Google Redirect Virus [Closed] [Solved] - Geeks to Go Forums


Google Redirect Virus [Closed] [Solved] Google searches direct to wrong webpage

#1 Xenotool

  • Group: Member
  • Posts: 10
  • Joined: 11-December 09

Posted 11 December 2009 - 11:29 PM

I was having many problems with IE and switched to Firefox, but when I do Google searches and click on the link it redirects to the wrong page. I sometimes get transferred to CoolWebSearch, a Windows security website, or a web page that says my computer is infected and I need to buy their product. I ran MBAM and Norton several times and they did not detect any viruses. I used Security Task Manager and found one virus on startup. I then uninstalled Norton and downloaded Avast, which detected two more viruses. After that scan MBAM detected two viruses in system files. My firewall is active and working, and I've always had virus protection. I have never had virus problems like this before. Any help is greatly appreciated, thanks.

MBAM LOG


Malwarebytes' Anti-Malware 1.42
Database version: 3289
Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

12/11/2009 10:14:45 PM
mbam-log-2009-12-11 (22-14-45).txt

Scan type: Quick Scan
Objects scanned: 106755
Time elapsed: 5 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\F.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jake\Local Settings\Temp\2.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.



ROOT REPEAL

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/12/11 21:53
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
Address: 0xA28D9000 Size: 892928 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA1DA8000 Size: 49152 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa29d96b8

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa29d9574

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa29d9a52

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa29d914c

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa29d964e

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa29d908c

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa29d90f0

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa29d976e

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa29d972e

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa29d98ae

==EOF==


OTL



OTL logfile created on: 12/11/2009 10:17:47 PM - Run 1
OTL by OldTimer - Version 3.1.16.0 Folder = C:\Documents and Settings\Jake\My Documents\Downloads
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.99 Gb Total Physical Memory | 1.42 Gb Available Physical Memory | 71.46% Memory free
3.33 Gb Paging File | 2.89 Gb Available in Paging File | 86.75% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 72.06 Gb Total Space | 56.93 Gb Free Space | 79.00% Space Free | Partition Type: NTFS
Drive D: | 72.05 Gb Total Space | 71.98 Gb Free Space | 99.90% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: XENOTOOL
Current User Name: Jake
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2009/12/11 18:12:57 | 00,538,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jake\My Documents\Downloads\OTL.exe
PRC - [2009/11/24 16:51:40 | 00,081,000 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashDisp.exe
PRC - [2009/11/24 16:51:35 | 00,138,680 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe
PRC - [2009/11/24 16:51:21 | 00,254,040 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
PRC - [2009/11/24 16:48:48 | 00,352,920 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
PRC - [2009/11/24 16:43:56 | 00,018,752 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
PRC - [2009/11/02 20:23:08 | 00,908,248 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/10/27 18:13:42 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/10/27 18:13:42 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2009/05/26 21:06:32 | 00,079,088 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
PRC - [2009/05/19 11:36:18 | 00,240,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
PRC - [2009/04/27 14:08:42 | 17,881,088 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\RTHDCPL.EXE
PRC - [2009/04/16 16:46:30 | 00,630,784 | ---- | M] (ASUSTeK Computer Inc.) -- C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe
PRC - [2009/04/16 15:58:54 | 00,118,784 | ---- | M] (ASUSTeK Computer Inc.) -- C:\Program Files\EeePC\ACPI\AsTray.exe
PRC - [2009/03/25 07:43:40 | 00,376,832 | ---- | M] (ASUSTeK Computer Inc.) -- C:\Program Files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe
PRC - [2009/03/13 13:15:02 | 00,098,304 | ---- | M] (ASUSTeK Computer Inc.) -- C:\Program Files\EeePC\ACPI\AsEPCMon.exe
PRC - [2009/03/06 01:57:54 | 01,434,920 | ---- | M] (Synaptics Incorporated) -- C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
PRC - [2008/04/14 05:00:00 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/12/19 08:08:12 | 00,159,744 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\hkcmd.exe
PRC - [2007/12/19 08:08:08 | 00,135,168 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxtray.exe
PRC - [2007/12/19 08:07:40 | 00,163,840 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxext.exe
PRC - [2007/12/19 08:07:30 | 00,249,856 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxsrvc.exe
PRC - [2000/05/20 17:23:48 | 00,086,016 | ---- | M] () -- C:\WINDOWS\StartupMonitor.exe


========== Modules (SafeList) ==========

MOD - [2009/12/11 18:12:57 | 00,538,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jake\My Documents\Downloads\OTL.exe


========== Win32 Services (SafeList) ==========

SRV - [2009/11/24 16:51:35 | 00,138,680 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\ashServ.exe -- (avast! Antivirus)
SRV - [2009/11/24 16:51:21 | 00,254,040 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe -- (avast! Mail Scanner)
SRV - [2009/11/24 16:48:48 | 00,352,920 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe -- (avast! Web Scanner)
SRV - [2009/11/24 16:43:56 | 00,018,752 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe -- (aswUpdSv)
SRV - [2009/10/27 18:13:42 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009/05/19 11:36:18 | 00,240,512 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort)
SRV - [2009/02/06 15:08:58 | 00,533,360 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Live\Family Safety\fsssvc.exe -- (fsssvc)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 08 79 CC 03 52 C8 DA 49 9C 0E 39 0D 09 7D 56 4C [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "about:blank"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {f62a1d7e-0939-4b9b-b57b-a9cc15a76c5b}:1.0
FF - prefs.js..extensions.enabledItems: {6F1F1B9B-C4D3-4617-A981-343FB714C18C}:1.9.1
FF - prefs.js..extensions.enabledItems: {B6494E47-0413-485E-BF41-6F4CAB786B4A}:1.9.1

FF - HKLM\software\mozilla\Firefox\extensions\\{6F1F1B9B-C4D3-4617-A981-343FB714C18C}: C:\Documents and Settings\Jake\Local Settings\Application Data\{6F1F1B9B-C4D3-4617-A981-343FB714C18C} [2009/11/03 16:28:32 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{B6494E47-0413-485E-BF41-6F4CAB786B4A}: C:\Documents and Settings\Administrator\Local Settings\Application Data\{B6494E47-0413-485E-BF41-6F4CAB786B4A} [2009/11/03 17:09:29 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/12/02 16:44:11 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/12/02 16:44:01 | 00,000,000 | ---D | M]

[2009/12/02 16:44:30 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Jake\Application Data\Mozilla\Extensions
[2009/11/16 21:40:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Jake\Application Data\Mozilla\Extensions\mozswing@mozswing.org
[2009/12/11 14:45:50 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\df7g7khm.default\extensions
[2009/12/09 08:19:13 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\df7g7khm.default\extensions\{f62a1d7e-0939-4b9b-b57b-a9cc15a76c5b}
[2009/12/11 18:29:06 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: (734 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Skype add-on (mastermind)) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Windows Live Toolbar Helper) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (no name) - - No CLSID value found.
O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O4 - HKLM..\Run: [AsusACPIServer] C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe (ASUSTeK Computer Inc.)
O4 - HKLM..\Run: [AsusEPCMonitor] C:\Program Files\EeePC\ACPI\AsEPCMon.exe (ASUSTeK Computer Inc.)
O4 - HKLM..\Run: [AsusTray] C:\Program Files\EeePC\ACPI\AsTray.exe (ASUSTeK Computer Inc.)
O4 - HKLM..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe ()
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [RTHDCPL] C:\WINDOWS\RTHDCPL.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [Run StartupMonitor] C:\WINDOWS\StartupMonitor.exe ()
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [SynAsusAcpi] C:\Program Files\Synaptics\SynTP\SynAsusAcpi.exe (Synaptics Incorporated)
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics Incorporated)
O4 - HKCU..\Run: [Messenger (Yahoo!)] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ SuperHybridEngine.lnk = C:\Program Files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe (ASUSTeK Computer Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1 205.171.3.25
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/04/27 22:03:59 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2009/04/27 22:03:27 | 00,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\system32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (17173422438088704)

========== Files/Folders - Created Within 14 Days ==========

[2009/12/11 18:31:53 | 00,048,560 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2009/12/11 18:31:53 | 00,027,408 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2009/12/11 18:31:53 | 00,023,120 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2009/12/11 18:31:52 | 00,114,768 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2009/12/11 18:31:52 | 00,097,480 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\AvastSS.scr
[2009/12/11 18:31:52 | 00,094,160 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2009/12/11 18:31:52 | 00,093,424 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2009/12/11 18:31:52 | 00,020,560 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2009/12/11 18:31:25 | 01,280,480 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\aswBoot.exe
[2009/12/11 18:31:22 | 00,000,000 | ---D | C] -- C:\Program Files\Alwil Software
[2009/12/11 18:15:36 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/12/11 18:15:02 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2009/12/11 17:16:55 | 00,000,000 | RH-D | C] -- C:\Documents and Settings\Jake\Recent
[2009/12/11 16:49:32 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Jake\Local Settings\Application Data\Help
[2009/12/11 16:49:32 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Jake\Application Data\Help
[2009/12/11 16:36:03 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SecTaskMan
[2009/12/11 16:35:50 | 00,000,000 | ---D | C] -- C:\Program Files\Security Task Manager
[2009/12/07 19:40:35 | 00,000,000 | ---D | C] -- C:\Program Files\Essentials Codec Pack
[2009/12/07 19:28:11 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Jake\Application Data\WinRAR
[2009/12/07 19:28:03 | 00,000,000 | -HSD | C] -- C:\WINDOWS\System32\SysWoW32
[2009/12/07 19:26:32 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\1455365501
[2009/12/02 18:03:38 | 00,000,000 | ---D | C] -- C:\Program Files\MSN
[2009/12/02 16:44:08 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Jake\Local Settings\Application Data\Mozilla
[2009/12/02 16:44:00 | 00,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2009/04/27 22:06:50 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2009/04/27 22:06:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2009/04/27 22:03:55 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009/04/27 22:03:55 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 14 Days ==========

[2009/12/11 22:15:10 | 00,054,016 | ---- | M] () -- C:\WINDOWS\System32\drivers\boqrtol.sys
[2009/12/11 21:45:58 | 00,521,766 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/12/11 21:45:58 | 00,442,024 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/12/11 21:45:58 | 00,071,810 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/12/11 19:25:22 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/12/11 19:25:02 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/12/11 18:32:19 | 03,407,872 | -H-- | M] () -- C:\Documents and Settings\Jake\NTUSER.DAT
[2009/12/11 18:32:19 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\Jake\ntuser.ini
[2009/12/11 18:31:53 | 00,001,709 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\avast! Antivirus.lnk
[2009/12/11 18:31:52 | 00,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2009/12/11 18:15:04 | 00,000,611 | ---- | M] () -- C:\Documents and Settings\Jake\Desktop\NTREGOPT.lnk
[2009/12/11 18:15:04 | 00,000,592 | ---- | M] () -- C:\Documents and Settings\Jake\Desktop\ERUNT.lnk
[2009/12/11 16:35:28 | 00,000,120 | ---- | M] () -- C:\WINDOWS\Wsululowu.dat
[2009/12/11 14:35:03 | 00,000,000 | ---- | M] () -- C:\WINDOWS\Xtetovisidubadi.bin
[2009/12/10 19:33:35 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/12/10 16:06:41 | 00,000,501 | ---- | M] () -- C:\Documents and Settings\Jake\Desktop\Shortcut to Saved.lnk
[2009/12/10 15:56:45 | 00,000,449 | ---- | M] () -- C:\Documents and Settings\Jake\Desktop\Shortcut to My Music.lnk
[2009/12/09 21:44:20 | 00,264,616 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/12/09 10:01:11 | 00,002,076 | -HS- | M] () -- C:\Documents and Settings\Jake\Application Data\02000000be83f42d716P.manifest
[2009/12/09 09:52:47 | 00,000,817 | ---- | M] () -- C:\WINDOWS\System32\1686993434
[2009/12/09 08:25:04 | 00,005,609 | -HS- | M] () -- C:\Documents and Settings\Jake\Application Data\02000000be83f42d716C.manifest
[2009/12/09 08:20:32 | 00,000,232 | -HS- | M] () -- C:\Documents and Settings\Jake\Application Data\02000000be83f42d716O.manifest
[2009/12/09 08:17:44 | 00,001,295 | -HS- | M] () -- C:\WINDOWS\System32\886909514
[2009/12/09 08:17:28 | 00,000,011 | -HS- | M] () -- C:\Documents and Settings\Jake\Application Data\02000000be83f42d716S.manifest
[2009/12/08 19:26:29 | 00,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/12/07 19:40:48 | 00,000,773 | ---- | M] () -- C:\Documents and Settings\Jake\Desktop\Media Player Classic.lnk
[2009/12/07 19:26:32 | 00,203,776 | -HS- | M] () -- C:\WINDOWS\System32\unrar.exe
[2009/12/03 16:14:06 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/12/03 16:13:56 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/12/02 17:38:35 | 00,000,230 | ---- | M] () -- C:\WINDOWS\System32\spupdsvc.inf
[2009/12/02 16:44:14 | 00,000,000 | ---- | M] () -- C:\WINDOWS\nsreg.dat
[2009/12/02 16:44:04 | 00,001,602 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2009/12/11 22:15:10 | 00,054,016 | ---- | C] () -- C:\WINDOWS\System32\drivers\boqrtol.sys
[2009/12/11 18:31:53 | 00,001,709 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\avast! Antivirus.lnk
[2009/12/11 18:31:25 | 00,380,928 | ---- | C] () -- C:\WINDOWS\System32\actskin4.ocx
[2009/12/11 18:15:04 | 00,000,611 | ---- | C] () -- C:\Documents and Settings\Jake\Desktop\NTREGOPT.lnk
[2009/12/11 18:15:04 | 00,000,592 | ---- | C] () -- C:\Documents and Settings\Jake\Desktop\ERUNT.lnk
[2009/12/11 16:20:41 | 00,081,920 | ---- | C] () -- C:\WINDOWS\System32\Startup.cpl
[2009/12/10 16:06:41 | 00,000,501 | ---- | C] () -- C:\Documents and Settings\Jake\Desktop\Shortcut to Saved.lnk
[2009/12/10 15:56:45 | 00,000,449 | ---- | C] () -- C:\Documents and Settings\Jake\Desktop\Shortcut to My Music.lnk
[2009/12/07 19:40:48 | 00,000,773 | ---- | C] () -- C:\Documents and Settings\Jake\Desktop\Media Player Classic.lnk
[2009/12/07 19:29:16 | 00,001,295 | -HS- | C] () -- C:\WINDOWS\System32\886909514
[2009/12/07 19:29:15 | 00,000,817 | ---- | C] () -- C:\WINDOWS\System32\1686993434
[2009/12/07 19:26:32 | 00,203,776 | -HS- | C] () -- C:\WINDOWS\System32\unrar.exe
[2009/12/07 19:26:12 | 00,005,609 | -HS- | C] () -- C:\Documents and Settings\Jake\Application Data\02000000be83f42d716C.manifest
[2009/12/07 19:26:12 | 00,002,076 | -HS- | C] () -- C:\Documents and Settings\Jake\Application Data\02000000be83f42d716P.manifest
[2009/12/07 19:26:12 | 00,000,232 | -HS- | C] () -- C:\Documents and Settings\Jake\Application Data\02000000be83f42d716O.manifest
[2009/12/07 19:26:12 | 00,000,011 | -HS- | C] () -- C:\Documents and Settings\Jake\Application Data\02000000be83f42d716S.manifest
[2009/12/02 17:38:35 | 00,000,230 | ---- | C] () -- C:\WINDOWS\System32\spupdsvc.inf
[2009/12/02 16:44:14 | 00,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2009/12/02 16:44:04 | 00,001,602 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2009/10/29 22:13:22 | 00,009,216 | ---- | C] () -- C:\Documents and Settings\Jake\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/10/27 20:38:42 | 00,000,074 | ---- | C] () -- C:\Documents and Settings\Jake\Local Settings\Application Data\FASTWiz.log
[2009/10/27 18:24:44 | 00,000,032 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\ezsid.dat
[2009/10/27 16:12:31 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\Jake\Application Data\wklnhst.dat
[2009/05/05 11:13:43 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2009/05/05 10:16:46 | 00,232,872 | R--- | C] () -- C:\WINDOWS\System32\drivers\SRS_PremiumSound_i386.sys
[2009/05/05 09:03:49 | 00,021,864 | ---- | C] () -- C:\WINDOWS\AsAcpiSvrLang.ini
[2009/05/05 09:03:49 | 00,012,208 | ---- | C] () -- C:\WINDOWS\AsTrayLang.ini
[2009/05/05 08:52:19 | 00,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4906.dll
[2009/04/27 21:51:49 | 00,005,312 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI

========== LOP Check ==========

[2009/11/02 17:28:18 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ableton
[2009/11/25 21:56:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
[2009/12/11 18:34:29 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SecTaskMan
[2009/05/05 09:02:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Wireless LAN Card
[2009/11/02 17:49:07 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Jake\Application Data\Ableton
[2009/12/10 15:57:59 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Jake\Application Data\LimeWire
[2009/11/25 21:55:17 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Jake\Application Data\NCH Swift Sound
[2009/10/28 12:33:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Jake\Application Data\OpenOffice.org
[2009/10/28 20:39:27 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Jake\Application Data\Template

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: ATAPI.SYS >
[2008/04/14 00:10:32 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2008/04/14 00:10:32 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2008/04/14 05:00:00 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\ReinstallBackups\0005\DriverFiles\i386\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/14 05:00:00 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\dllcache\eventlog.dll
[2008/04/14 05:00:00 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: IASTOR.SYS >
[2008/09/11 22:32:56 | 00,327,192 | ---- | M] (Intel Corporation) MD5=8EF427C54497C5F8A7A645990E4278C7 -- C:\WINDOWS\I386\$OEM$\TEXTMODE\IASTOR.SYS
[2008/09/11 22:32:56 | 00,327,192 | ---- | M] (Intel Corporation) MD5=8EF427C54497C5F8A7A645990E4278C7 -- C:\WINDOWS\OemDir\iaStor.sys
[2008/09/11 22:32:56 | 00,327,192 | ---- | M] (Intel Corporation) MD5=8EF427C54497C5F8A7A645990E4278C7 -- C:\WINDOWS\system32\drivers\iaStor.sys

< MD5 for: NETLOGON.DLL >
[2008/04/14 05:00:00 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\dllcache\netlogon.dll
[2008/04/14 05:00:00 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: SCECLI.DLL >
[2008/04/14 05:00:00 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\dllcache\scecli.dll
[2008/04/14 05:00:00 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >
< End of report >


EXTRAS


OTL Extras logfile created on: 12/11/2009 10:17:47 PM - Run 1
OTL by OldTimer - Version 3.1.16.0 Folder = C:\Documents and Settings\Jake\My Documents\Downloads
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.99 Gb Total Physical Memory | 1.42 Gb Available Physical Memory | 71.46% Memory free
3.33 Gb Paging File | 2.89 Gb Available in Paging File | 86.75% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 72.06 Gb Total Space | 56.93 Gb Free Space | 79.00% Space Free | Partition Type: NTFS
Drive D: | 72.05 Gb Total Space | 71.98 Gb Free Space | 99.90% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: XENOTOOL
Current User Name: Jake
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0AAA9C97-74D4-47CE-B089-0B147EF3553C}" = Windows Live Messenger
"{0DFB3DE8-65B9-44FF-AA0A-3BECC5A2BFD1}" = Adobe Flash Player 10 Plugin
"{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}" = Microsoft Works
"{19F5658D-92E8-4A08-8657-D38ABB1574B2}" = Asus ACPI Driver
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83216016FF}" = Java™ 6 Update 16
"{28006915-2739-4EBE-B5E8-49B25D32EB33}" = Atheros Client Installation Program
"{3108C217-BE83-42E4-AE9E-A56A2A92E549}" = Atheros Communications Inc.® AR81Family Gigabit/Fast Ethernet Driver
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{3C52E7DA-C431-4239-B66B-1BF703D5B194}" = Windows Live Photo Gallery
"{3FB39BED-37C8-4E60-8E02-315B8C2B07E3}" = USB2.0 UVC Camera Device
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{47BACF74-5A07-48BD-BADB-A769550F0F5A}" = FontResizer
"{4CBA3D4C-8F51-4D60-B27E-F6B641C571E7}" = Microsoft Search Enhancement Pack
"{4DE3E3D9-AE81-45DE-9195-3015F7B1DBF3}" = Junk Mail filter update
"{541DEAC0-5F3D-45E6-B7CB-94ECF3B96748}" = Skype web features
"{587178E7-B1DF-494E-9838-FA4DD36E873C}" = ASUSUpdate for Eee PC
"{6333FC29-BFE5-4024-AC78-958A1A7555D1}" = EeeSplendid
"{63C1109E-D977-49ED-BCE3-D00D0BF187D6}" = Windows Live Mail
"{6A92E5C5-0578-443D-91F3-92ECE5F2CAE2}" = Windows Live Writer
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{76CD2979-09C0-493A-84B3-8FD97EF4BCEA}" = Windows Live Family Safety
"{76EFAC4F-1712-401F-B2AE-590B170C9BCE}" = StartupMonitor
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{88F08F98-12BC-4613-81A2-8F9B88CFC73E}" = Super Hybrid Engine
"{8A74E887-8F0F-4017-AF53-CBA42211AAA5}" = Microsoft Sync Framework Runtime Native v1.0 (x86)
"{8FC4F1DD-F7FD-4766-804D-3C8FF1D309AF}" = Azurewave Wireless LAN Card
"{8FFC5648-FAF8-43A3-BC8F-42BA1E275C4E}" = Choice Guard
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{995F1E2E-F542-4310-8E1D-9926F5A279B3}" = Windows Live Toolbar
"{A1BF9950-8CDB-468E-83FA-EACFB00EA7D5}" = Windows Live Sync
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{AC76BA86-7AD7-1033-7B44-A81100000003}" = Adobe Reader 8.1.1
"{B9BDA46B-2E17-4F43-9D7A-9B1E09A0A4D8}" = Data Sync
"{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}" = Microsoft Sync Framework Services Native v1.0 (x86)
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C6CA8874-5F22-4AF0-9BE3-016BF299C536}" = Windows Live Essentials
"{C72CA49A-9237-4810-8449-45DA3BD26D64}" = EzMessenger
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.1
"{E6B87DC4-2B3D-4483-ADFF-E483BF718991}" = OpenOffice.org 3.1
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"avast!" = avast! Antivirus
"CCleaner" = CCleaner
"Eee Docking_is1" = Eee Docking 1.3.1.0
"EeePC_1005HA" = EeePC_1005HA Screen Saver
"ERUNT_is1" = ERUNT 1.1j
"HDMI" = Intel® Graphics Media Accelerator Driver
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"LimeWire" = LimeWire 5.3.6
"Live 4.1.4" = Live 4.1.4
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.5.5)" = Mozilla Firefox (3.5.5)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Security Task Manager" = Security Task Manager 1.7h
"Switch" = Switch Sound File Converter
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"Wdf01007" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
"Windows Essentials Media Codec Pack" = Windows Essentials Media Codec Pack 2.3d
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinSCP_is1" = WinSCP 3.8 beta released
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Yahoo! Messenger" = Yahoo! Messenger

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 10/31/2009 6:35:13 PM | Computer Name = XENOTOOL | Source = Application Hang | ID = 1002
Description = Hanging application Weird Metronome.exe, version 1.0.4.0, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 11/5/2009 3:46:37 AM | Computer Name = XENOTOOL | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 11/5/2009 3:48:39 AM | Computer Name = XENOTOOL | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 11/7/2009 7:23:51 PM | Computer Name = XENOTOOL | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 11/7/2009 7:23:58 PM | Computer Name = XENOTOOL | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 11/22/2009 9:42:46 PM | Computer Name = XENOTOOL | Source = Application Hang | ID = 1002
Description = Hanging application explorer.exe, version 6.0.2900.5512, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 11/9/2009 11:03:44 PM | Computer Name = XENOTOOL | Source = Dhcp | ID = 1001
Description = Your computer was not assigned an address from the network (by the
DHCP Server) for the Network Card with network address 0025D3385BF1. The following
error occurred: %%121. Your computer will continue to try and obtain an address on
its own from the network address (DHCP) server.

Error - 11/10/2009 12:16:58 AM | Computer Name = XENOTOOL | Source = Dhcp | ID = 1001
Description = Your computer was not assigned an address from the network (by the
DHCP Server) for the Network Card with network address 0025D3385BF1. The following
error occurred: %%1223. Your computer will continue to try and obtain an address
on its own from the network address (DHCP) server.

Error - 11/13/2009 12:08:18 AM | Computer Name = XENOTOOL | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
again in 15 minutes. The error was: A socket operation was attempted to an unreachable
host. (0x80072751)

Error - 11/13/2009 12:08:18 AM | Computer Name = XENOTOOL | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 14 minutes. NtpClient has no source of accurate
time.

Error - 11/13/2009 8:10:40 PM | Computer Name = XENOTOOL | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
again in 15 minutes. The error was: A socket operation was attempted to an unreachable
host. (0x80072751)

Error - 11/13/2009 8:10:40 PM | Computer Name = XENOTOOL | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 14 minutes. NtpClient has no source of accurate
time.

Error - 11/13/2009 8:10:40 PM | Computer Name = XENOTOOL | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
again in 15 minutes. The error was: A socket operation was attempted to an unreachable
host. (0x80072751)

Error - 11/13/2009 8:10:40 PM | Computer Name = XENOTOOL | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 15 minutes. NtpClient has no source of accurate
time.

Error - 11/15/2009 8:37:11 PM | Computer Name = XENOTOOL | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.1.102 for the Network Card with network
address 0025D3385BF1 has been denied by the DHCP server 192.168.1.1 (The DHCP Server
sent a DHCPNACK message).

Error - 11/17/2009 10:18:53 AM | Computer Name = XENOTOOL | Source = DCOM | ID = 10010
Description = The server {781B925F-0BF8-4C7B-A2A8-A8B11B488A07} did not register
with DCOM within the required timeout.


< End of report >

#2 Rorschach112

  • Group: Retired Staff
  • Posts: 47,710
  • Joined: 23-March 07

Posted 12 December 2009 - 06:28 AM

hi

Please download GooredFix from one of the locations below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).



Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    [2009/12/07 19:26:32 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\1455365501
    [2009/12/11 22:15:10 | 00,054,016 | ---- | M] () -- C:\WINDOWS\System32\drivers\boqrtol.sys
    [2009/12/11 16:35:28 | 00,000,120 | ---- | M] () -- C:\WINDOWS\Wsululowu.dat
    [2009/12/11 14:35:03 | 00,000,000 | ---- | M] () -- C:\WINDOWS\Xtetovisidubadi.bin
    [2009/12/09 09:52:47 | 00,000,817 | ---- | M] () -- C:\WINDOWS\System32\1686993434
    [2009/12/09 08:17:44 | 00,001,295 | -HS- | M] () -- C:\WINDOWS\System32\886909514
    [2009/12/07 19:29:16 | 00,001,295 | -HS- | C] () -- C:\WINDOWS\System32\886909514
    [2009/12/07 19:29:15 | 00,000,817 | ---- | C] () -- C:\WINDOWS\System32\1686993434
    
    :Services
    
    :Reg
    
    :Files
    
    :Commands
    [purity]
    [emptytemp]
    [Reboot]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
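As an added illustration of what the OTL fix list above is keying on (this is editor-added example code, not GooredFix, OTL or the helper's own tooling): a small Python triage script that parses OTL file-listing lines in the exact format shown in this thread and flags the traits the listed entries share, namely recently changed files under %SystemRoot% with no vendor/version information, bare numeric file or folder names, hidden+system attributes in System32, and kernel drivers with no vendor. The sample lines are taken from the OTL output posted in this thread plus three benign lines from the same logs for contrast; the heuristics, the extension filter, the 14-day window and `SCAN_TIME` are assumptions of this example, and a hit is a candidate for an analyst to verify, not a verdict.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# One OTL file-listing line, in the format seen in the thread's logs:
#   [2009/12/11 22:15:10 | 00,054,016 | ---- | M] (Company) -- C:\path
# Directories carry no "(Company)" part; files without version info carry "()".
OTL_LINE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-A-Z]{4}) \| (?P<kind>[MC])\] (?:\((?P<company>[^)]*)\) )?-- (?P<path>.+)$"
)
BINARY_EXTS = {".exe", ".dll", ".sys", ".scr", ".bin", ".dat", ""}  # "" = no extension
SCAN_TIME = datetime(2009, 12, 12, 15, 24, 1)  # assumed: time of the OTL run in the thread


@dataclass
class OtlEntry:
    timestamp: datetime
    size: int
    attrs: str               # e.g. "----", "---D", "-HS-"
    company: Optional[str]   # None for directories, "" for a file with no version info
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


def parse_otl_line(line: str) -> Optional[OtlEntry]:
    """Parse one OTL listing line; return None for headers and other non-entry lines."""
    m = OTL_LINE.match(line.strip())
    if not m:
        return None
    return OtlEntry(datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
                    int(m["size"].replace(",", "")), m["attrs"], m["company"], m["path"])


def triage(entry: OtlEntry, now: datetime, max_age_days: int = 14) -> List[str]:
    """Reasons an entry deserves analyst attention; an empty list means nothing odd."""
    reasons: List[str] = []
    lower = entry.path.lower()
    if not lower.startswith("c:\\windows\\"):
        return reasons                       # heuristics below are tuned for %SystemRoot%
    is_dir = "D" in entry.attrs
    hidden_system = "H" in entry.attrs and "S" in entry.attrs
    name = entry.name
    ext = name[name.rfind("."):].lower() if "." in name else ""
    fresh = (now - entry.timestamp) <= timedelta(days=max_age_days)
    if re.fullmatch(r"\d{6,}", name):
        reasons.append("bare numeric file/folder name")
    if hidden_system and "\\system32\\" in lower:
        reasons.append("hidden+system attributes in System32")
    if not is_dir and entry.company == "" and ext in BINARY_EXTS:
        if "\\drivers\\" in lower:
            reasons.append("kernel driver with no vendor/version information")
        elif fresh:
            reasons.append("recently changed binary with no vendor/version information")
    return reasons


def triage_log(lines, now: datetime, max_age_days: int = 14) -> List[Tuple[str, List[str]]]:
    """Run triage over raw OTL lines; return (path, reasons) for every flagged entry."""
    hits = []
    for line in lines:
        entry = parse_otl_line(line)
        if entry is not None:
            reasons = triage(entry, now, max_age_days)
            if reasons:
                hits.append((entry.path, reasons))
    return hits


# Constructed sample: four lines from the fix list in this thread, three benign lines
# from the same OTL logs for contrast, and one section header the parser must skip.
SAMPLE_LOG = r"""
[2009/12/07 19:26:32 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\1455365501
[2009/12/11 22:15:10 | 00,054,016 | ---- | M] () -- C:\WINDOWS\System32\drivers\boqrtol.sys
[2009/12/11 16:35:28 | 00,000,120 | ---- | M] () -- C:\WINDOWS\Wsululowu.dat
[2009/12/09 08:17:44 | 00,001,295 | -HS- | M] () -- C:\WINDOWS\System32\886909514
[2009/12/11 18:31:53 | 00,048,560 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2009/12/12 15:26:20 | 00,521,766 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/12/11 18:12:48 | 00,538,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Jake\Desktop\OTL.exe
========== Files - Modified Within 14 Days ==========
"""


def triage_sample() -> List[Tuple[str, List[str]]]:
    """Triage the constructed sample as of SCAN_TIME."""
    return triage_log(SAMPLE_LOG.splitlines(), SCAN_TIME)


if __name__ == "__main__":
    for path, reasons in triage_sample():
        print(path, "->", "; ".join(reasons))
```

Running the module prints each flagged path with its reasons; `triage_sample()` returns the same list. The four entries from the fix list are flagged (the `-HS-` numeric file in System32 collects three reasons at once), while the signed avast! driver, the OTL executable outside %SystemRoot% and PerfStringBackup.INI (no version resource, but not a binary extension) are not. Treat the output as a list for a human to check against vendor information and known-good hashes, the way the helper did before writing the fix list above.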


#3 Xenotool

  • Group: Member
  • Posts: 10
  • Joined: 11-December 09

Posted 12 December 2009 - 04:32 PM

Thank you for such a quick reply!


GooredFix by jpshortstuff (06.12.09.1)
Log created at 15:16 on 12/12/2009 (Jake)
Firefox version 3.5.5 (en-US)

========== GooredScan ==========

Deleting HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\\{6F1F1B9B-C4D3-4617-A981-343FB714C18C} -> Success!
Deleting C:\Documents and Settings\Jake\Local Settings\Application Data\{6F1F1B9B-C4D3-4617-A981-343FB714C18C} -> Success!
Deleting HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\\{B6494E47-0413-485E-BF41-6F4CAB786B4A} -> Success!
Deleting C:\Documents and Settings\Administrator\Local Settings\Application Data\{B6494E47-0413-485E-BF41-6F4CAB786B4A} -> Success!

========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [23:44 02/12/2009]

C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\df7g7khm.default\extensions\
{20a82645-c095-46ed-80e3-08825760534b} [00:17 03/12/2009]
{f62a1d7e-0939-4b9b-b57b-a9cc15a76c5b} [02:26 08/12/2009]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [01:13 28/10/2009]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [21:12 29/10/2009]

-=E.O.F=-


OTL logfile created on: 12/12/2009 3:24:01 PM - Run 2
OTL by OldTimer - Version 3.1.16.0 Folder = C:\Documents and Settings\Jake\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.99 Gb Total Physical Memory | 1.51 Gb Available Physical Memory | 75.74% Memory free
3.33 Gb Paging File | 2.93 Gb Available in Paging File | 88.14% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 72.06 Gb Total Space | 57.10 Gb Free Space | 79.24% Space Free | Partition Type: NTFS
Drive D: | 72.05 Gb Total Space | 71.98 Gb Free Space | 99.90% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: XENOTOOL
Current User Name: Jake
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2009/12/11 18:12:57 | 00,538,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jake\Desktop\OTL.exe
PRC - [2009/11/24 16:51:40 | 00,081,000 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashDisp.exe
PRC - [2009/11/24 16:51:35 | 00,138,680 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe
PRC - [2009/11/24 16:51:21 | 00,254,040 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
PRC - [2009/11/24 16:48:48 | 00,352,920 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
PRC - [2009/11/24 16:43:56 | 00,018,752 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
PRC - [2009/11/02 20:23:08 | 00,908,248 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/10/27 18:13:42 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/10/27 18:13:42 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2009/05/26 21:06:32 | 00,079,088 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
PRC - [2009/05/19 11:36:18 | 00,240,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
PRC - [2009/04/27 14:08:42 | 17,881,088 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\RTHDCPL.EXE
PRC - [2009/04/16 16:46:30 | 00,630,784 | ---- | M] (ASUSTeK Computer Inc.) -- C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe
PRC - [2009/04/16 15:58:54 | 00,118,784 | ---- | M] (ASUSTeK Computer Inc.) -- C:\Program Files\EeePC\ACPI\AsTray.exe
PRC - [2009/03/25 07:43:40 | 00,376,832 | ---- | M] (ASUSTeK Computer Inc.) -- C:\Program Files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe
PRC - [2009/03/13 13:15:02 | 00,098,304 | ---- | M] (ASUSTeK Computer Inc.) -- C:\Program Files\EeePC\ACPI\AsEPCMon.exe
PRC - [2009/03/06 01:57:54 | 01,434,920 | ---- | M] (Synaptics Incorporated) -- C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
PRC - [2008/04/14 05:00:00 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/12/19 08:08:12 | 00,159,744 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\hkcmd.exe
PRC - [2007/12/19 08:08:08 | 00,135,168 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxtray.exe
PRC - [2007/12/19 08:07:40 | 00,163,840 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxext.exe
PRC - [2007/12/19 08:07:30 | 00,249,856 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxsrvc.exe
PRC - [2000/05/20 17:23:48 | 00,086,016 | ---- | M] () -- C:\WINDOWS\StartupMonitor.exe


========== Modules (SafeList) ==========

MOD - [2009/12/11 18:12:57 | 00,538,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jake\Desktop\OTL.exe


========== Win32 Services (SafeList) ==========

SRV - [2009/11/24 16:51:35 | 00,138,680 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\ashServ.exe -- (avast! Antivirus)
SRV - [2009/11/24 16:51:21 | 00,254,040 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe -- (avast! Mail Scanner)
SRV - [2009/11/24 16:48:48 | 00,352,920 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe -- (avast! Web Scanner)
SRV - [2009/11/24 16:43:56 | 00,018,752 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe -- (aswUpdSv)
SRV - [2009/10/27 18:13:42 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009/05/19 11:36:18 | 00,240,512 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort)
SRV - [2009/02/06 15:08:58 | 00,533,360 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Live\Family Safety\fsssvc.exe -- (fsssvc)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 08 79 CC 03 52 C8 DA 49 9C 0E 39 0D 09 7D 56 4C [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "about:blank"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {f62a1d7e-0939-4b9b-b57b-a9cc15a76c5b}:1.0

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/12/02 16:44:11 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/12/02 16:44:01 | 00,000,000 | ---D | M]

[2009/12/02 16:44:30 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Jake\Application Data\Mozilla\Extensions
[2009/11/16 21:40:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Jake\Application Data\Mozilla\Extensions\mozswing@mozswing.org
[2009/12/11 14:45:50 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\df7g7khm.default\extensions
[2009/12/09 08:19:13 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\df7g7khm.default\extensions\{f62a1d7e-0939-4b9b-b57b-a9cc15a76c5b}
[2009/12/11 18:29:06 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: (734 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Skype add-on (mastermind)) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Windows Live Toolbar Helper) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (no name) - - No CLSID value found.
O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O4 - HKLM..\Run: [AsusACPIServer] C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe (ASUSTeK Computer Inc.)
O4 - HKLM..\Run: [AsusEPCMonitor] C:\Program Files\EeePC\ACPI\AsEPCMon.exe (ASUSTeK Computer Inc.)
O4 - HKLM..\Run: [AsusTray] C:\Program Files\EeePC\ACPI\AsTray.exe (ASUSTeK Computer Inc.)
O4 - HKLM..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe ()
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [RTHDCPL] C:\WINDOWS\RTHDCPL.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [Run StartupMonitor] C:\WINDOWS\StartupMonitor.exe ()
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [SynAsusAcpi] C:\Program Files\Synaptics\SynTP\SynAsusAcpi.exe (Synaptics Incorporated)
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics Incorporated)
O4 - HKCU..\Run: [Messenger (Yahoo!)] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ SuperHybridEngine.lnk = C:\Program Files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe (ASUSTeK Computer Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1 205.171.3.25
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/04/27 22:03:59 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 14 Days ==========

[2009/12/12 15:19:50 | 00,000,000 | ---D | C] -- C:\_OTL
[2009/12/12 15:16:25 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Jake\Desktop\GooredFix Backups
[2009/12/12 15:15:50 | 00,071,848 | ---- | C] (jpshortstuff) -- C:\Documents and Settings\Jake\Desktop\GooredFix.exe
[2009/12/11 18:31:53 | 00,048,560 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2009/12/11 18:31:53 | 00,027,408 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2009/12/11 18:31:53 | 00,023,120 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2009/12/11 18:31:52 | 00,114,768 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2009/12/11 18:31:52 | 00,097,480 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\AvastSS.scr
[2009/12/11 18:31:52 | 00,094,160 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2009/12/11 18:31:52 | 00,093,424 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2009/12/11 18:31:52 | 00,020,560 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2009/12/11 18:31:25 | 01,280,480 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\aswBoot.exe
[2009/12/11 18:31:22 | 00,000,000 | ---D | C] -- C:\Program Files\Alwil Software
[2009/12/11 18:15:36 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/12/11 18:15:02 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2009/12/11 18:12:48 | 00,538,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Jake\Desktop\OTL.exe
[2009/12/11 17:16:55 | 00,000,000 | RH-D | C] -- C:\Documents and Settings\Jake\Recent
[2009/12/11 16:49:32 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Jake\Local Settings\Application Data\Help
[2009/12/11 16:49:32 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Jake\Application Data\Help
[2009/12/11 16:36:03 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SecTaskMan
[2009/12/11 16:35:50 | 00,000,000 | ---D | C] -- C:\Program Files\Security Task Manager
[2009/12/07 19:40:35 | 00,000,000 | ---D | C] -- C:\Program Files\Essentials Codec Pack
[2009/12/07 19:28:11 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Jake\Application Data\WinRAR
[2009/12/07 19:28:03 | 00,000,000 | -HSD | C] -- C:\WINDOWS\System32\SysWoW32
[2009/12/02 18:03:38 | 00,000,000 | ---D | C] -- C:\Program Files\MSN
[2009/12/02 16:44:08 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Jake\Local Settings\Application Data\Mozilla
[2009/12/02 16:44:00 | 00,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2009/04/27 22:06:50 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2009/04/27 22:06:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2009/04/27 22:03:55 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009/04/27 22:03:55 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft

========== Files - Modified Within 14 Days ==========

[2009/12/12 15:26:20 | 00,521,766 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/12/12 15:26:20 | 00,442,024 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/12/12 15:26:20 | 00,071,810 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/12/12 15:21:04 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/12/12 15:20:45 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/12/12 15:20:17 | 03,407,872 | -H-- | M] () -- C:\Documents and Settings\Jake\NTUSER.DAT
[2009/12/12 15:20:17 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\Jake\ntuser.ini
[2009/12/12 15:15:50 | 00,071,848 | ---- | M] (jpshortstuff) -- C:\Documents and Settings\Jake\Desktop\GooredFix.exe
[2009/12/11 18:31:53 | 00,001,709 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\avast! Antivirus.lnk
[2009/12/11 18:31:52 | 00,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2009/12/11 18:15:04 | 00,000,611 | ---- | M] () -- C:\Documents and Settings\Jake\Desktop\NTREGOPT.lnk
[2009/12/11 18:15:04 | 00,000,592 | ---- | M] () -- C:\Documents and Settings\Jake\Desktop\ERUNT.lnk
[2009/12/11 18:12:57 | 00,538,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jake\Desktop\OTL.exe
[2009/12/10 19:33:35 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/12/10 16:06:41 | 00,000,501 | ---- | M] () -- C:\Documents and Settings\Jake\Desktop\Shortcut to Saved.lnk
[2009/12/10 15:56:45 | 00,000,449 | ---- | M] () -- C:\Documents and Settings\Jake\Desktop\Shortcut to My Music.lnk
[2009/12/09 21:44:20 | 00,264,616 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/12/09 10:01:11 | 00,002,076 | -HS- | M] () -- C:\Documents and Settings\Jake\Application Data\02000000be83f42d716P.manifest
[2009/12/09 08:25:04 | 00,005,609 | -HS- | M] () -- C:\Documents and Settings\Jake\Application Data\02000000be83f42d716C.manifest
[2009/12/09 08:20:32 | 00,000,232 | -HS- | M] () -- C:\Documents and Settings\Jake\Application Data\02000000be83f42d716O.manifest
[2009/12/09 08:17:28 | 00,000,011 | -HS- | M] () -- C:\Documents and Settings\Jake\Application Data\02000000be83f42d716S.manifest
[2009/12/08 19:26:29 | 00,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/12/07 19:40:48 | 00,000,773 | ---- | M] () -- C:\Documents and Settings\Jake\Desktop\Media Player Classic.lnk
[2009/12/07 19:26:32 | 00,203,776 | -HS- | M] () -- C:\WINDOWS\System32\unrar.exe
[2009/12/03 16:14:06 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/12/03 16:13:56 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/12/02 17:38:35 | 00,000,230 | ---- | M] () -- C:\WINDOWS\System32\spupdsvc.inf
[2009/12/02 16:44:14 | 00,000,000 | ---- | M] () -- C:\WINDOWS\nsreg.dat
[2009/12/02 16:44:04 | 00,001,602 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk

========== Files Created - No Company Name ==========

[2009/12/11 18:31:53 | 00,001,709 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\avast! Antivirus.lnk
[2009/12/11 18:31:25 | 00,380,928 | ---- | C] () -- C:\WINDOWS\System32\actskin4.ocx
[2009/12/11 18:15:04 | 00,000,611 | ---- | C] () -- C:\Documents and Settings\Jake\Desktop\NTREGOPT.lnk
[2009/12/11 18:15:04 | 00,000,592 | ---- | C] () -- C:\Documents and Settings\Jake\Desktop\ERUNT.lnk
[2009/12/11 16:20:41 | 00,081,920 | ---- | C] () -- C:\WINDOWS\System32\Startup.cpl
[2009/12/10 16:06:41 | 00,000,501 | ---- | C] () -- C:\Documents and Settings\Jake\Desktop\Shortcut to Saved.lnk
[2009/12/10 15:56:45 | 00,000,449 | ---- | C] () -- C:\Documents and Settings\Jake\Desktop\Shortcut to My Music.lnk
[2009/12/07 19:40:48 | 00,000,773 | ---- | C] () -- C:\Documents and Settings\Jake\Desktop\Media Player Classic.lnk
[2009/12/07 19:26:32 | 00,203,776 | -HS- | C] () -- C:\WINDOWS\System32\unrar.exe
[2009/12/07 19:26:12 | 00,005,609 | -HS- | C] () -- C:\Documents and Settings\Jake\Application Data\02000000be83f42d716C.manifest
[2009/12/07 19:26:12 | 00,002,076 | -HS- | C] () -- C:\Documents and Settings\Jake\Application Data\02000000be83f42d716P.manifest
[2009/12/07 19:26:12 | 00,000,232 | -HS- | C] () -- C:\Documents and Settings\Jake\Application Data\02000000be83f42d716O.manifest
[2009/12/07 19:26:12 | 00,000,011 | -HS- | C] () -- C:\Documents and Settings\Jake\Application Data\02000000be83f42d716S.manifest
[2009/12/02 17:38:35 | 00,000,230 | ---- | C] () -- C:\WINDOWS\System32\spupdsvc.inf
[2009/12/02 16:44:14 | 00,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2009/12/02 16:44:04 | 00,001,602 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2009/10/29 22:13:22 | 00,009,216 | ---- | C] () -- C:\Documents and Settings\Jake\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/10/27 20:38:42 | 00,000,074 | ---- | C] () -- C:\Documents and Settings\Jake\Local Settings\Application Data\FASTWiz.log
[2009/10/27 18:24:44 | 00,000,032 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\ezsid.dat
[2009/10/27 16:12:31 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\Jake\Application Data\wklnhst.dat
[2009/05/05 11:13:43 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2009/05/05 10:16:46 | 00,232,872 | R--- | C] () -- C:\WINDOWS\System32\drivers\SRS_PremiumSound_i386.sys
[2009/05/05 09:03:49 | 00,021,864 | ---- | C] () -- C:\WINDOWS\AsAcpiSvrLang.ini
[2009/05/05 09:03:49 | 00,012,208 | ---- | C] () -- C:\WINDOWS\AsTrayLang.ini
[2009/05/05 08:52:19 | 00,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4906.dll
[2009/04/27 21:51:49 | 00,005,312 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI

========== LOP Check ==========

[2009/11/02 17:28:18 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ableton
[2009/11/25 21:56:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
[2009/12/11 18:34:29 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SecTaskMan
[2009/05/05 09:02:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Wireless LAN Card
[2009/11/02 17:49:07 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Jake\Application Data\Ableton
[2009/12/10 15:57:59 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Jake\Application Data\LimeWire
[2009/11/25 21:55:17 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Jake\Application Data\NCH Swift Sound
[2009/10/28 12:33:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Jake\Application Data\OpenOffice.org
[2009/10/28 20:39:27 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Jake\Application Data\Template

========== Purity Check ==========


< End of report >

#4 Rorschach112

  • Group: Retired Staff
  • Posts: 47,710
  • Joined: 23-March 07

Posted 13 December 2009 - 05:49 AM

hi

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you don't know how to disable them then just continue on.


  • Double click on ComboFix.exe & follow the prompts.


  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot of the ComboFix message]


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.

#5 Xenotool

  • Group: Member
  • Posts: 10
  • Joined: 11-December 09

Posted 14 December 2009 - 01:17 PM

Okay, ty. ComboFix is currently down; I will download and run the program when it is working again.

#6 Rorschach112

  • Group: Retired Staff
  • Posts: 47,710
  • Joined: 23-March 07

Posted 14 December 2009 - 03:41 PM

do this

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any
"<--- ROOTKIT" entries unless advised by a trained Security Analyst.

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is Unchecked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.

Post the contents of GMER.txt in your next reply.

#7 Xenotool

  • Group: Member
  • Posts: 10
  • Joined: 11-December 09

Posted 17 December 2009 - 12:28 PM

Okay....I'm really sorry about this, yesterday the AC adaptor for my netbook shorted, and it will be at least a week until I get a new one. I tried to run the GMER Rootkit scanner but my computer just didn't have the juice. Is this topic going to stay open during the delay or am I going to have to open a new one later? Thanks.

#8 Rorschach112

  • Group: Retired Staff
  • Posts: 47,710
  • Joined: 23-March 07

Posted 17 December 2009 - 05:34 PM

it will stay open, PM me if it doesn't

#9 Rorschach112

  • Group: Retired Staff
  • Posts: 47,710
  • Joined: 23-March 07

Posted 28 December 2009 - 10:08 AM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.

#10 Rorschach112

  • Group: Retired Staff
  • Posts: 47,710
  • Joined: 23-March 07

Posted 08 January 2010 - 07:06 PM

post the logs

#11 Xenotool

  • Group: Member
  • Posts: 10
  • Joined: 11-December 09

Posted 10 January 2010 - 06:03 PM

Tried twice to run GMER; both times it crashed my CPU at approximately the same time. Any suggestions?

#12 Rorschach112

  • Group: Retired Staff
  • Posts: 47,710
  • Joined: 23-March 07

Posted 11 January 2010 - 08:19 AM

try combofix again

#13 Xenotool

  • Group: Member
  • Posts: 10
  • Joined: 11-December 09

Posted 11 January 2010 - 08:20 PM

ComboFix is still down. Ran GMER again today and it crashed going through c:/system volume/restore files.

#14 Xenotool

  • Group: Member
  • Posts: 10
  • Joined: 11-December 09

Posted 11 January 2010 - 09:51 PM

Okay. I re-downloaded ComboFix from bleepingcomputer.com and this time it worked. Here is the log:

ComboFix 10-01-11.01 - Jake 01/11/2010 20:42:58.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2039.1620 [GMT -7:00]
Running from: c:\documents and settings\Jake\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 100111-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Jake\Application Data\02000000be83f42d716C.manifest
c:\documents and settings\Jake\Application Data\02000000be83f42d716O.manifest
c:\documents and settings\Jake\Application Data\02000000be83f42d716P.manifest
c:\documents and settings\Jake\Application Data\02000000be83f42d716S.manifest
c:\documents and settings\Jake\Application Data\Mozilla\Firefox\Profiles\df7g7khm.default\extensions\{f62a1d7e-0939-4b9b-b57b-a9cc15a76c5b}
c:\documents and settings\Jake\Application Data\Mozilla\Firefox\Profiles\df7g7khm.default\extensions\{f62a1d7e-0939-4b9b-b57b-a9cc15a76c5b}\chrome.manifest
c:\documents and settings\Jake\Application Data\Mozilla\Firefox\Profiles\df7g7khm.default\extensions\{f62a1d7e-0939-4b9b-b57b-a9cc15a76c5b}\chrome\xulcache.jar
c:\documents and settings\Jake\Application Data\Mozilla\Firefox\Profiles\df7g7khm.default\extensions\{f62a1d7e-0939-4b9b-b57b-a9cc15a76c5b}\defaults\preferences\xulcache.js
c:\documents and settings\Jake\Application Data\Mozilla\Firefox\Profiles\df7g7khm.default\extensions\{f62a1d7e-0939-4b9b-b57b-a9cc15a76c5b}\install.rdf
c:\recycler\S-1-5-21-783013601-2911902795-2016744192-1003
c:\windows\system32\SysWoW32
c:\windows\system32\SysWoW32\_i1054285888v4
c:\windows\system32\SysWoW32\_i1054285888v5
c:\windows\system32\SysWoW32\_i1054285888v6
c:\windows\system32\SysWoW32\_i1054285888v7
c:\windows\system32\SysWoW32\_u1054285888v0
c:\windows\system32\SysWoW32\_u1054285888v1
c:\windows\system32\SysWoW32\_u1054285888v2
c:\windows\system32\SysWoW32\_u1054285888v3
c:\windows\system32\SysWoW32\mi1054285888v4
c:\windows\system32\SysWoW32\mi1054285888v4.kwd
c:\windows\system32\SysWoW32\mi1054285888v5
c:\windows\system32\SysWoW32\mi1054285888v5.kwd
c:\windows\system32\SysWoW32\mi1054285888v6
c:\windows\system32\SysWoW32\mi1054285888v6.kwd
c:\windows\system32\SysWoW32\mi1054285888v7
c:\windows\system32\SysWoW32\mi1054285888v7.kwd
c:\windows\system32\SysWoW32\wu1054285888v0
c:\windows\system32\SysWoW32\wu1054285888v0.kwd
c:\windows\system32\SysWoW32\wu1054285888v1
c:\windows\system32\SysWoW32\wu1054285888v1.kwd
c:\windows\system32\SysWoW32\wu1054285888v2
c:\windows\system32\SysWoW32\wu1054285888v2.kwd
c:\windows\system32\SysWoW32\wu1054285888v3
c:\windows\system32\SysWoW32\wu1054285888v3.kwd
c:\windows\system32\Thumbs.db
c:\windows\system32\unrar.exe

.
((((((((((((((((((((((((( Files Created from 2009-12-12 to 2010-01-12 )))))))))))))))))))))))))))))))
.

2010-01-12 03:34 . 2010-01-12 03:34 398521 ----a-w- c:\windows\1005HA-ASUS-1203.zip
2010-01-12 00:32 . 2010-01-12 01:18 -------- d-----w- c:\documents and settings\Jake\dwhelper

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-11 05:35 . 2009-10-28 01:17 -------- d-----w- c:\documents and settings\Jake\Application Data\Skype
2010-01-11 05:35 . 2009-11-17 04:39 -------- d-----w- c:\documents and settings\Jake\Application Data\LimeWire
2010-01-11 01:54 . 2009-10-28 01:24 -------- d-----w- c:\documents and settings\Jake\Application Data\skypePM
2009-12-13 01:04 . 2009-12-13 01:04 -------- d-----w- c:\documents and settings\Jake\Application Data\Media Player Classic
2009-12-12 22:56 . 2009-12-11 23:36 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan
2009-12-12 01:31 . 2009-12-12 01:31 -------- d-----w- c:\program files\Alwil Software
2009-12-12 01:23 . 2009-05-05 16:40 -------- d-----w- c:\program files\Norton Internet Security
2009-12-12 01:22 . 2009-11-04 00:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-12-12 01:15 . 2009-12-12 01:15 -------- d-----w- c:\program files\ERUNT
2009-12-11 23:49 . 2009-12-11 23:35 -------- d-----w- c:\program files\Security Task Manager
2009-12-11 23:20 . 2009-12-11 23:20 1078 ----a-r- c:\documents and settings\Jake\Application Data\Microsoft\Installer\{76EFAC4F-1712-401F-B2AE-590B170C9BCE}\_60c11ac7.exe
2009-12-11 02:34 . 2009-11-04 00:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-11 02:00 . 2009-11-04 00:09 64008 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-08 02:40 . 2009-12-08 02:40 -------- d-----w- c:\program files\Essentials Codec Pack
2009-12-03 23:14 . 2009-11-04 00:20 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 23:13 . 2009-11-04 00:20 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-03 18:07 . 2009-10-28 19:33 1 ----a-w- c:\documents and settings\Jake\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-12-02 23:44 . 2009-12-02 23:44 0 ----a-w- c:\windows\nsreg.dat
2009-12-02 20:45 . 2009-11-10 14:32 -------- d-----w- c:\documents and settings\Jake\Application Data\U3
2009-11-26 04:57 . 2009-11-26 04:57 -------- d-----w- c:\program files\NCH Software
2009-11-26 04:56 . 2009-11-26 04:56 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound
2009-11-26 04:55 . 2009-11-26 04:55 -------- d-----w- c:\program files\NCH Swift Sound
2009-11-26 04:55 . 2009-11-26 04:55 -------- d-----w- c:\documents and settings\Jake\Application Data\NCH Swift Sound
2009-11-24 23:54 . 2009-12-12 01:31 1280480 ----a-w- c:\windows\system32\aswBoot.exe
2009-11-24 23:51 . 2009-12-12 01:31 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-11-24 23:50 . 2009-12-12 01:31 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-11-24 23:50 . 2009-12-12 01:31 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-11-24 23:50 . 2009-12-12 01:31 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-11-24 23:49 . 2009-12-12 01:31 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-11-24 23:48 . 2009-12-12 01:31 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-11-24 23:47 . 2009-12-12 01:31 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-11-24 23:47 . 2009-12-12 01:31 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-11-18 04:37 . 2009-11-18 04:37 -------- d-----w- c:\program files\WinSCP
2009-11-16 21:55 . 2009-11-16 21:54 -------- d-----w- c:\program files\LimeWire
2009-11-01 21:33 . 2009-10-28 10:32 64008 ----a-w- c:\documents and settings\Jake\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-30 03:39 . 2009-10-30 03:39 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-10-29 03:22 . 2009-04-28 05:03 76487 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-10-28 01:24 . 2009-10-28 01:24 32 ----a-w- c:\documents and settings\All Users\Application Data\ezsid.dat
2009-10-28 01:13 . 2009-10-28 01:13 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-28 01:13 . 2009-10-28 01:13 152576 ----a-w- c:\documents and settings\Jake\Application Data\Sun\Java\jre1.6.0_16\lzma.dll
2009-10-27 23:12 . 2009-10-27 23:12 0 ----a-w- c:\documents and settings\Jake\Application Data\wklnhst.dat
2009-10-21 05:38 . 2009-04-28 04:51 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2009-04-28 04:51 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2008-04-14 00:23 265728 ----a-w- c:\windows\system32\drivers\http.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-19 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]
"RTHDCPL"="RTHDCPL.EXE" [2009-04-27 17881088]
"AsusACPIServer"="c:\program files\EeePC\ACPI\AsAcpiSvr.exe" [2009-04-16 630784]
"AsusEPCMonitor"="c:\program files\EeePC\ACPI\AsEPCMon.exe" [2009-03-13 98304]
"AsusTray"="c:\program files\EeePC\ACPI\AsTray.exe" [2009-04-16 118784]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-03-06 1434920]
"SynAsusAcpi"="c:\program files\Synaptics\SynTP\SynAsusAcpi.exe" [2009-03-06 79144]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-28 149280]
"Run StartupMonitor"="StartupMonitor.exe" [2000-05-21 86016]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
SuperHybridEngine.lnk - c:\program files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe [2009-5-5 376832]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-10-10 23:51 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2009-02-06 22:51 3885408 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [12/11/2009 6:31 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/11/2009 6:31 PM 20560]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [5/5/2009 9:39 AM 55152]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [4/27/2009 6:59 PM 38912]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [5/5/2009 9:00 AM 1684736]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2/6/2009 3:08 PM 533360]
S3 SRS_PremiumSound_Service;SRS Labs Premium Sound;c:\windows\system32\drivers\SRS_PremiumSound_i386.sys [5/5/2009 10:16 AM 232872]
S3 uvclf;uvclf;c:\windows\system32\drivers\uvclf.sys [3/16/2009 2:27 PM 39040]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ATAPI
*NewlyCreated* - PCIIDE
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://win.eeedownload.asus.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\documents and settings\Jake\Application Data\Mozilla\Firefox\Profiles\df7g7khm.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - about:blank
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-11 20:47
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-01-11 20:48:56
ComboFix-quarantined-files.txt 2010-01-12 03:48

Pre-Run: 61,220,556,800 bytes free
Post-Run: 61,188,886,528 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 96FF8295FE1C4882202D7CF46DC15282
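
The OTL listing earlier in the thread and the "Other Deletions" section of the ComboFix log above point at the same artefacts: a hidden+system SysWoW32 folder under System32 (a name that mimics the SysWOW64 folder, which exists only on 64-bit Windows, on a 32-bit XP Home machine), four hidden+system .manifest files in the user's Application Data, and a hidden+system unrar.exe in System32 with no company name. The Python script below is an added example, not a tool from this thread or from the OTL or ComboFix authors: it parses OTL-style file-listing lines and applies those three observations as triage heuristics so that entries like these surface without reading every line. The sample lines are copied from the OTL log above; the heuristics themselves and the BINARY_EXT list are my own assumptions, chosen to match what this thread shows.

```python
"""Triage helper for OTL-style file listings (added example, not from the thread)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One OTL listing line, e.g. (directory lines carry no "(company)" field):
# [2009/12/07 19:26:12 | 00,005,609 | -HS- | C] () -- C:\...\02000000be83f42d716C.manifest
# [2009/12/07 19:28:03 | 00,000,000 | -HSD | C] -- C:\WINDOWS\System32\SysWoW32
OTL_LINE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attr>[-A-Z]{4}) \| (?P<event>[CM])\] "
    r"(?:\((?P<company>[^)]*)\) )?-- (?P<path>.+?)\s*$"
)

# Extensions treated as "binaries" by the third heuristic (assumption, not an OTL rule).
BINARY_EXT = (".exe", ".dll", ".sys", ".ocx", ".scr", ".cpl")


@dataclass
class OtlEntry:
    timestamp: str
    size: int
    readonly: bool
    hidden: bool
    system: bool
    is_dir: bool
    created: bool          # True for a "C" (created) line, False for "M" (modified)
    company: str           # empty when OTL found no company name in the version info
    path: str


def parse_otl_line(line: str) -> Optional[OtlEntry]:
    """Return an OtlEntry for a file/folder listing line, or None for anything else."""
    m = OTL_LINE.match(line.strip())
    if not m:
        return None
    attr = m.group("attr")  # four flag positions: R(eadonly), H(idden), S(ystem), D(irectory)
    return OtlEntry(
        timestamp=m.group("ts"),
        size=int(m.group("size").replace(",", "")),
        readonly=attr[0] == "R",
        hidden=attr[1] == "H",
        system=attr[2] == "S",
        is_dir=attr[3] == "D",
        created=m.group("event") == "C",
        company=(m.group("company") or "").strip(),
        path=m.group("path"),
    )


def triage_entry(e: OtlEntry) -> List[str]:
    """Heuristic reasons an analyst should look twice at this entry (empty list = nothing odd)."""
    reasons: List[str] = []
    p = e.path.lower()
    in_appdata = "\\application data\\" in p
    in_system32 = "\\system32\\" in p
    if e.hidden and e.system and in_appdata:
        reasons.append("hidden+system object inside a user's Application Data")
    if e.hidden and e.system and in_system32:
        reasons.append("hidden+system object under System32")
    if (not e.is_dir and p.endswith(BINARY_EXT) and not e.company
            and p.startswith("c:\\windows\\")):
        reasons.append("binary under the Windows directory with no company name in its version info")
    return reasons


def triage_log(text: str) -> Dict[str, List[str]]:
    """Map every flagged path in an OTL report to the reasons it was flagged."""
    findings: Dict[str, List[str]] = {}
    for line in text.splitlines():
        entry = parse_otl_line(line)
        if entry is None:
            continue
        reasons = triage_entry(entry)
        if reasons:
            # The same path can appear in both the Created and the Modified sections.
            bucket = findings.setdefault(entry.path, [])
            for r in reasons:
                if r not in bucket:
                    bucket.append(r)
    return findings


# Sample input: lines copied from the OTL log in this thread (one benign driver and one
# benign profile folder included so the heuristics have something to ignore).
SAMPLE_LOG = r"""
[2009/12/11 18:31:53 | 00,048,560 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2009/12/11 17:16:55 | 00,000,000 | RH-D | C] -- C:\Documents and Settings\Jake\Recent
[2009/12/07 19:28:03 | 00,000,000 | -HSD | C] -- C:\WINDOWS\System32\SysWoW32
[2009/12/07 19:26:32 | 00,203,776 | -HS- | C] () -- C:\WINDOWS\System32\unrar.exe
[2009/12/07 19:26:12 | 00,005,609 | -HS- | C] () -- C:\Documents and Settings\Jake\Application Data\02000000be83f42d716C.manifest
[2009/12/12 15:20:17 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\Jake\ntuser.ini
[2009/12/07 19:26:32 | 00,203,776 | -HS- | M] () -- C:\WINDOWS\System32\unrar.exe
"""

if __name__ == "__main__":
    for path, why in triage_log(SAMPLE_LOG).items():
        print(path)
        for r in why:
            print("   -", r)
```

The heuristics produce candidates, not verdicts. Run over the full OTL log above, the third rule would also flag actskin4.ocx in System32, but its creation time (18:31:25) is the same second as aswBoot.exe from ALWIL Software, which is how an analyst dismisses it as part of the avast install; the three entries the script does single out from the sample are exactly the ones ComboFix later removed.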

#15 Rorschach112

  • Group: Retired Staff
  • Posts: 47,710
  • Joined: 23-March 07

Posted 12 January 2010 - 08:28 AM

Recognise this file?

c:\windows\1005HA-ASUS-1203.zip


Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job.
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

Please download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on the Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases

  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

