
Windows Update not working and Search Engine hijacked [Solved]


#1 Babine (Member, 58 posts)

I have recently been struck with the redirecting virus (yet to be solved...), and my computer had alerted me that I needed to do an update. So I followed all the steps like the normal routine, but in the end, no installation took place. I went to Google my problem and tried to manually download the updates from the Microsoft update website, but just my luck, all of the Microsoft websites containing the term "windows updates" don't work... I'm using Firefox and it says "Problem loading page". What's even weirder is that when I Google the term "windows updates" together, without a space, it doesn't work either. I am brought to the "Problem loading page" screen. Even as I type this, if I include the term windows updates together without a space, it will not let me post; it brings me to the Problem loading page.

I do not know if this is in any way related to the hijacked search engines, but it's really bugging me, and I am really unsure now of when exactly my last successful update took place, ergo causing problems for the computer... I also recently got rid of the Antivirus Suite spyware, but with no luck in taking the hijacked stuff away... Any help or advice would be GREATLY appreciated!

I have run MBAM, and the logs for GMER and OTL are below.

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3947

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

4/4/2010 11:03:55 AM
mbam-log-2010-04-04 (11-03-55).txt

Scan type: Quick scan
Objects scanned: 107925
Time elapsed: 2 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



OTL logfile created on: 4/4/2010 4:34:56 PM - Run 1
OTL by OldTimer - Version 3.2.1.0 Folder = C:\Documents and Settings\Henry\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 74.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 89.00% Paging File free
Paging file location(s): c:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 298.09 Gb Total Space | 277.11 Gb Free Space | 92.96% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: HENRYLAU
Current User Name: Henry
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/04/04 11:23:39 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Henry\Desktop\OTL.exe
PRC - [2010/03/19 10:49:20 | 000,144,672 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
PRC - [2010/03/09 03:24:10 | 002,769,336 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast5\AvastUI.exe
PRC - [2010/03/09 03:24:08 | 000,040,384 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
PRC - [2009/11/22 15:44:16 | 002,384,240 | ---- | M] (Check Point Software Technologies LTD) -- C:\WINDOWS\system32\ZoneLabs\vsmon.exe
PRC - [2009/11/22 15:42:50 | 001,037,192 | ---- | M] (Check Point Software Technologies LTD) -- C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
PRC - [2009/10/26 21:42:42 | 000,718,232 | ---- | M] (Pelmorex Media Inc.) -- C:\Documents and Settings\Henry\Local Settings\Application Data\TheWeatherNetwork\WeatherEye\WeatherEye.exe
PRC - [2009/05/27 03:27:04 | 029,262,680 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
PRC - [2009/02/06 17:07:48 | 000,027,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Contacts\wlcomm.exe
PRC - [2008/11/24 22:31:12 | 000,087,904 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
PRC - [2008/11/24 22:31:08 | 000,239,968 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
PRC - [2008/04/14 05:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (SafeList) ==========

MOD - [2010/04/04 11:23:39 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Henry\Desktop\OTL.exe


========== Win32 Services (SafeList) ==========

SRV - [2010/03/19 10:49:20 | 000,144,672 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2010/03/09 03:24:08 | 000,040,384 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Web Scanner)
SRV - [2010/03/09 03:24:08 | 000,040,384 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Mail Scanner)
SRV - [2010/03/09 03:24:08 | 000,040,384 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
SRV - [2009/11/22 15:44:16 | 002,384,240 | ---- | M] (Check Point Software Technologies LTD) [Auto | Running] -- C:\WINDOWS\System32\ZoneLabs\vsmon.exe -- (vsmon)
SRV - [2009/05/27 03:27:04 | 029,262,680 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe -- (MSSQL$SQLEXPRESS) SQL Server (SQLEXPRESS)
SRV - [2008/11/24 22:31:12 | 000,087,904 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe -- (SQLWriter)
SRV - [2008/11/24 22:31:08 | 000,239,968 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe -- (SQLBrowser)
SRV - [2008/11/24 22:31:08 | 000,045,408 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe -- (MSSQLServerADHelper)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.eset.com/online-scanner#
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Wikipedia (en)"
FF - prefs.js..browser.startup.homepage: "www.sympatico.msn.ca"
FF - prefs.js..extensions.enabledItems: SkipScreen@SkipScreen:0.4.7amo
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: [email protected]:3.76
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: {9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e}:3.76

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/02 14:13:44 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/02 14:13:44 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Thunderbird\Extensions\\[email protected]: C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird

[2009/10/11 20:47:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Henry\Application Data\Mozilla\Extensions
[2009/10/11 20:47:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Henry\Application Data\Mozilla\Extensions\[email protected]
[2010/04/03 23:06:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Henry\Application Data\Mozilla\Firefox\Profiles\4ovd82lm.default\extensions
[2009/09/02 07:44:34 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Henry\Application Data\Mozilla\Firefox\Profiles\4ovd82lm.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/04/03 19:44:27 | 000,000,000 | ---D | M] (Noia 2.0 (eXtreme)) -- C:\Documents and Settings\Henry\Application Data\Mozilla\Firefox\Profiles\4ovd82lm.default\extensions\{9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e}
[2010/04/03 19:44:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Henry\Application Data\Mozilla\Firefox\Profiles\4ovd82lm.default\extensions\[email protected]
[2010/04/03 19:44:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Henry\Application Data\Mozilla\Firefox\Profiles\4ovd82lm.default\extensions\SkipScreen@SkipScreen
[2009/11/12 18:55:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Henry\Application Data\Mozilla\Sunbird\Profiles\srg3s7iq.default\extensions
[2010/04/03 23:06:09 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/04/04 16:25:57 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\[email protected]
[2010/04/03 23:06:01 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\[email protected]

O1 HOSTS File: ([2010/04/02 15:53:34 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No CLSID value found.
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\AvastUI.exe (ALWIL Software)
O4 - HKLM..\Run: [ZoneAlarm Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe (Check Point Software Technologies LTD)
O4 - HKCU..\Run: [WeatherEye] C:\Documents and Settings\Henry\Local Settings\Application Data\TheWeatherNetwork\WeatherEye\WeatherEye.exe (Pelmorex Media Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Advanced\Folder\Hidden\SHOWALL: CheckedValue = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Advanced\Folder\Hidden\SHOWALL: CheckedValue = 1
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft....k/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onec...lscbase6087.cab (Windows Live Safety Center Base Module)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.ma...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 64.59.144.90 64.59.144.91
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Henry\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Henry\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/02/03 04:50:11 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2009/08/22 15:15:49 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\system32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (17183584330711040)

========== Files/Folders - Created Within 14 Days ==========

[2010/04/04 11:10:59 | 000,019,024 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2010/04/04 11:10:58 | 000,162,640 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2010/04/04 11:10:57 | 000,023,376 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2010/04/04 11:10:56 | 000,046,672 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2010/04/04 11:10:55 | 000,100,432 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2010/04/04 11:10:55 | 000,094,800 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2010/04/04 11:10:54 | 000,028,880 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2010/04/04 11:10:46 | 000,153,184 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\aswBoot.exe
[2010/04/04 11:10:46 | 000,038,848 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\avastSS.scr
[2010/04/04 11:10:44 | 000,000,000 | ---D | C] -- C:\Program Files\Alwil Software
[2010/04/04 11:10:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2010/04/04 11:00:09 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/04/03 23:31:43 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\CatRoot2
[2010/04/03 23:00:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Henry\My Documents\ForceField Shared Files
[2010/04/03 23:00:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Henry\Application Data\CheckPoint
[2010/04/03 23:00:50 | 000,000,000 | ---D | C] -- C:\Program Files\CheckPoint
[2010/04/03 23:00:44 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\ZoneLabs
[2010/04/03 23:00:43 | 000,000,000 | ---D | C] -- C:\Program Files\Zone Labs
[2010/04/03 23:00:16 | 000,000,000 | ---D | C] -- C:\WINDOWS\Internet Logs
[2010/04/03 22:59:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Henry\Desktop\Anti-Virus
[2010/04/03 22:55:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Henry\My Documents\Simply Super Software
[2010/04/03 22:43:05 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/04/03 22:03:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Henry\Local Settings\Application Data\Graboid_Inc
[2010/04/03 22:03:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Henry\Application Data\MozillaControl
[2010/04/03 22:03:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Henry\Local Settings\Application Data\Graboid
[2010/04/03 22:01:45 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla ActiveX Control v1.7.12
[2010/04/03 21:58:55 | 000,000,000 | ---D | C] -- C:\Program Files\Graboid
[2010/04/03 20:31:02 | 000,000,000 | ---D | C] -- C:\Program Files\SpywareBlaster
[2010/04/03 17:21:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\AdobeUM
[2010/04/03 17:20:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2010/04/02 18:45:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\iklphushm
[2010/04/02 15:52:17 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2010/04/02 15:21:15 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/04/02 15:17:05 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/04/02 15:17:05 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/04/02 15:17:05 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/04/02 15:17:05 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/04/02 15:16:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/04/02 15:11:53 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/04/02 15:07:04 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010/04/02 15:07:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/04/02 15:06:39 | 000,000,000 | ---D | C] -- C:\Program Files\Sun
[2010/04/02 15:01:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\qsexfthui
[2010/04/02 14:23:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2010/04/02 14:23:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/04/02 13:36:40 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/02 13:36:38 | 000,020,824 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/02 13:36:38 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/04/01 23:30:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Henry\Local Settings\Application Data\ESET
[2010/04/01 22:59:39 | 000,050,376 | ---- | C] (Prevx) -- C:\WINDOWS\System32\drivers\pxrts.sys
[2010/04/01 22:59:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PrevxCSI
[2010/04/01 21:10:22 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Live Safety Center
[2010/04/01 21:05:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\ESET
[2010/04/01 20:58:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\ESET
[2010/04/01 18:57:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Henry\Local Settings\Application Data\WMTools Downloaded Files
[2010/04/01 18:47:48 | 000,000,000 | R--D | C] -- C:\Documents and Settings\All Users\Documents\My Videos
[2010/04/01 18:38:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Henry\Desktop\Soft Product
[2010/03/31 21:17:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2010/03/31 20:41:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2010/03/31 20:08:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2010/03/31 19:57:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2010/03/31 18:02:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/03/30 17:39:54 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2010/03/30 17:39:50 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2010/03/30 17:39:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2010/03/30 17:37:38 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2010/03/30 17:35:45 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2010/02/12 18:19:45 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009/08/28 14:52:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2009/02/03 04:50:09 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[1 C:\Documents and Settings\Henry\My Documents\*.tmp files -> C:\Documents and Settings\Henry\My Documents\*.tmp -> ]

========== Files - Modified Within 14 Days ==========

[2010/04/04 16:32:29 | 004,456,448 | ---- | M] () -- C:\Documents and Settings\Henry\ntuser.dat
[2010/04/04 16:21:06 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/04/04 16:20:44 | 000,012,598 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/04/04 16:20:27 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/04/04 11:10:55 | 000,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010/04/04 10:55:35 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Henry\ntuser.ini
[2010/04/03 23:07:38 | 000,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/04/03 23:02:21 | 004,839,310 | -H-- | M] () -- C:\Documents and Settings\Henry\Local Settings\Application Data\IconCache.db
[2010/04/03 23:01:25 | 000,422,437 | ---- | M] () -- C:\WINDOWS\System32\vsconfig.xml
[2010/04/03 23:00:49 | 000,004,212 | -H-- | M] () -- C:\WINDOWS\System32\zllictbl.dat
[2010/04/03 22:18:24 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/04/03 22:01:29 | 000,000,719 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\VLC media player.lnk
[2010/04/03 21:01:34 | 000,022,528 | ---- | M] () -- C:\Documents and Settings\Henry\My Documents\11th Hour Movie CritiqueHenry Lau.doc
[2010/04/02 16:40:52 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/04/02 15:53:34 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/04/02 15:21:18 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/04/02 14:52:00 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/04/02 13:12:29 | 000,016,384 | ---- | M] () -- C:\Documents and Settings\Henry\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/04/02 11:27:09 | 000,015,344 | -HS- | M] () -- C:\Documents and Settings\Henry\Local Settings\Application Data\LK2mfPE2j
[2010/04/02 11:27:09 | 000,015,344 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\LK2mfPE2j
[2010/04/02 11:25:03 | 000,182,784 | -HS- | M] () -- C:\Documents and Settings\Henry\Local Settings\Application Data\2927340765.dll
[2010/04/01 22:59:39 | 000,050,376 | ---- | M] (Prevx) -- C:\WINDOWS\System32\drivers\pxrts.sys
[2010/03/31 23:07:29 | 000,030,208 | ---- | M] () -- C:\Documents and Settings\Henry\My Documents\Chapter 5 QuestionsHenry Lau.doc
[2010/03/30 17:37:54 | 000,001,604 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
[2010/03/29 16:53:01 | 007,494,865 | ---- | M] () -- C:\Documents and Settings\Henry\My Documents\ApprenticeWorkbook.pdf
[2010/03/29 15:24:58 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/03/29 15:24:46 | 000,020,824 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/03/28 15:31:51 | 000,034,816 | ---- | M] () -- C:\Documents and Settings\Henry\My Documents\Geometry workbook answers.doc
[2010/03/22 21:38:26 | 000,000,573 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/03/21 22:50:37 | 000,025,088 | ---- | M] () -- C:\Documents and Settings\Henry\My Documents\A Green Paradise.doc
[2010/03/21 21:25:09 | 000,023,040 | ---- | M] () -- C:\Documents and Settings\Henry\My Documents\March 21.doc
[2010/03/21 20:23:48 | 000,140,415 | ---- | M] () -- C:\Documents and Settings\Henry\Desktop\242_1024x768-wallpaper-cb1267710607.jpg
[2010/03/21 20:19:14 | 000,027,136 | ---- | M] () -- C:\Documents and Settings\Henry\My Documents\C5V4.doc
[1 C:\Documents and Settings\Henry\My Documents\*.tmp files -> C:\Documents and Settings\Henry\My Documents\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/04/03 23:00:49 | 000,004,212 | -H-- | C] () -- C:\WINDOWS\System32\zllictbl.dat
[2010/04/03 23:00:43 | 000,422,437 | ---- | C] () -- C:\WINDOWS\System32\vsconfig.xml
[2010/04/03 22:55:46 | 000,153,088 | ---- | C] () -- C:\WINDOWS\System32\UNRAR3.dll
[2010/04/03 22:55:46 | 000,075,264 | ---- | C] () -- C:\WINDOWS\System32\unacev2.dll
[2010/04/03 22:01:29 | 000,000,719 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\VLC media player.lnk
[2010/04/02 22:37:00 | 000,022,528 | ---- | C] () -- C:\Documents and Settings\Henry\My Documents\11th Hour Movie CritiqueHenry Lau.doc
[2010/04/02 16:40:52 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/04/02 15:21:18 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/04/02 15:21:16 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/04/02 15:17:05 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/04/02 15:17:05 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/04/02 15:17:05 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/04/02 15:17:05 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/04/02 11:25:03 | 000,182,784 | -HS- | C] () -- C:\Documents and Settings\Henry\Local Settings\Application Data\2927340765.dll
[2010/04/02 11:23:46 | 000,015,344 | -HS- | C] () -- C:\Documents and Settings\Henry\Local Settings\Application Data\LK2mfPE2j
[2010/04/02 11:23:46 | 000,015,344 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\LK2mfPE2j
[2010/03/31 21:03:41 | 000,030,208 | ---- | C] () -- C:\Documents and Settings\Henry\My Documents\Chapter 5 QuestionsHenry Lau.doc
[2010/03/30 17:40:31 | 000,002,137 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/03/30 17:37:54 | 000,001,604 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
[2010/03/29 16:53:01 | 007,494,865 | ---- | C] () -- C:\Documents and Settings\Henry\My Documents\ApprenticeWorkbook.pdf
[2010/03/28 18:18:59 | 003,482,145 | ---- | C] () -- C:\Documents and Settings\Henry\Desktop\New Radicals - Someday We'll Know.mp3
[2010/03/28 15:31:50 | 000,034,816 | ---- | C] () -- C:\Documents and Settings\Henry\My Documents\Geometry workbook answers.doc
[2010/03/21 22:50:37 | 000,025,088 | ---- | C] () -- C:\Documents and Settings\Henry\My Documents\A Green Paradise.doc
[2010/03/21 21:25:08 | 000,023,040 | ---- | C] () -- C:\Documents and Settings\Henry\My Documents\March 21.doc
[2010/03/21 20:23:54 | 000,140,415 | ---- | C] () -- C:\Documents and Settings\Henry\Desktop\242_1024x768-wallpaper-cb1267710607.jpg
[2010/03/21 20:17:13 | 000,027,136 | ---- | C] () -- C:\Documents and Settings\Henry\My Documents\C5V4.doc
[2010/02/21 22:53:25 | 000,000,589 | ---- | C] () -- C:\Documents and Settings\Henry\mbr.log
[2010/02/21 22:10:25 | 000,000,048 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2010/02/01 14:12:31 | 000,012,686 | -HS- | C] () -- C:\Documents and Settings\Henry\Local Settings\Application Data\u1ly73
[2009/12/15 17:13:21 | 000,012,098 | ---- | C] () -- C:\Documents and Settings\Henry\hs_err_pid3928.log
[2009/12/11 02:37:56 | 000,536,576 | ---- | C] () -- C:\WINDOWS\System32\crash_report.dll
[2009/09/22 10:57:45 | 000,000,028 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/08/22 22:33:01 | 004,456,448 | ---- | C] () -- C:\Documents and Settings\Henry\ntuser.dat
[2009/08/22 20:45:40 | 000,000,075 | ---- | C] () -- C:\Documents and Settings\Henry\Local Settings\Application Data\FASTWiz.log
[2009/08/22 18:49:27 | 000,016,384 | ---- | C] () -- C:\Documents and Settings\Henry\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/08/21 21:13:00 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\Henry\ntuser.dat.LOG
[2009/08/21 21:13:00 | 000,000,178 | -HS- | C] () -- C:\Documents and Settings\Henry\ntuser.ini
[2009/08/21 21:12:49 | 000,262,144 | ---- | C] () -- C:\Documents and Settings\All Users\NTUSER.DAT
[2009/08/21 21:12:49 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\All Users\NTUSER.DAT.LOG
[2009/08/19 18:23:26 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2009/02/03 05:13:31 | 000,003,972 | ---- | C] () -- C:\WINDOWS\System32\drivers\PciBus.sys
[2009/02/03 05:09:03 | 000,147,456 | R--- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4864.dll
[2009/01/21 11:53:37 | 000,001,466 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[1996/04/03 12:33:26 | 000,005,248 | ---- | C] () -- C:\WINDOWS\System32\giveio.sys

========== LOP Check ==========

[2010/04/04 11:10:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2009/08/22 23:04:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Azureus
[2010/04/01 20:58:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ESET
[2010/04/01 22:59:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PrevxCSI
[2010/02/01 18:16:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/03/30 17:40:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2009/09/11 16:41:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/08/21 21:28:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2009/08/23 08:16:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Henry\Application Data\Azureus
[2010/04/03 23:00:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Henry\Application Data\CheckPoint
[2010/03/14 17:58:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Henry\Application Data\LimeWire

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2008/04/14 05:00:00 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2008/04/14 05:00:00 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ERDNT\cache\agp440.sys
[2008/04/14 05:00:00 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

< MD5 for: ATAPI.SYS >
[2008/04/14 05:00:00 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2010/04/03 21:08:52 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2010/02/10 17:16:00 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2010/04/03 21:08:52 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/14 05:00:00 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ERDNT\cache\eventlog.dll
[2008/04/14 05:00:00 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\dllcache\eventlog.dll
[2008/04/14 05:00:00 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/14 05:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ERDNT\cache\netlogon.dll
[2008/04/14 05:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\dllcache\netlogon.dll
[2008/04/14 05:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: SCECLI.DLL >
[2008/04/14 05:00:00 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ERDNT\cache\scecli.dll
[2008/04/14 05:00:00 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\dllcache\scecli.dll
[2008/04/14 05:00:00 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2009/08/22 15:19:32 | 000,262,144 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2009/08/22 22:13:59 | 000,262,144 | ---- | M] () -- C:\WINDOWS\system32\config\security.sav
[2009/08/22 15:19:32 | 017,563,648 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2009/08/22 15:19:33 | 004,456,448 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

========== Alternate Data Streams ==========

@Alternate Data Stream - 143 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:8C35AEA7
@Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
@Alternate Data Stream - 103 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
< End of report >




GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-04 16:14:51
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Henry\LOCALS~1\Temp\fwrcipob.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwAssignProcessToJobObject [0xA802E464]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xA80FDC56]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwConnectPort [0xA822E630]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateFile [0xA8227D80]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xA80FDB12]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreatePort [0xA822EE40]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwCreateThread [0xA802E49E]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0xA822EFB0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteFile [0xA8228C60]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwDeleteKey [0xA802E290]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwDeleteValueKey [0xA802E302]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xA80FD6E8]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey [0xA824E080]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0xA824E2B0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenFile [0xA8228750]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xA80FDBEC]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwOpenProcess [0xA802E7B2]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwOpenThread [0xA802E68E]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwProtectVirtualMemory [0xA802E52A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xA80FDD0C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRenameKey [0xA80FE194]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwReplaceKey [0xA824EA40]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0xA822E180]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xA80FDCCC]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwSetContextThread [0xA802E426]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0xA8229080]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetSecurityObject [0xA824F8E0]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwSetValueKey [0xA802E38E]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xA81C1320]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwTerminateThread [0xA802E5AE]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwWriteVirtualMemory [0xA802E5E6]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0xA810A45C]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

Device \FileSystem\Fastfat \FatCdrom aswSP.SYS (avast! self protection module/ALWIL Software)
Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \FileSystem\Fastfat \Fat aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

Device -> \Driver\atapi \Device\Harddisk0\DR0 89A52AC8

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
#2 azarl (GeekU Admin, Community Leader, 25,310 posts)
Hi

Welcome to Geekstogo. I'll be helping you with this problem.

  • Please read all of my response through at least once before attempting to follow the procedures described. I would recommend printing them out, if you can, as you can check off each step as you complete it. If there's anything you don't understand or isn't totally clear, please come back to me for clarification.

  • Please do not attach any log files to your replies unless I specifically ask you. Instead please copy and paste so as to include the log in your reply. You can do this in separate posts if it's easier for you.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.


#3 Babine (Member, Topic Starter, 58 posts)
Thanks so much for helping Azarl!

Here is the log as requested.

11:15:46:000 2696 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
11:15:46:000 2696 ================================================================================
11:15:46:000 2696 SystemInfo:

11:15:46:000 2696 OS Version: 5.1.2600 ServicePack: 3.0
11:15:46:000 2696 Product type: Workstation
11:15:46:000 2696 ComputerName: HENRYLAU
11:15:46:000 2696 UserName: Henry
11:15:46:000 2696 Windows directory: C:\WINDOWS
11:15:46:000 2696 Processor architecture: Intel x86
11:15:46:000 2696 Number of processors: 2
11:15:46:000 2696 Page size: 0x1000
11:15:46:000 2696 Boot type: Normal boot
11:15:46:000 2696 ================================================================================
11:15:46:000 2696 UnloadDriverW: NtUnloadDriver error 2
11:15:46:000 2696 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
11:15:46:015 2696 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
11:15:46:015 2696 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
11:15:46:015 2696 wfopen_ex: Trying to KLMD file open
11:15:46:015 2696 wfopen_ex: File opened ok (Flags 2)
11:15:46:015 2696 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
11:15:46:015 2696 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
11:15:46:015 2696 wfopen_ex: Trying to KLMD file open
11:15:46:015 2696 wfopen_ex: File opened ok (Flags 2)
11:15:46:015 2696 Initialize success
11:15:46:015 2696
11:15:46:015 2696 Scanning Services ...
11:15:46:390 2696 Raw services enum returned 337 services
11:15:46:390 2696
11:15:46:390 2696 Scanning Kernel memory ...
11:15:46:390 2696 Devices to scan: 4
11:15:46:390 2696
11:15:46:390 2696 Driver Name: Disk
11:15:46:390 2696 IRP_MJ_CREATE : BA0EEBB0
11:15:46:390 2696 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
11:15:46:390 2696 IRP_MJ_CLOSE : BA0EEBB0
11:15:46:390 2696 IRP_MJ_READ : BA0E8D1F
11:15:46:390 2696 IRP_MJ_WRITE : BA0E8D1F
11:15:46:390 2696 IRP_MJ_QUERY_INFORMATION : 804F4562
11:15:46:390 2696 IRP_MJ_SET_INFORMATION : 804F4562
11:15:46:390 2696 IRP_MJ_QUERY_EA : 804F4562
11:15:46:390 2696 IRP_MJ_SET_EA : 804F4562
11:15:46:390 2696 IRP_MJ_FLUSH_BUFFERS : BA0E92E2
11:15:46:390 2696 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
11:15:46:390 2696 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
11:15:46:390 2696 IRP_MJ_DIRECTORY_CONTROL : 804F4562
11:15:46:390 2696 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
11:15:46:390 2696 IRP_MJ_DEVICE_CONTROL : BA0E93BB
11:15:46:390 2696 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA0ECF28
11:15:46:390 2696 IRP_MJ_SHUTDOWN : BA0E92E2
11:15:46:390 2696 IRP_MJ_LOCK_CONTROL : 804F4562
11:15:46:390 2696 IRP_MJ_CLEANUP : 804F4562
11:15:46:390 2696 IRP_MJ_CREATE_MAILSLOT : 804F4562
11:15:46:390 2696 IRP_MJ_QUERY_SECURITY : 804F4562
11:15:46:390 2696 IRP_MJ_SET_SECURITY : 804F4562
11:15:46:390 2696 IRP_MJ_POWER : BA0EAC82
11:15:46:390 2696 IRP_MJ_SYSTEM_CONTROL : BA0EF99E
11:15:46:390 2696 IRP_MJ_DEVICE_CHANGE : 804F4562
11:15:46:390 2696 IRP_MJ_QUERY_QUOTA : 804F4562
11:15:46:390 2696 IRP_MJ_SET_QUOTA : 804F4562
11:15:46:437 2696 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
11:15:46:437 2696
11:15:46:437 2696 Driver Name: USBSTOR
11:15:46:437 2696 IRP_MJ_CREATE : BA40D218
11:15:46:437 2696 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
11:15:46:437 2696 IRP_MJ_CLOSE : BA40D218
11:15:46:437 2696 IRP_MJ_READ : BA40D23C
11:15:46:437 2696 IRP_MJ_WRITE : BA40D23C
11:15:46:437 2696 IRP_MJ_QUERY_INFORMATION : 804F4562
11:15:46:437 2696 IRP_MJ_SET_INFORMATION : 804F4562
11:15:46:437 2696 IRP_MJ_QUERY_EA : 804F4562
11:15:46:437 2696 IRP_MJ_SET_EA : 804F4562
11:15:46:437 2696 IRP_MJ_FLUSH_BUFFERS : 804F4562
11:15:46:437 2696 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
11:15:46:437 2696 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
11:15:46:437 2696 IRP_MJ_DIRECTORY_CONTROL : 804F4562
11:15:46:437 2696 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
11:15:46:437 2696 IRP_MJ_DEVICE_CONTROL : BA40D180
11:15:46:437 2696 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA4089E6
11:15:46:437 2696 IRP_MJ_SHUTDOWN : 804F4562
11:15:46:437 2696 IRP_MJ_LOCK_CONTROL : 804F4562
11:15:46:437 2696 IRP_MJ_CLEANUP : 804F4562
11:15:46:437 2696 IRP_MJ_CREATE_MAILSLOT : 804F4562
11:15:46:437 2696 IRP_MJ_QUERY_SECURITY : 804F4562
11:15:46:437 2696 IRP_MJ_SET_SECURITY : 804F4562
11:15:46:437 2696 IRP_MJ_POWER : BA40C5F0
11:15:46:437 2696 IRP_MJ_SYSTEM_CONTROL : BA40AA6E
11:15:46:437 2696 IRP_MJ_DEVICE_CHANGE : 804F4562
11:15:46:437 2696 IRP_MJ_QUERY_QUOTA : 804F4562
11:15:46:437 2696 IRP_MJ_SET_QUOTA : 804F4562
11:15:46:437 2696 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
11:15:46:437 2696
11:15:46:437 2696 Driver Name: Disk
11:15:46:437 2696 IRP_MJ_CREATE : BA0EEBB0
11:15:46:437 2696 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
11:15:46:437 2696 IRP_MJ_CLOSE : BA0EEBB0
11:15:46:437 2696 IRP_MJ_READ : BA0E8D1F
11:15:46:437 2696 IRP_MJ_WRITE : BA0E8D1F
11:15:46:437 2696 IRP_MJ_QUERY_INFORMATION : 804F4562
11:15:46:437 2696 IRP_MJ_SET_INFORMATION : 804F4562
11:15:46:437 2696 IRP_MJ_QUERY_EA : 804F4562
11:15:46:437 2696 IRP_MJ_SET_EA : 804F4562
11:15:46:437 2696 IRP_MJ_FLUSH_BUFFERS : BA0E92E2
11:15:46:437 2696 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
11:15:46:437 2696 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
11:15:46:437 2696 IRP_MJ_DIRECTORY_CONTROL : 804F4562
11:15:46:437 2696 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
11:15:46:437 2696 IRP_MJ_DEVICE_CONTROL : BA0E93BB
11:15:46:437 2696 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA0ECF28
11:15:46:437 2696 IRP_MJ_SHUTDOWN : BA0E92E2
11:15:46:437 2696 IRP_MJ_LOCK_CONTROL : 804F4562
11:15:46:437 2696 IRP_MJ_CLEANUP : 804F4562
11:15:46:437 2696 IRP_MJ_CREATE_MAILSLOT : 804F4562
11:15:46:437 2696 IRP_MJ_QUERY_SECURITY : 804F4562
11:15:46:437 2696 IRP_MJ_SET_SECURITY : 804F4562
11:15:46:437 2696 IRP_MJ_POWER : BA0EAC82
11:15:46:437 2696 IRP_MJ_SYSTEM_CONTROL : BA0EF99E
11:15:46:437 2696 IRP_MJ_DEVICE_CHANGE : 804F4562
11:15:46:437 2696 IRP_MJ_QUERY_QUOTA : 804F4562
11:15:46:437 2696 IRP_MJ_SET_QUOTA : 804F4562
11:15:46:437 2696 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
11:15:46:437 2696
11:15:46:437 2696 Driver Name: atapi
11:15:46:437 2696 IRP_MJ_CREATE : 899D3AC8
11:15:46:437 2696 IRP_MJ_CREATE_NAMED_PIPE : 899D3AC8
11:15:46:437 2696 IRP_MJ_CLOSE : 899D3AC8
11:15:46:437 2696 IRP_MJ_READ : 899D3AC8
11:15:46:437 2696 IRP_MJ_WRITE : 899D3AC8
11:15:46:437 2696 IRP_MJ_QUERY_INFORMATION : 899D3AC8
11:15:46:437 2696 IRP_MJ_SET_INFORMATION : 899D3AC8
11:15:46:437 2696 IRP_MJ_QUERY_EA : 899D3AC8
11:15:46:437 2696 IRP_MJ_SET_EA : 899D3AC8
11:15:46:437 2696 IRP_MJ_FLUSH_BUFFERS : 899D3AC8
11:15:46:437 2696 IRP_MJ_QUERY_VOLUME_INFORMATION : 899D3AC8
11:15:46:437 2696 IRP_MJ_SET_VOLUME_INFORMATION : 899D3AC8
11:15:46:437 2696 IRP_MJ_DIRECTORY_CONTROL : 899D3AC8
11:15:46:437 2696 IRP_MJ_FILE_SYSTEM_CONTROL : 899D3AC8
11:15:46:437 2696 IRP_MJ_DEVICE_CONTROL : 899D3AC8
11:15:46:437 2696 IRP_MJ_INTERNAL_DEVICE_CONTROL : 899D3AC8
11:15:46:437 2696 IRP_MJ_SHUTDOWN : 899D3AC8
11:15:46:437 2696 IRP_MJ_LOCK_CONTROL : 899D3AC8
11:15:46:437 2696 IRP_MJ_CLEANUP : 899D3AC8
11:15:46:437 2696 IRP_MJ_CREATE_MAILSLOT : 899D3AC8
11:15:46:437 2696 IRP_MJ_QUERY_SECURITY : 899D3AC8
11:15:46:437 2696 IRP_MJ_SET_SECURITY : 899D3AC8
11:15:46:437 2696 IRP_MJ_POWER : 899D3AC8
11:15:46:437 2696 IRP_MJ_SYSTEM_CONTROL : 899D3AC8
11:15:46:437 2696 IRP_MJ_DEVICE_CHANGE : 899D3AC8
11:15:46:437 2696 IRP_MJ_QUERY_QUOTA : 899D3AC8
11:15:46:437 2696 IRP_MJ_SET_QUOTA : 899D3AC8
11:15:46:437 2696 Driver "atapi" infected by TDSS rootkit!
11:15:46:453 2696 C:\WINDOWS\system32\drivers\atapi.sys - Verdict: 1
11:15:46:453 2696 File "C:\WINDOWS\system32\drivers\atapi.sys" infected by TDSS rootkit ...
11:15:46:453 2696 Processing driver file: C:\WINDOWS\system32\drivers\atapi.sys
11:15:46:453 2696 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
11:15:46:656 2696 vfvi6
11:15:46:703 2696 !dsvbh1
11:15:46:890 2696 dsvbh2
11:15:46:890 2696 fdfb2
11:15:46:890 2696 Backup copy found, using it..
11:15:46:906 2696 will be cured on next reboot
11:15:46:906 2696 Reboot required for cure complete..
11:15:46:906 2696 Cure on reboot scheduled successfully
11:15:46:906 2696
11:15:46:906 2696 Completed
11:15:46:906 2696
11:15:46:906 2696 Results:
11:15:46:906 2696 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
11:15:46:906 2696 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
11:15:46:906 2696 File objects infected / cured / cured on reboot: 1 / 0 / 1
11:15:46:906 2696
11:15:46:906 2696 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
11:15:46:906 2696 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
11:15:46:906 2696 UnloadDriverW: NtUnloadDriver error 1
11:15:46:906 2696 KLMD(ARK) unloaded successfully

#4 azarl (GeekU Admin, Community Leader, 25,310 posts)
Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process, directly to your desktop.
Please Download Combofix from any of the links below but rename it to svchost.com before saving it to your desktop.

Link 2
Link 3



Double click on svchost.com & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.


#5 Babine (Member, Topic Starter, 58 posts)
ComboFix 10-04-01.02 - Henry 04/02/2010 15:28:00.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2037.1531 [GMT -7:00]
Running from: c:\documents and settings\Henry\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-1013080728-2837474664-3517634451-1000
c:\documents and settings\Henry\Local Settings\Temporary Internet Files\5OUsl1c.jpg
c:\documents and settings\Henry\Local Settings\Temporary Internet Files\776jtl67p.jpg
c:\documents and settings\Henry\Local Settings\Temporary Internet Files\m8lKB5.jpg
c:\documents and settings\Henry\Local Settings\Temporary Internet Files\XOIq0.jpg
c:\recycler\S-1-5-21-1844237615-1592454029-1417001333-1003
c:\recycler\S-1-5-21-3179742922-496393314-3364022493-1003
C:\s
c:\windows\AppPatch\AcAdProc.dll
c:\windows\system\oeminfo.ini
c:\windows\system32\Thumbs.db

.
((((((((((((((((((((((((( Files Created from 2010-03-02 to 2010-04-02 )))))))))))))))))))))))))))))))
.

2010-04-02 22:07 . 2010-04-02 22:07 -------- d-----w- c:\program files\Common Files\Java
2010-04-02 22:06 . 2010-04-02 22:06 -------- d-----w- c:\program files\Sun
2010-04-02 21:23 . 2010-04-02 22:01 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\qsexfthui
2010-04-02 21:23 . 2010-04-02 21:23 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-02 20:36 . 2010-03-29 22:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-02 20:36 . 2010-04-02 20:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-02 20:36 . 2010-03-29 22:24 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-02 18:25 . 2010-04-02 18:25 182784 --sha-w- c:\documents and settings\Henry\Local Settings\Application Data\2927340765.dll
2010-04-02 06:30 . 2010-04-02 06:30 -------- d-----w- c:\documents and settings\Henry\Local Settings\Application Data\ESET
2010-04-02 05:59 . 2010-04-02 05:59 50376 ----a-w- c:\windows\system32\drivers\pxrts.sys
2010-04-02 05:59 . 2010-04-02 05:59 -------- d-----w- c:\documents and settings\All Users\Application Data\PrevxCSI
2010-04-02 04:10 . 2010-04-02 07:08 -------- d-----w- c:\program files\Windows Live Safety Center
2010-04-02 04:05 . 2010-04-02 04:05 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2010-04-02 03:58 . 2010-04-02 03:58 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2010-04-02 01:57 . 2010-04-02 02:46 -------- d-----w- c:\documents and settings\Henry\Local Settings\Application Data\WMTools Downloaded Files
2010-04-01 03:09 . 2010-04-01 03:09 -------- d-s---w- c:\documents and settings\LocalService\UserData
2010-04-01 01:02 . 2010-04-01 01:02 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-03-31 00:39 . 2010-03-31 00:39 -------- d-----w- c:\program files\iPod
2010-03-31 00:39 . 2010-03-31 00:40 -------- d-----w- c:\program files\iTunes
2010-03-31 00:39 . 2010-03-31 00:40 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-03-31 00:37 . 2010-03-31 00:37 -------- d-----w- c:\program files\QuickTime
2010-03-31 00:35 . 2010-03-31 00:35 -------- d-----w- c:\program files\Bonjour
2010-03-31 00:33 . 2010-03-31 00:33 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-02 22:06 . 2009-08-22 21:23 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-04-02 22:04 . 2009-08-22 21:23 -------- d-----w- c:\program files\Java
2010-04-02 19:54 . 2008-04-14 12:00 33280 ----a-w- c:\windows\system32\rundll32.exe
2010-04-02 05:57 . 2009-11-20 03:48 -------- d-----w- c:\documents and settings\Henry\Application Data\vlc
2010-04-02 03:58 . 2010-02-22 05:58 -------- d-----w- c:\program files\ESET
2010-03-31 00:39 . 2009-08-22 04:28 -------- d-----w- c:\program files\Common Files\Apple
2010-03-15 00:58 . 2009-10-12 03:47 -------- d-----w- c:\documents and settings\Henry\Application Data\LimeWire
2010-03-12 05:16 . 2009-08-22 04:13 70096 ----a-w- c:\documents and settings\Henry\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-12 02:10 . 2009-08-20 01:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-03-12 02:10 . 2009-09-22 17:47 -------- d-----w- c:\program files\Microsoft Visual Studio 9.0
2010-03-12 02:10 . 2009-09-22 17:47 -------- d-----w- c:\program files\Microsoft.NET
2010-03-12 02:09 . 2009-08-23 15:39 -------- d-----w- c:\program files\MSBuild
2010-02-26 05:43 . 2008-04-14 12:00 667136 ----a-w- c:\windows\system32\wininet.dll
2010-02-26 05:43 . 2008-04-14 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-02-24 17:16 . 2010-02-13 01:19 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-22 04:22 . 2009-12-18 06:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-02-16 02:46 . 2009-11-13 01:54 -------- d-----w- c:\program files\Mozilla Sunbird
2010-02-13 18:31 . 2010-02-13 01:04 -------- d-----w- c:\documents and settings\Henry\Application Data\SUPERAntiSpyware.com
2010-02-13 18:31 . 2010-02-13 01:04 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-02-13 01:04 . 2010-02-13 01:04 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-02-12 18:46 . 2010-02-12 18:46 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-02-12 18:46 . 2010-02-12 18:46 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-02-11 00:16 . 2008-04-14 12:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-02-02 01:16 . 2009-02-03 12:13 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-02-02 01:13 . 2010-02-02 01:13 -------- d-----w- c:\documents and settings\Henry\Application Data\Malwarebytes
2010-02-02 01:13 . 2010-02-02 01:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-02 01:01 . 2010-02-02 01:01 -------- d-----w- c:\documents and settings\Henry\Application Data\PC Tools
2010-02-02 01:01 . 2010-02-02 01:01 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-01-28 02:47 . 2010-01-10 19:46 28409 ----a-w- c:\windows\system32\TD0M0DX2W0.dat
2010-01-19 02:33 . 2010-01-19 02:33 56716 ---ha-w- c:\windows\system32\mlfcache.dat
2010-01-15 02:31 . 2010-01-10 19:46 1860 ----a-w- c:\windows\system32\F6PJK00MI.dat
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

------- Sigcheck -------

[7] 2010-02-11 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\atapi.sys
[-] 2010-02-11 00:16 . 84B647F9DF97B26A4412FE01CCEFE108 . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WeatherEye"="c:\documents and settings\Henry\Local Settings\Application Data\TheWeatherNetwork\WeatherEye\WeatherEye.exe" [2009-10-27 718232]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-05 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-05 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-05 137752]
"RTHDCPL"="RTHDCPL.EXE" [2008-02-13 16857600]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Henry^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Henry\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Henry^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Henry\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Companion

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-03-26 08:10 142120 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 23:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 04:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-01-26 23:31 2144088 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3246:TCP"= 3246:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"4145:TCP"= 4145:TCP:Services

R2 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys [4/1/2010 10:59 PM 50376]
S0 zbokwl;zbokwl; [x]
S3 s1018bus;Sony Ericsson Device 1018 driver (WDM);c:\windows\system32\drivers\s1018bus.sys [12/20/2009 2:52 PM 86824]
S3 s1018mdfl;Sony Ericsson Device 1018 USB WMC Modem Filter;c:\windows\system32\drivers\s1018mdfl.sys [12/20/2009 2:52 PM 15016]
S3 s1018mdm;Sony Ericsson Device 1018 USB WMC Modem Driver;c:\windows\system32\drivers\s1018mdm.sys [12/20/2009 2:52 PM 114728]
S3 s1018mgmt;Sony Ericsson Device 1018 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s1018mgmt.sys [12/20/2009 2:52 PM 106208]
S3 s1018nd5;Sony Ericsson Device 1018 USB Ethernet Emulation (NDIS);c:\windows\system32\drivers\s1018nd5.sys [12/20/2009 2:52 PM 26024]
S3 s1018obex;Sony Ericsson Device 1018 USB WMC OBEX Interface;c:\windows\system32\drivers\s1018obex.sys [12/20/2009 2:52 PM 104744]
S3 s1018unic;Sony Ericsson Device 1018 USB Ethernet Emulation (WDM);c:\windows\system32\drivers\s1018unic.sys [12/20/2009 2:52 PM 109864]
.
Contents of the 'Scheduled Tasks' folder

2010-04-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.eset.com/online-scanner#
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Henry\Application Data\Mozilla\Firefox\Profiles\4ovd82lm.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - www.sympatico.msn.ca
FF - component: c:\program files\Mozilla Firefox\extensions\[email protected]\components\Shim.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-02 15:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x89247AC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba0ecf28
\Driver\ACPI -> ACPI.sys @ 0xb9f7fcb8
\Driver\atapi -> atapi.sys @ 0xb9f37852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Realtek RTL8168C(P)/8111C(P) PCI-E Gigabit Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xb9e30bb0
PacketIndicateHandler -> NDIS.sys @ 0xb9e3da21
SendHandler -> NDIS.sys @ 0xb9e1b87b
user & kernel MBR OK
copy of MBR has been found in sector 0x02542D6C1
malicious code @ sector 0x02542D6C4 !
PE file found in sector at 0x02542D6DA !

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2592)
c:\windows\system32\hnetcfg.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\igfxsrvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-04-02 15:38:08 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-02 22:38

Pre-Run: 291,139,686,400 bytes free
Post-Run: 291,949,309,952 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - F54B85B1A32AB41B1BB5F888FFAC9749
ComboFix 10-04-01.02 - Henry 04/02/2010 15:48:34.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2037.1588 [GMT -7:00]
Running from: c:\documents and settings\Henry\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Henry\Desktop\CFScript.txt

FILE ::
"c:\docume~1\SAMT~1\LOCALS~1\Temp\DMSKSSRh.sys"
.

((((((((((((((((((((((((( Files Created from 2010-03-02 to 2010-04-02 )))))))))))))))))))))))))))))))
.

2010-04-02 22:07 . 2010-04-02 22:07 -------- d-----w- c:\program files\Common Files\Java
2010-04-02 22:06 . 2010-04-02 22:06 -------- d-----w- c:\program files\Sun
2010-04-02 21:23 . 2010-04-02 22:01 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\qsexfthui
2010-04-02 21:23 . 2010-04-02 21:23 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-02 20:36 . 2010-03-29 22:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-02 20:36 . 2010-04-02 20:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-02 20:36 . 2010-03-29 22:24 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-02 18:25 . 2010-04-02 18:25 182784 --sha-w- c:\documents and settings\Henry\Local Settings\Application Data\2927340765.dll
2010-04-02 06:30 . 2010-04-02 06:30 -------- d-----w- c:\documents and settings\Henry\Local Settings\Application Data\ESET
2010-04-02 05:59 . 2010-04-02 05:59 50376 ----a-w- c:\windows\system32\drivers\pxrts.sys
2010-04-02 05:59 . 2010-04-02 05:59 -------- d-----w- c:\documents and settings\All Users\Application Data\PrevxCSI
2010-04-02 04:10 . 2010-04-02 07:08 -------- d-----w- c:\program files\Windows Live Safety Center
2010-04-02 04:05 . 2010-04-02 04:05 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2010-04-02 03:58 . 2010-04-02 03:58 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2010-04-02 01:57 . 2010-04-02 02:46 -------- d-----w- c:\documents and settings\Henry\Local Settings\Application Data\WMTools Downloaded Files
2010-04-01 03:09 . 2010-04-01 03:09 -------- d-s---w- c:\documents and settings\LocalService\UserData
2010-04-01 01:02 . 2010-04-01 01:02 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-03-31 00:39 . 2010-03-31 00:39 -------- d-----w- c:\program files\iPod
2010-03-31 00:39 . 2010-03-31 00:40 -------- d-----w- c:\program files\iTunes
2010-03-31 00:39 . 2010-03-31 00:40 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-03-31 00:37 . 2010-03-31 00:37 -------- d-----w- c:\program files\QuickTime
2010-03-31 00:35 . 2010-03-31 00:35 -------- d-----w- c:\program files\Bonjour
2010-03-31 00:33 . 2010-03-31 00:33 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-02 22:06 . 2009-08-22 21:23 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-04-02 22:04 . 2009-08-22 21:23 -------- d-----w- c:\program files\Java
2010-04-02 19:54 . 2008-04-14 12:00 33280 ----a-w- c:\windows\system32\rundll32.exe
2010-04-02 05:57 . 2009-11-20 03:48 -------- d-----w- c:\documents and settings\Henry\Application Data\vlc
2010-04-02 03:58 . 2010-02-22 05:58 -------- d-----w- c:\program files\ESET
2010-03-31 00:39 . 2009-08-22 04:28 -------- d-----w- c:\program files\Common Files\Apple
2010-03-15 00:58 . 2009-10-12 03:47 -------- d-----w- c:\documents and settings\Henry\Application Data\LimeWire
2010-03-12 05:16 . 2009-08-22 04:13 70096 ----a-w- c:\documents and settings\Henry\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-12 02:10 . 2009-08-20 01:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-03-12 02:10 . 2009-09-22 17:47 -------- d-----w- c:\program files\Microsoft Visual Studio 9.0
2010-03-12 02:10 . 2009-09-22 17:47 -------- d-----w- c:\program files\Microsoft.NET
2010-03-12 02:09 . 2009-08-23 15:39 -------- d-----w- c:\program files\MSBuild
2010-02-26 05:43 . 2008-04-14 12:00 667136 ------w- c:\windows\system32\wininet.dll
2010-02-26 05:43 . 2008-04-14 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-02-24 17:16 . 2010-02-13 01:19 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-22 04:22 . 2009-12-18 06:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-02-16 02:46 . 2009-11-13 01:54 -------- d-----w- c:\program files\Mozilla Sunbird
2010-02-13 18:31 . 2010-02-13 01:04 -------- d-----w- c:\documents and settings\Henry\Application Data\SUPERAntiSpyware.com
2010-02-13 18:31 . 2010-02-13 01:04 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-02-13 01:04 . 2010-02-13 01:04 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-02-12 18:46 . 2010-02-12 18:46 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-02-12 18:46 . 2010-02-12 18:46 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-02-11 00:16 . 2008-04-14 12:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-02-02 01:16 . 2009-02-03 12:13 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-02-02 01:13 . 2010-02-02 01:13 -------- d-----w- c:\documents and settings\Henry\Application Data\Malwarebytes
2010-02-02 01:13 . 2010-02-02 01:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-02 01:01 . 2010-02-02 01:01 -------- d-----w- c:\documents and settings\Henry\Application Data\PC Tools
2010-02-02 01:01 . 2010-02-02 01:01 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-01-28 02:47 . 2010-01-10 19:46 28409 ----a-w- c:\windows\system32\TD0M0DX2W0.dat
2010-01-19 02:33 . 2010-01-19 02:33 56716 ---ha-w- c:\windows\system32\mlfcache.dat
2010-01-15 02:31 . 2010-01-10 19:46 1860 ----a-w- c:\windows\system32\F6PJK00MI.dat
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

------- Sigcheck -------

[7] 2010-02-11 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\atapi.sys
[-] 2010-02-11 00:16 . 84B647F9DF97B26A4412FE01CCEFE108 . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys
.
((((((((((((((((((((((((((((( SnapShot@2010-04-02_22.33.46 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-04-02 22:53 . 2010-04-02 22:53 16384 c:\windows\temp\Perflib_Perfdata_40c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WeatherEye"="c:\documents and settings\Henry\Local Settings\Application Data\TheWeatherNetwork\WeatherEye\WeatherEye.exe" [2009-10-27 718232]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-05 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-05 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-05 137752]
"RTHDCPL"="RTHDCPL.EXE" [2008-02-13 16857600]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Henry^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Henry\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Henry^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Henry\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-03-26 08:10 142120 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 23:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 04:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-01-26 23:31 2144088 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3246:TCP"= 3246:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"4145:TCP"= 4145:TCP:Services

R2 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys [4/1/2010 10:59 PM 50376]
S0 zbokwl;zbokwl; [x]
S3 s1018bus;Sony Ericsson Device 1018 driver (WDM);c:\windows\system32\drivers\s1018bus.sys [12/20/2009 2:52 PM 86824]
S3 s1018mdfl;Sony Ericsson Device 1018 USB WMC Modem Filter;c:\windows\system32\drivers\s1018mdfl.sys [12/20/2009 2:52 PM 15016]
S3 s1018mdm;Sony Ericsson Device 1018 USB WMC Modem Driver;c:\windows\system32\drivers\s1018mdm.sys [12/20/2009 2:52 PM 114728]
S3 s1018mgmt;Sony Ericsson Device 1018 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s1018mgmt.sys [12/20/2009 2:52 PM 106208]
S3 s1018nd5;Sony Ericsson Device 1018 USB Ethernet Emulation (NDIS);c:\windows\system32\drivers\s1018nd5.sys [12/20/2009 2:52 PM 26024]
S3 s1018obex;Sony Ericsson Device 1018 USB WMC OBEX Interface;c:\windows\system32\drivers\s1018obex.sys [12/20/2009 2:52 PM 104744]
S3 s1018unic;Sony Ericsson Device 1018 USB Ethernet Emulation (WDM);c:\windows\system32\drivers\s1018unic.sys [12/20/2009 2:52 PM 109864]
.
Contents of the 'Scheduled Tasks' folder

2010-04-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.eset.com/online-scanner#
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Henry\Application Data\Mozilla\Firefox\Profiles\4ovd82lm.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - www.sympatico.msn.ca
FF - component: c:\program files\Mozilla Firefox\extensions\[email protected]\components\Shim.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3416)
c:\windows\system32\hnetcfg.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\RTHDCPL.EXE
c:\windows\system32\igfxsrvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-04-02 15:56:47 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-02 22:56
ComboFix2.txt 2010-04-02 22:38

Pre-Run: 291,956,031,488 bytes free
Post-Run: 291,922,718,720 bytes free

- - End Of File - - 9AF6DA648C34D736719D753C01465CC4

#6
Babine

    Member

  • Topic Starter
  • Member
  • 58 posts
If you don't mind me asking, do you think these two problems I have, the inability to access Windows Update (or to type it together, for that matter) and the search engines getting hijacked, are related in any way?

#7
azarl

    GeekU Admin

  • Community Leader
  • 25,310 posts

If you don't mind me asking, do you think these two problems I have, the inability to access Windows Update (or to type it together, for that matter) and the search engines getting hijacked, are related in any way?

Very probably. It's quite common for that to happen.

Please download HelpAsst_mebroot_fix.exe and save it to your desktop.
Close out all other open programs and windows.
Double click the file to run it and follow any prompts.
If the tool detects an mbr infection, please allow it to run mbr -f and shutdown your computer.
Upon restarting, please wait about 5 minutes, click Start > Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt !
When it completes, a log will open.
Please post the contents of that log.

In the event the tool does not detect an mbr infection and completes...

Click Start > Run and type the following bolded command, then hit Enter.

mbr -F

Now, please do the Start > Run > mbr -f command a second time.
Now shut down the computer (do not restart, but shut it down), wait a few minutes then start it back up.
Give it about 5 minutes, then click Start > Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt !
When it completes, a log will open.
Please post the contents of that log.

**Important note to Dell users - fixing the mbr may prevent access to the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. There are a couple of known fixes for said condition, though the methods are somewhat advanced. If you are unwilling to take such a risk, you should not allow the tool to execute mbr -f nor execute the command manually, and you will either need to restore your computer to a factory state or allow your computer to remain having an infected mbr (the latter not recommended).

#8
Babine

    Member

  • Topic Starter
  • Member
  • 58 posts
The tool did not detect an mbr infection, so I ran the second option.

C:\Documents and Settings\Henry\Desktop\HelpAsst_mebroot_fix.exe
Tue 04/06/2010 at 15:42:24.00

HelpAssistant account was found to be Inactive


~~ Checking for termsrv32.dll ~~

termsrv32.dll not found

~~ Checking firewall ports ~~

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list


HelpAssistant profile not found in registry

~~ Checking mbr ~~

user & kernel MBR OK

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on Tue 04/06/2010 at 16:31:39.25

Full Name Remote Desktop Help Assistant Account
Account active Yes
Local Group Memberships *Administrators

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x899B7AC8]<<
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x02542D6C1
malicious code @ sector 0x02542D6C4 !
PE file found in sector at 0x02542D6DA !

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv.dll

~~ Checking profile list ~~

No HelpAssistant profile in List

~~ Checking for HelpAssistant directories ~~

none found

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


~~ EOF ~~

Edited by Babine, 06 April 2010 - 05:56 PM.


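The ComboFix sections posted earlier in this thread (Security Center overrides, the firewall profile, GloballyOpenPorts, the `[x]` service entry, the localhost proxy, the Sigcheck mismatch) and the Gmer MBR detector output repeated in the HelpAsst log above are the lines a helper reads first. The script below is an added example for this thread, not code from ComboFix, GMER, HelpAsst or the forum: it walks a log of that shape and returns the entries worth attention. The sample lines are copied from the logs posted here (a constructed subset, not a full log), and the `EXPECTED_OPEN_PORTS` allowlist is an assumption made for the example.

```python
"""Triage helper for ComboFix / GMER-style removal logs (added example)."""
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (category, detail)

# Ports XP opens for its own services; anything else under GloballyOpenPorts
# is worth a look. This allowlist is an assumption for the example.
EXPECTED_OPEN_PORTS = {"3389:TCP"}

# Lines the Gmer MBR detector prints when it finds a stashed MBR copy or
# code in sectors past the partition, even when it also reports "MBR OK".
MBR_INDICATORS = (
    "malicious code @ sector",
    "copy of MBR has been found in sector",
    "PE file found in sector",
)

# Constructed sample: lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop

R2 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys [4/1/2010 10:59 PM 50376]
S0 zbokwl;zbokwl; [x]
S3 s1018bus;Sony Ericsson Device 1018 driver (WDM);c:\windows\system32\drivers\s1018bus.sys [12/20/2009 2:52 PM 86824]

uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>

------- Sigcheck -------
[7] 2010-02-11 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\atapi.sys
[-] 2010-02-11 00:16 . 84B647F9DF97B26A4412FE01CCEFE108 . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys

user & kernel MBR OK
copy of MBR has been found in sector 0x02542D6C1
malicious code @ sector 0x02542D6C4 !
PE file found in sector at 0x02542D6DA !
"""


def triage(log_text: str) -> List[Finding]:
    """Return (category, detail) findings for suspicious lines in log_text."""
    findings: List[Finding] = []
    section = ""  # lowercased [HKLM\...] header that applies to the lines below it
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            section = ""  # ComboFix separates registry sections with blank lines
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line.lower()
            continue
        low = line.lower()

        if "security center" in section and re.match(
                r'"(antivirus|firewall)override"=dword:0*1$', low):
            # Override flags silence the "no antivirus / firewall off" warnings.
            findings.append(("security-center", line))
        elif section.endswith("\\standardprofile]") and low.startswith('"enablefirewall"= 0'):
            findings.append(("firewall", "Windows Firewall disabled in standard profile"))
        elif "globallyopenports" in section:
            m = re.match(r'"(\d+:(?:tcp|udp))"=', low)
            if m and m.group(1).upper() not in EXPECTED_OPEN_PORTS:
                findings.append(("open-port", line))
        elif re.match(r"[RS]\d \S+;[^;]*; \[x\]$", line):
            # Service registered with no image file on disk (ComboFix marks it [x]).
            findings.append(("service", line.split(";", 1)[0]))
        elif low.startswith("uinternet settings,proxyserver") and "127.0.0.1" in low:
            # A proxy on localhost lets a resident process rewrite browser traffic.
            findings.append(("proxy", line))
        elif line.startswith("[-]") and low.endswith(".sys"):
            # Sigcheck: the driver on disk differs from the signed dllcache copy.
            findings.append(("sigcheck", line.rsplit(" ", 1)[-1]))
        elif any(ind in line for ind in MBR_INDICATORS):
            findings.append(("mbr", line))
    return findings


def by_category(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group findings so related lines are read together."""
    grouped: Dict[str, List[str]] = {}
    for cat, detail in findings:
        grouped.setdefault(cat, []).append(detail)
    return grouped


if __name__ == "__main__":
    for cat, details in by_category(triage(SAMPLE_LOG)).items():
        print(f"[{cat}]")
        for d in details:
            print("   ", d)
```

On the sample above the script reports the two Security Center overrides, the disabled firewall, the two non-default open ports, the `zbokwl` service with no file, the localhost proxy, the mismatched `atapi.sys`, and the three MBR detector lines; the "user & kernel MBR OK" line on its own produces nothing, which is the point: the detector's sector warnings matter even when the MBR itself reads clean.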
#9
azarl

    GeekU Admin

  • Community Leader
  • 25,310 posts

  • Download OTL to your Desktop
  • Double click on the OTL icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Under the Custom Scan box paste this in:

    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    nvraid.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav

  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
When the scan completes, it will open two notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and paste them into your reply.
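As an added example, not part of azarl's instructions and not OTL's own code: a small Python script that reads the OTL log lines this procedure produces and flags the entries an analyst would look at first (a browser proxy pointing at 127.0.0.1, a BHO whose DLL is missing, a driver with no company name, hidden+system files under Application Data, binaries whose names are bare hex strings). The line layouts are inferred from the OTL log posted later in this thread, the sample lines are copied from that log, and the rule names and thresholds are this example's own assumptions.

```python
"""Triage helper for OTL log lines (added example; not OTL's own code).

Line layouts are inferred from the OTL output posted in this thread; the
rule names and heuristics are this example's own assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# File/driver/service lines, e.g.
#   [2010/04/07 16:22:07 | 000,054,016 | ---- | M] () -- C:\WINDOWS\System32\drivers\lgfstixi.sys
#   SRV - [...] (ALWIL Software) [Auto | Running] -- C:\...\AvastSvc.exe -- (avast! Antivirus)
FILE_LINE = re.compile(
    r"^(?:(?P<kind>PRC|SRV|MOD|DRV)\s+-\s+)?"
    r"\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[A-Z-]{4}) \| (?P<flag>[CM])\] "
    r"(?:\((?P<company>[^)]*)\) )?"      # "(Company)" or "()"; absent on directory lines
    r"(?:\[[^\]]*\] )?"                   # "[Auto | Running]" on SRV lines
    r"-- (?P<path>.+?)(?: -- \(.*\))?$"   # path, optionally followed by " -- (service name)"
)
PROXY_LINE = re.compile(r'"ProxyServer"\s*=\s*(?P<value>.+)$')
BHO_LINE = re.compile(r"^O2 - BHO: \((?P<name>[^)]*)\) - \{(?P<clsid>[^}]+)\} - (?P<path>.+)$")
HEX_STEM = re.compile(r"[0-9a-f]{8,}")


@dataclass
class Finding:
    rule: str      # which heuristic fired
    subject: str   # the path or value it fired on
    line: str      # the original log line, for the analyst's reference


def parse_file_line(line: str) -> dict | None:
    """Split an OTL file/driver/service line into its fields, or return None."""
    m = FILE_LINE.match(line)
    return m.groupdict() if m else None


def check_file_entry(entry: dict, line: str) -> list[Finding]:
    """Apply the file-level heuristics to one parsed entry."""
    path = entry["path"]
    attrs = entry["attrs"]
    company = (entry["company"] or "").strip()   # None when the line had no "(...)" part
    low = path.lower()
    name = low.rsplit("\\", 1)[-1]
    stem, _, ext = name.rpartition(".")
    found = []
    # 1. A kernel driver with no company/version info is unusual; vendors stamp theirs.
    if ext == "sys" and "\\drivers\\" in low and not company:
        found.append(Finding("driver-no-company", path, line))
    # 2. Hidden+system files dropped under Application Data are a common hiding spot.
    if "H" in attrs and "S" in attrs and "application data" in low:
        found.append(Finding("hidden-system-appdata", path, line))
    # 3. Binaries whose whole name is a hex/digit string are typically generated, not installed.
    if ext in {"exe", "dll", "sys"} and HEX_STEM.fullmatch(stem):
        found.append(Finding("hex-named-binary", path, line))
    return found


def triage(log_text: str) -> list[Finding]:
    """Run every heuristic over the lines of an OTL log and return the hits."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PROXY_LINE.search(line)
        if m:
            # 4. A browser proxy on the local machine means something local is intercepting
            #    web traffic, which fits the redirect symptom described in this thread.
            if re.search(r"127\.0\.0\.1|localhost", m.group("value")):
                findings.append(Finding("ie-proxy-loopback", m.group("value"), line))
            continue
        m = BHO_LINE.match(line)
        if m:
            # 5. A BHO whose DLL is gone is an orphaned registry entry left behind by cleanup.
            if m.group("path").endswith("File not found"):
                findings.append(Finding("bho-file-not-found", m.group("path"), line))
            continue
        entry = parse_file_line(line)
        if entry:
            findings.extend(check_file_entry(entry, line))
    return findings


# Sample input: lines copied from the OTL log posted in this thread.
SAMPLE_LOG = r"""
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (profitizeme browser enhancer) - {1A0EA010-74FF-678A-06E7-89785789110D} - C:\WINDOWS\System32\wqslhxijvle.dll File not found
[2010/04/07 16:22:07 | 000,054,016 | ---- | M] () -- C:\WINDOWS\System32\drivers\lgfstixi.sys
[2010/04/04 11:10:59 | 000,019,024 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2010/04/04 20:49:05 | 000,013,676 | -HS- | M] () -- C:\Documents and Settings\Henry\Local Settings\Application Data\VHx0W
[2010/04/02 11:25:03 | 000,182,784 | -HS- | M] () -- C:\Documents and Settings\Henry\Local Settings\Application Data\2927340765.dll
[2010/04/06 15:38:47 | 000,096,704 | ---- | M] () -- C:\WINDOWS\System32\6f685ed4.exe
[2010/04/05 11:43:57 | 000,000,000 | --SD | C] -- C:\svchost.com
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:24} {f.subject}")
```

The rules are prompts for the person reading the log, not verdicts: a driver without a company name or a hex-named executable is a reason to look the file up, and the proxy entry is worth checking even when ProxyEnable is 0, since a stale loopback proxy still tells you what was running on the machine.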

#10
Babine

    Member

  • Topic Starter
  • Member
  • 58 posts
Just today, I have been getting more ads, and one in particular that just pops up on the bottom left corner of my browser. Is this a new symptom, or new problem altogether?

My log for the OTL.Txt. No other log was opened upon the completion of the scan.

OTL logfile created on: 4/7/2010 4:28:33 PM - Run 3
OTL by OldTimer - Version 3.2.1.0 Folder = C:\Documents and Settings\Henry\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 74.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 89.00% Paging File free
Paging file location(s): c:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 298.09 Gb Total Space | 275.25 Gb Free Space | 92.34% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: HENRYLAU
Current User Name: Henry
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/04/07 16:19:35 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Henry\Desktop\OTL.exe
PRC - [2010/03/19 10:49:20 | 000,144,672 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
PRC - [2010/03/15 16:56:54 | 000,013,088 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe
PRC - [2010/03/09 03:24:10 | 002,769,336 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast5\AvastUI.exe
PRC - [2010/03/09 03:24:08 | 000,040,384 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
PRC - [2009/10/26 21:42:42 | 000,718,232 | ---- | M] (Pelmorex Media Inc.) -- C:\Documents and Settings\Henry\Local Settings\Application Data\TheWeatherNetwork\WeatherEye\WeatherEye.exe
PRC - [2009/05/27 03:27:04 | 029,262,680 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
PRC - [2009/02/06 17:07:48 | 000,027,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Contacts\wlcomm.exe
PRC - [2008/11/24 22:31:12 | 000,087,904 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
PRC - [2008/11/24 22:31:08 | 000,239,968 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
PRC - [2008/04/14 05:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (SafeList) ==========

MOD - [2010/04/07 16:19:35 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Henry\Desktop\OTL.exe


========== Win32 Services (SafeList) ==========

SRV - [2010/03/19 10:49:20 | 000,144,672 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2010/03/09 03:24:08 | 000,040,384 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Web Scanner)
SRV - [2010/03/09 03:24:08 | 000,040,384 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Mail Scanner)
SRV - [2010/03/09 03:24:08 | 000,040,384 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
SRV - [2009/11/22 15:44:16 | 002,384,240 | ---- | M] (Check Point Software Technologies LTD) [Auto | Stopped] -- C:\WINDOWS\System32\ZoneLabs\vsmon.exe -- (vsmon)
SRV - [2009/05/27 03:27:04 | 029,262,680 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe -- (MSSQL$SQLEXPRESS) SQL Server (SQLEXPRESS)
SRV - [2008/11/24 22:31:12 | 000,087,904 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe -- (SQLWriter)
SRV - [2008/11/24 22:31:08 | 000,239,968 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe -- (SQLBrowser)
SRV - [2008/11/24 22:31:08 | 000,045,408 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe -- (MSSQLServerADHelper)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.eset.com/online-scanner#
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Wikipedia (en)"
FF - prefs.js..browser.startup.homepage: "www.sympatico.msn.ca"
FF - prefs.js..extensions.enabledItems: SkipScreen@SkipScreen:0.4.7amo
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: [email protected]:3.76
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: {d8c77b75-d01d-cd98-1b00-c1fb57b20e1e}:4.6.6.6
FF - prefs.js..extensions.enabledItems: {9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e}:3.76


FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/02 14:13:44 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/02 14:13:44 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Thunderbird\Extensions\\[email protected]: C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird

[2009/10/11 20:47:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Henry\Application Data\Mozilla\Extensions
[2009/10/11 20:47:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Henry\Application Data\Mozilla\Extensions\[email protected]
[2010/04/06 17:15:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Henry\Application Data\Mozilla\Firefox\Profiles\4ovd82lm.default\extensions
[2009/09/02 07:44:34 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Henry\Application Data\Mozilla\Firefox\Profiles\4ovd82lm.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/04/03 19:44:27 | 000,000,000 | ---D | M] (Noia 2.0 (eXtreme)) -- C:\Documents and Settings\Henry\Application Data\Mozilla\Firefox\Profiles\4ovd82lm.default\extensions\{9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e}
[2010/04/03 19:44:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Henry\Application Data\Mozilla\Firefox\Profiles\4ovd82lm.default\extensions\[email protected]
[2010/04/03 19:44:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Henry\Application Data\Mozilla\Firefox\Profiles\4ovd82lm.default\extensions\SkipScreen@SkipScreen
[2009/11/12 18:55:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Henry\Application Data\Mozilla\Sunbird\Profiles\srg3s7iq.default\extensions
[2010/04/06 17:15:41 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/04/06 15:38:47 | 000,000,000 | ---D | M] (z) -- C:\Program Files\Mozilla Firefox\extensions\{d8c77b75-d01d-cd98-1b00-c1fb57b20e1e}
[2010/04/07 16:15:06 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\[email protected]
[2010/04/03 23:06:01 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\[email protected]

O1 HOSTS File: ([2010/04/02 15:53:34 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (profitizeme browser enhancer) - {1A0EA010-74FF-678A-06E7-89785789110D} - C:\WINDOWS\System32\wqslhxijvle.dll File not found
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No CLSID value found.
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\AvastUI.exe (ALWIL Software)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [ZoneAlarm Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe (Check Point Software Technologies LTD)
O4 - HKCU..\Run: [WeatherEye] C:\Documents and Settings\Henry\Local Settings\Application Data\TheWeatherNetwork\WeatherEye\WeatherEye.exe (Pelmorex Media Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Advanced\Folder\Hidden\SHOWALL: CheckedValue = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Advanced\Folder\Hidden\SHOWALL: CheckedValue = 1
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft....k/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onec...lscbase6087.cab (Windows Live Safety Center Base Module)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.ma...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 64.59.144.90 64.59.144.91
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Henry\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Henry\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/02/03 04:50:11 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKCU\...exe [@ = exefile] -- Reg Error: Key error. File not found

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2009/08/22 15:15:49 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\system32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (17183584330711040)

========== Files/Folders - Created Within 14 Days ==========

[2010/04/07 16:19:35 | 000,561,664 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Henry\Desktop\OTL.exe
[2010/04/07 16:13:33 | 000,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2010/04/07 11:56:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2010/04/05 11:43:57 | 000,000,000 | --SD | C] -- C:\svchost.com
[2010/04/04 22:11:02 | 000,000,000 | ---D | C] -- C:\HelpAsst_backup
[2010/04/04 17:53:50 | 000,178,000 | ---- | C] (Kaspersky Lab) -- C:\Documents and Settings\Henry\Desktop\TDSSKiller.exe
[2010/04/04 17:53:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Henry\Desktop\tdsskiller
[2010/04/04 11:10:59 | 000,019,024 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2010/04/04 11:10:58 | 000,162,640 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2010/04/04 11:10:57 | 000,023,376 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2010/04/04 11:10:56 | 000,046,672 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2010/04/04 11:10:55 | 000,100,432 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2010/04/04 11:10:55 | 000,094,800 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2010/04/04 11:10:54 | 000,028,880 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2010/04/04 11:10:46 | 000,153,184 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\aswBoot.exe
[2010/04/04 11:10:46 | 000,038,848 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\avastSS.scr
[2010/04/04 11:10:44 | 000,000,000 | ---D | C] -- C:\Program Files\Alwil Software
[2010/04/04 11:10:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2010/04/04 11:00:09 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/04/03 23:31:43 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\CatRoot2
[2010/04/03 23:00:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Henry\My Documents\ForceField Shared Files
[2010/04/03 23:00:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Henry\Application Data\CheckPoint
[2010/04/03 23:00:50 | 000,000,000 | ---D | C] -- C:\Program Files\CheckPoint
[2010/04/03 23:00:44 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\ZoneLabs
[2010/04/03 23:00:43 | 000,000,000 | ---D | C] -- C:\Program Files\Zone Labs
[2010/04/03 23:00:16 | 000,000,000 | ---D | C] -- C:\WINDOWS\Internet Logs
[2010/04/03 22:59:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Henry\Desktop\Anti-Virus
[2010/04/03 22:55:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Henry\My Documents\Simply Super Software
[2010/04/03 22:43:05 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/04/03 22:03:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Henry\Local Settings\Application Data\Graboid_Inc
[2010/04/03 22:03:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Henry\Application Data\MozillaControl
[2010/04/03 22:03:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Henry\Local Settings\Application Data\Graboid
[2010/04/03 22:01:45 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla ActiveX Control v1.7.12
[2010/04/03 21:58:55 | 000,000,000 | ---D | C] -- C:\Program Files\Graboid
[2010/04/03 20:31:02 | 000,000,000 | ---D | C] -- C:\Program Files\SpywareBlaster
[2010/04/03 17:21:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\AdobeUM
[2010/04/03 17:20:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2010/04/02 18:45:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\iklphushm
[2010/04/02 15:52:17 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2010/04/02 15:21:15 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/04/02 15:17:05 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/04/02 15:17:05 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/04/02 15:17:05 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/04/02 15:17:05 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/04/02 15:16:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/04/02 15:11:53 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/04/02 15:07:04 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010/04/02 15:07:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/04/02 15:06:39 | 000,000,000 | ---D | C] -- C:\Program Files\Sun
[2010/04/02 15:01:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\qsexfthui
[2010/04/02 14:23:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/04/02 13:36:40 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/02 13:36:38 | 000,020,824 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/02 13:36:38 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/04/01 23:30:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Henry\Local Settings\Application Data\ESET
[2010/04/01 22:59:39 | 000,050,376 | ---- | C] (Prevx) -- C:\WINDOWS\System32\drivers\pxrts.sys
[2010/04/01 22:59:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PrevxCSI
[2010/04/01 21:10:22 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Live Safety Center
[2010/04/01 21:05:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\ESET
[2010/04/01 20:58:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\ESET
[2010/04/01 18:57:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Henry\Local Settings\Application Data\WMTools Downloaded Files
[2010/04/01 18:47:48 | 000,000,000 | R--D | C] -- C:\Documents and Settings\All Users\Documents\My Videos
[2010/04/01 18:38:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Henry\Desktop\Soft Product
[2010/03/31 21:17:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2010/03/31 20:41:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2010/03/31 20:08:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2010/03/31 19:57:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2010/03/31 18:02:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/03/30 17:39:54 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2010/03/30 17:39:50 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2010/03/30 17:39:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2010/03/30 17:37:38 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2010/03/30 17:35:45 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2010/02/12 18:19:45 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009/08/28 14:52:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2009/02/03 04:50:09 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[1 C:\Documents and Settings\Henry\My Documents\*.tmp files -> C:\Documents and Settings\Henry\My Documents\*.tmp -> ]

========== Files - Modified Within 14 Days ==========

[2010/04/07 16:22:07 | 000,054,016 | ---- | M] () -- C:\WINDOWS\System32\drivers\lgfstixi.sys
[2010/04/07 16:19:35 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Henry\Desktop\OTL.exe
[2010/04/07 16:12:22 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/04/07 16:11:46 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/04/07 16:10:46 | 004,718,592 | ---- | M] () -- C:\Documents and Settings\Henry\ntuser.dat
[2010/04/07 16:10:46 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Henry\ntuser.ini
[2010/04/06 23:57:12 | 000,026,112 | ---- | M] () -- C:\Documents and Settings\Henry\My Documents\Eco Journal.doc
[2010/04/06 23:16:32 | 000,140,343 | ---- | M] () -- C:\Documents and Settings\Henry\My Documents\Hot stuff.JPG
[2010/04/06 19:43:17 | 000,012,937 | ---- | M] () -- C:\Documents and Settings\Henry\My Documents\C6V3.docx
[2010/04/06 17:49:42 | 000,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/04/06 15:39:35 | 000,489,296 | ---- | M] () -- C:\Documents and Settings\Henry\Desktop\HelpAsst_mebroot_fix.exe
[2010/04/06 15:38:47 | 000,096,704 | ---- | M] () -- C:\WINDOWS\System32\6f685ed4.exe
[2010/04/05 23:51:44 | 000,033,792 | ---- | M] () -- C:\Documents and Settings\Henry\My Documents\Physics Lab.doc
[2010/04/05 20:53:03 | 000,028,672 | ---- | M] () -- C:\Documents and Settings\Henry\My Documents\French Project.doc
[2010/04/05 18:23:36 | 000,027,136 | ---- | M] () -- C:\Documents and Settings\Henry\My Documents\The Book of Negroes.doc
[2010/04/05 16:26:41 | 000,027,648 | ---- | M] () -- C:\Documents and Settings\Henry\My Documents\C6V2.doc
[2010/04/05 11:42:24 | 003,907,460 | R--- | M] () -- C:\Documents and Settings\Henry\Desktop\svchost.com.exe
[2010/04/04 23:06:13 | 000,025,088 | ---- | M] () -- C:\Documents and Settings\Henry\My Documents\C6V1.doc
[2010/04/04 22:01:17 | 000,024,576 | ---- | M] () -- C:\Documents and Settings\Henry\My Documents\11th Hour Movie CritiqueHenry Lau.doc
[2010/04/04 20:49:05 | 000,013,676 | -HS- | M] () -- C:\Documents and Settings\Henry\Local Settings\Application Data\VHx0W
[2010/04/04 20:49:05 | 000,013,676 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\VHx0W
[2010/04/04 19:58:05 | 000,056,916 | -H-- | M] () -- C:\WINDOWS\System32\mlfcache.dat
[2010/04/04 16:44:10 | 000,012,598 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/04/04 11:10:55 | 000,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010/04/03 23:02:21 | 004,839,310 | -H-- | M] () -- C:\Documents and Settings\Henry\Local Settings\Application Data\IconCache.db
[2010/04/03 23:01:25 | 000,422,437 | ---- | M] () -- C:\WINDOWS\System32\vsconfig.xml
[2010/04/03 23:00:49 | 000,004,212 | -H-- | M] () -- C:\WINDOWS\System32\zllictbl.dat
[2010/04/03 22:18:24 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/04/03 22:01:29 | 000,000,719 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\VLC media player.lnk
[2010/04/02 16:40:52 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/04/02 15:53:34 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/04/02 15:21:18 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/04/02 14:52:00 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/04/02 13:12:29 | 000,016,384 | ---- | M] () -- C:\Documents and Settings\Henry\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/04/02 11:27:09 | 000,015,344 | -HS- | M] () -- C:\Documents and Settings\Henry\Local Settings\Application Data\LK2mfPE2j
[2010/04/02 11:27:09 | 000,015,344 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\LK2mfPE2j
[2010/04/02 11:25:03 | 000,182,784 | -HS- | M] () -- C:\Documents and Settings\Henry\Local Settings\Application Data\2927340765.dll
[2010/04/01 22:59:39 | 000,050,376 | ---- | M] (Prevx) -- C:\WINDOWS\System32\drivers\pxrts.sys
[2010/03/31 23:07:29 | 000,030,208 | ---- | M] () -- C:\Documents and Settings\Henry\My Documents\Chapter 5 QuestionsHenry Lau.doc
[2010/03/30 17:37:54 | 000,001,604 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
[2010/03/29 16:53:01 | 007,494,865 | ---- | M] () -- C:\Documents and Settings\Henry\My Documents\ApprenticeWorkbook.pdf
[2010/03/29 15:24:58 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/03/29 15:24:46 | 000,020,824 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/03/28 15:31:51 | 000,034,816 | ---- | M] () -- C:\Documents and Settings\Henry\My Documents\Geometry workbook answers.doc
[1 C:\Documents and Settings\Henry\My Documents\*.tmp files -> C:\Documents and Settings\Henry\My Documents\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/04/07 16:22:07 | 000,054,016 | ---- | C] () -- C:\WINDOWS\System32\drivers\lgfstixi.sys
[2010/04/06 23:57:12 | 000,026,112 | ---- | C] () -- C:\Documents and Settings\Henry\My Documents\Eco Journal.doc
[2010/04/06 19:14:59 | 000,012,937 | ---- | C] () -- C:\Documents and Settings\Henry\My Documents\C6V3.docx
[2010/04/06 18:32:44 | 000,140,343 | ---- | C] () -- C:\Documents and Settings\Henry\My Documents\Hot stuff.JPG
[2010/04/06 15:38:47 | 000,096,704 | ---- | C] () -- C:\WINDOWS\System32\6f685ed4.exe
[2010/04/05 23:51:44 | 000,033,792 | ---- | C] () -- C:\Documents and Settings\Henry\My Documents\Physics Lab.doc
[2010/04/05 20:53:03 | 000,028,672 | ---- | C] () -- C:\Documents and Settings\Henry\My Documents\French Project.doc
[2010/04/05 11:42:42 | 000,027,648 | ---- | C] () -- C:\Documents and Settings\Henry\My Documents\C6V2.doc
[2010/04/05 11:42:13 | 003,907,460 | R--- | C] () -- C:\Documents and Settings\Henry\Desktop\svchost.com.exe
[2010/04/04 22:10:24 | 000,489,296 | ---- | C] () -- C:\Documents and Settings\Henry\Desktop\HelpAsst_mebroot_fix.exe
[2010/04/04 22:09:07 | 000,025,088 | ---- | C] () -- C:\Documents and Settings\Henry\My Documents\C6V1.doc
[2010/04/04 20:47:10 | 000,013,676 | -HS- | C] () -- C:\Documents and Settings\Henry\Local Settings\Application Data\VHx0W
[2010/04/04 20:47:10 | 000,013,676 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\VHx0W
[2010/04/03 23:00:49 | 000,004,212 | -H-- | C] () -- C:\WINDOWS\System32\zllictbl.dat
[2010/04/03 23:00:43 | 000,422,437 | ---- | C] () -- C:\WINDOWS\System32\vsconfig.xml
[2010/04/03 22:55:46 | 000,153,088 | ---- | C] () -- C:\WINDOWS\System32\UNRAR3.dll
[2010/04/03 22:55:46 | 000,075,264 | ---- | C] () -- C:\WINDOWS\System32\unacev2.dll
[2010/04/03 22:01:29 | 000,000,719 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\VLC media player.lnk
[2010/04/02 22:37:00 | 000,024,576 | ---- | C] () -- C:\Documents and Settings\Henry\My Documents\11th Hour Movie CritiqueHenry Lau.doc
[2010/04/02 16:40:52 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/04/02 15:21:18 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/04/02 15:21:16 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/04/02 15:17:05 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/04/02 15:17:05 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/04/02 15:17:05 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/04/02 15:17:05 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/04/02 11:25:03 | 000,182,784 | -HS- | C] () -- C:\Documents and Settings\Henry\Local Settings\Application Data\2927340765.dll
[2010/04/02 11:23:46 | 000,015,344 | -HS- | C] () -- C:\Documents and Settings\Henry\Local Settings\Application Data\LK2mfPE2j
[2010/04/02 11:23:46 | 000,015,344 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\LK2mfPE2j
[2010/03/31 21:03:41 | 000,030,208 | ---- | C] () -- C:\Documents and Settings\Henry\My Documents\Chapter 5 QuestionsHenry Lau.doc
[2010/03/30 17:40:31 | 000,002,137 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/03/30 17:37:54 | 000,001,604 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
[2010/03/29 16:53:01 | 007,494,865 | ---- | C] () -- C:\Documents and Settings\Henry\My Documents\ApprenticeWorkbook.pdf
[2010/03/28 18:18:59 | 003,482,145 | ---- | C] () -- C:\Documents and Settings\Henry\Desktop\New Radicals - Someday We'll Know.mp3
[2010/03/28 15:31:50 | 000,034,816 | ---- | C] () -- C:\Documents and Settings\Henry\My Documents\Geometry workbook answers.doc
[2010/02/21 22:53:25 | 000,000,327 | ---- | C] () -- C:\Documents and Settings\Henry\mbr.log
[2010/02/21 22:10:25 | 000,000,048 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2010/02/01 14:12:31 | 000,012,686 | -HS- | C] () -- C:\Documents and Settings\Henry\Local Settings\Application Data\u1ly73
[2009/12/15 17:13:21 | 000,012,098 | ---- | C] () -- C:\Documents and Settings\Henry\hs_err_pid3928.log
[2009/12/11 02:37:56 | 000,536,576 | ---- | C] () -- C:\WINDOWS\System32\crash_report.dll
[2009/09/22 10:57:45 | 000,000,028 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/08/22 22:33:01 | 004,718,592 | ---- | C] () -- C:\Documents and Settings\Henry\ntuser.dat
[2009/08/22 20:45:40 | 000,000,075 | ---- | C] () -- C:\Documents and Settings\Henry\Local Settings\Application Data\FASTWiz.log
[2009/08/22 18:49:27 | 000,016,384 | ---- | C] () -- C:\Documents and Settings\Henry\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/08/21 21:13:00 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\Henry\ntuser.dat.LOG
[2009/08/21 21:13:00 | 000,000,178 | -HS- | C] () -- C:\Documents and Settings\Henry\ntuser.ini
[2009/08/21 21:12:49 | 000,262,144 | ---- | C] () -- C:\Documents and Settings\All Users\NTUSER.DAT
[2009/08/21 21:12:49 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\All Users\NTUSER.DAT.LOG
[2009/08/19 18:23:26 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2009/02/03 05:13:31 | 000,003,972 | ---- | C] () -- C:\WINDOWS\System32\drivers\PciBus.sys
[2009/02/03 05:09:03 | 000,147,456 | R--- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4864.dll
[2009/01/21 11:53:37 | 000,001,466 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[1996/04/03 12:33:26 | 000,005,248 | ---- | C] () -- C:\WINDOWS\System32\giveio.sys

========== LOP Check ==========

[2010/04/04 11:10:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2009/08/22 23:04:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Azureus
[2010/04/01 20:58:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ESET
[2010/04/01 22:59:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PrevxCSI
[2010/02/01 18:16:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/03/30 17:40:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2009/09/11 16:41:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/08/21 21:28:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2009/08/23 08:16:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Henry\Application Data\Azureus
[2010/04/03 23:00:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Henry\Application Data\CheckPoint
[2010/03/14 17:58:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Henry\Application Data\LimeWire

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2008/04/14 05:00:00 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2008/04/14 05:00:00 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ERDNT\cache\agp440.sys
[2008/04/14 05:00:00 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

< MD5 for: ATAPI.SYS >
[2008/04/14 05:00:00 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2010/04/03 21:08:52 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2010/02/10 17:16:00 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2010/04/05 11:46:34 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/14 05:00:00 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ERDNT\cache\eventlog.dll
[2008/04/14 05:00:00 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\dllcache\eventlog.dll
[2008/04/14 05:00:00 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/14 05:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ERDNT\cache\netlogon.dll
[2008/04/14 05:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\dllcache\netlogon.dll
[2008/04/14 05:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: SCECLI.DLL >
[2008/04/14 05:00:00 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ERDNT\cache\scecli.dll
[2008/04/14 05:00:00 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\dllcache\scecli.dll
[2008/04/14 05:00:00 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2009/08/22 15:19:32 | 000,262,144 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2009/08/22 22:13:59 | 000,262,144 | ---- | M] () -- C:\WINDOWS\system32\config\security.sav
[2009/08/22 15:19:32 | 017,563,648 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2009/08/22 15:19:33 | 004,456,448 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

========== Alternate Data Streams ==========

@Alternate Data Stream - 143 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:8C35AEA7
@Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
@Alternate Data Stream - 103 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
< End of report >


#11
azarl

    GeekU Admin

  • Community Leader
  • 25,310 posts
We've a way to go yet. What's the new pop-up?

» Step 1 «
Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).
» Step 2 «
Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :Processes 
    
    :Services
    
    :OTL
    O2 - BHO: (profitizeme browser enhancer) - {1A0EA010-74FF-678A-06E7-89785789110D} - C:\WINDOWS\System32\wqslhxijvle.dll File not found
    
    :Files
    C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys /e
    
    :Commands
    [purity]
    [emptytemp]
    
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
» Step 3 «
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :dir
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\iklphushm
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\qsexfthui
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
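The `< MD5 for: ATAPI.SYS >` block in the OTL report above lists the copies of atapi.sys in ERDNT\cache, dllcache and drivers with their hashes, and the Step 2 `:Files` line points at the copy of atapi.sys inside sp3.cab; both rest on the same idea, comparing every on-disk copy of a system driver against a copy you have reason to trust. The script below is an added example written for this page, not part of OTL, GooredFix or anything azarl posted. It builds constructed sample files in a temporary directory (toy byte strings, not real driver images), and the file names, the `compare_copies` function and the `demo` helper are assumptions for illustration only.

```python
import hashlib
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 16  # hash in 64 KiB chunks so a 20 MB .cab never sits fully in memory


def file_digest(path, algorithm="md5"):
    """Return the upper-case hex digest of a file, in the style OTL prints (MD5=...).
    Use algorithm='sha256' for anything new; md5 is kept only to match the log above."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def compare_copies(reference, candidates, algorithm="md5"):
    """Hash every candidate copy of a system file and compare it with a trusted reference.

    Returns (reference_digest, {path: (status, digest)}) where status is
    'match', 'mismatch' (contents differ, i.e. a patched or replaced copy),
    'missing' (no file at that path) or 'unreadable' (could not be opened).
    An unreadable candidate is reported rather than aborting the whole check."""
    ref_digest = file_digest(reference, algorithm)
    results = {}
    for path in candidates:
        if not os.path.isfile(path):
            results[path] = ("missing", None)
            continue
        try:
            digest = file_digest(path, algorithm)
        except OSError:
            results[path] = ("unreadable", None)
            continue
        status = "match" if digest == ref_digest else "mismatch"
        results[path] = (status, digest)
    return ref_digest, results


def demo():
    """Constructed sample (assumption for illustration only): a 'cab' reference copy,
    one identical copy, one copy with a few bytes overwritten, and one absent path.
    The contents are toy byte strings, not real driver images."""
    tmp = Path(tempfile.mkdtemp(prefix="drvcheck_"))
    reference = tmp / "sp3_atapi.sys"
    reference.write_bytes(b"MZ" + b"\x00" * 512 + b"atapi driver body")

    good = tmp / "drivers_atapi.sys"
    good.write_bytes(reference.read_bytes())

    patched = tmp / "dllcache_atapi.sys"
    body = bytearray(reference.read_bytes())
    body[300:304] = b"\xe9\x00\x00\x00"  # simulate a small patch inside the image
    patched.write_bytes(bytes(body))

    absent = tmp / "erdnt_atapi.sys"  # deliberately never created
    return compare_copies(str(reference), [str(good), str(patched), str(absent)])


if __name__ == "__main__":
    ref, report = demo()
    print("reference MD5=" + ref)
    for path, (status, digest) in report.items():
        print(f"{status:10s} {digest or '-':32s} {path}")
```

On a real machine you would pass the path of the copy extracted from the service-pack cabinet as `reference` and the ERDNT\cache, dllcache and drivers paths as `candidates`; a `mismatch` on the drivers copy with a `match` everywhere else is the pattern worth looking at. Note that agreement among the three local copies alone proves little if all of them were replaced at the same time, which is why a copy from outside the running system is the better reference.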

#12
Babine

    Member

  • Topic Starter
  • Member
  • 58 posts
Well, there aren't any really specific ones, but they pop up on the bottom of my right-hand corner. I know one of them tells me I won a prize, another says it's like an interactive ad. They pop up sometimes, but generally not all the time.

GooredFix by jpshortstuff (08.01.10.1)
Log created at 19:08 on 08/04/2010 (Henry)
Firefox version 3.6.3 (en-US)

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
[email protected] [20:24 10/09/2009]
[email protected] [06:05 04/04/2010]
{972ce4c6-7e08-4474-a285-3208198ce6fd} [04:22 22/08/2009]
{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} [22:06 02/04/2010]
{d8c77b75-d01d-cd98-1b00-c1fb57b20e1e} [22:38 06/04/2010]

C:\Documents and Settings\Henry\Application Data\Mozilla\Firefox\Profiles\4ovd82lm.default\extensions\
[email protected] [02:44 04/04/2010]
SkipScreen@SkipScreen [02:44 04/04/2010]
{20a82645-c095-46ed-80e3-08825760534b} [14:44 02/09/2009]
{9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e} [02:44 04/04/2010]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"[email protected]"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [22:06 02/04/2010]

---------- Old Logs ----------
GooredFix[02.07.35_09-04-2010].txt

-=E.O.F=-

Edited by Babine, 08 April 2010 - 08:20 PM.


#13
Babine

    Member

  • Topic Starter
  • Member
  • 58 posts
OTL logfile created on: 4/8/2010 7:20:57 PM - Run 5
OTL by OldTimer - Version 3.2.1.0 Folder = C:\Documents and Settings\Henry\Desktop\New Folder (3)
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 76.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 90.00% Paging File free
Paging file location(s): c:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 298.09 Gb Total Space | 276.34 Gb Free Space | 92.70% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: HENRYLAU
Current User Name: Henry
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/04/07 16:19:35 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Henry\Desktop\New Folder (3)\OTL.exe
PRC - [2010/03/19 10:49:20 | 000,144,672 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
PRC - [2010/03/09 03:24:10 | 002,769,336 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast5\AvastUI.exe
PRC - [2010/03/09 03:24:08 | 000,040,384 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
PRC - [2009/11/22 15:44:16 | 002,384,240 | ---- | M] (Check Point Software Technologies LTD) -- C:\WINDOWS\system32\ZoneLabs\vsmon.exe
PRC - [2009/11/22 15:42:50 | 001,037,192 | ---- | M] (Check Point Software Technologies LTD) -- C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
PRC - [2009/10/26 21:42:42 | 000,718,232 | ---- | M] (Pelmorex Media Inc.) -- C:\Documents and Settings\Henry\Local Settings\Application Data\TheWeatherNetwork\WeatherEye\WeatherEye.exe
PRC - [2009/05/27 03:27:04 | 029,262,680 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
PRC - [2008/11/24 22:31:12 | 000,087,904 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
PRC - [2008/11/24 22:31:08 | 000,239,968 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
PRC - [2008/04/14 05:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (SafeList) ==========

MOD - [2010/04/07 16:19:35 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Henry\Desktop\New Folder (3)\OTL.exe


========== Win32 Services (SafeList) ==========

SRV - [2010/03/19 10:49:20 | 000,144,672 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2010/03/09 03:24:08 | 000,040,384 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Web Scanner)
SRV - [2010/03/09 03:24:08 | 000,040,384 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Mail Scanner)
SRV - [2010/03/09 03:24:08 | 000,040,384 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
SRV - [2009/11/22 15:44:16 | 002,384,240 | ---- | M] (Check Point Software Technologies LTD) [Auto | Running] -- C:\WINDOWS\System32\ZoneLabs\vsmon.exe -- (vsmon)
SRV - [2009/05/27 03:27:04 | 029,262,680 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe -- (MSSQL$SQLEXPRESS) SQL Server (SQLEXPRESS)
SRV - [2008/11/24 22:31:12 | 000,087,904 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe -- (SQLWriter)
SRV - [2008/11/24 22:31:08 | 000,239,968 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe -- (SQLBrowser)
SRV - [2008/11/24 22:31:08 | 000,045,408 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe -- (MSSQLServerADHelper)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.eset.com/online-scanner#
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Wikipedia (en)"
FF - prefs.js..browser.startup.homepage: "www.sympatico.msn.ca"
FF - prefs.js..extensions.enabledItems: SkipScreen@SkipScreen:0.4.7amo
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: [email protected]:3.76
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: {d8c77b75-d01d-cd98-1b00-c1fb57b20e1e}:4.6.6.6
FF - prefs.js..extensions.enabledItems: {9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e}:3.76


FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/02 14:13:44 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/02 14:13:44 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Thunderbird\Extensions\\[email protected]: C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird

[2009/10/11 20:47:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Henry\Application Data\Mozilla\Extensions
[2009/10/11 20:47:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Henry\Application Data\Mozilla\Extensions\[email protected]
[2010/04/08 19:07:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Henry\Application Data\Mozilla\Firefox\Profiles\4ovd82lm.default\extensions
[2009/09/02 07:44:34 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Henry\Application Data\Mozilla\Firefox\Profiles\4ovd82lm.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/04/03 19:44:27 | 000,000,000 | ---D | M] (Noia 2.0 (eXtreme)) -- C:\Documents and Settings\Henry\Application Data\Mozilla\Firefox\Profiles\4ovd82lm.default\extensions\{9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e}
[2010/04/03 19:44:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Henry\Application Data\Mozilla\Firefox\Profiles\4ovd82lm.default\extensions\[email protected]
[2010/04/03 19:44:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Henry\Application Data\Mozilla\Firefox\Profiles\4ovd82lm.default\extensions\SkipScreen@SkipScreen
[2009/11/12 18:55:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Henry\Application Data\Mozilla\Sunbird\Profiles\srg3s7iq.default\extensions
[2010/04/08 19:07:11 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/04/06 15:38:47 | 000,000,000 | ---D | M] (z) -- C:\Program Files\Mozilla Firefox\extensions\{d8c77b75-d01d-cd98-1b00-c1fb57b20e1e}
[2010/04/08 19:15:09 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\[email protected]
[2010/04/03 23:06:01 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\[email protected]

O1 HOSTS File: ([2010/04/02 15:53:34 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No CLSID value found.
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\AvastUI.exe (ALWIL Software)
O4 - HKLM..\Run: [ZoneAlarm Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe (Check Point Software Technologies LTD)
O4 - HKCU..\Run: [WeatherEye] C:\Documents and Settings\Henry\Local Settings\Application Data\TheWeatherNetwork\WeatherEye\WeatherEye.exe (Pelmorex Media Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Advanced\Folder\Hidden\SHOWALL: CheckedValue = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Advanced\Folder\Hidden\SHOWALL: CheckedValue = 1
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft....k/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onec...lscbase6087.cab (Windows Live Safety Center Base Module)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.ma...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 64.59.144.90 64.59.144.91
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Henry\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Henry\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/02/03 04:50:11 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKCU\...exe [@ = exefile] -- Reg Error: Key error. File not found

========== Files/Folders - Created Within 14 Days ==========

[2010/04/08 19:10:19 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/04/08 19:07:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Henry\Desktop\GooredFix Backups
[2010/04/08 18:59:54 | 000,070,858 | ---- | C] (jpshortstuff) -- C:\Documents and Settings\Henry\Desktop\GooredFix.exe
[2010/04/07 16:50:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Henry\Desktop\New Folder (3)
[2010/04/07 11:56:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2010/04/05 11:43:57 | 000,000,000 | --SD | C] -- C:\svchost.com
[2010/04/04 22:11:02 | 000,000,000 | ---D | C] -- C:\HelpAsst_backup
[2010/04/04 17:53:50 | 000,178,000 | ---- | C] (Kaspersky Lab) -- C:\Documents and Settings\Henry\Desktop\TDSSKiller.exe
[2010/04/04 11:10:59 | 000,019,024 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2010/04/04 11:10:58 | 000,162,640 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2010/04/04 11:10:57 | 000,023,376 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2010/04/04 11:10:56 | 000,046,672 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2010/04/04 11:10:55 | 000,100,432 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2010/04/04 11:10:55 | 000,094,800 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2010/04/04 11:10:54 | 000,028,880 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2010/04/04 11:10:46 | 000,153,184 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\aswBoot.exe
[2010/04/04 11:10:46 | 000,038,848 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\avastSS.scr
[2010/04/04 11:10:44 | 000,000,000 | ---D | C] -- C:\Program Files\Alwil Software
[2010/04/04 11:10:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2010/04/04 11:00:09 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/04/03 23:31:43 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\CatRoot2
[2010/04/03 23:00:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Henry\My Documents\ForceField Shared Files
[2010/04/03 23:00:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Henry\Application Data\CheckPoint
[2010/04/03 23:00:50 | 000,000,000 | ---D | C] -- C:\Program Files\CheckPoint
[2010/04/03 23:00:44 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\ZoneLabs
[2010/04/03 23:00:43 | 000,000,000 | ---D | C] -- C:\Program Files\Zone Labs
[2010/04/03 23:00:16 | 000,000,000 | ---D | C] -- C:\WINDOWS\Internet Logs
[2010/04/03 22:59:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Henry\Desktop\Anti-Virus
[2010/04/03 22:55:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Henry\My Documents\Simply Super Software
[2010/04/03 22:43:05 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/04/03 22:03:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Henry\Local Settings\Application Data\Graboid_Inc
[2010/04/03 22:03:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Henry\Application Data\MozillaControl
[2010/04/03 22:03:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Henry\Local Settings\Application Data\Graboid
[2010/04/03 22:01:45 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla ActiveX Control v1.7.12
[2010/04/03 21:58:55 | 000,000,000 | ---D | C] -- C:\Program Files\Graboid
[2010/04/03 20:31:02 | 000,000,000 | ---D | C] -- C:\Program Files\SpywareBlaster
[2010/04/03 17:21:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\AdobeUM
[2010/04/03 17:20:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2010/04/02 18:45:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\iklphushm
[2010/04/02 15:52:17 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2010/04/02 15:21:15 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/04/02 15:17:05 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/04/02 15:17:05 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/04/02 15:17:05 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/04/02 15:17:05 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/04/02 15:16:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/04/02 15:11:53 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/04/02 15:07:04 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010/04/02 15:07:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/04/02 15:06:39 | 000,000,000 | ---D | C] -- C:\Program Files\Sun
[2010/04/02 15:01:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\qsexfthui
[2010/04/02 14:23:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/04/02 13:36:40 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/02 13:36:38 | 000,020,824 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/02 13:36:38 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/04/01 23:30:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Henry\Local Settings\Application Data\ESET
[2010/04/01 22:59:39 | 000,050,376 | ---- | C] (Prevx) -- C:\WINDOWS\System32\drivers\pxrts.sys
[2010/04/01 22:59:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PrevxCSI
[2010/04/01 21:10:22 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Live Safety Center
[2010/04/01 21:05:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\ESET
[2010/04/01 20:58:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\ESET
[2010/04/01 18:57:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Henry\Local Settings\Application Data\WMTools Downloaded Files
[2010/04/01 18:47:48 | 000,000,000 | R--D | C] -- C:\Documents and Settings\All Users\Documents\My Videos
[2010/04/01 18:38:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Henry\Desktop\Soft Product
[2010/03/31 21:17:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2010/03/31 20:41:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2010/03/31 20:08:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2010/03/31 19:57:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2010/03/31 18:02:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/03/30 17:39:54 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2010/03/30 17:39:50 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2010/03/30 17:39:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2010/03/30 17:37:38 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2010/03/30 17:35:45 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2010/02/12 18:19:45 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009/08/28 14:52:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2009/02/03 04:50:09 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[1 C:\Documents and Settings\Henry\My Documents\*.tmp files -> C:\Documents and Settings\Henry\My Documents\*.tmp -> ]

========== Files - Modified Within 14 Days ==========

[2010/04/08 19:20:47 | 004,718,592 | ---- | M] () -- C:\Documents and Settings\Henry\ntuser.dat
[2010/04/08 19:17:22 | 000,100,908 | ---- | M] () -- C:\Documents and Settings\Henry\Desktop\SystemLook.exe
[2010/04/08 19:13:01 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/04/08 19:12:26 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/04/08 19:11:36 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Henry\ntuser.ini
[2010/04/08 18:59:52 | 000,070,858 | ---- | M] (jpshortstuff) -- C:\Documents and Settings\Henry\Desktop\GooredFix.exe
[2010/04/07 18:15:39 | 000,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/04/06 23:57:12 | 000,026,112 | ---- | M] () -- C:\Documents and Settings\Henry\My Documents\Eco Journal.doc
[2010/04/06 23:16:32 | 000,140,343 | ---- | M] () -- C:\Documents and Settings\Henry\My Documents\Hot stuff.JPG
[2010/04/06 19:43:17 | 000,012,937 | ---- | M] () -- C:\Documents and Settings\Henry\My Documents\C6V3.docx
[2010/04/06 15:39:35 | 000,489,296 | ---- | M] () -- C:\Documents and Settings\Henry\Desktop\HelpAsst_mebroot_fix.exe
[2010/04/06 15:38:47 | 000,096,704 | ---- | M] () -- C:\WINDOWS\System32\6f685ed4.exe
[2010/04/05 23:51:44 | 000,033,792 | ---- | M] () -- C:\Documents and Settings\Henry\My Documents\Physics Lab.doc
[2010/04/05 20:53:03 | 000,028,672 | ---- | M] () -- C:\Documents and Settings\Henry\My Documents\French Project.doc
[2010/04/05 18:23:36 | 000,027,136 | ---- | M] () -- C:\Documents and Settings\Henry\My Documents\The Book of Negroes.doc
[2010/04/05 16:26:41 | 000,027,648 | ---- | M] () -- C:\Documents and Settings\Henry\My Documents\C6V2.doc
[2010/04/05 11:42:24 | 003,907,460 | R--- | M] () -- C:\Documents and Settings\Henry\Desktop\svchost.com.exe
[2010/04/04 23:06:13 | 000,025,088 | ---- | M] () -- C:\Documents and Settings\Henry\My Documents\C6V1.doc
[2010/04/04 22:01:17 | 000,024,576 | ---- | M] () -- C:\Documents and Settings\Henry\My Documents\11th Hour Movie CritiqueHenry Lau.doc
[2010/04/04 20:49:05 | 000,013,676 | -HS- | M] () -- C:\Documents and Settings\Henry\Local Settings\Application Data\VHx0W
[2010/04/04 20:49:05 | 000,013,676 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\VHx0W
[2010/04/04 19:58:05 | 000,056,916 | -H-- | M] () -- C:\WINDOWS\System32\mlfcache.dat
[2010/04/04 16:44:10 | 000,012,598 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/04/04 11:10:55 | 000,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010/04/03 23:02:21 | 004,839,310 | -H-- | M] () -- C:\Documents and Settings\Henry\Local Settings\Application Data\IconCache.db
[2010/04/03 23:01:25 | 000,422,437 | ---- | M] () -- C:\WINDOWS\System32\vsconfig.xml
[2010/04/03 23:00:49 | 000,004,212 | -H-- | M] () -- C:\WINDOWS\System32\zllictbl.dat
[2010/04/03 22:18:24 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/04/03 22:01:29 | 000,000,719 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\VLC media player.lnk
[2010/04/02 16:40:52 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/04/02 15:53:34 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/04/02 15:21:18 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/04/02 14:52:00 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/04/02 13:12:29 | 000,016,384 | ---- | M] () -- C:\Documents and Settings\Henry\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/04/02 11:27:09 | 000,015,344 | -HS- | M] () -- C:\Documents and Settings\Henry\Local Settings\Application Data\LK2mfPE2j
[2010/04/02 11:27:09 | 000,015,344 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\LK2mfPE2j
[2010/04/02 11:25:03 | 000,182,784 | -HS- | M] () -- C:\Documents and Settings\Henry\Local Settings\Application Data\2927340765.dll
[2010/04/01 22:59:39 | 000,050,376 | ---- | M] (Prevx) -- C:\WINDOWS\System32\drivers\pxrts.sys
[2010/03/31 23:07:29 | 000,030,208 | ---- | M] () -- C:\Documents and Settings\Henry\My Documents\Chapter 5 QuestionsHenry Lau.doc
[2010/03/30 17:37:54 | 000,001,604 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
[2010/03/29 16:53:01 | 007,494,865 | ---- | M] () -- C:\Documents and Settings\Henry\My Documents\ApprenticeWorkbook.pdf
[2010/03/29 15:24:58 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/03/29 15:24:46 | 000,020,824 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/03/28 15:31:51 | 000,034,816 | ---- | M] () -- C:\Documents and Settings\Henry\My Documents\Geometry workbook answers.doc
[1 C:\Documents and Settings\Henry\My Documents\*.tmp files -> C:\Documents and Settings\Henry\My Documents\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/04/08 19:17:24 | 000,100,908 | ---- | C] () -- C:\Documents and Settings\Henry\Desktop\SystemLook.exe
[2010/04/06 23:57:12 | 000,026,112 | ---- | C] () -- C:\Documents and Settings\Henry\My Documents\Eco Journal.doc
[2010/04/06 19:14:59 | 000,012,937 | ---- | C] () -- C:\Documents and Settings\Henry\My Documents\C6V3.docx
[2010/04/06 18:32:44 | 000,140,343 | ---- | C] () -- C:\Documents and Settings\Henry\My Documents\Hot stuff.JPG
[2010/04/06 15:38:47 | 000,096,704 | ---- | C] () -- C:\WINDOWS\System32\6f685ed4.exe
[2010/04/05 23:51:44 | 000,033,792 | ---- | C] () -- C:\Documents and Settings\Henry\My Documents\Physics Lab.doc
[2010/04/05 20:53:03 | 000,028,672 | ---- | C] () -- C:\Documents and Settings\Henry\My Documents\French Project.doc
[2010/04/05 11:42:42 | 000,027,648 | ---- | C] () -- C:\Documents and Settings\Henry\My Documents\C6V2.doc
[2010/04/05 11:42:13 | 003,907,460 | R--- | C] () -- C:\Documents and Settings\Henry\Desktop\svchost.com.exe
[2010/04/04 22:10:24 | 000,489,296 | ---- | C] () -- C:\Documents and Settings\Henry\Desktop\HelpAsst_mebroot_fix.exe
[2010/04/04 22:09:07 | 000,025,088 | ---- | C] () -- C:\Documents and Settings\Henry\My Documents\C6V1.doc
[2010/04/04 20:47:10 | 000,013,676 | -HS- | C] () -- C:\Documents and Settings\Henry\Local Settings\Application Data\VHx0W
[2010/04/04 20:47:10 | 000,013,676 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\VHx0W
[2010/04/03 23:00:49 | 000,004,212 | -H-- | C] () -- C:\WINDOWS\System32\zllictbl.dat
[2010/04/03 23:00:43 | 000,422,437 | ---- | C] () -- C:\WINDOWS\System32\vsconfig.xml
[2010/04/03 22:55:46 | 000,153,088 | ---- | C] () -- C:\WINDOWS\System32\UNRAR3.dll
[2010/04/03 22:55:46 | 000,075,264 | ---- | C] () -- C:\WINDOWS\System32\unacev2.dll
[2010/04/03 22:01:29 | 000,000,719 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\VLC media player.lnk
[2010/04/02 22:37:00 | 000,024,576 | ---- | C] () -- C:\Documents and Settings\Henry\My Documents\11th Hour Movie CritiqueHenry Lau.doc
[2010/04/02 16:40:52 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/04/02 15:21:18 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/04/02 15:21:16 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/04/02 15:17:05 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/04/02 15:17:05 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/04/02 15:17:05 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/04/02 15:17:05 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/04/02 11:25:03 | 000,182,784 | -HS- | C] () -- C:\Documents and Settings\Henry\Local Settings\Application Data\2927340765.dll
[2010/04/02 11:23:46 | 000,015,344 | -HS- | C] () -- C:\Documents and Settings\Henry\Local Settings\Application Data\LK2mfPE2j
[2010/04/02 11:23:46 | 000,015,344 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\LK2mfPE2j
[2010/03/31 21:03:41 | 000,030,208 | ---- | C] () -- C:\Documents and Settings\Henry\My Documents\Chapter 5 QuestionsHenry Lau.doc
[2010/03/30 17:40:31 | 000,002,137 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/03/30 17:37:54 | 000,001,604 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
[2010/03/29 16:53:01 | 007,494,865 | ---- | C] () -- C:\Documents and Settings\Henry\My Documents\ApprenticeWorkbook.pdf
[2010/03/28 18:18:59 | 003,482,145 | ---- | C] () -- C:\Documents and Settings\Henry\Desktop\New Radicals - Someday We'll Know.mp3
[2010/03/28 15:31:50 | 000,034,816 | ---- | C] () -- C:\Documents and Settings\Henry\My Documents\Geometry workbook answers.doc
[2010/02/21 22:53:25 | 000,000,327 | ---- | C] () -- C:\Documents and Settings\Henry\mbr.log
[2010/02/21 22:10:25 | 000,000,048 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2010/02/01 14:12:31 | 000,012,686 | -HS- | C] () -- C:\Documents and Settings\Henry\Local Settings\Application Data\u1ly73
[2009/12/15 17:13:21 | 000,012,098 | ---- | C] () -- C:\Documents and Settings\Henry\hs_err_pid3928.log
[2009/12/11 02:37:56 | 000,536,576 | ---- | C] () -- C:\WINDOWS\System32\crash_report.dll
[2009/09/22 10:57:45 | 000,000,028 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/08/22 22:33:01 | 004,718,592 | ---- | C] () -- C:\Documents and Settings\Henry\ntuser.dat
[2009/08/22 20:45:40 | 000,000,075 | ---- | C] () -- C:\Documents and Settings\Henry\Local Settings\Application Data\FASTWiz.log
[2009/08/22 18:49:27 | 000,016,384 | ---- | C] () -- C:\Documents and Settings\Henry\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/08/21 21:13:00 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\Henry\ntuser.dat.LOG
[2009/08/21 21:13:00 | 000,000,178 | -HS- | C] () -- C:\Documents and Settings\Henry\ntuser.ini
[2009/08/21 21:12:49 | 000,262,144 | ---- | C] () -- C:\Documents and Settings\All Users\NTUSER.DAT
[2009/08/21 21:12:49 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\All Users\NTUSER.DAT.LOG
[2009/08/19 18:23:26 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2009/02/03 05:13:31 | 000,003,972 | ---- | C] () -- C:\WINDOWS\System32\drivers\PciBus.sys
[2009/02/03 05:09:03 | 000,147,456 | R--- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4864.dll
[2009/01/21 11:53:37 | 000,001,466 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[1996/04/03 12:33:26 | 000,005,248 | ---- | C] () -- C:\WINDOWS\System32\giveio.sys

========== LOP Check ==========

[2010/04/04 11:10:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2009/08/22 23:04:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Azureus
[2010/04/01 20:58:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ESET
[2010/04/01 22:59:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PrevxCSI
[2010/02/01 18:16:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/03/30 17:40:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2009/09/11 16:41:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/08/21 21:28:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2009/08/23 08:16:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Henry\Application Data\Azureus
[2010/04/03 23:00:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Henry\Application Data\CheckPoint
[2010/03/14 17:58:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Henry\Application Data\LimeWire

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 143 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:8C35AEA7
@Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
@Alternate Data Stream - 103 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
< End of report >
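Working through an OTL file list by eye is slow, so here is a small triage script for the two line formats that matter most in the report above (the file-list entries and the alternate-data-stream entries). It is an added example, not part of the thread and not OTL's own code. The heuristics are my own assumed triage rules: hidden+system files inside a user profile, extension-less random names under Application Data, numerically named DLLs under Application Data, hex-named executables in System32 with no company string, double extensions, a Windows process name living outside System32, and any alternate data stream. They produce leads to examine, not verdicts; installers do leave GUID-named and hidden files behind, so each hit still needs a look. The sample lines are taken from the report above.

```python
"""Triage helper for OTL file-list and alternate-data-stream lines.

Added example: not part of the forum thread and not OTL's own code. The
heuristics are an assumed set of triage rules; SAMPLE_LOG holds lines
taken from the OTL report in the thread.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# One OTL file/directory entry, e.g.
# [2010/04/04 20:49:05 | 000,013,676 | -HS- | M] () -- C:\...\VHx0W
# Attribute order is R (read-only), H (hidden), S (system), D (directory);
# the parenthesised company field is absent on directory lines.
OTL_ENTRY = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[RHSD-]{4}) \| (?P<op>[CM])\] (?:\((?P<company>[^)]*)\) )?-- (?P<path>.+)$"
)
# One OTL alternate-data-stream entry: "@Alternate Data Stream - N bytes -> path:stream"
OTL_ADS = re.compile(
    r"^@Alternate Data Stream - (?P<size>\d+) bytes -> (?P<path>.+):(?P<stream>[^:\\]+)$"
)

HEX_STEM = re.compile(r"^(?=.*\d)[0-9a-f]{6,}$", re.I)                # 6f685ed4, 8C35AEA7
RANDOM_STEM = re.compile(r"^(?=.*\d)(?=.*[A-Za-z])[A-Za-z0-9]{5,}$")  # VHx0W, LK2mfPE2j
NUMERIC_STEM = re.compile(r"^\d{6,}$")                                # 2927340765
EXEC_EXT = {".exe", ".dll", ".sys", ".com", ".scr"}
# Hidden+system files that legitimately live in a user profile.
KNOWN_HS = {"ntuser.ini", "ntuser.dat", "ntuser.dat.log", "desktop.ini"}


@dataclass
class Finding:
    path: str
    reason: str


def split_name(path: str) -> tuple[str, str]:
    """Return (stem, lower-cased extension) of the last path component."""
    name = path.rsplit("\\", 1)[-1]
    stem, dot, ext = name.rpartition(".")
    return (name, "") if not dot else (stem, "." + ext.lower())


def classify_entry(entry: dict) -> list[str]:
    """Reasons an OTL file entry deserves a closer look (empty list if none)."""
    path, attrs = entry["path"], entry["attrs"]
    low = path.lower()
    name = path.rsplit("\\", 1)[-1].lower()
    stem, ext = split_name(path)
    in_profile = "\\documents and settings\\" in low
    in_appdata = in_profile and "application data\\" in low
    in_system32 = "\\system32\\" in low
    reasons = []
    if "H" in attrs and "S" in attrs and in_profile and name not in KNOWN_HS:
        reasons.append("hidden+system file inside a user profile")
    if in_appdata and ext == "" and RANDOM_STEM.match(stem):
        reasons.append("extension-less random name under Application Data")
    if in_appdata and ext in EXEC_EXT and NUMERIC_STEM.match(stem):
        reasons.append("numerically named executable under Application Data")
    if in_system32 and ext in EXEC_EXT and HEX_STEM.match(stem) and not entry["company"]:
        reasons.append("hex-named executable in System32 with no company name")
    if ext in EXEC_EXT and "." in stem:
        reasons.append("double extension")
    if "svchost" in stem.lower() and not in_system32:
        reasons.append("Windows process name outside System32")
    return reasons


def classify_ads(ads: dict) -> list[str]:
    """Every stream OTL lists is worth opening; hex-named ones on a folder more so."""
    reasons = ["alternate data stream"]
    if HEX_STEM.match(ads["stream"]):
        reasons.append("hex-named stream")
    return reasons


def triage(lines) -> list[Finding]:
    """Run the heuristics over OTL log lines; unrecognised lines are ignored."""
    findings: list[Finding] = []
    for raw in lines:
        line = raw.strip()
        if (m := OTL_ENTRY.match(line)):
            e = m.groupdict()
            if "D" in e["attrs"]:
                continue  # directory entries are not scored here
            findings += [Finding(e["path"], r) for r in classify_entry(e)]
        elif (m := OTL_ADS.match(line)):
            a = m.groupdict()
            findings += [Finding(f"{a['path']}:{a['stream']}", r) for r in classify_ads(a)]
    return findings


# Lines taken from the OTL report in the thread (a clean and a suspicious mix).
SAMPLE_LOG = r"""
[2010/04/08 19:17:22 | 000,100,908 | ---- | M] () -- C:\Documents and Settings\Henry\Desktop\SystemLook.exe
[2010/04/08 19:11:36 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Henry\ntuser.ini
[2010/04/06 15:38:47 | 000,096,704 | ---- | M] () -- C:\WINDOWS\System32\6f685ed4.exe
[2010/04/05 11:42:24 | 003,907,460 | R--- | M] () -- C:\Documents and Settings\Henry\Desktop\svchost.com.exe
[2010/04/04 20:49:05 | 000,013,676 | -HS- | M] () -- C:\Documents and Settings\Henry\Local Settings\Application Data\VHx0W
[2010/04/02 11:25:03 | 000,182,784 | -HS- | M] () -- C:\Documents and Settings\Henry\Local Settings\Application Data\2927340765.dll
[2010/04/01 22:59:39 | 000,050,376 | ---- | M] (Prevx) -- C:\WINDOWS\System32\drivers\pxrts.sys
[2010/03/30 17:39:50 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
@Alternate Data Stream - 143 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:8C35AEA7
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"{f.reason:55} {f.path}")
```

On the sample above the script flags 6f685ed4.exe, svchost.com.exe (twice), VHx0W (twice), 2927340765.dll (twice) and the TEMP stream (twice), and stays quiet on SystemLook.exe, ntuser.ini, pxrts.sys and the iTunes folder. Feed it the whole "Files - Modified Within 14 Days", "Files Created" and "Alternate Data Streams" sections to get a short list of paths to submit for analysis before anything is deleted.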

#14 Babine (Topic Starter)

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 19:38 on 08/04/2010 by Henry (Administrator - Elevation successful)

========== dir ==========

C:\Documents and Settings\NetworkService\Local Settings\Application Data\iklphushm - Parameters: "(none)"

---Files---
None found.

---Folders---
None found.

C:\Documents and Settings\NetworkService\Local Settings\Application Data\qsexfthui - Parameters: "(none)"

---Files---
None found.

---Folders---
None found.

-=End Of File=-

#15 azarl (GeekU Admin, Community Leader)

ComboFix Script
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:

Driver::
zbokwl

FCopy::
C:\atapi.sys | C:\WINDOWS\system32\drivers\atapi.sys


Save this as CFScript.txt, in the same location as ComboFix.exe


[Posted Image: dragging CFScript.txt onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt which I need you to include in your next reply.

Edited by azarl, 09 April 2010 - 02:30 AM.
