IRCbot Virus

#1
bearj
Hi everyone. I recently was told by my ISP that I have an IRCbot infection at my house. I've got two machines here, and this information pertains to only one of them. Once I get this one sorted I'll move on to the second one.
I haven't been able to find a trace of this virus. My ISP was of course unable to provide me with any more information about the problem. I haven't noticed any problems with these machines (both are recently formatted units), but I can't think of anything else to do to make sure they don't cut my connection.

I have followed the steps in the guide, so please forgive the massive log posting. I believe this computer to be clean, but I'd love some confirmation.

Thank you very much for your help!

Here we go!

First off, my Malwarebytes log: (the time on this is actually later than the other scans because I forgot to save a log file the first time through. The results were the same though)

Malwarebytes' Anti-Malware 1.41
Database version: 3235
Windows 5.1.2600 Service Pack 3

11/25/2009 11:13:50 PM
mbam-log-2009-11-25 (23-13-50).txt

Scan type: Quick Scan
Objects scanned: 98139
Time elapsed: 2 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



-------------------------------
Next up, a Root Repeal log. This one has something interesting in it, but I don't know what it means:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/11/25 22:57
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB70D7000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBADEC000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xBA998000 Size: 49152 File Visible: No Signed: -
Status: -

==EOF==

-------------------------------
Following that, an OTL log:

OTL logfile created on: 11/25/2009 11:00:06 PM - Run 1
OTL by OldTimer - Version 3.1.10.1 Folder = E:\Josh
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 100.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 232.88 Gb Total Space | 140.48 Gb Free Space | 60.32% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 1006.47 Mb Total Space | 70.19 Mb Free Space | 6.97% Space Free | Partition Type: FAT
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: D620XP
Current User Name: Josh
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2009/11/25 22:03:44 | 00,531,456 | ---- | M] (OldTimer Tools) -- E:\Josh\OTL.exe
PRC - [2009/11/12 10:45:33 | 02,020,120 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgtray.exe
PRC - [2009/11/12 10:45:32 | 00,600,344 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgnsx.exe
PRC - [2009/10/26 23:00:13 | 01,055,000 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgchsvx.exe
PRC - [2009/10/26 23:00:13 | 00,502,040 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgrsx.exe
PRC - [2009/10/26 23:00:12 | 00,702,744 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgcsrvx.exe
PRC - [2009/10/26 23:00:12 | 00,702,744 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgcsrvx.exe
PRC - [2009/10/26 23:00:09 | 00,906,520 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgemc.exe
PRC - [2009/10/26 23:00:09 | 00,285,392 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe
PRC - [2009/09/06 12:38:06 | 00,071,096 | ---- | M] () -- C:\Program Files\CDBurnerXP\NMSAccessU.exe
PRC - [2009/02/06 05:10:02 | 00,227,840 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\wmiprvse.exe
PRC - [2009/02/06 05:10:02 | 00,227,840 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\wmiprvse.exe
PRC - [2008/08/20 16:38:30 | 00,860,160 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\WiFi\bin\EvtEng.exe
PRC - [2008/08/20 16:28:34 | 00,348,160 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\WiFi\bin\WLKEEPER.exe
PRC - [2008/08/20 16:27:36 | 01,368,064 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
PRC - [2008/08/20 16:18:34 | 00,905,216 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
PRC - [2008/08/20 16:09:12 | 01,191,936 | ---- | M] (Intel® Corporation) -- C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
PRC - [2008/08/20 16:08:02 | 00,466,944 | ---- | M] (Intel® Corporation) -- C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
PRC - [2008/06/09 07:23:00 | 00,159,812 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe
PRC - [2008/04/14 07:00:00 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/04/14 07:00:00 | 00,016,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\unsecapp.exe
PRC - [2007/07/20 16:55:46 | 01,228,800 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\QuickSet\quickset.exe
PRC - [2007/07/20 16:53:52 | 00,475,136 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
PRC - [2007/05/10 10:22:32 | 00,405,504 | ---- | M] (SigmaTel, Inc.) -- C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
PRC - [2006/06/28 07:46:30 | 00,622,592 | ---- | M] () -- C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
PRC - [2006/06/27 10:30:30 | 00,339,968 | ---- | M] (Brother Industries, Ltd.) -- C:\Program Files\Brother\ControlCenter3\BrccMCtl.exe
PRC - [2006/05/08 18:52:04 | 00,204,800 | ---- | M] (Brother Industries, Ltd.) -- C:\Program Files\Brother\Brmfcmon\BrMfimon.exe
PRC - [2005/10/07 14:13:38 | 00,176,128 | R--- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\Apoint.exe
PRC - [2005/07/27 16:41:08 | 00,045,056 | R--- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\ApntEx.exe
PRC - [2004/06/28 23:56:12 | 00,045,056 | R--- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\hidfind.exe


========== Modules (SafeList) ==========

MOD - [2009/11/25 22:03:44 | 00,531,456 | ---- | M] (OldTimer Tools) -- E:\Josh\OTL.exe
MOD - [2008/04/14 07:00:00 | 01,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
MOD - [2008/04/14 07:00:00 | 00,185,344 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\framedyn.dll
MOD - [2007/07/20 16:56:14 | 00,098,304 | ---- | M] () -- C:\Program Files\Dell\QuickSet\dadkeyb.dll


========== Win32 Services (SafeList) ==========

SRV - [2009/10/26 23:00:09 | 00,906,520 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgemc.exe -- (avg9emc)
SRV - [2009/10/26 23:00:09 | 00,285,392 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe -- (avg9wd)
SRV - [2009/09/06 12:38:06 | 00,071,096 | ---- | M] () -- C:\Program Files\CDBurnerXP\NMSAccessU.exe -- (NMSAccessU)
SRV - [2008/08/20 16:38:30 | 00,860,160 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\WiFi\bin\EvtEng.exe -- (EvtEng)
SRV - [2008/08/20 16:28:34 | 00,348,160 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\WiFi\bin\WLKEEPER.exe -- (WLANKEEPER) Intel®
SRV - [2008/08/20 16:18:34 | 00,905,216 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\WiFi\bin\S24EvMon.exe -- (S24EventMonitor)
SRV - [2008/08/20 16:08:02 | 00,466,944 | ---- | M] (Intel® Corporation) -- C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe -- (RegSrvc)
SRV - [2008/07/29 20:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0)
SRV - [2008/07/29 18:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc)
SRV - [2008/07/29 18:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing)
SRV - [2008/07/25 10:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2008/07/25 10:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state)
SRV - [2008/06/09 07:23:00 | 00,159,812 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc)
SRV - [2008/04/14 07:00:00 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\pchealth\helpctr\binaries\pchsvc.dll -- (helpsvc)
SRV - [2007/07/20 16:53:52 | 00,475,136 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\QuickSet\NicConfigSvc.exe -- (NICCONFIGSVC)
SRV - [2003/07/28 11:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn...st/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft...p...&ar=msnhome
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {8b86149f-01fb-4842-9dd8-4d7eb02fd055}:0.20.0
FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:9.0.0.701
FF - prefs.js..extensions.enabledItems: {77b819fa-95ad-4f2c-ac7c-486b356188a9}:1.5.20090525
FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.1
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.5.5

FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG9\Firefox [2009/11/10 16:23:13 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/11/02 01:19:28 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/11/06 11:27:08 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/11/06 11:27:08 | 00,000,000 | ---D | M]

[2009/10/26 22:49:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Josh\Application Data\Mozilla\Extensions
[2009/10/26 22:49:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Josh\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/11/22 13:48:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Josh\Application Data\Mozilla\Firefox\Profiles\ndme59kn.default\extensions
[2009/11/02 10:06:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Josh\Application Data\Mozilla\Firefox\Profiles\ndme59kn.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/11/06 11:27:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Josh\Application Data\Mozilla\Firefox\Profiles\ndme59kn.default\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}
[2009/10/26 23:05:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Josh\Application Data\Mozilla\Firefox\Profiles\ndme59kn.default\extensions\{8b86149f-01fb-4842-9dd8-4d7eb02fd055}
[2009/10/26 22:49:04 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/11/06 11:27:04 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/11/06 11:27:04 | 00,023,512 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browserdirprovider.dll
[2009/11/06 11:27:04 | 00,137,176 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\brwsrcmp.dll
[2009/11/06 11:27:06 | 00,064,984 | ---- | M] (mozilla.org) -- C:\Program Files\Mozilla Firefox\plugins\npnul32.dll
[2007/03/22 19:23:30 | 00,017,248 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\NPOFFICE.DLL
[2009/02/27 13:13:42 | 00,103,792 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Mozilla Firefox\plugins\nppdf32.dll
[2009/08/24 13:45:46 | 00,001,394 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazondotcom.xml
[2009/08/24 13:45:46 | 00,002,193 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\answers.xml
[2009/08/24 13:45:46 | 00,001,534 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\creativecommons.xml
[2009/08/24 13:45:46 | 00,002,344 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay.xml
[2009/08/24 13:45:46 | 00,002,371 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\google.xml
[2009/08/24 13:45:46 | 00,001,178 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wikipedia.xml
[2009/08/24 13:45:46 | 00,000,792 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo.xml

O1 HOSTS File: (734 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Windows Live Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O4 - HKLM..\Run: [Adobe ARM] C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKLM..\Run: [AVG9_TRAY] C:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [BluetoothAuthenticationAgent] C:\WINDOWS\System32\bthprops.cpl (Microsoft Corporation)
O4 - HKLM..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe ()
O4 - HKLM..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe (Brother Industries, Ltd.)
O4 - HKLM..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe (Dell Inc.)
O4 - HKLM..\Run: [IntelWireless] C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe (Intel® Corporation)
O4 - HKLM..\Run: [IntelZeroConfig] C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe (Intel® Corporation)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NVHotkey] C:\WINDOWS\System32\nvhotkey.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe (SigmaTel, Inc.)
O4 - HKCU..\Run: [Google Update] C:\Documents and Settings\Josh\Local Settings\Application Data\Google\Update\GoogleUpdate.exe (Google Inc.)
O4 - HKCU..\Run: [msnmsgr] C:\Program Files\Windows Live\Messenger\msnmsgr.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.mi...b?1256667045765 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.mi...b?1256854680875 (MUWebControl Class)
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} http://gfx2.hotmail....ol/MSNPUpld.cab (Windows Live Hotmail Photo Upload Tool)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 64.71.255.198
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/10/26 20:31:10 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{1bf1f5f9-c87e-11de-9065-0016419036c4}\Shell - "" = AutoRun
O33 - MountPoints2\{1bf1f5f9-c87e-11de-9065-0016419036c4}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{1bf1f5f9-c87e-11de-9065-0016419036c4}\Shell\AutoRun\command - "" = F:\WD SmartWare.exe -- File not found
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found
O35 - comfile [open] -- "%1" %* File not found
O35 - exefile [open] -- "%1" %* File not found

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2009/10/26 14:58:00 | 00,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - C:\WINDOWS\system32\irmon.dll (Microsoft Corporation)
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found
NetSvcs: helpsvc - C:\WINDOWS\pchealth\helpctr\binaries\pchsvc.dll (Microsoft Corporation)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16892059130527744)

========== Files/Folders - Created Within 14 Days ==========

[2009/11/25 22:15:46 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/11/25 22:13:14 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2009/11/25 17:51:48 | 00,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2009/11/25 17:51:48 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2009/11/25 00:30:00 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Josh\Application Data\Malwarebytes
[2009/11/25 00:29:55 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/11/25 00:29:54 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/11/25 00:29:54 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/11/25 00:29:54 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/11/25 00:25:53 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Josh\Desktop\Scanners
[2009/11/22 12:46:27 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Josh\Desktop\Midsummer
[2009/11/17 11:37:50 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Josh\Local Settings\Application Data\CutePDF Writer
[2009/11/17 11:33:03 | 00,000,000 | ---D | C] -- C:\Program Files\GPLGS
[2009/11/17 11:32:15 | 00,000,000 | ---D | C] -- C:\Program Files\Acro Software

========== Files - Modified Within 14 Days ==========

[2009/11/25 22:55:00 | 00,000,974 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1214440339-2077806209-1417001333-1003UA.job
[2009/11/25 22:22:40 | 45,728,930 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2009/11/25 22:22:23 | 00,105,608 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2009/11/25 22:14:04 | 00,509,454 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/11/25 22:14:04 | 00,433,364 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/11/25 22:14:04 | 00,067,772 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/11/25 22:10:17 | 00,189,259 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2009/11/25 22:10:16 | 00,027,744 | ---- | M] () -- C:\WINDOWS\System32\nvModes.001
[2009/11/25 22:10:14 | 00,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/11/25 22:09:58 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/11/25 22:09:55 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/11/25 22:09:15 | 02,359,296 | -H-- | M] () -- C:\Documents and Settings\Josh\NTUSER.DAT
[2009/11/25 22:09:15 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\Josh\ntuser.ini
[2009/11/25 13:14:13 | 00,029,696 | ---- | M] () -- C:\Documents and Settings\Josh\Desktop\Midsummer Nov_2009 2009_11_25 1315.xls
[2009/11/25 12:15:39 | 00,025,600 | ---- | M] () -- C:\Documents and Settings\Josh\Desktop\Midsummer Nov_2009 2009_11_25 1215.xls
[2009/11/18 23:35:08 | 00,005,739 | ---- | M] () -- C:\Documents and Settings\Josh\Desktop\roar.pdf
[2009/11/18 13:30:48 | 00,111,824 | ---- | M] () -- C:\Documents and Settings\Josh\Desktop\demetrius 4 per page.pdf
[2009/11/18 10:55:00 | 00,000,922 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1214440339-2077806209-1417001333-1003Core.job
[2009/11/18 10:32:35 | 00,200,144 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/11/18 10:23:12 | 00,000,573 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/11/18 10:17:40 | 00,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/11/18 00:54:31 | 00,014,336 | ---- | M] () -- C:\Documents and Settings\Josh\My Documents\budget midsummer.xls
[2009/11/18 00:54:27 | 00,115,200 | ---- | M] () -- C:\Documents and Settings\Josh\My Documents\Enter Prologu1.doc
[2009/11/18 00:54:20 | 00,107,520 | ---- | M] () -- C:\Documents and Settings\Josh\My Documents\Enter Prologue.doc
[2009/11/18 00:53:59 | 00,020,480 | ---- | M] () -- C:\Documents and Settings\Josh\My Documents\Purchase.doc
[2009/11/18 00:53:47 | 00,033,792 | ---- | M] () -- C:\Documents and Settings\Josh\Desktop\prop list details.doc
[2009/11/17 23:31:27 | 00,074,346 | ---- | M] () -- C:\Documents and Settings\Josh\Desktop\folio script 11x17 booklet - duplex it.pdf
[2009/11/17 12:52:09 | 00,117,760 | ---- | M] () -- C:\Documents and Settings\Josh\My Documents\Play within a play script MODIFIED by john.doc
[2009/11/16 00:51:51 | 00,117,248 | ---- | M] () -- C:\Documents and Settings\Josh\My Documents\Play within a play script MODIFIED.doc

========== Files Created - No Company Name ==========

[2009/11/25 13:14:13 | 00,029,696 | ---- | C] () -- C:\Documents and Settings\Josh\Desktop\Midsummer Nov_2009 2009_11_25 1315.xls
[2009/11/25 12:15:39 | 00,025,600 | ---- | C] () -- C:\Documents and Settings\Josh\Desktop\Midsummer Nov_2009 2009_11_25 1215.xls
[2009/11/18 23:35:07 | 00,005,739 | ---- | C] () -- C:\Documents and Settings\Josh\Desktop\roar.pdf
[2009/11/18 13:30:42 | 00,111,824 | ---- | C] () -- C:\Documents and Settings\Josh\Desktop\demetrius 4 per page.pdf
[2009/11/18 00:54:26 | 00,115,200 | ---- | C] () -- C:\Documents and Settings\Josh\My Documents\Enter Prologu1.doc
[2009/11/18 00:54:19 | 00,107,520 | ---- | C] () -- C:\Documents and Settings\Josh\My Documents\Enter Prologue.doc
[2009/11/18 00:53:59 | 00,020,480 | ---- | C] () -- C:\Documents and Settings\Josh\My Documents\Purchase.doc
[2009/11/17 23:31:27 | 00,074,346 | ---- | C] () -- C:\Documents and Settings\Josh\Desktop\folio script 11x17 booklet - duplex it.pdf
[2009/11/17 11:33:27 | 00,117,760 | ---- | C] () -- C:\Documents and Settings\Josh\My Documents\Play within a play script MODIFIED by john.doc
[2009/11/17 11:32:20 | 00,087,552 | ---- | C] () -- C:\WINDOWS\System32\cpwmon2k.dll
[2009/11/16 00:29:14 | 00,117,248 | ---- | C] () -- C:\Documents and Settings\Josh\My Documents\Play within a play script MODIFIED.doc
[2009/11/03 11:01:35 | 00,003,584 | ---- | C] () -- C:\Documents and Settings\Josh\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/11/03 10:52:31 | 00,007,168 | ---- | C] () -- C:\WINDOWS\System32\drivers\StarOpen.sys
[2009/11/02 23:41:41 | 00,000,419 | ---- | C] () -- C:\WINDOWS\BRWMARK.INI
[2009/11/02 23:41:41 | 00,000,027 | ---- | C] () -- C:\WINDOWS\BRPP2KA.INI
[2009/11/02 23:41:15 | 00,000,228 | ---- | C] () -- C:\WINDOWS\Brpfx04a.ini
[2009/11/02 23:41:15 | 00,000,094 | ---- | C] () -- C:\WINDOWS\brpcfx.ini
[2009/11/02 23:40:41 | 00,106,496 | ---- | C] () -- C:\WINDOWS\System32\BrMuSNMP.dll
[2009/10/29 17:13:18 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/10/27 00:41:45 | 00,045,496 | ---- | C] () -- C:\Documents and Settings\Josh\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/10/26 23:20:35 | 01,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2009/10/26 23:20:35 | 01,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2009/10/26 23:20:34 | 00,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2009/10/26 23:20:33 | 01,486,848 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2009/10/26 21:49:58 | 06,413,602 | -H-- | C] () -- C:\Documents and Settings\Josh\Local Settings\Application Data\IconCache.db
[2009/10/26 21:05:40 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\Josh\Application Data\desktop.ini
[2009/10/26 20:31:10 | 00,000,000 | ---- | C] () -- C:\WINDOWS\control.ini
[2009/10/26 20:27:51 | 00,000,037 | ---- | C] () -- C:\WINDOWS\vbaddin.ini
[2009/10/26 20:27:51 | 00,000,036 | ---- | C] () -- C:\WINDOWS\vb.ini
[2009/10/26 20:27:11 | 00,013,223 | ---- | C] () -- C:\WINDOWS\System32\tslabels.ini
[2009/10/26 20:27:10 | 00,001,931 | ---- | C] () -- C:\WINDOWS\System32\msdtcprf.ini
[2009/10/26 15:05:47 | 00,509,454 | ---- | C] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/10/26 15:05:47 | 00,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2009/10/26 15:05:20 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\desktop.ini
[2008/04/14 07:00:00 | 01,291,264 | ---- | C] () -- C:\WINDOWS\System32\quartz.dll
[2008/04/14 07:00:00 | 01,015,477 | ---- | C] () -- C:\WINDOWS\System32\esentprf.ini
[2008/04/14 07:00:00 | 00,733,696 | ---- | C] () -- C:\WINDOWS\System32\qedwipes.dll
[2008/04/14 07:00:00 | 00,562,176 | ---- | C] () -- C:\WINDOWS\System32\qedit.dll
[2008/04/14 07:00:00 | 00,498,742 | ---- | C] () -- C:\WINDOWS\System32\dxmasf.dll
[2008/04/14 07:00:00 | 00,386,048 | ---- | C] () -- C:\WINDOWS\System32\qdvd.dll
[2008/04/14 07:00:00 | 00,355,112 | ---- | C] () -- C:\WINDOWS\System32\msjetoledb40.dll
[2008/04/14 07:00:00 | 00,279,040 | ---- | C] () -- C:\WINDOWS\System32\qdv.dll
[2008/04/14 07:00:00 | 00,270,848 | ---- | C] () -- C:\WINDOWS\System32\sbe.dll
[2008/04/14 07:00:00 | 00,252,928 | ---- | C] () -- C:\WINDOWS\System32\compatUI.dll
[2008/04/14 07:00:00 | 00,199,168 | ---- | C] () -- C:\WINDOWS\System32\ir32_32.dll
[2008/04/14 07:00:00 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\qcap.dll
[2008/04/14 07:00:00 | 00,186,880 | ---- | C] () -- C:\WINDOWS\System32\encdec.dll
[2008/04/14 07:00:00 | 00,094,282 | ---- | C] () -- C:\WINDOWS\System32\msencode.dll
[2008/04/14 07:00:00 | 00,070,656 | ---- | C] () -- C:\WINDOWS\System32\amstream.dll
[2008/04/14 07:00:00 | 00,059,904 | ---- | C] () -- C:\WINDOWS\System32\devenum.dll
[2008/04/14 07:00:00 | 00,053,478 | ---- | C] () -- C:\WINDOWS\System32\tcpmon.ini
[2008/04/14 07:00:00 | 00,042,809 | ---- | C] () -- C:\WINDOWS\System32\key01.sys
[2008/04/14 07:00:00 | 00,042,537 | ---- | C] () -- C:\WINDOWS\System32\keyboard.sys
[2008/04/14 07:00:00 | 00,035,648 | ---- | C] () -- C:\WINDOWS\System32\ntio411.sys
[2008/04/14 07:00:00 | 00,035,424 | ---- | C] () -- C:\WINDOWS\System32\ntio412.sys
[2008/04/14 07:00:00 | 00,035,328 | ---- | C] () -- C:\WINDOWS\System32\mciqtz32.dll
[2008/04/14 07:00:00 | 00,034,560 | ---- | C] () -- C:\WINDOWS\System32\ntio804.sys
[2008/04/14 07:00:00 | 00,034,560 | ---- | C] () -- C:\WINDOWS\System32\ntio404.sys
[2008/04/14 07:00:00 | 00,033,840 | ---- | C] () -- C:\WINDOWS\System32\ntio.sys
[2008/04/14 07:00:00 | 00,029,370 | ---- | C] () -- C:\WINDOWS\System32\ntdos411.sys
[2008/04/14 07:00:00 | 00,029,274 | ---- | C] () -- C:\WINDOWS\System32\ntdos412.sys
[2008/04/14 07:00:00 | 00,029,146 | ---- | C] () -- C:\WINDOWS\System32\ntdos804.sys
[2008/04/14 07:00:00 | 00,029,146 | ---- | C] () -- C:\WINDOWS\System32\ntdos404.sys
[2008/04/14 07:00:00 | 00,027,866 | ---- | C] () -- C:\WINDOWS\System32\ntdos.sys
[2008/04/14 07:00:00 | 00,027,097 | ---- | C] () -- C:\WINDOWS\System32\country.sys
[2008/04/14 07:00:00 | 00,015,360 | ---- | C] () -- C:\WINDOWS\System32\tsd32.dll
[2008/04/14 07:00:00 | 00,014,336 | ---- | C] () -- C:\WINDOWS\System32\msdmo.dll
[2008/04/14 07:00:00 | 00,013,312 | ---- | C] () -- C:\WINDOWS\System32\win87em.dll
[2008/04/14 07:00:00 | 00,012,082 | ---- | C] () -- C:\WINDOWS\System32\rsvp.ini
[2008/04/14 07:00:00 | 00,010,240 | ---- | C] () -- C:\WINDOWS\System32\scriptpw.dll
[2008/04/14 07:00:00 | 00,010,110 | ---- | C] () -- C:\WINDOWS\System32\mqperf.ini
[2008/04/14 07:00:00 | 00,009,029 | ---- | C] () -- C:\WINDOWS\System32\ansi.sys
[2008/04/14 07:00:00 | 00,006,877 | ---- | C] () -- C:\WINDOWS\System32\pschdprf.ini
[2008/04/14 07:00:00 | 00,004,768 | ---- | C] () -- C:\WINDOWS\System32\himem.sys
[2008/04/14 07:00:00 | 00,004,126 | ---- | C] () -- C:\WINDOWS\System32\msdxmlc.dll
[2008/04/14 07:00:00 | 00,003,458 | ---- | C] () -- C:\WINDOWS\System32\rasctrs.ini
[2008/04/14 07:00:00 | 00,002,891 | ---- | C] () -- C:\WINDOWS\System32\perfci.ini
[2008/04/14 07:00:00 | 00,002,732 | ---- | C] () -- C:\WINDOWS\System32\perfwci.ini
[2008/04/14 07:00:00 | 00,002,656 | ---- | C] () -- C:\WINDOWS\System32\netware.drv
[2008/04/14 07:00:00 | 00,001,405 | ---- | C] () -- C:\WINDOWS\msdfmap.ini
[2008/04/14 07:00:00 | 00,001,152 | ---- | C] () -- C:\WINDOWS\System32\perffilt.ini
[2008/04/14 07:00:00 | 00,000,573 | ---- | C] () -- C:\WINDOWS\win.ini
[2008/04/14 07:00:00 | 00,000,343 | ---- | C] () -- C:\WINDOWS\System32\prodspec.ini
[2008/04/14 07:00:00 | 00,000,231 | ---- | C] () -- C:\WINDOWS\system.ini
[2006/06/29 13:58:52 | 00,030,808 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont
[2006/06/29 13:53:56 | 00,026,489 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
[2006/04/18 14:39:28 | 00,029,779 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
[2006/04/18 14:39:28 | 00,026,040 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
[2003/01/07 14:05:08 | 00,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2001/08/17 17:36:28 | 00,157,696 | ---- | C] () -- C:\WINDOWS\System32\paqsp.dll

========== LOP Check ==========

[2009/10/29 20:10:47 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Adobe
[2009/10/26 23:00:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9
[2009/11/02 23:39:44 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Brother
[2009/11/03 10:52:41 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Canneverbe Limited
[2009/10/26 23:30:12 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Dell
[2009/10/26 23:40:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Intel
[2009/11/25 00:29:54 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/10/29 17:11:09 | 00,000,000 | --SD | M] -- C:\Documents and Settings\All Users\Application Data\Microsoft
[2009/10/27 07:55:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NOS
[2009/11/25 18:27:33 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2009/10/27 00:43:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
[2009/10/29 20:10:25 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Josh\Application Data\Adobe
[2009/11/03 16:48:47 | 00,000,000 | R--D | M] -- C:\Documents and Settings\Josh\Application Data\Brother
[2009/11/03 10:52:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Josh\Application Data\Canneverbe_Limited
[2009/10/26 23:30:13 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Josh\Application Data\Dell
[2009/10/26 21:05:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Josh\Application Data\Identities
[2009/10/26 23:29:54 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Josh\Application Data\InstallShield
[2009/10/26 23:41:19 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Josh\Application Data\Intel
[2009/10/26 23:10:40 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Josh\Application Data\Macromedia
[2009/11/25 00:30:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Josh\Application Data\Malwarebytes
[2009/11/06 11:58:53 | 00,000,000 | --SD | M] -- C:\Documents and Settings\Josh\Application Data\Microsoft
[2009/10/26 22:49:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Josh\Application Data\Mozilla
[2008/04/14 07:00:00 | 00,000,065 | RH-- | M] () -- C:\WINDOWS\Tasks\desktop.ini
[2009/11/18 10:55:00 | 00,000,922 | ---- | M] () -- C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-1214440339-2077806209-1417001333-1003Core.job
[2009/11/25 22:55:00 | 00,000,974 | ---- | M] () -- C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-1214440339-2077806209-1417001333-1003UA.job
[2009/11/25 22:09:58 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\Tasks\SA.DAT

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: ATAPI.SYS >
[2008/04/14 00:10:32 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2008/04/14 00:10:32 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2008/04/14 07:00:00 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\ReinstallBackups\0008\DriverFiles\i386\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/14 07:00:00 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\dllcache\eventlog.dll
[2008/04/14 07:00:00 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/14 07:00:00 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\dllcache\netlogon.dll
[2008/04/14 07:00:00 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: SCECLI.DLL >
[2008/04/14 07:00:00 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\dllcache\scecli.dll
[2008/04/14 07:00:00 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll
< End of report >

-------------------------------
And finally, the extras.txt file:

OTL Extras logfile created on: 11/25/2009 11:00:06 PM - Run 1
OTL by OldTimer - Version 3.1.10.1 Folder = E:\Josh
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 100.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 232.88 Gb Total Space | 140.48 Gb Free Space | 60.32% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 1006.47 Mb Total Space | 70.19 Mb Free Space | 6.97% Space Free | Partition Type: FAT
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: D620XP
Current User Name: Josh
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %* File not found
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
exefile [open] -- "%1" %* File not found
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %* File not found
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1" File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 File not found
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe" = C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"C:\Program Files\AVG\AVG9\avgemc.exe" = C:\Program Files\AVG\AVG9\avgemc.exe:*:Enabled:avgemc.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG9\avgupd.exe" = C:\Program Files\AVG\AVG9\avgupd.exe:*:Enabled:avgupd.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG9\avgnsx.exe" = C:\Program Files\AVG\AVG9\avgnsx.exe:*:Enabled:avgnsx.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe" = C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger -- (Microsoft Corporation)
"C:\Program Files\VectorWorks 11\VectorWorks.exe" = C:\Program Files\VectorWorks 11\VectorWorks.exe:*:Enabled:VectorWorks Application -- (Nemetschek North America, Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26E1BFB0-E87E-4696-9F89-B467F01F81E5}" = Broadcom Advanced Control Suite
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{43602F34-1AA3-44FB-AEB2-D08C2C73743F}" = Paint.NET v3.36
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{52A7C6A6-6B88-47D1-922E-9F8A7E089E6A}" = Intel® PROSet/Wireless WiFi Software
"{6D8D64BE-F500-55B6-705D-DFD08AFE0624}" = Acrobat.com
"{7E265513-8CDA-4631-B696-F40D983F3B07}_is1" = CDBurnerXP
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = ALPS Touch Pad Driver
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = SigmaTel Audio
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{AC76BA86-7AD7-1033-7B44-A92000000001}" = Adobe Reader 9.2
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B7F54262-AB66-44B3-88BF-9FC69941B643}" = Broadcom Gigabit Integrated Controller
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C5074CC4-0E26-4716-A307-960272A90040}" = QuickSet
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{ED00D08A-3C5F-488D-93A0-A04F21F23956}" = Windows Live Communications Platform
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F0F563C4-D4AD-41C4-A8A6-26664C027D11}" = Brother MFL-Pro Suite
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"Adobe AIR" = Adobe AIR
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"AVG9Uninstall" = AVG Free 9.0
"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_14F100C3" = Conexant HDA D110 MDC V.92 Modem
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"CutePDF Writer Installation" = CutePDF Writer 2.8
"ERUNT_is1" = ERUNT 1.1j
"FMS" = FMS
"HijackThis" = HijackThis 2.0.2
"ie8" = Windows Internet Explorer 8
"IrfanView" = IrfanView (remove only)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.5.5)" = Mozilla Firefox (3.5.5)
"MSNINST" = MSN
"NVIDIA Drivers" = NVIDIA Drivers
"ProInst" = Intel PROSet Wireless
"SmartPropoPlus" = SmartPropoPlus
"VectorWorks 11" = VectorWorks 11
"WinLiveSuite_Wave3" = Windows Live Essentials

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 11/19/2009 12:58:36 AM | Computer Name = D620XP | Source = Google Update | ID = 20
Description =

Error - 11/19/2009 1:58:38 AM | Computer Name = D620XP | Source = Google Update | ID = 20
Description =

Error - 11/22/2009 1:55:05 PM | Computer Name = D620XP | Source = Google Update | ID = 20
Description =

Error - 11/25/2009 1:55:07 AM | Computer Name = D620XP | Source = Google Update | ID = 20
Description =

Error - 11/25/2009 12:55:05 PM | Computer Name = D620XP | Source = Google Update | ID = 20
Description =

Error - 11/25/2009 1:58:21 PM | Computer Name = D620XP | Source = Google Update | ID = 20
Description =

Error - 11/25/2009 2:58:40 PM | Computer Name = D620XP | Source = Google Update | ID = 20
Description =

Error - 11/25/2009 6:55:05 PM | Computer Name = D620XP | Source = Google Update | ID = 20
Description =

Error - 11/25/2009 7:55:05 PM | Computer Name = D620XP | Source = Google Update | ID = 20
Description =

Error - 11/25/2009 8:55:05 PM | Computer Name = D620XP | Source = Google Update | ID = 20
Description =

[ System Events ]
Error - 11/25/2009 11:08:15 PM | Computer Name = D620XP | Source = Service Control Manager | ID = 7031
Description = The AVG Free WatchDog service terminated unexpectedly. It has done
this 1 time(s). The following corrective action will be taken in 0 milliseconds:
Restart the service.

Error - 11/25/2009 11:08:15 PM | Computer Name = D620XP | Source = Service Control Manager | ID = 7034
Description = The Intel® PROSet/Wireless Event Log service terminated unexpectedly.
It has done this 1 time(s).

Error - 11/25/2009 11:08:15 PM | Computer Name = D620XP | Source = Service Control Manager | ID = 7034
Description = The NVIDIA Display Driver Service service terminated unexpectedly.
It has done this 1 time(s).

Error - 11/25/2009 11:08:15 PM | Computer Name = D620XP | Source = Service Control Manager | ID = 7034
Description = The NMSAccessU service terminated unexpectedly. It has done this
1 time(s).

Error - 11/25/2009 11:08:15 PM | Computer Name = D620XP | Source = Service Control Manager | ID = 7034
Description = The Intel® PROSet/Wireless Registry Service service terminated unexpectedly.
It has done this 1 time(s).

Error - 11/25/2009 11:08:15 PM | Computer Name = D620XP | Source = Service Control Manager | ID = 7034
Description = The Intel® PROSet/Wireless SSO Service service terminated unexpectedly.
It has done this 1 time(s).

Error - 11/25/2009 11:08:15 PM | Computer Name = D620XP | Source = Service Control Manager | ID = 7034
Description = The AVG Free E-mail Scanner service terminated unexpectedly. It has
done this 1 time(s).

Error - 11/25/2009 11:10:04 PM | Computer Name = D620XP | Source = DCOM | ID = 10016
Description = The machine-default permission settings do not grant Local Activation
permission for the COM Server application with CLSID {A4199E55-EBB9-49E5-AF1A-7A5408B2E206}

to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission
can be modified using the Component Services administrative tool.

Error - 11/25/2009 11:10:04 PM | Computer Name = D620XP | Source = DCOM | ID = 10016
Description = The machine-default permission settings do not grant Local Activation
permission for the COM Server application with CLSID {A4199E55-EBB9-49E5-AF1A-7A5408B2E206}

to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission
can be modified using the Component Services administrative tool.

Error - 11/25/2009 11:10:04 PM | Computer Name = D620XP | Source = DCOM | ID = 10016
Description = The machine-default permission settings do not grant Local Activation
permission for the COM Server application with CLSID {A4199E55-EBB9-49E5-AF1A-7A5408B2E206}

to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission
can be modified using the Component Services administrative tool.


< End of report >
#2
RKinner (Malware Expert, MVP, 23,139 posts)
The rootrepeal log is normal. I would prefer the Full Scan with MBAM but the quick scan found nothing.

The only thing that looks suspicious in OTL is the autoexec.bat file date:

O32 - AutoRun File - [2009/10/26 20:31:10 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT

Apparently the file is empty, so it probably is not important, but usually it gets a date close to the time Windows was installed since it is no longer used for much of anything.

There is an odd error:
"Error - 11/25/2009 11:10:04 PM | Computer Name = D620XP | Source = DCOM | ID = 10016
Description = The machine-default permission settings do not grant Local Activation
permission for the COM Server application with CLSID {A4199E55-EBB9-49E5-AF1A-7A5408B2E206}

to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission
can be modified using the Component Services administrative tool."

At this same time a bunch of other programs crashed, so you might want to fix it. See:
BradC's comment at:
http://community.spi...w/84-dcom-10016

A4199E55-EBB9-49E5-AF1A-7A5408B2E206 is Intel's PROSet Wireless connection utility.

Or just uninstall the PROSet and let Windows handle the wireless.



I'd like to see a combofix log before saying for sure that it's clean but there is nothing obvious.

Download but do not yet run ComboFix
:!: If you have a previous version of Combofix.exe, delete it and download a fresh copy. :!:

:!: It must be saved to your desktop, do not run it :!:

:!: Disable your Antivirus software when downloading or running Combofix. If it has Script Blocking features, please disable these as well. See: http://www.bleepingc...opic114351.html


Download and Rename this file -- (call it george.exe ) to your Desktop -- from either of these two sources:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Doubleclick on george to start the program.



* :!: Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.


* A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix. Allow it to install the Recovery Console then Continue. When the scan completes Notepad will open with your results log open. Do a File, Exit and answer 'Yes' to save changes.


A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.

Re-activate your protection programs at this time :!:


Post Back (copy/paste the .txt files, do not use attachments)
After following the above, post back with:



1. Contents of C:\Combofix.txt


Ron

PS You can post the logs for the second computer in this same thread. Just mark them as TWO.
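An added triage helper, not part of the original post and not OTL's own code: it parses entries in the format of the OTL Extras "Last 10 Event Log Errors" section, groups unexpected service terminations (Service Control Manager IDs 7031/7034) by timestamp, pulls the CLSID and SID out of DCOM 10016 entries, and reports which DCOM errors fall within a few minutes of a crash cluster, which is the "at this same time a bunch of other programs crashed" correlation Ron makes by eye. The sample entries are constructed from the ones quoted above; the function names and the 180-second window are my own choices.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a subset of the entries quoted in the OTL Extras log above.
SAMPLE_LOG = r"""
[ System Events ]
Error - 11/25/2009 11:08:15 PM | Computer Name = D620XP | Source = Service Control Manager | ID = 7031
Description = The AVG Free WatchDog service terminated unexpectedly. It has done
this 1 time(s). The following corrective action will be taken in 0 milliseconds:
Restart the service.

Error - 11/25/2009 11:08:15 PM | Computer Name = D620XP | Source = Service Control Manager | ID = 7034
Description = The NVIDIA Display Driver Service service terminated unexpectedly.
It has done this 1 time(s).

Error - 11/25/2009 11:10:04 PM | Computer Name = D620XP | Source = DCOM | ID = 10016
Description = The machine-default permission settings do not grant Local Activation
permission for the COM Server application with CLSID {A4199E55-EBB9-49E5-AF1A-7A5408B2E206}

to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission
can be modified using the Component Services administrative tool.
"""

# The entry header carries timestamp, host, source and event ID on one line.
HEADER_RE = re.compile(
    r"^Error - (?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) \| "
    r"Computer Name = (?P<host>.+?) \| Source = (?P<source>.+?) \| ID = (?P<id>\d+)\s*$"
)
SECTION_RE = re.compile(r"^\[ (?P<name>.+?) \]\s*$")
TERMINATED_RE = re.compile(r"The (?P<svc>.+?) service terminated unexpectedly")
CLSID_RE = re.compile(r"CLSID \{(?P<clsid>[0-9A-Fa-f-]{36})\}")
SID_RE = re.compile(r"SID \((?P<sid>S-[0-9-]+)\)")


def parse_otl_events(text):
    """One dict per 'Error - ...' entry; OTL wraps descriptions over several
    lines (with stray blank lines), so they are joined back into one string."""
    events, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group("name")
            continue
        head = HEADER_RE.match(line)
        if head:
            current = {
                "section": section,
                "ts": datetime.strptime(head.group("ts"), "%m/%d/%Y %I:%M:%S %p"),
                "host": head.group("host"),
                "source": head.group("source"),
                "event_id": int(head.group("id")),
                "description": "",
            }
            events.append(current)
            continue
        if current is None or not line:
            continue  # blank lines inside a wrapped description carry nothing
        if line.startswith("Description ="):
            line = line[len("Description ="):].strip()
        current["description"] = (current["description"] + " " + line).strip()
    return events


def crash_clusters(events):
    """Group SCM 7031/7034 entries by exact timestamp: several services dying
    in the same second is the pattern that deserves a closer look."""
    clusters = defaultdict(list)
    for ev in events:
        if ev["source"] == "Service Control Manager" and ev["event_id"] in (7031, 7034):
            m = TERMINATED_RE.search(ev["description"])
            clusters[ev["ts"]].append(m.group("svc") if m else "<unknown>")
    return dict(clusters)


def dcom_10016_details(events):
    """(CLSID, SID) from each DCOM 10016 entry, so the CLSID can be looked up
    under HKEY_CLASSES_ROOT\\CLSID without retyping it from the log."""
    out = []
    for ev in events:
        if ev["source"] == "DCOM" and ev["event_id"] == 10016:
            c = CLSID_RE.search(ev["description"])
            s = SID_RE.search(ev["description"])
            out.append((c.group("clsid") if c else None, s.group("sid") if s else None))
    return out


def dcom_near_crashes(events, window_seconds=180):
    """DCOM 10016 entries logged within window_seconds of a crash cluster."""
    window = timedelta(seconds=window_seconds)
    crash_times = list(crash_clusters(events))
    return [ev for ev in events
            if ev["source"] == "DCOM" and ev["event_id"] == 10016
            and any(abs(ev["ts"] - t) <= window for t in crash_times)]


if __name__ == "__main__":
    evs = parse_otl_events(SAMPLE_LOG)
    print("crash clusters:", crash_clusters(evs))
    print("DCOM 10016 details:", dcom_10016_details(evs))
    print("DCOM errors near a crash cluster:", len(dcom_near_crashes(evs)))
```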

#3
bearj (Topic Starter, New Member, 7 posts)
Sorry for the delay, I got called away for a while. However, I'm now back and I've done as you requested. One odd thing was that Combofix seems to have just opened a Notepad window with the log file text in it. There was no file saved in C:\ or anywhere else I could find.

I can also post a MBAM full scan if you want.

Here's the Combofix log:

ComboFix 09-12-09.04 - Josh 12/09/2009 20:17:06.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2448 [GMT -5:00]
Running from: c:\documents and settings\Josh\Desktop\george.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\st325602.dll

.
((((((((((((((((((((((((( Files Created from 2009-11-10 to 2009-12-10 )))))))))))))))))))))))))))))))
.

2009-11-26 03:13 . 2009-11-26 03:13 -------- d-----w- c:\program files\ERUNT
2009-11-25 22:51 . 2009-11-25 23:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-25 22:51 . 2009-11-25 22:51 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-25 05:30 . 2009-11-25 05:30 -------- d-----w- c:\documents and settings\Josh\Application Data\Malwarebytes
2009-11-25 05:29 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-25 05:29 . 2009-11-25 05:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-25 05:29 . 2009-11-25 05:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-25 05:29 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-17 16:37 . 2009-11-19 04:35 -------- d-----w- c:\documents and settings\Josh\Local Settings\Application Data\CutePDF Writer
2009-11-17 16:33 . 2009-11-17 16:33 -------- d-----w- c:\program files\GPLGS
2009-11-17 16:32 . 2007-07-13 03:33 87552 ----a-w- c:\windows\system32\cpwmon2k.dll
2009-11-17 16:32 . 2009-11-17 16:32 -------- d-----w- c:\program files\Acro Software
2009-11-12 15:45 . 2009-11-12 15:45 3963648 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2009-11-12 15:45 . 2009-11-12 15:45 497944 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchjwx.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-09 16:51 . 2009-10-27 04:00 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-03 21:48 . 2009-11-03 21:48 -------- d-----r- c:\documents and settings\Josh\Application Data\Brother
2009-11-03 18:31 . 2009-10-27 05:41 45496 ----a-w- c:\documents and settings\Josh\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-03 16:00 . 2009-11-03 16:00 -------- d-----w- c:\program files\Paint.NET
2009-11-03 15:52 . 2009-11-03 15:52 -------- d-----w- c:\documents and settings\Josh\Application Data\Canneverbe_Limited
2009-11-03 15:52 . 2009-11-03 15:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Canneverbe Limited
2009-11-03 15:52 . 2009-11-03 15:52 -------- d-----w- c:\program files\CDBurnerXP
2009-11-03 15:36 . 2009-11-03 15:36 -------- d-----w- c:\program files\IrfanView
2009-11-03 04:46 . 2009-11-03 04:39 57 ----a-w- c:\documents and settings\All Users\Application Data\Brother\BrLog\BrCollectDir\BR_cat.bat
2009-11-03 04:41 . 2009-11-03 04:41 50 ----a-w- c:\windows\system32\bridf06a.dat
2009-11-03 04:40 . 2009-11-03 04:40 -------- d-----w- c:\program files\Brother
2009-11-03 04:40 . 2009-10-27 04:20 -------- d-----w- c:\program files\Common Files\InstallShield
2009-11-03 04:40 . 2009-10-27 04:23 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-03 04:39 . 2009-11-03 04:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Brother
2009-11-02 03:35 . 2009-11-02 03:25 -------- d-----w- c:\program files\VectorWorks 11
2009-11-01 18:32 . 2009-11-01 18:31 -------- d-----w- c:\program files\FMS
2009-10-29 22:12 . 2009-10-29 22:12 -------- d-----w- c:\program files\Microsoft ActiveSync
2009-10-29 22:11 . 2009-10-29 22:11 -------- d-----w- c:\program files\Microsoft.NET
2009-10-29 20:49 . 2009-10-29 20:49 -------- d-----w- c:\program files\Microsoft
2009-10-29 20:49 . 2009-10-29 20:49 -------- d-----w- c:\program files\Windows Live
2009-10-29 20:49 . 2009-10-29 20:49 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-10-29 20:46 . 2009-10-29 20:46 -------- d-----w- c:\program files\Common Files\Windows Live
2009-10-29 07:45 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-27 18:23 . 2009-10-27 18:23 -------- d-----w- c:\program files\MSBuild
2009-10-27 18:23 . 2009-10-27 18:23 -------- d-----w- c:\program files\Reference Assemblies
2009-10-27 12:55 . 2009-10-27 04:08 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-10-27 04:41 . 2009-10-27 04:41 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Intel
2009-10-27 04:41 . 2009-10-27 04:41 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Intel
2009-10-27 04:41 . 2009-10-27 04:41 -------- d-----w- c:\documents and settings\LocalService\Application Data\Intel
2009-10-27 04:41 . 2009-10-27 04:41 -------- d-----w- c:\documents and settings\Josh\Application Data\Intel
2009-10-27 04:41 . 2009-10-27 04:41 -------- d-----w- c:\documents and settings\Default User\Application Data\Intel
2009-10-27 04:40 . 2009-10-27 04:40 -------- d-----w- c:\program files\Common Files\Intel
2009-10-27 04:40 . 2009-10-27 04:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Intel
2009-10-27 04:40 . 2009-10-27 04:28 -------- d-----w- c:\program files\Intel
2009-10-27 04:33 . 2009-10-27 04:33 5 ----a-w- c:\windows\system32\drivers\DELL_LAT_D620.MRK
2009-10-27 04:33 . 2009-10-27 04:33 5 ----a-w- c:\windows\system32\drivers\1028_DELL_LAT_D620.MRK
2009-10-27 04:33 . 2009-10-27 04:27 -------- d-----w- c:\program files\Dell
2009-10-27 04:30 . 2009-10-27 04:30 -------- d-----w- c:\program files\SigmaTel
2009-10-27 04:30 . 2009-10-27 04:30 -------- d-----w- c:\documents and settings\Josh\Application Data\Dell
2009-10-27 04:30 . 2009-10-27 04:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Dell
2009-10-27 04:29 . 2009-10-27 04:29 -------- d-----w- c:\documents and settings\Josh\Application Data\InstallShield
2009-10-27 04:26 . 2009-10-27 04:26 -------- d-----w- c:\program files\Broadcom
2009-10-27 04:25 . 2009-10-27 04:25 -------- d-----w- c:\program files\CONEXANT
2009-10-27 04:23 . 2009-10-27 04:23 -------- d-----w- c:\program files\Apoint
2009-10-27 04:22 . 2009-10-27 04:21 27744 ----a-w- c:\windows\system32\nvModes.dat
2009-10-27 04:12 . 2009-10-27 04:11 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-27 04:10 . 2009-10-27 04:10 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-10-27 04:10 . 2009-10-27 04:10 38208 ----a-w- c:\documents and settings\Josh\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-10-27 04:10 . 2009-10-27 04:10 38208 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-10-27 04:09 . 2009-10-27 04:09 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-10-27 04:08 . 2009-10-27 04:08 1925024 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
2009-10-27 04:00 . 2009-10-27 04:00 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-27 04:00 . 2009-10-27 04:00 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-27 04:00 . 2009-10-27 04:00 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-10-27 04:00 . 2009-10-27 04:00 -------- d-----w- c:\program files\AVG
2009-10-27 04:00 . 2009-10-27 04:00 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-10-27 03:49 . 2009-10-27 03:49 0 ----a-w- c:\windows\nsreg.dat
2009-10-27 01:57 . 2009-10-27 01:30 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-10-27 01:31 . 2009-10-27 01:31 -------- d-----w- c:\program files\microsoft frontpage
2009-10-27 01:28 . 2009-10-27 01:28 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-10-21 05:38 . 2008-04-14 12:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2008-04-14 12:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2008-04-14 12:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2008-04-14 12:00 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2008-04-14 12:00 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2008-04-14 12:00 79872 ----a-w- c:\windows\system32\raschap.dll
2009-09-29 01:57 . 2009-11-03 15:52 7168 ----a-w- c:\windows\system32\drivers\StarOpen.sys
2009-09-25 05:37 . 2009-09-25 05:37 81920 ------w- c:\windows\system32\ieencode.dll
2009-09-11 14:18 . 2008-04-14 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Google Update"="c:\documents and settings\Josh\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-11-03 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-06-09 13537280]
"nwiz"="nwiz.exe" [2008-06-09 1630208]
"NVHotkey"="nvHotkey.dll" [2008-06-09 90112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-06-09 86016]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-07-20 1228800]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [2008-08-20 1368064]
"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2008-08-20 1191936]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-11-12 2020120]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-06-28 622592]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-06-29 77824]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-10-27 04:00 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\VectorWorks 11\\VectorWorks.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/26/2009 11:00 PM 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/26/2009 11:00 PM 360584]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [10/26/2009 11:00 PM 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [10/26/2009 11:00 PM 285392]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 4:06 PM 11520]
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Josh\Application Data\Mozilla\Firefox\Profiles\ndme59kn.default\
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\Josh\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-09 20:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(912)
c:\windows\system32\netprovcredman.dll
.
Completion time: 2009-12-09 20:20:40
ComboFix-quarantined-files.txt 2009-12-10 01:20

Pre-Run: 150,166,388,736 bytes free
Post-Run: 150,186,151,936 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - BAA1F4E4D07EC645CF62E969E6B32BA3


Thanks for the help!
  • 0

#4
RKinner
    Malware Expert
  • Expert
  • 23,139 posts
  • MVP
Log doesn't show anything bad so I would say this PC is clean and the other one is at fault. I think the file ComboFix deleted (st325602.dll) is a false positive since you do have something from SigmaTel on your PC. I think it's audio related, so if you have problems with your audio you need to restore the file. It will be in C:\qoobox\quarantine\c\windows\system32 and will have been renamed to st325602.dll.vir, so you would need to locate it with Explorer, right-click on it and Rename it to st325602.dll, then copy the file, go to C:\windows\system32\ and paste it in.

Alternatively you can do the following:

Start, Run, cmd, OK to open a new command window. Type with an Enter after each line:

copy \qoobox\quarantine\c\windows\system32\st325602.dll.vir \windows\system32\st325602.dll

Instead of typing you can highlight the above line and press Ctrl + C, then open the command window, right-click and Paste. Then Enter.

Ron
  • 0
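The restore step Ron describes above depends on one property of ComboFix's quarantine: a removed file is moved to C:\qoobox\quarantine\<drive letter>\<original path> with ".vir" appended, so the quarantined copy's location tells you where it came from. The following Python helper is an added example, not code from the thread or from ComboFix: it derives the original path from the quarantine path, refuses to overwrite a file that already exists at the destination (a reinstalled driver may have put a fresh copy there), copies the file back with its timestamps, and verifies the copy by SHA-256. The temporary directory standing in for C:\ and the bytes written into the stand-in DLL are constructed for the demo; on the real machine you would call restore(pathlib.Path("C:/"), pathlib.Path(r"C:\qoobox\quarantine\c\windows\system32\st325602.dll.vir")) from an administrator prompt.

```python
"""Restore a file from ComboFix's quarantine (added example, not from the thread).

ComboFix moves a removed file to <drive root>\\qoobox\\quarantine\\<drive letter>\\<original path>
and appends ".vir" to its name, so the quarantined copy's location encodes where it
came from.  The helpers below derive the original path, refuse to clobber a file that
already exists there, and verify the copy by hash.  demo() builds a throwaway tree in a
temporary directory standing in for C:\\ so the example runs on any OS.
"""
import hashlib
import pathlib
import shutil
import tempfile

QUARANTINE_SUFFIX = ".vir"


def original_path(root: pathlib.Path, quarantined: pathlib.Path) -> pathlib.Path:
    """Map <root>/qoobox/quarantine/c/windows/system32/x.dll.vir to <root>/windows/system32/x.dll."""
    rel = quarantined.relative_to(root / "qoobox" / "quarantine")  # c/windows/system32/x.dll.vir
    if len(rel.parts) < 2 or not rel.name.endswith(QUARANTINE_SUFFIX):
        raise ValueError(f"not a ComboFix quarantine path: {quarantined}")
    # rel.parts[0] is the one-letter drive folder; the rest is the path on that drive.
    return root.joinpath(*rel.parts[1:-1], rel.name[: -len(QUARANTINE_SUFFIX)])


def sha256_of(path: pathlib.Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def restore(root: pathlib.Path, quarantined: pathlib.Path, overwrite: bool = False) -> pathlib.Path:
    """Copy the quarantined file back to its original location and return that path.

    The quarantine copy is left in place so ComboFix's own records stay consistent.
    """
    dest = original_path(root, quarantined)
    if dest.exists() and not overwrite:
        # A file already there may be a newer copy an installer laid down; do not clobber it silently.
        raise FileExistsError(f"{dest} already exists; pass overwrite=True to replace it")
    dest.parent.mkdir(parents=True, exist_ok=True)
    shutil.copy2(quarantined, dest)  # copy2 keeps the original timestamps
    if sha256_of(dest) != sha256_of(quarantined):
        raise IOError(f"copy of {quarantined} to {dest} did not verify")
    return dest


def demo() -> dict:
    """Self-contained run against a constructed quarantine tree (not the real DLL)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = pathlib.Path(tmp)
        q = root / "qoobox" / "quarantine" / "c" / "windows" / "system32" / "st325602.dll.vir"
        q.parent.mkdir(parents=True)
        q.write_bytes(b"constructed stand-in for the quarantined DLL\n")
        dest = restore(root, q)
        try:
            restore(root, q)  # second attempt must refuse: the file is already back in place
            refused = False
        except FileExistsError:
            refused = True
        return {
            "restored_to": dest.relative_to(root).as_posix(),
            "hash_matches": sha256_of(dest) == sha256_of(q),
            "refused_overwrite": refused,
        }


if __name__ == "__main__":
    print(demo())
```

The quarantine copy is deliberately left where it is rather than moved, so a later ComboFix run or its uninstall still finds what it expects; delete C:\qoobox yourself once the audio is confirmed working.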

#7
bearj
    New Member
  • Topic Starter
  • Member
  • Pip
  • 7 posts
Well that's good news! And so far audio is working as I expect it.

So...now on to computer #2. Here are the MBAM, RootRepeal, and OTL logs.

First, MalwareBytes:
Malwarebytes' Anti-Malware 1.42
Database version: 3289
Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

12/10/2009 11:08:42 PM
mbam-log-2009-12-10 (23-08-42).txt

Scan type: Quick Scan
Objects scanned: 99481
Time elapsed: 3 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


-----
Next the RootRepeal log:
ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/12/10 23:16
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB1AEA000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF79BD000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF76C7000 Size: 49152 File Visible: No Signed: -
Status: -

==EOF==

Next, the OTL log:
OTL logfile created on: 12/10/2009 11:19:30 PM - Run 1
OTL by OldTimer - Version 3.1.15.0 Folder = C:\Documents and Settings\Josh\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.40 Gb Total Physical Memory | 0.99 Gb Available Physical Memory | 70.85% Memory free
3.25 Gb Paging File | 2.99 Gb Available in Paging File | 91.82% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 44.89 Gb Total Space | 27.85 Gb Free Space | 62.04% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive X: | 539.49 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: PrlSF
Drive Y: | 419.88 Gb Total Space | 78.69 Gb Free Space | 18.74% Space Free | Partition Type: PrlSF
Drive Z: | 419.88 Gb Total Space | 78.69 Gb Free Space | 18.74% Space Free | Partition Type: PrlSF

Computer Name: BRAEBURNWIN
Current User Name: Josh
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2009/12/10 23:17:28 | 00,537,088 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Josh\Desktop\OTL.exe
PRC - [2009/11/26 11:58:51 | 01,055,000 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgchsvx.exe
PRC - [2009/11/26 11:58:51 | 00,600,344 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgnsx.exe
PRC - [2009/11/26 11:58:51 | 00,502,040 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgrsx.exe
PRC - [2009/11/26 11:58:50 | 00,702,744 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgcsrvx.exe
PRC - [2009/11/26 11:58:49 | 02,020,120 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgtray.exe
PRC - [2009/11/26 11:58:46 | 00,285,392 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe
PRC - [2009/10/14 13:27:58 | 00,027,976 | ---- | M] (Parallels, Inc.) -- C:\Program Files\Parallels\Parallels Tools\Services\coherence.exe
PRC - [2009/10/14 13:27:24 | 00,129,864 | ---- | M] (Parallels, Inc.) -- C:\Program Files\Parallels\Parallels Tools\SIA\SharedIntApp.exe
PRC - [2009/10/14 13:27:20 | 00,138,056 | ---- | M] (Parallels, Inc.) -- C:\Program Files\Parallels\Parallels Tools\Services\prl_tools_service.exe
PRC - [2009/10/14 13:27:06 | 00,198,984 | ---- | M] (Parallels, Inc.) -- C:\Program Files\Parallels\Parallels Tools\prl_cc.exe
PRC - [2009/10/14 13:26:32 | 00,140,104 | ---- | M] (Parallels, Inc.) -- C:\Program Files\Parallels\Parallels Tools\Services\prl_tools.exe
PRC - [2009/06/05 12:39:22 | 00,292,136 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe
PRC - [2009/06/05 12:39:14 | 00,541,992 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
PRC - [2009/06/05 10:48:14 | 00,144,712 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2009/01/20 15:28:24 | 00,099,632 | ---- | M] (Apple Inc.) -- C:\WINDOWS\system32\AppleTimeSrv.exe
PRC - [2009/01/20 15:28:22 | 00,136,496 | ---- | M] () -- C:\WINDOWS\system32\AppleOSSMgr.exe
PRC - [2008/12/12 10:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2008/07/11 06:05:00 | 00,226,592 | ---- | M] (SafeNet, Inc) -- C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
PRC - [2008/07/11 00:02:10 | 00,328,992 | ---- | M] (SafeNet, Inc.) -- C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
PRC - [2008/04/14 07:00:00 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/11/13 12:39:52 | 01,289,000 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft ActiveSync\wcescomm.exe
PRC - [2006/11/13 12:39:34 | 00,199,464 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft ActiveSync\rapimgr.exe


========== Modules (SafeList) ==========

MOD - [2009/12/10 23:17:28 | 00,537,088 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Josh\Desktop\OTL.exe


========== Win32 Services (SafeList) ==========

SRV - [2009/11/26 11:58:46 | 00,285,392 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgwdsvc.exe -- (avg9wd)
SRV - [2009/10/14 13:27:58 | 00,027,976 | ---- | M] (Parallels, Inc.) [Auto | Running] -- C:\Program Files\Parallels\Parallels Tools\Services\coherence.exe -- (Parallels Coherence Service)
SRV - [2009/10/14 13:27:20 | 00,138,056 | ---- | M] (Parallels, Inc.) [Auto | Running] -- C:\Program Files\Parallels\Parallels Tools\Services\prl_tools_service.exe -- (Parallels Tools Service)
SRV - [2009/06/05 12:39:14 | 00,541,992 | ---- | M] (Apple Inc.) [On_Demand | Running] -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2009/06/05 10:48:14 | 00,144,712 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2009/01/20 15:28:24 | 00,099,632 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\WINDOWS\system32\AppleTimeSrv.exe -- (AppleTimeSrv)
SRV - [2009/01/20 15:28:22 | 00,136,496 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\AppleOSSMgr.exe -- (AppleOSSMgr)
SRV - [2009/01/20 15:20:54 | 00,168,004 | ---- | M] (NVIDIA Corporation) [Auto | Stopped] -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc)
SRV - [2008/12/12 10:17:38 | 00,238,888 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2008/07/11 06:05:00 | 00,226,592 | ---- | M] (SafeNet, Inc) [Auto | Running] -- C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe -- (SentinelProtectionServer)
SRV - [2008/07/11 00:02:10 | 00,328,992 | ---- | M] (SafeNet, Inc.) [Auto | Running] -- C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe -- (SentinelKeysServer)
SRV - [2003/07/28 11:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\..\URLSearchHook: {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\pdfforge Toolbar\SearchSettings.dll (Spigot, Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {8b86149f-01fb-4842-9dd8-4d7eb02fd055}:0.19.1
FF - prefs.js..extensions.enabledItems: {B922D405-6D13-4A2B-AE89-08A030DA4402}:1.0
FF - prefs.js..extensions.enabledItems: [email protected]:1.2.1

FF - HKLM\software\mozilla\Mozilla Firefox 3.0.13\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/10/05 16:03:31 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.13\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/10/05 16:03:32 | 00,000,000 | ---D | M]

[2009/05/23 06:09:27 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Josh\Application Data\Mozilla\Extensions
[2009/11/24 19:38:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Josh\Application Data\Mozilla\Firefox\Profiles\hye1z6ni.default\extensions
[2009/06/08 09:27:12 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Josh\Application Data\Mozilla\Firefox\Profiles\hye1z6ni.default\extensions\{8b86149f-01fb-4842-9dd8-4d7eb02fd055}
[2009/11/24 19:38:49 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/05/23 10:24:23 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\{B922D405-6D13-4A2B-AE89-08A030DA4402}
[2009/05/23 10:24:23 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\[email protected]

O1 HOSTS File: (760 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 .psf
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (pdfforge Toolbar) - {B922D405-6D13-4A2B-AE89-08A030DA4402} - C:\Program Files\pdfforge Toolbar\WidgiToolbarIE.dll (GreenTree Applications, Inc.)
O2 - BHO: (no name) - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\pdfforge Toolbar\SearchSettings.dll (Spigot, Inc.)
O3 - HKLM\..\Toolbar: (pdfforge Toolbar) - {B922D405-6D13-4A2B-AE89-08A030DA4402} - C:\Program Files\pdfforge Toolbar\WidgiToolbarIE.dll (GreenTree Applications, Inc.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\ALCMTR.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [AVG9_TRAY] C:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [BluetoothAuthenticationAgent] C:\WINDOWS\System32\bthprops.cpl (Microsoft Corporation)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [Parallels Shared Internet Applications] C:\Program Files\Parallels\Parallels Tools\SIA\SharedIntApp.exe (Parallels, Inc.)
O4 - HKLM..\Run: [Parallels Tools Center] C:\Program Files\Parallels\Parallels Tools\prl_cc.exe (Parallels, Inc.)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
O4 - HKLM..\Run: [RTHDCPL] C:\WINDOWS\RTHDCPL.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [SearchSettings] C:\Program Files\pdfforge Toolbar\SearchSettings.exe (Spigot, Inc.)
O4 - HKCU..\Run: [Google Update] C:\Documents and Settings\Josh\Local Settings\Application Data\Google\Update\GoogleUpdate.exe (Google Inc.)
O4 - HKCU..\Run: [H/PC Connection Agent] C:\Program Files\Microsoft ActiveSync\Wcescomm.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: .psf ([]file in Trusted sites)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} http://dlm.tools.aka...vex-2.2.4.8.cab (DLM Control)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (OnlineScanner Control)
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx (AcDcToday Control)
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} file://C:\Program Files\AutoCAD 2002\InstBanr.ocx (NOXLATE-BANR)
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} file://C:\Program Files\AutoCAD 2002\InstFred.ocx (InstaFred)
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} file://C:\Program Files\AutoCAD 2002\AcPreview.ocx (AcPreview Control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.211.55.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/05/10 17:05:59 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\##.psf#My Passport\Shell - "" = AutoRun
O33 - MountPoints2\##.psf#My Passport\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\##.psf#My Passport\Shell\AutoRun\command - "" = X:\setup.exe -- File not found
O33 - MountPoints2\##.psf#NO NAME\Shell - "" = AutoRun
O33 - MountPoints2\##.psf#NO NAME\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\##.psf#NO NAME\Shell\AutoRun\command - "" = Y:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\svchost.exe -- File not found
O33 - MountPoints2\##.psf#NO NAME\Shell\open\command - "" = Y:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\svchost.exe -- File not found
O33 - MountPoints2\{6c552a22-6da2-11de-b73d-001c4262bce9}\Shell\AutoRun\command - "" = C:\WINDOWS\System32\setup.exe -- [2008/04/14 07:00:00 | 00,023,040 | ---- | M] (Microsoft Corporation)
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2009/05/10 16:40:22 | 00,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - C:\WINDOWS\system32\irmon.dll (Microsoft Corporation)
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16891947461378048)

========== Files/Folders - Created Within 14 Days ==========

[2009/12/10 23:17:26 | 00,537,088 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Josh\Desktop\OTL.exe
[2009/12/10 23:09:43 | 00,472,064 | ---- | C] ( ) -- C:\Documents and Settings\Josh\Desktop\RootRepeal.exe
[2009/12/10 23:01:09 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/12/10 23:00:52 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2009/12/10 22:57:53 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Josh\Desktop\Scanners
[2009/12/06 22:01:47 | 00,000,000 | ---D | C] -- C:\Program Files\LogicPort
[2009/12/06 22:01:47 | 00,000,000 | ---D | C] -- C:\WINDOWS\System\drivers
[2009/12/01 19:41:30 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Josh\Local Settings\Application Data\Yenka
[2009/12/01 19:38:14 | 00,000,000 | ---D | C] -- C:\Program Files\Yenka
[2009/11/26 11:56:51 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009/11/26 11:56:51 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2009/11/26 11:56:51 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2009/11/26 11:56:51 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2009/05/23 10:17:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2003/06/19 10:05:04 | 00,431,888 | --S- | C] (Microsoft Corporation) -- C:\Program Files\Common Files\riched20.dll
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 14 Days ==========

[2009/12/10 23:17:28 | 00,537,088 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Josh\Desktop\OTL.exe
[2009/12/10 23:16:08 | 00,000,000 | ---- | M] () -- C:\Documents and Settings\Josh\Desktop\settings.dat
[2009/12/10 23:09:44 | 00,472,064 | ---- | M] ( ) -- C:\Documents and Settings\Josh\Desktop\RootRepeal.exe
[2009/12/10 23:03:53 | 00,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/12/10 23:03:31 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/12/10 23:03:27 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/12/10 23:02:46 | 02,621,440 | -H-- | M] () -- C:\Documents and Settings\Josh\NTUSER.DAT
[2009/12/10 23:02:46 | 00,000,278 | -HS- | M] () -- C:\Documents and Settings\Josh\ntuser.ini
[2009/12/10 14:28:00 | 00,000,974 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-448539723-1500820517-1644491937-1003UA.job
[2009/12/10 13:44:02 | 46,449,860 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2009/12/10 13:43:37 | 00,122,916 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2009/12/10 13:39:39 | 00,514,462 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/12/10 13:39:39 | 00,436,258 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/12/10 13:39:39 | 00,068,866 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/12/09 23:59:42 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/12/09 22:28:00 | 00,000,922 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-448539723-1500820517-1644491937-1003Core.job
[2009/12/06 22:01:49 | 00,001,572 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\LogicPort.lnk
[2009/12/06 17:49:17 | 00,000,049 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2009/12/06 17:48:44 | 00,023,552 | ---- | M] () -- C:\Documents and Settings\Josh\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/12/03 16:14:06 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/12/03 16:13:56 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/12/01 19:55:28 | 00,003,709 | ---- | M] () -- C:\Documents and Settings\Josh\My Documents\SwitchSim.yka
[2009/12/01 19:40:10 | 00,001,611 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Yenka.lnk
[2009/11/28 11:17:03 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2009/12/10 23:16:08 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\Josh\Desktop\settings.dat
[2009/12/06 22:01:49 | 00,001,572 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\LogicPort.lnk
[2009/12/01 19:55:28 | 00,003,709 | ---- | C] () -- C:\Documents and Settings\Josh\My Documents\SwitchSim.yka
[2009/12/01 19:40:10 | 00,001,611 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Yenka.lnk
[2009/08/27 21:15:58 | 00,002,528 | ---- | C] () -- C:\Documents and Settings\Josh\Application Data\$_hpcst$.hpc
[2009/08/07 00:44:03 | 00,000,049 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2009/07/13 14:39:51 | 00,023,552 | ---- | C] () -- C:\Documents and Settings\Josh\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/06/10 11:41:38 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/05/23 10:23:54 | 00,116,224 | ---- | C] () -- C:\WINDOWS\System32\pdfcmnnt.dll
[2009/05/11 06:15:04 | 01,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2009/05/11 06:15:04 | 01,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2009/05/11 06:15:03 | 00,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2009/05/11 06:15:02 | 01,486,848 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2009/05/11 06:15:02 | 00,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2009/03/23 12:44:22 | 00,081,920 | ---- | C] () -- C:\WINDOWS\System32\MPMapTrace.dll
[2009/03/23 12:09:28 | 00,364,544 | ---- | C] () -- C:\WINDOWS\System32\mpPathan.dll
[2006/12/13 15:03:14 | 00,074,240 | ---- | C] () -- C:\WINDOWS\System32\zlibwapi.dll
[2003/01/07 14:05:08 | 00,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2000/09/18 15:50:28 | 00,202,752 | ---- | C] () -- C:\WINDOWS\System32\zlib.dll

========== LOP Check ==========

[2009/11/26 11:58:46 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9
[2009/05/23 07:53:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MA Lighting Technologies
[2009/06/10 11:54:40 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2009/07/11 00:18:10 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Josh\Application Data\Autodesk
[2009/06/10 11:15:37 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Josh\Application Data\CadSoft
[2009/11/29 17:27:56 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\Josh\Application Data\Microchip
[2009/10/29 18:45:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Josh\Application Data\Parallels
[2009/05/29 21:26:14 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Josh\Application Data\pdfforge
[2009/05/29 21:26:17 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Josh\Application Data\Search Settings

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: ATAPI.SYS >
[2009/05/11 18:56:04 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/14 07:00:00 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\dllcache\eventlog.dll
[2008/04/14 07:00:00 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/14 07:00:00 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\dllcache\netlogon.dll
[2008/04/14 07:00:00 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2009/02/06 13:46:09 | 00,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\SoftwareDistribution\Download\555558d2c7916b118ad5baef62b18136\SP2QFE\netlogon.dll

< MD5 for: SCECLI.DLL >
[2008/04/14 07:00:00 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\dllcache\scecli.dll
[2008/04/14 07:00:00 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >
< End of report >

-----
And finally the OTL extras log:
OTL Extras logfile created on: 12/10/2009 11:19:30 PM - Run 1
OTL by OldTimer - Version 3.1.15.0 Folder = C:\Documents and Settings\Josh\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.40 Gb Total Physical Memory | 0.99 Gb Available Physical Memory | 70.85% Memory free
3.25 Gb Paging File | 2.99 Gb Available in Paging File | 91.82% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 44.89 Gb Total Space | 27.85 Gb Free Space | 62.04% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive X: | 539.49 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: PrlSF
Drive Y: | 419.88 Gb Total Space | 78.69 Gb Free Space | 18.74% Space Free | Partition Type: PrlSF
Drive Z: | 419.88 Gb Total Space | 78.69 Gb Free Space | 18.74% Space Free | Partition Type: PrlSF

Computer Name: BRAEBURNWIN
Current User Name: Josh
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"26675:TCP" = 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"26675:TCP" = 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe" = C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager -- (Microsoft Corporation)
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe" = C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager -- (Microsoft Corporation)
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe" = C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\MA Lighting Technologies\grandMA\ grandMA2 onPC 1.000\gma2onpc.exe" = C:\Program Files\MA Lighting Technologies\grandMA\ grandMA2 onPC 1.000\gma2onpc.exe:*:Enabled:gma2onpc -- ()
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- (Apple Inc.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\MA Lighting Technologies\grandMA\grandMA onPC 5.920\gmaOnPC.exe" = C:\Program Files\MA Lighting Technologies\grandMA\grandMA onPC 5.920\gmaOnPC.exe:*:Enabled:gmaOnPC -- ™
"C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe" = C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe:*:Enabled:Sentinel Protection Server -- (SafeNet, Inc)
"C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe" = C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe:*:Enabled:Sentinel Keys Server -- (SafeNet, Inc.)
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe" = C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager -- (Microsoft Corporation)
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe" = C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager -- (Microsoft Corporation)
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe" = C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application -- (Microsoft Corporation)
"C:\Program Files\AVG\AVG9\avgupd.exe" = C:\Program Files\AVG\AVG9\avgupd.exe:*:Enabled:avgupd.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG9\avgnsx.exe" = C:\Program Files\AVG\AVG9\avgnsx.exe:*:Enabled:avgnsx.exe -- (AVG Technologies CZ, s.r.o.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
" grandMA2 onPC 1.000" = grandMA2 onPC 1.000
"{0001B4FD-9EA3-4D90-A79E-FD14BA3AB01D}" = PDFCreator
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{1540C876-F39E-4405-BEF7-3A6C30BE9C08}" = Parallels Tools
"{287ECFA4-719A-2143-A09B-D6A12DE54E40}" = Acrobat.com
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3C3D696B-0DB7-3C6D-A356-3DB8CE541918}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
"{43602F34-1AA3-44FB-AEB2-D08C2C73743F}" = Paint.NET v3.36
"{44564479-0533-4542-8D5A-4937EA4BFBAC}" = MPLAB Tools v8.30
"{5783F2D7-0101-0409-0000-0060B0CE6BBA}" = AutoCAD 2002
"{58EADB7D-3EF7-4209-B1A1-39CDEAA2C0EC}" = Vivien
"{5D601655-6D54-4384-B52C-17EC5385FBBD}" = iTunes
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{8355F970-601D-442D-A79B-1D7DB4F24CAD}" = Apple Mobile Device Support
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{96BE30F4-D29C-4304-BD1C-B7B7D147FCDE}" = Hog2PC 3.4.3.160
"{99052DB7-9592-4522-A558-5417BBAD48EE}" = Microsoft ActiveSync
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A5A63519-F5C2-4F4A-849A-F28A1AB3D522}" = Sentinel Protection Installer 7.5.0
"{AC76BA86-7AD7-1033-7B44-A91000000001}" = Adobe Reader 9.1
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B498EC40-04DA-11DD-6784-0B58D97A18BE}" = LogicPort
"{B8B0FC8B-E69B-4215-AF1A-4BDFF20D794B}" = pdfforge Toolbar v1.0
"{B8F556C7-FA95-432A-B9B4-5E414F2015F2}" = WYSIWYG Textures
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C78EAC6F-7A73-452E-8134-DBB2165C5A68}" = QuickTime
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D2C46D78-4B9A-45BA-896A-86FE930239B4}" = WYSIWYG
"{F0E45628-1218-4865-A516-8E8A54272ADC}" = Boot Camp Services
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{FFB61732-3942-4EC0-B7B6-0B32695CB436}" = GC-Prevue 17.3.2
"065B919FD23D12E588F6E2BFB21F7836E2F0E704" = Windows Driver Package - Intel Net (07/16/2008 9.52.10.0)
"1E934494E1FDB938ED1D9B958D5D5D465A07F06A" = Windows Driver Package - Intel Net (08/05/2008 10.3.49.0)
"2AC97D2605162B73D046D68013D1030CB7CFB87E" = Windows Driver Package - Intel Net (01/08/2008 8.3.9.0)
"4D00971668041EDAD7097C5827D1739F03B9E5D7" = Windows Driver Package - Apple Inc. Apple IR Receiver (02/21/2008 2.0.4.0)
"5CAEB5499BEEC88685160E3A8EA2837463582707" = Windows Driver Package - Atheros (AR5416) Net (09/18/2008 7.6.1.149)
"5EB750CA881E02D17EC9337C89965E602A363B24" = Windows Driver Package - Apple Inc. Apple Multitouch Mouse (01/13/2009 2.1.2.110)
"5F8BE32FAE3D6BC77B512F7B0624D7B6C8A26EFB" = Windows Driver Package - Apple Inc. Apple Bluetooth Enabler (06/27/2007 2.0.0.1)
"627745F8E8BB901B043047C3E308B4A76C1194FE" = Windows Driver Package - Intel (E1000) Net (11/07/2007 8.10.1.0)
"675AAC36E980D647C94EAFFB2F929F247E711708" = Windows Driver Package - Intel (e1kexpress) Net (07/22/2008 10.3.45.0)
"6AB59209597E0F6B986EC8E976521FDF0A696C9D" = Windows Driver Package - Marvell (yukonwxp) Net (03/23/2007 10.12.7.3)
"72D80FFBCBE049DB294FF180D250CFBD3EB318D1" = Windows Driver Package - Apple Inc. Apple Multitouch (01/13/2008 2.1.2.110)
"78C67451B87511098A9A0EC86E75B99B12298F5C" = Windows Driver Package - Intel (e1express) Net (02/06/2008 9.12.18.0)
"7BD968405DE73C7E0F8E489DB5A5853A6CCB8D1D" = Windows Driver Package - Intel (e1qexpress) Net (08/05/2008 10.3.49.0)
"82BE89CA9B7493FA05D2D4D32B415CF07EA08B47" = Windows Driver Package - Intel System (07/20/2007 1.2.76.0)
"9324ED54E32F5399037F87E076CA01C6CEB92830" = Windows Driver Package - Apple Inc. Apple Built-in iSight (10/25/2007 2.0.1.0)
"9747248FCA6A074E791AABC17F527823A8225756" = Windows Driver Package - Intel Net (07/22/2008 10.3.45.0)
"992615C0D0002C27AA3BB336C66D1E7764047A51" = Windows Driver Package - Apple Inc. Apple Trackpad (10/09/2007 2.0.1.5)
"A06888013552B918232820F81FDBA706F5CAAD39" = Windows Driver Package - Intel (e1yexpress) Net (06/13/2008 9.52.9.0)
"AD3493E108434977125BBF78F47699626F8AF64B" = Windows Driver Package - Apple Inc. (AppleUSBEthernet) Net (01/11/2008 3.4.3.18)
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"AnswerWorks" = AnswerWorks Runtime
"AVG9Uninstall" = AVG Free 9.0
"B345101E6CC8B2FD9765620B9C7BCD3D7002BE6D" = Windows Driver Package - Intel Net (02/06/2008 9.12.17.0)
"B4AC4F962DDC0DD6B71FCF20B8F2F694214FAE69" = Windows Driver Package - Apple Inc. Apple ODD (01/17/2008 2.0.2.2)
"CobBackup9" = Cobian Backup 9
"D1E46C4F35C591B14E31349A9EDA8227C5F0E966" = Windows Driver Package - Apple Inc. Apple Trackpad Enabler (10/09/2007 2.0.1.5)
"D3BCC671821E117ACD653C1AA146540791143F25" = Windows Driver Package - Apple Inc. Apple Display (12/19/2007 2.0.2.0)
"D6C9DD5C967BC29A19DB3D4D989A513581F00AC7" = Windows Driver Package - Atheros (AR5416) Net (09/18/2008 7.6.1.149)
"D7BD0CDD4F84752390916F44F40574507E36FE5E" = Windows Driver Package - Apple Inc. (applebt) Bluetooth (01/19/2009 2.1.2.1)
"EAGLE 5.6.0" = EAGLE 5.6.0
"EAGLE PCB Power Tools 5.06" = EAGLE PCB Power Tools 5.06
"EASEUS Todo Backup 1.0_is1" = EASEUS Todo Backup 1.0
"ERUNT_is1" = ERUNT 1.1j
"ESET Online Scanner" = ESET Online Scanner v3
"F24CB85E5983448F6319803791DEACED91E6565B" = Windows Driver Package - Apple Inc. System (08/22/2008 2.1.1.1)
"F9CAE8A40A51E1CCEA10B0012CD7CFD3877B50DD" = Windows Driver Package - Broadcom (BCM43XX) Net (10/22/2008 5.10.38.26)
"FE6C13AFE350660993DCE88716B777EF0BCB2C91" = Windows Driver Package - Apple Inc. Apple Keyboard (09/15/2008 2.1.2.0)
"FMS" = FMS
"GMA Remote Emulator 6.100" = GMA Remote Emulator 6.100
"grandMA onPC 5.920" = grandMA onPC 5.920
"grandMA onPC 6.120" = grandMA onPC 6.120
"HijackThis" = HijackThis 2.0.2
"Horizon Software" = Horizon Software
"Icon Restore_is1" = Icon Restore 1.0
"InstallShield_{44564479-0533-4542-8D5A-4937EA4BFBAC}" = MPLAB Tools v8.30
"IrfanView" = IrfanView (remove only)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.0.13)" = Mozilla Firefox (3.0.13)
"Nero - Burning Rom!UninstallKey" = Nero 6 Ultra Edition
"NetSetMan 2_is1" = NetSetMan 2.6.1
"NVIDIA Drivers" = NVIDIA Drivers
"SmartPropoPlus" = SmartPropoPlus
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"X-Lite 1.5_is1" = X-Lite 3.0
"Yenka" = Yenka

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 9/20/2009 8:26:36 PM | Computer Name = BRAEBURNWIN | Source = Google Update | ID = 20
Description =

Error - 9/21/2009 12:25:49 AM | Computer Name = BRAEBURNWIN | Source = Google Update | ID = 20
Description =

Error - 9/22/2009 8:26:14 AM | Computer Name = BRAEBURNWIN | Source = Google Update | ID = 20
Description =

Error - 9/26/2009 1:26:37 AM | Computer Name = BRAEBURNWIN | Source = Google Update | ID = 20
Description =

Error - 10/1/2009 12:26:39 PM | Computer Name = BRAEBURNWIN | Source = Google Update | ID = 20
Description =

Error - 10/1/2009 1:26:38 PM | Computer Name = BRAEBURNWIN | Source = Google Update | ID = 20
Description =

Error - 10/1/2009 2:26:27 PM | Computer Name = BRAEBURNWIN | Source = Google Update | ID = 20
Description =

Error - 10/2/2009 9:30:13 PM | Computer Name = BRAEBURNWIN | Source = Google Update | ID = 20
Description =

Error - 10/4/2009 1:23:25 PM | Computer Name = BRAEBURNWIN | Source = Google Update | ID = 20
Description =

Error - 10/4/2009 2:23:25 PM | Computer Name = BRAEBURNWIN | Source = Google Update | ID = 20
Description =

[ System Events ]
Error - 10/5/2009 3:52:38 PM | Computer Name = BRAEBURNWIN | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 119 minutes. NtpClient has no source of accurate
time.

Error - 10/5/2009 5:03:17 PM | Computer Name = BRAEBURNWIN | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
again in 15 minutes. The error was: A socket operation was attempted to an unreachable
host. (0x80072751)

Error - 10/5/2009 5:03:17 PM | Computer Name = BRAEBURNWIN | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 14 minutes. NtpClient has no source of accurate
time.

Error - 10/5/2009 5:03:29 PM | Computer Name = BRAEBURNWIN | Source = Server | ID = 2505
Description = The server could not bind to the transport \Device\NetBT_Tcpip_{78D88B1C-CD6E-49DB-9809-AD22905B4CE3}
because another computer on the network has the same name. The server could not
start.

Error - 10/7/2009 10:48:42 AM | Computer Name = BRAEBURNWIN | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.0.132 for the Network Card with network
address 001C427FF573 has been denied by the DHCP server 0.0.0.0 (The DHCP Server
sent a DHCPNACK message).

Error - 10/7/2009 9:15:09 PM | Computer Name = BRAEBURNWIN | Source = Dhcp | ID = 1001
Description = Your computer was not assigned an address from the network (by the
DHCP Server) for the Network Card with network address 001C427FF573. The following
error occurred: %%121. Your computer will continue to try and obtain an address on
its own from the network address (DHCP) server.

Error - 10/7/2009 11:37:28 PM | Computer Name = BRAEBURNWIN | Source = Server | ID = 2505
Description = The server could not bind to the transport \Device\NetBT_Tcpip_{78D88B1C-CD6E-49DB-9809-AD22905B4CE3}
because another computer on the network has the same name. The server could not
start.

Error - 10/7/2009 11:56:58 PM | Computer Name = BRAEBURNWIN | Source = Dhcp | ID = 1002
Description = The IP address lease 10.211.55.5 for the Network Card with network
address 001C427FF573 has been denied by the DHCP server 0.0.0.0 (The DHCP Server
sent a DHCPNACK message).

Error - 10/7/2009 11:58:04 PM | Computer Name = BRAEBURNWIN | Source = Dhcp | ID = 1001
Description = Your computer was not assigned an address from the network (by the
DHCP Server) for the Network Card with network address 001C427FF573. The following
error occurred: %%121. Your computer will continue to try and obtain an address on
its own from the network address (DHCP) server.

Error - 10/9/2009 2:27:18 AM | Computer Name = BRAEBURNWIN | Source = Server | ID = 2505
Description = The server could not bind to the transport \Device\NetBT_Tcpip_{78D88B1C-CD6E-49DB-9809-AD22905B4CE3}
because another computer on the network has the same name. The server could not
start.


< End of report >

Thanks for the help!
  • 0

#8
RKinner

RKinner

    Malware Expert

  • Expert
  • 23,139 posts
  • MVP
Found something on this one.

"O33 - MountPoints2\##.psf#NO NAME\Shell\AutoRun\command - "" = Y:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\svchost.exe -- File not found
O33 - MountPoints2\##.psf#NO NAME\Shell\open\command - "" = Y:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\svchost.exe -- File not found
O33 - MountPoints2\{6c552a22-6da2-11de-b73d-001c4262bce9}\Shell\AutoRun\command - "" = C:\WINDOWS\System32\setup.exe -- [2008/04/14 07:00:00 | 00,023,040 | "

Can't imagine why a legitimate program would run from a folder called Recycler. Apparently the file is not there now. What is Y: ?


Copy the text between the lines of stars by highlighting and Ctrl + c.

******************************************************************
reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2" /f

**********************************************************************

Start, Run, cmd, OK to bring up a new Command Prompt window. Right-click and select Paste and the above text should appear. Make sure you got it all and then hit Enter.

Close the Command Prompt window.

What that does is remove all of the mountpoints so they are not automatically run.

It is usually a good idea to also run: Flash_Disinfector.exe
Download Flash_Disinfector.exe by sUBs
http://www.techsuppo...Disinfector.exe
and save it to your desktop.

* Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
* The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
* Wait until it has finished scanning and then exit the program.
* Reboot your computer when done.


Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.

I would also like for you to submit the file C:\WINDOWS\System32\setup.exe to http://www.virustotal.com

Click the Browse button then point it at c:\windows\system32\setup.exe then click on Send File. It will think for a little while then you will get a report. Wait until it finishes then copy it and paste it into your next reply.

The name is too common to be sure what it is but I'm not used to seeing it as a mountpoint.

Finally run Combofix as before and post its log.

Ron
  • 0

#9
bearj

bearj

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Hmm...interesting. This machine is actually a Parallels virtual machine installed on a Mac. The Y: drive is mapped so that the virtual machine can access the host's drive. If I delete the mountpoints will that get rid of my network drives or just programs that are automatically run?

If something has hidden itself on the Mac partition it's rather clever. I should be able to clean it as usual as for the most part OSX just ignores the files that Windows places there. I'll wait to run those things until I've heard back from you though.

Thanks!
  • 0

#10
RKinner

RKinner

    Malware Expert

  • Expert
  • 23,139 posts
  • MVP
First time I've run into your type of setup so I'm no expert but even if your Mac will ignore the files it appears that the virtual windows will try to use them whenever they are around. Usually we see this type of thing on an infected USB drive. Normally when you plug it in you get a little window asking what you want to do. In the window is a box saying Automatically do this every time. If you check the box and select one of the options you get a mountpoint entry so the window is skipped the next time.

You can skip the mountpoint removal if you like. You might try and create a folder called svchost.exe at Y:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\. That will prevent the file from coming back since Windows won't make a file of the same name as a folder. (If it won't let you make a folder then that means a hidden file exists of the same name.) The rest should not bother your setup.

Ron
  • 0
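An added example (my own code, not from this thread, from OTL or from any tool mentioned here): a small Python triage script that parses OTL "O33 - MountPoints2" lines like the ones Ron quoted in post #8 and flags the traits he and post #10 describe (a program launched from a RECYCLER folder, a system-process name such as svchost.exe outside System32, a target that is no longer present, and a volume handler that points at the system drive instead of the volume). The sample lines are constructed, modelled on the thread's entries, and the rule names and severity levels are my own assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample lines in OTL's "O33 - MountPoints2" report format.
# The first three are modelled on the entries quoted in this thread; the
# last one is a made-up, ordinary-looking CD autorun entry for contrast.
SAMPLE_O33_LINES = [
    r'O33 - MountPoints2\##.psf#NO NAME\Shell\AutoRun\command - "" = Y:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\svchost.exe -- File not found',
    r'O33 - MountPoints2\##.psf#NO NAME\Shell\open\command - "" = Y:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\svchost.exe -- File not found',
    r'O33 - MountPoints2\{6c552a22-6da2-11de-b73d-001c4262bce9}\Shell\AutoRun\command - "" = C:\WINDOWS\System32\setup.exe -- [2008/04/14 07:00:00 | 00,023,040 | ---- | M] (Microsoft Corporation)',
    r'O33 - MountPoints2\{11111111-2222-3333-4444-555555555555}\Shell\AutoRun\command - "" = "E:\Setup\Launcher.exe" /autorun -- [2009/01/01 00:00:00 | 00,100,000 | ---- | M] (Example Vendor)',
]

# mount key \ Shell \ verb \ command - "value name" = command -- file status
O33_RE = re.compile(
    r'^O33 - MountPoints2\\(?P<mount>[^\\]+)\\Shell\\(?P<verb>[^\\]+)\\command'
    r' - "(?P<valname>[^"]*)" = (?P<command>.+?) -- (?P<status>.*)$'
)

RECYCLE_DIRS = ("\\recycler\\", "\\recycled\\", "\\$recycle.bin\\")
SID_DIR_RE = re.compile(r"\\s-1-5-21(?:-\d+){3,4}\\", re.IGNORECASE)
SYSTEM_PROCESS_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}
LEVELS = {"info": 0, "review": 1, "high": 2}   # assumed severity ladder


@dataclass
class MountPointEntry:
    mount: str
    verb: str
    command: str
    status: str
    findings: list = field(default_factory=list)   # (level, message) pairs

    @property
    def severity(self) -> str:
        if not self.findings:
            return "none"
        return max((lvl for lvl, _ in self.findings), key=LEVELS.__getitem__)

    @property
    def messages(self) -> list:
        return [msg for _, msg in self.findings]


def parse_o33(line: str):
    """Parse one OTL O33 line; return a MountPointEntry, or None for other lines."""
    m = O33_RE.match(line.strip().lstrip('"'))
    if m is None:
        return None
    return MountPointEntry(m["mount"], m["verb"], m["command"], m["status"])


def executable_path(command: str) -> str:
    """Return just the program part of a shell command (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def analyse(entry: MountPointEntry) -> MountPointEntry:
    """Apply the heuristics from the thread and attach findings to the entry."""
    path = executable_path(entry.command)
    lowered = path.lower()
    basename = lowered.rsplit("\\", 1)[-1]

    # A legitimate program never runs out of the recycle bin; SID-named
    # subfolders under RECYCLER are a classic hiding place for worms.
    if any(d in lowered for d in RECYCLE_DIRS):
        entry.findings.append(("high", "program launched from a recycle-bin folder"))
    if SID_DIR_RE.search(lowered):
        entry.findings.append(("high", "path contains a SID-named subfolder"))
    # Windows never runs its own service host from a removable or mapped drive.
    if basename in SYSTEM_PROCESS_NAMES and "\\system32\\" not in lowered:
        entry.findings.append(("high", f"{basename} outside %SystemRoot%\\System32"))
    # The dropper may already be gone, but the autorun hook stays behind.
    if entry.status.lower().startswith("file not found"):
        entry.findings.append(("review", "target file is missing: stale or hidden autorun target"))
    # A handler for a removable volume usually points at a file on that volume;
    # one that runs a file from the system drive instead is unusual.
    if entry.mount.startswith("{") and lowered.startswith("c:\\"):
        entry.findings.append(("review", "volume autorun points at the system drive rather than the volume"))
    # Any AutoRun handler deserves a hash lookup; a common name proves nothing.
    if entry.verb.lower() == "autorun" and entry.severity != "high":
        entry.findings.append(("info", "AutoRun handler: confirm the file's hash/signature before trusting it"))
    return entry


def scan_log(lines):
    """Parse and analyse every O33 line in an OTL log; other lines are ignored."""
    entries = []
    for line in lines:
        entry = parse_o33(line)
        if entry is not None:
            entries.append(analyse(entry))
    return entries


def report(entries) -> str:
    out = []
    for e in entries:
        out.append(f"[{e.severity.upper():6}] {e.mount} {e.verb}: {e.command}")
        for msg in e.messages:
            out.append(f"          - {msg}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(scan_log(SAMPLE_O33_LINES)))
```

Feed it the O33 section of a real OTL log (one line per list element) to get the same ranking over the whole MountPoints2 set.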


#11
bearj

bearj

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Ok, I tried to download Flash Disinfector but got a 404 error. Any thoughts?

In any case, I've skipped the mountpoint removal for the moment. Here is the Virustotal log: (cool site by the way!)

Antivirus Version Last Update Result
a-squared 4.5.0.43 2009.12.11 -
AhnLab-V3 5.0.0.2 2009.12.11 -
AntiVir 7.9.1.108 2009.12.11 -
Antiy-AVL 2.0.3.7 2009.12.11 -
Authentium 5.2.0.5 2009.12.02 -
Avast 4.8.1351.0 2009.12.11 -
AVG 8.5.0.427 2009.12.11 -
BitDefender 7.2 2009.12.11 -
CAT-QuickHeal 10.00 2009.12.11 -
ClamAV 0.94.1 2009.12.11 -
Comodo 3208 2009.12.11 -
DrWeb 5.0.0.12182 2009.12.11 -
eSafe 7.0.17.0 2009.12.10 -
eTrust-Vet 35.1.7171 2009.12.11 -
F-Prot 4.5.1.85 2009.12.11 -
F-Secure 9.0.15370.0 2009.12.11 -
Fortinet 4.0.14.0 2009.12.11 -
GData 19 2009.12.11 -
Ikarus T3.1.1.74.0 2009.12.11 -
Jiangmin 13.0.900 2009.12.11 -
K7AntiVirus 7.10.918 2009.12.11 -
Kaspersky 7.0.0.125 2009.12.11 -
McAfee 5829 2009.12.11 -
McAfee+Artemis 5829 2009.12.11 -
McAfee-GW-Edition 6.8.5 2009.12.11 -
Microsoft 1.5302 2009.12.11 -
NOD32 4680 2009.12.11 -
Norman 6.04.03 2009.12.11 -
nProtect 2009.1.8.0 2009.12.11 -
Panda 10.0.2.2 2009.12.11 -
PCTools 7.0.3.5 2009.12.11 -
Prevx 3.0 2009.12.11 -
Rising 22.25.04.07 2009.12.11 -
Sophos 4.48.0 2009.12.11 -
Sunbelt 3.2.1858.2 2009.12.11 -
Symantec 1.4.4.12 2009.12.11 -
TheHacker 6.5.0.2.091 2009.12.11 -
TrendMicro 9.100.0.1001 2009.12.11 -
VBA32 3.12.12.0 2009.12.10 -
ViRobot 2009.12.11.2083 2009.12.11 -
VirusBuster 5.0.21.0 2009.12.11 -
Additional information
File size: 23040 bytes
MD5...: 759a1524c60da113b43c5a13b5fd39ac
SHA1..: 8c3ffbe8e71f473801f54464763c51d81e5d8dec
SHA256: a6af1bfbed853058c9be38bc8b5ffbc36ad22a6d2e60b083515a08fd3a27e4f9
ssdeep: 384:etKlAsClaC7Q/JJNW/6gGFJe/jKfGbLthN0q2EDWtmyiWA2yW21:iJsy57Q/dgsE73tU73Ays2
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x20e1
timedatestamp.....: 0x48025271 (Sun Apr 13 18:35:29 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x46d4 0x4800 6.48 af52dd1b65d31246a2bdc962c7b6acc9
.data 0x6000 0x838 0x400 2.08 f4be14ccf0a7729f861af17cd3cc27de
.rsrc 0x7000 0x8e8 0xa00 3.41 e093258730df23789310bbb3de97715a

( 1 imports )
> KERNEL32.dll: DisconnectNamedPipe, CloseHandle, FreeLibrary, GetLastError, ReadFile, ConnectNamedPipe, SetEvent, CreateNamedPipeA, OpenEventA, LoadLibraryA, GetProcAddress, GetModuleFileNameA, QueryPerformanceCounter, GetTickCount, GetCurrentThreadId, GetCurrentProcessId, GetSystemTimeAsFileTime, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCommandLineA, GetVersionExA, ExitProcess, GetModuleHandleA, WriteFile, GetStdHandle, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, SetHandleCount, GetFileType, GetStartupInfoA, HeapDestroy, HeapCreate, VirtualFree, HeapFree, HeapAlloc, GetACP, GetOEMCP, GetCPInfo, VirtualAlloc, HeapReAlloc, RtlUnwind, InterlockedExchange, VirtualQuery, LCMapStringA, MultiByteToWideChar, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, VirtualProtect, GetSystemInfo

( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
sigcheck:
publisher....: Microsoft Corporation
copyright....: © Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: Windows NT Setup Executable
original name: SETUP.EXE
internal name: SETUP.EXE
file version.: 5.1.2600.5512 (xpsp.080413-2111)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

-----
And here's my Combofix log. It said it found a rootkit and asked to reboot so I let it. Once I logged in again it continued on.

ComboFix 09-12-11.01 - Josh 12/11/2009 17:08:35.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1431.1054 [GMT -5:00]
Running from: c:\documents and settings\Josh\Desktop\george.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\pdfforge Toolbar\SearchSettings.dll

.
((((((((((((((((((((((((( Files Created from 2009-11-11 to 2009-12-11 )))))))))))))))))))))))))))))))
.

2009-12-11 18:51 . 2009-11-26 16:58 798488 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avginet.dll
2009-12-11 04:02 . 2009-12-11 04:02 4844296 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-12-11 04:00 . 2009-12-11 04:00 -------- d-----w- c:\program files\ERUNT
2009-12-10 02:00 . 2009-12-10 02:00 249344 ----a-w- c:\documents and settings\Josh\Application Data\Parallels\Shared Applications\Help Viewer (Mac).exe
2009-12-10 02:00 . 2009-12-10 02:00 249344 ----a-w- c:\documents and settings\Josh\Application Data\Parallels\Shared Applications\Microsoft Word (Mac).exe
2009-12-10 02:00 . 2009-12-10 02:00 249344 ----a-w- c:\documents and settings\Josh\Application Data\Parallels\Shared Applications\TextEdit (Mac).exe
2009-12-10 02:00 . 2009-12-10 02:00 249344 ----a-w- c:\documents and settings\Josh\Application Data\Parallels\Shared Applications\Microsoft PowerPoint (Mac).exe
2009-12-10 02:00 . 2009-12-10 02:00 249344 ----a-w- c:\documents and settings\Josh\Application Data\Parallels\Shared Applications\Microsoft Excel (Mac).exe
2009-12-10 02:00 . 2009-12-10 02:00 249344 ----a-w- c:\documents and settings\Josh\Application Data\Parallels\Shared Applications\Google Chrome (Mac).exe
2009-12-10 02:00 . 2009-12-10 02:00 249344 ----a-w- c:\documents and settings\Josh\Application Data\Parallels\Shared Applications\Firefox (Mac).exe
2009-12-10 02:00 . 2009-12-10 02:00 249344 ----a-w- c:\documents and settings\Josh\Application Data\Parallels\Shared Applications\System Profiler (Mac).exe
2009-12-07 03:01 . 2009-12-07 03:02 -------- d-----w- c:\program files\LogicPort
2009-12-07 03:01 . 2009-12-07 03:01 -------- d-----w- c:\windows\system\drivers
2009-12-02 00:41 . 2009-12-02 00:42 -------- d-----w- c:\documents and settings\Josh\Local Settings\Application Data\Yenka
2009-12-02 00:38 . 2009-12-02 00:40 -------- d-----w- c:\program files\Yenka
2009-11-29 22:28 . 2009-11-29 22:28 3963160 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2009-11-29 22:28 . 2009-11-26 16:58 497944 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchjwx.dll
2009-11-29 22:27 . 2009-11-29 22:27 844056 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2009-11-29 22:27 . 2009-11-29 22:27 1658136 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2009-11-27 00:37 . 2009-11-27 00:37 249344 ----a-w- c:\documents and settings\Josh\Application Data\Parallels\Shared Applications\ColorSync Utility (Mac).exe
2009-11-27 00:37 . 2009-11-27 00:37 249344 ----a-w- c:\documents and settings\Josh\Application Data\Parallels\Shared Applications\Preview (Mac).exe
2009-11-27 00:37 . 2009-11-27 00:37 249344 ----a-w- c:\documents and settings\Josh\Application Data\Parallels\Shared Applications\Safari (Mac).exe
2009-11-26 16:59 . 2009-11-26 17:10 -------- d-----w- C:\$AVG
2009-11-26 16:59 . 2009-11-26 16:59 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-26 16:59 . 2009-11-26 16:59 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-26 16:59 . 2009-11-26 16:59 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-26 16:59 . 2009-11-26 16:59 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-11-26 16:58 . 2009-12-11 18:52 -------- d-----w- c:\windows\system32\drivers\Avg
2009-11-26 16:58 . 2009-11-26 16:58 -------- d-----w- c:\program files\AVG
2009-11-26 16:58 . 2009-11-26 16:58 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-11-26 04:28 . 2009-11-26 04:28 249344 ----a-w- c:\documents and settings\Josh\Application Data\Parallels\Shared Applications\EAGLE (Mac).exe
2009-11-25 04:06 . 2009-11-25 04:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-25 04:06 . 2009-11-25 04:06 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-25 03:34 . 2009-11-25 03:34 -------- d-----w- c:\documents and settings\Josh\Application Data\Malwarebytes
2009-11-25 03:34 . 2009-12-03 21:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-25 03:34 . 2009-12-03 21:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-25 03:34 . 2009-11-25 03:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-25 03:34 . 2009-12-11 04:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-25 00:42 . 2009-11-25 00:42 -------- d-----w- c:\program files\ESET
2009-11-13 05:51 . 2009-11-13 05:51 -------- d-----w- C:\embedinc

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-11 22:12 . 2009-05-23 15:24 -------- d-----w- c:\program files\pdfforge Toolbar
2009-11-29 22:27 . 2009-06-10 20:49 -------- d--h--r- c:\documents and settings\Josh\Application Data\Microchip
2009-11-03 21:20 . 2009-11-03 21:16 -------- d-----w- c:\program files\Vivien 2010
2009-11-03 21:15 . 2009-05-11 11:15 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-01 22:43 . 2009-11-01 22:43 249344 ----a-w- c:\documents and settings\Josh\Application Data\Parallels\Shared Applications\Grapher (Mac).exe
2009-10-31 01:04 . 2009-10-31 01:02 -------- d-----w- c:\program files\FMS
2009-10-30 15:47 . 2008-09-27 06:18 39664 ----a-w- c:\windows\system32\drivers\FTD2XX.sys
2009-10-30 00:04 . 2009-10-30 00:04 249344 ----a-w- c:\documents and settings\Josh\Application Data\Parallels\Shared Applications\VLC (Mac).exe
2009-10-30 00:04 . 2009-10-30 00:04 249344 ----a-w- c:\documents and settings\Josh\Application Data\Parallels\Shared Applications\QuickTime Player (Mac).exe
2009-10-30 00:04 . 2009-10-30 00:04 249344 ----a-w- c:\documents and settings\Josh\Application Data\Parallels\Shared Applications\iTunes (Mac).exe
2009-10-30 00:04 . 2009-10-30 00:04 249344 ----a-w- c:\documents and settings\Josh\Application Data\Parallels\Shared Applications\Audacity (Mac).exe
2009-10-29 23:45 . 2009-05-12 00:02 -------- d-----w- c:\documents and settings\Josh\Application Data\Parallels
2009-10-29 05:38 . 2008-04-14 12:00 667136 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2008-04-14 12:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2008-04-14 12:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2008-04-14 12:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-14 18:27 . 2009-10-05 18:04 19784 ----a-w- c:\windows\system32\drivers\prl_vamp.sys
2009-10-14 18:27 . 2009-10-05 18:04 83784 ----a-w- c:\windows\system32\prl_vadd.dll
2009-10-14 18:27 . 2009-10-29 23:45 15560 ----a-w- c:\windows\system32\drivers\prl_time.sys
2009-10-14 18:27 . 2009-10-05 18:04 22728 ----a-w- c:\windows\system32\drivers\prl_tg.sys
2009-10-14 18:27 . 2009-10-05 18:04 101704 ----a-w- c:\windows\system32\drivers\prl_pv32.sys
2009-10-14 18:27 . 2009-10-05 18:04 15432 ----a-w- c:\windows\system32\drivers\prl_mouf.sys
2009-10-14 18:27 . 2009-08-29 20:52 148168 ----a-w- c:\windows\system32\drivers\prl_fs.sys
2009-10-14 18:27 . 2009-10-05 18:04 17864 ----a-w- c:\windows\system32\drivers\prl_eth5.sys
2009-10-14 18:27 . 2009-10-14 18:27 33608 ----a-w- c:\windows\system32\drivers\prl_boot.sys
2009-10-14 18:23 . 2009-05-05 18:36 80896 ----a-w- c:\windows\system32\prl_np.dll
2009-10-14 18:22 . 2009-10-05 18:04 151040 ----a-w- c:\windows\system32\prl_gl.dll
2009-10-13 10:30 . 2008-04-14 12:00 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2008-04-14 12:00 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2008-04-14 12:00 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-05 17:00 . 2009-10-05 17:00 11026 ----a-w- c:\windows\system32\drivers\vmscsi.sys
2009-09-25 05:37 . 2008-04-14 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2003-06-19 15:05 . 2003-06-19 15:05 431888 --s-a-w- c:\program files\Common Files\riched20.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B922D405-6D13-4A2B-AE89-08A030DA4402}]
2009-05-04 20:32 650752 ----a-w- c:\program files\pdfforge Toolbar\WidgiToolbarIE.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{B922D405-6D13-4A2B-AE89-08A030DA4402}"= "c:\program files\pdfforge Toolbar\WidgiToolbarIE.dll" [2009-05-04 650752]

[HKEY_CLASSES_ROOT\clsid\{b922d405-6d13-4a2b-ae89-08a030da4402}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Josh\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-06-13 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-20 13549568]
"nwiz"="nwiz.exe" [2009-01-20 1630208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-01-20 86016]
"RTHDCPL"="RTHDCPL.EXE" [2009-01-20 18082304]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SearchSettings"="c:\program files\pdfforge Toolbar\SearchSettings.exe" [2009-03-30 970240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Parallels Shared Internet Applications"="c:\program files\Parallels\Parallels Tools\SIA\SharedIntApp.exe" [2009-10-14 129864]
"Parallels Tools Center"="c:\program files\Parallels\Parallels Tools\prl_cc.exe" [2009-10-14 198984]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-12-11 2033432]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-11-26 16:59 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@="Driver Group"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MA Lighting Technologies\\grandMA\\ grandMA2 onPC 1.000\\gma2onpc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\MA Lighting Technologies\\grandMA\\grandMA onPC 5.920\\gmaOnPC.exe"=
"c:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Protection Server\\WinNT\\spnsrvnt.exe"=
"c:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Keys Server\\sntlkeyssrvr.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 EUBAKUP;EUBAKUP;c:\windows\system32\drivers\eubakup.sys [8/21/2009 5:06 AM 26120]
R0 EUFS;EUFS;c:\windows\system32\drivers\eufs.sys [8/21/2009 5:06 AM 20616]
R0 prl_pv32;prl_pv32;c:\windows\system32\drivers\prl_pv32.sys [10/5/2009 1:04 PM 101704]
R0 prl_tg;Parallels Tool Device;c:\windows\system32\drivers\prl_tg.sys [10/5/2009 1:04 PM 22728]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/26/2009 11:59 AM 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/26/2009 11:59 AM 360584]
R1 prl_boot;Parallels BootCamp Helper;c:\windows\system32\drivers\prl_boot.sys [10/14/2009 1:27 PM 33608]
R1 prl_fs;Parallels Shared Folders;c:\windows\system32\drivers\prl_fs.sys [8/29/2009 3:52 PM 148168]
R2 AppleOSSMgr;Apple OS Switch Manager;c:\windows\system32\AppleOSSMgr.exe [1/20/2009 3:28 PM 136496]
R2 AppleTimeSrv;Apple Time Service;c:\windows\system32\AppleTimeSrv.exe [1/20/2009 3:28 PM 99632]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [11/26/2009 11:58 AM 285392]
R2 KeyAgent;KeyAgent;c:\windows\system32\drivers\KeyAgent.sys [1/20/2009 3:15 PM 5760]
R2 MacHALDriver;Mac HAL;c:\windows\system32\drivers\MacHALDriver.sys [1/20/2009 3:14 PM 8192]
R2 Parallels Coherence Service;Parallels Coherence Service;c:\program files\Parallels\Parallels Tools\Services\coherence.exe [10/14/2009 1:27 PM 27976]
R2 Parallels Tools Service;Parallels Tools Service;c:\program files\Parallels\Parallels Tools\Services\prl_tools_service.exe [10/14/2009 1:27 PM 138056]
R2 PortTalk;PortTalk;c:\windows\system32\drivers\porttalk.sys [6/12/2000 5:34 PM 7157]
R2 prl_time;Parallels Time Synchronization Helper;c:\windows\system32\drivers\prl_time.sys [10/29/2009 6:45 PM 15560]
R2 SentinelKeysServer;Sentinel Keys Server;c:\program files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe [7/11/2008 12:02 AM 328992]
R3 EuDisk;EASEUS Disk Enumerator;c:\windows\system32\drivers\EuDisk.sys [8/21/2009 5:06 AM 122504]
R3 prl_eth5;Parallels Ethernet Adapter;c:\windows\system32\drivers\prl_eth5.sys [10/5/2009 1:04 PM 17864]
R3 prl_mouf;Parallels Mouse Synchronization Device;c:\windows\system32\drivers\prl_mouf.sys [10/5/2009 1:04 PM 15432]
R3 prl_va;Parallels Video Adapter;c:\windows\system32\drivers\prl_vamp.sys [10/5/2009 1:04 PM 19784]
S0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [10/5/2009 12:00 PM 11026]
S3 applemtm;Apple Multitouch Mouse;c:\windows\system32\drivers\applemtm.sys [5/11/2009 6:17 AM 10496]
S3 applemtp;Apple Multitouch;c:\windows\system32\drivers\applemtp.sys [5/11/2009 6:17 AM 29312]
S3 EUDSKACS;EUDSKACS;c:\windows\system32\drivers\eudskacs.sys [8/21/2009 5:06 AM 14216]
S3 IRRemoteFlt;IR Receiver Filter Driver;c:\windows\system32\drivers\IRFilter.sys [5/11/2009 6:16 AM 16512]
S3 KeyMagic;USB Keyboard HID Filter;c:\windows\system32\drivers\KeyMagic.sys [5/11/2009 6:16 AM 22528]
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: .psf
FF - ProfilePath - c:\documents and settings\Josh\Application Data\Mozilla\Firefox\Profiles\hye1z6ni.default\
FF - component: c:\program files\Mozilla Firefox\extensions\{B922D405-6D13-4A2B-AE89-08A030DA4402}\components\pdfforgeToolbarFF.dll
FF - component: c:\program files\Mozilla Firefox\extensions\[email protected]\components\SearchSettingsFF.dll
FF - plugin: c:\documents and settings\Josh\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

AddRemove-HijackThis - c:\documents and settings\Josh\Desktop\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-11 17:12
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0xF7737E00]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf765bf28
\Driver\ACPI -> ACPI.sys @ 0xf75aecb8
\Driver\atapi -> atapi.sys @ 0xf74a0852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e668e
ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e668e
ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1
NDIS: Parallels Ethernet Adapter -> SendCompleteHandler -> NDIS.sys @ 0xf7421bb0
PacketIndicateHandler -> NDIS.sys @ 0xf742ea21
SendHandler -> NDIS.sys @ 0xf740c87b
user & kernel MBR OK

**************************************************************************
.
Completion time: 2009-12-11 17:14:16
ComboFix-quarantined-files.txt 2009-12-11 22:13

Pre-Run: 29,669,281,792 bytes free
Post-Run: 29,642,575,872 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 940C50F12DD7E84AD644C07321EF6A38


Thanks!
  • 0

#12
RKinner

RKinner

    Malware Expert

  • Expert
  • 23,139 posts
  • MVP
Try http://download.blee...Disinfector.exe

I'll get back to you later but I don't see anything off hand. I think the one file it deleted was another false positive. I think the rootkit detection is probably just because it's a virtual machine.

Ron
  • 0

#13
bearj

bearj

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Ok, this time I got it and ran it. Had my USB drive plugged in as well. It didn't seem to generate a log file though.

Once this one passes there's one more computer to go!

By the way, interesting aside. Remember the audio file that got quarantined on the first computer? I noticed that machine (a laptop) wasn't sleeping properly anymore. Restored the file and it seems to be better. There was no problem with startup or any audio issues though. Weird.

Thanks!
  • 0

#14
RKinner

RKinner

    Malware Expert

  • Expert
  • 23,139 posts
  • MVP
It doesn't generate a log. It mostly removes autorun.inf files and adds autorun.inf folders to all your drives. This keeps them from being used by the most common type of USB drive infections.

Other than that one missing file on Y: I haven't seen any sign of an infection. (Did you try to create a folder named svchost.exe in Y:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\? If it works then the file is truly gone. Delete everything from the Y:\Recycler folder.)

Are you sure the message about ircbot was from your ISP?

We can look at the TCP ports in use on a PC to see if there is any activity on port 194 or ports 6662-6669, which are usually used by IRC.

Close your browser and all other programs, then wait about 5 minutes, then do Start, Run, cmd, OK to bring up a command window, then type (with an Enter after each line):

netstat -an > \junk.txt

notepad \junk.txt

Copy the resulting text and paste it in a reply. Close notepad but leave the command window up. Start up your browser and let it go to your home page. Repeat the above two commands and post the result too.

Ron
  • 0

#15
bearj

bearj

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
That y:\recycler directory doesn't seem to exist anymore, so I haven't tried to recreate the file. I did successfully create a \recycler directory then deleted it.

The message about the virus was definitely from my ISP. They shut off the connection. The helpful bit is that they then don't tell you anything more than "you have an IRC bot virus". When you ask for logs to help you find it, they say no. Oh, and they charge you while they've cut you off too. Nice eh? So it's possible there never was a virus, I can't ever prove there was.

I have one more virtual machine I realized I used, so we can start on that one once we're done with this one.

As for the netstat dump, here's the first:


Active Connections

Proto Local Address Foreign Address State
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:990 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING
TCP 0.0.0.0:6002 0.0.0.0:0 LISTENING
TCP 0.0.0.0:7001 0.0.0.0:0 LISTENING
TCP 0.0.0.0:7002 0.0.0.0:0 LISTENING
TCP 10.211.55.5:139 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1029 127.0.0.1:27015 ESTABLISHED
TCP 127.0.0.1:1033 0.0.0.0:0 LISTENING
TCP 127.0.0.1:5354 0.0.0.0:0 LISTENING
TCP 127.0.0.1:5679 0.0.0.0:0 LISTENING
TCP 127.0.0.1:7438 0.0.0.0:0 LISTENING
TCP 127.0.0.1:27015 0.0.0.0:0 LISTENING
TCP 127.0.0.1:27015 127.0.0.1:1029 ESTABLISHED
UDP 0.0.0.0:445 *:*
UDP 0.0.0.0:500 *:*
UDP 0.0.0.0:1026 *:*
UDP 0.0.0.0:4500 *:*
UDP 0.0.0.0:7001 *:*
UDP 0.0.0.0:50007 *:*
UDP 10.211.55.5:123 *:*
UDP 10.211.55.5:137 *:*
UDP 10.211.55.5:138 *:*
UDP 10.211.55.5:1900 *:*
UDP 10.211.55.5:5353 *:*
UDP 10.211.55.5:6001 *:*
UDP 127.0.0.1:123 *:*
UDP 127.0.0.1:1900 *:*
UDP 127.0.0.1:6001 *:*

And here's one with Chrome open and sitting at Google:


Active Connections

Proto Local Address Foreign Address State
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:990 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING
TCP 0.0.0.0:6002 0.0.0.0:0 LISTENING
TCP 0.0.0.0:7001 0.0.0.0:0 LISTENING
TCP 0.0.0.0:7002 0.0.0.0:0 LISTENING
TCP 10.211.55.5:139 0.0.0.0:0 LISTENING
TCP 10.211.55.5:1057 64.233.169.105:80 ESTABLISHED
TCP 10.211.55.5:1058 64.233.169.105:80 ESTABLISHED
TCP 10.211.55.5:1059 74.125.115.100:80 ESTABLISHED
TCP 127.0.0.1:1029 127.0.0.1:27015 ESTABLISHED
TCP 127.0.0.1:1033 0.0.0.0:0 LISTENING
TCP 127.0.0.1:5354 0.0.0.0:0 LISTENING
TCP 127.0.0.1:5679 0.0.0.0:0 LISTENING
TCP 127.0.0.1:7438 0.0.0.0:0 LISTENING
TCP 127.0.0.1:27015 0.0.0.0:0 LISTENING
TCP 127.0.0.1:27015 127.0.0.1:1029 ESTABLISHED
UDP 0.0.0.0:445 *:*
UDP 0.0.0.0:500 *:*
UDP 0.0.0.0:1026 *:*
UDP 0.0.0.0:4500 *:*
UDP 0.0.0.0:7001 *:*
UDP 0.0.0.0:50007 *:*
UDP 10.211.55.5:123 *:*
UDP 10.211.55.5:137 *:*
UDP 10.211.55.5:138 *:*
UDP 10.211.55.5:1900 *:*
UDP 10.211.55.5:5353 *:*
UDP 10.211.55.5:6001 *:*
UDP 127.0.0.1:123 *:*
UDP 127.0.0.1:1900 *:*
UDP 127.0.0.1:6001 *:*

Thanks!
  • 0
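The port check Ron describes in #14, applied to the kind of dump bearj posted in #15, as an added example that is not part of the thread: a small Python parser for `netstat -an` output that flags any socket whose remote port (or, for a LISTENING socket, local port) is an IRC port. The port set starts from the ports named in the post (194 and 6662-6669) and, as an assumption beyond the thread, widens to the customary 6660-6669 range plus 6697 (IRC over TLS). The sample input is a few lines copied from the posted dump plus one constructed line (a TEST-NET-2 address on port 6667) so the check has something to flag; the names `parse_netstat` and `irc_suspects` are this example's own.

```python
"""Flag netstat -an lines that touch ports commonly used by IRC.

Added example, not code from the thread. Runs offline on the embedded
sample; on a live box feed it the output of ``netstat -an`` instead.
"""
from typing import NamedTuple, Optional

# Ports named in the post (194, 6662-6669), widened to the customary IRC
# range 6660-6669 plus 6697 for IRC over TLS (assumption, see lead-in).
IRC_PORTS = {194, 6697} | set(range(6660, 6670))


class Conn(NamedTuple):
    proto: str
    local: str
    lport: Optional[int]
    remote: str
    rport: Optional[int]   # None for the "*:*" foreign address of UDP rows
    state: str             # empty for UDP rows, which carry no state


def _split_endpoint(endpoint: str):
    """'10.211.55.5:1057' -> ('10.211.55.5', 1057); '*:*' -> ('*', None).
    rpartition keeps IPv6 forms such as '[::]:135' intact."""
    host, _, port = endpoint.rpartition(":")
    return host, (None if port == "*" else int(port))


def parse_netstat(text: str) -> list:
    """Parse the rows of a netstat -an dump; header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        lhost, lport = _split_endpoint(parts[1])
        rhost, rport = _split_endpoint(parts[2])
        state = parts[3] if len(parts) > 3 else ""
        conns.append(Conn(parts[0], lhost, lport, rhost, rport, state))
    return conns


def irc_suspects(conns) -> list:
    """Rows worth a second look.

    An ESTABLISHED socket to a remote IRC port is the classic bot-to-
    controller sign; a LISTENING socket on an IRC port would mean the
    box itself is serving IRC, which a workstation normally never does.
    """
    return [
        c for c in conns
        if c.rport in IRC_PORTS
        or (c.state == "LISTENING" and c.lport in IRC_PORTS)
    ]


# Lines copied from the dump posted in #15 ...
SAMPLE = """Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    10.211.55.5:1057       64.233.169.105:80      ESTABLISHED
  TCP    127.0.0.1:1029         127.0.0.1:27015        ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    10.211.55.5:137        *:*
"""
# ... plus one constructed row (documentation address, not a real host)
# so that the check has a hit to report.
SAMPLE += "  TCP    10.211.55.5:1060       198.51.100.23:6667     ESTABLISHED\n"


if __name__ == "__main__":
    for hit in irc_suspects(parse_netstat(SAMPLE)):
        print(f"{hit.proto} {hit.local}:{hit.lport} -> "
              f"{hit.remote}:{hit.rport} {hit.state}")
```

On a real machine the row of interest would also want a process behind it, which plain `netstat -an` does not show; `netstat -ano` adds the owning PID in a fifth column and the parser above still works because it only reads the first four. A dump with no IRC ports in it is not proof of a clean box, since a bot can be idle at the moment of the snapshot or talk to its controller over a port such as 80, so the check is a quick screen, not a verdict.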
