win32:rootkit-gen, win32:trojan-gen, BV:Malware-gen, [Solved]


  • This topic is locked

#1
Aoc
Member, 36 posts
About two weeks ago I started getting redirected from Yahoo to various ad sites. My USB ports stopped working, and there were some other strange events. Avast found some issues but can't get rid of everything; that is, it keeps coming back on rebooting. Before coming to this site I had several times run AVG, Avast, and Malwarebytes Anti-Malware in safe mode. My USB ports are now working, but I can't get away from the search engine redirects.

I have completed the malware removal process and currently Malwarebytes is not finding anything. Here are the Rooter and OTListIt logs.

Microsoft Windows XP Home Edition (5.1.2600) Service Pack 3

C:\ [Fixed] - NTFS - (Total:38154 Mo/Free:2232 Mo)
D:\ [CD-Rom] (Total:0 Mo/Free:0 Mo)

Wed 05/13/2009|13:54

----------------------\\ Processes..

--Locked-- [System Process]
---------- System
---------- \SystemRoot\System32\smss.exe
---------- \??\C:\WINDOWS\system32\csrss.exe
---------- \??\C:\WINDOWS\system32\winlogon.exe
---------- C:\WINDOWS\system32\services.exe
---------- C:\WINDOWS\system32\lsass.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\Explorer.EXE
---------- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
---------- C:\Program Files\Alwil Software\Avast4\ashServ.exe
---------- C:\WINDOWS\system32\spoolsv.exe
---------- C:\Program Files\Google\Update\GoogleUpdate.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
---------- C:\WINDOWS\system32\drivers\CDAC11BA.EXE
---------- C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
---------- C:\WINDOWS\System32\DVDRAMSV.exe
---------- C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
---------- C:\WINDOWS\system32\HPZipm12.exe
---------- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HP1006MC.EXE
---------- C:\Program Files\Canon\CAL\CALMAIN.exe
---------- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
---------- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
---------- C:\WINDOWS\system32\TPSMain.exe
---------- C:\WINDOWS\AGRSMMSG.exe
---------- C:\WINDOWS\system32\TFNF5.exe
---------- C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
---------- C:\WINDOWS\system32\ctfmon.exe
---------- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\00THotkey.exe
---------- C:\Program Files\Belkin\F5D8053\v5\Belkinwcui.exe
---------- C:\WINDOWS\system32\RAMASST.exe
---------- C:\WINDOWS\System32\alg.exe
---------- C:\WINDOWS\system32\TPSBattM.exe
---------- C:\Program Files\Mozilla Firefox\firefox.exe
---------- C:\WINDOWS\system32\cmd.exe
---------- C:\Rooter$\RK.exe

----------------------\\ Search..

----------------------\\ ROOTKIT !!



1 - "C:\Rooter$\Rooter_1.txt" - Wed 05/13/2009|13:55

----------------------\\ Scan completed at 13:55

OTListIt logfile created on: 5/13/2009 1:57:58 PM - Run 1
OTListIt2 by OldTimer - Version 2.0.15.7 Folder = C:\Documents and Settings\John B\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

750.79 Mb Total Physical Memory | 353.42 Mb Available Physical Memory | 47.07% Memory free
1.04 Gb Paging File | 0.69 Gb Available in Paging File | 66.12% Paging File free
Paging file location(s): C:\pagefile.sys 360 720 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.26 Gb Total Space | 10.18 Gb Free Space | 27.32% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: JOHNLAPTOP
Current User Name: John B
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Minimal
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - C:\WINDOWS\Explorer.EXE (Microsoft Corporation)
PRC - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (ALWIL Software)
PRC - C:\Program Files\Alwil Software\Avast4\ashServ.exe (ALWIL Software)
PRC - C:\Program Files\Google\Update\GoogleUpdate.exe (Google Inc.)
PRC - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (ArcSoft Inc.)
PRC - C:\WINDOWS\system32\drivers\CDAC11BA.EXE (C-Dilla Ltd)
PRC - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe (TOSHIBA CORPORATION)
PRC - C:\WINDOWS\System32\DVDRAMSV.exe (Matsushita Electric Industrial Co., Ltd.)
PRC - C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe (Microsoft Corporation)
PRC - C:\WINDOWS\system32\HPZipm12.exe (HP)
PRC - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe (Analog Devices, Inc.)
PRC - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HP1006MC.EXE (Software 2000 Limited)
PRC - C:\Program Files\Canon\CAL\CALMAIN.exe (Canon Inc.)
PRC - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe (ALWIL Software)
PRC - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe (ALWIL Software)
PRC - C:\WINDOWS\system32\TPSMain.exe (TOSHIBA Corporation)
PRC - C:\WINDOWS\AGRSMMSG.exe (Agere Systems)
PRC - C:\WINDOWS\system32\TFNF5.exe (TOSHIBA Corp.)
PRC - C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
PRC - C:\Documents and Settings\All Users\Start Menu\Programs\Startup\00THotkey.exe (TOSHIBA Corp.)
PRC - C:\Program Files\Belkin\F5D8053\v5\Belkinwcui.exe (Belkin)
PRC - C:\WINDOWS\system32\RAMASST.exe (Matsushita Electric Industrial Co., Ltd.)
PRC - C:\WINDOWS\system32\TPSBattM.exe (TOSHIBA Corporation)
PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Documents and Settings\John B\Desktop\OTListIt2.exe (OldTimer Tools)

========== Win32 Services (SafeList) ==========

SRV - (ACDaemon [Auto | Running]) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (ArcSoft Inc.)
SRV - (aspnet_state [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (Microsoft Corporation)
SRV - (aswUpdSv [Auto | Running]) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (ALWIL Software)
SRV - (avast! Antivirus [Auto | Running]) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe (ALWIL Software)
SRV - (avast! Mail Scanner [On_Demand | Running]) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe (ALWIL Software)
SRV - (avast! Web Scanner [On_Demand | Running]) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe (ALWIL Software)
SRV - (C-DillaCdaC11BA [Auto | Running]) -- C:\WINDOWS\system32\drivers\CDAC11BA.EXE (C-Dilla Ltd)
SRV - (CCALib8 [Auto | Running]) -- C:\Program Files\Canon\CAL\CALMAIN.exe (Canon Inc.)
SRV - (CFSvcs [Auto | Running]) -- C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe (TOSHIBA CORPORATION)
SRV - (clr_optimization_v2.0.50727_32 [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (DL [Unknown | Stopped]) -- File not found
SRV - (DVD-RAM_Service [Auto | Running]) -- C:\WINDOWS\System32\DVDRAMSV.exe (Matsushita Electric Industrial Co., Ltd.)
SRV - (gupdate1c9a0d0dfd66502 [Auto | Stopped]) -- C:\Program Files\Google\Update\GoogleUpdate.exe (Google Inc.)
SRV - (helpsvc [Auto | Running]) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)
SRV - (IDriverT [On_Demand | Stopped]) -- C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe (Macrovision Corporation)
SRV - (MDM [Auto | Running]) -- C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe (Microsoft Corporation)
SRV - (MSCSPTISRV [On_Demand | Stopped]) -- C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe (Sony Corporation)
SRV - (ose [On_Demand | Stopped]) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)
SRV - (PACSPTISVR [On_Demand | Stopped]) -- C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe ()
SRV - (Pml Driver HPH11 [On_Demand | Stopped]) -- C:\WINDOWS\system32\HPHipm11.exe (HP)
SRV - (Pml Driver HPZ12 [Unknown | Running]) -- C:\WINDOWS\system32\HPZipm12.exe (HP)
SRV - (rpcapd [On_Demand | Stopped]) -- C:\Program Files\WinPcap\rpcapd.exe (CACE Technologies)
SRV - (SonicStage Back-End Service [On_Demand | Stopped]) -- C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe (Sony Corporation)
SRV - (SoundMAX Agent Service (default) [Auto | Running]) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe (Analog Devices, Inc.)
SRV - (SPTISRV [On_Demand | Stopped]) -- C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe (Sony Corporation)
SRV - (SSScsiSV [On_Demand | Stopped]) -- C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe (Sony Corporation)
SRV - (usnjsvc [On_Demand | Stopped]) -- C:\Program Files\MSN Messenger\usnsvc.exe (Microsoft Corporation)
SRV - (WMPNetworkSvc [On_Demand | Stopped]) -- C:\Program Files\Windows Media Player\WMPNetwk.exe (Microsoft Corporation)

========== Driver Services (SafeList) ==========

DRV - (Aavmker4 [System | Running]) -- C:\WINDOWS\System32\drivers\aavmker4.sys (ALWIL Software)
DRV - (aeaudio [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\aeaudio.sys (Andrea Electronics Corporation)
DRV - (AegisP [Auto | Running]) -- C:\WINDOWS\system32\DRIVERS\AegisP.sys (Cisco Systems, Inc.)
DRV - (Afc [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\Afc.sys (Arcsoft, Inc.)
DRV - (AFS2K [System | Running]) -- C:\WINDOWS\System32\drivers\AFS2K.SYS (Oak Technology Inc.)
DRV - (AgereSoftModem [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\AGRSM.sys (Agere Systems)
DRV - (ApfiltrService [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\Apfiltr.sys (Alps Electric Co., Ltd.)
DRV - (APL531 [On_Demand | Stopped]) -- C:\WINDOWS\System32\Drivers\ov550i.sys (Omnivision Technologies, Inc.)
DRV - (aswFsBlk [Auto | Running]) -- C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys (ALWIL Software)
DRV - (aswMon2 [Auto | Running]) -- C:\WINDOWS\System32\drivers\aswmon2.sys (ALWIL Software)
DRV - (aswRdr [On_Demand | Running]) -- C:\WINDOWS\System32\drivers\aswRdr.sys (ALWIL Software)
DRV - (aswSP [System | Running]) -- C:\WINDOWS\System32\drivers\aswSP.sys (ALWIL Software)
DRV - (aswTdi [System | Running]) -- C:\WINDOWS\System32\drivers\aswTdi.sys (ALWIL Software)
DRV - (atksgt [Auto | Running]) -- C:\WINDOWS\system32\DRIVERS\atksgt.sys ()
DRV - (BsStor [Boot | Running]) -- C:\WINDOWS\System32\drivers\BsStor.sys (B.H.A Co.,Ltd.)
DRV - (BsUDF [Disabled | Running]) -- C:\WINDOWS\System32\drivers\BsUDF.sys (B.H.A Co.,Ltd.)
DRV - (catchme [Unknown | Stopped]) -- C:\WINDOWS\catchme.exe ()
DRV - (CdaC15BA [Auto | Running]) -- C:\WINDOWS\system32\drivers\CDAC15BA.SYS ()
DRV - (Dot4 HPH11 [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\hphid411.sys (HP)
DRV - (Dot4Print HPH11 [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\hphipr11.sys (HP)
DRV - (Dot4Usb HPH11 [On_Demand | Stopped]) -- C:\WINDOWS\System32\drivers\hphius11.sys (HP)
DRV - (E100B [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\e100b325.sys (Intel Corporation)
DRV - (EAPPkt [Auto | Running]) -- C:\WINDOWS\system32\DRIVERS\EAPPkt.sys (Realtek)
DRV - (giveio [Boot | Running]) -- C:\WINDOWS\system32\giveio.sys ()
DRV - (grmnusb [On_Demand | Stopped]) -- C:\WINDOWS\system32\drivers\grmnusb.sys (GARMIN Corp.)
DRV - (GWIOPM [On_Demand | Stopped]) -- c:\Program Files\LEA Digital Recorder\gwiopm.sys ()
DRV - (HPZid412 [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\HPZid412.sys (HP)
DRV - (HPZipr12 [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\HPZipr12.sys (HP)
DRV - (HPZius12 [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\HPZius12.sys (HP)
DRV - (ialm [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\ialmnt5.sys (Intel Corporation)
DRV - (lirsgt [Auto | Running]) -- C:\WINDOWS\system32\DRIVERS\lirsgt.sys ()
DRV - (MASPINT [Auto | Running]) -- C:\WINDOWS\System32\drivers\MASPINT.SYS (MicroStaff Co.,Ltd.)
DRV - (MDC8021X [Auto | Running]) -- C:\WINDOWS\system32\DRIVERS\mdc8021x.sys (Meetinghouse Data Communications)
DRV - (meiudf [System | Running]) -- C:\WINDOWS\System32\Drivers\meiudf.sys (Matsushita Electric Industrial Co.,Ltd.)
DRV - (Netdevio [Auto | Running]) -- C:\WINDOWS\System32\DRIVERS\netdevio.sys (TOSHIBA Corporation.)
DRV - (NETGEAR_MA111 [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\MA111nd5.sys ( )
DRV - (NPF [On_Demand | Stopped]) -- C:\WINDOWS\system32\drivers\npf.sys (CACE Technologies)
DRV - (pciSd [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\tossdpci.sys (TOSHIBA)
DRV - (pfc [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\pfc.sys (Padus, Inc.)
DRV - (PRISM_A02 [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\PRISMAXP.sys (GlobespanVirata, Inc.)
DRV - (Ptilink [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys (Parallel Technologies, Inc.)
DRV - (PxHelp20 [Boot | Running]) -- C:\WINDOWS\System32\DRIVERS\PxHelp20.sys (Sonic Solutions)
DRV - (rt2870 [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\rt2870.sys (Ralink Technology, Corp.)
DRV - (Secdrv [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
DRV - (sfdrv01 [Boot | Running]) -- C:\WINDOWS\System32\drivers\sfdrv01.sys (Protection Technology)
DRV - (sfhlp02 [Boot | Running]) -- C:\WINDOWS\System32\drivers\sfhlp02.sys (Protection Technology)
DRV - (smwdm [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\smwdm.sys (Analog Devices, Inc.)
DRV - (sonypvs1 [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\sonypvs1.sys (Sony Corporation)
DRV - (speedfan [Boot | Running]) -- C:\WINDOWS\system32\speedfan.sys (Windows ® 2000 DDK provider)
DRV - (SUSTUCAM [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\sustucam.sys (Susteen, Inc.)
DRV - (TBiosDrv [Auto | Running]) -- C:\WINDOWS\System32\drivers\TBiosDrv.sys ()
DRV - (tmcomm [Auto | Running]) -- C:\WINDOWS\system32\drivers\tmcomm.sys (Trend Micro Inc.)
DRV - (tossmbnt [Auto | Running]) -- C:\WINDOWS\System32\drivers\TOSSMBNT.sys ()
DRV - (tsdhd [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\tsdhd.sys (TOSHIBA Corporation)
DRV - (TVALZ [Boot | Running]) -- C:\WINDOWS\System32\DRIVERS\TVALZ.SYS (TOSHIBA Corporation)
DRV - (usbaudio [On_Demand | Stopped]) -- C:\WINDOWS\system32\drivers\usbaudio.sys (Microsoft Corporation)
DRV - (WlanUIB [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\MA111nd5.sys ( )
DRV - ({6080A529-897E-4629-A488-ABA0C29B635E} [On_Demand | Stopped]) -- C:\WINDOWS\system32\drivers\ialmsbw.sys (Intel Corporation)
DRV - ({D31A0762-0CEB-444e-ACFF-B049A1F6FE91} [On_Demand | Stopped]) -- C:\WINDOWS\system32\drivers\ialmkchw.sys (Intel Corporation)
DRV - ({E2B953A6-195A-44F9-9BA3-3D5F4E32BB55} [On_Demand | Stopped]) -- C:\WINDOWS\system32\drivers\wA301a.sys (Intel Corporation)

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft...amp;ar=iesearch
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn...st/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft...p...&ar=msnhome
IE - URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "www.yahoo.com"
FF - prefs.js..extensions.enabledItems: {DCBD1271-D228-4082-9FBC-36D9B7660B03}:1.1.8
FF - prefs.js..extensions.enabledItems: [email protected]:0.8.1
FF - prefs.js..extensions.enabledItems: {DDC359D1-844A-42a7-9AA1-88A850A938A8}:1.1.3
FF - prefs.js..extensions.enabledItems: {fffe0eac-3819-4561-8aa9-178a68450d4f}:1.9
FF - prefs.js..extensions.enabledItems: [email protected]:1.1.0
FF - prefs.js..extensions.enabledItems: {5872365e-67d1-4afd-9480-fd293bebd20d}:1.7.2
FF - prefs.js..extensions.enabledItems: {9815d32d-08c2-42ca-a8c6-43e501a4512f}:0.3.2
FF - prefs.js..extensions.enabledItems: {e968fc70-8f95-4ab9-9e79-304de2a71ee1}:0.6.11
FF - prefs.js..extensions.enabledItems: {396BA20B-7E61-47EB-9095-08D70EF4D85A}:1.0
FF - prefs.js..extensions.enabledItems: {AFE5B061-B10B-4111-8C93-FE38258C5CE0}:1.0
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.10
FF - prefs.js..extensions.foxtor.browser.search.update: true

FF - HKLM\software\mozilla\Mozilla Firefox 3.0.10\extensions\\Components: C:\PROGRAM FILES\MOZILLA FIREFOX\COMPONENTS [2009/04/30 09:03:07 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.10\extensions\\Plugins: C:\PROGRAM FILES\MOZILLA FIREFOX\PLUGINS [2009/04/30 09:03:07 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.21\extensions\\Components: C:\PROGRAM FILES\MOZILLA THUNDERBIRD\COMPONENTS [2009/04/01 14:12:30 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.21\extensions\\Plugins: C:\PROGRAM FILES\MOZILLA THUNDERBIRD\PLUGINS [2009/03/03 11:10:06 | 00,000,000 | ---D | M]

[2009/01/10 15:56:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\John B\Application Data\mozilla\Extensions
[2009/01/10 15:56:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\John B\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/05/13 10:48:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\John B\Application Data\mozilla\Firefox\Profiles\ghtrl0km.default\extensions
[2008/02/10 10:04:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\John B\Application Data\mozilla\Firefox\Profiles\ghtrl0km.default\extensions\{5872365e-67d1-4afd-9480-fd293bebd20d}
[2009/04/29 09:43:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\John B\Application Data\mozilla\Firefox\Profiles\ghtrl0km.default\extensions\{9815d32d-08c2-42ca-a8c6-43e501a4512f}
[2008/12/03 00:29:03 | 00,000,000 | ---D | M] -- C:\Documents and Settings\John B\Application Data\mozilla\Firefox\Profiles\ghtrl0km.default\extensions\{DCBD1271-D228-4082-9FBC-36D9B7660B03}
[2009/05/12 14:13:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\John B\Application Data\mozilla\Firefox\Profiles\ghtrl0km.default\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
[2008/10/29 23:16:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\John B\Application Data\mozilla\Firefox\Profiles\ghtrl0km.default\extensions\{e968fc70-8f95-4ab9-9e79-304de2a71ee1}
[2009/03/20 13:42:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\John B\Application Data\mozilla\Firefox\Profiles\ghtrl0km.default\extensions\{fffe0eac-3819-4561-8aa9-178a68450d4f}
[2009/03/17 14:10:10 | 00,000,000 | ---D | M] -- C:\Documents and Settings\John B\Application Data\mozilla\Firefox\Profiles\ghtrl0km.default\extensions\[email protected]
[2008/09/10 22:44:32 | 00,000,000 | ---D | M] -- C:\Documents and Settings\John B\Application Data\mozilla\Firefox\Profiles\ghtrl0km.default\extensions\[email protected]
[2009/05/13 10:48:28 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2009/04/30 14:08:01 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{396BA20B-7E61-47EB-9095-08D70EF4D85A}
[2009/04/30 09:03:07 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/04/30 16:06:32 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{AFE5B061-B10B-4111-8C93-FE38258C5CE0}
[2007/06/10 23:13:05 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\talkback@mozilla(2).org
[2009/04/30 09:02:58 | 00,023,032 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009/04/30 09:02:59 | 00,134,648 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2009/01/10 15:56:18 | 00,001,394 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2009/01/10 15:56:18 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2009/01/10 15:56:18 | 00,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2009/01/10 15:56:18 | 00,002,343 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2009/01/10 15:56:18 | 00,001,706 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2009/01/10 15:56:18 | 00,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml

O1 HOSTS File: (27 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM..\Run: [AGRSMMSG] AGRSMMSG.exe (Agere Systems)
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe (ALWIL Software)
O4 - HKLM..\Run: [TFNF5] TFNF5.exe (TOSHIBA Corp.)
O4 - HKLM..\Run: [TPSMain] TPSMain.exe (TOSHIBA Corporation)
O4 - HKCU..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1 (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\00THotkey.exe (TOSHIBA Corp.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Belkin N Wireless USB Adapter Client Utility.lnk = C:\Program Files\Belkin\F5D8053\v5\Belkinwcui.exe (Belkin)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe (Matsushita Electric Industrial Co., Ltd.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 36
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = FF FF FF FF [binary data]
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - Reg Error: Key error. File not found
O9 - Extra Button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe (PokerStars)
O9 - Extra 'Tools' menuitem : Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe ()
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Domains: ([]msn in My Computer)
O15 - HKCU\..Trusted Domains: aol.com ([free] http in Trusted sites)
O15 - HKCU\..Trusted Domains: 28 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://go.microsoft....k/?linkid=58813 (Office Genuine Advantage Validation Tool)
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} http://www.ipix.com/viewers/ipixx.cab (iPIX ActiveX Control)
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control)
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} http://housecall65.t...ivex/hcImpl.cab (Trend Micro ActiveX Scan Agent 6.6)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\yinsthelper.dll (YInstStarter Class)
O16 - DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} http://musicstore.co...ALStreaming.cab (MALPlaybackCtrl Class)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (Reg Error: Key error.)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} http://download.bitd...can8/oscan8.cab (BDSCANONLINE Control)
O16 - DPF: {7D731A83-6C80-4EA4-9646-5E06A0513274} http://www.shockwave...gwebinstall.cab (Sandlot Loader Control)
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} http://www.shockwave...mjolauncher.cab (MJLauncherCtrl Class)
O16 - DPF: {87056D28-9730-4A47-B9F9-7E890B62C58A} http://www.shockwave...bugs/axhost.cab (WildfireActiveXHost Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.4.2_16)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} http://acs.pandasoft...free/asinst.cab (ActiveScan Installer Class)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} http://v4.windowsupd...8135.7490393519 (Reg Error: Key error.)
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} http://www.trendmicr...scan/as4web.cab (Reg Error: Key error.)
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} http://download.mcaf...,20/mcgdmgr.cab (Reg Error: Key error.)
O16 - DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} http://office.micros...ntent/opuc4.cab (Office Update Installation Engine)
O16 - DPF: {CAFEEFAC-0014-0002-0016-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.4.2_16)
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.ma...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} http://download.game...inematycoon.cab (TikGames Online Control)
O18 - Protocol\Handler\cdo {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll (Microsoft Corporation)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\system32\igfxdev.dll (Intel Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 30 Days ==========

[2099/01/01 12:00:00 | 00,006,456 | -H-- | C] () -- C:\WINDOWS\System32\vigotusa
[2009/05/13 13:54:52 | 00,000,000 | ---D | C] -- C:\Rooter$
[2009/05/13 12:00:30 | 24,699,336 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2009/05/13 11:22:16 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2009/05/13 10:37:06 | 78,733,7216 | -HS- | C] () -- C:\hiberfil.sys
[2009/05/13 10:34:52 | 00,000,000 | ---D | C] -- C:\Documents and Settings\John B\Local Settings\Temp
[2009/05/13 10:34:51 | 00,000,000 | ---D | C] -- C:\WINDOWS\temp
[2009/05/13 10:34:49 | 00,000,000 | -HSD | C] -- C:\RECYCLER
[2009/05/13 10:27:43 | 00,370,688 | ---- | C] (SteelWerX) -- C:\WINDOWS\System32\swsc.exe
[2009/05/13 10:27:43 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\System32\swxcacls.exe
[2009/05/13 10:27:43 | 00,139,776 | ---- | C] (SteelWerX) -- C:\WINDOWS\System32\swreg.exe
[2009/05/13 10:27:43 | 00,104,960 | ---- | C] () -- C:\WINDOWS\catchme.exe
[2009/05/13 10:27:43 | 00,049,152 | ---- | C] () -- C:\WINDOWS\System32\vfind.exe
[2009/05/13 10:27:38 | 00,000,000 | ---D | C] -- C:\ComboFix
[2009/05/12 10:19:25 | 00,054,156 | -H-- | C] () -- C:\WINDOWS\QTFont.qfn
[2009/05/12 10:19:25 | 00,001,409 | ---- | C] () -- C:\WINDOWS\QTFont.for
[2009/05/07 12:39:54 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\TZWNA
[2009/05/07 12:14:45 | 00,001,743 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Belkin N Wireless USB Adapter Client Utility.lnk
[2009/05/07 12:14:45 | 00,001,725 | ---- | C] () -- C:\DOCUME~1\ALLUSE~1\Desktop\Belkin N Wireless USB Adapter Client Utility.lnk
[2009/05/07 12:13:52 | 00,450,432 | ---- | C] (Realtek Semiconductor Corporation ) -- C:\WINDOWS\System32\drivers\rtl8192u.sys
[2009/05/07 12:13:51 | 00,450,432 | ---- | C] (Realtek Semiconductor Corporation ) -- C:\WINDOWS\System\rtl8192u.sys
[2009/05/07 12:13:29 | 00,038,144 | ---- | C] (Realtek) -- C:\WINDOWS\System32\drivers\EAPPkt.sys
[2009/05/07 12:13:26 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\Belkin N Wireless USB Adapter Software
[2009/05/07 09:14:03 | 00,000,226 | ---- | C] () -- C:\Boot.bak
[2009/05/07 09:13:57 | 00,260,272 | ---- | C] () -- C:\cmldr
[2009/05/07 09:13:48 | 00,000,000 | RHSD | C] -- C:\cmdcons
[2009/05/07 09:12:09 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2009/05/07 09:12:09 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2009/05/07 09:12:09 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2009/05/07 09:12:09 | 00,117,248 | ---- | C] () -- C:\WINDOWS\vFind.exe
[2009/05/07 09:12:09 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2009/05/07 09:12:09 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2009/05/07 09:12:09 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2009/05/06 13:42:19 | 00,061,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\yotxsvbh.sys
[2009/05/06 11:01:53 | 00,023,152 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2009/05/06 11:01:53 | 00,001,709 | ---- | C] () -- C:\DOCUME~1\ALLUSE~1\Desktop\avast! Antivirus.lnk
[2009/05/06 11:01:52 | 00,051,376 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2009/05/06 11:01:51 | 00,026,944 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2009/05/06 11:01:49 | 00,097,480 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\AvastSS.scr
[2009/05/06 11:01:47 | 00,114,768 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2009/05/06 11:01:47 | 00,094,032 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2009/05/06 11:01:47 | 00,093,296 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2009/05/06 11:01:47 | 00,020,560 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2009/05/06 11:01:21 | 01,256,296 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\aswBoot.exe
[2009/05/06 11:01:21 | 00,380,928 | ---- | C] () -- C:\WINDOWS\System32\actskin4.ocx
[2009/05/06 11:01:16 | 00,000,000 | ---D | C] -- C:\Program Files\Alwil Software
[2009/04/16 16:10:25 | 00,001,374 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2009/04/16 13:36:41 | 00,401,408 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\rpcss.dll
[2009/04/16 13:36:41 | 00,284,160 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\pdh.dll
[2009/04/16 13:36:41 | 00,110,592 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\services.exe
[2009/04/16 13:36:41 | 00,035,328 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\sc.exe
[2009/04/16 13:36:40 | 00,473,600 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\fastprox.dll
[2009/04/16 13:36:40 | 00,227,840 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmiprvse.exe
[2009/04/16 13:36:39 | 00,729,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\lsasrv.dll
[2009/04/16 13:36:39 | 00,714,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntdll.dll
[2009/04/16 13:36:39 | 00,617,472 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\advapi32.dll
[2009/04/16 13:36:39 | 00,453,120 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmiprvsd.dll
[2009/04/16 13:35:00 | 00,002,560 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xpsp4res.dll
[2009/04/16 13:34:59 | 01,203,922 | ---- | C] () -- C:\WINDOWS\System32\dllcache\sysmain.sdb
[2009/04/16 13:34:59 | 00,215,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wordpad.exe
[2009/04/15 08:47:32 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\ArcSoft
[2009/04/15 08:47:02 | 00,018,688 | ---- | C] (Arcsoft, Inc.) -- C:\WINDOWS\System32\drivers\afc.sys
[2009/04/15 08:47:00 | 00,001,794 | ---- | C] () -- C:\DOCUME~1\ALLUSE~1\Desktop\Photo Impression 6.lnk
[2009/04/15 08:46:35 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\ArcSoft
[2009/04/15 08:44:26 | 00,000,000 | ---D | C] -- C:\WINDOWS\OvtCam
[2009/04/15 08:44:24 | 00,000,000 | ---D | C] -- C:\Program Files\OVT
[2009/01/14 21:23:11 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\HPPLVS.dll
[2008/12/09 00:09:21 | 00,030,208 | ---- | C] () -- C:\WINDOWS\System32\WNASPI32.DLL
[2008/12/09 00:09:21 | 00,000,291 | ---- | C] () -- C:\WINDOWS\msfsetup.ini
[2008/12/09 00:04:55 | 00,003,654 | ---- | C] () -- C:\WINDOWS\System32\drivers\Sonyhcp.dll
[2007/11/06 15:19:28 | 00,053,299 | ---- | C] () -- C:\WINDOWS\System32\pthreadVC.dll
[2007/09/25 23:03:08 | 00,043,520 | ---- | C] () -- C:\WINDOWS\System32\CmdLineExt03.dll
[2007/07/26 13:01:50 | 00,114,688 | ---- | C] () -- C:\WINDOWS\System32\hppatusg01.dll
[2007/06/30 23:57:01 | 00,000,000 | ---- | C] () -- C:\WINDOWS\pestpatrol5.INI
[2007/06/18 00:34:35 | 00,011,776 | ---- | C] () -- C:\WINDOWS\System32\ZPORT4AS.dll
[2007/04/25 00:14:14 | 00,000,052 | ---- | C] () -- C:\WINDOWS\STYLEEASEAPA.INI
[2007/04/10 00:03:22 | 00,532,480 | ---- | C] () -- C:\WINDOWS\System32\CddbPlaylist2Sony.dll
[2007/03/05 13:34:28 | 00,676,224 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.DLL
[2007/02/19 03:25:49 | 00,077,824 | R--- | C] () -- C:\WINDOWS\System32\HPZIDS01.dll
[2007/02/11 04:09:33 | 00,000,059 | ---- | C] () -- C:\WINDOWS\LTDLG13N.INI
[2006/12/05 17:21:09 | 00,000,000 | ---- | C] () -- C:\WINDOWS\Tripeaks.INI
[2006/11/02 17:03:38 | 00,002,042 | ---- | C] () -- C:\WINDOWS\tabled32.ini
[2006/10/31 12:06:03 | 00,000,128 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2006/09/11 09:46:53 | 00,165,376 | ---- | C] () -- C:\WINDOWS\System32\drivers\atksgt.sys
[2006/09/11 09:46:52 | 00,018,048 | ---- | C] () -- C:\WINDOWS\System32\drivers\lirsgt.sys
[2005/09/04 22:53:16 | 00,000,022 | ---- | C] () -- C:\WINDOWS\kodakpcd.John B.ini
[2005/08/06 09:32:12 | 00,077,824 | ---- | C] () -- C:\WINDOWS\System32\MouseTrapLib.dll
[2005/06/10 10:57:39 | 00,000,034 | ---- | C] () -- C:\WINDOWS\hpfsched.ini
[2005/06/02 22:37:45 | 00,004,005 | ---- | C] () -- C:\WINDOWS\hpdj3740.ini
[2005/05/28 18:50:53 | 00,005,667 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2005/03/01 15:30:20 | 00,000,453 | ---- | C] () -- C:\WINDOWS\bdoscandellang.ini
[2005/02/23 21:17:54 | 00,000,426 | ---- | C] () -- C:\WINDOWS\BRWMARK.INI
[2005/01/16 20:42:25 | 00,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2004/12/17 16:34:53 | 00,000,037 | ---- | C] () -- C:\WINDOWS\ipixActivex.ini
[2004/10/06 19:33:37 | 00,112,128 | RH-- | C] () -- C:\WINDOWS\CdaC14BA.DLL
[2004/10/06 19:33:35 | 00,008,864 | ---- | C] () -- C:\WINDOWS\System32\drivers\CDAC15BA.SYS
[2004/07/22 19:26:30 | 00,000,028 | ---- | C] () -- C:\WINDOWS\BTW.ini
[2004/07/22 19:26:22 | 00,000,000 | ---- | C] () -- C:\WINDOWS\autorun.INI
[2004/07/07 20:09:00 | 00,072,704 | ---- | C] () -- C:\WINDOWS\System32\GTRTST32.DLL
[2004/07/07 20:08:10 | 00,000,000 | ---- | C] () -- C:\WINDOWS\arhelper.INI
[2004/07/06 21:24:06 | 00,000,708 | ---- | C] () -- C:\WINDOWS\label.ini
[2004/07/06 21:23:54 | 00,000,052 | ---- | C] () -- C:\WINDOWS\odbcddp.ini
[2004/05/28 21:40:39 | 00,000,067 | ---- | C] () -- C:\WINDOWS\swupdate.INI
[2004/03/03 16:27:08 | 00,666,624 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\MA111nd5.sys
[2004/01/30 10:37:50 | 00,000,092 | R--- | C] () -- C:\WINDOWS\System32\FTDIUN2K.INI
[2003/11/21 16:49:44 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2003/11/20 20:49:20 | 00,000,908 | ---- | C] () -- C:\WINDOWS\System32\Px.ini
[2003/11/20 20:40:32 | 00,000,021 | ---- | C] () -- C:\WINDOWS\CS_SETUP.ini
[2003/11/20 20:34:03 | 00,000,906 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2003/11/20 20:32:41 | 00,019,607 | ---- | C] () -- C:\WINDOWS\System32\drivers\TOSSMBNT.sys
[2003/11/20 20:12:08 | 00,000,000 | ---- | C] () -- C:\WINDOWS\NDSTray.INI
[2003/11/20 20:06:36 | 00,000,034 | ---- | C] () -- C:\WINDOWS\wwwbatch.ini
[2003/11/20 19:54:31 | 00,128,113 | ---- | C] () -- C:\WINDOWS\System32\csellang.ini
[2003/11/20 19:54:31 | 00,045,056 | ---- | C] () -- C:\WINDOWS\System32\csellang.dll
[2003/11/20 19:54:31 | 00,010,165 | ---- | C] () -- C:\WINDOWS\System32\tosmreg.ini
[2003/11/20 19:54:31 | 00,007,671 | ---- | C] () -- C:\WINDOWS\System32\cseltbl.ini
[2003/11/20 19:53:21 | 00,016,384 | ---- | C] () -- C:\WINDOWS\System32\e100bmsg.dll
[2003/11/20 19:44:16 | 00,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2003/11/20 19:28:40 | 00,006,867 | ---- | C] () -- C:\WINDOWS\System32\drivers\tbiosdrv.sys
[2003/11/20 18:53:50 | 00,001,924 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2003/11/20 18:50:00 | 00,000,780 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2003/11/20 18:42:22 | 00,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2003/11/20 17:12:52 | 00,000,382 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2003/11/20 17:12:23 | 00,000,742 | ---- | C] () -- C:\WINDOWS\win.ini
[2003/11/20 17:12:16 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini
[2002/04/04 15:04:08 | 00,069,632 | ---- | C] () -- C:\WINDOWS\System32\hpodinet.dll
[2001/07/07 04:00:00 | 00,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini
[1996/04/03 14:33:26 | 00,005,248 | ---- | C] () -- C:\WINDOWS\System32\giveio.sys

========== Files - Modified Within 30 Days ==========

[2009/05/13 10:37:48 | 00,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/05/13 10:37:23 | 00,000,314 | ---- | M] () -- C:\WINDOWS\tasks\GlaryInitialize.job
[2009/05/13 10:37:21 | 00,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachine.job
[2009/05/13 10:37:18 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/05/13 10:37:11 | 00,000,062 | -HS- | M] () -- C:\Documents and Settings\John B\Local Settings\desktop.ini
[2009/05/13 10:37:08 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/05/13 10:37:06 | 787,337,216 | -HS- | M] () -- C:\hiberfil.sys
[2009/05/12 10:19:25 | 00,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2009/05/12 10:19:25 | 00,001,409 | ---- | M] () -- C:\WINDOWS\QTFont.for
[2009/05/07 13:26:33 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/05/07 12:39:54 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\TZWNA
[2009/05/07 12:14:45 | 00,001,743 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Belkin N Wireless USB Adapter Client Utility.lnk
[2009/05/07 12:14:45 | 00,001,725 | ---- | M] () -- C:\DOCUME~1\ALLUSE~1\Desktop\Belkin N Wireless USB Adapter Client Utility.lnk
[2009/05/07 09:32:44 | 00,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/05/07 09:14:03 | 00,000,296 | RHS- | M] () -- C:\boot.ini
[2009/05/07 00:16:30 | 24,699,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2009/05/06 13:42:19 | 00,061,440 | ---- | M] () -- C:\WINDOWS\System32\drivers\yotxsvbh.sys
[2009/05/06 11:01:53 | 00,001,709 | ---- | M] () -- C:\DOCUME~1\ALLUSE~1\Desktop\avast! Antivirus.lnk
[2009/05/06 11:01:47 | 00,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2009/05/01 15:36:46 | 00,117,248 | ---- | M] () -- C:\WINDOWS\vFind.exe
[2009/04/30 14:16:32 | 00,006,456 | -H-- | M] () -- C:\WINDOWS\System32\vigotusa
[2009/04/17 08:51:13 | 00,479,920 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/04/17 08:51:13 | 00,407,908 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/04/17 08:51:13 | 00,064,398 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/04/17 08:41:26 | 00,247,904 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/04/16 16:15:27 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/04/15 08:47:00 | 00,001,794 | ---- | M] () -- C:\DOCUME~1\ALLUSE~1\Desktop\Photo Impression 6.lnk
< End of report >


OTListIt Extras logfile created on: 5/13/2009 1:57:58 PM - Run 1
OTListIt2 by OldTimer - Version 2.0.15.7 Folder = C:\Documents and Settings\John B\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

750.79 Mb Total Physical Memory | 353.42 Mb Available Physical Memory | 47.07% Memory free
1.04 Gb Paging File | 0.69 Gb Available in Paging File | 66.12% Paging File free
Paging file location(s): C:\pagefile.sys 360 720 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.26 Gb Total Space | 10.18 Gb Free Space | 27.32% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: JOHNLAPTOP
Current User Name: John B
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Minimal
File Age = 30 Days
Company Name Whitelist: On

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"UpdatesDisableNotify" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
C:\Program Files\Smart PC Solutions\Startup Booster\StartupBooster.exe:*:Enabled:Make your pc faster! (Smart PC Solutions)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00000409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Premium
"{008D69EB-70FF-46AB-9C75-924620DF191A}" = TOSHIBA Speech System SR Engine(U.S.) Version1.0
"{02C85EC5-E864-4847-AF55-42730861004C}" = MrvlUsgTracking
"{063E409E-3D7C-4A4A-95AB-2F124B9224B3}" = ArcSoft PhotoImpression 6
"{0C4E1AFF-779C-443A-9B96-91D0D3063061}" = ReportViewer
"{10F5D9BB-E2F2-4B18-A65D-928B73D22E6F}" = USB-IrDA Adapter
"{13E824B4-FE15-4F8D-94C6-A7F98EBF9F01}" = TaxWise Workstation Setup
"{19C64880-BBCA-11D4-9EEE-0004ACDDDB3B}" = B's CLiP
"{1B4AA674-F5CA-4BB5-831A-CD37B4021959}" = ImageMixer for Sony
"{1E38AB5D-6393-4E44-A2E2-1AA01A265441}" = LEA Digital Recorder
"{27555031-A116-4EC6-9991-7B400142A936}" = HP PSC & OfficeJet 6.1.A
"{3470FBE6-B743-420F-B5CE-0D27FA749C16}" = Touch and Launch
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{366FFC89-C800-4366-B903-B9C4314109A5}" = Garmin WebUpdater
"{3CF0858D-1AC5-4308-9DE7-AD15288A8BDC}" = TOSHIBA Console
"{3FBF6F99-8EC6-41B4-8527-0A32241B5496}" = TOSHIBA Speech System TTS Engine(U.S.) Version1.0
"{48CF9A66-5F03-4025-ABD0-B3A3FA095A59}" = TOSHIBA SD Memory Card Format
"{548EAC70-EE00-11DD-908C-005056806466}" = Google Earth
"{54DE0B75-6CD9-44C4-B10A-1F25DA9899D8}" = Quicken 2004
"{564A8DD3-70BC-4018-A5C3-7CEB10BBB6E9}" = Image Transfer
"{571700F0-DB9D-4B3A-B03D-35A14BB5939F}" = Windows Live Messenger
"{5B09BD67-4C99-46A1-8161-B7208CE18121}" = QuickTime
"{5C29CB8B-AC1E-4114-8D68-9CD080140D4A}" = Sony USB Driver
"{625BD732-ACDF-4552-BF22-98EBB413B6F3}" = McAfee Shredder
"{66910000-8B30-4973-A159-6371345AFFA5}" = WebReg
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{7148F0A8-6813-11D6-A77B-00B0D0142160}" = Java 2 Runtime Environment, SE v1.4.2_16
"{7216871F-869E-437C-B9BF-2A13F2DCE63F}_is1" = Auslogics BoostSpeed
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}" = Microsoft Works 7.0
"{7902E313-FF0F-4493-ACB1-A8147B78DCD0}" = HPSSupply
"{7B02BF60-796D-4616-908B-B31A63CFDEFB}" = HPCarePackCore
"{8777AC6D-89F9-4793-8266-DE406F343E89}" = QFolder
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Extreme Graphics 2 Driver
"{8BBF6DFD-0AD9-43A7-9FBD-BF065E3866AF}" = URGE
"{8E240C1C-25D0-4248-BC6C-ACC3472E35CE}" = SigmaTel MSCN Audio Player
"{901B0409-6000-11D3-8CFE-0050048383C9}" = Microsoft Word 2002
"{90327F59-EBD1-4246-A3F6-FC85C0BDD329}" = Belkin N Wireless USB Adapter Software
"{91A10409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office OneNote 2003
"{93B8C73B-C8FB-4B60-A22E-1C40AE661AB7}" = CRS Photo Scanner
"{98E8A2EF-4EAE-43B8-A172-74842B764777}" = InterVideo WinDVD 4
"{9AC200C3-A4C8-401C-A5A8-202BE888B165}" = TOSHIBA Fax Extension
"{9D765FA6-F2BC-40AF-8145-50808F9BDF4E}" = DVD-RAM Driver
"{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = Alps Pointing-device Driver
"{9FE35071-CAB2-4E79-93E7-BFC6A2DC5C5D}" = CD/DVD Drive Acoustic Silencer
"{A0EB195B-5876-48E6-879D-33D4B2102610}" = SonicStage 4.3
"{A1B7B9B3-E1D2-41CA-9B4A-F18DC2710704}" = Microsoft Works 6.0
"{A6690C0E-B96E-4F0F-A8EB-D5B332454AC6}" = TOSHIBA Controls
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-A70900000002}" = Adobe Reader 7.0.9
"{B508B3F1-A24A-32C0-B310-85786919EF28}" = Microsoft .NET Framework 2.0 Service Pack 1
"{B66899F2-C58D-4CEC-9FA8-867883FFB707}" = CoffeeCup Free FTP
"{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}" = Apple Software Update
"{BA561482-C49D-4687-A61C-96236C1688F0}" = ArcSoft Software Suite
"{BD3DCAB0-3FE5-44FB-90DA-EFB0A2CD1387}" = Works Synchronization
"{BDD83DC9-BEE9-4654-A5DA-CC46C250088D}" = TOSHIBA ConfigFree
"{C4BA56E6-3DA9-4454-AD39-81FB11810984}" = McAfee VirusScan Professional Bonus Pack
"{C6812939-B117-48E6-A3BA-1709C14A3C8C}" = Scan
"{C8753E28-2680-49BF-BD48-DD38FD086EFE}" = AiO_Scan_CDA
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CCD663AE-610D-4BDF-AAB0-E914B044527D}" = OpenMG Secure Module 4.7.00
"{DC19E750-988B-4005-A355-85EF66055EFE}" = Works Suite OS Pack
"{DDC146FA-73E0-4FA1-A353-841EA14BF600}" = Drag'n Drop CD+DVD
"{DF6A13C0-77DF-41FE-BD05-6D5201EB0CE7}_is1" = AusLogics Disk Defrag
"{ECA31632-C2AD-4774-A3CA-2813D47E4DD0}" = HPCarePackProducts
"{EE033C1F-443E-41EC-A0E2-559B539A4E4D}" = TOSHIBA Speech System Applications
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F22C63FE-DBA4-4FDA-9306-55AA627CE6C7}" = Wise-FTP
"{F6C405D2-C50D-4D10-B89E-73A233A14D74}" = Toshiba Registration
"{FC88C8F6-507B-4150-B2B1-6F9A414300ED}" = TaxWise Workstation Setup
"{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}" = HighMAT Extension to Microsoft Windows XP CD Writing Wizard
"Ad-Aware SE Personal" = Ad-Aware SE Personal
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11
"AdobeESD" = Adobe Download Manager 2.0 (Remove Only)
"Audacity_is1" = Audacity 1.2.3
"avast!" = avast! Antivirus
"BFG-Build-a-lot" = Build-a-lot
"BFGC" = Big Fish Games Client
"Bridge Building Game" = Bridge Building Game
"Cain & Abel v4.9.23" = Cain & Abel v4.9.23
"CAL" = Canon Camera Access Library
"CameraWindowDC" = Canon Utilities CameraWindow DC
"CameraWindowDVC5" = Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX
"CameraWindowDVC6" = Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
"CameraWindowLauncher" = Canon Utilities CameraWindow
"Canon G.726 WMP-Decoder" = Canon G.726 WMP-Decoder
"CCleaner" = CCleaner (remove only)
"CdaC13Ba" = Cda Product Service - shared component
"CRS Photo Scanner" = Uninstall CRS Photo Scanner
"CSCLIB" = Canon Camera Support Core Library
"EOS Utility" = Canon Utilities EOS Utility
"EPSON Printer and Utilities" = EPSON Printer Software
"ERUNT_is1" = ERUNT 1.1j
"Glary Registry Repair_is1" = Glary Registry Repair 3.0
"Glary Utilities_is1" = Glary Utilities 2.10.0.622
"Hidden Expedition Titanic" = Hidden Expedition Titanic (remove only)
"HijackThis" = HijackThis 1.99.1
"Hijackthis_is1" = Hijackthis 1.99.1
"HP LaserJet P1000 series" = HP LaserJet P1000 series
"hphuni04" = Photosmart Printer 130,230,7150,7350,7550 (Remove only)
"igLoader" = igLoader
"igLoader_is1" = igLoader 2,0,0,2
"InstallShield_{54DE0B75-6CD9-44C4-B10A-1F25DA9899D8}" = Quicken 2004
"InstallShield_{CCD663AE-610D-4BDF-AAB0-E914B044527D}" = OpenMG Secure Module 4.7.00
"Luxor" = Luxor (remove only)
"Luxor AR" = Luxor Amun Rising (remove only)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"MovieEditTask" = Canon MovieEdit Task for ZoomBrowser EX
"Mozilla Firefox (3.0.10)" = Mozilla Firefox (3.0.10)
"Mozilla Thunderbird (2.0.0.21)" = Mozilla Thunderbird (2.0.0.21)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MSN Music Assistant" = MSN Music Assistant
"MWASPI" = MicroStaff WINASPI
"MyCamera" = Canon Utilities MyCamera
"MyCameraDC" = Canon Utilities MyCamera DC
"Mystery Case Files - Huntsville" = Mystery Case Files - Huntsville (remove only)
"Notebook_Maximizer" = Notebook Maximizer
"OpenMG HotFix4.7-07-13-22-01" = OpenMG Limited Patch 4.7-07-14-05-01
"Panda ActiveScan" = Panda ActiveScan
"PC Diagnostic Tool" = TOSHIBA PC Diagnostic Tool
"PDF-XChange PDF Viewer_is1" = PDF-XChange PDF Viewer
"PhotoStitch" = Canon Utilities PhotoStitch
"PokerStars" = PokerStars
"Power Saver" = TOSHIBA Power Saver
"PROSet" = Intel® PRO Network Adapters and Drivers
"RAW Image Task" = Canon RAW Image Task for ZoomBrowser EX
"RealPlayer 6.0" = RealPlayer
"RemoteCaptureDC" = Canon Utilities RemoteCapture DC
"RemoteCaptureTask" = Canon Utilities RemoteCapture Task for ZoomBrowser EX
"Shockwave" = Shockwave
"ShockwaveFlash" = Adobe Flash Player 9 ActiveX
"SpeedFan" = SpeedFan (remove only)
"Spybot - Search & Destroy_is1" = Spybot - Search & Destroy 1.4
"SpywareBlaster_is1" = SpywareBlaster v3.5.1
"Startup Booster_is1" = Startup Booster v2.1
"StreetPlugin" = Learn2 Player (Uninstall Only)
"StyleEase for APA Style" = StyleEase for APA Style
"SysInfo" = Creative System Information
"TablEdit_is1" = TablEdit 2.64
"TcD_is1" = TcD v2.2.4
"TDspBtn" = TOSHIBA Display Devices Change Utility
"TFNF5" = TOSHIBA Hotkey Utility for Display Devices
"TOSHIBA Access" = TOSHIBA Access
"TOSHIBA Software Modem" = TOSHIBA Software Modem
"Toshiba Tbiosdrv Driver" = Toshiba Tbiosdrv Driver
"TOSHIBA Utilities" = TOSHIBA Utilities
"TouchED" = TOSHIBA TouchPad On/Off Utility V2.05.00
"UnityWebPlayer" = Unity Web Player
"ViewpointMediaPlayer" = Viewpoint Media Player
"What's Running_is1" = What's Running 2.2
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinPcapInst" = WinPcap 4.0.2
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Works2002Setup" = Microsoft Works 2002 Setup Launcher
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"YInstHelper" = Yahoo! Install Manager
"ZoomBrowser EX" = Canon Utilities ZoomBrowser EX
"ZoomBrowser EX Memory Card Utility" = Canon ZoomBrowser EX Memory Card Utility
"Zuma Deluxe 1.0" = Zuma Deluxe 1.0

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Mystery Case Files - Ravenhearst" = Mystery Case Files - Ravenhearst (remove only)

========== Last 10 Event Log Errors ==========

[ Antivirus Events ]
Error - 5/6/2009 3:14:31 PM | Computer Name = JOHNLAPTOP | Source = avast! | ID = 33554522
Description = Internal error has occurred in module aswar scan function failed!,
function A0000111.

Error - 5/6/2009 5:06:14 PM | Computer Name = JOHNLAPTOP | Source = avast! | ID = 33554522
Description = Internal error has occurred in module aswar scan function failed!,
function A0000111.

Error - 5/12/2009 4:06:30 PM | Computer Name = JOHNLAPTOP | Source = avast! | ID = 33554522
Description = Internal error has occurred in module aswar scan function failed!,
function 00000002.

[ Application Events ]
Error - 5/6/2009 9:33:56 AM | Computer Name = JOHNLAPTOP | Source = Google Update | ID = 20
Description =

Error - 5/6/2009 10:40:22 AM | Computer Name = JOHNLAPTOP | Source = Application Error | ID = 1000
Description = Faulting application gdwizrkuy.exe, version 0.0.0.0, faulting module
unknown, version 0.0.0.0, fault address 0x771d5c8e.

Error - 5/6/2009 10:40:28 AM | Computer Name = JOHNLAPTOP | Source = Application Error | ID = 1000
Description = Faulting application gdwizrkuy.exe, version 0.0.0.0, faulting module
unknown, version 0.0.0.0, fault address 0x771d5c8e.

Error - 5/6/2009 10:40:32 AM | Computer Name = JOHNLAPTOP | Source = Application Error | ID = 1000
Description = Faulting application gdwizrkuy.exe, version 0.0.0.0, faulting module
unknown, version 0.0.0.0, fault address 0x771d5c8e.

Error - 5/6/2009 11:55:42 AM | Computer Name = JOHNLAPTOP | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 6.0.2900.5512, faulting
module shlwapi.dll, version 6.0.2900.5512, fault address 0x0001a9b8.

Error - 5/6/2009 11:57:03 AM | Computer Name = JOHNLAPTOP | Source = Application Error | ID = 1000
Description = Faulting application 152297936.exe, version 0.0.0.0, faulting module
unknown, version 0.0.0.0, fault address 0x771c5796.

Error - 5/6/2009 11:59:06 AM | Computer Name = JOHNLAPTOP | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: This operation returned because the timeout period expired.

Error - 5/6/2009 11:59:06 AM | Computer Name = JOHNLAPTOP | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: The specified server cannot perform the requested operation.

Error - 5/6/2009 2:25:39 PM | Computer Name = JOHNLAPTOP | Source = Application Hang | ID = 1002
Description = Hanging application setup.exe, version 12.0.0.58849, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 5/13/2009 1:01:57 PM | Computer Name = JOHNLAPTOP | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: This operation returned because the timeout period expired.

[ System Events ]
Error - 5/12/2009 3:58:09 PM | Computer Name = JOHNLAPTOP | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 5/12/2009 3:59:00 PM | Computer Name = JOHNLAPTOP | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error - 5/12/2009 3:59:00 PM | Computer Name = JOHNLAPTOP | Source = Service Control Manager | ID = 7001
Description = The DHCP Client service depends on the NetBT service which failed
to start because of the following error: %%31

Error - 5/12/2009 3:59:00 PM | Computer Name = JOHNLAPTOP | Source = Service Control Manager | ID = 7001
Description = The DNS Client service depends on the TCP/IP Protocol Driver service
which failed to start because of the following error: %%31

Error - 5/12/2009 3:59:00 PM | Computer Name = JOHNLAPTOP | Source = Service Control Manager | ID = 7001
Description = The TCP/IP NetBIOS Helper service depends on the AFD Networking Support
Environment service which failed to start because of the following error: %%31

Error - 5/12/2009 3:59:00 PM | Computer Name = JOHNLAPTOP | Source = Service Control Manager | ID = 7001
Description = The IPSEC Services service depends on the IPSEC driver service which
failed to start because of the following error: %%31

Error - 5/12/2009 3:59:00 PM | Computer Name = JOHNLAPTOP | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Aavmker4 AFD aswSP aswTdi Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip

Error - 5/13/2009 11:35:01 AM | Computer Name = JOHNLAPTOP | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error - 5/13/2009 11:36:07 AM | Computer Name = JOHNLAPTOP | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 5/13/2009 11:37:31 AM | Computer Name = JOHNLAPTOP | Source = Service Control Manager | ID = 7000
Description = The mrtRate service failed to start due to the following error: %%2


< End of report >


The last Avast scan found the following: win32:rootkit-gen, win32:trojan-gen, BV:Malware-gen.

I am still having the redirect issues.

Thanks so much in advance



#2
XmichouX

    Trusted Helper

  • Retired Staff
  • 1,292 posts
Welcome to the site! :) My name's XmichouX and I'll be helping clean up your computer. :) I'm currently looking over your log. I am still in training here, so there might be a delay between my replies as they need to be checked by an expert before I can post them. I'll need a bit of time to research your log fully, so please bear with me.

Before we proceed to clean your computer from malware, let's go over some points that will help both me and you, and prevent causing damage to your computer:
  • To make sure that you receive an email when I reply to this topic, please click here and check that this topic is listed under Malware Removal - HijackThis™ Logs Go Here.
  • Please don't be afraid to ask questions! No question is considered dumb here. It's better to be safe than sorry!
  • When posting logs, please ensure Wordwrap is turned off in Notepad (to check, open Notepad click on Format | Uncheck Word Wrap)
  • Please follow the steps exactly in the same order posted. If you can't perform a certain step, or you're unsure on what to do, please stop and let me know.
  • NEVER fix anything in HijackThis or other programs on your own! This can be very dangerous and cause harm to your system. If you see a certain entry or program you're unsure about, please don't hesitate to ask!
  • Make sure you reply to this thread using the Add Reply button.

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.


Regards,

#3
Aoc

    Member

  • Topic Starter
  • Member
  • 36 posts
Ok, I'm here with you. I have read everything and ready to go when you are. I can't thank you enough for trying to help.

#4
XmichouX

    Trusted Helper

  • Retired Staff
  • 1,292 posts
Hi,

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.

Regards,

#5
Aoc

    Member

  • Topic Starter
  • Member
  • 36 posts
Ok, here ya go.


ComboFix 09-05-17.08 - John B 05/18/2009 15:06.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.751.445 [GMT -5:00]
Running from: c:\documents and settings\John B\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090517-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((( Files Created from 2009-04-18 to 2009-05-18 )))))))))))))))))))))))))))))))
.

2009-05-18 20:03 . 2009-05-18 20:04 -------- d-----w C:\32788R22FWJFW.0.tmp
2009-05-13 18:54 . 2009-05-13 18:55 -------- d-----w C:\Rooter$
2009-05-13 16:22 . 2009-05-13 16:22 -------- d-----w c:\program files\ERUNT
2009-05-07 17:13 . 2008-10-22 21:04 450432 ----a-w c:\windows\system32\drivers\rtl8192u.sys
2009-05-07 17:13 . 2008-10-22 21:04 450432 ----a-w c:\windows\system\rtl8192u.sys
2009-05-07 17:13 . 2007-10-09 18:13 38144 ----a-w c:\windows\system32\drivers\EAPPkt.sys
2009-05-07 17:13 . 2009-05-07 17:13 -------- d-----w c:\windows\system32\Belkin N Wireless USB Adapter Software
2009-05-06 18:42 . 2009-05-06 18:42 61440 ----a-w c:\windows\system32\drivers\yotxsvbh.sys
2009-05-06 16:01 . 2009-05-06 16:01 -------- d-----w c:\program files\Alwil Software
2009-05-05 20:25 . 2009-05-05 20:25 -------- d-s---w c:\windows\system32\config\systemprofile\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-07 20:28 . 2005-05-26 03:10 -------- d-----w c:\program files\Mozilla Thunderbird
2009-05-07 19:35 . 2008-03-19 14:17 -------- d-----w c:\program files\Mystery Case Files - Ravenhearst
2009-05-07 19:30 . 2007-10-23 00:17 -------- d-----w c:\program files\Bridge Building Game
2009-05-07 17:13 . 2004-12-14 01:30 -------- d-----w c:\program files\Belkin
2009-05-07 17:13 . 2003-11-21 00:37 -------- d--h--w c:\program files\InstallShield Installation Information
2009-05-05 19:09 . 2005-05-20 16:26 -------- d-----w c:\program files\PokerStars
2009-05-01 19:19 . 2009-01-17 02:19 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-15 13:47 . 2009-04-15 13:46 -------- d-----w c:\program files\Common Files\ArcSoft
2009-04-15 13:46 . 2003-11-21 01:40 -------- d-----w c:\program files\ArcSoft
2009-04-15 13:44 . 2009-04-15 13:44 -------- d-----w c:\program files\OVT
2009-04-07 03:28 . 2005-06-28 17:22 42224 ----a-w c:\documents and settings\John B\Application Data\GDIPFONTCACHEV1.DAT
2009-04-06 20:32 . 2009-01-17 02:19 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 20:32 . 2009-01-17 02:19 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-06 14:22 . 2003-11-20 22:12 284160 ----a-w c:\windows\system32\pdh.dll
2009-02-20 08:10 . 2004-02-06 23:05 666112 ----a-w c:\windows\system32\wininet.dll
2009-02-20 08:10 . 2004-09-09 00:06 81920 ------w c:\windows\system32\ieencode.dll
2004-12-22 22:58 . 2004-12-29 01:41 18448384 ----a-w c:\program files\Common Files\TaxWise Workstation Setup.msi
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"TPSMain"="TPSMain.exe" - c:\windows\system32\TPSMain.exe [2003-11-20 278528]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\agrsmmsg.exe [2003-04-18 88363]
"TFNF5"="TFNF5.exe" - c:\windows\system32\TFNF5.exe [2003-10-16 73728]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
00THotkey.exe [2003-4-15 258048]
Belkin N Wireless USB Adapter Client Utility.lnk - c:\program files\Belkin\F5D8053\v5\Belkinwcui.exe [2009-5-7 1605632]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2003-11-20 155648]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKLM\~\startupfolder\C:^Documents and Settings^John B^Start Menu^Programs^Startup^Registration Silent Hunter III.LNK]
path=c:\documents and settings\John B\Start Menu\Programs\Startup\Registration Silent Hunter III.LNK
backup=c:\windows\pss\Registration Silent Hunter III.LNKStartup

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"Microsoft Works Update Detection"=c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
"hpbdfawep"=c:\program files\HP\Dfawep\bin\hpbdfawep.exe 1
"ArcSoft Connection Service"=c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
"TouchED"=c:\program files\TOSHIBA\TouchED\TouchED.Exe
"Apoint"=c:\program files\Apoint2K\Apoint.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Smart PC Solutions\\Startup Booster\\StartupBooster.exe"=

R0 BsStor;B.H.A Storage Helper Driver;c:\windows\system32\drivers\BsStor.sys [11/20/2003 8:52 PM 9344]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [5/6/2009 11:01 AM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [5/6/2009 11:01 AM 20560]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [5/7/2009 12:13 PM 38144]
R4 BsUDF;B.H.A UDF Filesystem;c:\windows\system32\drivers\BsUDF.sys [11/20/2003 8:52 PM 390400]
S2 gupdate1c9a0d0dfd66502;Google Update Service (gupdate1c9a0d0dfd66502);c:\program files\Google\Update\GoogleUpdate.exe [3/9/2009 11:05 AM 133104]
S2 mrtRate;mrtRate; [x]
S3 APL531;CRS Photo Scanner;c:\windows\system32\drivers\ov550i.sys [1/28/2008 8:53 AM 580992]
S3 GWIOPM;gwiopm;c:\program files\LEA Digital Recorder\gwiopm.sys [6/16/2003 10:15 AM 3904]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [11/6/2007 3:22 PM 34064]
S3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [3/13/2007 4:35 AM 476416]
S3 RTL8187B;TRENDnet TEW-424UB Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187B.sys --> c:\windows\system32\DRIVERS\RTL8187B.sys [?]
S3 SUSTUCAM;Susteen USB Cable Modem Driver;c:\windows\system32\drivers\sustucam.sys [4/12/2006 2:01 PM 38016]
S3 WlanUIB;NETGEAR 802.11b USB Driver;c:\windows\system32\drivers\MA111nd5.sys [3/3/2004 4:27 PM 666624]
.
Contents of the 'Scheduled Tasks' folder

2009-02-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 20:57]

2009-05-15 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2008-11-17 23:02]

2009-05-15 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-09 16:05]
.
.
------- Supplementary Scan -------
.
mStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
Trusted Zone: aol.com\free
DPF: {7D731A83-6C80-4EA4-9646-5E06A0513274} - hxxp://www.shockwave.com/content/barnyardinvasion/slgwebinstall.cab
DPF: {87056D28-9730-4A47-B9F9-7E890B62C58A} - hxxp://www.shockwave.com/content/tumblebugs/axhost.cab
FF - ProfilePath - c:\documents and settings\John B\Application Data\Mozilla\Firefox\Profiles\ghtrl0km.default\
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\Google\Update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\j2re1.4.2_16\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.2_16\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.2_16\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.2_16\bin\NPJava14.dll
FF - plugin: c:\program files\Java\j2re1.4.2_16\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.2_16\bin\NPJPI142_16.dll
FF - plugin: c:\program files\Java\j2re1.4.2_16\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npigl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npvirtools.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-18 15:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3966931221-871848139-187226989-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3048)
c:\program files\Common Files\Microsoft Shared\Ink\PENUSA.DLL
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
.
Completion time: 2009-05-18 15:15
ComboFix-quarantined-files.txt 2009-05-18 20:14
ComboFix2.txt 2009-05-13 15:34
ComboFix3.txt 2009-05-07 15:09
ComboFix4.txt 2009-05-07 14:54
ComboFix5.txt 2009-05-18 20:04

Pre-Run: 10,832,371,712 bytes free
Post-Run: 10,819,899,392 bytes free

150 --- E O F --- 2009-05-13 17:03

#6
XmichouX

    Trusted Helper

  • Retired Staff
  • 1,292 posts
Hi,

Did you disallow changes to your Desktop?

Open notepad and copy/paste the text in the quotebox below into it:

http://www.geekstogo...s...t&p=1539288

KillAll::

File::
C:\32788R22FWJFW.0.tmp

Collect::
c:\windows\system32\drivers\yotxsvbh.sys

Folder::
C:\32788R22FWJFW.0.tmp


Save this as CFScript.txt


Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
  • A browser will open.
  • Simply follow the instructions to copy/paste/send the requested file.

Regards,
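In the log above, yotxsvbh.sys stands out from the other new drivers: its name is a random-looking run of lowercase letters, and its created and modified stamps are the same minute (vendor drivers such as rtl8192u.sys carry an older build date), which is why the script above collects it for analysis rather than deleting it outright. As an added example (not ComboFix's own logic and not from this thread), here is a small Python triage script that applies that reading to "Files Created" lines in the ComboFix log format; the sample lines are constructed to mirror entries shown above, and the random-name and same-minute rules are assumptions about how a helper reads such a log.

```python
"""Triage helper for ComboFix 'Files Created' / 'Find3M' lines (added example).

Line layout, as seen in the log posted in this thread:
    <created> . <modified> <size or -------- for dirs> <attrs> <path>
The 'suspicious driver' heuristic below is an assumption about how a helper
reads such entries; it is not a check ComboFix itself performs.
"""
import re
from datetime import datetime
from typing import Any, Dict, List, Optional

LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>[-a-z]{7}) (?P<path>.+)$"
)
STAMP = "%Y-%m-%d %H:%M"
# a bare run of lowercase letters, no digits, no vendor prefix
RANDOM_STEM_RE = re.compile(r"^[a-z]{6,10}$")
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"

# Constructed sample modelled on entries from the log above
SAMPLE_LOG = r"""
2009-05-13 16:22 . 2009-05-13 16:22 -------- d-----w c:\program files\ERUNT
2009-05-07 17:13 . 2008-10-22 21:04 450432 ----a-w c:\windows\system32\drivers\rtl8192u.sys
2009-05-06 18:42 . 2009-05-06 18:42 61440 ----a-w c:\windows\system32\drivers\yotxsvbh.sys
2009-04-06 20:32 . 2009-01-17 02:19 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
"""


def parse_line(line: str) -> Optional[Dict[str, Any]]:
    """Parse one ComboFix file entry; return None for lines that are not entries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "created": datetime.strptime(m["created"], STAMP),
        "modified": datetime.strptime(m["modified"], STAMP),
        "size": None if m["size"].startswith("-") else int(m["size"]),
        "is_dir": m["attrs"].startswith("d"),
        "path": m["path"],
    }


def is_suspicious_driver(entry: Dict[str, Any], since: datetime) -> bool:
    """Flag a .sys in system32\\drivers with a random-looking name that was
    dropped (created == modified) on or after the start of the complaint window."""
    path = str(entry["path"]).lower()
    if entry["is_dir"] or not path.startswith(DRIVER_DIR) or not path.endswith(".sys"):
        return False
    stem = path[len(DRIVER_DIR):-len(".sys")]
    if "\\" in stem or not RANDOM_STEM_RE.match(stem):
        return False
    freshly_dropped = entry["created"] == entry["modified"]
    return freshly_dropped and entry["created"] >= since


def triage(log_text: str, since_date: str) -> List[str]:
    """Return the paths of drivers worth collecting for analysis.

    since_date is the first day of the complaint window, 'YYYY-MM-DD'."""
    since = datetime.strptime(since_date, "%Y-%m-%d")
    flagged: List[str] = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_suspicious_driver(entry, since):
            flagged.append(str(entry["path"]))
    return flagged


if __name__ == "__main__":
    # the user reported symptoms starting about two weeks before 2009-05-13
    for p in triage(SAMPLE_LOG, "2009-04-29"):
        print("collect for analysis:", p)
```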

#7
Aoc

    Member

  • Topic Starter
  • Member
  • 36 posts
Ok, I did this but it never popped up asking to submit files.


ComboFix 09-05-17.08 - John B 05/20/2009 13:50.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.751.369 [GMT -5:00]
Running from: c:\documents and settings\John B\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\John B\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090519-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
* Created a new restore point

FILE ::
C:\32788R22FWJFW.0.tmp

file zipped: c:\windows\system32\drivers\yotxsvbh.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\32788R22FWJFW.0.tmp
c:\32788r22fwjfw.0.tmp\License\Curl - license.txt
c:\32788r22fwjfw.0.tmp\License\dumphive-license.txt
c:\32788r22fwjfw.0.tmp\License\EXTRACT.TXT
c:\32788r22fwjfw.0.tmp\License\FI - license.txt
c:\32788r22fwjfw.0.tmp\License\mtee.txt.txt
c:\32788r22fwjfw.0.tmp\License\pv_5_2_2.zip
c:\32788r22fwjfw.0.tmp\License\streamtools.zip
c:\32788r22fwjfw.0.tmp\License\UnxUtilsDist.html
c:\32788r22fwjfw.0.tmp\License\Zip - license.txt
c:\32788r22fwjfw.0.tmp\n.com
c:\32788r22fwjfw.0.tmp\ND_.bat
c:\32788r22fwjfw.0.tmp\ndis_combofix.dat
c:\32788r22fwjfw.0.tmp\netsvc.bad.dat
c:\32788r22fwjfw.0.tmp\netsvc.dat
c:\32788r22fwjfw.0.tmp\netsvc.vista.dat
c:\32788r22fwjfw.0.tmp\netsvc.xp.dat
c:\32788r22fwjfw.0.tmp\NetworkService.dat
c:\32788r22fwjfw.0.tmp\NirCmd.cfexe
c:\32788r22fwjfw.0.tmp\NirCmd.chm
c:\32788r22fwjfw.0.tmp\NirCmdC.cfexe
c:\32788r22fwjfw.0.tmp\NT-OS.cmd
c:\32788r22fwjfw.0.tmp\OSid.vbs
c:\32788r22fwjfw.0.tmp\pev.exe
c:\32788r22fwjfw.0.tmp\Policies.dat
c:\32788r22fwjfw.0.tmp\Prep.cmd
c:\32788r22fwjfw.0.tmp\Prep.inf
c:\32788r22fwjfw.0.tmp\Purity.dat
c:\32788r22fwjfw.0.tmp\RCLink.dat
c:\32788r22fwjfw.0.tmp\REGDACL.sed
c:\32788r22fwjfw.0.tmp\RegDo.sed
c:\32788r22fwjfw.0.tmp\region.dat
c:\32788r22fwjfw.0.tmp\RegScan.cmd
c:\32788r22fwjfw.0.tmp\restore_pt.vbs
c:\32788r22fwjfw.0.tmp\RestoreO4.bat
c:\32788r22fwjfw.0.tmp\Rkey.cmd
c:\32788r22fwjfw.0.tmp\rogues.dat
c:\32788r22fwjfw.0.tmp\run2.sed
c:\32788r22fwjfw.0.tmp\safeboot.dat
c:\32788r22fwjfw.0.tmp\safeboot.def.dat
c:\32788r22fwjfw.0.tmp\safeboot.def.vista.dat
c:\32788r22fwjfw.0.tmp\SafeBootRepair.bat
c:\32788r22fwjfw.0.tmp\sed.cfexe
c:\32788r22fwjfw.0.tmp\SetEnvmt.bat
c:\32788r22fwjfw.0.tmp\setpath.cfexe
c:\32788r22fwjfw.0.tmp\SnapShot.cmd
c:\32788r22fwjfw.0.tmp\SRestore.cmd
c:\32788r22fwjfw.0.tmp\srizbi.md5
c:\32788r22fwjfw.0.tmp\SuppScan.cmd
c:\32788r22fwjfw.0.tmp\svc_wht.dat
c:\32788r22fwjfw.0.tmp\SvcDrv.vbs
c:\32788r22fwjfw.0.tmp\svchost.dat
c:\32788r22fwjfw.0.tmp\svchost.vista.dat
c:\32788r22fwjfw.0.tmp\swreg.exe
c:\32788r22fwjfw.0.tmp\swsc.cfexe
c:\32788r22fwjfw.0.tmp\swxcacls.cfexe
c:\32788r22fwjfw.0.tmp\system_ini.dat
c:\32788r22fwjfw.0.tmp\tail.cfexe
c:\32788r22fwjfw.0.tmp\toolbar.sed
c:\32788r22fwjfw.0.tmp\unzip.cfexe
c:\32788r22fwjfw.0.tmp\Update-CF.cmd
c:\32788r22fwjfw.0.tmp\vistareg.dat
c:\32788r22fwjfw.0.tmp\w2kreg.dat
c:\32788r22fwjfw.0.tmp\Wmi_rem.vbs
c:\32788r22fwjfw.0.tmp\xpreg.dat
c:\32788r22fwjfw.0.tmp\zDomain.dat
c:\32788r22fwjfw.0.tmp\zhsvc.dat
c:\32788r22fwjfw.0.tmp\zip.cfexe
c:\windows\system32\drivers\yotxsvbh.sys

.
((((((((((((((((((((((((( Files Created from 2009-04-20 to 2009-05-20 )))))))))))))))))))))))))))))))
.

2009-05-19 18:20 . 2009-05-19 18:20 -------- d-----w c:\program files\GamesBar
2009-05-19 18:20 . 2009-05-19 18:20 -------- d-----w c:\program files\Oberon Media
2009-05-19 18:20 . 2009-05-19 18:20 -------- d-----w c:\program files\Common Files\Oberon Media
2009-05-19 18:20 . 2009-05-19 18:20 -------- d-----w c:\program files\Best Buy Games
2009-05-19 18:09 . 2009-05-19 18:09 -------- d-----w c:\documents and settings\All Users\Application Data\NeoEdge Networks
2009-05-19 13:59 . 2009-05-19 13:59 -------- d-----w c:\windows\system32\config\systemprofile\Local Settings\Application Data\Google
2009-05-13 18:54 . 2009-05-13 18:55 -------- d-----w C:\Rooter$
2009-05-13 16:22 . 2009-05-13 16:22 -------- d-----w c:\program files\ERUNT
2009-05-07 17:13 . 2008-10-22 21:04 450432 ----a-w c:\windows\system32\drivers\rtl8192u.sys
2009-05-07 17:13 . 2008-10-22 21:04 450432 ----a-w c:\windows\system\rtl8192u.sys
2009-05-07 17:13 . 2007-10-09 18:13 38144 ----a-w c:\windows\system32\drivers\EAPPkt.sys
2009-05-07 17:13 . 2009-05-07 17:13 -------- d-----w c:\windows\system32\Belkin N Wireless USB Adapter Software
2009-05-06 16:01 . 2009-05-06 16:01 -------- d-----w c:\program files\Alwil Software
2009-05-05 20:25 . 2009-05-05 20:25 -------- d-s---w c:\windows\system32\config\systemprofile\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-20 18:16 . 2005-05-26 03:10 -------- d-----w c:\program files\Mozilla Thunderbird
2009-05-19 18:10 . 2006-01-13 03:23 -------- d-----w c:\program files\Yahoo! Games
2009-05-19 13:58 . 2006-01-04 18:36 -------- d-----w c:\program files\Google
2009-05-07 19:35 . 2008-03-19 14:17 -------- d-----w c:\program files\Mystery Case Files - Ravenhearst
2009-05-07 19:30 . 2007-10-23 00:17 -------- d-----w c:\program files\Bridge Building Game
2009-05-07 17:13 . 2004-12-14 01:30 -------- d-----w c:\program files\Belkin
2009-05-07 17:13 . 2003-11-21 00:37 -------- d--h--w c:\program files\InstallShield Installation Information
2009-05-05 19:09 . 2005-05-20 16:26 -------- d-----w c:\program files\PokerStars
2009-05-01 19:19 . 2009-01-17 02:19 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-15 13:47 . 2009-04-15 13:46 -------- d-----w c:\program files\Common Files\ArcSoft
2009-04-15 13:46 . 2003-11-21 01:40 -------- d-----w c:\program files\ArcSoft
2009-04-15 13:44 . 2009-04-15 13:44 -------- d-----w c:\program files\OVT
2009-04-07 03:28 . 2005-06-28 17:22 42224 ----a-w c:\documents and settings\John B\Application Data\GDIPFONTCACHEV1.DAT
2009-04-06 20:32 . 2009-01-17 02:19 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 20:32 . 2009-01-17 02:19 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-06 14:22 . 2003-11-20 22:12 284160 ----a-w c:\windows\system32\pdh.dll
2009-02-20 08:10 . 2004-02-06 23:05 666112 ----a-w c:\windows\system32\wininet.dll
2009-02-20 08:10 . 2004-09-09 00:06 81920 ------w c:\windows\system32\ieencode.dll
2004-12-22 22:58 . 2004-12-29 01:41 18448384 ----a-w c:\program files\Common Files\TaxWise Workstation Setup.msi
.

((((((((((((((((((((((((((((( SnapShot@2009-05-18_20.11.17 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-20 18:56 . 2009-05-20 18:56 16384 c:\windows\temp\Perflib_Perfdata_698.dat
+ 2009-05-19 13:59 . 2009-05-19 13:59 25214 c:\windows\Installer\{CC016F21-3970-11DE-B878-005056806466}\UNINST_Uninstall_G_408FFBEED62349E08B232864A94D2864.exe
+ 2009-05-19 13:59 . 2009-05-19 13:59 25214 c:\windows\Installer\{CC016F21-3970-11DE-B878-005056806466}\ShortcutOGL_EB071909B9884F8CBF3D6115D4ADEE5E.exe
+ 2009-05-19 13:59 . 2009-05-19 13:59 25214 c:\windows\Installer\{CC016F21-3970-11DE-B878-005056806466}\ShortcutDX_EB071909B9884F8CBF3D6115D4ADEE5E.exe
+ 2009-05-19 13:59 . 2009-05-19 13:59 25214 c:\windows\Installer\{CC016F21-3970-11DE-B878-005056806466}\googleearth.exe1_407B9B5CDAC54F44A756B57CAB4E6A8B.exe
+ 2009-05-19 13:59 . 2009-05-19 13:59 25214 c:\windows\Installer\{CC016F21-3970-11DE-B878-005056806466}\googleearth.exe_407B9B5CDAC54F44A756B57CAB4E6A8B.exe
+ 2009-05-19 13:59 . 2009-05-19 13:59 25214 c:\windows\Installer\{CC016F21-3970-11DE-B878-005056806466}\ARPPRODUCTICON.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"TPSMain"="TPSMain.exe" - c:\windows\system32\TPSMain.exe [2003-11-20 278528]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\agrsmmsg.exe [2003-04-18 88363]
"TFNF5"="TFNF5.exe" - c:\windows\system32\TFNF5.exe [2003-10-16 73728]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
00THotkey.exe [2003-4-15 258048]
Belkin N Wireless USB Adapter Client Utility.lnk - c:\program files\Belkin\F5D8053\v5\Belkinwcui.exe [2009-5-7 1605632]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2003-11-20 155648]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKLM\~\startupfolder\C:^Documents and Settings^John B^Start Menu^Programs^Startup^Registration Silent Hunter III.LNK]
path=c:\documents and settings\John B\Start Menu\Programs\Startup\Registration Silent Hunter III.LNK
backup=c:\windows\pss\Registration Silent Hunter III.LNKStartup

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"Microsoft Works Update Detection"=c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
"hpbdfawep"=c:\program files\HP\Dfawep\bin\hpbdfawep.exe 1
"ArcSoft Connection Service"=c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
"TouchED"=c:\program files\TOSHIBA\TouchED\TouchED.Exe
"Apoint"=c:\program files\Apoint2K\Apoint.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Smart PC Solutions\\Startup Booster\\StartupBooster.exe"=

R0 BsStor;B.H.A Storage Helper Driver;c:\windows\system32\drivers\BsStor.sys [11/20/2003 8:52 PM 9344]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [5/6/2009 11:01 AM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [5/6/2009 11:01 AM 20560]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [5/7/2009 12:13 PM 38144]
R4 BsUDF;B.H.A UDF Filesystem;c:\windows\system32\drivers\BsUDF.sys [11/20/2003 8:52 PM 390400]
S2 gupdate1c9a0d0dfd66502;Google Update Service (gupdate1c9a0d0dfd66502);c:\program files\Google\Update\GoogleUpdate.exe [3/9/2009 11:05 AM 133104]
S2 mrtRate;mrtRate; [x]
S3 APL531;CRS Photo Scanner;c:\windows\system32\drivers\ov550i.sys [1/28/2008 8:53 AM 580992]
S3 GWIOPM;gwiopm;c:\program files\LEA Digital Recorder\gwiopm.sys [6/16/2003 10:15 AM 3904]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [11/6/2007 3:22 PM 34064]
S3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [3/13/2007 4:35 AM 476416]
S3 RTL8187B;TRENDnet TEW-424UB Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187B.sys --> c:\windows\system32\DRIVERS\RTL8187B.sys [?]
S3 SUSTUCAM;Susteen USB Cable Modem Driver;c:\windows\system32\drivers\sustucam.sys [4/12/2006 2:01 PM 38016]
S3 WlanUIB;NETGEAR 802.11b USB Driver;c:\windows\system32\drivers\MA111nd5.sys [3/3/2004 4:27 PM 666624]
.
Contents of the 'Scheduled Tasks' folder

2009-02-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 20:57]

2009-05-20 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2008-11-17 23:02]

2009-05-20 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-09 16:05]
.
.
------- Supplementary Scan -------
.
mStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
Trusted Zone: aol.com\free
DPF: {7D731A83-6C80-4EA4-9646-5E06A0513274} - hxxp://www.shockwave.com/content/barnyardinvasion/slgwebinstall.cab
DPF: {87056D28-9730-4A47-B9F9-7E890B62C58A} - hxxp://www.shockwave.com/content/tumblebugs/axhost.cab
FF - ProfilePath - c:\documents and settings\John B\Application Data\Mozilla\Firefox\Profiles\ghtrl0km.default\
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\Google\Update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\j2re1.4.2_16\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.2_16\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.2_16\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.2_16\bin\NPJava14.dll
FF - plugin: c:\program files\Java\j2re1.4.2_16\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.2_16\bin\NPJPI142_16.dll
FF - plugin: c:\program files\Java\j2re1.4.2_16\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npigl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npvirtools.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-20 13:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3966931221-871848139-187226989-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3932)
c:\program files\Common Files\Microsoft Shared\Ink\PENUSA.DLL
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
c:\program files\ArcSoft\Software Suite\PhotoImpression\share\pihook.dll
c:\windows\system32\we.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Microsoft Office\OFFICE11\msohev.dll
c:\program files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\windows\system32\drivers\CDAC11BA.EXE
c:\program files\Toshiba\ConfigFree\CFSvcs.exe
c:\windows\system32\DVDRAMSV.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\spool\drivers\w32x86\3\HP1006MC.EXE
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\TPSBattM.exe
c:\documents and settings\All Users\Start Menu\Programs\Startup\00THotkey.exe
.
**************************************************************************
.
Completion time: 2009-05-20 14:08 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-20 19:07
ComboFix2.txt 2009-05-18 20:15
ComboFix3.txt 2009-05-13 15:34
ComboFix4.txt 2009-05-07 15:09
ComboFix5.txt 2009-05-20 18:49

Pre-Run: 10,591,465,472 bytes free
Post-Run: 10,625,679,360 bytes free

267 --- E O F --- 2009-05-13 17:03



thanks

#8
XmichouX

    Trusted Helper

  • Retired Staff
  • 1,292 posts
Hi,

Please don't install this type of software: GamesBar, Oberon Media...

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Folder::
c:\program files\GamesBar
c:\program files\Oberon Media
c:\program files\Common Files\Oberon Media
c:\program files\Best Buy Games
C:\WINDOWS\System32\vigotusa
C:\WINDOWS\System32\TZWNA


Save this as CFScript.txt


Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

Regards,

#9
Aoc

    Member

  • Topic Starter
  • Member
  • 36 posts
Ok, sorry about the games. Do you mean never ever install these types of games, or just while we are in this process? Either way is fine, I'll do what you say.


Here is the log

ComboFix 09-05-20.A1 - John B 05/21/2009 8:34.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.751.423 [GMT -5:00]
Running from: c:\documents and settings\John B\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\John B\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090520-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Best Buy Games
c:\program files\Best Buy Games\Build-a-Lot 2\bestbuy.ico
c:\program files\Best Buy Games\Build-a-Lot 2\Buildalot2.exe
c:\program files\Best Buy Games\Build-a-Lot 2\Buildalot2.ico
c:\program files\Best Buy Games\Build-a-Lot 2\Buildalot2.rez
c:\program files\Best Buy Games\Build-a-Lot 2\GDFShell.dll
c:\program files\Best Buy Games\Build-a-Lot 2\ge_menu.xml
c:\program files\Best Buy Games\Build-a-Lot 2\HookIsolate.dll
c:\program files\Best Buy Games\Build-a-Lot 2\INSTALL.LOG
c:\program files\Best Buy Games\Build-a-Lot 2\install.sss
c:\program files\Best Buy Games\Build-a-Lot 2\Launch.exe
c:\program files\Best Buy Games\Build-a-Lot 2\old_bestbuy.ico
c:\program files\Best Buy Games\Build-a-Lot 2\omdata\dimming.css
c:\program files\Best Buy Games\Build-a-Lot 2\omdata\empty.html
c:\program files\Best Buy Games\Build-a-Lot 2\omdata\gs.html
c:\program files\Best Buy Games\Build-a-Lot 2\omdata\gs1.html
c:\program files\Best Buy Games\Build-a-Lot 2\omdata\gs2.html
c:\program files\Best Buy Games\Build-a-Lot 2\omdata\images\1pixel.gif
c:\program files\Best Buy Games\Build-a-Lot 2\omdata\images\best_buy_splash_screen.bmp
c:\program files\Best Buy Games\Build-a-Lot 2\omdata\images\BkgTile.gif
c:\program files\Best Buy Games\Build-a-Lot 2\omdata\images\buttonDown.gif
c:\program files\Best Buy Games\Build-a-Lot 2\omdata\images\buttonOut.gif
c:\program files\Best Buy Games\Build-a-Lot 2\omdata\images\buttonOver.gif
c:\program files\Best Buy Games\Build-a-Lot 2\omdata\images\channelLogo.gif
c:\program files\Best Buy Games\Build-a-Lot 2\omdata\images\check.gif
c:\program files\Best Buy Games\Build-a-Lot 2\omdata\images\gameLogo.jpg
c:\program files\Best Buy Games\Build-a-Lot 2\omdata\images\gameSaverCloseX.gif
c:\program files\Best Buy Games\Build-a-Lot 2\omdata\images\getMoreGames.gif
c:\program files\Best Buy Games\Build-a-Lot 2\omdata\images\graybackground.png
c:\program files\Best Buy Games\Build-a-Lot 2\omdata\images\gsBackground.jpg
c:\program files\Best Buy Games\Build-a-Lot 2\omdata\images\gsBuyButton.gif
c:\program files\Best Buy Games\Build-a-Lot 2\omdata\images\gsJoinButton.gif
c:\program files\Best Buy Games\Build-a-Lot 2\omdata\images\icon.ico
c:\program files\Best Buy Games\Build-a-Lot 2\omdata\images\icon.png
c:\program files\Best Buy Games\Build-a-Lot 2\omdata\images\index.html
c:\program files\Best Buy Games\Build-a-Lot 2\omdata\images\longButtonDown.gif
c:\program files\Best Buy Games\Build-a-Lot 2\omdata\images\longButtonOut.gif
c:\program files\Best Buy Games\Build-a-Lot 2\omdata\images\longButtonOver.gif
c:\program files\Best Buy Games\Build-a-Lot 2\omdata\images\oberon.gif
c:\program files\Best Buy Games\Build-a-Lot 2\omdata\images\old_channelLogo.gif
c:\program files\Best Buy Games\Build-a-Lot 2\omdata\images\progressBar.gif
c:\program files\Best Buy Games\Build-a-Lot 2\omdata\images\progressBox.gif
c:\program files\Best Buy Games\Build-a-Lot 2\omdata\images\splash2.html
c:\program files\Best Buy Games\Build-a-Lot 2\omdata\images\truste.gif
c:\program files\Best Buy Games\Build-a-Lot 2\omdata\images\verisign.gif
c:\program files\Best Buy Games\Build-a-Lot 2\omdata\LauncherApi.js
c:\program files\Best Buy Games\Build-a-Lot 2\omdata\omallgames.js
c:\program files\Best Buy Games\Build-a-Lot 2\omdata\omgame.js
c:\program files\Best Buy Games\Build-a-Lot 2\omdata\ominit1.js
c:\program files\Best Buy Games\Build-a-Lot 2\omdata\ominit2.js
c:\program files\Best Buy Games\Build-a-Lot 2\omdata\reg.html
c:\program files\Best Buy Games\Build-a-Lot 2\omdata\regerr.html
c:\program files\Best Buy Games\Build-a-Lot 2\omdata\RulesEngine.js
c:\program files\Best Buy Games\Build-a-Lot 2\omdata\thankyou.html
c:\program files\Best Buy Games\Build-a-Lot 2\TimeProtect.dll
c:\program files\Best Buy Games\Build-a-Lot 2\Uninstall.exe
c:\program files\Best Buy Games\Build-a-Lot 2\version.txt
c:\program files\Common Files\Oberon Media
c:\program files\Common Files\Oberon Media\OberonBroker\1.0.0.63\OberonBroker.exe
c:\program files\Common Files\Oberon Media\Odyssey\2.0.0.29\Odyssey.dll
c:\program files\GamesBar
c:\program files\GamesBar\Localization2-English.ini
c:\program files\Oberon Media
c:\program files\Oberon Media\bestbuy.ico

.
((((((((((((((((((((((((( Files Created from 2009-04-21 to 2009-05-21 )))))))))))))))))))))))))))))))
.

2009-05-19 18:09 . 2009-05-19 18:09 -------- d-----w c:\documents and settings\All Users\Application Data\NeoEdge Networks
2009-05-13 18:54 . 2009-05-13 18:55 -------- d-----w C:\Rooter$
2009-05-13 16:22 . 2009-05-13 16:22 -------- d-----w c:\program files\ERUNT
2009-05-07 17:13 . 2008-10-22 21:04 450432 ----a-w c:\windows\system32\drivers\rtl8192u.sys
2009-05-07 17:13 . 2008-10-22 21:04 450432 ----a-w c:\windows\system\rtl8192u.sys
2009-05-07 17:13 . 2007-10-09 18:13 38144 ----a-w c:\windows\system32\drivers\EAPPkt.sys
2009-05-07 17:13 . 2009-05-07 17:13 -------- d-----w c:\windows\system32\Belkin N Wireless USB Adapter Software
2009-05-06 16:01 . 2009-05-06 16:01 -------- d-----w c:\program files\Alwil Software
2009-05-05 20:25 . 2009-05-05 20:25 -------- d-s---w c:\windows\system32\config\systemprofile\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-20 18:16 . 2005-05-26 03:10 -------- d-----w c:\program files\Mozilla Thunderbird
2009-05-19 18:10 . 2006-01-13 03:23 -------- d-----w c:\program files\Yahoo! Games
2009-05-19 13:58 . 2006-01-04 18:36 -------- d-----w c:\program files\Google
2009-05-07 19:35 . 2008-03-19 14:17 -------- d-----w c:\program files\Mystery Case Files - Ravenhearst
2009-05-07 19:30 . 2007-10-23 00:17 -------- d-----w c:\program files\Bridge Building Game
2009-05-07 17:13 . 2004-12-14 01:30 -------- d-----w c:\program files\Belkin
2009-05-07 17:13 . 2003-11-21 00:37 -------- d--h--w c:\program files\InstallShield Installation Information
2009-05-06 18:34 . 2009-05-06 18:46 184100 ----a-w c:\windows\PCHealth\HelpCtr\Config\Cache\Personal_32_1033.dat
2009-05-05 19:09 . 2005-05-20 16:26 -------- d-----w c:\program files\PokerStars
2009-05-01 19:19 . 2009-01-17 02:19 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-15 13:47 . 2009-04-15 13:46 -------- d-----w c:\program files\Common Files\ArcSoft
2009-04-15 13:46 . 2003-11-21 01:40 -------- d-----w c:\program files\ArcSoft
2009-04-15 13:44 . 2009-04-15 13:44 -------- d-----w c:\program files\OVT
2009-04-07 03:28 . 2005-06-28 17:22 42224 ----a-w c:\documents and settings\John B\Application Data\GDIPFONTCACHEV1.DAT
2009-04-06 20:32 . 2009-01-17 02:19 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 20:32 . 2009-01-17 02:19 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-06 14:22 . 2003-11-20 22:12 284160 ----a-w c:\windows\system32\pdh.dll
2004-12-22 22:58 . 2004-12-29 01:41 18448384 ----a-w c:\program files\Common Files\TaxWise Workstation Setup.msi
.

((((((((((((((((((((((((((((( SnapShot@2009-05-18_20.11.17 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-20 18:56 . 2009-05-20 18:56 16384 c:\windows\temp\Perflib_Perfdata_698.dat
+ 2009-05-19 13:59 . 2009-05-19 13:59 25214 c:\windows\Installer\{CC016F21-3970-11DE-B878-005056806466}\UNINST_Uninstall_G_408FFBEED62349E08B232864A94D2864.exe
+ 2009-05-19 13:59 . 2009-05-19 13:59 25214 c:\windows\Installer\{CC016F21-3970-11DE-B878-005056806466}\ShortcutOGL_EB071909B9884F8CBF3D6115D4ADEE5E.exe
+ 2009-05-19 13:59 . 2009-05-19 13:59 25214 c:\windows\Installer\{CC016F21-3970-11DE-B878-005056806466}\ShortcutDX_EB071909B9884F8CBF3D6115D4ADEE5E.exe
+ 2009-05-19 13:59 . 2009-05-19 13:59 25214 c:\windows\Installer\{CC016F21-3970-11DE-B878-005056806466}\googleearth.exe1_407B9B5CDAC54F44A756B57CAB4E6A8B.exe
+ 2009-05-19 13:59 . 2009-05-19 13:59 25214 c:\windows\Installer\{CC016F21-3970-11DE-B878-005056806466}\googleearth.exe_407B9B5CDAC54F44A756B57CAB4E6A8B.exe
+ 2009-05-19 13:59 . 2009-05-19 13:59 25214 c:\windows\Installer\{CC016F21-3970-11DE-B878-005056806466}\ARPPRODUCTICON.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"TPSMain"="TPSMain.exe" - c:\windows\system32\TPSMain.exe [2003-11-20 278528]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\agrsmmsg.exe [2003-04-18 88363]
"TFNF5"="TFNF5.exe" - c:\windows\system32\TFNF5.exe [2003-10-16 73728]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
00THotkey.exe [2003-4-15 258048]
Belkin N Wireless USB Adapter Client Utility.lnk - c:\program files\Belkin\F5D8053\v5\Belkinwcui.exe [2009-5-7 1605632]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2003-11-20 155648]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKLM\~\startupfolder\C:^Documents and Settings^John B^Start Menu^Programs^Startup^Registration Silent Hunter III.LNK]
path=c:\documents and settings\John B\Start Menu\Programs\Startup\Registration Silent Hunter III.LNK
backup=c:\windows\pss\Registration Silent Hunter III.LNKStartup

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"Microsoft Works Update Detection"=c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
"hpbdfawep"=c:\program files\HP\Dfawep\bin\hpbdfawep.exe 1
"ArcSoft Connection Service"=c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
"TouchED"=c:\program files\TOSHIBA\TouchED\TouchED.Exe
"Apoint"=c:\program files\Apoint2K\Apoint.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Smart PC Solutions\\Startup Booster\\StartupBooster.exe"=

R0 BsStor;B.H.A Storage Helper Driver;c:\windows\system32\drivers\BsStor.sys [11/20/2003 8:52 PM 9344]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [5/6/2009 11:01 AM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [5/6/2009 11:01 AM 20560]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [5/7/2009 12:13 PM 38144]
R4 BsUDF;B.H.A UDF Filesystem;c:\windows\system32\drivers\BsUDF.sys [11/20/2003 8:52 PM 390400]
S2 gupdate1c9a0d0dfd66502;Google Update Service (gupdate1c9a0d0dfd66502);c:\program files\Google\Update\GoogleUpdate.exe [3/9/2009 11:05 AM 133104]
S2 mrtRate;mrtRate; [x]
S3 APL531;CRS Photo Scanner;c:\windows\system32\drivers\ov550i.sys [1/28/2008 8:53 AM 580992]
S3 GWIOPM;gwiopm;c:\program files\LEA Digital Recorder\gwiopm.sys [6/16/2003 10:15 AM 3904]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [11/6/2007 3:22 PM 34064]
S3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [3/13/2007 4:35 AM 476416]
S3 RTL8187B;TRENDnet TEW-424UB Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187B.sys --> c:\windows\system32\DRIVERS\RTL8187B.sys [?]
S3 SUSTUCAM;Susteen USB Cable Modem Driver;c:\windows\system32\drivers\sustucam.sys [4/12/2006 2:01 PM 38016]
S3 WlanUIB;NETGEAR 802.11b USB Driver;c:\windows\system32\drivers\MA111nd5.sys [3/3/2004 4:27 PM 666624]
.
Contents of the 'Scheduled Tasks' folder

2009-02-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 20:57]

2009-05-20 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2008-11-17 23:02]

2009-05-20 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-09 16:05]
.
.
------- Supplementary Scan -------
.
mStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
Trusted Zone: aol.com\free
DPF: {7D731A83-6C80-4EA4-9646-5E06A0513274} - hxxp://www.shockwave.com/content/barnyardinvasion/slgwebinstall.cab
DPF: {87056D28-9730-4A47-B9F9-7E890B62C58A} - hxxp://www.shockwave.com/content/tumblebugs/axhost.cab
FF - ProfilePath - c:\documents and settings\John B\Application Data\Mozilla\Firefox\Profiles\ghtrl0km.default\
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\Google\Update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\j2re1.4.2_16\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.2_16\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.2_16\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.2_16\bin\NPJava14.dll
FF - plugin: c:\program files\Java\j2re1.4.2_16\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.2_16\bin\NPJPI142_16.dll
FF - plugin: c:\program files\Java\j2re1.4.2_16\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npigl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npvirtools.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-21 08:39
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3966931221-871848139-187226989-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
Completion time: 2009-05-21 8:43
ComboFix-quarantined-files.txt 2009-05-21 13:42
ComboFix2.txt 2009-05-20 19:08
ComboFix3.txt 2009-05-18 20:15
ComboFix4.txt 2009-05-13 15:34
ComboFix5.txt 2009-05-21 13:33

Pre-Run: 11,030,528,000 bytes free
Post-Run: 11,007,213,568 bytes free

218 --- E O F --- 2009-05-13 17:03

#10 XmichouX (Trusted Helper, Retired Staff, 1,292 posts)
Hi,

It is not the games but the toolbars :)


1) Please download Malwarebytes' Anti-Malware from Here or Here

Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

2) Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.

Regards,
#11 Aoc (Topic Starter, Member, 36 posts)
OK, here you go.


Malwarebytes' Anti-Malware 1.36
Database version: 2163
Windows 5.1.2600 Service Pack 3

5/21/2009 3:00:33 PM
mbam-log-2009-05-21 (15-00-33).txt

Scan type: Quick Scan
Objects scanned: 92404
Time elapsed: 5 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




ComboFix.exe/data002\32788R22FWJFW\FIND3M.bat;C:\Documents and Settings\John B\desktop\ComboFix.exe/data002;Probably BATCH.Virus;;
data002;C:\Documents and Settings\John B\desktop;Archive contains infected objects;;
ComboFix.exe;C:\Documents and Settings\John B\desktop;Container contains infected objects;Moved.;
Process.exe;C:\Documents and Settings\John B\desktop\facebook\SmitfraudFix;Tool.Prockill;Incurable.Moved.;
restart.exe;C:\Documents and Settings\John B\desktop\facebook\SmitfraudFix;Tool.ShutDown.14;Incurable.Moved.;
8254AD8Ed01\data011;C:\Documents and Settings\John B\Local Settings\Application Data\Mozilla\Firefox\Profiles\ghtrl0km.default\Cache(2)\8254AD8Ed01;Trojan.KeyLogger.2669;;
8254AD8Ed01;C:\Documents and Settings\John B\Local Settings\Application Data\Mozilla\Firefox\Profiles\ghtrl0km.default\Cache(2);Archive contains infected objects;Moved.;
Abel.exe;C:\Program Files\Cain;Tool.Cain;Incurable.Moved.;
A0064190.EXE;C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP379;Program.PsExec.170;Incurable.Moved.;
A0064225.EXE;C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP379;Program.PsExec.170;Incurable.Moved.;
A0064253.bat;C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP379;Probably BATCH.Virus;Incurable.Moved.;
A0064328.bat;C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP379;Probably BATCH.Virus;Incurable.Moved.;
A0065454.bat;C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP381;Probably BATCH.Virus;Incurable.Moved.;
A0065516.bat;C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP381;Probably BATCH.Virus;Incurable.Moved.;
A0065600.bat;C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP381;Probably BATCH.Virus;Incurable.Moved.;
A0065738.bat;C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP385;Probably BATCH.Virus;Incurable.Moved.;
A0065829.bat;C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP385;Probably BATCH.Virus;Incurable.Moved.;
A0066027.bat;C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP386;Probably BATCH.Virus;Incurable.Moved.;
A0066084.bat;C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP386;Probably BATCH.Virus;Incurable.Moved.;
A0066147.bat;C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP386;Probably BATCH.Virus;Incurable.Moved.;
A0066245.bat;C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP386;Probably BATCH.Virus;Incurable.Moved.;

#12 XmichouX (Trusted Helper, Retired Staff, 1,292 posts)
Hi,

How is your PC running now?

Please post a new fresh report from OTL.

Regards,

#13 Aoc (Topic Starter, Member, 36 posts)
It's still redirecting in Yahoo and Google. Nothing has seemed to change.

Here is the new scan.


OTListIt logfile created on: 5/26/2009 2:50:14 PM - Run 2
OTListIt2 by OldTimer - Version 2.0.15.7 Folder = C:\Documents and Settings\John B\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

750.79 Mb Total Physical Memory | 340.00 Mb Available Physical Memory | 45.28% Memory free
1.04 Gb Paging File | 0.70 Gb Available in Paging File | 67.48% Paging File free
Paging file location(s): C:\pagefile.sys 360 720 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.26 Gb Total Space | 10.11 Gb Free Space | 27.14% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: JOHNLAPTOP
Current User Name: John B
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Minimal
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (ALWIL Software)
PRC - C:\Program Files\Alwil Software\Avast4\ashServ.exe (ALWIL Software)
PRC - C:\WINDOWS\Explorer.EXE (Microsoft Corporation)
PRC - C:\WINDOWS\system32\TPSMain.exe (TOSHIBA Corporation)
PRC - C:\WINDOWS\AGRSMMSG.exe (Agere Systems)
PRC - C:\WINDOWS\system32\TFNF5.exe (TOSHIBA Corp.)
PRC - C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
PRC - C:\Documents and Settings\All Users\Start Menu\Programs\Startup\00THotkey.exe (TOSHIBA Corp.)
PRC - C:\Program Files\Belkin\F5D8053\v5\Belkinwcui.exe (Belkin)
PRC - C:\WINDOWS\system32\RAMASST.exe (Matsushita Electric Industrial Co., Ltd.)
PRC - C:\WINDOWS\system32\TPSBattM.exe (TOSHIBA Corporation)
PRC - C:\Program Files\Google\Update\GoogleUpdate.exe (Google Inc.)
PRC - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (ArcSoft Inc.)
PRC - C:\WINDOWS\system32\drivers\CDAC11BA.EXE (C-Dilla Ltd)
PRC - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe (TOSHIBA CORPORATION)
PRC - C:\WINDOWS\System32\DVDRAMSV.exe (Matsushita Electric Industrial Co., Ltd.)
PRC - C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe (Microsoft Corporation)
PRC - C:\WINDOWS\system32\HPZipm12.exe (HP)
PRC - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe (Analog Devices, Inc.)
PRC - C:\Program Files\Canon\CAL\CALMAIN.exe (Canon Inc.)
PRC - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HP1006MC.EXE (Software 2000 Limited)
PRC - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe (ALWIL Software)
PRC - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe (ALWIL Software)
PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\WINDOWS\system32\dumprep.exe (Microsoft Corporation)
PRC - C:\Documents and Settings\John B\Desktop\OTListIt2.exe (OldTimer Tools)

========== Win32 Services (SafeList) ==========

SRV - (ACDaemon [Auto | Running]) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (ArcSoft Inc.)
SRV - (aspnet_state [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (Microsoft Corporation)
SRV - (aswUpdSv [Auto | Running]) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (ALWIL Software)
SRV - (avast! Antivirus [Auto | Running]) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe (ALWIL Software)
SRV - (avast! Mail Scanner [On_Demand | Running]) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe (ALWIL Software)
SRV - (avast! Web Scanner [On_Demand | Running]) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe (ALWIL Software)
SRV - (C-DillaCdaC11BA [Auto | Running]) -- C:\WINDOWS\system32\drivers\CDAC11BA.EXE (C-Dilla Ltd)
SRV - (CCALib8 [Auto | Running]) -- C:\Program Files\Canon\CAL\CALMAIN.exe (Canon Inc.)
SRV - (CFSvcs [Auto | Running]) -- C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe (TOSHIBA CORPORATION)
SRV - (clr_optimization_v2.0.50727_32 [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (DVD-RAM_Service [Auto | Running]) -- C:\WINDOWS\System32\DVDRAMSV.exe (Matsushita Electric Industrial Co., Ltd.)
SRV - (gupdate1c9a0d0dfd66502 [Auto | Stopped]) -- C:\Program Files\Google\Update\GoogleUpdate.exe (Google Inc.)
SRV - (helpsvc [Auto | Running]) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)
SRV - (IDriverT [On_Demand | Stopped]) -- C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe (Macrovision Corporation)
SRV - (MDM [Auto | Running]) -- C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe (Microsoft Corporation)
SRV - (MSCSPTISRV [On_Demand | Stopped]) -- C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe (Sony Corporation)
SRV - (ose [On_Demand | Stopped]) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)
SRV - (PACSPTISVR [On_Demand | Stopped]) -- C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe ()
SRV - (Pml Driver HPH11 [On_Demand | Stopped]) -- C:\WINDOWS\system32\HPHipm11.exe (HP)
SRV - (Pml Driver HPZ12 [Unknown | Running]) -- C:\WINDOWS\system32\HPZipm12.exe (HP)
SRV - (rpcapd [On_Demand | Stopped]) -- C:\Program Files\WinPcap\rpcapd.exe (CACE Technologies)
SRV - (SonicStage Back-End Service [On_Demand | Stopped]) -- C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe (Sony Corporation)
SRV - (SoundMAX Agent Service (default) [Auto | Running]) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe (Analog Devices, Inc.)
SRV - (SPTISRV [On_Demand | Stopped]) -- C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe (Sony Corporation)
SRV - (SSScsiSV [On_Demand | Stopped]) -- C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe (Sony Corporation)
SRV - (usnjsvc [On_Demand | Stopped]) -- C:\Program Files\MSN Messenger\usnsvc.exe (Microsoft Corporation)
SRV - (WMPNetworkSvc [On_Demand | Stopped]) -- C:\Program Files\Windows Media Player\WMPNetwk.exe (Microsoft Corporation)

========== Driver Services (SafeList) ==========

DRV - (Aavmker4 [System | Running]) -- C:\WINDOWS\System32\drivers\aavmker4.sys (ALWIL Software)
DRV - (aeaudio [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\aeaudio.sys (Andrea Electronics Corporation)
DRV - (AegisP [Auto | Running]) -- C:\WINDOWS\system32\DRIVERS\AegisP.sys (Cisco Systems, Inc.)
DRV - (Afc [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\Afc.sys (Arcsoft, Inc.)
DRV - (AFS2K [System | Running]) -- C:\WINDOWS\System32\drivers\AFS2K.SYS (Oak Technology Inc.)
DRV - (AgereSoftModem [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\AGRSM.sys (Agere Systems)
DRV - (ApfiltrService [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\Apfiltr.sys (Alps Electric Co., Ltd.)
DRV - (APL531 [On_Demand | Stopped]) -- C:\WINDOWS\System32\Drivers\ov550i.sys (Omnivision Technologies, Inc.)
DRV - (aswFsBlk [Auto | Running]) -- C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys (ALWIL Software)
DRV - (aswMon2 [Auto | Running]) -- C:\WINDOWS\System32\drivers\aswmon2.sys (ALWIL Software)
DRV - (aswRdr [On_Demand | Running]) -- C:\WINDOWS\System32\drivers\aswRdr.sys (ALWIL Software)
DRV - (aswSP [System | Running]) -- C:\WINDOWS\System32\drivers\aswSP.sys (ALWIL Software)
DRV - (aswTdi [System | Running]) -- C:\WINDOWS\System32\drivers\aswTdi.sys (ALWIL Software)
DRV - (atksgt [Auto | Running]) -- C:\WINDOWS\system32\DRIVERS\atksgt.sys ()
DRV - (BsStor [Boot | Running]) -- C:\WINDOWS\System32\drivers\BsStor.sys (B.H.A Co.,Ltd.)
DRV - (BsUDF [Disabled | Running]) -- C:\WINDOWS\System32\drivers\BsUDF.sys (B.H.A Co.,Ltd.)
DRV - (CdaC15BA [Auto | Running]) -- C:\WINDOWS\system32\drivers\CDAC15BA.SYS ()
DRV - (Dot4 HPH11 [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\hphid411.sys (HP)
DRV - (Dot4Print HPH11 [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\hphipr11.sys (HP)
DRV - (Dot4Usb HPH11 [On_Demand | Stopped]) -- C:\WINDOWS\System32\drivers\hphius11.sys (HP)
DRV - (E100B [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\e100b325.sys (Intel Corporation)
DRV - (EAPPkt [Auto | Running]) -- C:\WINDOWS\system32\DRIVERS\EAPPkt.sys (Realtek)
DRV - (giveio [Boot | Running]) -- C:\WINDOWS\system32\giveio.sys ()
DRV - (grmnusb [On_Demand | Stopped]) -- C:\WINDOWS\system32\drivers\grmnusb.sys (GARMIN Corp.)
DRV - (GWIOPM [On_Demand | Stopped]) -- c:\Program Files\LEA Digital Recorder\gwiopm.sys ()
DRV - (HPZid412 [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\HPZid412.sys (HP)
DRV - (HPZipr12 [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\HPZipr12.sys (HP)
DRV - (HPZius12 [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\HPZius12.sys (HP)
DRV - (ialm [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\ialmnt5.sys (Intel Corporation)
DRV - (lirsgt [Auto | Running]) -- C:\WINDOWS\system32\DRIVERS\lirsgt.sys ()
DRV - (MASPINT [Auto | Running]) -- C:\WINDOWS\System32\drivers\MASPINT.SYS (MicroStaff Co.,Ltd.)
DRV - (MDC8021X [Auto | Running]) -- C:\WINDOWS\system32\DRIVERS\mdc8021x.sys (Meetinghouse Data Communications)
DRV - (meiudf [System | Running]) -- C:\WINDOWS\System32\Drivers\meiudf.sys (Matsushita Electric Industrial Co.,Ltd.)
DRV - (Netdevio [Auto | Running]) -- C:\WINDOWS\System32\DRIVERS\netdevio.sys (TOSHIBA Corporation.)
DRV - (NETGEAR_MA111 [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\MA111nd5.sys ( )
DRV - (NPF [On_Demand | Stopped]) -- C:\WINDOWS\system32\drivers\npf.sys (CACE Technologies)
DRV - (pciSd [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\tossdpci.sys (TOSHIBA)
DRV - (pfc [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\pfc.sys (Padus, Inc.)
DRV - (PRISM_A02 [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\PRISMAXP.sys (GlobespanVirata, Inc.)
DRV - (Ptilink [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys (Parallel Technologies, Inc.)
DRV - (PxHelp20 [Boot | Running]) -- C:\WINDOWS\System32\DRIVERS\PxHelp20.sys (Sonic Solutions)
DRV - (rt2870 [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\rt2870.sys (Ralink Technology, Corp.)
DRV - (Secdrv [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
DRV - (sfdrv01 [Boot | Running]) -- C:\WINDOWS\System32\drivers\sfdrv01.sys (Protection Technology)
DRV - (sfhlp02 [Boot | Running]) -- C:\WINDOWS\System32\drivers\sfhlp02.sys (Protection Technology)
DRV - (smwdm [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\smwdm.sys (Analog Devices, Inc.)
DRV - (sonypvs1 [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\sonypvs1.sys (Sony Corporation)
DRV - (speedfan [Boot | Running]) -- C:\WINDOWS\system32\speedfan.sys (Windows ® 2000 DDK provider)
DRV - (SUSTUCAM [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\sustucam.sys (Susteen, Inc.)
DRV - (TBiosDrv [Auto | Running]) -- C:\WINDOWS\System32\drivers\TBiosDrv.sys ()
DRV - (tmcomm [Auto | Running]) -- C:\WINDOWS\system32\drivers\tmcomm.sys (Trend Micro Inc.)
DRV - (tossmbnt [Auto | Running]) -- C:\WINDOWS\System32\drivers\TOSSMBNT.sys ()
DRV - (tsdhd [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\tsdhd.sys (TOSHIBA Corporation)
DRV - (TVALZ [Boot | Running]) -- C:\WINDOWS\System32\DRIVERS\TVALZ.SYS (TOSHIBA Corporation)
DRV - (usbaudio [On_Demand | Stopped]) -- C:\WINDOWS\system32\drivers\usbaudio.sys (Microsoft Corporation)
DRV - (WlanUIB [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\MA111nd5.sys ( )
DRV - ({6080A529-897E-4629-A488-ABA0C29B635E} [On_Demand | Stopped]) -- C:\WINDOWS\system32\drivers\ialmsbw.sys (Intel Corporation)
DRV - ({D31A0762-0CEB-444e-ACFF-B049A1F6FE91} [On_Demand | Stopped]) -- C:\WINDOWS\system32\drivers\ialmkchw.sys (Intel Corporation)
DRV - ({E2B953A6-195A-44F9-9BA3-3D5F4E32BB55} [On_Demand | Stopped]) -- C:\WINDOWS\system32\drivers\wA301a.sys (Intel Corporation)

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft...amp;ar=iesearch
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn...st/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft...p...&ar=msnhome
IE - URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "www.yahoo.com"
FF - prefs.js..extensions.enabledItems: {DCBD1271-D228-4082-9FBC-36D9B7660B03}:1.1.8
FF - prefs.js..extensions.enabledItems: [email protected]:0.8.1
FF - prefs.js..extensions.enabledItems: {DDC359D1-844A-42a7-9AA1-88A850A938A8}:1.1.3
FF - prefs.js..extensions.enabledItems: {fffe0eac-3819-4561-8aa9-178a68450d4f}:1.9
FF - prefs.js..extensions.enabledItems: [email protected]:1.1.0
FF - prefs.js..extensions.enabledItems: {5872365e-67d1-4afd-9480-fd293bebd20d}:1.7.2
FF - prefs.js..extensions.enabledItems: {e968fc70-8f95-4ab9-9e79-304de2a71ee1}:0.6.11
FF - prefs.js..extensions.enabledItems: {396BA20B-7E61-47EB-9095-08D70EF4D85A}:1.0
FF - prefs.js..extensions.enabledItems: {AFE5B061-B10B-4111-8C93-FE38258C5CE0}:1.0
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.10
FF - prefs.js..extensions.foxtor.browser.search.update: true

FF - HKLM\software\mozilla\Mozilla Firefox 3.0.10\extensions\\Components: C:\PROGRAM FILES\MOZILLA FIREFOX\COMPONENTS [2009/04/30 09:03:07 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.10\extensions\\Plugins: C:\PROGRAM FILES\MOZILLA FIREFOX\PLUGINS [2009/04/30 09:03:07 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.21\extensions\\Components: C:\PROGRAM FILES\MOZILLA THUNDERBIRD\COMPONENTS [2009/04/01 14:12:30 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.21\extensions\\Plugins: C:\PROGRAM FILES\MOZILLA THUNDERBIRD\PLUGINS [2009/03/03 11:10:06 | 00,000,000 | ---D | M]

[2009/01/10 15:56:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\John B\Application Data\mozilla\Extensions
[2009/01/10 15:56:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\John B\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/05/26 12:15:57 | 00,000,000 | ---D | M] -- C:\Documents and Settings\John B\Application Data\mozilla\Firefox\Profiles\ghtrl0km.default\extensions
[2008/02/10 10:04:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\John B\Application Data\mozilla\Firefox\Profiles\ghtrl0km.default\extensions\{5872365e-67d1-4afd-9480-fd293bebd20d}
[2008/12/03 00:29:03 | 00,000,000 | ---D | M] -- C:\Documents and Settings\John B\Application Data\mozilla\Firefox\Profiles\ghtrl0km.default\extensions\{DCBD1271-D228-4082-9FBC-36D9B7660B03}
[2009/05/12 14:13:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\John B\Application Data\mozilla\Firefox\Profiles\ghtrl0km.default\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
[2008/10/29 23:16:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\John B\Application Data\mozilla\Firefox\Profiles\ghtrl0km.default\extensions\{e968fc70-8f95-4ab9-9e79-304de2a71ee1}
[2009/03/20 13:42:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\John B\Application Data\mozilla\Firefox\Profiles\ghtrl0km.default\extensions\{fffe0eac-3819-4561-8aa9-178a68450d4f}
[2009/03/17 14:10:10 | 00,000,000 | ---D | M] -- C:\Documents and Settings\John B\Application Data\mozilla\Firefox\Profiles\ghtrl0km.default\extensions\[email protected]
[2008/09/10 22:44:32 | 00,000,000 | ---D | M] -- C:\Documents and Settings\John B\Application Data\mozilla\Firefox\Profiles\ghtrl0km.default\extensions\[email protected]
[2009/05/26 12:15:57 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2009/04/30 14:08:01 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{396BA20B-7E61-47EB-9095-08D70EF4D85A}
[2009/04/30 09:03:07 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/04/30 16:06:32 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{AFE5B061-B10B-4111-8C93-FE38258C5CE0}
[2007/06/10 23:13:05 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\talkback@mozilla(2).org
[2009/04/30 09:02:58 | 00,023,032 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009/04/30 09:02:59 | 00,134,648 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2009/01/10 15:56:18 | 00,001,394 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2009/01/10 15:56:18 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2009/01/10 15:56:18 | 00,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2009/01/10 15:56:18 | 00,002,343 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2009/01/10 15:56:18 | 00,001,706 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2009/01/10 15:56:18 | 00,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml

O1 HOSTS File: (27 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM..\Run: [AGRSMMSG] AGRSMMSG.exe (Agere Systems)
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe (ALWIL Software)
O4 - HKLM..\Run: [TFNF5] TFNF5.exe (TOSHIBA Corp.)
O4 - HKLM..\Run: [TPSMain] TPSMain.exe (TOSHIBA Corporation)
O4 - HKCU..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1 (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\00THotkey.exe (TOSHIBA Corp.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Belkin N Wireless USB Adapter Client Utility.lnk = C:\Program Files\Belkin\F5D8053\v5\Belkinwcui.exe (Belkin)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe (Matsushita Electric Industrial Co., Ltd.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - Reg Error: Key error. File not found
O9 - Extra Button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe (PokerStars)
O9 - Extra 'Tools' menuitem : Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe ()
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Domains: ([]msn in My Computer)
O15 - HKCU\..Trusted Domains: aol.com ([free] http in Trusted sites)
O15 - HKCU\..Trusted Domains: 28 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://go.microsoft....k/?linkid=58813 (Office Genuine Advantage Validation Tool)
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} http://www.ipix.com/viewers/ipixx.cab (iPIX ActiveX Control)
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control)
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} http://housecall65.t...ivex/hcImpl.cab (Trend Micro ActiveX Scan Agent 6.6)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\yinsthelper.dll (YInstStarter Class)
O16 - DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} http://musicstore.co...ALStreaming.cab (MALPlaybackCtrl Class)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (Reg Error: Key error.)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} http://download.bitd...can8/oscan8.cab (BDSCANONLINE Control)
O16 - DPF: {7D731A83-6C80-4EA4-9646-5E06A0513274} http://www.shockwave...gwebinstall.cab (Sandlot Loader Control)
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} http://www.shockwave...mjolauncher.cab (MJLauncherCtrl Class)
O16 - DPF: {87056D28-9730-4A47-B9F9-7E890B62C58A} http://www.shockwave...bugs/axhost.cab (WildfireActiveXHost Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.4.2_16)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} http://acs.pandasoft...free/asinst.cab (ActiveScan Installer Class)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} http://v4.windowsupd...8135.7490393519 (Reg Error: Key error.)
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} http://www.trendmicr...scan/as4web.cab (Reg Error: Key error.)
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} http://download.mcaf...,20/mcgdmgr.cab (Reg Error: Key error.)
O16 - DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} http://office.micros...ntent/opuc4.cab (Office Update Installation Engine)
O16 - DPF: {CAFEEFAC-0014-0002-0016-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.4.2_16)
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.ma...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} http://download.game...inematycoon.cab (TikGames Online Control)
O18 - Protocol\Handler\cdo {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll (Microsoft Corporation)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\system32\igfxdev.dll (Intel Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 30 Days ==========

[2099/01/01 12:00:00 | 00,006,456 | -H-- | C] () -- C:\WINDOWS\System32\vigotusa
[2009/05/26 13:05:28 | 00,002,691 | ---- | C] () -- C:\Documents and Settings\John B\Desktop\DrWeb.csv
[2009/05/21 15:03:39 | 14,095,000 | ---- | C] (Doctor Web, Ltd.) -- C:\Documents and Settings\John B\Desktop\drweb-cureit.exe
[2009/05/21 08:33:00 | 00,130,048 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2009/05/19 13:20:53 | 00,001,766 | ---- | C] () -- C:\Documents and Settings\John B\Desktop\Build-a-Lot 2.lnk
[2009/05/19 13:20:53 | 00,001,130 | ---- | C] () -- C:\Documents and Settings\John B\Desktop\Game Center.lnk
[2009/05/19 13:15:37 | 58,746,152 | ---- | C] (Oberon Media Inc.) -- C:\Documents and Settings\John B\Desktop\Build_a_lot_2-setup.exe
[2009/05/19 13:09:11 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NeoEdge Networks
[2009/05/19 08:59:14 | 00,001,836 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk
[2009/05/18 14:52:51 | 00,214,534 | ---- | C] () -- C:\Documents and Settings\John B\Desktop\_0.27918000 1224882611
[2009/05/13 13:56:34 | 00,501,248 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\John B\Desktop\OTListIt2.exe
[2009/05/13 13:54:52 | 00,000,000 | ---D | C] -- C:\Rooter$
[2009/05/13 12:00:30 | 24,699,336 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2009/05/13 11:22:16 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2009/05/13 11:17:01 | 00,000,000 | ---D | C] -- C:\Documents and Settings\John B\Desktop\newspy
[2009/05/13 10:37:06 | 78,733,7216 | -HS- | C] () -- C:\hiberfil.sys
[2009/05/13 10:34:52 | 00,000,000 | ---D | C] -- C:\Documents and Settings\John B\Local Settings\Temp
[2009/05/13 10:34:51 | 00,000,000 | ---D | C] -- C:\WINDOWS\temp
[2009/05/12 10:19:25 | 00,054,156 | -H-- | C] () -- C:\WINDOWS\QTFont.qfn
[2009/05/12 10:19:25 | 00,001,409 | ---- | C] () -- C:\WINDOWS\QTFont.for
[2009/05/07 15:17:59 | 00,000,000 | ---D | C] -- C:\Documents and Settings\John B\Desktop\McafeeRootkitDetective
[2009/05/07 15:03:18 | 01,728,150 | ---- | C] () -- C:\Documents and Settings\John B\Desktop\McafeeRootkitDetective.zip
[2009/05/07 12:39:54 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\TZWNA
[2009/05/07 12:39:28 | 00,000,000 | ---D | C] -- C:\Documents and Settings\John B\Desktop\RootkitRevealer
[2009/05/07 12:14:45 | 00,001,743 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Belkin N Wireless USB Adapter Client Utility.lnk
[2009/05/07 12:14:45 | 00,001,725 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Belkin N Wireless USB Adapter Client Utility.lnk
[2009/05/07 12:13:52 | 00,450,432 | ---- | C] (Realtek Semiconductor Corporation ) -- C:\WINDOWS\System32\drivers\rtl8192u.sys
[2009/05/07 12:13:51 | 00,450,432 | ---- | C] (Realtek Semiconductor Corporation ) -- C:\WINDOWS\System\rtl8192u.sys
[2009/05/07 12:13:29 | 00,038,144 | ---- | C] (Realtek) -- C:\WINDOWS\System32\drivers\EAPPkt.sys
[2009/05/07 12:13:26 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\Belkin N Wireless USB Adapter Software
[2009/05/07 12:12:02 | 06,549,329 | ---- | C] () -- C:\Documents and Settings\John B\Desktop\f5d8053v5_us_5.01.03_w6.exe
[2009/05/07 09:14:03 | 00,000,226 | ---- | C] () -- C:\Boot.bak
[2009/05/07 09:13:57 | 00,260,272 | ---- | C] () -- C:\cmldr
[2009/05/07 09:13:48 | 00,000,000 | RHSD | C] -- C:\cmdcons
[2009/05/07 09:12:09 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2009/05/07 09:12:09 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2009/05/07 09:12:09 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2009/05/07 09:12:09 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2009/05/07 09:12:09 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2009/05/07 09:12:09 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2009/05/06 11:01:53 | 00,023,152 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2009/05/06 11:01:53 | 00,001,709 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\avast! Antivirus.lnk
[2009/05/06 11:01:52 | 00,051,376 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2009/05/06 11:01:51 | 00,026,944 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2009/05/06 11:01:49 | 00,097,480 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\AvastSS.scr
[2009/05/06 11:01:47 | 00,114,768 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2009/05/06 11:01:47 | 00,094,032 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2009/05/06 11:01:47 | 00,093,296 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2009/05/06 11:01:47 | 00,020,560 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2009/05/06 11:01:21 | 01,256,296 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\aswBoot.exe
[2009/05/06 11:01:21 | 00,380,928 | ---- | C] () -- C:\WINDOWS\System32\actskin4.ocx
[2009/05/06 11:01:16 | 00,000,000 | ---D | C] -- C:\Program Files\Alwil Software
[2009/05/05 09:11:45 | 00,024,576 | ---- | C] () -- C:\Documents and Settings\John B\My Documents\alice grant.doc
[2009/01/14 21:23:11 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\HPPLVS.dll
[2008/12/09 00:09:21 | 00,030,208 | ---- | C] () -- C:\WINDOWS\System32\WNASPI32.DLL
[2008/12/09 00:09:21 | 00,000,291 | ---- | C] () -- C:\WINDOWS\msfsetup.ini
[2008/12/09 00:04:55 | 00,003,654 | ---- | C] () -- C:\WINDOWS\System32\drivers\Sonyhcp.dll
[2007/11/06 15:19:28 | 00,053,299 | ---- | C] () -- C:\WINDOWS\System32\pthreadVC.dll
[2007/09/25 23:03:08 | 00,043,520 | ---- | C] () -- C:\WINDOWS\System32\CmdLineExt03.dll
[2007/07/26 13:01:50 | 00,114,688 | ---- | C] () -- C:\WINDOWS\System32\hppatusg01.dll
[2007/06/30 23:57:01 | 00,000,000 | ---- | C] () -- C:\WINDOWS\pestpatrol5.INI
[2007/06/18 00:34:35 | 00,011,776 | ---- | C] () -- C:\WINDOWS\System32\ZPORT4AS.dll
[2007/04/25 00:14:14 | 00,000,052 | ---- | C] () -- C:\WINDOWS\STYLEEASEAPA.INI
[2007/04/10 00:03:22 | 00,532,480 | ---- | C] () -- C:\WINDOWS\System32\CddbPlaylist2Sony.dll
[2007/03/05 13:34:28 | 00,676,224 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.DLL
[2007/02/19 03:25:49 | 00,077,824 | R--- | C] () -- C:\WINDOWS\System32\HPZIDS01.dll
[2007/02/11 04:09:33 | 00,000,059 | ---- | C] () -- C:\WINDOWS\LTDLG13N.INI
[2006/12/05 17:21:09 | 00,000,000 | ---- | C] () -- C:\WINDOWS\Tripeaks.INI
[2006/11/02 17:03:38 | 00,002,042 | ---- | C] () -- C:\WINDOWS\tabled32.ini
[2006/10/31 12:06:03 | 00,000,128 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2006/09/11 09:46:53 | 00,165,376 | ---- | C] () -- C:\WINDOWS\System32\drivers\atksgt.sys
[2006/09/11 09:46:52 | 00,018,048 | ---- | C] () -- C:\WINDOWS\System32\drivers\lirsgt.sys
[2005/09/04 22:53:16 | 00,000,022 | ---- | C] () -- C:\WINDOWS\kodakpcd.John B.ini
[2005/08/06 09:32:12 | 00,077,824 | ---- | C] () -- C:\WINDOWS\System32\MouseTrapLib.dll
[2005/06/10 10:57:39 | 00,000,034 | ---- | C] () -- C:\WINDOWS\hpfsched.ini
[2005/06/02 22:37:45 | 00,004,005 | ---- | C] () -- C:\WINDOWS\hpdj3740.ini
[2005/05/28 18:50:53 | 00,005,667 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2005/03/01 15:30:20 | 00,000,453 | ---- | C] () -- C:\WINDOWS\bdoscandellang.ini
[2005/02/23 21:17:54 | 00,000,426 | ---- | C] () -- C:\WINDOWS\BRWMARK.INI
[2005/01/16 20:42:25 | 00,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2004/12/17 16:34:53 | 00,000,037 | ---- | C] () -- C:\WINDOWS\ipixActivex.ini
[2004/10/06 19:33:37 | 00,112,128 | RH-- | C] () -- C:\WINDOWS\CdaC14BA.DLL
[2004/10/06 19:33:35 | 00,008,864 | ---- | C] () -- C:\WINDOWS\System32\drivers\CDAC15BA.SYS
[2004/07/22 19:26:30 | 00,000,028 | ---- | C] () -- C:\WINDOWS\BTW.ini
[2004/07/22 19:26:22 | 00,000,000 | ---- | C] () -- C:\WINDOWS\autorun.INI
[2004/07/07 20:09:00 | 00,072,704 | ---- | C] () -- C:\WINDOWS\System32\GTRTST32.DLL
[2004/07/07 20:08:10 | 00,000,000 | ---- | C] () -- C:\WINDOWS\arhelper.INI
[2004/07/06 21:24:06 | 00,000,708 | ---- | C] () -- C:\WINDOWS\label.ini
[2004/07/06 21:23:54 | 00,000,052 | ---- | C] () -- C:\WINDOWS\odbcddp.ini
[2004/05/28 21:40:39 | 00,000,067 | ---- | C] () -- C:\WINDOWS\swupdate.INI
[2004/03/03 16:27:08 | 00,666,624 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\MA111nd5.sys
[2004/01/30 10:37:50 | 00,000,092 | R--- | C] () -- C:\WINDOWS\System32\FTDIUN2K.INI
[2003/11/21 16:49:44 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2003/11/20 20:49:20 | 00,000,908 | ---- | C] () -- C:\WINDOWS\System32\Px.ini
[2003/11/20 20:40:32 | 00,000,021 | ---- | C] () -- C:\WINDOWS\CS_SETUP.ini
[2003/11/20 20:34:03 | 00,000,906 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2003/11/20 20:32:41 | 00,019,607 | ---- | C] () -- C:\WINDOWS\System32\drivers\TOSSMBNT.sys
[2003/11/20 20:12:08 | 00,000,000 | ---- | C] () -- C:\WINDOWS\NDSTray.INI
[2003/11/20 20:06:36 | 00,000,034 | ---- | C] () -- C:\WINDOWS\wwwbatch.ini
[2003/11/20 19:54:31 | 00,128,113 | ---- | C] () -- C:\WINDOWS\System32\csellang.ini
[2003/11/20 19:54:31 | 00,045,056 | ---- | C] () -- C:\WINDOWS\System32\csellang.dll
[2003/11/20 19:54:31 | 00,010,165 | ---- | C] () -- C:\WINDOWS\System32\tosmreg.ini
[2003/11/20 19:54:31 | 00,007,671 | ---- | C] () -- C:\WINDOWS\System32\cseltbl.ini
[2003/11/20 19:53:21 | 00,016,384 | ---- | C] () -- C:\WINDOWS\System32\e100bmsg.dll
[2003/11/20 19:44:16 | 00,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2003/11/20 19:28:40 | 00,006,867 | ---- | C] () -- C:\WINDOWS\System32\drivers\tbiosdrv.sys
[2003/11/20 18:53:50 | 00,001,924 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2003/11/20 18:50:00 | 00,000,780 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2003/11/20 18:42:22 | 00,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2003/11/20 17:12:52 | 00,000,382 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2003/11/20 17:12:23 | 00,000,742 | ---- | C] () -- C:\WINDOWS\win.ini
[2003/11/20 17:12:16 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini
[2002/04/04 15:04:08 | 00,069,632 | ---- | C] () -- C:\WINDOWS\System32\hpodinet.dll
[2001/07/07 04:00:00 | 00,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini
[1996/04/03 14:33:26 | 00,005,248 | ---- | C] () -- C:\WINDOWS\System32\giveio.sys

========== Files - Modified Within 30 Days ==========

[2009/05/26 14:45:25 | 00,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/05/26 14:43:39 | 00,000,314 | ---- | M] () -- C:\WINDOWS\tasks\GlaryInitialize.job
[2009/05/26 14:43:26 | 00,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachine.job
[2009/05/26 14:43:24 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/05/26 14:42:56 | 00,000,062 | -HS- | M] () -- C:\Documents and Settings\John B\Local Settings\desktop.ini
[2009/05/26 14:42:54 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/05/26 14:42:52 | 78,733,7216 | -HS- | M] () -- C:\hiberfil.sys
[2009/05/26 13:05:28 | 00,002,691 | ---- | M] () -- C:\Documents and Settings\John B\Desktop\DrWeb.csv
[2009/05/21 15:04:21 | 14,095,000 | ---- | M] (Doctor Web, Ltd.) -- C:\Documents and Settings\John B\Desktop\drweb-cureit.exe
[2009/05/21 08:39:31 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/05/20 20:37:02 | 00,130,048 | ---- | M] () -- C:\WINDOWS\PEV.exe
[2009/05/20 13:57:47 | 00,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/05/20 10:01:55 | 00,024,576 | ---- | M] () -- C:\Documents and Settings\John B\My Documents\alice grant.doc
[2009/05/19 13:20:53 | 00,001,766 | ---- | M] () -- C:\Documents and Settings\John B\Desktop\Build-a-Lot 2.lnk
[2009/05/19 13:20:53 | 00,001,130 | ---- | M] () -- C:\Documents and Settings\John B\Desktop\Game Center.lnk
[2009/05/19 13:20:13 | 58,746,152 | ---- | M] (Oberon Media Inc.) -- C:\Documents and Settings\John B\Desktop\Build_a_lot_2-setup.exe
[2009/05/19 09:11:03 | 00,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2009/05/19 08:59:14 | 00,001,836 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk
[2009/05/18 14:52:52 | 00,214,534 | ---- | M] () -- C:\Documents and Settings\John B\Desktop\_0.27918000 1224882611
[2009/05/13 13:56:35 | 00,501,248 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\John B\Desktop\OTListIt2.exe
[2009/05/12 10:19:25 | 00,001,409 | ---- | M] () -- C:\WINDOWS\QTFont.for
[2009/05/07 15:03:47 | 01,728,150 | ---- | M] () -- C:\Documents and Settings\John B\Desktop\McafeeRootkitDetective.zip
[2009/05/07 12:39:54 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\TZWNA
[2009/05/07 12:14:45 | 00,001,743 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Belkin N Wireless USB Adapter Client Utility.lnk
[2009/05/07 12:14:45 | 00,001,725 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Belkin N Wireless USB Adapter Client Utility.lnk
[2009/05/07 12:12:40 | 06,549,329 | ---- | M] () -- C:\Documents and Settings\John B\Desktop\f5d8053v5_us_5.01.03_w6.exe
[2009/05/07 09:14:03 | 00,000,296 | RHS- | M] () -- C:\boot.ini
[2009/05/07 00:16:30 | 24,699,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2009/05/06 11:01:53 | 00,001,709 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\avast! Antivirus.lnk
[2009/05/06 11:01:47 | 00,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2009/04/30 14:16:32 | 00,006,456 | -H-- | M] () -- C:\WINDOWS\System32\vigotusa

========== Alternate Data Streams ==========

@Alternate Data Stream - 99 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0F8F5844
@Alternate Data Stream - 98 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:16C36E31
@Alternate Data Stream - 96 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:EA34E08F
@Alternate Data Stream - 96 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:3F2F06F2
@Alternate Data Stream - 224 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C86B29EB
@Alternate Data Stream - 189 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:00C31200
@Alternate Data Stream - 162 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:7B60C375
@Alternate Data Stream - 161 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:2C321309
@Alternate Data Stream - 154 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8961A52
@Alternate Data Stream - 145 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:CC2932DB
@Alternate Data Stream - 145 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:4B4630A5
@Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:32A5186C
@Alternate Data Stream - 119 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:538B96B5
@Alternate Data Stream - 118 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:98DFF516
@Alternate Data Stream - 117 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:55F44B88
@Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:F42B5B0E
@Alternate Data Stream - 114 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:52D76DB8
@Alternate Data Stream - 112 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:015DC393
@Alternate Data Stream - 108 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D9046031
@Alternate Data Stream - 107 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:E11F6DF5
@Alternate Data Stream - 105 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:10D98D98
< End of report >

#14
XmichouX
    Trusted Helper
  • Retired Staff
  • 1,292 posts
Hi,

The name of this tool has changed, so when I say "OTL", I mean "OTListIt2" :)

1) Run OTL.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    :OTLI
    PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    [2099/01/01 12:00:00 | 00,006,456 | -H-- | C] () -- C:\WINDOWS\System32\vigotusa
    [2009/05/21 08:33:00 | 00,130,048 | ---- | C] () -- C:\WINDOWS\PEV.exe
    [2009/05/07 12:39:54 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\TZWNA
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then post a new OTL log (don't check the boxes beside LOP Check or Purity this time)

2) Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.
Post the contents of GMER.txt in your next reply.

Regards,

Edited by XmichouX, 27 May 2009 - 07:29 AM.


#15
Aoc
    Member
  • Topic Starter
  • Member
  • 36 posts
Ok, I ran both scans. After I did the OTL scan fix, a Spyware Protect 2009 virus program showed up on the task bar along with popups claiming I had a virus. Popup alerts are showing up almost every minute now.

Here are the two scans:
========== OTLISTIT ==========
Process explorer.exe killed successfully!
C:\WINDOWS\System32\vigotusa moved successfully.
C:\WINDOWS\PEV.exe moved successfully.
C:\WINDOWS\System32\TZWNA moved successfully.
========== COMMANDS ==========
File delete failed. C:\Documents and Settings\John B\Local Settings\Temp\plugtmp-1\plugin-pfre.php scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\John B\Local Settings\Temp\etilqs_I8J7DDXbrasZrxi30vtP scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\John B\Local Settings\Temp\~DF83E.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be deleted on reboot.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
Network Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\_avast4_\Webshlock.txt scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_6f0.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
Temp folders emptied.
Explorer started successfully

OTListIt2 by OldTimer - Version 2.0.15.7 log created on 05272009_102450

Files moved on Reboot...
C:\Documents and Settings\John B\Local Settings\Temp\plugtmp-1\plugin-pfre.php moved successfully.
File C:\Documents and Settings\John B\Local Settings\Temp\etilqs_I8J7DDXbrasZrxi30vtP not found!
C:\Documents and Settings\John B\Local Settings\Temp\~DF83E.tmp moved successfully.
File move failed. C:\WINDOWS\temp\_avast4_\Webshlock.txt scheduled to be moved on reboot.
C:\WINDOWS\temp\Perflib_Perfdata_6f0.dat moved successfully.

Registry entries deleted on Reboot...
GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-05-27 12:34:46
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xEE3596B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xEE359574]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xEE359A52]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xEE35914C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xEE35964E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xEE35976E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xEE35972E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xEE3598AE]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[816] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00380002
IAT C:\WINDOWS\system32\services.exe[816] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00380000

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

Device \FileSystem\Udfs \UdfsCdRom BsUDF.SYS (UDF File System Driver (WindowsXP)/B.H.A Co.,Ltd.)
Device \FileSystem\Udfs \UdfsDisk BsUDF.SYS (UDF File System Driver (WindowsXP)/B.H.A Co.,Ltd.)

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \FileSystem\Cdfs \Cdfs BsUDF.SYS (UDF File System Driver (WindowsXP)/B.H.A Co.,Ltd.)

---- EOF - GMER 1.0.15 ----
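As an added example (not part of this thread, nor GMER's own code), a small Python triage script for GMER logs in the format posted above: it parses the SSDT and IAT lines, keeps hooks whose vendor string matches a known security product, and lists everything else for manual review, in line with the helper's caution that these scans produce false positives. The sample log, the `unknown.sys` entry and the vendor allowlist are constructed for the example.

```python
import re

# Constructed sample in the shape of the GMER 1.0.15 log above. The unknown.sys
# entry does not appear in the original log; it is added to show the "review" path.
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xEE3596B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xEE35964E]
SSDT \??\C:\WINDOWS\system32\drivers\unknown.sys ZwQueryDirectoryFile [0x8A1B2C3D]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[816] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00380000
"""

# SSDT lines: module path, optional "(description/vendor)", hooked Zw* function, address.
SSDT_RE = re.compile(
    r"^SSDT\s+(?P<module>\S+)(?:\s+\((?P<vendor>[^)]*)\))?\s+(?P<func>Zw\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]$"
)
# IAT lines: process[pid] @ image [DLL!Import] target address (GMER prints no owning module here).
IAT_RE = re.compile(
    r"^IAT\s+(?P<proc>\S+)\s+@\s+(?P<image>\S+)\s+\[(?P<imp>[^\]]+)\]\s+(?P<addr>[0-9A-Fa-f]+)$"
)


def parse_gmer(text):
    """Return (ssdt_hooks, iat_hooks) as lists of dicts parsed from a GMER log."""
    ssdt, iat = [], []
    for line in text.splitlines():
        m = SSDT_RE.match(line)
        if m:
            ssdt.append(m.groupdict())
            continue
        m = IAT_RE.match(line)
        if m:
            iat.append(m.groupdict())
    return ssdt, iat


def triage(text, known_vendors=("ALWIL Software",)):
    """Split hooks into 'attributed' (vendor names a known security product) and 'review'."""
    ssdt, iat = parse_gmer(text)
    attributed, review = [], []
    for h in ssdt:
        vendor = h["vendor"] or ""
        bucket = attributed if any(k in vendor for k in known_vendors) else review
        bucket.append(("SSDT", h["func"], h["module"]))
    for h in iat:
        # No vendor attribution is possible from an IAT line alone; that is not proof
        # of anything by itself, so it only goes to the review list.
        review.append(("IAT", h["imp"], h["addr"]))
    return attributed, review
```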