Need a geek? Geeks to Go offers free, quality tech support -- in terms anyone can understand. Volunteers are waiting to help, friendly, technology experts who have knowledge to share, and enjoy helping others. Feel free to browse the site as a guest. However, you must log in to reply to existing topics, or to start a new topic of your own. Other benefits of joining include richer forum features, and removal of all advertising. Learn more in our Welcome Guide Infected? Malware and Spyware Cleaning Guide. What are you waiting for? Click here to join for free today!
Recovering from virus and malware infection [Solved]
NuttySquirrel
post Apr 7 2009, 07:12 AM
Post #1


Member
**
Posts: 39
OS: Windows XP
Hey all,
I am just recently cleaning up after a virus and malware infection. I have gone through the Malware and Spyware Cleaning Guide at the top of the forum. I have run an Avast scan and a Malwarebytes' Anti-Malware scan and have removed multiple infections that were found. I haven't connected it to the internet just yet since I'm not sure if the system is completely clean.

Would someone mind taking a look at my Rooter Rootkit Detector and Old Timer List It 2 logs to see if any additional cleaning needs to be done? Also was wondering, do these scans need to be performed under each user account?

Thank you, I sure do appreciate the assistance!


Rooter Rootkit Detector log:
CODE
Microsoft Windows XP Home Edition (5.1.2600) Service Pack 2

C:\ [Fixed] - NTFS - (Total:146866 Mo/Free:1147 Mo)
D:\ [Fixed] - FAT32 - (Total:5739 Mo/Free:322 Mo)
E:\ [CD-Rom] (Total:0 Mo/Free:0 Mo)
F:\ [Removable] (Total:0 Mo/Free:0 Mo)
G:\ [Removable] (Total:0 Mo/Free:0 Mo)
H:\ [Removable] (Total:0 Mo/Free:0 Mo)
I:\ [Removable] (Total:0 Mo/Free:0 Mo)
J:\ [Removable] (Total:1919 Mo/Free:1403 Mo)

Tue 04/07/2009| 8:51

----------------------\\  Processes..

--Locked-- [System Process]
---------- System
---------- \SystemRoot\System32\smss.exe
---------- \??\C:\WINDOWS\system32\csrss.exe
---------- \??\C:\WINDOWS\system32\winlogon.exe
---------- C:\WINDOWS\system32\services.exe
---------- C:\WINDOWS\system32\lsass.exe
---------- C:\WINDOWS\system32\Ati2evxx.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
---------- C:\Program Files\Alwil Software\Avast4\ashServ.exe
---------- C:\WINDOWS\system32\spoolsv.exe
---------- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
---------- C:\WINDOWS\system32\cisvc.exe
---------- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
---------- C:\Program Files\Common Files\AntiVirus\SBAMSvc.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\PROGRA~1\AVANQU~1\SYSTEM~1\MXTask.exe
---------- C:\PROGRA~1\AVANQU~1\SYSTEM~1\mxtask.exe
---------- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
---------- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
---------- C:\WINDOWS\System32\alg.exe
---------- C:\WINDOWS\system32\Ati2evxx.exe
---------- C:\WINDOWS\system32\wscntfy.exe
---------- C:\WINDOWS\Explorer.EXE
---------- C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
---------- C:\Program Files\AIM6\aim6.exe
---------- C:\Program Files\LimeWire\LimeWire.exe
---------- C:\Program Files\Common Files\AOL\Loader\aolload.exe
---------- C:\Program Files\AIM6\aolsoftware.exe
---------- C:\WINDOWS\system32\cidaemon.exe
---------- C:\WINDOWS\system32\cmd.exe
---------- C:\Rooter$\RK.exe

----------------------\\  Search..

[b]==> VUNDO <==[/b]

----------------------\\  ROOTKIT !!



1 - "C:\Rooter$\Rooter_1.txt" - Tue 04/07/2009| 8:52

----------------------\\  Scan completed at  8:52



OTListIt log:
CODE
OTListIt logfile created on: 4/7/2009 8:54:10 AM - Run 1
OTListIt2 by OldTimer - Version 2.0.12.1     Folder = J:\Utilities\Geeks To Go
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

446.48 Mb Total Physical Memory | 79.54 Mb Available Physical Memory | 17.82% Memory free
1.03 Gb Paging File | 0.65 Gb Available in Paging File | 62.94% Paging File free
Paging file location(s): C:\pagefile.sys 672 1344;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 143.42 Gb Total Space | 97.12 Gb Free Space | 67.72% Space Free | Partition Type: NTFS
Drive D: | 5.61 Gb Total Space | 0.31 Gb Free Space | 5.61% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive J: | 1.87 Gb Total Space | 1.37 Gb Free Space | 73.09% Space Free | Partition Type: FAT

Computer Name: DEVINS-COMPUTER
Current User Name: Casey
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Minimal
File Age = 30 Days
Company Name Whitelist: On

[color=orange]========== Processes (SafeList) ==========[/color]

PRC - C:\WINDOWS\system32\Ati2evxx.exe (ATI Technologies Inc.)
PRC - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (ALWIL Software)
PRC - C:\Program Files\Alwil Software\Avast4\ashServ.exe (ALWIL Software)
PRC - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.)
PRC - C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE (Microsoft Corporation)
PRC - C:\Program Files\Common Files\AntiVirus\SBAMSvc.exe (Sunbelt Software)
PRC - C:\Program Files\Avanquest\SystemSuite\MXTask.exe (Avanquest North America, Inc.)
PRC - C:\Program Files\Avanquest\SystemSuite\MXTask.exe (Avanquest North America, Inc.)
PRC - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe (ALWIL Software)
PRC - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe (ALWIL Software)
PRC - C:\WINDOWS\system32\Ati2evxx.exe (ATI Technologies Inc.)
PRC - C:\WINDOWS\system32\wscntfy.exe (Microsoft Corporation)
PRC - C:\WINDOWS\Explorer.EXE (Microsoft Corporation)
PRC - C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
PRC - C:\Program Files\AIM6\aim6.exe (AOL LLC)
PRC - C:\Program Files\LimeWire\LimeWire.exe (Lime Wire, LLC)
PRC - C:\Program Files\Common Files\AOL\Loader\aolload.exe (AOL LLC)
PRC - C:\Program Files\AIM6\aolsoftware.exe (AOL LLC)
PRC - C:\WINDOWS\system32\cidaemon.exe (Microsoft Corporation)
PRC - J:\Utilities\Geeks To Go\OTListIt2.exe (OldTimer Tools)

[color=orange]========== Win32 Services (SafeList) ==========[/color]

SRV - (Apple Mobile Device [Auto | Running]) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.)
SRV - (aspnet_state [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (Microsoft Corporation)
SRV - (aswUpdSv [Auto | Running]) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (ALWIL Software)
SRV - (Ati HotKey Poller [Auto | Running]) -- C:\WINDOWS\system32\Ati2evxx.exe (ATI Technologies Inc.)
SRV - (avast! Antivirus [Auto | Running]) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe (ALWIL Software)
SRV - (avast! Mail Scanner [On_Demand | Running]) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe (ALWIL Software)
SRV - (avast! Web Scanner [On_Demand | Running]) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe (ALWIL Software)
SRV - (Bonjour Service [Disabled | Stopped]) -- C:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc.)
SRV - (clr_optimization_v2.0.50727_32 [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (FontCache3.0.0.0 [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe (Microsoft Corporation)
SRV - (helpsvc [Auto | Running]) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)
SRV - (IDriverT [On_Demand | Stopped]) -- C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe (Macrovision Corporation)
SRV - (idsvc [Unknown | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe (Microsoft Corporation)
SRV - (iPod Service [On_Demand | Stopped]) -- C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)
SRV - (MDM [Auto | Running]) -- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE (Microsoft Corporation)
SRV - (NetTcpPortSharing [Disabled | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe (Microsoft Corporation)
SRV - (Pml Driver HPZ12 [Disabled | Stopped]) -- C:\WINDOWS\system32\HPZipm12.exe (HP)
SRV - (sbamsvc [Auto | Running]) -- C:\Program Files\Common Files\AntiVirus\SBAMSvc.exe (Sunbelt Software)
SRV - (SupportSoft RemoteAssist [Disabled | Stopped]) -- C:\Program Files\Common Files\supportsoft\bin\ssrc.exe (SupportSoft, Inc.)
SRV - (systemsuite task manager [Auto | Running]) -- C:\Program Files\Avanquest\SystemSuite\MXTask.exe (Avanquest North America, Inc.)
SRV - (Viewpoint Manager Service [Disabled | Stopped]) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe (Viewpoint Corporation)
SRV - (WMPNetworkSvc [On_Demand | Stopped]) -- C:\Program Files\Windows Media Player\WMPNetwk.exe (Microsoft Corporation)

[color=orange]========== Driver Services (SafeList) ==========[/color]

DRV - (Aavmker4 [System | Running]) -- C:\WINDOWS\System32\drivers\aavmker4.sys (ALWIL Software)
DRV - (AgereSoftModem [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\AGRSM.sys (Agere Systems)
DRV - (ALCXWDM [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS (Realtek Semiconductor Corp.)
DRV - (AmdK8 [System | Running]) -- C:\WINDOWS\system32\DRIVERS\AmdK8.sys (Advanced Micro Devices)
DRV - (aswFsBlk [Auto | Running]) -- C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys (ALWIL Software)
DRV - (aswMon2 [Auto | Running]) -- C:\WINDOWS\System32\drivers\aswmon2.sys (ALWIL Software)
DRV - (aswRdr [On_Demand | Running]) -- C:\WINDOWS\System32\drivers\aswRdr.sys (ALWIL Software)
DRV - (aswSP [System | Running]) -- C:\WINDOWS\System32\drivers\aswSP.sys (ALWIL Software)
DRV - (aswTdi [System | Running]) -- C:\WINDOWS\System32\drivers\aswTdi.sys (ALWIL Software)
DRV - (ati2mtag [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\ati2mtag.sys (ATI Technologies Inc.)
DRV - (atwpkt2 [On_Demand | Stopped]) -- C:\WINDOWS\system32\drivers\ATWPKT2.SYS (America Online)
DRV - (bb-run [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\bb-run.sys (Promise Technology, Inc.)
DRV - (ftsata2 [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\ftsata2.sys (Promise Technology, Inc.)
DRV - (GEARAspiWDM [On_Demand | Running]) -- C:\WINDOWS\SYSTEM32\DRIVERS\GEARAspiWDM.sys (GEAR Software Inc.)
DRV - (HPZid412 [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\HPZid412.sys (HP)
DRV - (HPZipr12 [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\HPZipr12.sys (HP)
DRV - (HPZius12 [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\HPZius12.sys (HP)
DRV - (iaStor [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\iaStor.sys (Intel Corporation)
DRV - (kfilter [On_Demand | Running]) -- C:\Program Files\Avanquest\SystemSuite\KFilter.sys (Avanquest North America, Inc.)
DRV - (Ptilink [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\ptilink.sys (Parallel Technologies, Inc.)
DRV - (PxHelp20 [Boot | Running]) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys (Sonic Solutions)
DRV - (RTL8023xp [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\Rtlnicxp.sys (Realtek Semiconductor Corporation                           )
DRV - (rtl8139 [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\RTL8139.SYS (Realtek Semiconductor Corporation)
DRV - (sbaphd [System | Running]) -- C:\WINDOWS\system32\drivers\sbaphd.sys (Sunbelt Software)
DRV - (sbapifs [Auto | Running]) -- C:\WINDOWS\system32\drivers\sbapifs.sys (Sunbelt Software)
DRV - (sbre [On_Demand | Stopped]) -- C:\WINDOWS\system32\drivers\SBREdrv.sys (Sunbelt Software)
DRV - (Secdrv [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
DRV - (SISNIC [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\sisnic.sys (SiS Corporation)
DRV - (tfilter [On_Demand | Running]) -- C:\Program Files\Avanquest\SystemSuite\TFilter.sys (Avanquest North America, Inc.)
DRV - (USBAAPL [On_Demand | Stopped]) -- C:\WINDOWS\System32\Drivers\usbaapl.sys (Apple, Inc.)
DRV - (usbbus [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\lgusbbus.sys (LG Electronics Inc.)
DRV - (UsbDiag [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\lgusbdiag.sys (LG Electronics Inc.)
DRV - (USBModem [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\lgusbmodem.sys (LG Electronics Inc.)
DRV - (wanatw [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\wanatw4.sys (America Online, Inc.)
DRV - (wceusbsh [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\wceusbsh.sys (Microsoft Corporation)
DRV - (xnacc [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\xnacc.sys (Microsoft Corporation)

[color=orange]========== Standard Registry (SafeList) ==========[/color]


[color=orange]========== Internet Explorer ==========[/color]

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.com/customize/ie/defaults/cs/msgr8/*http://www.yahoo.com/ext/search/search.html
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\firefox\extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\PROGRAM FILES\AVANQUEST\SYSTEMSUITE\FIREFOX [2009/03/21 16:33:46 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\firefox\extensions\\{CD11E80D-6FBD-460B-B239-A9813A1FC28D}: C:\DOCUMENTS AND SETTINGS\CASEY.DEVINS-COMPUTER\LOCAL SETTINGS\APPLICATION DATA\{CD11E80D-6FBD-460B-B239-A9813A1FC28D} [2009/03/21 16:47:09 | 00,000,000 | ---D | M]


O1 HOSTS File: (736 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1       localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (XPL LinkScannerIE) - {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files\Avanquest\SystemSuite\LinkScannerIE.dll (Exploit Prevention Labs, Inc.)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (DataVault Object) - {8373adc0-6330-11dd-9d77-22c856d89593} - C:\Program Files\Avanquest\SystemSuite\IE_ContextMenu_Vault.dll (Avanquest North America, Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll File not found
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Reg Error: Key error. File not found
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - Reg Error: Key error. File not found
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe (ALWIL Software)
O4 - HKCU..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp (AOL LLC)
O4 - HKCU..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0b\AOL.EXE" -b (America Online, Inc.)
O4 - Startup: C:\Documents and Settings\Casey.DEVINS-COMPUTER\Start Menu\Programs\Startup\LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe (Lime Wire, LLC)
O4 - Startup: C:\Documents and Settings\Casey.DEVINS-COMPUTER\Start Menu\Programs\Startup\PowerReg Scheduler.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: BackupNoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetActiveDesktop = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetActiveDesktop = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 0
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-us\local\search.html File not found
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000 File not found
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm ()
O9 - Extra 'Tools' menuitem : Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm ()
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [NWLink IPX/SPX/NetBIOS Compatible Transport Protocol] - C:\WINDOWS\System32\nwprovau.dll (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab (Support.com Configuration Class)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/FacebookPhotoUploader5.cab (Facebook Photo Uploader 5)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} http://lads.myspace.com/upload/MySpaceUploader1006.cab (MySpace Uploader Control)
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} http://upload.facebook.com/controls/FacebookPhotoUploader3.cab (Facebook Photo Uploader 4 Control)
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} http://upload.facebook.com/controls/FacebookPhotoUploader.cab (Facebook Photo Uploader Control)
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} http://picture.vzw.com/activex/VerizonWirelessUploadControl.cab (Verizon Wireless Media Upload)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab (Java Plug-in 1.5.0)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} http://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab (Facebook Photo Uploader 4)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - c:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\system32\Ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - Autorun File - C:\AUTOEXEC.BAT () - [ NTFS ]
O32 - Autorun File - D:\AUTOEXEC.BAT () - [ FAT32 ]
O33 - MountPoints2\{28e26798-02ad-11da-8aef-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{28e26798-02ad-11da-8aef-806d6172696f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{2d435b36-e506-11d9-9b78-e6b009352ae7}\Shell - "" = AutoRun
O33 - MountPoints2\{2d435b36-e506-11d9-9b78-e6b009352ae7}\Shell\AutoRun - "" = Auto&Play
O34 - HKLM BootExecute: (autocheck autochk *) -  File not found

[color=orange]========== Files/Folders - Created Within 30 Days ==========[/color]

[2009/04/07 08:32:25 | 46,824,2432 | -HS- | C] () -- C:\hiberfil.sys
[2009/04/03 15:09:31 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2009/04/01 08:53:18 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Casey.DEVINS-COMPUTER\Application Data\Malwarebytes
[2009/04/01 08:53:03 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/04/01 08:40:31 | 00,023,152 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2009/04/01 08:40:30 | 00,051,376 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2009/04/01 08:40:29 | 00,026,944 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2009/04/01 08:40:28 | 00,114,768 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2009/04/01 08:40:28 | 00,097,480 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\AvastSS.scr
[2009/04/01 08:40:28 | 00,094,032 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2009/04/01 08:40:28 | 00,093,296 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2009/04/01 08:40:28 | 00,020,560 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2009/04/01 08:40:11 | 01,256,296 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\aswBoot.exe
[2009/04/01 08:40:11 | 00,380,928 | ---- | C] () -- C:\WINDOWS\System32\actskin4.ocx
[2009/03/31 12:47:50 | 00,024,576 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\userinit.exe
[2009/03/31 10:36:13 | 00,000,000 | ---D | C] -- C:\Program Files\Alwil Software
[2009/03/31 10:20:28 | 00,000,000 | ---D | C] -- C:\Program Files\MSECACHE
[2009/03/22 19:17:36 | 00,182,912 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\ndis.sys
[2009/03/22 19:17:36 | 00,182,912 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ndis.sys
[2009/03/21 22:00:22 | 00,000,000 | ---D | C] -- C:\DOCUME~1\CASEY~1.DEV\Desktop\Unused Desktop Shortcuts
[2009/03/21 17:33:42 | 01,791,169 | -HS- | C] () -- C:\WINDOWS\System32\uduhajip.ini2
[2009/03/21 16:47:08 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Casey.DEVINS-COMPUTER\Local Settings\Application Data\{CD11E80D-6FBD-460B-B239-A9813A1FC28D}
[2009/03/21 16:42:26 | 00,068,912 | ---- | C] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\sbapifs.sys
[2009/03/21 16:42:25 | 00,013,360 | ---- | C] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\sbaphd.sys
[2009/03/21 16:40:33 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Avanquest
[2009/03/21 16:40:33 | 00,000,000 | ---D | C] -- C:\DOCUME~1\ALLUSE~1\Documents\BVRP Software
[2009/03/21 16:39:46 | 00,000,000 | RHSD | C] -- C:\_Backup.RC
[2009/03/21 16:35:53 | 00,000,000 | -H-D | C] -- C:\_Backup
[2009/03/21 16:35:46 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Casey.DEVINS-COMPUTER\Application Data\Avanquest
[2009/03/21 16:35:02 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Casey.DEVINS-COMPUTER\Application Data\InstallShield
[2009/03/21 16:34:40 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\AntiVirus
[2009/03/21 16:33:19 | 00,000,000 | ---D | C] -- C:\Program Files\Avanquest
[2009/03/21 16:18:11 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2009/03/21 14:42:36 | 00,000,001 | ---- | C] () -- C:\WINDOWS\System32\uniq.tll
[2009/03/21 14:42:16 | 00,000,002 | ---- | C] () -- C:\1409495341
[2009/03/21 02:42:12 | 01,791,178 | -HS- | C] () -- C:\WINDOWS\System32\uduhajip.ini
[2009/03/20 14:41:48 | 01,789,373 | -HS- | C] () -- C:\WINDOWS\System32\uyekupiv.ini
[2009/03/20 09:42:22 | 01,789,373 | -HS- | C] () -- C:\WINDOWS\System32\ihizobem.ini
[2009/03/19 20:07:29 | 01,797,798 | -HS- | C] () -- C:\WINDOWS\System32\arotisit.ini2
[2009/03/19 14:53:50 | 01,797,794 | -HS- | C] () -- C:\WINDOWS\System32\arotisit.ini
[2009/03/18 20:57:26 | 00,025,136 | R--- | C] (America Online) -- C:\WINDOWS\System32\drivers\ATWPKT2.SYS
[2009/03/18 20:52:19 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Casey.DEVINS-COMPUTER\Application Data\AOL
[2009/03/18 20:05:56 | 01,746,157 | -HS- | C] () -- C:\WINDOWS\System32\iwowebog.ini
[2009/03/18 08:05:30 | 01,746,157 | -HS- | C] () -- C:\WINDOWS\System32\atidimah.ini
[2009/03/17 20:05:14 | 01,742,200 | -HS- | C] () -- C:\WINDOWS\System32\uwenigas.ini
[2009/03/17 19:33:31 | 01,742,200 | -HS- | C] () -- C:\WINDOWS\System32\etupepar.ini
[2009/03/16 20:04:40 | 01,719,137 | -HS- | C] () -- C:\WINDOWS\System32\isebihos.ini
[2008/08/15 12:20:52 | 00,000,026 | ---- | C] () -- C:\WINDOWS\tdor.ini
[2008/07/23 12:50:52 | 03,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2008/07/23 12:47:34 | 00,000,416 | ---- | C] () -- C:\WINDOWS\System32\dtu100.dll.manifest
[2008/07/23 12:47:34 | 00,000,416 | ---- | C] () -- C:\WINDOWS\System32\dpl100.dll.manifest
[2008/07/23 12:46:38 | 00,012,288 | ---- | C] () -- C:\WINDOWS\System32\DivXWMPExtType.dll
[2007/10/11 21:18:29 | 00,000,000 | ---- | C] () -- C:\WINDOWS\WB.ini
[2007/09/10 06:48:18 | 00,000,355 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2007/06/20 02:55:52 | 00,077,824 | R--- | C] () -- C:\WINDOWS\System32\hpzids01.dll
[2007/04/10 17:38:47 | 00,000,081 | ---- | C] () -- C:\WINDOWS\Setup8a.ini
[2007/03/08 21:12:07 | 00,000,000 | ---- | C] () -- C:\WINDOWS\MSDraw.ini
[2007/02/28 23:28:57 | 00,000,067 | ---- | C] () -- C:\WINDOWS\Easy Video to DVD.INI
[2007/02/25 23:34:34 | 00,000,067 | ---- | C] () -- C:\WINDOWS\Apollo DVD Copy.INI
[2007/02/14 19:56:17 | 00,002,037 | ---- | C] () -- C:\WINDOWS\TalkingTimeKeeper.INI
[2007/01/26 03:00:28 | 00,000,227 | ---- | C] () -- C:\WINDOWS\HP_CounterReport_Update_HPSU.ini
[2007/01/26 02:43:30 | 00,000,221 | ---- | C] () -- C:\WINDOWS\HP_RedboxHprblog_HPSU.ini
[2006/10/15 21:42:01 | 00,000,763 | ---- | C] () -- C:\WINDOWS\dialerexe.ini
[2006/05/21 21:43:52 | 00,000,018 | ---- | C] () -- C:\WINDOWS\upst.ini
[2006/01/12 21:46:46 | 00,000,403 | ---- | C] () -- C:\WINDOWS\2XStars.ini
[2006/01/12 19:33:38 | 00,000,099 | ---- | C] () -- C:\WINDOWS\Ultisoft.ini
[2006/01/12 19:33:38 | 00,000,009 | ---- | C] () -- C:\WINDOWS\Collida.ini
[2006/01/12 19:33:38 | 00,000,009 | ---- | C] () -- C:\WINDOWS\Brick.ini
[2006/01/09 23:20:36 | 00,000,000 | ---- | C] () -- C:\WINDOWS\pcf.INI
[2006/01/09 16:35:57 | 00,000,036 | ---- | C] () -- C:\WINDOWS\Pt.dll
[2005/12/27 22:34:14 | 00,000,768 | ---- | C] () -- C:\WINDOWS\hegames.ini
[2005/12/27 16:40:50 | 00,017,393 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2005/12/27 01:58:05 | 00,000,000 | ---- | C] () -- C:\WINDOWS\PCFriend.INI
[2005/12/27 01:33:35 | 00,000,145 | ---- | C] () -- C:\WINDOWS\iPlayer.INI
[2005/12/25 11:34:26 | 00,000,021 | ---- | C] () -- C:\WINDOWS\atid.ini
[2005/08/11 03:49:20 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2005/08/11 03:20:32 | 00,012,994 | ---- | C] () -- C:\WINDOWS\System32\CHODDI.SYS
[2005/08/11 03:20:22 | 00,045,056 | ---- | C] () -- C:\WINDOWS\System32\hpreg.dll
[2005/08/11 03:13:15 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/08/11 03:06:38 | 00,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2005/08/11 03:06:38 | 00,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2005/08/11 03:06:38 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2005/08/11 03:06:38 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2005/08/11 03:06:38 | 00,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2005/08/11 03:06:38 | 00,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2005/08/11 02:59:27 | 00,000,056 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2005/08/11 02:54:36 | 00,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2005/08/11 02:40:43 | 00,000,780 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2005/08/02 02:59:16 | 00,323,584 | ---- | C] () -- C:\WINDOWS\System32\pythoncom22.dll
[2005/08/02 02:59:16 | 00,094,208 | ---- | C] () -- C:\WINDOWS\System32\pywintypes22.dll
[2005/08/02 02:58:50 | 00,016,896 | ---- | C] () -- C:\WINDOWS\System32\bcbmm.dll
[2005/06/25 08:32:00 | 00,000,854 | ---- | C] () -- C:\WINDOWS\win.ini
[2005/06/25 01:26:26 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini
[2005/05/10 02:52:32 | 00,022,396 | ---- | C] () -- C:\WINDOWS\System32\drivers\USBkey.sys
[2005/04/27 14:38:00 | 00,372,736 | ---- | C] () -- C:\WINDOWS\System32\hpzidi01.dll
[2004/06/16 08:38:02 | 00,000,592 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[1900/01/01 12:00:00 | 00,086,016 | -HS- | C] () -- C:\WINDOWS\System32\sasipura.dll
[1900/01/01 12:00:00 | 00,086,016 | -HS- | C] () -- C:\WINDOWS\System32\feduyizo.dll

[color=orange]========== Files - Modified Within 30 Days ==========[/color]

[10 C:\WINDOWS\System32\*.tmp files]
[1 C:\WINDOWS\*.tmp files]
[2009/04/07 08:32:34 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/04/07 08:32:27 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/04/07 08:32:25 | 46,824,2432 | -HS- | M] () -- C:\hiberfil.sys
[2009/04/06 08:33:33 | 00,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/04/03 16:34:00 | 04,318,296 | -H-- | M] () -- C:\Documents and Settings\Casey.DEVINS-COMPUTER\Local Settings\Application Data\IconCache.db
[2009/04/03 15:04:44 | 00,000,854 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/04/03 15:04:44 | 00,000,425 | RHS- | M] () -- C:\boot.ini
[2009/04/03 15:04:44 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/04/03 14:54:42 | 00,000,736 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/04/01 08:58:37 | 00,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2009/03/31 11:04:43 | 00,011,168 | -H-- | M] () -- C:\WINDOWS\System32\rijigame
[2009/03/22 20:32:27 | 00,014,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\svchost.exe
[2009/03/22 20:32:27 | 00,014,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\svchost.exe
[2009/03/22 20:25:39 | 01,791,169 | -HS- | M] () -- C:\WINDOWS\System32\uduhajip.ini2
[2009/03/21 18:18:37 | 00,000,246 | ---- | M] () -- C:\WINDOWS\System\hpsysdrv.dat
[2009/03/21 15:03:45 | 01,791,178 | -HS- | M] () -- C:\WINDOWS\System32\uduhajip.ini
[2009/03/21 14:42:36 | 00,000,001 | ---- | M] () -- C:\WINDOWS\System32\uniq.tll
[2009/03/21 14:42:17 | 00,000,002 | ---- | M] () -- C:\1409495341
[2009/03/21 14:42:16 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.bak
[2009/03/20 20:00:00 | 00,000,544 | ---- | M] () -- C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - Compaq_Owner.job
[2009/03/20 14:42:05 | 01,789,373 | -HS- | M] () -- C:\WINDOWS\System32\uyekupiv.ini
[2009/03/20 14:41:30 | 00,086,016 | -HS- | M] () -- C:\WINDOWS\System32\sasipura.dll
[2009/03/20 12:08:32 | 00,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2009/03/20 10:04:22 | 01,789,373 | -HS- | M] () -- C:\WINDOWS\System32\ihizobem.ini
[2009/03/19 20:16:48 | 01,797,798 | -HS- | M] () -- C:\WINDOWS\System32\arotisit.ini2
[2009/03/19 19:33:14 | 00,000,768 | ---- | M] () -- C:\WINDOWS\hegames.ini
[2009/03/19 15:15:11 | 01,797,794 | -HS- | M] () -- C:\WINDOWS\System32\arotisit.ini
[2009/03/19 14:41:18 | 00,086,016 | -HS- | M] () -- C:\WINDOWS\System32\feduyizo.dll
[2009/03/18 20:28:00 | 01,746,157 | -HS- | M] () -- C:\WINDOWS\System32\iwowebog.ini
[2009/03/18 20:24:03 | 00,002,137 | ---- | M] () -- C:\DOCUME~1\ALLUSE~1\Desktop\iTunes.lnk
[2009/03/18 14:38:28 | 01,746,157 | -HS- | M] () -- C:\WINDOWS\System32\atidimah.ini
[2009/03/17 20:26:48 | 01,742,200 | -HS- | M] () -- C:\WINDOWS\System32\uwenigas.ini
[2009/03/17 19:54:58 | 01,742,200 | -HS- | M] () -- C:\WINDOWS\System32\etupepar.ini
[2009/03/17 19:31:02 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2009/03/16 20:28:57 | 01,719,137 | -HS- | M] () -- C:\WINDOWS\System32\isebihos.ini
[2009/03/16 19:34:14 | 00,525,766 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/03/16 19:34:14 | 00,443,934 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/03/16 19:34:14 | 00,072,504 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/03/16 12:00:00 | 00,000,306 | ---- | M] () -- C:\WINDOWS\tasks\Norton SystemWorks One Button Checkup.job
[2009/03/12 21:20:38 | 00,205,712 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/03/12 20:58:18 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
< End of report >



OTListIt Extras log:
CODE
OTListIt Extras logfile created on: 4/7/2009 8:54:10 AM - Run 1
OTListIt2 by OldTimer - Version 2.0.12.1     Folder = J:\Utilities\Geeks To Go
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

446.48 Mb Total Physical Memory | 79.54 Mb Available Physical Memory | 17.82% Memory free
1.03 Gb Paging File | 0.65 Gb Available in Paging File | 62.94% Paging File free
Paging file location(s): C:\pagefile.sys 672 1344;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 143.42 Gb Total Space | 97.12 Gb Free Space | 67.72% Space Free | Partition Type: NTFS
Drive D: | 5.61 Gb Total Space | 0.31 Gb Free Space | 5.61% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive J: | 1.87 Gb Total Space | 1.37 Gb Free Space | 73.09% Space Free | Partition Type: FAT

Computer Name: DEVINS-COMPUTER
Current User Name: Casey
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Minimal
File Age = 30 Days
Company Name Whitelist: On

[color=orange]========== File Associations ==========[/color]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

[color=orange]========== Security Center Settings ==========[/color]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall" = 0
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
"26675:TCP" = 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

[color=orange]========== Authorized Applications List ==========[/color]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
%ProgramFiles%\iTunes\iTunes.exe:*:enabled:iTunes (Apple Inc.)
C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe:*:Enabled:Compaq Connections (Hewlett-Packard)
C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager (Microsoft Corporation)
C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager (Microsoft Corporation)
C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe:*:Enabled:Compaq Connections (Hewlett-Packard)
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink File not found
C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader (AOL LLC)
C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM (AOL LLC)
C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger File not found
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger (Yahoo! Inc.)
C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server File not found
C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager (Microsoft Corporation)
C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager (Microsoft Corporation)
C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application (Microsoft Corporation)
C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour (Apple Inc.)
C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes (Apple Inc.)
C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire (Lime Wire, LLC)
C:\WINDOWS\explorer.exe:*:Enabled:Explorer (Microsoft Corporation)
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe:*:Enabled:atiptaxx (ATI Technologies, Inc.)
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe:*:Enabled:AppleMobileDeviceService (Apple Inc.)
C:\WINDOWS\system32\wbem\wmiprvse.exe:*:Enabled:wmiprvse (Microsoft Corporation)
C:\Program Files\Avanquest\SystemSuite\MXTask.exe:*:Enabled:MXTask (Avanquest North America, Inc.)

[color=orange]========== HKEY_LOCAL_MACHINE Uninstall List ==========[/color]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{09984AEC-6B9F-4ca7-B78D-CB44D4771DA3}" = Destinations
"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{2CADCEAB-D5DA-44D6-B5FC-7DEE87AB3C0C}" = Unload
"{30C19FF2-7FBA-4d09-B9DE-1659977F64F6}" = TrayApp
"{318AB667-3230-41B5-A617-CB3BF748D371}" = iTunes
"{3248F0A8-6813-11D6-A77B-00B0D0150000}" = J2SE Runtime Environment 5.0
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java(TM) 6 Update 3
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java(TM) 6 Update 5
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3912A629-0020-0005-3757-2FBA74D4DF0A}" = InterVideo WinDVD Player
"{3BA95526-6AE0-4B87-A62D-17187EF565FC}" = HP Boot Optimizer
"{3C0BAFCA-BDB8-492B-8845-DC0A4B4C1823}" = HPDeskjet5400Series
"{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}" = Microsoft Works
"{491DD792-AD81-429C-9EB4-86DD3D22E333}" = Windows Communication Foundation
"{56F8AFC3-FA98-4ff1-9673-8A026CBF85BE}" = WebReg
"{582D2A53-F426-4C5E-A2E6-43C1AB36B907}" = Safari
"{5B622B7A-60FB-4630-B11D-F121D20BCCD6}" = MarketResearch
"{5F26311C-B135-4F7F-B11E-8E650F83651E}" = DeviceFunctionQFolder
"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6994491D-D491-48F1-AE1F-E179C1FFFC2F}" = HP Photosmart Essential
"{6a615007-721d-4063-b226-ea41eb6604b9}" = SystemSuite 9 Professional
"{6F5E2F4A-377D-4700-B0E3-8F7F7507EA15}" = CustomerResearchQFolder
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{7D1B85BD-AA07-48B8-808D-67A4067FC6BD}" = Windows Workflow Foundation
"{800547BD-FBE0-4DAA-A126-7263FA87D87D}" = Combat Medic
"{8A25392D-C5D2-4E79-A2BD-C15DDC5B0959}" = Bonjour
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8C6027FD-53DC-446D-BB75-CACD7028A134}" = HP Update
"{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}" = InterVideo WinDVD Player
"{924EB80F-C2BB-4B9F-8412-88BBA937393F}" = MobileMe Control Panel
"{99052DB7-9592-4522-A558-5417BBAD48EE}" = Microsoft ActiveSync
"{9DE9E293-5D7B-4312-88C2-BDFAEC5310AE}" = Microsoft .NET Framework 3.0
"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
"{AB61A692-5543-4C48-979B-8CEA1C52FE9C}" = PC-Doctor 5 for Windows
"{AC76BA86-7AD7-1033-7B44-A81200000003}" = Adobe Reader 8.1.2
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B508B3F1-A24A-32C0-B310-85786919EF28}" = Microsoft .NET Framework 2.0 Service Pack 1
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{B996AE66-10DB-4ac5-B151-E8B4BFBC42FC}" = BufferChm
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{C3ABE126-2BB2-4246-BFE1-6797679B3579}" = LG USB Modem driver
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{DB518BA6-CB74-4EB6-9ABD-880B6D6E1F38}" = HpSdpAppCoreApp
"{EA103B64-C0E4-4C0E-A506-751590E1653D}" = SolutionCenter
"{EB57A16E-500D-43d7-85B9-FBE279EBBA6E}" = HP Deskjet 5400 series
"{EC4455AB-F155-4CC1-A4C5-88F3777F9886}" = Apple Mobile Device Support
"{F4C2E5F5-2970-45f4-ABD3-C180C4D961C4}" = Status
"{F8722041-B63A-47FB-82A8-5F0977E1CF45}" = TWC Customer Controls
"{F958CA02-BB40-4007-894B-258729456EE4}" = QuickTime
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"Adobe Shockwave Player" = Adobe Shockwave Player
"Agere Systems Soft Modem" = Agere Systems PCI Soft Modem
"AIM_6" = AIM 6
"ATI Display Driver" = ATI Display Driver
"avast!" = avast! Antivirus
"Backyard Soccer MLS Edition" = Backyard Soccer MLS Edition
"HP Imaging Device Functions" = HP Imaging Device Functions 5.0
"HP Solution Center & Imaging Support Tools" = HP Solution Center & Imaging Support Tools 5.0
"HPExtendedCapabilities" = HP Extended Capabilities 5.0
"HPOOVClient-5577497 Uninstaller" = Compaq Connections (remove only)
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InstallShield_{800547BD-FBE0-4DAA-A126-7263FA87D87D}" = Combat Medic
"InstallShield_{AB61A692-5543-4C48-979B-8CEA1C52FE9C}" = PC-Doctor 5 for Windows
"LimeWire" = LimeWire 4.18.8
"Microsoft .NET Framework 1.1  (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.0" = Microsoft .NET Framework 3.0
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"Network Play System (Patching)" = Network Play System (Patching)
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"PhoTagsExpress" = PhoTags Express
"Python 2.2.3" = Python 2.2.3
"pywin32-py2.2" = Python 2.2 pywin32 extensions (build 203)
"RealPlayer 6.0" = RealPlayer
"ViewpointMediaPlayer" = Viewpoint Media Player
"WIC" = Windows Imaging Component
"WildTangent CDA" = WildTangent Web Driver
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Xbox_360_CC_Driver" = Xbox 360 Controller for Windows
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0
"Yahoo! Companion" = Yahoo! Toolbar
"Yahoo! Messenger" = Yahoo! Messenger

[color=orange]========== Last 10 Event Log Errors ==========[/color]

[ Application Events ]
Error - 4/3/2009 8:28:42 AM | Computer Name = DEVINS-COMPUTER | Source = Application Error | ID = 1000
Description = Faulting application MXTask.exe, version 9.0.1.1, faulting module
SunbeltConnector.dll, version 9.0.1.1, fault address 0x00006ba6.

Error - 4/3/2009 12:27:13 PM | Computer Name = DEVINS-COMPUTER | Source = Application Error | ID = 1000
Description = Faulting application MXTask.exe, version 9.0.1.1, faulting module
SunbeltConnector.dll, version 9.0.1.1, fault address 0x00006ba6.

Error - 4/3/2009 12:28:03 PM | Computer Name = DEVINS-COMPUTER | Source = Application Error | ID = 1004
Description = Faulting application MXTask.exe, version 9.0.1.1, faulting module
SunbeltConnector.dll, version 9.0.1.1, fault address 0x00006ba6.

Error - 4/3/2009 12:30:37 PM | Computer Name = DEVINS-COMPUTER | Source = Application Error | ID = 1004
Description = Faulting application MXTask.exe, version 9.0.1.1, faulting module
SunbeltConnector.dll, version 9.0.1.1, fault address 0x00006ba6.

Error - 4/3/2009 3:16:06 PM | Computer Name = DEVINS-COMPUTER | Source = Application Error | ID = 1000
Description = Faulting application MXTask.exe, version 9.0.1.1, faulting module
SunbeltConnector.dll, version 9.0.1.1, fault address 0x00006ba6.

Error - 4/3/2009 3:41:35 PM | Computer Name = DEVINS-COMPUTER | Source = Application Error | ID = 1000
Description = Faulting application MXTask.exe, version 9.0.1.1, faulting module
SunbeltConnector.dll, version 9.0.1.1, fault address 0x00006ba6.

Error - 4/3/2009 3:50:53 PM | Computer Name = DEVINS-COMPUTER | Source = Application Error | ID = 1000
Description = Faulting application MXTask.exe, version 9.0.1.1, faulting module
SunbeltConnector.dll, version 9.0.1.1, fault address 0x00006ba6.

Error - 4/3/2009 3:52:19 PM | Computer Name = DEVINS-COMPUTER | Source = Application Error | ID = 1004
Description = Faulting application MXTask.exe, version 9.0.1.1, faulting module
SunbeltConnector.dll, version 9.0.1.1, fault address 0x00006ba6.

Error - 4/3/2009 4:34:10 PM | Computer Name = DEVINS-COMPUTER | Source = Application Error | ID = 1000
Description = Faulting application MXTask.exe, version 9.0.1.1, faulting module
SunbeltConnector.dll, version 9.0.1.1, fault address 0x00006ba6.

Error - 4/3/2009 4:55:59 PM | Computer Name = DEVINS-COMPUTER | Source = Application Error | ID = 1000
Description = Faulting application MXTask.exe, version 9.0.1.1, faulting module
SunbeltConnector.dll, version 9.0.1.1, fault address 0x00006ba6.

[ Application Events ]
Error - 4/3/2009 8:28:42 AM | Computer Name = DEVINS-COMPUTER | Source = Application Error | ID = 1000
Description = Faulting application MXTask.exe, version 9.0.1.1, faulting module
SunbeltConnector.dll, version 9.0.1.1, fault address 0x00006ba6.

Error - 4/3/2009 12:27:13 PM | Computer Name = DEVINS-COMPUTER | Source = Application Error | ID = 1000
Description = Faulting application MXTask.exe, version 9.0.1.1, faulting module
SunbeltConnector.dll, version 9.0.1.1, fault address 0x00006ba6.

Error - 4/3/2009 12:28:03 PM | Computer Name = DEVINS-COMPUTER | Source = Application Error | ID = 1004
Description = Faulting application MXTask.exe, version 9.0.1.1, faulting module
SunbeltConnector.dll, version 9.0.1.1, fault address 0x00006ba6.

Error - 4/3/2009 12:30:37 PM | Computer Name = DEVINS-COMPUTER | Source = Application Error | ID = 1004
Description = Faulting application MXTask.exe, version 9.0.1.1, faulting module
SunbeltConnector.dll, version 9.0.1.1, fault address 0x00006ba6.

Error - 4/3/2009 3:16:06 PM | Computer Name = DEVINS-COMPUTER | Source = Application Error | ID = 1000
Description = Faulting application MXTask.exe, version 9.0.1.1, faulting module
SunbeltConnector.dll, version 9.0.1.1, fault address 0x00006ba6.

Error - 4/3/2009 3:41:35 PM | Computer Name = DEVINS-COMPUTER | Source = Application Error | ID = 1000
Description = Faulting application MXTask.exe, version 9.0.1.1, faulting module
SunbeltConnector.dll, version 9.0.1.1, fault address 0x00006ba6.

Error - 4/3/2009 3:50:53 PM | Computer Name = DEVINS-COMPUTER | Source = Application Error | ID = 1000
Description = Faulting application MXTask.exe, version 9.0.1.1, faulting module
SunbeltConnector.dll, version 9.0.1.1, fault address 0x00006ba6.

Error - 4/3/2009 3:52:19 PM | Computer Name = DEVINS-COMPUTER | Source = Application Error | ID = 1004
Description = Faulting application MXTask.exe, version 9.0.1.1, faulting module
SunbeltConnector.dll, version 9.0.1.1, fault address 0x00006ba6.

Error - 4/3/2009 4:34:10 PM | Computer Name = DEVINS-COMPUTER | Source = Application Error | ID = 1000
Description = Faulting application MXTask.exe, version 9.0.1.1, faulting module
SunbeltConnector.dll, version 9.0.1.1, fault address 0x00006ba6.

Error - 4/3/2009 4:55:59 PM | Computer Name = DEVINS-COMPUTER | Source = Application Error | ID = 1000
Description = Faulting application MXTask.exe, version 9.0.1.1, faulting module
SunbeltConnector.dll, version 9.0.1.1, fault address 0x00006ba6.

[ System Events ]
Error - 4/6/2009 8:34:29 AM | Computer Name = DEVINS-COMPUTER | Source = Service Control Manager | ID = 7001
Description = The Apple Mobile Device service depends on the TCP/IP Protocol Driver
service which failed to start because of the following error:   %%31

Error - 4/6/2009 8:34:29 AM | Computer Name = DEVINS-COMPUTER | Source = Service Control Manager | ID = 7001
Description = The IPSEC Services service depends on the IPSEC driver service which
failed to start because of the following error:   %%31

Error - 4/6/2009 8:35:22 AM | Computer Name = DEVINS-COMPUTER | Source = Service Control Manager | ID = 7022
Description = The Sunbelt VIPRE Antivirus Service service hung on starting.

Error - 4/6/2009 8:35:22 AM | Computer Name = DEVINS-COMPUTER | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
   Aavmker4  AFD  AmdK8  aswSP  aswTdi  Fips  IPSec  MRxSmb  NetBIOS  NetBT  RasAcd  Rdbss  sbaphd  Tcpip  WS2IFSL

Error - 4/6/2009 8:35:25 AM | Computer Name = DEVINS-COMPUTER | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments ""  in order to run the server:  {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 4/6/2009 8:35:39 AM | Computer Name = DEVINS-COMPUTER | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
arguments ""  in order to run the server:  {BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error - 4/6/2009 8:36:41 AM | Computer Name = DEVINS-COMPUTER | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments ""  in order to run the server:  {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 4/7/2009 8:31:06 AM | Computer Name = DEVINS-COMPUTER | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments ""  in order to run the server:  {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 4/7/2009 8:32:42 AM | Computer Name = DEVINS-COMPUTER | Source = Service Control Manager | ID = 7000
Description = The Background Intelligent Transfer Service service failed to start
due to the following error:   %%2

Error - 4/7/2009 8:32:42 AM | Computer Name = DEVINS-COMPUTER | Source = Service Control Manager | ID = 7000
Description = The MCSTRM service failed to start due to the following error:   %%2


< End of report >
Go to the top of the page
 
+Quote Post
2 Pages V   1 2 >  
 Start new topic
Replies (1 - 14)
andrewuk
post Apr 10 2009, 01:16 PM
Post #2


Trusted Helper
Group Icon
Posts: 4,598
From: London, UK
OS: XP
Hello vanmash

welcome to geekstogo smile.gif and sorry to keep you waiting.

appears to still be some infections on your machine.

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

also:

Click here to download HJTInstall.exe
  • Save HJTInstall.exe to your desktop.
  • Doubleclick on the HJTInstall.exe icon on your desktop.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

andrewuk
Go to the top of the page
 
+Quote Post
NuttySquirrel
post Apr 13 2009, 07:24 AM
Post #3


Member
**
Posts: 39
OS: Windows XP
Hello andrewuk, and thank you for your help. Below are both the ComboFix and HijackThis logs:

CODE
ComboFix 09-04-13.A2 - Casey 2009-04-13  8:49.1 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.446.91 [GMT -4:00]
Running from: c:\documents and settings\Casey.DEVINS-COMPUTER\Desktop\ComboFix.exe
AV: Avanquest SystemSuite *On-access scanning disabled* (Outdated)
AV: avast! antivirus 4.8.1335 [VPS 090331-0] *On-access scanning disabled* (Outdated)
FW: Avanquest NetDefense Firewall *enabled*
* Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\alexa toolbar
c:\windows\dialerexe.ini
c:\windows\system32\arotisit.ini
c:\windows\system32\arotisit.ini2
c:\windows\system32\arotisit.tmp
c:\windows\system32\atidimah.ini
c:\windows\system32\etupepar.ini
c:\windows\system32\feduyizo.dll
c:\windows\system32\ihizobem.ini
c:\windows\system32\isebihos.ini
c:\windows\system32\iwowebog.ini
c:\windows\system32\sasipura.dll
c:\windows\system32\uduhajip.ini
c:\windows\system32\uduhajip.ini2
c:\windows\system32\uduhajip.tmp
c:\windows\system32\uniq.tll
c:\windows\system32\uwenigas.ini
c:\windows\system32\uyekupiv.ini

.
(((((((((((((((((((((((((   Files Created from 2009-03-13 to 2009-04-13  )))))))))))))))))))))))))))))))
.

2009-04-06 12:36 . 2009-04-06 12:36    --------    d-----w    c:\documents and settings\Administrator\Application Data\Avanquest
2009-04-03 20:00 . 2009-04-03 20:00    --------    d-----w    c:\documents and settings\LocalService\Application Data\Avanquest
2009-04-03 19:09 . 2009-04-03 19:09    --------    d-----w    c:\program files\Trend Micro
2009-04-03 16:31 . 2009-04-03 16:31    --------    d-----w    c:\documents and settings\Mary.DEVINS-COMPUTER\Application Data\Malwarebytes
2009-04-01 12:53 . 2009-04-01 12:53    --------    d-----w    c:\documents and settings\Casey.DEVINS-COMPUTER\Application Data\Malwarebytes
2009-04-01 12:53 . 2009-04-01 12:53    --------    d-----w    c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-31 16:47 . 2004-08-04 00:56    24576    ----a-w    c:\windows\system32\userinit.exe
2009-03-31 14:36 . 2009-03-31 14:36    --------    d-----w    c:\program files\Alwil Software
2009-03-31 14:20 . 2009-03-31 14:23    --------    d-----w    c:\program files\MSECACHE
2009-03-22 23:17 . 2004-08-04 05:00    182912    ----a-w    c:\windows\system32\drivers\ndis.sys
2009-03-22 23:17 . 2004-08-04 05:00    182912    ----a-w    c:\windows\system32\dllcache\ndis.sys
2009-03-21 21:35 . 2009-03-21 21:35    --------    d-----w    c:\documents and settings\Mary.DEVINS-COMPUTER\Application Data\Avanquest
2009-03-21 20:58 . 2009-03-21 20:58    --------    d-----w    c:\documents and settings\Mary.DEVINS-COMPUTER\Local Settings\Application Data\{D7580E61-F1FF-4657-9774-66828F2FEA71}
2009-03-21 20:47 . 2009-03-21 20:47    --------    d-----w    c:\documents and settings\Casey.DEVINS-COMPUTER\Local Settings\Application Data\{CD11E80D-6FBD-460B-B239-A9813A1FC28D}
2009-03-21 20:42 . 2008-07-18 05:26    68912    ----a-w    c:\windows\system32\drivers\sbapifs.sys
2009-03-21 20:42 . 2008-07-18 05:26    13360    ----a-w    c:\windows\system32\drivers\sbaphd.sys
2009-03-21 20:40 . 2009-03-21 20:41    --------    d-----w    c:\documents and settings\All Users\Application Data\Avanquest
2009-03-21 20:39 . 2009-03-21 20:39    --------    d-sh--r    C:\_Backup.RC
2009-03-21 20:35 . 2009-04-13 13:11    --------    d--h--w    C:\_Backup
2009-03-21 20:35 . 2009-03-21 21:05    --------    d-----w    c:\documents and settings\Casey.DEVINS-COMPUTER\Application Data\Avanquest
2009-03-21 20:35 . 2009-03-21 20:35    --------    d-----w    c:\documents and settings\Casey.DEVINS-COMPUTER\Application Data\InstallShield
2009-03-21 20:34 . 2009-03-21 20:41    --------    d-----w    c:\program files\Common Files\AntiVirus
2009-03-21 20:33 . 2009-03-21 20:33    --------    d-----w    c:\program files\Avanquest
2009-03-21 20:18 . 2009-03-21 20:18    --------    d-----w    c:\program files\Common Files\Wise Installation Wizard
2009-03-21 18:42 . 2009-03-21 18:42    2    ----a-w    C:\1409495341
2009-03-19 00:57 . 2007-04-13 17:30    25136    ----a-r    c:\windows\system32\drivers\ATWPKT2.SYS
2009-03-19 00:53 . 2003-01-10 21:13    33588    ----a-r    c:\windows\system32\drivers\wanatw4.sys
2009-03-19 00:52 . 2009-03-19 00:52    --------    d-----w    c:\documents and settings\Casey.DEVINS-COMPUTER\Application Data\AOL
2009-03-18 23:47 . 2009-03-18 23:47    --------    d-----w    c:\documents and settings\Mary.DEVINS-COMPUTER\Local Settings\Application Data\Wildtangent
2009-03-18 23:46 . 2009-03-18 23:46    1746157    --sh--w    c:\windows\system32\atidimah.tmp

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-13 12:38 . 2009-01-26 23:09    --------    d-----w    c:\documents and settings\Casey.DEVINS-COMPUTER\Application Data\LimeWire
2009-04-07 12:52 . 2009-04-07 12:52    2495    ----a-w    C:\Rooter.txt
2009-04-03 18:54 . 2009-04-03 18:36    135    ----a-w    C:\VundoFix.txt
2009-03-23 00:32 . 2005-08-02 05:33    14336    ----a-w    c:\windows\system32\svchost.exe
2009-03-23 00:32 . 2005-08-02 05:33    14336    ----a-w    c:\windows\system32\dllcache\svchost.exe
2009-03-22 22:06 . 2005-08-11 07:14    --------    d-----w    c:\program files\iTunes
2009-03-22 22:06 . 2005-08-11 07:14    --------    d-----w    c:\program files\QuickTime
2009-03-21 22:46 . 2005-12-25 15:14    --------    d-----w    c:\program files\America Online 9.0b
2009-03-20 00:00 . 2007-02-08 16:36    --------    d-----w    c:\program files\Verizon
2009-03-19 23:52 . 2008-03-14 22:25    502    ----a-w    c:\documents and settings\Mary.DEVINS-COMPUTER\Application Data\wklnhst.dat
2009-03-19 00:20 . 2005-12-28 02:00    --------    d-----w    c:\program files\ValuSoft
2009-03-19 00:19 . 2005-08-11 06:50    --------    d-----w    c:\program files\Common Files\InstallShield
2009-03-19 00:16 . 2007-06-26 02:34    --------    d-----w    c:\documents and settings\Casey.DEVINS-COMPUTER\Application Data\Apple Computer
2009-03-19 00:11 . 2005-12-27 20:26    --------    d-----w    c:\program files\Bird Hunter Wild Wings Edition
2009-03-18 23:08 . 2006-01-27 21:52    --------    d-----w    c:\program files\LimeWire
2009-03-08 20:39 . 2009-03-08 20:39    --------    d-----w    c:\documents and settings\Guest.DEVINS-COMPUTER\Application Data\Yahoo!
2009-02-09 10:19 . 2005-08-02 05:35    1846272    ----a-w    c:\windows\system32\win32k.sys
2009-02-09 10:19 . 2005-08-02 05:35    1846272    ----a-w    c:\windows\system32\dllcache\win32k.sys
2009-01-26 23:14 . 2009-01-26 23:14    47680    -c--a-w    c:\documents and settings\Casey.DEVINS-COMPUTER\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-01-17 02:35 . 2005-08-02 12:31    3594752    ------w    c:\windows\system32\dllcache\mshtml.dll
2008-10-19 14:02 . 2008-10-19 14:02    47680    -c--a-w    c:\documents and settings\Mary.DEVINS-COMPUTER\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2007-10-15 02:47 . 2007-10-15 02:47    121904    -c--a-w    c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2007-03-24 15:16 . 2007-03-24 15:16    40568    -c--a-w    c:\documents and settings\Mary\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2007-03-24 13:36 . 2007-03-24 13:34    40568    -c--a-w    c:\documents and settings\Casey\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2007-03-17 22:08 . 2007-03-17 22:08    40568    -c--a-w    c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-05-29 50528]
"AOL Fast Start"="c:\program files\America Online 9.0b\AOL.EXE" [2005-07-25 50776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]

c:\documents and settings\Casey.DEVINS-COMPUTER\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2009-02-05 256000]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sbamsvc]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"=
"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=
"c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"=
"c:\\Program Files\\Avanquest\\SystemSuite\\MXTask.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R3 sbre;sbre;c:\windows\system32\drivers\SBREdrv.sys [2007-11-06 87848]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S1 aswSP;avast! Self Protection; [x]
S1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2008-07-18 13360]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]
S2 sbamsvc;Sunbelt VIPRE Antivirus Service;c:\program files\Common Files\AntiVirus\SBAMSvc.exe [2008-08-05 849192]
S2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2008-07-18 68912]
S3 kfilter;kfilter;c:\progra~1\AVANQU~1\SYSTEM~1\KFilter.sys [2008-08-10 54865]
S3 tfilter;tfilter;c:\progra~1\AVANQU~1\SYSTEM~1\TFilter.sys [2008-08-10 20225]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{28e26798-02ad-11da-8aef-806d6172696f}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2d435b36-e506-11d9-9b78-e6b009352ae7}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480
.
Contents of the 'Scheduled Tasks' folder

2009-03-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 13:34]

2009-03-21 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - Compaq_Owner.job
- c:\progra~1\NORTON~3\Navw32.exe [2006-09-07 02:38]

2009-03-16 c:\windows\Tasks\Norton SystemWorks One Button Checkup.job
- c:\program files\Norton SystemWorks\OBC.exe [2006-11-16 15:51]

2007-10-25 c:\windows\Tasks\SAT Scores.job
- c:\progra~1\INTERN~1\iexplore.exe [2008-12-19 01:25]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-13 09:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ...

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(444)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2432)
c:\progra~1\AVANQU~1\SYSTEM~1\WinHook.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\progra~1\AVANQU~1\SYSTEM~1\MXTask.exe
c:\progra~1\AVANQU~1\SYSTEM~1\MXTask.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\AOL\Loader\aolload.exe
c:\program files\AIM6\aolsoftware.exe
.
**************************************************************************
.
Completion time: 2009-04-13  9:14 - machine was rebooted [Casey]
ComboFix-quarantined-files.txt  2009-04-13 13:14

Pre-Run: 104,425,574,400 bytes free
Post-Run: 104,344,354,816 bytes free

203    --- E O F ---    2009-03-14 07:01


CODE
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:20:02 AM, on 4/13/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\AntiVirus\SBAMSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVANQU~1\SYSTEM~1\MXTask.exe
C:\PROGRA~1\AVANQU~1\SYSTEM~1\mxtask.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\AVANQU~1\SYSTEM~1\SSuite.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files\Avanquest\SystemSuite\LinkScannerIE.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Data Vault - {8373adc0-6330-11dd-9d77-22c856d89593} - C:\Program Files\Avanquest\SystemSuite\IE_ContextMenu_Vault.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0b\AOL.EXE" -b
O4 - S-1-5-18 Startup: PowerReg Scheduler.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: PowerReg Scheduler.exe (User 'Default user')
O4 - Startup: PowerReg Scheduler.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-us\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://picture.vzw.com/activex/VerizonWirelessUploadControl.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sunbelt VIPRE Antivirus Service (sbamsvc) - Sunbelt Software - C:\Program Files\Common Files\AntiVirus\SBAMSvc.exe
O23 - Service: SystemSuite Task Manager (systemsuite task manager) - Avanquest North America, Inc. - C:\PROGRA~1\AVANQU~1\SYSTEM~1\MXTask.exe

--
End of file - 6647 bytes
Go to the top of the page
 
+Quote Post
andrewuk
post Apr 14 2009, 02:02 PM
Post #4


Trusted Helper
Group Icon
Posts: 4,598
From: London, UK
OS: XP
looks like that run cleared out several infected files.

what antivirus programs do you have running? i can see avast, and perhaps Avanquest. we need to get it down to one antivirus program only. if you have more than one, could you uninstall all but one, and let me know which one you kept on your machine.

also, if they are out of date, let me know and we can get a perfectly good free antivirus program on your machine.


====STEP 1====
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

CODE
File::
c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - Compaq_Owner.job
c:\windows\Tasks\Norton SystemWorks One Button Checkup.job

Folder::
c:\program files\Norton SystemWorks

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{28e26798-02ad-11da-8aef-806d6172696f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2d435b36-e506-11d9-9b78-e6b009352ae7}]



Save this as CFScript.txt, in the same location as ComboFix.exe




Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.



====STEP 2====
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan"box on the top of the page:

    • c:\windows\system32\atidimah.tmp

  • Click on the Upload button
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply (you will need to paste the link onto a notepad before you do the other scans below, else the contents of your clipboard will be written over with the new links).

In your next reply could i see:
1. the answer to the antivirus question
2. the combofix log
3. a new hijackthis log
4. the virscan log or link

The text from these files may exceed the maximum post length for this forum. Hence, you may need to post the information over 2 or more posts.

andrewuk
Go to the top of the page
 
+Quote Post
NuttySquirrel
post Apr 15 2009, 07:49 AM
Post #5


Member
**
Posts: 39
OS: Windows XP
1) I removed Avanquest from the machine so now only Avast is on there

2) Here is the CombFix log:
CODE
ComboFix 09-04-13.A2 - Casey 2009-04-15  9:20.2 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.446.129 [GMT -4:00]
Running from: c:\documents and settings\Casey.DEVINS-COMPUTER\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Casey.DEVINS-COMPUTER\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090331-0] *On-access scanning disabled* (Outdated)
* Created a new restore point

FILE ::
c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - Compaq_Owner.job
c:\windows\Tasks\Norton SystemWorks One Button Checkup.job
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Norton SystemWorks
c:\program files\Norton SystemWorks\AlertRes.dll
c:\program files\Norton SystemWorks\ccL60.dll
c:\program files\Norton SystemWorks\ccL60U.dll
c:\program files\Norton SystemWorks\cfgwiz.dat
c:\program files\Norton SystemWorks\CfgWzRes.dll
c:\program files\Norton SystemWorks\CKA\CKA.exe
c:\program files\Norton SystemWorks\CLTVault.dll
c:\program files\Norton SystemWorks\comms.txt
c:\program files\Norton SystemWorks\DJSMAR00.dll
c:\program files\Norton SystemWorks\DJSMAR00.ini
c:\program files\Norton SystemWorks\EULA.txt
c:\program files\Norton SystemWorks\Norton AntiVirus\IWP\rcSymFwA.dll
c:\program files\Norton SystemWorks\Norton Cleanup\AXPlugin.config
c:\program files\Norton SystemWorks\Norton Cleanup\AXPlugin.dll
c:\program files\Norton SystemWorks\Norton Cleanup\cuFtPxy.dll
c:\program files\Norton SystemWorks\Norton Cleanup\cuFtPxy.ini
c:\program files\Norton SystemWorks\Norton Cleanup\GDIPlus.dll
c:\program files\Norton SystemWorks\Norton Cleanup\iePlugin.config
c:\program files\Norton SystemWorks\Norton Cleanup\IEPlugIn.dll
c:\program files\Norton SystemWorks\Norton Cleanup\MRUPlugin.config
c:\program files\Norton SystemWorks\Norton Cleanup\MRUPlugin.dll
c:\program files\Norton SystemWorks\Norton Cleanup\NCU.Config
c:\program files\Norton SystemWorks\Norton Cleanup\NCUNSC.dll
c:\program files\Norton SystemWorks\Norton Cleanup\NCUUser.config
c:\program files\Norton SystemWorks\Norton Cleanup\NCXpress.exe
c:\program files\Norton SystemWorks\Norton Cleanup\NCXRes.dll
c:\program files\Norton SystemWorks\Norton Cleanup\NSPlugin.config
c:\program files\Norton SystemWorks\Norton Cleanup\NSPlugin.dll
c:\program files\Norton SystemWorks\Norton Cleanup\Qdcsint2.dll
c:\program files\Norton SystemWorks\Norton Cleanup\SymXML.dll
c:\program files\Norton SystemWorks\Norton Cleanup\TFPlugin.config
c:\program files\Norton SystemWorks\Norton Cleanup\TFPlugin.dll
c:\program files\Norton SystemWorks\Norton Cleanup\WCEngine.dll
c:\program files\Norton SystemWorks\Norton Cleanup\wcIntro.dll
c:\program files\Norton SystemWorks\Norton Cleanup\WCOptions.dll
c:\program files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
c:\program files\Norton SystemWorks\Norton Cleanup\WCViewer.exe
c:\program files\Norton SystemWorks\Norton Cleanup\WTLIC.dll
c:\program files\Norton SystemWorks\Norton Cleanup\WTPlug.dll
c:\program files\Norton SystemWorks\Norton Cleanup\wtplug.nsi
c:\program files\Norton SystemWorks\Norton Utilities\ACTEXT.DLL
c:\program files\Norton SystemWorks\Norton Utilities\ALARM.DLL
c:\program files\Norton SystemWorks\Norton Utilities\BACKLOG.EXE
c:\program files\Norton SystemWorks\Norton Utilities\BLUEROCK.BMP
c:\program files\Norton SystemWorks\Norton Utilities\CLOUDS.BMP
c:\program files\Norton SystemWorks\Norton Utilities\COFRGTST.DLL
c:\program files\Norton SystemWorks\Norton Utilities\COFSTST.DLL
c:\program files\Norton SystemWorks\Norton Utilities\CONDDTST.DLL
c:\program files\Norton SystemWorks\Norton Utilities\CORSCTST.DLL
c:\program files\Norton SystemWorks\Norton Utilities\CSH.DLL
c:\program files\Norton SystemWorks\Norton Utilities\DDENGSC.DLL
c:\program files\Norton SystemWorks\Norton Utilities\DSCANATL.DLL
c:\program files\Norton SystemWorks\Norton Utilities\EVENTLG.DLL
c:\program files\Norton SystemWorks\Norton Utilities\EXCLUDE.REG
c:\program files\Norton SystemWorks\Norton Utilities\IraVcObj.dll
c:\program files\Norton SystemWorks\Norton Utilities\MAG256.BMP
c:\program files\Norton SystemWorks\Norton Utilities\MARBLE_B.BMP
c:\program files\Norton SystemWorks\Norton Utilities\markerNT.txt
c:\program files\Norton SystemWorks\Norton Utilities\METAL_A.BMP
c:\program files\Norton SystemWorks\Norton Utilities\METAL_P.BMP
c:\program files\Norton SystemWorks\Norton Utilities\MOONROCK.BMP
c:\program files\Norton SystemWorks\Norton Utilities\MYSTERY.BMP
c:\program files\Norton SystemWorks\Norton Utilities\N32DLIST.DLL
c:\program files\Norton SystemWorks\Norton Utilities\N32DLSTU.DLL
c:\program files\Norton SystemWorks\Norton Utilities\N32USERL.DLL
c:\program files\Norton SystemWorks\Norton Utilities\NDD32.EXE
c:\program files\Norton SystemWorks\Norton Utilities\NDD32.HLP
c:\program files\Norton SystemWorks\Norton Utilities\NDDENG.DLL
c:\program files\Norton SystemWorks\Norton Utilities\NDDENGNT.DLL
c:\program files\Norton SystemWorks\Norton Utilities\NDRVEX.DLL
c:\program files\Norton SystemWorks\Norton Utilities\NINTROBJ.DLL
c:\program files\Norton SystemWorks\Norton Utilities\NORTON.EXE
c:\program files\Norton SystemWorks\Norton Utilities\NPComSvr.DLL
c:\program files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
c:\program files\Norton SystemWorks\Norton Utilities\NSMPLOGR.DLL
c:\program files\Norton SystemWorks\Norton Utilities\NTABSHT.DLL
c:\program files\Norton SystemWorks\Norton Utilities\NU.HLP
c:\program files\Norton SystemWorks\Norton Utilities\NUABOUT.DLL
c:\program files\Norton SystemWorks\Norton Utilities\NUFONT.DLL
c:\program files\Norton SystemWorks\Norton Utilities\nuFtPxy.dll
c:\program files\Norton SystemWorks\Norton Utilities\nuFtPxy.ini
c:\program files\Norton SystemWorks\Norton Utilities\NUINTRO.DLL
c:\program files\Norton SystemWorks\Norton Utilities\NULIC.DLL
c:\program files\Norton SystemWorks\Norton Utilities\NULIVE.DLL
c:\program files\Norton SystemWorks\Norton Utilities\NULuReg.dll
c:\program files\Norton SystemWorks\Norton Utilities\NUMISC.DLL
c:\program files\Norton SystemWorks\Norton Utilities\NUNSC.dll
c:\program files\Norton SystemWorks\Norton Utilities\NUOptWrapper.exe
c:\program files\Norton SystemWorks\Norton Utilities\NUPLUGIN.DLL
c:\program files\Norton SystemWorks\Norton Utilities\NUPLUGIN.NSI
c:\program files\Norton SystemWorks\Norton Utilities\NUSPLASH.DLL
c:\program files\Norton SystemWorks\Norton Utilities\NUSPLOBJ.DLL
c:\program files\Norton SystemWorks\Norton Utilities\OAK.BMP
c:\program files\Norton SystemWorks\Norton Utilities\PAPER_G.BMP
c:\program files\Norton SystemWorks\Norton Utilities\REGWDOC.EXE
c:\program files\Norton SystemWorks\Norton Utilities\S32DMAPL.DLL
c:\program files\Norton SystemWorks\Norton Utilities\S32FATL.DLL
c:\program files\Norton SystemWorks\Norton Utilities\S32GUIL.DLL
c:\program files\Norton SystemWorks\Norton Utilities\S32KRNLL.DLL
c:\program files\Norton SystemWorks\Norton Utilities\S32MAILL.DLL
c:\program files\Norton SystemWorks\Norton Utilities\S32MTHKL.DLL
c:\program files\Norton SystemWorks\Norton Utilities\S32NPTL.DLL
c:\program files\Norton SystemWorks\Norton Utilities\S32SYSL.DLL
c:\program files\Norton SystemWorks\Norton Utilities\S32UTILL.DLL
c:\program files\Norton SystemWorks\Norton Utilities\SENSOR32.DLL
c:\program files\Norton SystemWorks\Norton Utilities\SIREGIST.EXE
c:\program files\Norton SystemWorks\Norton Utilities\sku.reg
c:\program files\Norton SystemWorks\Norton Utilities\SLATE.BMP
c:\program files\Norton SystemWorks\Norton Utilities\Speed Disk\_ISSD.dll
c:\program files\Norton SystemWorks\Norton Utilities\Speed Disk\AnalysisSI.DLL
c:\program files\Norton SystemWorks\Norton Utilities\Speed Disk\BlkMap.DLL
c:\program files\Norton SystemWorks\Norton Utilities\Speed Disk\DrvList.dll
c:\program files\Norton SystemWorks\Norton Utilities\Speed Disk\MapViewSnapin.DLL
c:\program files\Norton SystemWorks\Norton Utilities\Speed Disk\Message.dll
c:\program files\Norton SystemWorks\Norton Utilities\Speed Disk\N32UserL.dll
c:\program files\Norton SystemWorks\Norton Utilities\Speed Disk\NAVRPC.DLL
c:\program files\Norton SystemWorks\Norton Utilities\Speed Disk\Nevent.dll
c:\program files\Norton SystemWorks\Norton Utilities\Speed Disk\NIPDB.dll
c:\program files\Norton SystemWorks\Norton Utilities\Speed Disk\NOPDB.exe
c:\program files\Norton SystemWorks\Norton Utilities\Speed Disk\NOPDBInit.exe
c:\program files\Norton SystemWorks\Norton Utilities\Speed Disk\Nsdsess.txt
c:\program files\Norton SystemWorks\Norton Utilities\Speed Disk\OptionsViewSnapin.DLL
c:\program files\Norton SystemWorks\Norton Utilities\Speed Disk\ScheduleSI.dll
c:\program files\Norton SystemWorks\Norton Utilities\Speed Disk\SDAbout.dll
c:\program files\Norton SystemWorks\Norton Utilities\Speed Disk\SDDocSnapin.DLL
c:\program files\Norton SystemWorks\Norton Utilities\Speed Disk\SdEng.dll
c:\program files\Norton SystemWorks\Norton Utilities\Speed Disk\SDException.dll
c:\program files\Norton SystemWorks\Norton Utilities\Speed Disk\sdlive.dll
c:\program files\Norton SystemWorks\Norton Utilities\Speed Disk\SDNT.HLP
c:\program files\Norton SystemWorks\Norton Utilities\Speed Disk\SDNTC.EXE
c:\program files\Norton SystemWorks\Norton Utilities\Speed Disk\sdntdolu.exe
c:\program files\Norton SystemWorks\Norton Utilities\Speed Disk\sdntdrv.dll
c:\program files\Norton SystemWorks\Norton Utilities\Speed Disk\sdntrun.exe
c:\program files\Norton SystemWorks\Norton Utilities\Speed Disk\SDOptions.dll
c:\program files\Norton SystemWorks\Norton Utilities\Speed Disk\SDResults.dll
c:\program files\Norton SystemWorks\Norton Utilities\Speed Disk\SDUIUtil.dll
c:\program files\Norton SystemWorks\Norton Utilities\Speed Disk\Services.ini
c:\program files\Norton SystemWorks\Norton Utilities\Speed Disk\VolumeS.dll
c:\program files\Norton SystemWorks\Norton Utilities\STONE_G.BMP
c:\program files\Norton SystemWorks\Norton Utilities\SUNSET.BMP
c:\program files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
c:\program files\Norton SystemWorks\Norton Utilities\SYSDOC32.HLP
c:\program files\Norton SystemWorks\Norton Utilities\UE32.EXE
c:\program files\Norton SystemWorks\Norton Utilities\UE32.HLP
c:\program files\Norton SystemWorks\Norton Utilities\UEBMP32.DLL
c:\program files\Norton SystemWorks\Norton Utilities\USHELLEX.DLL
c:\program files\Norton SystemWorks\Norton Utilities\WALNUT.BMP
c:\program files\Norton SystemWorks\Norton Utilities\WATERFAL.BMP
c:\program files\Norton SystemWorks\Norton Utilities\WDSCAN.EXE
c:\program files\Norton SystemWorks\Norton Utilities\WDUndo.IDX
c:\program files\Norton SystemWorks\Norton Utilities\WDUndo.LOG
c:\program files\Norton SystemWorks\Norton Utilities\WINDOC.EXE
c:\program files\Norton SystemWorks\Norton Utilities\WINDOC.HLP
c:\program files\Norton SystemWorks\Norton Utilities\WIPINFNT.EXE
c:\program files\Norton SystemWorks\Norton Utilities\WIPINFNT.HLP
c:\program files\Norton SystemWorks\nsw.dat
c:\program files\Norton SystemWorks\NSWAlert.dll
c:\program files\Norton SystemWorks\NSWBTPlg.dll
c:\program files\Norton SystemWorks\nswcfg.dat
c:\program files\Norton SystemWorks\NSWCfgWz.dll
c:\program files\Norton SystemWorks\NSWProd.dll
c:\program files\Norton SystemWorks\NSWRES.dll
c:\program files\Norton SystemWorks\NSWSTE.dll
c:\program files\Norton SystemWorks\NswVer.dat
c:\program files\Norton SystemWorks\OBC.exe
c:\program files\Norton SystemWorks\OBCMgr.dll
c:\program files\Norton SystemWorks\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\ActComp.Loc
c:\program files\Norton SystemWorks\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\CfgWiz.loc
c:\program files\Norton SystemWorks\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\CUWShr.Loc
c:\program files\Norton SystemWorks\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\CUWUtils.Loc
c:\program files\Norton SystemWorks\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\EULAComp.Loc
c:\program files\Norton SystemWorks\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\ewoc.loc
c:\program files\Norton SystemWorks\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\LicPlug.loc
c:\program files\Norton SystemWorks\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\ProdKey.htm
c:\program files\Norton SystemWorks\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\SubComp.Loc
c:\program files\Norton SystemWorks\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\SubStats.loc
c:\program files\Norton SystemWorks\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\SymCUW.loc
c:\program files\Norton SystemWorks\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\SymSubWz.loc
c:\program files\Norton SystemWorks\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\SymUIRes.loc
c:\program files\Norton SystemWorks\Process Viewer\GraphControl.dll
c:\program files\Norton SystemWorks\Process Viewer\PrcMon.dll
c:\program files\Norton SystemWorks\Process Viewer\PrcView.exe
c:\program files\Norton SystemWorks\Process Viewer\Prcview.hlp
c:\program files\Norton SystemWorks\PtchInst.dll
c:\program files\Norton SystemWorks\readme.txt
c:\program files\Norton SystemWorks\Shop.url
c:\program files\Norton SystemWorks\STEHlpr.dll
c:\program files\Norton SystemWorks\support.url
c:\program files\Norton SystemWorks\SWAbout.dll
c:\program files\Norton SystemWorks\SWDataCl.dll
c:\program files\Norton SystemWorks\swlureg.dll
c:\program files\Norton SystemWorks\SWPlugin.dll
c:\program files\Norton SystemWorks\swplugin.nsi
c:\program files\Norton SystemWorks\SWPrdCtl.dll
c:\program files\Norton SystemWorks\swRes.dll
c:\program files\Norton SystemWorks\swStatus.dll
c:\program files\Norton SystemWorks\swStatus.loc
c:\program files\Norton SystemWorks\swSymUI.dll
c:\program files\Norton SystemWorks\swSymUIRes.dll
c:\program files\Norton SystemWorks\SysOpt.chm
c:\program files\Norton SystemWorks\SysOpt.exe
c:\program files\Norton SystemWorks\WDUndo.IDX
c:\program files\Norton SystemWorks\WDUndo.LOG
c:\program files\Norton SystemWorks\WSPlugin.dll
c:\program files\Norton SystemWorks\wsplugin.nsi
c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - Compaq_Owner.job
c:\windows\Tasks\Norton SystemWorks One Button Checkup.job

.
(((((((((((((((((((((((((   Files Created from 2009-03-15 to 2009-04-15  )))))))))))))))))))))))))))))))
.

2009-04-15 13:17 . 2009-04-15 13:17    --------    d-----w    c:\documents and settings\All Users\Application Data\BVRP Software
2009-04-06 12:36 . 2009-04-06 12:36    --------    d-----w    c:\documents and settings\Administrator\Application Data\Avanquest
2009-04-03 20:00 . 2009-04-03 20:00    --------    d-----w    c:\documents and settings\LocalService\Application Data\Avanquest
2009-04-03 19:09 . 2009-04-03 19:09    --------    d-----w    c:\program files\Trend Micro
2009-04-03 16:31 . 2009-04-03 16:31    --------    d-----w    c:\documents and settings\Mary.DEVINS-COMPUTER\Application Data\Malwarebytes
2009-04-01 12:53 . 2009-04-01 12:53    --------    d-----w    c:\documents and settings\Casey.DEVINS-COMPUTER\Application Data\Malwarebytes
2009-04-01 12:53 . 2009-04-01 12:53    --------    d-----w    c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-31 16:47 . 2004-08-04 00:56    24576    ----a-w    c:\windows\system32\userinit.exe
2009-03-31 14:36 . 2009-03-31 14:36    --------    d-----w    c:\program files\Alwil Software
2009-03-31 14:20 . 2009-03-31 14:23    --------    d-----w    c:\program files\MSECACHE
2009-03-22 23:17 . 2004-08-04 05:00    182912    ----a-w    c:\windows\system32\drivers\ndis.sys
2009-03-22 23:17 . 2004-08-04 05:00    182912    ----a-w    c:\windows\system32\dllcache\ndis.sys
2009-03-21 21:35 . 2009-03-21 21:35    --------    d-----w    c:\documents and settings\Mary.DEVINS-COMPUTER\Application Data\Avanquest
2009-03-21 20:58 . 2009-03-21 20:58    --------    d-----w    c:\documents and settings\Mary.DEVINS-COMPUTER\Local Settings\Application Data\{D7580E61-F1FF-4657-9774-66828F2FEA71}
2009-03-21 20:47 . 2009-03-21 20:47    --------    d-----w    c:\documents and settings\Casey.DEVINS-COMPUTER\Local Settings\Application Data\{CD11E80D-6FBD-460B-B239-A9813A1FC28D}
2009-03-21 20:40 . 2009-03-21 20:41    --------    d-----w    c:\documents and settings\All Users\Application Data\Avanquest
2009-03-21 20:39 . 2009-03-21 20:39    --------    d-sh--r    C:\_Backup.RC
2009-03-21 20:35 . 2009-04-15 13:17    --------    d--h--w    C:\_Backup
2009-03-21 20:35 . 2009-03-21 21:05    --------    d-----w    c:\documents and settings\Casey.DEVINS-COMPUTER\Application Data\Avanquest
2009-03-21 20:35 . 2009-03-21 20:35    --------    d-----w    c:\documents and settings\Casey.DEVINS-COMPUTER\Application Data\InstallShield
2009-03-21 20:34 . 2009-04-15 13:17    --------    d-----w    c:\program files\Common Files\AntiVirus
2009-03-21 20:33 . 2009-03-21 20:33    --------    d-----w    c:\program files\Avanquest
2009-03-21 18:42 . 2009-03-21 18:42    2    ----a-w    C:\1409495341
2009-03-19 00:57 . 2007-04-13 17:30    25136    ----a-r    c:\windows\system32\drivers\ATWPKT2.SYS
2009-03-19 00:53 . 2003-01-10 21:13    33588    ----a-r    c:\windows\system32\drivers\wanatw4.sys
2009-03-19 00:52 . 2009-03-19 00:52    --------    d-----w    c:\documents and settings\Casey.DEVINS-COMPUTER\Application Data\AOL
2009-03-18 23:47 . 2009-03-18 23:47    --------    d-----w    c:\documents and settings\Mary.DEVINS-COMPUTER\Local Settings\Application Data\Wildtangent
2009-03-18 23:46 . 2009-03-18 23:46    1746157    --sh--w    c:\windows\system32\atidimah.tmp

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-13 12:38 . 2009-01-26 23:09    --------    d-----w    c:\documents and settings\Casey.DEVINS-COMPUTER\Application Data\LimeWire
2009-04-07 12:52 . 2009-04-07 12:52    2495    ----a-w    C:\Rooter.txt
2009-04-03 18:54 . 2009-04-03 18:36    135    ----a-w    C:\VundoFix.txt
2009-03-23 00:32 . 2005-08-02 05:33    14336    ----a-w    c:\windows\system32\svchost.exe
2009-03-23 00:32 . 2005-08-02 05:33    14336    ----a-w    c:\windows\system32\dllcache\svchost.exe
2009-03-22 22:06 . 2005-08-11 07:14    --------    d-----w    c:\program files\iTunes
2009-03-22 22:06 . 2005-08-11 07:14    --------    d-----w    c:\program files\QuickTime
2009-03-21 22:46 . 2005-12-25 15:14    --------    d-----w    c:\program files\America Online 9.0b
2009-03-20 00:00 . 2007-02-08 16:36    --------    d-----w    c:\program files\Verizon
2009-03-19 23:52 . 2008-03-14 22:25    502    ----a-w    c:\documents and settings\Mary.DEVINS-COMPUTER\Application Data\wklnhst.dat
2009-03-19 00:20 . 2005-12-28 02:00    --------    d-----w    c:\program files\ValuSoft
2009-03-19 00:19 . 2005-08-11 06:50    --------    d-----w    c:\program files\Common Files\InstallShield
2009-03-19 00:16 . 2007-06-26 02:34    --------    d-----w    c:\documents and settings\Casey.DEVINS-COMPUTER\Application Data\Apple Computer
2009-03-19 00:11 . 2005-12-27 20:26    --------    d-----w    c:\program files\Bird Hunter Wild Wings Edition
2009-03-18 23:08 . 2006-01-27 21:52    --------    d-----w    c:\program files\LimeWire
2009-03-08 20:39 . 2009-03-08 20:39    --------    d-----w    c:\documents and settings\Guest.DEVINS-COMPUTER\Application Data\Yahoo!
2009-02-09 10:19 . 2005-08-02 05:35    1846272    ----a-w    c:\windows\system32\win32k.sys
2009-02-09 10:19 . 2005-08-02 05:35    1846272    ----a-w    c:\windows\system32\dllcache\win32k.sys
2009-01-26 23:14 . 2009-01-26 23:14    47680    -c--a-w    c:\documents and settings\Casey.DEVINS-COMPUTER\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-01-17 02:35 . 2005-08-02 12:31    3594752    ------w    c:\windows\system32\dllcache\mshtml.dll
2008-10-19 14:02 . 2008-10-19 14:02    47680    -c--a-w    c:\documents and settings\Mary.DEVINS-COMPUTER\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2007-10-15 02:47 . 2007-10-15 02:47    121904    -c--a-w    c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2007-03-24 15:16 . 2007-03-24 15:16    40568    -c--a-w    c:\documents and settings\Mary\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2007-03-24 13:36 . 2007-03-24 13:34    40568    -c--a-w    c:\documents and settings\Casey\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2007-03-17 22:08 . 2007-03-17 22:08    40568    -c--a-w    c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.

(((((((((((((((((((((((((((((   SnapShot@2009-04-13_ 9.13.57.90   )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-15 13:19 . 2000-08-31 12:00    98816              c:\windows\sed.exe
- 2009-04-13 12:48 . 2000-08-31 12:00    98816              c:\windows\sed.exe
+ 2009-04-15 13:19 . 2000-08-31 12:00    80412              c:\windows\grep.exe
- 2009-04-13 12:48 . 2000-08-31 12:00    80412              c:\windows\grep.exe
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-05-29 50528]
"AOL Fast Start"="c:\program files\America Online 9.0b\AOL.EXE" [2005-07-25 50776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]

c:\documents and settings\Casey.DEVINS-COMPUTER\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2009-02-05 256000]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"=
"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=
"c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R3 sbre;sbre; [x]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S1 aswSP;avast! Self Protection; [x]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]
S3 tfilter;tfilter; [x]
S4 sbaphd;sbaphd; [x]
S4 sbapifs;sbapifs; [x]


--- Other Services/Drivers In Memory ---

*Deregistered* - kfilter
.
Contents of the 'Scheduled Tasks' folder

2009-03-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 13:34]

2007-10-25 c:\windows\Tasks\SAT Scores.job
- c:\progra~1\INTERN~1\iexplore.exe [2008-12-19 01:25]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-15 09:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ...

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(444)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-04-15  9:26
ComboFix-quarantined-files.txt  2009-04-15 13:26

Pre-Run: 104,390,909,952 bytes free
Post-Run: 104,338,706,432 bytes free

368    --- E O F ---    2009-03-14 07:01


3) Here is the HijackThis log:
CODE
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:44:48 AM, on 4/15/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0b\AOL.EXE" -b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - S-1-5-18 Startup: PowerReg Scheduler.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: PowerReg Scheduler.exe (User 'Default user')
O4 - Startup: PowerReg Scheduler.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-us\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://picture.vzw.com/activex/VerizonWirelessUploadControl.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 6023 bytes


4) Here is the VirSCAN log:
CODE
VirSCAN.org Scanned Report :
Scanned time   : 2009/04/15 09:37:13 (EDT)
Scanner results: 5% Scanner(2/37) found malware!
File Name      : atidimah.tmp
File Size      : 1746157 byte
File Type      : data
MD5            : 386c0d9bbb87c9eb1f9fea4d1b8690df
SHA1           : 194e606e37713e1ac0812d01d7a430f6c3c2d33e
Online report  : http://virscan.org/report/d12fba23fc54476221c3c0f75830adad.html

Scanner        Engine Ver      Sig Ver           Sig Date    Time   Scan result
a-squared      4.0.0.32        20090415043116    2009-04-15  2.66   -
AhnLab V3      2009.04.15.01   2009.04.15        2009-04-15  1.34   -
AntiVir        7.9.0.143       7.1.3.56          2009-04-15  2.07   -
Antiy          2.0.18          20090415.2296744  2009-04-15  0.12   -
Authentium     5.1.1           200904141852      2009-04-14  1.25   -
AVAST!         3.0.1           090414-0          2009-04-14  0.05   -
AVG            7.5.52.442      270.11.57/2060    2009-04-15  2.08   -
BitDefender    7.81008.2846513 7.24816           2009-04-15  2.64   -
CA (VET)       9.0.0.143       31.6.6435         2009-04-14  5.42   -
ClamAV         0.95            9238              2009-04-15  0.06   -
Comodo         3.8             1115              2009-04-15  1.26   -
CP Secure      1.1.0.715       2009.04.15        2009-04-15  8.54   -
Dr.Web         4.44.0.9170     2009.04.15        2009-04-15  4.48   -
F-Prot         4.4.4.56        20090414          2009-04-14  1.11   -
F-Secure       5.51.6100       2009.04.15.05     2009-04-15  5.97   -
Fortinet       2.81-3.117      10.284            2009-04-15  0.18   -
GData          19.4636/19.300  20090415          2009-04-15  5.88   -
ViRobot        20090414        2009.04.14        2009-04-14  0.38   -
Ikarus         T3.1.01.49      2009.04.15.72581  2009-04-15  2.86   -
JiangMin       11.0.706        2009.04.14        2009-04-14  4.62   -
Kaspersky      5.5.10          2009.04.15        2009-04-15  0.02   -
KingSoft       2009.2.5.15     2009.4.15.18      2009-04-15  0.63   -
McAfee         5.3.00          5584              2009-04-14  2.76   Vundo!grb
Microsoft      1.4502          2009.04.15        2009-04-15  5.82   -
mks_vir        2.01            2009.04.15        2009-04-15  2.91   -
Norman         6.00.06         6.00.00           2009-04-14  10.01  -
Panda          9.05.01         2009.04.14        2009-04-14  1.66   -
Trend Micro    8.700-1004      5.966.22          2009-04-14  0.02   -
Quick Heal     10.00           2009.04.14        2009-04-14  5.11   -
Rising         20.0            21.25.24.00       2009-04-15  0.34   -
Sophos         2.85.0          4.40              2009-04-15  2.13   -
Sunbelt        5093            5093              2009-04-14  1.49   Virtumonde.Traces (v)
Symantec       1.3.0.24        20090414.020      2009-04-14  0.10   -
nProtect       20090415.02     3471338           2009-04-15  5.07   -
The Hacker     6.3.4.0         v00309            2009-04-14  0.61   -
VBA32          3.12.10.2       20090413.1221     2009-04-13  1.79   -
VirusBuster    4.5.11.10       10.102.40/1228619 2009-04-09  1.59   -


Thanks!
Go to the top of the page
 
+Quote Post
andrewuk
post Apr 15 2009, 12:47 PM
Post #6


Trusted Helper
Group Icon
Posts: 4,598
From: London, UK
OS: XP
no need to post the logs in codeboxes smile.gif

in this post we will remove the remaining items i can see and update your java.

in the next post we will do some general scans to clear out the remnants and then, all being well, we can wrap this up in the post after that.

we will also update your java


====STEP 1====
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

CODE
File::
c:\windows\system32\atidimah.tmp

Driver::
tfilter
sbaphd
sbapifs
sbre



Save this as CFScript.txt, in the same location as ComboFix.exe




Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.



====STEP 2====
Please download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts. A log will appear (JavaRa.log) - no need to post that here
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.


In your next reply could i see:
1. the combofix log
2. a new hijackthis log

The text from these files may exceed the maximum post length for this forum. Hence, you may need to post the information over 2 or more posts.

andrewuk
Go to the top of the page
 
+Quote Post
NuttySquirrel
post Apr 16 2009, 07:04 AM
Post #7


Member
**
Posts: 39
OS: Windows XP
Thanks, appreciate you sticking with me.

1)
ComboFix 09-04-13.A2 - Casey 2009-04-15 16:43.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.446.136 [GMT -4:00]
Running from: c:\documents and settings\Casey.DEVINS-COMPUTER\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Casey.DEVINS-COMPUTER\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090415-0] *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\system32\atidimah.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\atidimah.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_sbaphd
-------\Legacy_sbapifs
-------\Legacy_sbre
-------\Legacy_tfilter
-------\Service_sbre
-------\Service_tfilter


((((((((((((((((((((((((( Files Created from 2009-03-15 to 2009-04-15 )))))))))))))))))))))))))))))))
.

2009-04-15 13:17 . 2009-04-15 13:17 -------- d-----w c:\documents and settings\All Users\Application Data\BVRP Software
2009-04-06 12:36 . 2009-04-06 12:36 -------- d-----w c:\documents and settings\Administrator\Application Data\Avanquest
2009-04-03 20:00 . 2009-04-03 20:00 -------- d-----w c:\documents and settings\LocalService\Application Data\Avanquest
2009-04-03 19:09 . 2009-04-03 19:09 -------- d-----w c:\program files\Trend Micro
2009-04-03 16:31 . 2009-04-03 16:31 -------- d-----w c:\documents and settings\Mary.DEVINS-COMPUTER\Application Data\Malwarebytes
2009-04-01 12:53 . 2009-04-01 12:53 -------- d-----w c:\documents and settings\Casey.DEVINS-COMPUTER\Application Data\Malwarebytes
2009-04-01 12:53 . 2009-04-01 12:53 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-31 16:47 . 2004-08-04 00:56 24576 ----a-w c:\windows\system32\userinit.exe
2009-03-31 14:36 . 2009-03-31 14:36 -------- d-----w c:\program files\Alwil Software
2009-03-31 14:20 . 2009-03-31 14:23 -------- d-----w c:\program files\MSECACHE
2009-03-22 23:17 . 2004-08-04 05:00 182912 ----a-w c:\windows\system32\drivers\ndis.sys
2009-03-22 23:17 . 2004-08-04 05:00 182912 ----a-w c:\windows\system32\dllcache\ndis.sys
2009-03-21 21:35 . 2009-03-21 21:35 -------- d-----w c:\documents and settings\Mary.DEVINS-COMPUTER\Application Data\Avanquest
2009-03-21 20:58 . 2009-03-21 20:58 -------- d-----w c:\documents and settings\Mary.DEVINS-COMPUTER\Local Settings\Application Data\{D7580E61-F1FF-4657-9774-66828F2FEA71}
2009-03-21 20:47 . 2009-03-21 20:47 -------- d-----w c:\documents and settings\Casey.DEVINS-COMPUTER\Local Settings\Application Data\{CD11E80D-6FBD-460B-B239-A9813A1FC28D}
2009-03-21 20:40 . 2009-03-21 20:41 -------- d-----w c:\documents and settings\All Users\Application Data\Avanquest
2009-03-21 20:39 . 2009-03-21 20:39 -------- d-sh--r C:\_Backup.RC
2009-03-21 20:35 . 2009-04-15 13:17 -------- d--h--w C:\_Backup
2009-03-21 20:35 . 2009-03-21 21:05 -------- d-----w c:\documents and settings\Casey.DEVINS-COMPUTER\Application Data\Avanquest
2009-03-21 20:35 . 2009-03-21 20:35 -------- d-----w c:\documents and settings\Casey.DEVINS-COMPUTER\Application Data\InstallShield
2009-03-21 20:34 . 2009-04-15 13:17 -------- d-----w c:\program files\Common Files\AntiVirus
2009-03-21 20:33 . 2009-03-21 20:33 -------- d-----w c:\program files\Avanquest
2009-03-21 18:42 . 2009-03-21 18:42 2 ----a-w C:\1409495341
2009-03-19 00:57 . 2007-04-13 17:30 25136 ----a-r c:\windows\system32\drivers\ATWPKT2.SYS
2009-03-19 00:53 . 2003-01-10 21:13 33588 ----a-r c:\windows\system32\drivers\wanatw4.sys
2009-03-19 00:52 . 2009-03-19 00:52 -------- d-----w c:\documents and settings\Casey.DEVINS-COMPUTER\Application Data\AOL
2009-03-18 23:47 . 2009-03-18 23:47 -------- d-----w c:\documents and settings\Mary.DEVINS-COMPUTER\Local Settings\Application Data\Wildtangent

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-13 12:38 . 2009-01-26 23:09 -------- d-----w c:\documents and settings\Casey.DEVINS-COMPUTER\Application Data\LimeWire
2009-04-07 12:52 . 2009-04-07 12:52 2495 ----a-w C:\Rooter.txt
2009-04-03 18:54 . 2009-04-03 18:36 135 ----a-w C:\VundoFix.txt
2009-03-23 00:32 . 2005-08-02 05:33 14336 ----a-w c:\windows\system32\svchost.exe
2009-03-23 00:32 . 2005-08-02 05:33 14336 ----a-w c:\windows\system32\dllcache\svchost.exe
2009-03-22 22:06 . 2005-08-11 07:14 -------- d-----w c:\program files\iTunes
2009-03-22 22:06 . 2005-08-11 07:14 -------- d-----w c:\program files\QuickTime
2009-03-21 22:46 . 2005-12-25 15:14 -------- d-----w c:\program files\America Online 9.0b
2009-03-20 00:00 . 2007-02-08 16:36 -------- d-----w c:\program files\Verizon
2009-03-19 23:52 . 2008-03-14 22:25 502 ----a-w c:\documents and settings\Mary.DEVINS-COMPUTER\Application Data\wklnhst.dat
2009-03-19 00:20 . 2005-12-28 02:00 -------- d-----w c:\program files\ValuSoft
2009-03-19 00:19 . 2005-08-11 06:50 -------- d-----w c:\program files\Common Files\InstallShield
2009-03-19 00:16 . 2007-06-26 02:34 -------- d-----w c:\documents and settings\Casey.DEVINS-COMPUTER\Application Data\Apple Computer
2009-03-19 00:11 . 2005-12-27 20:26 -------- d-----w c:\program files\Bird Hunter Wild Wings Edition
2009-03-18 23:08 . 2006-01-27 21:52 -------- d-----w c:\program files\LimeWire
2009-03-08 20:39 . 2009-03-08 20:39 -------- d-----w c:\documents and settings\Guest.DEVINS-COMPUTER\Application Data\Yahoo!
2009-02-09 10:19 . 2005-08-02 05:35 1846272 ----a-w c:\windows\system32\win32k.sys
2009-02-09 10:19 . 2005-08-02 05:35 1846272 ----a-w c:\windows\system32\dllcache\win32k.sys
2009-01-26 23:14 . 2009-01-26 23:14 47680 -c--a-w c:\documents and settings\Casey.DEVINS-COMPUTER\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-01-17 02:35 . 2005-08-02 12:31 3594752 ------w c:\windows\system32\dllcache\mshtml.dll
2008-10-19 14:02 . 2008-10-19 14:02 47680 -c--a-w c:\documents and settings\Mary.DEVINS-COMPUTER\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2007-10-15 02:47 . 2007-10-15 02:47 121904 -c--a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2007-03-24 15:16 . 2007-03-24 15:16 40568 -c--a-w c:\documents and settings\Mary\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2007-03-24 13:36 . 2007-03-24 13:34 40568 -c--a-w c:\documents and settings\Casey\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2007-03-17 22:08 . 2007-03-17 22:08 40568 -c--a-w c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( SnapShot@2009-04-13_ 9.13.57.90 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-15 20:50 . 2009-04-15 20:50 16384 c:\windows\Temp\Perflib_Perfdata_418.dat
- 2009-04-13 12:56 . 2009-04-13 12:56 16384 c:\windows\Temp\Perflib_Perfdata_418.dat
+ 2009-04-15 13:19 . 2000-08-31 12:00 98816 c:\windows\sed.exe
- 2009-04-13 12:48 . 2000-08-31 12:00 98816 c:\windows\sed.exe
+ 2009-04-15 13:19 . 2000-08-31 12:00 80412 c:\windows\grep.exe
- 2009-04-13 12:48 . 2000-08-31 12:00 80412 c:\windows\grep.exe
+ 2009-04-15 20:48 . 2005-10-21 00:02 163328 c:\windows\ERDNT\subs\ERDNT.EXE
- 2009-04-13 12:53 . 2005-10-21 00:02 163328 c:\windows\ERDNT\subs\ERDNT.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-05-29 50528]
"AOL Fast Start"="c:\program files\America Online 9.0b\AOL.EXE" [2005-07-25 50776]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]

c:\documents and settings\Casey.DEVINS-COMPUTER\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2009-02-05 256000]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"=
"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=
"c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S1 aswSP;avast! Self Protection; [x]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]

.
Contents of the 'Scheduled Tasks' folder

2009-03-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 13:34]

2007-10-25 c:\windows\Tasks\SAT Scores.job
- c:\progra~1\INTERN~1\iexplore.exe [2008-12-19 01:25]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-15 16:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(436)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(472)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\ati2evxx.exe
c:\windows\system32\wscntfy.exe
c:\program files\Alwil Software\Avast4\ashDisp.exe
c:\program files\AIM6\aolsoftware.exe
.
**************************************************************************
.
Completion time: 2009-04-15 16:55 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-15 20:55

Pre-Run: 104,224,870,400 bytes free
Post-Run: 104,207,491,072 bytes free

184 --- E O F --- 2009-03-14 07:01


2)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:56:48 PM, on 4/15/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...arm1=seconduser
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0b\AOL.EXE" -b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - S-1-5-18 Startup: PowerReg Scheduler.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: PowerReg Scheduler.exe (User 'Default user')
O4 - Startup: PowerReg Scheduler.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-us\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://picture.vzw.com/activex/VerizonWire...loadControl.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/Facebo...Uploader4_5.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 5851 bytes
Go to the top of the page
 
+Quote Post
andrewuk
post Apr 16 2009, 12:45 PM
Post #8


Trusted Helper
Group Icon
Posts: 4,598
From: London, UK
OS: XP
in this post we will do some general scans to clear out the remnants and ensure nothing else sneaked onto your machine.

the scans will likely take 4 hours, quite possibly much longer. so just let them run.


====STEP 1====
Please download ATF Cleaner by Atribune.

Caution: This program is for Windows 2000, XP and Vista only
    Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


====STEP 2====
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.



====STEP 3====
Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

====STEP 4====
Please do an online scan with Kaspersky WebScanner (this will identify any issues, we will clear them in the following post)

Kaspersky online scanner uses JAVA tecnology to perform the scan. If you do not have the latest JAVA version, follow the instrutions below under Upgrading Java, to download and install the latest vesion.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure the following is checked.
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.

Upgrading Java:
  • Download the latest version of Java SE Runtime Environment (JRE) 6 Update 12.
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u11-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager..
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.(Vista users, right click on the jre-6u11-windows-i586-p.exe and select "Run as an Administrator.")

In your next reply could i see:
1. the malwarebytes log
2. the superantispyware log
3. the kaspersky log
4. some idea of how your machine is running now

The text from these files may exceed the maximum post length for this forum. Hence, you may need to post the information over 2 or more posts.

andrewuk
Go to the top of the page
 
+Quote Post
andrewuk
post Apr 19 2009, 05:47 PM
Post #9


Trusted Helper
Group Icon
Posts: 4,598
From: London, UK
OS: XP
still with us?
Go to the top of the page
 
+Quote Post
NuttySquirrel
post Apr 20 2009, 06:38 AM
Post #10


Member
**
Posts: 39
OS: Windows XP
It seems like every time I run a Malwarebytes' Anti-Malware scan the computer restarts. When everything is loaded it says "The system has recovered from a serious error". In Event Viewer, all I am seeing is an Event ID 1003 System Error. In the description, it gives me error code 10000050. I am going to try to do a scan in Safe Mode to see if this still happens.

SUPERAntiSpyware has run, and Kaspersky WebScanner is currently running so I will post the logs when it is finished.

This post has been edited by NuttySquirrel: Apr 20 2009, 06:58 AM
Go to the top of the page
 
+Quote Post
andrewuk
post Apr 20 2009, 08:18 AM
Post #11


Trusted Helper
Group Icon
Posts: 4,598
From: London, UK
OS: XP
ok, dont do the malwarebytes scan then.
Go to the top of the page
 
+Quote Post
NuttySquirrel
post Apr 20 2009, 03:15 PM
Post #12


Member
**
Posts: 39
OS: Windows XP
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Monday, April 20, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Monday, April 20, 2009 18:47:13
Records in database: 2063798
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - Folder:
C:\

Scan statistics:
Files scanned: 81479
Threat name: 9
Infected objects: 10
Suspicious objects: 0
Duration of the scan: 01:42:25


File name / Threat name / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\43D35461.cla Infected: Exploit.Java.ByteVerify 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\44256E07.cla Infected: Trojan.Java.ClassLoader.Dummy.d 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\44281804.cla Infected: Exploit.Java.ByteVerify 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5C253EC3.dll Infected: not-a-virus:AdWare.Win32.WinAD.bv 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\77775D46.dll Infected: not-a-virus:AdWare.Win32.NewDotNet 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\77F06EC1.exe Infected: not-a-virus:WebToolbar.Win32.WhenU.b 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7A2451DD.exe Infected: Backdoor.Win32.DsBot.jm 1
C:\Documents and Settings\Casey.DEVINS-COMPUTER\My Documents\LimeWire\Saved\handelbars.mp3 Infected: Trojan-Downloader.WMA.GetCodec.w 1
C:\Documents and Settings\Casey.DEVINS-COMPUTER\My Documents\LimeWire\Saved\handelbars.wma Infected: Trojan-Downloader.WMA.Wimad.n 1
C:\Program Files\Online Services\AOL\United States\AOL90\comps\toolbar\toolbr.EXE Infected: not-a-virus:AdWare.Win32.SearchIt.t 1

The selected area was scanned.









SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/17/2009 at 10:30 AM

Application Version : 4.26.1000

Core Rules Database Version : 3848
Trace Rules Database Version: 1802

Scan type : Complete Scan
Total Scan Time : 17:26:30

Memory items scanned : 465
Memory threats detected : 0
Registry items scanned : 5255
Registry threats detected : 98
File items scanned : 134276
File threats detected : 13

Trojan.DNSChanger-Codec
C:\Program Files\PrivateVideo\Uninstall.exe
C:\Program Files\PrivateVideo

Malware.VirusProtectPro
HKCR\TypeLib\{6D88033C-6FD8-4374-9532-7EA301DF08AE}
HKCR\TypeLib\{6D88033C-6FD8-4374-9532-7EA301DF08AE}\1.0
HKCR\TypeLib\{6D88033C-6FD8-4374-9532-7EA301DF08AE}\1.0\0
HKCR\TypeLib\{6D88033C-6FD8-4374-9532-7EA301DF08AE}\1.0\0\win32
HKCR\TypeLib\{6D88033C-6FD8-4374-9532-7EA301DF08AE}\1.0\FLAGS
HKCR\TypeLib\{6D88033C-6FD8-4374-9532-7EA301DF08AE}\1.0\HELPDIR
HKCR\Interface\{07420914-E5A0-451E-BFD4-AA1B799D39AD}
HKCR\Interface\{07420914-E5A0-451E-BFD4-AA1B799D39AD}\ProxyStubClsid
HKCR\Interface\{07420914-E5A0-451E-BFD4-AA1B799D39AD}\ProxyStubClsid32
HKCR\Interface\{07420914-E5A0-451E-BFD4-AA1B799D39AD}\TypeLib
HKCR\Interface\{07420914-E5A0-451E-BFD4-AA1B799D39AD}\TypeLib#Version
HKCR\Interface\{0B6C7539-C6D5-4DDE-9632-184F421EF8D7}
HKCR\Interface\{0B6C7539-C6D5-4DDE-9632-184F421EF8D7}\ProxyStubClsid
HKCR\Interface\{0B6C7539-C6D5-4DDE-9632-184F421EF8D7}\ProxyStubClsid32
HKCR\Interface\{0B6C7539-C6D5-4DDE-9632-184F421EF8D7}\TypeLib
HKCR\Interface\{0B6C7539-C6D5-4DDE-9632-184F421EF8D7}\TypeLib#Version
HKCR\Interface\{164913B3-FCDE-45B5-8901-1750F4E3119E}
HKCR\Interface\{164913B3-FCDE-45B5-8901-1750F4E3119E}\ProxyStubClsid
HKCR\Interface\{164913B3-FCDE-45B5-8901-1750F4E3119E}\ProxyStubClsid32
HKCR\Interface\{164913B3-FCDE-45B5-8901-1750F4E3119E}\TypeLib
HKCR\Interface\{164913B3-FCDE-45B5-8901-1750F4E3119E}\TypeLib#Version
HKCR\Interface\{365036EB-87C2-4627-8FBC-EF6E9E8DA5C2}
HKCR\Interface\{365036EB-87C2-4627-8FBC-EF6E9E8DA5C2}\ProxyStubClsid
HKCR\Interface\{365036EB-87C2-4627-8FBC-EF6E9E8DA5C2}\ProxyStubClsid32
HKCR\Interface\{365036EB-87C2-4627-8FBC-EF6E9E8DA5C2}\TypeLib
HKCR\Interface\{365036EB-87C2-4627-8FBC-EF6E9E8DA5C2}\TypeLib#Version
HKCR\Interface\{64D6666F-B95E-4048-9FA5-F68B094EA030}
HKCR\Interface\{64D6666F-B95E-4048-9FA5-F68B094EA030}\ProxyStubClsid
HKCR\Interface\{64D6666F-B95E-4048-9FA5-F68B094EA030}\ProxyStubClsid32
HKCR\Interface\{64D6666F-B95E-4048-9FA5-F68B094EA030}\TypeLib
HKCR\Interface\{64D6666F-B95E-4048-9FA5-F68B094EA030}\TypeLib#Version
HKCR\Interface\{69B73AA0-CA0C-4BE6-9811-EB0D951B5B99}
HKCR\Interface\{69B73AA0-CA0C-4BE6-9811-EB0D951B5B99}\ProxyStubClsid
HKCR\Interface\{69B73AA0-CA0C-4BE6-9811-EB0D951B5B99}\ProxyStubClsid32
HKCR\Interface\{69B73AA0-CA0C-4BE6-9811-EB0D951B5B99}\TypeLib
HKCR\Interface\{69B73AA0-CA0C-4BE6-9811-EB0D951B5B99}\TypeLib#Version
HKCR\Interface\{77345588-AB75-4CDA-873F-AAE78C01EFCD}
HKCR\Interface\{77345588-AB75-4CDA-873F-AAE78C01EFCD}\ProxyStubClsid
HKCR\Interface\{77345588-AB75-4CDA-873F-AAE78C01EFCD}\ProxyStubClsid32
HKCR\Interface\{77345588-AB75-4CDA-873F-AAE78C01EFCD}\TypeLib
HKCR\Interface\{77345588-AB75-4CDA-873F-AAE78C01EFCD}\TypeLib#Version
HKCR\Interface\{B56ED873-C3D3-4202-9EF8-FB31DEE2C207}
HKCR\Interface\{B56ED873-C3D3-4202-9EF8-FB31DEE2C207}\ProxyStubClsid
HKCR\Interface\{B56ED873-C3D3-4202-9EF8-FB31DEE2C207}\ProxyStubClsid32
HKCR\Interface\{B56ED873-C3D3-4202-9EF8-FB31DEE2C207}\TypeLib
HKCR\Interface\{B56ED873-C3D3-4202-9EF8-FB31DEE2C207}\TypeLib#Version
HKCR\Interface\{BB3EBAF2-F4C4-4B66-9A98-EED3B70D1BB3}
HKCR\Interface\{BB3EBAF2-F4C4-4B66-9A98-EED3B70D1BB3}\ProxyStubClsid
HKCR\Interface\{BB3EBAF2-F4C4-4B66-9A98-EED3B70D1BB3}\ProxyStubClsid32
HKCR\Interface\{BB3EBAF2-F4C4-4B66-9A98-EED3B70D1BB3}\TypeLib
HKCR\Interface\{BB3EBAF2-F4C4-4B66-9A98-EED3B70D1BB3}\TypeLib#Version
HKCR\Interface\{C5CC0894-AD1E-47AD-9265-0F463AE30508}
HKCR\Interface\{C5CC0894-AD1E-47AD-9265-0F463AE30508}\ProxyStubClsid
HKCR\Interface\{C5CC0894-AD1E-47AD-9265-0F463AE30508}\ProxyStubClsid32
HKCR\Interface\{C5CC0894-AD1E-47AD-9265-0F463AE30508}\TypeLib
HKCR\Interface\{C5CC0894-AD1E-47AD-9265-0F463AE30508}\TypeLib#Version
HKCR\Interface\{C7604D71-CD16-4976-9383-D24B6FAD052E}
HKCR\Interface\{C7604D71-CD16-4976-9383-D24B6FAD052E}\ProxyStubClsid
HKCR\Interface\{C7604D71-CD16-4976-9383-D24B6FAD052E}\ProxyStubClsid32
HKCR\Interface\{C7604D71-CD16-4976-9383-D24B6FAD052E}\TypeLib
HKCR\Interface\{C7604D71-CD16-4976-9383-D24B6FAD052E}\TypeLib#Version
HKCR\Interface\{D42CF3BB-E79E-4C0B-B434-6841CA9C4593}
HKCR\Interface\{D42CF3BB-E79E-4C0B-B434-6841CA9C4593}\ProxyStubClsid
HKCR\Interface\{D42CF3BB-E79E-4C0B-B434-6841CA9C4593}\ProxyStubClsid32
HKCR\Interface\{D42CF3BB-E79E-4C0B-B434-6841CA9C4593}\TypeLib
HKCR\Interface\{D42CF3BB-E79E-4C0B-B434-6841CA9C4593}\TypeLib#Version
HKCR\Interface\{D8C36036-2E41-4CE0-9351-99087DD28A29}
HKCR\Interface\{D8C36036-2E41-4CE0-9351-99087DD28A29}\ProxyStubClsid
HKCR\Interface\{D8C36036-2E41-4CE0-9351-99087DD28A29}\ProxyStubClsid32
HKCR\Interface\{D8C36036-2E41-4CE0-9351-99087DD28A29}\TypeLib
HKCR\Interface\{D8C36036-2E41-4CE0-9351-99087DD28A29}\TypeLib#Version
HKCR\Interface\{E60A0F09-DD6B-4343-84B0-C33B946D5A9C}
HKCR\Interface\{E60A0F09-DD6B-4343-84B0-C33B946D5A9C}\ProxyStubClsid
HKCR\Interface\{E60A0F09-DD6B-4343-84B0-C33B946D5A9C}\ProxyStubClsid32
HKCR\Interface\{E60A0F09-DD6B-4343-84B0-C33B946D5A9C}\TypeLib
HKCR\Interface\{E60A0F09-DD6B-4343-84B0-C33B946D5A9C}\TypeLib#Version
HKCR\Interface\{E6369BCA-E4FA-4497-89C5-ECF9268B64B1}
HKCR\Interface\{E6369BCA-E4FA-4497-89C5-ECF9268B64B1}\ProxyStubClsid
HKCR\Interface\{E6369BCA-E4FA-4497-89C5-ECF9268B64B1}\ProxyStubClsid32
HKCR\Interface\{E6369BCA-E4FA-4497-89C5-ECF9268B64B1}\TypeLib
HKCR\Interface\{E6369BCA-E4FA-4497-89C5-ECF9268B64B1}\TypeLib#Version
HKCR\Interface\{F040E242-BAD6-46F7-A787-D3AB811E5BC3}
HKCR\Interface\{F040E242-BAD6-46F7-A787-D3AB811E5BC3}\ProxyStubClsid
HKCR\Interface\{F040E242-BAD6-46F7-A787-D3AB811E5BC3}\ProxyStubClsid32
HKCR\Interface\{F040E242-BAD6-46F7-A787-D3AB811E5BC3}\TypeLib
HKCR\Interface\{F040E242-BAD6-46F7-A787-D3AB811E5BC3}\TypeLib#Version

Malware.VirusRanger
HKCR\CLSID\{14869272-E04B-66DC-80DD-58BAB2570CF0}
HKCR\CLSID\{14869272-E04B-66DC-80DD-58BAB2570CF0}\infj
HKCR\CLSID\{14869272-E04B-66DC-80DD-58BAB2570CF0}\Insertable
HKCR\CLSID\{14869272-E04B-66DC-80DD-58BAB2570CF0}\MlEngAba
HKCR\CLSID\{14869272-E04B-66DC-80DD-58BAB2570CF0}\Ole1Class
HKCR\CLSID\{14869272-E04B-66DC-80DD-58BAB2570CF0}\ProgID
HKCR\CLSID\{14869272-E04B-66DC-80DD-58BAB2570CF0}\qGom
HKCR\CLSID\{14869272-E04B-66DC-80DD-58BAB2570CF0}\RmTQizrWXq
HKCR\CLSID\{14869272-E04B-66DC-80DD-58BAB2570CF0}\TreatAs
HKCR\CLSID\{14869272-E04B-66DC-80DD-58BAB2570CF0}\TutlzxJhC
HKCR\CLSID\{14869272-E04B-66DC-80DD-58BAB2570CF0}\wtYFs

Rogue.Component/Trace
HKU\S-1-5-21-3994500381-1856417476-269032298-1010\Software\Microsoft\FIAS4051

Browser Hijacker.Favorites
C:\DOCUMENTS AND SETTINGS\COMPAQ_OWNER\FAVORITES\ONLINE SECURITY TEST.URL

Adware.Vundo/Variant-86K
C:\SYSTEM VOLUME INFORMATION\_RESTORE{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP602\A0115873.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP602\A0115877.DLL

Adware.Tracking Cookie
C:\USERDATA\Cookies\compaq_owner@2o7[2].txt
C:\USERDATA\Cookies\compaq_owner@advertising[2].txt
C:\USERDATA\Cookies\compaq_owner@ar.atwola[1].txt
C:\USERDATA\Cookies\compaq_owner@atwola[1].txt
C:\USERDATA\Cookies\compaq_owner@doubleclick[1].txt
C:\USERDATA\Cookies\compaq_owner@mywebsearch[1].txt
C:\USERDATA\Cookies\compaq_owner@www.clickmanage[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@www.icityfind[1].txt









Computer is running much faster now, especially on startup!
Go to the top of the page
 
+Quote Post
andrewuk
post Apr 20 2009, 03:36 PM
Post #13


Trusted Helper
Group Icon
Posts: 4,598
From: London, UK
OS: XP
the kaspersky scan mostly found items already safely quarantined by your old norton and found one false positive and 2 infected files we will clear now. the superantispyware can found remnants, traces and a couple of infected files which it cleared, and infected items in the system restore which we will clear at the end.

Please download the OTMoveIt3 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    CODE
    :Processes
    explorer.exe

    :Files
    C:\Documents and Settings\Casey.DEVINS-COMPUTER\My Documents\LimeWire\Saved\handelbars.mp3
    C:\Documents and Settings\Casey.DEVINS-COMPUTER\My Documents\LimeWire\Saved\handelbars.wma
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]

  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
Go to the top of the page
 
+Quote Post
NuttySquirrel
post Apr 21 2009, 06:47 AM
Post #14


Member
**
Posts: 39
OS: Windows XP
========== PROCESSES ==========
Process explorer.exe killed successfully.
========== FILES ==========
C:\Documents and Settings\Casey.DEVINS-COMPUTER\My Documents\LimeWire\Saved\handelbars.mp3 moved successfully.
C:\Documents and Settings\Casey.DEVINS-COMPUTER\My Documents\LimeWire\Saved\handelbars.wma moved successfully.
========== COMMANDS ==========
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\Casey.DEVINS-COMPUTER\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
User's Temporary Internet Files folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
Network Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\_avast4_\Webshlock.txt scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_42c.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_5b4.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 04212009_083434

Files moved on Reboot...
File move failed. C:\WINDOWS\temp\_avast4_\Webshlock.txt scheduled to be moved on reboot.
C:\WINDOWS\temp\Perflib_Perfdata_42c.dat moved successfully.
File move failed. C:\WINDOWS\temp\Perflib_Perfdata_5b4.dat scheduled to be moved on reboot.
Go to the top of the page
 
+Quote Post
andrewuk
post Apr 21 2009, 05:02 PM
Post #15


Trusted Helper
Group Icon
Posts: 4,598
From: London, UK
OS: XP
Hello NuttySquirrel

congratulations, your logs are clean and another fix is in the can thumbsup.gif

make sure you update your avast antivirus program.

in this post we will clear away the fix tools (this is so that should you ever be re-infected, you will download updated versions and it will also remove the quarantined Malware from your computer), reset your restore points (there will be infections lurking in there) and i will leave you with some ideas on how to enhance the protection of your machine against future infection.

====STEP 1====
Follow these steps to uninstall Combofix, the tools used in the removal of malware and to flush your system restore points
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.


====STEP 2====
Please download the OTCleanIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTCleanIT.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Click on the CleanUp! button to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.
you can also clear away any other tools we used.


====IDEAS TO SPEED UP YOUR MACHINE====
this page http://users.telenet.be/bluepatchy/miekiem...owcomputer.html gives some good ideas on how to improve the efficiency of your machine and has one or two useful links to help you further.


====AND FINALLY====
The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  1. MBAM - Malware Bytes Anti Malware is an excellent tool for anyone's antimalware arsenal. This program should be updated and run often.
  2. SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  3. SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
  4. IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  5. ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  6. Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  7. Comodo Firewall - The use of a firewall is a personal preference, but its certainly a good idea. Comodo is free and light. Remember, never install more than 1 firewall. also remember, do not download the comodo antivirus program if you already have an antivirus program on your machine.
  8. Digsby or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  9. Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.
  10. FireFox - Alternate web browser. Open source and quick, Firefox is usually the first thing I install on a new system.
  11. NoScript - Addon for Firefox that stops all scripts from running on websites. Stops malicious software from invading via flash, java, javascript, and many other entry points.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein

best wishes

andrewuk
Go to the top of the page
 
+Quote Post
 

2 Pages V   1 2 >
Closed TopicStart new topic
1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)
0 Members:

 
RSS Time is now: 21st November 2009 - 02:17 PM

Advertisements do not imply our endorsement of that product or service. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks mentioned on this page are the property of their respective owners.

© Geeks to Go, Inc. | All Rights Reserved | Privacy Policy | Advertising
Powered By IP.Board © 2009  IPS, Inc.