedora, Ubuntu	Hello Pyetr and welcome to Geeks to go. Sorry about the delay. Since it has been a few days since posting your logs, please run another scan with OTListIt2 and post the OTListIt.txt in your next reply.

Pyetr View Member Profile	May 2 2009, 03:23 PM Post #3
New Member Posts: 9 OS: Windows XP	Ok. I should say that I haven't been using this computer much in the interim, so I don't think too much has changed. Also, the CPU is consistantly sitting at 100% now, with several instances of svchost.exe all taking up part. Thanks for any help you can provide. OTListIt logfile created on: 5/2/2009 5:16:52 PM - Run 2 OTListIt2 by OldTimer - Version 2.0.14.0 Folder = C:\Documents and Settings\Jake Armstrong\Desktop Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation Internet Explorer (Version = 7.0.5730.11) Locale: 00000409 \| Country: United States \| Language: ENU \| Date Format: M/d/yyyy 2.00 Gb Total Physical Memory \| 1.42 Gb Available Physical Memory \| 71.24% Memory free 3.35 Gb Paging File \| 2.89 Gb Available in Paging File \| 86.12% Paging File free Paging file location(s): C:\pagefile.sys 1536 3072; %SystemDrive% = C: \| %SystemRoot% = C:\WINDOWS \| %ProgramFiles% = C:\Program Files Drive C: \| 229.28 Gb Total Space \| 142.37 Gb Free Space \| 62.09% Space Free \| Partition Type: NTFS Drive D: \| 543.19 Mb Total Space \| 0.00 Mb Free Space \| 0.00% Space Free \| Partition Type: CDFS E: Drive not present or media not loaded F: Drive not present or media not loaded G: Drive not present or media not loaded H: Drive not present or media not loaded I: Drive not present or media not loaded Computer Name: DF438N51 Current User Name: Jake Armstrong Logged in as Administrator. Current Boot Mode: Normal Scan Mode: Current user Output = Minimal File Age = 30 Days Company Name Whitelist: On ========== Processes (SafeList) ========== PRC - C:\Program Files\Windows Defender\MsMpEng.exe (Microsoft Corporation) PRC - C:\WINDOWS\Explorer.EXE (Microsoft Corporation) PRC - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft) PRC - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe (Intel Corporation) PRC - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe () PRC - C:\Program Files\McAfee\MSC\mcmscsvc.exe (McAfee, Inc.) PRC - c:\program files\common files\mcafee\mna\mcnasvc.exe (McAfee, Inc.) PRC - c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe (McAfee, Inc.) PRC - C:\Program Files\McAfee\VirusScan\Mcshield.exe (McAfee, Inc.) PRC - C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe (Creative Technology Ltd) PRC - C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE (Creative Technology Ltd) PRC - C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation) PRC - C:\WINDOWS\CTHELPER.EXE (Creative Technology Ltd) PRC - C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE (ATI Technologies Inc.) PRC - C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe (Lavasoft) PRC - C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe (Check Point Software Technologies LTD) PRC - C:\WINDOWS\System32\MsPMSPSv.exe (Microsoft Corporation) PRC - C:\Program Files\Windows Media Player\WMPNetwk.exe (Microsoft Corporation) PRC - C:\Program Files\Canon\CAL\CALMAIN.exe (Canon Inc.) PRC - C:\WINDOWS\system32\wbem\wmiprvse.exe (Microsoft Corporation) PRC - C:\WINDOWS\System32\wbem\unsecapp.exe (Microsoft Corporation) PRC - C:\WINDOWS\system32\wbem\wmiprvse.exe (Microsoft Corporation) PRC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe (Check Point Software Technologies LTD) PRC - c:\Program Files\McAfee\MSC\mcupdmgr.exe (McAfee, Inc.) PRC - C:\WINDOWS\system32\taskmgr.exe (Microsoft Corporation) PRC - C:\Documents and Settings\Jake Armstrong\Desktop\OTListIt2.exe (OldTimer Tools) ========== Win32 Services (SafeList) ========== SRV - (Apple Mobile Device [Disabled \| Stopped]) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.) SRV - (aspnet_state [On_Demand \| Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (Microsoft Corporation) SRV - (Ati HotKey Poller [Disabled \| Stopped]) -- C:\WINDOWS\system32\Ati2evxx.exe (ATI Technologies Inc.) SRV - (ATI Smart [Disabled \| Stopped]) -- C:\WINDOWS\SYSTEM32\ati2sgag.exe () SRV - (Bonjour Service [Disabled \| Stopped]) -- C:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc.) SRV - (CCALib8 [Auto \| Running]) -- C:\Program Files\Canon\CAL\CALMAIN.exe (Canon Inc.) SRV - (clr_optimization_v2.0.50727_32 [On_Demand \| Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation) SRV - (Creative Service for CDROM Access [Disabled \| Stopped]) -- C:\WINDOWS\System32\CTsvcCDA.exe (Creative Technology Ltd) SRV - (FontCache3.0.0.0 [On_Demand \| Stopped]) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe (Microsoft Corporation) SRV - (gusvc [Auto \| Stopped]) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (Google) SRV - (helpsvc [Auto \| Running]) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation) SRV - (IAANTMon [Auto \| Running]) -- C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe (Intel Corporation) SRV - (IDriverT [On_Demand \| Stopped]) -- C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe (Macrovision Corporation) SRV - (idsvc [Unknown \| Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe (Microsoft Corporation) SRV - (iPod Service [Disabled \| Stopped]) -- C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.) SRV - (KService [Disabled \| Stopped]) -- C:\Program Files\Kontiki\KService.exe () SRV - (Lavasoft Ad-Aware Service [Auto \| Running]) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft) SRV - (McAfee SiteAdvisor Service [Auto \| Running]) -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe () SRV - (mcmscsvc [Auto \| Running]) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe (McAfee, Inc.) SRV - (McNASvc [Auto \| Running]) -- c:\program files\common files\mcafee\mna\mcnasvc.exe (McAfee, Inc.) SRV - (McODS [On_Demand \| Stopped]) -- C:\Program Files\McAfee\VirusScan\mcods.exe (McAfee, Inc.) SRV - (McProxy [Auto \| Running]) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe (McAfee, Inc.) SRV - (McShield [Unknown \| Running]) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe (McAfee, Inc.) SRV - (McSysmon [Disabled \| Stopped]) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe (McAfee, Inc.) SRV - (NetTcpPortSharing [Disabled \| Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe (Microsoft Corporation) SRV - (NMSAccess [Disabled \| Stopped]) -- C:\Program Files\Cheetah Burner\Cheetah CD Burner\NMSAccess.exe () SRV - (twdns [Disabled \| Stopped]) -- File not found SRV - (Viewpoint Manager Service [Disabled \| Stopped]) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe (Viewpoint Corporation) SRV - (vsmon [Auto \| Running]) -- C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe (Check Point Software Technologies LTD) SRV - (WinDefend [Auto \| Running]) -- C:\Program Files\Windows Defender\MsMpEng.exe (Microsoft Corporation) SRV - (WMDM PMSP Service [Auto \| Running]) -- C:\WINDOWS\System32\MsPMSPSv.exe (Microsoft Corporation) SRV - (WMPNetworkSvc [Auto \| Running]) -- C:\Program Files\Windows Media Player\WMPNetwk.exe (Microsoft Corporation) ========== Driver Services (SafeList) ========== DRV - (AliIde [Disabled \| Stopped]) -- C:\WINDOWS\System32\DRIVERS\aliide.sys (Acer Laboratories Inc.) DRV - (amdagp [Disabled \| Stopped]) -- C:\WINDOWS\System32\DRIVERS\amdagp.sys (Advanced Micro Devices, Inc.) DRV - (asc [Disabled \| Stopped]) -- C:\WINDOWS\System32\DRIVERS\asc.sys (Advanced System Products, Inc.) DRV - (asc3550 [Disabled \| Stopped]) -- C:\WINDOWS\System32\DRIVERS\asc3550.sys (Advanced System Products, Inc.) DRV - (ati2mtag [On_Demand \| Running]) -- C:\WINDOWS\System32\DRIVERS\ati2mtag.sys (ATI Technologies Inc.) DRV - (b57w2k [On_Demand \| Running]) -- C:\WINDOWS\System32\DRIVERS\b57xp32.sys (Broadcom Corporation) DRV - (CmdIde [Disabled \| Stopped]) -- C:\WINDOWS\System32\DRIVERS\cmdide.sys (CMD Technology, Inc.) DRV - (ctac32k [On_Demand \| Running]) -- C:\WINDOWS\System32\drivers\ctac32k.sys (Creative Technology Ltd) DRV - (ctaud2k [On_Demand \| Running]) -- C:\WINDOWS\system32\drivers\ctaud2k.sys (Creative Technology Ltd) DRV - (ctdvda2k [On_Demand \| Stopped]) -- C:\WINDOWS\System32\drivers\ctdvda2k.sys (Creative Technology Ltd) DRV - (ctprxy2k [On_Demand \| Running]) -- C:\WINDOWS\System32\drivers\ctprxy2k.sys (Creative Technology Ltd) DRV - (ctsfm2k [On_Demand \| Running]) -- C:\WINDOWS\System32\drivers\ctsfm2k.sys (Creative Technology Ltd) DRV - (CVirtA [On_Demand \| Stopped]) -- C:\WINDOWS\system32\DRIVERS\CVirtA.sys (Cisco Systems, Inc.) DRV - (dac2w2k [Disabled \| Stopped]) -- C:\WINDOWS\System32\DRIVERS\dac2w2k.sys (Mylex Corporation) DRV - (drvmcdb [Boot \| Running]) -- C:\WINDOWS\system32\drivers\drvmcdb.sys (Sonic Solutions) DRV - (drvnddm [Auto \| Running]) -- C:\WINDOWS\system32\drivers\drvnddm.sys (Sonic Solutions) DRV - (emupia [On_Demand \| Running]) -- C:\WINDOWS\System32\drivers\emupia2k.sys (Creative Technology Ltd) DRV - (ENTECH [On_Demand \| Stopped]) -- C:\WINDOWS\system32\DRIVERS\ENTECH.SYS (EnTech Taiwan) DRV - (GEARAspiWDM [On_Demand \| Running]) -- C:\WINDOWS\SYSTEM32\DRIVERS\GEARAspiWDM.sys (GEAR Software Inc.) DRV - (ha10kx2k [On_Demand \| Running]) -- C:\WINDOWS\System32\drivers\ha10kx2k.sys (Creative Technology Ltd) DRV - (hap16v2k [On_Demand \| Running]) -- C:\WINDOWS\System32\drivers\hap16v2k.sys (Creative Technology Ltd) DRV - (hap17v2k [On_Demand \| Stopped]) -- C:\WINDOWS\system32\drivers\hap17v2k.sys (Creative Technology Ltd) DRV - (itchfltr [On_Demand \| Running]) -- C:\WINDOWS\System32\Drivers\itchfltr.sys (Logitech, Inc.) DRV - (Lbd [Boot \| Running]) -- C:\WINDOWS\system32\DRIVERS\Lbd.sys (Lavasoft AB) DRV - (LCcfltr [On_Demand \| Stopped]) -- C:\WINDOWS\System32\Drivers\LCcFltr.Sys (Logitech, Inc.) DRV - (LHidUsb [On_Demand \| Running]) -- C:\WINDOWS\System32\Drivers\LHidUsb.Sys (Logitech, Inc.) DRV - (mfeavfk [On_Demand \| Running]) -- C:\WINDOWS\system32\drivers\mfeavfk.sys (McAfee, Inc.) DRV - (mfebopk [On_Demand \| Running]) -- C:\WINDOWS\system32\drivers\mfebopk.sys (McAfee, Inc.) DRV - (mfehidk [System \| Running]) -- C:\WINDOWS\system32\drivers\mfehidk.sys (McAfee, Inc.) DRV - (mferkdk [On_Demand \| Stopped]) -- C:\WINDOWS\system32\drivers\mferkdk.sys (McAfee, Inc.) DRV - (mfesmfk [On_Demand \| Stopped]) -- C:\WINDOWS\system32\drivers\mfesmfk.sys (McAfee, Inc.) DRV - (MPFP [System \| Running]) -- C:\WINDOWS\System32\Drivers\Mpfp.sys (McAfee, Inc.) DRV - (mraid35x [Disabled \| Stopped]) -- C:\WINDOWS\System32\DRIVERS\mraid35x.sys (American Megatrends Inc.) DRV - (omci [System \| Running]) -- C:\WINDOWS\System32\DRIVERS\omci.sys (Dell Computer Corporation) DRV - (ossrv [On_Demand \| Running]) -- C:\WINDOWS\system32\drivers\ctoss2k.sys (Creative Technology Ltd.) DRV - (PfModNT [Auto \| Running]) -- C:\WINDOWS\system32\drivers\PfModNT.sys (Creative Technology Ltd.) DRV - (Ptilink [On_Demand \| Running]) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys (Parallel Technologies, Inc.) DRV - (PxHelp20 [Boot \| Running]) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys (Sonic Solutions) DRV - (ql1080 [Disabled \| Stopped]) -- C:\WINDOWS\System32\DRIVERS\ql1080.sys (QLogic Corporation) DRV - (ql12160 [Disabled \| Stopped]) -- C:\WINDOWS\System32\DRIVERS\ql12160.sys (QLogic Corporation) DRV - (ql1280 [Disabled \| Stopped]) -- C:\WINDOWS\System32\DRIVERS\ql1280.sys (QLogic Corporation) DRV - (Secdrv [Auto \| Running]) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) DRV - (sisagp [Disabled \| Stopped]) -- C:\WINDOWS\System32\DRIVERS\sisagp.sys (Silicon Integrated Systems Corporation) DRV - (Sparrow [Disabled \| Stopped]) -- C:\WINDOWS\System32\DRIVERS\sparrow.sys (Adaptec, Inc.) DRV - (sptd [Boot \| Running]) -- C:\WINDOWS\System32\Drivers\sptd.sys () DRV - (srescan [Boot \| Running]) -- C:\WINDOWS\system32\ZoneLabs\srescan.sys (Check Point Software Technologies LTD) DRV - (sscdbhk5 [System \| Running]) -- C:\WINDOWS\system32\drivers\sscdbhk5.sys (Sonic Solutions) DRV - (ssrtln [System \| Running]) -- C:\WINDOWS\system32\drivers\ssrtln.sys (Sonic Solutions) DRV - (symc810 [Disabled \| Stopped]) -- C:\WINDOWS\System32\DRIVERS\symc810.sys (Symbios Logic Inc.) DRV - (symc8xx [Disabled \| Stopped]) -- C:\WINDOWS\System32\DRIVERS\symc8xx.sys (LSI Logic) DRV - (sym_hi [Disabled \| Stopped]) -- C:\WINDOWS\System32\DRIVERS\sym_hi.sys (LSI Logic) DRV - (sym_u3 [Disabled \| Stopped]) -- C:\WINDOWS\System32\DRIVERS\sym_u3.sys (LSI Logic) DRV - (tfsnboio [Auto \| Running]) -- C:\WINDOWS\system32\dla\tfsnboio.sys (Sonic Solutions) DRV - (tfsncofs [Auto \| Running]) -- C:\WINDOWS\system32\dla\tfsncofs.sys (Sonic Solutions) DRV - (tfsndrct [Auto \| Running]) -- C:\WINDOWS\system32\dla\tfsndrct.sys (Sonic Solutions) DRV - (tfsndres [Auto \| Running]) -- C:\WINDOWS\system32\dla\tfsndres.sys (Sonic Solutions) DRV - (tfsnifs [Auto \| Running]) -- C:\WINDOWS\system32\dla\tfsnifs.sys (Sonic Solutions) DRV - (tfsnopio [Auto \| Running]) -- C:\WINDOWS\system32\dla\tfsnopio.sys (Sonic Solutions) DRV - (tfsnpool [Auto \| Running]) -- C:\WINDOWS\system32\dla\tfsnpool.sys (Sonic Solutions) DRV - (tfsnudf [Auto \| Running]) -- C:\WINDOWS\system32\dla\tfsnudf.sys (Sonic Solutions) DRV - (tfsnudfa [Auto \| Running]) -- C:\WINDOWS\system32\dla\tfsnudfa.sys (Sonic Solutions) DRV - (ultra [Disabled \| Stopped]) -- C:\WINDOWS\System32\DRIVERS\ultra.sys (Promise Technology, Inc.) DRV - (vsdatant [System \| Running]) -- C:\WINDOWS\System32\vsdatant.sys (Check Point Software Technologies LTD) DRV - (iaStor [Boot \| Running]) -- C:\WINDOWS\system32\drivers\iaStor.sys (Intel Corporation) DRV - (XBCD [On_Demand \| Stopped]) -- C:\WINDOWS\System32\Drivers\xbcd.sys (Redcl0ud) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/ IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerm...tf8&oe=utf8 IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/ IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 ========== FireFox ========== FF - prefs.js..browser.startup.homepage: "www.yahoo.com" FF - prefs.js..extensions.enabledItems: {2fa4ed95-0317-4c6a-a74c-5f3e3912c1f9}:2.1.018 FF - prefs.js..extensions.enabledItems: {B7082FAA-CB62-4872-9106-E42DD88EDE45}:2.9 FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.0 FF - prefs.js..extensions.enabledItems: enquiries@retailmenot.com:2.2 FF - prefs.js..extensions.enabledItems: {AE93811A-5C9A-4d34-8462-F7B864FC4696}:3.28 FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.9 FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\PROGRAM FILES\MCAFEE\SITEADVISOR [2009/05/02 17:13:00 \| 00,000,000 \| ---D \| M] FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\WINDOWS PRESENTATION FOUNDATION\DOTNETASSISTANTEXTENSION\ [2009/04/19 18:24:26 \| 00,000,000 \| ---D \| M] FF - HKLM\software\mozilla\Mozilla Firefox 3.0.9\extensions\\Components: C:\PROGRAM FILES\MOZILLA FIREFOX\COMPONENTS [2009/04/25 15:40:36 \| 00,000,000 \| ---D \| M] FF - HKLM\software\mozilla\Mozilla Firefox 3.0.9\extensions\\Plugins: C:\PROGRAM FILES\MOZILLA FIREFOX\PLUGINS [2009/04/25 15:40:36 \| 00,000,000 \| ---D \| M] [2008/06/24 12:37:31 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Jake Armstrong\Application Data\mozilla\Extensions [2008/06/24 12:37:31 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Jake Armstrong\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384} [2009/04/20 18:01:33 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Jake Armstrong\Application Data\mozilla\Firefox\Profiles\14hl56g9.default\extensions [2008/12/21 22:29:27 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Jake Armstrong\Application Data\mozilla\Firefox\Profiles\14hl56g9.default\extensions\{2fa4ed95-0317-4c6a-a74c-5f3e3912c1f9} [2008/12/21 22:29:29 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Jake Armstrong\Application Data\mozilla\Firefox\Profiles\14hl56g9.default\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696} [2008/11/28 21:47:28 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Jake Armstrong\Application Data\mozilla\Firefox\Profiles\14hl56g9.default\extensions\enquiries@retailmenot.com [2007/03/19 20:50:00 \| 00,002,386 \| ---- \| M] () -- C:\Documents and Settings\Jake Armstrong\Application Data\Mozilla\FireFox\Profiles\14hl56g9.default\searchplugins\siteadvisor.xml [2009/04/15 00:50:17 \| 00,000,000 \| ---D \| M] -- C:\Program Files\mozilla firefox\extensions [2009/04/25 15:40:31 \| 00,000,000 \| ---D \| M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} [2009/04/25 15:40:30 \| 00,023,032 \| ---- \| M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll [2009/04/25 15:40:30 \| 00,134,648 \| ---- \| M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll [2005/09/15 19:26:00 \| 00,044,153 \| ---- \| M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\inspector.dll [2008/05/29 10:24:14 \| 00,001,394 \| ---- \| M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml [2008/05/29 10:24:14 \| 00,002,193 \| ---- \| M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml [2008/05/29 10:24:14 \| 00,001,534 \| ---- \| M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml [2008/11/13 17:46:39 \| 00,002,343 \| ---- \| M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml [2008/05/29 10:24:14 \| 00,001,706 \| ---- \| M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml [2008/05/29 10:24:14 \| 00,001,178 \| ---- \| M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml [2008/05/29 10:24:14 \| 00,000,792 \| ---- \| M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.xml O1 HOSTS File: (162019 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts O1 - Hosts: 127.0.0.1 localhost O1 - Hosts: 127.0.0.1 abcsearch.com O1 - Hosts: 127.0.0.1 admin.abcsearch.com O1 - Hosts: 127.0.0.1 www3.abcsearch.com #[Browseraid] O1 - Hosts: 127.0.0.1 www.abcsearch.com O1 - Hosts: 127.0.0.1 abc517.net #[Trojan.Mitglieder.H] O1 - Hosts: 127.0.0.1 acestats.com O1 - Hosts: 127.0.0.1 www.acestats.com O1 - Hosts: 127.0.0.1 actualnames.com #[Parasite.ActualNames] O1 - Hosts: 127.0.0.1 www.actualnames.com O1 - Hosts: 127.0.0.1 ad-up.com O1 - Hosts: 127.0.0.1 www.ad-up.com O1 - Hosts: 127.0.0.1 adatom.com O1 - Hosts: 127.0.0.1 aesp.adatom.com O1 - Hosts: 127.0.0.1 adbest.com O1 - Hosts: 127.0.0.1 adserv.adbonus.com O1 - Hosts: 127.0.0.1 www.adbonus.com O1 - Hosts: 127.0.0.1 www.adblaster2.info #[Restricted Zone site] O1 - Hosts: 127.0.0.1 ad2.adcept.net O1 - Hosts: 127.0.0.1 ad3.adcept.net O1 - Hosts: 127.0.0.1 www.adcept.net O1 - Hosts: 127.0.0.1 adcomplete.com O1 - Hosts: 127.0.0.1 www.adcomplete.com O1 - Hosts: 127.0.0.1 www.adcopy.info O1 - Hosts: 127.0.0.1 ads.adcorps.com O1 - Hosts: 4671 more lines... O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated) O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll (Sonic Solutions) O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.) O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll () O2 - BHO: (ZoneAlarm Spy Blocker BHO) - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL (ZoneAlarm) O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll () O3 - HKLM\..\Toolbar: (ZoneAlarm Spy Blocker) - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL (ZoneAlarm) O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - Reg Error: Key error. File not found O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Reg Error: Key error. File not found O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL (ZoneAlarm) O4 - HKLM..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe (Lavasoft) O4 - HKLM..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" () O4 - HKLM..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" (ATI Technologies, Inc.) O4 - HKLM..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE (Creative Technology Ltd) O4 - HKLM..\Run: [CTHelper] CTHELPER.EXE (Creative Technology Ltd) O4 - HKLM..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe (Creative Technology Ltd) O4 - HKLM..\Run: [CTxfiHlp] CTXFIHLP.EXE (Creative Technology Ltd) O4 - HKLM..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey (McAfee, Inc.) O4 - HKLM..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide (Microsoft Corporation) O4 - HKLM..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" (Check Point Software Technologies LTD) O4 - HKCU..\Run: [Aim6] File not found O4 - HKCU..\Run: [Sonic RecordNow!] File not found O4 - Startup: C:\Documents and Settings\Jake Armstrong\Start Menu\Programs\Startup\Dropbox.lnk = C:\Program Files\Dropbox\Dropbox.exe () O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption = O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext = O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1 O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [mdnsNSP] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.) O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone. O15 - HKCU\..Trusted Sites: ([]msn in My Computer) O15 - HKCU\..Trusted Sites: ibeta.com ([]https in Trusted sites) O15 - HKCU\..Trusted Domains: 130 domain(s) and sub-domain(s) not assigned to a zone. O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} http://www.creative.com/su/ocx/15026/CTSUEng.cab (Creative Software AutoUpdate) O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} http://download.mcafee.com/molbin/shared/m...84/mcinsctl.cab (McAfee.com Operating System Class) O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/...b?1157669761500 (WUWebControl Class) O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftu...b?1189035169546 (MUWebControl Class) O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.) O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} http://download.mcafee.com/molbin/shared/m...,21/mcgdmgr.cab (DwnldGroupMgr Class) O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} (Reg Error: Key error.) O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} (Reg Error: Key error.) O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} (Reg Error: Key error.) O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Reg Error: Key error.) O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} (Reg Error: Key error.) O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Reg Error: Key error.) O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} (Reg Error: Key error.) O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation) O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation) O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation) O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation) O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation) O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation) O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation) O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation) O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll () O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation) O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\system32\Ati2evxx.dll (ATI Technologies Inc.) O24 - Desktop Components:0 (My Current Home Page) - About:Home O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation) O31 - SafeBoot: AlternateShell - cmd.exe O32 - HKLM CDRom: AutoRun - 1 O32 - Autorun File - C:\AUTOEXEC.BAT () - [ NTFS ] O32 - Autorun File - D:\AUTORUN.INF () - [ CDFS ] O33 - MountPoints2\{8f3bd13e-1a76-11de-be7f-0011114ce840}\Shell\AutoRun\command - "" = .\Encryption Tool\MaxtorEncryption.exe O34 - HKLM BootExecute: (autocheck) - File not found O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation) O34 - HKLM BootExecute: () - File not found O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe () ========== Files/Folders - Created Within 30 Days ========== [2 C:\WINDOWS\.tmp files] [2009/04/25 16:07:58 \| 00,501,248 \| ---- \| C] (OldTimer Tools) -- C:\Documents and Settings\Jake Armstrong\Desktop\OTListIt2.exe [2009/04/25 15:44:32 \| 00,000,000 \| ---D \| C] -- C:\Rooter$ [2009/04/25 15:43:02 \| 00,267,612 \| ---- \| C] () -- C:\Documents and Settings\Jake Armstrong\Desktop\Rooter.exe [2009/04/25 14:49:19 \| 00,000,000 \| ---D \| C] -- C:\Documents and Settings\Jake Armstrong\Desktop\Laura - April 09 Reformat Backup [2009/04/25 14:48:19 \| 00,000,736 \| ---- \| C] () -- C:\Documents and Settings\Jake Armstrong\Start Menu\Programs\Startup\Dropbox.lnk [2009/04/25 14:48:18 \| 00,000,000 \| R--D \| C] -- C:\Documents and Settings\Jake Armstrong\My Documents\My Dropbox [2009/04/25 14:47:32 \| 00,000,000 \| ---D \| C] -- C:\Documents and Settings\Jake Armstrong\Application Data\Dropbox [2009/04/25 14:47:22 \| 00,000,000 \| ---D \| C] -- C:\Program Files\Dropbox [2009/04/25 14:46:56 \| 14,713,283 \| ---- \| C] () -- C:\Documents and Settings\Jake Armstrong\Desktop\Dropbox 0.6.507.exe [2009/04/19 19:07:55 \| 00,000,000 \| ---D \| C] -- C:\Program Files\AskBarDis [2009/04/19 19:05:26 \| 00,267,152 \| ---- \| C] () -- C:\Documents and Settings\Jake Armstrong\Desktop\zaSetup_en.exe [2009/04/19 18:41:03 \| 01,089,593 \| ---- \| C] () -- C:\WINDOWS\System32\dllcache\ntprint.cat [2009/04/19 18:22:48 \| 00,000,000 \| ---D \| C] -- C:\af0ea71116de5e28b0221cd74b9f372e [2009/04/16 22:02:03 \| 00,000,000 \| ---D \| C] -- C:\ecbcda8959d90bb53614628f71 [2009/04/16 22:01:54 \| 00,000,000 \| ---D \| C] -- C:\63d08c48af2a7ec9be62d7bf [2009/04/15 01:27:31 \| 00,000,000 \| ---D \| C] -- C:\035352f31869503708554840 [2009/04/15 01:27:22 \| 00,000,000 \| ---D \| C] -- C:\7879eed859d861a24b [2009/04/15 01:26:17 \| 00,284,160 \| ---- \| C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\pdh.dll [2009/04/15 01:26:16 \| 00,473,600 \| ---- \| C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\fastprox.dll [2009/04/15 01:26:16 \| 00,401,408 \| ---- \| C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\rpcss.dll [2009/04/15 01:26:16 \| 00,110,592 \| ---- \| C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\services.exe [2009/04/15 01:26:16 \| 00,035,328 \| ---- \| C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\sc.exe [2009/04/15 01:26:15 \| 00,729,088 \| ---- \| C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\lsasrv.dll [2009/04/15 01:26:15 \| 00,714,752 \| ---- \| C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntdll.dll [2009/04/15 01:26:15 \| 00,617,472 \| ---- \| C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\advapi32.dll [2009/04/15 01:26:15 \| 00,453,120 \| ---- \| C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmiprvsd.dll [2009/04/15 01:26:15 \| 00,227,840 \| ---- \| C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmiprvse.exe [2009/04/15 01:25:49 \| 00,002,560 \| ---- \| C] (Microsoft Corporation) -- C:\WINDOWS\System32\xpsp4res.dll [2009/04/15 01:25:48 \| 01,203,922 \| ---- \| C] () -- C:\WINDOWS\System32\dllcache\sysmain.sdb [2009/04/15 01:25:48 \| 00,215,552 \| ---- \| C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wordpad.exe [2009/04/14 22:56:29 \| 00,000,000 \| ---D \| C] -- C:\Documents and Settings\Jake Armstrong\Application Data\Malwarebytes [2009/04/14 22:56:26 \| 00,015,504 \| ---- \| C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys [2009/04/14 22:56:26 \| 00,000,720 \| ---- \| C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk [2009/04/14 22:56:23 \| 00,038,496 \| ---- \| C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys [2009/04/14 22:56:22 \| 00,000,000 \| ---D \| C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes [2009/04/14 22:56:21 \| 00,000,000 \| ---D \| C] -- C:\Program Files\Malwarebytes' Anti-Malware [2009/04/14 22:55:50 \| 02,967,800 \| ---- \| C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Jake Armstrong\Desktop\mbam-setup.exe [2009/04/14 22:55:21 \| 00,000,000 \| ---D \| C] -- C:\WINDOWS\ERDNT [2009/04/14 22:55:09 \| 00,000,000 \| ---D \| C] -- C:\Program Files\ERUNT [2009/04/14 22:54:52 \| 00,791,393 \| ---- \| C] (Lars Hederer ) -- C:\Documents and Settings\Jake Armstrong\Desktop\erunt_setup.exe [2009/04/14 22:50:47 \| 00,021,504 \| ---- \| C] (Doug Knox) -- C:\Documents and Settings\Jake Armstrong\Desktop\SysRestorePoint.exe [2008/06/16 19:12:13 \| 00,086,446 \| ---- \| C] () -- C:\WINDOWS\System32\instwdm.ini [2007/10/19 20:56:16 \| 03,596,288 \| ---- \| C] () -- C:\WINDOWS\System32\qt-dx331.dll [2007/10/19 20:54:28 \| 00,000,416 \| ---- \| C] () -- C:\WINDOWS\System32\dtu100.dll.manifest [2007/10/19 20:54:28 \| 00,000,416 \| ---- \| C] () -- C:\WINDOWS\System32\dpl100.dll.manifest [2007/10/18 05:02:34 \| 00,012,288 \| ---- \| C] () -- C:\WINDOWS\System32\DivXWMPExtType.dll [2007/07/11 19:25:54 \| 00,685,816 \| ---- \| C] () -- C:\WINDOWS\System32\drivers\sptd.sys [2007/05/24 00:55:39 \| 00,077,312 \| ---- \| C] () -- C:\WINDOWS\ua2.dll [2007/03/25 18:31:34 \| 00,000,029 \| ---- \| C] () -- C:\WINDOWS\atid.ini [2007/03/24 02:11:32 \| 00,000,051 \| ---- \| C] () -- C:\WINDOWS\iTouch.ini [2007/03/19 19:57:59 \| 00,003,072 \| ---- \| C] () -- C:\WINDOWS\CTXFIRES.DLL [2007/01/13 01:45:17 \| 00,000,077 \| ---- \| C] () -- C:\WINDOWS\System32\winitn.dll [2007/01/13 01:45:07 \| 00,000,001 \| ---- \| C] () -- C:\WINDOWS\sslzdlt.dll [2007/01/12 23:15:30 \| 00,000,140 \| ---- \| C] () -- C:\WINDOWS\ODBC.INI [2006/08/11 14:57:18 \| 00,037,888 \| ---- \| C] () -- C:\WINDOWS\System32\CTBURST.DLL [2006/07/14 15:43:24 \| 00,000,000 \| ---- \| C] () -- C:\WINDOWS\OpPrintServer.INI [2006/06/22 12:21:38 \| 00,796,584 \| ---- \| C] () -- C:\WINDOWS\System32\libeay32_0.9.6l.dll [2006/05/23 12:40:34 \| 00,000,269 \| ---- \| C] () -- C:\WINDOWS\System32\KILL.INI [2006/01/10 15:08:05 \| 00,049,131 \| ---- \| C] () -- C:\WINDOWS\CDPLAYER.INI [2005/10/09 15:40:17 \| 00,000,252 \| ---- \| C] () -- C:\WINDOWS\CS_MD_T.ini [2005/10/04 22:16:41 \| 00,043,520 \| ---- \| C] () -- C:\WINDOWS\System32\CmdLineExt03.dll [2005/08/17 18:49:27 \| 00,006,048 \| ---- \| C] () -- C:\WINDOWS\System32\MCC16.dll [2005/08/17 18:48:47 \| 00,040,448 \| ---- \| C] () -- C:\WINDOWS\System32\BJAXSecurityManager.dll [2005/08/17 18:48:46 \| 00,086,016 \| ---- \| C] () -- C:\WINDOWS\System32\BJInstaller.dll [2005/08/11 22:14:27 \| 00,000,219 \| ---- \| C] () -- C:\WINDOWS\MugE.ini [2005/07/24 22:26:41 \| 00,000,112 \| ---- \| C] () -- C:\WINDOWS\ActiveSkin.INI [2005/07/22 18:38:00 \| 00,047,104 \| ---- \| C] () -- C:\WINDOWS\System32\KMVIDC32.DLL [2005/06/18 13:05:28 \| 00,000,275 \| ---- \| C] () -- C:\WINDOWS\mercury.ini [2005/06/16 18:17:16 \| 00,071,680 \| ---- \| C] () -- C:\WINDOWS\System32\CTMMACTL.DLL [2005/04/29 22:34:16 \| 00,000,754 \| ---- \| C] () -- C:\WINDOWS\WORDPAD.INI [2005/04/22 23:25:05 \| 00,000,019 \| ---- \| C] () -- C:\WINDOWS\info1.ini [2005/04/08 00:47:14 \| 00,049,152 \| ---- \| C] () -- C:\WINDOWS\System32\OctaneARM.dll [2005/02/08 22:18:27 \| 00,139,280 \| ---- \| C] () -- C:\WINDOWS\System32\CSGina.dll [2004/11/21 23:27:49 \| 00,021,840 \| ---- \| C] () -- C:\WINDOWS\System32\SIntfNT.dll [2004/11/21 23:27:49 \| 00,017,212 \| ---- \| C] () -- C:\WINDOWS\System32\SIntf32.dll [2004/11/21 23:27:49 \| 00,012,067 \| ---- \| C] () -- C:\WINDOWS\System32\SIntf16.dll [2004/10/26 18:39:05 \| 03,375,104 \| ---- \| C] () -- C:\WINDOWS\System32\qt-mt331.dll [2004/09/18 23:28:07 \| 00,003,972 \| ---- \| C] () -- C:\WINDOWS\System32\drivers\PciBus.sys [2004/09/18 21:39:35 \| 00,000,104 \| RHS- \| C] () -- C:\WINDOWS\System32\F777779CAF.sys [2004/09/17 23:17:52 \| 00,001,125 \| ---- \| C] () -- C:\WINDOWS\winamp.ini [2004/09/13 12:19:31 \| 00,000,061 \| ---- \| C] () -- C:\WINDOWS\smscfg.ini [2004/09/13 12:12:36 \| 00,000,138 \| ---- \| C] () -- C:\WINDOWS\wininit.ini [2004/09/13 12:09:46 \| 00,000,231 \| ---- \| C] () -- C:\WINDOWS\AC3API.INI [2004/09/13 12:09:34 \| 00,066,807 \| ---- \| C] () -- C:\WINDOWS\System32\Aud2_Del.ini [2004/09/13 12:09:34 \| 00,000,191 \| ---- \| C] () -- C:\WINDOWS\System32\ctzapxx.ini [2004/09/13 12:09:32 \| 00,033,792 \| ---- \| C] ( ) -- C:\WINDOWS\System32\a3d.dll [2004/09/13 12:09:15 \| 00,000,136 \| ---- \| C] () -- C:\WINDOWS\SBWIN.INI [2004/09/13 11:58:18 \| 00,363,520 \| ---- \| C] () -- C:\WINDOWS\System32\psisdecd.dll [2004/09/13 11:43:54 \| 00,000,552 \| ---- \| C] () -- C:\WINDOWS\System32\OEMINFO.INI [2004/07/29 02:19:46 \| 00,237,568 \| ---- \| C] () -- C:\WINDOWS\System32\lame_enc.dll [2004/03/26 17:59:22 \| 00,000,000 \| ---- \| C] () -- C:\WINDOWS\System32\px.ini [2004/03/20 14:21:34 \| 00,000,791 \| ---- \| C] () -- C:\WINDOWS\ORUN32.INI [2004/03/20 13:58:32 \| 00,000,625 \| ---- \| C] () -- C:\WINDOWS\WIN.INI [2004/03/20 13:50:44 \| 00,000,227 \| ---- \| C] () -- C:\WINDOWS\SYSTEM.INI [2004/03/19 18:37:28 \| 00,001,793 \| ---- \| C] () -- C:\WINDOWS\System32\FXSPERF.INI [2003/06/11 09:43:48 \| 00,000,016 \| ---- \| C] () -- C:\WINDOWS\System32\tfosd.dll ========== Files - Modified Within 30 Days ========== [13 C:\WINDOWS\System32\.tmp files] [2 C:\WINDOWS\.tmp files] [2009/05/02 17:10:02 \| 00,000,330 \| -H-- \| M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job [2009/05/02 17:08:06 \| 00,350,198 \| -H-- \| M] () -- C:\WINDOWS\System32\vsconfig.xml [2009/05/02 17:07:03 \| 00,002,278 \| ---- \| M] () -- C:\WINDOWS\System32\WPA.DBL [2009/05/02 17:06:45 \| 00,000,868 \| ---- \| M] () -- C:\WINDOWS\tasks\Google Software Updater.job [2009/05/02 17:05:42 \| 00,000,006 \| -H-- \| M] () -- C:\WINDOWS\tasks\SA.DAT [2009/05/02 17:05:39 \| 00,002,048 \| --S- \| M] () -- C:\WINDOWS\BOOTSTAT.DAT [2009/04/25 17:26:10 \| 04,958,588 \| ---- \| M] () -- C:\WINDOWS\{00000004-00000000-00000001-00001102-00000004-10031102}.CDF [2009/04/25 17:26:10 \| 04,958,588 \| ---- \| M] () -- C:\WINDOWS\{00000004-00000000-00000001-00001102-00000004-10031102}.BAK [2009/04/25 16:08:49 \| 00,501,248 \| ---- \| M] (OldTimer Tools) -- C:\Documents and Settings\Jake Armstrong\Desktop\OTListIt2.exe [2009/04/25 15:44:19 \| 00,267,612 \| ---- \| M] () -- C:\Documents and Settings\Jake Armstrong\Desktop\Rooter.exe [2009/04/25 15:21:32 \| 00,030,744 \| ---- \| M] () -- C:\WINDOWS\System32\BMXStateBkp-{00000004-00000000-00000001-00001102-00000004-10031102}.rfx [2009/04/25 15:21:32 \| 00,030,744 \| ---- \| M] () -- C:\WINDOWS\System32\BMXState-{00000004-00000000-00000001-00001102-00000004-10031102}.rfx [2009/04/25 15:21:32 \| 00,030,120 \| ---- \| M] () -- C:\WINDOWS\System32\BMXCtrlState-{00000004-00000000-00000001-00001102-00000004-10031102}.rfx [2009/04/25 15:21:32 \| 00,030,120 \| ---- \| M] () -- C:\WINDOWS\System32\BMXBkpCtrlState-{00000004-00000000-00000001-00001102-00000004-10031102}.rfx [2009/04/25 15:21:32 \| 00,011,564 \| ---- \| M] () -- C:\WINDOWS\System32\DVCState-{00000004-00000000-00000001-00001102-00000004-10031102}.rfx [2009/04/25 15:21:32 \| 00,001,080 \| ---- \| M] () -- C:\WINDOWS\System32\settingsbkup.sfm [2009/04/25 15:21:32 \| 00,001,080 \| ---- \| M] () -- C:\WINDOWS\System32\settings.sfm [2009/04/25 14:50:26 \| 00,000,720 \| ---- \| M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk [2009/04/25 14:48:19 \| 00,000,736 \| ---- \| M] () -- C:\Documents and Settings\Jake Armstrong\Start Menu\Programs\Startup\Dropbox.lnk [2009/04/25 14:47:16 \| 14,713,283 \| ---- \| M] () -- C:\Documents and Settings\Jake Armstrong\Desktop\Dropbox 0.6.507.exe [2009/04/19 19:07:31 \| 00,004,212 \| -H-- \| M] () -- C:\WINDOWS\System32\zllictbl.dat [2009/04/19 19:05:28 \| 00,267,152 \| ---- \| M] () -- C:\Documents and Settings\Jake Armstrong\Desktop\zaSetup_en.exe [2009/04/19 18:38:17 \| 00,000,625 \| ---- \| M] () -- C:\WINDOWS\WIN.INI [2009/04/19 18:38:17 \| 00,000,227 \| ---- \| M] () -- C:\WINDOWS\SYSTEM.INI [2009/04/19 18:38:17 \| 00,000,211 \| RHS- \| M] () -- C:\BOOT.INI [2009/04/19 18:37:09 \| 00,080,248 \| ---- \| M] () -- C:\Documents and Settings\Jake Armstrong\Local Settings\Application Data\GDIPFONTCACHEV1.DAT [2009/04/19 18:36:54 \| 00,328,296 \| ---- \| M] () -- C:\WINDOWS\System32\FNTCACHE.DAT [2009/04/19 18:26:29 \| 00,503,486 \| ---- \| M] () -- C:\WINDOWS\System32\PerfStringBackup.INI [2009/04/19 18:26:29 \| 00,442,466 \| ---- \| M] () -- C:\WINDOWS\System32\PERFH009.DAT [2009/04/19 18:26:29 \| 00,071,732 \| ---- \| M] () -- C:\WINDOWS\System32\PERFC009.DAT [2009/04/19 18:07:07 \| 00,001,374 \| ---- \| M] () -- C:\WINDOWS\imsins.BAK [2009/04/16 21:55:35 \| 00,000,962 \| ---- \| M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-732879689-3863515153-2116675926-1005.job [2009/04/15 01:00:02 \| 00,000,282 \| ---- \| M] () -- C:\WINDOWS\tasks\McDefragTask.job [2009/04/14 22:56:01 \| 02,967,800 \| ---- \| M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Jake Armstrong\Desktop\mbam-setup.exe [2009/04/14 22:54:54 \| 00,791,393 \| ---- \| M] (Lars Hederer ) -- C:\Documents and Settings\Jake Armstrong\Desktop\erunt_setup.exe [2009/04/14 22:50:51 \| 00,021,504 \| ---- \| M] (Doug Knox) -- C:\Documents and Settings\Jake Armstrong\Desktop\SysRestorePoint.exe [2009/04/06 15:32:54 \| 00,038,496 \| ---- \| M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys [2009/04/06 15:32:46 \| 00,015,504 \| ---- \| M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys [2009/04/06 10:57:24 \| 24,921,544 \| ---- \| M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe < End of report >

Jimmy2012 View Member Profile	May 2 2009, 10:22 PM Post #4
Trusted Helper Posts: 6,238 From: Ohio, USA OS: Windows XP, Fedora, Ubuntu	Hello Pyetr, Please start Malwarebytes' Anti-Malware and update it. To update please do this, click Update and then click Check for Updates. It will now install any updates it finds. Once it is done updating please click Scanner and then click "Perform Quick Scan", then click Scan. The scan may take some time to finish,so please be patient. When the scan is complete, click OK, then Show Results to view the results. Make sure that everything is checked, and click Remove Selected. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note) The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM. Copy&Paste the entire report in your next reply. Extra Note: If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly. Please run a free online scan with the ESET Online Scanner *Note*: You will need to use Internet Explorer for this scan Tick the box next to YES, I accept the Terms of Use Click Start When asked, allow the ActiveX control to install Click Start Make sure that the options Remove found threats and the option Scan unwanted applications is checked Click Scan (This scan can take several hours, so please be patient) Once the scan is completed, you may close the window Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt Copy and paste that log as a reply to this topic ~~~~~~~~~~~~~~~ In your next reply please have these logs. The Malwarebytes log And the Eset log

Pyetr View Member Profile	May 3 2009, 12:51 PM Post #5
New Member Posts: 9 OS: Windows XP	Ok, Malwarebytes currently doesn't find anything, but I was unable to update it. It gave an error when I tried. Log from the run is below. I had run this before, and it did find a few things, mostly Vundo, but it looks like it got rid of them. This has not fixed the problem. I attempted to run the Eset scanner, but after running the ActiveX and installing, it tried to update. This also failed, and the scan never started. Malwarebytes' Anti-Malware 1.36 Database version: 1945 Windows 5.1.2600 Service Pack 3 5/3/2009 2:41:29 PM mbam-log-2009-05-03 (14-41-29).txt Scan type: Quick Scan Objects scanned: 79610 Time elapsed: 6 minute(s), 29 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected)

Jimmy2012 View Member Profile	May 3 2009, 02:06 PM Post #6
Trusted Helper Posts: 6,238 From: Ohio, USA OS: Windows XP, Fedora, Ubuntu	Hello Pyetr, Please run the following program. Download ComboFix from one of these locations: Link 1 Link 2 Link 3 * IMPORTANT !!! Save ComboFix.exe to your Desktop Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools Double click on ComboFix.exe & follow the prompts. As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware. Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console. Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures. Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message: Click on Yes, to continue scanning for malware. When finished, it shall produce a log for you. Please include the C:\ComboFix.txt** in your next reply.

Pyetr View Member Profile	May 3 2009, 02:39 PM Post #7
New Member Posts: 9 OS: Windows XP	Ok, done. It actually gave me a blue screen (Bad_Pool_Caller) when I tried to run the first time, but it worked the second time. Log below: ComboFix 09-05-03.1 - Jake Armstrong 05/03/2009 16:30.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1503 [GMT -4:00] Running from: c:\documents and settings\Jake Armstrong\Desktop\ComboFix.exe AV: McAfee VirusScan On-access scanning disabled (Updated) FW: ZoneAlarm Firewall enabled . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\windows\SYSTEM\ntp2.ini . ((((((((((((((((((((((((( Files Created from 2009-04-03 to 2009-05-03 ))))))))))))))))))))))))))))))) . 2009-05-03 18:44 . 2009-05-03 18:44 -------- d-----w c:\program files\EsetOnlineScanner 2009-04-25 19:44 . 2009-04-25 19:46 -------- d-----w C:\Rooter$ 2009-04-25 19:41 . 2009-04-25 19:41 -------- d-----w c:\windows\system32\config\systemprofile\Application Data\SACore 2009-04-25 18:47 . 2009-05-03 20:20 -------- d-----w c:\documents and settings\Jake Armstrong\Application Data\Dropbox 2009-04-25 18:47 . 2009-05-03 18:28 -------- d-----w c:\program files\Dropbox 2009-04-19 23:07 . 2009-04-19 23:07 -------- d-----w c:\program files\AskBarDis 2009-04-19 22:22 . 2009-04-19 22:23 -------- d-----w C:\af0ea71116de5e28b0221cd74b9f372e 2009-04-17 02:02 . 2009-04-17 02:02 -------- d-----w C:\ecbcda8959d90bb53614628f71 2009-04-17 02:01 . 2009-04-17 03:03 -------- d-----w C:\63d08c48af2a7ec9be62d7bf 2009-04-15 05:27 . 2009-04-15 05:27 -------- d-----w C:\035352f31869503708554840 2009-04-15 05:27 . 2009-04-15 06:11 -------- d-----w C:\7879eed859d861a24b 2009-04-15 05:26 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll 2009-04-15 05:26 . 2009-02-06 10:39 35328 ------w c:\windows\system32\dllcache\sc.exe 2009-04-15 05:26 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll 2009-04-15 05:26 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe 2009-04-15 05:26 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll 2009-04-15 05:26 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe 2009-04-15 05:26 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll 2009-04-15 05:26 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll 2009-04-15 05:26 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll 2009-04-15 05:26 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll 2009-04-15 05:25 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll 2009-04-15 05:25 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe 2009-04-15 02:56 . 2009-04-15 02:56 -------- d-----w c:\documents and settings\Jake Armstrong\Application Data\Malwarebytes 2009-04-15 02:56 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys 2009-04-15 02:56 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys 2009-04-15 02:56 . 2009-04-15 02:56 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes 2009-04-15 02:56 . 2009-04-15 05:03 -------- d-----w c:\program files\Malwarebytes' Anti-Malware 2009-04-15 02:55 . 2009-04-15 02:55 -------- d-----w c:\program files\ERUNT . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-05-03 20:32 . 2006-12-08 01:15 330 ---ha-w c:\windows\Tasks\MP Scheduled Scan.job 2009-05-03 20:26 . 2004-09-13 15:59 6 ---ha-w c:\windows\Tasks\SA.DAT 2009-05-03 20:20 . 2009-03-24 20:08 868 ----a-w c:\windows\Tasks\Google Software Updater.job 2009-05-03 20:18 . 2009-05-03 20:22 3171840 ----a-w c:\windows\Internet Logs\xDB8E.tmp 2009-04-25 19:19 . 2006-08-04 13:56 -------- d-----w c:\program files\McAfee 2009-04-25 18:56 . 2005-11-06 21:02 -------- d-----w c:\program files\World of Warcraft 2009-04-20 22:36 . 2007-05-23 22:43 -------- d-----w c:\program files\Security Task Manager 2009-04-19 23:07 . 2004-09-18 02:17 4212 ---ha-w c:\windows\system32\zllictbl.dat 2009-04-19 22:37 . 2004-09-18 02:46 80248 ----a-w c:\documents and settings\Jake Armstrong\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2009-04-19 21:54 . 2004-09-18 04:31 -------- d-----w c:\program files\BOINC 2009-04-17 01:55 . 2009-03-29 16:15 962 ----a-w c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-732879689-3863515153-2116675926-1005.job 2009-04-15 05:00 . 2006-08-04 13:57 282 ----a-w c:\windows\Tasks\McDefragTask.job 2009-04-15 02:52 . 2004-09-13 16:06 -------- d-----w c:\program files\Java 2009-03-31 04:47 . 2004-09-18 03:24 -------- d-----w c:\program files\Lavasoft 2009-03-31 04:41 . 2009-03-31 04:41 -------- d-----w c:\program files\Trend Micro 2009-03-30 22:20 . 2009-03-28 22:19 472 ----a-w c:\windows\Tasks\Ad-Aware Update (Weekly).job 2009-03-29 01:47 . 2008-08-19 01:02 284 ----a-w c:\windows\Tasks\AppleSoftwareUpdate.job 2009-03-27 21:15 . 2005-10-22 16:44 408 ----a-w c:\windows\Tasks\1-Click Maintenance.job 2009-03-20 23:46 . 2005-10-15 07:06 51858060 ----a-w c:\windows\Internet Logs\tvDebug.zip 2009-03-09 19:06 . 2009-03-28 23:48 15688 ----a-w c:\windows\system32\lsdelete.exe 2009-03-09 19:06 . 2009-03-28 22:20 64160 ----a-w c:\windows\system32\drivers\Lbd.sys 2009-03-08 01:32 . 2007-09-12 23:00 -------- d-----w c:\program files\Steam 2009-03-06 14:22 . 2004-03-19 22:41 284160 ----a-w c:\windows\system32\pdh.dll 2009-03-03 00:18 . 2004-02-06 23:05 826368 ----a-w c:\windows\system32\wininet.dll 2009-03-01 06:00 . 2006-08-04 13:57 374 ----a-w c:\windows\Tasks\McQcTask.job 2009-02-20 18:09 . 2004-08-04 07:56 78336 ----a-w c:\windows\system32\ieencode.dll 2009-02-17 21:09 . 2008-09-17 03:29 129 ---ha-w c:\documents and settings\Jake Armstrong\Application Data\lakerda1967.sys 2009-02-16 04:10 . 2008-12-22 01:46 1221512 ----a-w c:\windows\system32\zpeng25.dll 2009-02-09 12:10 . 2004-03-30 01:48 729088 ----a-w c:\windows\system32\lsasrv.dll 2009-02-09 12:10 . 2004-03-19 22:33 617472 ----a-w c:\windows\system32\advapi32.dll 2009-02-09 12:10 . 2004-03-06 02:16 401408 ----a-w c:\windows\system32\rpcss.dll 2009-02-09 12:10 . 2003-05-01 16:56 714752 ----a-w c:\windows\system32\ntdll.dll 2009-02-09 11:13 . 2003-09-25 14:35 1846784 ----a-w c:\windows\system32\win32k.sys 2009-02-06 11:11 . 2004-03-19 22:42 110592 ----a-w c:\windows\system32\services.exe 2009-02-06 11:06 . 1980-01-01 05:00 2145280 ----a-w c:\windows\system32\ntoskrnl.exe 2009-02-06 10:39 . 2004-03-19 22:42 35328 ----a-w c:\windows\system32\sc.exe 2009-02-06 10:32 . 1980-01-01 05:00 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe 2009-02-03 19:59 . 2004-03-19 22:42 56832 ----a-w c:\windows\system32\secur32.dll 2005-09-15 23:26 . 2004-11-10 00:23 44153 ----a-w c:\program files\mozilla firefox\components\inspector.dll 1999-04-23 22:22 . 1999-04-23 22:22 12 --sha-w c:\windows\SYSTEM\WININETICMP32.drv 2005-05-07 20:24 . 2004-09-19 01:39 104 --sh--r c:\windows\SYSTEM32\F777779CAF.sys . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1] @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}] 2009-04-01 08:14 1163264 ----a-w c:\program files\Dropbox\DropboxExt.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2] @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}] 2009-04-01 08:14 1163264 ----a-w c:\program files\Dropbox\DropboxExt.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3] @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}] 2009-04-01 08:14 1163264 ----a-w c:\program files\Dropbox\DropboxExt.dll [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "CTSysVol"="c:\program files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2002-10-29 49152] "CTDVDDet"="c:\program files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [2002-09-30 45056] "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-09-15 344064] "ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112] "mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-09 645328] "Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 515416] "ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384] "CTHelper"="CTHELPER.EXE" - c:\windows\CTHELPER.EXE [2006-08-11 17920] "CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\SYSTEM32\CTXFIHLP.EXE [2006-08-11 18944] c:\documents and settings\Jake Armstrong\Start Menu\Programs\Startup\ Dropbox.lnk - c:\program files\Dropbox\Dropbox.exe [2009-4-8 25598505] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service] @="Service" [HKLM\~\startupfolder\C:^Documents and Settings^Jake Armstrong^Start Menu^Programs^Startup^BOINC Manager.lnk] path=c:\documents and settings\Jake Armstrong\Start Menu\Programs\Startup\BOINC Manager.lnk backup=c:\windows\pss\BOINC Manager.lnkStartup [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusOverride"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"= "c:\\Program Files\\Kontiki\\KService.exe"= "c:\\Program Files\\Steam\\Steam.exe"= "c:\\Program Files\\Winamp Remote\\bin\\Orb.exe"= "c:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"= "c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\Steam\\steamapps\\common\\peggle extreme\\PeggleExtreme.exe"= "c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"= R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-09 951632] R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-02-11 210216] R2 X4HS32;X4HS32; [x] R3 jnv4_mib;jnv4_mib; [x] R3 LCcfltr;Logitech USB Filter Driver;c:\windows\system32\Drivers\LCcFltr.Sys [2003-11-07 14092] R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-04-06 38496] R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652] S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-03-09 64160] S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8f3bd13e-1a76-11de-be7f-0011114ce840}] \Shell\AutoRun\command - .\Encryption Tool\MaxtorEncryption.exe . Contents of the 'Scheduled Tasks' folder 2009-03-30 c:\windows\Tasks\Ad-Aware Update (Weekly).job - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 19:06] 2009-03-29 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:34] 2009-05-03 c:\windows\Tasks\Google Software Updater.job - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-07-22 20:08] 2009-04-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-732879689-3863515153-2116675926-1005.job - c:\documents and settings\Jake Armstrong\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-03-29 16:15] 2009-04-15 c:\windows\Tasks\McDefragTask.job - c:\windows\system32\defrag.exe [2004-03-19 00:12] 2009-03-01 c:\windows\Tasks\McQcTask.job - c:\program files\mcafee\mqc\QcConsol.exe [2006-08-04 14:53] 2009-05-03 c:\windows\Tasks\MP Scheduled Scan.job - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20] . - - - - ORPHANS REMOVED - - - - HKCU-Run-Sonic RecordNow! - (no file) HKCU-Run-Aim6 - (no file) . ------- Supplementary Scan ------- . uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s Trusted Zone: ibeta.com FF - ProfilePath - c:\documents and settings\Jake Armstrong\Application Data\Mozilla\Firefox\Profiles\14hl56g9.default\ FF - prefs.js: browser.startup.homepage - www.yahoo.com FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll FF - plugin: c:\documents and settings\Jake Armstrong\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMGWRAP.DLL FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\nppopcaploader.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\NPZoneSB.dll FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll . ************************************************************************ catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-05-03 16:32 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... ************************************************************************ . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_LOCAL_MACHINE\software\Microsoft\Driver Signing] @Denied: (2) (Administrators) "Policy"=hex:00,00,00,00 . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(800) c:\windows\system32\Ati2evxx.dll . Completion time: 2009-05-03 16:35 ComboFix-quarantined-files.txt 2009-05-03 20:34 Pre-Run: 152,663,031,808 bytes free Post-Run: 152,825,065,472 bytes free Current=1 Default=1 Failed=0 LastKnownGood=3 Sets=1,2,3,4 217 --- E O F --- 2009-05-03 18:29

Jimmy2012 View Member Profile	May 3 2009, 08:08 PM Post #8
Trusted Helper Posts: 6,238 From: Ohio, USA OS: Windows XP, Fedora, Ubuntu	Hello Pyetr, Make sure to use Internet Explorer for this Please go to VirSCAN.org FREE on-line scan service Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page: c:\windows\SYSTEM32\F777779CAF.sys Click on the Upload button Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard. Paste the contents of the Clipboard in your next reply.

Pyetr View Member Profile	May 3 2009, 09:04 PM Post #9
New Member Posts: 9 OS: Windows XP	Ok, copied below. It doesn't look like that's a virus. The good news is that something I did in here seems like it may have worked, systems appear to be back to normal. VirSCAN.org Scanned Report : Scanned time : 2009/05/03 22:54:21 (EDT) Scanner results: All Scanners reported not find malware! File Name : F777779CAF.sys File Size : 104 byte File Type : data MD5 : 0a55c0a9dd13656763e4b66fe32ebf63 SHA1 : 08f00b3abcd783ce914c565a8292990f0690c47d Online report : http://virscan.org/report/088573e02ebe221f...255454cd0a.html Scanner Engine Ver Sig Ver Sig Date Time Scan result a-squared 4.0.0.32 20090504063155 2009-05-04 1.88 - AhnLab V3 2009.05.03.00 2009.05.03 2009-05-03 0.69 - AntiVir 7.9.0.160 7.1.3.143 2009-05-03 2.02 - Antiy 2.0.18 20090503.2333071 2009-05-03 0.02 - Arcavir 2009 200905021130 2009-05-02 0.01 - Authentium 5.1.1 200905032011 2009-05-03 1.10 - AVAST! 3.0.1 090503-0 2009-05-03 0.00 - AVG 7.5.52.442 270.12.11/2089 2009-04-30 2.03 - BitDefender 7.81008.2901664 7.25181 2009-05-04 2.68 - CA (VET) 9.0.0.143 31.6.6486 2009-05-02 8.73 - ClamAV 0.95 9320 2009-05-03 0.00 - Comodo 3.8 1149 2009-05-03 0.66 - CP Secure 1.1.0.715 2009.05.03 2009-05-03 8.78 - Dr.Web 4.44.0.9170 2009.05.03 2009-05-03 4.50 - F-Prot 4.4.4.56 20090503 2009-05-03 1.14 - F-Secure 5.51.6100 2009.05.03.03 2009-05-03 0.03 - Fortinet 2.81-3.117 10.348 2009-05-03 0.45 - GData 19.5010/19.318 20090504 2009-05-04 10.16 - ViRobot 20090501 2009.05.01 2009-05-01 0.62 - Ikarus T3.1.01.49 2009.05.03.72666 2009-05-03 2.77 - JiangMin 11.0.706 2009.05.03 2009-05-03 4.86 - Kaspersky 5.5.10 2009.05.04 2009-05-04 0.02 - KingSoft 2009.2.5.15 2009.5.4.7 2009-05-04 0.41 - McAfee 5.3.00 5604 2009-05-03 2.80 - Microsoft 1.4602 2009.05.04 2009-05-04 12.27 - mks_vir 2.01 2009.05.03 2009-05-03 2.75 - Norman 6.00.06 6.00.00 2009-04-28 10.01 - Panda 9.05.01 2009.05.02 2009-05-02 5.81 - Trend Micro 8.700-1004 6.104.40 2009-05-03 0.02 - Quick Heal 10.00 2009.05.02 2009-05-02 2.24 - Rising 20.0 21.27.41.00 2009-05-01 1.65 - Sophos 2.86.0 4.41 2009-05-04 2.19 - Sunbelt 5119 5119 2009-05-03 0.97 - Symantec 1.3.0.24 20090503.003 2009-05-03 0.23 - nProtect 20090501.01 3562396 2009-05-01 38.31 - The Hacker 6.3.4.1 v00318 2009-05-03 2.39 - VBA32 3.12.10.4 20090503.1052 2009-05-03 1.71 - VirusBuster 4.5.11.10 10.105.14/1315222 2009-05-03 3.12 -

Jimmy2012 View Member Profile	May 4 2009, 04:06 PM Post #10
Trusted Helper Posts: 6,238 From: Ohio, USA OS: Windows XP, Fedora, Ubuntu	Hello Pyetr, That's good to hear. Please try to run the following scan. Download Dr.Web CureIt to the desktop: ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe Doubleclick the drweb-cureit.exe file and Allow to run the express scan This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan. Once the short scan has finished, mark the drives that you want to scan. Select all drives. A red dot shows which drives have been chosen. Click the green arrow at the right, and the scan will start. Click 'Yes to all' if it asks if you want to cure/move the file. When the scan has finished, in the menu, click file and choose save report list Save the report to your desktop. The report will be called DrWeb.csv Close Dr.Web Cureit. Please post the log from Dr.Web Cureit in your next reply.

Pyetr View Member Profile	May 5 2009, 06:06 PM Post #11
New Member Posts: 9 OS: Windows XP	Ok, report is: inst.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_6.0.28.3;Probably BACKDOOR.Trojan;; ocpinst.exe\data529;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_6.0.28.3\ocpinst.exe;Probably BACKDOOR.Trojan;; ocpinst.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_6.0.28.3;Archive contains infected objects;; ComboFix.exe/data002\32788R22FWJFW\FIND3M.bat;C:\Documents and Settings\Jake Armstrong\Desktop\ComboFix.exe/data002;Probably BATCH.Virus;; ComboFix.exe/data002\32788R22FWJFW\psexec.cfexe;C:\Documents and Settings\Jake Armstrong\Desktop\ComboFix.exe/data002;Program.PsExec.171;; data002;C:\Documents and Settings\Jake Armstrong\Desktop;Archive contains infected objects;; ComboFix.exe;C:\Documents and Settings\Jake Armstrong\Desktop;Container contains infected objects;; InstallHelper.exe;C:\Program Files\Common Files\Motive;Probably MULDROP.Trojan;; cleaner.log;C:\Program Files\Microsoft AntiSpyware;Probably SCRIPT.Virus;; nppopcaploader.dll;C:\Program Files\Mozilla Firefox\plugins;Program.PopcapLoader.origin;; A0433312.bat;C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1048;Probably BATCH.Virus;; A0433377.bat;C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1048;Probably BATCH.Virus;; A0433457.bat;C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1048;Probably BATCH.Virus;;

Jimmy2012 View Member Profile	May 6 2009, 11:39 AM Post #12
Trusted Helper Posts: 6,238 From: Ohio, USA OS: Windows XP, Fedora, Ubuntu	Hello Pyetr, How is your computer running now?

Pyetr View Member Profile	May 7 2009, 05:58 PM Post #13
New Member Posts: 9 OS: Windows XP	It seems to be running more or less ok, but I was worried about the Cureit log, since it had some potential trojans and such. Does it look like those are false alarms?

Jimmy2012 View Member Profile	May 8 2009, 03:55 PM Post #14
Trusted Helper Posts: 6,238 From: Ohio, USA OS: Windows XP, Fedora, Ubuntu	Hello Pyetr, Some of them were false alarms, but the ones that needed to go, Dr.Web removed them. Your logs look clean, just a few more things to do. You are using a old version of Adobe Acrobat Reader, please update it here. Please download OTCleanIt and save it to your Desktop. Double-click OTCleanIt.exe Click the CleanUp! button to begin removing tools used to clean your computer If you are prompted to Reboot during the cleanup, please select Yes Please remove any leftover tools used to clean your computer. Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected) 1. Turn off System Restore. On the Desktop, right-click My Computer. Click Properties. Click the System Restore tab. Check Turn off System Restore. Click Apply, and then click OK. 2. Restart your computer. 3. Turn ON System Restore. On the Desktop, right-click My Computer. Click Properties. Click the System Restore tab. UN-Check Turn off System Restore. Click Apply, and then click OK. System Restore will now be active again. The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again. 1. Spywareguard: Is realtime protection from spyware. 2. Spywareblaster: Helps protect against any bad ActiveX from installing on your computer. 3. SuperAntiSpyware: Use this program to help remove any spyware that may have gotten on your computer. 4. FireFox: This is a great alternate browser over Internet Explorer. Firefox is much more secure then Internet Explorer and also has a bulilt in pop up blocker. 5. ATF Cleaner: This program cleans out your temporary files. This is a great tool that can help speed your computer up. 6. Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN) 7. Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Pyetr View Member Profile	May 10 2009, 08:56 PM Post #15
New Member Posts: 9 OS: Windows XP	Ok, done and done. Thanks so much for your help.

« Next Oldest · Virus, Spyware and Trojan Removal · Next Newest »

2 Pages

1 2 >

1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)

0 Members:

Topic Title	Replies / Views	Topic Information
Virus, Spyware and Trojan Removal Malware Found in ThreatFire Can't Get Rid of It [RESOLVED]	10 / 2,040	23rd June 2008 - 09:49 AM VidenTheColdOne started - last by Rorschach112
Virus, Spyware and Trojan Removal AntispywareXP 2009 Infection, Can't get rid of it!	1 / 278	7th April 2009 - 06:55 PM Kujo II started - last by Kujo II
Virus, Spyware and Trojan Removal Troj/Virtum-Gen...can't get rid of it	0 / 186	18th April 2009 - 12:44 AM ilovepink started - last by ilovepink
Virus, Spyware and Trojan Removal Operating memory - Win32/Olmarik Troyan. Can't get rid of it.	2 / 124	2nd February 2010 - 06:20 AM fedlerner started - last by Rorschach112