Possible CTFMON infection



#1
spacemonkeymafia

    New Member
  • 6 posts
Hi.

I really hope that someone can help with this. After an issue with an online login I tried to run an HJT scan but HJT would not run when I was online, and trying to run it even cut the internet connection. I managed to run a scan later and an online HJT scanner said there was an infection. The "04" CTFMON entries were what it thought was an infection.

The second issue, I don't know if it means anything, is that HJT shows two instances of Internet Explorer running when in fact only one was.

I have included the HJT log after the OTL and Rooter logs your site requested. Malwarebytes was clean in safe and normal mode.

I have run Avira, Malwarebytes and GMER catchme and they found nothing.

OTL logfile created on: 15/07/2009 11:14:45 AM - Run 1
OTL by OldTimer - Version 3.0.7.1 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000C09 | Country: Australia | Language: ENA | Date Format: d/MM/yyyy

253.98 Mb Total Physical Memory | 88.95 Mb Available Physical Memory | 35.02% Memory free
625.05 Mb Paging File | 325.66 Mb Available in Paging File | 52.10% Paging File free
Paging file location(s): C:\pagefile.sys 384 768 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.24 Gb Total Space | 27.06 Gb Free Space | 72.66% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive Z: | 5.00 Gb Total Space | 4.98 Gb Free Space | 99.44% Space Free | Partition Type: NTFS

Computer Name: NONE-0T2PBMK1HZ
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Program Files\Tall Emu\Online Armor\oasrv.exe (Tall Emu)
PRC - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe (Avira GmbH)
PRC - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe (Avira GmbH)
PRC - C:\WINDOWS\System32\CTsvcCDA.EXE (Creative Technology Ltd)
PRC - C:\Program Files\Tall Emu\Online Armor\oacat.exe (Tall Emu)
PRC - C:\Program Files\Sandboxie\SbieSvc.exe (tzuk)
PRC - C:\WINDOWS\System32\MsPMSPSv.exe (Microsoft Corporation)
PRC - C:\WINDOWS\System32\wscntfy.exe (Microsoft Corporation)
PRC - C:\WINDOWS\Explorer.EXE (Microsoft Corporation)
PRC - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe (Avira GmbH)
PRC - C:\Program Files\Tall Emu\Online Armor\oaui.exe (Tall Emu)
PRC - C:\WINDOWS\System32\hkcmd.exe (Intel Corporation)
PRC - C:\WINDOWS\System32\igfxpers.exe (Intel Corporation)
PRC - C:\WINDOWS\vVX3000.exe (Microsoft Corporation)
PRC - C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe ()
PRC - C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe ()
PRC - C:\Program files\Returnil\Returnil.exe (Returnil SIA)
PRC - C:\Program Files\Tall Emu\Online Armor\oahlp.exe (Tall Emu)
PRC - C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe (Gadwin Systems, Inc)
PRC - C:\Program Files\Eraser\eraser.exe (Heidi Computers Ltd)
PRC - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
PRC - C:\Program Files\Sandboxie\SbieCtrl.exe (tzuk)
PRC - C:\Program Files\TADAust Connect\dialer.exe (ISPWizard)
PRC - C:\Documents and Settings\Owner\Desktop\OTL.exe (OldTimer Tools)

========== Win32 Services (SafeList) ==========

SRV - (AntiVirScheduler [Auto | Running]) -- C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe (Avira GmbH)
SRV - (AntiVirService [Auto | Running]) -- C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe (Avira GmbH)
SRV - (Creative Service for CDROM Access [Auto | Running]) -- C:\WINDOWS\System32\CTsvcCDA.EXE (Creative Technology Ltd)
SRV - (dlbt_device [On_Demand | Stopped]) -- C:\WINDOWS\System32\dlbtcoms.exe (Dell)
SRV - (helpsvc [Auto | Running]) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)
SRV - (OAcat [Auto | Running]) -- C:\Program Files\Tall Emu\Online Armor\oacat.exe (Tall Emu)
SRV - (SbieSvc [Auto | Running]) -- C:\Program Files\Sandboxie\SbieSvc.exe (tzuk)
SRV - (SvcOnlineArmor [Auto | Running]) -- C:\Program Files\Tall Emu\Online Armor\oasrv.exe (Tall Emu)
SRV - (WMDM PMSP Service [Auto | Running]) -- C:\WINDOWS\System32\MsPMSPSv.exe (Microsoft Corporation)

========== Driver Services (SafeList) ==========

DRV - (avgio [System | Running]) -- C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgio.sys (Avira GmbH)
DRV - (avgntflt [On_Demand | Running]) -- C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgntflt.sys (Avira GmbH)
DRV - (avipbb [System | Running]) -- C:\WINDOWS\System32\DRIVERS\avipbb.sys (Avira GmbH)
DRV - (ctsfm2k [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\ctsfm2k.sys (Creative Technology Ltd)
DRV - (E100B [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\e100b325.sys (Intel Corporation)
DRV - (HSFHWBS2 [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\HSFHWBS2.sys (Conexant Systems, Inc.)
DRV - (HSF_DP [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\HSF_DP.sys (Conexant Systems, Inc.)
DRV - (ialm [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\ialmnt5.sys (Intel Corporation)
DRV - (mdmxsdk [Auto | Running]) -- C:\WINDOWS\System32\DRIVERS\mdmxsdk.sys (Conexant)
DRV - (MODEMCSA [On_Demand | Stopped]) -- C:\WINDOWS\System32\drivers\MODEMCSA.sys (Microsoft Corporation)
DRV - (OADevice [System | Running]) -- C:\WINDOWS\System32\drivers\OADriver.sys (Tall Emu Pty Ltd)
DRV - (OAmon [System | Running]) -- C:\WINDOWS\System32\drivers\OAmon.sys (Tall Emu Pty Ltd)
DRV - (OAnet [System | Running]) -- C:\WINDOWS\System32\drivers\OAnet.sys (Tall Emu Pty Ltd)
DRV - (OMCI [System | Running]) -- C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS (Dell Computer Corporation)
DRV - (ossrv [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\ctoss2k.sys (Creative Technology Ltd.)
DRV - (P17 [On_Demand | Running]) -- C:\WINDOWS\System32\drivers\P17.sys (Creative Technology Ltd.)
DRV - (Ptilink [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys (Parallel Technologies, Inc.)
DRV - (RVFsSec [Boot | Running]) -- C:\WINDOWS\system32\Drivers\RVFsSec.sys (Returnil SIA)
DRV - (RVSystem [Boot | Running]) -- C:\WINDOWS\system32\Drivers\RVSystem.sys (Returnil SIA)
DRV - (SASDIFSV [System | Running]) -- C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (SASENUM [On_Demand | Stopped]) -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS ( SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (SASKUTIL [System | Running]) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (SbieDrv [On_Demand | Running]) -- C:\Program Files\Sandboxie\SbieDrv.sys (tzuk)
DRV - (Secdrv [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
DRV - (ssmdrv [System | Running]) -- C:\WINDOWS\System32\DRIVERS\ssmdrv.sys (Avira GmbH)
DRV - (usbaudio [On_Demand | Stopped]) -- C:\WINDOWS\System32\drivers\usbaudio.sys (Microsoft Corporation)
DRV - (VX3000 [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\VX3000.sys (Microsoft Corporation)
DRV - (winachsf [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\HSF_CNXT.sys (Conexant Systems, Inc.)

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn...st/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.update: false
FF - prefs.js..browser.startup.homepage: "about:blank"
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.10

FF - HKLM\software\mozilla\Mozilla Firefox 3.0.10\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/06/10 17:16:39 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.10\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/06/10 17:16:17 | 00,000,000 | ---D | M]

[2009/06/10 17:16:40 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\mozilla\Extensions
[2009/06/10 17:16:40 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/06/10 17:16:40 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\mozilla\Firefox\Profiles\g87clm0a.default\extensions
[2009/06/10 17:16:18 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2009/06/10 17:16:18 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/04/24 14:38:30 | 00,023,032 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009/04/24 14:38:32 | 00,134,648 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2009/04/24 14:38:33 | 00,065,528 | ---- | M] (mozilla.org) -- C:\Program Files\mozilla firefox\plugins\npnul32.dll
[2009/04/24 10:39:08 | 00,001,394 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2009/04/24 10:39:08 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2009/04/24 10:39:08 | 00,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2009/04/24 10:39:08 | 00,002,343 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2009/04/24 10:39:08 | 00,001,706 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2009/04/24 10:39:08 | 00,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml
[2009/04/24 10:39:08 | 00,000,792 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.xml

O1 HOSTS File: (734 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [@OnlineArmor GUI] C:\Program Files\Tall Emu\Online Armor\oaui.exe (Tall Emu)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [Dell Photo AIO Printer 922] C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe ()
O4 - HKLM..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [P17Helper] C:\WINDOWS\System32\P17.DLL ()
O4 - HKLM..\Run: [Rvsystem] C:\Program files\Returnil\Returnil.exe (Returnil SIA)
O4 - HKLM..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE (Creative Technology Ltd.)
O4 - HKLM..\Run: [VX3000] C:\WINDOWS\vVX3000.exe (Microsoft Corporation)
O4 - HKCU..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe (Heidi Computers Ltd)
O4 - HKCU..\Run: [Gadwin PrintScreen] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe (Gadwin Systems, Inc)
O4 - HKCU..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O4 - HKCU..\Run: [SandboxieControl] C:\Program Files\Sandboxie\SbieCtrl.exe (tzuk)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 36
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = FF FF FF FF [binary data]
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Domains: 25 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1236411858506 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.micros...b?1237702287156 (MUWebControl Class)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {4F07DA45-8170-4859-9B5F-037EF2970034} - C:\Program Files\Tall Emu\Online Armor\oaevent.dll (Tall Emu)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/03/06 17:38:22 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2009/03/14 20:22:09 | 00,000,000 | RHSD | M] - C:\autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2009/05/29 15:35:40 | 00,000,000 | RHSD | M] - Z:\autorun.inf -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 30 Days ==========

[2009/07/15 11:13:02 | 00,173,119 | ---- | C] (Eric_71) -- C:\Documents and Settings\Owner\Desktop\Rooter.exe
[2009/07/15 11:12:14 | 00,513,536 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2009/07/14 17:26:51 | 14,918,680 | ---- | C] (Doctor Web, Ltd.) -- C:\Documents and Settings\Owner\Desktop\77p2b5e7.exe
[2009/07/14 17:13:45 | 00,002,506 | ---- | C] () -- C:\WINDOWS\System32\tmp.reg
[2009/07/14 17:12:44 | 00,289,144 | ---- | C] (S!Ri) -- C:\WINDOWS\System32\VCCLSID.exe
[2009/07/14 17:12:44 | 00,288,417 | ---- | C] (S!Ri) -- C:\WINDOWS\System32\SrchSTS.exe
[2009/07/14 17:12:44 | 00,087,552 | ---- | C] (S!Ri.URZ) -- C:\WINDOWS\System32\VACFix.exe
[2009/07/14 17:12:44 | 00,082,944 | ---- | C] (S!Ri.URZ) -- C:\WINDOWS\System32\IEDFix.exe
[2009/07/14 17:12:44 | 00,082,944 | ---- | C] (S!Ri.URZ) -- C:\WINDOWS\System32\IEDFix.C.exe
[2009/07/14 17:12:44 | 00,082,432 | ---- | C] (S!Ri.URZ) -- C:\WINDOWS\System32\404Fix.exe
[2009/07/14 17:12:44 | 00,080,384 | ---- | C] (S!Ri.URZ) -- C:\WINDOWS\System32\o4Patch.exe
[2009/07/14 17:12:44 | 00,079,360 | ---- | C] (SteelWerX) -- C:\WINDOWS\System32\swxcacls.exe
[2009/07/14 17:12:44 | 00,078,336 | ---- | C] (S!Ri.URZ) -- C:\WINDOWS\System32\Agent.OMZ.Fix.exe
[2009/07/14 17:12:44 | 00,075,776 | ---- | C] () -- C:\WINDOWS\System32\WS2Fix.exe
[2009/07/14 17:12:44 | 00,051,200 | ---- | C] () -- C:\WINDOWS\System32\dumphive.exe
[2009/07/14 17:12:44 | 00,040,960 | ---- | C] () -- C:\WINDOWS\System32\swsc.exe
[2009/07/14 17:12:43 | 00,135,168 | ---- | C] (SteelWerX) -- C:\WINDOWS\System32\swreg.exe
[2009/07/14 17:12:43 | 00,053,248 | ---- | C] (http://www.beyondlogic.org) -- C:\WINDOWS\System32\Process.exe
[2009/07/14 17:12:14 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\SmitfraudFix
[2009/07/14 17:04:07 | 01,885,088 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\SmitfraudFix.exe
[2009/07/13 19:06:47 | 00,000,780 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\SUPERAntiSpyware Free Edition.lnk
[2009/07/13 19:06:13 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2009/06/22 19:30:35 | 00,000,008 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\New Rich Text Document.rtf
[2009/06/16 19:50:13 | 00,005,462 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\june16.rtf
[2009/06/02 17:22:06 | 00,002,338 | ---- | C] () -- C:\WINDOWS\Sandboxie.ini
[2009/05/22 17:04:36 | 00,000,000 | ---- | C] () -- C:\WINDOWS\SBWIN.INI
[2009/05/22 17:04:26 | 00,000,231 | ---- | C] () -- C:\WINDOWS\AC3API.INI
[2009/05/22 17:03:23 | 00,003,278 | ---- | C] () -- C:\WINDOWS\System32\LudaP17.ini
[2009/05/22 17:03:23 | 00,000,029 | ---- | C] () -- C:\WINDOWS\System32\ctzapxx.ini
[2009/05/22 17:03:19 | 00,065,536 | R--- | C] ( ) -- C:\WINDOWS\System32\A3d.dll
[2009/05/22 17:03:19 | 00,060,928 | R--- | C] () -- C:\WINDOWS\System32\P17.dll
[2009/05/22 17:03:19 | 00,053,248 | R--- | C] () -- C:\WINDOWS\System32\P17CPI.dll
[2009/03/26 16:48:38 | 00,000,502 | ---- | C] () -- C:\WINDOWS\dellstat.ini
[2009/03/26 16:41:12 | 00,126,976 | R--- | C] () -- C:\WINDOWS\System32\dlbtsnls.dll
[2009/03/26 16:41:11 | 00,143,360 | R--- | C] () -- C:\WINDOWS\System32\dlbtcoin.dll
[2009/03/26 16:40:47 | 00,040,960 | ---- | C] () -- C:\WINDOWS\System32\dlbtvs.dll
[2009/03/26 16:40:44 | 00,114,688 | ---- | C] () -- C:\WINDOWS\System32\dlbtcur.dll
[2009/03/26 16:40:44 | 00,069,632 | ---- | C] () -- C:\WINDOWS\System32\dlbtcu.dll
[2009/03/26 16:40:38 | 00,557,056 | ---- | C] () -- C:\WINDOWS\System32\dlbtjswr.dll
[2009/03/26 16:40:33 | 00,401,408 | ---- | C] () -- C:\WINDOWS\System32\dlbtutil.dll
[2009/03/15 17:29:37 | 00,015,498 | ---- | C] () -- C:\WINDOWS\VX3000.ini
[2009/03/13 18:39:44 | 00,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2009/03/06 18:09:40 | 00,012,288 | ---- | C] () -- C:\WINDOWS\System32\e100bmsg.dll
[2003/07/17 06:51:23 | 00,000,503 | ---- | C] () -- C:\WINDOWS\win.ini
[2003/07/17 06:47:28 | 00,000,231 | ---- | C] () -- C:\WINDOWS\system.ini

========== Files - Modified Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[2009/07/15 11:13:02 | 00,173,119 | ---- | M] (Eric_71) -- C:\Documents and Settings\Owner\Desktop\Rooter.exe
[2009/07/15 11:12:15 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2009/07/15 10:52:54 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/07/15 10:52:36 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/07/14 20:31:52 | 01,381,864 | -H-- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\IconCache.db
[2009/07/14 18:26:41 | 14,918,680 | ---- | M] (Doctor Web, Ltd.) -- C:\Documents and Settings\Owner\Desktop\77p2b5e7.exe
[2009/07/14 17:17:41 | 00,002,506 | ---- | M] () -- C:\WINDOWS\System32\tmp.reg
[2009/07/14 17:11:18 | 01,885,088 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\SmitfraudFix.exe
[2009/07/13 19:06:47 | 00,000,780 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\SUPERAntiSpyware Free Edition.lnk
[2009/07/13 16:03:41 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/07/10 17:35:27 | 00,000,502 | ---- | M] () -- C:\WINDOWS\dellstat.ini
[2009/07/01 19:04:14 | 00,000,754 | ---- | M] () -- C:\WINDOWS\WORDPAD.INI
[2009/06/26 19:18:14 | 00,000,008 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\New Rich Text Document.rtf
[2009/06/17 11:27:56 | 00,038,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/06/17 11:27:44 | 00,019,096 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/06/16 19:50:14 | 00,005,462 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\june16.rtf

========== Alternate Data Streams ==========

@Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
< End of report >

OTL Extras logfile created on: 15/07/2009 11:14:45 AM - Run 1
OTL by OldTimer - Version 3.0.7.1 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000C09 | Country: Australia | Language: ENA | Date Format: d/MM/yyyy

253.98 Mb Total Physical Memory | 88.95 Mb Available Physical Memory | 35.02% Memory free
625.05 Mb Paging File | 325.66 Mb Available in Paging File | 52.10% Paging File free
Paging file location(s): C:\pagefile.sys 384 768 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.24 Gb Total Space | 27.06 Gb Free Space | 72.66% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive Z: | 5.00 Gb Total Space | 4.98 Gb Free Space | 99.44% Space Free | Partition Type: NTFS

Computer Name: NONE-0T2PBMK1HZ
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 (Microsoft Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{24AAB420-4E30-4496-9739-3E216F3DE6AE}" = Python 2.6.2
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{56F3E1FF-54FE-4384-A153-6CCABA097814}" = Creative MediaSource
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Extreme Graphics 2 Driver
"{AC76BA86-7AD7-1033-7B44-A91000000001}" = Adobe Reader 9.1
"{B80CC46C-5839-4A48-B051-3CACF23A2718}_is1" = Eraser 5.82
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition
"{CEB481CC-F57C-4397-81A0-DADD22257047}" = Sound Blaster Live! 24-bit
"{D78653C3-A8FF-415F-92E6-D774E634FF2D}" = Dell ResourceCD
"{E5B72007-07C9-4E67-B29E-696073F45704}" = DropMyRights
"AntiVir PersonalEdition Classic" = Avira AntiVir Personal - Free Antivirus
"CCleaner" = CCleaner (remove only)
"CleanUp!" = CleanUp!
"CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1" = Conexant D850 56K V.9x DFVc Modem
"Dell Photo AIO Printer 922" = Dell Photo AIO Printer 922
"Gadwin PrintScreen" = Gadwin PrintScreen
"HijackThis" = HijackThis 2.0.2
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Mozilla Firefox (3.0.10)" = Mozilla Firefox (3.0.10)
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"OnlineArmor_is1" = Online Armor 3.0
"PhotoFiltre" = PhotoFiltre
"PROSet" = Intel® PRO Network Adapters and Drivers
"Rvsystem" = Returnil Virtual System Premium Edition
"Sandboxie" = Sandboxie 3.38
"SpywareBlaster_is1" = SpywareBlaster 4.2
"TADAust Connect" = TADAust Connect
"Tweak UI 2.10" = Tweak UI
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 27/03/2009 10:21:33 PM | Computer Name = NONE-0T2PBMK1HZ | Source = Application Hang | ID = 1002
Description = Hanging application mbam.exe, version 1.35.0.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 20/05/2009 5:17:02 AM | Computer Name = NONE-0T2PBMK1HZ | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 20/05/2009 5:17:08 AM | Computer Name = NONE-0T2PBMK1HZ | Source = Application Hang | ID = 1001
Description = Fault bucket 1180947459.

Error - 31/05/2009 4:41:09 AM | Computer Name = NONE-0T2PBMK1HZ | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 31/05/2009 4:41:21 AM | Computer Name = NONE-0T2PBMK1HZ | Source = Application Hang | ID = 1001
Description = Fault bucket 1180947459.

Error - 1/06/2009 2:14:52 AM | Computer Name = NONE-0T2PBMK1HZ | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 1/06/2009 2:14:52 AM | Computer Name = NONE-0T2PBMK1HZ | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 1/06/2009 2:14:58 AM | Computer Name = NONE-0T2PBMK1HZ | Source = Application Hang | ID = 1001
Description = Fault bucket 1180947459.

Error - 1/06/2009 2:15:03 AM | Computer Name = NONE-0T2PBMK1HZ | Source = Application Hang | ID = 1001
Description = Fault bucket 1180947459.

Error - 7/06/2009 1:27:01 AM | Computer Name = NONE-0T2PBMK1HZ | Source = EventSystem | ID = 4609
Description = The COM+ Event System detected a bad return code during its internal
processing. HRESULT was 80070005 from line 62 of d:\comxp_sp3\com\com1x\src\events\tier1\eventsystemobj.cpp.
Please contact Microsoft Product Support Services to report this erro

[ System Events ]
Error - 14/07/2009 5:37:31 AM | Computer Name = NONE-0T2PBMK1HZ | Source = RVSystem | ID = 1411
Description =

Error - 14/07/2009 5:38:29 AM | Computer Name = NONE-0T2PBMK1HZ | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error - 14/07/2009 5:38:34 AM | Computer Name = NONE-0T2PBMK1HZ | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 14/07/2009 5:38:52 AM | Computer Name = NONE-0T2PBMK1HZ | Source = Service Control Manager | ID = 7001
Description = The DHCP Client service depends on the NetBios over Tcpip service
which failed to start because of the following error: %%31

Error - 14/07/2009 5:38:52 AM | Computer Name = NONE-0T2PBMK1HZ | Source = Service Control Manager | ID = 7001
Description = The DNS Client service depends on the TCP/IP Protocol Driver service
which failed to start because of the following error: %%31

Error - 14/07/2009 5:38:52 AM | Computer Name = NONE-0T2PBMK1HZ | Source = Service Control Manager | ID = 7001
Description = The TCP/IP NetBIOS Helper service depends on the AFD Networking Support
Environment service which failed to start because of the following error: %%31

Error - 14/07/2009 5:38:52 AM | Computer Name = NONE-0T2PBMK1HZ | Source = Service Control Manager | ID = 7001
Description = The IPSEC Services service depends on the IPSEC driver service which
failed to start because of the following error: %%31

Error - 14/07/2009 5:38:52 AM | Computer Name = NONE-0T2PBMK1HZ | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
AFD avgio avipbb Fips intelppm IPSec MRxSmb NetBIOS NetBT OADevice OAmon OAnet OMCI RasAcd Rdbss
SASDIFSV
SASKUTIL
ssmdrv
Tcpip

Error - 14/07/2009 6:31:41 AM | Computer Name = NONE-0T2PBMK1HZ | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error - 14/07/2009 6:32:01 AM | Computer Name = NONE-0T2PBMK1HZ | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}


< End of report >

Rooter.exe (v1.0.2) by Eric_71
.
SeDebugPrivilege granted successfully ...
.
Windows XP Home Edition (5.1.2600) Service Pack 3
[32_bits] - x86 Family 15 Model 3 Stepping 4, GenuineIntel
.
[wscsvc] (Security Center) RUNNING (state:4)
[SharedAccess] RUNNING (state:4)
Windows Firewall -> Enabled
.
Internet Explorer 8.0.6001.18702
Mozilla Firefox 3.0.10 (en-US)
.
C:\ [Fixed-NTFS] .. ( Total:37 Go - Free:27 Go )
D:\ [CD_Rom]
Z:\ [Fixed-NTFS] .. ( Total:5 Go - Free:4 Go )
.
Scan : 11:19.17
Path : C:\Documents and Settings\Owner\Desktop\Rooter.exe
User : Owner ( Administrator -> YES )
.
----------------------\\ Processes
.
Locked [System Process] (0)
______ System (4)
______ \SystemRoot\System32\smss.exe (504)
______ \??\C:\WINDOWS\system32\csrss.exe (576)
______ \??\C:\WINDOWS\system32\winlogon.exe (600)
______ C:\WINDOWS\system32\services.exe (648)
______ C:\WINDOWS\system32\lsass.exe (660)
______ C:\WINDOWS\system32\svchost.exe (816)
______ C:\WINDOWS\system32\svchost.exe (884)
______ C:\WINDOWS\System32\svchost.exe (920)
______ C:\WINDOWS\System32\svchost.exe (968)
______ C:\WINDOWS\System32\svchost.exe (1024)
______ C:\WINDOWS\system32\spoolsv.exe (1312)
______ C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe (1360)
______ C:\WINDOWS\System32\svchost.exe (1404)
______ C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe (1472)
______ C:\WINDOWS\system32\CTsvcCDA.EXE (1484)
______ C:\Program Files\Tall Emu\Online Armor\oacat.exe (1520)
______ C:\Program Files\Sandboxie\SbieSvc.exe (1704)
______ C:\WINDOWS\System32\svchost.exe (1796)
______ C:\WINDOWS\system32\MsPMSPSv.exe (1864)
______ C:\WINDOWS\System32\alg.exe (352)
______ C:\WINDOWS\system32\wscntfy.exe (1296)
______ C:\WINDOWS\Explorer.EXE (1892)
______ C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe (2228)
______ C:\WINDOWS\system32\hkcmd.exe (2636)
______ C:\WINDOWS\system32\igfxpers.exe (2672)
______ C:\WINDOWS\vVX3000.exe (2792)
______ C:\Program files\Returnil\Returnil.exe (2908)
______ C:\WINDOWS\system32\Rundll32.exe (2952)
______ C:\WINDOWS\system32\ctfmon.exe (3052)
______ C:\Program Files\Eraser\eraser.exe (3156)
______ C:\Program Files\Messenger\msmsgs.exe (3224)
______ C:\Documents and Settings\Owner\Desktop\Rooter.exe (808)
.
----------------------\\ Device\Harddisk0\
.
\Device\Harddisk0 [Sectors : 63 x 512 Bytes]
.
\Device\Harddisk0\Partition1 --[ MBR ]-- (Start_Offset:32256 | Length:39991279104)
.
----------------------\\ Scheduled Tasks
.
C:\WINDOWS\Tasks\desktop.ini
C:\WINDOWS\Tasks\Microsoft_Hardware_Launch_LifeExp_exe.job
C:\WINDOWS\Tasks\Microsoft_Hardware_Launch_vVX3000_exe.job
C:\WINDOWS\Tasks\SA.DAT
.
----------------------\\ Registry
.
.
----------------------\\ Files & Folders
.
----------------------\\ Scan completed at 11:19.19
.
C:\Rooter$\Rooter_1.txt - (15/07/2009 | 11:19.19)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:44:24 PM, on 13/07/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Tall Emu\Online Armor\oacat.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\vVX3000.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program files\Returnil\Returnil.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Tall Emu\Online Armor\oahlp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\Program Files\Eraser\eraser.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe
C:\Program Files\TADAust Connect\dialer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [Rvsystem] "C:\Program files\Returnil\Returnil.exe"
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Gadwin PrintScreen] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1236411858506
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1237702287156
O17 - HKLM\System\CCS\Services\Tcpip\..\{6414ECA6-81D3-4268-89CE-FD1A6E2E73D5}: NameServer = 124.254.72.68 124.254.72.70
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oacat.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe

--
End of file - 6121 bytes

Here is a smitfraudfix scan I also ran in case it helps. Sorry if it is just clutter.

SmitFraudFix v2.423

Scan done at 17:17:19.15, Tue 14/07/2009
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Tall Emu\Online Armor\oacat.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\vVX3000.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program files\Returnil\Returnil.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Eraser\eraser.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Tall Emu\Online Armor\oahlp.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\TADAust Connect\dialer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\SmitfraudFix\Policies.exe
C:\Documents and Settings\Owner\Desktop\SmitfraudFix\Policies.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Owner\LOCALS~1\Temp


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Owner\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

»»»»»»»»»»»»»»»»»»»»»»»» RK

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""




»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: WAN (PPP/SLIP) Interface
DNS Server Search Order: 124.254.72.68
DNS Server Search Order: 124.254.72.70

HKLM\SYSTEM\CCS\Services\Tcpip\..\{6414ECA6-81D3-4268-89CE-FD1A6E2E73D5}: NameServer=124.254.72.68 124.254.72.70
HKLM\SYSTEM\CS1\Services\Tcpip\..\{6414ECA6-81D3-4268-89CE-FD1A6E2E73D5}: NameServer=124.254.72.68 124.254.72.70


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

Thanks for any help